Archive for the 'Windows Active Directory' Category

Hyper-V and DC as virtual machine

Ivan Versluis June 23rd, 2008

When I tried to open the “Active Directory Sites and Services” MMC console I got the following error message.


Naming information cannot be located because: The clocks on the client and server machines are skewed. Contact your system administrator to verify that your domain is properly configured and is currently online.

My Hyper-V host is running in a workgroup and is not a member of an AD DS domain. Therefore it is not syncing its time with a managed NTP time service. One of my remote domain controllers is running on this host and I am having issues authenticating myself to the AD DS running as a virtual machine. The best option in this case is to disable the time synchronization in the virtual machine options. Another option is to fix the host time, but if you are selling Hyper-V as a service to customers then you won’t be a member of their domain ;)

Right-click the virtual machine and choose Settings in the Hyper-V management console. Go to Integration Services and uncheck “Time synchronization”.


After the reboot the domain controller synced the time with the correct values.
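The same change scripted, as an added example that is not part of the original post. Part 1 runs on the Hyper-V host, part 2 inside the guest DC. It assumes the Hyper-V PowerShell module (Windows Server 2012 or later; the post above used the GUI), a VM named NET-DC-01 and pool.ntp.org as the NTP source; all three are placeholders to replace with your own values. The check at the end matters because Kerberos rejects authenticators whose timestamp is outside the default MaxClockSkew of five minutes, which is what the “clocks are skewed” message reports.

```powershell
# Added example (not from the original post). Part 1 runs on the Hyper-V host, part 2 inside
# the guest DC. Assumptions: the Hyper-V PowerShell module (Windows Server 2012 or later),
# a VM named 'NET-DC-01', and 'pool.ntp.org' as an example NTP source; adjust all three.
param(
    [string]$VmName     = 'NET-DC-01',
    [string]$NtpServers = 'pool.ntp.org'
)

# ---- Part 1, on the host: stop the host's (workgroup, unsynchronised) clock from being
#      pushed into the domain controller through the integration service.
Disable-VMIntegrationService -VMName $VmName -Name 'Time Synchronization'
Get-VMIntegrationService -VMName $VmName -Name 'Time Synchronization' |
    Select-Object VMName, Name, Enabled     # Enabled should now be False

# ---- Part 2, inside the guest DC (the PDC emulator of the forest root): take time from an
#      NTP source instead of the host, and mark this DC as a reliable source for the domain.
w32tm /config "/manualpeerlist:$NtpServers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# Check: the offset against the peer must stay inside Kerberos' default MaxClockSkew of
# 5 minutes, otherwise logons fail again with KRB_AP_ERR_SKEW ("clocks ... are skewed").
w32tm /query /status
w32tm /stripchart "/computer:$($NtpServers.Split(',')[0])" /samples:3 /dataonly
```

Run part 1 while the VM is running or stopped; the integration service setting is per VM, so repeat it for every virtualized DC on a host that is not itself a reliable time source.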

Remove Active Directory without replication

Ivan Versluis April 27th, 2008

A couple of minutes ago I initiated the removal of Active Directory and forced the demotion of a virtual machine domain controller. The domain controller had exceeded the 60 days without being able to replicate and I was not able to get the replication working. It took me more than 90 minutes to troubleshoot and fix the problem. Since Windows Server 2003 there is an option in the dcpromo tool to force the Active Directory removal.

1. By default, Windows Server 2003 domain controllers support forced demotion. Click Start, click Run, and then type the following command:
dcpromo /forceremoval
2. Click OK.
3. At the Welcome to the Active Directory Installation Wizard page, click Next.
4. At the Force the Removal of Active Directory page, click Next.
5. In Administrator Password, type and confirm the password that you want to assign to the Administrator account of the local SAM database, and then click Next.
6. In Summary, click Next.
7. Perform a metadata cleanup for the demoted domain controller on a surviving domain controller in the forest.

Reboot the server and clean up the metadata with ntdsutil. I hate to use a workaround like this, but there is no quick and dirty fix for me now. I am planning and testing an upgrade of my Exchange 2007 server to SP1, but because replication to the second DC did not take place for more than 60 days, replication stopped.

One of the errors on my primary domain controller. Demotion didn’t work with force removal, and option 3 also did not fix the problem when using the registry fix.

Event Type:    Error
Event Source:    NTDS Replication
Event Category:    Replication
Event ID:    2042
Date:        4/27/2008
Time:        5:18:39 PM
User:        NT AUTHORITY\ANONYMOUS LOGON
Computer:    NET-DC-01
Description:
It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
The reason that replication is not allowed to continue is that the two machine’s views of deleted objects may now be different. The source machine may still have copies of objects that have been deleted (and garbage collected) on this machine. If they were allowed to replicate, the source machine might return objects which have already been deleted.
Time of last successful replication:
2008-01-26 20:26:04
Invocation ID of source:
01dcf6c8-f6b8-01dc-0100-000000000000
Name of source:
e02a9b21-b7e0-4be6-9cc9-971b00325f65._msdcs.Networknet.nl
Tombstone lifetime (days):
60
The replication operation has failed.
User Action:
Determine which of the two machines was disconnected from the forest and is now out of date. You have three options:
1. Demote or reinstall the machine(s) that were disconnected.
2. Use the “repadmin /removelingeringobjects” tool to remove inconsistent deleted objects and then resume replication.
3. Resume replication. Inconsistent deleted objects may be introduced. You can continue replication by using the following registry key. Once the systems replicate once, it is recommended that you remove the key to reinstate the protection.
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


For more information check the knowledge base article.
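The cleanup that follows the forced demotion, scripted on a surviving DC, as an added example that is not part of the original post. The names are assumed placeholders to adjust: stale DC NET-DC-02 in site Default-First-Site-Name, forest root DC=Networknet,DC=nl, surviving DC NET-DC-01. ntdsutil is driven by passing its menu commands as arguments (Windows Server 2003 SP1 and later accept “remove selected server” with a DN directly); the Get-AD* cmdlets need the ActiveDirectory module (2008 R2 or later). It also shows option 2 from the event in report-only mode, which is the safe alternative to the registry key of option 3: that key lets a partner replicate objects that were deleted on purpose, including disabled or removed accounts, back into the forest.

```powershell
# Added example, not part of the original post: metadata cleanup after a forced demotion,
# run on a surviving DC. Placeholders (assumed, adjust to your forest): stale DC 'NET-DC-02',
# site 'Default-First-Site-Name', forest root 'DC=Networknet,DC=nl', surviving DC 'NET-DC-01'.
# ntdsutil commands are passed as arguments; Get-AD* needs the ActiveDirectory module.
param(
    [string]$StaleDc     = 'NET-DC-02',
    [string]$SurvivingDc = 'NET-DC-01',
    [string]$Site        = 'Default-First-Site-Name',
    [string]$ForestDn    = 'DC=Networknet,DC=nl'
)
$serverDn = "CN=$StaleDc,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$ForestDn"

# 1. Confirm which inbound partner is stale and when it last replicated: the same data that
#    event 2042 reports, but for every naming context at once.
repadmin /showrepl $SurvivingDc /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Format-Table 'Source DSA', 'Naming Context', 'Last Success Time', 'Last Failure Status' -AutoSize

# 2. Option 1 from the event: after "dcpromo /forceremoval" on the stale DC, remove its NTDS
#    Settings and server objects, FSMO role references and partition membership.
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# 3. Verify nothing is left that would let the old host come back as a DC or be impersonated
#    by name: the computer account and DNS records are not always removed by step 2.
if (Get-ADObject -Filter { name -eq $StaleDc } -SearchBase "CN=Sites,CN=Configuration,$ForestDn" -Server $SurvivingDc) {
    throw "server object for $StaleDc still present under CN=Sites"
}
Get-ADComputer -Filter { Name -eq $StaleDc } -Server $SurvivingDc |
    Remove-ADObject -Recursive -Confirm:$false
nslookup -type=ANY "$StaleDc.Networknet.nl" $SurvivingDc     # expect no answer

# 4. Option 2 (keep the DC, purge only lingering objects), report-only first. The reference
#    GUID is the surviving DC's "DSA object GUID" as printed by repadmin /showrepl.
$refGuid = (repadmin /showrepl $SurvivingDc | Select-String 'DSA object GUID: (\S+)').Matches[0].Groups[1].Value
# repadmin /removelingeringobjects $StaleDc $refGuid $ForestDn /advisory_mode

# Option 3 (the registry key) lets deleted objects reappear. If it is ever used, remove the
# key right after the first successful replication cycle:
# Remove-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
#     -Name 'Allow Replication With Divergent and Corrupt Partner'
```

Step 1 uses the column names repadmin writes in its CSV output; if your build prints them differently, run repadmin /showrepl without /csv and read the “Last attempt” lines instead.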

Windows Active Directory DCpromo answer file

Ivan Versluis March 4th, 2008

The following example will help you quickly provision an Active Directory domain in a VM or other lab environment. The provisioning of the domain controller can be controlled and reproduced the same way every time. Copy the text below into a new text file named ad.txt.

[DCInstall]
AdministratorPassword =P@SSWORD1
CreateOrJoin = Create
DomainNetBiosName = 70-296
NewDomainDNSName = 70-296.net
RebootOnSuccess = Yes
ReplicaOrNewDomain = Domain
SiteName = "Default-First-Site"
InstallDNS=yes
ConfirmGc=Yes
TreeOrChild = Tree
UserName=Administrator
Password=P@SSWORD1

Review the local administrator password in the file, then open a cmd shell on your Windows Server and run dcpromo /answer:ad.txt. In the example answer file the DNS server is installed automatically; make sure the Windows Server source CD-ROM is available locally or in a CD drive. Note that the answer file contains the administrator password in clear text, so restrict access to it and delete it once the promotion has finished.
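The same provisioning with the password handled more carefully, as an added example that is not the post’s own script. It builds the answer file at run time with a random password, restricts the file to Administrators and SYSTEM, runs dcpromo, and deletes the file before rebooting, so the secret never sits in a readable ad.txt. It assumes an elevated PowerShell session on a Windows Server 2003/2008 machine with dcpromo, the lab names from the post (70-296 and 70-296.net) as defaults, and adds SafeModeAdminPassword, the documented [DCInstall] key for the Directory Services Restore Mode password; the UserName/Password pair from the post is left out because it is only needed when joining an existing forest.

```powershell
# Added example, not from the original post: generate, protect and consume a dcpromo answer
# file without leaving the password on disk. Assumes an elevated session on Windows Server
# 2003/2008 and the post's lab names as defaults; SafeModeAdminPassword is the DSRM password.
param(
    [string]$DomainDnsName     = '70-296.net',
    [string]$DomainNetBiosName = '70-296',
    [string]$AnswerFile        = (Join-Path $env:SystemDrive 'ad.txt')
)

function New-RandomPassword([int]$Length = 20) {
    # Alphabet leaves out look-alike characters; the small modulo bias is fine for a lab secret.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*'
    $bytes = New-Object byte[] $Length
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$password = New-RandomPassword
@"
[DCInstall]
AdministratorPassword=$password
SafeModeAdminPassword=$password
CreateOrJoin=Create
ReplicaOrNewDomain=Domain
TreeOrChild=Tree
DomainNetBiosName=$DomainNetBiosName
NewDomainDNSName=$DomainDnsName
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
RebootOnSuccess=NoAndNoPromptEither
"@ | Set-Content -Path $AnswerFile -Encoding ASCII

# Lock the file down before dcpromo reads it: no inherited ACEs, only Administrators and SYSTEM.
$acl = Get-Acl -Path $AnswerFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
Set-Acl -Path $AnswerFile -AclObject $acl

Write-Host "DSRM / local Administrator password (store it in your password manager now): $password"

# dcpromo returns when the promotion is done; exit codes 1-4 are success, 11 and up are failures.
# The file is deleted before the reboot rather than trusting dcpromo to blank the password fields.
$p = Start-Process -FilePath dcpromo.exe -ArgumentList "/answer:$AnswerFile" -Wait -PassThru
Remove-Item -Path $AnswerFile -Force
if ($p.ExitCode -le 4) { Restart-Computer -Force } else { throw "dcpromo failed with exit code $($p.ExitCode)" }
```

On Windows Server 2012 and later dcpromo is gone and the same unattended promotion is done with Install-ADDSForest, which takes the DSRM password as a SecureString parameter instead of a file.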

For more options go to http://support.microsoft.com/kb/223757/en-us or  http://www.petri.co.il/unattended_installation_of_active_directory.htm.

After the reboot and logon with the Domain Administrator account I verified the installation with the ADUC (dsa.msc) console.


The Active Directory domain was successfully installed. Using the answer file I am able to redo my lab environments and prepare myself for production deployments.

Computer Account SID hell with virtual machines guests and gsgetsid.exe and NewSid.exe howto

Ivan Versluis December 14th, 2007

Today I configured a new VMware team and installed one domain controller and one other server as a file server. I used my master build server image of Win2k3 EE R2 and both images ran the sysprep.exe routine. After the DC was set up to run AD and DNS I joined the second guest machine to the domain. The domain join on the second machine worked fine.

I rebooted and tried to log on with a domain account and then with the domain admin. Both accounts generated the logon message below.

The system cannot log you on due to the following error:

The name or security ID (SID) of the domain specified is inconsistent with the trust information for that domain.

Please try again or consult your system administrator.


I logged on with the local administrator account and saw the event ID 5516 Netlogon error shown below.

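A check for this situation, as an added example that is not part of the original post. A domain’s SID is derived from the machine SID the first domain controller had before promotion, so a member server cloned from the same image as that DC without a fresh SID carries a machine SID equal to the domain SID, which is what Netlogon’s 5516 complaint about inconsistent trust information reflects. The function below reads the RID-500 account’s SID, which resolves locally even when the secure channel is broken, and strips the RID; on a member server that gives the machine SID, on a DC the domain SID. It assumes only that the built-in Administrator account still exists (its name may have been changed). NewSID was later retired by Sysinternals; sysprep with the generalize option is the supported way to give a clone a new SID.

```powershell
# Added example, not from the original post: read the machine SID of a guest (or, on a DC,
# the domain SID) so cloned images can be compared before one of them is promoted.
# Assumes the built-in Administrator account (RID 500) exists; it may have been renamed.
function Get-MachineSid {
    try {
        # "<COMPUTERNAME>\Administrator" is resolved by the local LSA, so it works with a broken
        # secure channel; on a domain controller the same name yields the domain's RID-500 account.
        $acct = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\Administrator")
        $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        # Administrator renamed: locate the local account whose RID is 500 through WMI instead.
        $sid = (Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'").SID
    }
    if ($sid -match '^(S-1-5-21-\d+-\d+-\d+)-500$') { return $Matches[1] }
    throw "unexpected SID format: $sid"
}

# Run on every guest built from the same image and on the DC. Two members with the same
# value were cloned without a new SID; a member whose value equals the DC's output (the
# domain SID) is the Netlogon 5516 case and needs a new SID before it can be joined.
Get-MachineSid
```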


Kerberos error eventid 4

Ivan Versluis December 2nd, 2007

Due to migration and tests between VMware Workstation and Virtual Server 2005 R2 SP1 I created two domain controllers for the Networknet.nl domain. At some point I had issues with DNS and then I assigned the IP address of the second DC of the domain to the primary one.

Right now all my domain clients are reporting the error message below. The Kerberos client received a KRB_AP_ERR_MODIFIED error for the domain controller account. I have seen this before and will fix it by deleting all of the DNS records for Active Directory.


Open the Computer Management console and scroll down to the DNS snap-in. Locate your _msdcs zone and select all records except the (same as parent folder) entry. Right-click and delete them.


Go to your primary AD zone and select all the other AD-related records.


As shown above, select them and right-click to delete. Check that the hostnames of the domain controllers resolve to the correct IP addresses.

Now the DNS zones are clean. To have all required Active Directory records recreated you can do either of the following:

  • Stop and restart the Netlogon service, e.g. "net stop netlogon & net start netlogon" in a cmd box.
  • Reboot the domain controller

Verify the records after the reboot or the service restart.

These steps were executed in a lab environment; be careful when deleting the AD-related DNS records in a production environment. If there are dozens of domain controllers, a service restart or reboot is also required on all of them to get their records back.

What happens in the background is that Netlogon registers the records listed in C:\WINDOWS\system32\config\netlogon.dns into the DNS zones by dynamic DNS update.
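A narrower way to find the bad records, as an added example that is not part of the original post. KRB_AP_ERR_MODIFIED means the service could not decrypt the ticket with its own key; when a DC’s name resolves to another DC’s address, the client gets a ticket for one DC and presents it to the other, which is exactly what moving the second DC’s IP to the primary produces. Instead of deleting every AD record and re-registering on all DCs, the script parses netlogon.dns (the records this DC expects to own) and checks each A, CNAME and SRV entry against what DNS actually answers, so only the stale ones need fixing. It assumes it runs on the DC with PowerShell 3 or later and Resolve-DnsName (Windows 8/2012 or later); the -DnsServer parameter is optional and names the DNS server to query instead of the local resolver.

```powershell
# Added example, not part of the original post: compare the records in netlogon.dns with
# what DNS returns, to locate stale or wrong entries one by one. Assumes Resolve-DnsName
# (DnsClient module, Windows 8/2012+) and that it runs on the DC owning the file.
param(
    [string]$NetlogonDns = "$env:SystemRoot\system32\config\netlogon.dns",
    [string]$DnsServer   = ''
)

function Get-NetlogonRecords([string]$Path) {
    # Lines look like (constructed samples of the file format):
    #   _ldap._tcp.dc._msdcs.Networknet.nl. 600 IN SRV 0 100 389 net-dc-01.Networknet.nl.
    #   Networknet.nl. 600 IN A 192.168.1.10
    #   <dsa-guid>._msdcs.Networknet.nl. 600 IN CNAME net-dc-01.Networknet.nl.
    foreach ($line in Get-Content -Path $Path) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[2] -ne 'IN') { continue }
        $name = $f[0].TrimEnd('.')
        switch ($f[3]) {
            'A'     { New-Object psobject -Property @{ Name = $name; Type = 'A';     Target = $f[4];             Port = 0 } }
            'CNAME' { New-Object psobject -Property @{ Name = $name; Type = 'CNAME'; Target = $f[4].TrimEnd('.'); Port = 0 } }
            'SRV'   { New-Object psobject -Property @{ Name = $name; Type = 'SRV';   Target = $f[7].TrimEnd('.'); Port = [int]$f[6] } }
        }
    }
}

function Test-NetlogonRecords([string]$Path, [string]$Server) {
    $opts = @{ ErrorAction = 'SilentlyContinue' }
    if ($Server) { $opts['Server'] = $Server }
    foreach ($r in Get-NetlogonRecords -Path $Path) {
        # Resolve-DnsName also returns the CNAME/A glue it followed; keep only the asked-for type.
        $answers = @(Resolve-DnsName -Name $r.Name -Type $r.Type @opts | Where-Object { $_.Type -eq $r.Type })
        $hit = switch ($r.Type) {
            'A'     { $answers | Where-Object { $_.IPAddress  -eq  $r.Target } }
            'CNAME' { $answers | Where-Object { $_.NameHost   -ieq $r.Target } }
            'SRV'   { $answers | Where-Object { $_.NameTarget -ieq $r.Target -and $_.Port -eq $r.Port } }
        }
        New-Object psobject -Property @{
            Name       = $r.Name
            Type       = $r.Type
            Expected   = $r.Target
            Registered = [bool]$hit
            Answers    = $answers.Count    # more than 1: the name (also) points at another DC
        }
    }
}

# Registered = False means the record is missing or points elsewhere; Answers > 1 on a DC's
# own A record is the KRB_AP_ERR_MODIFIED case, where a name resolves to another DC's address.
Test-NetlogonRecords -Path $NetlogonDns -Server $DnsServer |
    Sort-Object Registered, Type | Format-Table Type, Name, Expected, Registered, Answers -AutoSize

# Targeted fix instead of wiping the zone: delete the single stale record, then have Netlogon
# re-register its own records without restarting the service (values are placeholders):
#   dnscmd net-dc-01 /RecordDelete Networknet.nl net-dc-02 A 192.168.1.11 /f
#   nltest /dsregdns
```

nltest /dsregdns re-registers only the records of the DC it runs on, so run it on each DC whose records were removed rather than restarting Netlogon everywhere.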