Remove Active Directory without replication

27 04 2008

A couple of minutes ago I initiated the removal of Active Directory and forced the demotion of a virtual machine domain controller. The domain controller had gone more than 60 days without being able to replicate, and I was not able to get replication working again. It took me more than 90 minutes to troubleshoot and fix the problem. Since Windows Server 2003 the dcpromo tool has had an option to force the removal of Active Directory.


1. By default, Windows Server 2003 domain controllers support forced demotion. Click Start, click Run, and then type the following command:
dcpromo /forceremoval
2. Click OK.
3. At the Welcome to the Active Directory Installation Wizard page, click Next.
4. At the Force the Removal of Active Directory page, click Next.
5. In Administrator Password, type and confirm the password that you want to assign to the Administrator account of the local SAM database, and then click Next.
6. In Summary, click Next.
7. Perform a metadata cleanup for the demoted domain controller on a surviving domain controller in the forest.

Reboot the server and clean up the metadata with ntdsutil. I hate using a workaround like this, but there is no quick and dirty fix for me right now. I am planning and testing an upgrade of my Exchange 2007 server to SP1, but because replication to the second DC had not taken place for more than 60 days, replication stopped.

One of the errors on my primary domain controller. Demotion did not work, hence the force removal; option 3 with the registry fix also did not solve the problem.

Event Type:    Error
Event Source:    NTDS Replication
Event Category:    Replication
Event ID:    2042
Date:        4/27/2008
Time:        5:18:39 PM
User:        NT AUTHORITY\ANONYMOUS LOGON
Computer:    NET-DC-01
Description:
It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
The reason that replication is not allowed to continue is that the two machine’s views of deleted objects may now be different. The source machine may still have copies of objects that have been deleted (and garbage collected) on this machine. If they were allowed to replicate, the source machine might return objects which have already been deleted.
Time of last successful replication:
2008-01-26 20:26:04
Invocation ID of source:
01dcf6c8-f6b8-01dc-0100-000000000000
Name of source:
e02a9b21-b7e0-4be6-9cc9-971b00325f65._msdcs.Networknet.nl
Tombstone lifetime (days):
60
The replication operation has failed.
User Action:
Determine which of the two machines was disconnected from the forest and is now out of date. You have three options:
1. Demote or reinstall the machine(s) that were disconnected.
2. Use the “repadmin /removelingeringobjects” tool to remove inconsistent deleted objects and then resume replication.
3. Resume replication. Inconsistent deleted objects may be introduced. You can continue replication by using the following registry key. Once the systems replicate once, it is recommended that you remove the key to reinstate the protection.
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

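An added check, not part of the original post, for catching this before the 60 days run out: the script reads the forest tombstone lifetime, compares it with each partner's last successful replication as reported by repadmin, and flags the option-3 override key if it was left in place. It assumes an elevated prompt on a Windows Server 2003 SP1 or later domain controller with repadmin.exe, and that the CSV column names are those repadmin prints in its header.

```powershell
# Added example, not part of the original post. Audits every inbound replication
# partner against the forest tombstone lifetime (TSL), the limit whose breach
# produces Event ID 2042, and flags the option-3 override key if it was left set.
# Assumes an elevated prompt on a Windows Server 2003 SP1 or later DC with repadmin.exe.

# 1. The TSL lives on the Directory Service object in the Configuration NC.
#    When the attribute is absent the default of 60 days applies.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$dsObj    = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$tslProp  = $dsObj.Properties['tombstoneLifetime']
$tsl      = if ($tslProp.Count -gt 0) { [int]$tslProp.Value } else { 60 }
"Tombstone lifetime: $tsl days"

# 2. repadmin /showrepl /csv emits one row per partner and naming context; the
#    column names used below are taken from its header (an assumption).
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv
foreach ($r in $rows) {
    $last = [DateTime]::MinValue
    # Rows that never replicated carry no parsable time; skip them here.
    if (-not [DateTime]::TryParse($r.'Last Success Time', [ref]$last)) { continue }
    $ageDays = ((Get-Date) - $last).TotalDays
    $where   = '{0} from {1} [{2}]' -f $r.'Destination DSA', $r.'Source DSA', $r.'Naming Context'
    if ($ageDays -gt $tsl) {
        Write-Warning ('{0}: last success {1:yyyy-MM-dd HH:mm}, {2:N0} days ago, exceeds TSL' -f $where, $last, $ageDays)
    } elseif ($ageDays -gt $tsl * 0.75) {
        '{0}: {1:N0} days since last success, approaching TSL' -f $where, $ageDays
    }
}

# 3. The event's option 3 depends on this value and says to remove it after one
#    successful replication, so finding it still set is a finding in itself.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$name = 'Allow Replication With Divergent and Corrupt Partner'
$val  = (Get-ItemProperty -Path $ntds -Name $name -ErrorAction SilentlyContinue).$name
if ($val -eq 1) {
    Write-Warning "'$name' is still set to 1; lingering-object protection is disabled on this DC."
}
```

Run it on a schedule from the surviving DC; a partner that shows up in the warning branch is the one Event 2042 will name.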
For more information check the knowledge base article.



BitLocker in a VM without TPM or USB: howto tutorial?

11 03 2008

Before I read the Step-by-Step Guide document quoted below, I tried to get BitLocker Drive Encryption running in a virtual machine.

Windows BitLocker Drive Encryption Step-by-Step Guide

For a non-TPM scenario, you use a startup key to authenticate yourself. The startup key is located on a USB flash drive inserted into the computer before the computer is turned on. In such a scenario, your computer must have a BIOS that can read USB flash drives in the pre-operating system environment (at startup). Your BIOS can be checked by the hardware test near the end of the BitLocker setup wizard.

Using USB removable storage in a VMware virtual machine is just not going to work. The only way to get BitLocker working in a virtual machine is to change the group policy setting so BitLocker is allowed to work without a TPM chip, and to use a floppy disk as storage for the startup key. A floppy disk is available to a virtual machine during the Vista boot process. I was able to run the BitLocker preparation tool successfully, but after the final check before encrypting the C volume the system complained that the removable storage was not available during the Windows Vista boot process.

The BitLocker Drive Encryption applet in Control Panel, and the steps I went through before reading the Step-by-Step Guide.


Click Turn on BitLocker


Now I was required to put the startup key on a USB device.


My USB flash disk was available in the virtual machine.


I clicked Continue and then Restart Now.


After logon, the error message appeared:


BitLocker could not be enabled. The system firmware failed to enable clearing of system memory on reboot. No encryption applied, any changes made to C: during BitLocker setup will be removed.

How to get BitLocker working in a virtual machine?

  • Install Windows Vista SP1(Enterprise or Ultimate editions) in a virtual machine
  • Make sure you partition and format the volumes the right way. Press SHIFT+F10 in Vista Setup to open a command prompt and run these diskpart commands (the 1.5GB S: partition stays unencrypted and holds the boot files; C: receives the operating system):

select disk 0
create partition primary size=1500
format fs=ntfs quick
assign letter=S
active
create partition primary
assign letter=C

If you did not partition and format the hard disk this way, use the BitLocker Drive Preparation Tool instead.

  • Change the GPO setting: run Gpedit.msc, go to Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption, open “Control Panel Setup: Enable advanced startup options”, enable it and check “Allow BitLocker without a compatible TPM”. Reboot.


  • Make sure a floppy drive has been configured for the virtual machine and create a new bitlocker.flp file. Format the disk.


  • Open an elevated command prompt and run cscript c:\Windows\System32\manage-bde.wsf -on C: -rp -sk A:


  • Reboot and make sure the floppy drive is the last option in the BIOS boot order.


  • Encryption in progress. Keep in mind that BitLocker encrypts the complete partition; in my case a 64GB SCSI virtual disk is expanded, so after the process has finished I will end up with a 64GB virtual disk. It is the same deal as with a physical hard disk: only 6GB will be left during the encryption process. Anyway, a good lesson learned for my next virtual machine. Using these steps I am now able to test all the different features and options BitLocker offers. If you buy new hardware today, the TPM-compliant chip will be on your motherboard, so setting up a virtual lab is good preparation for the real physical setup.
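An added verification step, not part of the original post, to run once the manage-bde.wsf command above has completed: it confirms that C: carries both protectors the -rp -sk A: switches asked for (a recovery password and an external startup key) and reports the encryption and protection state, so a volume whose only protector is the bitlocker.flp image is noticed. It assumes the Vista-era manage-bde.wsf under System32 and an elevated prompt; the output labels it matches on are the ones manage-bde prints.

```powershell
# Added example, not part of the original post. Verifies the result of
# "manage-bde.wsf -on C: -rp -sk A:" by inspecting the protectors and status
# that manage-bde reports. Assumes the Vista-era script under System32 and an
# elevated prompt.
$mbde       = Join-Path $env:SystemRoot 'System32\manage-bde.wsf'
$status     = cscript //nologo $mbde -status C:
$protectors = cscript //nologo $mbde -protectors -get C:

# manage-bde labels each protector by type; -rp yields "Numerical Password",
# -sk yields "External Key". Wrapping in @() keeps .Count valid for zero or one hit.
$hasRecoveryPassword = @($protectors -match 'Numerical Password').Count -gt 0
$hasStartupKey       = @($protectors -match 'External Key').Count -gt 0
$protectorIds        = @($protectors -match '^\s*ID:')

"Protectors on C:        : $($protectorIds.Count)"
"Recovery password (-rp) : $hasRecoveryPassword"
"Startup key (-sk)       : $hasStartupKey"
$status | Where-Object { $_ -match 'Conversion Status|Percentage Encrypted|Protection Status' }

if (-not $hasStartupKey) {
    Write-Warning 'No external key protector: the floppy will not unlock the volume at boot.'
}
if (-not $hasRecoveryPassword) {
    Write-Warning 'No recovery password protector: if bitlocker.flp is lost, so is C:.'
}
```

Record the numerical password that -protectors -get prints somewhere other than the VM's own disk folder, since in a lab the floppy image and the encrypted virtual disk otherwise sit side by side on the host.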