Posts filed under ‘Windows’

The DNS server was unable to open Active Directory”

Recently , One of our customer reported an issue stating that the Exchange Services are failing and Outlook clients are getting disconnected. We noticed few DC related events (Kerberos) on both the exchange servers. Thus , we ran the “netdom query fsmo” command on the 2 Exchange Servers and got the below error:

The same error appeared on all the other domain joined servers. Therefore ,we decided to check the DC’s.

When we reviewed the event viewer on the 2 DC’s , there were DNS related errors(Event ID 4000)

Further , we could not open the DNS MMC snap-ins and pinging the hostname by DC was failing as well. However, the DNS service is started state. In addition to this , there were errors on KDC consistency as well. After , troubleshooting for few minutes ,we go hold of the Microsoft KB :https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/dns-zones-do-not-load-event-4000-4007 and followed the steps mentioned to resolve the issue successfully.

Few points to consider:
– You will find an additional “d: in the word password in the below command. Do not change it.
netdom resetpwd /server: /userd: netdom resetpwd /server: /userd: /passwordd:*
– In my case I had to run this command on the PDC and the other DC as well
– Stop the KDC service prior to running the command.
– First I started on the PDC and restarted it and ensured the DNS snap-in was accessible and the pinging
by hostname was working.
– Finally , I continued the same steps on the remaining domain controllers.

October 5, 2021 at 10:04 am Leave a comment

How to check the AD Schema version

We all know , how to check the FFL & DFL version using the AD Snap-ins.However , if you want to check the AD schema version , you need to run regsvr32 schmmgmt.dll to active the MMC snap-in to get the required details.

Most of the time this process will fail and need additional troubleshooting steps. Instead of that , you can use the below PowerShell command to easily get the AD schema version. In the meantime , you could still use the ADSI Edit as well.

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

Output of the above command will give you a value for the ObjectVersion. This value need to be compared with below to obtain the correct schema version.

Source: https://support.globalsign.com/aeg/aeg-how-check-active-directory-schema-version

August 31, 2021 at 12:08 pm Leave a comment

How to use KMS based activation for Windows images

Hi All

In our Hosting environment , we had to deploy large number of Windows Servers. We need to ensure that the Windows images are remain active within our datacenters only. As we cannot use MAK based activation. Because , if the customer moves out from us the licenses should be not active . In other words , it is customer responsibility to reactivate the Windows in his new environment.

So we came up with the idea of KMS based activation using VMware Templates and this is how we did it.

  • Install the KMS Service on a Windows 2019 and activate it with the KMS Key.
    ( I am not writing the steps here .Since a simple Google search result will yield lot’s how-to articles on KMS installation.)
  • Created a Windows 2019 VM.
  • Activated the Windows 2019 with the GVLK. You can refer the below URL for the GVLK keys.
    https://docs.microsoft.com/en-us/windows-server/get-started/kmsclientkeys
  • Ran the Sysprep and converted it to a template.
  • Thereafter , we created a custom specification file to perform the KMS activation on Windows image. All these settings are mandatory .Otherwise , the KMS commands will fail to run.

    + In the Windows License Page , clear all the settings.

+ In the Administrator Password and set a Password ,

+ In the Commands to run once Page, enter the below commands
cscript c:\windows\system32\slmgr.vbs /skms “kms server ip”:1688
cscript c:\windows\system32\slmgr.vbs /ato

That’s it. Now you can go ahead and deploy the Windows images and get it activated by KMS.

Further reading:

1)Use the below command on your Windows images to verify the CMID(Client Machine ID is not duplicated).

Get-WmiObject -class SoftwareLicensingService | Select-object ClientMachineID

Duplicated CMID will prevent VM’s from getting activated.

2) On the KMS client you can review the below Registry key to verify the correct KMS settings have been applied.

HKLM/SOFTWARE/MICROSOFT/WINDOWSNT/CURRENTVERSION/SOFTWAREPROTECTIONPLATFORM/
–KeyManagementServiceName
–KeyManagementServicePort

3) Use the below commands on the KMS Server & Clients to verify the Windows Activation.

slmgr /dlv

slmgr /dli


August 4, 2021 at 9:18 am Leave a comment

DCPromo Fails – The directory service is missing mandatory configuration information

Last week , we worked on a AD migration project. This project involved deploying a Windows 2016 based Domain Controller and then decommission the Windows 2008R2 domain controller.

We successfully transferred the FSMO roles . During the decommissioning process when we ran the dcpromo command we received the error “The directory service is missing mandatory configuration information”

During the troubleshooting the  MS KB (https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/dcpromo-demotion-fails) was pointing us to correct direction. The issue was related to  fsmoroleowner attribute  on CN=Infrastructure is not set properly. In my case it was pointing to the server which I am trying to demote.

You can see this by opening ADSI Edit;

Right click the ADSI Edit root and click on Connect to…
Use the following connection point: DC=DomainDNSZones,DC=abc,DC=local  (Replace it with your actual AD DNS Zone)
Click on Default Naming Context [DC.abc.local] to populate it.
Click on DC=DomainDNSZones,DC=abc,DC=local folder.
Double click on CN=Infrastructure.
Locate the fSMORoleOwner attribute

Ensure you connect to DC=ForestDNSZones as well to verify the attribute.

In my case DomainZones was showing the correct DC .But the ForestDNSZones pointing to the Windows 2008R2 Server.

I have tried the manual method using the ADSI Edit to change the value. However it was failing with the error  “The role owner attribute could not be read”

In this case you need to refer the MS KB https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/dcpromo-demotion-fails to create the .vbs file to fix this issue.( I have seen suggestions to run the dcpromo /forceremoval instead and then run a metadata cleanup. I do not recommend this approach)

The script provided in the KB does not work due to incorrect end statements. Luckily the Blogger veducate.co.uk (https://veducate.co.uk/dcpromo-fails-missing-mandatory-configuration/) have provided a fixed version.

NOTE: You need to  run these commands from the current owner of the FSMO roles.

Create a .vbs file via CMD
fsutil file createnew fixfsmo.vbs 0

Copy the below contents to the file
================================================

const ADS_NAME_INITTYPE_GC = 3
const ADS_NAME_TYPE_1779 = 1
const ADS_NAME_TYPE_CANONICAL = 2

set inArgs = WScript.Arguments

if (inArgs.Count = 1) then
‘ Assume the command line argument is the NDNC (in DN form) to use.
NdncDN = inArgs(0)
Else
Wscript.StdOut.Write “usage: cscript fixfsmo.vbs NdncDN”
End if

if (NdncDN <> “”) then

‘ Convert the DN form of the NDNC into DNS dotted form.
Set objTranslator = CreateObject(“NameTranslate”)
objTranslator.Init ADS_NAME_INITTYPE_GC, “”
objTranslator.Set ADS_NAME_TYPE_1779, NdncDN
strDomainDNS = objTranslator.Get(ADS_NAME_TYPE_CANONICAL)
strDomainDNS = Left(strDomainDNS, len(strDomainDNS)-1)

Wscript.Echo “DNS name: ” & strDomainDNS

‘ Find a domain controller that hosts this NDNC and that is online.
set objRootDSE = GetObject(“LDAP://” & strDomainDNS & “/RootDSE”)
strDnsHostName = objRootDSE.Get(“dnsHostName”)
strDsServiceName = objRootDSE.Get(“dsServiceName”)
Wscript.Echo “Using DC ” & strDnsHostName

‘ Get the current infrastructure fsmo.
strInfraDN = “CN=Infrastructure,” & NdncDN
set objInfra = GetObject(“LDAP://” & strInfraDN)
Wscript.Echo “infra fsmo is ” & objInfra.fsmoroleowner

‘ If the current fsmo holder is deleted, set the fsmo holder to this domain controller.

if (InStr(objInfra.fsmoroleowner, “\0ADEL:”) > 0) then

‘ Set the fsmo holder to this domain controller.
objInfra.Put “fSMORoleOwner”, strDsServiceName
objInfra.SetInfo

‘ Read the fsmo holder back.
set objInfra = GetObject(“LDAP://” & strInfraDN)
Wscript.Echo “infra fsmo changed to:” & objInfra.fsmoroleowner

End if

End if

=================================================

Run the file twice as below
1) cscript fixfsmo.vbs dc=forestdnszones,dc=abc,dc=local

2) cscript fixfsmo.vbs dc=domaindnszones,dc=abc,dc=local

Voila , The fsmoroleowner attribute got updated with the correct server name , and  I was able to demote the server successfully.

Source: (Helped me to fix the syntax errors on script provided by Microsoft)

DCPromo Fails – The directory service is missing mandatory configuration information

 

Thanks.

 

November 19, 2020 at 2:56 pm Leave a comment

How to install and configure LAPS

Recently , we had to deploy LAPS on one of our client environment. The requirement was to manage the local administrator password of all the domain joined workstations / servers via centrally. I used the below guides to complete the installation .(Kudos to the blog owners)

Source1:

https://scripting.rocks/sysadmin/laps/

Source2:

https://vaishnaav.files.wordpress.com/2019/12/step-by-step-guide-to-deploy-microsoft-laps-1.pdf
(via :prajwaldesai.com).

In addition to the above you may come across the below issues.

  • Unable to configure the Group Policy using the LAPS Administrator Template or missing LAPS Administrator Templates.

    Solution: You need to run the laps installation on the DC and remove all the options and select only ” GPO editor templates”

  • Manual Password reset via Fat Client / Command Line is not working.

    Solution : You need to run the GPupdate after the manual password reset on the computer where you are changing the password.

Good Luck.

December 15, 2019 at 2:29 pm Leave a comment

How to Track File Deletion on a File Server

Hi Folks

Anybody wants to enable auditing on their file server , for the purpose of tracking and auditing who has deleted any files or folders , I would recommend the below article.

https://blogs.technet.microsoft.com/askds/2009/08/04/tracking-a-remote-file-deletion-back-to-the-source/

It covers detailed steps on how to enable the Group Policy for auditing and enabling Folder level Auditing parameters. However after enabling the required configuration you need to filter out for the event ID’s 4663,4624,5140, and 4660 in the Security Event Log.

These event ID’s will provide the audit trail for the event.

June 18, 2019 at 12:22 pm Leave a comment

Additional Permissions needed for a Service Account to Reset and Change AD passwords and Unlock AD Accounts.

In some scenarios we had to delegate the  permission for a Junior Administrator to do some AD related tasks ,for example change/reset the AD user password , Unlock user account , etc. In this case most of the articles I have googled and referred pointing only to enable the
“Reset user passwords and force password change at next logon “. But what I realized is that this alone will not grant your the required permission.

Thus additionally you need to add a custom level delegation as provided below;

  • Create a custom task to delegate and click Next.
  • Select  Only the following objects in the folder from the Delegate control of option.
  • Select the User objects option as the object to which to delegate.
    Click Next to proceed.(Ensure Property-specific is selected.)
  • Scroll down to select the Read lockout Time and Write lockout Time.
  • Review the changes and click next to complete the wizard.

Please note that I have not listed any detailed steps on how to create the delegation rules as there are plenty of articles available on the Internet  that provides a very descriptive guidelines along with  the screenshots.

Source: https://webactivedirectory.com/knowledge-base/permissions-service-account-needs-reset-change-ad-passwords-unlock-ad-accounts/

June 28, 2018 at 11:20 am Leave a comment

SYSVOL Replication Error on Windows 2012 R2

Hi Guys

Recently we migrated  one of our customer’s  active directory domain controllers to a virtualized environment. During the DC migration  my colleague noticed that the SYSVOL and NETLOGON folders are not replicating it’s contents from the existing domain controller. Thus he copied the contents manually. But after some time client started reporting error like;

  • The Group Policy is not getting updated or Propagated to all the workstations / users.
  • Logon Scripts stopped working.

Thus when we digged in to the problem we were able to track down the issue to DFSR based sysvol replication, Most importantly the old DC was not replicating for almost 1300 days approximately(Figure.1) The below event ID’s helped us to track down the issue:

So when we started troubleshoot we tried to ran the commands stated in the Eventviewer(refer attached file) but no avail.

Also we ran the below command

For /f %i IN (‘dsquery server -o rdn’) do @echo %i && @wmic /node:”%i” /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername=’SYSVOL share’ get replicationgroupname,replicatedfoldername,state

Strangely the status on all the server showing 2 which is Initial Sync. (One of the reason for the problem) .Also in our MaxOfflineTimeInDays more than 1000 days. But
By default in Windows the  is set to 60 Days. In our case we need to extend it upto 1800 days where there was an offset of more than 1000. so we ran the command to force the servers to allow the content freshness for more than 1000 days.

wmic.exe /namespace:\\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays=1800

(Do not forget to bring it back the original value of 60 Days)

But sill no avail. Then we decided to Authoritative restore of the SYSVOL folders. We ran the below command set which were extracted from the MS KB:https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo)


Do this step on the PDC Emulator Role

Stop the DFSR Service

#net stop dfsr

Open the ADSIEDIT.MSC tool, modify the following DN and two attributes on the domain controller you want to make authoritative (preferably the PDC Emulator, which is usually the most up to date for SYSVOL contents):

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>

msDFSR-Enabled=FALSE
msDFSR-options=1

Modify the following DN and single attribute on all other domain controllers in that domain:

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>

msDFSR-Enabled=FALSE

Stop the DFSR service on all the remaining controllers

#net stop dfsr

Force Active Directory replication throughout the domain and validate its success on all DCs.

Start the DFSR service set as authoritative:(On the PDC emulator)

#net start dfsr

You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated.

On the same DN from Step 1, set:

msDFSR-Enabled=TRUE

Run the below command to force Active Directory replication throughout the domain and validate its success on all DCs.

#repadmin /syncall /AdP

Run the following command from an elevated command prompt on the same server that you set as authoritative:

DFSRDIAG POLLAD

You will see Event ID 4602 in the DFSR event log indicating SYSVOL has been initialized. That domain controller has now done a “D4” of SYSVOL.

Start the DFSR service on the other non-authoritative DCs.

#net start dfsr

You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated on each of them.

Modify the following DN and single attribute on all other domain controllers in that domain:

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>

msDFSR-Enabled=TRUE

Run the following command from an elevated command prompt on all non-authoritative DCs (i.e. all but the formerly authoritative one):

DFSRDIAG POLLAD

————————————————————————————-

Voila we could see the replication started working and when we checked the replication status  via the command

For /f %i IN (‘dsquery server -o rdn’) do @echo %i && @wmic /node:”%i” /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername=’SYSVOL share’ get replicationgroupname,replicatedfoldername,state

it shows  the status 4 (which is all synced)

I am listing the below articles which helped me in the initial troubleshooting.

https://support.microsoft.com/en-us/help/967336/a-newly-promoted-windows-2008-domain-controller-may-fail-to-advertise

http://www.itprotoday.com/windows-8/fixing-broken-sysvol-replication

https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo

http://kpytko.pl/active-directory-domain-services/non-authoritative-sysvol-restore-dfs-r

http://kpytko.pl/active-directory-domain-services/authoritative-sysvol-restore-dfs-r/

Good Luck

Muralee

Update 1 (29/01/2018) :

  • Added the start and stop DFSR commands.

November 5, 2017 at 12:19 pm 4 comments

Windows 2016 License Calculator

Hi

With recent change of Licensing approach by Microsoft to transient from Processor based to Core based license has triggered various confusions for customers.  But the HP has come up with a cool calculator that helps to calculate the exact licenses we need to procure per server  and the total rights for virtual OSE’s. Further this tool gives an option to add the number of VM’s that we are planning to host and in turn the tool gives the additional license pack we need to order;

http://h17007.www1.hpe.com/us/en/enterprise/servers/licensing/index.aspx#.WT5dwcb-vIU

June 12, 2017 at 12:51 pm Leave a comment

How to import Users to Windows 2012 Active Directory using PowerShell

Hi Guys

In many AD installations I do come across requirements  to create multiple users in Active Directory(More than 200 in many cases) .In these cases we could use the below mentioned CSV template and use the PS command to directly import the users in  to Active Directory.

users

Here the Path value is pointing to the OU that you want to place the users  in the Active Directory , which could be find using the Attribute Editor of the OU(We need to enable the Advance Feature in the ADUC Management Console)

PS Command Syntax
Import-CSV C:\anyname.csv | New-ADUser –AccountPassword (ConvertTo-SecureString –AsPlaintext “any complex password” –Force) –PassThru | Enable-ADAccount.

Example:

Import-CSV C:\Users_1.csv | New-ADUser –AccountPassword (ConvertTo-SecureString –AsPlaintext “P@ssw0rd” –Force) –PassThru | Enable-ADAccount

 

Update2:

I am including here another method to achieve the same.

# Prepare the CSV file as per below(You could any details as much as you want, by adding the correct attribute.)

firstname,lastname,username,email,department,password,jobtitle,company,ou,Mobile

# Then run the below powershell.

+ You must change the active directory domain name.

+ You must change the csv file name.

+ Ensure that , you have given the proper DN namespace for the OU Value. Otherwise , the script will fail with the below error messages:

“No superior reference has been configured for the directory”

“New-ADUser : The object name has bad syntax”

 

===================================================================================

# Import active directory module for running AD cmdlets
Import-Module activedirectory

#Store the data from ADUsers.csv in the $ADUsers variable
$ADUsers = Import-csv C:\test.csv

#Loop through each row containing user details in the CSV file
foreach ($User in $ADUsers)
{
#Read user data from each field in each row and assign the data to a variable as below

$Username = $User.username
$Password = $User.password
$Firstname = $User.firstname
$Lastname = $User.lastname
$OU = $User.ou #This field refers to the OU the user account is to be created in
$email = $User.email
$telephone = $User.Mobile
$jobtitle = $User.jobtitle
$company = $User.company
$department = $User.department
$Password = $User.Password

#Check to see if the user already exists in AD
if (Get-ADUser -F {SamAccountName -eq $Username})
{
#If user does exist, give a warning
Write-Warning “A user account with username $Username already exist in Active Directory.”
}
else
{
#User does not exist then proceed to create the new user account

#Account will be created in the OU provided by the $OU variable read from the CSV file
New-ADUser `
-SamAccountName $Username `
-UserPrincipalName “$Username@vands.pro” `
-GivenName $Firstname `
-Surname $Lastname `
-Name “$Firstname $Lastname” `
-DisplayName “$Lastname, $Firstname” `
-Enabled $True `
-Path $OU `
-Company $company `
-EmailAddress $email `
-Mobile $telephone `
-Title $jobtitle `
-Description $jobtitle `
-Department $department `
-AccountPassword (convertto-securestring $Password -AsPlainText -Force) -ChangePasswordAtLogon $True

}
}

===============================================================================

December 22, 2016 at 2:24 pm Leave a comment

Older Posts


Archives

Categories

Follow Hope you like it.. on WordPress.com

Blog Stats

  • 47,082 hits

%d bloggers like this: