Sunday, February 20, 2011

NETLOGON and SYSVOL Not Shared

If the SYSVOL is missing on a domain controller, you will see the following error in its logs:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1006
Date: 22/02/2010
Time: 6:01:40 PM
User: NT AUTHORITY\SYSTEM
Computer: DC1\
Description:
Windows cannot bind to contoso.com domain. (Local Error). Group Policy processing aborted.

To fix this, manually copy the SYSVOL folder from a healthy domain controller.

1.  On the Windows Server, log on as Domain Administrator.
2.  Click "Start > Run", enter "cmd".
3.  Enter "net stop ntfrs".
4.  Enter "regedit".
5.  Navigate to the following registry key on the domain controller you just copied the SYSVOL to:

HKLM\SYSTEM\CurrentControlSet\Services\Ntfrs\Parameters\Backup/Restore\Process at Startup

6.  Right-click "BurFlags", select "Modify".
7.  Type "D4", click "OK".
8.  Back to Command Prompt, enter "net start ntfrs".

Remark: This solution works on Windows Server 2000/2003.

For more information:
http://support.microsoft.com/kb/290762
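
Steps 3 to 8 as a script, followed by a check that both shares come back. This is an added example, not code from the original post or the KB article; it assumes PowerShell is installed on the domain controller, and the 10-minute wait is an arbitrary choice.

```powershell
# Added example: run in an elevated PowerShell session on the domain
# controller from step 5.
$ErrorActionPreference = 'Stop'

# "Backup/Restore" contains a forward slash, which the PowerShell registry
# provider treats as a path separator, so write the value through .NET instead.
$key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

Stop-Service -Name NtFrs
# 0xD4 is the "D4" from step 7; KB 290762 describes it as the authoritative restore.
[Microsoft.Win32.Registry]::SetValue($key, 'BurFlags', 0xD4, [Microsoft.Win32.RegistryValueKind]::DWord)
Start-Service -Name NtFrs

# The shares are published asynchronously, so poll instead of checking once.
$needed   = 'SYSVOL', 'NETLOGON'
$deadline = (Get-Date).AddMinutes(10)   # assumed timeout, adjust as needed
do {
    Start-Sleep -Seconds 15
    $shares  = @(Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name })
    $missing = @($needed | Where-Object { $shares -notcontains $_ })
} while ($missing.Count -gt 0 -and (Get-Date) -lt $deadline)

if ($missing.Count -gt 0) {
    # Netlogon publishes the shares only when SysvolReady is 1.
    $ready = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysvolReady
    Write-Warning "Still not shared: $($missing -join ', '). SysvolReady = $ready. Check the File Replication Service event log."
} else {
    Write-Output 'SYSVOL and NETLOGON are shared.'
}
```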

This posting is provided “AS IS” with no warranties, and confers no rights!

Domain Controller demotion (Force removal)


1.  On the child domain controller, log on as Child Domain Administrator.
2.  Click "Start > Run", type "dcpromo /forceremoval" and press [Enter].
3.  When the warning pops up, click "Yes".
4.  Click "Yes".
5.  Click "Yes".
6.  Click "Yes".
7.  At the welcome screen, click "Next" twice.
8.  Provide the Administrator password, click "Next".
9.  Click "Next".
10. Click "Finish".
11. Click "Restart Now".

Remark: After removing the child domain controller, you need to run "ntdsutil" to clean up the child domain information.


Domain Controller demotion (Normal State)


1.  On the child domain controller, log on as Child Domain Administrator.
2.  Click "Start > Run", type "dcpromo" and press [Enter].
3.  At the welcome screen, click "Next".
4.  Check "This server is the last domain controller in the domain", click "Next" twice.
5.  Check "Delete all application directory partitions on this domain controller", click "Next".
6.  At the Network credentials screen, provide the Enterprise Domain Administrator user name and password, click "Next".
7.  Provide a new password for the Server administrator account, click "Next" twice.
8.  Click "Finish", click "Restart Now".


Friday, February 11, 2011

Using VHD tool

VHD tool is an unmanaged code command-line tool which provides useful VHD manipulation functions including instant creation of large fixed-size VHDs. The source code is included.


It can create a large fixed-size VHD extremely fast.

Go to the following website to download VHD Tool.

http://code.msdn.microsoft.com/vhdtool

VHD Tool provides these functions:

Create:   Creates a new fixed format VHD of size <Size>.
          WARNING - this function is admin only and bypasses file system security. The resulting VHD file will contain data which currently exists on the physical disk.

Convert:  Converts an existing RAW disk image file to a fixed-format VHD. The existing file length, rounded up, will contain block data. A VHD footer is appended to the current end of file.

Extend:   Extends an existing fixed format VHD to a larger size <Size>.
          WARNING - this function is admin only and bypasses file system security. The resulting VHD file will contain data which currently exists on the physical disk.

Repair:   Repairs a broken Hyper-V snapshot chain where an administrator has expanded the size of the root VHD. The base VHD will be returned to its original size. THIS MAY CAUSE DATA LOSS if the contents of the base VHD were changed after expansion.

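The WARNING on Create and Extend means a freshly made VHD can carry whatever was previously stored in those disk sectors. The function below is an added example, not VHD Tool code: it assumes the standard fixed-VHD layout (raw block data followed by a 512-byte footer starting with the cookie "conectix") and is meant for a VHD that has not yet been partitioned or written to.

```powershell
# Added example. Returns the offset of the first non-zero byte in the block
# area of a fixed-format VHD, or -1 if the block area is entirely zero.
function Test-VhdLeftoverData {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [int]$ChunkSize = 4MB
    )
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)   # maps bytes 1:1 to chars
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        if ($fs.Length -lt 512) { throw 'File is too small to hold a VHD footer.' }

        # Read and validate the footer stored in the last 512 bytes.
        $footer = New-Object byte[] 512
        $null = $fs.Seek(-512, [System.IO.SeekOrigin]::End)
        $null = $fs.Read($footer, 0, 512)
        if ($latin1.GetString($footer, 0, 8) -ne 'conectix') { throw 'No VHD footer found.' }
        # Disk type is a big-endian 32-bit field at offset 60; 2 means fixed.
        if (($footer[60..63] -join ',') -ne '0,0,0,2') { throw 'Not a fixed-format VHD.' }

        $dataLength = $fs.Length - 512
        $null = $fs.Seek(0, [System.IO.SeekOrigin]::Begin)
        $buffer = New-Object byte[] $ChunkSize
        [long]$offset = 0
        while ($offset -lt $dataLength) {
            $want = [int][Math]::Min([long]$ChunkSize, $dataLength - $offset)
            $read = $fs.Read($buffer, 0, $want)
            if ($read -le 0) { break }
            # Trimming leading NULs is a fast way to locate the first non-zero byte.
            $rest = $latin1.GetString($buffer, 0, $read).TrimStart([char]0)
            if ($rest.Length -gt 0) { return ($offset + $read - $rest.Length) }
            $offset += $read
        }
        return -1
    }
    finally { $fs.Close() }
}
```

A result other than -1 on a new VHD means old disk contents are inside the file, so zero it before handing it to another user or tenant.
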

Tuesday, February 8, 2011

Change the static IP address of a domain controller



Prerequisites
·  In your production environment, you should have an alternate Domain Name System (DNS) server.
·  You should modify the DHCP server to distribute the alternate DNS server and the new DNS server IP.
·  If the affected client computers are configured with static IP addresses, you need to change the IP address.

Lab
To perform this procedure, you must be a member of the Domain Admins group in the domain of the domain controller whose IP address you are changing.

1. On the DC, log on as Domain Administrator.
2. Click "Start > Run", enter "ncpa.cpl".
3. Right-click "Local Area Connection", select "Properties".
4. Double-click "Internet Protocol Version 4 (TCP/IPv4)".
5. Next to "IP address", type the new address.
6. Next to "Subnet mask", type the new subnet mask.
7. Next to "Default gateway", type the new Default gateway.
8. Next to "Preferred DNS server", type the new address of the DNS Server.
9. Next to "Alternate DNS server", type the address of the DNS Server that this computer contacts.
10. Click "OK".
11. Click "Close".
12. Launch Command Prompt, enter the following commands:

Ipconfig /registerdns
Dcdiag /fix



Ensure the service records are appropriately registered with DNS.
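
One way to make that last check repeatable, as an added example that is not part of the original post. It asks a named DNS server directly, so a stale local resolver cache cannot hide a problem; it assumes English nslookup output, and every parameter value is supplied by you.

```powershell
# Added example. Reports whether the DC's host (A) record carries the new IP,
# whether the old IP is still registered, and whether the _ldap SRV record
# for the domain lists this DC.
function Test-DcDnsRecords {
    param(
        [Parameter(Mandatory = $true)][string]$DcFqdn,
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$NewIp,
        [Parameter(Mandatory = $true)][string]$OldIp,
        [Parameter(Mandatory = $true)][string]$DnsServer
    )
    $aText   = (& nslookup -type=A $DcFqdn $DnsServer 2>$null) -join "`n"
    $srvText = (& nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $DnsServer 2>$null) -join "`n"

    # Drop the "Server:/Address:" header, which always shows the DNS server's
    # own address and would give a false match when the DC is its own DNS server.
    $answer = ($aText -split 'Name:', 2)[1]

    # Match whole addresses only, so 172.16.30.1 does not match 172.16.30.10.
    $newPattern = '(?<![\d.])' + [regex]::Escape($NewIp) + '(?![\d.])'
    $oldPattern = '(?<![\d.])' + [regex]::Escape($OldIp) + '(?![\d.])'

    New-Object PSObject -Property @{
        HostRecordHasNewIp = [bool]($answer -match $newPattern)
        OldIpStillPresent  = [bool]($answer -match $oldPattern)
        SrvRecordListsDc   = [bool]($srvText -match [regex]::Escape($DcFqdn))
    }
}
```

Run it against each DNS server that clients use; a server that still shows OldIpStillPresent as True has not yet received the updated record.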


Move Root Certificate Authority from Windows Server 2003 to Windows Server 2008

In this scenario, we have the following servers:

Server Name              IP Address        Operating System         Server Role
DC01.contoso.com         172.16.30.10/24   Windows Server 2003 R2   Domain Controller, Global Catalog, DNS Server
CA01.contoso.com (Old)   172.16.30.11/24   Windows Server 2003 R2   Certification Authority
CA01.contoso.com (New)   172.16.30.12/24   Windows Server 2008 R2   Certification Authority


Assume the Certification Authority is already installed on CA01.

Lab
1.     On the CA01 server, log on as Domain Administrator.
2.     Click Start > Administrative Tools > Certification Authority.
3.     Right-click Domain name, select All Tasks > Back up CA.
4.     At welcome screen, click Next.
5.     Check Private key and CA certificate and Certificate database and certificate database log.
6.     Click Browse.
7.     Select C:\CA Backup, click OK.

Remark: You need to create the CA Backup folder.


8.     Click Next.
9.     Provide the password for backup, click Next.
10.  Click Finish.
11.  Click Start > Run, enter regedit.
12.  Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.


13.  Right-click Configuration, select Export.
14.  Save the registry file in the C:\CA Backup folder.

Remark: You can enter the following command to export the registry:
reg export HKLM\System\CurrentControlSet\Services\CertSvc\Configuration "C:\CA Backup\backup.reg"

15.  Click Start > Run, enter appwiz.cpl.
16.  Click Add/Remove Windows Components.
17.  Uncheck Certificate Services, click Next.
18.  Click Finish.
19.  Click Start > Run, enter sysdm.cpl.
20.  Select Computer Name tab, click Change.
21.  Under Computer name, type CA02.


22.  Click OK.
23.  Restart CA02.
24.  At Windows Server 2008 R2 server, logon as Local Administrator.

25.  Click Start, enter sysdm.cpl.
26.  Select Computer Name tab, click Change.
27.  Under Computer name, type CA01.
28.  Next to Member of, select Domain.
29.  Under Domain, type contoso.com.


30.  Click OK.
31.  After joining the domain, restart the computer.
32.  When the restart process is finished, logon as Domain Administrator.
33.  Click Start, type \\CA02\C$
34.  Copy CA Backup to C:\
35.  Click the Server Manager icon.
36.  Right-click Roles, select Add Roles.
37.  At welcome screen, click Next.
38.  Check Active Directory Certificate Services.


39.  Click Next twice.
40.  Check Certification Authority and Certification Authority Web Enrollment.
41.  Click Add Required Role Services.




42.  Click Next.
43.  Keep Enterprise selected, click Next.
44.  Select Root CA, click Next.
45.  At Set Up Private Key screen, select Use existing private key > Select a certificate and use its associated private key.


46.  Click Next.
47.  Click Import.
48.  Click Browse.
49.  Select C:\CA Backup\Contoso Root CA.p12.


50.  Enter the password for the private key, click OK.
51.  Select the Certificate.


52.  Click Next three times.
53.  At Select Role Services screen, check Basic Authentication.


54.  Click Next.
55.  Click Install.
56.  Click Close.
57.  Click Start, enter certsrv.msc.
58.  Right-click Domain name, select All Tasks > Stop Service.
59.  Click Start, enter regedit.
60.  Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.

Remark: If the path that is shown in the registry export from the old CA differs from the new path, you must adjust your registry export accordingly.


61.  Close Registry Editor.
62.  Launch Windows Explorer, navigate to C:\CA Backup.
63.  Double-click the registry file to import the setting.
64.  Back to Certification Authority, right-click Domain Name, select All Tasks > Restore CA.
65.  At welcome screen, click Next.
66.  Check Private key and CA certificate and Certificate database and certificate database log.
67.  Click Browse.
68.  Select C:\CA Backup, click OK.


69.  Click Next.
70.  Enter the password that you set for the backup earlier, click Next.
71.  Click Finish.


72.  Click Yes to start the ADCS service.
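
The C:\CA Backup folder holds the root CA private key (.p12), the certificate database and the registry export, and steps 33 and 34 move it between servers over an administrative share. The functions below are an added example, not part of the original procedure: they record a SHA-256 hash for every file after step 14 and re-check them after step 34, before anything is imported. The manifest path is hypothetical and must be outside the backup folder.

```powershell
# Added example. Hashing goes through .NET so no extra cmdlets are required.
function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { return ([BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '') }
    finally { $stream.Close() }
}

# Old CA, after step 14: write one row per file (relative path plus hash).
function New-BackupManifest {
    param([string]$Folder, [string]$ManifestPath)
    $root = (Resolve-Path $Folder).Path.TrimEnd('\')
    Get-ChildItem -Path $root -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                RelativePath = $_.FullName.Substring($root.Length + 1)
                SHA256       = Get-FileSha256 $_.FullName
            }
        } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

# New CA, after step 34: returns $true only if every file is present and unchanged.
function Test-BackupManifest {
    param([string]$Folder, [string]$ManifestPath)
    $root = (Resolve-Path $Folder).Path.TrimEnd('\')
    $ok = $true
    foreach ($entry in Import-Csv -Path $ManifestPath) {
        $file = Join-Path $root $entry.RelativePath
        if (-not (Test-Path -LiteralPath $file)) {
            Write-Warning "Missing: $($entry.RelativePath)"; $ok = $false
        } elseif ((Get-FileSha256 $file) -ne $entry.SHA256) {
            Write-Warning "Changed: $($entry.RelativePath)"; $ok = $false
        }
    }
    return $ok
}

# Old CA:  New-BackupManifest  'C:\CA Backup' 'C:\ca-backup-manifest.csv'
# New CA:  Test-BackupManifest 'C:\CA Backup' 'C:\ca-backup-manifest.csv'
```

Carry the manifest to the new server separately from the backup folder, and delete the backup copies from both servers once the restored CA is confirmed working.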
