AD DS : Sysvol Replication Optimisations (DFSR and Central Store)

You may not be aware that new functionality is built into Windows 2008 and Windows 2008 R2 that can help optimise SYSVOL replication in your environment. These technologies are DFSR replication and the PolicyDefinitions Central Store.

Implementing the PolicyDefinitions Central Store

This change is a simple quick win; to implement it follow these steps:

  1. Create a PolicyDefinitions folder under \\<domain_controller_fqdn>\SYSVOL\<domain_fqdn>\Policies (for example \\DC1.domain.local\SYSVOL\domain.local\Policies\PolicyDefinitions)
  2. Copy the contents of C:\Windows\PolicyDefinitions to this new folder
  3. Verify the Central Store is now in use: in a Group Policy editor window, select the Administrative Templates node; you should see "Administrative Templates: Policy definitions (ADMX files) retrieved from the central store."
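The three steps above as a script, added here as an example and not part of the original post. It assumes it is run from a domain-joined machine with write access to SYSVOL, takes the domain FQDN from $env:USERDNSDOMAIN, seeds the store from the local C:\Windows\PolicyDefinitions set (including the language sub-folders that hold the ADML files), and then counts what landed in the store so a partial copy is noticed straight away.

```powershell
# Added example (not from the original post): build the PolicyDefinitions
# Central Store in SYSVOL and verify it. Assumes the local ADMX/ADML set is
# the one you want to publish and that the account can write to SYSVOL.
$Domain       = $env:USERDNSDOMAIN
$LocalAdmx    = Join-Path $env:SystemRoot 'PolicyDefinitions'
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

if (-not (Test-Path $LocalAdmx)) {
    throw "Local ADMX folder not found: $LocalAdmx"
}

# Step 1: create the folder (safe to re-run)
if (-not (Test-Path $CentralStore)) {
    New-Item -ItemType Directory -Path $CentralStore | Out-Null
    Write-Host "Created $CentralStore"
}

# Step 2: copy the ADMX files plus the language folders (e.g. en-US) with the ADML files;
# -Force overwrites older copies already in the store
Copy-Item -Path (Join-Path $LocalAdmx '*') -Destination $CentralStore -Recurse -Force

# Step 3: verify by comparing file counts; SYSVOL replication then carries the store to other DCs
$localCount   = (Get-ChildItem $LocalAdmx    -Recurse -Include *.admx,*.adml).Count
$centralCount = (Get-ChildItem $CentralStore -Recurse -Include *.admx,*.adml).Count
Write-Host ("Local ADMX/ADML files: {0}   Central Store: {1}" -f $localCount, $centralCount)
if ($centralCount -lt $localCount) {
    Write-Warning 'Central Store is missing files; re-run the copy or check NTFS permissions on SYSVOL.'
}
```

After the copy, open a Group Policy editor and check the Administrative Templates node for the "retrieved from the central store" text; until SYSVOL has replicated, other DCs may still show the local files.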

Implementing DFSR Replication

  1. Check SYSVOL status on all Domain Controllers by querying the following registry key: reg query HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /s (SysvolReady should be set to '1')
  2. Check that Domain Controllers are replicating properly: repadmin /showreps and repadmin /replsum
  3. From the PDC FSMO role holder execute: dfsrmig /SetGlobalState 1
  4. Wait for all domain controllers to report they have reached the 'PREPARED' state: dfsrmig /getMigrationState
  5. Again, check replication: repadmin /showreps and repadmin /replsum
  6. From the PDC FSMO role holder execute: dfsrmig /setGlobalState 2
  7. Wait for all domain controllers to report they have reached the 'REDIRECTED' state: dfsrmig /getMigrationState
  8. Again, check replication: repadmin /showreps and repadmin /replsum
  9. From the PDC FSMO role holder execute: dfsrmig /setGlobalState 3 (NOTE: from here on in you can't roll back this change)
  10. Wait for all domain controllers to report they have reached the 'ELIMINATED' state: dfsrmig /getMigrationState

More information about the process available here: http://technet.microsoft.com/en-us/library/dd640019(v=ws.10).aspx
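The ten steps above wrapped into one script, added here as an example (not the original post's code). It assumes it runs elevated on the PDC emulator with the ActiveDirectory module installed, reads SysvolReady over the remote registry with the same reg query the post uses, treats any non-zero "fails" column in repadmin /replsum as a stop condition, and polls dfsrmig /getMigrationState until the output contains the phrase "consistent state", which is what dfsrmig prints once every DC matches the global state; confirm that wording on your build before relying on it. Because state 3 cannot be rolled back, the script only attempts it when $Eliminate is set to $true.

```powershell
# Added example (not from the original post): drive the SYSVOL FRS-to-DFSR
# migration from the PDC emulator, checking readiness and replication before
# each state change. Assumes the ActiveDirectory module and remote registry access.
Import-Module ActiveDirectory

function Test-SysvolReady {
    # Step 1: SysvolReady must be 1 on every DC (read via remote registry, as in the post)
    $allReady = $true
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $out = (reg query "\\$dc\HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v SysvolReady 2>&1) -join ' '
        $ready = if ($out -match 'SysvolReady\s+REG_DWORD\s+(0x[0-9a-fA-F]+)') { [int]$matches[1] } else { -1 }
        Write-Host ("{0,-30} SysvolReady={1}" -f $dc, $ready)
        if ($ready -ne 1) { $allReady = $false }
    }
    return $allReady
}

function Test-Replication {
    # Steps 2, 5 and 8: run repadmin /replsum and flag any row whose fails/total has non-zero fails
    $summary = repadmin /replsum
    $summary | Write-Host
    $failing = $summary | Where-Object { $_ -match '\s([1-9]\d*)\s*/\s*\d+\s+\d+' }
    return ($LASTEXITCODE -eq 0 -and -not $failing)
}

function Set-SysvolMigrationState {
    param([ValidateSet(1, 2, 3)][int]$State)
    $names = @{ 1 = 'PREPARED'; 2 = 'REDIRECTED'; 3 = 'ELIMINATED' }
    dfsrmig /SetGlobalState $State | Write-Host
    do {
        # Steps 4, 7 and 10: poll until dfsrmig reports every DC at the new global state
        Start-Sleep -Seconds 60
        $status = (dfsrmig /GetMigrationState) -join "`n"
        Write-Host $status
    } until ($status -match 'consistent state')   # assumed completion wording, see lead-in
    Write-Host "All domain controllers are now $($names[$State])"
}

$Eliminate = $false   # set to $true only when ready for the irreversible step 9

if (-not (Test-SysvolReady)) { throw 'SysvolReady is not 1 on every DC; fix that before migrating.' }
$states = if ($Eliminate) { 1, 2, 3 } else { 1, 2 }
foreach ($state in $states) {
    if (-not (Test-Replication)) { throw "repadmin reports replication failures before state $state; stop and investigate." }
    Set-SysvolMigrationState -State $state
}
```

Run it once to reach REDIRECTED, let the environment settle, then re-run with $Eliminate set to move to ELIMINATED; re-issuing a state the DCs already hold is harmless.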

Windows Server: Folder Redirection – Migration

I recently had to migrate a load of redirected folders from one server to a NetApp CIFS vFiler. The redirected folders were being accessed via a DFS Namespace, had Exclusive Rights for users and contained up to 20GB per user, with some files having specific ACLs that prevented even the SYSTEM account from accessing them! Needless to say this wasn't a simple process.

Firstly let me point out a simple way of doing this in a smaller environment. If you update your Group Policy Folder Redirection options (or apply a new policy with higher precedence) and the Redirection Policy is configured to "Move the contents of xxxx to the new location", then at logon the users' files will be moved to the new location: an automated migration that works well for small amounts of data.

With up to 20GB of data per user the above solution simply wasn't going to cut it; it would have added hours of delay for users logging on. We opted to pre-stage the data, which meant we had to disable "Move the contents of xxxx to the new location" for each folder we were pre-staging. This is an important step! You should allow a week or two for all users to get this change before proceeding with your migration.

Next problem: how to pre-stage the data! RoboCopy failed miserably due to the ACLs and exclusive rights, so we used a tool called SecureCopy, which worked really well, to a point: open files, and files with specific ACLs which users had set, were not pre-staged. The number of these files totalled around 2,300!

We needed to pre-stage these files as many of them were current, business-related documents... welcome back to the fight, RoboCopy! We deployed a script (below) to run at user logon, as the user, that would copy the missing files (using /MIR to mirror the folder contents) from the Windows box to the NetApp CIFS. This ran for a few days to minimise the amount of missing data when we 'flipped the switch.'

Finally, with the data pre-staged, we changed the GPO folder redirection options to point to the vFiler shares. The RoboCopy script was still running, so when users logged on they got the migrated, pre-staged redirected folders, fully up to date 🙂

All-in-all the process took a few days (weeks if you include the initial step to disable “Move folder contents…”) but the end result was minimal interruption to users – which in the world of infrastructure is a good thing.

In short, the process was:

  1. Disable “Move the contents of xxxx to the new location” for each redirected folder
  2. Wait a week or two!
  3. Use SecureCopy to pre-stage most of the data
  4. Deploy a RoboCopy user logon script to mirror the user data on the old Windows box to the CIFS vFiler folder containing the users’ data.
  5. Wait a few days to minimise the amount of un-synched data
  6. Change the folder redirection policy / deploy a new GPO with higher precedence

Copy Script:

Option Explicit
On Error Resume Next
'-----------------------
'-------- Define Variables
'-----------------------
Dim objNetwork, strUserName, objFSO, checkFile, logPath
Dim srcSrv, myDocShare, myFaveShare, myDeskShare
Dim dstSrv, myDocDst, myFaveDst, myDeskDst

Set objNetwork = WScript.CreateObject("WScript.Network")
Set objFSO = CreateObject("Scripting.FileSystemObject")

'-----------------------
'-------- Obtain User Logon Name
'-----------------------
strUserName = objNetwork.UserName
'Share path to create log files for each RoboCopy operation
logPath = "\\SERVER\Share\Folder\"

'-----------------------
'-------- Define redirected folders to check
'-----------------------
'Source
srcSrv = "\\Server or DFS NameSpace Root\"
'Destination
dstSrv = "\\Server or DFS Name Space Root\"

'Source Share Paths, add more if required, be sure to define variables at the top of the script
'and destination paths below
myDocShare = "MyDocuments\" & strUserName
myFaveShare = "MyFavourites\" & strUserName
myDeskShare = "MyDesktop\" & strUserName
'Destination Share Paths
myDocDst = "MyDocuments\" & strUserName
myFaveDst = "MyFavourites\" & strUserName
myDeskDst = "MyDesktop\" & strUserName

'-----------------------
'-------- Check User Has Not Been Processed Already
'-----------------------
If Not objFSO.FileExists(dstSrv & myDocShare & "\SharesMirrored") Then
    '-----------------------
    '-------- Check Redirected Folders, add any additional shares created above
    '-----------------------
    CheckFolder myDocShare
    CheckFolder myFaveShare
    CheckFolder myDeskShare

    '----------------------
    '-------- Create Marker File (left commented so the copy re-runs at every logon)
    '----------------------
    'Set checkFile = objFSO.CreateTextFile(dstSrv & myDocShare & "\SharesMirrored", True)
Else
    WScript.Quit
End If

'-----------------------
'-------- Subs/Functions (declared at script level; VBScript does not allow a Sub inside an If block)
'-----------------------
Sub CheckFolder(fldName)
    Dim objShell, logName
    Set objShell = CreateObject("WScript.Shell")

    'Pick a log file name based on the folder being copied
    If InStr(fldName, "Documents") > 0 Then
        logName = "Docs"
    ElseIf InStr(fldName, "Desktop") > 0 Then
        logName = "Desktop"
    ElseIf InStr(fldName, "Favourites") > 0 Then
        logName = "Faves"
    End If

    'Perform Validation
    If strUserName = "" Or srcSrv = "" Or fldName = "" Or dstSrv = "" Then
        'Do Nothing
    Else
        'Hide the window and run all copies asynchronously (window style 0, do not wait)
        objShell.Run "robocopy.exe " & Chr(34) & srcSrv & fldName & Chr(34) & " " _
            & Chr(34) & dstSrv & fldName & Chr(34) & " /COPY:DAT /E /XX /XO /R:1 /W:5 /LOG:" & Chr(34) _
            & logPath & strUserName & "-" & logName & ".txt" & Chr(34), 0, False
    End If
End Sub
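An audit for the gap the post describes, added here as an example and not part of the original post: before flipping the GPO, compare one user's source and destination trees and list files that are missing or older on the vFiler side, plus files the copying account cannot even read (the user-set ACLs that defeated SecureCopy). The paths are constructed placeholders; run it as an account with read access to both locations, or as the user in the same way as the logon script. It avoids PowerShell 3.0-only parameters so it runs on the 2008-era hosts the post deals with.

```powershell
# Added example (not from the original post): report what pre-staging missed
# for one user's redirected folder. Assumes placeholder UNC paths below.
param(
    [string]$SourceRoot      = '\\OLDSERVER\MyDocuments\jsmith',
    [string]$DestinationRoot = '\\VFILER\MyDocuments\jsmith',
    [string]$ReportPath      = '\\SERVER\Share\Folder\jsmith-prestage-audit.csv'
)

function Get-PreStageGaps {
    param([string]$Source, [string]$Destination)
    $gaps = @()

    # -ErrorVariable collects access-denied entries instead of aborting the walk;
    # -Force includes hidden/system files such as desktop.ini
    $srcFiles = Get-ChildItem -Path $Source -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable accessErrors |
                Where-Object { -not $_.PSIsContainer }

    foreach ($err in $accessErrors) {
        # Typically UnauthorizedAccessException: the user-set ACLs the post mentions
        $gaps += New-Object PSObject -Property @{
            Path = $err.TargetObject; Reason = 'AccessDenied'; Detail = $err.Exception.Message }
    }

    foreach ($file in $srcFiles) {
        $relative = $file.FullName.Substring($Source.TrimEnd('\').Length + 1)
        $target   = Join-Path $Destination $relative
        if (-not (Test-Path -LiteralPath $target)) {
            $gaps += New-Object PSObject -Property @{ Path = $file.FullName; Reason = 'Missing'; Detail = $target }
        }
        elseif ((Get-Item -LiteralPath $target -Force).LastWriteTimeUtc -lt $file.LastWriteTimeUtc) {
            # Source newer than destination: the file changed after pre-staging (robocopy /XO will refresh it)
            $gaps += New-Object PSObject -Property @{ Path = $file.FullName; Reason = 'OlderAtDestination'; Detail = $target }
        }
    }
    return $gaps
}

$report = @(Get-PreStageGaps -Source $SourceRoot -Destination $DestinationRoot)
$report | Select-Object Reason, Path, Detail | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Group-Object Reason | ForEach-Object { Write-Host ("{0,-20} {1}" -f $_.Name, $_.Count) }
if ($report.Count -eq 0) { Write-Host "No gaps: $SourceRoot is fully pre-staged." }
```

Loop it over the user folders under the share to get the total count of un-synced files before the cut-over; the AccessDenied rows are the ones that only a copy running as the owning user (the logon script approach) can clear.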

 

Windows Server : A simple DFS Migration Plan

I recently used the steps below to move DFS Name Spaces from one server to another without interruption to client connectivity.

  1. Install OS and configure the server that you will move the DFS namespaces to
  2. Create SMB shares on the server that you will host the DFS Namespaces from
  3. Replicate the data, either using DFS, RoboCopy or SecureCopy. For fairly static data the last two are fine, for data that changes more frequently I would choose DFS. Before proceeding make sure that all data is replicated.
  4. Add new server to DFS Namespace(s) that you have replicated the data for using the DFS Management Console
  5. Wait for AD DS replication to ensure that the additional server is listed on DFS clients (use dfsutil /pktinfo to verify)
  6. Set referral order override; configure the new server as “First amongst all targets” and the old server as “Last amongst all targets” using the DFS Management Console
  7. Again, wait for AD DS replication to ensure that the additional server is listed on DFS clients (use dfsutil /pktinfo to verify)
  8. If both DFS servers are Windows 2008 R2 then you can now disable the old server in the DFS namespace server list using the DFS Management Console; if one of the servers is running a previous version of Windows, skip to step 10.
  9. Wait for AD DS replication, again checking with dfsutil /pktinfo
  10. Delete the old server from the Name Space(s) using the DFS Management Console

Windows : Troubleshooting Automatic Updates

Troubleshooting Automatic Updates, especially in versions of Windows prior to Windows Server 2008, can be a bit of a pain.

Your first port of call should always be C:\Windows\WindowsUpdate.log; this log is invaluable in troubleshooting update issues.

You can trigger detection of updates using the command: wuauclt.exe /detectnow

You can trigger installation of updates using the command: wuauclt.exe /updatenow

Another useful command in a managed (WSUS) environment is: wuauclt.exe /resetauthorization /detectnow

If using WSUS you should also confirm that the "target group" is correct. Search the log file mentioned above for "target group" to confirm this.
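A small triage script, added here as an example and not part of the original post: it reads the WSUS client policy values (WUServer, WUStatusServer, TargetGroup, TargetGroupEnabled, UseWUServer, AUOptions) from the standard WindowsUpdate policy registry keys, then pulls the "target group" and WSUS server lines out of WindowsUpdate.log together with any WARNING/FATAL lines, so the target group the client reports into can be compared with the group WSUS expects. It changes nothing; re-detection is still triggered with the wuauclt commands above.

```powershell
# Added example (not from the original post): show the WSUS client settings and
# the WindowsUpdate.log lines that matter for a "wrong target group" investigation.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = Join-Path $policy 'AU'
$log    = Join-Path $env:SystemRoot 'WindowsUpdate.log'

function Get-WsusClientConfig {
    # Values are absent (null) when no WSUS policy applies, which is itself a finding
    $p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $a = Get-ItemProperty -Path $au     -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        WUServer           = $p.WUServer
        WUStatusServer     = $p.WUStatusServer
        TargetGroupEnabled = $p.TargetGroupEnabled
        TargetGroup        = $p.TargetGroup
        UseWUServer        = $a.UseWUServer
        AUOptions          = $a.AUOptions
    }
}

function Get-WindowsUpdateLogHints {
    param([int]$Last = 20)
    if (-not (Test-Path $log)) { Write-Warning "Log not found: $log"; return }
    # "target group" shows the group the client is reporting into; WARNING/FATAL lines show failures
    Select-String -Path $log -Pattern 'target group', 'WSUS server', 'FATAL', 'WARNING' |
        Select-Object -Last $Last |
        ForEach-Object { $_.Line }
}

Get-WsusClientConfig | Format-List
Get-WindowsUpdateLogHints

# After correcting policy, re-register and re-detect (the post's commands):
# wuauclt.exe /resetauthorization /detectnow
```

If TargetGroupEnabled is 1 but TargetGroup is empty or misspelt, the client lands in Unassigned Computers on the WSUS server; that is the mismatch the log search is meant to expose.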

Windows 2008 : DFS Client Referral Cache Management

The following commands can be used to manage the DFS Client Referral Cache. This is useful when migrating DFS namespace servers or troubleshooting client referral issues.

  • To view the current referral cache: dfsutil /pktinfo
  • To clear the referral cache: dfsutil /pktflush
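The two dfsutil commands above, and the "wait for the new server to appear in dfsutil /pktinfo" checks in steps 5, 7 and 9 of the DFS migration plan, as one parser, added here as an example and not part of the original posts. It flushes the cache, touches the namespace path so the client fetches a fresh referral, and then reads the referral list back. The output layout it parses (an "Entry: \domain\namespace" line followed by indented "n:[\\server\share] AccessStatus ..." lines) is an assumption about dfsutil on Windows 2008 R2; check it against your own output if nothing matches. The namespace and server names at the bottom are constructed.

```powershell
# Added example (not from the original post): parse dfsutil /pktinfo to see
# which namespace servers this client currently holds referrals for.
function Get-DfsReferralCache {
    param([switch]$FlushFirst, [string]$WarmPath)
    if ($FlushFirst) { dfsutil /pktflush | Out-Null }
    # A flushed cache is empty until something touches the namespace, so request a referral
    if ($WarmPath) { Test-Path $WarmPath | Out-Null }

    $entries = @()
    $current = $null
    foreach ($line in (dfsutil /pktinfo)) {
        if ($line -match '^\s*Entry:\s+(\S+)') {
            $current = New-Object PSObject -Property @{ Entry = $matches[1]; Targets = @() }
            $entries += $current
        }
        elseif ($current -and $line -match '^\s*\d+:\[\\\\?([^\\\]]+)\\[^\]]*\]\s*(.*)$') {
            # $matches[1] is the target server name, $matches[2] the status text (e.g. ACTIVE TARGETSET)
            $current.Targets += New-Object PSObject -Property @{ Server = $matches[1]; Status = $matches[2].Trim() }
        }
    }
    return $entries
}

function Test-DfsTargetVisible {
    param([string]$NamespacePath, [string]$Server)
    $unc   = '\' + $NamespacePath   # "\domain.local\Public" -> "\\domain.local\Public"
    $entry = Get-DfsReferralCache -FlushFirst -WarmPath $unc | Where-Object { $_.Entry -ieq $NamespacePath }
    if (-not $entry) { Write-Warning "No referral cached for $NamespacePath"; return $false }
    $entry.Targets | ForEach-Object { Write-Host ("  {0,-25} {1}" -f $_.Server, $_.Status) }
    return [bool]($entry.Targets | Where-Object { $_.Server -ieq $Server })
}

# Usage (constructed names): has NEWSERVER shown up in the referral for \domain.local\Public yet?
Test-DfsTargetVisible -NamespacePath '\domain.local\Public' -Server 'NEWSERVER'
```

Run it on a client in each site; a $false result after AD DS replication has completed usually means the client is talking to a DC that has not yet received the namespace change, or the referral is still cached on an intermediate hop.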

Windows 2008 : Command Line Configure Network Adapters

Use the following commands to configure IPv4 settings for a NIC. 

First identify the NIC you wish to configure – obtain the Idx number of the NIC: netsh int ipv4 show int

Now set the IP address, subnet and gateway address: netsh int ipv4 set address 11 static 192.168.1.100 255.255.255.0 gateway=192.168.1.254

Now configure the primary DNS for the NIC: netsh int ipv4 set dnsserver 11 static 192.168.1.1

Finally, the secondary DNS for the NIC: netsh int ipv4 add dnsserver 11 192.168.1.2
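The same four netsh commands driven from the adapter's name rather than a hand-copied Idx, added here as an example and not part of the original post. It parses the Idx column out of netsh int ipv4 show int (header and separator lines are skipped by the regex), then runs the set address / set dnsserver / add dnsserver commands exactly as above, stopping at the first non-zero exit code. The addresses and the adapter name at the bottom are constructed; run elevated.

```powershell
# Added example (not from the original post): look up an adapter's Idx by name
# and apply static IPv4, gateway and DNS settings with netsh.
function Get-NetshInterfaceIndex {
    param([string]$Name)
    # Output columns: Idx  Met  MTU  State  Name
    foreach ($line in (netsh int ipv4 show int)) {
        if ($line -match '^\s*(\d+)\s+\d+\s+\d+\s+\S+\s+(.+?)\s*$' -and $matches[2] -ieq $Name) {
            return [int]$matches[1]
        }
    }
    throw "Interface '$Name' not found in 'netsh int ipv4 show int'"
}

function Set-StaticIPv4 {
    param(
        [string]$InterfaceName,
        [string]$Address, [string]$Mask, [string]$Gateway,
        [string]$PrimaryDns, [string]$SecondaryDns
    )
    $idx = Get-NetshInterfaceIndex -Name $InterfaceName
    $commands = @(
        "int ipv4 set address $idx static $Address $Mask gateway=$Gateway",
        "int ipv4 set dnsserver $idx static $PrimaryDns",
        "int ipv4 add dnsserver $idx $SecondaryDns"
    )
    foreach ($cmd in $commands) {
        Write-Host "netsh $cmd"
        $parts = $cmd -split ' '
        & netsh $parts
        if ($LASTEXITCODE -ne 0) { throw "netsh failed: $cmd" }   # stop before leaving a half-configured NIC
    }
}

Set-StaticIPv4 -InterfaceName 'Local Area Connection' -Address 192.168.1.100 -Mask 255.255.255.0 `
    -Gateway 192.168.1.254 -PrimaryDns 192.168.1.1 -SecondaryDns 192.168.1.2
```

Because setting a static address over a remote session can drop that session, run this from the console (or an out-of-band management channel) when the adapter being changed is the one carrying your connection.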

PKI : Publishing CRL to an IIS Website Automatically

This article covers the required steps for configuring an Issuing CA to publish its CRL automatically to an IIS Website that is accessible externally.

  1. Deploy an IIS Web Server to host the AIA and CDP:
     a. Create a file share 'PKI' with Modify permissions for "Cert Publishers" and the AD DS computer accounts of the Issuing CAs deployed in step 3.
     b. Create a new website in IIS, using the PKI share created above as the home directory. Use port 80 and a host header to differentiate the site.
     c. Via IIS Manager, enable 'Allow Double Escaping' under the website > Request Filtering > Edit Feature Settings (in the action pane).
     d. Ideally, publish this website using TMG/ISA Server.

  2. Next, deploy the issuing CA (if you already have one, skip this step); this is the front line of your PKI. When deploying a CA I'd suggest the following as good practice:
     a. Don't forget to use the CAPolicy.inf file. This should be created in advance of installing the AD CS role. It will reduce the impact of deployment in any production environment, especially the "LoadDefaultTemplates=False" option, which ensures the CA cannot issue any certificates until you configure it to do so. An example CAPolicy.inf file is below:

[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriodUnits=6
RenewalValidityPeriod=years
LoadDefaultTemplates=False
CRLPeriodUnits=3
CRLPeriod=days
CRLDeltaPeriodUnits=12
CRLDeltaPeriod=hours
CRLOverlapPeriod=Hours
CRLOverlapUnits=8
CRLDeltaOverlapPeriod=Hours
CRLDeltaOverlapUnits=8

[PolicyStatementExtension]
Policies = AllIssuancePolicy
Critical = FALSE

[AllIssuancePolicy]
OID = 2.5.29.32.0

  3. Configure CDP / AIA settings on the new CA:
     a. CDP: remove the http and file locations already listed, then add the following MANUALLY (do not copy and paste!):
        • file://\\<IIS server>\PKI\cdp\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
        • http://<external DNS name>/cdp/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
        • The file point should be set to ONLY: Publish CRLs to this location, Publish Delta CRLs to this location
        • The HTTP point should be set to ONLY: Include in CRLs, Include in the CDP extension of issued certificates
        • The LDAP point should be set for everything other than IDP
     b. AIA: remove the http and file locations already listed, then add the following MANUALLY (do not copy and paste!):
        • file://\\<IIS Server>\PKI\aia\<ServerDNSName>_<CaName><CertificateName>.crt
        • http://<external DNS name>/aia/<ServerDNSName>_<CaName><CertificateName>.crt
        • The file point should be set to NOT include in the AIA extension
        • The HTTP point should be set to include in the AIA extension
        • The LDAP point should be set to include in the AIA extension

You'll need to manually copy the CRT file across from C:\Windows\system32\certsrv\CertEnroll. Make sure you do this every time the certificate is renewed.
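The CDP and AIA configuration from step 3 expressed as certutil -setreg commands, added here as an example and not part of the original post, so the exact option flags are visible rather than hidden behind GUI checkboxes. The numeric prefixes are the standard CSURL flags (1 publish CRLs to this location, 2 include in the CDP/AIA extension of issued certificates, 4 include in CRLs, 8 include in all CRLs, 64 publish delta CRLs, 128 include in IDP) and the % tokens are the CA's own substitution variables (%1 ServerDNSName, %2 ServerShortName, %3 CaName, %4 CertificateName, %6 ConfigurationContainer, %7 CATruncatedName, %8 CRLNameSuffix, %9 DeltaCRLAllowed, %10/%11 CDP and CA object classes). The server names are placeholders; run it elevated on the issuing CA. It only prints the planned values unless -Apply is given. One deliberate extension: the AIA file point is given flag 1, which makes the CA write its certificate to the share at service start and renewal; confirm the CRT appears there after the restart, and fall back to the manual copy from CertEnroll described above if it does not.

```powershell
# Added example (not from the original post): set CRLPublicationURLs and
# CACertPublicationURLs for the file/http/ldap points described in step 3.
param(
    [string]$IisServer    = 'PKIWEB01',        # placeholder: the IIS host holding the PKI share
    [string]$ExternalName = 'pki.example.com', # placeholder: externally resolvable DNS name
    [switch]$Apply
)

# CDP: file point publishes CRL + delta CRL only (1+64); HTTP point is included in
# issued certificates and CRLs (2+4); LDAP point keeps everything except IDP (1+2+4+8+64 = 79).
$cdp = @(
    "65:file://\\$IisServer\PKI\cdp\%3%8%9.crl",
    "6:http://$ExternalName/cdp/%3%8%9.crl",
    "79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
)
# AIA: file point is publish-only (1) and NOT in the AIA extension; HTTP and LDAP
# points are included in the AIA extension (2).
$aia = @(
    "1:file://\\$IisServer\PKI\aia\%1_%3%4.crt",
    "2:http://$ExternalName/aia/%1_%3%4.crt",
    "2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
)

function Show-Plan {
    Write-Host 'CRLPublicationURLs:';    $cdp | ForEach-Object { Write-Host "  $_" }
    Write-Host 'CACertPublicationURLs:'; $aia | ForEach-Object { Write-Host "  $_" }
}

function Set-PublicationUrls {
    # certutil takes a REG_MULTI_SZ as one argument with literal \n separators
    certutil -setreg CA\CRLPublicationURLs    ($cdp -join '\n')
    certutil -setreg CA\CACertPublicationURLs ($aia -join '\n')
    Restart-Service certsvc
    certutil -crl                            # publish a fresh CRL and delta CRL to the new file point
    certutil -getreg CA\CRLPublicationURLs   # read back what the CA now holds
}

Show-Plan
if ($Apply) { Set-PublicationUrls } else { Write-Host 'Re-run with -Apply to write these values to the CA.' }
```

After applying, fetch http://<external DNS name>/cdp/<CaName>.crl from outside the network and run certutil -verify -urlfetch against a freshly issued certificate; both confirm the published locations actually resolve, which is what clients will do during revocation checking.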

AD DS : DCPROMO fails with A domain controller for the specified domain could not be located.

Check the DCPROMO log files located under: C:\Windows\Debug.

Perform the following test on the server: nltest /dsgetdc:<fqdn of a functioning domain controller>

You can also confirm that you can look up SRV records in DNS by executing the following from a command prompt:

  1. nslookup
  2. set type=all
  3. _ldap._tcp.dc._msdcs.<domain_name>

If SRV records are returned then it is more than likely that this is a firewall-related issue. Check logs for blocked traffic, specifically on UDP and TCP port 389.

Active Directory: Firewalled Domain Controller Issues

In implementing a new child domain recently I encountered some strange and typically unhelpful error messages which turned out to be firewall related. Moral of the story: ensure that all of your domain controllers can communicate with each other on all of the ports listed here: http://social.technet.microsoft.com/wiki/contents/articles/active-directory-replication-over-firewalls.aspx

Also, ensure that all of your clients can also communicate on these ports.

Symptoms

When trying to create a new account using dsa.msc:

Windows cannot verify that the user name is unique because the following error occurred while contacting the global catalog: a local error has occurred.

When trying to modify group membership via dsa.msc:

The following Active Directory Domain Services error occurred: The system detected a possible attempt to compromise security.

When browsing the GC using adsiedit.msc:

Operation failed: Error code: 0x80090350. The system detected a possible attempt to compromise security.

Confirm the time is the same on all Domain Controllers in the forest; this is especially important if your domain is a child domain.

Test SRV records for the GC:

  1. nslookup
  2. set type=srv
  3. _ldap._tcp.<site name>._sites.gc._msdcs.<fully qualified domain name>

Confirm replication is working as expected: repadmin /showreps

The GC is browsable via ADSIedit connecting on port 3268.
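The SRV lookups from this post and the DCPROMO post above, followed by the port checks both posts end with, in one script, added here as an example and not part of the original posts. It resolves the DC and site-specific GC SRV records by parsing nslookup's "port =" and "svr hostname =" lines (the same queries typed interactively above), then attempts a TCP connect from this host to each DC on 389 and 3268 plus the other standard AD ports (88 Kerberos, 135 RPC endpoint mapper, 445 SMB, 636/3269 LDAPS). UDP 389 is not tested because a TCP connect cannot prove it. The domain and site names at the bottom are constructed.

```powershell
# Added example (not from the original post): resolve DC/GC SRV records and
# probe the AD ports a firewall between DCs or from a client most often blocks.
function Resolve-SrvRecord {
    param([string]$Name)
    # nslookup prints "port = 389" before "svr hostname = dc1.domain.local" for each record
    $results = @(); $port = 0
    foreach ($line in (nslookup -type=srv $Name)) {
        if     ($line -match 'port\s*=\s*(\d+)')         { $port = [int]$matches[1] }
        elseif ($line -match 'svr hostname\s*=\s*(\S+)') {
            $results += New-Object PSObject -Property @{ Host = $matches[1]; Port = $port; Record = $Name }
        }
    }
    return $results
}

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        # WaitOne times out on silently dropped packets; Connected is false on an active refusal
        return ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch { return $false } finally { $client.Close() }
}

function Test-DomainControllerAccess {
    param(
        [string]$DomainName,
        [string]$SiteName,
        [int[]]$Ports = @(389, 636, 3268, 3269, 88, 135, 445)
    )
    $records = @(Resolve-SrvRecord -Name "_ldap._tcp.dc._msdcs.$DomainName") +
               @(Resolve-SrvRecord -Name "_ldap._tcp.$SiteName._sites.gc._msdcs.$DomainName")
    if ($records.Count -eq 0) {
        Write-Warning 'No SRV records returned: fix DNS before looking at the firewall.'
        return
    }
    $records | ForEach-Object { Write-Host ("SRV {0,-55} -> {1}:{2}" -f $_.Record, $_.Host, $_.Port) }

    foreach ($dc in ($records | Select-Object -ExpandProperty Host -Unique)) {
        foreach ($port in $Ports) {
            $state = if (Test-TcpPort -Computer $dc -Port $port) { 'open' } else { 'BLOCKED/closed' }
            Write-Host ("{0,-30} tcp/{1,-5} {2}" -f $dc, $port, $state)
        }
    }
}

Test-DomainControllerAccess -DomainName 'child.domain.local' -SiteName 'Default-First-Site-Name'
```

Run it from the new DC and from a client in each site; SRV records that resolve while 389 or 3268 show as blocked is the signature of the firewall problem both posts describe, and the time check above can be done alongside with w32tm /monitor /domain:<domain>.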