Windows Server Active Directory and Domain controller info

Windows Server 2012 Active Directory/Domain controller migration

https://megapuper.ru/index.php?title=%D0%9C%D0%B8%D0%B3%D1%80%D0%B0%D1%86%D0%B8%D1%8F_%D0%BA%D0%BE%D0%BD%D1%82%D1%80%D0%BE%D0%BB%D0%BB%D0%B5%D1%80%D0%B0_%D0%B4%D0%BE%D0%BC%D0%B5%D0%BD%D0%B0_Windows_Server_2012_Active_Directory

Before setting up the AD role: install Windows Internal Database, then reboot.
The Remote Registry service must be running at the time the AD role is added.

IPv6 must be enabled on the main network interface.

If on the second AD controller you get the error “Unable to add role, server needs to be restarted”, you must install the Windows Internal Database feature, reboot the server, add NETWORK SERVICE, NT SERVICE\ALL SERVICES and NT SERVICE\MSSQL$MICROSOFT##WID to the "Log on as a service" right in the GPO, configure the Remote Registry service for automatic startup (disable it after you finish with the AD role), run gpupdate on both servers, reboot, check the rights in the GPO, and only after all this add the second server with the AD role.

Console commands:
https://community.spiceworks.com/topic/1495956-trransferring-fsmo-roles#entry-5601702

The GUI interface for the FSMO roles is spread all over the place. I always use NTDSUTIL to do this.

Open a command prompt on a Domain Controller
Enter “ntdsutil” and the following commands:

roles
connections
connect to server dc1 - put the target DC server's name here
quit
transfer infrastructure master
transfer naming master
transfer pdc
transfer rid master
transfer schema master
quit
quit

After each transfer you will see a list of the FSMO roles and where they are currently stored. Also, ntdsutil has the ability to seize the FSMO roles to a new domain controller. Instead of “transfer …” you use “seize …” for the roles. Use transfer first and seize only as a last resort.

If group policies from the new DC do not apply on the computers in the domain after you move the AD role to the new server, check that the DNS records pointing to the old DC server have been removed or changed to the new server’s IP and name.

Sometimes it can work better in PowerShell. It did for me, because once, using ntdsutil, I got an error when transferring the Schema Master role:
https://petri.com/seizing_fsmo_roles/
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole PDCEmulator -Force
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole RIDMaster -Force
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole InfrastructureMaster -Force
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole SchemaMaster -Force
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole DomainNamingMaster -Force
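
A graceful variant of the commands above, as an added example that is not from the linked articles: it omits -Force (the cmdlet's role-seizure switch), keeps the confirmation prompt, and re-reads the role holders afterwards. The function names Get-FsmoHolders and Move-FsmoRolesGracefully are hypothetical; "DC3" is the target name used above.

```powershell
Import-Module ActiveDirectory   # RSAT ActiveDirectory module must be installed

function Get-FsmoHolders {
    param([Parameter(Mandatory)] [string] $Server)
    # Domain-wide roles come from Get-ADDomain, forest-wide roles from Get-ADForest.
    $domain = Get-ADDomain -Server $Server
    $forest = Get-ADForest -Server $Server
    [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

function Move-FsmoRolesGracefully {   # hypothetical helper name
    param([Parameter(Mandatory)] [string] $TargetDC)

    # Resolve the target first so a typo fails before any role is touched.
    $target = Get-ADDomainController -Identity $TargetDC -ErrorAction Stop
    $before = Get-FsmoHolders -Server $target.HostName

    foreach ($role in $before.Keys) {
        if ($before[$role] -eq $target.HostName) {
            Write-Host "$role is already on $($target.HostName), skipping"
            continue
        }
        try {
            # No -Force: a plain transfer, which needs the current holder online.
            Move-ADDirectoryServerOperationMasterRole -Identity $target.HostName `
                -OperationMasterRole $role -ErrorAction Stop
        } catch {
            Write-Warning "Transfer of $role failed: $($_.Exception.Message)"
        }
    }

    # Re-read the holders from the target DC and flag anything that did not move.
    $after = Get-FsmoHolders -Server $target.HostName
    foreach ($role in $after.Keys) {
        [pscustomobject]@{
            Role   = $role
            Holder = $after[$role]
            Moved  = ($after[$role] -eq $target.HostName)
        }
    }
}

Move-FsmoRolesGracefully -TargetDC 'DC3' | Format-Table -AutoSize
```

Any role still reported with Moved = False was not transferred; check why the current holder refused or was unreachable before considering a seizure.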

Removal:
https://winitpro.ru/index.php/2022/01/13/udalenie-kontrollera-domena-active-directory/

DFS Replication errors:

Authoritative restore for DFSR replication:
https://www.rmtechteam.com/blog/dfs-replication-dfsr-fix/
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-authoritative-recovery-sysvol

Perform a non-authoritative synchronization of DFSR-replicated sysvol replication:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/force-authoritative-non-authoritative-synchronization

How to fix Error 0xc00002e2 after rebooting Windows Domain Controller:

It happens when you restore an old controller’s backup, due, as I suppose, to an outdated DC database.
https://support.hostway.com/hc/en-us/articles/360001126259-How-to-fix-Error-0xc00002e2-after-rebooting-Windows-Domain-Controller

Reboot the server into Directory Services Restore Mode by pressing F8 before the OS begins loading. You will be required to use the local Administrator account password.

In Directory Services Restore Mode, you can check if there is a problem with the database by running the following commands:
ntdsutil.exe
activate instance ntds
files

If there is a problem with the Active Directory database NTDS.DIT, you will see an error like the following:
Could not initialize the Jet engine: Jet Error -501. Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113

To resolve this issue, rename all of the .log files located in C:\Windows\NTDS\ to .log.old, so the logs can be recreated after reboot.

This should fix the database after the server is rebooted once more. If you continue to get the error, you can boot into Directory Services Restore Mode again and run the following command:
esentutl /p "c:\windows\ntds\ntds.dit"

Reboot the server and the issue should be solved.

Troubleshoot missing SYSVOL and Netlogon shares:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/troubleshoot-missing-sysvol-and-netlogon-shares

Correct removal of DC:

https://winitpro.ru/index.php/2022/01/13/udalenie-kontrollera-domena-active-directory/

Checking DC health with Dcdiag:

https://winitpro.ru/index.php/2021/04/14/proverka-sostoyaniya-kontrollerov-domena-active-directory-i-replikacii/

An Active Directory Domain Controller Could Not Be Contacted:

An Active Directory Domain Controller Could Not Be Contacted

Group Policy Apply Troubleshooting:

https://winitpro.ru/index.php/2019/03/18/primenenie-gpo-spravka-admina/
https://serverfault.com/a/516427

Test file share connectivity and permissions
Test commands at the workstation (pushd is used because cmd.exe cannot cd into a UNC path):
nslookup %USERDNSDOMAIN%
net view %USERDNSDOMAIN%
pushd \\%USERDNSDOMAIN%\SYSVOL\%USERDNSDOMAIN%\

and check file permissions in folders: Policies and scripts

Check connectivity on the other ports
Open and check the ports used by the domain infrastructure
Instructions here: Active Directory Firewall Ports – Let’s Try To Make This Simple

Delete local registry keys:
reg delete HKLM\SOFTWARE\Policies /f
reg delete HKCU\Software\Policies /f

Delete local folder:
RD /S /Q %windir%\System32\GroupPolicy

Never use passwords in GP:

https://adsecurity.org/?p=2288

PHP Info

Show current folder:

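<?php
// REQUEST_URI is client-controlled: keep only its path part (drop the query string).
$uri_path = (string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$path_dirty = $_SERVER['DOCUMENT_ROOT'].$uri_path;
// Collapse runs of slashes into a single slash.
$path = preg_replace('#/+#', '/', $path_dirty);
// Escape before output so the request path cannot inject markup into the page.
echo htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
?>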

Zabbix Info

Zabbix Documentation 5.0

Install and configure Zabbix 4.0

https://serveradmin.ru/ustanovka-i-nastroyka-zabbix-4-0/

Monitoring SNMP devices with Zabbix:

https://www.experts-exchange.com/articles/31203/Monitoring-SNMP-devices-with-Zabbix.html

ESXi:

# esxcli system snmp set --communities GokuBlack
# esxcli system snmp set --syscontact="Zamasu <zamasu@dbsuper.com>"
# esxcli system snmp set --syslocation="Universe10 - IT Room"
# esxcli system snmp set --enable true

https://techexpert.tips/ru/vmware-ru/zabbix-monitor-vmware-esxi-с-использованием-snmp/

https://sysadmin-note.ru/monitoring-esxi-6-zabbix-3-x/

https://habr.com/en/sandbox/135130/

https://www.zabbix.org/wiki/Esxi_standalone_template

Integration with Mattermost:

https://www.zabbix.com/integrations/mattermost
https://habr.com/ru/post/442404/

chmod 755 /usr/lib/zabbix/alertscripts/zabbixMatterBot.pl
If you get the “Can’t locate JSON.pm in @INC” error: sudo apt-get install libjson-perl

Bot or webhook will use the name of the user that created it.

MySQL database cleanup:

https://www.zabbix.com/forum/zabbix-help/438523-how-to-set-zabbix-to-delete-old-data?p=438544#post438544
https://www.zabbix.com/forum/zabbix-cookbook/465716-how-to-cleanup-database-disk-space-from-oversized-auditlog-database-table

First of all, check that you have enough disk space, and start with the smallest tables.

List the Zabbix table files and decide which of them you want to reduce in size:
ls -l /var/lib/mysql/zabbix

Stop zabbix service:
/etc/init.d/zabbix-server stop

Pick the date back to which you want to keep history and convert it to a Unix timestamp here:
https://www.unixtimestamp.com/

Login to mysql:
mysql -p zabbix

Reduce the tables you want (replace UNIXTIMEFORMAT with the Unix timestamp from the previous step):
DELETE FROM alerts WHERE clock < UNIXTIMEFORMAT;
OPTIMIZE TABLE alerts;
analyze table alerts;
DELETE FROM trends WHERE clock < UNIXTIMEFORMAT;
OPTIMIZE TABLE trends;
analyze table trends;
DELETE FROM trends_uint WHERE clock < UNIXTIMEFORMAT;
OPTIMIZE TABLE trends_uint;
analyze table trends_uint;
DELETE FROM history WHERE clock < UNIXTIMEFORMAT;
OPTIMIZE TABLE history;
analyze table history;
DELETE FROM history_str WHERE clock < UNIXTIMEFORMAT;
OPTIMIZE TABLE history_str;
analyze table history_str;
DELETE FROM history_text WHERE clock < UNIXTIMEFORMAT;
OPTIMIZE TABLE history_text;
analyze table history_text;
DELETE FROM history_uint WHERE clock < UNIXTIMEFORMAT;
OPTIMIZE TABLE history_uint;
analyze table history_uint;
exit

Start zabbix service:
/etc/init.d/zabbix-server start

nano /etc/zabbix/zabbix_server.conf
HousekeepingFrequency=1
MaxHousekeeperDelete=0

Set Housekeeping to 90 days in zabbix configuration