Windows Server Active Directory and Domain controller info

Миграция и удаление контроллера домена Windows Server 2012 Active Directory/Domain controller migration

Перед установкой Ad Role: Windows Internal Database, reboot

Необходимо чтобы во время добавления роли была запущена служба Remote Registry.

Необходимо чтобы на обоих контроллерах была включена поддержка IPv6 в настройках сетевых карт.

Если на втором сервере появляется ошибка типа “Невозможно добавить роли потому что сервер должен быть перезагружен”, то надо на оба сервера установить Windows Internal Databese, перезагрузиться, добавить в Logon As Service: NETWORK SERVICE, NT SERVICE\ALL SERVICES и NT SERVICE\MSSQL$MICROSOFT##WID, включить службу Remote Regitry, сделать gpupdate на обоих серверах, перезагрузить оба сервера, проверить, есть ли оба пользователя в gpedit, и потом только добавлять роль DC на второй сервер.

Console commands:

The GUI interface for the FSMO roles is spread all over the place. I always use NTDSUTIL to do this.

Open a command prompt on a Domain Controller
Enter “ntdsutil” and the following commands:

connect to server dc1 - put the target DC server's name here
transfer infrastructure master
transfer naming master
transfer pdc
transfer rid master
transfer schema master

After each transfer you will see a list of the FSMO roles and where they are currently stored. Also, ntdsutil has the ability to seize the FSMO roles to a new domain controller. Instead of “transfer …” you use “seize …” for the roles. Use transfer first and seize only as a last resort.

Если после переезда на новый DC не применяются групповые политики на других компьютерах, необходимо проверить чтобы в DNS сервере нового DC были убраны и изменены все записи, касающиеся старого DC.

Sometimes it can work better in Powershell. It used to for me because using ntdsutil once I got error with transferring Schema Master role:
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole PDCEmulator -Force
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole RIDMaster -Force
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole InfrastructureMaster -Force
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole SchemaMaster -Force
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole DomainNamingMaster -Force


DFS Replication errors:

Authoritative restore for DFSR replication:

Perform a non-authoritative synchronization of DFSR-replicated sysvol replication:

How to fix Error 0xc00002e2 after rebooting Windows Domain Controller:

It happens when you restore old controller’s backup due, as I suppose, to a outdated DC database.

Reboot the server into Directory Services Restore Mode by pressing F8 before the OS begins loading. You will be required to use the local Administrator account password.

In Directory Services Restore Mode, you can check if there is a problem with the database by running the following commands:
activate instance ntds

If there is a problem with the Active Directory database NTDS.DIT, you will see an error like the following:
Could not initialize the Jet engine: Jet Error -501. Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113

To resolve this issue, rename all of the .log files located in C:\Windows\NTDS\ to .log.old, so the logs can be recreated after reboot.

This should fixed the database after the server is rebooted once more. If you continue to get the error, you can access again Directory Services Restore Mode and run the following command:
esentutl /p "c:\windows\ntds\ntds.dit"

Reboot the server and the issue should be solved.

Troubleshoot missing SYSVOL and Netlogon shares:

Корректное удаление контроллера домена в Active Directory:

Проверка состояния контроллеров домена с помощью Dcdiag:

An Active Directory Domain Controller Could Not Be Contacted:

An Active Directory Domain Controller Could Not Be Contacted

Group Policy Apply Troubleshooting:

Windows troubleshooting

The Print Spooler service terminated unexpectedly:

net stop spooler
del %systemroot%\system32\spool\printers\*.shd
del %systemroot%\system32\spool\printers\*.spl
net start spooler

Fix DHCP service cannot start: error 5: Access Denied:

Windows Update Error 0x80070422 while installing standalone update .msi:

– windows update service not running. Start it manually before installing .msi.

Windows 10 20H1 update error 0x8007001f MIGRATE_DATA:

Stop Windows Update
Remove c:\windows\SoftwareDistribution\Downloads
Remove c:\Windows_BT
Check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. If the value in ProfilesDirectory is not set as default %SystemDrive%\Users, set it like this temporary, update Windows, and change back as it was before update.

Install Windows 11 on unsupporterd hardware:

Fresh install with boot from original ISO:
After getting error about unsupported hardware press Shift + F10, then type “regedit” in CMD window
Create key “LabConfig”
Create DWORD BypassTPMCheck, BypassSecureBootCheck, BypassRAMCheck, BypassCPUCheck with “1” in each
Close regedit and CMD
Go back in setup window and continue the installation.

Updating existing installation to Windows 11:
Extract install.wim from Windows 11 ISO
Open Windows 10 .ISO equal to Windows 11 .ISO you’ve decided to install with any CD image editor like UltraISO. Replace ./Sources/install.wim with install.wim from Windows 11 .ISO. Save with decided name.

Domain controller Kerberos login/password errors

If you experience this symptoms:
– your secondary DC can’t resolve DNS names
– you see “Audit Failure” event ID 4625 with the name of your secondary DC in event viewer on your promary Domain Controller

Check that you have right Kerberos realm on the secondary DC in HKEY_LOCAL_MACHINE\SECURITY\Policy\PolPrDmN
Aquire Kerberos password change from Primary DC:
netdom resetpwd /server: /userd:domain\administrator /password:

“Cannot connect to the DRIVELETTER$ admin share to verify if folder YOURDECIDEDSHAREDFOLDER exists on computer COMPUTERNAME” error while configuring NFS share:
Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
If the AutoShareServer and AutoShareWks DWORD values in the LanmanServer\Parameters subkey are configured with a value data of 0, change that value to 1.

Error 0x800ccc14 in Outlook 2021 while creating new user profile:после/fe32ecfd-2d08-43ae-91f9-401bda3ee803
If you’ve installed CryptoPRO before creating user profile in Outlook you’ll get this error. Remove the CryproPRO shit and create a profile without errors.