Tag: troubleshoot

Миграция и удаление контроллера домена Windows Server 2012 Active Directory/Domain controller migration

https://megapuper.ru/index.php?title=%D0%9C%D0%B8%D0%B3%D1%80%D0%B0%D1%86%D0%B8%D1%8F_%D0%BA%D0%BE%D0%BD%D1%82%D1%80%D0%BE%D0%BB%D0%BB%D0%B5%D1%80%D0%B0_%D0%B4%D0%BE%D0%BC%D0%B5%D0%BD%D0%B0_Windows_Server_2012_Active_Directory

Перед установкой Ad Role: Windows Internal Database, reboot

Необходимо чтобы во время добавления роли была запущена служба Remote Registry.

Необходимо чтобы на обоих контроллерах была включена поддержка IPv6 в настройках сетевых карт.

Если на втором сервере появляется ошибка типа “Невозможно добавить роли потому что сервер должен быть перезагружен”, то надо на оба сервера установить Windows Internal Databese, перезагрузиться, добавить в Logon As Service: NETWORK SERVICE, NT SERVICE\ALL SERVICES и NT SERVICE\MSSQL$MICROSOFT##WID, включить службу Remote Regitry, сделать gpupdate на обоих серверах, перезагрузить оба сервера, проверить, есть ли оба пользователя в gpedit, и потом только добавлять роль DC на второй сервер.

Console commands:
https://community.spiceworks.com/topic/1495956-trransferring-fsmo-roles#entry-5601702

The GUI interface for the FSMO roles is spread all over the place. I always use NTDSUTIL to do this.

Open a command prompt on a Domain Controller
Enter “ntdsutil” and the following commands:

roles
connections
connect to server dc1 - put the target DC server's name here
quit
transfer infrastructure master
transfer naming master
transfer pdc
transfer rid master
transfer schema master
quit
quit

After each transfer you will see a list of the FSMO roles and where they are currently stored. Also, ntdsutil has the ability to seize the FSMO roles to a new domain controller. Instead of “transfer …” you use “seize …” for the roles. Use transfer first and seize only as a last resort.

Если после переезда на новый DC не применяются групповые политики на других компьютерах, необходимо проверить чтобы в DNS сервере нового DC были убраны и изменены все записи, касающиеся старого DC.

Sometimes it can work better in Powershell. It used to for me because using ntdsutil once I got error with transferring Schema Master role:
https://petri.com/seizing_fsmo_roles/
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole PDCEmulator -Force
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole RIDMaster -Force
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole InfrastructureMaster -Force
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole SchemaMaster -Force
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole DomainNamingMaster -Force

Удаление:
https://winitpro.ru/index.php/2022/01/13/udalenie-kontrollera-domena-active-directory/

DFS Replication errors:

Authoritative restore for DFSR replication:
https://www.rmtechteam.com/blog/dfs-replication-dfsr-fix/
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-authoritative-recovery-sysvol

Perform a non-authoritative synchronization of DFSR-replicated sysvol replication:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/force-authoritative-non-authoritative-synchronization

How to fix Error 0xc00002e2 after rebooting Windows Domain Controller:

It happens when you restore old controller’s backup due, as I suppose, to a outdated DC database.
https://support.hostway.com/hc/en-us/articles/360001126259-How-to-fix-Error-0xc00002e2-after-rebooting-Windows-Domain-Controller

Reboot the server into Directory Services Restore Mode by pressing F8 before the OS begins loading. You will be required to use the local Administrator account password.

In Directory Services Restore Mode, you can check if there is a problem with the database by running the following commands:
ntdsutil.exe
activate instance ntds
files

If there is a problem with the Active Directory database NTDS.DIT, you will see an error like the following:
Could not initialize the Jet engine: Jet Error -501. Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113

To resolve this issue, rename all of the .log files located in C:\Windows\NTDS\ to .log.old, so the logs can be recreated after reboot.

This should fixed the database after the server is rebooted once more. If you continue to get the error, you can access again Directory Services Restore Mode and run the following command:
esentutl /p "c:\windows\ntds\ntds.dit"

Reboot the server and the issue should be solved.

Troubleshoot missing SYSVOL and Netlogon shares:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/troubleshoot-missing-sysvol-and-netlogon-shares

Корректное удаление контроллера домена в Active Directory:

https://winitpro.ru/index.php/2022/01/13/udalenie-kontrollera-domena-active-directory/

Проверка состояния контроллеров домена с помощью Dcdiag:

https://winitpro.ru/index.php/2021/04/14/proverka-sostoyaniya-kontrollerov-domena-active-directory-i-replikacii/

An Active Directory Domain Controller Could Not Be Contacted:

An Active Directory Domain Controller Could Not Be Contacted

Group Policy Apply Troubleshooting:

https://winitpro.ru/index.php/2019/03/18/primenenie-gpo-spravka-admina/
https://serverfault.com/a/516427

Test file share connectivity and permissions
Test command at workstation:
nslookup %USERDNSDOMAIN%
net view %USERDNSDOMAIN%
cd \\%USERDNSDOMAIN%\SYSVOL\%USERDNSDOMAIN%\
and check file permissions in folders: Policies and scripts

Check other ports’ connectivity
open and check port at domain infrastructure
Instructions here: Active Directory Firewall Ports – Let’s Try To Make This Simple

Delete local registry keys:
reg delete HKLM\SOFTWARE\Policies /f
reg delete HKCU\Software\Policies /f

Delete local folder:
RD /S /Q %windir%\System32\GroupPolicy