Troubleshooting & Scenarios

1. The PDC has crashed, but there was no impact thanks to the ADC. How can I configure the DC using the ADC?

If the DC goes down, there is no need to configure the DC using the ADC. Follow the procedure below.

1. Seize the FSMO roles to the additional domain controller. (Note: this action should be performed only if the primary DC held the FSMO roles; if the additional domain controller already holds the FSMO roles, steps 1 and 2 are not needed.)

http://support.microsoft.com/kb/255504

2. Once all the roles are seized, configure the time service on the DC that now holds the PDC Emulator role (i.e. the additional domain controller to which the roles were seized).
The link below explains how to configure the time service on the PDC emulator:

http://social.technet.microsoft.com/wiki/contents/articles/8863.time-service-configuration-on-dc-with-pdc-emulator-fsmo-role.aspx
3. Once this is done, run netdom query fsmo to confirm that the ADC holds all the FSMO roles.

4. Perform metadata cleanup for the failed primary DC (refer to the first link below) and also make sure that none of the old DC's DNS entries still exist in the domain (the second link shows where to find the old DC entries in DNS).

http://support.microsoft.com/kb/216498

http://blogs.msmvps.com/awinish/2011/05/08/metadata-cleanup-of-a-domain-controller/

5. After this, rebuild the primary DC by installing the server OS on it, run dcpromo on it, and wait for replication to complete.

6. Once this is done, transfer all FSMO roles back from the ADC (you need to configure the time service once again when you transfer the roles).
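As an added check for steps 3 and 4 (this script is not part of the original post), the following PowerShell confirms that all five FSMO roles now name the surviving DC and lists any DNS records in the domain and _msdcs zones that still point at the failed DC. It assumes the ActiveDirectory and DnsServer RSAT modules and Domain Admin rights; $SurvivingDc and $FailedDc are placeholder host names.

```powershell
# Added verification script; not part of the original post. Assumes the ActiveDirectory and
# DnsServer RSAT modules and Domain Admin rights. $SurvivingDc / $FailedDc are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

$SurvivingDc = 'ADC1'   # placeholder: the additional DC that seized the roles
$FailedDc    = 'PDC1'   # placeholder: the crashed primary DC that was cleaned up

$domain = Get-ADDomain -Server $SurvivingDc
$forest = Get-ADForest -Server $SurvivingDc

# Step 3: same information as "netdom query fsmo"; all five roles should name the surviving DC.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$wrong = $roles.GetEnumerator() | Where-Object { $_.Value -notlike "$SurvivingDc.*" }
if ($wrong) { $wrong | ForEach-Object { Write-Warning ("{0} is held by {1}, not {2}" -f $_.Key, $_.Value, $SurvivingDc) } }
else        { Write-Host "All five FSMO roles are held by $SurvivingDc" }

# Step 4: DNS records that still point at the failed DC. A/AAAA records are matched on their
# host name; NS, SRV and CNAME records on the target they reference.
function Get-RecordTarget([object]$Record) {
    switch ($Record.RecordType) {
        'SRV'   { $Record.RecordData.DomainName }
        'NS'    { $Record.RecordData.NameServer }
        'CNAME' { $Record.RecordData.HostNameAlias }
        default { $Record.HostName }
    }
}
$wanted  = @($domain.DNSRoot, "_msdcs.$($forest.RootDomain)")   # _msdcs may be a separate zone
$zones   = Get-DnsServerZone -ComputerName $SurvivingDc |
           Where-Object { $_.ZoneName -in $wanted } | Select-Object -ExpandProperty ZoneName
$pattern = "(?i)^" + [regex]::Escape($FailedDc) + '(\.|$)'
$stale   = foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $SurvivingDc |
        Where-Object { (Get-RecordTarget $_) -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Zone = $zone; Type = $_.RecordType; Name = $_.HostName; Target = (Get-RecordTarget $_) }
        }
}
if ($stale) { $stale | Format-Table -AutoSize; Write-Warning "DNS still references $FailedDc; finish the cleanup before rebuilding it" }
else        { Write-Host "No records in $($zones -join ', ') reference $FailedDc" }
```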

2. METADATA Cleanup

https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

http://kpytko.pl/active-directory-domain-services/metadata-cleanup-over-gui/

NTDSUTIL – option 1 (step by step, complete commands)

PS C:\> ntdsutil
C:\Windows\system32\ntdsutil.exe: activate instance ntds
Active instance set to “ntds”.
C:\Windows\system32\ntdsutil.exe: metadata cleanup
metadata cleanup: connections
server connections: connect to server DC5
Binding to DC5 …
Connected to DC5 using credentials of locally logged on user.
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 – DC=mynet,DC=lan
select operation target: select domain 0
No current site
Domain – DC=mynet,DC=lan
No current server
No current Naming Context
select operation target: list sites
Found 1 site(s)
0 – CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
select operation target: select site 0
Site – CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
Domain – DC=mynet,DC=lan
No current server
No current Naming Context
select operation target: list servers in site
Found 2 server(s)
0 – CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
1 – CN=DC5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
select operation target: select server 0
Site – CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
Domain – DC=mynet,DC=lan
Server – CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
DSA object – CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
DNS host name – DC2.mynet.lan
Computer object – CN=DC2,OU=Domain Controllers,DC=mynet,DC=lan
No current Naming Context
select operation target: quit
metadata cleanup: remove selected server

Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under “CN=DC2,OU=Domain Controllers,DC=mynet,DC=lan”.

Removing FRS member “CN=DC2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mynet,DC=lan”.

Deleting subtree under “CN=DC2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mynet,DC=lan”.

Deleting subtree under “CN=DC2,OU=Domain Controllers,DC=mynet,DC=lan”.
The attempt to remove the FRS settings on CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan failed because “Element not found.”;
metadata cleanup is continuing.

“CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan” removed from server “DC5”

metadata cleanup: q
C:\Windows\system32\ntdsutil.exe: q
PS C:\>

NTDSUTIL – option 2 (abbreviated commands)

Note: the commands entered in the previous section can be more or less abbreviated, as shown below, as long as there is no ambiguity with other ntdsutil commands. Once again, I have made minor edits (font size and spacing) for readability.

PS C:\Users\ufc> ntdsutil “act ins ntds” “meta clean” conn “co to ser DC5” q “s o t” “l d”

C:\Windows\system32\ntdsutil.exe: act ins ntds
Active instance set to “ntds”.
C:\Windows\system32\ntdsutil.exe: meta clean
metadata cleanup: conn
server connections: co to ser DC5
Binding to DC5 …
Connected to DC5 using credentials of locally logged on user.
server connections: q
metadata cleanup: s o t
select operation target: l d
Found 1 domain(s)

Note: we stopped the command above at “list domains” or “l d” since the choices that follow depend on the number of domains and the names of the sites and servers, which we may not know beforehand. If we do, we can enter all the information on a single line as shown in the next example.

0 – DC=mynet,DC=lan
select operation target: sel dom 0
No current site
Domain – DC=mynet,DC=lan
No current server
No current Naming Context
select operation target: list sites
Found 1 site(s)
0 – CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
select operation target: sel site 0
Site – CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
Domain – DC=mynet,DC=lan
No current server
No current Naming Context
select operation target: list serv in site
Found 2 server(s)
0 – CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
1 – CN=DC5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
select operation target: sel ser 0
Site – CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
Domain – DC=mynet,DC=lan
Server – CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
DSA object – CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
DNS host name – DC2.mynet.lan
Computer object – CN=DC2,OU=Domain Controllers,DC=mynet,DC=lan
No current Naming Context

select operation target: q
metadata cleanup: rem sel ser

Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under “CN=DC2,OU=Domain Controllers,DC=mynet,DC=lan”.

Removing FRS member “CN=DC2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mynet,DC=lan”.

Deleting subtree under “CN=DC2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mynet,DC=lan”.

Deleting subtree under “CN=DC2,OU=Domain Controllers,DC=mynet,DC=lan”.
The attempt to remove the FRS settings on CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan failed because “Element not found.”;
metadata cleanup is continuing.

“CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan” removed from server “DC5”
metadata cleanup:

NTDSUTIL – option 3 (single command)

Note: in fact, we have to enter three commands before entering the “remove selected server” command with the path to the server to remove.

PS C:\Users\ufc> ntdsutil
C:\Windows\system32\ntdsutil.exe: activate instance ntds
Active instance set to “ntds”.
C:\Windows\system32\ntdsutil.exe: metadata cleanup
metadata cleanup: remove selected server cn=DC2,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=mynet,dc=lan

Binding to localhost …
Connected to localhost using credentials of locally logged on user.
Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.

You can then verify that the metadata cleanup went well by running the following checks at an elevated command line on an active domain controller.

Dcdiag /a /c /v /f:C:\logfile.log

Repadmin /showrepl * /verbose /all /intersite > C:\repllog.log

STEP-BY-STEP GUIDE TO RENAME ACTIVE DIRECTORY DOMAIN NAME

A few blog readers have asked me on several occasions whether they can change the AD domain name to a different one. The answer is yes, you can, but you need to be aware of the issues it can cause as well; otherwise you will end up with a non-functioning infrastructure. The idea of this post is to demonstrate how to rename an AD domain and also to point out some issues you may face with a domain rename.

The following are the critical points you need to consider before an AD rename.

1. Forest Functional Level – The forest functional level must be Windows Server 2003 or higher to perform an AD rename.
2. Location of the Domain – A forest can contain domains at different levels; they can be either completely separate domains or child domains. If you are going to change the location of the domain in the forest, you must create trust relationships between the domains to keep connectivity.
3. DNS Zone – DNS zones for the new domain name must be created on the relevant DNS servers before the rename process.
4. Folder Path Change – If DFS folder services or roaming profiles are set up, those paths must be changed to a server-based share or network share.
5. Computer Name Change – Once the domain is renamed, the computers' host names will also be renamed. If applications or systems are configured to use them, make sure you are prepared to make those changes.
6. Reboots – Systems, including workstations, will need to reboot twice to apply the name changes, so be prepared for downtime and service interruptions.
7. Exchange Server Incompatibility – Exchange Server 2003 is the only version supported for an AD rename; all other versions are not supported. There may also be other applications in the environment that do not support a rename. Make sure you assess these risks.
8. Certificate Authority (CA) – If a CA is used, make sure you prepare it according to https://technet.microsoft.com/en-us/library/cc816587

Once your infrastructure is ready, we need an administrative computer or server to perform the rename process. It must be a member of the domain and must not be a DC. It must have “Remote Server Administration Tools” installed. On Windows Server 2012 it can be added as a feature via Server Manager. For Windows 8 or later you can download it from http://www.microsoft.com/en-us/download/details.aspx?id=28972

In this demo, I am going to rename the contoso.com domain to canitpro.local. It runs on Windows Server 2012 R2.

I have prepared a member server running Windows Server 2012 R2 to perform the rename. You can install Remote Server Administration Tools via Server Manager > Add roles and features. Make sure you select AD DS and AD LDS Tools under RSAT.

Before we start the rename, make sure forest-wide activities, such as adding a new DC or changing the forest configuration, are stopped.

I also went ahead and created the relevant DNS zone for the new domain name on the primary DNS server. (In my blog you can find a complete DNS article that explains DNS zone setup.)

Then log in to the member server as a domain admin and open a command prompt with admin rights.

First we need to create a report that describes the current forest setup. To do that, type rendom /list and press Enter.

This will create an XML file named Domainlist.xml in the path from which the above command was executed. In my demo it is C:\Users\Administrator.CONTOSO

To proceed, the file needs to be edited to match the new domain name. Make sure you save the file after editing.

Then type rendom /upload from the same folder path.

To check the domain's readiness before the rename process, type rendom /prepare

Once it passes with no errors, execute rendom /execute to proceed with the rename. It will reboot all domain controllers automatically.

All workstations and servers will need to reboot twice to apply the changes. Usernames and passwords will not change, but the domain name will be the new one.

The rename process does not rename the domain controllers; they need to be changed manually.

This can be done using the command netdom computername DC.contoso.com /add:DC.canitpro.local

Then type netdom computername DC.contoso.com /makeprimary:DC.canitpro.local and, once complete, reboot the DC.

We can see it has changed after the reboot.

The next thing we need to fix is the group policies; they still use the old domain name.

To fix this, type gpfixup /olddns:contoso.com /newdns:canitpro.local and press Enter.

Then run gpfixup /oldnb:CONTOSO /newnb:canitpro

We are done with that too. The only thing left to run is rendom /end, which stops the rename process and unfreezes DC activity.

This ends the rename process, and we now have a DC with the new domain name.
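The step above where Domainlist.xml is edited by hand is easy to get wrong, because the file also lists the DomainDnsZones and ForestDnsZones application partitions that carry the old name. As an added helper (this is not the author's script), the following PowerShell rewrites every matching DNSname suffix and NetBiosName before rendom /upload. It assumes the layout rendom /list writes (a Forest element containing Domain elements with Guid, DNSname, NetBiosName and DcName) and defaults to this post's demo names.

```powershell
# Added helper, not part of the original post: rewrite the Domainlist.xml produced by
# "rendom /list" so every partition under the old domain carries the new name before
# "rendom /upload". Assumes the layout rendom writes: <Forest> containing <Domain> elements
# with <Guid>, <DNSname>, <NetBiosName> and <DcName>. Defaults use this post's demo names.
param(
    [string]$Path   = (Join-Path $PWD 'Domainlist.xml'),
    [string]$OldDns = 'contoso.com',
    [string]$NewDns = 'canitpro.local',
    [string]$OldNb  = 'CONTOSO',
    [string]$NewNb  = 'CANITPRO'     # NetBIOS names are case-insensitive; upper case by convention
)

[xml]$doc = Get-Content -Path $Path -Raw
Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep the untouched rendom output

$suffix  = '(?i)(^|\.)' + [regex]::Escape($OldDns) + '$'
$tail    = '(?i)' + [regex]::Escape($OldDns) + '$'
$changed = 0
foreach ($d in @($doc.Forest.Domain)) {
    # DNSname is set on the domain itself and on its DomainDnsZones / ForestDnsZones
    # application partitions (e.g. DomainDnsZones.contoso.com), so only the suffix is swapped.
    if ($d.DNSname -match $suffix) {
        $d.DNSname = $d.DNSname -replace $tail, $NewDns
        $changed++
    }
    # NetBiosName is only populated for real domains, never for application partitions.
    if ($d.NetBiosName -and ($d.NetBiosName -ieq $OldNb)) {
        $d.NetBiosName = $NewNb
        $changed++
    }
}
if ($changed -eq 0) { throw "No entries for $OldDns / $OldNb found in $Path; nothing rewritten." }
$doc.Save((Resolve-Path $Path).Path)   # XmlDocument.Save needs an absolute path

# Show what rendom /upload will receive; the <Guid> values must be left exactly as listed.
@($doc.Forest.Domain) | Select-Object Guid, DNSname, NetBiosName | Format-Table -AutoSize
Write-Host "Rewrote $changed element(s) in $Path (backup at $Path.bak)."
```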