
Windows DCDiag Generating - Error 0x6ba "The RPC server is unavailable."

Once you move to Windows 2008 with the Windows Firewall with Advanced Security enabled and you run DCDiag against a remote DC, you can end up with "error 0x6ba The RPC server is unavailable."  This happens because the remote DC's firewall is blocking the RPC connections DCDiag needs.

To remove this error and allow DCDiag to be run remotely, open up the following rule on the remote DC's Firewall settings:

Remote Service Management (RPC)

To avoid opening this up too widely, I configure the "Scope" tab of the rule to allow only the IP addresses of the machines that will be running DCDiag remotely.
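The same enable-and-scope change done from an elevated prompt on the DC, as an added example that is not from the original post.  It uses netsh because Windows Server 2008 has no firewall cmdlets; the rule name is the one named above, and the admin workstation addresses are constructed placeholders.

```powershell
# Added example: enable the built-in rule DCDiag needs and scope it to the admin
# workstations, then read the scope back so the change can be verified.
$RuleName = "Remote Service Management (RPC)"
$AdminIPs = @("10.0.10.21", "10.0.10.22")     # constructed: hosts allowed to run DCDiag remotely

function Set-ScopedRpcRule {
    param([string]$Name, [string[]]$RemoteIPs)
    # netsh takes the remote-address scope as a comma-separated list
    $scope = $RemoteIPs -join ","
    # Enable the rule and replace its remote scope in one call (applies to every profile's copy of the rule)
    $out = netsh advfirewall firewall set rule name="$Name" new enable=yes remoteip="$scope"
    if ($LASTEXITCODE -ne 0) { throw "netsh failed: $out" }
}

function Get-RuleScope {
    param([string]$Name)
    # Pull the 'RemoteIP:' line out of the verbose listing; netsh shows single hosts as /32
    $text = netsh advfirewall firewall show rule name="$Name" verbose
    ($text | Select-String '^RemoteIP:\s+(.+)$').Matches[0].Groups[1].Value.Trim()
}

Set-ScopedRpcRule -Name $RuleName -RemoteIPs $AdminIPs
"Rule '$RuleName' is now scoped to: $(Get-RuleScope -Name $RuleName)"
```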

Upgrade Certificate Server from 32 to 64 bit

In some older documents Microsoft stated that there was no support for upgrades from 32 to 64 bit:  

http://technet.microsoft.com/en-us/library/cc755153(WS.10).aspx

This is no longer the case: migrating from 32 to 64 bit is supported, and the Active Directory Certificate Services Migration Guide covers the steps required: 

http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx

This process went smoothly and the previous tech doc was all that was needed.



 

Windows 7/2008 Kerberos Default Encryption and Windows 2003/2000

With the latest OS release Microsoft modified the default encryption type from RC4 to AES for the first attempt at a Ticket Granting Service (TGS) request.  As long as the client, whether it be Windows 7 or Windows 2008, communicates with a Windows 2008 R2 Domain Controller (DC), everything is all good.  However, if the client talks to a Windows 2003/2000 DC then the client's default is AES and these DCs don't speak AES.  The clients are intelligent enough to then attempt other encryption methods, but the DC will generate an error 27 in the System Event log, giving you the impression that you have problems, as seen below.

Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 27
Date:  9/28/2010
Time:  1:21:04 PM
User:  N/A
Computer: DC
 
Description:

While processing a TGS request for the target server krbtgt/DOMAIN.COM, the account Windows7Client@MNPOWER.COM did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

The key to this mystery is the line "The requested etypes were 18."  This etype is defined in RFC 3962, http://www.ietf.org/rfc/rfc3962.txt.

Unfortunately there is no way to stop the Event Log errors, so you will have to modify the default value the clients start with when attempting a Kerberos session.

 

HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Parameters

Value Name:  DefaultEncryptionTypeValue

Type:  Reg_DWORD

Value Data:  0x17(23)

This will now set RC4 as the default value and still allows AES if needed.
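To tell this benign AES-to-RC4 fallback apart from a real missing-key problem, the following added example (not from the original post) decodes the etype numbers in a KDC Event ID 27 message.  The sample message is constructed from the event text quoted above; the etype names come from RFC 3961, 3962 and 4757.

```powershell
# Added example: decode the "requested" and "available" etypes in KDC Event 27 text
$EtypeNames = @{          # RFC-assigned Kerberos encryption type numbers
    1  = "des-cbc-crc"
    3  = "des-cbc-md5"
    17 = "aes128-cts-hmac-sha1-96"
    18 = "aes256-cts-hmac-sha1-96"
    23 = "rc4-hmac"
    24 = "rc4-hmac-exp"
}

function ConvertTo-EtypeName([int]$Id) {
    if ($EtypeNames.ContainsKey($Id)) { return $EtypeNames[$Id] }
    if ($Id -lt 0) { return "microsoft-legacy($Id)" }   # negative values are Windows-private, not RFC-assigned
    return "unknown($Id)"
}

function Test-KdcEvent27 {
    param([string]$Message)
    # Pull the two etype lists out of the event text
    $req   = [regex]::Match($Message, 'requested etypes were\s+([-\d\s]+?)\.')
    $avail = [regex]::Match($Message, 'available etypes were\s+([-\d\s]+?)\.')
    if (-not ($req.Success -and $avail.Success)) { throw "Not an Event 27 message" }
    $requested = $req.Groups[1].Value.Trim()   -split '\s+' | ForEach-Object { [int]$_ }
    $available = $avail.Groups[1].Value.Trim() -split '\s+' | ForEach-Object { [int]$_ }

    $clientWantsAes = @($requested | Where-Object { @(17,18) -contains $_ }).Count -gt 0
    $dcHasAes       = @($available | Where-Object { @(17,18) -contains $_ }).Count -gt 0
    $dcHasRc4       = $available -contains 23

    New-Object PSObject -Property @{
        Requested = ($requested | ForEach-Object { ConvertTo-EtypeName $_ }) -join ", "
        Available = ($available | ForEach-Object { ConvertTo-EtypeName $_ }) -join ", "
        # The case described above: a client asking for AES against a 2003/2000 KDC that only holds RC4/DES keys
        Verdict   = $(if ($clientWantsAes -and -not $dcHasAes -and $dcHasRc4) {
                        "Expected AES->RC4 fallback against a pre-2008 DC; noise, see the registry fix above"
                      } else {
                        "Investigate: not the expected AES/RC4 mismatch"
                      })
    }
}

# Constructed sample built from the event text quoted in the post
$sample = "While processing a TGS request for the target server krbtgt/DOMAIN.COM, the account Windows7Client@DOMAIN.COM did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1."
Test-KdcEvent27 -Message $sample | Format-List Requested, Available, Verdict
```

To run it against a live 2003 DC, feed it the Message property of each Event ID 27 from source KDC in the System log.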

 

Since I have a mid-sized environment that is continuously adding new Win7 clients, I wasn't about to ask our PC support staff to change the registry manually, since that would be a difficult task, and once we are up to Windows 2008 R2 FFL I would like my default to be AES once again.  So I decided to build a Group Policy with a WMI filter and apply it to our Workstations OU.  Under the "Common" tab of the new registry item, be sure to select "Remove this item when it is no longer needed"; this removes the entry if the policy no longer applies to the client.

So I built a preference GPO with the registry settings above and applied it to all my Win7 clients via the WMI Filter below:

select * from Win32_OperatingSystem where Version like "6.1%" and ProductType = "1"

 

How to apply a WMI Filter
http://technet.microsoft.com/en-us/library/cc779036(WS.10).aspx

Note:
This will capture both 2008 R2 and Windows 7 Clients so if you only want to apply this against Windows 7, make sure that the GPO is linked to an OU that doesn't contain Windows 2008 R2 servers.

 

Thanks to Mark Parris for his invaluable assistance in this blog.

Posted by Paul Bergson | 1 Comments

Invalid service type: RpcSs when running DCDIAG

After recently bringing up a RODC in my default site, all my 2003 RWDCs in all my sites flipped to a single process, which is not a good thing for DCs.  I can't be absolutely certain this was the cause, but the errors occurred on the same day as the RODC promotion.

The error in DCDiag should look something like the below:

 WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS

You can easily fix this either by running an SC command or from RegEdit.  I would recommend SC just to ensure that it is properly configured.

From a command prompt key in the following.  Make sure that you include the "Space" after the "=" otherwise you will get an error.

sc config rpcss type= share  (Remotely ->   sc \\RemoteServer config rpcss type= share)

If you want to do this manually then open up the Registry Editor and drill down

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RpcSs\Type

The value should be equal to 10 (hex) if single process (WIN32_OWN_PROCESS) is configured and 20 (hex) if multi-process (WIN32_SHARE_PROCESS) is configured.
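An added example (not from the original post) that checks every DC in the domain for this condition before DCDiag does: it reads the RpcSs Type DWORD straight from each DC's registry and flags anything not set to WIN32_SHARE_PROCESS.  It assumes the Active Directory module, admin rights and the Remote Registry service on each DC.

```powershell
# Added example: report DCs whose RpcSs is configured as its own process (0x10) instead of shared (0x20)
Import-Module ActiveDirectory
$ShareProcess = 0x20

function Get-RpcSsType {
    param([string]$Computer)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\RpcSs')
        [int]$key.GetValue('Type')
    }
    finally { $hklm.Close() }
}

$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $type = Get-RpcSsType -Computer $dc.HostName
        New-Object PSObject -Property @{
            DC      = $dc.HostName
            Type    = ('0x{0:X}' -f $type)
            # Mask to the process-model bits so other flags in the DWORD do not skew the comparison
            Healthy = (($type -band 0x30) -eq $ShareProcess)
        }
    }
    catch {
        New-Object PSObject -Property @{ DC = $dc.HostName; Type = 'unreachable'; Healthy = $false }
    }
}
$results | Sort-Object Healthy | Format-Table DC, Type, Healthy -AutoSize
```

Any DC listed with Type 0x10 is fixed with the sc command shown above.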

 

RODC - Password Replication Policy and Password Cache Management

With the advent of Read Only Domain Controllers (RODC), remote offices no longer have to present a risk to your Active Directory (AD) enterprise secrets.  RODCs by default do not cache ANY user or computer passwords.  This can present a problem if there is a loss of connectivity between the remote site's RODC and a Read Write Domain Controller (RWDC), since without caching neither a user nor a computer will be able to authenticate.  You can however specify that their passwords be cached by including a group or specific user in the Password Replication Policy on the RODC at the remote site.  Access to this policy is gained by opening up the RODC computer object and selecting the "Password Replication Policy" tab. 

It is relatively simple to add and remove user and computer objects: simply click on the "Add" or "Remove" button and modify the membership.  The problem is that this can be very dynamic; users and computers are constantly coming and going, and management of this can become extremely tedious.  Even if you are using group membership, this still has to be maintained.

I found that PowerShell was the piece I needed to resolve the problem.  It was important, though, that I be able to determine where a user or computer exists.  There is no software out there that can determine where an object exists without some clear definition.  Fortunately for me I have a nightly synchronization program between HR and AD that keeps all my user objects' address attributes accurate.  Now I just needed a way to determine my machine objects' location. 

After doing some thinking I quickly realized that I already know which machines reside at any one site by the subnet definitions within AD Sites and Services. 

Now that I had things clear in my process, I had to find a way to gather all the information.  I decided that PowerShell would be the best path to go, since I had two defined processes. 

    • Determine the IP subnets within the site I wanted to build my group for
    • Query for all DNS records within the domain the RODC belongs to
    • Query AD to determine which of the DNS hosts are members of the AD domain
    • Update the computer objects' location with a value that defines this site's location
    • Since the users and computers move around so much, clear out the current group membership
    • Read all computer and user objects, and add those that have the specific location defined to the Site Group

I have posted both scripts below; you will note that the users' "City" attribute is not touched, since this should be an attribute managed by your HR department.  Both scripts can be run within a single task; just make sure that the Dynamic Security Group sub-task is run second.

Note: Script 2 will generate churn for DC replication.  It rebuilds the group every time it is run, so the group and its membership will be re-replicated whether or not there were any changes.  Not a big deal for small to mid-sized shops without expensive links or significant numbers of DCs, but if you have 100,000s of objects or 100s of DCs this is not efficient.  I hope to rewrite this to manage deltas only.

1)

Import-Module ActiveDirectory
#
# Script       - UpdateSiteLocation.ps1
# Author       - Paul Bergson
# Date Written - 09/22/2010
# Description  - Script will populate the location field of all computer accounts that reside in a specific site.
#                When used in association with the PowerShell script that dynamically populates the members
#                of a security group with all computer and user accounts with the same location, this group can
#                be part of the Password Replication Policy (PRP) for an RODC in the defined site.

$ErrorActionPreference = "SilentlyContinue"

# Get the subnets associated with the site and place them in the array $ipSubNetAry
$ipSubNetAry  = @()                         # Create an empty array
$UpdateSite   = "Site-Timbuktu"             # Define the site that you want to build the array for
$locationName = "Timbuktu"                  # Define the value you want populated in the object's "Location" attribute

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$sites  = $forest.Sites
ForEach ($site in $sites)
   {
    $MPSubNets = $site.Subnets
    ForEach ($MPSubNet in $MPSubNets)
       {
        If ($MPSubNet.Site.Name -eq $UpdateSite)
           {
            # Subnet names look like "10.1.2.0/24"; dropping the last five characters (".0/24") leaves the
            # first three octets.  This assumes /24 subnets.  The trailing "." is appended so that a prefix
            # such as "10.1.2." does not also match hosts in 10.1.20.x or 10.1.200.x further down.
            $ipSubNetAry = $ipSubNetAry + ($MPSubNet.Name.Substring(0, ($MPSubNet.Name.Length - 5)) + ".")
           }
       }
   }

# Go get the host (A) records from the DNS zone; computer.domain.com and domain.com are your DNS server and zone
$dnsRecords = gwmi -ComputerName computer.domain.com -Namespace root\MicrosoftDNS -Query ('select OwnerName, IPAddress from MicrosoftDNS_AType where DomainName = "domain.com"')

# Now that all host records have been captured, look for matching subnets and see if the hosts reside in Active Directory
ForEach ($hostRecord in $dnsRecords)
   {
    $ServerIpAddress = $hostRecord.IPAddress

    ForEach ($ipSubNet in $ipSubNetAry)
       {
        $FoundMatch = $ServerIpAddress.StartsWith($ipSubNet)

        if ($FoundMatch)
           {
            $FQDN = $hostRecord.OwnerName
            $Sam  = $FQDN.Split(".")
            # Get the AD computer object to see if it needs to be updated.
            # $Sam[0] holds the host name from the FQDN once the array is formed.
            $ComputerObj = $Null                              # Clear prior to the call, otherwise the old value stays in the variable
            $ComputerObj = Get-ADComputer -Identity $Sam[0] -Properties Location
            if ($ComputerObj)                                 # Don't process if the host has no computer account in AD
               {
                ForEach ($NewComputer in $ComputerObj)
                   {
                    if ($NewComputer.Location -ne $locationName)
                       {
                        Write-Output $NewComputer.SamAccountName    # Not really needed other than, if run locally,
                        Write-Output $ServerIpAddress               # it will provide feedback on the machines updated
                        # Next line does the actual update.  It should be commented out during any testing
                        Set-ADComputer $NewComputer.SamAccountName -Location $locationName
                       }
                   }
               }
           }
       }
   }

2)

# Program        - buildDynamicSecurityGroup
# Author         - Paul Bergson
# Date Written   - September 20, 2010
# Description    - This will recreate the membership list of the AD security group "DynamicSecurityGroup".  This group is used to manage
#                  whose passwords are cached on the RODC in Timbuktu.
#                  By using the attribute City on users and Location on computers this is a dynamic security group.
#                  This script is run nightly.

# Get the AD cmdlets imported
Import-Module ActiveDirectory
$siteName = "Timbuktu"

# Clear all current members
Get-ADGroupMember DynamicSecurityGroup | %{ Remove-ADGroupMember DynamicSecurityGroup $_.SamAccountName -Confirm:$false }

# Add all users and computers with the site's City/Location value to the global security group
Get-ADUser     -Filter { city -like $siteName }     | %{ Add-ADGroupMember DynamicSecurityGroup $_.SamAccountName }
Get-ADComputer -Filter { location -like $siteName } | %{ Add-ADGroupMember DynamicSecurityGroup $_.SamAccountName }
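The delta version of script 2 that the note above asks for, as an added example (not the author's code): it diffs the current membership against the desired set and only issues Add/Remove calls for the changes, so an unchanged group causes no replication churn.  Group and site names are the post's placeholders.

```powershell
# Added example: delta-based rebuild of the RODC Password Replication Policy group
Import-Module ActiveDirectory
$GroupName = "DynamicSecurityGroup"
$SiteName  = "Timbuktu"

function Get-DesiredMembers {
    # Everyone who should be in the PRP group: users by City, computers by Location (the attributes script 1 maintains)
    $users     = @(Get-ADUser     -Filter { city -eq $SiteName }     | ForEach-Object { $_.DistinguishedName })
    $computers = @(Get-ADComputer -Filter { location -eq $SiteName } | ForEach-Object { $_.DistinguishedName })
    $users + $computers
}

function Sync-GroupMembership {
    param([string]$Group, [string[]]$Desired)
    $Desired = @($Desired | Where-Object { $_ })                # tolerate an empty desired set
    $current = @(Get-ADGroupMember -Identity $Group | ForEach-Object { $_.DistinguishedName })

    # Compare-Object: '=>' means desired but missing, '<=' means present but no longer desired
    $diff     = Compare-Object -ReferenceObject $current -DifferenceObject $Desired
    $toAdd    = @($diff | Where-Object { $_.SideIndicator -eq '=>' } | ForEach-Object { $_.InputObject })
    $toRemove = @($diff | Where-Object { $_.SideIndicator -eq '<=' } | ForEach-Object { $_.InputObject })

    # Only these two calls touch the directory, and only when there is something to change
    if ($toAdd.Count)    { Add-ADGroupMember    -Identity $Group -Members $toAdd }
    if ($toRemove.Count) { Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false }

    New-Object PSObject -Property @{
        Added     = $toAdd.Count
        Removed   = $toRemove.Count
        Unchanged = $current.Count - $toRemove.Count
    }
}

Sync-GroupMembership -Group $GroupName -Desired (Get-DesiredMembers) | Format-List Added, Removed, Unchanged
```

Get-ADGroupMember stops at the AD Web Services default of 5000 members, so a group larger than that needs Get-ADGroup -Properties member instead.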

KMS Server won't activate additional servers

I have had my KMS server up and running for several years without any problems.  Recently I was working on a new 2008 Standard Server and it wouldn't activate.

I attempted to first use the standard GUI on the Windows Activation screen.  I was even surprised it popped up since KMS usually just works.  I selected "Activate Windows online now", and a few moments later it came back with the response "The Product key you typed is already in use".

What does that mean? So I thought: forget it, I'm jumping to an elevated command line.

I ran slmgr -ato and I got the message it was activating and waiting for a click on the Ok button.  This was followed by the error message (What can't they open up a window within the program???).

Run 'slui.exe 0x2a 0xc004C008' to display the error text. Error: 0xC004C008

So I ran it as requested:

An error has occured

Code: 0xC004C008

Description: The activation server determined that the specified product key could not be used.

 

Finally something to work with.  It turns out there are limits placed on your KMS server and you have to contact Microsoft to get your KMS server limits increased.  So my sales rep and I contacted Microsoft Licensed Support at 1-866-230-0560.

They requested we send an upgrade request to the address kmsadd@microsoft.com

Ask for an increase in X number of activations on the key with the following details included:

  • Enrollment Number:
  • Company Name:
  • # of Activations:
  • KMS Key to modify:

It sure would have been helpful if Microsoft could have just said, "Hey Dude you have used up all your KMS licenses.  Please contact your local sales rep to get your count increased."

I have now gone through the requested steps and emailed my request but I still have to wait up to two business days for it to complete. 

The email response from their robot:

Thank you for your request for additional KMS activations. You can expect to receive a response within two business days. 

All support and responses provided through this alias will be in English.

 

Please reference Case ID:xxxxxxx for any questions regarding this request.

 

Hopefully the tags on this page help others to quickly solve this problem.              

 

Thanks to Josh Bussiere for his assistance.

 

Changing the Weight and Priority of a Domain Controller Within a Site

If you have multiple domain controllers (DCs) within a site, you may want one of them to be referred to more often, or only when no other DC is available.  Selection of a DC within a site is controlled by both the weight and the priority. 

Weight of a Domain Controller

By default all DCs have a weight of 100; the heavier the weight, the more often the DC is referred to.  The referral formula is elementary math: if there are two servers in a site and one has a weight of 100 and the other 200, the DC with twice the weight will receive twice the referrals.

To modify the weight of a dc the registry key:

 HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LdapSrvWeight is used.

 

Priority of a Domain Controller

By default all DCs have a priority of 0; the lower the value, the higher the priority.  The DC with the lowest priority value in the site will receive ALL authentication requests unless it is unavailable.  If the lowest-priority DC is unavailable then the next lowest DC in the site will receive all requests, and so on.

To modify the priority of a dc the registry key:

 HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LdapSrvPriority is used.

 

For additional information see: http://technet.microsoft.com/en-us/library/cc787370(WS.10).aspx

Posted by Paul Bergson | 0 Comments

Moving the NTP service to a new PDCe

Want to move the time service to the new PDCe? 

This is something that is required if you have just moved the PDCe to a new Domain Controller.

First you need to reset the old PDCe's time service, so that it is part of the domain hierarchy.
 
From a command prompt on the old NTP server:
 "net time /setsntp: "                  (Note the blank space before the closing quote.)
  This command tells the DC to delete the current registry settings for the time service.

Follow this by: 
 w32tm /config /syncfromflags:domhier /update
  This command should reset the domain time hierarchy.

Follow this by:
 net stop w32time && net start w32time
  This DC should now be part of the time domain hierarchy.

Next you need to assign the NTP service to the new PDCe

To verify the PDCe role run the following from a command prompt

Netdom query fsmo

Once you have established the correct DC, follow the steps below as taken from KB816042

  1. Change the server type to NTP. To do this, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
    3. In the right pane, right-click Type, and then click Modify.
    4. In Edit Value, type NTP in the Value data box, and then click OK.
  2. Set AnnounceFlags to 5. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
    2. In the right pane, right-click AnnounceFlags, and then click Modify.
    3. In Edit DWORD Value, type 5 in the Value data box, and then click OK.
  3. Enable NTPServer. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
    2. In the right pane, right-click Enabled, and then click Modify.
    3. In Edit DWORD Value, type 1 in the Value data box, and then click OK.
  4. Specify the time sources. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    2. In the right pane, right-click NtpServer, and then click Modify.
    3. In Edit Value, type Peers in the Value data box, and then click OK.

      Note Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes made in step 5 will not take effect.
  5. Select the poll interval. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
    2. In the right pane, right-click SpecialPollInterval, and then click Modify.
    3. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

      Note TimeInSeconds is a placeholder for the number of seconds that you want between each poll. A recommended value is 900 Decimal. This value configures the Time Server to poll every 15 minutes.
  6. Configure the time correction settings. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
    2. In the right pane, right-click MaxPosPhaseCorrection, and then click Modify.
    3. In Edit DWORD Value, click to select Decimal in the Base box.
    4. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

      Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.
    5. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection
    6. In the right pane, right-click MaxNegPhaseCorrection, and then click Modify.
    7. In Edit DWORD Value, click to select Decimal in the Base box.
    8. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

      Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.
  7. Quit Registry Editor.
  8. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:
    net stop w32time && net start w32time
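Steps 1 through 8 applied from PowerShell, as an added example (not part of KB816042 or the post): it writes the same registry values with Set-ItemProperty so every new PDCe gets identical settings, then reads them back, including the ",0x1" check from the step 4 note.  Peer names and intervals are constructed placeholders; run it elevated on the PDCe.

```powershell
# Added example: apply the KB816042 registry settings for an authoritative time source and verify them
$W32         = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$Peers       = 'time.example.net,0x1 time2.example.net,0x1'   # constructed; every peer needs ,0x1 (step 4 note)
$PollSeconds = 900                                             # step 5: poll every 15 minutes
$MaxPhase    = 3600                                            # step 6: allow up to 1 hour of correction

function Set-PdceTimeSource {
    param([string]$PeerList, [int]$Poll, [int]$MaxCorrection)
    Set-ItemProperty "$W32\Parameters"              -Name Type                 -Value 'NTP'                       # step 1
    Set-ItemProperty "$W32\Config"                  -Name AnnounceFlags        -Value 5             -Type DWord   # step 2
    Set-ItemProperty "$W32\TimeProviders\NtpServer" -Name Enabled              -Value 1             -Type DWord   # step 3
    Set-ItemProperty "$W32\Parameters"              -Name NtpServer            -Value $PeerList                   # step 4
    Set-ItemProperty "$W32\TimeProviders\NtpClient" -Name SpecialPollInterval  -Value $Poll         -Type DWord   # step 5
    Set-ItemProperty "$W32\Config"                  -Name MaxPosPhaseCorrection -Value $MaxCorrection -Type DWord  # step 6
    Set-ItemProperty "$W32\Config"                  -Name MaxNegPhaseCorrection -Value $MaxCorrection -Type DWord
    Restart-Service w32time                                                                                       # step 8
}

function Test-PdceTimeSource {
    # Read back what was written and flag any peer that is missing the ,0x1 flag
    $p = Get-ItemProperty "$W32\Parameters"
    $c = Get-ItemProperty "$W32\Config"
    $badPeers = @($p.NtpServer -split '\s+' | Where-Object { $_ -notmatch ',0x1$' })
    New-Object PSObject -Property @{
        Type             = $p.Type
        AnnounceFlags    = $c.AnnounceFlags
        NtpServer        = $p.NtpServer
        PeersMissingFlag = $badPeers.Count
        MaxPos           = $c.MaxPosPhaseCorrection
        MaxNeg           = $c.MaxNegPhaseCorrection
    }
}

Set-PdceTimeSource -PeerList $Peers -Poll $PollSeconds -MaxCorrection $MaxPhase
Test-PdceTimeSource | Format-List Type, AnnounceFlags, NtpServer, PeersMissingFlag, MaxPos, MaxNeg
```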

 Reference - "Keeping the Domain on Time" a Microsoft Blog
http://blogs.msdn.com/b/w32time/archive/2007/09/04/keeping-the-domain-on-time.aspx

Posted by Paul Bergson | 2 Comments

AD Clients Not Authenticating to its Local Site

Ever have a branch office or site whose clients don't authenticate to the local DC?  Administrators get confused and start looking at the client to try to figure out what is wrong, when it is most likely an incorrectly configured Sites and Services subnet.  When a workstation first logs on (machines log onto the domain, just like users) it sends out a DNS query to locate a service record of the closest DC for the subnet this workstation resides on. 

There are three possible scenarios for a client to attach to a DC:

  1. The subnet that this machine resides on has been properly defined in Sites and Services
  2. The site this machine belongs to doesn't have a domain controller within its site
  3. This machine's subnet hasn't been defined in Sites and Services

There is no reason to go over scenario one, since everything is working as expected

Scenario two should be working as well, since auto site coverage was implemented in Windows 2003.  Domain controllers register their DNS service (SRV) records in nearby sites that contain no DCs.  This action is known as "Automatic Site Coverage" (ASC); ASC factors in the site link costs to compute the cheapest route for the clients in the DC-less site.

Scenario three is a mistake in the Sites and Services topology defined by the administrator.  Although the client and domain controller both exist in the same subnet, the subnet hasn't been defined in Sites and Services.  Therefore when the client machine invokes the DC Locator service, the DC in the local site isn't offered to authenticate the machine or the user.  Instead a DC from the default site within Sites and Services is presented to the client.  Also, the log file netlogon.log on the authenticating DC is updated with a line noting the missing subnet.  I check this log file weekly to verify that our network crew didn't add any new subnets without our group being notified. 

Just run the following from a command prompt on your default-site DCs to see if there are any undefined subnets:

notepad.exe %systemroot%\Debug\Netlogon.log

 You will need to examine each DC to verify that all your sites are defined.

To clear out this log, the NetLogon service needs to be stopped before saving it.
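Reading the log by hand gets old once a few hundred clients are involved, so here is an added example (not from the original post) that parses the missing-subnet lines Netlogon writes and groups the client addresses by /24, giving you a list of subnets to define rather than raw lines.  It assumes the 'MM/DD HH:MM:SS [MISC] NO_CLIENT_SITE: <host> <ip>' line format that the Netlogon service uses for these entries; the sample lines are constructed.

```powershell
# Added example: turn netlogon.log NO_CLIENT_SITE entries into a per-subnet report
$SampleLog = @'
09/27 08:12:01 [MISC] NO_CLIENT_SITE: WKS-1042 10.50.7.23
09/27 08:12:09 [LOGON] SamLogon: Network logon of DOMAIN\jdoe from WKS-1042 Entered
09/27 08:13:44 [MISC] NO_CLIENT_SITE: WKS-1043 10.50.7.88
09/27 09:02:17 [MISC] NO_CLIENT_SITE: LAB-PRN01 192.168.77.5
09/27 09:40:02 [MISC] NO_CLIENT_SITE: WKS-1042 10.50.7.23
'@ -split "`r?`n"

function ConvertFrom-NetlogonLog {
    param([string[]]$Lines, [string]$Source = 'sample')
    # Keep only NO_CLIENT_SITE entries and pull out the host name and IPv4 address
    $Lines | Select-String 'NO_CLIENT_SITE:\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})' | ForEach-Object {
        $ip = $_.Matches[0].Groups[2].Value
        New-Object PSObject -Property @{
            DC     = $Source
            Client = $_.Matches[0].Groups[1].Value
            IP     = $ip
            Subnet = ($ip -replace '\.\d{1,3}$', '.0/24')   # report at /24 granularity; adjust if your subnets differ
        }
    }
}

function Get-UndefinedSubnetReport {
    param($Entries)
    $Entries | Group-Object Subnet | Sort-Object Count -Descending | ForEach-Object {
        New-Object PSObject -Property @{
            Subnet  = $_.Name
            Hits    = $_.Count
            Clients = (@($_.Group | ForEach-Object { $_.Client } | Sort-Object -Unique) -join ', ')
            SeenOn  = (@($_.Group | ForEach-Object { $_.DC }     | Sort-Object -Unique) -join ', ')
        }
    }
}

# Offline run against the constructed sample
Get-UndefinedSubnetReport (ConvertFrom-NetlogonLog -Lines $SampleLog) | Format-Table Subnet, Hits, Clients, SeenOn -AutoSize

# Live run: read each default-site DC's log over its admin share (DC names are placeholders)
# $all = foreach ($dc in 'dc1.domain.com', 'dc2.domain.com') {
#     ConvertFrom-NetlogonLog -Lines (Get-Content "\\$dc\admin`$\Debug\netlogon.log") -Source $dc
# }
# Get-UndefinedSubnetReport $all | Format-Table Subnet, Hits, Clients, SeenOn -AutoSize
```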

Best Practices - Sites and Services
http://technet.microsoft.com/en-us/library/cc755768(WS.10).aspx

Active Directory Cleanup - The Most Common Question I See

I am out in the Microsoft newsgroups, and quite often I see someone having trouble with their Active Directory (AD) domain.  The number one issue I see is that they lose a Domain Controller (DC) and just move on, without realizing that the rest of the DCs need to be told that this machine is not coming back, or they attempt to reintroduce a DC into the domain with the same name without cleaning up the metadata within AD.

 

To clean up AD after a lost DC is relatively simple and a script has been released that now makes it so there is no need to use ntdsutil.  The few times I have had to clean up AD, I still use the manual method but I like to feel in control of things and see what is happening.  There should be nothing wrong in using the script.

 

The KB article to manually cleanup the metadata is 216498

The TechNet script to clean up the metadata is linked here addmvb04

 

Once you have cleaned things up you still have to go into Active Directory Sites and Services and remove the lost DC from the site in which it belonged.  This is a requirement even if you had a successful demotion.  The steps for this are outlined at the end of each section within the manual cleanup.

 

Update 

With the release of 2008, there have been enhancements to no longer require scripting or command line.  Just be sure to use the 2008 console of Sites and Services outlined in the link below:

http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx

Posted by Paul Bergson | 1 Comments

Disabling IPv6 on Windows 2008

I have run into nothing but trouble with IPv6.  Not that there is anything in particular that is wrong, but not all apps understand it and can work with it.  For example I am running a geographically dispersed cluster on Windows Server 2008 with Exchange 2007 on a Dell 2950.  I am getting these odd Event Log errors 2501, 2601 and 2604. 

When updating security for a remote procedure call (RPC) access for the Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object xxxxxxx - Error code=8007077f.  The Exchange Active Directory Topology service will continue with limited permissions.

For my experience it turns out a tunnel adapter on the 2950 is mapping a DNS record on IPv6.  I thought I had disabled all the IPv6 pieces but I was mistaken. 

The following recipe should be what is needed to disable all pieces of IPv6 on Windows Server 2008 (as well as Vista), and to enable ping on IPv4.


Enable pings (the firewall doesn't allow IPv4 pings by default)
    Server Manager / Configuration / Windows Firewall with Advanced Security / Inbound Rules
        Action / New Rule
            Select Custom, Next
            Select All Programs, Next
            Protocol Type = ICMPv4, Next
            Local IP Address = Any
            Remote IP Address = Any, Next
            Select "Allow the connection", Next
            Check Domain, Private and Public, Next
            Name = IPv4
        Finish

Network
    Right-click Network Places
    Select Manage Network Connections; for each enabled and used NIC:
        Right-click Local Area Connection, select Properties
            Networking tab
                Deselect IPv6
            Close

Disable tunneling (but not the loopback interface)
    Regedit (for additional info see http://technet.microsoft.com/en-us/library/bb878057.aspx)
        Add the following value
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents
                DWORD => FFFFFFFF

Change the NIC provider order
    Network Connections
        Advanced
            Advanced Settings
                Provider Order
                    Move Microsoft Windows Network to the top

Posted by Paul Bergson | 9 Comments

Bare Metal Backup and Recovery of a Windows 2008 Server with WBAdmin

I work in a shop where we are unable to roll out the latest version of Veritas' NetBackup (NBU) due to bugs.  Although version 6.5.3 now supports Windows 2008, it can't provide a clean backup that can be trusted, so we needed to find a way to roll out a backup product.  So while we wait for Veritas to get its act together (one year and counting) we have chosen to back up our Windows 2008 physical machines using WBAdmin.  Our virtual machines are all backed up via snapshotting technology, so this is not a factor.  So as we start to roll out physical machines I built this set of details (which is still in flux).  The nice thing about the details below is that they allow you to do a rebuild without having to preload anything.  It even partitions the disk for you; this is really slick technology.

 

What does this have to do with AD, you might ask?  Well, we need to roll out 2008 and we have to have a reliable means to back up our DCs, so this is it.  I'm not sure if others are in the quandary we are, but if so, I hope this helps out.

 

The info below is for backing up machines to an external disk using a UNC path for the destination.  Unfortunately you can't schedule these through the backup GUI.  That option is only available for backing up a disk to another local disk; I'm not sure why WBAdmin won't allow UNC pathing, but trust me that it won't work.  So you will have to build a scheduled task to run your nightly backup.
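The scheduled task you have to build yourself, as an added example (not from the original post): a small wrapper script runs the wbadmin command used below, records the exit code in the Application event log so monitoring sees failures, and schtasks registers it nightly.  The share, volumes, script path and service account are constructed placeholders.

```powershell
# Added example: register a nightly WBAdmin backup to a UNC target via a scheduled task
$BackupTarget = '\\backupsrv\wbadmin$'     # constructed; restrict the share and NTFS ACLs to the backup account
$Volumes      = 'c:,e:'
$ScriptPath   = 'C:\Scripts\NightlyWbadmin.ps1'
$TaskUser     = 'DOMAIN\svc_backup'        # constructed; needs Backup Operators locally and write access to the share

# Wrapper the task runs; single-quoted here-string so nothing expands until the task executes it
$Wrapper = @'
param([string]$Target, [string]$Include)
$source = 'NightlyWbadmin'
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) { New-EventLog -LogName Application -Source $source }

$output = & wbadmin start backup -backupTarget:$Target -include:$Include -quiet -vssfull 2>&1
$rc = $LASTEXITCODE

# 0 means wbadmin reported success; anything else is an error worth alerting on
if ($rc -eq 0) { $type = 'Information'; $id = 1000 } else { $type = 'Error'; $id = 1001 }
Write-EventLog -LogName Application -Source $source -EventId $id -EntryType $type -Message ("wbadmin exit code $rc`n" + ($output -join "`n"))
exit $rc
'@

New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $Wrapper

# Register the task: daily at 23:00, highest privileges, password prompted once (/RP *)
$Command = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $ScriptPath -Target $BackupTarget -Include $Volumes"
schtasks /Create /TN "Nightly WBAdmin" /TR $Command /SC DAILY /ST 23:00 /RU $TaskUser /RP * /RL HIGHEST /F
```

A backup written to a network share replaces the previous backup of the same machine in that folder, so keep the versions you need by rotating the target folder or copying them off.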

 

Hopefully the info below will be of assistance and please let me know of any issues you find with this article.

 

Backing up a Windows Server 2008 with snapshot enabled:

wbadmin start backup -backupTarget:\\servername\sharename -include:c:,e: -quiet -vssfull

 

wbadmin 1.0 - Backup command-line tool

(C) Copyright 2004 Microsoft Corp.

 

Retrieving volume information...

 

This would backup volume systems(C:) to \\servername\sharename.

 

Backup to \\servername\sharename is starting.

 

Creating the shadow copy of volumes requested for backup.                                               

Running backup of volume systems(C:), copied (1%).

Running backup of volume systems(C:), copied (4%).

Running backup of volume systems(C:), copied (98%).

Backup of volume systems(C:) completed successfully.

Backup completed successfully.

 

Summary of backup:

------------------

Backup of volume systems(C:) completed successfully.

 

 

Finding out the versions currently available to restore:

wbadmin get versions -backuptarget:\\servername\sharename

wbadmin 1.0 - Backup command-line tool
(C) Copyright 2004 Microsoft Corp.

Backup time: 11/25/2008 10:55 AM
Backup target: Network Share labeled \\servername\sharename
Version identifier: 11/25/2008-16:55
Can Recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

Finding out what specifically is available within a version backup:

wbadmin get items -Version:11/25/2008-16:55

wbadmin 1.0 - Backup command-line tool
(C) Copyright 2004 Microsoft Corp.

Volume Id = {7896551d-751d-11dd-8929-806e6f6e6963}
Volume 'systems', mounted at C:
Application = Registry
Component = Registry (\Registry)
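The nightly scheduled task the post says you have to build yourself, as an added example (this is not the post's own script). It registers the same wbadmin command shown above with schtasks.exe, which is built in on Server 2008, and adds a small check of the log afterwards. The share path and volumes come from the post; the task name, run-as account and log directory are assumptions to change for your environment.

```powershell
# Added example, not code from the original post: register a nightly WBAdmin backup to a
# UNC share as a scheduled task, since the Windows Server Backup GUI cannot schedule a
# backup to a UNC target. Assumed values: task name, run-as account, log directory.
# schtasks.exe and wbadmin.exe are the built-in tools on Windows Server 2008.

$BackupTarget = '\\servername\sharename'   # share from the post; assumed to exist and be writable by $RunAs
$Volumes      = 'c:,e:'                     # volumes to include, as in the post's command
$TaskName     = 'Nightly-WBAdmin-Backup'    # assumed task name
$RunAs        = 'DOMAIN\backupsvc'          # assumed account: Backup Operators member, "Log on as a batch job" right
$LogDir       = 'C:\BackupLogs'             # assumed local log directory (no spaces, to keep /TR quoting simple)
$LogFile      = Join-Path $LogDir 'wbadmin-nightly.log'

if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

# The same command as in the post. -quiet suppresses the confirmation prompt, which would
# otherwise leave an unattended task hanging; -vssFull records a full VSS backup.
$BackupCommand = "wbadmin start backup -backupTarget:$BackupTarget -include:$Volumes -quiet -vssFull"

# Run it through cmd.exe so stdout and stderr land in a log file you can check the next morning.
$TaskAction = "cmd.exe /c $BackupCommand >> $LogFile 2>&1"

# Daily at 23:00, as the backup account, with highest privileges (wbadmin needs elevation).
# /RP * makes schtasks prompt for the password instead of taking it on the command line,
# where it would be visible in the process list and in shell history.
schtasks.exe /Create /F /TN $TaskName /SC DAILY /ST 23:00 /RL HIGHEST /RU $RunAs /RP * /TR $TaskAction

# Confirm the task registered and see its next run time.
schtasks.exe /Query /TN $TaskName /V /FO LIST

# After the first run: does the tail of the log carry wbadmin's success line? This is the
# same "Backup completed successfully." text shown in the post's output.
function Test-LastBackupSucceeded {
    param([string]$Path = $LogFile)
    if (-not (Test-Path $Path)) { return $false }
    $tail = Get-Content $Path | Select-Object -Last 20
    return [bool]($tail -match 'Backup completed successfully')
}
Test-LastBackupSucceeded
```

Two things to keep in mind when you run this against a DC. The image written to that share is a bare-metal / system-state backup, so it contains the AD database; restrict the share and NTFS permissions to the backup account and domain administrators rather than leaving it on a general-purpose file server. And Windows Server Backup keeps only the most recent backup when the target is a remote shared folder, so a nightly task like this overwrites the previous night's copy; if you need history, rotate targets or copy the image off the share after each run.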


Recover a Failed System:

Boot up the machine with a W2K8 install disk (make sure to use the correct bit length, x32 or x64)
    … Windows is loading files…
Accept English
Next
Select “Repair Your Computer”
Click “Load Drivers”
    Ok
    Browse the media for the drivers (make sure to use the correct bit length, x32 or x64)
    Click Add Drivers
Next

 

I would recommend that you verify you have a good network connection by checking the NIC's activity lights.  I had issues with a NIC on a couple of different occasions that boiled down to a bad network connection.

 

Select “Windows Complete PC Restore”
Cancel
    Select Restore a Different Backup
        Next
    Select Advanced
        Select Search for a backup on the network
            Yes
            \\ip address of server\sharename
                Ok
            Enter domain\domain user id and password
Select the backup to restore
    Next
Select the drive(s) to restore
    Next
Select Exclude Disks
    Select any disk you may want to exclude from the restore
    Select Advanced
        Deselect Restart computer…   (This is done for visual inspection to verify that the restore went correctly)
    Next
Finish
Confirm reformatting
    Ok

Troubleshooting Active Directory Issues

There are a number of different issues that can create problems with Active Directory.  When someone has trouble and is unclear as to why, I usually suggest the following:

Run diagnostics against your Active Directory domain.

If you don't have the Support Tools installed, install them from your server install disk:
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode:
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (on each DC)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
      A quick little summary: repadmin /replsum > c:\replsum.txt
-> dnslint /ad /s "ip address of your dc"

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take
into account slow links to dc's will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be output
in notepad text files that pop up automagically.

The script is located on my website at
http://www.pbbergs.com/windows/downloads.htm

Just select both dcdiag and netdiag and make sure verbose is set (leave the default settings for dcdiag as set when selected).

When complete, search the output for fail, error and warning messages.
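The collect-then-search routine above, done from a PowerShell prompt instead of the GUI script, as an added example that is not the post's own script. It runs the same dcdiag and repadmin commands listed in the post, writes each tool's output to its own file, and then pulls out the fail/error/warning lines to read first. The $Dc and $OutDir defaults are assumptions; dcdiag.exe and repadmin.exe are assumed to be on the PATH.

```powershell
# Added example, not code from the original post: run the diagnostics the post lists against
# one DC, keep each tool's output in its own file, and pull out the fail/error/warning lines
# to read first. Assumes dcdiag.exe and repadmin.exe are on the PATH (built in on a
# Server 2008 DC; from the Support Tools on 2003). netdiag.exe is only run if it is actually
# present, since it is not shipped with Server 2008. $Dc and $OutDir defaults are assumptions.
param(
    [string]$Dc     = $env:COMPUTERNAME,
    [string]$OutDir = 'C:\ADDiag'
)

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

# Same commands as the post. /E (every DC in the forest) is deliberately left off so the run
# stays scoped to $Dc; add it back when you actually want the forest-wide report and have
# time for it.
$Runs = @(
    @{ File = 'dcdiag.log';  Command = "dcdiag /v /c /d /s:$Dc" },
    @{ File = 'repl.txt';    Command = 'repadmin /showrepl dc* /verbose /all /intersite' },
    @{ File = 'replsum.txt'; Command = 'repadmin /replsum' }
)
if (Get-Command netdiag.exe -ErrorAction SilentlyContinue) {
    $Runs += ,@{ File = 'netdiag.log'; Command = 'netdiag /v' }
}

foreach ($run in $Runs) {
    $outFile = Join-Path $OutDir $run.File
    Write-Host "Running: $($run.Command) -> $outFile"
    # cmd.exe handles the redirection so stderr from the tools is captured as well.
    cmd.exe /c "$($run.Command) > $outFile 2>&1"
}

# The search step from the post: lines mentioning fail, error or warning. Select-String is
# case-insensitive by default. Expect some noise ("0 errors", "passed test"), so treat the
# list as where to start reading, not as a verdict.
function Get-DiagHits {
    param([string]$Dir = $OutDir)
    Select-String -Path (Join-Path $Dir '*') -Pattern 'fail|error|warning' |
        Select-Object Filename, LineNumber, Line
}

$hits = Get-DiagHits
$hits | Format-Table -AutoSize -Wrap
Write-Host ("{0} candidate lines found under {1}" -f @($hits).Count, $OutDir)
```

Run it from an elevated prompt on the DC (or on a member server with the tools installed, passing -Dc). The output files are what you would post to a forum thread, so review them for hostnames and addresses you do not want to publish before uploading.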


DCDiag explanation
http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx


Description and download for dnslint
http://support.microsoft.com/kb/321045

If you are working with folks in a forum and will be posting log errors consider using Skydrive and then include the link to the logs in the post.

http://explore.live.com/windows-live-skydrive


 
