Dirteam.com/ActiveDir.org Blogs

Paul Bergson

  • KMS Server won't activate additional servers

    I have had my KMS server up and running for several years without any problems.  Recently I was working on a new 2008 Standard Server and it wouldn't activate.

    I attempted to first use the standard GUI on the Windows Activation screen.  I was even surprised it popped up since KMS usually just works.  I selected "Activate Windows online now", a few moments later it came back with the response "The Product key you typed is already in use".

    What does that mean? So I thought: forget it, I'm jumping to an elevated command line.

    I ran slmgr -ato and I got the message it was activating and waiting for a click on the Ok button.  This was followed by the error message (Why can't they open up a window within the program???).

    Run 'slui.exe 0x2a 0xc004C008' to display the error text. Error: 0xC004C008

    So I ran it as requested:

    An error has occured

    Code: 0xC004C008

    Description: The activation server determined that the specified product key could not be used.

     

    Finally something to work with.  It turns out there are limits placed on your KMS server and you have to contact Microsoft to get your KMS server limits increased.  So my sales rep and I contacted Microsoft Licensed Support at 1-866-230-0560.

    They requested we send an upgrade request to the address kmsadd@microsoft.com.

    Ask for an increase in X number of activations on the key with the following details included:

    • Enrollment Number:
    • Company Name:
    • # of Activations:
    • KMS Key to modify:

    It sure would have been helpful if Microsoft could have just said, "Hey Dude you have used up all your KMS licenses.  Please contact your local sales rep to get your count increased."

    I have now gone through the requested steps and emailed my request but I still have to wait up to two business days for it to complete. 

    The email response from their robot:

    Thank you for your request for additional KMS activations. You can expect to receive a response within two business days. 

    All support and responses provided through this alias will be in English.

     

    Please reference Case ID:xxxxxxx for any questions regarding this request.

     

    Hopefully the tags on this page help others to quickly solve this problem.              

     

    Thanks to Josh Bussiere for his assistance.

     

  • Changing the Weight and Priority of a Domain Controller Within a Site

    If you have multiple domain controllers (DCs) within a site, you may want one of these DCs referred to more often, or only when no other DC is available.  Selection of a DC within a site is controlled by both the weight and the priority.

    Weight of a Domain Controller

    By default all DCs have a weight of 100; the heavier the weight, the more often the DC is referred to.  The formula for the referral is elementary math: if there are two servers in a site and one has a weight of 100 and the other 200, the DC with twice the weight will receive twice the referrals.

    To modify the weight of a DC, the registry value

     HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LdapSrvWeight is used.

     

    Priority of a Domain Controller

    By default all DCs have a priority of 0; the lower the number, the higher the priority.  The DC with the lowest priority value in the site will receive ALL authentication requests unless it is unavailable.  If the lowest-priority DC is unavailable, then the next lowest DC in the site will receive all requests, etc.

    To modify the priority of a DC, the registry value

     HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LdapSrvPriority is used.

     

    For additional information see: http://technet.microsoft.com/en-us/library/cc787370(WS.10).aspx
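    The weight and priority settings above as a script, with the check that matters: what the DC actually registers in DNS after the change. This is an added example, not code from the original post; the domain and site names are placeholders, and it assumes it is run elevated on the DC being changed (Netlogon re-registers the SRV records when restarted).

```powershell
# Added example (not from the original post). Assumptions: run elevated on the DC itself;
# 'corp.example.com' and 'HQ' are placeholders. Resolve-DnsName needs the DnsClient module
# (Windows 8 / Server 2012 or later); on 2008 use nslookup -type=SRV for the same record.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-DcReferralSettings {
    param(
        [ValidateRange(0,65535)][int]$Weight   = 100,   # default 100; higher = more referrals
        [ValidateRange(0,65535)][int]$Priority = 0      # default 0; lowest number is preferred
    )
    # DWORD values; -Force creates the value if it does not exist yet
    New-ItemProperty -Path $NetlogonParams -Name LdapSrvWeight   -PropertyType DWord -Value $Weight   -Force | Out-Null
    New-ItemProperty -Path $NetlogonParams -Name LdapSrvPriority -PropertyType DWord -Value $Priority -Force | Out-Null
    # Netlogon re-registers its SRV records with the new values when it restarts
    Restart-Service Netlogon
}

function Get-DcReferralSettings {
    $p = Get-ItemProperty -Path $NetlogonParams
    [pscustomobject]@{
        Weight   = if ($null -ne $p.LdapSrvWeight)   { $p.LdapSrvWeight }   else { 100 }  # absent = default
        Priority = if ($null -ne $p.LdapSrvPriority) { $p.LdapSrvPriority } else { 0 }
    }
}

function Get-SiteLdapSrvRecords {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$Site)
    # The SRV record every DC in $Site registers; Priority/Weight are the columns clients sort by
    Resolve-DnsName -Name "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Priority, Weight, Port
}

function Get-ExpectedReferralShare {
    param([Parameter(Mandatory)][object[]]$SrvRecords)
    # Only the DCs sharing the lowest (best) priority value are eligible; weight splits traffic among them
    $best     = ($SrvRecords | Measure-Object -Property Priority -Minimum).Minimum
    $eligible = $SrvRecords | Where-Object { $_.Priority -eq $best }
    $total    = ($eligible | Measure-Object -Property Weight -Sum).Sum
    foreach ($r in $eligible) {
        # all-zero weights: the RFC 2782 rule is an equal pick, so report an equal share
        $share = if ($total -eq 0) { 1 / $eligible.Count } else { $r.Weight / $total }
        [pscustomobject]@{ Target = $r.NameTarget; Priority = $r.Priority; Weight = $r.Weight; Share = [math]::Round($share, 3) }
    }
}

# Example run (placeholders):
# Set-DcReferralSettings -Weight 200 -Priority 0
# Get-DcReferralSettings
# $srv = Get-SiteLdapSrvRecords -Domain 'corp.example.com' -Site 'HQ'
# Get-ExpectedReferralShare -SrvRecords $srv      # a 200-weight DC next to a 100-weight DC shows Share 0.667 / 0.333
```

    Get-ExpectedReferralShare is the "elementary math" from the post applied to the records a client would actually receive: it drops any DC whose priority value is higher than the best one and divides the remaining weights. If the share you expect is not what DNS shows, the SRV record is stale and Netlogon has not re-registered yet.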

  • Moving the NTP service to a new PDCe

    Want to move the time service to the new PDCe? 

    This is something that is required if you have just moved the PDCe to a new Domain Controller.

    First you need to reset the old PDCe's time service, so that it is part of the domain hierarchy again.

    From a command prompt on the old NTP server:
      "net time /setsntp: "                  (Note the blank space prior to the closing ")
      The prior command line tells the DC to delete the current registry settings for the time service

    Follow this by:
      w32tm /config /syncfromflags:domhier /update
      The prior command line should reset the domain time hierarchy

    Follow this by:
      net stop w32time && net start w32time
      This DC should now be part of the domain time hierarchy

    Next you need to assign the NTP service to the new PDCe

    To verify the PDCe role run the following from a command prompt

    Netdom query fsmo

    Once you have established the correct DC, follow the steps below as taken from KB816042

    1. Change the server type to NTP. To do this, follow these steps:
      1. Click Start, click Run, type regedit, and then click OK.
      2. Locate and then click the following registry subkey:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
      3. In the right pane, right-click Type, and then click Modify.
      4. In Edit Value, type NTP in the Value data box, and then click OK.
    2. Set AnnounceFlags to 5. To do this, follow these steps:
      1. Locate and then click the following registry subkey:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
      2. In the right pane, right-click AnnounceFlags, and then click Modify.
      3. In Edit DWORD Value, type 5 in the Value data box, and then click OK.
    3. Enable NTPServer. To do this, follow these steps:
      1. Locate and then click the following registry subkey:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
      2. In the right pane, right-click Enabled, and then click Modify.
      3. In Edit DWORD Value, type 1 in the Value data box, and then click OK.
    4. Specify the time sources. To do this, follow these steps:
      1. Locate and then click the following registry subkey:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
      2. In the right pane, right-click NtpServer, and then click Modify.
      3. In Edit Value, type Peers in the Value data box, and then click OK.

        Note Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes made in step 5 will not take effect.
    5. Select the poll interval. To do this, follow these steps:
      1. Locate and then click the following registry subkey:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
      2. In the right pane, right-click SpecialPollInterval, and then click Modify.
      3. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

        Note TimeInSeconds is a placeholder for the number of seconds that you want between each poll. A recommended value is 900 Decimal. This value configures the Time Server to poll every 15 minutes.
    6. Configure the time correction settings. To do this, follow these steps:
      1. Locate and then click the following registry subkey:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
      2. In the right pane, right-click MaxPosPhaseCorrection, and then click Modify.
      3. In Edit DWORD Value, click to select Decimal in the Base box.
      4. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

        Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.
      5. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection
      6. In the right pane, right-click MaxNegPhaseCorrection, and then click Modify.
      7. In Edit DWORD Value, click to select Decimal in the Base box.
      8. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

        Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.
    7. Quit Registry Editor.
    8. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:
      net stop w32time && net start w32time
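    The whole move, old PDCe and new PDCe, as one script. This is an added example, not code from the original post or from KB816042; the peer list is a placeholder, the poll interval and phase-correction values are the ones the KB suggests, and each part assumes it is run elevated on the DC named in its comment.

```powershell
# Added example (not from the post or KB816042). Assumptions: peers are placeholders;
# Reset-OldPdcTimeSource runs on the OLD PDCe, the rest on the NEW PDCe, all elevated.

# --- Part 1: old PDCe goes back to following the domain hierarchy ---
function Reset-OldPdcTimeSource {
    w32tm /config /syncfromflags:domhier /update      # same as the post's w32tm line
    Restart-Service w32time                           # same as net stop/start w32time
    w32tm /resync /nowait
}

# --- Part 2: confirm which DC holds the role before touching it ---
function Confirm-PdcRole {
    # netdom query fsmo lists all five roles; keep only the PDC line
    (netdom query fsmo) | Where-Object { $_ -match '^PDC' }
}

# --- Part 3: KB816042 steps 1-8 as registry writes on the new PDCe ---
function Set-PdcAsNtpServer {
    param(
        [Parameter(Mandatory)][string]$Peers,         # 'time1.example.com,0x1 time2.example.com,0x1'
        [int]$PollIntervalSeconds = 900,              # KB recommended value: poll every 15 minutes
        [int]$MaxPhaseCorrectionSeconds = 3600        # 1 hour, one of the values the KB suggests
    )
    # KB step 4: every peer must carry the ,0x1 flag or the poll interval is ignored
    foreach ($peer in ($Peers -split '\s+')) {
        if ($peer -notmatch ',0x1$') { throw "Peer '$peer' must end in ,0x1 (KB816042 step 4)" }
    }
    $w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    Set-ItemProperty -Path "$w32\Parameters"              -Name Type                 -Value 'NTP'                      # step 1
    Set-ItemProperty -Path "$w32\Config"                  -Name AnnounceFlags        -Value 5                          # step 2
    Set-ItemProperty -Path "$w32\TimeProviders\NtpServer" -Name Enabled              -Value 1                          # step 3
    Set-ItemProperty -Path "$w32\Parameters"              -Name NtpServer            -Value $Peers                     # step 4
    Set-ItemProperty -Path "$w32\TimeProviders\NtpClient" -Name SpecialPollInterval  -Value $PollIntervalSeconds       # step 5
    Set-ItemProperty -Path "$w32\Config"                  -Name MaxPosPhaseCorrection -Value $MaxPhaseCorrectionSeconds # step 6
    Set-ItemProperty -Path "$w32\Config"                  -Name MaxNegPhaseCorrection -Value $MaxPhaseCorrectionSeconds # step 6
    Restart-Service w32time                                                                                            # step 8
    w32tm /resync /nowait
}

# --- Part 4: the check ---
function Test-TimeConfiguration {
    # Source 'Local CMOS Clock' on the PDCe means none of the peers answered; stratum should be peer stratum + 1
    w32tm /query /status
    w32tm /query /configuration
}

# Confirm-PdcRole
# Set-PdcAsNtpServer -Peers 'time1.example.com,0x1 time2.example.com,0x1'
# Test-TimeConfiguration
```

    The registry writes above are what the KB's regedit steps do; the equivalent single command on Windows Server 2008 is `w32tm /config /manualpeerlist:"time1.example.com,0x1 time2.example.com,0x1" /syncfromflags:manual /reliable:yes /update` followed by a service restart. Whichever form you use, run Test-TimeConfiguration afterwards: the new PDCe must report an external source, and the old one must report a domain DC as its source, or clients will end up with two competing stratum-1 servers.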

     

  • AD Clients Not Authenticating to its Local Site

    Ever have a Branch Office or Site whose clients don't authenticate to the local DC?  Administrators get confused and start looking at the client to try to figure out what is wrong, when it is most likely an incorrectly configured Sites and Services subnet situation.  When a workstation first logs on (machines log onto the domain, just like users) it sends out a DNS query to locate a service record of the closest DC for the subnet this workstation resides on.

    There are three possible scenarios for a client to attach to a DC:

    1. The subnet that this machine resides on has been properly defined in Sites and Services
    2. The site this machine belongs to doesn't have a domain controller within its site
    3. This machine's subnet hasn't been defined in Sites and Services

    There is no reason to go over scenario one, since everything is working as expected.

    Scenario two should be working as well, since auto site coverage was implemented in Windows 2003.  Domain Controllers should register their DNS service (SRV) records in nearby sites that contain no DCs.  This action is known as "Automatic Site Coverage" (ASC); ASC has to factor in the link costs associated with a site to compute the cheapest route for the DC-less clients within the site.

    Scenario three is a mistake in the Sites and Services topology defined by the administrator.  Although the client and Domain Controller both exist in the same subnet, the subnet hasn't been defined in Sites and Services.  Therefore when the client machine invokes the DC Locator service, the DC in the local site isn't offered to authenticate the machine or the user.  Instead a DC from the default site within Sites and Services is presented to the client.  Also the log file netlogon.log on the authenticating DC is updated with a line noting the missing subnet.  I check this log file weekly to verify that our network crew didn't add any new subnets without our group being notified.

    Just run the following from a command prompt on your default-site DCs to see if there are any undefined subnets:

    notepad.exe %systemroot%\Debug\Netlogon.log
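    Reading the log in Notepad works, but the weekly check the post describes is easier to repeat as a script that pulls out the NO_CLIENT_SITE lines and groups the client addresses. This is an added example, not code from the original post: the log lines are constructed to mimic the netlogon.log format, and the /24 grouping is an assumption used only to suggest candidate subnets (the real mask must be confirmed with whoever added the network).

```powershell
# Added example (not from the post). The sample lines are constructed; the /24 grouping is an
# assumption, not something netlogon.log tells you. Run on the DC that is doing the authenticating.

function Get-UndefinedSubnetClients {
    param([Parameter(Mandatory)][string[]]$LogLines)
    # netlogon.log records a client with no matching site as:  NO_CLIENT_SITE: <ClientName> <IPv4>
    $rx = 'NO_CLIENT_SITE:\s+(?<Client>\S+)\s+(?<IP>\d{1,3}(?:\.\d{1,3}){3})'
    $hits = foreach ($line in $LogLines) {
        if ($line -match $rx) {
            $o = $Matches.IP.Split('.')
            [pscustomobject]@{
                Client          = $Matches.Client
                IP              = $Matches.IP
                CandidateSubnet = ('{0}.{1}.{2}.0/24' -f $o[0], $o[1], $o[2])   # assumption: /24
            }
        }
    }
    # One row per distinct client address, then one summary row per candidate subnet
    $hits | Sort-Object IP -Unique | Group-Object CandidateSubnet | ForEach-Object {
        [pscustomobject]@{
            CandidateSubnet = $_.Name
            Clients         = $_.Count
            Examples        = (($_.Group | ForEach-Object { $_.Client }) -join ', ')
        }
    } | Sort-Object Clients -Descending
}

# Constructed sample (shape mimics netlogon.log; names and addresses are made up)
$sample = @(
    '03/02 08:15:01 [MISC] CORP: NO_CLIENT_SITE: WKS-BR01 10.44.7.21',
    '03/02 08:15:09 [MISC] CORP: NO_CLIENT_SITE: WKS-BR02 10.44.7.35',
    '03/02 08:16:44 [MISC] CORP: NO_CLIENT_SITE: WKS-BR01 10.44.7.21',
    '03/02 09:02:10 [MISC] CORP: NO_CLIENT_SITE: LAPTOP-7 192.168.50.14',
    '03/02 09:05:00 [MISC] CORP: SamLogon: Network logon of CORP\user1 from WKS-HQ3 Returns 0x0'
)
Get-UndefinedSubnetClients -LogLines $sample | Format-Table -AutoSize
# Sample gives two rows: 10.44.7.0/24 (2 clients) and 192.168.50.0/24 (1 client)

# Against the real log (default path from the post):
# Get-UndefinedSubnetClients -LogLines (Get-Content "$env:SystemRoot\Debug\netlogon.log")
# With the ActiveDirectory module, compare with what is already defined:
# Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```

    A subnet that shows up here with many distinct clients is almost always a new network that was never added to Sites and Services; a single client with a stray address is more often a VPN or a misconfigured host. Either way the fix is on the Sites and Services side, which is the point of the post.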

  • Active Directory Cleanup - The Most Common Question I See

    I am out in the Microsoft NewsGroups and quite often I see someone having trouble with their Active Directory (AD) domain.  The number one issue I see is that they lose a Domain Controller (DC) and just move on, without letting the rest of the DCs know that this machine is not coming back, or they attempt to reintroduce a DC into the domain with the same name without cleaning up the metadata within AD.

     

    Cleaning up AD after a lost DC is relatively simple, and a script has been released so that there is no need to use ntdsutil.  The few times I have had to clean up AD, I still use the manual method but I like to feel in control of things and see what is happening.  There should be nothing wrong in using the script.

     

    The KB article to manually clean up the metadata is 216498

    The TechNet script to clean up the metadata is linked here addmvb04

     

    Once you have cleaned things up you still have to go into Active Directory Sites and Services and remove the lost DC from the site in which it belonged.  This is a requirement even if you had a successful demotion.  The steps for this are outlined at the end of each section within the manual cleanup.
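    The manual method from KB216498, and the Sites and Services step the post says you still have to do, as a script with a check in between. This is an added example and not the TechNet script the post links or code from the post; all names are placeholders, it assumes Windows Server 2008 (whose ntdsutil accepts the whole cleanup on one command line) and that it is run elevated on a surviving DC.

```powershell
# Added example (not from the post or KB216498). Assumptions: placeholders for DC, site and domain;
# run elevated on a surviving DC of the same domain; ntdsutil single-line syntax is Server 2008+.

function Get-DcServerDn {
    param([Parameter(Mandatory)][string]$LostDc, [Parameter(Mandatory)][string]$Site, [Parameter(Mandatory)][string]$DomainDn)
    "CN=$LostDc,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDn"
}

function Get-LostDcState {
    param([Parameter(Mandatory)][string]$LostDc, [Parameter(Mandatory)][string]$Site, [Parameter(Mandatory)][string]$DomainDn)
    $serverDn = Get-DcServerDn @PSBoundParameters
    # The NTDS Settings object is what 'metadata cleanup' removes; the server object above it is what
    # the post says you still delete by hand in Active Directory Sites and Services.
    [pscustomobject]@{
        ServerDn            = $serverDn
        NtdsSettingsPresent = [adsi]::Exists("LDAP://CN=NTDS Settings,$serverDn")
        ServerObjectPresent = [adsi]::Exists("LDAP://$serverDn")
    }
}

function Remove-LostDcMetadata {
    param([Parameter(Mandatory)][string]$LostDc, [Parameter(Mandatory)][string]$Site, [Parameter(Mandatory)][string]$DomainDn)
    $serverDn = Get-DcServerDn @PSBoundParameters
    # Refuse to run against a DC that is still replicating: metadata cleanup is for a DC that is gone for good
    if ((repadmin /showrepl $LostDc 2>&1) -match 'DSA Options') {
        throw "$LostDc still answers repadmin; this is not a lost DC"
    }
    # KB216498, Windows Server 2008 form: the whole interactive session as arguments
    ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit
}

function Remove-LostDcServerObject {
    param([Parameter(Mandatory)][string]$LostDc, [Parameter(Mandatory)][string]$Site, [Parameter(Mandatory)][string]$DomainDn)
    $state = Get-LostDcState @PSBoundParameters
    # Only the empty server object may be deleted; a live NTDS Settings child means cleanup has not happened
    if ($state.NtdsSettingsPresent) { throw "NTDS Settings still exists under $($state.ServerDn); run Remove-LostDcMetadata first" }
    if ($state.ServerObjectPresent) { ([adsi]"LDAP://$($state.ServerDn)").DeleteTree() }
}

# Example run (placeholders):
# $p = @{ LostDc = 'DC2'; Site = 'Branch01'; DomainDn = 'DC=corp,DC=example,DC=com' }
# Get-LostDcState @p                 # NtdsSettingsPresent: True  -> needs cleanup
# Remove-LostDcMetadata @p
# Remove-LostDcServerObject @p       # same as deleting the server in Sites and Services
# Get-LostDcState @p                 # both False
```

    Get-LostDcState before and after is the part worth keeping even if you prefer the GUI: an NTDS Settings object that is still present after a supposedly successful demotion is exactly the stale metadata the post warns about, and it is also what stops a new DC from being promoted under the same name.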

  • Disabling IPv6 on Windows 2008

    I have run into nothing but trouble with IPv6.  Not that there is anything in particular that is wrong, but not all apps understand and can work with it.  For example I am running a geographically dispersed cluster on Windows Server 2008 with Exchange 2007 on a Dell 2950.  I am getting these odd Event Log errors 2501, 2601 and 2604.

    When updating security for a remote procedure call (RPC) access for the Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object xxxxxxx - Error code=8007077f.  The Exchange Active Directory Topology service will continue with limited permissions.

    In my experience it turns out a tunnel adapter on the 2950 is mapping a DNS record on IPv6.  I thought I had disabled all the IPv6 pieces but I was mistaken.

    The following recipe should be what is needed to disable all pieces of IPv6 on Windows Server 2008 (as well as Vista), as well as enabling ping on IPv4.

    Enable pings (the firewall doesn't allow IPv4 pings by default):
      Server Manager / Configuration / Windows Firewall with Advanced... / Inbound Rules
        Action / New Rule
          Select Custom, Next
          Select All Programs, Next
          Protocol Type = ICMPv4, Next
          Local IP Address = Any
          Remote IP Address = Any, Next
          Select Allow the connection, Next
          Check Domain, Check Private, Check Public, Next
          Name = IPv4
        Finish

    Network:
      Right-click Network Places
        Select Manage Network Connections
          For each enabled and used NIC:
            Right-click Local Area Connection, select Properties
              Networking tab: deselect IPv6
            Close

    Disable tunneling (but not the loopback interface):
      Regedit (for additional info see http://technet.microsoft.com/en-us/library/bb878057.aspx)
        Add the following value:
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents
            DWORD => FFFFFFFF

    Change the NIC provider order:
      Network Connections
        Advanced / Advanced Settings
          Provider Order
            Move Microsoft Windows Networks to the top
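    The firewall, registry and binding parts of the recipe as commands, with a check for what is left after the reboot. This is an added example, not code from the original post; it assumes an elevated session on Windows Server 2008 or later. One difference from the post is deliberate and marked in the code: Microsoft's article on DisabledComponents (KB929852) recommends 0xFF rather than 0xFFFFFFFF, since the latter adds a start-up delay.

```powershell
# Added example (not from the post). Assumptions: elevated session; netsh is used for the firewall
# rule so the script also works on Server 2008, where New-NetFirewallRule does not exist.
# A reboot is required before DisabledComponents takes effect.

function Enable-IPv4Ping {
    # Inbound ICMPv4 from any address, all profiles, named 'IPv4' as in the post's GUI walk-through
    netsh advfirewall firewall add rule name="IPv4" dir=in action=allow protocol=icmpv4 profile=any
}

function Disable-IPv6Components {
    param([int]$DisabledComponents = 0xFF)
    # Bitmask under Tcpip6\Parameters. The post sets FFFFFFFF; KB929852 recommends 0xFF, which disables
    # all IPv6 interfaces except loopback without the 5-second boot delay 0xFFFFFFFF causes.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name DisabledComponents -PropertyType DWord -Value $DisabledComponents -Force | Out-Null
    # The NIC-properties checkbox, scripted. Disable-NetAdapterBinding is Server 2012+; on 2008 the
    # checkbox in the post's 'Network' section remains the way to unbind IPv6 from the adapters.
    if (Get-Command Disable-NetAdapterBinding -ErrorAction SilentlyContinue) {
        Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6
    }
}

function Test-IPv6State {
    # Run after the reboot: the value that is set, and every adapter (tunnel adapters included) that
    # still carries an IPv6 address. For the post's goal the second part should come back empty.
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' | Select-Object DisabledComponents
    ipconfig /all | Select-String 'Tunnel adapter|IPv6 Address|Link-local IPv6'
}

# Enable-IPv4Ping
# Disable-IPv6Components          # then reboot
# Test-IPv6State
```

    Test-IPv6State is the check the post's author was missing: the tunnel adapter that kept registering an AAAA record would have shown up in that ipconfig filter. KB929852 also says Microsoft does not recommend disabling IPv6 outright, so if the only problem is the DNS registration, unbinding IPv6 from the adapters while leaving the stack in place is the smaller change.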

  • Bare Metal Backup and Recovery of a Windows 2008 Server with WBAdmin

    I work in a shop where we are unable to roll out the latest version of Veritas' NetBackUp (NBU) due to bugs.  Although the version 6.5.3 now supports Windows 2008, it can't provide a clean backup that can be trusted so we needed to find a way to roll out a backup product.  So while we wait for Veritas to get its act together (One year and counting) we have chosen to backup our Windows 2008 physical machines using WBAdmin.  Our virtual machines are all backed up via snapshotting technology so this is not a factor.  So as we start to roll out physical machines I built this set of details (Which is still in flux).  The nice thing about the details below is it will allow you to do a rebuild w/o having to preload anything.  It even partitions the disk for you, this is really a slick technology.

     

    What does this have to do with AD you might ask?  Well we need to roll out 2008 and we have to have a reliable means to backup our DC's, so this is it.  I'm not sure if others are in the quandary we are but if so, I hope this helps out.

     

    The info below is for backing up machines to an external disk using a UNC path for the destination.  Unfortunately you can't schedule these through the backup GUI.  This option is only available for backing up a disk to another local disk, I'm not sure why WBAdmin won't allow UNC pathing but trust me that it won't work.  So you will have to build a scheduled task to run your nightly backup.

     

    Hopefully the info below will be of assistance and please let me know of any issues you find with this article.

     

    Backing up a Windows Server 2008 with snapshot enabled:

    wbadmin start backup -backupTarget:\\servername\sharename -include:c:,e: -quiet -vssFull

     

    wbadmin 1.0 - Backup command-line tool
    (C) Copyright 2004 Microsoft Corp.

    Retrieving volume information...

    This would backup volume systems(C:) to \\servername\sharename.

    Backup to \\servername\sharename is starting.

    Creating the shadow copy of volumes requested for backup.
    Running backup of volume systems(C:), copied (1%).
    Running backup of volume systems(C:), copied (4%).
    Running backup of volume systems(C:), copied (98%).
    Backup of volume systems(C:) completed successfully.
    Backup completed successfully.

    Summary of backup:
    ------------------
    Backup of volume systems(C:) completed successfully.

     

     

    Finding out the versions currently available to restore:

    wbadmin get versions -backuptarget:\\servername\sharename

    wbadmin 1.0 - Backup command-line tool
    (C) Copyright 2004 Microsoft Corp.

    Backup time: 11/25/2008 10:55 AM
    Backup target: Network Share labeled \\servername\sharename
    Version identifier: 11/25/2008-16:55
    Can Recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

     

     

    Finding out what specifically is available within a version backup:

    wbadmin get items -Version:11/25/2008-16:55

    wbadmin 1.0 - Backup command-line tool
    (C) Copyright 2004 Microsoft Corp.

    Volume Id = {7896551d-751d-11dd-8929-806e6f6e6963}
    Volume 'systems', mounted at C:
    Application = Registry
    Component = Registry (\Registry)


    Recover a Failed System:

    Boot up the machine with a W2K8 install disk (make sure to use the correct bit length, x32 or x64)
      … Windows is loading files…
    Accept English
    Next
    Select “Repair Your Computer”
    Click “Load Drivers”
      Ok
        Browse the media for the drivers (make sure to use the correct bit length, x32 or x64)
        Click Add Drivers
    Next

    I would recommend you verify that you have a good network connection by checking the NIC’s activity lights.  I had issues with a NIC on a couple of different occasions that boiled down to a bad network connection.

    Select “Windows Complete PC Restore”
    Cancel
      Select Restore a Different Backup
        Next
      Select Advanced
        Select Search for a backup on the network
          Yes
            \\ip address of server\sharename
              Ok
            Enter domain\domain user id and password
    Select the backup to restore
      Next
    Select the drive(s) to restore
      Next
    Select Exclude Disks
      Select any disk you may want to exclude from the restore
      Select Advanced
        Deselect Restart computer…   (this is done for visual inspection to verify that the restore went correctly)
      Next
    Finish
    Confirm reformatting
      Ok
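    Two pieces the post leaves to the reader: the scheduled task that runs the nightly UNC backup, and a way to turn `wbadmin get versions` output into something you can check before a restore. This is an added example, not code from the original post; server, share, account and time values are placeholders, the sample output is constructed from the lines quoted above, and it assumes PowerShell 3.0 or later on the server being backed up.

```powershell
# Added example (not from the post). Assumptions: placeholders for target, account and time;
# PowerShell 3.0+; schtasks is used so it also works on Server 2008.

function Register-NightlyWbadminBackup {
    param(
        [Parameter(Mandatory)][string]$BackupTarget,    # e.g. \\backupsrv\wbshare\server1
        [string]$Volumes   = 'c:,e:',
        [string]$StartTime = '23:00',
        [Parameter(Mandatory)][string]$RunAs            # domain\account with write access to the share
    )
    $cmd = "wbadmin start backup -backupTarget:$BackupTarget -include:$Volumes -quiet -vssFull"
    # /RP * prompts for the password rather than putting it on the command line (and in the shell history)
    schtasks /Create /SC DAILY /ST $StartTime /TN 'Nightly WBAdmin Backup' /TR $cmd /RU $RunAs /RP * /RL HIGHEST /F
}

function ConvertFrom-WbadminVersions {
    param([Parameter(Mandatory)][string[]]$OutputLines)
    # wbadmin prints one block per version: Backup time / Backup target / Version identifier / Can Recover
    $current = $null
    foreach ($line in $OutputLines) {
        switch -Regex ($line) {
            '^Backup time:\s*(.+)$'        { $current = [ordered]@{ BackupTime = $Matches[1].Trim() } }
            '^Backup target:\s*(.+)$'      { if ($current) { $current.Target  = $Matches[1].Trim() } }
            '^Version identifier:\s*(.+)$' { if ($current) { $current.Version = $Matches[1].Trim() } }
            '^Can Recover:\s*(.+)$'        {
                if ($current) {
                    $current.CanRecover = @($Matches[1].Split(',') | ForEach-Object { $_.Trim() })
                    [pscustomobject]$current          # block complete: emit it
                    $current = $null
                }
            }
        }
    }
}

function Test-BareMetalRestorable {
    param([Parameter(Mandatory)][object[]]$Versions)
    # The recovery walk-through above needs a version that lists Bare Metal Recovery; return those
    $Versions | Where-Object { $_.CanRecover -contains 'Bare Metal Recovery' } | Select-Object Version, BackupTime
}

# Constructed sample, shaped like the output quoted in the post
$sample = @(
    'wbadmin 1.0 - Backup command-line tool',
    '(C) Copyright 2004 Microsoft Corp.',
    '',
    'Backup time: 11/25/2008 10:55 AM',
    'Backup target: Network Share labeled \\servername\sharename',
    'Version identifier: 11/25/2008-16:55',
    'Can Recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State'
)
$versions = ConvertFrom-WbadminVersions -OutputLines $sample
Test-BareMetalRestorable -Versions $versions     # sample: one row, Version 11/25/2008-16:55

# Against a real target:
# $v = ConvertFrom-WbadminVersions -OutputLines (wbadmin get versions -backupTarget:\\servername\sharename)
# Test-BareMetalRestorable -Versions $v
```

    The Version identifier is the value `wbadmin get items -version:` and the recovery wizard both key on, so parsing it out once and checking that Bare Metal Recovery is in the Can Recover list is the pre-flight a DC rebuild should start with; a version that lists only Volume(s) will not rebuild the partition layout the post praises.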

  • Troubleshooting Active Directory Issues

    There are a number of different issues that can create problems with Active Directory.

    When someone has trouble and is unclear as to why, I usually suggest the following:
    Run diagnostics against your Active Directory domain.

    If you don't have the support tools installed, install them from your server install disk:
    d:\support\tools\setup.exe

    Run dcdiag, netdiag and repadmin in verbose mode:
    -> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
    -> netdiag.exe /v > c:\netdiag.log (on each DC)
    -> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
    -> dnslint /ad /s "ip address of your dc"

    **Note: Using the /E switch in dcdiag will run diagnostics against ALL DCs in the forest.  If you have significant numbers of DCs this test could generate significant detail and take a long time.  You also want to take into account that slow links to DCs will also add to the testing time.

    If you download a GUI script I wrote it should be simple to set up and run (DCDiag and NetDiag).  It also has the option to run individual tests without having to learn all the switch options.  The details will be output in notepad text files that pop up automagically.

    The script is located on my website at
    http://www.pbbergs.com/windows/downloads.htm

    Just select both dcdiag and netdiag and make sure verbose is set.  (Leave the default settings for dcdiag as set when selected.)

    When complete, search for fail, error and warning messages.

    Description and download for dnslint:
    http://support.microsoft.com/kb/321045
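    The "search for fail, error and warning messages" step as a script, so the interesting lines come out of a dcdiag or repadmin log without opening it in Notepad. This is an added example, not the GUI script the post links or code from the post; it assumes an elevated session on a DC, and the sample log text is constructed to resemble dcdiag output, not real output from any server.

```powershell
# Added example (not from the post). Assumptions: elevated session on a DC; the sample below is
# constructed and only loosely shaped like dcdiag output.

function Invoke-AdDiagnostics {
    param([Parameter(Mandatory)][string]$DcName, [string]$OutDir = 'C:\addiag')
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    dcdiag /v /c /d /e /s:$DcName                    | Out-File "$OutDir\dcdiag.log"     # same switches as the post
    repadmin /showrepl dc* /verbose /all /intersite  | Out-File "$OutDir\repl.txt"
    # netdiag was a Windows 2003 support tool and is not available for Server 2008;
    # dcdiag's DNS test covers the name-resolution checks it used to run
    dcdiag /test:dns /v /s:$DcName                   | Out-File "$OutDir\dns.log"
    Get-ChildItem $OutDir
}

function Find-DiagProblems {
    param([Parameter(Mandatory)][string[]]$Lines, [string]$Source = 'dcdiag')
    # dcdiag marks a test result as '... <DC> failed test <Name>'; errors and warnings appear inline.
    # -match is case-insensitive, so 'Warning', 'warning', 'ERROR' all hit.
    $rx = 'failed test|\bError\b|\bWarning\b|\bfail(ed|ure)?\b'
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match $rx) {
            [pscustomobject]@{ Source = $Source; Line = $i + 1; Text = $Lines[$i].Trim() }
        }
    }
}

function Find-DiagProblemsInDir {
    param([string]$OutDir = 'C:\addiag')
    # Every log the diagnostics wrote, one problem list
    Get-ChildItem $OutDir -File | ForEach-Object {
        Find-DiagProblems -Lines (Get-Content $_.FullName) -Source $_.Name
    }
}

# Constructed sample (shaped like dcdiag output; the DC names and event id are made up)
$sample = @(
    'Testing server: HQ\DC1',
    '   Starting test: Connectivity',
    '      ......................... DC1 passed test Connectivity',
    '   Starting test: Replications',
    '      [Replications Check,DC1] A recent replication attempt failed:',
    '         From DC2 to DC1',
    '      ......................... DC1 failed test Replications',
    '   Starting test: SystemLog',
    '      A warning event occurred.  EventID: 0x00000457',
    '      ......................... DC1 passed test SystemLog'
)
Find-DiagProblems -Lines $sample | Format-Table -AutoSize
# Sample yields three rows: lines 5, 7 and 9; the 'passed test' lines are not reported

# Real run:
# Invoke-AdDiagnostics -DcName 'DC1'
# Find-DiagProblemsInDir | Format-Table -AutoSize
```

    The regex is deliberately broad, because dcdiag's wording is not uniform across tests; the cost is a few false hits on lines such as "0 failures", which are cheap to read past. A "failed test" row is the one to chase first, and its Line number takes you straight to the surrounding detail in the verbose log.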

     
