DefinIT

vCAC 6.1 – Creating a user selectable network dropdown that sets Network and Network Profile correctly

I am aware that that’s not a catchy blog post title. In fact, it doesn’t even really describe the problem or solution very well – for that I need to go into a little bit more depth!

Suppose I have configured a Reservation with two Networks ticked (“192.168.1.0-VLAN1” and “192.168.10.0-VLAN10”). As you can see in the screenshot below, each of the networks has a Network Profile created and assigned with a network pool to provide IP addressing for the VMs.

image

When I deploy the Blueprint without any custom properties, the network selection is round-robin and so the VM gets its virtual NIC assigned to “192.168.1.0-VLAN1” or “192.168.10.0-VLAN10” alternately – this is the expected behaviour. The Virtual Machines are assigned an IP address based on the Network Profile of the assigned network.

All good so far. Still with me?

Book review: Networking for VMware Administrators

I recently got my hands on a copy* of Chris Wahl and Steve Pantol’s Networking for VMware Administrators and was very keen to read it – especially given the reputation of the authors. I came to the book as someone who is at CCNA level (although now expired) and someone who regularly designs complex VMware networks using standard and distributed switches. I would class myself as having a fairly decent understanding of networking, though not a networking specialist.

The book starts out from a really basic level explaining OSI, what a protocol is etc. and builds on the foundation set out as it progresses. Part I of the book gives a really good explanation of not only the basics of networking, but a lot of the “why” as well. If you’ve done CCNA level networking exams then you will know most of this stuff – but it’s always good to refresh, and maybe cover any gaps.

Part II of the book translates the foundations set out in Part I into the virtual world and takes you through the similarities and differences between virtual and physical. It gives a good overview of the vSphere Standard Switch (VSS) and vSphere Distributed Switch (vDS) and even has a chapter on the Cisco 1000v. One of the really useful parts of the book is the lab examples and designs, which take you through the design process and considerations to get to the solution.

VMworld Europe 2013 – Day 2, VCAP5-DCD Exam Experience

Today was always going to be a bit of a funny day as I scheduled the VCAP5-DCD exam for 10am this morning. I am happy to say that I passed! I’m a bit light on VMworld to report today, so forgive my DCD experience to pad it out!

Preparation

I have to confess my prep for this exam was light – I literally only watched the TrainSignal course by Scott Lowe (@scott_lowe) and just about finished that last night in the hotel! I don’t spend much time focussing on design during my day job, so I approached this exam as a bit of a learning experience rather than a serious bid to pass. I decided to book the exam here at VMworld just because you can get 75% off – if you’re funding yourself it’s not a discount to be dismissed easily!

Taking the exam

As with the DCA exam the DCD is a gruelling 4 hours, with 100 questions of which normally around 6 are Visio style designs. Again, same as the DCA, time management is massively important – I was actually so concerned with the time after running out in the DCA that I went probably too quickly and finished with 45 minutes to spare.

It’s also a very wordy exam – you have to read a lot of text and pull out the relevant info. On the one hand you need to read it very carefully to ensure you pick up the right requirements etc, and on the other you really need to read as fast as possible to keep on track time-wise. The technique I used was to find out what they were asking me for first, and then scan back through the text for the relevant information.

The Visio style questions are a bit clunky, and I’d definitely recommend using the demo of the interface that VMware provide to make sure you’re familiar with how it works – you don’t want to do a “Gregg” (ahem @GreggRobertson5, I am looking at you) and delete your whole diagram by accident.

Resources

There are absolutely loads of exam experiences out there to read up on – just Google “VCAP5-DCD exam experience” (though, probably, that’s how you ended up here). I used http://thesaffageek.co.uk/vsphere-5-study-resources/vcap5-dca-dcd/

TrainSignal (now PluralSight) – I am really lucky to have access to TrainSignal’s library via the vExpert program, but it’s such a good resource I’d definitely pay for it if I didn’t. The course I used was Designing VMware Infrastructure.

I have also read Scott Lowe’s Mastering VMware vSphere 5 which is a fantastic book, even if you’re not going to do the exam. If you plan on buying it you could always use the links in my booklist page 😉

The rest of the day

After the exam I was pretty wrung out and needed a bit of time to recover – I’m still feeling the effects of the concentration now 3 hours later.

Hands On Labs

I spent some time doing hands on labs (HOL) this afternoon, specifically doing the vCAC v6 labs. I’ve been involved with the beta for “project nee” which is what the HOL were based on. The HOL infrastructure is huge here, with a full suite of desktops and a BYOD version. It’s pretty slick – at the time of writing there are over 28,000 VMs created in over 3,100 labs.

Solutions Exchange

I braved the Solutions Exchange again after yesterday’s car crash of a visit, determined this time that I would not let my badge get scanned by any pushy sales person. It was more tolerable this time, I got to the stands I was aiming for and was relatively unharassed.

I was happy to hand over my info to PernixData for a copy of the vSphere Design Pocketbook, especially as it’s got a contribution from DefinIT’s Simon Eady in it!


Networking

It’s impossible to explain how good it is to be able to talk to so many really awesome people who I am honoured to call peers – It’s great to chat with people who have similar goals and find out how and why they’re doing the things they are. For me that’s been one of the best parts of VMworld and I have learned at least as much through conversations with people as I have from the sessions.

Tonight is the VMworld Party, I am torn between going to that, and going to bed! Whatever I decide, tomorrow is a new day and I will be aiming to go to a few more sessions as well as keep on with the networking.

Configuring Server 2008 R2 Core Series: Network Settings

So, you’ve installed a new server with Server 2008 R2 Core – what next? Logging on, you’re presented with a shiny command prompt, you can run notepad or regedit…but aside from that, where do you go from there? In the next few series of posts I’ll hopefully point out the basics, and some not so basics!

Using the Server Configuration Tool

The server configuration tool (sconfig.cmd) is provided in R2 for some of the basic setup tasks, so you can run that by issuing the “sconfig” command. Out of the box, it looks something like this:

image

As you can see, this interactive tool will step you through configuring the network settings (Option 8), Computer Name (Option 2) or Domain/Workgroup (Option 1).

Enter number to select an option: 8

--------------------------------
    Network settings
--------------------------------

Available Network Adapters

Index#  IP address      Description

  0     192.168.8.117   Intel(R) PRO/1000 MT Network Connection

Select Network Adapter Index# (Blank=Cancel):  0

--------------------------------
    Network Adapter Settings
--------------------------------

NIC Index               0
Description             Intel(R) PRO/1000 MT Network Connection
IP Address              192.168.8.117
Subnet Mask             255.255.255.0
DHCP enabled            True
Default Gateway         192.168.8.1
Preferred DNS Server    192.168.8.5
Alternate DNS Server    192.168.8.22

1) Set Network Adapter IP Address
2) Set DNS Servers
3) Clear DNS Server Settings
4) Return to Main Menu

Select option:  1

Select (D)HCP, (S)tatic IP (Blank=Cancel): S
Set Static IP
Enter static IP address: 192.168.8.220
Enter subnet mask (Blank = Default 255.255.255.0):
Enter default gateway: 192.168.8.1
Setting NIC to static IP...

--------------------------------
    Network Adapter Settings
--------------------------------

NIC Index               0
Description             Intel(R) PRO/1000 MT Network Connection
IP Address              192.168.8.220
Subnet Mask             255.255.255.0
DHCP enabled            False
Default Gateway         192.168.8.1
Preferred DNS Server
Alternate DNS Server

1) Set Network Adapter IP Address
2) Set DNS Servers
3) Clear DNS Server Settings
4) Return to Main Menu

Select option:  2
DNS Servers

Enter new preferred DNS server (Blank=Cancel): 192.168.8.22
Enter alternate DNS server (Blank = none): 192.168.8.5
Alternate DNS server set.

--------------------------------
    Network Adapter Settings
--------------------------------

NIC Index               0
Description             Intel(R) PRO/1000 MT Network Connection
IP Address              192.168.8.220
Subnet Mask             255.255.255.0
DHCP enabled            False
Default Gateway         192.168.8.1
Preferred DNS Server    192.168.8.22
Alternate DNS Server    192.168.8.5

1) Set Network Adapter IP Address
2) Set DNS Servers
3) Clear DNS Server Settings
4) Return to Main Menu


Select option:  4
Enter number to select an option: 2

Computer Name

Enter new computer name (Blank=Cancel): SERVERCORE2008
Changing Computer name...
Enter number to select an option: 1

Change Domain/Workgroup Membership

Join (D)omain or (W)orkgroup? (Blank=Cancel) D

Join Domain
Name of domain to join:  MCGEOWN.LOCAL
Specify an authorized domain\user:  MCGEOWN\sam.mcgeown

Joining MCGEOWN.LOCAL...

Enter the password of the authorized user:

Command Line Configuration with Netsh/Netdom

There’s also a manual method (e.g. for a scripted installation and config) using Netsh and Netdom commands that most Windows admins will be familiar with.

List the interfaces (network adaptors):

netsh interface ipv4 show interfaces

Identify the name of the interface you want to assign an IP for and configure:

netsh interface ipv4 set address name="<Interface Name>" source=static address=<IP Address> mask=<Subnet Mask> gateway=<Gateway>

image

Configure DNS servers:

netsh interface ipv4 add dnsservers "<Interface Name>" <DNS Server IP> index=<number>

image

If you want to add more than one IP address for your server, try:

netsh interface ipv4 add address name="<Interface Name>" address=<Additional IP> mask=<Subnet Mask>

To change your computer’s name, you can use (leave off the /reboot if you don’t want to yet):

netdom renamecomputer %computername% /newname:<New Name> /reboot

To join your computer to a domain, you can use (leave off the /reboot if you don’t want to yet; put * in place of the password to be prompted for it instead of typing it on the command line):

netdom join %computername% /domain:<domain> /UserD:<domain\user to join with> /PasswordD:<Password> /reboot

Not so different after all?

At the end of all that, you can see that configuring basic network settings with sconfig.cmd is pretty straightforward, and configuring basic network settings for scripts, or a more command-line based admin, is also quite doable.

C:\Users\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : ServerCore2008
   Primary Dns Suffix  . . . . . . . : MCGEOWN.LOCAL
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : MCGEOWN.LOCAL

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-AB-28-8B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::3c4d:cdd1:5a4a:fbff%3(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.8.220(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 192.168.8.221(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 192.168.8.222(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 192.168.8.223(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.8.1
   DHCPv6 IAID . . . . . . . . . . . : 50352214
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-3B-B4-6C-00-50-56-AB-28-8B

   DNS Servers . . . . . . . . . . . : 192.168.8.5
                                       192.168.8.22
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Users\Administrator>

Netsh command reference | Netdom command reference

Trace cables the easy way with Cisco CDP on Windows

No matter how good your network diagrams are, sometimes you need to verify the port your server/desktop is in. Cisco Discovery Protocol is a great tool for network admins when you need to quickly map routers and switches, and if you’ve got an ESX server connected you’ll see that it picks up CDP info too – but the vast majority of my managed systems are Windows.

Here’s how to use TCPDUMP by Micro Olap to extend that functionality to your Windows boxes.

Firstly you need to find the interface number of the network adaptor you are trying to find CDP data for.  Use this command:

tcpdump -D

Which gives you a list of the interfaces on the computer:

clip_image002

My actual NIC is the third one in the list, so I can run the command:

tcpdump -i 3 -nn -v -s 1500 -c 1 ether[20:2] == 0x2000

-i n [interface and the number in the list, for me 3]

-nn [don’t resolve DNS, speeds things up]

-v [verbose mode, otherwise we won’t see all the packet details]

-s 1500 [set the maximum packet size to capture, the MTU is 1500 by default so it will capture the entire packet]

-c 1  [Capture one packet only, since we only want the CDP packet and filter using the header]

ether[20:2] == 0x2000 [Check the two bytes at offset 20 of the Ethernet frame, which hold the protocol ID, for the hex value 0x2000 – CDP protocol]

image

Some output is omitted, but you can see that the name of the switch and the port are both in there.

Easier than tracing a cable!
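Why offset 20 is the place to look, and what the captured packet contains, as an added Python example that is not part of the original post: it builds a constructed CDP frame, applies the same test as the capture filter, and extracts the switch name and port. The device name, port, platform string and MAC addresses in the samples are made up.

```python
import struct

CDP_DST_MAC = bytes.fromhex("01000ccccccc")  # multicast address CDP is sent to
SNAP_CISCO = bytes.fromhex("aaaa0300000c")   # LLC (AA AA 03) + Cisco OUI (00 00 0C)
CDP_PID = 0x2000
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id", 0x0006: "platform"}


def matches_filter(frame: bytes) -> bool:
    """The capture filter from the post: ether[20:2] == 0x2000."""
    return len(frame) >= 22 and struct.unpack_from("!H", frame, 20)[0] == CDP_PID


def is_cdp(frame: bytes) -> bool:
    """Stricter test: also require the CDP multicast MAC and the LLC/SNAP header."""
    return (matches_filter(frame)
            and frame[0:6] == CDP_DST_MAC
            and frame[14:20] == SNAP_CISCO)


def parse_cdp(frame: bytes) -> dict:
    """Return version, TTL and the named TLVs that are completely present."""
    if not is_cdp(frame) or len(frame) < 26:
        raise ValueError("not a CDP frame")
    # dst(6) src(6) length(2) LLC(3) OUI(3) PID(2) -> CDP header starts at byte 22
    version, ttl, _checksum = struct.unpack_from("!BBH", frame, 22)
    fields = {"version": version, "ttl": ttl}
    offset = 26
    while offset + 4 <= len(frame):
        tlv_type, tlv_len = struct.unpack_from("!HH", frame, offset)
        if tlv_len < 4 or offset + tlv_len > len(frame):
            break  # malformed, or cut off by a capture length that was too short
        name = TLV_NAMES.get(tlv_type)
        if name:
            value = frame[offset + 4:offset + tlv_len]
            fields[name] = value.decode("ascii", "replace")
        offset += tlv_len
    return fields


def _tlv(tlv_type: int, value: bytes) -> bytes:
    # CDP TLV: 2-byte type, 2-byte length (header included), then the value
    return struct.pack("!HH", tlv_type, len(value) + 4) + value


def sample_cdp_frame() -> bytes:
    """Constructed frame; the switch name, port, platform and MAC are made up."""
    cdp = bytes([2, 180]) + b"\x00\x00"  # version 2, TTL 180 s, checksum not computed
    cdp += _tlv(0x0001, b"core-sw01.example.local")
    cdp += _tlv(0x0003, b"GigabitEthernet1/0/8")
    cdp += _tlv(0x0006, b"cisco WS-C3750G-24T")
    body = SNAP_CISCO + struct.pack("!H", CDP_PID) + cdp
    src = bytes.fromhex("001122334455")
    return CDP_DST_MAC + src + struct.pack("!H", len(body)) + body


def sample_ipv4_first_fragment() -> bytes:
    """Constructed Ethernet II/IPv4 header with More Fragments set, offset 0."""
    eth = bytes.fromhex("005056000001") + bytes.fromhex("005056000002") + b"\x08\x00"
    # IPv4 header bytes 6-7 (frame bytes 20-21) are flags + fragment offset: MF = 0x2000
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 1, 0x2000, 64, 17, 0,
                     bytes([192, 168, 8, 5]), bytes([192, 168, 8, 220]))
    return eth + ip


if __name__ == "__main__":
    frame = sample_cdp_frame()
    print(parse_cdp(frame))
    print("64-byte capture:", parse_cdp(frame[:64]))
    frag = sample_ipv4_first_fragment()
    print("fragment matches filter:", matches_filter(frag), "is CDP:", is_cdp(frag))
```

The 64-byte slice loses the port because its TLV is cut off, which is what the -s 1500 option prevents. The second sample shows that the first fragment of a fragmented IPv4 packet carries 0x2000 at the same offset, so adding `ether dst 01:00:0c:cc:cc:cc` to the filter keeps -c 1 from stopping on the wrong frame.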

Teaming NICs with ESX 3.5 and Cisco Switches in an aggregate.

Here’s the setup. We have a core switch of 2 Cisco 3750s, connected together for fault tolerance as a single logical switch; we also have several ESX 3.5 hosts with 4 Gigabit Ethernet NICs installed each. The Virtual Machines will all be on VLAN 8 (reserved for internal servers) and the VMKernel will be on VLAN 107 (reserved for VMKernel traffic like VMotion).  I want to create a load balanced, fault tolerant aggregate of these four NICs over the Core Switch.

Configure ESX server’s vSwitch

Configuring the vSwitch is actually pretty simple, but there are a couple of gotchas, so don’t skip this bit! First thing to note is that if you are making changes to the vSwitch and the Service Console is on that vSwitch you can quite easily lock yourself out. Make sure you configure this correctly, first time! In this setup, I am adding all 4 NICs to vSwitch0, which will be the only vSwitch. I’ll then use Port Groups to assign VLANs and Active/Passive configurations to the VMKernel/Service Console.

First things first then – assign the four NICs to the vSwitch. This is done in the Configuration Tab in VMware Infrastructure Client, then the Networking page. Edit the properties of your vSwitch, then select the Network Adaptor tab. Add all the NICs you wish to team in there (they may already be in there, depending on your setup). You should end up with something that looks like this (note that I’ve not assigned any VLAN yet):

Now you need to configure the NIC teaming, so edit the vSwitch Properties and under the Ports tab select the vSwitch. Click edit, and then go to the NIC teaming tab. Configure the teaming options like this:

That’s the easy part over and done with! Time to move onto the Cisco!

Configuring the Cisco Core Switch

Firstly, we need to log on to the switch and enter enable mode; I’m going to assume you know how to do this – if not, you really shouldn’t be attempting this setup!

Determine the switch’s trunk load balancing setup by using the command “show etherchannel load-balance”. It should look something like this:

If the protocol is NOT src-dst-ip, then you won’t be able to establish a trunk connection with the ESX server. If your protocol is not src-dst-ip, change it with the command “port-channel load-balance src-dst-ip”. This now matches the “Route based on IP hash” setting you configured in ESX. Although ESX has a setting for MAC based hashing, as does the Cisco, I was unable to get it to work.

Moving on. You need to create a Port-Channel interface for the trunk (this is a virtual interface that binds the 4 GigabitEthernet interfaces together). As I’ve got other Port-channels in use for connections to other switches, I’m setting up port-channel 40. Move to config mode (conf t) and then enter the setup:

interface Port-channel40
 description VMTEST01 Aggregate
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
end

Description simply adds a description; “switchport trunk encapsulation dot1q” sets the encapsulation of the trunk to 802.1Q. “switchport trunk native vlan 8” means that any traffic without a VLAN tag will be automatically assigned to VLAN 8. “switchport mode trunk” obviously designates that we want a trunk, rather than access. “switchport nonegotiate” means that it will not attempt to negotiate the protocol, and be a static trunk, rather than LACP or PAgP. “spanning-tree portfast trunk” causes a Layer 2 LAN interface configured as an access port to enter the forwarding state immediately, bypassing the listening and learning states (i.e. if the link goes down and then comes back up, it will do so quickly).

With the Port-channel configured, you now need to edit your GigabitEthernet ports and assign them to the Port-channel. For each port in the trunk, enter the following config (this example is port 8 on the master switch in my stack, hence 1/0/8):

interface GigabitEthernet1/0/8
 description VMTEST01 VMNIC1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 switchport nonegotiate
 channel-group 40 mode on
 spanning-tree portfast trunk
end

The difference between that and the Port-channel setup? “channel-group 40 mode on” is simply assigning the port-channel in static mode.

Once all four NICs are assigned you might have to wait a few minutes for every layer of the connection to settle down before the trunk comes up. To check the status of the etherchannel you can use the command “show etherchannel 40 summary”, replacing the 40 with whichever number you assigned to your port-channel.

I hope this helps navigate the minefield that I found to be setting up the NIC teaming!

DCDIAG /TEST:DNS fails with errors regarding root hint servers

I recently resolved an ongoing DNS issue where the Active Directory Integrated DNS was loaded in both the Domain and the DomainDNSZones partition of AD – this is a separate issue and should be resolved differently. My problem came when I tried to verify that the fixed DNS setup had propagated around my domain controllers, DC01 and DC02. DC01 kept failing "DCDIAG /TEST:DNS" with errors regarding the root hint servers. Googling about, it was clear that a lot of people were suffering the same issue, but no article I read had correctly identified the solution.

The error looked something like this:

P:\>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: SITE\DC01
      Starting test: Connectivity
         ……………………. DC01 passed test Connectivity

Doing primary tests

   Testing server: SITE\DC01

DNS Tests are running and not hung. Please wait a few minutes…

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : DOMAIN

   Running enterprise tests on : DOMAIN.com
      Starting test: DNS
         Test results for domain controllers:

            DC: DC01.DOMAIN.COM
            Domain: DOMAIN.com


               TEST: Forwarders/Root hints (Forw)
                  Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
                  Error: Root hints list has invalid root hint server: b.root-servers.net. (192.228.79.201)
                  Error: Root hints list has invalid root hint server: c.root-servers.net. (192.33.4.12)
                  Error: Root hints list has invalid root hint server: d.root-servers.net. (128.8.10.90)
                  Error: Root hints list has invalid root hint server: e.root-servers.net. (192.203.230.10)
                  Error: Root hints list has invalid root hint server: f.root-servers.net. (192.5.5.241)
                  Error: Root hints list has invalid root hint server: g.root-servers.net. (192.112.36.4)
                  Error: Root hints list has invalid root hint server: h.root-servers.net. (128.63.2.53)
                  Error: Root hints list has invalid root hint server: i.root-servers.net. (192.36.148.17)
                  Error: Root hints list has invalid root hint server: j.root-servers.net. (192.58.128.30)
                  Error: Root hints list has invalid root hint server: k.root-servers.net. (193.0.14.129)

               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure DOMAIN.com.

         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53

            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90

            DNS server: 192.112.36.4 (g.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4

            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10

            DNS server: 192.228.79.201 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201

            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12

            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17

            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241

            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30

            DNS server: 193.0.14.129 (k.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129

            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: DOMAIN.com
               DC01                         PASS PASS FAIL PASS WARN PASS n/a

         ……………………. DOMAIN.com failed test DNS


It looks pretty horrific – DNS is failing at a basic level! It turns out that the actual issue is an old version of DCDIAG.EXE. After several hours and a lot of head scratching I checked the versions of the DCDIAG.EXE (normally c:\Program Files\Support Tools\dcdiag.exe) and "Lo! And Behold!" the version was different. I downloaded the Windows Server 2003 Support Tools R2, uninstalled the old version (v5.2.3790.1800) and installed the new one (v5.2.3790.3959).

Et voila! The working test…


P:\>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: SITE\DC01
      Starting test: Connectivity
         ……………………. DC01 passed test Connectivity

Doing primary tests

   Testing server: SITE\DC01

DNS Tests are running and not hung. Please wait a few minutes…

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : DOMAIN

   Running enterprise tests on : DOMAIN.com
      Starting test: DNS
         Test results for domain controllers:

            DC: DC01.DOMAIN.COM
            Domain: DOMAIN.com


               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure DOMAIN.com.

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: DOMAIN.com
               DC01                         PASS PASS PASS PASS WARN PASS n/a

         ……………………. DOMAIN.com passed test DNS

Multi-homed Domain controller logs Event ID 1030 and 1058

I recently had an issue where a hosting environment was registering a lot of Netlogon Event 1030/1058 issues, being unable to find the Group Policy objects or download them. In this example, the server DC is the domain controller for DOMAIN.LCL.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date:  10/09/2009
Time:  06:24:29
User:  NT AUTHORITY\SYSTEM
Computer: DC
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this. For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date:  10/09/2009
Time:  06:24:29
User:  NT AUTHORITY\SYSTEM
Computer: DC
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=DOMAIN,DC=LCL. The file must be present at the location <
\\DOMAIN.LCL\sysvol\DOMAIN.LCL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off. If Windows still cannot find the network path, contact your network administrator. ). Group Policy processing aborted. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

On the affected machines, when navigating to \\DOMAIN.LCL there were no shares available; however, navigating to \\DC showed the NETLOGON and SYSVOL shares. Pinging DOMAIN.LCL and then the DC showed that the IP addresses were not the same as expected: DOMAIN.LCL was resolving to the backup network, whereas DC was resolving to the server's LAN IP.

I checked the DNS records for the server, which were correct. Investigating the adaptor binding settings under Control Panel > Network Connections > Advanced > Advanced Settings showed that the backup network's adaptor was first in the list. I moved the adaptor for the LAN to the top of the list and OK'd my way out. I restarted the NETLOGON service and the issue was solved.

Windows servers have never been particularly good at being multi-homed, especially domain controllers. My advice comes from some bitter experience…

  • If you have multiple network adaptors for extra bandwidth/redundancy/resilience, then I would strongly recommend using Teamed adaptors; most of the major manufacturers' drivers and management software support it. This will eliminate any issues with multi-homing because as far as the server is concerned, it has one adaptor.
  • If you have multiple network adaptors for different network segments and you're using RRAS to route between them, I would strongly suggest not using a Domain Controller at all for this purpose. Better yet, buy a hardware router.
  • If you have multiple network adaptors for different purpose networks (e.g. a LAN, a backup network and an iSCSI network) then make sure you do the following:
    • Disable "File and Printer Sharing for Microsoft Networks" and "Client for Microsoft Networks" on all but the LAN adaptor.
    • Ensure that your LAN adaptor is the FIRST adaptor in the bindings in the advanced network settings.

Hope that helps!

Windows Vista Local Area Network Connection “Authentication Failed”

If you’re getting an error on your LAN connection it’s possible that your network connection is attempting 802.1X authentication on your wired network. Unfortunately, it seems that Vista/Server 2008 both attempt it before reverting. As far as I can see, it’s not causing any issues, other than irritating me with a “failed” and a red question mark.

VistaAuthenticationError1

Fortunately, it’s pretty easy to fix! The authentication is handled by the Wired AutoConfig service, so it’s just a case of disabling it. Navigate to “Start”, then click “Run” (or just hit Win + R) and type “services.msc”. Click “OK” and the Services console will fire up.

VistaAuthenticationError2

Now scroll down to Wired AutoConfig and configure it as below (stop the service, then select “Disabled” as the startup type).

VistaAuthenticationError3

Alternatively, you can enable 802.1X on your Windows Domain…but that’s another story!
