DefinIT
vCSA 5.5 won’t join AD Domain
Simon
30/01/2014

Just a quick post on something that was not immediately obvious when it happened to me.

When deploying vCSA 5.5 and trying to add it to the domain, I was presented with the following error.

vCSA error

I immediately did all the usual checks, making sure it had a static IP and the correct DNS servers, etc.

The one thing missing, however, was an FQDN for the hostname (in the network tab).

All I had was “vCSAname”.

But what was required to join a domain was “vCSAname.domain.local”.

After I applied this change the vCSA connected to the domain without a problem.

As always with these niggles, it's simple when you know how!

vSphere Security: Active Directory Authentication
Sam
04/10/2013

This is the second article in a series of vSphere Security articles that I have planned. The majority of this article is based on vSphere/ESXi 5.1, though I will include any 5.5 information that I find relevant. The first article in this series was vSphere Security: Understanding ESXi 5.x Lockdown Mode.

Why would you want to join an ESXi host to an Active Directory domain? Well, you’re not going to get Group Policies applying; what you’re really doing is adding another authentication provider directly to the ESXi host. You will see a computer object created in AD, but you will still need to create a DNS entry (or configure DHCP to do it for you). What you will get is a way to audit root access to your hosts, to give administrators a single sign-on for managing all aspects of your virtual environment, and more options in your administrative arsenal – for example, if you’re using an AD group to manage host root access, you don’t have to log onto however many ESXi hosts you have to remove a user’s permissions; simply remove them from the group. You can keep your root passwords in a sealed envelope for emergencies! 😉 (more…)

Configuring a Guest wireless network with restricted access to Production VLANs
Sam
29/06/2011

It’s a fairly common requirement – setting up a guest WiFi network that is isolated from the rest of your LAN. You need secure WLAN access for the domain laptops, with full access to the Server and Client VLANs, but you also need a guest WLAN for visitors to the office which only allows internet access. Since the budget is limited, this must all be accomplished via a single Access Point – for this article, the access point is a Cisco WAP4410N. (more…)

Managing ESXi 4.1 with vMA 4.1 on VMware Workstation
Sam
21/10/2010

vMA is available as a Virtual Appliance (OVF) from VMware. To install it on VMware Workstation 7, open Workstation and select Import or Export to import a new OVF. The URL for the latest OVF for vMA is on the vMA download page.

(more…)

Event IDs 1030 and 1058 on Server 2003 Domain Controller
Sam
29/03/2010

I logged onto a production domain controller this morning and checked the event logs to be confronted with this:


Event IDs 1030 and 1058 every 5 minutes; looking into the detail for these events I can see it's a replication issue for one of the GPOs.

Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1030
Date:		29/03/2010
Time:		04:01:29
User:		NT AUTHORITY\SYSTEM
Computer:	DC01
Description:
Windows cannot query for the list of Group Policy objects.
Check the event log for possible messages previously logged by the
policy engine that describes the reason for this.


For more information, see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp.

The slightly more informative 1058 showed:

Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1058
Date:		29/03/2010
Time:		04:06:30
User:		NT AUTHORITY\SYSTEM
Computer:	DC01
Description:
Windows cannot access the file gpt.ini for GPO CN={3A7AC061-A26C-4154
-8CF5-01D5754E5C2C},CN=Policies,CN=System,DC=DOMAIN,DC=LCL.
The file must be present at the location <\\DOMAIN.LCL\SysVol\DOMAIN.LCL
\Policies\{3A7AC061-A26C-4154-8CF5-01D5754E5C2C}\gpt.ini>. (Access is denied. ).
Group Policy processing aborted. 

For more information, see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp.

There was no visible cause for the errors; DFS had just got its knickers in a twist somehow and was not resolving the DFS share for the domain correctly.

The resolution was fairly simple: running the “dfsutil /purgeMUPCache” command seems to have resolved it for now. The /PurgeMUPCache command clears the Multiple UNC Provider (MUP) cache (duh!), which holds info about DFS and other shares on the client system.

Technet says: “Clears the client MUP cache, preventing confusion about the current provider when such names conflict. Except for a temporary performance hit, this command has no other adverse effects. This command does not affect any DFS metadata. If this command is not run, and the namespace is not accessed, the obsolete cache entry eventually expires.”

There are plenty of other causes for these errors; if your server is multi-homed (multiple NICs), check that your “public” NIC is at the top of the adaptor bindings.

My DC is now running happily, no 1030 or 1058s.

DCDIAG /TEST:DNS fails with errors regarding root hint servers
Sam
21/09/2009

I recently resolved an ongoing DNS issue where the Active Directory Integrated DNS was loaded in both the Domain and the DomainDNSZones partition of AD – this is a separate issue and should be resolved differently. My problem arose when I tried to verify that the fixed DNS setup had propagated around my domain controllers, DC01 and DC02. DC01 kept failing "DCDIAG /TEST:DNS" with errors regarding the root hint servers. Googling about it, it was clear that a lot of people were suffering the same issue, but no article I read had correctly identified the solution.

The error looked something like this:

P:\>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: SITE\DC01
      Starting test: Connectivity
         ……………………. DC01 passed test Connectivity

Doing primary tests

   Testing server: SITE\DC01

DNS Tests are running and not hung. Please wait a few minutes…

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : DOMAIN

   Running enterprise tests on : DOMAIN.com
      Starting test: DNS
         Test results for domain controllers:

            DC: DC01.DOMAIN.COM
            Domain: DOMAIN.com


               TEST: Forwarders/Root hints (Forw)
                  Error: Root hints list has invalid root hint server: a.root-se
rvers.net. (198.41.0.4)
                  Error: Root hints list has invalid root hint server: b.root-se
rvers.net. (192.228.79.201)
                  Error: Root hints list has invalid root hint server: c.root-se
rvers.net. (192.33.4.12)
                  Error: Root hints list has invalid root hint server: d.root-se
rvers.net. (128.8.10.90)
                  Error: Root hints list has invalid root hint server: e.root-se
rvers.net. (192.203.230.10)
                  Error: Root hints list has invalid root hint server: f.root-se
rvers.net. (192.5.5.241)
                  Error: Root hints list has invalid root hint server: g.root-se
rvers.net. (192.112.36.4)
                  Error: Root hints list has invalid root hint server: h.root-se
rvers.net. (128.63.2.53)
                  Error: Root hints list has invalid root hint server: i.root-se
rvers.net. (192.36.148.17)
                  Error: Root hints list has invalid root hint server: j.root-se
rvers.net. (192.58.128.30)
                  Error: Root hints list has invalid root hint server: k.root-se
rvers.net. (193.0.14.129)

               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure
DOMAIN.com.

         Summary of test results for DNS servers used by the above domain contro
llers:

            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 128.63.2.53

            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 128.8.10.90

            DNS server: 192.112.36.4 (g.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 192.112.36.4

            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 192.203.230.10

            DNS server: 192.228.79.201 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 192.228.79.201

            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 192.33.4.12

            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 192.36.148.17

            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 192.5.5.241

            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 192.58.128.30

            DNS server: 193.0.14.129 (k.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 193.0.14.129

            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 198.41.0.4

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: DOMAIN.com
               DC01                    PASS PASS FAIL PASS WARN PASS n/a

         ……………………. DOMAIN.com failed test DNS


It looks pretty horrific – DNS is failing at a basic level! It turns out that the actual issue is an old version of DCDIAG.EXE. After several hours and a lot of head scratching I checked the versions of the DCDIAG.EXE (normally c:\Program Files\Support Tools\dcdiag.exe) and "Lo! And Behold!" the version was different. I downloaded the Windows Server 2003 Support Tools R2, uninstalled the old version (v5.2.3790.1800) and installed the new one (v5.2.3790.3959).

Et voila! The working test…


P:\>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: SITE\DC01
      Starting test: Connectivity
         ……………………. DC01 passed test Connectivity

Doing primary tests

   Testing server: SITE\DC01

DNS Tests are running and not hung. Please wait a few minutes…

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : DOMAIN

   Running enterprise tests on : DOMAIN.com
      Starting test: DNS
         Test results for domain controllers:

            DC: DC01.DOMAIN.COM
            Domain: DOMAIN.com


               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure
DOMAIN.com.

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: DOMAIN.com
               DC01                    PASS PASS PASS PASS WARN PASS n/a

         ……………………. DOMAIN.com passed test DNS
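The useful part of that wall of text is the one-row summary table and the Dyn warning, which is easy to skim past. As an added example (not the post's own code), a small Python parser that extracts the table into per-column statuses and turns it into findings; the sample output is constructed in the layout of the failing run above, and the "Secure only" remediation for the Dyn warning is my note, not something the post states.

```python
"""Parse the summary table of `dcdiag /test:dns` and turn it into findings."""
import re

# Constructed sample: the tail of a dcdiag /test:dns run, in the layout of the
# failing run quoted above (Forw FAIL, Dyn WARN). Not a real capture.
SAMPLE_FAILING = """\
               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure
DOMAIN.com.

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: DOMAIN.com
               DC01                    PASS PASS FAIL PASS WARN PASS n/a

         ......................... DOMAIN.com failed test DNS
"""

# A DC row: a name followed only by PASS/FAIL/WARN/n/a cells.
STATUS_ROW = re.compile(r"^(\S+)((?:\s+(?:PASS|FAIL|WARN|n/a))+)$")


def parse_dcdiag_dns(text: str) -> dict:
    """Return domain, per-DC {column: status}, the Dyn warning flag and the verdict."""
    report = {"domain": "", "results": {}, "insecure_dynamic_update": False, "passed": False}
    columns = []
    for raw in text.splitlines():
        line = raw.strip()
        if "Dynamic update is enabled on the zone but not secure" in line:
            report["insecure_dynamic_update"] = True
        elif line.startswith("Auth Basc"):
            columns = line.split()            # header row of the summary table
        elif columns and line.startswith("Domain:"):
            report["domain"] = line.split(":", 1)[1].strip()
        elif columns and (m := STATUS_ROW.match(line)):
            report["results"][m.group(1)] = dict(zip(columns, m.group(2).split()))
        elif line.endswith("passed test DNS"):
            report["passed"] = True
    return report


def findings(report: dict) -> list:
    """Actionable notes; the Dyn warning is a security finding, not just noise."""
    notes = []
    if report["insecure_dynamic_update"]:
        notes.append("Dyn: zone accepts non-secure dynamic updates, so unauthenticated hosts can "
                     "register or overwrite records; switch the AD-integrated zone to 'Secure only'")
    for dc, statuses in report["results"].items():
        for column, status in statuses.items():
            if status == "FAIL":
                hint = " (check the dcdiag.exe version first, as this post found)" if column == "Forw" else ""
                notes.append(f"{dc}: {column} FAIL{hint}")
    return notes
```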

Multi-homed Domain controller logs Event ID 1030 and 1058
Sam
10/09/2009

I recently had an issue where a hosting environment was registering a lot of Netlogon Event 1030/1058 issues, being unable to find the Group Policy objects or download them. In this example, the server DC is the domain controller for DOMAIN.LCL.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date:  10/09/2009
Time:  06:24:29
User:  NT AUTHORITY\SYSTEM
Computer: DC
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this. For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date:  10/09/2009
Time:  06:24:29
User:  NT AUTHORITY\SYSTEM
Computer: DC
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=DOMAIN,DC=LCL. The file must be present at the location <
\\DOMAIN.LCL\sysvol\DOMAIN.LCL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off. If Windows still cannot find the network path, contact your network administrator. ). Group Policy processing aborted. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

On the affected machines, when navigating to \\DOMAIN.LCL there were no shares available, whereas navigating to \\DC showed the NETLOGON and SYSVOL shares. Pinging DOMAIN.LCL and then the DC showed that the IP addresses were not the same as expected: DOMAIN.LCL was resolving to the backup network, whereas DC was resolving to the server's LAN IP.

I checked the DNS records for the server, which were correct. Investigating the adaptor binding settings under Control Panel > Network Connections > Advanced > Advanced Settings showed that the backup network's adaptor was first in the list. I moved the adaptor for the LAN to the top of the list and OK'd my way out. I restarted the NETLOGON service and the issue was solved.

Windows servers have never been particularly good at being multi-homed, especially domain controllers. My advice comes from some bitter experience…

  • If you have multiple network adaptors for extra bandwidth/redundancy/resilience, then I would strongly recommend using Teamed adaptors; most of the major manufacturers' drivers and management software support it. This will eliminate any issues with multi-homing because, as far as the server is concerned, it has one adaptor.
  • If you have multiple network adaptors for different network segments and you're using RRAS to route between them, I would strongly suggest not using a Domain Controller at all for this purpose. Better yet, buy a hardware router.
  • If you have multiple network adaptors for different purpose networks (e.g. a LAN, a backup network and an iSCSI network) then make sure you do the following:
    • Disable "File and Printer Sharing for Microsoft Networks" and "Client for Microsoft Networks" on all but the LAN adaptor.
    • Ensure that your LAN adaptor is the FIRST adaptor in the bindings in the advanced network settings.

Hope that helps!
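Both 1030/1058 posts on this page turn on the parenthesised reason inside event 1058: “Access is denied” pointed at a stale DFS/MUP cache on the Server 2003 DC above, while “cannot find the network path” pointed at name resolution on this multi-homed DC. As an added example (not the author's code), a Python parser that pulls the GPO GUID, SYSVOL path and reason out of a pasted 1058 event and maps the reason to those two causes; the sample event is constructed from the one quoted above, and the cause text is my summary of the two posts' fixes.

```python
"""Triage a Userenv 1058 event: pull out the GPO GUID, SYSVOL path and reason."""
import re

# Constructed sample in the Userenv 1058 format quoted above (GUID and domain
# taken from the post, wrapped as the post shows it; not a real capture).
SAMPLE_1058 = r"""
Event Source: Userenv
Event ID: 1058
Computer: DC
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=DOMAIN,DC=LCL.
The file must be present at the location <
\\DOMAIN.LCL\sysvol\DOMAIN.LCL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(Windows cannot find the network path. Verify that the network path is correct
and the destination computer is not busy or turned off. ). Group Policy processing aborted.
"""

# Reason text -> likely cause, from the two cases worked through in these posts.
CAUSES = [
    ("access is denied",
     "stale DFS referral: clear the MUP cache with dfsutil /PurgeMUPCache"),
    ("cannot find the network path",
     "name resolution: check what the domain name and the DC resolve to; on a "
     "multi-homed DC put the LAN adaptor first in the bindings and restart Netlogon"),
]


def classify(reason: str) -> str:
    """Map the parenthesised error text to one of the causes above."""
    lowered = reason.lower()
    for needle, cause in CAUSES:
        if needle in lowered:
            return cause
    return "unknown: read the Userenv events logged just before this one"


def parse_1058(text: str) -> dict:
    """Extract the fields from one event; raises ValueError if a field is missing."""
    def grab(pattern: str, flags: int = re.M) -> str:
        match = re.search(pattern, text, flags)
        if not match:
            raise ValueError(f"field not found: {pattern!r}")
        return match.group(1)

    # The reason sits in parentheses between the <path> and 'Group Policy processing aborted'.
    reason = " ".join(grab(r">\.\s*\((.*?)\s*\)\.\s*Group Policy processing aborted", re.S).split())
    return {
        "event_id": int(grab(r"^Event ID:\s*(\d+)")),
        "computer": grab(r"^Computer:\s*(\S+)"),
        "gpo_guid": grab(r"GPO CN=\{([0-9A-Fa-f-]{36})\}"),
        # a pasted event may wrap the path across lines, as the post's does
        "path": grab(r"location <\s*([^>]+?)\s*>", re.S).replace("\n", ""),
        "reason": reason,
        "likely_cause": classify(reason),
    }
```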

How to force the removal of Folder Redirection from specific user accounts
Sam
03/04/2009

We have a folder redirection policy in place for all of our users in combination with a roaming profile policy – this policy is applied to the OU that contains our users. Unfortunately this policy was accidentally linked to the root of our domain too, causing our Domain Admin users to be redirected too – something we do not want. When the mistake was discovered, the policy was unlinked, but the redirection remained (despite being set to revert when users fall out of scope). I tried re-applying the policy, modifying the out-of-scope policy and then moving the Domain Admin user out of scope, but it failed to remove the folder redirection.

In the end, the solution was straightforward enough:

Create a new OU (I used "Temp") and move the affected user(s) there:


Create and link a new Group Policy Object to the new OU. Name it something descriptive so you know what it is in future – Folder Redirection Removal.


Edit the group policy, drill down to User Configuration > Windows Settings > Folder Redirection and right-click > Properties on each folder you want to reset. Set the setting to “Basic – Redirect everyone’s folder to the same location” and set the target folder location to “Redirect to the local userprofile location”.


Select the settings tab and make sure the Policy Removal setting is set to “Redirect the folder back to the local userprofile location when the policy is removed.”


Set that for each folder you want to reset. Close the Group Policy Object Editor, and GPMC. Log onto the user's account on each computer you want to remove the redirection on – in my case, several servers. Check the location of the redirected folders to make sure it’s been removed. Once you’re sure, you can move your user back to the correct OU.

I’ve achieved my MCSE
Sam
10/09/2008

Well, I've been away with my friends at Firebrand again and guess what…MCSE Windows Server 2003!

  • 70-293 Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure
  • 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
  • 70-298 Designing Security for a Microsoft Windows Server 2003 Network