DomainController and Linux: Difference between pages

From Piszczynski
(Difference between pages)
piszczynski>Aleks
No edit summary
 
piszczynski>Aleks
 
Line 1: Line 1:


== Domain Controller Info ==
== Remote Desktop Protocol App for linux ==
 
Remmina can be used for RDP connections to windows computers using RDP as well as VNC SSH and others
Find all domain controllers in the domain:
*Resolve-DnsName -Type ALL -Name _ldap._tcp.dc._msdcs.$env:userdnsdomain
 
Testing of Domain Replication between controllers can be done using "repadmin"  command
 
*repadmin /replsummary (Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report.)
 
Get detailed info on domain controller status:
*dcdiag /v /c /e | out-file C:\temp\dctest.txt
 
Get FSMO Roles held by Domain Controllers
*netdom query FSMO
 
== Domain Controller Troubleshooting ==
If there is an issue with creating group policy there may be an issue with the sysvol directory. Check for replication issues and any changes to the permissions that might have occurred.
 
Check for any DNS issues for entries associated with the Domain Controllers.
 
 
== Sysvol Replication Issues ==
If there are issues with domain replication use the following tools to diagnose:
*dcdiag - will provide fill diagnostics on the domain controllers use /c to do all tests (dcdiag /c)
*repadmin - will provide details on replication between domain controllers - use eg : repadmin /replsummary
 
==Migrate from FRS to DFS Sysvol Replication==
To migrate from FRS to DFS you will need to put the domain controllers through three states: Prepared, Redirected, and Eliminated
 
Check current state on DC:
*dfsrmig /getglobalstate
 
This will return a state from 0-4, 0=Start, 1=Prepared, 2=Redirected, 3=Eliminated.
 
Detailed information can be found here: https://learn.microsoft.com/en-us/windows-server/storage/dfs-replication/migrate-sysvol-to-dfsr
 
Another good guide can be found here: https://techcommunity.microsoft.com/t5/storage-at-microsoft/streamlined-migration-of-frs-to-dfsr-sysvol/ba-p/425405
 
===Migrating to prepared state===
 
Migrating to the Prepared state includes the following tasks:
 
Verify the health of Active Directory Domain Services: run the following command to check sysvol share on each DC, also check disk space on the drive that contains the sysvol
*net share
 
Check replication is healthy:
*repadmin /ReplSum
 
Check the following Reg key for the location of sysvol and confirm location HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters, also check the reg key "sysvolready" = 1
 
Check on each domain controller in Administritive tools that DFS Replication is listed and is set to automatic startup
 
Raise the domain functional level to Windows Server 2008 minimum if domain is not already at this functional level:
*in Active directory domains and trusts right click the domain to check (properties) Then Right click and select raise functional level (This cannot be reversed one completed, check this will not cause an issue with old gpo templates etc)
 
Check the state of the sysvol and connectivity between domain controllers: Make sure all tests succeed before starting:
*Dcdiag /e /test:sysvolcheck /test:advertising
 
Migrate the domain to the Prepared state: on full domain controller (not read-only) set the global state to prepared
*dfsrmig /setglobalstate 1
 
Verify that the domain has migrated to the Prepared state:
*dfsrmig /getglobalstate
 
Check all domain controllers have reached the Prepared State: (this can take some time)
*dfsrmig /getmigrationstate
 
Verify all domain controllers have reached the prepared state:
<pre>
1.  Open **DFS Management** from the **Administrative Tools** folder. 
     
    If DFS Management is not already installed, from Server Manager, use the Add Features Wizard to install the **Remote Server Administration Tools** feature, and select the **File Services Tools** feature with the **Distributed File System Tools** option. 
     
2.  In the console tree, under the **Replication** node, click **Domain System Volume**. 
     
3.  Click the **Membership** tab, click **Membership Status**, and then for each domain controller in the domain, verify that the **Enabled** check box is selected for a **Local Path** of \[*drive*:\\\]*Windows\_folder*\\SYSVOL\_DFSR\\domain. 
     
4.  Right-click **Domain System Volume**, and then click **Create Diagnostic Report** to create a diagnostic report for DFS Replication of the SYSVOL\_DFSR folder. Follow the instructions in the Diagnostic Report Wizard and view the report that the wizard produces to verify the health of DFS Replication of the SYSVOL\_DFSR folder. 
     
    DFS Management in Windows Server 2008 includes the ability to run a propagation test and generate two types of diagnostic reports—a propagation report and a general health report. To verify that SYSVOL replication is working properly, perform the propagation test and examine both reports for problems.</pre>
 
===Migrating to Redirected State===
 
Once all domain controllers are functioning in the prepared state you can migrate to redirected state:
*dfsrmig /setglobalstate 2
 
Check state with the following command:
*dfsrmig /getglobalstate
 
Check the migration status with the following command:
*dfsrmig /getmigrationstate
 
Verify the state of the sysvol on each domain controller: you want to see that the mapped share is the dfsr share(sysvol_dfsr\sysvol)
*net share
 
Use DFS management to create diagnostic report to confirm dfsr status
<pre>
1.  Open **DFS Management** from the **Administrative Tools** folder. 
     
2.  In the console tree, under the **Replication** node, click **Domain System Volume**. 
     
3.  Click the **Membership** tab, click **Membership Status**, and then for each domain controller in the domain, verify that the **Enabled** check box is selected for a **Local Path** of \[*drive*:\\\]*Windows\_folder*\\SYSVOL\_DFSR\\domain. 
     
4.  Right-click **Domain System Volume**, and then click **Create Diagnostic Report** to create a diagnostic report for the DFS Replication of the SYSVOL\_DFSR folder. Follow the instructions in the Diagnostic Report Wizard and view the report that the wizard produces to verify the health of the DFS Replication of the SYSVOL\_DFSR folder. 
     
    DFS Management in Windows Server 2008 provides the ability to run a propagation test and generate two types of diagnostic reports—a propagation report and a general health report. To verify that SYSVOL replication is working properly, perform the propagation test and examine both reports for problems.</pre>
 
===Migrating to Eliminated State===
After confirming that there are no issues with domain controllers in the Redirected state the domain controllers can be put into the Eliminated state:
 
Check migration status:
*dfsrmig /getmigrationstate
 
Confirm AD replication is functioning correctly:
*repadmin /ReplSum
 
Backup the state of the domain controllers: (run on each domain controller)
*Wbadmin start systemstatebackup
 
Finally migrate to the eliminated state: (run on writable DC)
*dfsrmig /setglobalstate 3
 
Check global state:
*dfsrmig /getglobalstate
 
Check migration state:
*dfsrmig /getmigrationstate
 
Check the sysvol share:
*net share
 
Get DFS report:
<pre>
1.  Open **DFS Management** from the **Administrative Tools** folder. 
     
2.  In the console tree, under the **Replication** node, click **Domain System Volume**. 
     
3.  Click the **Membership** tab, click **Membership Status**, and then for each domain controller in the domain, verify that the **Enabled** check box is selected for a **Local Path** of \[*drive*:\\\]*Windows\_folder*\\SYSVOL\_DFSR\\domain. 
     
4.  Right-click **Domain System Volume**, and then click **Create Diagnostic Report** to create a diagnostic report for the DFS Replication of the SYSVOL\_DFSR folder. Follow the instructions in the Diagnostic Report Wizard and view the report that the wizard produces to verify the health of the DFS Replication of the SYSVOL\_DFSR folder. 
     
    DFS Management in Windows Server 2008 provides the ability to run a propagation test and generate two types of diagnostic reports—a propagation report and a general health report. To verify that SYSVOL replication is working properly, perform the propagation test and examine both reports for problems.</pre>
 
Stop and disable the FRS service on each domain controller:
*Sc *<servername>*stop ntfrs
**Sc *<servername>*config ntfrs start=disabled
 
== DFSR configuration Rebuild ==
 
Use this process to rebuild the sysvol replication group without demoting and promoting domain controllers
 
To check if this is required look in ADSIedit.msc for the entries for the domain controllers, if they do not have the CN=DFSR-Localsettings in the AD object then it is likely there is no DFSR config.
 
1: Take backups
 
2: Shut down DFSR services on all domain controllers
 
3: On the Domain controller with PDCEmulator FSMO role enter the following Reg keys:
----
<pre>
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Promoting SysVols]
Information Is Committed=dword:00000001
</pre>
----
<pre>
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Promoting SysVols\<Yourdomain>]
Is Primary=dword:00000001
Command=DcPromo Parent Computer=""    (entry is blank)
Replicated Folder Name=<yourdomain>
Replicated Folder Root=C:\Windows\SYSVOL\Domain Replicated
Folder Root Set=C:\Windows\SYSVOL\sysvol\<yourdomain>
Replicated Folder Stage=C:\Windows\SYSVOL\staging areas\<yourdomain>
Replication Group Name=<yourdomain>
Replication Group Type=Domain"
</pre>
Make sure "is primary" is only = 1 on the PDC emulator DC
----
4:Start DFSR on PDCEmulator domain controller CN=Domain System Volume will be recreated under CN=Dfsr-GlobalSettings,CN=System,DC=<DOMAIN> All created registry keys and values will be deleted DFSR Event 4602 will be written on the PDCE
 
5:Create the following Reg keys on the other writable domain controllers(not RODC):
----
<pre>
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Promoting SysVols]
Information Is Committed=dword:00000001
</pre>
----
<pre>
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Promoting SysVols\<Yourdomain>]
Is Primary=dword:00000000
Command=DcPromo Parent Computer="DC01.yourdomain"    (point to FQDN of PDC emulator DC - the previously configured one)
Replicated Folder Name=<yourdomain>
Replicated Folder Root=C:\Windows\SYSVOL\Domain Replicated
Folder Root Set=C:\Windows\SYSVOL\sysvol\<yourdomain>
Replicated Folder Stage=C:\Windows\SYSVOL\staging areas\<yourdomain>
Replication Group Name=<yourdomain>
Replication Group Type=Domain"
</pre>
----
6: Start DFSR server on other domain controllers - CN=Domain System Volume will be recreated under CN=Dfsr-GlobalSettings,CN=System,DC=<DOMAIN> All created registry keys and values will be deleted DFSR Event 4614, 6805, and 4804 will be written when the server is replicating SYSVOL successfully Be Patient, it might take few minutes before replication starts
 
 
== Restore Destroyed DFSR from backup ==
 
If the sysvol is damaged but the replication group is still functioning and the dfsr=true flags can be seen for the domain controllers in adsiedit.msc then you may be able to restore from backup and start the replication again from the known good restored sysvol
 
See the guide below:
 
https://gist.github.com/RavuAlHemio/00e51d3ea64731be9d43b01eda18734f
 
 
== Time Service Configuration ==
<pre>
ll domain members should use NT5DS domain time.
Desktops and member servers sync with any domain controller.
Domain controllers sync with PDC emulator (one per domain)
PDC emulator in child domain can sync with any domain controller in parent domain.
PDC emulator in parent domain syncs with either a hardware clock or possibly an external source.
https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-direc...
for all domain members (aside from PDCe) should have happened by default but you can confirm by running;
 
w32tm /unregister
net stop w32time
w32tm /register
net start w32time
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time
then check
w32tm /query /source
w32tm /query /configuration
-----------------------------------------------
for the PDCe
w32tm /unregister
net stop w32time
w32tm /register
net start w32time
w32tm /config /manualpeerlist:<preferred ip address> /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time
then check
w32tm /query /source
w32tm /query /configuration
</pre>
https://docs.microsoft.com/en-gb/archive/blogs/nepapfe/its-simple-time-configuration-in-active-directory


----
----
If some servers are unable to change the time zone because they are synced via group policy settings but are on the wrong time zone use powershell:
To user also need to install xrdp and tightvnc:


If the time zone is not able to be changed from the GUI open an admin powershell session and use the following cmdlet:
*sudo apt install xrdp xorgxrdp -y
*set-timezone "GMT Standard Time"
*echo env -u SESSION_MANAGER -u DBUS_SESSION_BUS_ADDRESS cinnamon-session>~/.xsession
----


Can check connection to NTP server with the following command:
Other newer option is xserver-xorg-core
*'''w32tm /stripchart /computer:time.windows.com /dataonly'''


== Capture FSMO Roles from other domain controller ==
*Move-ADDirectoryServerOperationMasterRole -Identity <domain controller hostname receiving roles> -OperationMasterRole schemamaster, domainnamingmaster, pdcemulator, ridmaster, infrastructuremaster -Force


==Lost Trust Relationship With Domain==


If a server has lost the trust relationship after being restored use the following commands:
== Swap File ==


Test local computer password:
Check size of swap file:  
*'''Test-ComputerSecureChannel -verbose'''
*swapon -s


Check the Servers Computer account is in the domain and is not disabled
increase swap file to 8GB:


Reset the Computer machine account:
*sudo swapoff -a #turn off swap file
*'''Reset-ComputerMachinePassword -Server <DomainController> -Credential <DomainAdmin>'''
*sudo dd if=/dev/zero of=/swapfile bs=1M count=8192 #set size of blocks for swap file
*...Reset-ComputerMachinePassword -Server DC01 -Credential DomainAdminAccount'''
*sudo chmod 0600 /swapfile #Assign it read/write permissions for root only
*sudo mkswap /swapfile #Format the file as swap
*sudo swapon -a #enable swap file - will also be activated on next reboot without this command


The other way to restore is to unjoin the Server from the domain and then re-join it to the domain.


[https://theitbros.com/fix-trust-relationship-failed-without-domain-rejoining/ Fix Trust Relationship]
Alternate commands to make 8GB swap file
*sudo swapoff /swapfile
*sudo rm  /swapfile
*sudo fallocate -l 8G /swapfile

Revision as of 15:21, 21 August 2021

Remote Desktop Protocol App for linux

Remmina can be used for RDP connections to windows computers using RDP as well as VNC SSH and others


To user also need to install xrdp and tightvnc:

  • sudo apt install xrdp xorgxrdp -y
  • echo env -u SESSION_MANAGER -u DBUS_SESSION_BUS_ADDRESS cinnamon-session>~/.xsession

Other newer option is xserver-xorg-core


Swap File

Check size of swap file:

  • swapon -s

increase swap file to 8GB:

  • sudo swapoff -a #turn off swap file
  • sudo dd if=/dev/zero of=/swapfile bs=1M count=8192 #set size of blocks for swap file
  • sudo chmod 0600 /swapfile #Assign it read/write permissions for root only
  • sudo mkswap /swapfile #Format the file as swap
  • sudo swapon -a #enable swap file - will also be activated on next reboot without this command


Alternate commands to make 8GB swap file

  • sudo swapoff /swapfile
  • sudo rm /swapfile
  • sudo fallocate -l 8G /swapfile