windows 2008
dcdiag – VerifyEnterpriseReferences – msDFSR-ComputerReferenceBL – Q312862
While writing a Nagios plugin for Active Directory health, dcdiag /e /c decided to raise this alert:
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important DN references. Note, that these problems can be reported because of latency in replication. So follow up to resolve the following problems, only if the same problem is reported on all DCs for a given domain or if the problem persists after replication has had reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object: CN=myDC,OU=Domain Controllers,DC=mydomain,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: msDFSR-ComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
Article Q312862 is not really helpful, but the underlying problem is real.
Since Windows Server 2008, SYSVOL replication is meant to go through DFS-R rather than FRS. But that requires every DC to be newer than Windows Server 2003.
So if your DCs are recent enough, you can use dfsrmig to migrate. Its main commands are:
Check global state:
PS C:\users\mchateau\Desktop> dfsrmig /GetGlobalState
Current DFSR global state: 'Start'
Succeeded.
Possible values are:
0 'Start'
1 'Prepared'
2 'Redirected'
3 'Eliminated'
==> if you are already on DFS-R, the state is Eliminated.
Check migration state:
PS C:\users\mchateau\Desktop> dfsrmig /GetMigrationState
All domain controllers have migrated successfully to the Global state ('Start').
Migration has reached a consistent state on all domain controllers.
Succeeded.
Go from Start to Prepared:
PS C:\users\mchateau\Desktop> dfsrmig /SetGlobalState 1
Current DFSR global state: 'Start'
New DFSR global state: 'Prepared'
Migration will proceed to 'Prepared' state. DFSR service will copy the contents of SYSVOL to SYSVOL_DFSR folder.
If any domain controller is unable to start migration, try manual polling. Or run with option /CreateGlobalObjects.
Migration can start anytime between 15 minutes to 1 hour.
Succeeded.
Check state (in progress):
PS C:\users\mchateau\Desktop> dfsrmig /GetMigrationState
The following domain controllers have not reached Global state ('Prepared'):
Domain Controller (Local Migration State) - DC Type
===================================================
myDC01 ('Start') - Writable DC
myDC02 ('Start') - Writable DC
myDC03 ('Start') - Primary DC
myDC04 ('Start') - Writable DC
Migration has not yet reached a consistent state on all domain controllers.
State information might be stale due to Active Directory Domain Services latency.
PS C:\users\mchateau\Desktop>
You then just go through the last two steps, one after the other:
dfsrmig /SetGlobalState 2
dfsrmig /SetGlobalState 3
In the end:
PS C:\users\mchateau\Desktop> dfsrmig /GetMigrationState
All domain controllers have migrated successfully to the Global state ('Eliminated').
Migration has reached a consistent state on all domain controllers.
Succeeded.
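Since the post started out as a Nagios plugin, here is an added example (not code from the original post) that parses dfsrmig /GetMigrationState output into a Nagios exit code; it assumes PowerShell 3 or later and, for live use, that it runs on a DC where dfsrmig is available.

```powershell
# Added example, not from the original post: a Nagios-style check that turns the
# output of 'dfsrmig /GetMigrationState' into an exit code (0 OK, 1 WARNING, 3 UNKNOWN).
function Get-DfsrMigrationCheck {
    param([string[]]$Lines)
    $global = $null; $consistent = $null; $lagging = @()
    foreach ($line in $Lines) {
        if ($line -match "^All domain controllers have migrated successfully to the Global state \('(\w+)'\)") {
            $global = $Matches[1]; $consistent = $true
        } elseif ($line -match "^The following domain controllers have not reached Global state \('(\w+)'\)") {
            $global = $Matches[1]; $consistent = $false
        } elseif ($line -match "^(\S+) \('(\w+)'\) - (.+ DC)$") {
            # Per-DC rows of the table, e.g. "myDC01 ('Start') - Writable DC"
            $lagging += "$($Matches[1])=$($Matches[2])"
        }
    }
    if ($null -eq $global) {
        return [pscustomobject]@{ Code = 3; Text = 'UNKNOWN - could not parse dfsrmig output' }
    }
    if (-not $consistent) {
        # dfsrmig itself says this can be AD latency, so warn rather than go critical
        return [pscustomobject]@{ Code = 1; Text = "WARNING - migration to '$global' not reached by: $($lagging -join ', ')" }
    }
    if ($global -ne 'Eliminated') {
        return [pscustomobject]@{ Code = 1; Text = "WARNING - SYSVOL still in DFSR global state '$global', FRS not eliminated" }
    }
    [pscustomobject]@{ Code = 0; Text = "OK - SYSVOL replicated by DFS-R, global state '$global'" }
}

# Constructed sample, copied from the in-progress output shown above
$sample = @(
    "The following domain controllers have not reached Global state ('Prepared'):",
    "Domain Controller (Local Migration State) - DC Type",
    "===================================================",
    "myDC01 ('Start') - Writable DC",
    "myDC03 ('Start') - Primary DC",
    "Migration has not yet reached a consistent state on all domain controllers."
)
$result = Get-DfsrMigrationCheck -Lines $sample
# On a DC, feed the live output instead: Get-DfsrMigrationCheck -Lines (dfsrmig /GetMigrationState)
Write-Output $result.Text
exit $result.Code   # Nagios/NSClient++ reads the exit code
```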
Internet Information Services (IIS) Manager. Bad Data. (Exception from HRESULT: 0x80090005)
Problem:
When you try to use the IIS console, you get the following error:
Bad Data. (Exception from HRESULT: 0x80090005)
Why:
You copied the IIS configuration file (C:\Windows\System32\inetsrv\config\applicationHost.config) from one computer to another.
This file contains the Windows accounts used by the application pools. Their passwords are encrypted with a key local to the source computer, so the other server cannot decrypt them.
Modifying the application pool passwords does not fix the issue.
Workaround:
Two ways:
- Roll back the configuration on the destination computer. By default, IIS keeps the last 10 configurations (C:\inetpub\history).
- Use the supported way to copy the configuration: export the key containers with the original file.
Export the keys on the source:
aspnet_regiis -px "iisConfigurationKey" "C:\iisConfigurationKey.xml" -pri
aspnet_regiis -px "iisWasKey" "c:\iisWasKey.xml" -pri
Import on the target:
aspnet_regiis -pi "iisConfigurationKey" "C:\iisConfigurationKey.xml"
aspnet_regiis -pi "iisWasKey" "C:\iisWasKey.xml"
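As an added example (not from the original post), this script inventories the encrypted values in an applicationHost.config and the RSA key container each one depends on, so you can see before copying the file which containers have to be exported; it assumes PowerShell 3 or later and the [enc:provider:payload:enc] value format IIS uses, and the sample config is constructed.

```powershell
# Added example, not from the original post: map each protected value in
# applicationHost.config to the key container (iisConfigurationKey / iisWasKey)
# that must travel with the file, otherwise the target gets "Bad Data".
function Get-IisProtectedValues {
    param(
        [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config",
        [string]$Content
    )
    if (-not $Content) { $Content = (Get-Content -Path $ConfigPath) -join "`n" }
    [xml]$cfg = $Content
    # configProtectedData/providers names the RSA key container behind each provider
    $container = @{}
    foreach ($p in $cfg.configuration.configProtectedData.providers.add) {
        $container[$p.name] = $p.keyContainerName
    }
    # Protected attribute values look like [enc:<provider>:<base64 payload>:enc]
    $pattern = '^\[enc:([^:]+):.*:enc\]$'
    foreach ($attr in $cfg.SelectNodes('//@*')) {
        $m = [regex]::Match($attr.Value, $pattern)
        if (-not $m.Success) { continue }
        $owner = $attr.OwnerElement
        $name = $owner.GetAttribute('name')
        if (-not $name) { $name = $owner.ParentNode.GetAttribute('name') }   # e.g. processModel under an app pool
        $provider = $m.Groups[1].Value
        [pscustomobject]@{
            Element = $owner.Name; Name = $name; Attribute = $attr.Name
            Provider = $provider; KeyContainer = $container[$provider]
        }
    }
}

# Constructed sample: one app pool running under a stored domain account
$sample = @'
<configuration>
  <configProtectedData>
    <providers>
      <add name="IISWASOnlyAesProvider" keyContainerName="iisWasKey" />
      <add name="AesProvider" keyContainerName="iisConfigurationKey" />
    </providers>
  </configProtectedData>
  <system.applicationHost>
    <applicationPools>
      <add name="AppPool2">
        <processModel identityType="SpecificUser" userName="MYDOMAIN\svc_web"
                      password="[enc:IISWASOnlyAesProvider:AAAA...:enc]" />
      </add>
    </applicationPools>
  </system.applicationHost>
</configuration>
'@
Get-IisProtectedValues -Content $sample | Format-Table -AutoSize
# Run it without -Content on the source server to inventory the real file.
```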
GPMC: 0x80070005 – access denied – E_ACCESSDENIED
While trying to change a GPO at a customer's site, I got this error message from GPMC, and the GPO was not modified:
Using Process Monitor, from Sysinternals, I saw that access to the registry.pol file was refused even though I am a domain admin:
This followed an authoritative restore, and the files indeed carry the read-only attribute:
After removing the read-only attribute, GPO changes work again.
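An added example (not from the original post) that finds read-only files under the SYSVOL Policies share and, on request, clears only that attribute; it assumes a domain-joined session (it builds the path from $env:USERDNSDOMAIN) and rights to modify SYSVOL.

```powershell
# Added example, not from the original post: detect the read-only attribute left on
# SYSVOL policy files after a restore, which is what made GPMC fail with 0x80070005.
function Get-ReadOnlySysvolFiles {
    param(
        [string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies",
        [switch]$Clear
    )
    Get-ChildItem -Path $PoliciesPath -Recurse -Force -ErrorAction Stop |
        Where-Object {
            -not $_.PSIsContainer -and
            (($_.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0)
        } |
        ForEach-Object {
            if ($Clear) {
                # Drop only ReadOnly, keep Archive/Hidden/System as they are
                $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::ReadOnly
            }
            [pscustomobject]@{ File = $_.FullName; Cleared = [bool]$Clear }
        }
}

# Report first; run again with -Clear once the list looks right
Get-ReadOnlySysvolFiles | Format-Table -AutoSize
```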
RDP farm with broker: how to reach a specific server?
Assumptions
- You have set up an RDP farm with, let's say, 2 RDP servers,
- You have the broker working, so people get redirected to their currently open session (affinity),
- You restricted users to one session each.
Problem
When you try to reach a specific RDP server (to do admin stuff or help a user logged on it), you get rejected:
The connection cannot be completed because the remote computer that was reached is not the one you specified. This could be caused by an outdated entry in the DNS cache. Try using the IP address of the computer instead of the name.
Even trying by IP address, as suggested, does not work:
The remote computer that you are trying to connect to is redirecting you to another remote computer. Remote Desktop Connection cannot verify that the two remote computers belong to the same farm. This can occur if there is another computer on your network with the same name as the computer you are trying to connect to.
Solution
You just have to use the famous /admin option of mstsc to bypass the farm/broker rules!
Windows 2008 failover cluster: Failed to prepare storage for testing on node <> status 87
While setting up a Windows Server 2008 R2 failover cluster:
To fix the problem, temporarily assign a drive letter to the BitLocker partition (FAT32 / 2 GB) that Windows created automatically:
and that's it.
Securing Windows in the cloud (Dedibox/Amazon...)
Since returning to Dedibox and installing Windows there, I wondered what I could do to secure it.
Here are the options considered:
- No TCP port reachable directly. Go through LogMeIn, for example, at least during the configuration. The iDRAC access is not smooth or easy enough.
- Rename the Administrator account via gpedit
- Prevent display of the last logged-on user name via gpedit.
- Add a logon disclaimer, again via gpedit. It will not stop a motivated attacker, but it can be enough to block some RDP brute-force tools.
- Allow RDP, but:
- On a non-standard TCP port. Microsoft procedure: http://support.microsoft.com/kb/306759/en-us/
- Use the Windows firewall to allow access only from certain fixed IPs. To get in from elsewhere, first connect through LogMeIn to change the firewall rule.
- Allow only clients that support Network Level Authentication.
- Regularly scan the IP addresses from outside with nmap to check what is visible.
- Apply Windows updates as soon as they are released.
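An added example (not from the original post) that audits the registry-backed items of this checklist on the server itself: renamed Administrator, hidden last user name, logon banner, RDP port and NLA; it assumes PowerShell 3 or later and local admin rights, and does not cover the firewall scope, external scan or patch level.

```powershell
# Added example, not from the original post: quick audit of the checklist items
# that live in the registry or the local SAM. Pass = $false means the item is missing.
function Test-CloudWindowsHardening {
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $pol = Get-ItemProperty -Path $sys
    $tcp = Get-ItemProperty -Path $rdp
    # The built-in Administrator keeps RID 500 whatever it has been renamed to
    $admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
    @(
        [pscustomobject]@{ Check = 'Administrator account renamed'
                           Pass  = ($admin.Name -ne 'Administrator'); Value = $admin.Name }
        [pscustomobject]@{ Check = 'Last logged-on user name hidden'
                           Pass  = ($pol.DontDisplayLastUserName -eq 1); Value = $pol.DontDisplayLastUserName }
        [pscustomobject]@{ Check = 'Logon banner (disclaimer) set'
                           Pass  = (-not [string]::IsNullOrEmpty($pol.LegalNoticeText)); Value = $pol.LegalNoticeCaption }
        [pscustomobject]@{ Check = 'RDP on a non-standard port'
                           Pass  = ($tcp.PortNumber -ne 3389); Value = $tcp.PortNumber }
        [pscustomobject]@{ Check = 'RDP requires Network Level Authentication'
                           Pass  = ($tcp.UserAuthentication -eq 1); Value = $tcp.UserAuthentication }
    )
}

Test-CloudWindowsHardening | Format-Table -AutoSize
```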
Dedibox: NAT for Hyper-V VMs
After returning to Dedibox, I decided to use Hyper-V rather than VMware for virtualization. Public IP addresses are billed by Online.net, and besides, I do not want some VMs (DC, Exchange...) exposed on the Internet.
By default, Hyper-V cannot do NAT, so it cannot hide all these machines while still giving them Internet access.
Here are the main steps:
- Install the Network Policy and Access Services role
- Create an internal network in Hyper-V
- Assign a fixed IP address (e.g. 192.168.1.1) to the network adapter of the network just created (the Hyper-V virtual adapter)
- Configure Routing and Remote Access to do NAT
- Configure the VMs to use the Hyper-V virtual network and to use DHCP or a fixed IP, as you prefer.
Add the role
Configure NAT
Windows Server 2008 R2 – Administration avancée is out!
The new version of the book for Windows Server 2008 R2 is available from ENI, as always both in print and digital form.
It still applies to the previous version, since we noted whenever something is R2 only. It also includes a new chapter dedicated to high availability.
WDS/MDT: removing F12
By default, to boot from the network through WDS, you need to:
- set up the BIOS to boot from the network (F12 in many BIOSes)
- once you get a DHCP lease, quickly press F12 to actually boot from the network
This second key press is a safe default. If the boot order put the network before the hard drive, computers would try to boot from the network every time. Most of the time we only boot from the network to install the OS, and then always boot from the hard drive.
But if you set up your BIOS correctly, the second F12 is unneeded. You just have to replace pxeboot.com with pxeboot.n12 to remove it:
If you already have a large number of computers deployed, you can configure their BIOS settings centrally. Dell and HP provide tools to set their BIOS remotely (generally through an executable that is deployed):
- Dell: Dell Client Manager
- HP: HP Client Manager