Windows Server 2008: Creating and Maintaining System State Backups on Your Domain Controller

I was very excited when I started to play around with the first beta versions of Windows Server 2008 and experiment with the latest security improvements. At first I wanted to start with one of the more basic and important parts of this new server: Active Directory. Several security-related improvements were made to Active Directory: read-only DCs, more group policies, auditing enhancements, etc. After setting up a small lab to check all these features, I finally arrived at another important Active Directory matter: backing up and restoring data from a Domain Controller. I was pretty disappointed at first when I realized that there was no easy way to back up the system state of a Domain Controller, and even more disappointed when I couldn’t find a way to schedule a system state backup! In this post I want to review how to simply schedule a system state backup on a Domain Controller and maintain those backups by removing the old ones from the backup catalog.

Requirements:

a. A secondary hard drive on the domain controller. It cannot be a network drive. The only storage location available for backing up your server is a secondary hard drive that is attached locally.

b. Having the Windows Server Backup feature installed. The first thing that you must know to start backing up data from Windows Server 2008 is that the backup tool is […]


Troubleshooting DCDIAG error: RPC Server is unavailable

It’s a common best practice to run the DCDIAG tool on every DC in your forest whenever a significant change has been made, e.g. a new DC has been added to or removed from the forest. This way you are testing whether the change you just made was done correctly. It’s also common, if you have at least two domains in your forest (and the trust relationships in place), that when you run dcdiag on any DC you get a message indicating that the replication test against a specific server fails with “RPC Server is unavailable”. Well, if you see this message you probably check that the RPC service is up and running on the server, running “net start rpcss” in cmd. But the command prompt answers you, “don’t worry dude, the service was already running”. “Alright then…” you say, “let’s try DCDIAG again”… and you get the same error as the first time… And then you go, “Hmmmm… why do I keep getting the same ‘RPC Server is unavailable’ error?” And then I say, “I know why, dude!”… And then you: “You do? Is there any way I can solve it?”… “Of course, why would I be posting something I don’t know the answer to!”… and then… OK, enough with the theatre… This issue appears when the configurations of the different DNS servers are not compatible. It goes something like this: you have a correct […]


Creating a failover environment on a Windows 2003 domain

Scenario: I have the domain contoso.com with only one DC (with DNS) and I wish to add another one in case something goes wrong.

– The first thing that you must have is, of course, the new server on which you are going to install your second DC. It’s highly recommended that both servers are running the latest updates, Windows Server 2003 R2 SP2, and that the domain is raised to the “Windows 2003” functional level (this level brings improvements in many areas, including replication between 2003 servers).

– Run the administration tool “Manage Your Server” on the new Windows 2003 server and add the “Active Directory” role to this server.

Domain controller promotion wizard

– Configure the server as a DC for an existing domain and follow the instructions in the wizard. You’ll be asked for the credentials of a privileged account to add the new server. The account must be a member of the “Domain Admins” group.

– After the promotion of the new DC is completed, go back to “Manage Your Server” and add the “DNS Server” role, but don’t create any new zone on this server. Once it is configured as a DNS server, the primary server will replicate the zones to this new server.

– Each DC must point to itself as the preferred DNS server, with the other DC as the alternate DNS server.

First DC TCP/IP configuration

Second DC TCP/IP configuration

– […]


Troubleshooting a special case for domain controllers and DNS servers

“My DC is online, the TCP/IP configuration is OK, the DNS service is running, but I still cannot make a valid connection with AD!” This is a problem that can show up in many ways. The most common example is: you have your DC completely configured for Active Directory, the DNS server too, and when you try to join a workstation to your domain the following error appears: An Active Directory Domain Controller for the domain [yourdomain.com] could not be contacted. Ensure that the domain name is typed correctly (…) First of all, the obvious: check that connectivity is working fine, i.e. that both the DNS server and the DC respond to PING requests. If you cannot connect to the domain, it’s likely that PING requests for the FQDN (such as ping dcname.yourdomain.com or ping yourdomain.com) will not get a response either, but pinging the IP address should work. If it doesn’t, then there’s definitely a connectivity problem, a bad TCP/IP configuration or a firewall in the way. Well, let’s see; this is a problem that can really drive you nuts trying to solve it. Let’s assume that you have the correct configuration on your DC and workstations. If you have a DHCP server in your network, check that it is doing its job: handing out the correct IP address to the workstations, the subnet mask, the DNS server and the other parameters that you are using. DCDIAG really? Can […]
