My IT Experience: October 2010

Wednesday, October 27, 2010

Active directory Delete a Failed Domain

To clean up metadata

At the command line, type Ntdsutil and press ENTER.

C:\WINDOWS>ntdsutil
ntdsutil:

At the Ntdsutil: prompt, type metadata cleanup and press Enter.

ntdsutil: metadata cleanup
metadata cleanup:

At the metadata cleanup: prompt, type connections and press Enter.

metadata cleanup: connections
server connections:

At the server connections: prompt, type connect to server <servername>, where <servername> is the domain controller (any functional domain controller in the same domain) from which you plan to clean up the metadata of the failed domain controller. Press Enter.

server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:

Note: Windows Server 2003 Service Pack 1 eliminates the need for the above step.

Type quit and press Enter to return you to the metadata cleanup: prompt.

server connections: q
metadata cleanup:

Type select operation target and press Enter.

metadata cleanup: Select operation target
select operation target:

Type list domains and press Enter. This lists all domains in the forest with a number associated with each.

select operation target: list domains
Found 1 domain(s)
0 - DC=dpetri,DC=net
select operation target:

Type select domain <number>, where <number> is the number corresponding to the domain in which the failed server was located. Press Enter.

select operation target: Select domain 0
No current site
Domain - DC=dpetri,DC=net
No current server
No current Naming Context
select operation target:

Type list sites and press Enter.

select operation target: List sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:

Type select site <number>, where <number> refers to the number of the site in which the domain controller was a member. Press Enter.

select operation target: Select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - DC=dpetri,DC=net
No current server
No current Naming Context
select operation target:

Type list servers in site and press Enter. This will list all servers in that site with a corresponding number.

select operation target: List servers in site
Found 2 server(s)
0 - CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
1 - CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:

Type select server <number> and press Enter, where <number> refers to the domain controller to be removed.

select operation target: Select server 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - DC=dpetri,DC=net
Server - CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
 DSA object - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
 DNS host name - server200.dpetri.net
 Computer object - CN=SERVER200,OU=Domain Controllers,DC=dpetri,DC=net
No current Naming Context
select operation target:

Type quit and press Enter. The Metadata cleanup menu is displayed.

select operation target: q
metadata cleanup:

Type remove selected server and press Enter.

You will receive a warning message. Read it, and if you agree, press Yes.

metadata cleanup: Remove selected server
"CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net" removed from server "server100"
metadata cleanup:
At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error that the object could not be found, Active Directory might have already removed from the domain controller.

Type quit, and press Enter until you return to the command prompt.

See http://www.petri.co.il/delete_failed_dcs_from_ad.htm for more details

Thursday, October 21, 2010

Issues if FSMO roles are not functioning properly

If one or more FSMO roles are not functioning properly ,there may be a lot of issues in the Domain enviornment. Let me note down important ones among them

Domain Naming Master

Can't add or remove a domain - Changes to the namespace need this role holder.
Can't promote or demote a DC - Changes to the namespace need this role holder.

Schema Master

Can't modify the schema - Changes to the schema need this role holder.
Can't raise the functional level for the forest - This role holder must be available when the raising the forest functional level.

3 PDC Emulator

Users can't log on - If system clocks become unsynchronized, Kerberos may fail.
Can't change passwords - Password changes need this role holder.
Account lockout not working - Account lockout enforcement needs this role holder.
Can't raise the functional level for a domain - This role holder must be available when the raising the domain functional level.

4 RID Master

Can't create new users or groups - RID pool has been depleted.

5 Infrastructure Master

Problems with universal group memberships - Cross-domain object references need this role holder.

Transfering FSMO roles

Transfering FSMO roles

Microsoft didn’t impose any rule for keeping all 5 FSMO roles on same or different servers, But for obtaining maximum performance ,they recommend some suggested configurations.While installing a domain controller using dcpromo ,the first domain controller will hold all the 5 FSMO roles ,later while installing the second DC onwards we can transfer FSMO roles from the current holder to other.

We may need to transfer FSMO roles while demoting any of the DCs . when the original FSMO role holder went offline or became non operational for a long period of time, then we may need to do Seizing of FSMO roles.

However the transfer process is not initiated automatically by the operating system, for example a server in a shut-down state.

ou can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool.

Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:

Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Users and Computers and press Connect to Domain Controller.
Select the domain controller that will be the new role holder, the target, and press OK.
Right-click the Active Directory Users and Computers icon again and press Operation Masters.
Select the appropriate tab for the role you wish to transfer and press the Change button.
Press OK to confirm the change.
Press OK all the way out.

Transferring the Domain Naming Master via GUI
To Transfer the Domain Naming Master Role:

Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Domains and Trusts and press Connect to Domain Controller.
Select the domain controller that will be the new role holder and press OK.
Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.
Press the Change button.
Press OK to confirm the change.
Press OK all the way out.

Transferring the Schema Master via GUI

To Transfer the Schema Master Role:

regsvr32 schmmgmt.dll

Press OK. You should receive a success confirmation.
From the Run command open an MMC Console by typing MMC.
On the Console menu, press Add/Remove Snap-in.
Press Add. Select Active Directory Schema.
Press Add and press Close. Press OK.
If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.
Press Specify .... and type the name of the new role holder. Press OK.
Right-click right-click the Active Directory Schema icon again and press Operation Masters.
Press the Change button.
Press OK all the way out.

Wednesday, October 20, 2010

How to seize FSMO Roles

How to seize FSMO Roles

Open the command prompt and type ntdsutil

Eg:

C:\WINDOWS>ntdsutil

ntdsutil:

Step 2

T ype roles, and then press ENTER.

Eg:

ntdsutil: roles

fsmo maintenance:

Step :3

Type connections, and then press ENTER.

Eg:

fsmo maintenance: connections

server connections:

Step:4

Type connect to server <servername>, where <servername> is the name of the server you

want to use,and then press ENTER.

server connections: connect to server yourserver

Binding to yourserver ...

Connected to yourserver using credentials of locally logged on user.

server connections:

Step:5

At the server connections: prompt, type q, and then press ENTER again.

Eg:

server connections: q

fsmo maintenance:

Step:6

Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master:

Available options are

fsmo maintenance: ?

? - Show this help information

Connections - Connect to a specific AD DC/LDS instance

Help - Show this help information

Quit - Return to the prior menu

Seize infrastructure master - Overwrite infrastructure role on connected server

Seize naming master - Overwrite Naming Master role on connected server

Seize PDC - Overwrite PDC role on connected server

Seize RID master - Overwrite RID role on connected server

Seize schema master - Overwrite schema role on connected server

Select operation target - Select sites, servers, domains, roles and naming contexts

Transfer infrastructure master - Make connected server the infrastructure master

Transfer naming master - Make connected server the naming master

Transfer PDC - Make connected server the PDC

Transfer RID master - Make connected server the RID master

Transfer schema master - Make connected server the schema master

Step:6

After the selection of FSMO role You will receive a warning window asking if you want to perform the seize. Click on Yes.

Step 7:

Repeat steps 5 and 6 until you've seized all the required FSMO roles.

Step 8:

After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.

How to promote a Domain controller to Global Catalog server?

1) Open Active Directory Sites and Services.and expand the sites

2) Select required site and the server which needs to be promoted.

3) On the right pane, right click NTDS Settings and select properties.

4) There is a checkbox for Make this server a Global Catalog. Check it to make the server a GC.

Note: It may take some time to build the role

How to check a domain is a Global Catalog Server

How to check a domain is Global Catalog Server?

1.) Start Menu > Administrative Tools > Active Directory Sites and Services.
2.) In the left pane of the Sites Tree, find the name of your Active Directory server.
3.) Right-click the NTDS Settings for your Active Directory server and select Properties. If the Global
Catalog check box is selected, the Active Directory server is configured to be a global catalog.

Command Line options

1. Open command prompt and type repadmin.exe /options * and use IS_GC for current domain options.
2. Open command prompt and type nltest /dsgetdc:yourdomain /GC
3.dsquery server –isgc eg:dsquery server -domain yourdomain.com -isgc

Wednesday, October 13, 2010

How to Show hard disk size in Linux or UNIX

Show hard disk size in Linux or UNIX

$ df

will show File syste, Total space and free space user in percentage

$ df –H

Will show the same in MB and GB