Active Directory 2012 installation stalls at the “Creating the NTDS settings object”

April 2, 2013 2 comments

I recently ran into this issue with a customer when adding additional Server 2012 domain controllers to an existing domain. The steps below worked perfectly for me.

After you start Active Directory installation in Windows Server 2012 by using Server Manager or the AddsDeployment Windows PowerShell module, the installation stalls at the stage at which you receive the following message:

“Creating the NTDS Settings object for this Active Directory Domain Controller on the remote AD DC dc1.domain.com”

This issue occurs for one or more of the following reasons:
  • The server’s built-in Administrator account has the same password as the built-in domain Administrator account.
  • The NetBIOS domain prefix or UPN was not provided with the credentials for the installation. Instead, only the user name “Administrator” was provided.

To resolve this issue, follow these steps:

  1. Restart the server on which Active Directory could not be installed.
  2. Use Dsa.msc or Dsac.exe on an existing domain controller to delete the failed server’s computer account. (At this point the failed server is still only a member server object, not a domain controller object.) Then let Active Directory replication converge.
  3. On the failed server, forcibly remove the server from the domain by using the System Properties Control Panel item or netdom.exe.
  4. On the failed server, remove the Active Directory Domain Services (AD DS) role by using Server Manager or Uninstall-WindowsFeature.
  5. Restart the failed server.
  6. Install the AD DS role, and then try the promotion again. When you do this, make sure that you provide promotion credentials in the form “domain\user” or “user@domain.com.”
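The last three steps scripted with the ADDSDeployment module, as an added example that is not part of the original post. It assumes the domain corp.example.com and the site Default-First-Site-Name, and it rejects credentials given as a bare user name, which is the mistake the KB article describes.

```powershell
# Added example (not from the original post). Run on the failed server after it
# has been rejoined as a plain member server (steps 1-3 above).
# Assumed names: domain corp.example.com, site Default-First-Site-Name.

# --- Session 1: step 4 (remove the role) and step 5 (restart) ---
Uninstall-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Restart-Computer

# --- Session 2, after the reboot: step 6 ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Credentials must carry the domain (DOMAIN\user or user@domain) so that they
# cannot be resolved against the local built-in Administrator, whose password
# may be identical to the domain account's.
$cred = Get-Credential -UserName 'CORP\Administrator' -Message 'Domain admin credentials'
if ($cred.UserName -notmatch '\\|@') {
    throw "Use DOMAIN\user or user@domain, not a bare user name: $($cred.UserName)"
}
$dsrm = Read-Host -AsSecureString 'DSRM (Safe Mode administrator) password'

# Run the prerequisite checks only; nothing is changed yet.
Test-ADDSDomainControllerInstallation -DomainName 'corp.example.com' -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -SiteName 'Default-First-Site-Name' -InstallDns

# Promote. -Force suppresses the confirmation prompt; the server reboots when done.
Install-ADDSDomainController -DomainName 'corp.example.com' -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -SiteName 'Default-First-Site-Name' -InstallDns -Force
```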

http://support.microsoft.com/kb/2737935

Categories: Active Directory

Windows Server 2012 Remote Group Policy Update

We have all been there: you change a setting in a GPO and want to test or enforce it right away on a machine. Before Windows Server 2012, most of us went to that machine, opened a command prompt, and ran “gpupdate /force”. Having to log on to each machine, or wait for the refresh interval, was annoying.

Windows Server 2012 adds a built-in Remote Group Policy Update feature that refreshes Group Policy on every computer in a chosen organizational unit. Make the change to the GPO, open the OU in the Group Policy Management Console, right-click the OU, and select “Group Policy Update”.

GPO-Update

This triggers gpupdate on the computers in the OU without remoting into any of them. The next dialog tells you that you have chosen to run a Group Policy update on all computers in the selected OU; clicking Yes runs gpupdate on those machines.

GPO-Update2

That’s it, just another handy little new feature that has been added to Windows Server 2012.
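The same OU-wide refresh from the command line, as an added example that is not part of the original post. It uses the Invoke-GPUpdate cmdlet from the Windows Server 2012 GroupPolicy module, which schedules the same remote gpupdate task the GPMC action does; the OU distinguished name is an assumption.

```powershell
# Added example (not from the original post). Assumed OU:
# OU=Workstations,DC=corp,DC=example,DC=com. Needs RSAT's ActiveDirectory and
# GroupPolicy modules and the remote scheduled-task/WMI firewall rules open on
# the clients, exactly as the GPMC "Group Policy Update" action does.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou = 'OU=Workstations,DC=corp,DC=example,DC=com'

$results = foreach ($pc in Get-ADComputer -Filter * -SearchBase $ou -SearchScope Subtree) {
    try {
        # -Force re-applies all settings (like gpupdate /force); the random
        # delay is set to 0 so the refresh starts immediately for testing.
        Invoke-GPUpdate -Computer $pc.DNSHostName -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        [pscustomobject]@{ Computer = $pc.Name; Scheduled = $true;  Error = $null }
    } catch {
        # Offline machines or blocked firewall ports show up here instead of
        # silently being skipped.
        [pscustomobject]@{ Computer = $pc.Name; Scheduled = $false; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
```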

Categories: Active Directory

adprep in Server 2012

Now that Windows Server 2012 has been released and customers are starting to move to Windows Server 2012 Active Directory, I thought I would throw a post out there about the new adprep utility. In the old days, and when I say old I mean Windows Server 2008 R2, we ran adprep or adprep32 on the Schema Master and Infrastructure Master of the domain. This is no longer the case.

Opening the Windows Server 2012 disc, I see the same folders we saw in the previous version:

2012-disc

So let’s hop into the support folder and take a look at the adprep folder.

2012-adprep

Looking at the contents of the adprep folder, I see adprep.exe, but not the adprep32.exe that used to let us run adprep on older 32-bit domain controllers holding some of the FSMO roles to begin the upgrade. Microsoft has changed this: we no longer need to run adprep or adprep32 on the domain controllers themselves. Instead, adprep can be run from any remote computer, domain-joined or in a workgroup, as long as it runs a 64-bit edition of Windows Server 2008 or later. The usual permissions (Schema Admins, Enterprise Admins, Domain Admins) are of course still required for the account running the adprep utility.

Microsoft has also removed the need to run adprep from a remote computer before promotion at all: it is integrated into the Active Directory Domain Services installation process and runs as needed. Since dcpromo has been removed from the operating system, installing the AD DS role and then promoting the server to a domain controller now handles any prep work that needs to be done.

More Server 2012 stuff soon to come!

Categories: Active Directory

Migrate DHCP database from Server 2003 to Server 2008 R2

June 20, 2012 1 comment

Very often when doing Active Directory upgrade projects for customers, DHCP will be running on one of the current domain controllers that will need to be decommissioned after the upgrade process has been completed. Migrating the DHCP database and configuration from Server 2003 to Server 2008 R2 is a very easy process that is not time consuming at all.

Export the DHCP database and configuration from the server that is running Windows Server 2003.
You will need to have local administrator rights to accomplish this. 

1) Open up a command prompt by clicking Start, click Run, type cmd in the run box, then OK or Enter.

2) Type netsh dhcp server export c:\dhcp.txt all, and then press Enter. 

Install the DHCP server role on the Server 2008 R2 server. 

1) Click Start, click Administrative Tools, Click Server Manager.

2) In the Roles Summary click Add Roles, click Next, check DHCP server, and then click Next.

3) Click Next on the Introduction to DHCP Server page.

4) On the Select Network Connection Bindings page, make sure the IP address on which you want to service DHCP clients is checked.

5) On the Specify IPv4 DNS Server Settings page, remove all information that has been populated, then click Next. (Since we are importing from the Server 2003 DHCP server, all of this information will be brought over.)

6) On the Specify IPv4 WINS Server Settings page, select WINS is not required for applications on this network, then click Next. (Again, if you are using WINS, these settings will be migrated over.)

7) On the Add or Edit DHCP Scopes page, do not add any DHCP scopes, click Next.

8) On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6 stateless mode for this server, click Next.

9) On the Authorize DHCP Server page, click Skip Authorization of this DHCP server in AD DS, then click Next. (We will authorize the server later.)

10) On the Confirm Installation Selections page, review your selections, if all looks correct, click Install.

Now that we have the DHCP server database and configuration exported, and the DHCP server role installed on our new 2008 R2 server, the next step is to import our database and configuration into the new server.

Importing the exported DHCP database and configuration into our new Windows Server 2008 R2 server. 

1) Copy the exported DHCP database and configuration file to the local hard disk of the Windows Server 2008 R2 server.

2) Open up a command prompt by clicking Start, click Run, type cmd in the run box, then OK or Enter.

3) Type netsh dhcp server import c:\dhcp.txt all, and press Enter. (In this example, we copied the dhcp.txt file to the root of the c:\ drive.)

Open up the DHCP console and verify the DHCP database and configuration has been imported. 

Now that we have exported the DHCP database and configuration, installed the DHCP server role, and imported the DHCP database and configuration, it is time to authorize the DHCP server. The process itself is quick and simple, but before you cut over to the new DHCP server a few things need to be in place. Depending on your network configuration, you might have to configure IP helper (DHCP relay) addresses for the new server on some of your network devices. Once those are in place, we can authorize the new DHCP server and unauthorize the old one.

Authorize the DHCP server

1) Open up your DHCP server console on the new Server 2008 R2 server.

2) In the console tree, expand the new DHCP server.

3) Right click on the server object, then click Authorize.

4) If authorization succeeds, right-click the server again and click Refresh. (The red arrow should now be a green arrow, showing that the server is authorized.)

5) If all IP helper addresses are in place for the new DHCP server, you can now unauthorize your old DHCP server. A quick test is to run ipconfig /release and ipconfig /renew on a DHCP client and check that the DHCP server address has changed.
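The import, authorization and cutover steps scripted on the new Windows Server 2008 R2 server with the same netsh commands used above, as an added example that is not part of the original post. Server names, IP addresses and the export path are assumptions.

```powershell
# Added example (not from the original post). Run as a domain administrator
# (authorization changes need Enterprise Admins rights) on the new 2008 R2 server.
# Assumed: old server dhcp-old (192.0.2.10), new server dhcp-new (192.0.2.20),
# export file copied to C:\dhcp.txt. Beforehand, on the 2003 server:
#   netsh dhcp server export c:\dhcp.txt all
$exportFile = 'C:\dhcp.txt'
$oldFqdn = 'dhcp-old.corp.example.com'; $oldIp = '192.0.2.10'
$newFqdn = 'dhcp-new.corp.example.com'; $newIp = '192.0.2.20'

if (-not (Test-Path $exportFile)) {
    throw "Export file $exportFile not found; copy it from the 2003 server first."
}

# Import scopes, reservations, options and the lease database into the local server.
netsh dhcp server import $exportFile all
if ($LASTEXITCODE -ne 0) { throw "netsh import failed with exit code $LASTEXITCODE" }

# Review what was imported before touching authorization.
netsh dhcp server show scope

# Authorize the new server in AD DS (the console's Authorize action), then
# remove the old server's authorization so it stops answering clients.
netsh dhcp add server $newFqdn $newIp
if ($LASTEXITCODE -ne 0) { throw "Authorizing $newFqdn failed with exit code $LASTEXITCODE" }
netsh dhcp delete server $oldFqdn $oldIp

# Verify: only the new server should be listed as authorized.
netsh dhcp show server
```

On a client, ipconfig /release followed by ipconfig /renew and ipconfig /all should then show the new server's address as the DHCP Server.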

Categories: Active Directory

Recreating FEP 2010 Olap database

January 5, 2012 9 comments

So recently I ran into an issue where a customer was experiencing problems with the FEP 2010 Olap database. No data was being shown in the FEP SQL Analysis database, and errors were showing in the Application event log as follows:

MSSQLServerOLAPService
Errors in the metadata manager. An error occurred when loading the Collection dimension, from the file, ‘\\?\D:\MSAS10_50.MSSQLSERVER\OLAP\Data\FEPDW_ABC.0.db\Collection.4141.dim.xml’.

MSSQLServerOLAPService
Errors in the metadata manager. An error occurred when loading the FEP cube, from the file, ‘\\?\D:\MSAS10_50.MSSQLSERVER\OLAP\Data\FEPDW_ABC.0.db\FEP.33097.cub.xml’.

SQLISPackage100
Package “ssisFEP_OlapProcessing” failed.

A little research suggested that the old Olap database needed to be dropped and a new FEP Analysis database created. There are a couple of executables in the folder where FEP is installed; in this example FEP lives in the “D:\Program Files\Microsoft Forefront\Forefront Endpoint Protection” folder. The two executables are EnterpriseSecurityDW.exe, used for SQL 2005, and EnterpriseSecurityDW2008.exe, used for SQL 2008 and 2008 R2.

For this example we will use the following SQL server name, SQL database name, Olap database name and FEP reporting user:

SQL server name: SQL
SQL database name: FEPDW_ABC
Olap database name: FEPDW_ABC
FEP reporting user: domain\fepreporting

On the SCCM/FEP server, open up an Administrator command prompt and browse to the “D:\Program Files\Microsoft Forefront\Forefront Endpoint Protection” folder.

Type the following command for a SQL 2008 or 2008 R2 server:

EnterpriseSecurityDW2008.exe /serverName:SQL /sqlDatabaseName:FEPDW_ABC /OlapDb:FEPDW_ABC /reportsUser:domain\fepreporting /overwriteDatabase:1

Type the following command for a SQL 2005 server:

EnterpriseSecurityDW.exe /serverName:SQL /sqlDatabaseName:FEPDW_ABC /OlapDb:FEPDW_ABC /reportsUser:domain\fepreporting /overwriteDatabase:1

* Note that the arguments are case sensitive

The command should execute and report at the end that it completed successfully.

Categories: FEP 2010

SCCM 2012 Beta 2 Installation error “Failed to write string -T8295 to registry on SQL Server”

During the move to SCCM 2012 with FEP 2012 in my home network, I ran into the installation hanging a few times while “Evaluating setup environment”. My new SCCM 2012 server is running on a Hyper-V virtual machine with SQL 2008 SP1 with CU15 installed locally on the server. I used a standard AD domain user for all SQL services during the installation.

After letting the installation run overnight and coming back the next morning, I noticed it had not moved at all since the previous night. I also noticed that the SQL service had entered a STOPPED state. After checking the log, I had noticed a few of these errors:

ERROR: Failed to write string -T8295 to registry on SQL Server [servername].

INFO: Name for SQL Param string value is SQLArg3.

ERROR: Failed to write string “-T4199” to registry on SQL Server [servername].

Creating SQL Server machine certificate for Server [sernername]...

The one part that I did skip was reading the SQL Server Setup and Configuration Requirements which clearly stated:

You must configure all SQL Server services (engine, agent, etc.) to run under the LOCAL SYSTEM account. If you use another account (e.g. NETWORK SERVICE or a domain user account), database replication will fail with certificate issues.

After changing the service accounts to LocalSystem, the installation went through without an issue.
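A pre-flight check for the requirement quoted above, as an added example that is not part of the original post: it lists every SQL Server service whose logon account is not LocalSystem and, with -Fix, switches it using sc.exe. It assumes it is run elevated on the SQL Server itself.

```powershell
# Added example (not from the original post). Run elevated on the SQL Server
# before starting SCCM setup. Without -Fix it only reports.
param([switch]$Fix)

# Engine, Agent, Analysis Services, Reporting Services and Integration Services
# service names for default and named instances.
$sqlServices = Get-WmiObject Win32_Service |
    Where-Object { $_.Name -match '^(MSSQL|SQLSERVERAGENT|SQLAgent|ReportServer|MsDtsServer)' }

if (-not $sqlServices) { throw 'No SQL Server services found on this computer.' }

foreach ($svc in $sqlServices) {
    $ok = $svc.StartName -eq 'LocalSystem'
    '{0,-32} {1,-30} {2}' -f $svc.Name, $svc.StartName, $(if ($ok) { 'OK' } else { 'CHANGE TO LocalSystem' })

    if (-not $ok -and $Fix) {
        # sc.exe's syntax requires the space after "obj="; setting LocalSystem
        # needs no password, so none is passed.
        sc.exe config $svc.Name obj= LocalSystem
        if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed for $($svc.Name)" }
        # The new account takes effect on the next start; -Force also
        # restarts dependent services such as the Agent.
        Restart-Service -Name $svc.Name -Force
    }
}
```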

Categories: SCCM

Little bit about ADPrep when upgrading to Active Directory 2008 R2

All too often I am asked about the first steps of upgrading Active Directory. After the design and plan for the upgrade are in place, the first step is to run the ADPrep.exe or ADPrep32.exe tool against the forest and domain. ADPrep contains the components that update the schema and the permissions on Active Directory application partitions. The ADPrep tool is located on the Windows Server 2008 R2 installation disc in the \sources\adprep folder. It can either be run directly from the installation disc at the command line, or the ADPrep folder can be copied to the Domain Controllers that hold the relevant FSMO roles in the environment.

Depending on whether the current Domain Controllers run a 32-bit or 64-bit operating system, the matching tool is run from the command line: ADPrep.exe on 64-bit DCs or ADPrep32.exe on 32-bit DCs. A little about each of the commands is listed below.

ADPrep.exe /forestprep

This command needs to be run on the Domain Controller that holds the schema master operations master role for the forest. This prepares the forest for the introduction of a domain controller that runs Windows Server 2008 R2. This command only needs to be run once in the forest. In order to run this command, the user logged on and running ADPrep will need to be a member of:

– Enterprise Admins group

– Schema Admins group

– Domain Admins group of the domain that hosts the schema master

ADPrep.exe /domainprep

This command needs to be run on the domain controller that contains the infrastructure master operations master role for the domain. This prepares the domain for the introduction of a domain controller that runs Windows Server 2008 R2. This command needs to be run after the ADPrep.exe /forestprep finishes and after the changes have replicated to all the domain controllers in the forest.

In the situation of multiple sub domains in the forest, this command will need to be run on each sub domain that will contain the new 2008 R2 domain controllers. The ADPrep.exe /domainprep command will need to be run on each infrastructure master in the relevant sub domain.

The user running this command must be a member of the Domain Admins group.

ADPrep.exe /domainprep /gpprep

This command performs the same updates as adprep.exe /domainprep but also applies the updates needed to enable Resultant Set of Policy (RSOP) Planning Mode functionality.

This command needs to be run after the ADPrep.exe /forestprep finishes and after the changes have replicated to all the domain controllers in the forest. The command needs to be run on the domain controller that contains the infrastructure master operations master role for the domain. This prepares the domain for the introduction of a domain controller that runs Server 2008 R2.

In the situation of multiple sub domains in the forest, this command will need to be run on each sub domain that will contain the new 2008 R2 domain controllers. The ADPrep.exe /domainprep /gpprep command will need to be run on each infrastructure master in the relevant sub domain.

The user running this command must be a member of the Domain Admins group.

ADPrep.exe /rodcprep

This command updates permissions on application directory partitions to enable replication of the partitions to read-only domain controllers (RODCs). The operation runs remotely and contacts the infrastructure master in each domain to update the permissions. This command only needs to be run once per forest. This command can be run on any computer in the forest.

The user running this command must be a member of the Enterprise Admins group.
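A planning script for the sequence above, as an added example that is not part of the original post: it finds the schema master and each domain's infrastructure master, picks ADPrep.exe or ADPrep32.exe from that DC's address width, and prints the commands in the order they must run. It assumes the \sources\adprep folder has been copied to \\fileserver\adprep and that the RSAT ActiveDirectory module is available.

```powershell
# Added example (not from the original post). Assumed: adprep folder copied to
# \\fileserver\adprep; run from a machine with the RSAT ActiveDirectory module
# by an account that can query WMI on the DCs.
Import-Module ActiveDirectory
$adprepShare = '\\fileserver\adprep'

function Get-AdprepExe([string]$computer) {
    # Win32_Processor.AddressWidth reflects the running OS (32 on a 32-bit OS
    # even on x64 hardware) and exists on Server 2003, unlike OSArchitecture.
    $cpu = Get-WmiObject Win32_Processor -ComputerName $computer | Select-Object -First 1
    if ($cpu.AddressWidth -eq 64) { 'ADPrep.exe' } else { 'ADPrep32.exe' }
}

$forest = Get-ADForest
$schemaMaster = $forest.SchemaMaster

"1. On $schemaMaster (schema master; Enterprise, Schema and Domain Admins):"
"   $adprepShare\$(Get-AdprepExe $schemaMaster) /forestprep"
"   Wait for the schema changes to replicate forest-wide (check with repadmin /showrepl)."

$step = 2
foreach ($domainName in $forest.Domains) {
    $im = (Get-ADDomain -Identity $domainName).InfrastructureMaster
    # /domainprep /gpprep covers the /domainprep updates as well, so one run per domain.
    "$step. On $im (infrastructure master of $domainName; Domain Admins of that domain):"
    "   $adprepShare\$(Get-AdprepExe $im) /domainprep /gpprep"
    $step++
}

"$step. From any computer in the forest (Enterprise Admins), once per forest:"
"   $adprepShare\ADPrep.exe /rodcprep"
```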

Categories: Active Directory