Latest Updates: domain

  • Relying on the Unknown

    Mirco, 9:41 on Tuesday, 2 September 2008
    Tags: activedirectory, assignment, change, chaos, company, delegation, department, dns, domain, it, merger, problem

    When merging different companies, one of the most crucial building blocks of future success is a fully merged and centralized IT Management. Why? Because every attempt I witnessed to try something else created chaos. And that’s something you really don’t want within your IT department.

    A small example. One of my customers bought some small companies and integrated them into their Active Directory, leaving every local administrator with a domain administrator account, because that is what they had before the migration. Sounds fair for the administrators, but a few weeks later some of the mail servers stopped sending email.

    Someone had made some small changes to the DNS service, which was Active Directory integrated, so this narrowed the potential causes down to the members of the Domain Admins group… all 120 of them. At first this doesn’t look like a huge number, but if you consider that every local administrator and at some sites even local support personnel had domain administrator privileges, it is much too great a risk to be left unchanged.
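    The situation above (more Domain Admins than anyone can account for) is easy to measure. The following PowerShell is an added example, not code from the post or from the company described; it assumes the ActiveDirectory module from RSAT and read access to the domain, and the `$MaxExpected` threshold is an assumed value to be replaced with your own standard. It expands nested membership, so it reports the effective members, not only the direct ones.

```powershell
# Added example (not from the original post): report effective Domain Admins membership.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the directory.
Import-Module ActiveDirectory

function Get-DomainAdminReport {
    param(
        [int]$MaxExpected = 10   # assumed threshold; set it to what your own standard allows
    )

    # -Recursive expands nested groups, so every account that effectively holds
    # Domain Admin rights is listed, including those hidden behind group nesting.
    $members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive

    $report = foreach ($m in $members) {
        if ($m.objectClass -eq 'user') {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LastLogonDate
            [pscustomobject]@{
                Name      = $u.SamAccountName
                Class     = 'user'
                Enabled   = $u.Enabled
                LastLogon = $u.LastLogonDate
            }
        } else {
            # computers, managed service accounts, etc.
            [pscustomobject]@{
                Name      = $m.SamAccountName
                Class     = $m.objectClass
                Enabled   = $null
                LastLogon = $null
            }
        }
    }

    $count = @($report).Count
    if ($count -gt $MaxExpected) {
        Write-Warning "Domain Admins has $count effective members; expected at most $MaxExpected."
    }
    $report
}

# Usage: list every effective member, stale and disabled accounts included.
Get-DomainAdminReport | Sort-Object Class, Name | Format-Table -AutoSize
```

Disabled accounts and accounts with an old LastLogonDate that still appear in the output are the first candidates for removal; the rest of the list is what you have to be able to attribute a change to when something like the DNS incident above happens.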

    Another small example, at another company. While rolling out a new directory structure and migrating every company site into it, all local administrators were reduced from Domain Administrators to Domain Users with delegated privileges. Some of them fought fiercely to regain their old “power”, and the CIO was pressured by some executives to reinstate them.

    The funny thing was that one of them sent an email asking about a problem he had at his site, a question most of the central hotline staff could have answered, only minutes after the CIO had requested that this particular administrator be reinstated. After we forwarded this email to the CIO, the request was cancelled.

    The main problem when merging IT departments is that in most cases you don’t know anything about the people and their skills. Even if, as in this case, they have been running the local IT at some sites for years, that doesn’t mean they know what they are doing.

    We all know communication is a crucial part of business success and since IT is a crucial part of today’s businesses it’s even more important to know what is going on in your network, on your servers and who is making changes to what.

    That’s why change management was created.

    Sending an email about a problem to a distribution list of 40 administrators doesn’t necessarily solve the problem. It will more likely produce another one: problem assignment.

    This approach has two likely outcomes:

    1. Everyone thinks somebody else is already on it and ignores the email.
    2. Two or more admins try to solve the same problem at the same time.

    In most cases neither outcome solves the original problem, because every change made by one admin produces inconclusive results for the other, which in turn leads to more changes.

    Taking some time to think about, define and plan how your IT environment should work and how this plan can be realised is the first and one of the more difficult steps, but in the end it will be worth the effort.

  • How to restore a Domain Controller you cannot logon to

    Mirco, 6:54 on Wednesday, 16 July 2008
    Tags: account, active, active directory, adsi, controller, dc, dcpromo, directory, domain, edit, kerberos, login, logon, ntdsutil, registry, restore

    In the last few weeks we had, for reasons unknown, multiple Domain Controllers that refused every logon attempt.

    After a closer look at the event logs we found pages full of Kerberos errors. Somehow the machine account password had expired and was not renewed, so the controller could no longer replicate and thus refused our logon attempts.

    I tried to fix the Kerberos issue, but nothing I found helped the situation. So how do you restore a Domain Controller you cannot log on to, without reinstalling the server?

    After a quick search I found Microsoft Article KB332199, which has a useful subsection on the “If the domain controller cannot start in normal mode” issue.

    First restart the Domain Controller in Directory Services Restore Mode (press F8 during boot) and open REGEDIT. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions and edit the value of ProductType from “LanmanNT” to “ServerNT”. Be careful to spell this correctly! This tells the server that it is only a member server in the domain, so you can log on with a local account.

    Restart the system and log on using the local Administrator account with the Directory Services Restore Mode password. Open REGEDIT again and this time browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. Find the Src Root Domain Srv entry and delete it. This way the server will believe it is the last Domain Controller in the current domain.

    Start DCPROMO and create a new temporary domain. Yes, create. No need to delete anything yet. This will overwrite any Active Directory values stored on your local server. After it is done, restart and run DCPROMO again. This time we shut down the temporary domain and remove all Domain Controller traces from the hard drive.

    That’s it. All you need to do now is remove the Active Directory objects related to the original Domain Controller (see KB216498) from the directory, wait for replication to finish and run DCPROMO to add this server as a Domain Controller of your domain again.
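    The two registry edits in the procedure above are the part where a typo does the most damage, so here they are as a PowerShell script with a check before and after each change. This is an added example, not code from the post or from the Microsoft article; it assumes an elevated prompt on the affected controller, first booted into Directory Services Restore Mode, and `C:\DSRM-Backup` is a constructed path for the registry exports. The DCPROMO steps are intentionally left to the wizard.

```powershell
# Added example (not from the original post or KB332199): the registry edits from the
# recovery procedure, with a backup export and a sanity check around each change.
# Assumes an elevated prompt on the affected DC, booted into Directory Services Restore Mode.

$productOptions = 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions'
$ntdsParameters = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$backupDir      = 'C:\DSRM-Backup'   # constructed path; exports can be re-imported with 'reg import'

function Backup-RecoveryKeys {
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions' `
        (Join-Path $backupDir 'ProductOptions.reg') /y | Out-Null
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        (Join-Path $backupDir 'NTDS-Parameters.reg') /y | Out-Null
    Write-Host "Registry keys exported to $backupDir"
}

function Set-MemberServerProductType {
    # Step 1 of the procedure: LanmanNT (domain controller) -> ServerNT (member server).
    $current = (Get-ItemProperty -Path $productOptions -Name ProductType).ProductType
    if ($current -ne 'LanmanNT') {
        throw "ProductType is '$current', not 'LanmanNT'; this does not look like a DC. Nothing changed."
    }
    # Exact spelling matters here, which is why the value is a literal and verified afterwards.
    Set-ItemProperty -Path $productOptions -Name ProductType -Value 'ServerNT'
    $after = (Get-ItemProperty -Path $productOptions -Name ProductType).ProductType
    if ($after -ne 'ServerNT') {
        throw "ProductType reads '$after' after the edit; inspect the key manually before rebooting."
    }
    Write-Host "ProductType changed from $current to $after. Reboot and log on as local Administrator with the DSRM password."
}

function Remove-SrcRootDomainSrv {
    # Step 2 of the procedure, after the reboot: drop the value so the server treats
    # itself as the last DC in the domain before DCPROMO is run.
    $value = Get-ItemProperty -Path $ntdsParameters -Name 'Src Root Domain Srv' -ErrorAction SilentlyContinue
    if ($null -eq $value) {
        Write-Host "'Src Root Domain Srv' is not present under NTDS\Parameters; nothing to delete."
        return
    }
    Remove-ItemProperty -Path $ntdsParameters -Name 'Src Root Domain Srv'
    Write-Host "'Src Root Domain Srv' removed. Next: DCPROMO to create a temporary domain, then DCPROMO again to remove it."
}

# Usage, one step per boot as the procedure describes:
#   Backup-RecoveryKeys; Set-MemberServerProductType   # in DSRM, then reboot
#   Remove-SrcRootDomainSrv                             # after the reboot, then run DCPROMO
```

Run the functions in the order of the comment at the end, rebooting in between as the procedure requires; the exported `.reg` files let you put both keys back if the first DCPROMO run has to be abandoned.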
