Nov 20, 2012

Replication error'ed out with "no more endpoints"


1.       When right click “replicate now”, and the error message is “error 1753: There are no more endpoints available from the endpoint mapper”, it’s complaining the source DC not able to find a RPC endpoint from target DC. To make it more confusing, these two DCs are replicating to all their other partners - they just don’t want to replication with each other (one direction)
2.       This KB helps: http://support.microsoft.com/kb/2089874 and with good explanation too
3.       In our case, it sounds like root DC(source) was brought to a wrong child DC (target) for replication as per above KB.
4.       However when I check all related A/CNAME records, they are all CORRECT. All WINS records are correct too. Clean DNS cache on both client side and DNS server side didn’t help either
5.       It turns out it’s child’s delegated zone in root zone has incorrect glue record (right click child zone, properties, name servers tab). Windows apparently is capable of detecting such misconfiguration but chose not to auto correct, which is weird. 

Lesson learned: when a DC's CNAME or A is resolved to a wrong IP while all its references in visible zones are correct, please check the Name Servers tab of stud node (of child zone) in parent DNS server. Also, when promote/demote child DCs, or change their IPs, please make sure changes are made in the Name Servers tab too ( I mistakenly assume that dcpromo program would do that automatically)

Sep 17, 2012

Pin point AD object deletion in event log

Ref: Technet blog here

This has been done before object being restored.


  1. Find out DN of the deleted object (using ldifde or adrestore).
    Ldifde –x –d “CN=Deleted Objects,DC=domain,DC=com” –f Deletedobj.ldf
  2. Know when the object was deleted, and on which DC
    Repadmin /Showobjmeta DCname “DN of the deleted object” > Delshowmeta.txt
    In the log, find attribute isDeleted, note the time
  3. Go to the source DC, in security log, find the logs at specific time. Event log IDs are
    630(2k3)/4726(2k8) for user objects
    647(2k3)/4743(2k8) for computer objects



May 31, 2012

Unable to restore deleted AD object

When follow instructions in this link to recover a deleted object, I got error message "illegal modify operation". One of the workaround in the comment worked for me (the restore-adobject method): add a -NewName argument in the restore-adobject statement.


LDAP method didn't work well as it showed only first 1000 objects under "deleted objects" container while we had way more that number. 

Apr 3, 2012

WMI Association Class

There is a special type of WMI class called "association class". This type of class binds two normal, related classes together. A typical example is association class for NIC-related classes. For each NIC in a system, there are two WMI classes for it: Win32_NetworkAdapterWin32_NetworkAdapterConfiguration. The former mainly includes NIC hardware info, such as speed, MAC, media connection status, etc; the later mainly includes configuration info on a NIC, such as IP, DHCP, DNS, etc. More than often, you need to obtain info from both classes, and that's where association class comes to help.

Still using NIC as our example, windows defines an association class called Win32_NetworkAdapterSetting, through which you can access info from both above-mentioned classes. An association class include two members, one called element, the other called setting. Not surprisingly, element links to a Win32_NetworkAdapter object (because it is the element) and setting links to a Win32_NetworkAdapterConfiguration object (because it is the setting stuff). Below is how you use it:

$ac = Get-WmiObject -Class win32_NetworkAdapterSetting   #gets all NIC info
$connectedAdapters = $ac | where {([wmi]$_.element).netConnectionStatus -eq 2}
$connectedAdapters | foreach {([wmi]$_.setting)|select caption, dhcpEnabled,IPaddress,dnsServerSearchOrder }

Mar 8, 2012

[Powershell] Try-Catch fails to catch an exception?

I was running a script that does WMI query and found that my try-catch-final statement seemed not working. The exception was still shown on console instead of handled by my catch block.

It turns out that exceptions are categorized into two groups, terminating exceptions and non-terminating exceptions. By default, try-catch intercepts only terminating exceptions. No surprisingly, get-WMIobject exceptions are non-terminating exceptions.

There are two ways to make it work. One is to make all exception terminating by below assignment:

$ErrorActionPreference = "Stop"; #Make all errors terminating


Remember to reset the preference at the end of your script as this is global.


$ErrorActionPreference = "Continue"


Or right after get-WMIobject statement, check the value of $?


if ($?){ 
        #processing block
}
else {
       throw $error[0].exception
}

Retrieving Terminal Server Configuration Settings Using Powershell

It was quite easy for Windows 2003 TS servers with Win32_TerminalServiceSetting WMI class, there are tons of documents on the Net. It took me some time, however, to find out that MS change the class considerably for Windows 2008.

It's now under a different name space root\cimv2\TerminalServices. It also requires you to specify an authentication flavour before you can gain access.

In short, you get info with below commands (w2k3 and w2k8 respectively):

gwmi Win32_TerminalServiceSetting -computername -namespace root/cimv2/TerminalServices -authentication 6

or

gwmi Win32_TerminalServiceSetting -computername [-namespace root/cimv2]

Feb 23, 2012

Enable LDAP over SSL Using Certificate Generated From A Different Machine

The procedure is pretty simple and well documented in KB 321051, so there is nothing special here. However the tricky part is you have to submit the request from the same DC in order to make LDAPS work because this way ensures you have the private key for the certificate.

In some cases, it could take quite a while to obtain a certificate so you want to submit the request way ahead of time - so long ahead of time that you may not have the hardware yet at the time you have to send the request.

A workaround is to submit the request from another machine - any other machine as long as you make the request right. Once you get the certifiate, install it on the requesting machine, then export it with private key, finally import onto your new DC.

Jan 22, 2012

Attempt to remove glue record on delegated zone crashes DNS console

- Windows 2008 R2
- 2 domains, parent-child
- 2 DNS zones respectively. Child zone delegated from parent zone
- Connect to parent DNS server, wrong IP listed for a name server in delegated zone properties window
- When try to remove or edit it, after confirmation, the MMC freezes

There are a few other people had same issue, seems to be a bug as far as I see it.

Resolution:
- ADSIedit, connect to parent DNS server
- Drill down to the delegated zone node
- In right hand pane, find the name server in question, remove the wrong IP from "dnsRecord(?)" attribute (you have to change the view to be "decimal" to see which entry is the wrong IP.

Update Nov 20, 2012:
Never mind the above, I found a hotfix http://support.microsoft.com/kb/2581690 that is exactly for this bug. This KB was published in 2011, I wonder why I didn't find it earlier - I consider myself an expert finding KBs :-). Not to mention why the Microsoft engineer I worked with didn't find this either.