Active Directory and DNS: Why you should not add 8.8.8.8 as a DNS forwarder?

Hi everyone, I hope you are doing great today. A new day is a new start.

If you are the type of engineer who treats every DNS problem as something to fix by adding 8.8.8.8, or who fills the DNS forwarder list with whatever values come to mind, then you will have trouble understanding Active Directory and its DNS functionality.

Why do these mistakes happen?

When you are in a rush to restore internet connectivity, the quickest idea is to point at 8.8.8.8 as the DNS server. However, making this your standard practice adds delay to DNS resolution and potentially introduces a point of failure.

How does DNS resolution actually work?

This is the basic order in which a Windows client attempts resolution. The first source to reply wins, whether its answer is right or wrong.

First phase: Local Windows Host File

Second phase: Computer’s DNS Server list

Third phase: Internal DNS Server

Fourth phase: Designated Conditional Forwarders

Fifth phase: DNS forwarders

Sixth phase: Root hints

What are the impacts?

The hosts file is static. It should only be used for troubleshooting and then immediately set back to its default once the issue has been resolved via the internal DNS servers.

If your DNS client settings point only to 8.8.8.8, every lookup goes out to the internet. This gives you internet access, but it will not resolve internal names. Your devices will therefore be unable to communicate with Active Directory: they will not pick up Group Policy, logins will be very slow, and the connection to the domain will be intermittent.

Doing this also sends your internal DNS queries out to the internet. This is not recommended, as it likely violates your security policies.

DNS forwarders that point only to 8.8.8.8 make every resolution hop across your ISP connection to reach 8.8.8.8. A resolver much closer to you will speed up requests if used instead.

Moreover, if your DNS is set to 8.8.8.8, a DNS failure can look like an ISP outage when the ISP connection is fine. If you have failover rules in place that do NOT use your ISP's DNS, your system may fail over when there is no outage at all.

If you have disabled root hints, an outage at a single external DNS provider can stop all external DNS resolution at your business.

Windows Firewall may also decide that the server is on a Public network and start blocking traffic, because the network location cannot be identified as the domain when the domain cannot be resolved. A domain controller whose primary or secondary DNS points to an external address such as 8.8.8.8 can trigger the same problem. Unchecking and rechecking IPv6 on the adapter fixes the Public profile error temporarily, but it will keep recurring until you remove 8.8.8.8.

It is recommended that the local network interface of any domain controller/DNS server always point first to another domain controller/DNS server and then to itself, never to an external IP.

DNS forwarders should be configured in the DNS Manager console (on the DNS server role) to point to your ISP's external DNS servers. This takes care of external name resolution.
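The checks above can be automated. The following PowerShell script is an added example, not part of the original post; it assumes it runs elevated on a domain controller with the DnsServer, DnsClient and ActiveDirectory modules installed, and the public resolver list and the 203.0.113.x forwarder addresses are constructed placeholders.

```powershell
# Audit a DC's DNS client list and server-level forwarders for the mistakes described above.
Import-Module DnsServer, DnsClient, ActiveDirectory

# Constructed list of well-known public resolvers; none of these belongs in a DC's client DNS list.
$publicResolvers = @('8.8.8.8', '8.8.4.4', '1.1.1.1', '1.0.0.1', '9.9.9.9')

# Acceptable client DNS targets for a DC: another DC in the domain, or itself/loopback as secondary.
$allowed = @((Get-ADDomainController -Filter *).IPv4Address) + '127.0.0.1'

$findings = @(
    foreach ($iface in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($srv in $iface.ServerAddresses) {
            if ($publicResolvers -contains $srv) {
                "$($iface.InterfaceAlias): client DNS $srv is a public resolver; point the client at a DC and put ISP resolvers in the forwarder list instead"
            } elseif ($allowed -notcontains $srv) {
                "$($iface.InterfaceAlias): client DNS $srv is not a domain controller of this domain"
            }
        }
    }
)

# Forwarders belong to the DNS server role, and root hints must stay enabled as the fallback.
$fwd     = Get-DnsServerForwarder
$fwdList = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })
if ($fwdList.Count -gt 0 -and -not $fwd.UseRootHint) {
    $findings += "Root hints disabled: an outage at $($fwdList -join ', ') stops all external resolution"
}
if ($fwdList -contains '8.8.8.8') {
    $findings += "Forwarder list contains 8.8.8.8; your ISP's resolvers are closer and answer faster"
}

if ($findings.Count -eq 0) { 'DNS client list and forwarders look sane' }
else { $findings | ForEach-Object { Write-Warning $_ } }

# Corrective setting (203.0.113.53/54 are placeholder ISP resolver addresses): forwarders at the
# server level, with root hints kept as the fallback.
# Set-DnsServerForwarder -IPAddress '203.0.113.53', '203.0.113.54' -UseRootHint $true
```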

References:

  1. https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/best-practices-for-dns-client-settings
  2. https://www.mirazon.com/stop-using-8-8-8-8-for-your-production-network/#:~:text=That%20is%20not%20recommended%20and,connection%20to%20hop%20to%208.8

Active Directory and Microsoft Defender for Identity: Defender for Identity agent failed to communicate with domain controller

Hi guys, I hope you are having a nice day today. Today I would like to share an experience I had involving Defender for Identity and a domain controller.

The problem was that Defender for Identity stopped working all of a sudden, and the same went for Group Policy. This environment has more than one domain controller running and only one of them had the issue. There was no one who had kept track of what had been done previously.

There was no proper error code in the event logs on the affected domain controller explaining the reason. There was a list of Kerberos error codes and intermittent sync issues in DNS, DFS Replication and directory sync.

Hence, I collected the event logs on the affected domain controller and the Defender for Identity logs from C:\Program Files\Azure Advanced Threat Protection Sensor\<version number>\Logs. Based on my findings, the affected domain controller's computer object was not in the default Domain Controllers organizational unit.

This is what the Defender for Identity logs showed:

A task was canceled. Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers

Warn GroupManagedServiceAccountImpersonationHelperGetGroupManagedServiceAccountAccessTokenAsync started. Error Service Controller Extension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed. at System.ServiceProcess.ServiceController. WaitForStatus(ServiceControllerStatus desiredStatus,TimeSpam timeout]

Resolution

  1. Schedule downtime if required
  2. Check where the affected domain controller's computer object is located
  3. Move the affected domain controller into the default Domain Controllers organizational unit
  4. On the impacted domain controller, run the command sc triggerinfo kdssvc start/networkon. This changes the trigger for the Microsoft Key Distribution Service (KdsSvc) so that the service starts as soon as the network is available
  5. Then restart the affected domain controller
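The following PowerShell script is an added example, not from the original post; it carries out steps 2 to 4 above with a check before the move. It assumes the ActiveDirectory module, an elevated session on a writable domain controller, and uses DC01 as a placeholder for the affected DC's name.

```powershell
Import-Module ActiveDirectory
$dcName = 'DC01'   # placeholder: hostname of the affected domain controller

$domain   = Get-ADDomain
$dcOu     = "OU=Domain Controllers,$($domain.DistinguishedName)"
$computer = Get-ADComputer -Identity $dcName

# Step 2: where does the DC's computer object actually live? The parent is everything after
# the first RDN of the distinguished name.
$parent = ($computer.DistinguishedName -split ',', 2)[1]
"$dcName is currently in: $parent"

if ($parent -ne $dcOu) {
    # Step 3: move it back to the default Domain Controllers OU, which is where the
    # Default Domain Controllers Policy is linked.
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $dcOu -Confirm:$false
    "Moved $dcName to $dcOu"
} else {
    "$dcName is already in the Domain Controllers OU; look elsewhere for the cause"
}

# Step 4: make KdsSvc start as soon as the network is up. sc.exe is used because there is
# no PowerShell cmdlet for service triggers; qtriggerinfo confirms the trigger was recorded.
sc.exe triggerinfo kdssvc start/networkon | Out-Null
sc.exe qtriggerinfo kdssvc

# Step 5 (run when the downtime window is open):
# Restart-Computer -Force
```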

References

  1. https://docs.microsoft.com/en-us/defender-for-identity/troubleshooting-using-logs

How to change Forest Functional Level and Domain Level?

Note:

Make sure you have an Enterprise Admin account/permissions to run these commands, and run Windows PowerShell as administrator.

If you run into an error where you cannot bring up a new domain controller because its operating system requires a higher forest functional level, this solution could help you. These commands cannot be run on an RODC.

I am not sure whether this requires the FSMO roles in order to change these functional levels. Hence, I ran these commands on the primary domain controller.

  1. Log in to your existing domain controller using an Enterprise Admin account
  2. Run Windows PowerShell as administrator
  3. Type the following commands to change the forest functional level
    • #Get forest level info
      Get-ADForest
      
      #Set the forest level (Identity is the forest name; ForestMode is an ADForestMode value)
      Set-ADForestMode -Identity <forest name> -ForestMode <ADForestMode value>
      
      #Example (contoso.com is a placeholder forest name): Set-ADForestMode -Identity contoso.com -ForestMode Windows2012R2Forest
  4. Type the following commands to change the domain functional level
    • #Get domain level info
      Get-ADDomain
      
      #Set the domain level (Identity is the domain name; DomainMode is an ADDomainMode value)
      Set-ADDomainMode -Identity <domain name> -DomainMode <ADDomainMode value>
      
      #Example (contoso.com is a placeholder domain name): Set-ADDomainMode -Identity contoso.com -DomainMode Windows2012R2Domain
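Before running the commands above, the pre-flight checks a practitioner would want are shown in this added example (not from the original post). It assumes the ActiveDirectory module and an Enterprise Admin session; the target levels are placeholders to adjust for your environment.

```powershell
Import-Module ActiveDirectory
$targetForest = 'Windows2012R2Forest'   # placeholder target level (ADForestMode value)
$targetDomain = 'Windows2012R2Domain'   # placeholder target level (ADDomainMode value)

$forest = Get-ADForest
$domain = Get-ADDomain
"Current forest level: $($forest.ForestMode)   current domain level: $($domain.DomainMode)"

# Every DC, RODCs included, must run an OS at least as new as the target level, otherwise the
# raise is refused. List them so any blocker is obvious before you try.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, IsReadOnly, IsGlobalCatalog |
    Format-Table -AutoSize

# The forest level is changed on the schema master and the domain level on the PDC emulator,
# so target those FSMO holders explicitly rather than whichever DC you happen to be on.
"Schema master: $($forest.SchemaMaster)   PDC emulator: $($domain.PDCEmulator)"

# Dry run: -WhatIf reports what would change without touching AD.
Set-ADDomainMode -Identity $domain -DomainMode $targetDomain -Server $domain.PDCEmulator -WhatIf
Set-ADForestMode -Identity $forest -ForestMode $targetForest -Server $forest.SchemaMaster -WhatIf

# Once the table shows every DC supports the target level, drop -WhatIf (add -Confirm:$false
# to skip the prompt). Raise the domain level first: the forest level requires every domain
# in the forest to already be at that level.
```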


I would recommend that you study the difference between the Forest Functional Level and the Domain Functional Level. I will write a blog post about it soon!

Differences between Hyper-V on Legacy and Non-Legacy Servers (Backup)

If you want to perform a live backup or export (to a local or external drive) of your virtual machines via Hyper-V, there are a few things to consider before you jump in:

  1. On which server operating system are your virtual machines hosted?
  2. Does that server support live backup or export?

What is a live backup or export?

  • A live backup or export is one you can run without having to shut down the virtual machines. It requires minimal to zero impact or downtime.

If your virtual machines are hosted on a legacy server, such as Windows Server 2012 or below, you are required to shut down the virtual machines before performing the backup or export. If the virtual machine is not shut down, the Export option is not shown to you at all. However, please note that if you are migrating virtual machines from a legacy server to a non-legacy server, it is best not to use the export feature on the legacy server; refer to the references below for a full explanation and the proper way to migrate.

If your virtual machines are hosted on a non-legacy server, such as Windows Server 2012 and above, you can perform a live backup or export without experiencing total downtime. As the technology advances, IT admins benefit by performing these tasks without working after hours, and end users do not experience total downtime.

Also read up on when to use checkpoints and when not to use them. Checkpoints are basically snapshots.

References:

  1. https://sabrinaksy.wordpress.com/2020/02/20/how-to-migrate-or-import-vm-from-windows-server-2008-r2-to-windows-server-2012-r2/
  2. https://www.petri.com/live-exporting-windows-server-2012-r2-hyper-v-vms
  3. https://blog.workinghardinit.work/2016/06/16/live-export-a-running-virtual-machine-or-a-checkpoint/

How to Migrate or Import a VM from Windows Server 2008 R2 to Windows Server 2012 R2?

This is my first time doing a VM migration or import/export of a VM from Server 2008 R2 to Server 2012 R2. At first, I used the export function in Hyper-V on Server 2008 R2 and I noticed the export result was different from Server 2012 R2. Thus, when I tried to import the VM from Server 2008 R2 into Server 2012 R2, it was not recognized.

Always make a backup copy! Don’t modify the original!

This is because 2008 and 2008 R2 are legacy servers, and using their export feature produces an EXP file instead of an XML file. On Server 2012 R2, an exported VM has an XML file.

The best way to import a VM from a legacy server is to copy the entire VM folder to Server 2012 R2. By the entire VM folder, I mean its VHD and so on.

The VM I am importing does not have any checkpoints or snapshots, so I am unsure whether you are required to delete the copied snapshots before you import.

So what I did was:

  1. On Server 2008 R2, shut down the VM
  2. Locate the entire data folder of the VM in File Explorer
  3. Right click the folder > Properties > Share > Advanced Sharing > add the specific user account (Server 2012 R2) and the computer (Server 2012 R2) > Full Control
    • It is up to you how your destination server retrieves the source VM; it could be via a network share, a USB drive, or an external hard disk
  4. On Server 2012 R2, open File Explorer
  5. In the address bar, type “\\<2008 R2 server name/IP address>\<vm folder name>\”
  6. Copy the entire folder and paste it into Server 2012 R2 (whichever location/drive/directory you prefer)
  7. Remember to remove the share permission on the folder in Server 2008 R2 after you have finished copying it to Server 2012 R2
  8. Create a new folder in Server 2012 R2 and give it the same name as the original VM folder in Server 2008 R2; this folder will be the new location of your VM
  9. Open Hyper-V Manager in Server 2012 R2 > select Import Virtual Machine in the right-hand pane
  10. Browse to the VM folder that you just copied
  11. Select the import type “Copy the virtual machine”; this creates a new unique ID for the virtual machine and lets you choose the new location to store this VM in Server 2012 R2
  12. Make sure the new location is set to the new folder you just created in Server 2012 R2
  13. Click Next > Finish and wait for the import to complete
  14. Make sure the VM in Server 2008 R2 is shut down
  15. Start the VM in Server 2012 R2 (change the VM's IP address if required)
  16. If everything is fine after monitoring for 48 hours, only then remove the VM from Server 2008 R2

After the import, Hyper-V does not start the VM automatically. You have to start the VM manually once the import has completed.
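As an added example (not from the original post), this is the PowerShell equivalent of steps 10 to 15 of the procedure above for an admin who prefers a script over the Import wizard. It assumes the Hyper-V module on the Server 2012 R2 host; the two folder paths are placeholders.

```powershell
Import-Module Hyper-V
$copiedFolder = 'D:\Migration\MyVM'   # placeholder: the VM folder copied from the 2008 R2 host
$newVmFolder  = 'D:\Hyper-V\MyVM'     # placeholder: the new folder created in step 8

# The copied folder keeps the VM configuration under "Virtual Machines". A legacy export would
# have left an .exp file there instead, which Import-VM cannot read, so fail early if no .xml exists.
$config = Get-ChildItem -Path (Join-Path $copiedFolder 'Virtual Machines') -Filter '*.xml' |
    Select-Object -First 1
if (-not $config) {
    throw "No .xml configuration found under $copiedFolder; copy the whole VM folder, do not use a legacy export"
}

# -Copy plus -GenerateNewId is the "Copy the virtual machine" import type: the VM gets a new
# unique ID and its configuration and VHDs are copied into the new location.
$importParams = @{
    Path               = $config.FullName
    Copy               = $true
    GenerateNewId      = $true
    VirtualMachinePath = $newVmFolder
    VhdDestinationPath = Join-Path $newVmFolder 'Virtual Hard Disks'
}
$vm = Import-VM @importParams

# Hyper-V does not start an imported VM on its own, so start it and report the result.
Start-VM -VM $vm
Get-VM -Id $vm.Id | Select-Object Name, State, Id, Path
```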

Windows Server 2019: How to activate the OS license after promoting the server to a Domain Controller?

Happy Chinese New Year to my Chinese friends and Happy holiday to the non-Chinese friends!

There are cases where you have to apply the license later because you are still waiting for the license key, so you proceed with deploying and running your tasks. However, after you have promoted the server to a domain controller, the Windows Server activation GUI no longer prompts you to enter the product key, and no error is shown.

The solution is to activate the license key through Command Prompt or Windows PowerShell, run as administrator.

If you have forgotten the command, it is “slmgr”; to see the list of the command's options, just type “slmgr /help” and it will show the list.

Below is the command to activate your license key:

slmgr /ipk <your product key>

If you wish to view the expiration of your license, you can use this command:

slmgr /xpr
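The following PowerShell script is an added example, not from the original post; it installs the key, activates, and then verifies the result from the licensing WMI class rather than trusting the GUI. It assumes an elevated session on the server, and the product key value is a placeholder.

```powershell
$productKey = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder product key
$slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

# slmgr is a script, so run it through cscript to get console output instead of popup dialogs.
cscript //nologo $slmgr /ipk $productKey   # install the product key
cscript //nologo $slmgr /ato               # activate online against Microsoft
cscript //nologo $slmgr /xpr               # show the activation/expiration state

function Get-WindowsLicenseStatus {
    # SoftwareLicensingProduct gives a machine-readable status; the Windows product that has a
    # PartialProductKey is the one the key was installed for. LicenseStatus 1 means Licensed.
    $statusNames = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace';
                      4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }
    Get-CimInstance -ClassName SoftwareLicensingProduct -Filter 'PartialProductKey IS NOT NULL' |
        Where-Object { $_.Name -like 'Windows*' } |
        Select-Object Name, PartialProductKey,
            @{ n = 'Status'; e = { $statusNames[[int]$_.LicenseStatus] } }
}

Get-WindowsLicenseStatus
```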

Troubleshoot Group Policy Object showing Extra Registry Settings

When your environment migrates from a legacy or older version of Windows Server to a newer version, for example from Windows Server 2008 to Windows Server 2016, you will run into this. That is why I am writing this post.

I noticed that when I launched Group Policy Management and went to one of the Group Policy Objects > Settings tab > Show all, I saw a section called “Extra Registry Settings”. I opened Edit and tried to locate that part, but failed to do so. So I searched in the browser to check whether anyone else had experienced it and what the solutions were.

There is a message displayed inside “Extra Registry Settings”, but it is not helpful in finding any information in the browser. The message is: “Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.”

[Figure gpo01.PNG: example of the Extra Registry Settings section]

Thankfully, PowerShell can remove these registry values using the Remove-GPRegistryValue cmdlet. You may refer to the references below too.

First, run the Get command to make sure the registry value is valid:

#Retrieve the registry values the GPO sets under this key. Note that the Key path must not end with "\"
Get-GPRegistryValue -Name "<GPO Name>" -Key "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"

#If the result is valid, move on to the Remove command with the same Key path and the value name shown by the Get command
Remove-GPRegistryValue -Name "<GPO Name>" -Key "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" -ValueName "<Registry Value Name>"

#A result is shown after the Remove command executes; it contains the GPO name, owner, creation time and modification time
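As an added example (not from the original post), this script wraps the two commands above with a GPO backup and a -WhatIf dry run, so the removal can be reviewed before it touches the GPO. It assumes the GroupPolicy module (RSAT) and rights to edit the GPO; the GPO name and backup path are placeholders.

```powershell
Import-Module GroupPolicy
$gpoName    = 'Default Domain Policy'                                                      # placeholder
$key        = 'HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'  # no trailing "\"
$backupPath = 'C:\GPOBackups'                                                              # placeholder

function Remove-StaleGpoRegistryValues {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Name, [string]$Key, [string]$BackupPath)

    # Keep a restorable copy before editing the GPO (Restore-GPO -BackupId brings it back).
    # Skipped on a -WhatIf run, where nothing is changed anyway.
    if (-not $WhatIfPreference) {
        [System.IO.Directory]::CreateDirectory($BackupPath) | Out-Null
        $backup = Backup-GPO -Name $Name -Path $BackupPath
        "Backed up '$Name' to $BackupPath (backup id $($backup.Id))"
    }

    # One entry per value under the key; entries without a ValueName represent subkeys and are skipped.
    $entries = Get-GPRegistryValue -Name $Name -Key $Key -ErrorAction Stop |
        Where-Object { $_.ValueName }
    foreach ($e in $entries) {
        $target = "$Key\$($e.ValueName) = $($e.Value) [$($e.Type)]"
        if ($PSCmdlet.ShouldProcess($target, "Remove from GPO '$Name'")) {
            Remove-GPRegistryValue -Name $Name -Key $Key -ValueName $e.ValueName | Out-Null
        }
    }
}

# Dry run: lists exactly what would be removed without changing the GPO.
Remove-StaleGpoRegistryValues -Name $gpoName -Key $key -BackupPath $backupPath -WhatIf
# Real run once the list looks right:
# Remove-StaleGpoRegistryValues -Name $gpoName -Key $key -BackupPath $backupPath
```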

References:

  1. https://sdmsoftware.com/group-policy-blog/tips-tricks/removing-extra-registry-settings-from-gpos/
  2. https://deploywindows.com/2017/10/12/extra-registry-settings-need-access-to-old-group-policy-settings/