Monday, 24 February 2014

Unblock IPAM access to a DC

To roll out the Windows Server 2012 IPAM feature should be "a walk in the park" and it normally is but a while ago I was really struggling helping a customer out with this. I had made the configuration using GPO's and verified my settings several times but I kept getting the error "Unblock IPAM Access":

The solution was actually ridiculously simple. Editing the problem server in the IPAM Server Inventory panel to untick DNS - OK - then reticked DNS fixed it.

Thursday, 13 February 2014

AD DS operation failed - Dcpromo error - FSMO role broken

I was about to remove a domain controller of a customer so many times before when the error below appeared.

Active Directory Domain Services Installation Wizard
The operation failed because:

Active Directory Domain Services could not transfer the remaining data in directory partition DC=ForestDnsZones,DC=company,DC=com to
Active Directory Domain Controller \\

"The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."

Very strange considering that running "netdom query fsmo" gives the result that one of the other domain controllers owns all FSMO roles. The Event Viewer is in this case your best friend.

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          2014-02-01 14:44:13
Event ID:      2091
Task Category: Replication
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      DC.COMPANY.COM
Ownership of the following FSMO role is set to a server which is deleted or does not exist. 

The DC mentioned in the Event Viewer warning was an old Windows Server DC removed more than 5 years ago!

Let's move on, make sure to open ADSIEdit on the affected FSMO Role owner and make the necessary changes there.

How to obtain the correct setting:
  1. On the affected role owner open ADSIEdit.
  2. Click on Default Naming Context [DC.Company.Com].
  3. Click on DC=Company,DC=Com.
  4. Double click on CN=Infrastructure at the bottom of the list of folders.
  5. Locate the fSMORoleOwner attribute and click on it.
  6. Click the Edit button.
  7. CTRL+C to copy the contents of the attribute.
  8. Click CANCEL twice.

  1. Correct the problematic settings:
    1. Right click the ADSI Edit root and click on Connect to…
    2. Use the following connection point:
      1. DC=DomainDNSZones,DC=Company,DC=Com
    3. Click on Default Naming Context [DC.Company.Com] to populate it.
    4. Click on DC=DomainDNSZones,DC=Company,DC=Com folder.
    5. Double click on CN=Infrastructure.
    6. Locate the fSMORoleOwner attribute and click on it.
    7. Click the Edit button.
    8. CTRL+V to paste the correct setting.
    9. Click OK and then Apply.
    10. Repeat steps 2.1-2.9 to correct DC=ForestDNSZones,DC=Comapny,DC=Com.

Once the above steps were completed on the FSMO Role owner for Infrastructure I was able to properly demote the DC.