Tools used when building a Windows cluster with iSCSI

Tools used when building a Windows cluster with iSCSI:

  • Control Panel -> Network and Internet -> View network status and tasks including Change adapter settings
  • Control Panel -> System -> Device Manager including View -> show hidden devices
  • Disk Management
  • Server Manager -> Manage -> Add roles and features
  • Server Manager -> Tools -> Failover Cluster Manager
  • Server Manager -> Tools -> iSCSI Initiator
  • Server Manager -> Tools -> Routing and Remote Access
  • Server Manager -> File and Storage Services on left panel -> iSCSI
  • Server Manager -> Tools -> Group Policy Management
  • Server Manager -> Tools -> Active Directory Users and Computers
  • diskpart
  • sysprep

Tips and undo hints for when things go wrong:

  • Sysprep everything (see below); technically I read that only the DC needs sysprep, but I played it safe.
  • diskpart – to remove GPT protected or recovery partitions: list disk, select disk N, list partition, select partition N, delete partition override
  • Server Manager -> Tools -> Active Directory Users and Computers -> expand domain -> expand Computers -> delete the computer object to allow a retry – not only done on my play setup!
  • Backup all VMs BEFORE installing Failover Clustering features

Sysprep myth

After a lot of reading I found Mark Russinovich’s answer.

https://blogs.technet.microsoft.com/markrussinovich/2009/11/03/the-machine-sid-duplication-myth-and-why-sysprep-matters/

So sysprep is only needed when one machine will reference another machine’s SID:

  • The first domain controller in a domain has a machine SID, and this becomes the “Domain SID”.
  • All DCs have their machine SID matching the “Domain SID”.
  • All machines which are not a Domain Controller MUST NOT have a machine SID matching the “Domain SID”.

I sysprep’ed everything in my cluster builds so I have not tested this!
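An added check for the third rule above (example code, not from the original post or Mark Russinovich’s article): it reads the domain SID and compares it with the machine SID of each listed cluster node, derived from the built-in Administrator account (RID 500). It assumes the ActiveDirectory RSAT module, WinRM access to the nodes, and that the node names are placeholders.

```powershell
# Added example: verify that no member server's machine SID equals the domain SID.
# Requires the ActiveDirectory module and PowerShell remoting to the nodes (assumptions).
Import-Module ActiveDirectory

function Test-MemberServerSid {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    $domainSid = (Get-ADDomain).DomainSID.Value

    # The machine SID is the "domain" part of every local account SID. The built-in
    # Administrator account (RID 500) always exists on a member server, so it anchors the lookup.
    # This is only meaningful on non-DCs: a DC has no local SAM accounts to query.
    $nodes = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $admin = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE" |
                 Where-Object { $_.SID -like '*-500' } | Select-Object -First 1
        $sid = New-Object System.Security.Principal.SecurityIdentifier($admin.SID)
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            MachineSid   = $sid.AccountDomainSid.Value
        }
    }

    foreach ($node in $nodes) {
        [pscustomobject]@{
            ComputerName     = $node.ComputerName
            MachineSid       = $node.MachineSid
            DomainSid        = $domainSid
            # Must be $false on every member server; $true means the image was cloned from the first DC.
            MatchesDomainSid = ($node.MachineSid -eq $domainSid)
        }
    }
}

# Placeholder node names; replace with the cluster's member servers.
Test-MemberServerSid -ComputerName 'NODE1', 'NODE2' | Format-Table -AutoSize
```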

Windows – Recovering deleted Windows AD objects from longer than the tombstone lifetime.

https://technet.microsoft.com/en-gb/library/cc961934.aspx

“You cannot restore into a replicated enterprise a backup image that is older than the tombstone lifetime setting for the enterprise.”

http://blog.pluralsight.com/backup-and-restore-active-directory-on-windows-server-2008

But if you want to restore a specific Active Directory object then you can use the ever familiar ntdsutil.

For this example we are going to restore a user account with a distinguished name of CN=Test User,CN=Users,DC=home,DC=local. So the commands would be:

ntdsutil
activate instance ntds
authoritative restore
restore object "cn=Test User,cn=Users,dc=home,dc=local"

This implies that an authoritative restore is needed to pull back a single object.

http://windowsitpro.com/active-directory/recovering-active-directory-disasters

“In AD forests operating at the Server 2008 R2 forest functional level (FFL), you can enable a new feature known as the Active Directory Recycle Bin.”

“An object in the deleted object phase can be recovered to the exact state it was in at the time of deletion using the same process that’s used to reanimate a tombstone. By default, an object stays in the deleted object phase for the same amount of time as the forest’s tombstone lifetime,”

“After the deleted object lifetime expires, the garbage collector moves the object into the recycled object phase. A recycled object is the functional equivalent of a tombstone, with one important difference: You can’t reanimate a recycled object or restore it from a backup.”

Note the last part “You can’t reanimate a recycled object or restore it from a backup.”!!
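An added audit script tying the quotes above together (example code, not from the original post or the TechNet and Windows IT Pro pages it quotes): it reads the forest’s tombstone lifetime and deleted-object lifetime, checks whether the Recycle Bin is enabled, reports whether a system-state backup of a given age can still be restored into the forest, and lists deleted objects with the days left before they become recycled and unrecoverable. It assumes the ActiveDirectory RSAT module and that the operator supplies the date of the newest backup.

```powershell
# Added example (not from the original post or the pages it quotes). Audits how long
# deleted AD objects stay recoverable and whether a system-state backup is still usable.
Import-Module ActiveDirectory

function Get-ADRecoveryWindow {
    param(
        # Date of the newest system-state backup, supplied by the operator (assumption).
        [Parameter(Mandatory)][datetime]$LastBackupDate
    )
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # An unset tombstoneLifetime means the forest still uses the legacy default of 60 days.
    $tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    # The deleted-object lifetime falls back to the tombstone lifetime when unset.
    $dol = if ($ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tsl }

    $recycleBinEnabled = (Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"').EnabledScopes.Count -gt 0
    # Without the Recycle Bin a deleted object becomes a tombstone straight away, so the
    # tombstone lifetime is the window; with it, the deleted-object lifetime applies.
    $window = if ($recycleBinEnabled) { $dol } else { $tsl }

    $backupAgeDays = ((Get-Date) - $LastBackupDate).TotalDays

    # Deleted but not yet recycled objects; recycled ones can no longer be reanimated.
    # whenChanged is updated when isDeleted is set, so it approximates the deletion time.
    $deleted = Get-ADObject -IncludeDeletedObjects -Properties whenChanged, lastKnownParent `
        -Filter 'isDeleted -eq $true -and -not (isRecycled -eq $true) -and -not (objectClass -eq "container")' |
        ForEach-Object {
            [pscustomobject]@{
                Name              = $_.Name
                LastKnownParent   = $_.lastKnownParent
                DaysUntilRecycled = [math]::Floor($window - ((Get-Date) - $_.whenChanged).TotalDays)
            }
        }

    [pscustomobject]@{
        TombstoneLifetimeDays     = $tsl
        DeletedObjectLifetimeDays = $dol
        RecycleBinEnabled         = $recycleBinEnabled
        BackupAgeDays             = [math]::Floor($backupAgeDays)
        BackupStillRestorable     = ($backupAgeDays -lt $tsl)   # older than the TSL cannot be restored
        DeletedObjects            = $deleted
    }
}

# Check a backup taken 45 days ago and list what can still be brought back.
Get-ADRecoveryWindow -LastBackupDate (Get-Date).AddDays(-45) | Format-List
```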

Windows Server Manuals https://technet.microsoft.com/en-us/library/cc816627%28v=ws.10%29.aspx

Windows Server 2008 Performing Nonauthoritative Restore of Active Directory Domain Services

https://technet.microsoft.com/en-us/library/cc816627%28v=ws.10%29.aspx

“If your objective is to recover objects that were deleted since the last backup, first perform a nonauthoritative restore from backup to reinstate the deleted objects and then perform an authoritative restore to mark the deleted objects as authoritative so that they are not overwritten during replication. When you are performing both a nonauthoritative restore and an authoritative restore, do not allow the domain controller to restart after the nonauthoritative restore.”

Performing Authoritative Restore of Active Directory Objects

https://technet.microsoft.com/en-us/library/cc816878%28v=ws.10%29.aspx

Also

https://social.technet.microsoft.com/Forums/en-US/cf56124b-efdd-42f2-ad7e-eb41f584c0b1/active-directory-authoritative-restore-tombstone-lifetime?forum=winserverDS

http://support2.microsoft.com/kb/216993/en-gb

“Windows Server 2003 and Windows 2000 do not allow the restoring of old backup images into a replicated enterprise. Specifically, the useful life of a backup is the same as the “tombstone lifetime” setting for the enterprise.”

http://support.microsoft.com/kb/840001

Windows Server 2003 SP1

ntdsutil "authoritative restore" "restore object <object DN path>" q q

http://support.microsoft.com/kb/555636/en-us

LDIFDE – Export / Import data from Active Directory – LDIFDE commands

http://www.techrepublic.com/blog/data-center/simplify-admin-tasks-by-exporting-active-directory-data-with-csvde/

“CSVDE – Comma Separated Value Data Exchange”

“CSVDE has two core functions: importing data from a CSV formatted file into Active Directory and exporting data from Active Directory into a CSV formatted file.”

“The first way of excluding unwanted results is to filter down to a specific part of the directory using the -d flag.  Using this we can focus the export on a particular OU within the directory structure:

csvde -d "OU=MyOU,DC=domain,dc=local" -f test.csv”

“To further reduce the number of unwanted records exported, we can use the -r flag.  The -r flag is used to filter out rows of data based on the specific properties of that record. In this example I want to find users and computers only:

csvde -f test.csv -r objectClass=user

Or to use multiple filters:

csvde -f test.csv -r "(&(objectClass=user)(objectCategory=person))"