I am attempting to use dcpromo on a Windows 2008 R2 server. The command produces a warning and an error in the event log. Below are the print outs of those entries:
-Warning-
Ownership of the following FSMO role is set to a server which is deleted or does not exist.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Infrastructure,DC=DomainDnsZones,DC=XXX,DC=XXXX
FSMO Server DN: CN=NTDS Settings\0ADEL:xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,CN=XXX-PDC01\0ADEL:xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=XXXX
User Action:
Determine which server should hold the role in question.
Configuration view may be out of date. If the server in question has been promoted recently, verify that the Configuration partition has replicated from the new server recently. If the server in question has been demoted recently and the role transferred, verify that this server has replicated the partition (containing the latest role ownership) lately.
Determine whether the role is set properly on the FSMO role holder server. If the role is not set, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
Verify that replication of the FSMO partition between the FSMO role holder server and this server is occurring successfully.
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
-Error-
The operations master roles held by this directory server could not transfer to the following remote directory server.
Remote directory server:
\XXX-AWSDC2.CSI.local
This is preventing removal of this directory server.
User Action
Investigate why the remote directory server might be unable to accept the operations master roles, or manually transfer all the roles that are held by this directory server to the remote directory server. Then, try to remove this directory server again.
Additional Data
Error value:
5005 The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.
Extended error value:
0
Internal ID:
52498782
The following roles have been successfully transferred to the XXX-awsdc2 server
Schema master
Domain naming master
PDC
RID pool manager
Infrastructure master
How do I remove the CN=CSI-PDC01 object using ADSI? It looks like the XXX-PDC01 held the FSMO Server role at one point and then was removed from the domain with out being demoted properly. I've been unable to find any reference to the XXX-PDC01 server anywhere in the DNS, AD or ADSI.
I've also attempted to delete all the AD metadata. As a last resort, I could always use the dcpromo /forceremoval command but I'd prefer to work through the error and demote this domain controller using the dcpromo command without the forceremoval flag.
Thanks!
Related
I'm pursuing DSC as a lightweight solution for managing local user accounts on distributed Windows instances in favour of connecting said instances to Active Directory.
Adding and removing specified local users works as expected, but I also want to check that ONLY the specified accounts exist (or are enabled) on each configured node.
e.g. - If I were to create a new local admin account with 'xUser CreateUserAccount / Ensure = Present', if I were to remove the code from my DSC script, that user would still exist on the target node. Similarly, if someone were to create a local user account by some other means, there would be no warning of the unexpected configuration drift through the DSC server.
To remove any unexpected accounts, I would first need be made aware of these accounts by some other means, and then specify 'xUser RemoveUserAccount'.
I have not found a way around this with the first 100 Google results on the topic. Has anyone solved this apparent conundrum with DSC? Should I rather look to something else e.g. Terraform?
I have 2 sites. Each site has one SCVMM configured to do Azure Site Recovery
ASR is configured to replicate the VM form one site to another.
Here is the issue, my VM size is big and i want to do the initial replication offline instead of over the Network and it just not allowing me saying permission issues.
Can anyone help me to find, what could be going wrong here?
ERROR MESSAGE
Permissions couldn't be set for one or more hosts on the initial replication folder path.
Provider error code: 31218
Provider error message:
The VMM service couldn't provide permissions for cs\nimbl[enter image description here][1]ecs1$ on \\nimblecs1\f$. Error: Object reference not set to an instance of an object.. During cloud configuration, the VMM service provides permissions for Hyper-V service accounts on the import and export paths used for initial replication.
Provider error possible causes:
The VMM service doesn't have the required privileges to modify the permissions on the import and export paths.
Provider error recommended action:
Ensure that the VMM service account has the required privileges to perform this operation.
POSSIBLE CAUSES
Verify that the initial replication path exists and is accessible.
I have created a Service Principal, and set up the necessary linked services to utilise the credentials and secret key etc in ADF, here is a run down of how this is done:
https://learn.microsoft.com/en-us/azure/data-lake-store/data-lake-store-authenticate-using-active-directory
When i execute my pipeline, and the files are written to the ADL, i can see the top level folder (i am logged in the creator of the ADL service, and am also a contributor on the Resource Group), but i am absolutely unable to drill down any further.
The error i receive basically boils down an ACL error.
Interestingly, i also not at the Execution Location is listed as: East US 2 when using the service principal.
When i manually authenticate the ADL connection in Data Factory (with my own credentials), every works absolutely fine, and the 'execution location' is now listed, correctly, as North Europe.
Has anyone ever seen this?
Helpful Reading: https://learn.microsoft.com/en-us/azure/data-lake-store/data-lake-store-access-control
The problem that you are running into is like an ACL issue as you mentioned. By just having contributor access, you only have access and permission on the Management Plane and not the Data Plane of the account.
Here is the mental model for thinking about ACLs
If you need to be able to read a file, you need r-x access on that file, and --x permissions on the parent folder all the way up to root.
If you create a new folder, and you create an Default ACL entry for yourself, it will apply to all new files and folders created below it.
To address your issue, please ask a Super User (someone from the Owners group) to give you this access.
Alternatively if you are an owner, you will have RWX access to any files/folder indepedent of any ACLs.
This should solve your problem.
I have three Windows Server 2012 R2 without any AD in a DMZ network. Two servers are front end web servers with ASP.NET and one have SQL Server and a network share that both front end servers use for shared data.
My problem is how do I configure the Application Pool identity and the Network Share so the ASP.NET application can read and write to the network share?
This is simple with an AD available when you can use domain accounts for the application pool identity but there is no AD available in this setup.
I will answer my own question since I succeeded to setup the server. This is what I did:
1) Create an account with the same username and password on all three servers. Make sure that does not expire or must be changed.
2) Create a Network Share and give the new account read/write rights. I also tested that I could connect from the front end servers using the new account to verify that no firewalls are in the way.
3) Included the user in the IIS_IUSRS group that indirectly gives it Logon as Batch Job rights.
4) Run the following command to grant rights to the user
aspnet_regiis -ga <your_app_pool_user>
See more: How To: Create a Service Account for an ASP.NET 2.0 Application (MSDN)
5) Restarted WAS and IIS to make sure the changes to the accounts group membership takes hold if tried to use the account.
C:> net stop was /y
C:> net start w3svc
6) Create an Application Pool and set the Identity.
This is the part where I got stuck with error messages when trying to set the identity.
From IIS Manager I got the following error dialog: "There was an error while performing this operation. Details: Value does not fall within the expected range."
Trying to set the App Pool identity from the command line I receive a similar error:
C:> appcmd set config /section:applicationPools
/[name='test-pool'].processModel.identityType:SpecificUser
/[name='test-pool'].processModel.userName:MyAccountName
/[name='test-pool'].processModel.password:P#ssw0rd
ERROR ( hresult:80070057, message:Failed to commit configuration changes.
The parameter is incorrect.
)
When I remove the last parameter, password, the command will succeed changing identity type and setting the username but I did never figure out why I could not set the password so I retorted to editing my applicationHost.config file directly. Unfortunately with the the password ending up in clear text.
<configuration>
...
<system.applicationHost>
<applicationPools>
...
<add name="test-pool" managedRuntimeVersion="v4.0">
<processModel identityType="SpecificUser"
userName="MyAccountName" password="P#ssw0rd" />
</add>
...
</applicationPools>
...
</system.applicationHost>
...
</configuration>
7) Finally I set my Web Application to use the application and it could access the Network Share without any issues.
I had the same problem but couldn't let the password in clear text so I dig a little further and found this article :
http://social.technet.microsoft.com/wiki/contents/articles/30344.custom-iis-app-pool-identity-value-does-not-fall-within-the-expected-range.aspx
The key step to diagnose is to look at the right events :
To figure out how to resolve this, I went into the event viewer. There was nothing in the Application log, so I headed down to Applications and Services Logs => Microsoft => Windows => IIS-Configuration. The logs in here are disabled by default, so they have to be enabled. (To do so, right click the log, and choose Enable log.) Once enabled, re-run the attempt to set the identity, and refresh the view (Actions pane or F5), and voila!, now we have some more information on the error. In the results were two Errors (event ID 42 and 43).
I had the same event errors as in the article :
ID 42: Failed to initialize the 'IISWASOnlyAesProvider' encryption
provider in
'\?\C:\windows\system32\inetsrv\config\applicationHost.config'.
Please check your configuration.
ID 43: Failed to encrypt attribute
'Microsoft.ApplicationHost.AesProtectedConfigurationProvider'.
Then I did the following :
restore an old version of the ConfigEncKey.key file (to c:\windows\System32\inetsrv\config )
replace the <configProtectedData><providers> section by an old one (in c:\windows\System32\inetsrv\config\applicationHost.config )
Then I can again set a custom identity to the application pool.
Had similar problem. Reinstalled the IIS Manager and got a new applicationHost.config
When I did the WinDiff on the new and old files I noticed that the SessionKey were different. Works now.
AesProvider and IISWASOnlyAesProvider
I'm having trouble creating an availability group listener for my newly created SQL 2012 Enterprise AG.
My AG resides on two virtual machines on top of Server 2012 Datacentre with the Hyper-V role. The VM's are part of my domain, and in a WSFC. Each VM has 4 subnets :
(a) 172.33.0.x for management
(b) 172.33.1.x for iSCSI communication
(c) 172.33.2.x for iSCSI communication
(d) 172.33.5.x for inter-VM communication
Only (a) and (d) are set in my cluster to allow cluster communication, and allow client connections.
Whenever I try to create a listener with this query
USE [master]
GO
ALTER AVAILABILITY GROUP [Sharepoint-System-DB-AvailabilityGroup]
ADD LISTENER N'SQL-SHP-AG01-L1' (
WITH IP
((N'172.33.5.203', N'255.255.255.0'),(N'172.33.0.203', N'255.255.255.0'))
, PORT=1433);
GO
I get this error :
Msg 19471, Level 16, State 0, Line 1
The WSFC cluster could not bring the Network Name resource with DNS name 'SQL-SHP-AG01-L1' online. The DNS name may have been taken or have a conflict with existing name services, or the WSFC cluster service may not be running or may be inaccessible. Use a different DNS name to resolve name conflicts, or check the WSFC cluster log for more information.
Msg 19476, Level 16, State 4, Line 1
The attempt to create the network name and IP address for the listener failed. The WSFC service may not be running or may be inaccessible in its current state, or the values provided for the network name and IP address may be incorrect. Check the state of the WSFC cluster and validate the network name and IP address with the network administrator.
I've tried :
Some online posts suggest I try and pre-stage the creation of the computer object in AD, which I did, same error
Set security settings on the Computer OU to allow the computers running the AG to create computer objects, same error
I have another cluster setup (for another AG), that also generates the same error
Something that might be related is, I regularly get one of the following errors on the owner node of the cluster :
Cluster network name resource 'Cluster Name' failed registration of one or more associated DNS name(s) for the following reason:
DNS server failure.
For this, I've tried :
Creating the A record manually, setting the "Allow all authenticated users to change this record"
Allowing "Everyone" full access to the DNS A record
Allowing non-secure updates to my domain's DNS records
Also to no avail, which makes me think there's something deeper wrong. Any suggestions?
We had the same problem. Resolution was to grant the computer object associated with the cluster group 'create computer' rights in Active Directory as per this link - http://technet.microsoft.com/en-us/library/cc731002%28WS.10%29.aspx#BKMK_steps_precreating
It's the cluster group computer object thats needs these permissions.
Open Active Directory Users and Computers, grant permission to the Cluster Name Object (CNO) in which the Availability Group will be created. Two permissions that need to be granted are:
"Read all properties" and "Create computer objects" to the CNO via the container. More details can be found in the following blog
http://blogs.msdn.com/b/psssql/archive/2013/09/30/error-during-installation-of-an-sql-server-failover-cluster-instance.aspx
An additional issue we had was having - versus _ in the name of the AOAG and listener. Once we recreated the AOAG using the underscore we were able to create the listener using an underscore also.
In our case, all the AD permissions were already in place - and yet it was failing to create the Listener with the same error message. In the end, we found that stopping and starting the Cluster Service on both of the Nodes (using cluadmin.msc) somehow rectified the problem and the Listener got created successfully.