Tag Archives: Domain Controller

Why I can’t connect PC to the Domain?

imagen21

This is one of the very common question I get from starters, students, admins who follow my blog. They says, the follow my step-by-step guides to install domain controller on the production or demo setup and at the end they can’t connect the computers to the domain. I’m sure if you are already working on domain infrastructure, you also face same experience in your job some times.

So I thought to share some tips to troubleshoot and get your pc connected to the domain.

Read the Error!!!

This is the very best friend of your initial troubleshooting. Read the error carefully. It will give you some clues where to start. It can be simple typo mistake, so first step, read the error twice or more until you get clear understanding, what it says.

Connectivity

To make successful communication between domain controller and pc it should have reliable connectivity. There are lot of ways where it can be interrupted.

1)    Local host
To start, first try the ping to local host ip from the pc ( ping 127.0.0.1) if it success it means local pc running with correct protocols and required components. If its not, its first place to start.

2)    Ipconfig /all
Try this on both server and pc and make sure client pc got valid ip assign. Make sure its in same range of ip addresses as server so they can talk to each other.

3)    DNS
This is very common issue for the joining pc to a domain. Make sure PC is using the domain DNS servers as its primary DNS resolver. Some time you may have uses a valid domain which ends up with .com, .org, net etc. in such case you need to make sure you have correct DNS entries to identify the local server instead of trying to resolve in to public DNS entry.
If all above are checked, then use “ping” from server as well as PC to make sure both can ping to each other ( if firewall is active in pc or server, allow the ICMP traffic temporally before troubleshooting)
If the pings fails then you need to look in to the network level, it can be the cable, vlan configurations, switch port configuration etc.

Time

This is also very common issue I have seen, make sure your domain controller and computer system time and dates are matched. Even you use common time servers some time there can be mismatch due to sync.

Virtualization

If you using virtualization software to build your home lap or even you production environment there are few things you should check. In these virtualization platforms you can setup the virtual networks as per your requirement. So some time even DC and PC is on same network range, those may not be in same virtual network. Make sure the interfaces are correctly assign for the relevant virtual network.

Beware!! Most of the time if we building a test lab with few virtual machines we use to clone them. Even in production environments engineers doing this. Not a long ago I had to look in to problem with joining virtual machines to domain. It was using one of famous virtualization software. So the engineer who setup the system, used to link-clone ( all vm are runs same initial image ) them. But when go to add those computers to domain only 1 of the vm can add to the domain and only one vm can login to DC. In setup there was 10 vm running. So what you think the problem is ? With the link clone it was copying all the network information as well. So if look in to each pc, every one of them were using same ip address, and same mac address. Interesting thing was even all of them are switched on none of them were giving ip duplication error. So if you used “clone” option to build the VM make sure it got unique ip address and mac address.
I believe above tipe will help you to troubleshoot issues with dc connection.

If you have any question feel free to contact me on rebeladm@live.com

Image source: https://pcpt.wordpress.com/2008/11/11/welcome/

How to enable universal group membership caching (UGMC)?

In one of my previous posts I explain the how to setup a branch network properly. In there I mentioned how we can utilize the bandwidth between corporate office and the branch office. One of the method we can use for that is universal group membership caching. If the branch office AD servers are not acting as global catalog servers, UGMC allows to store data about membership of the universal groups in cache. This cache is set to update in every eight hours by default. As result of UGMC, branch office domain controllers can process the log on or resources requests without going to a GC server via WAN link.

UGMC have to enable per site basis. In order to get this function work, each user must have logged on when GC server available and UGMC feature is enabled.

Let’s see how we can enable this feature.

1)    Log in to the domain controller as member of domain admin group or enterprise admin group.
2)    Then go to server manager > tools > active directory sites and services

UGMC1

3)    Then in mmc, select the Site you need UGMC enabled

UGMC2

4)    In right hand panel right click on “NTDS site settings” and click properties

UGMC3

5)    In properties window click to enable “Enable Universal Group Membership Caching

UGMC4

6)    Under the refresh cache from drop down you can select which site it should use to get the cache.

UGMC5

7)    Once this is done click ok to apply the change

Now it enables UGMC in the given site. If you have any questions about the steps feel free to contact me on rebeladm@live.com

Step-by-Step Guide to clone a Domain Controller

From Windows server 2012 Microsoft introduce feature to allow clone on domain controller. It helps to quickly restore a domain controller in event of failure and also it helps to deploy test environments easily when needed.

In previous, if you clone a domain controller, it will not allow to deploy on same domain or the forest without running sysprep to remove security information before cloning. Then afterwards you need to promote the domain manually. But now when clone domain controller it will do the sysprep and promote process automatically.

For the demo purpose I am using a windows 2012 R2 domain controller which is deployed in Hyper-V environment.
 

1)    Log in to the Source Domain controller as Domain admin or Enterprise administrator
2)    Go to Server Manager > Tools > Active Directory Users and Computers

clone1

3)    Then go to “Domain Controllers” OU. Select the DC needs to clone and right click to select properties.

clone2

4)    Go to member of tab and click on Add.

clone3

5)    Then add security group Cloneable Domain Controllers and click ok.

clone4

6)    Close the mmc and load the windows PowerShell with admin rights. Then type and enter Get-ADDCCloningExcludedApplicationList . This will check the system if there is program which will not compatible with the clone process.

clone5

7)    If it’s comes up with list make sure those services are removed before clone.
8)    After cleanup process type
New-ADDCCloneConfi gFile –Static -IPv4Address “10.10.10.7” -IPv4DNSResolver “10.10.10.2” -IPv4SubnetMask “255.255.255.0” –CloneComputerName “DC2” -IPv4DefaultGateway “10.10.10.1” -SiteName “Default-First-Site-Name”

In here I specify the ip address information it (the clone server) will hold. Also the computer name and site name.

clone6

9)    Once its pass and completed the process, exit from the console and the server.
10)    For next steps we need to turn off the source domain controller. So before proceed make sure organization is aware about the downtime and the impact.
11)    Load the Hyper-V manager and right click on the DC which needs cloning. Then select Turn-off.

clone7

12)    Once its turn off, right click on DC and select export. Then select the path to save the export file.

clone8

clone9

13)    Once export process is completed, right click on the source dc and click on start.
14)    Then in Hyper-V go to Action > Import Virtual Machine

clone10

15)    It will open up the import wizard and click next to continue.

clone11

16)    In next window specify the folder path to the exported DC. Then click next.

clone12

17)    Next window to select the DC and click next

clone13

18)    In next window from the list select “Copy the virtual machine (create a new unique ID )” option can click next.

clone14

19)    In next window it ask for the VM path. You can leave default or the different path based on your requirement. Once done click on next.

clone15

20)    Next it’s ask for storage folder. Again it can change as per requirement. Once done click next.

clone16

21)    Then it gives a summary page. Click on finish to start the import process.

clone17

22)    Once import is completed, right click on the clone dc and click on start.
23)    It will runs under several stages preparing the AD.

clone18

24)    Once process is completed, l logged in to the server as domain admin. In Domain controller OU I can see the new clone dc. Also under site and services I can see the cloned dc located correctly.

clone19

clone20

This is the end of the post and if there is any question feel free to contact me on rebeladm@live.com

How to install Certificate Services in Domain Environment ?

In here with the demonstration I will show how to install active directory certificate services and how we can use the issued certificate for different tasks. specifically i will demonstrate how to issue company’s trusted certificates for each and every client who connects to the domain.

Here i am using a server which is already added to the domain. i have explain how to install domain services in windows 2008 server in one of my previous posts.

The demo environment using windows 2008 standard R2 server and as the client pc i am using windows 7 sp1 pc. This is still valid for windows 2012 as well.

Let’s go ahead and install the certificate services.

To start, log in to the domain server as a domain admin and the open server manager.

Once it open, right click on roles and select add roles.

cert1

Once the wizard is open click on next to continue.

cert2

From the list select “Active Directory Certificate Services” and click next.

cert3

In next window it displays some warning about service and the use of it. Click next to continue.

cert4

From next window select the “Certificate authority” as the service and click next to continue.

cert5

In next window can select the setup type. Use the default enterprise setup as this is a dc server. Click next to continue.

cert6

In next window select the CA type, in here I used the root as this will be the only one used for the demo.

cert7

In next window select “create a new private key” option and click next to create pk for the server.

cert8

In next window you can change the cryptography settings but I will be using default.

cert9

In next window you can change the CA name if need. I will be using the default.

In next window you can define the validity period of the certificates. I will use the default 5 years.

cert10

In next window it will ask about the file path to save the certificates database.

cert11

The next window it will confirm about the installation and click on install to start the installation.

cert12

Once it is installed it will pass the confirmation.

cert13

Now we do have the AD CS is installed. Next step is to configure it to issue secure certificate for the computers which are connecting to the domain.

By default there will not be any certificate issues for the computer. To test this I will be log in to a pc which is connected to greenwich.local as user “cs1”(This user is having local admin rights as if not it want show up the certificates which assigned for the computer level).

Once log in go to start > run > mmc
Then it will open the mmc.
Once it open go to File > Add/Remove Snap in

cert14

From the window click on certificates and click on add button.

cert15

Then in next window select “computer account” as we need to view the certificates issue for the computer. Then click next.

cert16

In next window select local computer and click on finish.

cert17

Then it will show the added snap in and click on ok to open the snap in.

cert18

Once it’s open expand the tree and go to personal > certificates. Then you can see there is on certificate issued for the pc.

cert19

Now we need to configure the AD CS to issue certificates for the client computers.

To do that first we need to log back to the server we have installed the AD CS services as domain admin or enterprise admin. Then need to open mmc console like we did on above.

Then go to add/remove snap in as previous step.
From the available snaps-in select “Certificate Authority” and add it.

cert20

Then also select “Certificate Templates” and click ok.

Then it will open the console as following

cert21

Then click on Certificate templates and from available templates select “Workstation Authentication template”

cert22

On the Action menu, click Duplicate Template. The Duplicate Template dialog box opens. Select the template version appropriate for your deployment, and then click OK . The new template properties dialog box opens.

cert23

cert24

Once its open the window On the General tab, in Display Name , type a new name for the certificate template or keep the default name.

cert25

Go to security tab and then select “Domain Computers” from the list. Then from permissions, Under Allow, select the Enroll and Auto enroll permission check boxes, and then click OK .

cert26

Then click ok to apply the changes.
Then Double-click Certification Authority , double-click the CA name, and then click Certificate Templates .

cert27

On the Action menu, point to New , and then click Certificate Template to Issue . The Enable Certificate Templates dialog box opens.

cert28

Click the name of the certificate template you just configured, and then click OK . For example, if you did not change the default certificate template name, click Copy of Workstation Authentication , and then click OK .

cert29

Then go to “Group Policy Object Editor” and right-click Default Domain Policy and select edit.

Open Computer Configuration, then Policies, then Windows Settings, then Security Settings, and then Public Key Policies.

cert30

In the right hand panel, double-click “Certificate Services Client – Auto-Enrollment” . The Certificate Services Client – Auto-Enrollment Properties dialog box opens.

In the Certificate Services Client – Auto-Enrollment Properties dialog box, in Configuration Model , select Enabled .

cert31

Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box and click ok.

cert32

Now we have everything in place with the configuration. We need to test out by log in to the pc again to see if its issue the certificate now. I will be login in to same computer with user cs1 (these users have local admin rights for this pc otherwise user only can see certificate for the user). After login will load up the mmc as we did in beginning and browse to the same location.

cert33

cert34

This shows clearly the new certificate which is created for the computer by the certificate server.