Error: 9036 (Paused for backup or restore)
After reading this Technet article on backing up virtual domain controllers, I realised the cause was the snapshot backup at the Hyper-V level. The only supported backup method is running the backup job at the guest VM level. Since then, I've stopped backing up domain controllers at the Hyper-V host level and disabled the backup integration services in the VM configuration.
I have a wide scope of interests in IT, which includes hyper-v private cloud, remote desktop services, server clustering, PKI, network security, routing & switching, enterprise network management, MPLS VPN on enterprise network etc. Started this blog for my quick reference and to share technical knowledge with our team members.
Thursday, May 15, 2014
Virtualised Domain Controllers Replication Issues
I noticed virtualised domain controllers often have issues replicating new settings in Group Policy Objects. This warning message was also observed:
Monday, May 12, 2014
WS2012 Domain Controllers stop replication after Power Outage
We had a power outage and noticed newer Group Policy Objects (GPOs) weren't replicated across the AD. After running the dcdiag /a diagnostic command, we noticed DRS-R event errors on some WS2012 Domain Controllers. After doing some research, we realised that WS2012 stopped auto-replication by default.
To re-enable it, configure this setting in the registry and restart the affected DCs.
- Set HKLM\System\CurrentControlSet\Services\DFSR\Parameters\StopReplicationOnAutoRecovery registry key to a DWORD value of 0.
- On an elevated command prompt, run wmic /namespace:\\root\microsoftdfs path dfsrmachineconfig set StopReplicationOnAutoRecovery = FALSE
Thursday, May 8, 2014
Verify Domain Controller Certificate for Smartcard Logon
To enable user smartcard logon, all domain controllers must be enrolled with KDC-enabled certificates. The correct cert template to deploy is Domain Controller Authentication. If you enrolled the domain controllers with the wrong certs, you might encounter this error event on the domain controllers:
This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate.
To resolve this, you'll have to delete the invalid cert and request a new valid cert. To verify after enrolling domain controller certificates, run this command:
certutil -dcinfo verify
Reference: Event ID 19 — KDC Certificate Availability
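The certificates a domain controller actually holds can also be inspected from PowerShell before or after re-enrolling. This is an added example, not part of the original post: the function name Get-DcLogonCertificateReport and the suitability criteria (private key present, inside the validity period, chain validates, Smart Card Logon or KDC Authentication EKU present) are assumptions made for illustration, and certutil -dcinfo verify remains the authoritative check.

```powershell
# Added example. Run in an elevated PowerShell session on the domain controller.
# Assumption: "suitable" means private key + valid dates + trusted chain + a logon EKU.
$EkuNames = @{
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
}
# Certificate template extensions: v2 (template information) and v1 (template name).
$TemplateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'

function Get-DcLogonCertificateReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect every EKU OID on the certificate (empty if it has no EKU extension).
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value } |
            Where-Object { $_ })
        $logonEkus = @($ekus | Where-Object { $EkuNames.ContainsKey($_) } | ForEach-Object { $EkuNames[$_] })

        # Show which template issued the certificate, if the extension is present.
        $tmplExt  = $cert.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } | Select-Object -First 1
        $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(none)' }

        $problems = @()
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'outside validity period' }
        if ($logonEkus.Count -eq 0) { $problems += 'no Smart Card Logon / KDC Authentication EKU' }
        if (-not $cert.Verify()) { $problems += 'chain does not validate' }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Template   = $template
            LogonEkus  = $logonEkus -join ', '
            NotAfter   = $cert.NotAfter
            Suitable   = ($problems.Count -eq 0)
            Problems   = $problems -join '; '
        }
    }
}

$report = @(Get-DcLogonCertificateReport)
$report | Format-Table Thumbprint, Template, LogonEkus, NotAfter, Suitable, Problems -AutoSize
if (-not ($report | Where-Object Suitable)) {
    Write-Warning 'No certificate in LocalMachine\My looks usable by the KDC for PKINIT.'
}
```

A certificate listed with Problems is a candidate for the delete-and-re-enrol step described above; confirm with certutil -dcinfo verify afterwards.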