How to rebuild the SYSVOL tree when none exists in Active Directory

A Windows admin has trouble promoting the second DC in a domain. AD replication was working and DNS was healthy, but FRS was not: no SYSVOL or Netlogon share, and no SYSVOL tree on the second domain controller. The FRS event log was logging Event ID 13508 events but no 13509 events.

When trying to force SYSVOL replication using KB 290762 (setting the BURFLAGS value on the PDC to D4 and on the other DC to D2), something went wrong and it wiped out the SYSVOL tree on the primary domain controller. It was as if the empty SYSVOL had been replicated to the PDC instead of the other way around. So there is no SYSVOL tree on either DC.

You could start from scratch, but that is not a good political decision, and you would not have a root cause to justify it.

The solution is to create the SYSVOL tree, including junction points and proper ACLs. Of course, you will also need to create the default domain policy and the default domain controller policy.

There is a decent article on the Microsoft Help and Support site, KB 315457 "How to rebuild the SYSVOL tree and its content in a domain", but like many articles of this nature, Microsoft tries to cover all the bases.

In addition, Microsoft’s KB assumes you have a SYSVOL tree in the domain — which we do not have — so we need to generate a new default domain policy and default domain controllers policy. You might also run into an additional problem with other policies that have objects in AD but do not exist in SYSVOL.

I would recommend referring to the KB for details, but this is how you solve the problem of no SYSVOL on any DCs.

Step 1: Stop the FRS service on both DCs and create the SYSVOL tree on the PDC. This is pretty basic. Use Windows Explorer or a command prompt. I used a good DC I had in a lab as a guide. The tree looked like this:

    SYSVOL

    • Domain
      • DO_NOT_REMOVE_NtFrs_PreInstall_Directory
      • Policies
      • Scripts
    • Staging
    • Staging Areas
    • SYSVOL
      • Corp.net

Step 2: Set the ACLs. Just leave the default ACLs on all directories except the DO_NOT_REMOVE_NtFrs_PreInstall_Directory. Again, using my lab domain as the reference, we removed all users and groups except Domain Admins and System, and defined both of them to have "Special Permissions" only. I also set the "DO_NOT_REMOVE" directory attributes to Hidden and Read-only.

Step 3: Create the junction points. Remember the junction points connect a "real" directory to a "mirrored" directory. The \SYSVOL\domain is the real (Source) directory connected to \SYSVOL\SYSVOL\corp.net, a junction point. \SYSVOL\Staging\Domain is the real (Source) directory connected to \SYSVOL\Staging Areas\Corp.net.

KB 315457 shows how to determine the actual source directory if you need that information, but here is what we did:

Using the linkd command (the first argument is the junction point to create, the second is the real directory it points to):

linkd "%systemroot%\SYSVOL\SYSVOL\Corp.net" %SYSTEMROOT%\SYSVOL\DOMAIN

linkd "%systemroot%\Sysvol\staging Areas\Corp.net" %systemroot%\sysvol\Staging\Domain

Step 4: Rebuild default domain policies. Using the DCGPOFix tool, available from Microsoft’s download site, this was pretty easy. Just run the tool and it asks if you want to create a new default domain policy (answer yes) and if you want to create a new default domain controllers policy (answer yes). At this point, we double-checked to make sure the SYSVOL tree and the policies were all correct.

Step 5: Replicate SYSVOL. We had already found that using KB 290762 wiped out SYSVOL on the PDC, so we didn’t want to do that again. Because we only had two DCs and because the file replication service had been stopped, it seemed logical that starting the FRS — first on the PDC and then the other DC — would jump-start FRS. SYSVOL was replicated, and we had the SYSVOL share.
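The five steps above as one cmd script, added here as an example and not part of the original article. It assumes the domain is Corp.net as in the article, that it runs on the PDC after FRS has already been stopped on the other DC, and that linkd (Resource Kit) and dcgpofix are on the path.

```batch
@echo off
REM Added example (not from the original article): rebuild an empty SYSVOL tree on the PDC,
REM recreate the two junction points, regenerate the default policies and restart FRS.
REM Assumptions: domain Corp.net, SYSVOL under %SystemRoot%\SYSVOL, FRS already stopped on the other DC.
setlocal
set DOMAIN=Corp.net
set SV=%SystemRoot%\SYSVOL

REM Step 1: stop FRS locally, then lay out the tree from the article.
net stop ntfrs
for %%D in ("%SV%\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory" "%SV%\domain\Policies" "%SV%\domain\Scripts" "%SV%\staging\domain" "%SV%\staging areas" "%SV%\sysvol") do (
    if not exist %%D mkdir %%D
)

REM Step 2: keep the default ACLs; only the pre-install directory gets Hidden + Read-only.
REM Its trimmed ACL (Domain Admins and System only) is set by hand, as in the article.
attrib +h +r "%SV%\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory"

REM Step 3: junctions. linkd <junction> <real directory>; the junction directory is created if missing.
linkd "%SV%\sysvol\%DOMAIN%" "%SV%\domain"
linkd "%SV%\staging areas\%DOMAIN%" "%SV%\staging\domain"

REM Step 4: recreate the Default Domain Policy and Default Domain Controllers Policy.
dcgpofix /target:both

REM Step 5: start FRS here first; start it on the second DC only after this one is up.
net start ntfrs

REM Checks: linkd with one argument prints the junction target; net share should list SYSVOL and NETLOGON.
linkd "%SV%\sysvol\%DOMAIN%"
linkd "%SV%\staging areas\%DOMAIN%"
net share | findstr /i "SYSVOL NETLOGON"
endlocal
```

If NETLOGON is missing from the last check, look for policy objects in AD that have no matching SYSVOL folder, as described in the note that follows Step 5.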

This next part isn’t really a step. It’s something we ran into that you should be aware of. After Step 5, SYSVOL was shared but not NETLOGON. When SYSVOL was deleted from the PDC, it also deleted two custom Group Policies. When SYSVOL was replicated after the rebuild, errors were logged in the event log complaining about these two policies. Using ADSIEdit, we went to Corp.net\system\Policies and deleted the objects for the two deleted policies. Soon, the Netlogon share appeared, and the 1704 event in the application log validated replication of policy.

After doing an operation like this, it’s a good idea to check the event logs for related errors and create a sample GPO and see if it replicates.

——————- End of Document —————–

Tags: Windows Server 2003

Published Date: 20080709

Disable Reading or Writing to USB and other removable mass storage devices

You can prevent users from using any portable USB removable disk or flash drive by using a custom .ADM file that can be imported into the Local Group Policy (thus affecting only the local computer) or by using Active Directory-based Group Policy Objects (also known as GPOs).

Note: This tip will allow you to restrict usage of USB removable disks, but will continue to allow usage of USB mice, keyboards or any other USB-based device that is NOT a portable disk. I am assuming that AD-based GPOs would be used. The same result can be achieved by changing the location of the .ADM template file and using Local Group Policy instead.

It’s worth mentioning that in Windows Vista Microsoft has implemented a much more sophisticated method of controlling USB disks via GPO. If you have Windows Vista client computers in your organization you can use GPO settings edited from one of the Vista machines to control if users will be able to install and use USB disks, plus the ability to control exactly what device can or cannot be used on their machines.

Step 1: Create a simple text file named removable_storage.adm with the following content and save it to the "%systemroot%\inf\" directory on the domain controller where you will create the GPO.

********** Start of File **********

CLASS MACHINE
CATEGORY "Custom Policy Settings"
CATEGORY "Restrict Removable Drives"
  POLICY "Disable USB Removable Drives"
   KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
   EXPLAIN !!explaintextusb
     PART "usbstor.sys driver status" DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME "Started" VALUE NUMERIC 3 DEFAULT
        NAME "Stopped" VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY "Disable CD-ROM"
   KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
   EXPLAIN !!explaintextcd
     PART "cdrom.sys driver status" DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME "Started" VALUE NUMERIC 1 DEFAULT
        NAME "Stopped" VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY "Disable Floppy"
   KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
   EXPLAIN !!explaintextflpy
     PART "flpydisk.sys driver status" DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME "Started" VALUE NUMERIC 3 DEFAULT
        NAME "Stopped" VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY "Disable High Capacity Floppy"
   KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
   EXPLAIN !!explaintextls120
     PART "sfloppy.sys driver status" DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME "Started" VALUE NUMERIC 3 DEFAULT
        NAME "Stopped" VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY "Write Protect USB Removable Drives"
   KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
   EXPLAIN !!explaintextwriteprotect
     PART "Write Protect USB Removable Drives status" DROPDOWNLIST REQUIRED
       VALUENAME "WriteProtect"
       ITEMLIST
        NAME "Off" VALUE NUMERIC 0 DEFAULT
        NAME "On" VALUE NUMERIC 1
       END ITEMLIST
     END PART
   END POLICY
END CATEGORY
END CATEGORY

[strings]
explaintextusb="Disables the USB Removable Drives capability by disabling the usbstor.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the usbstor.sys driver status in the drop-down list.  \n\nNote that this will only prevent usage of newly plugged-in USB Removable Drives or Flash Drives; devices that were plugged in while this option was not configured will continue to function normally. Also, devices that use the same device or hardware ID (for example, 2 identical Flash Disks made by the same manufacturer) will still function if one of them was plugged in prior to the configuration of this setting. In order to successfully block them you will need to make sure no USB Removable Drive is plugged in while you set this option. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the usbstor.sys driver status in the drop-down list."
explaintextcd="Disables the CD-ROM Drive by disabling the cdrom.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the cdrom.sys driver status in the drop-down list. \n\nIn order to re-enable the CD-ROM Drive select STARTED for the cdrom.sys driver status in the drop-down list."
explaintextflpy="Disables the Floppy Drive by disabling the flpydisk.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the flpydisk.sys driver status in the drop-down list. \n\nIn order to re-enable the Floppy Drive select STARTED for the flpydisk.sys driver status in the drop-down list."
explaintextls120="Disables the High Capacity Floppy Drive by disabling the sfloppy.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the sfloppy.sys driver status in the drop-down list. \n\nIn order to re-enable the High Capacity Floppy Drive select STARTED for the sfloppy.sys driver status in the drop-down list."
explaintextwriteprotect="Enforces write protection on all USB Removable Drives. \n\nSelect the ENABLED radiobox, then select ON for the Write Protect USB Removable Drives status in the drop-down list. \n\nIn order to disable write protection on USB Removable Drives select OFF for the Write Protect USB Removable Drives status in the drop-down list."

*********** End of File ************

Step 2: Add the .ADM file to the Administrative Templates in a GPO

Open the Group Policy Management Console (GPMC) from the Administrative Tools folder in the Start menu, or by typing gpmc.msc in the Run command.

Right-click an existing GPO (or create a new GPO, then right-click on it) and select Edit.

Expand either the Computer Configuration or User Configuration section of the GPO (this template is CLASS MACHINE, so its settings will appear under Computer Configuration). Go to the Administrative Templates section and right-click it. Select Add/Remove Templates.

In the Add/Remove Templates window click Add.

Browse to the location of the required .ADM file and click Open.

In the Add/Remove Templates window notice that the new .ADM file is listed, then click Close.

Now re-open the Administrative Templates section and browse to the new settings location.

Step 3: In order to view and configure the new .ADM file settings you will need to change the default filtering view of the GPO Editor (gpedit.msc). Unless you change this setting, the right pane will appear empty, even though the settings are there.

Follow these steps:

In GPEdit.msc (or any other GPO Editor window you’re using) click on View -> Filtering.

Click to clear the "Only show policy settings that can be fully managed" check box, then click OK.

Now you will be able to see the new settings in the right pane and configure any of them.

Note: You no longer need the .ADM template stored in the inf directory, because it is copied along with the policy folder into the Sysvol share. However, you may want to keep it in case you need to modify the template later.
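Added example, not part of the original tip: a client-side audit script that reads the same registry values the template above writes, so you can confirm the policy actually applied on a given machine. It assumes an elevated cmd prompt on a domain-joined client.

```batch
@echo off
REM Added example (not part of the original tip): check on a client whether the policy
REM from the .ADM template has landed, by reading the values the template writes.
REM Assumes an elevated cmd prompt on a domain-joined client.
setlocal EnableDelayedExpansion
set SVC=HKLM\SYSTEM\CurrentControlSet\Services

REM Refresh computer policy first so the check reflects the current GPO.
gpupdate /target:computer /force >nul

REM The four driver services the template can stop: Start=4 means the driver is disabled.
for %%S in (USBSTOR Cdrom Flpydisk Sfloppy) do (
    set VAL=
    for /f "tokens=3" %%V in ('reg query "%SVC%\%%S" /v Start 2^>nul ^| find /i "Start"') do set VAL=%%V
    if "!VAL!"=="0x4" (
        echo %%S: Start=!VAL!  driver disabled by policy
    ) else if "!VAL!"=="" (
        echo %%S: no Start value, service key missing
    ) else (
        echo %%S: Start=!VAL!  driver allowed to load
    )
)

REM WriteProtect=1 under StorageDevicePolicies makes USB removable drives read-only.
set WP=
for /f "tokens=3" %%V in ('reg query "HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies" /v WriteProtect 2^>nul ^| find /i "WriteProtect"') do set WP=%%V
if "%WP%"=="0x1" (echo USB write protection: ON) else (echo USB write protection: OFF or not configured)
endlocal
```

Remember the caveat from the template text: a drive that was plugged in before USBSTOR was set to 4 keeps working even when this script reports the driver as disabled.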

————– End of Document —————–

Tags: Active Directory, Group Policy, Windows 2003

Published Date: 20080507

How to control AD replication using RepAdmin

Replication is controlled by the Options attribute on the NTDS Settings object, as shown in the following table. The Options attribute value is found in ADSIEdit by browsing to Configuration -> Sites -> <Site Name> -> Servers -> <Server Name> -> NTDS Settings. (The values below assume the DC is also a global catalog; the IS_GC flag contributes the 1.)

    RepAdmin Option                      NTDS Settings/Options attribute value
    Enable Inbound and Outbound          1
    Enable Inbound, Disable Outbound     5
    Enable Outbound, Disable Inbound     3
    Disable Inbound and Outbound         7

Using RepAdmin /Options

Repadmin /options <dcname> <+/-> <DISABLE_INBOUND_REPL/DISABLE_OUTBOUND_REPL>

Here is what it looks like when you disable or enable replication via RepAdmin using the /Options switch. A minus (-) in front of an option clears that flag, which re-enables replication in that direction; a plus (+) sets it, so +DISABLE_INBOUND_REPL, for example, disables inbound replication.

With both inbound and outbound replication enabled, the options show only IS_GC:
C:\>repadmin /options wtec-dc1
Current DC Options: IS_GC

To re-enable outbound replication (leaving inbound as it was):
C:\>repadmin /options wtec-dc1 -disable_outbound_repl
Current DC Options: IS_GC DISABLE_OUTBOUND_REPL
New DC Options: IS_GC

To disable only inbound replication:
C:\>repadmin /options wtec-dc1 +disable_inbound_repl
Current DC Options: IS_GC
New DC Options: IS_GC DISABLE_INBOUND_REPL

To disable inbound and outbound replication:
C:\>repadmin /options wtec-dc1 +disable_outbound_repl +disable_inbound_repl
Current DC Options: IS_GC
New DC Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL

repadmin /options * is a good command that produces a quick report to determine whether any other DCs have replication purposely disabled.

CAUTION: These commands remain in effect until changed. That is, if you set the DISABLE_INBOUND_REPL flag, it stays set (i.e., inbound replication is disabled) until you clear it again with -disable_inbound_repl.

There are several reasons why you would want to do this:

  1. If a report such as repadmin /replsum /bysrc /bydest /sort:delta shows that replication has not happened in the past 60 days (the tombstone lifetime), you would want to disable outbound replication. Of course, if you have strict replication consistency enabled you will be OK, but it’s better to be safe than sorry in this instance. The RepAdmin command is quick and easy. Note that in this case there is really no need to disable inbound replication, since the danger is in replicating outbound. Still, I suggest that you play it safe and do both until you determine whether lingering objects exist.
  2. If you suspect corruption or issues with a domain controller that you don’t want replicated, this command is an easy way to prevent replication from that source. Remember, you can remotely execute RepAdmin. And the DCList option in RepAdmin can be used to specify a single DC, or an asterisk (*) can be used to specify all DCs.
  3. For Authoritative Restore: Authoritative restoration is used to move the Active Directory back in time by taking a single system state backup from an earlier date, stopping replication on a DC, then restoring the backup using NTDSUtil’s Authoritative Restore feature. When it boots into normal mode and replication is enabled (using RepAdmin), this copy of the Active Directory is pushed out as authoritative and all DCs get a copy. Since you typically want to at least disable inbound replication before starting this — and then enable it again — it’s easy to forget after the restore that you need to re-enable replication.
  4. Lag Sites can be another cause for replication failure. Lag sites are scheduled to replicate only once or twice per week to provide a sort of online backup for a quick authoritative restore. In case of a disaster recovery situation, such as deleting an OU, it’s important to disable replication on the lag site DC(s). Some prefer to simply keep replication disabled on the lag DC(s) and manually re-enable it when they want replication. Again, it’s easy to forget that it was purposely disabled.
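Added example, not from the original article: instead of browsing to the NTDS Settings object in ADSIEdit, read its Options attribute with dsquery and decode it into the flags behind the table above, printing the repadmin command that clears each one. It assumes the Windows Server 2003 admin tools are installed; the dcname, sitename and domain-dn arguments are placeholders for your own environment.

```batch
@echo off
REM Added example (not from the original article): read a DC's NTDS Settings "options" value
REM with dsquery and decode it. Assumes the 2003 admin tools (dsquery, repadmin) are installed.
REM Usage: ntdsopts.cmd <dcname> <sitename> <domain-dn>
REM   e.g. ntdsopts.cmd wtec-dc1 Default-First-Site-Name DC=corp,DC=net   (placeholder values)
setlocal
if "%~3"=="" (echo Usage: %~nx0 dcname sitename domain-dn & exit /b 1)
set DN=CN=NTDS Settings,CN=%~1,CN=Servers,CN=%~2,CN=Sites,CN=Configuration,%~3

REM dsquery * -attr options prints a header row and then the value; keep the numeric line.
set OPT=
for /f "tokens=1" %%V in ('dsquery * "%DN%" -scope base -attr options ^| findstr /r "[0-9]"') do set OPT=%%V
if "%OPT%"=="" (echo Could not read options from %DN% & exit /b 1)

REM Bit values of the options attribute: 1 = IS_GC, 2 = DISABLE_INBOUND_REPL, 4 = DISABLE_OUTBOUND_REPL.
REM These are the bits that produce the 1/3/5/7 values in the table.
set /a "ISGC=OPT & 1"
set /a "NOIN=OPT & 2"
set /a "NOOUT=OPT & 4"

echo %~1: options=%OPT%
if %ISGC%  NEQ 0 echo   IS_GC
if %NOIN%  NEQ 0 echo   DISABLE_INBOUND_REPL   [clear with: repadmin /options %~1 -DISABLE_INBOUND_REPL]
if %NOOUT% NEQ 0 echo   DISABLE_OUTBOUND_REPL  [clear with: repadmin /options %~1 -DISABLE_OUTBOUND_REPL]
if %NOIN%%NOOUT%==00 echo   inbound and outbound replication enabled
endlocal
```

Run it against each DC after an authoritative restore or a lag-site recovery to catch a flag that was left set on purpose and then forgotten.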

————– End of Document —————–

Tags: Active Directory, Windows Server 2000, Windows Server 2003

Published Date: 20071003

How to convert SID to username and username to SID

PsGetSid makes reading a computer’s SID easy, and works across the network so that you can query SIDs remotely. PsGetSid also lets you see the SIDs of user accounts and translate a SID into the name that represents it.

Usage: psgetsid [\\computer[,computer[,…] | @file] [-u username [-p password]]] [account|SID]

If you want to see a computer’s SID just pass the computer’s name as a command-line argument. If you want to see a user’s SID, name the account (e.g. "administrator") on the command-line and an optional computer name.

Specify a user name if the account you are running from doesn’t have administrative privileges on the computer you want to query. If you don’t specify a password as an option PsGetSid will prompt you for one so that you can type it in without having it echoed to the display.

————– End of Document —————–

Tags: Active Directory, Windows XP, Windows Server 2000, Windows Server 2003

Published Date: 20070905