Thursday, April 9, 2015

Event ID 2042: It has been too long since this machine replicated.

If a domain controller has not replicated with its partner for longer than the tombstone lifetime, a lingering object problem may exist on one or both domain controllers, and event ID 2042 is logged.
When the condition that causes Event ID 2042 occurs, inbound replication from the source partner is stopped on the destination domain controller and Event ID 2042 is written to the Directory Service event log. The repadmin error 8614 shown in the output below reports the same condition.

Troubleshooting Event ID 2042:

Please follow the steps below to rectify the issue:

1. Run the command below on SRV-01 (the problematic server):
    C:\>repadmin /showrepl
   
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\SRV-01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: faf7771d-2541-44d0-b605-95701cb6aaa1
DSA invocationID: faf7771d-2541-44d0-b605-95701cb6aaa1

==== INBOUND NEIGHBORS ======================================

DC=hpv,DC=local
    Default-First-Site-Name\SRV-02 via RPC
        DSA object GUID: 4a8717eb-8e58-456c-995a-c92e4add7e8e
        Last attempt @ 2014-07-25 10:25:37 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
        155228 consecutive failure(s).
        Last success @ 2014-04-19 10:04:41.

CN=Configuration,DC=hpv,DC=local
    Default-First-Site-Name\SRV-02 via RPC
        DSA object GUID: 4a8717eb-8e58-456c-995a-c92e4add7e8e
        Last attempt @ 2014-07-25 09:48:55 was successful.

CN=Schema,CN=Configuration,DC=hpv,DC=local
    Default-First-Site-Name\SRV-02 via RPC
        DSA object GUID: 4a8717eb-8e58-456c-995a-c92e4add7e8e
        Last attempt @ 2014-07-25 09:48:55 was successful.

DC=DomainDnsZones,DC=hpv,DC=local
    Default-First-Site-Name\SRV-02 via RPC
        DSA object GUID: 4a8717eb-8e58-456c-995a-c92e4add7e8e
        Last attempt @ 2014-07-25 09:48:55 was successful.

DC=ForestDnsZones,DC=hpv,DC=local
    Default-First-Site-Name\SRV-02 via RPC
        DSA object GUID: 4a8717eb-8e58-456c-995a-c92e4add7e8e
        Last attempt @ 2014-07-25 09:48:55 was successful.

Source: Default-First-Site-Name\SRV-02
******* 155223 CONSECUTIVE FAILURES since 2014-04-19 10:04:41
Last error: 8614 (0x21a6):
            The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.

C:\>

2. On a domain controller that you expect to have the latest changes (in my case SRV-02), open an elevated Command Prompt window. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

3. From SRV-02, run 'repadmin /removelingeringobjects <DestDCName> <SourceDCGUID> <LDAPPartition> /advisory_mode'. SourceDCGUID is the DSA object GUID of SRV-02 listed under INBOUND NEIGHBORS in step 1. Advisory mode only reports the lingering objects; nothing is deleted yet.

     repadmin /removelingeringobjects SRV-01 4a8717eb-8e58-456c-995a-c92e4add7e8e dc=hpv,dc=local /advisory_mode

4. Now on the problematic server (SRV-01, where the directory service error is occurring) check the Directory Service event log for the following events:
     Event ID 2014, starting with 'Duplicate event log entries were suppressed.'
     Event ID 1937, starting with 'Active Directory Domain Services has begun the removal of lingering objects on the local domain controller. All objects on this domain controller will have their existence verified on the following source domain controller.'

5. After verifying the events, run the same command from SRV-02 without /advisory_mode to permanently delete the lingering objects:
     repadmin /removelingeringobjects SRV-01 4a8717eb-8e58-456c-995a-c92e4add7e8e dc=hpv,dc=local

6. On the problematic server the following event is generated in the Directory Service log once the lingering objects have been deleted permanently:
    Event ID 1939, starting with 'Active Directory Domain Services has completed the removal of lingering objects on the local domain controller. All objects on this domain controller have had their existence verified on the following source domain controller.'

7. Now on SRV-01 run the following command to allow replication to restart. This registry value tells NTDS to replicate with a partner it considers divergent, so it should stay set only until replication has been confirmed (step 9 removes it).
    repadmin /regkey SRV-01 +allowDivergent

    Eg:
       C:\>repadmin /regkey SRV-01 +allowDivergent
 HKLM\System\CurrentControlSet\Services\NTDS\Parameters: "Allow Replication With Divergent and Corrupt Partner" value does not exist
New HKLM\System\CurrentControlSet\Services\NTDS\Parameters: "Allow Replication With Divergent and Corrupt Partner" REG_DWORD 0x00000001 (1)

8. Confirm that replication succeeds with repadmin /showrepl, or use the AD Replication Status tool (http://www.microsoft.com/en-us/download/details.aspx?id=30005).
     For testing, copy a simple .txt file into the scripts directory of the first server's SYSVOL folder and check whether it appears in the second server's SYSVOL. If it does, delete it there and check that it disappears from the first server. If both succeed, replication is working.

9. After confirming the step above, delete the registry value added in step 7 by running the following command:
    C:\>repadmin /regkey SRV-01 -allowDivergent
     HKLM\System\CurrentControlSet\Services\NTDS\Parameters: "Allow Replication With Divergent and Corrupt Partner" REG_DWORD 0x00000001 (1)
     New HKLM\System\CurrentControlSet\Services\NTDS\Parameters: "Allow Replication With Divergent and Corrupt Partner" value does not exist

10. For details see the Microsoft article:
      http://technet.microsoft.com/en-us/library/cc949136(v=ws.10).aspx
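The procedure above is driven by repadmin output read by eye. The following PowerShell script is an added example (not part of the original post) that does the two checks a practitioner wants after the fact: it compares every inbound partner's last successful replication against the forest's actual tombstone lifetime, and it verifies that the "Allow Replication With Divergent and Corrupt Partner" override from step 7 has been removed again. It assumes the ActiveDirectory module from RSAT, PowerShell remoting to the DC, and an account that can read the configuration partition; SRV-01 is the DC name from the post.

```powershell
# Added example, not from the original post. Requires RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on CN=Directory Service in the configuration
    # partition. If the attribute is absent the forest uses the default of 60
    # days; forests created with Windows Server 2003 SP1 or later set 180.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                             -Properties tombstoneLifetime
    if ($dsObject.tombstoneLifetime) { return [int]$dsObject.tombstoneLifetime }
    return 60
}

function Test-ReplicationAge {
    param([Parameter(Mandatory)][string]$DomainController)
    $tsl    = Get-TombstoneLifetimeDays
    $cutoff = (Get-Date).AddDays(-$tsl)
    # -Partition * covers the domain, configuration, schema and DNS partitions,
    # the same set repadmin /showrepl lists under INBOUND NEIGHBORS.
    Get-ADReplicationPartnerMetadata -Target $DomainController -PartnerType Inbound -Partition * |
        ForEach-Object {
            [pscustomobject]@{
                Partition           = $_.Partition
                Partner             = $_.Partner
                LastSuccess         = $_.LastReplicationSuccess
                ConsecutiveFailures = $_.ConsecutiveReplicationFailures
                LastResult          = $_.LastReplicationResult      # 8614 = exceeded tombstone lifetime
                BeyondTombstone     = ($_.LastReplicationSuccess -lt $cutoff)
            }
        }
}

function Test-DivergentOverride {
    param([Parameter(Mandatory)][string]$DomainController)
    # The value that repadmin /regkey +allowDivergent creates. It should not
    # survive once replication has been confirmed (step 9 of the post).
    $name = 'Allow Replication With Divergent and Corrupt Partner'
    $item = Invoke-Command -ComputerName $DomainController -ScriptBlock {
        Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' `
                         -Name $using:name -ErrorAction SilentlyContinue
    }
    if ($item -and $item.$name -eq 1) {
        Write-Warning "$DomainController still has '$name' = 1; run: repadmin /regkey $DomainController -allowDivergent"
        return $false
    }
    return $true
}

# Usage (DC name taken from the post)
Test-ReplicationAge -DomainController 'SRV-01' | Format-Table -AutoSize
Test-DivergentOverride -DomainController 'SRV-01'
```

Any row with BeyondTombstone set to True is a partner that will produce error 8614 and event 2042 on the next attempt, which is the condition the steps above fix. Test-DivergentOverride returns $false while the override is still in place, so it can be run on a schedule across all DCs to catch a forgotten step 9.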

Tuesday, March 31, 2015

Change Logon background image using GPO

1.     First create a folder named Wallpaper on your DC, share it, and give the Domain Computers group read access.
2.     Copy the background image you have prepared to that folder and rename it backgroundDefault.jpg (the image must be less than 245 KB in size).
3.     Log on to the DC as a domain administrator and open Administrative Tools -> Group Policy Management -> expand Group Policy Objects.
4.     Right-click and edit a computer policy that applies to the machines on which you want to make this change.
5.     In that computer policy, go to Computer Configuration > Preferences > Windows Settings -> right-click Folders and select New Folder, then type %WindowsDir%\System32\oobe\info\backgrounds in the Path field and set Action to Create. Click OK.
6.     Now right-click Files, select New File and enter the following:
           a. Source file:  \\yourDC\Wallpaper\backgroundDefault.jpg
           b. Destination file: %WindowsDir%\System32\oobe\info\backgrounds\backgroundDefault.jpg
7.     After the step above, right-click Registry, select New Registry Item and enter the following values in the fields:
  Key Path: Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
      Value Name: OEMBackground
      Value type: REG_DWORD
      Value Data: 1
8.     Click OK and close the Group Policy editor.
9.     Open a command prompt and type gpupdate /force.
10.  Reboot all the workstations.
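The steps above are all done in the GPMC GUI, so the natural follow-up is a check on a target machine that the three preference items actually landed. The PowerShell below is an added example, not part of the original post: it verifies the OEMBackground registry value, the presence and size of the deployed file (using the 245 KB limit stated in the post), and that the deployed copy is byte-identical to the copy on the share. The share path \\yourDC\Wallpaper is the placeholder from the post; replace it with your DC name.

```powershell
# Added example, not from the original post. Run on a client after gpupdate and reboot.
$Source   = '\\yourDC\Wallpaper\backgroundDefault.jpg'     # share from step 1/6 of the post
$Target   = Join-Path $env:windir 'System32\oobe\info\backgrounds\backgroundDefault.jpg'
$RegPath  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background'
$MaxBytes = 245KB                                            # size limit stated in the post

function Test-LogonBackground {
    $result = [ordered]@{}

    # Step 7 of the post: OEMBackground must be a REG_DWORD of 1 for the image to be used.
    $oem = (Get-ItemProperty -Path $RegPath -Name OEMBackground -ErrorAction SilentlyContinue).OEMBackground
    $result.OEMBackgroundEnabled = ($oem -eq 1)

    # Steps 5/6: folder created and file copied into System32\oobe\info\backgrounds.
    $result.FilePresent = Test-Path -Path $Target
    if ($result.FilePresent) {
        $length = (Get-Item -Path $Target).Length
        $result.SizeBytes = $length
        $result.SizeOk    = ($length -lt $MaxBytes)

        # The deployed file should match the master copy on the share exactly;
        # a mismatch means the GPP file item did not apply or the file was changed locally.
        if (Test-Path -Path $Source) {
            $srcHash = (Get-FileHash -Path $Source -Algorithm SHA256).Hash
            $dstHash = (Get-FileHash -Path $Target -Algorithm SHA256).Hash
            $result.MatchesShare = ($srcHash -eq $dstHash)
        } else {
            $result.MatchesShare = 'share not reachable'
        }
    }
    [pscustomobject]$result
}

Test-LogonBackground
```

Keep the share readable but not writable by Domain Computers, as step 1 describes: whatever is in that file is copied into System32 on every machine the policy targets, so the hash comparison is also a cheap way to notice if the master copy was replaced.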

Tuesday, February 3, 2015

Distribute Certificates via Group Policy


This procedure adds a certificate to the Trusted Root Certification Authorities store for the domain and uses Group Policy to distribute it to every Windows computer on your network. Follow the steps below to deploy a certificate to multiple computers by using Active Directory Domain Services and a Group Policy object (GPO).

Steps:
  1. Click Start, point to Administrative Tools, and then click Group Policy Management.
  2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
  3. Right-click the Default Domain Policy GPO, and then click Edit.
  4. In the Group Policy Management Console (GPMC), go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.
  5. Right-click the Trusted Root Certification Authorities store.
  6. Click Import and follow the steps in the Certificate Import Wizard to import the certificates.
  7. Click Next in the Certificate Import Wizard.
  8. Click Browse and select the downloaded certificate from the location where you saved it -> click Next -> make sure the 'Place all certificates in the following store' option is selected and the store is 'Trusted Root Certification Authorities', click Next -> click Finish.
  9. After a few seconds a message confirms that the import succeeded.
  10. Close the window.
  11. Run gpupdate /force from the command prompt.
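Because the Default Domain Policy reaches every computer in the domain, it is worth confirming on a client both that the certificate arrived and that it is exactly the certificate you meant to trust. The PowerShell below is an added example, not part of the original post: it computes the thumbprint of the .cer file you imported, checks whether Group Policy wrote that root into the Policies registry hive (where GPO-distributed roots are stored on the client), and checks that it shows up in the merged LocalMachine\Root store. The path C:\Certs\MyRootCA.cer is an assumed location for the downloaded certificate.

```powershell
# Added example, not from the original post. Run on a domain member after gpupdate /force.
$CerFile = 'C:\Certs\MyRootCA.cer'    # assumed path to the certificate imported in step 8

function Get-CertThumbprint {
    param([Parameter(Mandatory)][string]$Path)
    # Works for DER or Base64 .cer files; the thumbprint is the SHA-1 hash of the DER encoding.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    return $cert.Thumbprint
}

function Test-PolicyDeployedRoot {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Roots pushed by Group Policy land under Software\Policies\...\SystemCertificates\Root;
    # the Cert:\LocalMachine\Root provider shows the merged (local + policy) view.
    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
    $inStore   = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint }

    [pscustomobject]@{
        Thumbprint         = $Thumbprint
        DeployedByPolicy   = (Test-Path -Path $policyKey)
        PresentInRootStore = [bool]$inStore
        Subject            = if ($inStore) { $inStore.Subject }  else { $null }
        NotAfter           = if ($inStore) { $inStore.NotAfter } else { $null }
    }
}

$expected = Get-CertThumbprint -Path $CerFile
Test-PolicyDeployedRoot -Thumbprint $expected | Format-List
```

If DeployedByPolicy is False but PresentInRootStore is True, the certificate was trusted through some other route (a manual import or another policy) rather than this GPO. Compare the thumbprint against the value published by the CA owner before deploying: a root in this store can sign certificates that every domain machine will accept.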



Tuesday, January 20, 2015

Windows NT backup failed error code '2155348010' One of the backup files could not be created.

Issue: The backup fails with "One of the backup files could not be created. Detailed Error: The request could not be performed because of an I/O device error".
Backup started at '10/12/2012 8:33:44 PM' failed with following error code '2155348010' (One of the backup files could not be created.). Please rerun backup once issue is resolved.
Follow these steps to troubleshoot the issue:
  1. Normally Windows Server 2008 backup will not work with an external HDD formatted with a 4K (4096-byte) logical sector size.
  2. So the logical sector size needs to be changed to 512 bytes by reformatting the drive with WD Quick Formatter.
  3. Download the WD Quick Formatter tool from the following link: http://wdc.custhelp.com/app/answers/detail/search/1/a_id/3868
  4. Using the WD Quick Formatter tool, select the Factory Default configuration / Most Compatible (Vista or later required) option to reformat the drive to the manufacturer's default settings.
          a. XP Compatible: If you are running Windows XP and connect a WD external drive larger than 2 TB, it will not be recognized by your system until you select the XP Compatible option to configure it and change the block size. After running the application with the XP Compatible option, the drive will be recognized and can be used on Windows XP, Windows Vista, and Windows 7.
          b. Most Compatible (Vista or later required): If your WD external drive (larger than 2 TB) has been configured to change the block size using the XP Compatible option, you might have problems with some applications. If this happens, run the Quick Drive Format application again and select the Most Compatible option to return to the manufacturer's default block size settings.

1. This is how the drive appeared before the format:
C:\Windows\system32>fsutil fsinfo ntfsinfo H:
Bytes Per Sector : 4096
Bytes Per Physical Sector : <Not Supported>
Bytes Per Cluster : 4096
Bytes Per FileRecord Segment : 4096

2. This is how the drive appeared after the "Factory Default" format:
C:\Windows\system32>fsutil fsinfo ntfsinfo H:
Bytes Per Sector : 512
Bytes Per Physical Sector : <Not Supported>
Bytes Per Cluster : 4096
Bytes Per FileRecord Segment : 1024
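The fsutil output above has to be run per volume letter. As an added example (not part of the original post), the PowerShell below reports the logical sector size of every attached disk through WMI, which is available on Windows Server 2008 without the newer Storage module, and flags any disk that does not report 512-byte sectors, the configuration the post says Windows Server 2008 backup requires. It assumes local administrator rights to query Win32_DiskDrive.

```powershell
# Added example, not from the original post. Works on Windows Server 2008 (PowerShell 2.0).
function Get-DiskSectorReport {
    # BytesPerSector on Win32_DiskDrive is the logical sector size the drive reports,
    # the same value fsutil shows as "Bytes Per Sector" for a volume on that disk.
    Get-WmiObject -Class Win32_DiskDrive |
        Select-Object DeviceID, Model, InterfaceType, BytesPerSector,
            @{ Name = 'SizeGB';           Expression = { [math]::Round($_.Size / 1GB, 1) } },
            @{ Name = 'BackupCompatible'; Expression = { $_.BytesPerSector -eq 512 } }
}

function Get-BackupIncompatibleDisks {
    # Disks to reformat (or avoid as a backup target) before running Windows Server Backup.
    Get-DiskSectorReport | Where-Object { -not $_.BackupCompatible }
}

# Usage: full report, then just the disks that would trigger error 2155348010
Get-DiskSectorReport | Format-Table -AutoSize
Get-BackupIncompatibleDisks | Format-Table -AutoSize
```

Run this before attaching a new external drive as the backup target; an empty result from Get-BackupIncompatibleDisks means every disk reports 512-byte logical sectors and the reformat described above is not needed.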