Sunday, December 11, 2016

Common Misconfigurations of Active Directory

Misconfiguration 1.
    Issue: Administrator cannot join workstation to domain.
Common Cause: 
DHCP is provided by gateway router that receives and subsequently hands the ISP’s DNS servers to clients. Clients there for are unable to query DNS for the AD SRV records.
Fix1: Log into the routers interface, under the DHCP settings, change the dns handed out to point to the Active Directory server(s). Note: If you only have one AD server, hand out only that IP for DNS – do not have an ISP DNS server for a secondary
If the router cannot be changed then move the DHCP function to a windows server and configure the appropriate options in the scope
    Fix3: Statically set each client’s DNS settings to the server – this is really the option of last resort, I never recommend manually touching each PC – commonly called sneakerware

Misconfiguration 2.
Issue: SRV records for DC are missing in DNS
Common Cause: DC points to invalid DNS server or Nic does not have the checkbox to Register in DNS selected.
Fix1: Change the DNS to a valid DC if only one DC then point to its IP Address as primary DNS and its loopback ( as secondary DNS
Fix2: Check the box under TCPIPV4 to Register in DNS
Note: After either of these fixes are applied run the following highlighted commands from an administrative command prompt

Misconfiguration 3.
    Issue: Multiple IP’s are registered for the same domain controller – replication and authentication issues ensue.
Common Cause: Multiple nics in the server, whether or not they are used.
Fix1: Under network and sharing center, disable all unused nics – delete all invalid dns records for this server in DNS
Fix2: If this is a multi-homed server (more than 1 nic enabled and ip’d), select 1 nic to register in DNS and disable registering in DNS for the other nic(s) – delete all invalid dns records for this server in dns
Fix3: If this is a multi-homed server (more than 1 nic enabled and ip’d) and the goal is for load balancing or redundancy – look at the teaming options on the nic which will allow the redundancy and load balancing under a single IP (Windows 2012+ does this natively now)

Misconfiguration 4.
    Issue: Adding a new domain controller to replace old domain controller, when old domain controller is shut down nobody can login
Common Cause: 
Sysvol and Netlogon not shared due 
Old DC is in journal wrap for the sysvol folder
 If replicating via DFS-r, source server may be in dirty shutdown, check for 2213 events in the event log.

Misconfiguration 5
Issue: Multiple issues joining domain controllers, AD stops replicating
Common Cause: IPv6 has been disabled or uninstalled

No comments:

Post a Comment