Friday, April 23, 2010

Remove a Child Domain from AD 2008

So, had multiple issues with this. The real problem was that my original OS install (Server 2008 x64 Standard) had several NetBIOS/File Sharing/General Networking issues. Issues = Wouldn't work worth a crap. Kept getting "network path not found" or "network path does not exist" or "no network provider responded to the given path" errors. Very frustrating. All the other servers could get to my shares, but I couldn't get to theirs. So, I solved this by reinstalling. This time I installed Server 2008 x64 Enterprise R2. Immediately upon finishing the install, I was able to browse all network shares, so, props there. Don't know if Standard just didn't play with the other servers (all other servers are R2) or if it was just a hosed install, but the reinstall fixed that.

Then the new issue: Active Directory. The server in question was the DC for a child domain. I'd tried to demote it, i.e. ran dcpromo again, told it "this is the last DC in the domain" so it would delete the child domain. BUT, this didn't work BECAUSE of the stupid network problem. It errored out and said it couldn't contact the forest DC controller. So, it couldn't demote. Now I have to figure out how to strip the info out manually.

I went into AD on the forest controller, and deleted the record for the server. However, when I tried to re-dcpromo the newly installed server, I got an error. I tried to set it back up to the same child domain, etc., and the menu told me it would replace the old data with new data using the new server install. GREAT! NOT... I clicked next, it failed, and said it couldn't delete the old info. Why? Not sure. Found several great articles on how to manually remove info from AD using ntdsutil.exe. Props to Isaac Oben, whose blog had the BEST walkthroughs on doing something that I've seen lately. Links below:

http://www.isaacoben.com/2009/06/26/remove-a-demoted-or-failed-dc-from-active-directory-using-ntdsutil-exe/#more-188
http://www.isaacoben.com/2009/07/04/how-to-remove-child-domain-and-other-naming-context-from-forest-root-domain/

A couple other links I found were:
http://social.technet.microsoft.com/Forums/en/winserverDS/thread/9532a55f-7483-4d5d-a409-910993cff07c
http://support.microsoft.com/kb/230306

So, back to the issue. When I tried to follow along with these to remove the domain, I got the same error, but in a different wording. Exactly what I got was this:

"DsRemoveDsDomainW error 0x2015"


Hmm... So, what is that? Not sure -> back to Google. I finally found a solution, but here, I suppose, was the root problem. When I manually deleted the server record, it did not delete anything else. In other words, the server record was gone, but the "domain" and "naming context" for the old child domain were still there. You couldn't remove them, because SOMETHING had them locked, essentially. That "something" was an "application data partition" for the old domain.

The way to remove this (which also removes the domain and naming contexts) was found in the following link:
http://support.microsoft.com/kb/887424

You follow its instructions exactly, except for one big change. Instead of "domain management" you use "partition management". The rest works the same. Just delete all references to the old child domain. There will most likely be two: one for "DC=DomainDnsZones", which keeps the DNS records for the child domain, and one for "DC=child_domain", which is the AD metadata record for the actual child domain.
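As an added illustration (this is not from the original post or from Isaac Oben's write-up), here is the ntdsutil session described above typed out end to end, run on the forest root DC as an Enterprise Admin. The server name FORESTROOT-DC01 and the child domain child.test.com are placeholders; substitute the distinguished names that the first "list" actually prints. Command output is omitted.

```cmd
C:\> REM Placeholders: FORESTROOT-DC01 is the forest root DC, child.test.com the dead child domain.
C:\> ntdsutil
ntdsutil: partition management
partition management: connections
server connections: connect to server FORESTROOT-DC01
server connections: quit
partition management: list
partition management: delete nc DC=DomainDnsZones,DC=child,DC=test,DC=com
partition management: delete nc DC=child,DC=test,DC=com
partition management: list
partition management: quit
ntdsutil: quit
```

Run "list" first and copy the DNs exactly as shown; "delete nc" is not reversible, and a typo in the DN simply fails while the wrong DN removes a partition you wanted. The second "list" should no longer show either naming context, after which dcpromo on the rebuilt server can create the child domain fresh.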

Problem solved!

PS - In case you're wondering, YES, I could have just used a new child domain name. But this would have left me with crap data left over from the original one, and I wanted my AD tree to stay clean.

Windows Server 2008 - Offline Disks

So, on a new Server 2008 install, I couldn't figure out why my system disk was showing up in My Computer, but my additional storage disk was not. Apparently Server 2008 sees drives as "SAN Drives" and so some particular security policies take effect that force additional drives to be Offline. I went into Disk Management and tried to bring it online, and got an error that "This Disk is Offline because of a policy set by the Administrator". If you ever have this problem, the following solution worked for me:

[Taken from http://www.astroarch.com/blog/?p=104#more-104]

Using ‘diskpart’ enter the following commands:

DISKPART> SAN POLICY=OnlineAll
DISKPART> RESCAN
DISKPART> SELECT DISK 1
DISKPART> ATTRIBUTES DISK CLEAR READONLY
DISKPART> ONLINE DISK
DISKPART> CONVERT MBR

NOTE 1: The disk number you select varies. Windows uses a 0-based index for disks, so the system disk should be Disk 0, and additional disks will be 1, 2, 3, etc. If you go into the Disk Management (Server Manager screen -> Storage -> Disk Management) you should see all the disks, and it will give you each of their Disk numbers. Once you use all the commands above, they will go from offline to online in Disk Management.

NOTE 2: The Convert MBR command may not work. That's fine. If it's not the primary/system/bootable disk, it won't have an MBR, so the command will most likely fail.

Tuesday, April 13, 2010

"Network Path Not Found"

I was CURSED with this error for 4 days trying to get WDS to work. I could capture an image and send it to the WDS server just fine, but I could not deploy any images.

Specifically, I could PXE boot to the WDS server and load the "Windows Vista Longhorn Setup" (aka boot.wim - with drivers added), but after hitting "Next" the prompt to authenticate to the WDS server came up, and the problems started. After putting in my valid Domain Admin credentials, I would eventually get a pop-up error box saying "Network Path Not Found."

I was getting the "network path not found" error earlier, but it was because I did not have the NIC drivers added to the boot.wim file. I've added those now. I can successfully CAPTURE images from the clients (this works fine). My issue occurs when I try to send an image to a client (re-image the client). I PXE boot to the WDS server, select the "Windows Vista Longhorn Setup" and it loads. I click next, then I am prompted to authenticate to my DC. I put in my account in the domain\administrator format, enter the password, and hit next. Around 30 seconds later, it pops up an error message that says "An error occurred while processing your request. The network path was not found". However, if I did a Shift-F10 to pull up the command prompt and do an ipconfig /all, I have all the IP information from DHCP. I could ping the server by IP and by its DNS name.

So, I started thinking I'd figure out how to do this through MDT 2010 and LiteTouch, instead of just through WDS. Then I had an issue where I would have needed to add the drivers to the winpe.wim file (I only added them to the boot.wim). I had already upgraded my WAIK to 3.0 (Windows 7 version) so that I could use MDT 2010. WAIK 3.0 DOES NOT let you work with Vista .wim files. So, I was going to load WAIK 2.0 on a laptop, and copy the winpe.wim file across the network from the server to the laptop, modify it, and push it back.

AND THEN I FOUND THE PROBLEM. When I did a "Start->Run->\\machine-name\share-name\", I got a NEW error, but it sounded like a cousin, or maybe even a brother, of the error I'd gotten with WDS. Here was the new error:

"no network provider accepted the given network path"

Interesting. A bit of googling landed me at multiple forum posts, but this one:

http://msmvps.com/blogs/nuoyan/archive/2004/11/07/18250.aspx

was the most helpful. Basically, it boiled down to this:

TURN ON FILE AND PRINT SHARING.

Specifically, in a Vista/Win7/Server 2008 system, go to Network -> Network and Sharing -> Turn on File and Print Sharing, then turn on "Everyone on the network has access" (you can decide read-only or allow everyone to change files as well). Also, go to "Manage Network Connections," go to the properties for the network adapter you're working with, and check the box beside "Microsoft File and Printer Sharing".

Make sure all that saves, then try to run WDS again. This worked for me! Hope it helps...
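An added example, not part of the original post: the same conditions checked from an elevated command prompt on a 2008-era server instead of through the GUI, so you can tell whether sharing is actually on before PXE booting another client. SERVER01 and Share are placeholder names.

```cmd
REM Added example; SERVER01 and Share are placeholders for your server and share names.
REM 1. The Server service (LanmanServer) answers SMB requests; if it is stopped, no share works.
sc query LanmanServer
REM 2. List what this box is actually sharing (ADMIN$, C$ and IPC$ appear by default).
net share
REM 3. The "File and Printer Sharing" firewall rule group corresponds to the Network and
REM    Sharing Center toggle. Show the inbound rules, then enable the group if they are off.
netsh advfirewall firewall show rule name=all dir=in | findstr /i /C:"File and Printer Sharing"
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
REM 4. From a second machine, repeat the Start -> Run -> \\machine\share test from the post.
net view \\SERVER01
dir \\SERVER01\Share
```

If step 4 still returns "network path not found" while the firewall rules are enabled and the service is running, check the adapter binding for "File and Printer Sharing for Microsoft Networks" as the post describes; the netsh rules only open the ports, they do not bind the protocol to the NIC.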

Wednesday, April 7, 2010

Windows Server 2008, DHCP, AD, and WDS

Ok, this has been RiDiCuLoUs!!!! After fighting, and fighting, and fighting, I have finally gotten this to work. It should've been easy, especially considering Microsoft provides so many menus, but it wasn't, so I'll pass along what I've learned.

First off, on a completely separate topic, if you ever lock out a Windows XP (Pro) user, right-click on My Computer, go to Manage, scroll down to Users and Groups, find that user, right-click, Properties, clear the "Account locked out" checkbox, and hit apply, then OK. That took up an hour of my day right there, since I was in AD mode, and forgot about the stand-alone computer management.

Second, when setting up Server 2008 as an AD server for a new domain in an existing forest, your typical enterprise network setup, BEWARE! What you may not know is that even if you are the local admin, or a domain admin, if your user is not a member of the Enterprise Admins group of the PARENT domain (ex: new domain is forrest.test.com; parent domain is test.com) then you will NOT be able to configure several items. For example, you can add the DHCP server role, but if you're not an Enterprise Admin of the parent domain, you cannot Authorize the DHCP server....Interesting, not sure why that is, but it is. Also, for WDS to work, you must authorize it with the DHCP server. You need to be a parent domain enterprise admin to do this as well.

Also, AD automatically adds the DNS role as well. However, for WDS to function correctly, you also need a REVERSE DNS zone, which is not added by default. Adding one is simple: just go to the Server Manager, Roles, DNS, and right-click on the server name. Select "Add Zone" from the menu, select "Reverse Zone" and follow the prompts.

Last, if you set up the WDS role on the same server that is running the DHCP role, watch out! You MUST select the "Don't listen on port 67" option in the WDS setup wizard. This is because DHCP is already listening on (has already bound) UDP port 67, so your WDS service will fail to start. Also, before you can actually get WDS to run, you have to configure it (yeah, sounds like common sense, I know). But what's funny is that configuring it is not part of the setup wizard. First you have to install it, then go to Start -> Administrative Tools -> WDS. In the window that pops up, right-click on your server name, and select "Configure Server." After this, it should run.
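As an added example (not from the original post), here is the same WDS-beside-DHCP configuration done with wdsutil from an elevated command prompt, with a check up front that it really is the DHCP Server service holding UDP 67. The RemoteInstall path D:\RemoteInstall is a placeholder; put it on a non-system volume.

```cmd
REM Added example; D:\RemoteInstall is a placeholder path on a non-system volume.
REM 1. See which process already owns UDP port 67 (the DHCP Server service, if installed here).
netstat -ano -p udp | findstr ":67 "
REM    Map the PID in the last column to its service: tasklist /svc /fi "PID eq <pid>"

REM 2. Configure the server; this is the right-click -> "Configure Server" step from the GUI.
wdsutil /Verbose /Progress /Initialize-Server /RemInst:"D:\RemoteInstall"

REM 3. DHCP owns UDP 67 on this box, so stop WDS from listening on it and have DHCP
REM    option 60 (PXEClient) tell PXE clients that a WDS server is present instead.
wdsutil /Set-Server /UseDHCPPorts:No /DHCPOption60:Yes

REM 4. Start the service and confirm the settings took.
net start WDSServer
wdsutil /Get-Server /Show:Config
```

If WDS and DHCP live on different servers, leave UseDHCPPorts at its default of Yes and skip the option 60 setting; the two switches are only for the co-located case the post describes.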

This took a LOT of googling, but that's the final result.

Now that all this runs, I can figure out how to use the MDT 2010 software to dump my master images to the server so I can deploy these to new clients.

Friday, March 5, 2010

Education and Certs

So, here's a question. I'm already working in Information Security. Started out as an Auditor (compliance scans, analysis, etc). Now I'm an IA Task Lead, and I'm responsible for the Certification and Accreditation of a Systems Integration Lab Facility (asset management, configuration management, network security, system security, the whole 9 yards).

Am I qualified? I think so: I have a Bachelor of Science in Telecommunications Systems Management with a Concentration in Information Security. I have the following certs: CCNA, Security+, OSCP (awesome!), CEH, and ATSP (the Adtran CCNA equivalent). I'm about to do Linux+, CCNA Security, and CISSP.

Here's my first question: I want to start a Master's program, and I've looked at several. I like working in IA, but I don't want to trap myself in it either because I also enjoy systems analysis and design, and I'd like to move into management after a few years. So, do I do an MS in IA, an MS in Information Systems and concentrate in IA, or do I just leave the technical to certs, and get my MBA to help me get into management?

And my last question: As far as HR/Hiring Managers go, what is more important for mid- to upper-level positions? The certs that show I know about the field and experience, or a graduate degree specific to the field? (i.e. would it hurt me to get an MBA if I was staying in IA for a while?)

And last, as an FYI, I'm also involved in pen-testing, and would like to continue to be. So, I don't want to sabotage that either... so many variables.

Friday, April 24, 2009

First official post

Hello everyone! Based on the recommendation of several professors and professionals at this year's ITERA conference in Atlanta, I am creating a "professional blog." I don't necessarily know how often I will post, but I will at least attempt to make sure that all posts I do make are of good professional quality, and are worth the time to read.

In this post, I might as well introduce myself. To start, my name is Forrest Carver (if you haven't gathered that so far). I've just graduated from Murray State University, and have taken a job in Huntsville, Alabama working as an Information Assurance Analyst with Dynetics, Inc. I look forward to starting work there in the next few weeks. Hopefully I will soon have something useful to post here, so stay tuned!

-Forrest

PS - feel free to follow my twitter, which is updated much more regularly, at www.twitter.com/forrestcarver.