Server core domain controller installation HELP!!

Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
Hi, i'm trying to create a domain controller on my server core machine for my starwars.com domain. I'm entering:

install-addsdomaincontroller -domainname starwars.com -credential (get-credential starwars\administrator) -installationmediapath "e:\IFM"

I'm entering the credentials in the popup box and it then wants me to enter the safe mode administrator password, which i do not know and i have forgotten. Is it the safe mode administrator password for the local server core machine or the one on the primary DC?
After i try and enter one it responds with an error saying it could not verify the users credentials.

Is it best me just deleting the server core hyper-v machine and just starting again and remembering the password this time.

Comments

  • gespensterngespenstern Member Posts: 1,243 ■■■■■■■■□□
    For local machine. The same as local admin password. The same as SAM administrator password.

    If you are able to issue such a command on a server core server it means that somehow you can work on it not having a password and if you work on it with admin rights just issue a net user command to reset local administrator's password.

    If you already lost any admin control over it, it still recoverable unless you use bitlocker. Download any offline SAM editing tool such as ntpasswd or locksmith and reset the password from a bootable device.
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    Just to be sure i reset the DSRM password just then to something i could remmeber, i tried the commands again and i'm still getting the same errors! I tried 2 different DSRM passwords when prompted this time, the local administrator password for the server core machine and the domain controller DSRM password. I havent tried the DC normal admin password in it though.

    I dont know why this isn't working to be honest. The server core machine is not a member of the domain at the moment but that shouldn't matter for this should it?
  • gespensterngespenstern Member Posts: 1,243 ■■■■■■■■□□
    Robbo777 wrote: »
    Just to be sure i reset the DSRM password
    What DSRM password? You don't have one according to your description as you are about to promote a regular server to a DC. "DSRM password" applies to DCs only. You need to supply a local admin password of the server you are trying to promote.
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    What DSRM password? You don't have one according to your description as you are about to promote a regular server to a DC. "DSRM password" applies to DCs only. You need to supply a local admin password of the server you are trying to promote.

    The DSRM password of my primary gui DC, the server core one isn't a domain controller yet so quite right i cant change the password.

    I'm typing the admin password for the sever core machine for the safe mode administrator password prompt and its still not doing anything. I'm getting the same "Cannot validate user credentials" message
  • ArkrainArkrain Member Posts: 55 ■■■□□□□□□□
    Robbo777 wrote: »
    Just to be sure i reset the DSRM password just then to something i could remmeber, i tried the commands again and i'm still getting the same errors! I tried 2 different DSRM passwords when prompted this time, the local administrator password for the server core machine and the domain controller DSRM password. I havent tried the DC normal admin password in it though.

    I dont know why this isn't working to be honest. The server core machine is not a member of the domain at the moment but that shouldn't matter for this should it?

    Add to the domain, and then try again.
  • BornToBeMildBornToBeMild Member Posts: 69 ■■□□□□□□□□
    When you run the install-addsdomaincontroller command, the safe mode administrator password it asks for is a new DSRM password for the server you're promoting. It doesn't get checked against any existing password.

    I suspect the "Cannot validate user credentials" message relates to the domain credentials you supplied for the promotion. Do you have your DNS pointing to the existing DC? Can you ping the domain name?
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    Thanks for the first clarification, and i set the DNS on the server core to point to the primary GUI domain controller which solved that error so thanks for that. I now have another error (typical), its telling me that my directory for c:\IFM does not exist and i'm assuming thats because i dont have a file in the server core machine and i'm telling it to look on the C drive of my GUI machine haha, so how do i go about creating or loading those files into the core machine from my USB drive i have them on to?

    Another query more than a problem i suppose, when it comes up with the inevitable "cannot create a delegation for this DNS server because the parent zone cannot be found", I was just wondering, i dont actually need to create a delegation for this server do I because its in the same domain "starwars.com", the new domain controller i want to create is not for a different subdomain. So is all that is needed is 1 host record on each sever pointing to each other in the main zones? (Go easy on me still with DNS on server 2012, i've a far greater understanding of it now but with EVERYTHING in it i'm still trying to take it all in)

    Thanks again
  • BornToBeMildBornToBeMild Member Posts: 69 ■■□□□□□□□□
    Try it without the -installationmediapath "e:\IFM" option. IFM is actually an advanced option that needs a file generated from your other DC, designed to reduce replication across a slow network.

    You can ignore the delegation message. I think your DC is trying to tell the .com servers that starwars.com has a new name server. Reassuringly for whoever owns that domain, the .com servers are refusing that request.

    OK, I'll go easy :). Think of DNS as a way of translating names to IP addresses. A client PC would usually have just one host record (type A). A domain controller on the other hand registers a bunch of records in it's domain, all of which serve a specific purpose. That's probably why you're confused.

    My advice would be don't try to understand everything at once. The more you use it, the easier it gets.
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    I'm trying to install it from media though that i have saved on my USB drive. It will more than likely work if i take it out and wont the replication just take place over the DC then?
    Question actually with that in mind then...How often does replication take place and what protocol and services are used in this? Is the DFS used for this along with a protocol?

    Yeah, i'm aware of most of the processes in DNS now, one or 2 creep up though now and then that i'm not sure of.
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□

    I've just gone to install the DC without the install from media, i've left it to install but how long does it normally take? This has been going on for about an hour now, i know its on a hyper-v machine but still, i'm thinking something else has gone wrong with this. Is this normal?
  • gespensterngespenstern Member Posts: 1,243 ■■■■■■■■□□
    More or less. Depends on how fat your directory is.

    In large enterprises, it can take tens of hours to promote a DC without IFM option.
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    So is it replicating all the data across the DC right now? Everything from polices to DNS records?
  • BornToBeMildBornToBeMild Member Posts: 69 ■■□□□□□□□□
    I wouldn't expect it to take more than a couple of minutes. It looks like you are running your new DC in a VM on your DC. While I can't immediately think why that might be a problem, its not something I've done. Have you checked the performance of the VM and Host PC?
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    Everything is running fine and the PC isnt at full max on any of its hardware, not even close. No idea why its taking so long.
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    I have fixed the problem, i just canceled the installation and looked at the event log on my main domain controller and it said that the KCC needed my admin password changed on my primary DC.

    I now have the DC running on server core along with DNS, but i want to make the starwars.com zone on the server core machine a secondary zone! But it seems as if the server core machine has adopted all the zones and records but i dont know if they're primary zones or not! i;m assuming they're but i dont know what has actually gone on behind the scenes with all of this because I've never installed a DNS server on a server core machine before, any knowledge and advice would be appreciated here.
  • BornToBeMildBornToBeMild Member Posts: 69 ■■□□□□□□□□
    If you want to see what's going on on a server core machine you could just add the GUI - no need to reinstall anything.

    You could also administer DNS on the server core machine remotely from the GUI server. Just run the DNS console and add the remote server. If you look at the properties of the starwars.com zone, you'll see the type is "Active Directory Integrated". It should also say something like "Replicate to all DNS servers in the Domain."

    That's why you don't need (or want) to create a secondary zone. When you promoted the DC and made it a DNS server, it replicated the zone for you. Active Directory integration is a Microsoft "add-on" to DNS. It incorporates the zone into the appropriate partition in the AD database, and then replicates changes with it's other replication traffic. This essentially gives the multi-master functionality of AD to DNS.
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    Thanks for the tip, i've wondered how to go about that, i've tried to add it by selecting "connect to dns server" on my gui server and entered in my server core machine but i keep getting "access denied" back. Any idea why?
  • BornToBeMildBornToBeMild Member Posts: 69 ■■□□□□□□□□
    Probably the server firewall, try running this PS command on Server Core:

    Enable-NetFirewallRule -DisplayGroup "Remote Administration"

    For all the options see this

    https://technet.microsoft.com/en-gb/library/jj574205.aspx
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    Thanks for the tip but all i got was a message back saying no object found for display group remote administrators, i'm not sure what that means.
  • BornToBeMildBornToBeMild Member Posts: 69 ■■□□□□□□□□
    I just checked on my server and got the same result, rule group doesn't exist - interesting. Looking on my 2008 R2 server that rule group does exist. The document says it applies to 2012 R2, but maybe they didn't update it properly. In any case, since both servers are on the same domain it should work as long as Remote Management is enabled. Run sconfig and check option 4.

    If Configure Remote Management is set to Enabled it should work.
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    I just checked on my server and got the same result, rule group doesn't exist - interesting. Looking on my 2008 R2 server that rule group does exist. The document says it applies to 2012 R2, but maybe they didn't update it properly. In any case, since both servers are on the same domain it should work as long as Remote Management is enabled. Run sconfig and check option 4.

    If Configure Remote Management is set to Enabled it should work.

    Thanks for the tip, i used sconfig to enable remote desktop and management but no luck and it doesn't seem to have any network discovery services running also such as SSDP etc... and they cant be started also because they're not visible in the get-service command, strange.
Sign In or Register to comment.