It's been a long time since I've posted, but my desire to write has returned, and I've written down a number of projects to post about in the coming days and weeks.
Today's tale is a cautionary one, which I hope can save you some grief (and money) down the road.
A couple of months ago, I was replacing my primary domain controller. By "primary", I mean that this was DC number 1. It's a physical box (as opposed to my other 4 virtual DCs), and it runs my DHCP scope, the domain's external NTP client, and holds all of the FSMO roles.
I've done this a few times and have a checklist, so I really wasn't that concerned. I had some issues when migrating DHCP to another 2008R2 DC. Old DHCP superscopes which had been removed somehow made their way back, and not all server options were transferred correctly. This wouldn't be apparent for a couple of days because, silly me, I trusted a Microsoft migration process. Next time I'll just rebuild the DHCP from scratch, thankyouverymuch.
My problem came when I was demoting DC1. I couldn't. I kept getting access denied messages, despite trying multiple logins and multiple group membership combinations (Domain Admins, Enterprise Admins, DNS Admins, Schema Admins, all of the above, some but not others). Furthermore, my DCDIAG runs, which I do daily, had all been sparkling clean for some time. Finally, at the end of my rope and with my Google-Fu failing me, I decided to bite the bullet and call MS support (which I've found is really good, by the way). This was after hours, so it ended up costing about $500.
After poking around, support came to the conclusion that we should forcefully remove the problematic domain controller and do a manual cleanup of Active Directory. We still had problems altering the computer object, due to some funky permission issues. After changing them manually, this rectified the problem, but they, and I, still didn't know the actual root cause of the issue.
As often occurs, after stepping away from the problem the answer hit me like a lightning bolt. The next day while eating breakfast, I remembered:
A while ago I used PowerShell to enable the "Protect object from accidental deletion" feature on every user, computer, and group object in my Active Directory. I did this to protect myself from doing something stupid, like pressing a sequence of keyboard shortcuts while my window focus was in the wrong place and screwing up AD.
I looked at my other domain controllers and they all had the "Protect object from accidental deletion" option enabled. You can see this if you open Active Directory Users and Computers, click the View menu and then "Advanced Features". Now open a computer or user and click on the "Object" tab.
Fast forward a couple of weeks, and it was time to rebuild another DC. I had the same issue with demoting the domain controller. I went into AD and unchecked this box, then let it sit for 15 minutes to let AD replicate. When I tried again, I had no issues!
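The manual fix above (uncheck the box, wait for replication, retry the demotion) can be folded into a pre-demotion check. The script below is an added example, not the author's original script; it assumes the ActiveDirectory RSAT module is installed, that you run it as a member of Domain Admins, and it uses the placeholder name `DC1` for the DC being demoted. It lists every domain controller computer object that still carries the flag, clears it only on the target DC (honouring `-WhatIf`), and then reads the object back from every other DC so you can confirm the change has replicated before running the demotion.

```powershell
# Added example: audit and clear "Protect object from accidental deletion"
# on a domain controller's computer object before demoting it.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder: the DC you intend to demote.
    [string]$DemoteTarget = 'DC1',
    # Seconds to wait before re-checking every DC (the author waited ~15 minutes).
    [int]$ReplicationWaitSeconds = 900
)

Import-Module ActiveDirectory

# 1. Audit: which DC computer objects still carry the protection flag?
$dcs = Get-ADDomainController -Filter *
$protected = foreach ($dc in $dcs) {
    Get-ADObject -Identity $dc.ComputerObjectDN -Properties ProtectedFromAccidentalDeletion |
        Where-Object { $_.ProtectedFromAccidentalDeletion }
}
Write-Host 'Domain controllers protected from accidental deletion:'
$protected | Select-Object Name, DistinguishedName | Format-Table -AutoSize

# 2. Clear the flag only on the DC being demoted.
$target    = Get-ADDomainController -Identity $DemoteTarget
$targetObj = Get-ADObject -Identity $target.ComputerObjectDN -Properties ProtectedFromAccidentalDeletion
$changed   = $false
if ($targetObj.ProtectedFromAccidentalDeletion) {
    if ($PSCmdlet.ShouldProcess($targetObj.DistinguishedName, 'Clear ProtectedFromAccidentalDeletion')) {
        Set-ADObject -Identity $targetObj -ProtectedFromAccidentalDeletion $false
        $changed = $true
    }
} else {
    Write-Host "$DemoteTarget is not protected; nothing to clear."
}

# 3. Confirm every DC has received the change before running the demotion.
if ($changed) {
    Write-Host "Waiting $ReplicationWaitSeconds seconds for replication..."
    Start-Sleep -Seconds $ReplicationWaitSeconds
    foreach ($dc in $dcs) {
        $seen = Get-ADObject -Identity $target.ComputerObjectDN -Server $dc.HostName `
                             -Properties ProtectedFromAccidentalDeletion
        '{0,-35} ProtectedFromAccidentalDeletion={1}' -f $dc.HostName, $seen.ProtectedFromAccidentalDeletion
    }
    Write-Host 'Proceed with the demotion only once every DC reports False.'
}
```

Run it first with `-WhatIf` to see what would change. The checkbox is implemented as explicit Deny ACEs (Delete and Delete Subtree) on the object, which is why a blanket "protect everything" script produces access denied errors on operations that are otherwise fully permitted to Domain Admins, and why DCDIAG, which does not evaluate those ACEs, stays clean.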