Active Directory replication between multiple controllers fails - active-directory

I am coming to the forum because I have a big problem with the replication of my domain controllers.
Let me explain the situation:
Context:
I have 2 local sites connected with IPSec; let's call them site A and site B.
In each site I have two domain controllers; let's call them DC1 and DC2 for site A and DC3 and DC4 for site B.
The 4 controllers are synchronized with each other, both inter-site and intra-site.
The 2 DCs of site A are virtualized with Hyper-V.
The 2 DCs of site B are physical.
Normally DC1 is the master DC.
Problem:
I ran a domain configuration audit script on DC1 that was supposed to run in audit mode but unfortunately made big changes on the domain. Basically the script applied the best practices of all the CIS checkpoints (which in fact is fine), but it impacted the business of the company. This is because all the DCs synced with DC1, which pushed the changes automatically to the other DCs.
Fortunately, we have an extremely recent backup (snapshot) of the Hyper-V VM that we used to restore DC1. However, when we start the restored DC1 VM, the other DCs (2, 3, 4) that have the bad changes replicate them to DC1 automatically (within 15 seconds), so we can't restore our domain controllers from the DC1 snapshot.
In order to find a solution, we disabled the automatic replication, INBOUND and OUTBOUND, on DC2, DC3 and DC4 (repadmin /options DCx +DISABLE_INBOUND_REPL and repadmin /options DCx +DISABLE_OUTBOUND_REPL), then restored the snapshot of the DC1 VM and started DC1. It works perfectly: DC1 keeps the good modifications (the old ones, from before the script execution), so we now want to apply the settings of DC1 to all the DCs to get a homogeneous domain. So we force the replication from DC1 to the other DCs with the command: Repadmin /syncall DC1 /APed.
This propagated the good configuration of DC1 to the other DCs, so it's perfect.
However, when re-enabling the INBOUND and OUTBOUND automatic replication on the DCs (repadmin /options DCx -DISABLE_INBOUND_REPL and repadmin /options DCx -DISABLE_OUTBOUND_REPL), the bad modifications unfortunately reappeared and propagated to all the DCs almost immediately.
How is this possible, knowing that at a given time "T" all 4 domain controllers had the old good configuration (from before the script was executed)?
Where did the DCs go to get the wrong configuration (from after the script was executed)?
How do we keep the right config on all the DCs once we reactivate replication by re-enabling INBOUND and OUTBOUND?
I thank you in advance for your answers; the situation is very critical.
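The procedure described in the question (freeze replication on the other DCs, restore the reference DC, push its state outward, re-enable replication) is the kind of thing that is safer to run as a script with verification between the steps than as a series of hand-typed repadmin commands. The PowerShell below is an added example, not code from the original post: it wraps the same repadmin /options and repadmin /syncall calls the poster used, records each DC's up-to-dateness vector before and after the forced sync so you can see which direction attribute changes actually flowed, and checks whether the restored DC has flagged a USN rollback (Directory Service event 2095/2103 and the "Dsa Not Writable" value under the NTDS Parameters key), which is the state a DC booted from a VM snapshot can end up in. The DC names are constructed placeholders; the script assumes the ActiveDirectory RSAT module and repadmin.exe are available and that it runs as a Domain Admin with remoting to the DCs.

```powershell
# Added example (not from the original post). Assumes: ActiveDirectory module,
# repadmin.exe, Domain Admin rights, PowerShell remoting to each DC.
# DC names below are constructed placeholders for the poster's DC1..DC4.
#Requires -Modules ActiveDirectory
param(
    [string]$ReferenceDC = 'DC1.corp.example',          # DC holding the state you want to keep
    [string[]]$OtherDCs  = @('DC2.corp.example', 'DC3.corp.example', 'DC4.corp.example')
)

function Set-DcReplication {
    # Toggle the two repadmin options the question uses on one DC.
    param([string]$Dc, [ValidateSet('Disable', 'Enable')][string]$Action)
    $sign = if ($Action -eq 'Disable') { '+' } else { '-' }
    foreach ($opt in 'DISABLE_INBOUND_REPL', 'DISABLE_OUTBOUND_REPL') {
        & repadmin.exe /options $Dc "$sign$opt" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "repadmin /options $Dc $sign$opt failed ($LASTEXITCODE)" }
    }
}

function Get-ReplicationSnapshot {
    # Each DC's view of the highest USN it has already seen from every partner.
    # Comparing two snapshots shows whether the forced sync moved the vectors as expected.
    param([string[]]$Dcs)
    foreach ($dc in $Dcs) {
        Get-ADReplicationUpToDatenessVectorTable -Target $dc |
            Select-Object @{n = 'ViewedOn'; e = { $dc }}, Server, Partition, UsnFilter, LastReplicationSuccess
    }
}

function Test-UsnRollback {
    # A DC restored from a VM snapshot may detect USN rollback; it then logs event 2095
    # (and 2103 when it stops replicating) and sets 'Dsa Not Writable' to quarantine itself.
    param([string]$Dc)
    $events = Get-WinEvent -ComputerName $Dc -MaxEvents 5 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 }
    $flag = Invoke-Command -ComputerName $Dc -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
            -ErrorAction SilentlyContinue).'Dsa Not Writable'
    }
    [pscustomobject]@{ DC = $Dc; RollbackEvents = @($events).Count; DsaNotWritable = $flag }
}

# 1. Freeze the DCs that hold the unwanted changes.
foreach ($dc in $OtherDCs) { Set-DcReplication -Dc $dc -Action Disable }

# 2. Restore the reference DC from the snapshot and boot it (manual step, as in the post).
Read-Host "Restore and boot $ReferenceDC from the snapshot, then press Enter"

# 3. Record the starting state and check whether the restored DC noticed a rollback.
$allDcs = @($ReferenceDC) + $OtherDCs
$before = Get-ReplicationSnapshot -Dcs $allDcs
Test-UsnRollback -Dc $ReferenceDC | Format-List

# 4. Push the reference DC's state outward (same command the post used).
& repadmin.exe /syncall $ReferenceDC /APed

# 5. Compare vectors and only re-enable replication once the diff looks right.
$after = Get-ReplicationSnapshot -Dcs $allDcs
Compare-Object $before $after -Property ViewedOn, Server, Partition, UsnFilter | Format-Table -AutoSize
if ((Read-Host 'Re-enable replication on the other DCs? (y/n)') -eq 'y') {
    foreach ($dc in $OtherDCs) { Set-DcReplication -Dc $dc -Action Enable }
    & repadmin.exe /showrepl $ReferenceDC /errorsonly
}
```

Run it from a management host rather than on a DC, and keep the output of both snapshots: if the restored DC reports rollback events or a non-empty "Dsa Not Writable" value, it has quarantined itself, and re-enabling replication on the other DCs will not make it authoritative. The vector comparison is the evidence you want before the last step, not after.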

Related

How can I get alerted if the master's GTID differs from the slave's?

MaxScale distributes the requests to the MariaDB database -> master/slave server on which the database is located.
What I need is a script running as a cron job or something similar which verifies the GTID of the master and the slaves. If a slave's GTID differs from the master's GTID, I want to be informed/alerted via email.
Unfortunately I have no idea if this is possible somehow and how to do it.
You can enable gtid_strict_mode to automatically stop the replication if GTIDs from the same domain conflict with what is already in the binlogs. If you are using MaxScale, it will automatically detect this and stop using it.
Note that this will not prevent transactions from other GTID domains from causing problems with your data. This just means you'll have to pay some attention if you're using multi-domain replication.
If you want to be notified of this, you can use the script option in MaxScale to trigger a custom script to be launched whenever the server stops replicating.

Databasemail working for live environment but not test environment on the same SQL Server instance

One of our offices has an application that utilizes databasemail to send emails from the application to users listed in the application's user directory.
In their live environment, the emails are sent without issue. On their training environment, the emails are not sent. On the application side, the settings to send emails are the same, and the database on the training side is a copy of the live database from a recent restore.
I've tried checking the databasemail logs, but the only events are event_type of information, mostly "DatabaseMail process is started", usually followed 10-20 minutes later by a "DatabaseMail process is shutting down" message.
I'm at a loss for why messages for the live database are working while the training database isn't, even though both databases are on the same SQL Server instance and the applications both live on the same server.
Your live and test environments must have the same permissions to run the Database Mail service. Check that your test user has the DatabaseMailUserRole in the msdb database, as well as any other permissions which could be needed to run some part of your application, e.g. stored procedures in the test database querying msdb, etc.

Why is my AWS database only connectable in the first few minutes?

I created a MySQL database in AWS RDS and successfully connected to it from MySQL Workbench and a Spring Boot application. However, it only works for 10 to 20 minutes. Then I can't connect to it anymore.
If I delete the database and create a new one, the same problem happens. It only works in the beginning. Although I haven't changed anything since I created the databases, they still stopped being connectable.
What could possibly be causing it?
Can you check the security group attached to the RDS instance? If you specified a rule to allow access from a specific IP address/address space, maybe the IP has changed.
Reference - RDS Security Groups

Start the DC VM on a Windows 2008 R2 cluster that needs the DC

We inherited the following architecture:
2 physical servers running Windows 2008 R2
a SAN
The 2 servers are clustered and use a common LUN that contains all our production Hyper-V VMs. The primary domain controller is also a Hyper-V VM.
Our problem is the following: the power went out for a while. When starting the 2 hardware machines back up, the cluster node can't mount because the Active Directory ID can't be found (which is normal, as the VM is not started).
Here is the error message: Cluster network name resource 'xxxx' cannot be brought online, Unable to get Computer Object using GUID
Thus, if the cluster node can't start, it is impossible to access the LUN.
And we are unable to find a single backup of the DC.
Is there a way to force the cluster to start without the GUID?
Thanks a million in advance :(
PS: recent IBM hardware for all 3
I haven't messed with hardware cluster servers for a while, but it used to be best practice to have cluster node DCs in their own domain if it were likely that they could start without being able to contact a DC, for exactly the reason you stated.

ActiveDirectory Provider Failover Best Practices

ActiveDirectory Server 2003
I am using the ActiveDirectoryMembershipProvider and ADroleProvider. They work great. Until my active directory server restarts in the middle of the day to get updates. (I'm not in charge of the server and can't change this). When this happens, for the five minutes the server is rebooting, my users can't use my website because I've tied my menu to the Role Provider. So, here are my questions:
Is it possible to tell my RoleProvider to use the "next" available ADS? If so, how so that while the initial one reboots, I don't frustrate my users with ADS connection messages?
Should I be using some kind of connection pool that automatically reconnects to the available server? If so, how?
Let's imagine that all my active directory servers go down. Is there a way to keep my web application running? Obviously there are bigger problems if all servers are down, but what I'm after is a possible "disconnected" active directory authentication that will still move forward if the server somehow goes kaput. Is this wise AND possible?
You probably have the server connection string set to "server01.domain.local". If you change it to just "domain.local" you're no longer depending on "server01" being online. Instead you will use the Round Robin feature of Active Directory DNS to get a list of all domain controllers and use one that's online. (I don't think your admins reboot all of the domain controllers at the same time...)
Also try running nslookup domain.local a couple of times in succession in a command prompt to see the order changing.