SYSVOL is a folder shared by every domain controller to hold logon scripts, Group Policy objects and other items related to Active Directory. All the domain controllers in the network replicate the content of the SYSVOL folder. The default path for the SYSVOL folder is %SystemRoot%\SYSVOL; this path can be defined when you install Active Directory.
Windows Server 2003 and 2003 R2 use the File Replication Service (FRS) to replicate SYSVOL folder content to other domain controllers, but Windows Server 2008 and later use Distributed File System Replication (DFSR) for the replication. DFSR is more efficient than FRS. Since Windows Server 2003 is going out of support, most people have already migrated or are still looking to migrate to the latest versions. However, migrating the FSMO roles WILL NOT migrate SYSVOL replication from FRS to DFSR. Many engineers forget this step when they migrate from Windows Server 2003 to newer versions.
For the FRS to DFSR migration we use the Dfsrmig.exe utility. More information about it is available at https://technet.microsoft.com/en-au/library/dd641227(v=ws.10).aspx
For the demo I am using a Windows Server 2012 R2 server, and I have already migrated the FSMO roles from a Windows Server 2003 R2 server.
In order to proceed with the migration, the forest functional level must be set to Windows Server 2008 or later. So if your organization has not done this yet, the first step is to get the forest and domain functional levels updated.
You can verify whether the system still uses FRS with dfsrmig /getglobalstate. To do this:
1) Log in to a domain controller as Domain Admin or Enterprise Admin
2) Launch a PowerShell console and type dfsrmig /getglobalstate. The output shows that the DFSR migration has not been initiated yet.
Before moving on to the configuration we need to look at the stages of the migration.
There are four stable states, one for each of the four migration phases:
1) State 0 – Start
2) State 1 – Prepared
3) State 2 – Redirected
4) State 3 – Eliminated
State 0 – Start
In this state, FRS replicates the SYSVOL folder among the domain controllers. It is important to have an up-to-date copy of SYSVOL on every domain controller before beginning the migration process, to avoid conflicts.
State 1 – Prepared
In this state, while FRS continues replicating the SYSVOL folder, DFSR replicates its own copy of SYSVOL. By default it is located in %SystemRoot%\SYSVOL_DFSR. This copy does not yet respond to SYSVOL service requests from other domain controllers.
State 2 – Redirected
In this state the DFSR copy of SYSVOL starts responding to SYSVOL service requests. FRS continues replicating its own SYSVOL copy but is no longer involved in production SYSVOL replication.
State 3 – Eliminated
In this state, DFS Replication continues its replication and serves SYSVOL requests. Windows deletes the original SYSVOL folder used by FRS replication and stops FRS replication.
To migrate from FRS to DFSR you must go through State 1, State 2 and State 3 in order.
Let’s look at the migration steps.
Prepared State
1. Log in to a domain controller as Domain Admin or Enterprise Admin
2. Launch a PowerShell console
3. Type dfsrmig /setglobalstate 1 and press Enter
4. Type dfsrmig /getmigrationstate to confirm that all domain controllers have reached the Prepared state
Redirected State
1. Log in to a domain controller as Domain Admin or Enterprise Admin
2. Launch a PowerShell console
3. Type dfsrmig /setglobalstate 2 and press Enter
4. Type dfsrmig /getmigrationstate to confirm that all domain controllers have reached the Redirected state
Eliminated State
1. Log in to a domain controller as Domain Admin or Enterprise Admin
2. Launch a PowerShell console
3. Type dfsrmig /setglobalstate 3 and press Enter
4. Type dfsrmig /getmigrationstate to confirm that all domain controllers have reached the Eliminated state
This completes the migration process. To confirm the SYSVOL share, type net share and press Enter.
Also make sure that on each domain controller the FRS service is stopped and disabled.
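As an added example (my own script, not the author's), here is a PowerShell script that drives the three state changes above, waits for every domain controller to reach each state before advancing, and then runs the final checks (net share, FRS stopped and disabled). It assumes Windows PowerShell 5.1 with the ActiveDirectory module on a domain controller, and that the "has reached a consistent state" line in dfsrmig output marks completion.

```powershell
# Added example, not from the original post: drives the dfsrmig state machine from
# a domain controller and verifies FRS is retired afterwards. Assumes Windows
# PowerShell 5.1 on a DC with the ActiveDirectory module, run as Domain/Enterprise Admin.
Import-Module ActiveDirectory

# Prerequisite from the post: forest functional level must be Windows Server 2008 or later.
$forest  = Get-ADForest
$minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest
if ([int]$forest.ForestMode -lt [int]$minimum) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2008 or later first."
}

function Wait-DfsrMigrationState {
    param([int]$State, [int]$TimeoutMinutes = 60)
    $names = 'Start', 'Prepared', 'Redirected', 'Eliminated'   # the four stable states
    Write-Host "Setting global state $State ($($names[$State]))"
    dfsrmig /setglobalstate $State | Out-Host
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 60
        $status = (dfsrmig /getmigrationstate) -join "`n"
        Write-Host $status
        # Assumption: dfsrmig prints "Migration has reached a consistent state on all Domain
        # Controllers" only once every DC is at the target state (while in progress it says
        # "has not yet reached"), so this match does not fire early.
        if ($status -match 'has reached a consistent state') { return $true }
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for state $State; check AD replication (repadmin /syncall) and rerun."
}

# Prepared -> Redirected -> Eliminated, as in the post; a state is never skipped.
foreach ($s in 1, 2, 3) { Wait-DfsrMigrationState -State $s | Out-Null }

# Post-migration checks from the post: SYSVOL is shared, and the FRS service (NtFrs)
# is stopped and disabled on every domain controller.
net share | Out-Host
foreach ($dc in Get-ADDomainController -Filter *) {
    $svc = Get-Service -ComputerName $dc.HostName -Name NtFrs -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Host "$($dc.HostName): NtFrs not present"; continue }
    if ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled') {
        Write-Host "$($dc.HostName): NtFrs stopped and disabled"
    } else {
        Write-Warning "$($dc.HostName): NtFrs is $($svc.Status)/$($svc.StartType); stop and disable it."
    }
}
```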
Sometimes you will want to install a switch or router update, and you will find that there is not enough space:
root@Switch01> request system software add /var/tmp/ex-2300-18.3R1.9.tgz reboot
ERROR: estimate of space required: 115 Mbytes, available: 89 Mbytes
One option is to request a ‘cleanup’. The dry-run option below lists the files that are candidates to be removed. If you’re happy with the list, run the command again without ‘dry-run’ to do the actual cleanup.
root@Switch01> request system storage cleanup dry-run
fpc0:
--------------------------------------------------------------------------
List of files to delete:
Size Date Name
6B Jan 1 13:07 /var/jail/tmp/alarmd.ts
7416B Jan 1 14:01 /var/log/interactive-commands.0.gz
25.1K Jan 1 14:01 /var/log/messages.0.gz
27B Jan 1 10:03 /var/log/wtmp.0.gz
27B Jan 1 10:06 /var/log/wtmp.1.gz
45B Jan 1 10:05 /var/preserve/jdhcp_client_data
45B Jan 1 10:05 /var/preserve/jdhcp_client_data_bkp
50B Jan 1 10:36 /var/tmp/bcast.bdisp.log
73B Jan 1 10:36 /var/tmp/bcast.disp.log
57B Jan 1 10:36 /var/tmp/bcast.rstdisp.log
64B Jan 1 10:36 /var/tmp/bcast.undisp.log
321.4M Jan 1 13:44 /var/tmp/ex-2300-18.3R1.9.tgz
4740B Jan 1 10:04 /var/tmp/ex_autod_config
3701B Jan 1 10:03 /var/tmp/ex_autod_rollback_cfg
6298.8K Jan 1 13:44 /var/tmp/jweb-ex-app-x86-32-18.3A1.tgz
57B Jan 1 10:03 /var/tmp/krt_rpf_filter.txt
72B Jan 1 13:53 /var/tmp/package.log
42B Jan 1 10:05 /var/tmp/pfe_debug_commands
0B Jan 1 10:06 /var/tmp/pkg_cleanup.log.err
0B Jan 1 10:03 /var/tmp/rtsdb/if-rtsdb
0B Jan 1 10:04 /var/tmp/stable
WARNING: This cleanup cleans out the /var/tmp directory, which may contain the image that you’re trying to install.
Cleaning up Packages
Sometimes a regular cleanup will not free up enough space, especially after the system has been updated.
In this case, we can look at cleaning up unused packages:
User@Switch01> start shell user root
root@Switch01:RE:0% pkg setop rm previous
root@Switch01:RE:0% pkg delete old
If you run df -h before and after these commands, you can see how much was cleaned up.
Further Cleanup
There may be packages installed that you don’t need. For example, you may not need jweb and phone-home. If you don’t need these, you can uninstall them:
request system software delete jweb-ex
request system software delete jweb-ex-app
request system software delete jphone-home
If you still don’t have enough space, it’s time to look for bigger files:
Specifies the name of the remote server on which the service is located. The name must use the Universal Naming Convention (UNC) format (for example, \\myserver). To run SC.exe locally, omit this parameter.
<ServiceName>
Specifies the service name returned by the getkeyname operation.
?
Displays help at the command prompt.
Remarks
Use Add or Remove Programs on Control Panel to delete DHCP, DNS, or any other built-in operating system services. Note that Add or Remove Programs will not only remove the registry subkey for the service, but it will also uninstall the service and delete any shortcuts to it.
Examples
To delete the service subkey NewServ from the registry on the local computer, type:
First of all, check the VPN configuration. This is also useful if and when you need to confirm the Phase 1 and Phase 2 parameters with the remote end.
admin@srx> show configuration security ike
admin@srx> show configuration security ipsec
2. Confirm Phase 1
To confirm the successful completion of Phase 1, run the following command. If Phase 1 fails to complete, revisit your Phase 1 parameters using the commands shown in Section 1.
admin@srx> show security ike security-associations
node1:
--------------------------------------------------------------------------
Index   Remote Address    State  Initiator cookie  Responder cookie  Mode
6950    [LOCAL PEER IP]   UP     33204fba87663d94  70acacd5f938f89b  Main
3. Confirm Phase 2
To confirm the successful completion of Phase 2, run the following command. If Phase 2 fails to complete, revisit your Phase 2 parameters using the commands shown in Section 1.
admin@srx> show security ipsec security-associations
node1:
--------------------------------------------------------------------------
Total active tunnels: 2
ID        Gateway           Port  Algorithm          SPI       Life:sec/kb   Mon  vsys
<131073   [LOCAL PEER IP]   500   ESP:aes-128/sha1   4fb2c1cc  2041/ unlim   -    root
>131073   [LOCAL PEER IP]   500   ESP:aes-128/sha1   3e576ead  2041/ unlim   -    root
If Phase 2 has completed, you can confirm further details on each of the SAs (Security Associations) by using the SA index.
To confirm statistics based on the Phase 2 SA run the following command. The output will contain a number of counters. The most interesting of these (for troubleshooting purposes) are the Encrypted and Decrypted counters.
If Phase 1 and Phase 2 are both establishing but traffic is still not passing the VPN tunnel, a packet-filter traffic debug of the tunnel will provide further granularity into each of the steps the packet takes.
[edit security flow traceoptions]
admin@srx# set file vpn-debug
admin@srx# set flag basic-datapath
admin@srx# set flag packet-drops
admin@srx# set level 15
admin@srx# set packet-filter filter1 source-prefix [LOCAL PEER IP]
admin@srx# set packet-filter filter1 destination-prefix [REMOTE PEER IP]
admin@srx# set packet-filter filter1 protocol esp
admin@srx# set packet-filter filter2 destination-prefix [LOCAL PEER IP]
admin@srx# set packet-filter filter2 source-prefix [REMOTE PEER IP]
admin@srx# set packet-filter filter2 protocol esp
admin@srx# set packet-filter filter3 destination-prefix [INTERNAL SERVER IP]
admin@srx# set packet-filter filter3 destination-port ssh
admin@srx# set packet-filter filter3 protocol tcp
admin@srx# set packet-filter filter4 source-prefix [INTERNAL SERVER IP]
admin@srx# set packet-filter filter4 destination-port ssh
admin@srx# set packet-filter filter4 protocol tcp
admin@srx# run show log vpn-debug
6. Perform Debug (Crypto)
To debug the crypto engine the following commands are run.
admin@srx> configure
admin@srx# edit security ike traceoptions
[edit security ike traceoptions]
admin@srx# set file vpn-debug-ike
admin@srx# set flag all
admin@srx# set level 15
admin@srx# top
admin@srx# edit security ipsec traceoptions
[edit security ipsec traceoptions]
admin@srx# set file vpn-debug-ipsec
admin@srx# set flag all
admin@srx# set level 15
admin@srx# run show log vpn-debug-ike
admin@srx# run show log vpn-debug-ipsec
7. Additional
A useful tip when viewing the debug logs is to tail the file via the shell whilst also removing the empty lines. This a) makes it easier to view and b) (as long as your SSH client buffer is configured correctly) allows you to go back over previous output should the debug log reach its maximum size.
To force Active Directory replication, run the command ‘repadmin /syncall /AeD’ on the domain controller whose copy of the Active Directory database you want to update. For example, if DC2 is out of sync, run the command on DC2.
A = All partitions
e = Enterprise (cross-site)
D = Identify servers by distinguished name in messages
By default, this does a pull replication – which is how AD works by default. If you want to do a push replication use the following command:
repadmin /syncall /APeD
P = Push
You want to do a push replication if you make changes on a DC and you want to replicate those changes to all other DCs. For example, if you make a change on DC1 and you want all other DCs to get that change instantly, run repadmin /syncall /APeD on DC1.
This configuration is set up on a Juniper SRX 340 running JUNOS 20.2R1.10.
Note: the username is the same for everyone, btbusinesshub@business.btclick.com; the password can be anything; the authentication method is CHAP; the outside/untrust interface is ge-0/0/7.0.
set interfaces ge-0/0/7 unit 0 encapsulation ppp-over-ether
-- Optional --
set security zones security-zone Internet interfaces pp0.0 host-inbound-traffic system-services ping
set security zones security-zone Internet interfaces pp0.0 host-inbound-traffic system-services ssh
set interfaces pp0 traceoptions flag all
set interfaces pp0 unit 0 bandwidth 900m
-- Optional --
set interfaces pp0 unit 0 ppp-options chap default-chap-secret "$9$kmPTn/A"
set interfaces pp0 unit 0 ppp-options chap local-name "btbusinesshub@business.btclick.com"
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/7.0
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 1
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 no-keepalives
set interfaces pp0 unit 0 family inet mtu 1492
set interfaces pp0 unit 0 family inet negotiate-address
Troubleshooting
show ppp statistics
show pppoe statistics
show interfaces pp0
Check for:
LCP state: Opened
NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
CHAP state: Success
Cabling guide:
Plug the RJ45 cable direct from the Openreach socket to ge-0/0/7
error: certificate 'aamw-srx-cert': certificate does not exist .
error: trusted-ca 'aamw-cloud-ca' does not exist!
error: trusted-ca 'aamw-secintel-ca' does not exist!
{primary:node0}[edit]
root# commit and-quit
warning: You have changed enhanced services mode. You must reboot the system for your change to take effect. If you have deployed a cluster, be sure to reboot all nodes.
node0:
commit complete
Exiting configuration mode
Once the node has joined the cluster, sync it with the working SRX; that will update all the certificates.
Location of Certificates
The certificates and key pairs used for IKE negotiations are stored in the following locations: