Ubuntu Static IP

 Ubuntu Static IP KB ID 0001892

Problem

Like most OSs, out of the box the system is set to get its IP address from a DHCP server (i.e. dynamically). On the rare occasions I’m deploying Linux it’s to perform a specific task, so in nearly all cases I want it to have a static IP. Here is how to achieve that.

Solution : Ubuntu Static IP

Disable Cloud-Init

Since version 18.04, Ubuntu has shipped with cloud-init enabled. You can proceed with it enabled, but the procedure is different and your changes can be ignored, so I simply disable it. The first command checks whether cloud-init is present (if it yields any output, {as shown}, then it is).

Remember: This procedure changes the IP address, if you are connected remotely by SSH for example, you may lose connectivity. Perform this at the console or ensure you can reconnect to the new IP address (post change).

[box]

apt-cache pkgnames | grep cloud-init
sudo nano /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg

ENTER YOUR PASSWORD

[/box]

Paste in the following, then save and exit (CTRL+X >  Y > Enter).

[box]

network: {config: disabled}

[/box]

Then reboot the machine.

[box]

reboot

[/box]

Ubuntu Static IP Netplan

Ubuntu will apply a set of network configuration settings that are formatted as YAML. Before we create that file let’s look to find out what our network interface is called, what the current IP address and network range is, and where the default gateway (or default route) has been pointed to.

[box]

ip addr
ip route

[/box]

From the above we can see our interface is called ens33 (yours may be called something different, like eth0), it has an IP address of 192.168.100.103/24 (i.e. it has a netmask of 255.255.255.0), and its default gateway is 192.168.100.1. To see the current netplan we need to look in /etc/netplan; as you can see (below) mine is called 50-cloud-init.yaml (yours may have a slightly different name, so change to the directory and list its contents to make sure).

[box]

cd /etc/netplan
ls
sudoedit {name-of-your-netplan-file}.yaml

[/box]

Here is an idea of what your file may currently look like.

And here is one I’ve edited to include the required IP 192.168.100.20/24 and the default route (gateway) 192.168.100.1, and my local DNS servers 192.168.100.10 and 192.168.100.3.

[box]

network:
  version: 2
  ethernets:
    ens33:
      dhcp4: no
      addresses:
        - 192.168.100.20/24
      routes:
        - to: default
          via: 192.168.100.1
      nameservers:
        addresses: [192.168.100.10,192.168.100.3]

[/box]

Save and exit the file, then apply the netplan (Note: if you are connected via SSH you may lose connectivity).

Note: For an example of setting up a bridged network see the link below.

[box]

sudo netplan apply

AT THIS POINT CHECK CONNECTIVITY

[/box]
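The steps above boil down to: read the interface, address and gateway from ip addr / ip route, work out the netmask from the prefix length, and write the netplan file. The following script is an added example that is not part of the original article; it does that parsing and rendering with awk and a heredoc. The two ip outputs it parses are constructed to match the values used above (on a real host you would pass "$(ip -o -4 addr show)" and "$(ip route)" instead), and the rendered file pins the article’s 192.168.100.20/24 address.

```shell
#!/bin/sh
# Added example (not from the original article): pull the interface, address
# and gateway out of `ip -o -4 addr` / `ip route` output, work out the dotted
# netmask from the prefix length, and render the netplan YAML for a static
# address. The two sample outputs are constructed to match the values in the
# article; on a real host pass "$(ip -o -4 addr show)" and "$(ip route)" instead.

SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: ens33    inet 192.168.100.103/24 brd 192.168.100.255 scope global dynamic ens33\       valid_lft 1700sec preferred_lft 1700sec'

SAMPLE_IP_ROUTE='default via 192.168.100.1 dev ens33 proto dhcp src 192.168.100.103 metric 100
192.168.100.0/24 dev ens33 proto kernel scope link src 192.168.100.103 metric 100'

# Interface carrying the default route (the "dev" field of the "default" line).
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Next hop of the default route (the "via" field).
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "via") { print $(i+1); exit } }'
}

# First IPv4 address, in CIDR form, on the named interface.
iface_cidr() {
    printf '%s\n' "$1" | awk -v ifc="$2" '$2 == ifc && $3 == "inet" { print $4; exit }'
}

# /24 -> 255.255.255.0, /20 -> 255.255.240.0, and so on.
cidr_to_netmask() {
    bits=$1; mask=""
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then octet=255; bits=$((bits - 8))
        elif [ "$bits" -gt 0 ]; then octet=$((256 - (1 << (8 - bits)))); bits=0
        else octet=0
        fi
        mask="${mask}${mask:+.}${octet}"
    done
    printf '%s\n' "$mask"
}

# Render a netplan file: interface, address/prefix, gateway, comma-separated DNS.
render_netplan() {
    cat <<EOF
network:
  version: 2
  ethernets:
    $1:
      dhcp4: no
      addresses:
        - $2
      routes:
        - to: default
          via: $3
      nameservers:
        addresses: [$4]
EOF
}

ifc=$(default_iface "$SAMPLE_IP_ROUTE")
gw=$(default_gateway "$SAMPLE_IP_ROUTE")
cidr=$(iface_cidr "$SAMPLE_IP_ADDR" "$ifc")
echo "interface=$ifc address=$cidr netmask=$(cidr_to_netmask "${cidr#*/}") gateway=$gw"
# Keep the discovered interface and gateway, pin the address the article uses.
render_netplan "$ifc" 192.168.100.20/24 "$gw" "192.168.100.10, 192.168.100.3"
```

When applying over SSH, sudo netplan try is the safer form of sudo netplan apply: it activates the new configuration and rolls it back automatically unless you confirm within the timeout (120 seconds by default), so a typo in the gateway does not cost you the session.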

Related Articles, References, Credits, or External Links

KVM Bridge Network

KVM Bridge Network

Bridge Network KB ID 0001891

Problem

I’m not sure why KVM does not come preconfigured for this out of the box, and it took me a very long time to work out how to do it. The default (DHCP and NAT on the host) is fine, but if you want your KVM VMs to behave as if they are on your production LAN, and to be reachable from outside the host, you need to set up bridged networking.

In my example I want my VMs to get an IP address from my DHCP server.

Solution : Bridge Network

Currently you probably have an IP address on the host itself (192.168.100.20). The process is to create a network bridge, move the IP address from your network interface so that it is now ON THE BRIDGE, add the network interface to the bridge, then finally move the VMs onto the bridge.

The following commands will display your current virtual networks and current bridges; then we will create a new bridge (br0), and finally make sure the new bridge is listed.

[box]

virsh net-list --all
brctl show
sudo brctl addbr br0
brctl show

[/box]

We need to change the IP address location so edit your current netplan.

[box]

ls /etc/netplan
TAKE NOTE OF THE NAME
sudoedit /etc/netplan/{name-of-netplan-file}.yaml

[/box]

Edit Netplan

Example (Note: you will need to enter YOUR details, and your interface may have a different name, e.g. eth0).

[box]

network:
  version: 2
  renderer: networkd

  ethernets:
    ens33:
      dhcp4: false
      dhcp6: false

  bridges:
    br0:
      interfaces: [ens33]
      addresses: [192.168.100.20/24]
      routes:
        - to: default
          via: 192.168.100.1
          metric: 100
          on-link: true
      mtu: 1500
      nameservers:
        addresses: [192.168.100.10,192.168.100.3]
      parameters:
        stp: true
        forward-delay: 4
      dhcp4: no
      dhcp6: no

[/box]

Save and exit the file.

Now we need to exempt traffic going through the bridge from being passed through netfilter (i.e. from iptables inspection).

[box]

sudoedit /etc/sysctl.d/bridge.conf

[/box]

Paste in the following text, then save and exit.

[box]

net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0
net.bridge.bridge-nf-call-arptables=0

[/box]

Those settings would be lost after a reboot. To make them permanent, create a udev rule that reapplies them whenever the br_netfilter module is loaded.

[box]

sudoedit /etc/udev/rules.d/99-bridge.rules

[/box]

Paste in the following, then save and exit.

[box]

ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
RUN+="/sbin/sysctl -p /etc/sysctl.d/bridge.conf"

[/box]

Now we will delete and undefine the built in default network.

[box]

virsh net-list --all
virsh net-destroy default
virsh net-undefine default
virsh net-list --all

[/box]

Now, before we apply the netplan we created earlier, take a look: our IP address is currently on interface ens33; when we have finished it will have moved to br0.

[box]

ip addr
sudo netplan apply

[/box]

Now check again, and ensure the bridge now has the IP address.

[box]

ip addr

[/box]

We are now going to define the bridge network for libvirt. sudoedit won’t work in the home directory, so I’m using vi instead.

[box]

vi host-bridge.xml

[/box]


Paste in the following, then save and exit (Esc > wq!)

[box]

<network>
  <name>host-bridge</name>
  <forward mode="bridge"/>
  <bridge name="br0"/>
</network>

[/box]

From the file we just created, we will define the new bridge network, start the network, then set it to autostart with the host, and finally make sure it’s defined and listed.

[box]

virsh net-define host-bridge.xml
virsh net-start host-bridge
virsh net-autostart host-bridge
virsh net-list --all

[/box]

Connecting VMs to the Bridge Network

List the registered VMs, then edit the VM you want to change.

[box]

virsh list --all
virsh edit {VM-Machine-Name}

[/box]

Locate the source network= section and change it from default to host-bridge, then save and exit the file.

I manage my VMs with Cockpit, and they were working fine, but they were asking to be restarted. I did that with mixed results. (some worked others didn’t).

I had 100% success by removing the old network connections and adding a new one like so; this was for an Ubuntu guest VM (Note: if it’s a Windows VM, use an e1000e model card instead).

Related Articles, References, Credits, or External Links

Install Ubuntu KVM

Install Ubuntu KVM

Ubuntu KVM KB ID 0001890

Problem

I’ve been looking at KVM for a couple of reasons, firstly people are looking at VMware alternatives, now there’s no ‘free version‘, and secondly the firm I work for have potentially a large KVM to VMware migration on the horizon, so I thought I’d build it on the test bench and see how best to address that migration scenario.

Note: This was written with Ubuntu version 24.04, which was current at the time of publication, if the experience has taught me anything it’s the commands and procedures may well change in future versions. If you are reading this in the distant future and something needs tweaking let me know below, so I can try to keep things up to date.

Solution : Ubuntu KVM

Update Ubuntu.

I’m assuming you’ve already got an Ubuntu server installed and ready to go; the first task is to ensure it’s fully up to date.

[box]

sudo apt update && sudo apt upgrade -y

[/box]


Go and have a coffee, when complete simply reboot the server.

[box]

[ -e /var/run/reboot-required ] && sudo reboot

[/box]

Ubuntu KVM (CPU Checker)

All modern physical servers will have the virtualisation CPU features enabled in the BIOS; it’s been many years since I had to go and enable them, but if you’re on an old piece of tin, or someone has disabled them, you need to check they are available. Note: This is more of a problem if you intend to run Ubuntu nested inside another hypervisor like VMware ESX or Hyper-V, where you have to manually expose the virtualisation features to a guest VM (often called nested virtualisation).

To make sure, we install cpu-checker.

[box]

sudo apt install cpu-checker

[/box]

Then, to test the CPU, run the kvm-ok command and ensure it responds ‘KVM acceleration can be used’.

[box]

sudo kvm-ok

[/box]

Ubuntu Install KVM

Use the following command.

[box]

sudo apt -y install libvirt-daemon-system bridge-utils qemu-kvm libvirt-daemon

[/box]

Then install the additional components and tools we may require.

[box]

sudo apt install virtinst libosinfo-bin virt-top libguestfs-tools 

[/box]

Finally, to ensure all is well, run virsh version and check the components look like the following (note some may have newer versions depending on how far in the future you are following along).

[box]

virsh version 

[/box]


Ubuntu KVM: Install Cockpit

Cockpit is a web-based GUI where you can interact directly with Linux. You can create, run and manage your virtual machines from the command line, but this is a little easier for most people.

[box]

sudo apt install cockpit 

[/box]

When complete add the machines plugin (for managing virtual machines) and podman plugin (for managing containers).

[box]

sudo apt install cockpit-{machines,podman}

[/box]


Then enable Cockpit to AutoStart with the host and check its status. Take note of the port it is running on (highlighted below, this is usually TCP port 9090).

[box]

sudo systemctl enable --now cockpit.socket
systemctl status cockpit.socket

[/box]


Connect to the Ubuntu KVM server using a web browser on port 9090 (https://{ip-address-or-host-name}:9090) and log in.

Select “Turn on administrative access” and supply your password to authenticate again.

Ubuntu KVM Creating Guest VMs

I prefer to have the ISO files that I will build my VMs from on the server itself, so I upload them into the /tmp directory on the Ubuntu host. Below I’m using WinSCP because it’s free and simple to use.

In Cockpit navigate to Virtual Machines > Create VM.

Enter the details, and the path to the ISO file you uploaded above > Create and Run.

Now if you select the server you get a nice VNC remote console which you can interact with to build and manage the server remotely.

What you will notice at this point is that your VMs get an IP address from the KVM host, which NATs their traffic to the outside world; that is fine. But if you want to access these VMs FROM the outside world then you have a problem (no, routing the traffic back to the KVM server manually or adding static routes to your other devices does not work; well, it didn’t for me!). So a more likely scenario is that you want bridged networking, where your VMs get an IP address on your live LAN. I’ll be showing you how to do that next.

Related Articles, References, Credits, or External Links

Ubuntu Setting a Static IP

SSH: Host Identification Has Changed

Host Identification Has Changed KB ID 0001889

Problem

I’ve been doing a lot of building and destroying Linux boxes lately, and came across this problem, (while attempting to SSH into one).

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256: xxxxxxxxxxxxxxxxx
Please contact your system administrator.
Add correct host key in /Users/sysadm/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/sysadm/.ssh/known_hosts:20
RSA host key for xxxxxxxxxxx has changed and you have requested strict checking.
Host key verification failed.

Solution: Host Identification Has Changed

So essentially, your PC keeps a record of the SSH host keys presented to it, along with their associated hosts, and it is warning you that the key now being presented is different from the one that was presented the last time it connected.

Here is the command I used to remove the ‘cached’ key so I could proceed.

[box]

ssh-keygen -R {host}

[/box]

In my case the host is simply the IP address 192.168.100.103; yours may be the hostname or FQDN (to which you were attempting to connect).

Once purged, try to connect again and you should be prompted to accept and save the new presented SSH key.
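The warning quotes a line number (known_hosts:20 above) because each record in known_hosts is one line: the host names (comma-separated, or hashed when they start with |1|), the key type and the key. The script below is an added example, not part of the original article or of OpenSSH; it finds the record for a host by name so you can see what ssh-keygen -R is about to remove, then removes it the same way. The sample file and its key material are constructed placeholders; hashed entries are skipped because they can only be matched by ssh-keygen -F / -R.

```shell
#!/bin/sh
# Added example (not from the original article): find and remove a host's
# entries in a known_hosts file by name. The line number printed is the one the
# SSH warning quotes ("known_hosts:20"), so you can see which record
# ssh-keygen -R is about to delete before you delete it. Hashed entries
# (starting "|1|") cannot be matched by name; ssh-keygen -F and -R handle those.
# The sample file and its keys are constructed placeholders.

write_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample known_hosts; key material is placeholder text, not real keys
git.lab.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1
192.168.100.103 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIPLACEHOLDER2
192.168.100.103,kvm01.lab.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDER3
|1|SALTPLACEHOLDER=|HASHPLACEHOLDER= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER4
EOF
}

# Usage: known_hosts_find FILE HOST -> "lineno: entry" for each plain-text match.
known_hosts_find() {
    awk -v host="$2" '
        /^[[:space:]]*(#|$)/ { next }              # comments and blank lines
        {
            f = ($1 ~ /^@/) ? 2 : 1                # skip @cert-authority / @revoked marker
            if ($f ~ /^\|1\|/) next                # hashed hostname: not matchable by name
            n = split($f, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) { print NR ": " $0; break }
        }
    ' "$1"
}

# Usage: known_hosts_remove FILE HOST -> rewrites FILE without plain-text entries
# naming HOST and prints how many lines were removed (a whole line goes even if
# it also names other hosts, which is what ssh-keygen -R does).
known_hosts_remove() {
    tmp="$1.tmp.$$"
    : > "$tmp"
    awk -v host="$2" -v out="$tmp" '
        /^[[:space:]]*(#|$)/ { print > out; next }
        {
            f = ($1 ~ /^@/) ? 2 : 1
            hit = 0
            if ($f !~ /^\|1\|/) {
                n = split($f, names, ",")
                for (i = 1; i <= n; i++) if (names[i] == host) hit = 1
            }
            if (hit) removed++; else print > out
        }
        END { print removed + 0 }
    ' "$1" && mv "$tmp" "$1"
}

demo() {
    f=$(mktemp)
    write_sample_known_hosts "$f"
    echo "entries for 192.168.100.103:"
    known_hosts_find "$f" 192.168.100.103
    echo "removed $(known_hosts_remove "$f" 192.168.100.103) line(s); remaining:"
    cat "$f"
    rm -f "$f"
}
demo
```

Before purging, it is worth confirming that the new key is the one the rebuilt server really has: on its console, ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub (or the matching ecdsa/rsa file) prints the fingerprint to compare against the one in the warning.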

Related Articles, References, Credits, or External Links

NA

Convert Certificates CER/CRT/PEM

Convert Certificates KB ID 0001847

Problem

This post was written because of a follow-up question in this article: how do you go about converting certificates? Sometimes you get a certificate issued or sent to you in a format you cannot import, so you need to convert it. Regardless of whether you are a Mac/Linux user or a Windows user, the tool that I find best to use is OpenSSL.

OpenSSL is built into macOS. To use OpenSSL on Windows you need to download and install it, then run openssl.exe (usually from the command line, but you can also run it from PowerShell; see the note below if you intend to use PowerShell).


Linux Note: To install OpenSSL, different flavours of Linux differ e.g. sudo apt-get install openssl should work in most cases.

Windows Note: Remember to change to the directory in which OpenSSL.exe resides before executing the following command(s). See the Windows Examples for clarification.

Solution : Convert Certificates

The most common forms of issued X.509 certificates have a .crt or a .cer extension. In the examples below the .crt files are PEM (Privacy Enhanced Mail, Base64 text) encoded and the .cer files are DER (Distinguished Encoding Rules, binary) encoded; OpenSSL can convert from one to the other. Note: Below I’ve shown the process on my Mac and a Windows PC to illustrate that the process is the same.

Convert Certificates CRT to CER

Use the following syntax to convert from CRT to CER format. (Change the values in red to match your source and destination certificate locations.)

[box]

openssl x509 -inform PEM -outform DER -in /Users/petelong/CERTS/Source-Certificate.crt -out /Users/petelong/CERTS/Output-Certificate.cer

[/box]

Convert Certificates CER to CRT

Use the following syntax to convert from CER to CRT format. (Change the values in red to match your source and destination certificate locations.)

[box]

openssl x509 -inform DER -outform PEM -in /Users/petelong/CERTS/Source-Certificate.cer -out /Users/petelong/CERTS/Output-Certificate.crt

[/box]

Convert Certificates CRT to PEM

Disclaimer: This is a bit of a misnomer, because .crt certificates are already in PEM format. You can simply open a .crt file and view it as a PEM file. Use the following syntax to view a CRT in PEM format. (Change the values in red to match your certificate location.)

[box]

Linux / macOS

cat /Users/petelong/CERTS/My-Certificate.crt

Windows 

type C:/Certs/My-Certificate.crt

[/box]

Then copy the text as shown in the examples above, without including any additional spaces, and you have a PEM file. You can paste this into a text editor and save it with a .pem extension if you need to ‘send’ it somewhere.

Can I simply rename .crt to .pem (YES YOU CAN)

Convert Certificates CER to PEM

This is slightly more complicated, as .cer files are in DER format; if you try to open one with a text editor you will simply see gobbledegook. So you need to convert it into PEM format with the following syntax.

[box]

openssl x509 -inform DER -outform PEM -in /Users/petelong/CERTS/My-Certificate.cer -out /Users/petelong/CERTS/PEM-Certificate.pem

[/box]

Once that’s done (as above) you can simply open the .pem file in a text editor or cat (mac/Linux) or type (Windows) the content.
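Underneath, PEM is just the DER bytes Base64-encoded, wrapped at 64 columns and fenced with BEGIN/END lines, and the file extension plays no part in which one you have (which is why renaming .crt to .pem works, and why a .cer can turn out to be either). The script below is an added example, not part of the original article and not OpenSSL itself: it classifies a file by its first byte and performs the same PEM/DER conversion as the openssl x509 -inform/-outform commands above using only base64 and awk. The sample it round-trips is a constructed 5-byte DER SEQUENCE, not a real certificate, since the transformation does not depend on the contents.

```shell
#!/bin/sh
# Added example (not from the original article): tell PEM from DER by content
# and convert between them with base64 alone, the same transformation the
# openssl x509 -inform/-outform commands above perform (without any ASN.1
# parsing). The extension does not decide the encoding, the first byte does,
# which is why renaming .crt to .pem works. The sample used for the round
# trip is a constructed 5-byte DER SEQUENCE, not a real certificate.

# Usage: cert_format FILE -> PEM, DER or UNKNOWN.
# PEM starts with "-----BEGIN" (0x2d '-'); DER starts with the SEQUENCE tag 0x30.
cert_format() {
    case "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" in
        2d) echo PEM ;;
        30) echo DER ;;
        *)  echo UNKNOWN ;;
    esac
}

# Usage: pem_to_der IN.pem OUT.der  (first CERTIFICATE block only; CRLF tolerated)
pem_to_der() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" \
        | grep -v '^-----' | tr -d '\r\n' | base64 -d > "$2"
}

# Usage: der_to_pem IN.der OUT.pem  (body wrapped at 64 columns, as RFC 7468 requires)
der_to_pem() {
    {
        echo '-----BEGIN CERTIFICATE-----'
        base64 < "$1" | tr -d '\n' \
            | awk '{ while (length($0) > 64) { print substr($0, 1, 64); $0 = substr($0, 65) } if (length($0)) print }'
        echo '-----END CERTIFICATE-----'
    } > "$2"
}

# Converts the constructed DER blob to PEM and back; prints "ok" when the
# result is byte-identical and both files are classified correctly.
roundtrip_ok() {
    d=$(mktemp -d)
    printf '\060\003\002\001\005' > "$d/sample.der"      # SEQUENCE { INTEGER 5 }, constructed
    der_to_pem "$d/sample.der" "$d/sample.pem"
    pem_to_der "$d/sample.pem" "$d/back.der"
    if [ "$(cert_format "$d/sample.der")" = DER ] \
        && [ "$(cert_format "$d/sample.pem")" = PEM ] \
        && [ "$(od -An -tx1 "$d/sample.der")" = "$(od -An -tx1 "$d/back.der")" ]; then
        echo ok
    else
        echo mismatch
    fi
    rm -rf "$d"
}

roundtrip_ok
```

cert_format is the useful part day to day: run it on whatever you were sent before picking an -inform, instead of trusting the extension.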

Converting Certificates (PowerShell)

Be Aware: When calling OpenSSL from a PowerShell prompt, you need to prefix the command with a ‘dot slash’ (./openssl ...); see the examples below for clarification.

Related Articles, References, Credits, or External Links

Digital Certificates Explained

TinyCore Linux: Build a ‘Persistent’ Web Server

KB ID 0001697

Problem

Recently I was building a lab for testing load balancing, and needed some web servers, I could have built three Windows servers, but I wanted to run them in EVE-NG, so they had to be as light as I could make them. I chose TinyCore Linux, (I know there are smaller options, but it’s light enough for me to run, and work with).

The problem occurs when you reboot the TinyCore host, it (by default) reverts back to its vanilla state, (that’s not strictly true, a couple of folders are persistent).

So I had to build a server that would let me SFTP some web content into it and allow me to reboot it without losing the web content, settings, and IP address.

Step 1: Configure TinyCore IP & Web Server

This is a two step procedure, firstly I’m going to give it a static IP.

[box]

sudo ifconfig eth0 192.168.100.110 netmask 255.255.255.0
sudo route add default gw 192.168.100.1

[/box]

I don’t need DNS; if you do, then simply edit the resolv.conf file;

[box]

sudo vi /etc/resolv.conf
Add a value e.g.
nameserver 8.8.8.8

[/box]

If you are scared of the vi editor see Using the VI Editor (For Windows Types).

To connect via SSH/SFTP you will need openssh installing, and to run the website we will use BusyBox httpd; to install those, do the following;

[box]

tce-load -wi busybox-httpd.tcz
tce-load -wi openssh

[/box]

You will now need to set a password for the root account (so you can log on and transfer web files in!)

[box]

su
passwd
Type in, and confirm a new password!

[/box]

Start the OpenSSH, and TFTP services;

[box]

cd /usr/local/etc/init.d/
./openssh start
cd /etc/init.d/services/
./tftpd start

[/box]

Now create a basic web page, (index.html) which you can update later. Setup the website, then copy that file to a location that will be persistent (you will see why later).

[box]

cd /usr/local/httpd/bin
sudo ./busybox httpd -p 80 -h /usr/local/httpd/bin/
sudo vi index.html {ENTER SOME TEXT TO TEST, AND SAVE}
sudo mkdir /mnt/sda1/wwwsite/
sudo cp /usr/local/httpd/bin/index.html /mnt/sda1/wwwsite/index.html

[/box]

At this point (if you want) you can use your favourite SFTP client (I recommend FileZilla or WinSCP) and copy in some live web content to /mnt/sda1/wwwsite/. But ensure the home/landing page is still index.html!

Step 2: Make TinyCore Settings ‘Persistent’

There may be better ways to do this, this just worked for me, and made sense! There’s a shell script that is executed as the TinyCore machine boots (bootlocal.sh) so if you edit that file and put in the commands to configure the IP, copy the website files from the permanent mount folder, start the web server, then start SSH and TFTP, you end up with a server doing what you want, every time the server boots.

[box]

sudo vi /opt/bootlocal.sh

ADD THE FOLLOWING TO THE BOTTOM OF THE FILE;

sudo ifconfig eth0 192.168.100.110 netmask 255.255.255.0
sudo route add default gw 192.168.100.1
cp /mnt/sda1/wwwsite/index.html /usr/local/httpd/bin/index.html
cd /usr/local/httpd/bin/
sudo ./busybox httpd -p 80 -h /usr/local/httpd/bin/
cd /usr/local/etc/init.d/
./openssh start
cd /etc/init.d/services/
./tftpd start

[/box]

Save and exit the file, then finally BACKUP THE CHANGES with the following command;

[box]

filetool.sh -b

[/box]

Related Articles, References, Credits, or External Links

NA

EVE-NG: Committing / Saving Qemu Virtual Machine Settings

KB ID 0001695

Problem

I’ve been working on a load balancing lab in EVE-NG this last week or so. I created some web servers (in TinyCore Linux,) to act as the web servers in that lab. (Essentially they serve a different colour web page so I can test the load balancing is working OK).

Now I wanted to save the changes I made so that I could redeploy the configured servers to multiple labs. But when you deploy a qemu VM as a node in a lab, EVE-NG copies the VM to the lab, and the changes you make, only apply to the node, in the lab, in the pod, you are working on!

So I wanted to update the ‘Master‘ image in EVE-NG, with the one I configured. Here is how to do that;

Solution

Firstly you need to get your POD NUMBER; you can get that from the user management screen. Below you can see my user (which you can see is already logged on) is using pod number 1.

Now you need to get the LAB ID NUMBER. Open the lab > Shut down the machine that you want to save the changes from > Lab Details > Copy the lab ID number.

Lastly you need the NODE ID NUMBER. Either select Nodes and take note of the number, or right-click the node and the node ID is shown (in brackets).

Armed with those three pieces of information, SSH into the EVE-NG host, and execute the following commands;

[box]

cd /opt/unetlab/tmp/POD-NUMBER/LAB-ID/NODE-ID/

for example;

cd /opt/unetlab/tmp/1/2277307f-b0bc-45a4-831f-a89a716b5841/3/

[/box]

Now depending on the VM/Appliance in question, it may be called hda.qcow2, or virtioa.qcow2 (a quick ls command will tell you!) Take the name and commit the changes with the following command;

[box]

/opt/qemu/bin/qemu-img commit hda.qcow2

[/box]

Job done!

Yes but you wanted three different servers? Correct, I then copied the server (twice) edited the IP address, and the web page served on the two copies and committed the changes back to the original VMs!

Related Articles, References, Credits, or External Links

NA

XenServer: Enable SNMP

KB ID 0001629

Problem

We had to enable SNMP on a XenServer today, I’d never even logged onto one, but it turns out, much like ESX, it’s just a Linux server, at least the good folk at Citrix included nano on there so I didn’t have to struggle with the vi editor!

Solution

First from the web console ensure that SSH access is enabled > Remote Services Configuration > Enable/Disable Remote Shell.

SSH into the host and execute the following commands to enable the SNMP daemon at boot (it is restarted at the end), take a backup of the config file, and finally edit the ‘live’ config file.

[box]

chkconfig snmpd on
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.backup
nano /etc/snmp/snmpd.conf

[/box]

You can delete EVERYTHING (at the beginning of the file press CTRL+6 to mark the file, then press ALT+Shift+T (or ALT+T) to cut the text away). Then type in;

[box]

rocommunity {SNMP-String} {IP address or range with /{bits}}

i.e.
rocommunity public 192.168.1.0/24

[/box]

Save and Exit (CTRL+X > ‘Y’ > {Enter}). Now you need to edit the firewall on the host (iptables) to allow the IP addresses of your SNMP collector(s).

[box]

nano /etc/sysconfig/iptables

[/box]

At the bottom, (usually) you will see a deny for ICMP, put an entry for each collector BEFORE that in the following format;

[box]

-A RH-Firewall-1-INPUT -s {Collector-IP-Address} -p udp -m udp --dport 161 -j ACCEPT

[/box]

Save and Exit (CTRL+X > ‘Y’ > {Enter}). then restart iptables and the snmp daemon.

[box]

service iptables restart
service snmpd restart

[/box]
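The placement described above (each collector’s ACCEPT BEFORE the chain’s final reject) is what makes the rule effective: iptables evaluates top to bottom, so anything appended after the terminal REJECT is never reached. The script below is an added example, not part of the original article, that does that edit on an iptables save file with awk and then checks the ordering. The save file it works on is a constructed, cut-down RH-Firewall-1-INPUT chain in the same shape as the one on the XenServer host.

```shell
#!/bin/sh
# Added example (not from the original article): insert per-collector SNMP
# ACCEPT rules into an iptables save file ahead of the chain's terminal REJECT,
# which is the manual edit described above. A rule placed after the REJECT is
# never evaluated, so position is the whole point. The save file below is a
# constructed, cut-down RH-Firewall-1-INPUT chain.

sample_iptables() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Usage: add_snmp_collectors FILE COLLECTOR...  (COLLECTOR is an IP or CIDR)
# Rewrites FILE in place and prints the number of rules inserted.
add_snmp_collectors() {
    file=$1; shift
    rules=""
    for c in "$@"; do
        rules="${rules}-A RH-Firewall-1-INPUT -s $c -p udp -m udp --dport 161 -j ACCEPT\n"
    done
    tmp="$file.tmp.$$"
    awk -v rules="$rules" '
        # Insert before the first terminal REJECT/DROP in the chain, or before
        # COMMIT if the chain has no terminal rule; never after it.
        !done && (/^-A RH-Firewall-1-INPUT .*-j (REJECT|DROP)/ || /^COMMIT/) { printf "%s", rules; done = 1 }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
    printf '%s\n' "$#"
}

# Usage: snmp_rules_before_reject FILE -> "ok" when every --dport 161 rule sits
# above the chain's REJECT, "misordered" otherwise.
snmp_rules_before_reject() {
    awk '
        /--dport 161 / && seen_reject { bad = 1 }
        /^-A RH-Firewall-1-INPUT .*-j REJECT/ { seen_reject = 1 }
        END { print (bad ? "misordered" : "ok") }
    ' "$1"
}

demo() {
    f=$(mktemp)
    sample_iptables > "$f"
    echo "inserted $(add_snmp_collectors "$f" 192.168.1.50 10.10.0.0/24) rule(s)"
    grep -n 'RH-Firewall-1-INPUT -' "$f"
    snmp_rules_before_reject "$f"
    rm -f "$f"
}
demo
```

The same idea applies to the rocommunity line in snmpd.conf: give it the collector address or range rather than leaving the community open to everyone, so that both the daemon and the firewall limit who can poll.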

If you are polling it through a firewall you can test it locally with an SNMP test tool (I use a piece of freeware to test, but remember to add the local IP you are testing from to the snmpd config and the iptables rules!)

Related Articles, References, Credits, or External Links

NA

Certificate Chain Incomplete

KB ID 0001570

Problem

The certificate here at PNL expired over the weekend, I got a new one and installed it. All appeared to be fine until I did an online check to make sure it was OK. 

The server’s certificate chain is incomplete

Solution

I had this problem once before; back then I was using Apache and CentOS 7, and things were a little different (now I’m using NGINX and Ubuntu 18.04). Essentially you see this error because you have bought a ‘cheap‘ SSL certificate. There’s nothing wrong with that per se, but they tend to be issued from an ‘Intermediate CA‘. Again, there’s nothing wrong with that either, but to improve your score you need to ‘embed‘ the intermediate certificate into your SSL certificate file (or all the intermediates back to the Root CA, if you have multiple intermediate certificates!)

Here I have ONE intermediate, (which is pretty normal.)

There are no special tools required to do this, other than a simple text editor: you open your SSL certificate and paste the intermediate certificate on the bottom (DO NOT ADD ANY EXTRA SPACES). Like so;

Note: As you can see, you DON’T put the Root CA certificate at the bottom, (clients should already have them!) I made this mistake then got the following error;

[box]

Jun 23 14:12:29 localhost nginx[1197]: nginx: [emerg] PEM_read_bio_X509("/etc/nginx/ssl/www_petenetlive_com.crt") failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line)
Jun 23 14:12:29 localhost nginx[1197]: nginx: configuration file /etc/nginx/nginx.conf test failed

[/box]

Retry your test.

Related Articles, References, Credits, or External Links

NA

Domain Controller Won’t Boot: Stop Code ‘0x00002e2’

KB ID 0001494

Problem

I had this problem after a VMware host upgrade last night, this domain controller would not boot, I tried ‘Last Known Good Configuration’, I tried ‘Safe Mode’ it would not boot. More out of desperation than procedure, I tried to boot to ‘Directory Services Restore Mode’ and it booted up (hooray!) I tried all the client’s usual passwords, and could not log in, I messaged them to ask for the DSRM password, and tried all the ones they sent me, it seems I was defeated!

They had other domain controllers, and their critical systems were up, so I arranged for this server to be restored the following morning from tape.

A lot of you will (I hope) know your DSRM password, so you will have fewer problems than I had, and you can skip the resetting the DSRM password part.

Reset DSRM Password (From Boot Disk)

If you Google resetting the DSRM password you get a ton of posts telling you to use ntdsutil, which is great if you can log on, but I could not. I’ll let you into a secret: the DSRM password is actually the LOCAL administrator’s password on the Domain Controller, and resetting the local admin password (using a Linux boot disk, {don’t panic, it’s simple!}) is something we have been able to do since the days of NT4! (DON’T PAY FOR A UTILITY TO DO THIS).

To download the boot disk and see how this is done follow the instructions I’ve already written in THIS POST. The only difference is, I chose to {blank} the password, rather than reset it, (you can reset it afterwards using ntdsutil if you want to).

Select option 1: Clear (blank) user password;

Boot Into DSRM Mode and Repair Active Directory

You can now boot into DSRM mode, (if you don’t see these options Press F8 as the server boots).

As soon as you enter ‘administrator’ and then click in the password box, the ‘Sign in to‘ option will change from the domain name to the domain controller’s name. This usually happens on all machines that are NOT domain controllers, but in this case it’s expected behaviour (as we will be logging in with a LOCAL password). Remember I blanked the password, so I’m leaving it empty.

First let’s take a backup of AD. Open a command window, and execute the following command;

[box]

xcopy C:\Windows\NTDS\* C:\Backup\NTDS-Backup /E /Y /V /C /I

[/box]

Then execute the following commands;

[box]

cd C:\Windows\NTDS
ren *.log *.log.old
esentutl /p C:\Windows\NTDS\ntds.dit

[/box]

When prompted; CLICK OK.

Now run the following commands;

[box]

ntdsutil
activate instance ntds
files
compact to C:\Windows\NTDS\TEMP
quit
quit

[/box]

As it’s telling us (above), we now need to copy the compacted and repaired database, over the top of the live database, and then get rid of the logs. To do that, run the following commands;

[box]

copy "C:\Windows\NTDS\TEMP\ntds.dit" "C:\Windows\NTDS\ntds.dit"
Yes
del *.log
del *.log.old
shutdown -r -f

[/box]

The server will reboot, and boot back into Windows as normal.

Related Articles, References, Credits, or External Links

A big thank you to Alex at iThinkVirtual.com for the AD repair procedure; I would not have got over the line without his excellent ‘Fixing a corrupt Domain Controller’ post.