Networking – IT Blog

Lance LingerfeltJuly 3, 2019

The Windows Time Service, Hyper-V Hosts, and DCs that are VMs.

The sheer craziness of it all! I noticed that my clocks were off on my servers by FOUR minutes. I had originally set in group policy for the PDC emulator for my domain, a VM on one of my Hyper-V hosts, to get the time from the Public NTP hosts. I then configured a group policy to have all the other machines get their time from the PDC Emulator.

This was working great for me until I realized that my Hyper-V hosts were actually controlling the time of the VMs. They were also configured to get the time from the PDC Emulator, but essentially, due to how Hyper-V is configured, the PDC Emulator VM was getting the time from the Host. So, once the time got thrown off, everything went wacky on me!

I’d read through a couple of articles and found the configuration flaw of Hyper-V and the need for those servers to get their time from the external NTP hosts as well as be configured as NTP servers themselves. This totally went against my Group Policy configuration which caused the issue!

Luckily, I had a stand alone server that is a tertiary DC in the domain not running Hyper-V. I was able to get my time synced again properly after performing the following configuration.

I had to move the FSMO roles to the tertiary DC with the following cmdlet:

Move-ADDirectoryServerOperationMasterRole -Identity backupdc01 -OperationMasterRole 0,1,2,3,4 -Confirm:$False

1	Move-ADDirectoryServerOperationMasterRole -Identity backupdc01 -OperationMasterRole 0,1,2,3,4 -Confirm:$False

I then made sure the tertiary DC was syncing time correctly by running the following on that server:

Stop and Start the time service:
net stop w32time
net start w32time

Resync with the NTP servers:
w32tm /resync /nowait

Query the Source NTP server for the server you are running:
w32tm /query /source
(Should return your Public NTP server)
2.us.pool.ntp.org,0x1

Stop and Start the time service:

net stop w32time

net start w32time

Resync with the NTP servers:

w32tm /resync /nowait

Query the Source NTP server for the server you are running:

w32tm /query /source

(Should return your Public NTP server)

2.us.pool.ntp.org,0x1

I then removed the Group Policy Object for syncing the time source to the DC that I had linked to my Hyper-V Servers OU in Active Directory
Ran a gpupdate /force on the Hyper-V host to remove the policy there
I then had to reconfigure the Hyper-V hosts to be NTP Servers and clients that got their time from a public NTP server:

Cmdlets in order:

Unregister the Time Service:
w32tm /unregister

Stop the Time Service:
net stop w32time

Register the Time Service:
w32tm /register

Start the service:
net start w32time

Query the Source NTP server for the server you are running:
w32tm /query /source
(Should return the default public NTP server)
time.windows.com,0x1

Configure the NTP time servers you want to use:
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org" /update /reliable:yes

Resync with the NTP servers:
w32tm /resync /nowait

Verify the Source NTP Server being used:
w32tm /query /source
(Should return the Public NTP server you set)
1.pool.ntp.org,0x1

Time should be correct on the Hyper-V host now.

Cmdlets in order:

Unregister the Time Service:

w32tm /unregister

Stop the Time Service:

net stop w32time

w32tm /register

Start the service:

net start w32time

Query the Source NTP server for the server you are running:

w32tm /query /source

(Should return the default public NTP server)

time.windows.com,0x1

Configure the NTP time servers you want to use:

w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org" /update /reliable:yes

Resync with the NTP servers:

w32tm /resync /nowait

Verify the Source NTP Server being used:

w32tm /query /source

(Should return the Public NTP server you set)

1.pool.ntp.org,0x1

Time should be correct on the Hyper-V host now.

The one problem Hyper-V host that was syncing with the DC VM would not change settings via Group Policy nor through the w32tm cmdlet. I even went into the registry and tried to modify the following keys to make the changes stick:

Path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

Keys - Value (Decimal):
w32time\Config\AnnounceFlags - 10 
w32time\Parameters\NtpServers - 0.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 
w32time\TimeProviders\NtpClient\SpecialPollInterval - 900 (15 minutes)
w32time\TimeProviders\NtpServer\Enabled - 1

Path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

Keys - Value (Decimal):

w32time\Config\AnnounceFlags - 10

w32time\Parameters\NtpServers - 0.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1

w32time\TimeProviders\NtpClient\SpecialPollInterval - 900 (15 minutes)

w32time\TimeProviders\NtpServer\Enabled - 1

The values would just not change, most likely due to the time not being synchronized. I had to reboot the server and then run through the process again in order for the changes to stick.

I did look at another article that said to do the following on the DC VM in order for time NOT to sync with the Hyper-V Host:

Go into Hyper-V console on the host machine, right-click on the client VM AD server, and select Settings. Once in here, on the left look under:

Management –> Integration Services
Untick Time Synchronization
Click Apply/OK

Things are running smoothly now. Please view the references at the bottom of the post. There are a couple of great articles about the Time Synchronization process with Hyper-V and why it needs to be setup the way I have it now. I wished I had read it before I originally set this up. I will post the article about getting group policy to handle the time sync process. Just remember, if your PDC Emulator is a VM, don’t sync it to a public NTP server. Sync it to your Hyper-V Host and have the Host sync publicly.
In the long run, I think it is a good design solution to have your Hyper-V hosts time synced to the Public NTP servers than having to remember to configure each VM DC you create to NOT time sync with the host. To each is own though, and one thing I learned from working Microsoft, there are multiple ways to get to the same goal that are technically sound methods.

THANKS FOR READING!
PLEASE COMMENT!

REFERENCES:
Setup of NTP on Hyper-V servers
Time Synchronization in Hyper-V
“It’s Simple!” – Time Configuration in Active Directory
NTP Circular Time Sync – Windows Server 2012 R2 / Hyper-V

Lance LingerfeltJune 12, 2019June 12, 2019

Installing an ‘IP-less’ Exchange Server 2019 Database Availability Group

Yesterday, I posted on how Exchange now uses the Resilient File System (ReFS) to optimize and protect Exchange critical files. Another layer of protection is using a database availability group (DAG) for redundancy and is a necessary factor when designing an Exchange Enterprise Environment.
In this example, I will walk you through the installation of an Exchange Server 2019 DAG as I configured in my environment. This DAG will contain two Exchange Servers in the same site with a third Windows Server 2019 server being the File Share Witness (FSW).

For my configuration, I configured two identical Windows Server 2019 VMs (same procs, RAM, vhdx drives, partitions, etc…). I configured the Exchange Data Volume using ReFS and mounted them to the same folder on the C: Drive on each server. This is very important for replication to take place successfully when the databases are added to the DAG.

Get-MailboxDatabase | fl Name,EDBFilePath,LogFolderPath

Name          : EX01-DB01
EdbFilePath   : C:\Exchange\Data-ReFS\DB\EX01-DB01\EX01-DB01.edb
LogFolderPath : C:\Exchange\Data-ReFS\Logs\EX01-DB01

Name          : EX01-ARCHIVE-DB
EdbFilePath   : C:\Exchange\Data-ReFS\DB\EX01-ARCHIVE-DB\EX01-ARCHIVE-DB.edb
LogFolderPath : C:\Exchange\Data-ReFS\Logs\EX01-ARCHIVE-DB

Name          : EX02-DB01
EdbFilePath   : C:\Exchange\Data-ReFS\DB\EX02-DB01\EX02-DB01.edb
LogFolderPath : C:\Exchange\Data-ReFS\Logs\EX02-DB01

Get-MailboxDatabase | fl Name,EDBFilePath,LogFolderPath

Name : EX01-DB01

EdbFilePath : C:\Exchange\Data-ReFS\DB\EX01-DB01\EX01-DB01.edb

LogFolderPath : C:\Exchange\Data-ReFS\Logs\EX01-DB01

Name : EX01-ARCHIVE-DB

EdbFilePath : C:\Exchange\Data-ReFS\DB\EX01-ARCHIVE-DB\EX01-ARCHIVE-DB.edb

LogFolderPath : C:\Exchange\Data-ReFS\Logs\EX01-ARCHIVE-DB

Name : EX02-DB01

EdbFilePath : C:\Exchange\Data-ReFS\DB\EX02-DB01\EX02-DB01.edb

LogFolderPath : C:\Exchange\Data-ReFS\Logs\EX02-DB01

I next went to the Admin server where the FSW would be hosted and added the Exchange Trusted Subsystem Account to the local Administrators group on that server:

IMPORTANT!
Add the Exchange Trusted Subsystem Account to the Local Administrators Group on the FSW.

NOTE: The reason that this is an ‘IP-less’ DAG is that I’m creating a DAG with no cluster administrative access point (CAAP). The DAG has no IP address of its own, and no computer object in Active Directory. The main implication of this is that backup software that relies on the CAAP or backup operations won’t work. This option of an ‘IP-less’ DAG was first introduced in Exchange Server 2013 SP1/CU4, so by now any decent backup products should support this configuration. But you should always verify this with your backup vendor of choice. Also be aware that this is only supported for DAGs that are running on Windows Server 2012 R2 (or later).

Next, we create the DAG from Exchange PowerShell using the New-DatabaseAvailabilityGroup cmdlet. Now remember that since you are using the ReFS system for your database volumes, you will need to specify the -FileSystem parameter within the cmdlet to assure proper setup and replication of the data files.

New-DatabaseAvailabilityGroup -Name LDLNETDAG01 -WitnessServer admin01.ldlnet.org -FileSystem ReFS
 
Name             Member Servers                                      Operational Servers
----             --------------                                      -------------------
LDLNETDAG01      {}

New-DatabaseAvailabilityGroup -Name LDLNETDAG01 -WitnessServer admin01.ldlnet.org -FileSystem ReFS

Name Member Servers Operational Servers

---- -------------- -------------------

LDLNETDAG01 {}

Next, we add the Exchange Servers that hold the databases that will be replicated within the DAG:

Add-DatabaseAvailabilityGroupServer -Identity LDLNETDAG01 -MailboxServer EX01

1	Add-DatabaseAvailabilityGroupServer -Identity LDLNETDAG01 -MailboxServer EX01

Add-DatabaseAvailabilityGroupServer -Identity LDLNETDAG01 -MailboxServer EX02

1	Add-DatabaseAvailabilityGroupServer -Identity LDLNETDAG01 -MailboxServer EX02

The DAG will now show the two servers as Operational Member Servers:

Get-DatabaseAvailabilityGroup -Status | ft -a -wr

Name        Member Servers         Operational Servers
----        --------------         -------------------
LDLNETDAG01 {EX01, EX02}           {EX01, EX02}

Get-DatabaseAvailabilityGroup -Status | ft -a -wr

Name Member Servers Operational Servers

---- -------------- -------------------

LDLNETDAG01 {EX01, EX02} {EX01, EX02}

The FSW Directory was created on the admin01 server when the DAG was created. We can verify that with the following cmdlet:

Get-DatabaseAvailabilityGroup -Status | fl *Witness*


WitnessServer             : admin01.ldlnet.org
WitnessDirectory          : C:\DAGFileShareWitnesses\LDLNETDAG01.ldlnet.org
AlternateWitnessServer    :
AlternateWitnessDirectory :
WitnessShareInUse         : Primary
DxStoreWitnessServers     :

Get-DatabaseAvailabilityGroup -Status | fl *Witness*

WitnessServer : admin01.ldlnet.org

WitnessDirectory : C:\DAGFileShareWitnesses\LDLNETDAG01.ldlnet.org

AlternateWitnessServer :

AlternateWitnessDirectory :

WitnessShareInUse : Primary

DxStoreWitnessServers :

Next, we add the databases that we want replicated to the DAG as replicated databases. I want all my Databases on EX01 to replicate to EX02 and vice versa for the EX02 Databases. I want the activation preference to remain on the server that the databases were originally created on so I will use the -ActivationPreference parameter to accomplish that. I will go into more detail on Activation Preference in another post.

Add-MailboxDatabaseCopy -Identity EX01-DB01 -MailboxServer EX02 -ActivationPreference 2

1	Add-MailboxDatabaseCopy -Identity EX01-DB01 -MailboxServer EX02 -ActivationPreference 2

Add-MailboxDatabaseCopy -Identity EX01-ARCHIVE-DB -MailboxServer EX02 -ActivationPreference 2

1	Add-MailboxDatabaseCopy -Identity EX01-ARCHIVE-DB -MailboxServer EX02 -ActivationPreference 2

Add-MailboxDatabaseCopy -Identity EX02-DB01 -MailboxServer EX01 -ActivationPreference 2

1	Add-MailboxDatabaseCopy -Identity EX02-DB01 -MailboxServer EX01 -ActivationPreference 2

Now we verify that the Database Copies are healthy on each replication member using the Get-MailboxDatabaseCopyStatus cmdlet. You will see a Healthy Status on the replicated copies:

Get-MailboxDatabaseCopyStatus -Server EX01 | ft -a -wr

Name                        Status  CopyQueueLength ReplayQueueLength LastInspectedLogTime  ContentIndexState
----                        ------  --------------- ----------------- --------------------  -----------------
EX01-DB01\EX01              Mounted 0               0                                       NotApplicable
EX01-ARCHIVE-DB\EX01        Mounted 0               0                                       NotApplicable
EX02-DB01\EX01              Healthy 0               0                 6/12/2019 11:03:03 AM NotApplicable

Get-MailboxDatabaseCopyStatus -Server EX01 | ft -a -wr

Name Status CopyQueueLength ReplayQueueLength LastInspectedLogTime ContentIndexState

---- ------ --------------- ----------------- -------------------- -----------------

EX01-DB01\EX01 Mounted 0 0 NotApplicable

EX01-ARCHIVE-DB\EX01 Mounted 0 0 NotApplicable

EX02-DB01\EX01 Healthy 0 0 6/12/2019 11:03:03 AM NotApplicable

Get-MailboxDatabaseCopyStatus -Server EX02 | ft -a -wr

Name                        Status  CopyQueueLength ReplayQueueLength LastInspectedLogTime  ContentIndexState
----                        ------  --------------- ----------------- --------------------  -----------------
EX02-DB01\EX02              Mounted 0               0                                       NotApplicable
EX01-ARCHIVE-DB\EX02        Healthy 0               0                 6/12/2019 11:06:44 AM NotApplicable
EX01-DB01\EX02              Healthy 0               0                 6/12/2019 10:46:40 AM NotApplicable

Get-MailboxDatabaseCopyStatus -Server EX02 | ft -a -wr

Name Status CopyQueueLength ReplayQueueLength LastInspectedLogTime ContentIndexState

---- ------ --------------- ----------------- -------------------- -----------------

EX02-DB01\EX02 Mounted 0 0 NotApplicable

EX01-ARCHIVE-DB\EX02 Healthy 0 0 6/12/2019 11:06:44 AM NotApplicable

EX01-DB01\EX02 Healthy 0 0 6/12/2019 10:46:40 AM NotApplicable

POSITIVE ENERGY!
KILL NARCISSISM!
HAPPY TROUBLESHOOTING!

REFERENCES:
Installing an Exchange Server 2016 Database Availability Group

Lance LingerfeltMay 7, 2019

Issue with NAT on Cisco ASA

I was working on upgrading my ASA firewall and was running into an issue with internet working on my device, but none of my server services were responding to requests:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency

I had configured 1-to-1 Object Based NAT translations for my servers for this purpose as had been configured on my prior ASA device. I had just copied the NAT rules to the new device thinking that it should just work. Needless to say, I had to call Cisco TAC and open a case. This seemed to be an issue for them as well. We kept getting the same error as above with another error listed during the NAT translation of the packets:

ifc selected is not same as preferred ifc
Doing route lookup again on ifc inside

We could ping internally to the server successfully from the ASA through the inside port:

LDLNET-FW01(config)# ping LDLNET-LAN 192.168.100.x
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.x, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Packet Capture:

4 packets captured
1: 01:01:21.086894 192.168.100.2 > 192.168.100.x: icmp: echo request
2: 01:01:21.087153 192.168.100.x > 192.168.100.2: icmp: echo reply
3: 01:01:21.087886 192.168.100.2 > 192.168.100.x: icmp: echo request
4: 01:01:21.088069 192.168.100.x > 192.168.100.2: icmp: echo reply

Again, I had created Object based NAT translations that should have worked for all the inside ports and allowed the packet traffic through properly:

object network Exchange_Server
nat (any,any) static ExchOut net-to-net

Not having knowledge what the net-to-net statement within the NAT Rule stood for, we ended up scrapping all of the Object based NAT rules and created a new rule using a static route:

nat (LDLNET-LAN,outside) source static Exchange_Server ExchOut description Exchange NAT Both Directions

Doing this worked for us and allowed traffic that was NOT translating correctly to be translated and flowing correctly through the ASA.

Phase: 17
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12345, packet dispatched to next module
Module information for forward flow …
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow …
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: LDLNET-LAN
output-status: up
output-line-status: up
Action: allow

Great! This is working now! The only issue is that I had to create static rules that go through the single interface on the ASA. What if I need to connect other devices to the ASA on different interface ports? Well, I will have to create the static NAT rules for those ports as well. If the current interface fails, I will have to recreate the static NAT Rules for the interface port that I change to. Secure in a way, but not how I think it should be designed.

If anyone has any suggestions for the configuration of this, why I was getting the error, or a way to get the Object Based NAT rules working properly, PLEASE COMMENT!

Category: Networking

The Windows Time Service, Hyper-V Hosts, and DCs that are VMs.

THANKS FOR READING!
PLEASE COMMENT!

Installing an ‘IP-less’ Exchange Server 2019 Database Availability Group

POSITIVE ENERGY!
KILL NARCISSISM!
HAPPY TROUBLESHOOTING!

Issue with NAT on Cisco ASA

I’M ALWAYS LOOKING FOR THE BEST SOLUTION!
PLEASE LEAVE YOUR COMMENTS!

THANKS FOR READING!PLEASE COMMENT!

POSITIVE ENERGY!KILL NARCISSISM!HAPPY TROUBLESHOOTING!

I’M ALWAYS LOOKING FOR THE BEST SOLUTION!PLEASE LEAVE YOUR COMMENTS!

Cookies Notice for itblog.ldlnet.net

THANKS FOR READING!
PLEASE COMMENT!

POSITIVE ENERGY!
KILL NARCISSISM!
HAPPY TROUBLESHOOTING!

I’M ALWAYS LOOKING FOR THE BEST SOLUTION!
PLEASE LEAVE YOUR COMMENTS!