
Saturday, October 22, 2022

Update AD RMS Config Database using SQL Server Management Studio during Parallels Upgrade

Description:

During an AD RMS parallel upgrade, you need to modify the restored configuration database so that it points to the new database server.

Resolution:

  1. Log on to the AD RMS configuration database server as local Administrator or another user account that is a member of the local Administrators group.
  2. Click Start, point to All Programs, point to Microsoft SQL Server 2012, and then click SQL Server Management Studio.
  3. On the Connect to Server page, ensure that the new database server name is listed in the Server name box, and then click Connect.
  4. Expand Databases, expand DRMS_Config_<RMS cluster name>_<Port>, and then expand Tables.
  5. Right-click DRMS_ClusterPolicies, and then click Open Table.
  6. In the results pane, change the value in the PolicyData column of the LoggingDatabaseServer row to the new RMS database server name.
  7. Change the value in the PolicyData column of the CertificationUserKeyStorageConnectionString row to reflect the new database server. The value should be data source=<new database server name>;integrated, where <new database server name> is the name of the new database server.
  8. Repeat steps 6–7 for the value in the PolicyData column of the DirectoryServicesCacheDatabase row.
  9. Close Microsoft SQL Server Management Studio.
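The same three-row change, as an added PowerShell example (not from the original post) that uses Invoke-Sqlcmd instead of editing cells by hand and reads the rows before and after so the result can be verified. It assumes the SqlServer PowerShell module is installed, the caller has db_owner rights on the restored config database, PolicyData is a string column, and the server and database names are placeholders for your environment.

```powershell
# Added example, not the original post's procedure: steps 6-8 via Invoke-Sqlcmd.
# Assumptions: SqlServer module installed, db_owner on the restored config DB,
# PolicyData is a string column, and the three names below are placeholders.
Import-Module SqlServer

$NewSqlServer = 'NEWSQL01'                          # placeholder: new database server
$OldSqlServer = 'OLDSQL01'                          # placeholder: old database server
$ConfigDb     = 'DRMS_Config_rms_contoso_com_443'  # placeholder: DRMS_Config_<cluster>_<port>

# sqlcmd scripting variables keep the server names out of the SQL text itself
$Vars = @("OldServer=$OldSqlServer", "NewServer=$NewSqlServer")

$Select = @'
SELECT PolicyName, PolicyData
FROM   dbo.DRMS_ClusterPolicies
WHERE  PolicyName IN ('LoggingDatabaseServer',
                      'CertificationUserKeyStorageConnectionString',
                      'DirectoryServicesCacheDatabase');
'@

# Touch only the three rows named in the post, and only where the old name occurs
$Update = @'
UPDATE dbo.DRMS_ClusterPolicies
SET    PolicyData = REPLACE(PolicyData, '$(OldServer)', '$(NewServer)')
WHERE  PolicyName IN ('LoggingDatabaseServer',
                      'CertificationUserKeyStorageConnectionString',
                      'DirectoryServicesCacheDatabase')
  AND  PolicyData LIKE '%$(OldServer)%';
'@

$Common = @{ ServerInstance = $NewSqlServer; Database = $ConfigDb; Variable = $Vars }

'--- before ---'
Invoke-Sqlcmd @Common -Query $Select | Format-Table -AutoSize

Invoke-Sqlcmd @Common -Query $Update

'--- after ---'
$After = Invoke-Sqlcmd @Common -Query $Select
$After | Format-Table -AutoSize

# Fail loudly if any of the three rows still references the old server
$Stale = $After | Where-Object { $_.PolicyData -like "*$OldSqlServer*" }
if ($Stale) {
    throw "Still pointing at ${OldSqlServer}: $($Stale.PolicyName -join ', ')"
}
```

Run it against the restored copy only, never against the production configuration database that the live cluster is still using.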

Active Directory Rights Management Services - Parallels Upgrade

Description:
You have Active Directory Rights Management Services (AD RMS) deployed in your IT environment. You need to upgrade the AD RMS version, the Windows OS and the database to new Windows Server 2019 and SQL Server 2019 machines with minimal downtime and minimal risk.
You decided to do a parallel upgrade.

Resolution:

You would need to perform the following:

  1. Prepare the new Windows 2019 OS and SQL 2019 Databases on different machines. Install all the necessary patches.
  2. Back up the existing AD RMS database.
  3. Restore the AD RMS databases to a new location (new instance, new SQL server, etc.).
  4. The following SQL changes must be made on the restored databases:
    • Database: DRMS_Config
    • Table: DRMS_ClusterPolicies
    • PolicyName entries whose PolicyData value needs to reflect the new SQL connection string information:
      • LoggingDatabaseServer
      • CertificationUserKeyStorageConnectionString
      • DirectoryServicesCacheDatabase
  5. Build a new Windows Server of the desired version for the AD RMS cluster upgrade.
  6. Add the AD RMS role.
  7. When you get to the role configuration, choose the “join an existing cluster” option.
  8. At the SQL database dialog, enter the location of the NEWLY RESTORED SQL database, not the production database currently in use.
  9. Complete the role configuration using all the same settings, service accounts, etc.
  10. Edit the NTFS permissions on the new AD RMS server's "C:\inetpub\wwwroot\_wmcs\certification\ServerCertification.asmx" file so that they match the permissions on the existing AD RMS server.
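For step 10, an added PowerShell example (not from the original post) that compares the NTFS access entries on ServerCertification.asmx between the existing and the new AD RMS server and lists every entry that differs, so the permissions are reproduced exactly rather than eyeballed. It assumes PowerShell remoting (WinRM) is enabled on both servers, the caller is a local administrator on each, and OLDRMS01/NEWRMS01 are placeholder names.

```powershell
# Added example, not the original post's procedure: diff the asmx ACL on both servers.
# Assumptions: WinRM enabled on both, caller is local admin on each,
# OLDRMS01/NEWRMS01 are placeholders.
$AsmxPath = 'C:\inetpub\wwwroot\_wmcs\certification\ServerCertification.asmx'

function Get-AsmxAce {
    param([string]$ComputerName, [string]$Path)
    # Read the ACL on the server itself: local groups such as the AD RMS
    # service group have a different SID on each machine, so only the
    # account name is comparable, and it only resolves locally.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Path -ScriptBlock {
        param($p)
        foreach ($ace in (Get-Acl -Path $p).Access) {
            # Replace this machine's own name in "HOST\Group" with LOCAL so the
            # two servers' local groups line up in the comparison
            $id = $ace.IdentityReference.Value -replace "^$env:COMPUTERNAME\\", 'LOCAL\'
            '{0}|{1}|{2}|{3}|{4}' -f $id, $ace.FileSystemRights, $ace.AccessControlType,
                                     $ace.InheritanceFlags, $ace.PropagationFlags
        }
    }
}

$OldAces = Get-AsmxAce -ComputerName 'OLDRMS01' -Path $AsmxPath
$NewAces = Get-AsmxAce -ComputerName 'NEWRMS01' -Path $AsmxPath

$Diff = Compare-Object -ReferenceObject @($OldAces) -DifferenceObject @($NewAces)
if (-not $Diff) {
    'ACLs match.'
} else {
    foreach ($d in $Diff) {
        # '<=' = only on the old server (missing on new), '=>' = only on the new one
        $where = if ($d.SideIndicator -eq '<=') { 'MISSING on NEWRMS01' } else { 'EXTRA on NEWRMS01' }
        '{0,-20} {1}' -f $where, $d.InputObject
    }
}
```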


Thursday, October 20, 2022

PowerShell Command to Identify Local Admin Account

Description:

You have several local accounts on your computer. One day, you need to find out which one is the real local Administrator account.

Resolution:

You can run the following PowerShell command on the local computer:

Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE and SID like 'S-1-5-%-500'"

Friday, June 3, 2022

Cannot Publish or Missing Certificates Template

Description:

You created a certificate template in your Windows Enterprise CA. However, when you want to publish it, you cannot see the template inside the "Enable Certificate Templates" wizard. All other Certification Authority functions work normally, and you have used an account that has the proper permissions.


Resolution:

Try to use the following command:
Certutil -setcatemplates +templatename


Note: The plus (+) sign is mandatory. Otherwise, it will replace all of the other published templates.
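Because a forgotten "+" replaces the whole published list, here is an added PowerShell wrapper (not from the original post) that always applies the prefix and checks with Get-CATemplate before and after that no previously published template was lost. It assumes the ADCSAdministration module that ships with the CA role is available, that it runs on the CA as a CA administrator, and that the template name is a placeholder.

```powershell
# Added example, not the original post's command: certutil -SetCATemplates
# with the "+" enforced and the published list verified before and after.
# Assumptions: ADCSAdministration module available, run on the CA as a CA
# administrator; 'ContosoWebServer' is a placeholder template name.
Import-Module ADCSAdministration

function Publish-CATemplateSafely {
    param([Parameter(Mandatory)][string]$TemplateName)

    $before = (Get-CATemplate).Name
    if ($before -contains $TemplateName) {
        "'$TemplateName' is already published; nothing to do."
        return
    }

    # Always prepend "+": without it certutil REPLACES the whole list
    certutil -SetCATemplates "+$TemplateName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -SetCATemplates failed with exit code $LASTEXITCODE"
    }

    $after = (Get-CATemplate).Name
    # Every template that was published before must still be published
    $lost = $before | Where-Object { $after -notcontains $_ }
    if ($lost) { throw "Templates disappeared from the CA: $($lost -join ', ')" }
    if ($after -notcontains $TemplateName) { throw "'$TemplateName' was not published" }
    "'$TemplateName' published; $($after.Count) templates now enabled."
}

Publish-CATemplateSafely -TemplateName 'ContosoWebServer'   # placeholder name
```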

Error while creating Windows 2016 Cluster at "Find a suitable Domain Controller"

Description:

You want to create a Windows Server 2016 cluster in a Windows Server 2012 R2 domain. You run the wizard, but it encounters an error and the cluster cannot be created.

During the investigation, you see several error messages such as:
"Check whether the computer object "clustername" for node "hostnameFQDN" exists in the domain. More data is available".

In Event Viewer (after enabling the debug log) you could see:
"Failed to find suitable DC. Error 234"
"Searching for object "clustername" on first choice DC failed. Error 234"
"Couldn't resolve RPC binding to cluster, Status = 1753"

You then run the Cluster Validation wizard, but everything seems to pass. You validated that the AD permissions required for the user account creating the cluster are already met. You also verified that the Group Policy setting "Deny access to this computer from the network" is correct. You checked the network port requirements and verified that all the necessary ports are open.

Resolution:

First, verify the DNS records in your DNS server, especially the records for all of your Domain Controllers. Make sure the zones that Active Directory requires have the correct NS, CNAME, A and SRV records. Remove stale records for old or unknown broken Domain Controllers.

Second, check the application partitions (DomainDnsZones and ForestDnsZones) in your Active Directory. Use ADSI Edit to connect to the application partition and try to browse its content. If you encounter an error, you may need to delete the application partition using NTDSUtil.
You should be able to create the Windows cluster afterwards.
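An added PowerShell check (not from the original post) for both halves of the resolution: it compares the DCs advertised in the _msdcs SRV records with the DCs that actually exist in AD, flags stale or missing records, and then tries to read the DomainDnsZones and ForestDnsZones partition heads, which is where the post turns to ADSI Edit and NTDSUtil. It assumes the ActiveDirectory and DnsClient modules are available and that the caller can read the domain.

```powershell
# Added example, not the original post's procedure: DNS and partition checks.
# Assumptions: ActiveDirectory and DnsClient modules present, caller can read AD.
Import-Module ActiveDirectory

$Domain   = (Get-ADDomain).DNSRoot
$DomainDN = (Get-ADDomain).DistinguishedName
$KnownDCs = (Get-ADDomainController -Filter *).HostName | ForEach-Object { $_.ToLower() }

# 1. Every DC advertised in the _msdcs SRV records must still exist in AD
#    and must have an A record; anything else is a stale record to remove.
$Srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
foreach ($rec in $Srv) {
    $target = $rec.NameTarget.TrimEnd('.').ToLower()
    if ($KnownDCs -notcontains $target) {
        "STALE SRV: $target is advertised as a DC but is not in AD"
        continue
    }
    $a = Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue
    if (-not $a) { "MISSING A: no A record for DC $target" }
}

# 2. Every DC in AD must be advertised; without its SRV record the cluster
#    wizard (like any other client) cannot find that DC.
$Advertised = $Srv.NameTarget | ForEach-Object { $_.TrimEnd('.').ToLower() }
foreach ($dc in $KnownDCs) {
    if ($Advertised -notcontains $dc) { "NOT ADVERTISED: $dc has no _msdcs SRV record" }
}

# 3. The DomainDnsZones and ForestDnsZones partition heads must be readable;
#    a failure here is the case where the post resorts to ADSI Edit / NTDSUtil.
$ForestDN = (Get-ADRootDSE).rootDomainNamingContext
foreach ($part in @("DC=DomainDnsZones,$DomainDN", "DC=ForestDnsZones,$ForestDN")) {
    try {
        $null = Get-ADObject -Identity $part -Properties objectClass -ErrorAction Stop
        "OK: $part is readable"
    } catch {
        "ERROR: cannot read $part ($($_.Exception.Message))"
    }
}
```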
