azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from GURU-5070 at 2026-06-13 20:21:10

Browse Source 
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-13 20:21:10
This commit is contained in:
Mike Swanson
2026-06-13 20:21:37 -07:00
parent 609a6acaf2
commit f7045ecda1
3 changed files with 261 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
.tmp-xen-token.py Normal file
View File

@@ -0,0 +1,18 @@
import os, paramiko
host="192.168.0.104"; user="root"; pw=os.environ["XEN_PW"]
c=paramiko.SSHClient(); c.set_missing_host_key_policy(paramiko.AutoAddPolicy())
c.connect(host, username=user, password=pw, timeout=20,
disabled_algorithms={'pubkeys': ['rsa-sha2-256','rsa-sha2-512']},
look_for_keys=False, allow_agent=False)
def run(cmd):
i,o,e=c.exec_command(cmd,timeout=60); return (o.read().decode(errors="replace")+e.read().decode(errors="replace")).strip()
# Generate a temporary XenAPI session ref for the HTTP export (avoids putting root pw in the RMM command log)
pyc = (
"import XenAPI;"
"s=XenAPI.Session('https://localhost');"
"s.login_with_password('root', __import__('os').environ['XPW'], '1.0', 'g-migration');"
"print(s._session)"
)
out=run(f"XPW='{pw}' python -c \"{pyc}\"")
print("SESSION_REF:", out)
c.close()

72
clients/peaceful-spirit/AD-DC2-REBUILD-RUNBOOK.md Normal file
View File

@@ -0,0 +1,72 @@
# Peaceful Spirit — PST-SERVER2 evict + re-promote runbook
**Created:** 2026-06-13 by Mike Swanson (GURU-5070)
**Why:** PST-SERVER2 is a past-tombstone-lifetime DC. AD replication dead both directions
(err 8614 "exceeded tombstone lifetime"; err 0x8009030C broken secure channel). SYSVOL +
data DFS-R in State 5 (InError), stale 200-224 days. A past-TSL DC must NOT be allowed to
resume replication (lingering-object reanimation risk). So: evict SERVER2, metadata-clean,
re-promote fresh.
**Authoritative/healthy DC:** PST-SERVER (192.168.0.2) — holds ALL 5 FSMO. Server 2016
Essentials. Domain PEACEFULSPIRIT.local (Win2016 functional level).
**DC to rebuild:** PST-SERVER2 (192.168.1.127, NW site) — Server 2019 Standard, additional DC only.
**Execution channel:** GuruRMM (SYSTEM context). PST-SERVER `87293069-33b6-45e8-a68f-6811216cdb96`,
PST-SERVER2 `5d2d7ba0-3903-4aa3-9e97-6ca4424ffe65`. Domain admin = `sysadmin` (vault:
clients/peaceful-spirit/server.sops.yaml). NOTE: promotion needs Domain Admin creds passed in
the RMM command — that password lands in RMM command_text/history (internal). Consider rotation
after if RMM DB exposure is a concern.
---
## Gates (confirm with Mike before each)
### Gate 0 — Pre-flight + safety backup (SAFE: read-only + backup)
- Confirm PST-SERVER is a Global Catalog. (If SERVER2 were the only GC, must GC-flag SERVER first.)
- Confirm all 5 FSMO on PST-SERVER (done: yes).
- dcdiag focused (Advertising/FSMOCheck/Services) on PST-SERVER — must be clean.
- Enable Strict Replication Consistency on PST-SERVER (protective; reg key) — *change, but safe/recommended*.
- BACK UP authoritative SYSVOL: robocopy `C:\Windows\SYSVOL\domain\Policies` -> `C:\PST-Backup\SYSVOL-Policies`
and `Backup-GPO -All`. Insurance before any AD change.
### Gate 1 — Force-demote PST-SERVER2 (DESTRUCTIVE to SERVER2; reboots SERVER2)
- On SERVER2: `Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole -Force
-LocalAdministratorPassword <new, vaulted>` (graceful demote impossible — replication dead).
- SERVER2 becomes a member/standalone server and reboots. Blast radius = SERVER2 only.
- Risk: AD changes made ONLY on SERVER2 during isolation are lost (already stranded; PDC authoritative).
### Gate 2 — Metadata cleanup on PST-SERVER (DESTRUCTIVE to AD metadata for SERVER2)
- Remove SERVER2 NTDS Settings / server object (ntdsutil metadata cleanup, or Remove-ADObject of the
NTDS Settings object with -Credential domain admin).
- Remove SERVER2 from AD Sites & Services (NW site server object).
- DNS cleanup: SERVER2 host A, _msdcs CNAME/GUID, NS records, SRV records.
- DFSR cleanup: remove SERVER2 member from "Domain System Volume" (SYSVOL) and "PST-DFS" groups.
- Verify: `repadmin /viewlist *` shows only PST-SERVER; dcdiag clean.
### Gate 3 — Re-promote PST-SERVER2 (re-introduces a DC)
- Ensure SERVER2 DNS points to PST-SERVER (192.168.0.2) primary. (Currently 192.168.0.2,192.168.1.5,8.8.8.8,1.1.1.1.)
- `Install-ADDSDomainController -DomainName PEACEFULSPIRIT.local -Credential <DA> -InstallDns
-SiteName NW -SafeModeAdministratorPassword <new, vaulted>` — fresh promotion.
- SYSVOL initializes clean via DFSR initial sync from PST-SERVER (no D2/D4 needed).
- Verify: repadmin /replsummary 0% fails; SYSVOL+NETLOGON shared on SERVER2; dcdiag clean;
GPO count matches SERVER (11).
### Gate 4 — Rebuild data DFS-R (deferred — separate decision)
- Provision SERVER2 data volume (shrink C: / add disk / folder-on-C: — TBD after G: cleanup + sizing).
- Recreate `Shares` folder target on SERVER2 + re-establish PST-DFS replication.
- Add PST-SERVER2 as 2nd namespace ROOT target (namespace HA for VPN-outage resilience).
- Confirm backlog drains to 0.
### Gate 5 — G: cleanup on PST-SERVER (separate)
- ~160 GB candidates: G:\Windows (32), G:\Program Files (x86) (13), G:\ProgramData (10),
G:\Users (51), G:\$Recycle.Bin (5.6), VSS in System Volume Information (~46). Confirm junk first.
- D: recovery junk (~700 GB): Recovery-EXT, Recovery2019, "Unknown folder" — confirm before delete.
---
## Rollback notes
- Gate 0 changes (strict consistency reg) are trivially reversible.
- After Gate 1 demotion, SERVER2 is a plain member server — re-promotion (Gate 3) restores it.
No rollback needed for the eviction itself; the domain runs fine on PST-SERVER alone meanwhile.
- The SYSVOL/GPO backup from Gate 0 is the restore point if PST-SERVER's SYSVOL were ever harmed
(it should not be touched by this procedure).

171
clients/peaceful-spirit/session-logs/2026-06/2026-06-13-mike-pst-server2-dc-rebuild-and-g-cleanup.md Normal file
View File

@@ -0,0 +1,171 @@
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin
## Session Summary
Resumed the Peaceful Spirit multi-site AD+DFS work from the 2026-06-11 plan. Read-only recon
(via GuruRMM) revealed the environment was far past the plan baseline AND broken: PST-SERVER2
had already been promoted as a second DC with DFS roles ~200+ days ago, then the site
disconnected for ~7 months. PST-SERVER2 was a **past-tombstone-lifetime DC** — AD replication
dead both directions (err 8614 "exceeded tombstone lifetime", err 0x8009030C broken secure
channel), SYSVOL DFSR stale 224 days (Event 4012), data DFS-R (`PST-DFS`/`Shares`) stale 200
days, and its DFS-R data target drive (a dynamic disk holding `D:\Shares`) was physically
**missing** (`diskpart` showed "Disk M0 Missing"). A past-TSL DC must never resume replication
(lingering-object reanimation risk), so the plan shifted from "fix SYSVOL" to **evict + rebuild
SERVER2**.
Executed a gated runbook (`clients/peaceful-spirit/AD-DC2-REBUILD-RUNBOOK.md`): Gate 0 pre-flight
+ SYSVOL/GPO backup; Gate 1 force-demote PST-SERVER2; Gate 2 metadata cleanup on PST-SERVER; an
authoritative **D4 SYSVOL restore** on PST-SERVER; Gate 3 re-join + re-promote PST-SERVER2 as a
fresh DC, then a **D2 non-authoritative SYSVOL sync** to fix its stale leftover DFSR database.
End state: **two healthy DCs**, AD replication 0 errors both directions, SYSVOL DFSR State 4
Normal on both (11 GPOs each), both GC, both advertising as logon servers. The 224-day-broken AD
is fully repaired and NW now has a local DC surviving a VPN outage.
Then did Gate 5 — **G: cleanup on PST-SERVER**. Investigation showed G: is the OLD server's
former C: drive (live OS runs from C:; everything OS-related on G: dated 2009-2018, profiles named
`*.NEWSERVER`). Deleted the entire dead old-OS install (~99 GB: Windows, Users, Program Files*,
ProgramData, $Recycle.Bin, 13 misc folders) using takeown + robocopy-mirror for
TrustedInstaller-protected files, and bounded G: VSS shadow storage from UNBOUNDED to 25 GB
(trimmed 41 GB -> 9.6 GB). G: free went **51 GB -> 182 GB** (~131 GB reclaimed). Live data
(`G:\Shares`, `ServerFolders`, `System Volume Information`) untouched.
Gate 4 (data DFS-R rebuild + SERVER2 data-volume decision) and several follow-ups remain.
## Key Decisions
- **Evict + rebuild SERVER2 (not repair).** Past tombstone lifetime -> resuming replication risks
lingering-object reanimation. Force-demote -> metadata cleanup -> clean re-promote sidesteps the
whole stale-AD/SYSVOL mess. Safe because PST-SERVER holds ALL 5 FSMO + is GC; SERVER2 was only
an additional DC.
- **D4 authoritative on PST-SERVER, D2 non-authoritative on SERVER2.** PST-SERVER's SYSVOL was
State 5 (InError) from the old 4012; D4 made it the authoritative source. After re-promotion,
SERVER2's SYSVOL hit 4012 again from a **leftover DFSR database** from its prior DC life -> D2
forced it to discard the stale DB and re-sync fresh.
- **Forced-removal method.** `Uninstall-ADDSDomainController -ForceRemoval` is blocked by a
non-skippable test (General.21) while the DC is a DNS server + GC. Fix: clear the GC flag
(nTDSDSA options=0) and uninstall the DNS role (reboot), THEN force-remove. `-SkipPreChecks` /
`-Force` / `-Confirm:$false` do NOT bypass General.21.
- **AD writes need DA creds via FQDN.** Agent SYSTEM context can't do metadata cleanup. Use
`-Credential sysadmin -Server PST-SERVER.PEACEFULSPIRIT.local` (FQDN, valid SPN). `-Server
localhost` fails with a Kerberos SPN error; WinRM loopback with creds also failed.
- **G: cleanup confirmed as old-OS drive.** Live OS on C:; G: = old server's C: (2009-2018 dates,
`*.NEWSERVER` profiles). Deleted whole old OS; kept Shares/ServerFolders/SVI. Bounded VSS rather
than clearing (keep recent Previous-Versions history).
## Problems Encountered
- **`get-field` dot-notation bug:** `vault.sh get-field clients/peaceful-spirit/server credentials.password`
returned the literal string **"null"** -> every DA attempt sent password "null" -> auth rejected
(~6 bad attempts; harmless, domain LockoutThreshold=0). Real password `r3tr0gradE99!` was read
from the full `vault.sh get`. **Use full `get` (or verify the field path) for nested creds.**
- **PowerShell-over-RMM quoting traps (recurring):** scripts are wrapped in bash single quotes, so
(a) can't use single quotes inside (property names like `$obj."prop"` must use double quotes),
(b) `\"` over-escaping breaks `-join`, (c) `$g:` parsed as a drive ref -> use `${g}`. Several
commands failed to parse (no-ops) until fixed.
- **`Uninstall-ADDSDomainController` parameter-set / General.21** — see Key Decisions.
- **AV grabbed mingw curl** ("curl: Permission denied") intermittently; Mike disabled AV.
- **SERVER2 slow reboots** — DNS-role removal + DC promotion finalize add several minutes to boot;
RMM `last_seen` gave false "online" before the real reboot took hold (verify actual state, not
just the timestamp).
- **dcdiag SysVolCheck/NetLogons failed** right after SYSVOL init -> fixed by `Restart-Service
Netlogon` (re-advertise).
- **Stubborn OS files** survived `rd /s /q` even after takeown -> robocopy-mirror-from-empty +
`rd` cleared them.
- **Free-space readout bug:** WMI filter `DeviceID=''G:''` (doubled quotes) returned 0; used
`(Get-PSDrive G).Free` / `Get-Volume` instead.
## Configuration Changes
AD / DC (domain PEACEFULSPIRIT.local, via GuruRMM):
- PST-SERVER: SYSVOL backup -> `C:\PST-Backup\SYSVOL-Policies-20260613-1611`; GPO backup ->
`C:\PST-Backup\GPO-20260613-1611` (11 GPOs). Strict Replication Consistency already =1.
- PST-SERVER: **D4 authoritative SYSVOL restore** (msDFSR-Enabled FALSE+options=1, then TRUE) ->
Event 4602, SYSVOL State 4.
- PST-SERVER: metadata cleanup of PST-SERVER2 (server object + NTDS Settings + computer account
removed; DNS A/NS/CNAME/7xSRV removed in both zones).
- PST-SERVER2: cleared GC flag (nTDSDSA options 1->0); uninstalled DNS Server role; force-removed
AD DS (became WORKGROUP member); re-joined PEACEFULSPIRIT.local; **re-promoted** as DC (site NW,
InstallDns, GC); **D2 non-authoritative SYSVOL sync** (Event 4604) -> State 4, 11 GPOs, SYSVOL+
NETLOGON shared; Netlogon restarted (dcdiag green); DNS client set to 192.168.0.2.
- PST-SERVER: **G: cleanup** — deleted old-OS dirs (Windows, Users, Program Files, Program Files
(x86), ProgramData, $Recycle.Bin, MSOCache, v12, v13, RAPID, 8x8, Brother, Intel, inetpub,
Support, BackupTemp, Documents and Settings, $WINDOWS.~BT). VSS shadow storage for G: resized
to maxsize=25GB. G: free 51 -> 182 GB.
Repo / vault:
- Created `clients/peaceful-spirit/AD-DC2-REBUILD-RUNBOOK.md`.
- Vault: created `clients/peaceful-spirit/server2.sops.yaml` with `local_admin_password` and
`dsrm_password` (see below). **Pending publish** via sync.
## Credentials & Secrets
- **PST domain admin:** `PEACEFULSPIRIT\sysadmin` / `r3tr0gradE99!` (vault
`clients/peaceful-spirit/server`, field `credentials.password`). NOTE the get-field dot bug above.
- **PST-SERVER2 new local admin + DSRM:** generated this session, stored in vault
`clients/peaceful-spirit/server2` (`local_admin_password`, `dsrm_password`). Values are in the
vault only (not pasted here per policy); entry is **not yet pushed** to Gitea.
- **[WARNING] DA password exposure:** the sysadmin password was passed (base64-wrapped) in RMM
command_text for the cleanup/D4/D2/promote/join commands, so it is recoverable from the GuruRMM
command history/DB. RMM is internal; consider rotating `sysadmin` if RMM DB exposure is a concern.
## Infrastructure & Servers
- Domain **PEACEFULSPIRIT.local** (NetBIOS PEACEFULSPIRIT? -> uses PEACEFULSPIRIT\). Win2016
domain/forest functional level. LockoutThreshold=0 (lockout disabled).
- **PST-SERVER** — 192.168.0.2, site **CC**, holds all 5 FSMO, GC, DNS, Server 2016 Essentials.
GuruRMM `87293069-33b6-45e8-a68f-6811216cdb96` (v0.6.66). G: 465.7 GB (182 GB free post-cleanup);
C: 931 GB; D: 931 GB (Recovery-EXT/Recovery2019/"Unknown folder" ~700 GB of old backup junk).
- **PST-SERVER2** — 192.168.1.127 (DHCP), site **NW**, GC, DNS, Server 2019 Standard. GuruRMM
`5d2d7ba0-3903-4aa3-9e97-6ca4424ffe65` (v0.6.66). Single 1 TB NVMe (Crucial P2), C: only (no
D:); old dynamic data disk is MISSING.
- AD Sites & Services (pre-existing, correct): sites CC + NW; subnets 192.168.0.0/24 -> CC,
192.168.1.0/24 -> NW. S2S VPN between sites is UP (389/445/135/88 reachable SERVER2->SERVER).
- DFS namespace `\\PEACEFULSPIRIT.local\PST-Files` -> folder `Shares` (root target only on
PST-SERVER). DFS-R group `PST-DFS` replicated `Shares` (G:\Shares <-> D:\Shares) — currently
broken/stale, to be rebuilt at Gate 4.
- Business data on PST-SERVER `G:\Shares`: Private ~154 GB, Scanned ~105 GB, ITServices ~5 GB
(~265 GB). A service `SshWiaRestart` runs from `G:\Shares\ITServices\...` (Fujitsu scanner).
## Commands & Outputs
- Tombstone evidence: `repadmin /replsummary` -> 8614 / 0x8009030C, 100% fails (pre-rebuild).
- Force-demote (after clearing GC + DNS role): `Uninstall-ADDSDomainController -ForceRemoval
-LocalAdministratorPassword <pw> -NoRebootOnCompletion -Force` -> Status=Success.
- Metadata cleanup: `Remove-ADObject -Recursive -Server PST-SERVER.PEACEFULSPIRIT.local -Credential
$cred` on `CN=PST-SERVER2,CN=Servers,CN=NW,CN=Sites,...` + computer object; DNS via
`Remove-DnsServerResourceRecord`.
- D4/D2: `Set-ADObject <SYSVOL Subscription DN> -Replace @{ "msDFSR-Enabled"=$false/$true;
"msDFSR-options"=1 (D4 only) }` + `net stop/start dfsr` + `dfsrdiag pollad`. Events 4114 -> 4602
(D4) / 4614 -> 4604 (D2).
- Re-promote: `Install-ADDSDomainController -DomainName PEACEFULSPIRIT.local -Credential $cred
-SafeModeAdministratorPassword $dsrm -SiteName NW -InstallDns -Force -NoRebootOnCompletion`.
- Final health: `repadmin /replsummary` 0/5 fails both DCs; dcdiag PST-SERVER2 passed
Advertising/SysVolCheck/NetLogons after `Restart-Service Netlogon`.
- G: cleanup: takeown /f <dir> /r /d y; icacls grant; robocopy <empty> <dir> /MIR; rd /s /q.
`vssadmin resize shadowstorage /for=G: /on=G: /maxsize=25GB`.
## Pending / Incomplete Tasks
- **Gate 4 — data DFS-R rebuild:** decide PST-SERVER2 data volume (shrink C: / add disk /
folder-on-C:), recreate `Shares` folder target on SERVER2, re-establish PST-DFS replication,
and ADD PST-SERVER2 as a 2nd **namespace root target** (namespace HA for VPN-outage). Clean the
orphaned PST-DFS member left from metadata cleanup.
- **PST-SERVER2 static IP** — currently DHCP 192.168.1.127; DCs should be static (dcpromo warned).
- **Stale DNS tidy:** extra `192.168.1.5` A record for PEACEFULSPIRIT.local; `.240` RRAS-pool
registration on PST-SERVER. Identify what 192.168.1.5 is (a resolver in SERVER2's DNS list).
- **Vault publish:** push `clients/peaceful-spirit/server2.sops.yaml` (handled by this save's sync).
- **Optional:** rotate `sysadmin` (RMM command_text exposure); clean D: backup junk on PST-SERVER
(~700 GB) if not needed; remove `C:\PST-Backup\*` once rebuild confirmed stable.
- **Wiki:** update `wiki/clients/peaceful-spirit.md` (now 2 DCs; SERVER2 rebuilt; G: cleaned).
## Reference Information
- Runbook: `clients/peaceful-spirit/AD-DC2-REBUILD-RUNBOOK.md`.
- Backups on PST-SERVER: `C:\PST-Backup\SYSVOL-Policies-20260613-1611`, `C:\PST-Backup\GPO-20260613-1611`.
- Vault: `clients/peaceful-spirit/server` (DA), `clients/peaceful-spirit/server2` (new local admin+DSRM).
- GuruRMM agents: PST-SERVER `87293069-33b6-45e8-a68f-6811216cdb96`; PST-SERVER2
`5d2d7ba0-3903-4aa3-9e97-6ca4424ffe65`. RMM API `http://172.16.3.30:3001`.
- KB 2218556 (authoritative/non-authoritative DFSR SYSVOL D4/D2).