Failover clustering validation report error: Validate Active Directory Configuration - windows-server-2016

I am deploying failover clustering on Windows Server 2016 Enterprise.
When I validate the configuration, the failover cluster validation reports an error
at System Configuration > Validate Active Directory Configuration.
This is the error message:
Connectivity to a writable domain controller from node EC2AMAZ-AER2HV3.ccdomain.net could not be determined because of this error: Could not get domain controller name from machine EC2AMAZ-AER2HV3.
Node(s) EC2AMAZ-AER2HV3.ccdomain.net cannot reach a writable domain controller. Please check connectivity of these nodes to the domain controllers.
Node(s) EC2AMAZ-AER2HV3.ccdomain.net, EC2AMAZ-PCQP28E.ccdomain.net cannot reach a writable domain controller. Please check connectivity of these nodes to the domain controllers.
I have 1 domain controller and 2 member servers (joined to the domain and logged in with a domain user).
Can anyone help me?
Thank you

In the Cluster Validation, my error was:
Connectivity to a writable domain controller from node p2.xdba.exagriddba.com could not be determined because of this error: Could not get domain controller name from machine p2.
Solution:
Server Manager
Local Server
Click on one of the network adapter links, like "Ethernet".
Control Panel\Network and Internet\Network Connections
Right click on the first network adapter
Internet Protocol Version 4 (TCP/IPv4)
Properties
Advanced
DNS
Click radio button:
Append primary and connection specific DNS suffixes
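The GUI procedure above can be checked and applied from PowerShell. The following is an added example, not part of the original answer; it assumes the domain ccdomain.net and the two node names from the question, that PowerShell remoting (WinRM) is enabled on both nodes, and that it runs from an elevated domain session. It issues the same locator query the validation test depends on (nltest /dsgetdc with /writable), shows each node's DNS suffix configuration, clears any explicit suffix search list (an empty list is what the "Append primary and connection specific DNS suffixes" radio button writes), and then re-runs only the System Configuration validation category.

```powershell
# Added example, not from the original answer. Assumptions: domain ccdomain.net and the
# node names from the question; WinRM enabled on both nodes; run elevated as a domain user.
$Domain = 'ccdomain.net'
$Nodes  = 'EC2AMAZ-AER2HV3', 'EC2AMAZ-PCQP28E'

$Check = {
    param($Domain)
    $r = [ordered]@{ Node = $env:COMPUTERNAME }

    # 1. Ask the DC locator for a *writable* DC. This is the lookup behind the
    #    "Could not get domain controller name" message in the validation report.
    $nl = & nltest.exe /dsgetdc:$Domain /writable /force 2>&1
    $r.WritableDC = if ($LASTEXITCODE -eq 0) {
        (($nl | Select-String -Pattern 'DC:\s*(\S+)' | Select-Object -First 1).Matches[0].Groups[1].Value)
    } else {
        "FAILED: $(($nl | Out-String).Trim())"
    }

    # 2. Can the node resolve the DC SRV records with its current DNS client settings?
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
    $r.SrvTargets = ($srv | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ', '

    # 3. Suffix handling. A populated SuffixSearchList means "Append these DNS suffixes
    #    (in order)" is selected and the primary suffix is no longer appended.
    $g = Get-DnsClientGlobalSetting
    $r.PrimarySuffix    = (Get-CimInstance Win32_ComputerSystem).Domain
    $r.SuffixSearchList = $g.SuffixSearchList -join ', '
    $r.UseDevolution    = $g.UseDevolution
    $r.DnsServers       = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                           Where-Object ServerAddresses | ForEach-Object ServerAddresses) -join ', '
    [pscustomobject]$r
}

Invoke-Command -ComputerName $Nodes -ScriptBlock $Check -ArgumentList $Domain |
    Format-List Node, WritableDC, SrvTargets, PrimarySuffix, SuffixSearchList, UseDevolution, DnsServers

# Scripted equivalent of the GUI fix: clear the explicit list so the primary and
# connection-specific suffixes are appended again, then drop cached negative answers.
Invoke-Command -ComputerName $Nodes -ScriptBlock {
    Set-DnsClientGlobalSetting -SuffixSearchList @()
    Clear-DnsClientCache
}

# Re-run only the category that failed instead of the whole validation wizard.
Test-Cluster -Node $Nodes -Include 'System Configuration'
```

If WritableDC shows FAILED while SrvTargets is populated, the nodes can resolve the records but the locator still cannot reach a DC, which points at network or firewall rather than DNS suffix configuration; if both are empty, fix name resolution first.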

This is expected in multi-site clusters and can be ignored.
https://support.microsoft.com/en-us/help/4025260/cluster-validation-test-fails-for-multi-site-cluster

Related

Wildfly 12 - EJB invocations from remote servers under domain controller (Elytron)

I am following the instructions from this link: https://developer.jboss.org/people/fjuma/blog/2017/09/08/getting-started-with-ejbs-and-elytron-part-2
I am trying to replicate those configurations under a domain controller, but without success.
I have two server groups, one being a client of the other. But the servers of server group "B" are still unable to look up the remote EJB from the servers of server group "A".
I tried to configure the servers with jboss-cli.sh from the domain controller, applying the configurations to the corresponding profiles.
Ex:
From Domain Controller's jboss-cli.sh:
/profile=my-custom-profile-full-ha/subsystem=elytron/authentication-configuration=ejb-auth-config:add(authentication-name=ejb, credential-reference={clear-text="ejbejb"})
and so on...
The socket-binding-group is defined at domain.xml as well.
But my client server is still getting errors when looking up the remote EJB.
Is there any other configuration for servers running under a domain controller to get remote invocations working?
The error:
javax.ejb.NoSuchEJBException: EJBCLIENT000079: Unable to discover destination for request for EJB StatelessEJBLocator for "/portal/SampleEJB", view is interface my.company.ejb.interfaces.SampleEJBRemote, affinity is None
Thanks!

Clustered BizTalk SSO configuration error

While configuring the clustered SSO on the second server, I got an error while running the command:
C:\Program Files\Common Files\Enterprise Single Sign-On>ssoconfig -restoresecret SSOSecret.bak
Password : *******
Confirm Password : *******
The error is:
Could not contact the SSO server ''. Check that SSO is
configured and that the SSO service is running on that server. (RPC:
0x800706D9: There are no more endpoints available from the endpoint
mapper.)
The architecture is the following:
A windows Failover Cluster, with two nodes, each with BizTalk Server
A second Windows Failover Cluster, with two nodes, each with SQL Server. AlwaysOn is enabled.
The SSO DB belongs to an availability group.
The error occurs when trying to restore the secret on the second node.
The SSO is installed on the SQL Server cluster. I configured the SSO (BizTalk Configuration tool) on the two nodes. On the first, I created the SSO group; on the second, I joined the group.
I configured the cluster resource by selecting "Use Network Name for computer name", but I still get the same error while restoring the secret.
There are a few things you'll need to do at some point.
You run -restoresecret with the MSS running on that node.
The Enterprise Single Sign-On Service resource needs a dependent Network Name.
The Use Network Name as computer name box must be checked.
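The three requirements above can be checked and set from PowerShell with the FailoverClusters module. This is an added example, not from the original answer; the resource names 'Enterprise Single Sign-On Service' and 'SSO Network Name' are assumptions and should be replaced with the names shown in Failover Cluster Manager. The "Use Network Name for computer name" checkbox is stored as the UseNetworkName private property of a Generic Service resource.

```powershell
# Added example, not from the original answer. Resource names are assumptions; take the
# real ones from Failover Cluster Manager or Get-ClusterResource.
Import-Module FailoverClusters
$SsoResource = 'Enterprise Single Sign-On Service'
$NetName     = 'SSO Network Name'

$res = Get-ClusterResource -Name $SsoResource
"Resource '$($res.Name)' type=$($res.ResourceType) state=$($res.State) owner=$($res.OwnerNode.Name)"

# Requirement: the SSO service resource depends on a Network Name resource.
$dep = Get-ClusterResourceDependency -Resource $SsoResource
"Current dependency expression: '$($dep.DependencyExpression)'"
if ($dep.DependencyExpression -notmatch [regex]::Escape("[$NetName]")) {
    Add-ClusterResourceDependency -Resource $SsoResource -Provider $NetName
}

# Requirement: "Use Network Name for computer name" is checked. For a Generic Service
# resource this is the private property UseNetworkName (1 = checked).
$useNN = ($res | Get-ClusterParameter -Name UseNetworkName).Value
"UseNetworkName = $useNN"
if ($useNN -ne 1) {
    $res | Set-ClusterParameter -Name UseNetworkName -Value 1
    # Private property changes apply when the resource next comes online.
    $res | Stop-ClusterResource
    $res | Start-ClusterResource
}

# Requirement: ssoconfig -restoresecret runs where the SSO service is actually online,
# i.e. on the node that owns the resource right now, not on an arbitrary node.
$res = Get-ClusterResource -Name $SsoResource
"Run  ssoconfig -restoresecret SSOSecret.bak  on node $($res.OwnerNode.Name) (state: $($res.State))"
```

With UseNetworkName set, the service sees the cluster network name as its computer name, which is what ssoconfig then uses as the SSO server name instead of the physical node.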

Multiple Default Website IIS

Right now, I have my default website on my server. Here are the binding details:
Port : 80
HostName : (Blank)
IP Address: *
And then my custom Application
Port : 80
Hostname : myPortal.com
IP Address : *
If I browse my application with myPortal.com, it comes up fine and I don't have any issues. Here is the problem. For application availability purposes, I have four failover servers and the application is configured in the same way on each server.
If I want to browse my application with the server name in order to find out when one of the servers is having issues, I'm not able to do it.
Say, for example, if I browse myPortal.com, it works, but if I want to browse myserverA.com, it goes to the default website.
Approach 1 which I tried:
To overcome this issue, I made the host name field blank for my custom application and updated it with localhost for the IIS Default Web Site.
Doubt 1:
It served my purpose, but I'm afraid that if I have to host one more application on the server's default port, I will get into trouble. Is there any better approach to solve this issue?
Approach 2 which I tried:
I left the host name blank for the Default Web Site, kept myPortal.com for my custom application, and then edited the IP address field for my custom application. I changed the IP address from "All Unassigned" to the server's IP address.
Doubt 2:
It served my purpose of browsing my application with myPortal.com and myServer.com, but what is the impact of changing the IP from "All Unassigned" to a specific address?
Also, in future, if I host one more application on the default port with a different host name, how would I access that server with the server name or IP?
That's exactly what's desired.
To access a certain site with a host name on a specific server, you can modify the hosts file, add an entry for the host name and point it to the IP of the target server. Then in your browser you can access it correctly.
Here is the solution which finally worked out
In the custom application, under Edit Bindings, add one more binding.
Leave the hostname blank for the new binding. Add a port number other than 8080.
It helped to solve the issues below:
I'm able to access my custom application through myportal.com, and
also, in scenarios when I have an issue with one of the shared servers,
I can try accessing each server's site individually through
serverNameA:port
So in future, if I want to host one more application on the default port, I have to register a new host name for that server and will add one more additional binding for browsing with the server name.
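The extra binding described above can be created and checked with the IIS WebAdministration module. This is an added example, not the poster's own steps; the site name MyPortal, the host name myPortal.com and the spare port 8081 are assumptions. It also reports any ip:port:hostheader triple shared by two sites, since two sites bound to the same triple cannot both start, which is the constraint that rules out a second blank-host-header binding on *:80 alongside the Default Web Site.

```powershell
# Added example, not from the original post. Assumptions: IIS site name 'MyPortal',
# host name myPortal.com, spare port 8081; WebAdministration module (IIS 7+).
Import-Module WebAdministration
$Site     = 'MyPortal'
$HostName = 'myPortal.com'
$NodePort = 8081

# Binding 1: the shared host-header binding on *:80, identical on every farm node.
if (-not (Get-WebBinding -Name $Site -Protocol http -Port 80 -HostHeader $HostName)) {
    New-WebBinding -Name $Site -Protocol http -IPAddress '*' -Port 80 -HostHeader $HostName
}

# Binding 2: blank host header on a separate port, so each node answers directly at
# http://<servername>:8081/ without taking *:80 with a blank host header away from
# Default Web Site.
if (-not (Get-WebBinding -Name $Site -Protocol http -Port $NodePort)) {
    New-WebBinding -Name $Site -Protocol http -IPAddress '*' -Port $NodePort
}

Get-WebBinding -Name $Site | Format-Table protocol, bindingInformation -AutoSize

# Two sites that share the same ip:port:hostheader triple cannot both be started;
# report any such collision across all sites on this server.
Get-WebBinding |
    Group-Object -Property bindingInformation |
    Where-Object Count -gt 1 |
    ForEach-Object { "Conflicting binding '$($_.Name)' used by $($_.Count) sites" }

# Probe this node by its own name on the node port (the firewall must allow it).
$uri = "http://$($env:COMPUTERNAME):$NodePort/"
(Invoke-WebRequest -Uri $uri -UseBasicParsing).StatusCode
```

The per-node port is only a health-check entry point; the load-balanced name stays on port 80, so users never see the extra port.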

BizTalk SSO Configuration - There are no more endpoints available from the endpoint mapper

I have a two-node BTS2010 group with a separate SQL Server hosting the BTS databases, including SSODB: Biz01, Biz02 and Sql01. This environment was configured by a previous employee and I have no documentation available.
There seems to be something not right with the SSO config, but I'm not sure how to resolve it.
When I run ssoconfig -status on Biz02 all looks good; it tells me that the SSO Server is Biz02 and the SQL Server is Sql01, plus a load of other stuff. However, when I run the same command on Biz01 I get the message: "Error 0xC0002A0F: Could not contact the SSO server 'Sql01'. Check that SSO is configured and that the SSO service is running on that server".
I'm not clear on what Biz01 is trying to do here. Is it trying to reach the ENTSSO Windows service on Biz02 via an RPC call, before ultimately attempting to retrieve config info from Sql01?
I have checked that the ENTSSO service is running on Biz01, Biz02 and that the RPC service is running on each of the three servers.
Can anyone help advise what further steps I can take to determine the root cause of this configuration problem?
Many thanks
Rob.
I'm not sure if you have your servers clustered or not, but I've run into something similar before within a cluster. Your SSO name should be your network name and not the individual computer's name. Here's a post about the issue I had. Hope it helps.

How to connect to AD LDS over SSL? Dealing with "The server is not operational" error

I am trying to connect to an instance of Active Directory Lightweight Directory Services 2008 R2 over a secured SSL connection from a .NET 4 web service, and I'm getting a "The server is not operational." error.
I am using a user which was created using the ADSI Editor and placed in the Administrator Role.
I am able to login/connect via ADSI editor with this user using SSL and simple binding, and
I can connect with the web service using the same user credentials but using the non-SSL port.
I am using the distinguished name and
the user is definitely not inactive.
Here is the code that I use to bind:
using System.DirectoryServices;   // System.DirectoryServices.dll

// LDAPS (port 636) path to the AD LDS partition. SecureSocketsLayer on its own means a
// simple bind (DN + password) over SSL, the same mode ADSI Edit was using.
DirectoryEntry entry = new DirectoryEntry("LDAP://2.2.2.2:636/DC=nfa,DC=local");
entry.Username = "CN=ldapadmin,DC=nfa,DC=local";
entry.Password = "P#ssw0rd";
entry.AuthenticationType = AuthenticationTypes.SecureSocketsLayer;
I have tried it like this as well:
DirectoryEntry entry2 = new DirectoryEntry("LDAP://2.2.2.2:636/DC=nfa,DC=local", "CN=ldapadmin,DC=nfa,DC=local", "P#ssw0rd", AuthenticationTypes.SecureSocketsLayer);
The server needs an SSL certificate installed that meets the documented requirements. Test connectivity with LDP. You will need to connect using the fully qualified domain name of the machine. Replace the IP address above with the FQDN and you should be all set.
As @ColinBowern mentions, you need to provide the Fully Qualified Domain Name (FQDN) instead of the IP, since the certificate was issued to the FQDN.
First, verify that the certificate registered with AD LDS on the remote machine is correctly installed:
Run certmgr.
Verify the Certificate Authority (CA) that issued the certificate exists in the Trusted Root Certification Authority\Certificates store.
Verify the certificate exists in the Personal\Certificates store with the correct FQDN (the domain name of the remote machine), issued by the above CA and of type "Server Authentication".
Second, the FQDN might not resolve correctly to the remote machine due to a DNS registration error. Verify that the hosts file (located at C:\Windows\System32\drivers\etc) on the local machine maps the correct IP to the FQDN (as shown in the certificate name). If no entry exists, it needs to be added:
192.168.1.34 domain.name # <-- FQDN as shown in the certificate
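The certificate checks and the FQDN requirement above can be exercised from PowerShell with System.DirectoryServices.Protocols, which accepts a certificate callback and therefore shows why the handshake was rejected instead of only "The server is not operational". This is an added example, not part of the answer; the FQDN adlds01.nfa.local is an assumption standing in for the real AD LDS host name (it must match the certificate's subject or SAN), the bind DN is the one from the question, and the password is prompted for rather than embedded.

```powershell
# Added example, not from the original post. Assumptions: the AD LDS host is
# adlds01.nfa.local (must match the certificate's subject or SAN), LDAPS on 636,
# bind DN from the question; the password is prompted for.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Server = 'adlds01.nfa.local'
$BindDn = 'CN=ldapadmin,DC=nfa,DC=local'
$Cred   = Get-Credential -UserName $BindDn -Message 'AD LDS simple-bind password'

# 1. Plain TCP first: rules out DNS/hosts-file and firewall problems before TLS.
if (-not (Test-NetConnection -ComputerName $Server -Port 636 -InformationLevel Quiet)) {
    throw "TCP 636 to $Server is unreachable: check that $Server resolves (DNS or hosts file) and the firewall."
}

# 2. LDAPS simple bind, equivalent to AuthenticationTypes.SecureSocketsLayer in the
#    question, but with an explicit certificate callback that reports what failed.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636, $true, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $Cred.Password)

$conn.SessionOptions.VerifyServerCertificate = {
    param($Connection, $Certificate)
    $c2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Certificate)
    $cn = $c2.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    Write-Host "Server cert: Subject='$($c2.Subject)' Issuer='$($c2.Issuer)' NotAfter=$($c2.NotAfter)"

    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), as required of an LDAPS certificate.
    $ekuOk = [bool]($c2.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.1')

    # Chain to a trusted root: the certmgr "Trusted Root Certification Authorities" check.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($c2)
    if (-not $chainOk) {
        Write-Host "Chain errors: $(($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')"
    }

    # Name match: the check an IP-based path (LDAP://2.2.2.2:636/...) cannot pass,
    # because the certificate names the FQDN, not the address.
    $names  = @($cn) + @($c2.DnsNameList | ForEach-Object Unicode)
    $nameOk = $names -icontains $Server
    if (-not $nameOk) {
        Write-Host "Name mismatch: connected to '$Server', certificate names: $($names -join ', ')"
    }

    return ($ekuOk -and $chainOk -and $nameOk)
}.GetNewClosure()

try {
    $conn.Bind()
    Write-Host "Simple bind as $BindDn over LDAPS to $Server succeeded."
} catch {
    # "The LDAP server is unavailable" here means the TLS handshake or the callback
    # rejected the server, not that the DN or password is wrong (that gives "invalid credentials").
    Write-Host "Bind failed: $($_.Exception.InnerException.Message)"
}
```

Run it once against the FQDN and once with $Server set to the IP address: the second run fails in the name-match branch, which is the same mismatch the DirectoryEntry code in the question hits silently.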
