none
Missing Account NT Virtual machine\Virtual Machines after Planned Fail Over

    Question

  • I have a two Host servers (2012r2) ONYX, SmartGateway.  Onyx hosted a "MAIL" as a VM which replicated to SmarterGateway.  During our planned downtime over the weekend I did a "Planned Failover" from ONYX to SmarterGateway.  Afterwards I reversed the replication.  I failed to notice that replication did not work.  Today when thinking about the setup I removed the replication and pointed it towards our offsite replication Host across campus (same subnet) and discovered that it would not replicate.  Would not checkpoint either.  Googled errors.  Turns out permissions are screwed.  Read all of those.  HOW DO I ADD the Special user group NT VIRTUAL MACHINE\Virtual Machines.  Yes the local group policy is defined to allow it to Log On as a Service.  There is not a Domain Group Policy defined.  Nothing seems to let me fix this.  This is our production email server.  I really can't just turn it off and uninstall Hyper-V, reboot, reinstall and then add the Virtual Machine back.  Is there any way to fix this short of another couple hours of downtime?  Also note, the VM is running and doing it's job.  Scared of what will happen if I have to restart it or shut it down.

    • Edited by American Lenders Tuesday, February 07, 2017 3:57 AM Added information
    Tuesday, February 07, 2017 3:55 AM

Answers

  • Power outage at lunch caused the server to crash.  So I did the fell deed.  Shut down the VM, uninstall Hyper-V Roles and Features, rebooted, reinstalled Hyper-V, added a new VM with the same name and the original VM's virtual drive.  Up and running.  Really wish there was a tool that allowed you to work with the GROUP\User and their ACL's both in terms of creation and in terms of editing.  
    Thursday, February 09, 2017 2:17 PM

All replies

  • Hi,

    >>discovered that it would not replicate.  Would not checkpoint either.  Googled errors.

    What errors did you get?

    >>There is not a Domain Group Policy defined.

    Run gpresult /r and check if there is Group Policy applied. And you could also see if the local policy is applied through the output.

    Best Regards,

    Leo


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 07, 2017 8:10 AM
    Moderator
  • I think I did not communicate well.  Here are the listed Events.  Each of them is clearly referencing the missing special windows group and account "NT VIRTUAL MACHINE\Virtual Machines"  No Domain policy is defined for this.  Per this artcle TechNet Blog I edited the Domain Policy on the Host Onyx and added a defined policy, ran the back up, edited the GptTmpl.ini, added the well known SID for the missing group *S-1-5-83-0 and then reimported the policy with that change. Checked to see that it now shows the missing Group\User.  Ran GPUPDATE /force.  All Good.  Still No Group.  No User.  As this is a working production email server I am somewhat limited in what I can do.  I have gone so far as to use NET commands to add the local group and user but after testing it did not make any changes.   Kind of at a loss for what to do next.   My next best guess is a 3am shutdown.  Delete the VM in HyperV Manager.  Uninstall HyperV roles. Reboot.  Reinstall HyperV and then make a new VM with the HyperV hard drive.  Is there something else to try? 

    Tuesday, February 07, 2017 3:51 PM
  • Hi,

    When you modified the policy, have you checked if it is applied through the command gpresult /r?

    >>Is there something else to try? 

    I suppose reinstall is easier than troubleshooting.

    Best Regards,

    Leo


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, February 08, 2017 2:58 AM
    Moderator
  • PS C:\Users\Administrator.ALSCONETXXX> gpresult /r

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    © 2013 Microsoft Corporation. All rights reserved.

    Created on 2/8/2017 at 10:33:14 AM


    RSOP data for ALSCONETXXX\Administrator on SMARTERGATEWAY : Logging Mode
    --------------------------------------------------------------------------

    OS Configuration:            Member Server
    OS Version:                  6.3.9600
    Site Name:                   Default-First-Site-Name
    Roaming Profile:             N/A
    Local Profile:               C:\Users\Administrator.ALSCOXXX
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=SMARTERGATEWAY,OU=Servers,DC=alscoXXX,DC=com
        Last time Group Policy was applied: 2/8/2017 at 9:58:29 AM
        Group Policy was applied from:      NDC2.alscoXXX.com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        ALSCOXXX
        Domain Type:                        Windows 2008 or later

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
            Local Group Policy

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            SQLServerMSSQLServerADHelperUser$SMARTERGATEWAY
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            smartergateway$
            Domain Computers
            Authentication authority asserted identity
            System Mandatory Level


    USER SETTINGS
    --------------
        CN=Administrator,CN=Users,DC=alscoXXX,DC=com
        Last time Group Policy was applied: 2/8/2017 at 10:32:53 AM
        Group Policy was applied from:      NDC1.alscoXXX.com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        ALSCOXXX
        Domain Type:                        Windows 2008 or later

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Users
            BUILTIN\Administrators
            REMOTE INTERACTIVE LOGON
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            Group Policy Creator Owners
            Domain Admins
            Enterprise Admins
            Schema Admins
            Authentication authority asserted identity
            Denied RODC Password Replication Group
            High Mandatory Level

    There is the output of GPRESULT /R

    Again not sure what this accomplishes when the Original special windows group and user NT VIRTUAL MACHINE\Virtual Machines does NOT exist on the host.  The SID User for the VM that I need to change does not exist either. So I am not sure how manipulating the GPO is going to fix this.

    Wednesday, February 08, 2017 4:37 PM
  • Hi,

    Well, I suppose you may try reinstallation.

    And welcome to share the information if you got any updates on the issue. 

    Best Regards,

    Leo


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 09, 2017 6:20 AM
    Moderator
  • Power outage at lunch caused the server to crash.  So I did the fell deed.  Shut down the VM, uninstall Hyper-V Roles and Features, rebooted, reinstalled Hyper-V, added a new VM with the same name and the original VM's virtual drive.  Up and running.  Really wish there was a tool that allowed you to work with the GROUP\User and their ACL's both in terms of creation and in terms of editing.  
    Thursday, February 09, 2017 2:17 PM