How to identify FSMO Roles owner

This topic is not new to administrators. I just wondered whether I could somehow simplify that task, and I realized that it would be possible.

I’m learning C# with .NET, so I decided to try creating a simple application (of course with a GUI) that does the job itself without an administrator’s involvement.

So, you can download the simple application I wrote in C# with the .NET Framework and execute it on any domain member workstation or server; it does not have to be a Domain Controller (but it may be). The results appear on the screen.

The only requirement is that the appropriate version of the .NET Framework is installed on the machine from which the application is executed.

To simplify the entire process, I have compiled the application for both .NET 3.5 and .NET 4.5.

Both builds are identical; the only difference is that one targets .NET 3.5 and the other .NET 4.5.

You can use the .NET 3.5 build on Windows Vista/7/2008/2008R2 and the .NET 4.5 build on Windows 8/8.1/10/2012/2012R2/2016, as those .NET versions are the defaults on those systems.

Of course, you can always use the existing methods: command-line utilities, PowerShell, or the Microsoft GUI consoles. The first two require some knowledge of command and cmdlet syntax, and the last one needs a couple of consoles to check all the roles.

My application is nothing new, but it helps a little. Just execute it and the results appear on the screen, that’s all.

Get FSMO Roles GUI

When you click on any of the server names in the application’s window, the server’s name is copied to the clipboard

Get FSMO GUI copy role owner name

and you can paste it, for example, into your documentation.

Copied FSMO Roles owner

So, let the app do the job for you. Download it and execute it within a domain, from any supported operating system with the appropriate .NET Framework installed.

  • Get FSMO GUI application for .NET 3.5
    (MD5 checksum: dcda3cca863320077b05f71a2dea4cc1)
    (SHA-1 checksum: 74e07d284e670a142bf0a02de8a7daeb975dbf0f)
    (SHA-256 checksum: 55083852d36a8c5839f74a2ef8b91e18d2db327779d76b717ef9210679a20826)
  • Get FSMO GUI application for .NET 4.5
    (MD5 checksum: 2618e57525f60b98a2ce30da1776e272)
    (SHA-1 checksum: 023c7e0c77007ae746e6c8de0d1e7f30f97daf1d)
    (SHA-256 checksum: f23280ea26917c7005114d7a106f479808b377bd14179407ddfc22ce18cb410c)

I hope it would be useful for you.
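As an added example (not the author’s application and not its source), the same role owners can be read from PowerShell on any domain-joined machine without RSAT, using the .NET System.DirectoryServices.ActiveDirectory classes; a second helper checks a downloaded build against the SHA-256 checksum published above before it is run. The file path is a placeholder.

```powershell
# Added example: query FSMO role owners from any domain member without RSAT,
# through the .NET System.DirectoryServices.ActiveDirectory classes.
# Assumption: the machine is domain-joined and the current user can read the directory.
Add-Type -AssemblyName System.DirectoryServices

function Get-FsmoRoleOwner {
    [CmdletBinding()]
    param()

    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    # Forest-wide roles hang off the Forest object, domain roles off the Domain object.
    [PSCustomObject]@{
        Forest               = $forest.Name
        Domain               = $domain.Name
        SchemaMaster         = $forest.SchemaRoleOwner.Name
        DomainNamingMaster   = $forest.NamingRoleOwner.Name
        PDCEmulator          = $domain.PdcRoleOwner.Name
        RIDMaster            = $domain.RidRoleOwner.Name
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
    }
}

# Verify a downloaded build against the published SHA-256 checksum before executing it.
function Test-DownloadHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    # Get-FileHash returns upper-case hex; compare case-insensitively.
    return ($actual -ieq $ExpectedSha256)
}

# Usage (path is a placeholder; the checksum is the one published for the .NET 4.5 build):
# Test-DownloadHash -Path 'C:\Downloads\GetFSMO-net45.exe' `
#     -ExpectedSha256 'f23280ea26917c7005114d7a106f479808b377bd14179407ddfc22ce18cb410c'
Get-FsmoRoleOwner | Format-List
```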

Author: Krzysztof Pytko

Configuring a forest root domain on Windows Server 2016

You may have heard that the new Microsoft Windows Server 2016 has been released. You can download this Windows version for free from the Microsoft TechNet Evaluation Center at this link

The Domain Controller promotion process has not changed since Windows Server 2012/2012R2, and it is still not possible to do it with the dcpromo utility. First, you need to install the Active Directory Domain Services role from the Server Manager console.

But before you do that, let’s see what information you need before promoting a DC.

  • Company name – helpful in choosing the forest/domain name
  • Network configuration – the valid IP address range for the company and the router’s IP (default gateway)
  • ISP DNS servers or any public DNS servers, so that Internet resources can be reached from the company network
  • Services we need to run – what additional services are required to fulfil the company’s requirements

Let’s start collecting them all.

  • Company name – Test Environment
  • Network configuration – IP addresses range 192.168.1.0/24; the first available IP address is a router (default gateway)
  • Public DNS servers – 8.8.4.4 and 8.8.8.8 (Google public DNS servers)
  • Services – Active Directory: Directory Services, DNS server(s)

Now you can install your first Windows Server 2016 and configure it. After that you will be able to promote this server to a Domain Controller.

When your server is installed, log on with the local administrator account and start preparing it.

Open Server Manager (or wait a moment, because it starts by default), set a static IP address for your server (in this case 192.168.1.10 with the 255.255.255.0 network mask), configure the time zone and change the server name according to your company’s naming convention.

You may also set up other options there, such as NIC teaming, remote management and remote access.

The DNS setting is a very important part of the network configuration before promoting the server to a Domain Controller. As the preferred DNS server, type 127.0.0.1 (the loopback interface) or the server’s own IP address, 192.168.1.10, so that the server points to itself for DNS.

To configure the network parameters, click on the “Local Server” node on the left side of Server Manager

Local server configuration

and then click on “Ethernet” to configure these settings

Network card configuration

You will see “Network connections”, where your network card is listed

Network card

Edit its properties and set the required IP information in the IPv4 section

IPv4 settings

Under its properties, enter a valid IP address, network mask, default gateway and DNS server IP address

IPv4 settings

Now let’s configure the server name and reboot it so that the Domain Controller promotion can start. To change the server name, click on the “Computer name” section and provide the appropriate name

Server name change

Apply the changes and reboot the server. When your server is up and running again, you can start the promotion process.

Install the Active Directory Domain Services role and then follow the post-install steps, which promote the server to a Domain Controller. To do that, open Server Manager and go to “Add roles and features” on the Dashboard screen

Adding roles

You will see a wizard that guides you through the role installation process. Go forward, keeping the default options, to the role selection screen and choose the “Active Directory Domain Services” role. Confirm all dependent roles/features to be installed with the AD DS role

Active Directory Domain Services role installation

Also confirm the features that will be installed with the selected role

AD:DS role installation

Go “Next” to the installation summary screen and click “Install”

Roles and features installation

and wait until the Active Directory Domain Services role is installed

Role installation

When the role is installed, you will see a yellow exclamation mark in the notification area

Post-installation steps

That means there are additional steps to do after the role installation. Click on that field and you will see what to do next

Post-installation steps

Click on “Promote this server to a domain controller” and the promotion wizard will be displayed.

It is similar to the previous DCPROMO wizard on older OS versions. The promotion process is much simpler than before and requires fewer steps to finish.

In your case you are configuring a new forest root domain, so you need to choose the “Add a new forest” option and specify the DNS domain name for this new forest. As mentioned before, in this example you will use testenv.local as the DNS domain name

Domain Controller promotion

On the next screen, you need to specify the Domain and Forest Functional Levels.

When you are configuring a new forest root domain you cannot set the Windows Server 2003 Domain or Forest Functional Level. The lowest possible mode is Windows Server 2008. Keep that in mind when planning a new infrastructure, because Windows Server 2003 Domain Controllers are no longer supported in this scenario now that Windows Server 2003 support has ended.

Information! Currently, the highest possible Domain and Forest Functional Level is Windows Server 2012R2! It looks like the Technical Preview version is not ready for new levels, or they are not yet stable enough to be implemented.

For more details about raising domain and forest functional levels, please check the other articles on my blog:

Important! Once you set the Domain/Forest Functional Level it cannot be changed to a lower mode, so be careful when you choose them. If you are not sure which functional level is adequate for you, choose the lower one. You can always raise it later without any business continuity disruption.

Define whether this server will have the DNS role installed and whether it will be a Global Catalog. As this is the first Domain Controller, all these roles must be installed.

Specify the Directory Services Restore Mode (DSRM) password, which at this stage will also be used for the domain administrator account

Domain Controller promotion

As this is the first Domain Controller and the forest root domain, do not worry about DNS delegation and go to the next step

Domain Controller promotion

After specifying the DNS domain name, you also need to type the NetBIOS domain name. By default, the wizard suggests the first part of the DNS domain name. If you have no reason to use a different NetBIOS name, I would suggest leaving it, because after changing this name you will have an issue with Active Directory Administrative Center, which does not recognize a changed NetBIOS domain name (it uses the first part of the DNS domain name).

Domain Controller promotion

Specify the location of the AD database and SYSVOL. You may leave the defaults or move them to a dedicated drive

Domain Controller promotion

You will see a summary screen with all the details before installation. As in Windows Server 2012, everything done from Server Manager is translated into PowerShell and executed in the background, so you may click on “View script” to see what will be done to install and configure the Domain Controller

PowerShell script for Domain Controller promotion

When you are ready, click “Next” to go to the final screen, where the script is executed in the background

Domain Controller promotion

If all prerequisites pass, you can start the installation

Domain Controller promotion

Wait a while and the server will be rebooted. After the reboot, your server will be a Domain Controller.

Congratulations! Your Domain Controller for the forest root domain is ready! You can log on to it using the password specified during the server preparation process (the same password as for the local Administrator, or probably the same as for Directory Services Restore Mode 🙂 )

Domain Controller desktop

Log on to your new Domain Controller using the domain administrator credentials.

We have to configure the DNS server to send unresolved DNS queries to the ISP DNS server(s) or any other public DNS server(s). This configuration is necessary to be able to access Internet resources from the internal network.

If you do not have the public DNS server(s) IP addresses, or you do not want to define them, do not put anything under the “Forwarders” tab; by default, “Root hints” will be used. In that case, skip the few steps below.

Open the DNS management console from Tools in Server Manager and select the server name.

DNS forwarders configuration

In the right pane, at the bottom of that window, double click on Forwarders

DNS forwarders configuration

When the Forwarders window appears, click on the “Edit” button to enter the public DNS servers for Internet access

DNS forwarders configuration

You should see a window where you can enter the ISP or public DNS servers. Add them to the list. In this case we will use the Google public DNS servers (8.8.4.4 and 8.8.8.8). Wait until they are validated and close the console

DNS forwarders configuration

After all that, you should consider Domain Controller and DNS server redundancy in your network by placing an additional server with these roles. Another very important part is performing a System State backup of the Domain Controllers regularly.

If you lack hardware resources in your network, you can consider placing the DHCP server on this Domain Controller. However, it is not recommended to install additional roles on DCs, for security reasons and because of rights delegation scenarios.
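The whole walkthrough above, from network preparation to DNS forwarders, done from an elevated PowerShell session with the article’s values. This is an added example, not the script the wizard generates under “View script”; it assumes the NIC is called “Ethernet”, that the router is 192.168.1.1 (the first address in 192.168.1.0/24) and uses DC01 as a placeholder server name.

```powershell
# Added example (not the article's generated script): preparation and promotion of the
# first Domain Controller of a new forest, using the values from the walkthrough above.
# Assumptions: NIC alias "Ethernet", gateway 192.168.1.1, placeholder host name DC01.

# 1. Network preparation: static IP, gateway, and DNS pointing at the server itself.
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress 192.168.1.10 -PrefixLength 24 `
    -DefaultGateway 192.168.1.1
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 127.0.0.1

# 2. Server name; the reboot is required before promotion.
Rename-Computer -NewName 'DC01' -Restart

# --- after the reboot, continue here ---

# 3. Install the AD DS role with its management tools (the "Add roles and features" wizard).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 4. Promote to the first DC of a new forest. The DSRM password is prompted for, so it never
#    sits in the script in clear text. Win2012R2 is the highest level the article could
#    select; DNS delegation is skipped because this is the forest root.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
Import-Module ADDSDeployment

# Test-ADDSForestInstallation runs the same prerequisite checks as the wizard's last page.
Test-ADDSForestInstallation -DomainName 'testenv.local' -DomainNetbiosName 'TESTENV' `
    -ForestMode Win2012R2 -DomainMode Win2012R2 -InstallDns -CreateDnsDelegation:$false `
    -SafeModeAdministratorPassword $dsrm

Install-ADDSForest -DomainName 'testenv.local' -DomainNetbiosName 'TESTENV' `
    -ForestMode Win2012R2 -DomainMode Win2012R2 `
    -InstallDns -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm -Force
# The server reboots on its own when promotion completes.

# 5. After the reboot, as the domain administrator: forward unresolved queries to public DNS.
#    Root hints are used when no forwarder is configured, so this step is optional.
Add-DnsServerForwarder -IPAddress 8.8.4.4, 8.8.8.8 -PassThru
Get-DnsServerForwarder
```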

Author: Krzysztof Pytko

Be Wary of your Network Events Activities – Audit Active Directory for Enhanced Security

The role of auditing network events/activities in maintaining a secure IT environment

If you’re an IT administrator, you probably already know that most security breaches occur because of insider abuse/misuse and the total number of breaches is increasing exponentially each year. The majority of organisations house sensitive data somewhere on their system that, if exposed, could be costly and damaging to the reputation of the business.

Thankfully, Windows comes pre-packed with numerous auditing capabilities that can be used to track events or activities within the network. In this blog, we will discuss the nine audit settings that you can configure through the Windows operating system that will allow you to better monitor your Active Directory environment.

1. Audit Account Logon Events

When active, this audit setting records each time your computer validates the credentials of user accounts, provided the computer has the authority to generate account logon events.

Audit account logon events Properties

There are only two audit options that are available – successful attempts and failed attempts. You can check either one or both options (or neither if you require no auditing) as per your Active Directory monitoring requirements. In the above image, we have checked the “success” option.

After configuring this setting, you can view successful audit events in the audit log generated in the Event Viewer. All you need to do is navigate to the Windows Logs -> Security in the left panel and all the audit success events will be shown in the right panel. Click on a particular event to get detailed information in the lower right section of the window.

Refer to the highlighted portion in the below image for reference.

Event viewer console

2. Audit Account Management

Configuring this audit setting enables you to audit user account management and get details on the following:

  • User accounts or groups that are created, changed, or deleted
  • User accounts that are renamed, disabled or enabled
  • User accounts where the password has been set or changed

Audit account management Properties

3. Audit Directory Service Access

This audit setting determines whether the operating system audits users or user accounts attempting to access objects in Active Directory. The only objects that can be audited are those for which a SACL (System Access Control List) has been specified and where the requested access type, such as “Write”, “Read” or “Modify”, matches the settings configured in the SACL.

4. Audit Logon Events

This setting enables users to audit every instance of a user attempting to log in and out of the system.

5. Audit Object Access

The “Audit Object Access” setting enables auditing of user attempts to access objects that are not present in the Active Directory; such as files, emails, Exchange groups or SharePoint items. However, the system will only generate audits for those objects specified in the System Access Control List.

6. Audit Policy Change

Configuring this setting enables users to audit each instance of users attempting to modify critical policies – including trust policy, account policy, audit policy and the user rights assignment policy.

7. Audit Privilege Use

This audit setting is configured to monitor the levels of permissions and rights that each user has to perform specific tasks. Defining this policy setting not only helps track the actions of privileged users but also facilitates in ensuring they don’t misuse the rights granted to them. If you wish to generate an audit entry when a user succeeds in exercising the right or permission assigned to him/her, check the “Success” option. To generate audit entries where the exercise of a user right fails, select the “Failure” option.

8. Audit Process Tracking

Configuring this security setting tracks process-related activities, including process creation, handle duplication, process termination and objects that have been accessed indirectly.

9. Audit System Events

“Audit System Events” records users who attempt to start up or shut down the security system, try to change the system time, or load extensible authentication components for personal benefit or other malicious purposes.

Defining this security policy allows you to keep track of the loss of audited events that have occurred due to the auditing system failure. It also shows you whether the security log size has exceeded the configured warning threshold level.
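The nine categories above can be set and read back without opening the policy editor or Event Viewer. The following is an added example (not part of the original post): it drives auditpol.exe for the legacy top-level categories and then pulls the resulting Security-log events with Get-WinEvent; the event IDs are Microsoft’s documented Security IDs, not values from the post. It assumes an elevated session on a machine whose audit policy is not overridden by a GPO.

```powershell
# Added example: configure the legacy audit categories discussed above and read back the
# events they generate. Assumption: elevated session, no GPO overriding local audit policy.

# Category names exactly as auditpol.exe expects them.
$Categories = @(
    'Account Logon', 'Account Management', 'DS Access', 'Logon/Logoff',
    'Object Access', 'Policy Change', 'Privilege Use', 'Detailed Tracking', 'System'
)

function Set-LegacyAuditCategory {
    param(
        [Parameter(Mandatory)] [ValidateSet('Account Logon','Account Management','DS Access',
            'Logon/Logoff','Object Access','Policy Change','Privilege Use','Detailed Tracking','System')]
        [string] $Category,
        [switch] $Success,
        [switch] $Failure
    )
    $s = if ($Success) { 'enable' } else { 'disable' }
    $f = if ($Failure) { 'enable' } else { 'disable' }
    # auditpol is the supported command-line way to change audit policy.
    & auditpol.exe /set /category:"$Category" /success:$s /failure:$f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for category '$Category'" }
}

function Get-LegacyAuditPolicy {
    # /r emits CSV; filter out any blank lines before parsing.
    foreach ($c in $Categories) {
        & auditpol.exe /get /category:"$c" /r |
            Where-Object { $_ -match ',' } |
            ConvertFrom-Csv |
            Select-Object Subcategory, 'Inclusion Setting'
    }
}

# Security event IDs (Vista/2008+ numbering) produced by the categories used most often.
$EventMap = @{
    'Account Logon'      = 4768, 4771, 4776          # TGT requested, Kerberos pre-auth failed, NTLM validation
    'Account Management' = 4720, 4722, 4724, 4725,   # user created, enabled, password reset, disabled
                           4726, 4738, 4740, 4781    # deleted, changed, locked out, renamed
    'Logon/Logoff'       = 4624, 4625, 4634          # logon success, logon failure, logoff
    'Policy Change'      = 4719                      # system audit policy was changed
}

function Get-RecentAuditEvent {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Account Logon','Account Management','Logon/Logoff','Policy Change')]
        [string] $Category,
        [int] $Hours = 24,
        [int] $MaxEvents = 50
    )
    # "Windows Logs -> Security" in Event Viewer is the 'Security' log for Get-WinEvent.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = $EventMap[$Category]
        StartTime = (Get-Date).AddHours(-$Hours)
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Example usage: success and failure for the logon-related categories, success only for the rest.
# Set-LegacyAuditCategory -Category 'Account Logon'      -Success -Failure
# Set-LegacyAuditCategory -Category 'Logon/Logoff'       -Success -Failure
# Set-LegacyAuditCategory -Category 'Account Management' -Success
# Get-LegacyAuditPolicy
# Get-RecentAuditEvent -Category 'Logon/Logoff' -Hours 1
```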

The Alternative

Enabling all these settings and keeping track of them can be quite a laborious and time consuming task. Often, administrators seek the help of third-party solutions to automate the auditing and monitoring of their critical IT systems. LepideAuditor for Active Directory tracks changes across Active Directory and sends real-time alerts and notifications straight to the inbox and generates detailed reports with just a single click.

How to install server GUI on Windows Server 2016 from PowerShell

As you probably know, Microsoft Windows Server 2016 Technical Preview 3 has been released and you can get it from the Microsoft TechNet Evaluation Center for free.

You can install the server system with or without a GUI; you have two choices:

  • install the core edition (Windows Server 2016 Technical Preview 3)
  • install the server with a GUI (Windows Server 2016 Technical Preview 3 – Server with Desktop Experience)

Windows Server 2016 installation type

If you choose the second installation option, that’s all. After the OS installation you get the Windows Server desktop with the complete GUI.

What if you decided to install the core edition and after some time you no longer want to use it? There is an option to use PowerShell and install the missing features to get a full server with a GUI. This time, with Windows Server 2016, it is not as simple as it was in Windows Server 2012/2012R2.

When you try to install the missing features from the PowerShell console and your server has no access to the Internet, the installation fails!

This happens because, from Windows Server 2016 on, the GUI features are removed from the installation image and you cannot simply turn them on or off in the core edition.

Open the PowerShell console and search for the feature names to install

Get-WindowsFeature -Name *GUI*

Get-WindowsFeature PowerShell cmdlet

In the “Install state” column you will see that the features’ state is “Removed”.

If you simply try to install these features and your server has no access to the Internet, or the installation source is not defined by Group Policy, the operation fails. It is highly likely that your server has no access to the Internet, and if this is your first Windows Server 2016 installation you probably do not have a central location where shared components for this system are available.

If your server has access to the Internet, simply type this in the PowerShell console and wait a couple of minutes

Install-WindowsFeature -Name Server-Gui-Shell,Server-Gui-Mgmt-Infra

Install-WindowsFeature PowerShell cmdlet

but if you have no access to the Internet, you will see an error like this in the console

Error during Windows feature installation

Then you have to use your installation media to install the server GUI features successfully. Before you can do that, you need to identify the appropriate index of the Windows Server 2016 edition from which you want to install the features. They are only available in the full editions, so you need to skip the indexes of the core editions in the list. To get information about the editions available in the install.wim installation file, use the PowerShell cmdlet below

Get-WindowsImage -ImagePath d:\sources\install.wim

where d:\ is the drive letter of your installation media

install.wim Windows Server 2016 editions and their index

Check the index number of the Standard or Datacenter edition and remember it. As you can see in the screen above, the appropriate image index is 2 or 4.

In these images all the required features are available, and they can be used as the installation source.

To install a feature from a non-default location, you need to specify the -Source switch of the Install-WindowsFeature cmdlet. The switch requires the following syntax

InstallationProvider:WIMFileLocation:ImageIndex

wim:d:\sources\install.wim:2

or

wim:d:\sources\install.wim:4

The full installation syntax is shown below

Install-WindowsFeature -Name Server-Gui-Shell,Server-Gui-Mgmt-Infra -Source wim:d:\sources\install.wim:2

Install-WindowsFeature cmdlet with -Source switch

and now your installation should succeed even if your server has no access to the Internet

Windows feature installation progress

After some time you will be prompted to reboot the server to apply the changes

Prompt for server restart

Use the PowerShell cmdlet to restart the server and wait a couple of minutes for the changes to apply

Restart-Computer

Restarting server

While the server is booting you should see the feature configuration on the screen

Feature configuration at server’s startup

When it is done, you should see the logon screen

Log in into Windows Server 2016

Provide the appropriate credentials and check whether you can see the desktop

Server GUI in Windows Server 2016

If you can see the START tile and the other desktop features, congratulations! Everything is configured properly. You can now do whatever you want with your server.

Author: Krzysztof Pytko
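The index lookup and -Source installation above can be automated so the right full edition is chosen without reading the index off the screen. This is an added example, not code from the article; it assumes the media is mounted as D:\ as in the walkthrough, and relies on full editions being labelled “Desktop Experience” in the image name, which the screenshots show for Technical Preview 3.

```powershell
# Added example (not from the article): pick a full (Desktop Experience) image index from
# install.wim and feed it to Install-WindowsFeature -Source, so the GUI features install
# without Internet access. Assumption: media mounted as D:\ as in the article.

function Get-DesktopExperienceImage {
    param([Parameter(Mandatory)] [string] $WimPath)
    # Get-WindowsImage lists every edition in the WIM with its index and name. Core editions
    # carry no GUI payload and lack the "Desktop Experience" label, so they are skipped.
    $images = Get-WindowsImage -ImagePath $WimPath |
        Where-Object { $_.ImageName -match 'Desktop Experience' }
    if (-not $images) { throw "No Desktop Experience edition found in $WimPath" }
    return $images
}

function Install-ServerGuiFromMedia {
    param(
        [string] $WimPath = 'D:\sources\install.wim',
        # Optional: force a specific index (e.g. 2 or 4 from the article's screenshot).
        [int] $ImageIndex = 0,
        [switch] $Restart
    )
    if ($ImageIndex -eq 0) {
        $image = Get-DesktopExperienceImage -WimPath $WimPath | Select-Object -First 1
        $ImageIndex = $image.ImageIndex
        Write-Host "Using '$($image.ImageName)' (index $ImageIndex) as the feature source"
    }

    # -Source syntax from the article: wim:<path to install.wim>:<image index>
    $source = 'wim:{0}:{1}' -f $WimPath, $ImageIndex

    $result = Install-WindowsFeature -Name Server-Gui-Shell, Server-Gui-Mgmt-Infra -Source $source
    if (-not $result.Success) {
        throw "Feature installation failed (exit code $($result.ExitCode)); check the source path and index"
    }

    # Confirm the install state moved from Removed before rebooting.
    Get-WindowsFeature -Name Server-Gui-Shell, Server-Gui-Mgmt-Infra |
        Select-Object Name, InstallState | Format-Table -AutoSize

    if ($Restart -and $result.RestartNeeded -eq 'Yes') { Restart-Computer -Force }
    return $result
}

# Usage: Install-ServerGuiFromMedia -Restart
#        Install-ServerGuiFromMedia -ImageIndex 4 -Restart
```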

Manual Active Directory schema extension with Windows Server 2012/2012R2 adprep

When you have Windows Server 2003 or Windows Server 2008 32-bit Domain Controllers, it seems that you cannot simply extend the schema manually with the Windows Server 2012/2012R2 adprep utility, especially if you do not need to promote a new Windows Server 2012/2012R2 Domain Controller.

Previous Windows Server versions like:

  • Windows Server 2003
  • Windows Server 2008

contained only a 32-bit adprep utility.

In Windows Server 2008R2 there were two adprep versions:

  • adprep32.exe for 32-bit operating systems
  • adprep.exe for 64-bit operating systems

Since Windows Server 2012 only a 64-bit adprep version is available; there is no longer a 32-bit tool to extend the schema. With this Windows version a new feature called transparent adprep was introduced. It allows the Active Directory promotion wizard to extend the schema and prepare the Infrastructure Master automatically, if it is run with the appropriate credentials:

  • Enterprise Admin or Schema Admin to extend the schema
  • Enterprise or Domain Administrator to prepare the Infrastructure Master

But what if you have 32-bit Domain Controllers in your environment and you wish to extend the schema without implementing a Windows Server 2012/2012R2 DC?

You cannot execute the adprep tool on a 32-bit OS directly, because you will get an error message

Adprep error message on 32bit OS

But the new adprep released with Windows Server 2012 supports new switches, so it can be executed remotely from any 64-bit OS.

To check them, mount the DVD media or ISO file on any 64-bit machine in your domain environment. In this example a Windows 7 Enterprise 64-bit workstation joined to the domain is used.

Go to the X:\Support\ADPREP folder, where X: is your DVD drive letter. In this example the Windows Server 2012R2 adprep is used in an environment where only a Windows Server 2003 32-bit Domain Controller is available.

d:
cd support\adprep
adprep.exe /?

New adprep help

Adprep switches

As you can see, there are a lot of new switches, but they will not be discussed here. You can now simply start extending the schema. Open an elevated command prompt and type

adprep.exe /forestprep /user <EnterpriseOrSchemaAdmin> /userdomain <ForestRootDNSDomainName> /password *

for example:

adprep.exe /forestprep /user administrator /userdomain testenv.local /password *

adprep syntax

Instead of /password * you can simply put the account’s password, but it might be seen by others, so it is better to leave the * because you will then be prompted for the password.

Type the password (it will not be shown on the screen) and press Enter to start the action

adprep password input

adprep will start the extension procedure

Schema extension start

Just wait a couple of minutes for the schema extension to complete

Schema extension completed

and after all that, run ADSI Edit (adsiedit.msc) to verify whether the schema version has changed

ADSIEdit

Changed schema version

When you see version 69, the Windows Server 2012R2 schema has been applied!

The procedure above showed you how to do that for a single-forest, single-domain environment. What if you have multiple forests in your organization? How do you handle that scenario? Let’s see.

You need to add one more switch, /forest, to the adprep syntax and specify the forest in which you would like to extend the schema. Of course, you need to be a member of the Enterprise Admins or Schema Admins group in that forest to perform the action successfully.

adprep.exe /forestprep /forest <ForestDNSNameToApplySchema> /user <EnterpriseOrSchemaAdminForThatForest> /userdomain <ForestDomainDNSName> /password *
adprep.exe /forestprep /forest testenv.local /user administrator /userdomain testenv.local /password *

adprep for any forest

Just repeat the step above for every forest in which you need to extend the schema.

Everything was done on a workstation joined to the domain. There is also another possibility: all those steps are available on any 64-bit OS that is not joined to the domain.

In this case you need to make sure that the NIC is configured to point at a DNS server that is able to resolve the forest root domain name

64bit OS NIC configuration for DNS settings

Check that you can successfully ping the forest DNS name and, of course, that the Schema Master server is reachable from this network

ping <ForestDNSName>
ping testenv.local

Pinging forest DNS name

and use adprep as shown for other forests, with the /forest switch

That’s all! I hope it helps you if you need to extend the schema manually with 32-bit Domain Controllers.
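The verification the article does in ADSI Edit (and the ping check for the non-joined case) can be scripted so you record the schema version before adprep and confirm the new value afterwards, for every forest. This is an added example, not part of the article; it uses the .NET DirectoryEntry class over LDAP, so it works from any 64-bit Windows machine, joined or not, as long as the forest name resolves. The objectVersion-to-release map is Microsoft’s published schema versioning (69 = Windows Server 2012 R2, as the article shows); testenv.local is the article’s example forest.

```powershell
# Added example (not from the article): read a forest's schema objectVersion and Schema
# Master over LDAP, before and after adprep /forestprep. Assumptions: the forest DNS name
# resolves from this machine and the account used may read the Schema container.
Add-Type -AssemblyName System.DirectoryServices

# objectVersion values published by Microsoft for each Windows Server schema.
$SchemaVersionMap = @{
    30 = 'Windows Server 2003';   31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008';   47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012';   69 = 'Windows Server 2012 R2'
    87 = 'Windows Server 2016';   88 = 'Windows Server 2019/2022'
}

function New-LdapEntry {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [System.Management.Automation.PSCredential] $Credential
    )
    # Explicit credentials are needed from a machine that is not joined to the forest.
    if ($Credential) {
        New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $Path,
            $Credential.UserName, $Credential.GetNetworkCredential().Password
    } else {
        New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $Path
    }
}

function Get-ForestSchemaVersion {
    param(
        [Parameter(Mandatory)] [string] $ForestDnsName,
        [System.Management.Automation.PSCredential] $Credential
    )
    # Same reachability check as the article's ping step, before touching LDAP.
    if (-not (Test-Connection -ComputerName $ForestDnsName -Count 1 -Quiet)) {
        throw "Cannot reach $ForestDnsName; check the NIC's DNS server setting"
    }

    # RootDSE tells us where the schema naming context lives for this forest.
    $rootDse  = New-LdapEntry -Path "LDAP://$ForestDnsName/RootDSE" -Credential $Credential
    $schemaNc = [string] $rootDse.Properties['schemaNamingContext'].Value
    $schema   = New-LdapEntry -Path "LDAP://$ForestDnsName/$schemaNc" -Credential $Credential

    $version = [int] $schema.Properties['objectVersion'].Value
    $level   = if ($SchemaVersionMap.ContainsKey($version)) { $SchemaVersionMap[$version] } else { 'unknown' }
    # fSMORoleOwner on the schema NC is the NTDS Settings DN of the Schema Master.
    $owner   = [string] $schema.Properties['fSMORoleOwner'].Value

    [PSCustomObject]@{
        Forest        = $ForestDnsName
        SchemaVersion = $version
        SchemaLevel   = $level
        SchemaMaster  = $owner
    }
}

# Usage: run once to record the baseline, and again after adprep to confirm version 69.
# Get-ForestSchemaVersion -ForestDnsName 'testenv.local'
# Get-ForestSchemaVersion -ForestDnsName 'testenv.local' -Credential (Get-Credential)
```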

Author: Krzysztof Pytko

Configuring a forest root domain on Windows Server Technical Preview

You may have heard that a new Microsoft Windows Server is being developed. Currently this Windows version is called Technical Preview and you can download it for free from the Microsoft TechNet Evaluation Center at this link

Now is a good time to start testing the new Windows Server version. Before the final edition, you can get familiar with the new features and test roles to be prepared for a future migration. This article describes forest root domain controller promotion on Windows Server Technical Preview.

The Domain Controller promotion process has not changed since Windows Server 2012/2012R2, and it is still not possible to do it with the dcpromo utility. First, you need to install the Active Directory Domain Services role from the Server Manager console.

But before you do that, let’s see what information you need before promoting a DC.

  • Company name – helpful in choosing the forest/domain name
  • Network configuration – the valid IP address range for the company and the router’s IP (default gateway)
  • ISP DNS servers or any public DNS servers, so that Internet resources can be reached from the company network
  • Services we need to run – what additional services are required to fulfil the company’s requirements

Let’s start collecting them all.

  • Company name – Test Environment
  • Network configuration – IP addresses range 192.168.1.0/24; the first available IP address is a router (default gateway)
  • Public DNS servers – 8.8.4.4 and 8.8.8.8 (Google public DNS servers)
  • Services – Active Directory: Directory Services, DNS server(s)

Now you can install your first Windows Server Technical Preview and configure it. After that you will be able to promote this server to a Domain Controller.

When your server is installed, log on with the local administrator account and start preparing it.

Open Server Manager (or wait a moment, because it starts by default), set a static IP address for your server (in this case 192.168.1.10 with the 255.255.255.0 network mask), configure the time zone and change the server name according to your company’s naming convention.

You may also set up other options there, such as NIC teaming, remote management and remote access.

The DNS setting is a very important part of the network configuration before promoting the server to a Domain Controller. As the preferred DNS server, type 127.0.0.1 (the loopback interface) or the server’s own IP address, 192.168.1.10, so that the server points to itself for DNS.

To configure the network parameters, click on the “Local Server” node on the left side of Server Manager

Local server basic configuration

and then click on “Ethernet” to configure these settings

Network card configuration

You will see “Network connections”, where your network card is listed

Network card

Edit its properties and set the required IP information in the IPv4 section

IPv4 settings edition

Under its properties, enter a valid IP address, network mask, default gateway and DNS server IP address

IPv4 settings

Now let’s configure the server name and reboot it so that the Domain Controller promotion can start. To change the server name, click on the “Computer name” section and provide the appropriate name

Server name change

Apply the changes and reboot the server. When your server is up and running again, you can start the promotion process.

Install Active Directory: Directory Services role and after all, follow post-install steps which promotes server to Domain Controller. To do that open Server Manager and go to “Add roles and features” on Dashboard screen

Adding roles

Adding roles

You will see a wizard which will guide you through role installation process. Go further up to a screen with roles selection using default options and choose “Active Directory Domain Services” role. Confirm all dependent roles/features to be installed with AD:DS role

Active Directory Domain Services role installation

Active Directory Domain Services role installation

confirm also features which will be installed with selected role

AD:DS role installation

Go “Next” to the screen with the installation summary and click “Install”

Roles and features installation

and wait until the Active Directory Domain Services role is installed

Role installation

When the role is installed, you will see a yellow exclamation mark in the notification area

Post-installation steps

That means there are additional steps to do after the role installation. Click on that field and you will see what to do next

Post-installation steps

Click on “Promote this server to a domain controller” and the promotion wizard will be displayed.

It is similar to the previous DCPROMO wizard on older OS versions. The promotion process is much simpler than before and requires fewer steps to finish.

In this case, you are configuring a new forest root domain, so you need to choose the “Add a new forest” option and specify the DNS domain name for this new forest. As mentioned before, in this example you will use testenv.local as the DNS domain name

Domain Controller promotion

On the next screen, you need to specify Domain and Forest Functional Levels.

When you are configuring a new forest root domain, you cannot set the Windows Server 2003 Domain or Forest Functional Level. The lowest possible mode is Windows Server 2008. Keep that in mind when planning new infrastructure: Windows Server 2003 Domain Controllers are not supported in this scenario anymore, as Windows Server 2003 support is ending soon.

Information! Currently, the highest possible Domain and Forest Functional Level is Windows Server 2012R2! It looks like the Technical Preview version is not ready for new levels, or they are not yet stable enough to be implemented.

For more details about raising domain and forest functional levels, please check other articles on my blog:

Important! Once you set the Domain/Forest Functional Level it cannot be changed to a lower mode, so be careful when you choose it. If you are not sure which functional level is adequate for you, choose the lower one. You can always raise it later without any business continuity disruption.

Define whether the server will have the DNS role installed and whether it will be a Global Catalog. As this is the first Domain Controller, both must be installed.

Specify the Directory Services Restore Mode (DSRM) password, which at this stage will also be used for the domain administrator account

Domain Controller promotion

As this is the first Domain Controller and the forest root domain, do not worry about DNS delegation and go to the next step

Domain Controller promotion

After specifying the DNS domain name, you also need to type the NetBIOS domain name. By default the wizard suggests the first label of the DNS domain name. If you have no reason to use a different NetBIOS name, I would suggest leaving it, as after changing this name you will have an issue with the Active Directory Administrative Center, which does not recognize a changed NetBIOS domain name (it uses the first label of the DNS domain name).

Domain Controller promotion

Specify the location of the AD database and SYSVOL. You may leave the defaults or move them to a dedicated drive

Domain Controller promotion

You will see a summary screen with all details before installation. As in Windows Server 2012, everything in Server Manager is translated into PowerShell and executed in the background, so you may click “View script” to see what will be done to install and configure the Domain Controller

PowerShell script for Domain Controller promotion

when you are ready, click “Next” to go to the final screen, where the script will be executed in the background

Domain Controller promotion

If all prerequisite checks pass, you can start the installation

Domain Controller promotion

Wait a while and the server will be rebooted. After the reboot, your server will be a Domain Controller.

Congratulations! Your Domain Controller for the forest root domain is ready! You can log on to it using the password specified during the server preparation process (the same password as for the local Administrator, or probably the same as for Directory Services Restore Mode 🙂 )

Domain Controller desktop

Log on to your new Domain Controller using domain administrator credentials.

We have to configure the DNS server to send unresolved DNS queries to the ISP DNS server(s) or any other public DNS server(s). This configuration is necessary to be able to access Internet resources from our internal network.

If you do not have the public DNS server(s) IP addresses, or you do not want to define them, do not put anything under the “Forwarders” tab; by default “Root hints” will be used. In that case, skip the few steps below.

Open the DNS management console from Tools in Server Manager and select the server name.

DNS forwarders configuration

In the right pane, at the bottom of that window, double-click on Forwarders

DNS forwarders configuration

When the Forwarders window appears, click the “Edit” button to add the public DNS server(s) used for Internet access

DNS forwarders configuration

You should see a window where you can enter ISP or public DNS servers. Add them to the list. In this case we will use the Google public DNS servers (8.8.4.4 and 8.8.8.8). Wait until they are validated and close the console

DNS forwarders configuration

Finally, you should consider Domain Controller and DNS server redundancy in your network by placing an additional server with these roles. Another very important part is performing System State backups of the Domain Controllers regularly.

If hardware resources in your network are scarce, you can consider placing the DHCP server on this Domain Controller. However, it is not recommended to install additional roles on DCs, for security reasons and because of rights delegation scenarios.
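The whole GUI procedure above, from the network settings through the promotion to the forwarders, written out as PowerShell. This is an added example, not the script behind the wizard’s “View script” button; the addresses, the forest name and the interface name come from this article, while the gateway, the server name DC01 and the paths are assumptions noted in the comments.

```powershell
# Added example: the GUI steps above as PowerShell, run in an elevated session on
# the freshly installed server. Stages 1, 2 and 3-5 are separated by the reboots the
# article describes, so they are not run as one uninterrupted script.
# Assumed: interface "Ethernet" (as on the page), 192.168.1.10/24, gateway 192.168.1.1,
# server name DC01, forest testenv.local, functional level Windows Server 2012 R2.

# --- 1. Network: static address, DNS client pointed at the server itself ---
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 192.168.1.10 `
    -PrefixLength 24 -DefaultGateway 192.168.1.1
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.1.10

# --- 2. Server name (takes effect after the reboot) ---
Rename-Computer -NewName "DC01" -Restart

# --- 3. AD DS role with its management tools (the dependent features the wizard lists) ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# --- 4. Promotion ---
# Prompt for the DSRM password instead of writing it into the script: during promotion
# it is also the local Administrator password, so it must not be left behind in a
# file, the command history or a transcript log.
$dsrm = Read-Host -Prompt "DSRM password" -AsSecureString
Import-Module ADDSDeployment

$forest = @{
    DomainName                    = "testenv.local"
    DomainNetbiosName             = "TESTENV"           # the wizard's default: first label of the DNS name
    ForestMode                    = "Win2012R2"         # cannot be lowered afterwards; raise later if unsure
    DomainMode                    = "Win2012R2"
    InstallDns                    = $true               # DNS (and the GC) are mandatory on the first DC
    CreateDnsDelegation           = $false              # new forest root: no parent zone to delegate from
    DatabasePath                  = "C:\Windows\NTDS"   # the defaults; a dedicated drive is also fine
    LogPath                       = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true               # no confirmation prompt; reboots when finished
}

# The wizard's prerequisite check on its own: it reports problems and changes nothing.
Test-ADDSForestInstallation @forest
Install-ADDSForest @forest

# --- 5. After the promotion reboot, logged on as TESTENV\Administrator: forwarders ---
# Skip this stage and the server resolves external names through root hints instead.
Set-DnsServerForwarder -IPAddress 8.8.8.8, 8.8.4.4
Get-DnsServerForwarder    # confirm the list; UseRootHint shows whether root hints still apply
```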

Author: Krzysztof Pytko

Active Directory Topology Visualization

My friend Wojciech has started his blog recently and you can find there a lot of interesting articles. His knowledge base is growing, so keep an eye on his blog; it’s worth it!

One of the really useful articles at this moment is about Active Directory Topology Visualization

If you have ever considered documenting your Domain Controllers’ connection map but could not find a free and easy tool for that, Wojciech prepared a Visual Basic Script that generates your AD topology, which you can simply use in your documentation.

It is really simple to use: just double-click on it and wait a couple of minutes (depending on the environment size, i.e. how many DCs are in your domain). After some time you will receive the Domain Controllers connection map.

Generated Active Directory topology – downloaded from http://wojciech.pazdzierkiewicz.pl

This is also helpful in the troubleshooting process. For the details, just take a look at http://wojciech.pazdzierkiewicz.pl/?p=533

And do not forget to visit his blog to extend your Active Directory knowledge!

Author: Krzysztof Pytko
Sources: http://wojciech.pazdzierkiewicz.pl

Active Directory objects naming convention

Have you ever wondered about the naming convention for Active Directory objects in your domain environment? If you wish to standardize their naming because your current convention is not satisfactory, then this article is for you.

Of course this is only a suggestion on how to build a naming convention, because there is no default template suitable for all environments.

I will try to show you a couple of examples for particular Active Directory objects, and I hope you will be able to adjust them to your environment’s requirements.

Users

Every domain environment is full of users. That’s why it is good to have a naming convention for them, to avoid a mess.

The most popular template is based on the user’s first and last name. This allows you to define a variety of naming conventions.

One of them builds the user’s login from the first name and last name separated by a special character, such as:

  • dot
  • hyphen
  • underscore
  • no special character

Let’s take a closer look at an example for a person: Krzysztof Pytko. Possible logins could look like:

  • Krzysztof.Pytko
  • Krzysztof-Pytko
  • Krzysztof_Pytko
  • KrzysztofPytko

There is nothing wrong with this convention, but what will happen if some day another Krzysztof Pytko is hired in the company? In this case you need to somehow differentiate the users. One of the available options is to add a digit/number at the end of the user’s login, for example:

  • Krzysztof.Pytko1
  • Krzysztof.Pytko2

and so on.

Another option uses the user’s last name and part of the first name (let’s say 3 letters), for example:

  • pytkokrz

You can of course use many variants of the solution shown above, but this also does not guarantee unique logins in the environment.

It’s good to have a naming convention which guarantees unique logins. One option is to use the employee number assigned by the HR department. This should be unique for every employee in the company. Of course this might be difficult for the user to remember, but after a few uses it should be easily remembered.

Let’s take a look at a few examples

  • 1001000001
  • 0000001
  • 1150010001

everything depends on your company’s policy for assigning employee numbers.

The last example uses country and location identifiers with the next free number. Let’s consider this for Poland/Wroclaw and the 15th employee

  • PLWRO015 (for smaller environments up to 1000 users in a location)
  • PLWRO0015 (for medium environments up to 10000 users in a location)
  • PLWRO00015 (for larger environments up to 100000 users in a location)
  • PLWRO000015 (for huge environments up to 1000000 users in a location)

Those were not all the possible options, but this should show you a direction for creating your own user naming convention.

Groups

As in the previous section, every domain is also full of groups. They are mostly used to grant access to resources, but they have other purposes too, like:

  • role
  • fine-grained password policy
  • mail group
  • or other not mentioned here

However, regardless of their purpose, every group must belong to one of these types:

  • domain local
  • global
  • universal

So, you can use the group type as the group prefix, which would look like:

  • l – for domain local groups
  • g – for global groups
  • u – for universal groups

OK, I have mentioned the group prefix, so this probably means that I have some template to build the group’s name? Yes, you’re right, I have something like that. The group naming convention relies on 2 variants in this case and depends on whether:

  • the group is for resource access
  • the group is not for resource access

Let’s take a look at what we need for the name of a group designated for resource access control:

  • group prefix
  • department owner
  • group role
  • group suffix

As the group prefix, it’s good to choose the group type, simply to underline what type it is. Another possibility is to use a prefix indicating the group role. For the department owner, specify the short name or unique id of the team for which it is designated. The group role should clearly define what this group is used for, and it may be a few words separated by a hyphen (-) or underscore (_). However, I would recommend using hyphens only; it is a much more readable form. The group suffix is mostly used only for resource access groups, and states whether the group has read-only (-r) or modify (-rw) permissions.

OK, let’s see a few examples of resource groups for a couple of departments:

  • IT department with licensing data
  • HR department with payroll data
  • Finance department with invoices
  • Common resources for all departments with instructions

All group types for the IT department in the above example are presented below:

  • l-it-licensing-data-r (for read-only access); l-it-licensing-data-rw (for modify access)
  • g-it-licensing-data-r (for read-only access); g-it-licensing-data-rw (for modify access)
  • u-it-licensing-data-r (for read-only access); u-it-licensing-data-rw (for modify access)

All group types for the HR department with payroll data in the above example are presented below:

  • l-hr-payroll-r; l-hr-payroll-rw
  • g-hr-payroll-r; g-hr-payroll-rw
  • u-hr-payroll-r; u-hr-payroll-rw

All group types for the finance department with invoice data:

  • l-finance-invoice-r; l-finance-invoice-rw
  • g-finance-invoice-r; g-finance-invoice-rw
  • u-finance-invoice-r; u-finance-invoice-rw

and all group types for the common resources share, in read-only mode only, as modify access is rarely used for all departments:

  • l-all-instructions-r
  • g-all-instructions-r
  • u-all-instructions-r

Those were not all the possible options, but this should show you a direction for creating your own group naming convention.

Computers and Servers

OK, now we are moving to another important part of the naming convention. This scheme relates to user devices and servers. It is really good to have a common template for those machines, as it simply allows you to identify them without logging on to them.

There are many possibilities, and they depend on how big your environment is. I will show you just a couple of options which may direct you towards your own scheme.

Computers

You need to remember that we are still limited to 15 characters in a computer name, a limit imposed by NetBIOS.

Let’s start with environments where up to 10000 computers in a single location is enough.

CCLLLSVVFFFXXXX

where:

  • CC – is for country code
  • LLL – is a location code
  • S – is for operating system type (Windows, Unix, Linux, Solaris, BSD)
  • VV – is operating system version (XP, 07, 08, 81, 10)
  • FFF – is machine function (WKS, NTB, TAB, MOB)
  • XXXX – next number for machine

and below you can find a few examples of the scheme’s usage for 2 locations (Poland/Wroclaw and England/London):

  • PLWROW07WKS0001 (for computer with Windows 7)
  • PLWROW81WKS0005 (for computer with Windows 8.1)
  • PLWROW81NTB0015 (for notebook with Windows 8.1)
  • PLWROW81TAB0002 (for tablet with Windows 8.1)
  • UKLONWXPWKS0001 (for computer with Windows XP)
  • UKLONW07NTB0004 (for notebook with Windows 7)
  • UKLONW81TAB0150 (for tablet with Windows 8.1)

in companies where more devices (up to 100000) are needed in one location, this convention might be selected (it is a modification of the one above)

CCLLLSVVFFXXXXX

  • CC – is for country code
  • LLL – is a location code
  • S – is for operating system type (Windows, Unix, Linux, Solaris, BSD)
  • VV – is operating system version (XP, 07, 08, 81, 10)
  • FF – is machine function (PC, NB, TA, MO)
  • XXXXX – next number for machine

just short single example: PLWROW81PC00005

and a case for really large companies where up to 1000000 devices are needed in one location (again a modification of the one above)

CCLLLSVVFXXXXXX

  • CC – is for country code
  • LLL – is a location code
  • S – is for operating system type (Windows, Unix, Linux, Solaris, BSD)
  • VV – is operating system version (XP, 07, 08, 81, 10)
  • F – is machine function (Pc, Notebook, Tablet, Mobile)
  • XXXXXX – next number for machine

just short single example: UKLONW81T000015

Servers

The situation with server names is similar to computers, with the same 15-character NetBIOS name limitation. You can simply apply the same scheme with small modifications.

The scheme below is good for environments where no more than 1000 servers of the same role are located within the same site.

CCLLLSVVRFFFXXX

where:

  • CC – is for country code
  • LLL – is a location code
  • S – is for operating system type (Windows, Unix, Linux, Solaris, BSD)
  • VV – is operating system version (03 – 2003, 08 – 2008, 12 – 2012)
  • R – is for operating system release (1 – release 1, 2 – release 2)
  • FFF – is machine function (DCR, DCW, FIL, PRT, APP, MGM)
  • XXX – next number for machine

Machine function in template above states:

  • DCR – Read-Only Domain Controller
  • DCW – Domain Controller
  • FIL – File Server
  • PRT – Print Server
  • APP – Application Server
  • MGM – Management Server

OK, let’s consider a few servers according to the above naming convention:

  • PLWROW121DCW001
  • PLWROW122DCW002
  • PLWAWW122DCR001
  • PLWROW082FIL001
  • PLWROW082PRT001
  • PLPOZW032MGM003

this should be enough for most environments, but if it is not, you need to replace one server function character with a digit, like:

CCLLLSVVRFFXXXX

you have fewer letters to describe the server’s role in detail, but this allows you to have up to 10000 servers with the same role in the same site.

Let’s see a short example of this scheme’s usage: PLWROW121APP0001
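The workstation and server schemes described above, as an added PowerShell example that is not part of the article: it parses a machine name into its fields, enforces the 15-character NetBIOS limit, and computes the next free number for a site/OS/role prefix. The code tables are the ones the article lists and are assumed here to be the environment’s own convention; the inventory is constructed from the article’s sample names.

```powershell
# Added example (not from the article): parse and check machine names built with the
# workstation scheme CCLLLSVVFFFXXXX and the server scheme CCLLLSVVRFFFXXX described
# above, and compute the next free number for a prefix. The code tables below are the
# ones the article lists, assumed here as the environment's own convention.

$OsTypes  = 'W', 'U', 'L', 'S', 'B'                     # Windows, Unix, Linux, Solaris, BSD
$WksRoles = 'WKS', 'NTB', 'TAB', 'MOB'
$SrvRoles = 'DCR', 'DCW', 'FIL', 'PRT', 'APP', 'MGM'

function ConvertFrom-MachineName {
    param([Parameter(Mandatory)][string]$Name)

    # NetBIOS limit first: a longer name is invalid whatever the pattern says.
    if ($Name.Length -gt 15) { throw "'$Name' exceeds the 15-character NetBIOS limit" }

    # Workstations: CC LLL S VV FFF XXXX (the version may be letters, e.g. XP)
    $wks = '^(?<cc>[A-Z]{2})(?<loc>[A-Z]{3})(?<os>[A-Z])(?<ver>[0-9A-Z]{2})(?<role>[A-Z]{3})(?<num>\d{4})$'
    # Servers: CC LLL S VV R FFF XXX (the release digit tells the two schemes apart)
    $srv = '^(?<cc>[A-Z]{2})(?<loc>[A-Z]{3})(?<os>[A-Z])(?<ver>\d{2})(?<rel>[12])(?<role>[A-Z]{3})(?<num>\d{3})$'

    if     ($Name -cmatch $srv -and $SrvRoles -ccontains $Matches.role) { $kind = 'Server' }
    elseif ($Name -cmatch $wks -and $WksRoles -ccontains $Matches.role) { $kind = 'Workstation' }
    else   { throw "'$Name' follows neither the workstation nor the server scheme" }

    if ($OsTypes -cnotcontains $Matches.os) { throw "'$Name': unknown OS type letter '$($Matches.os)'" }

    [pscustomobject]@{
        Name      = $Name
        Kind      = $kind
        Country   = $Matches.cc
        Location  = $Matches.loc
        OsType    = $Matches.os
        OsVersion = $Matches.ver
        Release   = if ($kind -eq 'Server') { [int]$Matches.rel } else { $null }
        Role      = $Matches.role
        Number    = [int]$Matches.num
    }
}

# Next free number for a prefix such as 'PLWROW122DCW'. The counter width is whatever
# the 15-character limit leaves, so the same function serves both schemes.
function Get-NextMachineName {
    param([Parameter(Mandatory)][string]$Prefix,
          [Parameter(Mandatory)][string[]]$Existing)

    $width = 15 - $Prefix.Length
    if ($width -lt 1) { throw "prefix '$Prefix' leaves no room for a number" }
    $used = @($Existing | Where-Object { $_ -clike "$Prefix*" } |
              ForEach-Object { [int]$_.Substring($Prefix.Length) })
    $next = if ($used.Count) { [int]($used | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    if ($next -ge [math]::Pow(10, $width)) { throw "numbers exhausted for prefix '$Prefix'" }
    return $Prefix + $next.ToString("D$width")
}

# Constructed inventory made of names taken from the article
$inventory = 'PLWROW07WKS0001', 'PLWROW81NTB0015', 'UKLONWXPWKS0001',
             'PLWROW121DCW001', 'PLWROW122DCW002', 'PLWAWW122DCR001'

$inventory | ForEach-Object { ConvertFrom-MachineName $_ } |
    Format-Table Name, Kind, Location, OsVersion, Release, Role, Number -AutoSize

Get-NextMachineName -Prefix 'PLWROW122DCW' -Existing $inventory   # next 2012 R2 DC in Wroclaw
Get-NextMachineName -Prefix 'PLWROW81NTB'  -Existing $inventory   # next Windows 8.1 notebook

# A constructed 16-character name is rejected before any pattern is tried
try { ConvertFrom-MachineName 'UKLONW122APP0001' } catch { Write-Warning $_ }
```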

Printers

To define a printer naming convention you have many possibilities, so I will present only one, which seems good in my opinion. It uses:

SSSPMMMXXX

where:

  • SSS – printer signature
  • P – whether it is pooled or not (0 – no, 1 – pooled)
  • MMM – device manufacturer (SAM – Samsung, LEX – Lexmark, CAN – Canon, HPP – HP Printer, KYO – Kyocera, RIC – Ricoh)
  • XXX – device number

Let’s see how this looks in practice:

  • PRT0LEX001
  • PRT0HPP002
  • PRT0RIC001
  • PRT1SAM001

Remember! Put detailed information about the printer’s location in the printer’s properties, as this is not available in the naming convention.

I think that’s all for printers. As I said, there are many possibilities, but I chose this one.

Group Policies

One more object remains on my list: the GPO, which is rarely named according to any convention, especially in outsourced environments where many administrators manage group policies.

I strongly suggest applying a good scheme for those objects, as it makes management much more convenient where many policies are deployed.

For Group Policy naming convention you can use:

  • GPO prefix
  • GPO function (words separated by a hyphen “-”)
  • GPO suffix
  • GPO description (optional out of naming convention)

where GPO prefix is one of:

  • WIN – for Windows policies
  • CTX – for Citrix policies
  • RDS – for Terminal/Remote Desktop Services
  • TST – test policies
  • CUS – customer policies
  • OLD – old policies awaiting for removal

where GPO suffix is one of:

  • LPM – for loopback policy in merge mode
  • LPR – for loopback policy in replace mode
  • SCF – security filtering enabled
  • WMI – WMI filter applied
  • GPP – group policy preferences defined

Based on that, you can create GPOs in your environment. Below are a couple of examples:

  • win-ie-restrictions-control-panel
  • ctx-screen-saver-lpr
  • tst-wsus-update-scf
  • win-folder-mapping-drive-h-gpp

and that’s all about naming conventions in this article. I hope it was helpful and that you can build your own custom naming convention for Active Directory objects.

Author: Krzysztof Pytko

iSiek’s forum has been launched

I would like to announce that iSiek’s forum about Microsoft Windows services has been launched!

iSiek’s forum

I hope you will participate in building a new IT community on this forum, and that we will be able to help each other.

You are invited! I encourage you to register your account for free and start posting your issues or try to help others.

Just some simple forum rules

  1. The forum is free of charge; it is maintained from ads.
  2. To contribute to the community, free registration is required
  3. Write posts in English
  4. Check the forums whether a similar problem already exists
  5. Use the appropriate forum to post your issue
  6. Do not spam
  7. Use external services to host images/logs and post only a link to them
  8. Be polite and do not use vulgarisms
  9. If you do not want to help, do not answer

Be a part of this new community and help create a family atmosphere here.

I hope we will make this IT world better!

Forum address is http://kpytko.pl/forum

Author: Krzysztof Pytko

Installing Windows Server 2012R2 – video

I have created a video blog on YouTube – iSiek’s video blog about Microsoft Windows services.

There you will find a video showing how to install Windows Server 2012R2 for the Domain Controller role. Of course this applies to other Windows Server roles too, and works the same way for installing Windows Server 2012.

and after the server installation, please see another one for the post-installation steps

I hope this method will also be useful for you. At the moment there is no voice in the video. I will try to change that in the near future 🙂

Author: Krzysztof Pytko