Archive | August 2011

Decommissioning broken Domain Controller

 

Sometimes we want to remove a Domain Controller from the network but it is not possible: we see errors saying that the DC cannot be demoted. This is worrying when the same server also hosts other services or data (which is not recommended; a DC should run only the AD DS, DNS and possibly DHCP roles to avoid overloading or corrupting the server). This situation is most often found in small organizations where only a few servers are available.

What can we do when formatting or reinstalling the server is not an option? We can use a special mode of demoting the Domain Controller when we see an error message similar to this one:

decommissioning error

On this broken server, in the Run box, we need to run dcpromo with an additional switch that allows us to decommission the DC. This switch is /forceremoval.

Log on to the faulty DC and type dcpromo /forceremoval

forcing Domain Controller demotion

If the Domain Controller holds any of the FSMO roles, you will get a warning that you should transfer them to another server.

FSMO roles warning

Unfortunately this is impossible, because the DC cannot contact any other Domain Controller in the network. In this case you have to seize the FSMO roles.

How to do that is described in another article at http://kpytko.wordpress.com/2011/08/28/seizing-fsmo-roles/

To continue, press “Yes” on each warning related to the FSMO roles. At the final step (if your DC also held the DNS role) you will be warned that you should fix the DNS server settings of your network after its removal. If you did not do that before, remember to fix it after the DC demotion. Confirm that you are sure you want to remove Active Directory services.

DNS removal confirmation

When your DC also held the Global Catalog, you will be warned to check that at least one GC remains available in the network, to prevent problems with logon to the domain.

Global Catalog removal confirmation

Now you should see the standard Active Directory Installation Wizard, which guides you through the decommission process. Follow its suggestions.

Active Directory Installation wizard

Before the process starts, there is one last piece of information: afterwards you have to perform metadata cleanup, because it will not be done automatically.

Active Directory Installation wizard

DNS also needs to be cleaned up after the DC demotion; click “OK”.

Now set the local administrator password, which will be necessary to log on to the server. The decommission process removes the Active Directory role from the server and makes it a domain member box.

Setting local administrator password

After the role removal, reboot the server to fully complete the task.

On Windows Server 2003 you have to do it manually.

Reboot Windows Server 2003

On Windows Server 2008/2008 R2 you can select a checkbox to reboot the server automatically.

Reboot server

Voilà! Your DC has been decommissioned and is now a domain member server with all the other roles and data still on it. You can log on with the password specified during the demotion process.

A domain member server - Windows 2008

A domain member server - Windows 2003

Now you need to do the metadata cleanup, remove the DNS records related to that server and delete it from Sites and Services.

How to do the metadata cleanup is described in another article at

http://kpytko.wordpress.com/2011/08/29/metadata-cleanup-for-broken-domain-controller/

You can promote this server as a DC again, or change its name and use it only as a standard box in your network.

To clean the DNS records, open the DNS management console and delete all DNS records related to the removed Domain Controller. Next, run the Active Directory Sites and Services console and remove the server from the appropriate Site.

Sites and Services

Confirm that you want to remove this object, and that’s it.

Removing demoted DC from Sites and Services

It’s done.

Author: Krzysztof Pytko

Decommissioning the old Domain Controller

 

When you connect new Domain Controllers to your network, you may wish to remove the old ones. The reasons vary: you have newer hardware on which a DC is running, or you just want to remove old Windows 2000/2003 Domain Controllers which were replaced by Windows Server 2008.

To do that you need a Domain Admin account. When you are sure that the DC can be decommissioned, you need to perform some additional steps before you really remove it from your network.

First of all, check the forest/domain condition to make sure there are no errors. To do that, use the dcdiag and repadmin tools. Dcdiag is available on a Domain Controller by default, but repadmin must be installed from the Support Tools on the Windows Server CD.

Open a command line and type dcdiag /v to check the condition of your domain environment. Review the output and check that everything is OK. If not, you have to fix the errors before continuing with the Domain Controller decommissioning.

dcdiag check

You should also check that Active Directory replication between Domain Controllers occurs regularly. To check that, use the repadmin tool from the Support Tools. You need to install them from the Windows Server CD; after installation they are located by default in “C:\Program Files\Support Tools”.

Enter this command and review the output to see whether there are any errors in AD replication.

repadmin /showrepl /all /verbose

AD data replication check

You should also check that the DC which will be decommissioned does not hold any of the FSMO roles. Don’t worry, the decommission process transfers them automatically to another available Domain Controller, but it is better to control this process yourself. Please also ensure that at least one Global Catalog server remains available in your network after the decommission process.

Now, when you are sure that there are no errors in your domain environment, you can start decommissioning the Domain Controller. Log on to that particular server with Domain Admin credentials and in the Run box type dcpromo (as in the DC promotion process).
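The checks above (dcdiag, repadmin, FSMO holders, remaining Global Catalogs) in one script, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module and the repadmin/dcdiag tools of Windows Server 2008 R2, Domain Admin rights, and a DC name supplied in place of the $DcToRemove placeholder.

```powershell
# Pre-decommission checks for a Domain Controller (added example).
# Assumes: RSAT ActiveDirectory module, repadmin and dcdiag on the path
# (2008 R2, or 2003 with Support Tools), run with Domain Admin rights.
param(
    [Parameter(Mandatory = $true)]
    [string]$DcToRemove            # placeholder, e.g. "DC01": the DC to demote
)

Import-Module ActiveDirectory

$problems = @()

# 1. Replication health: repadmin /showrepl * /csv gives one row per partner
#    and naming context; any row with failures blocks the decommission.
$repl   = repadmin /showrepl * /csv | ConvertFrom-Csv
$failed = $repl | Where-Object { [int]$_.'Number of Failures' -gt 0 }
foreach ($row in $failed) {
    $problems += "Replication: {0} <- {1} [{2}] last status {3}" -f `
        $row.'Destination DSA', $row.'Source DSA', $row.'Naming Context',
        $row.'Last Failure Status'
}

# 2. dcdiag: collect the tests the verbose run marked as failed.
dcdiag /v | Select-String -Pattern 'failed test (\w+)' |
    ForEach-Object { $problems += "dcdiag: $($_.Matches[0].Value)" }

# 3. FSMO roles: the DC we are about to demote should not hold any of them.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    # holders are reported as FQDNs; match either the FQDN or the short name
    if ($r.Value -like "$DcToRemove.*" -or $r.Value -eq $DcToRemove) {
        $problems += "FSMO: $($r.Key) is still held by $DcToRemove - transfer it first"
    }
}

# 4. Global Catalog: at least one GC must remain after this DC is gone.
$remainingGc = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Where-Object { $_.Name -ne $DcToRemove }
if (-not $remainingGc) {
    $problems += "GC: $DcToRemove is the only Global Catalog - enable GC elsewhere first"
}

if ($problems.Count -eq 0) {
    Write-Output "All checks passed - $DcToRemove can be demoted with dcpromo."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Output "Fix the issues above before running dcpromo on $DcToRemove."
}
```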

Demoting DC

The Active Directory Installation Wizard will be displayed. Continue the process.

Active Directory Installation wizard

You will be warned to ensure that at least one Global Catalog is left in your environment.

Active Directory Installation wizard

On the next screen do not select the “This server is the last domain controller in the domain” checkbox. This option is used only when you are demoting the last Domain Controller and you also want to remove the domain. So, in this case go further without any changes on this screen.

Active Directory Installation wizard

Set the server’s password. After decommissioning it will be a domain member server and you need to specify the local administrator’s password.

Active Directory Installation wizard

To permanently remove the Active Directory role from this server, click “Next”.

Active Directory Installation wizard

Wait until the Active Directory services are removed from the server. When your DC is decommissioned, you need to reboot it to complete the process.

Active Directory Installation wizard

Active Directory removed

As you can see, your box is a domain member now.

a domain member server

If you wish to keep this server in your environment, it is good to consider changing its name (if it was related to the DC role, as in my example). When you don’t want to use this server anymore, you can shut it down and then clean up the DNS records and Sites and Services.

To do that, open the DNS management console and delete all DNS records related to the removed Domain Controller. Next, run the Active Directory Sites and Services console and remove the server from the appropriate Site.

Removing demoted DC from Sites and Services

Confirm that you want to remove this object, and that’s it.

DC removal from Sites and Services - confirmation

It’s done.

Author: Krzysztof Pytko

Metadata cleanup for broken Domain Controller

 

Sometimes we have a problem with broken Domain Controller(s) in our environment, and we do not think about the consequences of removing the failed DC from the network. We just shut it down and replace it with a new one, because usually we have no system state backup of the old Domain Controller. Everything looks fine to us: there is no failed DC in the network. But Active Directory still knows about it and still tries to use that DC for AD replication, which causes errors. To stop replication attempts between the broken DC and the rest, you need to perform metadata cleanup. This can be done using ntdsutil on any workstation/server in the network. You just need a Domain Admin account to do that.

When you do the metadata cleanup, the tool tries to automatically seize the FSMO roles which were held by that Domain Controller. This process is automatic and you cannot control it. If you wish to choose which DC should hold them, you need to seize the roles yourself.

Let’s start the metadata cleanup. Open a command line and type: ntdsutil

ntdsutil tool

Now you need to use the appropriate context to enter metadata cleanup.

ntdsutil: metadata cleanup (enter)

ntdsutil – metadata cleanup context

You have to choose the Domain, the Site and then the Domain Controller which you want to remove from the Active Directory metadata. For that you need to go into the “select operation target” context and select the appropriate data.

metadata cleanup: select operation target (enter)

ntdsutil – performing metadata cleanup

To successfully remove the DC from the Active Directory metadata, we need to know in which domain and site that controller was located. Follow the steps below to connect to the domain in which you want to perform metadata cleanup.

select operation target: connections (enter)

server connections: connect to domain <DNS-Domain-Name> (enter)

server connections: quit (enter)

ntdsutil – performing metadata cleanup

Now you are connected to the particular domain and you are in the context where you can enumerate Domains, Sites and Domain Controllers. List the available domains and choose the appropriate one (the one where your broken DC was located).

select operation target: list domains (enter)

ntdsutil – performing metadata cleanup

Choose the domain using its number from the list.

select operation target: select domain <Domain-Number> (enter)

ntdsutil – performing metadata cleanup

You are connected to the domain; now list the available Sites and choose the appropriate one (the one where your broken DC was located).

select operation target: list sites (enter)

ntdsutil – performing metadata cleanup

Select the Site’s number to connect to that Site.

select operation target: select site <Site’s-Number> (enter)

ntdsutil – performing metadata cleanup

And now list all Domain Controllers in this Site.

select operation target: list servers in site (enter)

ntdsutil – performing metadata cleanup

The last thing to do is to select the failed Domain Controller from the displayed list. In my case this is DC03 (its number on the list is 2). You need to select the DC using its number from the list.

select operation target: select server <Failed-DC-Number> (enter)

ntdsutil – performing metadata cleanup

Finally, we have collected all the data necessary to perform the metadata cleanup. Go one level up in the ntdsutil context by typing quit (enter).

select operation target: quit (enter)

metadata cleanup:

The final step removes all metadata of the failed Domain Controller from Active Directory. To do that, type remove selected server and confirm that you want to do it.

metadata cleanup: remove selected server (enter)

Confirm DC metadata removal

You will see that the broken server was removed from the network.

metadata cleanup completed

Leave ntdsutil by typing quit twice and close the command line.

metadata cleanup: quit (enter)

ntdsutil: quit (enter)

To summarize metadata cleanup commands:

ntdsutil: metadata cleanup (enter)

metadata cleanup: select operation target (enter)

select operation target: connections (enter)

server connections: connect to domain <DNS-Domain-Name> (enter)

server connections: quit (enter)

select operation target: list domains (enter)

select operation target: select domain <Domain-Number> (enter)

select operation target: list sites (enter)

select operation target: select site <Site’s-Number> (enter)

select operation target: list servers in site (enter)

select operation target: select server <Failed-DC-Number> (enter)

select operation target: quit (enter)

metadata cleanup: remove selected server (enter)

metadata cleanup: quit (enter)

ntdsutil: quit (enter)

Review the DNS management console and Sites and Services to check whether any records about that DC remain. You can simply remove them; they are not necessary anymore.
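The same cleanup done in a single ntdsutil call, followed by a scripted version of the DNS and Sites and Services review, as an added example that is not part of the original article. It assumes Windows Server 2003 SP1 or later (ntdsutil accepts the server DN directly on the command line), the RSAT ActiveDirectory module, dnscmd on a DNS server, and Domain Admin rights; DC03, Default-First-Site-Name, DC=domain,DC=local and domain.local are placeholders.

```powershell
# Metadata cleanup in one ntdsutil call, then a check for leftovers
# (added example, not the author's). Placeholders: replace $FailedDc,
# $SiteName, $DomainDn and $DnsZone with your failed DC, its site and domain.
$FailedDc = 'DC03'
$SiteName = 'Default-First-Site-Name'
$DomainDn = 'DC=domain,DC=local'
$DnsZone  = 'domain.local'

# The server object that "select server" picks interactively, written as a DN.
$ServerDn = "CN=$FailedDc,CN=Servers,CN=$SiteName,CN=Sites,CN=Configuration,$DomainDn"

# Each argument is one line you would otherwise type at the ntdsutil prompts.
# "remove selected server <DN>" replaces the select-then-remove sequence of the
# article; the two quits leave the tool. ntdsutil still asks for confirmation.
ntdsutil "metadata cleanup" "remove selected server $ServerDn" quit quit

# --- Verify that nothing still refers to the removed DC --------------------
Import-Module ActiveDirectory
$config    = (Get-ADRootDSE).configurationNamingContext
$leftovers = @()

# Server object in Sites and Services (should be gone; delete it if not).
$srv = Get-ADObject -SearchBase $config -Filter { objectClass -eq 'server' } |
    Where-Object { $_.Name -eq $FailedDc }
if ($srv) { $leftovers += "Sites and Services: $($srv.DistinguishedName)" }

# Computer account of the old DC (normally removed by the cleanup).
$acct = Get-ADComputer -Filter { Name -eq $FailedDc } -ErrorAction SilentlyContinue
if ($acct) { $leftovers += "Computer account: $($acct.DistinguishedName)" }

# DNS records in the domain's forward zone that still name the old DC
# (A, SRV, CNAME). Repeat for _msdcs.<domain> if it is a separate zone.
$dns = dnscmd /enumrecords $DnsZone '@' /continue | Select-String -Pattern $FailedDc
foreach ($line in $dns) { $leftovers += "DNS: $($line.Line.Trim())" }

if ($leftovers.Count -eq 0) {
    Write-Output "No references to $FailedDc remain."
} else {
    Write-Warning "Remove these manually (DNS console / Sites and Services):"
    $leftovers | ForEach-Object { Write-Warning "  $_" }
}
```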

It’s done.

You may also wish to see how to do metadata cleanup from the GUI.

Author: Krzysztof Pytko

Seizing FSMO Roles

 

Probably you ask yourself: “why should I need this option? I can transfer the FSMO roles to the new Domain Controller and that’s it.” You’re right, but transferring FSMO roles is not always possible. What if the Domain Controller which held the FSMO role(s) is broken and cannot be repaired? Even if you don’t need any of them at this moment, they need to exist in your network, for sure.

Seizing FSMO roles is the last possible way of making another DC the FSMO holder, to keep your Active Directory environment working. This option should be used as the last resort. After you seize the FSMO roles to another Domain Controller, the previous one must not be connected to the network again before a complete reinstallation! Doing so would corrupt your environment, because seizing roles does not clean them on the old DC. So, this option should be used only if your old DC cannot be repaired.

If you wish, you may also check the article about Seizing FSMO roles with PowerShell.

To seize FSMO roles you need to use the ntdsutil tool. It is not possible to do that from the GUI.

Open a command line and type: ntdsutil

ntdsutil

The next step is to connect to the Domain Controller to which you want to seize the roles.

Type these commands:

ntdsutil: roles (enter)

fsmo maintenance: connections (enter)

server connections: connect to server <DC-Name> (enter)

Connecting to Domain Controller

Now you are connected to that Domain Controller. Go one level up, to the context where you will be able to seize the roles.

server connections: quit (enter)

fsmo maintenance:

Seizing FSMO roles

It’s time to seize the FSMO roles to the new DC. It looks similar to transferring roles, but instead of transfer you have to use the word seize.

  • Schema master

fsmo maintenance: seize schema master (enter)

Confirm that you want to seize the Schema master role to this server and wait until ntdsutil does that.

Schema master seize

First, the tool tries to perform a safe transfer of the role. But it cannot contact the broken DC, so you will get an error saying that this was not possible. Then the role is seized.

Attempt to transfer FSMO role

Continue with role seizing.

  • Domain Naming master

Be aware that ntdsutil has a small syntax difference between Windows Server 2003 and 2008 for seizing the Domain Naming master.

For Windows Server 2003

fsmo maintenance: seize domain naming master (enter)

For Windows Server 2008

fsmo maintenance: seize naming master (enter)

Accept the change and wait until the role is seized.

Domain Naming master seize

  • RID master

Follow the same steps for the other FSMO roles.

fsmo maintenance: seize rid master (enter)

RID master seize

  • PDC Emulator master

fsmo maintenance: seize pdc (enter)

PDC Emulator master seize

  • Infrastructure master

Important! In a multi-domain environment where not all Domain Controllers are Global Catalogs, the Infrastructure master has to be placed on a non-Global Catalog Domain Controller to prevent conflicts between them.

fsmo maintenance: seize infrastructure master (enter)

Infrastructure master seize

That was the last FSMO role to seize. You can verify that your new DC holds all of them.

FSMO roles seizing summary

Leave the ntdsutil tool by typing quit

fsmo maintenance: quit (enter)

ntdsutil: quit (enter)

and close the command-line window.

You can also use the netdom command to verify the FSMO role holder. Type in the command line: netdom query fsmo and review the output.

Verifying FSMO roles holder

You will see that your new Domain Controller now holds all of the FSMO roles.

The roles have been seized. Now it’s time to do the metadata cleanup to remove the information about the broken Domain Controller from your Active Directory environment, and to clean the DNS records and Sites and Services.

To summarize ntdsutil commands:

ntdsutil (enter)

ntdsutil: roles (enter)

fsmo maintenance: connections (enter)

server connections: connect to server <DC-Name> (enter)

server connections: quit (enter)

fsmo maintenance: seize schema master (enter)

2003 server: fsmo maintenance: seize domain naming master (enter)

2008 server: fsmo maintenance: seize naming master (enter)

fsmo maintenance: seize rid master (enter)

fsmo maintenance: seize pdc (enter)

fsmo maintenance: seize infrastructure master (enter)

fsmo maintenance: quit (enter)

ntdsutil: quit (enter)

It’s done.

Author: Krzysztof Pytko

Transferring FSMO roles from command-line

 

When you are demoting an old Domain Controller which holds any of the Single Master Operation roles, more commonly known as Flexible Single Master Operation (FSMO) roles, you may wish to manually transfer them to another Domain Controller.

This is not strictly necessary, because during the DC decommission process they would be transferred automatically to another DC in the network, but it is nice to control this process.

FSMO roles should be placed in a well-connected, reliable location to prevent disruption in access to them.

There are 2 ways of transferring FSMO roles. You can do that using the graphical consoles available on a DC or on any server/workstation with Administrative Tools / Remote Server Administration Tools installed, or using the command-line tool called ntdsutil.

Transferring FSMO roles using the command-line tool

There are five FSMO roles. Two of them are forest-wide and three are domain-wide. The forest-wide FSMO roles are common to the entire forest and by default are held by the first Domain Controller in the forest-root domain.

These roles are:

  • Schema master
  • Domain Naming master

The other three, domain-wide, roles are:

  • Relative Identifier (RID) master
  • PDC Emulator master
  • Infrastructure master

and they are separate for each domain in the forest.

To transfer any of them, it is necessary to use the ntdsutil tool and choose a Domain Controller for them.

In this scenario, we transfer the FSMO roles from an old Windows Server 2003 DC to a new one based on Windows Server 2008 R2.

Important! Before you start transferring FSMO roles, it is good to check your forest/domain condition using the dcdiag and repadmin tools, to be sure that there is no problem with replication or Domain Controller functionality.

Open a command-line console and type: ntdsutil

You will see the command prompt. To get help, type ? (question mark) and press Enter.

ntdsutil

First of all you need to connect to the Domain Controller to which you want to transfer the FSMO roles. To do that, type:

ntdsutil: roles (enter)

fsmo maintenance: connections (enter)

server connections: connect to server <DC-Name> (enter)

server connections: quit (enter)

fsmo maintenance:

and now you will be able to transfer the FSMO roles to the selected Domain Controller.

  • Schema master

fsmo maintenance: transfer schema master (enter)

Click the “Yes” button to move the role.

Role transfer confirmation

the role is transferred

Role transfer confirmation

  • Domain Naming master

To transfer the Domain Naming master, you need to know the small syntax difference between ntdsutil in 2003 and 2008.

On a 2003 server:

fsmo maintenance: transfer domain naming master (enter)

On a 2008 server:

fsmo maintenance: transfer naming master (enter)

Click the “Yes” button to move the role.

Role transfer confirmation

the role is transferred

Role transfer confirmation

  • RID master

fsmo maintenance: transfer rid master (enter)

Click the “Yes” button to move the role.

Role transfer confirmation

the role is transferred

Role transfer confirmation

  • PDC Emulator master

fsmo maintenance: transfer pdc (enter)

Click the “Yes” button to move the role.

Role transfer confirmation

the role is transferred

Role transfer confirmation

  • Infrastructure master

Important! In a multi-domain environment where not all Domain Controllers are Global Catalogs, the Infrastructure master has to be placed on a non-Global Catalog Domain Controller to prevent conflicts between them.

fsmo maintenance: transfer infrastructure master (enter)

Click the “Yes” button to move the role.

Role transfer confirmation

the role is transferred

Role transfer confirmation

fsmo maintenance: quit (enter)

ntdsutil: quit (enter)

All FSMO roles have been transferred!

You only need to verify that they are where you wanted them. Open a command line and type: netdom query fsmo to check that.

FSMO roles verification

To summarize ntdsutil commands:

ntdsutil (enter)

ntdsutil: roles (enter)

fsmo maintenance: connections (enter)

server connections: connect to server <DC-Name> (enter)

server connections: quit (enter)

fsmo maintenance: transfer schema master (enter)

2003 server: fsmo maintenance: transfer domain naming master (enter)

2008 server: fsmo maintenance: transfer naming master (enter)

fsmo maintenance: transfer rid master (enter)

fsmo maintenance: transfer pdc (enter)

fsmo maintenance: transfer infrastructure master (enter)

fsmo maintenance: quit (enter)

ntdsutil: quit (enter)
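The transfer described in this article and the seize described in the previous one, together with the netdom-style verification, as one added PowerShell example that is not part of the original articles. It assumes the RSAT ActiveDirectory module of Windows Server 2008 R2 or later, Domain and Enterprise Admin rights, and uses DC02 as a placeholder for the new Domain Controller.

```powershell
# Transfer (or, when the old holder is dead, seize) the five FSMO roles to a
# target DC and verify the result - added example, not the author's.
# Assumes the RSAT ActiveDirectory module; "DC02" is a placeholder.
Import-Module ActiveDirectory

# Returns role name -> FQDN of the current holder, the same information
# "netdom query fsmo" prints, read from the forest and domain objects.
function Get-FsmoHolders {
    $f = Get-ADForest
    $d = Get-ADDomain
    @{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

# Moves every role to $TargetDc. Without -Seize this is a normal transfer, the
# equivalent of ntdsutil "transfer <role>": the current holder must be online.
# With -Seize the cmdlet runs with -Force, the equivalent of "seize <role>";
# as the seizing article stresses, use it only when the old holder is broken
# and will be reinstalled before it is ever reconnected.
function Move-AllFsmoRoles {
    param(
        [Parameter(Mandatory = $true)][string]$TargetDc,
        [switch]$Seize
    )
    $roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator',
             'RIDMaster', 'InfrastructureMaster'
    $params = @{
        Identity            = $TargetDc
        OperationMasterRole = $roles
        Confirm             = $false
    }
    if ($Seize) { $params['Force'] = $true }
    Move-ADDirectoryServerOperationMasterRole @params
}

# Compares each holder with the intended target and reports any mismatch,
# e.g. a role that a failed transfer left on the old DC. Returns $true/$false.
function Test-FsmoHolders {
    param([Parameter(Mandatory = $true)][string]$TargetDc)
    $expected = (Get-ADDomainController -Identity $TargetDc).HostName
    $ok = $true
    foreach ($role in (Get-FsmoHolders).GetEnumerator()) {
        if ($role.Value -ne $expected) {
            Write-Warning ("{0} is held by {1}, expected {2}" -f
                $role.Key, $role.Value, $expected)
            $ok = $false
        }
    }
    return $ok
}

# Usage: a normal transfer to the new DC, then verification.
Move-AllFsmoRoles -TargetDc 'DC02'
if (Test-FsmoHolders -TargetDc 'DC02') {
    Write-Output 'All five FSMO roles are on DC02.'
}
# If the old holder is unrecoverable, seize instead:
#   Move-AllFsmoRoles -TargetDc 'DC02' -Seize
```

In a multi-domain forest where not every DC is a Global Catalog, pass a separate non-GC target for InfrastructureMaster instead of moving all five roles to one DC, as the Important! note above requires.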

If you wish, you may also check the article about Transferring FSMO roles with PowerShell.

It’s done.

Author: Krzysztof Pytko

Transferring FSMO roles from GUI

 

When you are demoting an old Domain Controller which holds any of the Single Master Operation roles, more commonly known as Flexible Single Master Operation (FSMO) roles, you may wish to manually transfer them to another Domain Controller.

This is not strictly necessary, because during the DC decommission process they would be transferred automatically to another DC in the network, but it is nice to control this process.

FSMO roles should be placed in a well-connected, reliable location to prevent disruption in access to them.

There are 2 ways of transferring FSMO roles. You can do that using the graphical consoles available on a DC or on any server/workstation with Administrative Tools / Remote Server Administration Tools installed, or using the command-line tool called ntdsutil.

Transferring FSMO roles using GUI consoles

There are five FSMO roles. Two of them are forest-wide and three are domain-wide. The forest-wide FSMO roles are common to the entire forest and by default are held by the first Domain Controller in the forest-root domain.

These roles are:

  • Schema master
  • Domain Naming master

The other three, domain-wide, roles are:

  • Relative Identifier (RID) master
  • PDC Emulator master
  • Infrastructure master

and they are separate for each domain in the forest.

To transfer any of them, it is necessary to use the appropriate console(s) and choose a Domain Controller for them.

In this scenario, we transfer the FSMO roles from an old Windows Server 2003 DC to a new one based on Windows Server 2008 R2.

Important! Before you start transferring FSMO roles, it is good to check your forest/domain condition using the dcdiag and repadmin tools, to be sure that there is no problem with replication or Domain Controller functionality.

  • Schema Master

This role can be transferred using the Active Directory Schema snap-in. This is possible only when you register the appropriate library in the system; by default the AD Schema snap-in is not available in the OS.

To do that, run the following command in the command line on a DC or on a system with Administrative Tools / Remote Server Administration Tools installed:

regsvr32 schmmgmt.dll

Registering the Active Directory Schema snap-in

When the snap-in is registered, we can add it to an MMC console. Open the Run box and type mmc to open an empty console.

Running MMC

Then add “Active Directory Schema” from the menu “File -> Add/Remove snap-in”.

Active Directory Schema snap-in

Now we can select the Domain Controller to which we want to transfer this role. Click with the right mouse button (RMB) on the “Active Directory Schema” node and choose “Change Active Directory Domain Controller”. From the list, select the target Domain Controller for the Schema Master role.

Choosing Domain Controller

You will be informed that you cannot make any schema changes on a DC which is not the Schema Master owner. Don’t worry, you won’t be modifying any schema object; we will change the Schema Master owner only.

Warning

We are now connected to the DC to which we want to transfer the Schema Master role. To finalize this operation, click the “Active Directory Schema” node once again with the RMB and choose “Operations Master”. You will see two fields. The first points to the current FSMO holder and the second shows to which DC the role can be transferred. Click the “Change” button

Schema master

Confirm that you are sure you want to change the Operations Master owner

Role transfer confirmation

and you will be informed that it has been transferred.

Role transfer information

Schema master changed

Close the MMC console without saving changes.

  • Domain Naming Master

This role can be transferred using the “Active Directory Domains and Trusts” console. It is available on any DC or on a server/workstation with Administrative Tools / Remote Server Administration Tools installed. Run the console, click “Active Directory Domains and Trusts” with the RMB, choose “Change Active Directory Domain Controller” and select from the list the one to which you want to move the role.

Domain Controller selection

Now click the root node once again, choose “Operations Master” and then click the “Change” button

Domain Naming master

Confirm that you want to transfer the role

Role transfer confirmation

Role transfer information

Close “Active Directory Domains and Trusts” console.

  • RID, PDC Emulator and Infrastructure Masters

These domain-wide roles can be moved to another Domain Controller from a common console. To do that, you need to run the “Active Directory Users and Computers” console.

Click the root node and choose “Change Domain Controller”, then select the appropriate target DC.

Domain Controller selection

Select the domain within the console for which you want to transfer the roles and choose “Operations Master”. You will see a window with three tabs:

  • RID master
  • PDC master
  • Infrastructure master

On each of them you can move the role to the selected Domain Controller.

Select each tab separately and transfer the particular role to the target DC(s).

Important! In a multi-domain environment where not all Domain Controllers are Global Catalogs, the Infrastructure master has to be placed on a non-Global Catalog Domain Controller to prevent conflicts between them.

  • RID master

Relative Identifier (RID) master

Confirm the role transfer

Role transfer confirmation

An information window will appear

Role transfer information

  • PDC Emulator master

PDC Emulator master

Confirm the role transfer

Role transfer confirmation

An information window will appear

Role transfer information

  • Infrastructure master

Infrastructure master

Confirm the role transfer

Role transfer confirmation

An information window will appear

Role transfer information

All of the FSMO roles have been transferred!

It’s time to verify that all of them are where we wanted them. The simplest way is to review each console and check “Operations Master”, or to use the netdom command-line tool. The latter method is very fast and shows the output in one window.

Open a command line and type: netdom query fsmo

FSMO roles verification

If you wish, you may also check the article about Transferring FSMO roles with PowerShell.

It’s done.

Author: Krzysztof Pytko

Adding first Windows Server 2008 R2 Domain Controller within Windows 2003 network

 

Prerequisites

To be able to configure a Windows Server 2008 R2 Domain Controller within a Windows 2003 network, we need to check that the Domain Functional Level is set to at least Windows 2000 native mode. The preferable Domain Functional Level is Windows Server 2003. When it is set to Windows Server 2003 mode, and you have only one domain in the forest or each domain has only Windows 2003 Domain Controllers, you are also able to raise the Forest Functional Level to Windows Server 2003, which lets you use a Read-Only Domain Controller (RODC) in your network.

We can check this in the domain where we want to install the first 2008 R2 DC. To verify it, we need to use the “Active Directory Users and Computers” or “Active Directory Domains and Trusts” console.

Using the “Active Directory Users and Computers” console, select your domain and click it with the right mouse button (RMB). Choose “Raise Domain Functional Level” and check it.

If you see a screen like this (mixed mode), it means that you need to raise your Domain Functional Level.

Domain Functional Level

But remember, raising the Domain Functional Level is a one-time action and cannot be reverted. Before you raise it to 2000 native mode, please ensure that all of your Domain Controllers are running at least Windows 2000 Server.

Windows 2000 native mode does not support DCs based on earlier Microsoft Windows systems like NT4.

If your environment does not have any NT4 or 2000 Domain Controllers, you can raise the Domain Functional Level to Windows Server 2003 mode.

Now, when you have checked that you do not have any pre-2000 OS, select the appropriate level and click the “Raise” button

Raising Domain Functional Level

and accept the change. You will be warned that reverting the change will not be possible!

Warning

Information about the successful change will be displayed.

Information

After the successful change, you should see the changed domain operation mode.

Verification

Another way to do that is using the Active Directory Domains and Trusts console. Run this console, select the domain for which you want to check the Domain Functional Level and choose “Raise Domain Functional Level”.

Follow the same steps as in previous console.

Here you can also raise your Forest Functional Level, if all of the Domain Controllers in the entire forest are running Windows Server 2003. If not, please skip the steps below and go to the Single Master Operation Roles section.

To raise the Forest Functional Level, click the “Active Directory Domains and Trusts” node with the RMB and choose “Raise Forest Functional Level”. On the list, accept “Windows Server 2003” mode by clicking the “Raise” button.

Raising Forest Functional Level

You will be notified that this is also an irreversible action. Confirm that you know what you are doing and then verify that your Forest Functional Level is set to Windows Server 2003

Forest Functional Level

Now it’s time to determine which Domain Controller(s) hold(s) the Single Master Operation Roles. The most important ones for preparing the environment for a 2008 R2 DC are

  • Schema Master
  • Infrastructure Master

On that/those DC(s) we have to run the Active Directory preparation tool.

To determine which DC(s) hold(s) these roles, we need to use:

  • the Active Directory Users and Computers and Active Directory Schema consoles

or

  • the netdom command from the Support Tools (the Support Tools have to be installed from the Support folder of the Windows 2000 Server CD)

To determine which DC holds the Schema Master, run the following in the command line on one of the DCs or on a workstation with Administrative Tools installed

regsvr32 schmmgmt.dll

to register the Schema snap-in within the OS.

Registering the Active Directory Schema console

Now open an MMC console from the Run box

MMC console

Within that console add the Active Directory Schema snap-in

Active Directory Schema snap-in

Click the “Active Directory Schema” node with the RMB and choose “Operations Master”

Write down or remember which DC holds it.

Schema Master owner

Close the MMC without saving changes.

Now we need to identify the Infrastructure Master within your network. To do that, open the Active Directory Users and Computers console, select your domain and click it with the RMB. From the pop-up menu, choose “Operations Masters”. Select the “Infrastructure” tab

Infrastructure Master owner

In my case, both Operations Masters are located on the same DC.

To verify the necessary Operations Masters much faster, we can use the netdom command installed from the Support Tools. Open a command line and go to the default installation directory:

C:\Program Files\Support Tools

then type: netdom query fsmo

and identify the DC(s) from the output

netdom output

We have collected almost all the necessary information to start AD preparation for the first Windows Server 2008 R2 Domain Controller. The last and most important part before we start preparation is checking the Forest/Domain condition by running:

  • Dcdiag (from Support Tools)
  • Repadmin (also from Support Tools)

Run in the command-line on a DC where you have installed Support Tools

dcdiag /v

and check that there are no errors. If there are, please correct them.

An example part of the output from the dcdiag tool

dcdiag

Now run in the command-line:

repadmin /showrepl /all /verbose

to check that your DCs are replicating data without errors.

repadmin

After those checks, you can start with Active Directory preparation.

Active Directory preparation

Before we start preparing AD for the new Windows Server 2008 R2 DC, we need to be sure that we are members of:

  • Enterprise Admins group or
  • Schema Admins group

and that we have the Windows Server 2008 R2 DVD

Let’s start preparing Active Directory for the first Windows Server 2008 R2 Domain Controller.

Log on to the Schema Master owner (we identified it in the previous steps) as a user from one of the groups mentioned above and put the installation media into the DVD-ROM. Run the command-line and go to

<DVD-Drive-Letter>:\support\adprep

example:

d:\support\adprep

You will find two AD preparation tools there:

  • adprep (64-bit application for 64-bit platforms)
  • adprep32 (32-bit application for 32-bit platforms)

We need to use adprep32 on the Schema Master (because it is a 32-bit OS). In case you have 64-bit Windows Server 2003, use adprep instead. So, type in the command-line

adprep32 /forestprep

Forest preparation

As you can see, adprep informs you that all of your Windows 2000 Domain Controllers require at least SP4 before the schema can be extended.

Warning

If you followed the previous steps of this article, all of your DCs have SP4 installed or you have no 2000 DCs at all. You can continue by pressing the C key and waiting until the AD preparation tool finishes its actions.

adprep32 /forestprep

The schema in your forest is extended.

You may also wish to run adprep32 /rodcprep if your Forest Functional Level is Windows Server 2003. If not, you can do that at any time in the future.

Preparing environment for RODC

If everything goes fine, you will see no errors.

/rodcprep output

The last step before we can introduce 2008 R2 as a DC is to prepare the domain for it.

Log on to the Infrastructure Master owner as Domain Administrator and put the DVD installation media into the DVD-ROM. Open the command-line and, as previously, go to the support\adprep directory.

Then type adprep32 /domainprep /gpprep

Preparing domain

and wait until adprep finishes its actions

Congratulations! Your domain is now ready for the first Windows 2008 R2 Domain Controller.

You can check that by using the ADSIEdit console or the free ADFind command-line tool, which can be downloaded from the Internet.

Open the run box and type adsiedit.msc to open the ADSI Editor

Running ADSIEdit

Expand the “Schema” node and select the “Schema” container. Click RMB on it and choose “Properties”. You will see the schema “Attribute Editor” tab. Check “Show only attributes that have values” and search for the “objectVersion” attribute.

Verifying schema version

Value 47 tells you that your schema version is Windows Server 2008 R2

Using the adfind tool, run this syntax in the command-line

adfind -sc schver

Verifying schema version

Adding first Windows 2008 R2 Domain Controller

Install your new box with Windows Server 2008 R2 and configure its IP address according to your network settings.

Remember that it’s very important to configure the Network Card settings properly to be able to promote your new box as a domain controller!

The most important part of configuring the NIC is setting up the DNS server(s). Point your new box to one of the existing Domain Controllers where you have DNS installed and configured.

Network card configuration

Log on as local administrator and in the command-line type: dcpromo

Running dcpromo

Domain Controller promotion will start automatically. If you haven’t installed the Active Directory: Directory Services role before, the wizard will do it at this moment.

Active Directory: Directory Services role

When the role is installed, you will see the DC promotion wizard. I would suggest using advanced mode during the promotion process. So, please check “Use advanced mode installation” and let’s start.

Domain Controller promotion wizard

We are adding a new DC within the existing forest to the existing domain, so choose the appropriate option and click “Next”

Adding new DC into existing domain

Type the DNS domain name to which you want to add the new domain controller and specify Domain Administrator credentials for the process

Adding new DC into existing domain

Choose the domain from the list

Adding new DC into existing domain

If you didn’t previously use the /rodcprep switch with adprep, you will be notified that you won’t be able to add Read-Only Domain Controllers. To install an RODC in the network it’s required to have at least Windows 2003 Forest Functional Level, and you can enable this option later (before the first RODC installation). Skip this warning and press “Yes” to continue.

RODC warning

Select the appropriate site for this Domain Controller and continue.

Install on your new DC:

  • DNS
  • Global Catalog

They’re suggested by default. Continue and start the AD data replication process from an existing DC in the network.

Adding new DC into existing domain

Now, you can select from which Domain Controller the data should be replicated or leave the choice to the wizard (use the second option)

Adding new DC into existing domain

Leave the default folders for Directory Services data (or change the paths if you need to)

Adding new DC into existing domain

Set up the Directory Services Restore Mode password in case you need to use this mode. The password should be different from the domain administrator’s account password and should also be changed periodically.

DSRM password set up

Now you will see the summary screen; click “Next” and the Domain Controller promotion wizard will start preparing the new DC for you.

Summary screen

To have a fully operational DC, you need to reboot it after promotion. So, let’s check the “Reboot on completion” checkbox and wait until it is up and ready.

Installing Directory Services

Your new Windows Server 2008 R2 Domain Controller is now available in your network!

New DC available

Give the DC some time to replicate Directory Services data and you can enjoy your new DC.

Post-Installation steps

Now, you need to make some small changes in your environment configuration.

In the NIC properties of each server/workstation, configure the alternate DNS server IP address to point to the new Domain Controller.

Open the DHCP management console and under server/scope options (it depends on your DHCP configuration) modify option no. 006

Add the IP address of your new Domain Controller there as a DNS server.

DHCP reconfiguration

It’s done

Author: Krzysztof Pytko

Adding first Windows Server 2008 R2 Domain Controller within Windows 2000 network

Prerequisites

To be able to configure a Windows Server 2008 R2 Domain Controller within a Windows 2000 network, we need to check that Service Pack 4 is installed on each Domain Controller based on 2000 Server. Additionally, we have to check that the Domain Functional Level is set to at least Windows 2000 native mode.

To verify that the Domain Controllers have the latest Service Pack installed, log on to each of them and in the run box type: winver

Running winver

check that you have SP4 installed

winver

Alternatively, you can click the right mouse button (RMB) on “My computer” and choose “Properties”.

My computer - properties

When you don’t want to log on to each DC, you can download PsInfo from the SysInternals Suite and use this syntax for each DC

C:\SysInternals\Psinfo.exe "Service Pack" \\DC_Name

For example:

C:\SysInternals\Psinfo.exe "Service Pack" \\DC01

PsInfo output

If any of your Domain Controllers does not have SP4 installed, you need to update it.

Now, we can check whether the Domain Functional Level for the domain where we want to install the first 2008 R2 DC is set to at least Windows 2000 native mode. To verify that, we need to use the “Active Directory Users and Computers” or “Active Directory Domains and Trusts” console.

Using the “Active Directory Users and Computers” console, select your domain and click RMB on it. Choose “Properties” and verify it.

If you see a screen like this (mixed mode), it means that you need to raise your Domain Functional Level.

Domain Functional Level

But remember, raising the Domain Functional Level is a one-time action and cannot be reverted. Before you raise it to 2000 native mode, please ensure that all of your Domain Controllers are running at least Windows 2000 Server.

Windows 2000 native mode does not support DCs based on earlier Microsoft Windows systems like NT4.

Now, when you have checked that you do not have any pre-2000 OS, click the “Change Mode” button

Changing Domain Functional Level

and accept the change. You will be warned that reverting the change won’t be possible!

Warning message

After a successful change, you should see the changed domain operation mode.

Changed Domain Functional Level

Another way to do that is using the Active Directory Domains and Trusts console. Run this console, select the domain for which you want to check the Domain Functional Level and choose “Properties”

Follow the same steps as in previous console.

Now, it’s time to determine which Domain Controller(s) hold(s) the Operations Master (FSMO) roles. The most important ones for preparing the environment for a 2008 R2 DC are

  • Schema Master
  • Infrastructure Master

On that/those DC(s) we have to run the Active Directory preparation tool.

To determine which DC(s) hold(s) these roles, we need to use:

  • the Active Directory Users and Computers and Active Directory Schema consoles

or

  • the netdom command from Support Tools (Support Tools have to be installed from the Support folder of the Windows 2000 Server CD)

To determine which DC holds the Schema Master, run the following in the command-line on one of the DCs or on a workstation with Administrative Tools installed

regsvr32 schmmgmt.dll

to register the Schema snap-in in the OS.

ActiveDirectory Schema snap-in registration

Now, open an MMC console from the run box

Running MMC

Within that console add the Active Directory Schema snap-in

Adding snap-in into MMC

Click RMB on the “Active Directory Schema” node and choose “Operations Master”

Write down or remember which DC holds it. Additionally, check its status.

Schema Master owner

Close MMC without saving changes.

Now we need to identify the Infrastructure Master in your network. To do that, open the Active Directory Users and Computers console, select your domain and click RMB on it. From the pop-up menu, choose “Operations Masters”. Select the “Infrastructure” tab

Infrastructure Master owner

In my case, both Operation Masters are located on the same DC.

To verify the necessary Operations Masters much faster, we can use the netdom command installed with Support Tools. Open the command-line and go to the default installation directory: C:\Program Files\Support Tools

then type: netdom query fsmo

and identify the DC(s) from the output

netdom Operation Masters check

We have collected almost all the necessary information to start AD preparation for the first Windows Server 2008 R2 Domain Controller. The last and most important part before we start preparation is checking the Forest/Domain condition by running:

  • Dcdiag (from Support Tools)
  • Repadmin (also from Support Tools)

Run in the command-line on a DC where you have installed Support Tools

dcdiag /v

and check that there are no errors. If there are, please correct them.

An example part of the output from the dcdiag tool

Part of dcdiag output

Now run in the command-line:

repadmin /showreps /verbose

to check that your DCs are replicating data without errors.

repadmin output

After those checks, you can start with Active Directory preparation.

Active Directory preparation

Before we start preparing AD for the new Windows Server 2008 R2 DC, we need to be sure that we are members of:

  • Enterprise Admins group

or

  • Schema Admins group

and that we have the Windows Server 2008 R2 DVD installation media

Important! Remember that Windows 2000 Server is a 32-bit-only platform and Windows Server 2008 R2 is a 64-bit-only platform, so you need to use the 32-bit version of adprep during the preparation process to successfully extend the schema.

Let’s start preparing Active Directory for the first Windows Server 2008 R2 Domain Controller.

Log on to the Schema Master owner (we identified it in the previous steps) as a user from one of the groups mentioned above and put the installation media into the DVD-ROM. Run the command-line and go to

<DVD-Drive-Letter>:\support\adprep

example:

d:\support\adprep

You will find two AD preparation tools there:

  • adprep (64-bit application for 64-bit platforms)
  • adprep32 (32-bit application for 32-bit platforms)

We need to use adprep32 on the Schema Master. So, type in the command-line

adprep32 /forestprep

Extending schema

As you can see, adprep informs you that all of your Windows 2000 Domain Controllers require at least SP4 before the schema can be extended.

Warning before schema update

If you followed the previous steps of this article, all of your DCs have SP4 installed. You can continue by pressing the C key and waiting until the AD preparation tool finishes its actions.

Schema extended

The schema in your forest is extended.

The last step before we can introduce 2008 R2 as a DC is to prepare the domain for it.

Log on to the Infrastructure Master owner as Domain Administrator and put the DVD installation media into the DVD-ROM. Open the command-line and, as previously, go to the support\adprep directory.

Then type adprep32 /domainprep /gpprep

Running adprep on Infrastructure Master

and wait until adprep finishes its actions

Domain prepared for Windows Server 2008 R2 DC

Congratulations! Your domain is now ready for the first Windows 2008 R2 Domain Controller.

You can check that by using the ADSIEdit console or the free ADFind command-line tool, which can be downloaded from the Internet.

Open the run box and type adsiedit.msc to open the ADSI Editor.

ADSIEdit

Expand the “Schema” node and select the “Schema” container. Click RMB on it and choose “Properties”. You will see the schema “Attributes” tab. Expand “Select a property to view” and find “objectVersion”

Schema version

Value 47 tells you that your schema version is Windows Server 2008 R2

Using the adfind tool, run this syntax in the command-line

adfind -sc schver

Schema version
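The checks in this article (the PsInfo service pack check, netdom query fsmo, choosing which DC runs adprep32 /forestprep and which runs adprep32 /domainprep /gpprep, and reading objectVersion 47 afterwards; the same steps appear in the Windows 2003 article earlier on this page) can be tied together in one small script. The following is an added example, not the author's tooling: it parses the text those tools print and applies the article's rules. Every sample output in it is constructed for the example, the layout of the real tools' output is assumed to match it, and the function names are this example's own.

```python
"""Pre-flight and post-check helper for the adprep procedure (added example).

Rules applied, as stated in the article: every Windows 2000 DC needs SP4
before the schema is extended, adprep32 /forestprep runs on the Schema
Master, adprep32 /domainprep /gpprep runs on the Infrastructure Master,
and objectVersion 47 means the schema is at Windows Server 2008 R2 level.
"""
import re

# Well-known objectVersion values of the AD schema container
SCHEMA_VERSIONS = {
    13: "Windows 2000",
    30: "Windows Server 2003",
    31: "Windows Server 2003 R2",
    44: "Windows Server 2008",
    47: "Windows Server 2008 R2",
}

# Constructed sample: what "Psinfo.exe \\DCxx" prints on a Windows 2000 DC
SAMPLE_PSINFO = {
    "DC01": "System information for \\\\DC01:\nProduct version:  5.0\nService pack:  4\n",
    "DC02": "System information for \\\\DC02:\nProduct version:  5.0\nService pack:  3\n",
}

# Constructed sample: output of "netdom query fsmo"
SAMPLE_NETDOM = """\
Schema master               DC01.testenv.local
Domain naming master        DC01.testenv.local
PDC                         DC01.testenv.local
RID pool manager            DC01.testenv.local
Infrastructure master       DC01.testenv.local
The command completed successfully.
"""

# Constructed sample: output of "adfind -sc schver" after /forestprep
SAMPLE_ADFIND = """\
dn:CN=Schema,CN=Configuration,DC=testenv,DC=local
>objectVersion: 47

1 Objects returned
"""

FSMO_ROLES = ("Schema master", "Domain naming master", "PDC",
              "RID pool manager", "Infrastructure master")


def service_pack_level(psinfo_output):
    """Service pack number from PsInfo's 'Service pack:' line (0 if absent)."""
    m = re.search(r"^Service pack:\s*(\d+)", psinfo_output, re.MULTILINE)
    return int(m.group(1)) if m else 0


def sp4_blockers(psinfo_by_dc):
    """Names of DCs whose PsInfo output shows a service pack below 4."""
    return sorted(dc for dc, out in psinfo_by_dc.items()
                  if service_pack_level(out) < 4)


def fsmo_holders(netdom_output):
    """Map each role name printed by 'netdom query fsmo' to its holder."""
    holders = {}
    for line in netdom_output.splitlines():
        for role in FSMO_ROLES:
            if line.startswith(role):
                holders[role] = line[len(role):].strip()
    return holders


def adprep_plan(netdom_output, psinfo_by_dc):
    """Return [(host, command), ...] to run, or raise if a DC lacks SP4."""
    behind = sp4_blockers(psinfo_by_dc)
    if behind:
        raise RuntimeError("install SP4 first on: " + ", ".join(behind))
    holders = fsmo_holders(netdom_output)
    return [
        (holders["Schema master"], "adprep32 /forestprep"),
        (holders["Infrastructure master"], "adprep32 /domainprep /gpprep"),
    ]


def schema_level(attr_output):
    """(objectVersion, OS level) from adfind or ADSIEdit text; None if absent."""
    m = re.search(r"^>?objectVersion:\s*(\d+)", attr_output, re.MULTILINE)
    if not m:
        return None
    version = int(m.group(1))
    return version, SCHEMA_VERSIONS.get(version, "unknown")


if __name__ == "__main__":
    # DC02 is still on SP3 in the sample, so only DC01 is passed here
    for host, cmd in adprep_plan(SAMPLE_NETDOM, {"DC01": SAMPLE_PSINFO["DC01"]}):
        print(f"on {host}: {cmd}")
    print("schema:", schema_level(SAMPLE_ADFIND))
```

To use it on a real forest, redirect the output of Psinfo.exe for each DC and of netdom query fsmo into files and feed their contents to the functions; the plan then names exactly the two hosts the adprep steps above must be run on.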

Adding first Windows 2008 R2 Domain Controller

Install your new box with Windows Server 2008 R2 and configure its IP address according to your network settings.

Remember that it’s very important to configure the Network Card settings properly to be able to promote your new box as a domain controller!

The most important part of configuring the NIC is setting up the DNS server(s). Point your new box to one of the existing Domain Controllers where you have DNS installed and configured.

Network card configuration

Log on as local administrator and in the command-line type: dcpromo

Running DC promotion tool

Domain Controller promotion will start automatically. If you haven’t installed the Active Directory: Directory Services role before, the wizard will do it at this moment.

Active Directory: Directory Services role installation

When the role is installed, you will see the DC promotion wizard. I would suggest using advanced mode during the promotion process. So, please check “Use advanced mode installation” and let’s start.

dcpromo wizard

We are adding a new DC within the existing forest to the existing domain, so choose the appropriate option and click “Next”

Adding DC

Type the DNS domain name to which you want to add the new domain controller and specify Domain Administrator credentials for the process

Adding DC

Choose the domain from the list

Domain for new DC

You will be informed that you won’t be able to install a Read-Only Domain Controller (RODC) in your network because you didn’t use the /rodcprep switch during Active Directory preparation. It’s not relevant here because our network contains 2000 Domain Controllers, which means the highest possible Forest Functional Level is Windows 2000. To install an RODC in the network it’s required to have at least Windows 2003 Forest Functional Level. Skip this warning and press “Yes” to continue.

Warning about Read-Only Domain Controller

Select the appropriate site for this Domain Controller and continue.

Install on your new DC:

  • DNS
  • Global Catalog

They’re suggested by default. Continue and start the AD data replication process from an existing DC in the network.

AD data replication

Now, you can select from which Domain Controller the data should be replicated or leave the choice to the wizard (use the second option)

DC for AD data replication

Leave the default folders for Directory Services data (or change the paths if you need to)

Folders location

Set up the Directory Services Restore Mode password. The password should be different from the domain administrator’s account password and should also be changed periodically.

DSRM mode password

Now you will see the summary screen; click “Next” and the Domain Controller promotion wizard will start preparing the new DC for you.

Summary screen

To have a fully operational DC, you need to reboot it after promotion. So, let’s check the “Reboot on completion” checkbox and wait until it is up and ready.

DC configuration

Your new Windows Server 2008 R2 Domain Controller is now available in your network!

New DC

Give the DC some time to replicate Directory Services data and you can enjoy your new DC.

Post-Installation steps

Now, you need to make some small changes in your environment configuration.

In the NIC properties of each server/workstation, configure the alternate DNS server IP address to point to the new Domain Controller.

Open the DHCP management console and under server/scope options (it depends on your DHCP configuration) modify DHCP option no. 006

Add the IP address of your new Domain Controller there as a DNS server.

DHCP configuration

It’s done

Author: Krzysztof Pytko


Configuring DHCP server from command-line on Windows Server 2003

Many of us need to configure DHCP server(s) in our environment. We can do that simply via the DHCP console on the server, or using the MMC snap-in on any computer in the network with Administrative Tools installed. But what if we have to configure many DHCP servers in a short time, or our DHCP server is in a location where the network connection is very slow? Do we have to configure it manually? Do we have to be patient and waste our valuable time? The answer is: NO, we can use a command-line tool which is available on every Windows 2003/2008 server. It’s a very powerful utility and it’s simple to use.

This article describes how to do that on Microsoft Windows Server 2003.

If our server has the DHCP service installed, we can configure it remotely from the command-line using the netsh command. We have to log on to any Windows 2003 server and run the command-line console. In this console we have to type netsh

netsh command-line

Next, we use the dhcp context of netsh to configure our DHCP server(s).

Before we start configuring server, we need some details:

  • Hostname or IP address of DHCP server(s)
  • Scope IP address (Network ID) and network mask
  • Scope name
  • Description for scope
  • IP pool for scope
  • Any IP reservation
  • Any IP exclusion
  • Default gateway IP address
  • IP address of DNS servers
  • Domain suffix name
  • IP address of WINS servers (if required)

In our example we use:

  • 192.168.1.1 as DHCP server IP address
  • 192.168.1.0/24 as network ID
  • TestScope as scope name
  • “This is my test scope” as description
  • 192.168.1.100 – 192.168.1.149 as scope’s pool
  • 192.168.1.125 reserved IP address for device with 00-03-EF-15-9A-6B MAC address
  • 192.168.1.130 – 192.168.1.134 as excluded IP addresses
  • 192.168.1.254 as default gateway
  • 192.168.1.10 and 192.168.1.11 as DNS servers
  • testenv.local as DNS domain name
  • 192.168.1.10 and 192.168.1.12 as WINS servers

Once we have collected all of these settings, we can start to configure the DHCP server(s).

The very first thing is to create a scope on the DHCP server. To do this we have to type the command

netsh> dhcp server <DHCP_IP_Address_or_hostname> add scope <Scope_Network_ID> <Mask> <Scope_name> "<Scope_description>"

netsh> dhcp server 192.168.1.1 add scope 192.168.1.0 255.255.255.0 TestScope "This is my test scope"

netsh output

Each time we see this message, it means that the command was applied properly.

We have created a scope on our DHCP server. Now, we need to activate it

netsh> dhcp server <DHCP_IP_Address_or_hostname> scope <Scope_Network_ID> set state 1

If we don’t want to set it as active during the creation process, the set state value should be 0.

netsh> dhcp server 192.168.1.1 scope 192.168.1.0 set state 0

We don’t want to activate the scope right now. We will do it later.

After that, we have to define the IP address pool

netsh> dhcp server <DHCP_IP_Address_or_hostname> scope <Scope_Network_ID> add iprange <Start_IP_Address> <End_IP_Address>

netsh> dhcp server 192.168.1.1 scope 192.168.1.0 add iprange 192.168.1.100 192.168.1.149

We have defined the scope’s pool; now we will exclude some IP addresses.

netsh> dhcp server <DHCP_IP_Address_or_hostname> scope <Scope_Network_ID> add excluderange <Start_excluded_IP_Address> <End_excluded_IP_Address>

netsh> dhcp server 192.168.1.1 scope 192.168.1.0 add excluderange 192.168.1.130 192.168.1.134

If we want to exclude only one IP address, we use this syntax (let’s say only 192.168.1.130)

netsh> dhcp server 192.168.1.1 scope 192.168.1.0 add excluderange 192.168.1.130 192.168.1.130

Now, we will add an IP address reservation for a device

netsh> dhcp server <DHCP_IP_Address_or_hostname> scope <Scope_Network_ID> add reservedip <Reserved_IP_Address> <MAC_Address> <Reservation_Name> "<Description_for_reservation>" <DHCP_Flags>

netsh> dhcp server 192.168.1.1 scope 192.168.1.0 add reservedip 192.168.1.125 0003EF159A6B My_PC "" BOTH

DHCP_Flags is one of: BOOTP (BOOTP clients only), DHCP (DHCP clients only) or BOTH

The last settings we need to provide are the DNS servers and the domain suffix. This time we have to consider where to place them: in the scope options or in the server options. What is the difference?

If our DHCP server contains only one scope, we don’t have to worry where we place these settings, because they will only affect one scope.

Settings applied in “Scope options” affect only that particular scope. Settings configured in “Server options” will be inherited by all scopes, even new ones. When we set “Server options” and then additionally configure “Scope options”, the scope options overwrite those global settings.

This is very helpful if we have more than one scope on the DHCP server (most VLAN scenarios) and common settings for them. Let’s say that we need to configure the same DNS servers and domain suffix for all scopes; then we do it in “Server options”. The only thing we set in “Scope options” is the default gateway.

In our scenario we don’t have more than one scope, so we will configure “Scope options”, providing the default gateway, DNS servers and WINS servers.

netsh> dhcp server <DHCP_IP_Address_or_hostname> scope <Scope_Network_ID> set optionvalue <option_value> IPADDRESS <Default_Gateway_IP_Address or DNS_Server_IP_Addresses or WINS_Server_IP_Addresses>

for WINS we also need to set the node type

netsh> dhcp server <DHCP_IP_Address_or_hostname> scope <Scope_Network_ID> set optionvalue <option_value> BYTE <one of these node types: 1,2,4,8>

WINS node types:

  • 1: b-node (broadcasts)
  • 2: p-node (point-to-point name queries to WINS)
  • 4: m-node (broadcasts, then query name server)
  • 8: h-node (query name server, then broadcasts)

netsh> dhcp server 192.168.1.1 scope 192.168.1.0 set optionvalue 003 IPADDRESS 192.168.1.254

netsh> dhcp server 192.168.1.1 scope 192.168.1.0 set optionvalue 006 IPADDRESS 192.168.1.10 192.168.1.11

netsh> dhcp server 192.168.1.1 scope 192.168.1.0 set optionvalue 044 IPADDRESS 192.168.1.10 192.168.1.12

netsh> dhcp server 192.168.1.1 scope 192.168.1.0 set optionvalue 046 BYTE 8

Now, we set the domain suffix

netsh> dhcp server <DHCP_IP_Address_or_hostname> scope <Scope_Network_ID> set optionvalue <option_value> STRING <Domain_suffix>

netsh> dhcp server 192.168.1.1 scope 192.168.1.0 set optionvalue 015 STRING testenv.local

We’ve just finished the DHCP configuration. Now, we have to enable the scope for serving IP addresses and authorize our DHCP server

netsh> dhcp server 192.168.1.1 scope 192.168.1.0 set state 1 (now the scope is active)

netsh> dhcp server initiate auth (now the DHCP server is authorized)

We have finished our DHCP server configuration. If we need any other “Scope/Server options”, we can set them the same way we did for DNS, WINS and the others.

OK, but you wrote that it would be an automated and simple configuration, and we have lost so much time configuring the DHCP server from the command-line? We could have done it via the console! Yes, you’re right; to automate it we have to prepare a template.

Preparing a template for automated DHCP configuration is very simple. We have to put all those commands into a text file without the netsh command, so let’s create e.g. a text file named dhcp_conf.txt and put there

dhcp server 192.168.1.1 add scope 192.168.1.0 255.255.255.0 TestScope "This is my test scope"

dhcp server 192.168.1.1 scope 192.168.1.0 set state 0

dhcp server 192.168.1.1 scope 192.168.1.0 add iprange 192.168.1.100 192.168.1.149

dhcp server 192.168.1.1 scope 192.168.1.0 add excluderange 192.168.1.130 192.168.1.134

dhcp server 192.168.1.1 scope 192.168.1.0 add reservedip 192.168.1.125 0003EF159A6B My_PC "" BOTH

dhcp server 192.168.1.1 scope 192.168.1.0 set optionvalue 003 IPADDRESS 192.168.1.254

dhcp server 192.168.1.1 scope 192.168.1.0 set optionvalue 006 IPADDRESS 192.168.1.10 192.168.1.11

dhcp server 192.168.1.1 scope 192.168.1.0 set optionvalue 044 IPADDRESS 192.168.1.10 192.168.1.12

dhcp server 192.168.1.1 scope 192.168.1.0 set optionvalue 046 BYTE 8

dhcp server 192.168.1.1 scope 192.168.1.0 set optionvalue 015 STRING testenv.local

dhcp server 192.168.1.1 scope 192.168.1.0 set state 1

dhcp server initiate auth

and save this file on a network drive which is available from any Windows Server 2003/2008 machine. Now, we can modify the necessary parts of this template to adjust it for any other DHCP server configuration.

The only thing that we have to do is run the netsh command on a Windows 2003/2008 Server with EXEC <full_path_to_dhcp_conf.txt_file>

for example:

netsh exec c:\dhcp_conf.txt
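The template above can also be generated from a parameter list, which helps when many servers need the same layout (and when the post-installation step from the articles above, adding the new DC to DNS option 006, has to be rolled out to every scope). The script below is an added example, not the author's: it emits exactly the dhcp_conf.txt lines above from the article's example values, and refuses to write a file whose pool, exclusions, reservation or gateway fall outside the scope network, whose reservation lies outside the pool, or whose option 046 value is not a valid WINS node type. The function names are this example's own.

```python
"""netsh dhcp template generator with sanity checks (added example)."""
import ipaddress

WINS_NODE_TYPES = {1: "b-node", 2: "p-node", 4: "m-node", 8: "h-node"}


def _in_network(ip, net):
    """Return ip unchanged, or raise if it is outside the scope network."""
    if ipaddress.ip_address(ip) not in net:
        raise ValueError(f"{ip} is not inside scope {net}")
    return ip


def build_dhcp_script(server, network, scope_name, description, pool,
                      exclusions=(), reservations=(), gateway=None,
                      dns=(), wins=(), node_type=None, domain=None):
    """Return the netsh lines (without the leading 'netsh') for one scope."""
    net = ipaddress.ip_network(network)          # e.g. 192.168.1.0/24
    scope = str(net.network_address)
    lo, hi = (ipaddress.ip_address(_in_network(ip, net)) for ip in pool)
    if lo > hi:
        raise ValueError("pool start must not be after pool end")
    prefix = f"dhcp server {server} scope {scope}"
    lines = [f'dhcp server {server} add scope {scope} {net.netmask} '
             f'{scope_name} "{description}"',
             f"{prefix} set state 0",             # create inactive, enable last
             f"{prefix} add iprange {lo} {hi}"]
    for start, end in exclusions:
        s, e = (ipaddress.ip_address(_in_network(ip, net)) for ip in (start, end))
        if s > e:
            raise ValueError(f"exclusion {start}-{end} is reversed")
        lines.append(f"{prefix} add excluderange {s} {e}")
    for ip, mac, name in reservations:
        addr = ipaddress.ip_address(_in_network(ip, net))
        if not lo <= addr <= hi:
            raise ValueError(f"reservation {ip} is outside the pool {lo}-{hi}")
        raw_mac = mac.replace("-", "").replace(":", "").upper()
        if len(raw_mac) != 12 or any(c not in "0123456789ABCDEF" for c in raw_mac):
            raise ValueError(f"bad MAC address {mac}")
        lines.append(f'{prefix} add reservedip {ip} {raw_mac} {name} "" BOTH')
    if gateway:
        lines.append(f"{prefix} set optionvalue 003 IPADDRESS {_in_network(gateway, net)}")
    if dns:
        lines.append(f"{prefix} set optionvalue 006 IPADDRESS {' '.join(dns)}")
    if wins:
        lines.append(f"{prefix} set optionvalue 044 IPADDRESS {' '.join(wins)}")
        if node_type not in WINS_NODE_TYPES:
            raise ValueError(f"option 046 must be one of {sorted(WINS_NODE_TYPES)}")
        lines.append(f"{prefix} set optionvalue 046 BYTE {node_type}")
    if domain:
        lines.append(f"{prefix} set optionvalue 015 STRING {domain}")
    lines.append(f"{prefix} set state 1")
    lines.append("dhcp server initiate auth")
    return lines


def check_parameters(**params):
    """None if the parameters build cleanly, otherwise the validation error."""
    try:
        build_dhcp_script(**params)
        return None
    except ValueError as exc:
        return str(exc)


# The article's example settings
EXAMPLE = dict(
    server="192.168.1.1", network="192.168.1.0/24",
    scope_name="TestScope", description="This is my test scope",
    pool=("192.168.1.100", "192.168.1.149"),
    exclusions=[("192.168.1.130", "192.168.1.134")],
    reservations=[("192.168.1.125", "00-03-EF-15-9A-6B", "My_PC")],
    gateway="192.168.1.254",
    dns=("192.168.1.10", "192.168.1.11"),
    wins=("192.168.1.10", "192.168.1.12"), node_type=8,
    domain="testenv.local",
)

if __name__ == "__main__":
    # Writes the template; afterwards run: netsh exec dhcp_conf.txt
    with open("dhcp_conf.txt", "w", newline="") as f:
        f.write("\r\n".join(build_dhcp_script(**EXAMPLE)) + "\r\n")
```

Run it once per server with the server's own values; each run produces a complete template, and a typo such as a reservation outside the pool is caught before netsh exec touches the DHCP server.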

netsh script execution

It’s done!

Author: Krzysztof Pytko