Archive | September 2012

Windows Management Framework 3.0 for Windows Server 2008/2008R2

 

Microsoft has released Windows Management Framework 3.0 for Windows Server 2008/2008R2. You can download it from http://www.microsoft.com/en-us/download/details.aspx?id=34595

This brings the 3.0 versions of Windows Remote Management (WinRM), WMI and PowerShell to Windows Server 2008/2008R2.

Before you can install that package, you need to install Microsoft .NET Framework 4. It is available at http://www.microsoft.com/en-us/download/details.aspx?id=17718

Windows Management Framework 3.0 lets you use PowerShell 3.0 and manage the server over WinRM from the new Server Manager in Windows Server 2012 (which requires WinRM 3.0).

After you have downloaded the required packages and installed them on a server, you need to enable remote management. To do that, run the following in a command prompt:

winrm qc

or

winrm quickconfig

Windows Remote Management configuration

and confirm that you want to enable remote management.

Windows Remote Management configuration

After that, make sure that all required ports are open in Windows Firewall (or disable the relevant firewall profile) before you try to manage that server from Server Manager in Windows Server 2012 or RSAT in Windows 8.

Now you are able to add those Windows Server 2008/2008R2 machines to Server Manager and manage them. However, there is one limitation for this kind of management: you cannot install roles/features remotely on Windows Server 2008/2008R2 machines.
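The prerequisite checks behind the steps above (WMF 3.0 present, WinRM listener answering, firewall rule in place), as an added PowerShell example that is not code from the original post. It runs on the Windows Server 2012 management box under PowerShell 3.0; the function name, the server name `srv2008r2` and the firewall rule name are assumptions:

```powershell
# Added example: verify that a Windows Server 2008/2008R2 box is ready to be managed
# from the Windows Server 2012 Server Manager (WMF 3.0, WinRM listener, firewall rule).
# Run on the management box (PowerShell 3.0). Function and server names are assumed.
function Test-ServerManagerReadiness {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )
    $report = [ordered]@{ ComputerName = $ComputerName }

    # 1. Unauthenticated WS-Management "Identify" call: is the listener reachable at all,
    #    and which WinRM stack answers? A box with WMF 3.0 reports "Stack: 3.0".
    try {
        $id = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop
        $report.WinRMReachable = $true
        $report.WinRMStack     = $id.ProductVersion      # e.g. "OS: 0.0.0 SP: 0.0 Stack: 3.0"
        $report.WinRM30        = [bool]($id.ProductVersion -match 'Stack:\s*3\.0')
    } catch {
        # Typical causes: 'winrm quickconfig' never run, or the listener port blocked by the firewall.
        $report.WinRMReachable = $false
        $report.WinRM30        = $false
        $report.Error          = $_.Exception.Message
        return [pscustomobject]$report
    }

    # 2. Checks inside the remote box. Written in PowerShell 2.0 syntax on purpose,
    #    because a box that still lacks WMF 3.0 runs PowerShell 2.0.
    $invoke = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $invoke.Credential = $Credential }
    $remote = Invoke-Command @invoke -ScriptBlock {
        $net4 = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                    -ErrorAction SilentlyContinue
        # Listeners created by 'winrm quickconfig' (transport and port of each)
        $listeners = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
            $props = Get-ChildItem $_.PSPath |
                     Where-Object { $_.Name -eq 'Transport' -or $_.Name -eq 'Port' }
            ($props | ForEach-Object { $_.Name + '=' + $_.Value }) -join ' '
        }
        # Firewall rule state; netsh is used because Get-NetFirewallRule does not exist on 2008 R2.
        # The rule name is assumed to be the one 'winrm quickconfig' enables on Windows Server 2008 R2.
        $fw = netsh advfirewall firewall show rule name="Windows Remote Management (HTTP-In)" |
              Select-String '^Enabled:' | ForEach-Object { $_.Line.Trim() }
        New-Object PSObject -Property @{
            PSVersion    = $PSVersionTable.PSVersion.ToString()
            DotNet4      = [bool]($net4 -and $net4.Install -eq 1)
            WinRMService = (Get-Service WinRM).Status.ToString()
            Listeners    = @($listeners) -join '; '
            FirewallRule = @($fw) -join '; '
        }
    }
    foreach ($p in 'PSVersion', 'DotNet4', 'WinRMService', 'Listeners', 'FirewallRule') {
        $report.$p = $remote.$p
    }

    # 3. Verdict. On the firewall side, prefer opening only the WinRM listener port
    #    (TCP 5985 for the HTTP listener) over disabling the whole profile.
    $report.Ready = $report.WinRM30 -and $remote.DotNet4 -and
                    $remote.PSVersion -like '3.*' -and $remote.WinRMService -eq 'Running'
    [pscustomobject]$report
}

# Usage: Test-ServerManagerReadiness -ComputerName 'srv2008r2' | Format-List
```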

Open Server Manager in Windows Server 2012 or RSAT in Windows 8, select “All Servers” on the left side, click the right mouse button and choose “Add Servers”.

Adding Windows Server 2008/2008R2 into Server Manager for remote management

You will see a new window where you can select a server to add. You can add servers by one of these criteria:

  • using Active Directory computer object

You can search AD for computers by their:

  1. name
  2. OS type
  3. or just display them all and choose from the list

Adding server(s) to Server Manager

  • using existing DNS record
  1. host (A) record – machine name (forward lookup zone)
  2. pointer (PTR) record – machine IP address (reverse lookup zone)

Adding server(s) to Server Manager

  • using text file for import

Adding server(s) to Server Manager

Using one of the methods above, add the server to Server Manager (select the server from the list and click the arrow to add it).

Adding server(s) to Server Manager

and, as you can see, the server appears on the list (ready to manage).

Windows Server 2008/2008R2 in new Server Manager

From now on, you can manage the server(s). Select one on the list, click the right mouse button and you will see all available management options (except roles/features installation).

Remote server management

Author: Krzysztof Pytko

Active Directory Recycle Bin

 

This time, we will focus on the Active Directory Recycle Bin feature in a domain environment running Windows Server 2012. Microsoft introduced this feature in Windows Server 2008R2; it requires the Forest Functional Level to be set to Windows Server 2008R2.

To enable this feature in Windows Server 2008R2, you needed to run a PowerShell command as an Enterprise Administrator. To restore a deleted object you also had to use PowerShell, which was a real nightmare for beginners.

You will find the whole required procedure in the Microsoft article titled “Active Directory Recycle Bin Step-by-Step Guide”.

With Windows Server 2012, this feature is much easier to set up and manage. The new Active Directory Administrative Center (ADAC) lets you manage it from the GUI; enabling Active Directory Recycle Bin takes just a few clicks.

Let’s see how to do that in Windows Server 2012.

First of all, we need to ensure that our Forest Functional Level is at least Windows Server 2008R2. To check that, please follow my other article which addresses that requirement:

and, if you need to raise the Domain and/or Forest Functional Level:

When the above requirements are met, we need to run Active Directory Administrative Center on Windows Server 2012 or from RSAT for Windows 8.

Active Directory Administrative Center

In ADAC, select the domain name on the left side to see the tasks available for this forest/domain.

Tasks in ADAC

Now you can see, on the right side of ADAC, that you can enable AD Recycle Bin. If this option is grayed out, that means one of the following:

  • Forest Functional Level is lower than Windows Server 2008R2
  • Active Directory Recycle Bin is already enabled

If everything is OK, this option can be used. Click on it to enable the feature in your forest.

Note! Remember that the ADAC console must be running with Enterprise Administrator credentials.

Enabling Active Directory Recycle Bin

Confirm that you wish to enable this feature.

Important! Once you have enabled AD Recycle Bin, you cannot disable it!

Confirmation

Confirmation

As the message shown after enabling AD Recycle Bin says, you need to wait for replication between all Domain Controllers in the entire forest before it starts working.

After refreshing Active Directory Administrative Center, you should see a new container named “Deleted Objects”.

New container

From now on, all deleted objects go to that container. You are able to restore any of those objects until their tombstone lifetime has passed.

Deleted objects

During deleted object restoration, you may choose one of the following actions:

  • Restore
  • Restore To
  • Locate parent
  • Properties

Restore restores the deleted object into the original location where it was before it was deleted.

Restore To lets you choose a new location where you want to restore the deleted object.

Locate parent takes you to the location where the object resided before deletion.

Properties shows information about the deleted object.

Mostly, you will want to restore an object into its original location, so select the deleted object, click the right mouse button on it and choose “Restore”.

Deleted object restoration

and you can simply verify that the object was restored by going to its original location. Hey, it works! What a great feature! 🙂

Restored object
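The same enable, list and restore steps from PowerShell (the way it had to be done on Windows Server 2008R2), as an added example that is not code from the original post. It assumes the ActiveDirectory module (RSAT) and an Enterprise Administrator session; the function names and the forest name `testenv.local` are placeholders:

```powershell
# Added example: enable AD Recycle Bin and restore deleted objects with PowerShell.
# Needs the ActiveDirectory module (RSAT) and Enterprise Administrator rights.
# The forest name and the function names are assumptions.
Import-Module ActiveDirectory

function Enable-AdRecycleBin {
    param([Parameter(Mandatory = $true)][string]$ForestName)
    $forest = Get-ADForest -Identity $ForestName
    # Same precondition ADAC enforces: FFL at least Windows Server 2008 R2.
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$required) {
        throw "Forest functional level is $($forest.ForestMode); Windows2008R2Forest or higher is required."
    }
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $forest.RootDomain
    if ($feature.EnabledScopes.Count -gt 0) {
        # The second reason ADAC greys the option out.
        Write-Warning 'AD Recycle Bin is already enabled in this forest.'
        return $feature
    }
    # Irreversible, exactly as the article warns; -Confirm:$false skips the interactive prompt.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $ForestName -Server $forest.RootDomain -Confirm:$false
    Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $forest.RootDomain
}

function Get-AdDeletedObjectLifetime {
    # Days a deleted object stays restorable: msDS-DeletedObjectLifetime, falling back to
    # tombstoneLifetime, and to 60 when neither attribute is set.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
               -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime
    if     ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' }
    elseif ($ds.tombstoneLifetime)            { $ds.tombstoneLifetime }
    else                                      { 60 }
}

function Get-AdDeletedObject {
    # What the "Deleted Objects" container in ADAC shows, with each object's original location.
    Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects `
        -Properties lastKnownParent, 'msDS-LastKnownRDN', whenChanged |
        Select-Object @{n='Name';e={$_.'msDS-LastKnownRDN'}}, ObjectClass, lastKnownParent,
                      @{n='Deleted';e={$_.whenChanged}}, ObjectGUID
}

function Restore-AdDeletedObject {
    # "Restore" (original location) when -TargetPath is omitted, "Restore To" when it is given.
    param(
        [Parameter(Mandatory = $true)][guid]$ObjectGuid,
        [string]$TargetPath
    )
    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $TargetPath) {
        # The original parent must exist (or be restored first), otherwise Restore-ADObject fails.
        $parent = Get-ADObject -Identity $obj.lastKnownParent -IncludeDeletedObjects -Properties isDeleted
        if ($parent.isDeleted) { throw "Parent $($obj.lastKnownParent) is deleted too; restore it first." }
        Restore-ADObject -Identity $ObjectGuid -PassThru
    } else {
        Restore-ADObject -Identity $ObjectGuid -TargetPath $TargetPath -PassThru
    }
}

# Usage:
#   Enable-AdRecycleBin -ForestName 'testenv.local'
#   Get-AdDeletedObjectLifetime
#   Get-AdDeletedObject | Format-Table -AutoSize
#   Restore-AdDeletedObject -ObjectGuid (Get-AdDeletedObject | Where-Object Name -eq 'jdoe').ObjectGUID
```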

Author: Krzysztof Pytko

Remote Domain Controller promotion

 

In previous versions of the Windows Server operating system, if we needed to promote a server to Domain Controller, we had to log on directly to that server and run the “dcpromo” command to start the promotion process. In Windows Server 2012 we no longer have to log on to the remote server to start role/feature installation, and we can finally promote any remote server to Domain Controller. All these features are available through the new Server Manager console, which is available in the new operating system and in Windows 8 RSAT.

You can add any Windows Server 2012 machine to install roles/features on it remotely, and you can also promote a Windows Server 2012 machine to DC.

Let’s see how this process looks. Open Server Manager in Windows Server 2012.

On the left side of Server Manager, click the right mouse button on the “All Servers” node and choose “Add servers”.

Adding server(s) to Server Manager

You will see a new window where you can select a server to add. You can add servers by one of these criteria:

  • using Active Directory computer object

You can search AD for computers by their:

  1. name
  2. OS type
  3. or just display them all and choose from the list

Adding server(s) to Server Manager

  • using existing DNS record
  1. host (A) record – machine name (forward lookup zone)
  2. pointer (PTR) record – machine IP address (reverse lookup zone)

Adding server(s) to Server Manager

  • using text file for import

Adding server(s) to Server Manager

Using one of the methods above, add the server to Server Manager so that we can promote it to Domain Controller (select the server from the list and click the arrow to add it).

Adding server(s) to Server Manager

When you do that, your remote server should be available in the manager. Click the right mouse button on it and choose “Add Roles and Features” to install any of them. In this case we will install the “Active Directory: Directory Services” role.

Add Roles and Features on remote server

You will see the standard wizard for role/feature installation. Just follow it as in all other cases, but on the “Server Selection” screen choose the added server.

Selecting remote server in Server Manager

The rest of the process looks the same as for a local server. Install the role and, at the end, follow the post-installation steps to promote the server to Domain Controller.

You may wish to follow another article on my blog showing how to add an additional Windows Server 2012 Domain Controller.

On the installation screen, you will see that the role and features are being installed on the remote server, not on the local one.

Role and Features installation on remote server

When you finish all post-installation steps and promote the remote server to Domain Controller, you will see that it requires a restart.

Remote server reboot

Then open the Active Directory Users and Computers console, select the “Domain Controllers” OU and check whether you can see your new DC there.

New Domain Controller

That’s all about this new feature. Of course it is not limited to installing the AD:DS role only; you can use it for any role/feature installation.
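The same remote role installation and remote promotion from PowerShell, as an added example that is not code from the original post. It runs on the Windows Server 2012 management station with the ServerManager module, assumes WinRM is reachable on the target, and uses the placeholder names `dc02` and `testenv.local`; the function names are assumptions too:

```powershell
# Added example: install the AD DS role on a remote Windows Server 2012 box and promote it,
# all from the management station. Function names and server/domain names are assumed.
Import-Module ServerManager

function Install-RemoteAdDsRole {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )
    $common = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $common.Credential = $Credential }

    $feature = Get-WindowsFeature -Name AD-Domain-Services @common
    if ($feature.Installed) {
        Write-Verbose "AD DS is already installed on $ComputerName"
        return $feature
    }
    # Equivalent of the wizard with the remote server picked on "Server Selection";
    # -IncludeManagementTools adds what the wizard lists as required features.
    $result = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools @common
    if (-not $result.Success) { throw "Role installation on $ComputerName failed: $($result.ExitCode)" }
    $result   # .RestartNeeded tells whether a reboot is needed before promotion
}

function Invoke-RemoteDcPromotion {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$DomainName,
        [Parameter(Mandatory = $true)][PSCredential]$DomainCredential,   # account allowed to add a DC
        [Parameter(Mandatory = $true)][SecureString]$DsrmPassword,       # Directory Services Restore Mode
        [string]$SiteName = 'Default-First-Site-Name'
    )
    # Runs the same ADDSDeployment cmdlet the wizard's "View script" shows, inside a remote session.
    # The promotion authenticates to the existing DCs with the explicit credential passed in,
    # so no credential delegation (second hop) is required.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Import-Module ADDSDeployment
        Install-ADDSDomainController -DomainName $using:DomainName -Credential $using:DomainCredential `
            -SafeModeAdministratorPassword $using:DsrmPassword -SiteName $using:SiteName `
            -InstallDns:$true -NoGlobalCatalog:$false -CreateDnsDelegation:$false `
            -NoRebootOnCompletion:$false -Force:$true
    }
}

# Usage:
#   Install-RemoteAdDsRole -ComputerName 'dc02'
#   Invoke-RemoteDcPromotion -ComputerName 'dc02' -DomainName 'testenv.local' `
#       -DomainCredential (Get-Credential) -DsrmPassword (Read-Host -AsSecureString 'DSRM password')
```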

Author: Krzysztof Pytko

Active Directory and SYSVOL replication status

 

This time a short article about a new feature in the Group Policy Management console in Windows Server 2012. You can very simply and quickly see the current status of a GPO on your Domain Controllers. Using the GPMC console you can see whether group policies are replicated between all Domain Controllers in a domain.

To check that, select the requested GPO and, in the right pane, click on the “Status” tab.

As you can see, GPMC in Windows Server 2008/2008R2 does not have that tab to see it directly.

GPMC in Windows Server 2008/2008R2

When you do the same in the GPMC console in Windows Server 2012 or using RSAT for Windows 8, you will see the new tab.

GPMC in Windows Server 2012

This new tab lets you see the current status of every GPO in a quick way. You can see whether any Domain Controller is still replicating the GPO, and you will also see error(s) for a GPO when it is not replicated.

To see how it works, create an example GPO, select it in GPMC, click on the “Status” tab and check what is displayed in the default view.

Default view for GPO under status tab

You can see there that no information has been gathered for the specified Domain Controller. If you wish to check the GPO status on a particular DC, click “Change” and select it from the list.

Changing Domain Controller

Changing Domain Controller

Now click the “Detect” button to gather information about the current policy,

Gathering GPO information

and you can see whether any DC is still replicating the policy or whether there is any issue. When everything is OK, you should see all information in the green area.

Correct GPO status

In this case everything is OK, and the GPO is properly replicated between the current DC and the DC holding the PDC Emulator role.

When some Domain Controller is still replicating data or replication has failed, you will see the appropriate information in the area with the red question mark.

Improper GPO status

So, thanks to this new feature, you can simply verify whether your policies are replicating between Domain Controllers.
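The same comparison in PowerShell, as an added example that is not code from the original post: it reads the GPO version from the Group Policy Container on each DC (the AD side) and from GPT.INI on each DC's own SYSVOL share (the SYSVOL side), then compares both with the PDC Emulator, which is what the Status tab reports. It assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2012 or Windows 8 RSAT) and read access to every DC's SYSVOL; the function names are assumptions:

```powershell
# Added example: AD and SYSVOL replication status of one GPO across all DCs, like the GPMC "Status" tab.
# Assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2012 / Windows 8 RSAT).
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Split-GpoVersion {
    # versionNumber packs two counters: user settings in the high 16 bits, computer settings in the low 16.
    param([int]$Version)
    New-Object PSObject -Property @{ User = ($Version -shr 16) -band 0xFFFF; Computer = $Version -band 0xFFFF }
}

function Test-GpoReplicationStatus {
    param(
        [Parameter(Mandatory = $true)][string]$GpoName,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $gpo = Get-GPO -Name $GpoName -Domain $Domain
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    $dcs = Get-ADDomainController -Filter * -Server $Domain | Select-Object -ExpandProperty HostName

    $rows = foreach ($dc in $dcs) {
        # AD side: versionNumber of the Group Policy Container, read from this specific DC.
        $adVersion = $null
        try {
            $gpc = Get-ADObject -Identity $gpo.Path -Server $dc -Properties versionNumber -ErrorAction Stop
            $adVersion = [int]$gpc.versionNumber
        } catch { }

        # SYSVOL side: "Version=" line of GPT.INI on this DC's own SYSVOL share (FRS/DFSR replicated).
        $sysvolVersion = $null
        $gptIni = "\\$dc\SYSVOL\$Domain\Policies\{$($gpo.Id)}\GPT.INI"
        if (Test-Path -LiteralPath $gptIni) {
            $m = Select-String -Path $gptIni -Pattern '^Version=(\d+)' | Select-Object -First 1
            if ($m) { $sysvolVersion = [int]$m.Matches[0].Groups[1].Value }
        }

        New-Object PSObject -Property @{
            DomainController = $dc
            IsPdcEmulator    = ($dc -eq $pdc)
            ADVersion        = $adVersion
            SysvolVersion    = $sysvolVersion
            ADEqualsSysvol   = ($adVersion -ne $null -and $adVersion -eq $sysvolVersion)
        }
    }

    # Green area in GPMC: every DC matches the PDC Emulator on both sides.
    $ref = $rows | Where-Object { $_.IsPdcEmulator }
    foreach ($r in $rows) {
        $inSync = $r.ADEqualsSysvol -and $r.ADVersion -eq $ref.ADVersion -and $r.SysvolVersion -eq $ref.SysvolVersion
        $r | Add-Member -NotePropertyName InSyncWithPdc -NotePropertyValue $inSync
    }
    $rows | Select-Object DomainController, IsPdcEmulator, ADVersion, SysvolVersion, ADEqualsSysvol, InSyncWithPdc
}

# Usage:
#   Test-GpoReplicationStatus -GpoName 'Default Domain Policy' | Format-Table -AutoSize
#   Split-GpoVersion -Version 65539     # user version 1, computer version 3
```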

Author: Krzysztof Pytko

Fine-Grained Password Policy

 

As you know, in Windows 2000 and 2003 Server you could only have one password policy in a domain. If your company required different password policies for particular departments, you needed to set up separate domain(s) for them or search for 3rd party tools to fulfil these requirements. That was your only choice.

With the Windows Server 2008 Domain Functional Level, Microsoft introduced a new feature called “Fine-Grained Password Policy”. This still does not allow more than one global, domain-wide password policy defined in a GPO, but it lets you define additional password policies in your environment without creating additional domains. These objects are created in the domain and stored in the domain partition. The main difference between a GPO password policy and an FGPP is that you cannot assign an FGPP to an Organizational Unit (OU). These kinds of password policies may only be applied to:

  • user
  • group

In Windows Server 2008/2008R2, setting up these policies is not so convenient, as you need to use ADSI Edit for that. It is also a little difficult to track which policy takes effect when more than one is applied to a user or group. In Windows Server 2012 Microsoft created a GUI for FGPP management, available in the new Active Directory Administrative Center.

In this article we will focus only on Windows Server 2012 and its new GUI feature within ADAC. However, if you are also interested in how to create an FGPP in Windows Server 2008/2008R2, please read the Microsoft article below:

Important! Remember that to be able to use Fine-Grained Password Policies, your Domain Functional Level must be at least Windows Server 2008.

Let’s try to configure an example Fine-Grained Password Policy in Windows Server 2012. To do that we need access to Windows Server 2012 or Windows 8 RSAT, where the new Active Directory Administrative Center is available.

When you have Server Manager up and running, go to “Tools” and open the ADAC console.

ADAC console

In Active Directory Administrative Center console, select “Tree” view and expand your domain node.

Active Directory Administrative Center

Now select the “System” container and go to the middle pane. Search there for “Password Settings Container”.

Password Settings container

Click the right mouse button on it and choose “New -> Password Settings” to create a password policy.

Note! When the “New” and “Delete” entries are grayed out, that means your domain does not fulfil the FGPP requirements. This is mostly caused by a too low Domain Functional Level. You need to raise the DFL to Windows Server 2008, and then you will be able to use password policies.

Too low Domain Functional Level

OK, but this should be checked before you start creating a password policy 🙂

New Fine-Grained Password Policy

When you do that, you will see a new window in which you can define all password settings, like in a GPO. Below you can find a screenshot of the default view.

Default view of password settings policy

On that screen you need to define the following parameters:

  • Policy name
  • Policy precedence number
  • Minimum password length
  • Minimum password age
  • Maximum password age
  • Number of passwords remembered
  • Number of failed logon attempts allowed
  • Reset failed logon attempts count after (mins)
  • Account will be locked out
  • Password must meet complexity requirements
  • Store password using reversible encryption
  • Protect from accidental deletion

I will try to explain each of those parameters in a few words so that you better understand what they do.

Policy name

This parameter defines the policy name by which administrators will identify it. Set up the policy name so that you can easily tell what it is for.

Policy precedence number

The number specified here matters for a user/group to which you assign more than one policy. If you have assigned more than one password policy, you need to determine which one takes precedence. The policy with the lower value is applied.

Minimum password length

Specify here how many characters (at least) will be required to create a password.

Minimum password age

Here you can define when a user is able to change their password after the last change. This setting prevents the user from changing the password before the specified number of days has passed.

Maximum password age

After that time, the user is obliged to change the password.

Number of passwords remembered

This setting defines the number of previously used passwords which cannot be reused.

Number of failed logon attempts allowed

This value tells the domain how many wrong logons are accepted before an account is locked.

Reset failed logon attempts count after (mins)

This option configures the amount of time after which the bad logon counter is reset, giving the user another chance to log on to the domain.

Account will be locked out

Sets how long the account will be locked out. When the value is set to 0 or “Account will be locked out until an administrator manually unlocks the account” is enabled, the account stays locked until an administrator unlocks it.

Password must meet complexity requirements

This defines that a password must contain characters from 3 out of 4 character groups to be valid. These groups are:

  • lowercase letters [a-z]
  • uppercase letters [A-Z]
  • special characters [!@#$%^&*()]
  • digits [0123456789]

Store password using reversible encryption

This setting stores the password in a form that can be decrypted back to plain text, for some applications that require access to the user’s password. It should not be used unless an application really requires it.

Protect from accidental deletion

Nothing directly connected to password settings. This setting applies to the password policy object itself and means it cannot be deleted from the domain until you uncheck this box.

Now that we have a better understanding of these policy parameters, we can define an example Fine-Grained Password Policy. Below you can find the settings used for that policy:

  • Policy name – it-domain-administrators
  • Policy precedence number – 1
  • Minimum password length – 8
  • Minimum password age – 5
  • Maximum password age – 90
  • Number of passwords remembered – 10
  • Number of failed logon attempts allowed – 3
  • Reset failed logon attempts count after – 30
  • Account will be locked out – 40
  • Password must meet complexity requirements – yes
  • Store password using reversible encryption – no
  • Protect from accidental deletion – yes

Example Fine-Grained Password Policy

After adding this policy to the domain, you need to specify the user or group to which you want to apply it. As the example policy name suggests that it is for Domain Administrators, I need to choose their group in the displayed window.

Target group for FGPP

and you can see that it is directly applied to the “Domain Admins” group in the “Directly applies to” section.

Confirmation for applying FGPP

That’s all for Fine-Grained Password Policies in this article. Each time you need to see the FGPPs and their assigned users/groups, open ADAC, go to System -> Password Settings Container and review those settings.
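The example policy above created from PowerShell, applied to Domain Admins and then checked per member, as an added example that is not code from the original post. It assumes the ActiveDirectory module (RSAT) and Domain Admin rights; the function names are assumptions, and the ages are entered in days and the lockout times in minutes, which is how the ADAC dialog takes them:

```powershell
# Added example: create the article's FGPP, apply it to Domain Admins and report the resultant
# policy per group member. Assumes the ActiveDirectory module (RSAT); function names are assumed.
Import-Module ActiveDirectory

function New-ArticleFgpp {
    # Same check the greyed-out "New" entry in ADAC performs: DFL must be at least Windows Server 2008.
    $domain = Get-ADDomain
    $required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    if ([int]$domain.DomainMode -lt [int]$required) {
        throw "Domain functional level is $($domain.DomainMode); Windows2008Domain or higher is required."
    }
    # The values from the article; ages in days, lockout times in minutes.
    $settings = @{
        Name                            = 'it-domain-administrators'
        Precedence                      = 1
        MinPasswordLength               = 8
        MinPasswordAge                  = (New-TimeSpan -Days 5)
        MaxPasswordAge                  = (New-TimeSpan -Days 90)
        PasswordHistoryCount            = 10
        LockoutThreshold                = 3
        LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
        LockoutDuration                 = (New-TimeSpan -Minutes 40)   # must not be shorter than the window
        ComplexityEnabled               = $true
        ReversibleEncryptionEnabled     = $false
        ProtectedFromAccidentalDeletion = $true
    }
    $pso = New-ADFineGrainedPasswordPolicy @settings -PassThru
    # "Directly applies to": a group or user, never an OU.
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'Domain Admins'
    $pso
}

function Get-FgppEffectiveReport {
    # Which policy actually wins for each member of the group. A PSO linked directly to the user
    # beats one linked through a group; among those, the lowest Precedence wins; if no PSO applies,
    # the domain-wide GPO password policy is in effect.
    param([Parameter(Mandatory = $true)][string]$GroupName)
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $rsop = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
            $row = New-Object PSObject -Property @{
                User         = $_.SamAccountName
                EffectivePSO = 'domain-wide GPO policy'
                Precedence   = $null
                LockoutAfter = $null
                MaxAgeDays   = $null
            }
            if ($rsop) {
                $row.EffectivePSO = $rsop.Name
                $row.Precedence   = $rsop.Precedence
                $row.LockoutAfter = $rsop.LockoutThreshold
                $row.MaxAgeDays   = $rsop.MaxPasswordAge.TotalDays
            }
            $row
        } | Select-Object User, EffectivePSO, Precedence, LockoutAfter, MaxAgeDays
}

# Usage:
#   New-ArticleFgpp
#   Get-ADFineGrainedPasswordPolicySubject -Identity 'it-domain-administrators'
#   Get-FgppEffectiveReport -GroupName 'Domain Admins' | Format-Table -AutoSize
```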

Author: Krzysztof Pytko

Adding additional Domain Controller (Windows Server 2012)

 

Why do we need to add an additional Domain Controller? The answer is very simple: “for service redundancy” or “to improve domain authentication in a remote Site”.

In case of a server failure, we still have another one which can provide the necessary services in our network, which avoids business discontinuity.

First of all, we need to install a new box or virtual machine with a server operating system that is supported in the domain environment. To check which Windows Server versions can be installed and promoted as a Domain Controller, we need to check the Domain Functional Level.

To determine the Domain Functional Level, please follow another article on my blog titled: Determine DFL and FFL using PowerShell

You may find one of these Domain Functional Levels, all supported by Windows Server 2012 Domain Controllers:

  • Windows Server 2003 – supports Windows Server 2003 and above
  • Windows Server 2008 – supports Windows Server 2008 and above
  • Windows Server 2008 R2 – supports Windows Server 2008 R2 and above
  • Windows Server 2012 – only Windows Server 2012 is supported

When you know your Domain Functional Level, you can start adding an additional Domain Controller.

First of all, you need to install a new machine based on Windows Server 2012. When the server is installed, you have to configure its network card properties before you can start the promotion process. As it is a Domain Controller, the server requires a static IP address from the same subnet, or from a subnet which is routable within the network. As directory services rely on DNS, you need to point the server at a DNS server that serves the domain. In this example the additional server uses 192.168.1.1 as its DNS server IP address (a forest root domain DC).

IPv4 settings

After IP address verification and changing the server name, you can simply start the Active Directory: Directory Services role installation. As you already know, Windows Server 2012 does not support server promotion via dcpromo; you need to do that in the post-installation steps.

Open Server Manager and click on “Add roles and features” on the Dashboard screen.

Active Directory: Directory Services role installation

Using the default settings in the wizard, go to the “Server Roles” step (those steps are not described in this article; you may expect their description in another article) and select the Active Directory Directory Services role. Also accept the default features which are required for the installation. Verify that the check box is in the proper place and go to the next step.

Active Directory: Directory Services role installation

On the “Features” screen also go to the next step, as we do not need anything more to be installed at this step. All required features will be installed, as you accepted them a little earlier.

Active Directory: Directory Services role installation

Read the information about the role you are installing and go to the confirmation screen to install it.

Active Directory: Directory Services role installation

Wait some time while the selected role is being installed before you are able to promote the server to Domain Controller.

Active Directory: Directory Services role installation

Active Directory: Directory Services role installation

Now, when the role is installed, you can see an exclamation mark in the notification area. It tells you that post-installation steps might be required.

Notification area

Click on it to see what can be done. You will see that you can now promote your server to Domain Controller, along with information that the features were installed successfully.

Notification area

OK, let’s start the server promotion to Domain Controller! Click on “Promote this server to a domain controller” and you will see a wizard.

As we are adding a Domain Controller to an existing domain, we need to select the proper option. It is selected by default; however, please ensure that “Add a domain controller to an existing domain” is selected.

Domain Controller promotion

When you have verified that, enter the DNS domain name to which you are promoting the DC in the field with the red star. Provide Enterprise Administrator credentials and go to the next step.

Domain Controller promotion

Domain Controller promotion

Domain Controller promotion

Define whether the server should be a DNS server and a Global Catalog. I would strongly recommend installing both roles on each Domain Controller in your environment. Select the Site to which this DC should belong and define the Directory Services Restore Mode (DSRM) password for this DC.

Domain Controller promotion

Do not worry about DNS delegation, as this server is not a DNS server yet. Go to the next step.

In “Additional options” you can define whether you want to install this Domain Controller from media (Install From Media, IFM), if you have it, and point to the DC from which replication should be done. When you do not specify one, the server will choose the best source for AD database replication. If you have no special requirements, just leave “Any domain controller”.

Domain Controller promotion

Specify the location for the AD database and SYSVOL (if you need something different from what is suggested) and go to the next step.

Domain Controller promotion

You will see a summary screen where you can check all selected options for the server promotion. As in Windows Server 2012 everything done via Server Manager is translated into PowerShell code and executed in the background, you can check the code by clicking the “View script” button. You will see exactly what will be run. This is a transparent process: you will not see a PowerShell window in front of you.

Domain Controller promotion

PowerShell code for adding Domain Controller

 #
 # Windows PowerShell script for AD DS Deployment
 #
 Import-Module ADDSDeployment
 Install-ADDSDomainController `
 -NoGlobalCatalog:$false `
 -CreateDnsDelegation:$false `
 -Credential (Get-Credential) `
 -CriticalReplicationOnly:$false `
 -DatabasePath "C:\Windows\NTDS" `
 -DomainName "testenv.local" `
 -InstallDns:$true `
 -LogPath "C:\Windows\NTDS" `
 -NoRebootOnCompletion:$false `
 -SiteName "Default-First-Site-Name" `
 -SysvolPath "C:\Windows\SYSVOL" `
 -Force:$true
 # -Credential (Get-Credential) prompts for the Enterprise Administrator account entered in the wizard;
 # the DSRM password is not in the script either, so Install-ADDSDomainController prompts for it
 # (-SafeModeAdministratorPassword) when the script is run by hand.

If all prerequisite checks pass and you are sure that you have set everything up properly, you can start the installation.

Domain Controller promotion

After you click the “Install” button, wait until the wizard has done its job; after the server restart you will have an additional Windows Server 2012 Domain Controller.

Additional Domain Controller logon screen

Give the DC some time to replicate Directory Services data, and then you can enjoy your new DC.
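A PowerShell check for the new DC, serving both this article's closing step and the earlier remote-promotion article's “check if you can see your new DC in the Domain Controllers OU” step; it is an added example, not code from the original post. It uses the Windows Server 2012 replication cmdlets of the ActiveDirectory module instead of repadmin; the function name and the names `dc02` and `testenv.local` are placeholders:

```powershell
# Added example: verify that a freshly promoted server is a DC of the domain, sits in the
# Domain Controllers OU, and has healthy replication partners. Assumes the ActiveDirectory module
# (Windows Server 2012 / Windows 8 RSAT). Function and server/domain names are assumed.
Import-Module ActiveDirectory

function Test-NewDomainController {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$DomainName
    )
    $dc = Get-ADDomainController -Filter { Name -eq $ComputerName } -Server $DomainName
    if (-not $dc) {
        # Not (yet) a DC: either promotion failed or the object has not replicated to the DC we asked.
        return New-Object PSObject -Property @{ Server = $ComputerName; IsDC = $false }
    }

    # Inbound and outbound partner metadata as stored on the new DC itself (what repadmin /showrepl reads).
    $partners = @(Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Both)
    $failed   = @($partners | Where-Object { $_.LastReplicationResult -ne 0 })

    New-Object PSObject -Property @{
        Server                = $ComputerName
        IsDC                  = $true
        InDomainControllersOU = ($dc.ComputerObjectDN -like 'CN=*,OU=Domain Controllers,DC=*')
        Site                  = $dc.Site
        GlobalCatalog         = $dc.IsGlobalCatalog
        DnsServer             = ('DNS' -in $dc.OperationMasterRoles) -or $true   # see note below
        ReplicationPartners   = $partners.Count
        PartnersWithFailures  = $failed.Count
        LastSuccess           = ($partners | Measure-Object -Property LastReplicationSuccess -Maximum).Maximum
    } | Select-Object Server, IsDC, InDomainControllersOU, Site, GlobalCatalog,
                      ReplicationPartners, PartnersWithFailures, LastSuccess
}

# Usage:
#   Test-NewDomainController -ComputerName 'dc02' -DomainName 'testenv.local' | Format-List
#   Get-ADReplicationFailure -Target 'dc02'     # details if PartnersWithFailures is not 0
```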

Author: Krzysztof Pytko

Adding first Windows Server 2012 Domain Controller within Windows 2003/2008/2008R2 network

 

Prerequisites

To configure a Windows Server 2012 Domain Controller within a Windows 2003/2008/2008R2 network, we need to check whether the Forest Functional Level is set to at least Windows 2003 mode. This is the lowest Forest Functional Level that allows Windows Server 2012 Domain Controller installation. That means Windows 2000 DCs are no longer supported: Microsoft does not support them alongside 2012 Domain Controllers. It’s time to forget about these old DCs.

Windows Server 2012 DC Forest Functional Level requirements

Windows Server 2012 DC Forest Functional Level requirements

We can check this in the domain where we want to install the first 2012 DC. To verify it, we use the “Active Directory Users and Computers” or “Active Directory Domains and Trusts” console.

Using the “Active Directory Users and Computers” console, select your domain and click the right mouse button (RMB) on it. Choose “Raise Domain Functional Level” and check the current level.

If you see a screen like this (Windows 2003 mode), you do not need to raise your Domain Functional Level. Otherwise you have to remove all Windows 2000 Domain Controllers or, if you have none, raise the DFL to Windows 2003 mode or higher.

Current Domain Functional Level

But remember, raising the Domain Functional Level is a one-time action and cannot be reverted. Before you raise it to 2003 mode, please ensure that all of your Domain Controllers are running at least Windows Server 2003. In this case all of them are at least 2003 DCs, as the DFL is set to 2003 mode, which would not be possible if any 2000 DCs were still present.

Windows 2003 mode does not support DCs based on earlier Microsoft Windows systems like NT4 and Windows 2000.

Another way is to use the Active Directory Domains and Trusts console. Run this console, select the domain for which you want to check the Domain Functional Level and choose “Raise Domain Functional Level”.

Current Domain Functional Level

Follow the same steps as in previous console.

You can find more about raising the Domain Functional Level in another article on my blog.

At this point you can also raise your Forest Functional Level if all of the Domain Controllers in the entire forest are running Windows Server 2003. If not, please skip the steps below and go to the Single Master Operation Roles section.

To raise the Forest Functional Level, select the “Active Directory Domains and Trusts” node, click on it with the RMB and choose “Raise Forest Functional Level”. On the list, accept “Windows Server 2003” mode by clicking the “Raise” button.

In this case the FFL is set to Windows Server 2003 mode and there is no need to raise it.

Raising Forest Functional Level

For more information about raising the Forest Functional Level, please check another article on my blog.

You can also determine the DFL and FFL by following the article on my blog titled: Determine DFL and FFL using PowerShell

Now it’s time to determine which Domain Controller(s) hold(s) the Single Master Operation Roles. The most important ones for preparing the environment for a 2012 DC are:

  • Schema Master
  • Infrastructure Master

We need to be sure that a connection to this/these DC(s) is available during the setup process. In previous versions we needed to prepare the environment using the adprep command to extend the schema and prepare the Infrastructure Master. From Windows Server 2012 on, we don’t have to run adprep first. Of course, if you wish, you can still do that, but it is not a mandatory step. From now on, Windows Server 2012 will do that for you if it detects that adprep was not used before for schema and infrastructure preparation. That’s the newest feature in Windows Server 2012, which simplifies the promotion process as much as possible. You only need to check that a connection to the DC(s) holding the mentioned operations master roles is available (it is based on a similar solution applied in Exchange 2010, where you do not have to use setup.com to extend the schema yourself).

To verify the necessary Operations Masters, we can use the netdom command installed from the Support Tools on Windows Server 2003 (in 2008/2008R2 it is available by default). Open a command prompt and go to the default installation directory:

C:\Program Files\Support Tools and type:

netdom query fsmo

and identify the DC(s) from the output.

Operation Master (FSMO) roles

We have collected almost all the necessary information to start AD preparation for the first Windows Server 2012 Domain Controller. The last and most important part before we start the preparation is checking the forest/domain condition by running:

  • Dcdiag (from Support Tools)
  • Repadmin (also from Support Tools)

Run the following in a command prompt on a DC where you have installed the Support Tools:

dcdiag /e /c /v

and check that there are no errors. If there are, please correct them (if your forest/domain has a lot of Domain Controllers, please skip the /e switch).

Now run in a command prompt:

repadmin /showrepl /all /verbose

to check that your DCs are replicating data without errors.

For more about Active Directory troubleshooting tools, check one of my articles on this blog.

After those checks, you can start with Active Directory preparation.
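The prerequisite checks of this section (functional levels, the Schema and Infrastructure Masters and their reachability, Enterprise Admins membership, current schema version) done from PowerShell on the new Windows Server 2012 box, as an added example that is not code from the original post. It assumes the ActiveDirectory module (installed with the AD DS role's management tools or RSAT) and that the box can reach the existing DCs; the function name and the domain name `testenv.local` are placeholders:

```powershell
# Added example: pre-promotion checks for the first Windows Server 2012 DC, run on the new box.
# Assumes the ActiveDirectory module and network access to the existing DCs. Function name is assumed.
Import-Module ActiveDirectory

function Test-First2012DcPrerequisites {
    param([Parameter(Mandatory = $true)][string]$DomainName)
    $domain = Get-ADDomain -Identity $DomainName
    $forest = Get-ADForest -Identity $domain.Forest
    $report = [ordered]@{}

    # 1. Functional levels: Windows Server 2003 is the minimum for a 2012 DC (no Windows 2000 DCs left).
    $report.ForestMode = $forest.ForestMode.ToString()
    $report.DomainMode = $domain.DomainMode.ToString()
    $minForest = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    $minDomain = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
    $report.LevelsOK = ([int]$forest.ForestMode -ge $minForest) -and ([int]$domain.DomainMode -ge $minDomain)

    # 2. Operations masters the built-in schema/domain preparation must reach: Schema Master (forest)
    #    and Infrastructure Master (domain). Check ICMP and LDAP (TCP 389) for each.
    $masters = @{ SchemaMaster = $forest.SchemaMaster; InfrastructureMaster = $domain.InfrastructureMaster }
    foreach ($role in @($masters.Keys)) {
        $holder = $masters[$role]
        $ldap = $false
        try {
            $client = New-Object System.Net.Sockets.TcpClient
            $client.Connect($holder, 389)
            $ldap = $client.Connected
            $client.Close()
        } catch { }
        $ping = Test-Connection -ComputerName $holder -Count 1 -Quiet
        $report[$role] = "$holder ping=$ping ldap=$ldap"
        $report["$($role)Reachable"] = $ldap
    }

    # 3. Current schema version. Informational only: the 2012 promotion runs adprep itself if needed.
    #    Known values: 30 = 2003, 31 = 2003 R2, 44 = 2008, 47 = 2008 R2, 56 = 2012.
    $schemaNc = (Get-ADRootDSE -Server $DomainName).schemaNamingContext
    $schema   = Get-ADObject -Identity $schemaNc -Server $DomainName -Properties objectVersion
    $report.SchemaVersion     = [int]$schema.objectVersion
    $report.SchemaAlready2012 = ($report.SchemaVersion -ge 56)

    # 4. The account doing the promotion must be an Enterprise Admin (the first 2012 DC extends the schema).
    $report.IsEnterpriseAdmin = [bool](whoami /groups | Select-String 'Enterprise Admins')

    $report.ReadyToPromote = $report.LevelsOK -and $report.SchemaMasterReachable -and
                             $report.InfrastructureMasterReachable -and $report.IsEnterpriseAdmin
    [pscustomobject]$report
}

# Usage (dcdiag and repadmin from the section above still apply; this covers the AD-side checks):
#   Test-First2012DcPrerequisites -DomainName 'testenv.local' | Format-List
```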

Adding first Windows 2012 Domain Controller

Before we start preparing AD for the new Windows Server 2012 DC, we need to be sure that we are members of:

  • Enterprise Admins group

When we are sure of that, we can start the installation.

Install your new box with Windows Server 2012, configure its IP address according to your network settings and change the default server name to yours.

Remember that it’s very important to properly configure the network card settings to be able to promote your new box as a domain controller!

The most important part of configuring the NIC is setting up the DNS server(s). Point your new box at one of the existing Domain Controllers where you have installed and configured DNS.

IPv4 settings verification

After you have verified the IP settings, you can start the server promotion to Domain Controller. However, you cannot use the good old dcpromo command, as it is no longer valid 🙂

dcpromo

Microsoft removed it and now everything is done via the new Server Manager console. You need to install the Active Directory: Directory Services role, and after that, in the post-installation steps, you can promote the server to Domain Controller. Let’s start.

Open the Server Manager console (if it is not already open) and click on “Add roles and features” on the Dashboard screen.

Adding Roles and Features

Using the default settings in the wizard, go to the “Server Roles” step (those steps are not described in this article; you may expect their description in another article) and select the Active Directory Directory Services role. Also accept the default features which are required for the installation.

Required features for AD:DS role

Verify that the check box is in the proper place and go to the next step.

Adding AD:DS role

On the “Features” screen also go to the next step, as we do not need anything more to be installed at this step. All required features will be installed, as you accepted them a little earlier.

Adding AD:DS role

Read the information about the role you are installing and go to the confirmation screen to install it.

Adding AD:DS role

Wait until the selected role has been installed; only then will you be able to promote the server to a Domain Controller.

Installing AD:DS role

Installing AD:DS role

Now, when the role is installed, you can see an exclamation mark in the notification area. It tells you that post-installation steps might be required.

Notification area

Click on it to see what can be done. You will see that you can now promote your server to a Domain Controller, along with the information that the features were installed successfully.

Notification area

OK, let’s start server promotion to Domain Controller! Click on “Promote this server to a domain controller” and you will see a wizard.

As we are adding a Domain Controller to an existing domain, we need to select the proper option. It is selected by default; however, please ensure that “Add a domain controller to an existing domain” is selected.

Domain Controller promotion

When you have verified that, enter in the field marked with a red star the DNS domain name to which you are promoting the DC. Provide Enterprise Administrator credentials and go to the next step.

Domain Controller promotion

Domain Controller promotion

Domain Controller promotion

Define whether the server should be a DNS server and a Global Catalog. I would strongly recommend installing both roles on each Domain Controller in your environment. Select the Site to which this DC should belong and define the Directory Services Restoration Mode (DSRM) password for this DC.

Domain Controller promotion

Do not worry about DNS delegation, as this server is not a DNS server yet. Go to the next step.

Domain Controller promotion

In “Additional options” you can define whether you want to install this Domain Controller from Install From Media (IFM), if you have it, and choose the DC from which replication should be done. When you do not specify one, the server will choose the best source for AD database replication. If you have no special requirements, just leave “Any domain controller”.

Domain Controller promotion

Specify the location for the AD database and SYSVOL (if you need something different from the suggested paths) and go to the next step.

Domain Controller promotion

Now the wizard informs you that Schema and Domain preparation need to be done. As you did not run adprep before, it will be executed in the background for you.

Domain Controller promotion

You will see a summary screen where you can check all selected options for server promotion. As in Windows Server 2012 everything done through Server Manager is translated into PowerShell code and executed in the background, you can check that code by clicking on the “View script” button. You will see exactly what will be run. The process is transparent to you; no PowerShell window appears in front of you.

Domain Controller promotion

PowerShell code for adding Domain Controller

#
# Windows PowerShell script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-Credential (Get-Credential) `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "testenv.local" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SiteName "Default-First-Site-Name" `
-SysvolPath "C:\Windows\NTDS" `
-Force:$true
# Note: the backslashes in the three paths were lost in the page extraction and have been restored here.
# The wizard's default SYSVOL location is C:\Windows\SYSVOL; the path above is what this screenshot's script used.

If all prerequisite checks pass and you are sure that all settings are correct, you can start the installation.

Domain Controller promotion

You can observe that the Forest and Domain are being prepared by adprep running in the background. Wait until the wizard has finished its job; after the server restarts you will have a new Windows Server 2012 Domain Controller.

Domain Controller promotion

Give the DC some time to replicate Directory Services data, and then you can enjoy your new DC.
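The same procedure done from PowerShell, as an added example that is not part of the original article: it performs the checks the article asks for (DNS pointed at an existing DC, the domain locatable through that DNS server, Enterprise Admins credentials) and runs the prerequisite test before the actual promotion. The domain name testenv.local and the site name come from the article; the existing DC address 192.168.1.1, the interface alias “Ethernet” and the new server name are assumptions.

```powershell
# Added example, not the article's own script: prepare a freshly installed
# Windows Server 2012 box and promote it as an additional DC in an existing domain.
# Assumed values: existing DC/DNS at 192.168.1.1, interface alias "Ethernet".
$DomainName  = 'testenv.local'
$ExistingDns = '192.168.1.1'   # an existing Domain Controller that runs DNS
$NicAlias    = 'Ethernet'
$SiteName    = 'Default-First-Site-Name'

# 1. Point the NIC at an existing DC for DNS (the article's "most important part").
Set-DnsClientServerAddress -InterfaceAlias $NicAlias -ServerAddresses $ExistingDns

# 2. Confirm the domain can be located through that server: promotion depends on
#    the DC locator SRV record being resolvable from this box.
$dcRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
    -Server $ExistingDns -ErrorAction Stop
if (-not $dcRecords) { throw "No DC locator records for $DomainName via $ExistingDns" }

# 3. Enterprise Admins credentials are prompted for, never stored in the script.
$cred = Get-Credential -Message "Enterprise Admins account for $DomainName"

# 4. Install the AD DS binaries and management tools (role only, no promotion yet).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 5. The DSRM password is read as a SecureString rather than written in clear text.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# 6. Dry run: Test-ADDSDomainControllerInstallation performs the wizard's
#    prerequisite checks and returns the result without changing the server.
Import-Module ADDSDeployment
$check = Test-ADDSDomainControllerInstallation -DomainName $DomainName -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns -SiteName $SiteName
$check | Format-List
if ($check.Status -ne 'Success') { throw 'Prerequisite check failed; fix the reported items first.' }

# 7. Promote. Switches and paths mirror the script the wizard shows under "View script".
Install-ADDSDomainController -DomainName $DomainName -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns:$true -NoGlobalCatalog:$false `
    -SiteName $SiteName -CreateDnsDelegation:$false -CriticalReplicationOnly:$false `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -Force:$true
# The server reboots when promotion completes (NoRebootOnCompletion defaults to $false).
# After the reboot, verify the new DC is advertising itself and holds a Global Catalog:
#   Get-ADDomainController -Identity $env:COMPUTERNAME | Select-Object HostName, Site, IsGlobalCatalog
```

The SRV lookup in step 2 is the quickest way to catch the classic failure the article warns about (a NIC that still points at a public DNS server): if the locator record does not resolve through the server you configured, the wizard's prerequisite check will fail for the same reason.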

Post-Installation steps

Now you need to make a few small changes to your environment configuration.

On each server/workstation, in the NIC properties, configure the alternate DNS server IP address to point to the new Domain Controller.

Open the DHCP management console and, under server or scope options (depending on your DHCP configuration), modify option no. 006.

Add the IP address of your new Domain Controller there as a DNS server.
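The two post-installation changes above done from PowerShell, as an added example that is not part of the original article. It uses the DhcpServer and DnsClient modules that ship with Windows Server 2012; the DHCP server name DC01, the scope 192.168.1.0 and the two DC addresses are assumptions.

```powershell
# Added example, not the article's own: add the new DC as a second DNS server for
# static clients and for DHCP clients via option 006.
# Assumed values: existing DC 192.168.1.1, new DC 192.168.1.2, DHCP server DC01, scope 192.168.1.0.
$OldDc = '192.168.1.1'
$NewDc = '192.168.1.2'
$Dhcp  = 'DC01'
$Scope = '192.168.1.0'

# Static servers/workstations: preferred DNS stays on the existing DC,
# the new DC becomes the alternate. Run this on each such machine.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $OldDc, $NewDc

# DHCP clients: scope-level option 006 (DNS Servers). Read the current value first so
# the existing entry is kept and the new DC is appended instead of replacing it.
$current = (Get-DhcpServerv4OptionValue -ComputerName $Dhcp -ScopeId $Scope -OptionId 6 `
    -ErrorAction SilentlyContinue).Value
$servers = @(($current + $NewDc) | Select-Object -Unique)
Set-DhcpServerv4OptionValue -ComputerName $Dhcp -ScopeId $Scope -DnsServer $servers

# Verify: option 006 lists both DCs, and both actually answer for the domain.
Get-DhcpServerv4OptionValue -ComputerName $Dhcp -ScopeId $Scope -OptionId 6
foreach ($dns in $servers) {
    Resolve-DnsName -Name 'testenv.local' -Type A -Server $dns -ErrorAction Stop | Select-Object Name, IPAddress
}
```

Set-DhcpServerv4OptionValue validates that each address in -DnsServer resolves before accepting it, which is one more reason to let the new DC finish initial replication before running this.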

DHCP server reconfiguration

That’s all!

Congratulations! You have promoted your first Windows Server 2012 to a Domain Controller in an existing domain.

Author: Krzysztof Pytko

Configuring a forest root domain on Windows Server 2012

 

This scenario is suitable mostly for test environments, because it is very rare that someone wants to do this in production (where a forest already exists). But of course, maybe you are creating a domain environment for a new company which doesn’t have one yet, or you are preparing a new forest for migration. Then this article is also for you.

This article describes only single forest, single domain scenario.

If you wish, you may also view a video on my Youtube channel. It is without voice but I will try to fix that in the nearest future 🙂

We need some details before we start the configuration.

  • Company name – which will be helpful in choosing the forest/domain name
  • Network configuration – valid IP address range for our company, router’s IP (as default gateway)
  • ISP DNS servers or any public DNS servers, to be able to access Internet resources from our company
  • Services we need to run – what additional services will be required to fulfil the company requirements

Let’s start to prepare them all.

  • Company name – Test Environment
  • Network configuration – IP addresses range 192.168.1.0/24; the last available IP address is a router (default gateway)
  • Public DNS servers – 8.8.4.4 and 8.8.8.8 (Google public DNS servers)
  • Services – Active Directory: Directory Services, DNS server(s), DHCP server(s)

Now we can install our first Windows Server 2012 and configure it. After that we will be able to promote this box as a Domain Controller.

When our server is installed, we log on there with the local administrator account and can start its preparation.

Open Server Manager (or wait a short time, because it starts by itself by default), set up a static IP address for your server (in this case it’s 192.168.1.1 with the 255.255.255.0 network mask), configure the time zone and change the server name according to the naming convention in your company. You may also set up other options there, like NIC teaming, remote management and remote access.

This is the most important part of the network configuration before promoting the server as a Domain Controller: in the preferred DNS server field type 127.0.0.1 (the loopback address) or the server’s own configured IP address, 192.168.1.1, so that the server points to itself for DNS.

To configure network parameters, click on “Local Server” node on the left side of Server Manager

Local server basic configuration

and then click on “Ethernet” to configure these settings

Network card configuration

You will see “Network connections”, where your network card is listed

Network card

edit its properties and set up required IP information under IPv4 section

IPv4 settings edition

Note! Do not disable IPv6 even if you do not use it. Just go to its properties and disable dynamic DNS registration for IPv6 only. This can be done under “Advanced” settings, on the “DNS” tab, in the IPv6 properties.

So, going back to IPv4 IP settings, under its properties put valid IP address, network mask, default gateway and DNS server IP address

IPv4 settings

Now let’s configure the server name and reboot, so that we can start promotion to Domain Controller. To change the server name, click on the “Computer name” section and provide the appropriate name

Server name change

Server name change

Server name change

Server name change

apply the changes and reboot the server. When your server is up and running again, you can start the promotion process.

Now, a small change in Domain Controller promotion 🙂 The dcpromo command is no longer valid. Microsoft decided to simplify this process as much as possible.

dcpromo

This time you need to install the Active Directory: Directory Services role and afterwards follow the post-install steps, which promote the server to a Domain Controller. To do that, open Server Manager and go to “Add roles and features” on the Dashboard screen

Adding roles

You will see a wizard which will guide you through the role installation process. Go forward with the default options up to the screen with role selection and choose the “Active Directory Directory Services” role. Confirm all dependent roles/features to be installed with the AD:DS role

Active Directory: Directory Services role installation

confirm also features which will be installed with selected role

AD:DS role installation

Go “Next” to screen with installation summary and click “Install”

Roles and features installation

and wait until Active Directory: Directory Services role will be installed

Role installation

When role is installed, you will see yellow exclamation mark in notification area

Post-installation steps

That means there are additional steps to do after role installation. Click on that field and you will see what to do next

Post-installation steps

Click on “Promote this server to a domain controller” and promotion wizard will be displayed.

It is similar to the previous DCPROMO wizard on older OS versions. The promotion process is much simpler than before and requires fewer steps to finish.

In our case we are configuring a new forest root domain, so we need to choose the “Add a new forest” option and specify the DNS domain name for this new forest. As mentioned before, in this example we will use testenv.local as the DNS domain name

Domain Controller promotion

On the next screen you need to specify the Domain and Forest Functional Levels. For more details about that, please check other articles on my blog:

Important! Once you set the Domain/Forest Functional Level it cannot be changed to a lower mode, so be careful when you choose it. If you are not sure which functional level is adequate for you, choose the lower one. You can always raise it later without any business continuity disruption.

Also define whether this server will have the DNS role installed and whether it will be a Global Catalog. As this is the first Domain Controller, all these roles must be installed.

Specify the Directory Services Restoration Mode (DSRM) password, which at this stage will also be used for the domain administrator account

Domain Controller promotion

As this is the first Domain Controller and forest root domain, do not worry about DNS delegation and go to the next step

Domain Controller promotion

After you have specified the DNS domain name, you also need to type the NetBIOS domain name. By default the wizard suggests the first label of the DNS domain name. If you have no reason to use a different NetBIOS name, I would suggest leaving it as suggested: after changing this name you will have an issue with Active Directory Administrative Center, which does not recognize a changed NetBIOS domain name (it uses the first label of the DNS domain name).

Domain Controller promotion

Specify location of AD database and SYSVOL. You may leave defaults or move them to another drive

Domain Controller promotion

You will see a summary screen with all details before installation. As in Windows Server 2012 everything done from Server Manager is translated into PowerShell and executed in the background, you may click on “View script” to see what will be done to install and configure the Domain Controller

PowerShell script for Domain Controller promotion

When you are ready, click Next to go to the final screen, where the script will be executed in the background

Domain Controller promotion

If all prerequisite checks pass, you can start the installation

Domain Controller promotion

Wait a while and the server will be rebooted. After the reboot, your server is a Domain Controller.

Congratulations! Your Domain Controller for the forest root domain is ready! You can log on to it using the password specified during the promotion process (the same password as for Directory Services Restoration Mode)

Domain Controller logon screen

Log on to your new Domain Controller using the domain administrator credentials.

We have to configure the DNS server to send unresolved DNS queries to the ISP DNS server(s) or any other public DNS server(s). This configuration is necessary to be able to access Internet resources from our internal network.

Open DNS management console from Tools in Server Manager and select server name.

DNS forwarders configuration

In the right pane at the bottom of that window, double click on Forwarders

DNS forwarders configuration

When the Forwarders window appears, click on the “Edit” button to add the public DNS servers used for Internet access

DNS forwarders configuration

You should see a window where you can enter ISP or public DNS servers. Add them to the list. In this case we will use the Google public DNS servers (8.8.4.4 and 8.8.8.8). Wait until they have been validated and close the console

DNS forwarders configuration

Finally, you should consider Domain Controller and DNS server redundancy in your network by placing an additional server with these roles. Another very important part is performing a System State backup of your Domain Controllers regularly.

If you lack hardware resources in your network, you can consider placing the DHCP server on this Domain Controller. However, for security reasons it is not recommended to install additional roles on DCs.
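The whole forest root build described above done from PowerShell, as an added example that is not part of the original article. It is split into three phases separated by the two reboots the article mentions (after renaming, and after promotion). The values 192.168.1.1/24, testenv.local and the Google forwarders come from the article; the interface alias “Ethernet”, the server name DC01, the gateway 192.168.1.254 (the last host address of the /24, as the article describes) and the backup volume E: are assumptions.

```powershell
# Added example, not the article's own script: forest root domain on Windows Server 2012.
# Assumed: interface alias "Ethernet", server name DC01, gateway 192.168.1.254, backup volume E:.
$DomainName = 'testenv.local'
$NetBios    = 'TESTENV'            # the wizard's default: first label of the DNS name
$ServerIp   = '192.168.1.1'
$Gateway    = '192.168.1.254'      # last host address in 192.168.1.0/24 (the router)
$NicAlias   = 'Ethernet'
$Forwarders = '8.8.4.4', '8.8.8.8'

# --- Phase 1 (before the first reboot): static IP, DNS pointing at itself, server name ---
New-NetIPAddress -InterfaceAlias $NicAlias -IPAddress $ServerIp -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $NicAlias -ServerAddresses '127.0.0.1'
Rename-Computer -NewName 'DC01' -Restart   # reboots here; continue with phase 2 afterwards

# --- Phase 2 (after the reboot): role install, prerequisite test, forest creation ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# The DSRM password also becomes the initial domain Administrator password (see the article),
# so it is prompted for as a SecureString rather than embedded in the script.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM / initial domain Administrator password'

# Functional levels cannot be lowered afterwards. Win2012 is used here because this new
# forest will contain only Windows Server 2012 DCs; pick a lower level if older DCs are planned.
$levels = @{ ForestMode = 'Win2012'; DomainMode = 'Win2012' }

$check = Test-ADDSForestInstallation -DomainName $DomainName -DomainNetbiosName $NetBios `
    -SafeModeAdministratorPassword $dsrm -InstallDns @levels
if ($check.Status -ne 'Success') { $check | Format-List; throw 'Prerequisite check failed.' }

Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetBios @levels `
    -SafeModeAdministratorPassword $dsrm -InstallDns:$true -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -Force:$true                          # the server reboots automatically when done

# --- Phase 3 (after the DC reboot, logged on as TESTENV\Administrator) ---
# Forward unresolved queries to the public resolvers so internal clients can reach the Internet.
Add-DnsServerForwarder -IPAddress $Forwarders -PassThru
Resolve-DnsName -Name 'microsoft.com' -Type A      # resolves through the forwarders if they work

# The article's closing advice: back up System State regularly. wbadmin requires the
# Windows Server Backup feature; the target is the assumed second volume E:.
Install-WindowsFeature -Name Windows-Server-Backup
wbadmin start systemstatebackup -backupTarget:E: -quiet
```

Test-ADDSForestInstallation in phase 2 runs the same prerequisite checks the wizard shows before the “Install” button becomes available; running it first lets you fix a wrong DNS client setting or an unsupported functional level without a half-finished promotion.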

Author: Krzysztof Pytko