Archive | Windows Server 2003 RSS for this section

Adding first Windows Server 2016 Domain Controller within Windows 2003/2008/2012 domain environment

 

Prerequisites

The first and the most important part within preparation phase is… installing Windows Server 2016 server. If you do not have it installed, you would not be able to promote it as DC 🙂

This topic does not cover Windows Server 2016 installation process, so you should do this by yourself.

To be able to configure Windows Server 2016 Domain Controller within Windows 2003/2008/2012 domain environment we need to check if Forest Functional Level is set up at least in Windows 2003 mode. This is the lowest allowed Forest Functional Level for Windows Server 2016 Domain Controller. That means, Windows 2000 DCs are not supported anymore. Microsoft does not support them with cooperation with 2012 and 2016 Domain Controllers. It’s time to forget about these old operating systems.

If you do not know how to identify current domain or forest functional level, please follow this article on my blog Determine DFL and FFL using PowerShell

In case of need to raise them, please follow:

You are ready to go with the first Windows Server 2016 Domain Controller installation process

Preparation for Domain Controller promotion

 

Just before we can go with Domain Controller promotion, we need to identify 2 FSMO Role owners for:

  • Schema Master
  • Infrastructure Master

These 2 role owners must be online and need to be accessible by our new Windows Server. It is required because from Windows Server 2012 forest and domain preparation is done in a background and the entire schema and domain extensions might be done by wizard itself, which is really convenient.

That’s right, there is no more adprep tool needed to be used manually by administrator. Everything can be covered by promotion wizard!

To check which Domain Controller(s) hold appropriate FSMO roles, you can follow one of below steps:

  • use command line netdom utility
netdom query fsmo

and check the output

  • use PowerShell cmd-lets
Get-ADForest

Get-ADDomain

and check servers holding particular role

  • you can give a try to my new C# application written recently

Identify FSMO Role owners

  • follow any other way you wish, to enumerate the roles

We collected almost all necessary information to start AD preparation for the first Windows Server 2016 Domain Controller. The last and the most important part before we start preparation, is checking Forest/Domain condition by running:

  • dcdiag tool for environment’s health status
  • repadmin tool for environment’s replication status

Run in command-line on a DC:

dcdiag /e /c /v /f:c:\dcdiag.log

review log file and check if there are no errors. If so, please correct them (in case that your forest/domain has a lot of Domain Controllers, please skip /e switch)

now run in command-line:

repadmin /showrepl /all /verbose >c:\repadmin.log

to check if your DCs are replicating data without errors.

For more about Active Directory Troubleshooting Tools check one of my articles on this blog

After those checks, you can start with Active Directory preparation.

Adding first Windows Server 2016 Domain Controller

Before we start preparing AD for new Windows Server 2012 DC, we need to be sure that we are members of:

  • Enterprise Administrators group
  • Schema Administrators group

These 2 groups membership is required to extend forest schema and prepare domain(s) for new DC’s deployment.

Install your new box with Windows Server 2012 and configure its IP address correspondingly to your network settings and change default server name to yours.

Remember that it’s very important to properly configure Network Card settings to be able to promote your new box as domain controller!

The most important part of configuring NIC is setting up DNS server(s). Point your new box to one of the existing Domain Controllers where you have installed and configured DNS or any other DNS server responsible for your domain’s DNS zone.

IPv4 settings verification

IPv4 settings verification

After you verified IP settings, you can start server promotion to Domain Controller. However, you cannot use old good known dcpromo command as it is not valid anymore.

Open Server Manager console (if it was not already opened) and click on “Add roles and features” on Dashboard screen

Adding Roles and Features

Adding Roles and Features

Using default settings in a wizard go up to “Server roles” step (in this article those steps are not described. You may expect their description in another article) and select Active Directory Directory Services role. Accept also default features which are required during installation

Select AD DS role to install

Select AD DS role to install

confirm you wish to install all required tools to manage domain from this server after promotion

Confirm tools installation

Confirm tools installation

Verify if check box is in proper place and go to the next step

Select AD DS role to install

Select AD DS role to install

On “Features” screen also go to the next step as we do not need more at this step to be installed. All required features will be installed as you accepted them a little bit earlier

Adding AD:DS role

Adding AD:DS role

Skip this step as it refers to Active Directory in Azure which is not part of this guide

Adding AD:DS role

Adding AD:DS role

Read information about role you are installing and go to confirmation screen to install it

Adding AD:DS role

Adding AD:DS role

Wait some time until selected role is being installed before you will be able to promote server to Domain Controller

Installing AD:DS role

Installing AD:DS role

Installing AD:DS role

Installing AD:DS role

Now, when role is installed, you can see in notification area an exclamation mark. It tells you that post-installation steps might be required

Notification area

Notification area

Click on it to see what can be done. You will see that now, you can promote your server to Domain Controller and information that features were installed successfully

Notification area

Notification area

 

OK, let’s start server promotion to Domain Controller! Click on “Promote this server to a domain controller” and you will see a wizard.

As we are adding Domain Controller into existing domain, we need to select proper option. It is selected by default, however, please ensure if you can see that “Add a domain controller to an existing domain” is selected

Domain Controller promotion

Domain Controller promotion

On the screen when you are prompt to provide domain in which new Domain Controller is promoted click on select button

Domain Controller promotion

Domain Controller promotion

You will be asked to provide credentials to discover available domains. Provide Enterprise Administrator credentials and go to the next step

Domain Controller promotion

Domain Controller promotion

You can provide credentials using User Principal Name or user name followed by NetBIOS domain name

Domain Controller promotion

Domain Controller promotion

Domain Controller promotion

Domain Controller promotion

When your credentials are appropriate you get a window with all available domains. Select this one in which you want to introduce Windows Server 2016 Domain Controller and click “OK

Domain Controller promotion

Domain Controller promotion

You should see a screen with all provided details from previous steps

Domain Controller promotion

Domain Controller promotion

Define if server should be DNS server and Global Catalog. I would strongly recommend installing both roles on each Domain Controller in your environment. Select a Site to which this DC should belongs to and define Directory Services Restoration Mode (DSRM) password for this DC.

Important! DSRM password needs to be remembered as it is different than domain administrator’s   and is unique for every Domain Controller (if not configured to be replicated from model account in a domain – this is not a part of this guide)

Domain Controller promotion

Domain Controller promotion

If you have DNS delegation in place, update it here, or skip and do this later

Domain Controller promotion

Domain Controller promotion

In”Additional options” you can define if you want to install this Domain Controller from Install From Media (IFM) (if you have it) and point from which DC replication should be done. When you do not specify, server will choose the best location for AD database replication. If you have no special requirements for that, just leave “Any domain controller”

Important! If you wish to use IFM installation media, you need to be aware that it MUST be prepared on the same Windows Server version as promoted DC. It is not possible to promote Windows Server 2016 DC from Windows Server 2012 IFM or any other than 2016.

Note! As this is your first Windows Server 2016 DC in the environment, you cannot use IFM as deployment option.

Domain Controller promotion

Domain Controller promotion

Specify location for AD database and SYSVOL (if you need different that suggested) and go to the next step

Domain Controller promotion

Domain Controller promotion

Now, wizard informs you that Schema and Domain preparation need to be done. As you did not run adprep before, it will be executed in a background for you

Domain Controller promotion

Domain Controller promotion

You will see a summary screen where you can check all selected options for server promotion. As in Windows Server 2012 everything done over Server Manager is translated into PowerShell code and it is executed in a background, you can check code by clicking on “View script” button. You will see what exactly will be run. This is transparent process and you cannot see PowerShell window in front of you

Domain Controller promotion

Domain Controller promotion

PowerShell code for adding Domain Controller

#
# Windows PowerShell script for AD DS Deployment
#

Import-Module ADDSDeployment
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-Credential (Get-Credential) `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "testenv.local" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-ReplicationSourceDC "plwrow082wdc001.testenv.local" `
-SiteName "EUPLWROHQ01" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true

If all prerequisites will pass and you are sure that all setting you have set up properly, you can start installation

Domain Controller promotion

Domain Controller promotion

As it was stated earlier, wizard needs to extend schema and prepare domain for the first Windows Server 2016 Domain Controller. You can see this during promotion process

Trnsparent adprep /forestprep

Trnsparent adprep /forestprep

Transparent adprep /domainprep

Transparent adprep /domainprep

wait until wizard will do its job and after server restart you will have new Windows Server 2016 Domain Controller logon screen

Windows Server 2016 Domain Controller logon screen

Windows Server 2016 Domain Controller logon screen

Log on into DC and enjoy its new features

Windows Server 2016 DC's desktop

Windows Server 2016 DC’s desktop

Give DC some time to replicate Directory Services data to be fully operational.

You can check if everything is replicated over LDP utility. Open run box and type ldp

Running LDP

Running LDP

From menu select “Connection -> Connect

LDP utility replication status check

LDP utility replication status check

Specify Windows Server 2016 Domain Controller’s name or leave it blank to connect to the DC itself

LDP utility replication status check

LDP utility replication status check

After connection verify at window bar if you are connected to appropriate Domain Controller

ldap://plwrow161wdc002.testenv.local/DC=testenv,DC=local

From Active Directory RootDSE context you can read Domain Controller’s functionality level, which in this case is 7 – Windows Server 2016

and search for

  • isGlobalCatalogReady
  • isSynchronized

if both attributes have TRUE as a status, everything is up-and-running properly. If not, you need to wait some time to give replication finish its job.

LDP utility replication status check

LDP utility replication status check

Post-installation steps

Now, you need to do small changes within your environment configuration.

On each server/workstation NIC properties configure alternative DNS server IP address pointing to the new Domain Controller.

Open DHCP management console and under server/scope options (it depends on your DHCP configuration) modify option no. 006

Add there IP address of your new Domain Controller as new DNS server.

That’s all!

Congratulations! You have promoted your first Windows Server 2016 Domain Controller in existing domain. Enjoy!

Author: Krzysztof Pytko

Active Directory Topology Visualization

 

My friend Wojciech has started his blog recently and you can find there a lot of interesting articles. His knowledge base is increasing, so keep an eye on his blog, it’s worth!

One of really useful articles at this moment is about Active Directory Topology Visualization

If you have ever considered documenting your Domain Controllers connection map but you could not find free and easy tool for that, Wojciech prepared Visual Basic Script generating your AD topology which you can simply use in your documentation.

It is really simple in use, just double click on it and wait couple of minutes (depend on the environment size – how many DCs are in your domain). After some time you will receive Domain Controllers connection map.

Generated Active Directory topology - downloaded from http://wojciech.pazdzierkiewicz.pl

Generated Active Directory topology – downloaded from http://wojciech.pazdzierkiewicz.pl

This is also helpful in process of troubleshooting. But for the details just take a look at http://wojciech.pazdzierkiewicz.pl/?p=533

And do not forget visiting his blog to extend your Active Directory knowledge!

Author: Krzysztof Pytko
Sources: http://wojciech.pazdzierkiewicz.pl

Active Directory objects naming convention

 

Have you ever wondered about Active Directory objects naming convention in your domain environment? If not, but you wish to standardize their naming convention because your current one is not satisfactory then this article is for you.

Of course this is only a suggestion how to build the naming convention because there is no default and suitable template for all environments.

I will try to show you couple of examples for particular Active Directory objects and I hope you would be able to adjust them to your environment’s requirements.

Users

Every domain environment is full of users. That’s why good to have some naming convention for them to avoid mess.

The most popular template is based on user’s first and last name. This allows you to define variety naming conventions.

One of them defines user’s login combined with first name and last name separated by special character like:

  • dot
  • hyphen
  • underscore
  • no special character

Let’s take a look closer to an example for a person: Krzysztof Pytko. Possible logins could look like:

  • Krzysztof.Pytko
  • KrzysztofPytko
  • Krzysztof_Pytko
  • KrzysztofPytko

There is nothing wrong in this convention but what will happen if some day another Krzysztof Pytko would be hired in a company? In this case you need to somehow differentiate users. One of available options is to add a digit/number at the end of user’s login for example:

  • Krzysztof.Pytko1
  • Krzysztof.Pytko2

and so on.

Another option uses user’s last name and part of first name (let’s say 3 letters), in example:

  • pytkokrz

You can of course use a lot of variants based on a solution shown above but this also does not guarantee unique logins in the environment.

It’s good to have a naming convention which defines unique logins. One of option is to use employee number assigned by HR department. This should be unique for every employee in the company. Of course this might be difficult to remember by user but after few usages it should be easily remembered.

Let’s take a look for few examples

  • 1001000001
  • 0000001
  • 1150010001

everything depends on your company’s policy assigning employee numbers.

The last one example uses country and location identifiers with the next free number. Let’s consider this for Poland/Wroclaw for 15th employee

  • PLWRO015 (for smaller environments up to 1000 users in a location)
  • PLWRO0015 (for medium environments up to 10000 users in a location)
  • PLWRO00015 (for larger environments up to 100000 users in a location)
  • PLWRO000015 (for huge environments up to 1000000 users in a location)

That was not all possible options but this should show you a direction to create your own user’s naming convention.

Groups

As in previous paragraph, every domain is also full of groups. They are mostly used to grant access to resources but they have other purpose like:

  • role
  • fine-grained password policy
  • mail group
  • or other not mentioned here

However, regardless of their destination, every group must belongs to one of those types:

  • domain local
  • global
  • universal

So, you can use as group prefix, its type and it would look like:

  • l – for domain local groups
  • gfor global groups
  • ufor universal groups

OK, I have mentioned group prefix, so this probably means that I have some template to build group’s name? Yes, you’re right, I have something like that. Group naming convention relies on 2 variants in this case and depends on:

  • group is for resource access
  • group is not for resource access

 Let’s take a look what we need for group’s name, designated for resource access control:

  • group prefix
  • department owner
  • group role
  • group suffix

As group prefix, it’s good to choose group type, to simply underline what kind of type it is. Another possibility is to use prefix indicating for a group role. For department owner, specify short name or unique id of team to which it is designated. Group role should clearly define for what this group is used and it may be few words separated by hyphen () or underscore (_). However, I would recommend using hyphens only, it is much more readable form. Group suffix is mostly used only for resource access groups, which states if group has read-only (-r) or modify (-rw) permissions.

OK, let’s see few examples of resource groups for couple of departments:

  • IT department with licensing data
  • HR department with payroll data
  • Finance department with invoices
  • Common resources for all departments with instructions

All group types for IT department in above example are presented below:

  • litlicensing-datar (for read-only access); litlicensing-datarw (for modify access)
  • gitlicensing-datar (for read-only access); gitlicensing-datarw (for modify access)
  • uitlicensing-datar (for read-only access); uitlicensing-datarw (for modify access)

All group types for HR department with payroll data in above example are presented below:

  • lhrpayrollr; lhrpayrollrw
  • ghrpayrollr; ghrpayrollrw
  • uhrpayrollr; uhrpayrollrw

All group types for finance department with invoices data:

  • lfinanceinvoicer; lfinanceinvoicerw
  • gfinanceinvoicer; gfinanceinvoicerw
  • ufinanceinvoicer; ufinanceinvoicerw

and all group types for common resources share in read-only mode as modify is rarely used for all departments:

  • lallinstructionsr
  • gallinstructionsr
  • uallinstructionsr

That was not all possible options but this should show you a direction to create your own groups’s naming convention.

Computers and Servers

OK, now we are going into another important part on naming convention. This scheme is related with user devices and servers. It is really good to have common template for those machines as it would simply allow identifying them without logging on onto them.

There is a lot of possibilities and they rely on how much big is your environment. I will show you just couple of options which may direct you into your own scheme.

Computers

You need to remember that we are still limited to 15 characters in a computer name which is caused by NetBIOS.

Let’s start with the environments where up to 10000 computers in single location is enough.

CCLLLSVVFFFXXXX

where:

  • CC – is for country code
  • LLL – is a location code
  • S – is for operating system type (Windows, Unix, Linux, Solaris, BSD)
  • VV – is operating system version (XP, 07, 08, 81, 10)
  • FFF – is machine function (WKS, NTB, TAB, MOB)
  • XXXX – next number for machine

and below you can find few examples of scheme usage for 2 locations (Poland/Wroclaw and England/London):

  • PLWROW07WKS0001 (for computer with Windows 7)
  • PLWROW81WKS0005 (for computer with Windows 8.1)
  • PLWROW81NTB0015 (for notebook with Windows 8.1)
  • PLWROW81TAB0002 (for tablet with Windows 8.1)
  • UKLONWXPWKS0001 (for computer with Windows XP)
  • UKLONW07NTB0004 (for notebook with Windows 7)
  • UKLONW81TAB0150 (for tablet with Windows 8.1)

in a companies where more devices (up to 100000) are needed in one location, this convention might be selected (this is modification of this one above)

CCLLLSVVFFXXXXX

  • CC – is for country code
  • LLL – is a location code
  • S – is for operating system type (Windows, Unix, Linux, Solaris, BSD)
  • VV – is operating system version (XP, 07, 08, 81, 10)
  • FF – is machine function (PC, NB, TA, MO)
  • XXXXX – next number for machine

just short single example: PLWROW81PC00005

and a case for really large companies where up to 1000000 devices are needed in one location (this is modification of this one above)

  • CC – is for country code
  • LLL – is a location code
  • S – is for operating system type (Windows, Unix, Linux, Solaris, BSD)
  • VV – is operating system version (XP, 07, 08, 81, 10)
  • F – is machine function (Pc, Notebook, Tablet, Mobile)
  • XXXXXX – next number for machine

just short single example: UKLONW81T000015

Servers

Situation with servers name is similar to computers with the same limitation to 15 characters of NetBIOS name. You can simply apply the same scheme with small modifications.

Below scheme is good for environments where no more than 1000 servers of the same role are located within the same site.

CCLLLSVVRFFFXXX

where:

  • CC – is for country code
  • LLL – is a location code
  • S – is for operating system type (Windows, Unix, Linux, Solaris, BSD)
  • VV – is operating system version (03 – 2003, 08 – 2008, 12 – 2012)
  • R – is for operating system release (1 – release 1, 2 – release 2)
  • FFF – is machine function (DCR, DCW, FIL, PRT, APP, MGM)
  • XXX – next number for machine

Machine function in template above states:

  • DCR – Read-Only Domain Controller
  • DCW – Domain Controller
  • FIL – File Server
  • PRT – Print Server
  • APP – Application Server
  • MGM – Management Server

Ok, let’s consider few servers according to above naming convention:

  • PLWROW121DCW001
  • PLWROW122DCW002
  • PLWAWW122DCR001
  • PLWROW082FIL001
  • PLWROW082PRT001
  • PLPOZW032MGM003

this should be enough for most environments but if this is too less then you need to replace one server function character for the digit like:

CCLLLSVVRFFXXXX

you have less letters to describe more detailed server’s role but this allows you to have up to 10000 servers with the same role in the same site.

Let’s see short example of this scheme usage  PLWROW121APP0001

 Printers

To define printer naming convention you have a lot of possibilities, so I will present only one which seems to be good in my opinion. This is using:

SSSPMMMXXX

where:

  • SSS – printer signature
  • P – is it pooled or not (0 – no , 1 – pooled)
  • MMM – device manufacturer (SAM – Samsung, LEX – Lexmark, CAN – Cannon, HPP – HP Printer, KYO – Kyocera, RIC – Ricoh)
  • XXX – device number

Let’s see how this looks in practice:

  • PRT0LEX001
  • PRT0HPP002
  • PRT0RIC001
  • PRT1SAM001

Remember! Put detailed information of the printer’s location in printer’s properties as this is not available in naming convention.

I think that’s all for printers. As I said there is a lot of possibilities but I chose this one.

Group Policies

One more object remained on my list. This is GPO which is rarely used according to any naming convention. Especially in outsourced environments where many administrators are managing group policies.

I strongly suggest to apply some good scheme for those objects as it is much more convenient in management where a lot of policies are deployed.

For Group Policy naming convention you can use:

  • GPO prefix
  • GPO function (words separated by hyphen ““)
  • GPO suffix
  • GPO description (optional out of naming convention)

where GPO prefix is one of:

  • WIN – for Windows policies
  • CTX – for Citrix policies
  • RDS – for Terminal/Remote Desktop Services
  • TST – test policies
  • CUS – customer policies
  • OLD – old policies awaiting for removal

where GPO suffix is one of:

  • LPM – for loopback policy in merge mode
  • LPR – for loopback policy in replace mode
  • SCF – security filtering enabled
  • WMI – WMI filter applied
  • GPP – group policy preferences defined

basing on that, you can create GPOs in your environment. Below couple of examples:

  • winie-restrictions-control-panel
  • ctxscreen-saverlpr
  • tstwsus-updatescf
  • winfolder-mapping-drive-hgpp

and that’s all about naming convention in this article. I hope it was somehow helpful for you and you could build your custom naming convention for Active Directory objects.

Author: Krzysztof Pytko

iSiek’s forum has been launched

 

I would like to announce you that iSiek’s forum about Microsoft Windows services has been launched!

iSiek's forum

iSiek’s forum

I hope you would participate in building new IT community on this forum. I hope we would be able to help each other.

You are invited! I encourage you to register your account for free and start posting your issues or try to help others.

Just some simple forum’s rules

  1. Forum is free of charge. It is maintained from ads.
  2. To contribute in community, free registration is required
  3. Write posts in English
  4. Check forums if similar problem does not exist
  5. Use appropriate forum to post issue
  6. Do not spam
  7. Use external services to attach images/logs and place only link to them
  8. Be polite and do not use vulgarism
  9. If you do not want to help, do not answer

Be a part of this new community and make family atmosphere here.

I hope we will make this IT world better!

Forum address is http://kpytko.pl/forum

Author: Krzysztof Pytko

Windows Server 2003 end of lifetime coming soon

 

As you may heard, Microsoft Windows Server 2003 extended support is ending this year. Exact date is 14.07.2015 !!!

Windows Server 2003 end of support

Windows Server 2003 end of support

You may confirm this information at this site Microsoft Support Lifecycle

If you are surprised reading this note that means you should act quickly. After this date if you still want to have server system updates, you need to pay a lot of money to the company from Redmond.

I think it’s better to replace the old infrastructure with the new one. Especially Domain Controllers.

If you still are using Windows Server 2003 DCs you can start replacing them with newer operating system versions. Below you will find a list of articles which are helpful during this process.

Installing first Domain Controller with newer operating system

  1. Adding first Windows Server 2008 R2 Domain Controller within Windows 2003 network
  2. Adding first Windows Server 2012 Domain Controller within Windows 2003/2008/2008R2 network
  3. Adding first Windows Server 2012 R2 Domain Controller within Windows 2003/2008/2008R2/2012 network

Installing additional Domain Controllers

  1. Adding additional Windows Server 2008R2 Domain Controller
  2. Adding additional Domain Controller (Windows Server 2012)
  3. Adding additional Domain Controller (Windows Server 2012 R2)

Transferring FSMO roles to the new Domain Controller(s)

  1. Transferring FSMO roles from GUI
  2. Transferring FSMO roles from command-line
  3. Transferring FSMO roles with PowerShell

Advertising new time server

  1. Advertising new time server in domain environment

Decommissioning Windows Server 2003 Domain Controller(s)

  1. Decommissioning the old Domain Controller

Raising Domain and Forest functional levels

  1. Raising Domain Functional Level
  2. Raising Forest Functional Level

Setting domain password policy

  1. Domain Password Policy
  2. Setting default domain password policy
  3. Fine-Grained Password Policy in Windows Server 2008/2008R2
  4. Fine-Grained Password Policy in Windows Server 2012/2012R2

Enabling Active Directory Recycle Bin

  1. Active Directory Recycle Bin

Remote Domain Controller promotion

  1. Remote Domain Controller promotion

In case of issues you might find those articles useful:

  1. Decommissioning broken Domain Controller
  2. Seizing FSMO Roles
  3. Seizing FSMO roles with PowerShell
  4. Metadata cleanup for broken Domain Controller
  5. Metadata cleanup over GUI
  6. Re-registering time services
  7. Non-authoritative SYSVOL restore (FRS)
  8. Authoritative SYSVOL restore (FRS)
  9. Active Directory troubleshooting tools

I hope you would be able successfullt replace Windows Server 2003 Domain Controllers with newer operating systems.

Author: Krzysztof Pytko

Setting default domain password policy

 

Every domain environment needs a default domain password policy.

You have it, am I right?

Even if you don’t know, default password policy is available in your domain. By default, you will find all its settings within “Default Domain Policy“. This policy is applied at domain level.

Default Domain Policy

Default Domain Policy

To start with domain password policy, please read the article I published some time ago: Domain Password Policy

The question is: did you review password policy settings and considered password requirements for your environment?

Or just like the most administrators: “Hey, I was hired to this company much more later when password policy was in-place. I did not need to touch it!

Oh really?! Do you know that you (as a domain administrator) are responsible for password security? Yes, you are! So, let’s take closer look at those settings and what you can configure as reasonable default password policy.

 Default password settings

When you deploy new domain, you don’t have to configure password policy from the scratch. There are default values set up.

Default password settings

Default password settings

Of course, password settings should be adjusted to your company needs. Leaving the defaults might not be appropriate and I would strongly recommend to do that.

Let’s see what we can configure there. You will find password policies in two nodes under

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies

These nodes are:

  • Password Policy
  • Account Lockout Policy

In Password Policy node you can configure:

  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Password must meet complexity requirements
  • Store passwords using reversible encryption

and in Account Lockout Policy node are these options:

  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout counter after

Above options are responsible for building good password policy – default domain password policy.

Let’s see what they mean and what you can set up there.

Password Policy settings

This is really important node where you can define how the password would be built and how much secure it is. You need to remember that you are setting default password policy for your domain. All those settings will be applied to every domain account.

Password Policy settings

Password Policy settings

Remember! Users may complain about password setting but only then if you will force them to use very long passwords and if it will expire to often.

Enforce password history

To start building password policy you need to consider how many unique passwords user must set, before it would be possible to go back and use the oldest one.

For that “Enforce password history” setting is responsible. You need to define value, how many unique passwords are required to be set by user, before allowing him to use previous passwords.

Enforce password history explanation

Enforce password history explanation

Allowed value is between 0 (no password history) and 24 (maximum)

For default domain password policy I would suggest to set value of 10.

Changed enforce password history setting

Changed enforce password history setting

This is quite secure and allow much more simple calculation for other setting showed a little bit later in this article.

In this case, the setting means that user must set 10 unique passwords before he can go back and use first from the previous list of passwords.

There is slight chance that user would not reuse his passwords 🙂

Maximum password age

Another important setting in the policy is how often users must change their password.

Maximum password age explanation

Maximum password age explanation

Maximum password age value must be between 0 and 998 days.

Setting value of 0 causes that password expires every 0 days! That means in reality – password never expires

You definitively should avoid of using this value in productive environments! Especially that this is not easy to find out, because password never expires flag is not modified and you cannot see this directly in Active Directory Users and Computers console. Password never expires checkbox is NOT selected then!

Note! Good practice shows that password should be changed in range of 30 – 90 days.

When you set this value up too short, users would complain that they have to change password too often. This might cause a problem with “yellow sticks” around computer where users write their passwords!

For default domain password policy 90 days look reasonable and users are not complaining too much.

Maximum password age setting

Maximum password age setting

I would recommend of setting this value for the maximum password age. Password change once per 3 months is acceptable and no one should complain.

Minimum password age

This is really important setting and as I can see many administrators are afraid of setting this value to custom time.

Information! Minimum password age policy is responsible for controlling how often user is allowed to change the password.

Mostly, in the environments I see one of these two values:

  • 0 days
  • 1 day

By the default, you can find 1 day as minimum password age setting.

This means that user can change the password and in if he wants to do that again, he needs to wait 1 day before it would be possible again.

Minimum password age explanation

Minimum password age explanation

OK, but what’s wrong in this setting?

User is allowed to change the password once per day. That means, user can repeat this procedure every day to go back to his first (favourite) password.

At current stage, you defined 10 unique passwords, so after 10 days, user would be able to reuse his previous password again and use it for the next 80 days until system will force its change!

The situation looks even worse if the setting contains 0 days as a value.

There is no restriction to password change time limit for user! This means, user can simply go back to the previous password within the same day!

Setting strength options in other policies does not make sense as you can see, user would be able to have always the same password, all the time.

That’s why this setting is really important!

So, how should I set up this value?

I was wondering how to adjust this value in different environments and I figured it out.

I invented a formula to calculate appropriate value. Because password policies vary in every environment, I needed some common way to achieve this.

To simply calculate this value I used:

  • Enforce password history count
  • Maximum password age
Minumum password age formula

Minumum password age formula

This is really secure and reasonable value. You may be sure that user would not be able to reuse the first password during one password life cycle.

Hey, but users start complaining that they cannot change password on demand!

No, they would not! Believe me 🙂

The number of regular users, who are changing their passwords before forced by the system, is less than 1% in every environment.

Even administrator would not do that themselves 😀

Besides, they are allowed to change their password, but not every day.

That would help you to find out what is going on in your domain when some users will call IT department or HelpDesk too frequenty and request password change. Maybe an account is shared between other users? 🙂

Relying on this formula Minimum password age value is 10 days

Minimum password age

Minimum password age

and put calculated minimum password age into policy

Minimum password age setting

Minimum password age setting

Minimum password length

Ok, password life cycle is defined but we need to set up its length. You know that above settings would be nothing if you allow to use too simple password, rigth?

The setting should be chose wisely as enforcing users to set very long password might cause an issue with forgoten passwords or account lockouts. Sometimes it might be worse, they would use “yellow sticks” where password is written.

Possible values for this setting are between 1 and 14 characters.

Minimum password length explanation

Minimum password length explanation

When you set this up to 0 characters then password would not be required. Of course this is strongly not recommended!

Setting it between 8 -12 charactes is good enough and no one should complain.

Minimum password length setting

Minimum password length setting

Password must meet complexity requirements

Another important password policy setting.

If you do not use this option, your password policy would be weak.

Thanks to this setting you have to use 3 types of different characters out of 4 groups:

  • uppercase characters [A – Z]
  • lowercase characters [a – z ]
  • digits [0 – 9]
  • special characters [!@#$%^&*()-=_+]

This policy may be enabled or disabled. When it’s enabled, password is much more secure and of course I would recommend to have it enabled.

Password must meet complexity requirements explanation

Password must meet complexity requirements explanation

Store passwords using reversible encryption

That setting should never be enabled in default domain password policy unless you really need it and you have Windows Server 2000/2003 Domain Functional Level where Fine-Grained Password Policies are unavailable.

Enabling this setting causes that password is unsafe as it is stored like it would be saved in plain text!

Store passwords using reversible encryption explanation

Store passwords using reversible encryption explanation

That’s all about defined password policy strength.

Now it’s time to configure policies responisble for account lockout behavior.

Account Lockout Policy settings

Policies located under this node are responsible for locking account if user types password incorrectly few times in a row.

By default, they are unconfigured and account is not locking at all!

So, if this is not configured should I take care of it? If you are asking me – yes, always!

This should be configured in every domain environment. Even if you think that it is not necessary, turn it on.

Just set up Account lockout threshold value to something really high like 50. That’s quite enough failed logon attempts for users and still prevents infinite password guess by hackers or other dangerous stuff.

Let’s take a look at those policies and try to configure them reasonably.

Account lockout threshold

As mentioned above, if you think that you do not need this policy, turn it on and specify high number like 50 attempts

That’s quite enough failed logon attempts for users and still prevents infitite password guess by hackers or other dangerous stuff.

Account lockout threshold explanation

Account lockout threshold explanation

In other case when you would like to implement this feature in your environment, please follow below formula

Account lockout threshold formula

Account lockout threshold formula

This would allow your users to check every password used in the past and gives them extra 2 tries if some typo would appear in the password box. After that they will call IT or HelpDesk team 🙂

Based on that formula, current value is 12 failed logon attempts before account is locked out

Account lockout threshold value

Account lockout threshold value

Just set this up in the policy and 2 other option would activate

Account lockout threshold setting

Account lockout threshold setting

When you apply changes, another windows with 2 other settings appear filled with deafult values

Account lockout options

Account lockout options

Account lockout duration

Account lockout duration policy is responsible for locking a domain account for specified duration of time. When failed attempt logon count is reached, this policy locks temporarily the account.

When specified time passes, the account is unlocked and user may try to logon again using his credentials. To logon sooner, user needs to contact with IT or HelpDesk department and request manual account unlock.

Account lockout duration time explanation

Account lockout duration time explanation

Default value for this policy is reasonable. 30 minutes of account lockout is acceptable, after that time user is able to try to logon again.

If you need much more control when account is locked out, set up 0 as a value. Then account must be always unlocked by administrator.

Reset account lockout counter after

This setting must be less or equal to Account lockout duration time. It defines after what time failed logon attempt is reset and user may try to logon once again.

The setting gives user one more chance and if password is provided inproperly, account is locked out again for time specified in Accout lockout duration policy.

Reset account lockout counter after explanation

Reset account lockout counter after explanation

I would strongly recommend leaving the value with the same time as in Account lockout duration. Then users would not try to experiment with their password and do not extend lockout period.

When you implement all those setting in your password policy, take a look at its summary

New password policy summary

New password policy summary

it looks much better and much more secure than the deafult one and maybe better than your previous policy 🙂

Now, you need to only refresh password policy on your Domain Controllers and test if it is working fine for the next password change.

On Windows Server 2003, 2008 and 2008R2 open command line and type

gpudate /force
gpupdate /force

gpupdate /force

to start refreshing group policies

GPOs refreshed

GPOs refreshed

On Windows Server 2012 and 2012R2 use PowerShell cmd-let for that

Invoke-GPUpdate
Invoke-GPUpdate cmd-let

Invoke-GPUpdate cmd-let

to get the same result as above.

And that’s all. Your default domain password policy is wisely implemented.

If you wish to deploy other password policies for other group of users and you have at least Windows Server 2008 Domain Functional Level please read these articles on my blog how to do that.

Fine-Grained Password Policy in Windows Server 2008/2008R2

Fine-Grained Password Policy in Windows Server 2012/2012R2

Author: Krzysztof Pytko

Moving Active Directory database

 

Sometimes, you may need to move Active Directory database from one location to another. This location may be a different folder or different drive. When you need to do that, you are not allowed to use standard copy/move option within Windows operating system.

This kind of action is not supported when Active Directory services/Active Directory:Domain Services are running!

You need to use a tool named: ntdsutil

This is command-line tool which allows to move Active Directory database to another location.

Important! When you are moving AD database, specified location must exists! You cannot move database to non-existing drive or folder!

To move Active Directory database, you need to evaluate on which operating system version this particular Domain Controller is running

Windows Server 2003

In Windows Server 2003 you need to restart Domain Controller into Directory Services Restore Mode which is accessible when you press F8 key, during Windows system startup. Choose this mode from the list and press “enter” to run it

DSRM mode startup

DSRM mode startup

Warning! Remember, when you do that, your Domain Controller does not support Active Directory authentication and other roles/services are unavailable for users! Be aware in locations/Sites where you have only single DC, because during this operation, DC and all its roles ( i.e. DNS, DHCP) are not working!

Wait until logon screen will appear

DSRM mode logon screen

DSRM mode logon screen

Press “CTRL+ALT+DEL” and provide Directory Services Restore Mode administrator password.

Note! This password may be different (and it should be) than standard domain administrator password! If you did not change it since DC promotion, then you need to find it in your documentation before you can proceed.

DSRM mode administrator password

DSRM mode administrator password

You will be informed that server is running in Safe mode

Safe mode warning

Safe mode warning

Now, you need to start command-line where you will execute ntdsutil tool

Running command-line

Running command-line

To run ntdsutil type in command prompt

ntdsutil
Running ntdsutil tool

Running ntdsutil tool

and check if desired folder structure is available before you will move AD database. If not, create it or attach the drive into system.When you do not create a folder, it is created by ntdsutil automatically during database move process.

Warning! You cannot use removable disk to store Active Directory database. Disk needs to be NTFS formatted partition. AD DB does not support FAT/FAT32/ReFS file systems!

Veryfying target folder for AD database

Veryfying target folder for AD database

now, you need to go into files context of ntdsutil tool where you are allowed to operate on AD database files (DB and logs)

ntdsutil - file maintenance context

ntdsutil – file maintenance context

there are few options for file maintenance but in this article only 2 options are interesting for us:

  • Move DB to Path-to-the-new-location
  • Move logs to Path-to-the-new-location
File maintenance options

File maintenance options

so, let’s move Active Directory database to the new location (in this example E:ADDB)

Put this syntax into command prompt window

move DB to E:ADDB
Moving AD database

Moving AD database

and wait some time, while AD DB is being moved to the new location

AD DB is moving

AD DB is moving

As you could see in the screen above, AD DB was move with built-in command move while Active Directory services/Active Directory:Domain Services are not running!

Let’s verify if Active Directory database was moved to specified location. Just check that using Windows Explorer and go to that location

AD database new location

AD database new location

or type in command prompt inside of ntdsutil

info
AD database new location

AD database new location

ok, Active Directory database was moved and I strongly suggest to move also its log files to the same location. For that you need to use the option

move logs to E:ADDB

where E:ADDB is a folder on your server

Moving AD logs to the new location

Moving AD logs to the new location

and wait some time, while logs are being moved to the new location

AD logs are moving

AD logs are moving

OK, let’s verify if Active Directory logs were moved to specified location. Just check that using Windows Explorer and go to that location

AD logs new location

AD logs new location

All logs are in the same location as AD database. You can also verify that within ntdsutil typing

info
AD logs new location

AD logs new location

Now, you need to schedule System State backup of your Domain Controller to have an up-to-data backup with AD database and its logs in the new location.

That’s all, you may close ntdsutil by typing quit twice and close command-line window

Leaving ntdsutil

Leaving ntdsutil

Reboot server into its regular mode and you’re done!

Windows Server 2008/2008R2

With Windows Server 2008/2008R2 this process is much more quick than with previous Microsoft OSes. Windows Server 2008 introduced for the first time Active Directory role as a service. This improvement allows you to simply stop the service without rebooting a server into Directory Services Restore Mode.

What are the main benefits of this solution?

  • You do not waste time required for server reboot
  • Other services are still available for users
  • Even DNS or DHCP servers are still runnig while at least one Domain Controller is available!

Note! Please remember, when you have single Domain Controller and you stop Active Directory Domain Services service, DC will not provide services as it was in Windows Server 2003 DSRM mode!

So, how can you do that in Windows Server 2008/2008R2? The same way as in Windows Server 2003 except server reboot into DSRM mode. Just simply stop Active Directory Domain Services service and run from elevated command-line ntdsutil tool.

First of all, you have to stop Active Directory Domain Services service, run elevated command-line

Running elevated command prompt

Running elevated command prompt

and type below command to stop Active Directory Domain Services (NTDS) service

net stop ntds
Stopping Active Directory: Domain Services service

Stopping Active Directory: Domain Services service

confirm you are sure that follwing services also will be stopped by typing Y and pressing enter

Stopping dependent services

Stopping dependent services

Now, you can start ntdsutil tool to initite Active Directory database move process. Type in command-line

ntdsutil
Executing ntdsutil tool

Executing ntdsutil tool

and check if desired folder structure is available before you will move AD database. If not, create it or attach the drive into system.When you do not create a folder, it is created by ntdsutil automatically during database move process.

Warning! You cannot use removable disk to store Active Directory database. Disk needs to be NTFS formatted partition. AD DB does not support FAT/FAT32/ReFS file systems!

Target folder verification

Target folder verification

and before you are allowed to execute files context, you have to set up active AD DB instance. To do that type

activate instance NTDS
Activating NTDS instance

Activating NTDS instance

now, you can go into files context of ntdsutil tool where you are allowed to operate on AD database files (DB and logs). Type

files
ntdsutil - files maintenance

ntdsutil – files maintenance

there are few options for file maintenance but in this article only 2 options are interesting for us:

  • Move DB to Path-to-the-new-location
  • Move logs to Path-to-the-new-location
Files maintenance options

Files maintenance options

so, let’s move Active Directory database to the new location (in this example E:ADDB)

Put this syntax into command prompt window

move DB to E:ADDB
Moving AD DB to the new location

Moving AD DB to the new location

and wait some time, while logs are being moved to the new location

AD DB moved

AD DB moved

As you could see in the screen above, AD DB was move with built-in command move while Active Directory services/Active Directory:Domain Services are not running!

Let’s verify if Active Directory database was moved to specified location. Just check that using Windows Explorer and go to that location

AD DB new location

AD DB new location

or type in command prompt inside of ntdsutil

info
Active Directory database new location

Active Directory database new location

ok, Active Directory database was moved and I strongly suggest to move also its log files to the same location. For that you need to use the option

move logs to E:ADDB

where E:ADDB is a folder on your server

Moving AD log files

Moving AD log files

and wait some time, while logs are being moved to the new location

Moving AD logs

Moving AD logs

OK, let’s verify if Active Directory logs were moved to specified location. Just check that using Windows Explorer and go to that location

Active Directory logs new location

Active Directory logs new location

All logs are in the same location as AD database. You can also verify that within ntdsutil typing

info
Active Directory logs new location

Active Directory logs new location

Now, you need to schedule System State backup of your Domain Controller to have an up-to-data backup with AD database and its logs in the new location.

That’s all, you may close ntdsutil by typing quit twice

Leaving ntdsutil

Leaving ntdsutil

and now it’s time to start Active Directory Domain Services service, type in command-line

net start NTDS
Starting AD DS service

Starting AD DS service

just verify if these services were also started with AD DS service (should be ran automatically)

  • File Replication Service (NtFRS)
  • Kerberos Key Distribution Center (KDC)
  • Intersite Messaging (IsmServ)
  • DNS Server (DNS)

if so, you’re done!

Windows Server 2012/2012R2

In Windows Server 2012/2012 R2 this procedure is exactly the same as for Windows Server 2008/2008R2. All steps described for previous Microsoft operating system version apply to these two new operating systems too.

Let’s see how this procedure looks like on Windows Server 2012/2012R2

Note! Please remember, when you have single Domain Controller and you stop Active Directory Domain Services service, DC will not provide services as it was in Windows Server 2003 DSRM mode!

So, how can you do that in Windows Server 2012/2012R2? The same way as in Windows Server 2008. Just simply stop Active Directory Domain Services (NTDS) service and run from elevated command-line ntdsutil tool.

First of all, you have to stop Active Directory Domain Services service, run elevated command prompt

Running elevated command prompt

Running elevated command prompt

and type below command to stop Active Directory Domain Services (NTDS) service

net stop ntds
Stopping NTDS service

Stopping NTDS service

confirm you are sure that follwing services also will be stopped by typing Y and pressing enter

Dependent services to be stopped

Dependent services to be stopped

Now, you can start ntdsutil tool to initite Active Directory database move process. Type in command-line

ntdsutil
Executing ntdsutil

Executing ntdsutil

and check if desired folder structure is available before you will move AD database. If not, create it or attach the drive into system.When you do not create a folder, it is created by ntdsutil automatically during database move process.

Warning! You cannot use removable disk to store Active Directory database. Disk needs to be NTFS formatted partition. AD DB does not support FAT/FAT32/ReFS file systems!

Target folder verification

Target folder verification

and before you are allowed to execute files context, you have to set up active AD DB instance. To do that type

activate instance NTDS
Setting NTDS instance

Setting NTDS instance

now, you can go into files context of ntdsutil tool where you are allowed to operate on AD database files (DB and logs). Type

files
Files maintenance context

Files maintenance context

there are few options for file maintenance but in this article only 2 options are interesting for us:

  • Move DB to Path-to-the-new-location
  • Move logs to Path-to-the-new-location
Active Directory database and logs move options

Active Directory database and logs move options

so, let’s move Active Directory database to the new location (in this example E:ADDB)

Put this syntax into command prompt window

move DB to E:ADDB
Moving Active Directory database

Moving Active Directory database

and wait some time, while logs are being moved to the new location

Moving Active Directory database

Moving Active Directory database

As you could see in the screen above, AD DB was move with built-in command move while Active Directory services/Active Directory Domain Services are not running!

Let’s verify if Active Directory database was moved to specified location. Just check that using Windows Explorer and go to that location

New Active Directory database location

New Active Directory database location

or type in command prompt inside of ntdsutil

info
New Active Directory database location

New Active Directory database location

ok, Active Directory database was moved and I strongly suggest to move also its log files to the same location. For that you need to use the option

move logs to E:ADDB

where E:ADDB is a folder on your server

Moving Active Directory logs

Moving Active Directory logs

and wait some time, while logs are being moved to the new location

Moving Active Directory logs

Moving Active Directory logs

OK, let’s verify if Active Directory logs were moved to specified location. Just check that using Windows Explorer and go to that location

New Active Directory logs location

New Active Directory logs location

All logs are in the same location as AD database. You can also verify that within ntdsutil typing

info
New Active Directory logs location

New Active Directory logs location

Now, you need to schedule System State backup of your Domain Controller to have an up-to-data backup with AD database and its logs in the new location.

That’s all, you may close ntdsutil by typing quit twice

Leaving ntdsutil

Leaving ntdsutil

and now it’s time to start Active Directory Domain Services service, type in command-line

net start NTDS
Starting Active DIrectory Domain Services service

Starting Active DIrectory Domain Services service

just verify if these services were also started with AD DS service (should be ran automatically)

  • File Replication Service (NtFRS)
  • Kerberos Key Distribution Center (KDC)
  • Intersite Messaging (IsmServ)
  • DNS Server (DNS)

if so, you’re done!

Author: Krzysztof Pytko

Authoritative SYSVOL restore (FRS)

 

In my previous article “Non-authoritative SYSVOL restore (FRS)” I showed you, how to do a non-authoritative restore of SYSVOL.

What if you have bigger mess on your Domain Controllers with SYSVOL?
What if the most of DCs do not replicate SYSVOL or its changes?

What can you do, if you want to restore SYSVOL from a backup and you prefer it as a replication source?  Then you have another option, authoritative SYSVOL restore.

Today, I will show you, how to do that.

But, first of all. What is the basic difference between non-authoritative and authoritative SYSVOL restore?

In the first case (non-authoritative) you only touch SYSVOL on one DC at the time. The rest of your Domain Controllers are running and sharing SYSVOL for users. Only this particular DC has disabled SYSVOL during non-authoritative restore procedure.

The second case (authoritative) is much more visible for users. All of Domain Controllers do not run and share SYSVOL where Group Policies and logon scripts are located. When you decide to do authoritative SYSVOL restore, you need to inform all administrators to not create/modify Group Policies during that time. All other domain services are running except access to SYSVOL. So, this action should be performed out of office business hours.

How to start authoritative SYSVOL restore? What do you need to do first?

You should identify which Domain Controller is holding PDC Emulator operation master role. As you know, one of its functions is to manage and maintain GPOs. When you create or modify existing GPO, it is done directly on this Domain Controller.

If you need to restore SYSVOL from backup, it should also be done directly on PDC Emulator operation master role holder, from which you will initiate authoritative SYSVOL restore.

So, let’s see, how we can do that.

Log on to PDC Emulator FSMO role holder. If you do not know, which Domain Controller holds this role, run in command-line/elevated command-line on any of your DCs

netdom query fsmo
Finding PDC Emulator role holder

Finding PDC Emulator role holder

and you’ll see which DC is holding this role.

When you are logged on on this Domain Controller, you need to evaluate how many DCs are in your domain. The most simple way to check that is using Microsoft DS tools on a DC. Type in command-line

dsquery server -name * -limit 0 | dsget server -dnsname | find /v "dnsname" | find /v "dsget" >c:dcslist.txt
Collecting all Domain Controllers in a domain

Collecting all Domain Controllers in a domain

after you ran this command, on your DC’s C-Drive, you should find a text file named dcslist.txt Check its content, there are all Domain Controllers for your domain

All Domain Controllers in a file

All Domain Controllers in a file

On all of those Domain Controllers, you have to stop File Replication Service before you will be able to initiate authoritative SYSVOL restore, type in command prompt

net stop ntfrs
Stopping File Replication Service

Stopping File Replication Service

When you are sure that all of Domain Controllers have stopped FRS service, you can start restore.

You need to run registry editor on your PDC Emulator operation master role holder

Executing registry editor

Executing registry editor

and go to BurFlags value location

HKEY_LOCAL_MACHINESystemCurrentControlSetServicesNtFrsParametersBackup/RestoreProcess at Startup
BurFlags value location

BurFlags value location

to be able to modify BurFlags value, double-click on it and put D4 (hexadecimal) as a value

Setting BurFlags value

Setting BurFlags value

This sets Domain Controller as an authoritative source for SYSVOL replication. All other DCs will pull SYSVOL content from this server.

Now, you have to start File Replication Service on PDC Emulator role holder DC. Type in command-line

net start ntfrs
Running File Replication Service

Running File Replication Service

Refresh (F5 key) registry editior and you should see that BurFlags value is reset to 0

BurFlags value reset

BurFlags value reset

Check File Replication Service event log and search event IDs

  • 13566
  • 13516

If both of them are available then authoritative restore is configured.

Now, you need to log on to the rest of Domain Controllers and set up D2 BurFlags value to initialize non-authoritative restore of SYSVOL from specified server.

BurFlags value should be changed in the same location as for the previous DC, but instead od D4 value you have to specify D2

Location of this value is

HKEY_LOCAL_MACHINESystemCurrentControlSetServicesNtFrsParametersBackup/RestoreProcess at Startup
BurFlags value location

BurFlags value location

Double-click the value and set up D2 (hexadecimal)

Changing BurFlags value

Changing BurFlags value

Before you will start FRS service, I would suggest to delete content of these 2 folders

  • %WINDIR%SYSVOLdomainPolicies
  • %WINDIR%SYSVOLdomainScripts

Note! (by default, if you changed SYSVOL location during DC promotion, you need to refer to your own location)

Warning! When you set up D2 BurFlags value, you need to know that during restoration time, your DC is prevent to be a Domain Controller! So, you need to be careful in locations/Sites where you have only single DC or you are going for authentication over WAN-link!

Now, you need to run File Replication Service and wait a while for SYSVOL replication.

After you ran FRS service, you should notice that BurFlags entry was reset to 0

BurFlags value reset

BurFlags value reset

From time to time, refresh File Replication Service event log and check for event ID 13516

When you see this event ID that SYSVOL replication is finished and your Domain Controller is ready to share SYSVOL for users.

SYSVOL re-initialized

SYSVOL re-initialized

When you see event ID 13520 that means, you did not remove content of policies and scripts folders. Do not worry they were moved to another folder which may be removed after all

SYSVOL content moved

SYSVOL content moved

All you need to complete the authoritative SYSVOL restore is to log on to EVERY Domain Controller and perform D2 BurFlags set up

Information! Microsoft does not recommend doing more than 15 concurrent non-authoritative restores to prevent performance issues. Remember that when you are doing authoritative restore in bigger Active Directory environments!

And that’s all! You fixed your broken SYSVOL share.

<<< Previous part

Author: Krzysztof Pytko

Non-authoritative SYSVOL restore (FRS)

 

When you are working in Active Directory environment you may fall into this problem, especially in case where you have many Domain Controllers. Sometimes you may figure out that one or more Domain Controllers are out of date with SYSVOL replication.

Each Domain Controller has its own folder where GPOs and scripts are saved. This folder is located under %WINDIR%SYSVOLdomain (by default, if you changed that location during DC promotion, you need to refer to your own location).

There are 2 folders:

  • Policies where Group Policies are saved (%WINDIR%SYSVOLdomainPolicies)
  • Scripts where logon scripts or other files are saved (%WINDIR%SYSVOLdomainScripts shared as NETLOGON)

If a DC does not replicate SYSVOL you can see that some Group Policies (GPOs) or scripts are not available on DC(s) in SYSVOLdomain folder on particular DC. Another symptom may be that all GPOs are in place but they are not updated.

When you notice one of these behaviors, you would need to do non-authoritative SYSVOL restore which re-deploys SYSVOL data from working Domain Controller (holding PDC Emulator operations master role).

How to be sure if you need non-authoritative SYSVOL restore? There is no simple answer because that depends on the size of your Active Directory and number of Domain Controllers.

When we can decide to start this kind of retore ?

  • one DC out of couple does not replicate SYSVOL
  • a few DCs out of many do not replicate SYSVOL
  • more than few but less than 50% of them do not replicate SYSVOL

above examples are typical scenarios for non-authoritative SYSVOL restore.

Let’s see how you to do that.

First of all, you need to find out which DC or DCs does/do not replicate SYSVOL. Then you have to start SYSVOL restore.

When you see an empty SYSVOL, this may suggest that Domain Controller initialization where not finished after server was promoted. Active Directory database was replicated but SYSVOL was not. In this case, you can simply perform non-authoritative restore and SYSVOL should be replicated.

Empty SYSVOL folder

Empty SYSVOL folder

Another case is when DC, is not up to date with SYSVOL. Some policies are missing and non-authoritative SYSVOL restore would be helpful.

Missing Group Policies under SYSVOL

Missing Group Policies under SYSVOL

When you log on to Domain Controller with PDC Emulator operation master role, you should see that there are more policies than on those faulty Domain Controllers

All Group Policies on DC with PDC Emulator role

So, you can see that those Domain Controllers need SYSVOL restore to have all data up-to-date.

Now, it’s time to play with non-authoritative SYSVOL restore. Log on to the DC which is out of replication with SYSVOL and stop File Replication Service (NtFRS) from command-line/elevated command-line. Type

net stop ntfrs
Stopping File Replication Service

Stopping File Replication Service

Now, you need to change some setting in Windows registry.

Warning! Be careful, do not change other entries than showed in this artcile, you may destroy your server!

You need to open registry editor from run box

Executing registry editor

Executing registry editor

Now, you need to find below key:

HKEY_LOCAL_MACHINESystemCurrentControlSetServicesNtFrsParametersBackup/RestoreProcess at Startup
BurFlags value location

BurFlags value location

and change BurFlags value from 0 to D2 (hexadecimal) by editing it

Changing BurFlags value

Changing BurFlags value

Before you will start FRS service, I would suggest to remove all content from those 2 folders

  • %WINDIR%SYSVOLdomainPolicies
  • %WINDIR%SYSVOLdomainScripts

Note! (by default, if you changed SYSVOL location during DC promotion, you need to refer to your own location)

Warning! When you set up D2 BurFlags value, you need to know that during restoration time, your DC is prevent to be a Domain Controller! So, you need to be careful in locations/Sites where you have only single DC or you are going for authentication over WAN-link!

Now, it’s time to start File Replication Service. Type in command-line

net start ntfrs
Running File Replication Service

Running File Replication Service

When you refresh (F5 key) registry editor, you should see that BurFlgs values has changed back to 0

BurFlags value reset

BurFlags value reset

and you should also check “File Replication Service” event log. Please check if event id 13565 appeared. That means, server has initiated SYSVOL replication and you need to wait a while. You have to refresh event log from time to time and check if these event IDs appeared:

  • 13553
  • 13516

when you can see them, SYSVOL replication is over and your Domain Controller is up-to-date.

SYSVOL re-initialized

SYSVOL re-initialized

SYSVOL re-initialized

SYSVOL re-initialized

Verify if SYSVOL share is available on your Domain Controller, type in command-line

net share
SYSVOL share verification

SYSVOL share verification

go to %WINDIR%SYSVOLdomainPolicies and check if data is replicated

SYSVOL content verification

SYSVOL content verification

That’s all! Everything you need to do is to repeat all those steps on each Domain Controller which does not replicate SYSVOL volume.

Done!

Next part >>>

Author: Krzysztof Pytko

How to re-register time services on a server

 

This time, I would like to show you, how you can simply fix an issue with time services on your server. That method helps in 90% of cases with time issues.

Sometimes, you may notice a server is out of time in your domain environment. The first method you should follow is re-registering time services on that server. When it fails then much more deep investigation might be needed.

So, let’s check how we can re-register time services on a server.

Windows Server 2003

Log on to the server directly or over Remote Desktop connection and run command prompt by typing in run box

cmd.exe
Running command promt

Running command promt

and provide a command to stop “Windows Time services” by entering

net stop w32time
Stopping Windows Time services

Stopping Windows Time services

or stop the service from GUI console

services.msc
Running "Services" console

Running “Services” console

Now, search for “Windows Time” service which should be started

Searching "Windows Time" service

Searching “Windows Time” service

Double click on it and you’ll see its details, like:

  • service name (w32time)
  • display name (Windows Time)
  • description
  • Path to executable file
  • Startup type (Automatic by default)
  • service status (Started)
Service details

Service details

To stop the service, simply click on “Stop” button and wait a while

Stopping service

Stopping service

Service is stopping

Service is stopping

you should see that service is stopped

Service is stopped

Service is stopped

Now, you can start time services re-registering procedure. The command you need to use is called

w32tm.exe

It is responsible for time management in a domain or on a single server in a workgroup.

First of all, you have to unregister time service by typing

w32tm.exe /unregister
Unregistering time service

Unregistering time service

and now, register service using /register parameter

w32tm.exe /register
Registering time service

Registering time service

and the last, final step requires to start Windows Time service in command prompt

net start w32time
Starting Windows Time service

Starting Windows Time service

or you may do that using GUI console as well. Just click on “Start” button and wait a while for service startup

Starting Windows Time service from GUI console

Starting Windows Time service from GUI console

Service is starting

Service is starting

That’s all. Re-registration procedure has been done. From now, you should see that time is accurate on the server. It comes from your Domain Controller or from other NTP server (depends on network configuration).

If not then you’ll need to deeply investigate the case.

But this is not a part of this article. I’ll try to post another article on troubleshooting services.

Windows Server 2008/2008R2

The procedure required for Windows Time service re-registration is EXACTLY the same as for Windows Server 2003. The only one difference is that you need to execute command prompt in elevated mode as administrator. The rest steps are the same.

Log on to the server directly or over Remote Desktop connection and run elevated command prompt from “Start” menu. Go to “All Programs -> Accessories” and click right mouse button on “Command prompt“. Select “Run as administrator” from the context menu

Running elevated command prompt

Running elevated command prompt

provide a command to stop “Windows Time” service by entering

net stop w32time
Stopping Windows Time service in command-line

Stopping Windows Time service in command-line

or use the same GUI console for that, as it was for Windows Server 2003

services.msc
Running services GUI console

Running services GUI console

and search for “Windows Time” service on the list

Searching for Windows Time service on the list

Searching for Windows Time service on the list

Double click on it and you’ll see its details, like:

  • service name (w32time)
  • display name (Windows Time)
  • description
  • path to executable file
  • startup type (Manual by default) -> startup type is changed in comparison to Windows Server 2003
  • service status (Started)
Service details

Service details

To stop the service, simply click on “Stop” button and wait a while

Stopping Windows Time service from GUI console

Stopping Windows Time service from GUI console

Service is stopping

Service is stopping

after a while, you should see that service is stopped

Service is stopped

Service is stopped

Now, you can start time services re-registering procedure. The command you need to use is called

w32tm.exe

It is responsible for time management in a domain or on a single server in a workgroup.

First of all, you have to unregister time service by typing

w32tm.exe /unregister
Unregistering time service

Unregistering time service

and now, register service using /register parameter

w32tm.exe /register
Registering time service

Registering time service

and the last, final step requires to start Windows Time service in command prompt

net start w32time
Starting Windows Time service from command prompt

Starting Windows Time service from command prompt

or you may do that using GUI console as well. Just click on “Start” button and wait a while for service startup

Starting Windows Time service from GUI console

Starting Windows Time service from GUI console

Service is starting

Service is starting

That’s all. Re-registration procedure has been done. From now, you should see that time is accurate on the server. It comes from your Domain Controller or from other NTP server (depends on network configuration).

If not then you’ll need to deeply investigate the case.

But this is not a part of this article. I’ll try to post another article on troubleshooting services.

Windows Server 2012/2012R2

The procedure required for Windows Time service re-registration is EXACTLY the same as for Windows Server 2003 and Windows Server 2008/2008R2. The only one difference is that you need to execute command prompt in elevated mode as administrator. The rest steps are the same.

Log on to the server directly or over Remote Desktop connection and run elevated command prompt from “Start” tile. Move mouse cursor to the left bottom corner and wait until “Start” tile appears (Windows Server 2012) or do it directly on it (Windows Server 2012 R2). Click on it right mouse buttond and select “Command Prompt (Admin)

Running elevated command prompt

Running elevated command prompt

provide a command to stop “Windows Time” service by entering

net stop w32time
Stopping Windows Time service from command prompt

Stopping Windows Time service from command prompt

or use the same GUI console for that, as it was for Windows Server 2003/2008/2008R2

services.msc
Running services GUI console

Running services GUI console

and search for “Windows Time” service on the list

Searching Windows Time service on the list

Searching Windows Time service on the list

Double click on it and you’ll see its details, like:

  • service name (w32time)
  • display name (Windows Time)
  • description
  • path to executable file
  • startup type (Manual Trigger Start by default) -> startup type is changed in comparison to Windows Server 2003/2008/2008R2
  • service status (Running)
Service details

Service details

To stop the service, simply click on “Stop” button and wait a while

Stopping Windows Time service from GUI console

Stopping Windows Time service from GUI console

Service is stopping

Service is stopping

after a while, you should see that service is stopped

Service is stopped

Service is stopped

Now, you can start time services re-registering procedure. The command you need to use is called

w32tm.exe

It is responsible for time management in a domain or on a single server in a workgroup.

First of all, you have to unregister time service by typing

w32tm.exe /unregister
Unregistering Windows Time service

Unregistering Windows Time service

and now, register service using /register parameter

w32tm.exe /register
Registering time service

Registering time service

and the last, final step requires to start Windows Time service in command prompt

net start w32time
Starting Windows Time service from command prompt

Starting Windows Time service from command prompt

or you may do that using GUI console as well. Just click on “Start” button and wait a while for service startup

Starting service from GUI console

Starting service from GUI console

Service is starting

Service is starting

That’s all. Re-registration procedure has been done. From now, you should see that time is accurate on the server. It comes from your Domain Controller or from other NTP server (depends on network configuration).

If not then you’ll need to deeply investigate the case.

But this is not a part of this article. I’ll try to post another article on troubleshooting services.

Author: Krzysztof Pytko