
Adding first Windows Server 2012 R2 Domain Controller within Windows 2003/2008/2008R2/2012 network

 

If you plan to do this, be aware that nothing has changed since the previous release (Windows Server 2012). All the steps described for Windows Server 2012 are still valid for Windows Server 2012 R2.

I will not rewrite that article; if you are interested, please read the article Adding first Windows Server 2012 Domain Controller within Windows 2003/2008/2008R2 network on my blog.

I hope you would find it useful.

Author: Krzysztof Pytko

Adding first Windows Server 2012 Domain Controller within Windows 2003/2008/2008R2 network

 

Prerequisites

To be able to configure a Windows Server 2012 Domain Controller within a Windows 2003/2008/2008R2 network, we need to check that the Forest Functional Level is at least Windows 2003 mode. This is the lowest Forest Functional Level that allows a Windows Server 2012 Domain Controller installation, which means Windows 2000 DCs are no longer supported: Microsoft does not support them alongside 2012 Domain Controllers. It’s time to forget about these old DCs.

Windows Server 2012 DC Forest Functional Level requirements

We can check this in the domain where we want to install the first 2012 DC. To verify it, use the “Active Directory Users and Computers” or “Active Directory Domains and Trusts” console.

Using the “Active Directory Users and Computers” console, select your domain, right-click it (RMB) and choose “Raise Domain Functional Level” to see the current level.

If you see a screen like this (Windows 2003 mode), you do not need to raise your Domain Functional Level. Otherwise you have to remove all Windows 2000 Domain Controllers or, if you have none, raise the DFL to Windows 2003 mode or higher.

Current Domain Functional Level

But remember, raising the Domain Functional Level is a one-time action and cannot be reverted. Before you raise it to 2003 mode, ensure that all of your Domain Controllers are running at least Windows Server 2003. In this case all of them are at least 2003 DCs, as the DFL is already set to 2003 mode, which would not be possible if any 2000 DC were still present.

Windows 2003 mode does not support DCs based on earlier Microsoft Windows systems like NT4 and Windows 2000

Another way is to use the Active Directory Domains and Trusts console. Run the console, select the domain for which you want to check the Domain Functional Level and choose “Raise Domain Functional Level”

Current Domain Functional Level

Follow the same steps as in the previous console.

More about raising the Domain Functional Level can be found in another article on my blog.

At this point you can also raise your Forest Functional Level if all Domain Controllers in the entire forest are running Windows Server 2003. If not, skip the steps below and go to the Single Master Operation Roles section.

To raise the Forest Functional Level, right-click (RMB) the “Active Directory Domains and Trusts” node and choose “Raise Forest Functional Level”. In the list accept “Windows Server 2003” mode by clicking the “Raise” button.

In this case the FFL is already set to Windows Server 2003 mode and there is no need to raise it.

Raising Forest Functional Level

For more information about raising the Forest Functional Level, please check another article on my blog.

You can also determine the DFL and FFL by following the article on my blog titled: Determine DFL and FFL using PowerShell

Now it’s time to determine which Domain Controller(s) hold the Single Master Operation Roles. The most important ones for preparing the environment for a 2012 DC are

  • Schema Master
  • Infrastructure Master

We need to be sure that a connection to this/these DC(s) is available during the setup process. In previous versions we had to prepare the environment with the adprep command to extend the schema and prepare the Infrastructure Master. From Windows Server 2012 on, we don’t have to run adprep first. Of course, if you wish, you can still do that, but it is not a mandatory step: Windows Server 2012 will do it for you if it detects that adprep has not been run before for schema and infrastructure preparation. That’s a new feature in Windows Server 2012 which simplifies the promotion process as much as possible. You only need to check that a connection to the DC(s) holding the mentioned operations master roles is available (it is similar to the solution in Exchange 2010, where you do not have to use setup.com to extend the schema yourself).

To verify the necessary Operations Masters, we can use the netdom command, installed from Support Tools on Windows Server 2003 (on 2008/2008R2 it is available by default). Open a command line, go to the default installation directory:

C:\Program Files\Support Tools

and type:

netdom query fsmo

and identify the DC(s) from the output

Operation Master (FSMO) roles

We have collected almost all the information necessary to start AD preparation for the first Windows Server 2008 R2 Domain Controller. The last and most important part before we start is checking the forest/domain condition by running:

  • Dcdiag (from Support Tools)
  • Repadmin (also from Support Tools)

Run in the command line on a DC where you have installed Support Tools

dcdiag /e /c /v

and check that there are no errors. If there are, correct them (if your forest/domain has many Domain Controllers, skip the /e switch)

Now run in the command line:

repadmin /showrepl /all /verbose

to check that your DCs are replicating data without errors.

For more about Active Directory troubleshooting tools, check one of my articles on this blog

After those checks, you can start with the Active Directory preparation.
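The checks above (forest level, role holders, dcdiag, repadmin) can be gathered into one pre-flight function. The following is an added example, not code from the original article: it assumes the ActiveDirectory PowerShell module plus dcdiag.exe and repadmin.exe on the machine it runs on (an existing 2008/2008R2 DC, or 2003 with Support Tools and RSAT), and parses their output into a single object so the promotion is only attempted when everything is green.

```powershell
# Added example (not from the original article): pre-flight check for the steps above.
# Assumes the ActiveDirectory module and dcdiag.exe / repadmin.exe are available.
Import-Module ActiveDirectory

function Test-DcPromotionPrerequisites {
    [CmdletBinding()]
    param(
        # Lowest forest level a 2012 DC accepts, as stated in the article
        [string]$MinimumForestMode = 'Windows2003Forest',
        # Run dcdiag against every DC (/e); skip this in large forests
        [switch]$AllDcs
    )

    # Functional levels in ascending order, as the ActiveDirectory module names them
    $levels = @('Windows2000Forest', 'Windows2003InterimForest', 'Windows2003Forest',
                'Windows2008Forest', 'Windows2008R2Forest', 'Windows2012Forest', 'Windows2012R2Forest')

    $forest = Get-ADForest
    $domain = Get-ADDomain

    $result = [ordered]@{
        ForestMode           = [string]$forest.ForestMode
        ForestModeSufficient = [array]::IndexOf($levels, [string]$forest.ForestMode) -ge
                               [array]::IndexOf($levels, $MinimumForestMode)
        DomainMode           = [string]$domain.DomainMode
        SchemaMaster         = $forest.SchemaMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    # The wizard runs adprep against these two role holders, so both must be reachable
    $result.SchemaMasterReachable = Test-Connection -ComputerName $forest.SchemaMaster -Count 1 -Quiet
    $result.InfraMasterReachable  = Test-Connection -ComputerName $domain.InfrastructureMaster -Count 1 -Quiet

    # dcdiag prints "failed test <Name>" for every failing test
    $dcdiagArgs = @('/c', '/v')
    if ($AllDcs) { $dcdiagArgs += '/e' }
    $dcdiagOut = & dcdiag.exe @dcdiagArgs 2>&1
    $result.DcdiagFailedTests = @($dcdiagOut | Select-String -Pattern 'failed test' -SimpleMatch |
        ForEach-Object { ($_.Line -split 'failed test')[-1].Trim() })

    # repadmin /showrepl * /csv reports a failure count per replication link
    $links = & repadmin.exe /showrepl * /csv | ConvertFrom-Csv
    $result.ReplicationLinksFailing = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        ForEach-Object { "$($_.'Source DSA') -> $($_.'Destination DSA') ($($_.'Naming Context'))" })

    $result.ReadyToPromote = $result.ForestModeSufficient -and $result.SchemaMasterReachable -and
        $result.InfraMasterReachable -and $result.DcdiagFailedTests.Count -eq 0 -and
        $result.ReplicationLinksFailing.Count -eq 0

    [pscustomobject]$result
}

Test-DcPromotionPrerequisites | Format-List
```

ReadyToPromote is only true when the forest level is high enough, both role holders answer, dcdiag reports no failed tests and no replication link has a non-zero failure count; the lists of failed tests and failing links are returned so you know what to fix first.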

Adding first Windows 2012 Domain Controller

Before we start preparing AD for the new Windows Server 2012 DC, we need to be sure that we are members of the:

  • Enterprise Admins group

When we are sure of that, we can start the installation.

Install your new box with Windows Server 2012, configure its IP address according to your network settings and change the default server name to yours.

Remember that it’s very important to properly configure the network card settings to be able to promote your new box to domain controller!

The most important part of configuring the NIC is setting up the DNS server(s). Point your new box to one of the existing Domain Controllers where you have DNS installed and configured.

IPv4 settings verification

After you have verified the IP settings, you can start promoting the server to Domain Controller. However, you cannot use the good old dcpromo command, as it is no longer valid 🙂

dcpromo

Microsoft removed it and now everything is done through the new Server Manager console. You need to install the Active Directory Domain Services (AD DS) role and then, in the post-installation steps, promote the server to Domain Controller. Let’s start.

Open the Server Manager console (if it is not already open) and click “Add roles and features” on the Dashboard screen

Adding Roles and Features

Using the default settings in the wizard, go to the “Server roles” step (those steps are not described in this article; you may expect their description in another article) and select the Active Directory Domain Services role. Also accept the default features which are required during installation

Required features for AD:DS role

Verify that the check box is in the proper place and go to the next step

Adding AD:DS role

On the “Features” screen also go to the next step, as we do not need anything more installed at this point. All required features will be installed, as you accepted them a little earlier

Adding AD:DS role

Read the information about the role you are installing and go to the confirmation screen to install it

Adding AD:DS role

Wait until the selected role is installed; only then will you be able to promote the server to Domain Controller

Installing AD:DS role

Now, when the role is installed, you can see an exclamation mark in the notification area. It tells you that post-installation steps may be required

Notification area

Click on it to see what can be done. You will see that you can now promote your server to Domain Controller, and the information that the features were installed successfully

Notification area

OK, let’s start the server promotion to Domain Controller! Click “Promote this server to a domain controller” and you will see a wizard.

As we are adding a Domain Controller to an existing domain, we need to select the proper option. It is selected by default, but please make sure that “Add a domain controller to an existing domain” is selected

Domain Controller promotion

When you have verified that, enter in the field with the red star the DNS domain name to which you are promoting the DC. Provide Enterprise Administrator credentials and go to the next step

Domain Controller promotion

Define whether the server should be a DNS server and a Global Catalog. I would strongly recommend installing both roles on each Domain Controller in your environment. Select the site to which this DC should belong and define the Directory Services Restore Mode (DSRM) password for this DC

Domain Controller promotion

Do not worry about the DNS delegation, as this server is not a DNS server yet. Go to the next step

Domain Controller promotion

In “Additional options” you can define whether you want to install this Domain Controller from Install From Media (IFM) (if you have it) and from which DC the replication should be done. When you do not specify one, the server will choose the best source for AD database replication. If you have no special requirements, just leave “Any domain controller”

Domain Controller promotion

Specify the location for the AD database and SYSVOL (if you need something different than suggested) and go to the next step

Domain Controller promotion

Now the wizard informs you that schema and domain preparation need to be done. As you did not run adprep before, it will be executed in the background for you

Domain Controller promotion

You will see a summary screen where you can check all the options selected for the server promotion. As in Windows Server 2012 everything done through Server Manager is translated into PowerShell code and executed in the background, you can check the code by clicking the “View script” button. You will see exactly what will be run. This is a transparent process; you will not see a PowerShell window in front of you

Domain Controller promotion

PowerShell code for adding Domain Controller

#
# Windows PowerShell script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSDomainController `
    -NoGlobalCatalog:$false `
    -CreateDnsDelegation:$false `
    -Credential (Get-Credential) `
    -CriticalReplicationOnly:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainName "testenv.local" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -SiteName "Default-First-Site-Name" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true

If all prerequisite checks pass and you are sure that all settings are correct, you can start the installation
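The same parameter set the wizard generates can be validated before anything is changed: the ADDSDeployment module ships Test-ADDSDomainControllerInstallation, which accepts the Install-ADDSDomainController parameters and runs only the prerequisite checks. The following is an added example, not the wizard's generated script: the domain name, site and paths are the article's values, while the splatted hashtable, the DSRM password prompt and the check on a Status of Success are this example's own assumptions.

```powershell
# Added example (not the wizard's script): dry-run the promotion parameters first.
Import-Module ADDSDeployment

$params = @{
    DomainName                    = 'testenv.local'
    SiteName                      = 'Default-First-Site-Name'
    Credential                    = (Get-Credential -Message 'Enterprise Admins account')
    SafeModeAdministratorPassword = (Read-Host -AsSecureString -Prompt 'DSRM password')
    InstallDns                    = $true
    NoGlobalCatalog               = $false
    CreateDnsDelegation           = $false
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# Dry run: returns one result object per check (Context, Status, Message) and changes nothing
$check = Test-ADDSDomainControllerInstallation @params
$check | Format-List Context, Status, Message

# Assumption: a clean run reports Status 'Success' on every result
$problems = @($check | Where-Object { $_.Status -ne 'Success' })
if ($problems.Count -gt 0) {
    throw "Prerequisite check reported $($problems.Count) problem(s); fix them before promoting."
}

# Same parameters, real promotion; the server reboots on completion (NoRebootOnCompletion defaults to $false)
Install-ADDSDomainController @params -Force
```

Keeping the parameters in one hashtable guarantees the promotion runs with exactly the values that passed the test, which is the point of running the test at all.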

Domain Controller promotion

You can observe that the forest and domain are being prepared by adprep running in the background. Wait until the wizard has done its job; after the server restart you will have a new Windows Server 2012 Domain Controller.

Domain Controller promotion

Give the DC some time to replicate Directory Services data and then you can enjoy your new DC.

Post-Installation steps

Now you need to make some small changes to your environment configuration.

In the NIC properties of each server/workstation, configure the alternate DNS server IP address to point to the new Domain Controller.

Open the DHCP management console and, under server/scope options (depending on your DHCP configuration), modify option 006

Add there the IP address of your new Domain Controller as a DNS server.

DHCP server reconfiguration
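The post-installation steps above can be scripted, and it is worth checking that the new DC actually answers for the domain before clients are handed its address. The following is an added example, not part of the original article: it assumes the DnsClient and DhcpServer modules of Windows Server 2012 (PowerShell 3.0) and remoting to the member servers, and all IP addresses, server names and the scope ID are constructed values.

```powershell
# Added example (not from the original article): post-installation steps in PowerShell.
$existingDc = '192.168.1.10'        # constructed: DC that already runs DNS
$newDc      = '192.168.1.20'        # constructed: the freshly promoted 2012 DC
$domainName = 'testenv.local'
$dhcpServer = 'dc01.testenv.local'  # constructed: DHCP server
$scopeId    = '192.168.1.0'         # constructed: scope whose option 006 is updated

function Test-NewDcDns {
    # A working DC registers its LDAP SRV record; ask the new server directly for it
    param([string]$Server, [string]$Domain)
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Server -ErrorAction SilentlyContinue
    [bool]($srv | Where-Object { $_.Type -eq 'SRV' })
}

if (-not (Test-NewDcDns -Server $newDc -Domain $domainName)) {
    throw "$newDc does not yet serve $domainName; wait for replication before continuing"
}

# DHCP: option 006 (DNS servers), existing DC first, new DC as the alternate
Set-DhcpServerv4OptionValue -ComputerName $dhcpServer -ScopeId $scopeId -OptionId 6 -Value @($existingDc, $newDc)

# Statically configured servers: set preferred/alternate DNS on every adapter that is up
$servers = 'fs01.testenv.local', 'app01.testenv.local'   # constructed member servers
Invoke-Command -ComputerName $servers -ScriptBlock {
    param($dns)
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
        Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses $dns
    }
} -ArgumentList (,@($existingDc, $newDc))
```

The SRV lookup is the same check clients perform when locating a DC; if it fails against the new server, handing out its address in DHCP would only produce logon delays.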

That’s all!

Congratulations! You have promoted your first Windows Server 2012 in an existing domain

Author: Krzysztof Pytko

DNS bulk PTR records creation

 

My previous article was about bulk DNS record creation in a forward lookup zone. This time we will focus on the same activity, but in a reverse lookup zone. In my opinion this kind of task is needed much more often than the previous one. You may ask why? Because usually, when you create a host (A) record in a forward lookup zone, you don’t care about the pointer (PTR) record in the reverse lookup zone. This may happen in 3 scenarios:

  • You really don’t need PTR record(s) 🙂
  • You have not checked “Create associated pointer (PTR) record” when adding the host record

Option for pointer (PTR) record auto creation

  • You have checked the above option but the DNS reverse lookup zone does not exist

Reverse lookup zone does not exist

So one of these cases may lead you to bulk PTR record creation in the future, when you realize that you need this kind of record(s). I will show you how to do that quickly with the least administrative effort, because the DNS Management console is neither a convenient nor a fast method (you need to create each record separately by hand).

I will show you how to do that using simple scripts based on:

  • the Windows DNScmd command
  • the DNSShell module for Windows PowerShell (a really great module)
  • the native DNS cmdlets in PowerShell 3.0

The Windows DNScmd command is available by default on Windows Server 2008/2008R2 where the DNS role has been installed. To use it on Windows Server 2003, you need to install Support Tools from the server’s CD#1

The DNSShell module needs to be downloaded separately from the blog of Chris, who is a REAL genius on the DNS topic. His module for PowerShell is really great and very helpful.

Windows PowerShell 3.0 DNS cmdlets are available in Windows 8 and Windows Server 2012 and are a new feature added by Microsoft to manage the DNS server.

PowerShell 3.0 can also be installed on Windows 7/2008/2008R2; for more information about that, please check my other article “Windows Management Framework 3.0 for Windows Server 2008/2008R2”

DNScmd

Before we start preparing the script for bulk DNS record creation, let’s check whether the appropriate reverse lookup zone(s) exist. The reverse lookup zone must exist, otherwise the PTR (pointer) records won’t be created! If the zone does not exist, you need to create it first, before you can start using the script for bulk record creation.

After we have verified that the zone exists, we can start creating records. But first let’s see what the DNScmd syntax looks like for a single pointer (PTR) record. After that we will know which parameters should be put into the input file for the script.

Note! To get help for the DNScmd command, specify /? after its name or after any switch you want information about

Now we will prepare the proper syntax to add a single pointer (PTR) record to a DNS zone. For that we need to know:

  • DNS server name
  • DNS zone name (reverse lookup zone name)
  • IP address
  • host name

The proper syntax to create a pointer (PTR) record is:

dnscmd ServerName /RecordAdd DNSReverseZoneName IPAddress RecordType FQDNHostName

Below you can find an example:

dnscmd %LOGONSERVER% /RecordAdd 1.168.192.in-addr.arpa 100 PTR testHost.testenv.local

DNScmd command execution

Instead of the %LOGONSERVER% system variable, you can use the DNS server name (if all your DCs are DNS servers too, you can simply use %LOGONSERVER%; otherwise you need to type the DNS server name manually)

As you can see in the DNS Management console, the new record has been created

DNS record verification

We have the complete syntax and now we can create a script to create many DNS records in a short time. First of all, we need an input file containing all the required data. To create that file, put 2 or 3 values per line in a flat text file:

  • the octet of the IP address for which we want to add the PTR record
  • the host Fully-Qualified Domain Name
  • optionally the reverse lookup zone name (if we want to create PTR records for multiple zones)

An example input file for the script (2 values and the same zone)

100 testHost01.testenv.local
101 testHost02.testenv.local
102 testHost03.testenv.local
103 testHost04.testenv.local
104 testHost05.testenv.local

and an example input file with 3 values

105 testHost06.testenv.local 1.168.192.in-addr.arpa
106 testHost07.testenv.local 1.168.192.in-addr.arpa
107 testHost08.testenv.local 2.168.192.in-addr.arpa
108 testHost09.testenv.local 2.168.192.in-addr.arpa
109 testHost10.testenv.local 3.168.192.in-addr.arpa

and save this as, e.g., newPTR.txt on the C drive

Now you can use the script below to create many DNS records (case with 2 values in the file)

for /f "tokens=1-2" %i in (c:\newPTR.txt) do dnscmd %LOGONSERVER% /RecordAdd 1.168.192.in-addr.arpa %i PTR %j

Bulk DNS pointer records created

and you can verify that in the DNS Management console

DNS records verification

and now the code for the case with 3 values in the file

for /f "tokens=1-3" %i in (c:\newPTR.txt) do dnscmd %LOGONSERVER% /RecordAdd %k %i PTR %j

Bulk DNS records created

and you can verify that in the DNS Management console once again

DNS records verification

DNSShell module for PowerShell

As I mentioned at the beginning of this article, this is a separate module which needs to be downloaded. You can simply download it from

http://www.indented.co.uk/index.php/2010/04/16/dnsshell-zone-and-server-cmdlets/

When you have downloaded it, extract the content into one of the following locations:

  • %HOMEPATH%\Documents\WindowsPowerShell\Modules
  • %WINDIR%\System32\WindowsPowerShell\v1.0\Modules

PowerShell modules path

and import this module before the first use

Import-Module DNSShell

to list all available cmdlets use

help *DNS*

Importing DNSShell module and listing all available cmdlets

From now on, you have all the cmdlets available. Let’s start by creating a single record in DNS using the New-DNSRecord cmdlet

To be able to create a pointer (PTR) record using DNSShell, you need:

  • DNS zone name (reverse lookup zone name)
  • an octet of IP Address for which we want to add PTR record
  • host name

You will find the general syntax below

New-DNSRecord -Name AnOctet -RecordType PTR -ZoneName ReverseZoneName -HostName HostFQDN

and a short example

New-DNSRecord -Name 100 -RecordType PTR -ZoneName 1.168.192.in-addr.arpa -HostName testHost01.testenv.local

New-DNSRecord example

and you can see the command’s result in DNS Manager

DNS record verification

So now we can create a script to automatically create many DNS records. As for PowerShell it is better to use the CSV file format instead of a flat text file, I will prepare an example here. A CSV file requires a header for each attribute; we need 2 or 3 attributes to accomplish that.

An example CSV file for 2 values

octet,hostName
100,testHost01.testenv.local
101,testHost02.testenv.local
102,testHost03.testenv.local
103,testHost04.testenv.local
104,testHost05.testenv.local

An example CSV file for 3 values

octet,hostName,zoneName
105,testHost06.testenv.local,1.168.192.in-addr.arpa
106,testHost07.testenv.local,1.168.192.in-addr.arpa
107,testHost08.testenv.local,2.168.192.in-addr.arpa
108,testHost09.testenv.local,2.168.192.in-addr.arpa
109,testHost10.testenv.local,3.168.192.in-addr.arpa

Save this file as newPTR.csv on the C drive and use the script below to create DNS records

for 2 values

Import-Module DNSShell
Import-CSV c:\newPTR.csv | %{
    New-DNSRecord -Name $_."octet" -RecordType PTR -ZoneName 1.168.192.in-addr.arpa -HostName $_."hostName"
}

PowerShell script

and verify the results in DNS Manager

DNS records verification

and one more case, with 3 values in the CSV file

Import-Module DNSShell
Import-CSV c:\newPTR.csv | %{
    New-DNSRecord -Name $_."octet" -RecordType PTR -ZoneName $_."zoneName" -HostName $_."hostName"
}

PowerShell code

and verify in DNS Manager that they were created

DNS records verifying

Native DNS cmd-lets in PowerShell 3.0

This is a new feature and can only be used with PowerShell 3.0, which is available in Windows 8 and Windows Server 2012 (or in other Windows versions, as mentioned at the beginning of this article). There is a variety of DNS cmdlets to manage the DNS server, and one of them is Add-DNSServerResourceRecordPTR, which we will use in this article.

Add-DNSServerResourceRecordPTR cmdlet

To create a pointer (PTR) record using this cmdlet you need:

  • DNS zone name (reverse lookup zone name)
  • an octet of IP Address for which we want to add PTR record
  • host name

And now for practice, we will create a single DNS record using Add-DNSServerResourceRecordPTR

Add-DNSServerResourceRecordPTR -ZoneName DNSReverseZoneName -Name octet -PTRDomainName hostName

According to the general syntax above, let’s create a pointer record

Add-DNSServerResourceRecordPTR -ZoneName 1.168.192.in-addr.arpa -Name 100 -PTRDomainName testHost01.testenv.local

PowerShell 3.0 DNS record creation

and as in the previous methods, just verify that the DNS record was created

DNS record verification

So now the last part. We need to prepare a script for multiple record creation. As we need to use a CSV file, as in the previous method (DNSShell module for Windows PowerShell), we will reuse it. An example CSV file is below

for 2 values

octet,hostName
100,testHost01.testenv.local
101,testHost02.testenv.local
102,testHost03.testenv.local
103,testHost04.testenv.local
104,testHost05.testenv.local

and for 3 values

octet,hostName,zoneName
105,testHost06.testenv.local,1.168.192.in-addr.arpa
106,testHost07.testenv.local,1.168.192.in-addr.arpa
107,testHost08.testenv.local,2.168.192.in-addr.arpa
108,testHost09.testenv.local,2.168.192.in-addr.arpa
109,testHost10.testenv.local,3.168.192.in-addr.arpa

and save this as the newPTR.csv file on the C drive. When you have done that, use the code below for pointer (PTR) record creation

PowerShell 3.0 code for CSV with 2 values

Import-CSV c:\newPTR.csv | %{
    Add-DNSServerResourceRecordPTR -ZoneName 1.168.192.in-addr.arpa -Name $_."octet" -PTRDomainName $_."hostName"
}

PowerShell 3.0 code

and the DNS Manager view to prove that the records were created

DNS Manager and newly created DNS records

and the last part with PowerShell 3.0 for DNS, code for a CSV file with 3 values

Import-CSV c:\newPTR.csv | %{
    Add-DNSServerResourceRecordPTR -ZoneName $_."zoneName" -Name $_."octet" -PTRDomainName $_."hostName"
}

Just to be sure that the records were created, let’s check each reverse lookup zone to verify

DNS Manager and newly created DNS records

That’s all!
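The scripts above take the last octet and, for multiple zones, the zone name as separate input columns, and they assume the reverse zone already exists (the article stresses that PTR creation silently fails otherwise). The following is an added example, not code from the original article: it derives the reverse zone name and record name from a full IPv4 address, refuses rows whose zone is missing, and skips records that are already present so the script is safe to re-run. It assumes the DnsServer module of Windows Server 2012 (PowerShell 3.0) on a DNS server; the function names and the CSV content are constructed for this example.

```powershell
# Added example (not from the original article): bulk PTR creation with zone derivation and checks.

function ConvertTo-ReverseName {
    # 192.168.1.100 with /24 -> ZoneName 1.168.192.in-addr.arpa, Name 100
    # 192.168.1.100 with /16 -> ZoneName 168.192.in-addr.arpa,   Name 100.1 (octets reversed)
    param(
        [Parameter(Mandatory)][ipaddress]$IPAddress,
        [ValidateSet(8, 16, 24)][int]$PrefixLength = 24
    )
    $o = $IPAddress.GetAddressBytes()
    $kept = $PrefixLength / 8          # number of octets that belong to the zone name
    [pscustomobject]@{
        ZoneName = ($o[($kept - 1)..0] -join '.') + '.in-addr.arpa'
        Name     = $o[3..$kept] -join '.'
    }
}

function Add-PtrRecordsFromCsv {
    # CSV columns: IPAddress,HostName (full IPv4 address, FQDN the PTR should point to)
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$DnsServer = $env:COMPUTERNAME,
        [ValidateSet(8, 16, 24)][int]$PrefixLength = 24
    )
    $zoneExists = @{}   # cache of Get-DnsServerZone results per zone name
    foreach ($row in Import-Csv -Path $Path) {
        $ip = $null
        if (-not [ipaddress]::TryParse($row.IPAddress, [ref]$ip) -or $ip.AddressFamily -ne 'InterNetwork') {
            Write-Warning "Skipping '$($row.IPAddress)': not an IPv4 address"
            continue
        }
        $rev = ConvertTo-ReverseName -IPAddress $ip -PrefixLength $PrefixLength
        if (-not $zoneExists.ContainsKey($rev.ZoneName)) {
            $zoneExists[$rev.ZoneName] = [bool](Get-DnsServerZone -Name $rev.ZoneName -ComputerName $DnsServer -ErrorAction SilentlyContinue)
        }
        if (-not $zoneExists[$rev.ZoneName]) {
            Write-Warning "Reverse zone $($rev.ZoneName) does not exist, create it first; skipping $($row.IPAddress)"
            continue
        }
        $existing = Get-DnsServerResourceRecord -ZoneName $rev.ZoneName -Name $rev.Name -RRType Ptr `
                        -ComputerName $DnsServer -ErrorAction SilentlyContinue
        if ($existing) {
            $action = 'exists'
        } else {
            Add-DnsServerResourceRecordPtr -ZoneName $rev.ZoneName -Name $rev.Name -PtrDomainName $row.HostName -ComputerName $DnsServer
            $action = 'created'
        }
        [pscustomobject]@{ IPAddress = $row.IPAddress; Zone = $rev.ZoneName; Name = $rev.Name; Host = $row.HostName; Action = $action }
    }
}

# Constructed input file; the last row is deliberately invalid to show the validation path
$csv = Join-Path $env:TEMP 'newPTR.csv'
@'
IPAddress,HostName
192.168.1.105,testHost06.testenv.local
192.168.1.106,testHost07.testenv.local
192.168.2.107,testHost08.testenv.local
not-an-ip,testHost09.testenv.local
'@ | Set-Content -Path $csv

Add-PtrRecordsFromCsv -Path $csv | Format-Table -AutoSize
```

Because the zone name comes from the address rather than from a hand-typed column, a typo in the zone column can no longer send a record into the wrong zone, and the per-row Action column makes a re-run auditable.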


Author: Krzysztof Pytko

DNS bulk host (A) records creation

 

Sometimes we need to create many DNS records in a short time. Using the DNS Management console is neither a convenient nor a fast method, because you need to create each record separately by hand. I will show you how to do that using simple scripts based on:

  • the Windows DNScmd command
  • the DNSShell module for Windows PowerShell (a really great module)
  • the native DNS cmdlets in PowerShell 3.0

The Windows DNScmd command is available by default on Windows Server 2008/2008R2 where the DNS role has been installed. To use it on Windows Server 2003, you need to install Support Tools from the server’s CD#1

The DNSShell module needs to be downloaded separately from the blog of Chris, who is a REAL genius on the DNS topic. His module for PowerShell is really great and very helpful.

Windows PowerShell 3.0 DNS cmdlets are available in Windows 8 and Windows Server 2012 and are a new feature added by Microsoft to manage the DNS server.

PowerShell 3.0 can also be installed on Windows 7/2008/2008R2; for more information about that, please check my other article “Windows Management Framework 3.0 for Windows Server 2008/2008R2”

DNScmd

Before we start preparing the script for bulk DNS record creation, let’s see what the DNScmd syntax looks like for a single host (A) record. After that we will know which parameters should be put into the input file for the script.

Note! To get help for the DNScmd command, specify /? after its name or after any switch you want information about

Now we will prepare the proper syntax to add a single host (A) record to a DNS zone. For that we need to know:

  • DNS server name
  • DNS zone name
  • host name
  • IP address

The proper syntax to create a host (A) record is:

dnscmd ServerName /RecordAdd DNSZoneName HostName RecordType IPAddress

Below you can find an example:

dnscmd %LOGONSERVER% /RecordAdd testenv.local test01 A 192.168.1.101

DNScmd command execution

Instead of the %LOGONSERVER% system variable, you can use the DNS server name (if all your DCs are DNS servers too, you can simply use %LOGONSERVER%; otherwise you need to type the DNS server name manually)

As you can see in the DNS Management console, the new record has been created

DNS record verification

We have the complete syntax and now we can create a script to create many DNS records in a short time. First of all, we need an input file containing all the required data. To create that file, put 2 values per line in a flat text file:

  • host name
  • IP address

An example input file for the script

test01 192.168.1.101
test02 192.168.1.102
test03 192.168.1.103
test04 192.168.1.104
test05 192.168.1.105

and save this as, e.g., newHosts.txt on the C drive

Now you can use the script below to create many DNS records

for /f "tokens=1-2" %i in (c:\newHosts.txt) do dnscmd %LOGONSERVER% /RecordAdd testenv.local %i A %j

Bulk DNS host records created

and you can verify that in the DNS Management console

DNS records verification

DNSShell module for PowerShell

As I mentioned at the beginning of this article, this is a separate module which needs to be downloaded. You can simply download it from

http://www.indented.co.uk/index.php/2010/04/16/dnsshell-zone-and-server-cmdlets/

When you have downloaded it, extract the content into one of the following locations:

  • %HOMEPATH%\Documents\WindowsPowerShell\Modules
  • %WINDIR%\System32\WindowsPowerShell\v1.0\Modules

PowerShell modules path

and import this module before the first use

Import-Module DNSShell

to list all available cmdlets use

help *DNS*

Importing DNSShell module and listing all available cmdlets

From now on, you have all the cmdlets available. Let’s start by creating a single host record in DNS using the New-DNSRecord cmdlet

To be able to create a host (A) record using DNSShell, you need:

  • DNS zone name
  • host name
  • IP address

You will find the general syntax below

New-DNSRecord -Name HostName -RecordType A -ZoneName DNSZoneName -IPAddress IPAddress

and a short example

New-DNSRecord -Name test01 -RecordType A -ZoneName testenv.local -IPAddress 192.168.1.101

New-DNSRecord example

and you can see the command’s result in DNS Manager

DNS record verification

So now we can create a script to automatically create many DNS records. As for PowerShell it is better to use the CSV file format instead of a flat text file, I will prepare an example here. A CSV file requires a header for each attribute; we need only 2 attributes to accomplish that

HostName,IPAddr
test01,192.168.1.101
test02,192.168.1.102
test03,192.168.1.103
test04,192.168.1.104
test05,192.168.1.105

Save this file as newHosts.csv on the C drive and use the script below to create DNS records

Import-Module DNSShell
Import-CSV c:\newHosts.csv | %{
    New-DNSRecord -Name $_."HostName" -RecordType A -ZoneName testenv.local -IPAddress $_."IPAddr"
}

PowerShell script

and verify the results in DNS Manager

DNS records verification

Native DNS cmd-lets in PowerShell 3.0

This is a new feature and can only be used with PowerShell 3.0, which is available in Windows 8 and Windows Server 2012. There is a variety of DNS cmdlets to manage the DNS server, and one of them is Add-DNSServerResourceRecordA, which we will use in this article.

Add-DNSServerResourceRecordA cmdlet

To create a host record using this cmdlet, we need to have prepared:

  • DNS zone name
  • host name
  • IP address

And now for practice, we will create a single DNS record using Add-DNSServerResourceRecordA

Add-DNSServerResourceRecordA -ZoneName DNSZoneName -Name HostName -IPv4Address IPAddress

According to the general syntax above, let’s create a host record

Add-DNSServerResourceRecordA -ZoneName testenv.local -Name test01 -IPv4Address 192.168.1.101

PowerShell 3.0 DNS record creation

and as in the previous methods, just verify that the DNS record was created

DNS record verification

So now the last part. We need to prepare a script for multiple record creation. As we need to use a CSV file, as in the previous method (DNSShell module for Windows PowerShell), we will reuse it. An example CSV file is below

HostName,IPAddress
test01,192.168.1.101
test02,192.168.1.102
test03,192.168.1.103
test04,192.168.1.104
test05,192.168.1.105

and save this as the newHosts.csv file on the C drive. When you have done that, use the code below for host (A) record creation

Import-CSV c:\newHosts.csv | %{
    Add-DNSServerResourceRecordA -ZoneName testenv.local -Name $_."HostName" -IPv4Address $_."IPAddress"
}

Script output

and the DNS Manager view to prove that the records were created

DNS Manager and newly created DNS records

This time, that’s all!
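The scripts above feed every CSV row straight into the record-creation cmdlet. The following is an added example, not code from the original article: it validates each host name and address before creating anything, warns when an address is already used by a different name in the zone, asks the DNS server to create the matching PTR in the same call (the -CreatePtr switch of Add-DnsServerResourceRecordA, which only has an effect when the reverse zone exists) and then verifies each record by querying the server. It assumes the DnsServer and DnsClient modules of Windows Server 2012 (PowerShell 3.0); the function name and the CSV content are constructed for this example.

```powershell
# Added example (not from the original article): validated, idempotent bulk A record creation.

function Add-HostRecordsFromCsv {
    # CSV columns: HostName,IPAddress (short host label, IPv4 address)
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$DnsServer = $env:COMPUTERNAME
    )
    # Map of address -> host names already using it, built once from the zone
    $inUse = @{}
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -ComputerName $DnsServer | ForEach-Object {
        $addr = $_.RecordData.IPv4Address.IPAddressToString
        if (-not $inUse.ContainsKey($addr)) { $inUse[$addr] = @() }
        $inUse[$addr] += $_.HostName
    }

    foreach ($row in Import-Csv -Path $Path) {
        $name = $row.HostName.Trim()
        # RFC 1123 label: letters, digits and hyphens, no leading/trailing hyphen, at most 63 characters
        if ($name -notmatch '^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$') {
            Write-Warning "Skipping '$name': not a valid host label"
            continue
        }
        $ip = $null
        if (-not [ipaddress]::TryParse($row.IPAddress, [ref]$ip) -or $ip.AddressFamily -ne 'InterNetwork') {
            Write-Warning "Skipping '$name': '$($row.IPAddress)' is not an IPv4 address"
            continue
        }
        $addr = $ip.IPAddressToString
        if ($inUse.ContainsKey($addr) -and ($inUse[$addr] -contains $name)) {
            $action = 'exists'
        } elseif ($inUse.ContainsKey($addr)) {
            Write-Warning "$addr is already used by $($inUse[$addr] -join ', '); skipping $name"
            $action = 'conflict'
        } else {
            # -CreatePtr adds the PTR as well, provided the reverse zone exists on this server
            Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $name -IPv4Address $addr -CreatePtr -ComputerName $DnsServer
            $inUse[$addr] = @($name)
            $action = 'created'
        }
        # Verify by asking the server what it now returns for the FQDN
        $answer = Resolve-DnsName -Name "$name.$ZoneName" -Type A -Server $DnsServer -ErrorAction SilentlyContinue
        [pscustomobject]@{
            HostName  = $name
            IPAddress = $addr
            Action    = $action
            Resolves  = [bool]($answer | Where-Object { $_.IPAddress -eq $addr })
        }
    }
}

# Constructed input file; the last two rows are deliberately invalid to show the validation path
$csv = Join-Path $env:TEMP 'newHosts.csv'
@'
HostName,IPAddress
test01,192.168.1.101
test02,192.168.1.102
bad_name,192.168.1.103
test04,192.168.1.999
'@ | Set-Content -Path $csv

Add-HostRecordsFromCsv -Path $csv -ZoneName 'testenv.local' | Format-Table -AutoSize
```

Reading the zone once up front, rather than querying per row, keeps the duplicate check cheap even for a few thousand rows, and the Resolves column shows at a glance which records the server actually serves after the run.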


Author: Krzysztof Pytko

Determine DFL and FFL using PowerShell

 

I was curious, after the last article about checking the schema version with PowerShell, whether it is possible to use the same template to determine the Domain and Forest Functional Levels. I decided to check that using the same code and I found it also works 🙂

You only need to check different AD objects to get that information.

For the Domain Functional Level you need to query the default naming context (domain partition) and read the msDS-Behavior-Version attribute. Its value tells you which DFL is present in your domain. Today there is no need to check whether the domain is working in 2000 mixed mode, but I decided to put that information into the script as well, to have a full overview of the DFL. In this case (mixed mode) you have to check the ntMixedDomain attribute.

If the ntMixedDomain attribute is set to 0, the Domain Functional Level is not 2000 mixed mode. If this attribute is set to 1, the DFL is Windows 2000 Mixed mode.

For msDS-Behavior-Version attribute values and the corresponding DFL, check the list below

  • 0 – Windows 2000 Native mode
  • 1 – Windows Server 2003 Interim mode
  • 2 – Windows Server 2003 mode
  • 3 – Windows Server 2008 mode
  • 4 – Windows Server 2008 R2 mode
  • 5 – Windows Server 2012 mode
  • 6 – Windows Server 2012 R2 mode

To get the Forest Functional Level mode, you need to check the same msDS-Behavior-Version attribute, but on a different AD object. This object is

cn=partitions,cn=configuration,dc=testenv,dc=local

in the Configuration partition

Note! Remember that the Forest Functional Level cannot be higher than the Domain Functional Level. Its value may be equal or lower but never HIGHER!

For msDS-Behavior-Version attribute values and the corresponding FFL, check the list below

  • 0 – Windows 2000 mode
  • 1 – Windows Server 2003 Interim mode
  • 2 – Windows Server 2003 mode
  • 3 – Windows Server 2008 mode
  • 4 – Windows Server 2008 R2 mode
  • 5 – Windows Server 2012 mode
  • 6 – Windows Server 2012 R2 mode

Those are all the options available at this moment, so now it is possible to prepare a PowerShell script that checks that attribute and compares it to the lists above

Windows PowerShell module for Active Directory

Open Windows PowerShell or the Windows PowerShell module for AD and use the syntax below to get the Domain Functional Level mode (if you are using the module for AD, you don’t need to use the Import-Module cmdlet!)

Import-Module ActiveDirectory
Get-ADObject -Identity "dc=testenv,dc=local" -Properties * | Select msDS-Behavior-Version,ntMixedDomain

Windows PowerShell syntax for DFL

Get-ADObject -Identity "cn=partitions,cn=configuration,dc=testenv,dc=local" -Properties * | Select msDS-Behavior-Version

Windows PowerShell syntax for FFL

Remember to change domain distinguished name from dc=testenv,dc=local to yours

Now, it’s time to see the complete script, which displays more user-friendly output

Import-Module ActiveDirectory
Clear-Host
Write-Host ""
Write-Host "Domain Functional Level is " -ForegroundColor Green -NoNewLine
# Domain naming context: msDS-Behavior-Version gives the DFL, ntMixedDomain=1 means Windows 2000 Mixed
$domain=Get-ADObject -Identity "dc=testenv,dc=local" -Properties * | Select msDS-Behavior-Version,ntMixedDomain
if ($domain.ntMixedDomain -eq 1){
    Write-Host "Windows 2000 Mixed mode" -ForegroundColor Yellow
}
else {
    switch ($domain."msDS-Behavior-Version")
    {
        0 { Write-Host "Windows 2000 Native mode" -ForegroundColor Yellow }
        1 { Write-Host "Windows Server 2003 Interim mode" -ForegroundColor Yellow }
        2 { Write-Host "Windows Server 2003 mode" -ForegroundColor Yellow }
        3 { Write-Host "Windows Server 2008 mode" -ForegroundColor Yellow }
        4 { Write-Host "Windows Server 2008 R2 mode" -ForegroundColor Yellow }
        5 { Write-Host "Windows Server 2012 mode" -ForegroundColor Yellow }
        6 { Write-Host "Windows Server 2012 R2 mode" -ForegroundColor Yellow }
        default { Write-Host "unknown" -ForegroundColor Red }
    }
}
Write-Host ""
Write-Host "Forest Functional Level is " -ForegroundColor Green -NoNewLine
# Partitions container in the Configuration partition: msDS-Behavior-Version gives the FFL
$forest=Get-ADObject -Identity "cn=partitions,cn=configuration,dc=testenv,dc=local" -Properties * | Select msDS-Behavior-Version
switch ($forest."msDS-Behavior-Version")
{
    0 { Write-Host "Windows 2000 mode" -ForegroundColor Yellow }
    1 { Write-Host "Windows Server 2003 Interim mode" -ForegroundColor Yellow }
    2 { Write-Host "Windows Server 2003 mode" -ForegroundColor Yellow }
    3 { Write-Host "Windows Server 2008 mode" -ForegroundColor Yellow }
    4 { Write-Host "Windows Server 2008 R2 mode" -ForegroundColor Yellow }
    5 { Write-Host "Windows Server 2012 mode" -ForegroundColor Yellow }
    6 { Write-Host "Windows Server 2012 R2 mode" -ForegroundColor Yellow }
    default { Write-Host "unknown" -ForegroundColor Red }
}
Write-Host ""

Copy the above code, paste it into Notepad, save it as a .ps1 file and run it in the Windows PowerShell environment

Script output

Quest PowerShell module for Active Directory

To be able to run the code below, you need to have the free Quest PowerShell module for Active Directory installed

If you have it available, you can run the syntax below

Get-QADObject -Identity "dc=testenv,dc=local" -IncludeAllProperties | Select msDS-Behavior-Version,ntMixedDomain

Quest PowerShell syntax for DFL

Get-QADObject -Identity "cn=partitions,cn=configuration,dc=testenv,dc=local" -IncludeAllProperties | Select msDS-Behavior-Version

Quest PowerShell syntax for FFL

Remember to change the domain distinguished name from dc=testenv,dc=local to yours

Now, it’s time to see the complete script, which displays more user-friendly output

Clear-Host
Write-Host ""
Write-Host "Domain Functional Level is " -ForegroundColor Green -NoNewLine
# Domain naming context: msDS-Behavior-Version gives the DFL, ntMixedDomain=1 means Windows 2000 Mixed
$domain=Get-QADObject -Identity "dc=testenv,dc=local" -IncludeAllProperties | Select msDS-Behavior-Version,ntMixedDomain
if ($domain.ntMixedDomain -eq 1){
    Write-Host "Windows 2000 Mixed mode" -ForegroundColor Yellow
}
else {
    switch ($domain."msDS-Behavior-Version")
    {
        0 { Write-Host "Windows 2000 Native mode" -ForegroundColor Yellow }
        1 { Write-Host "Windows Server 2003 Interim mode" -ForegroundColor Yellow }
        2 { Write-Host "Windows Server 2003 mode" -ForegroundColor Yellow }
        3 { Write-Host "Windows Server 2008 mode" -ForegroundColor Yellow }
        4 { Write-Host "Windows Server 2008 R2 mode" -ForegroundColor Yellow }
        5 { Write-Host "Windows Server 2012 mode" -ForegroundColor Yellow }
        6 { Write-Host "Windows Server 2012 R2 mode" -ForegroundColor Yellow }
        default { Write-Host "unknown" -ForegroundColor Red }
    }
}
Write-Host ""
Write-Host "Forest Functional Level is " -ForegroundColor Green -NoNewLine
# Partitions container in the Configuration partition: msDS-Behavior-Version gives the FFL
$forest=Get-QADObject -Identity "cn=partitions,cn=configuration,dc=testenv,dc=local" -IncludeAllProperties | Select msDS-Behavior-Version
switch ($forest."msDS-Behavior-Version")
{
    0 { Write-Host "Windows 2000 mode" -ForegroundColor Yellow }
    1 { Write-Host "Windows Server 2003 Interim mode" -ForegroundColor Yellow }
    2 { Write-Host "Windows Server 2003 mode" -ForegroundColor Yellow }
    3 { Write-Host "Windows Server 2008 mode" -ForegroundColor Yellow }
    4 { Write-Host "Windows Server 2008 R2 mode" -ForegroundColor Yellow }
    5 { Write-Host "Windows Server 2012 mode" -ForegroundColor Yellow }
    6 { Write-Host "Windows Server 2012 R2 mode" -ForegroundColor Yellow }
    default { Write-Host "unknown" -ForegroundColor Red }
}
Write-Host ""

Script output

Now, we have two scripts: one to check the schema version and one to check DFL and FFL. If you wish, you may combine them into one and get all the necessary information in a single output 🙂


Author: Krzysztof Pytko


Schema version using PowerShell


I’ve just played with PowerShell in my test environment and I was wondering if it’s possible to verify the Active Directory Schema version in some simple way using it. I know that the schema version number is stored in the objectVersion attribute of the

"cn=Schema,cn=Configuration,dc=domain,dc=local" object

I found that there is a PowerShell cmdlet which allows you to query that object and get its attributes

So, you simply need to type the cmdlet syntax below to get the schema version in a domain

for Windows PowerShell (available when you have at least one Domain Controller based on Windows Server 2008 R2)

Get-ADObject -Identity "cn=Schema,cn=Configuration,dc=testenv,dc=local" -Properties * | Select objectVersion

Schema version using Windows PowerShell

for Quest PowerShell (requires a download from a 3rd-party website; this is a free tool)

Get-QADObject -Identity "cn=Schema,cn=Configuration,dc=testenv,dc=local" -IncludeAllProperties | Select objectVersion

Schema version using Quest PowerShell

As you can see, this was a very short and quick way to get information about the schema version 🙂 However, I went one step further and prepared a script which checks objectVersion and writes the corresponding OS name on the screen. Basically, I started with if syntax, but it was not the best possible solution for that. I started looking on the Internet for something like “case”, which I remember from Turbo Pascal 😀 … and I found it … this is switch in PowerShell. So, after I used switch, my code looks better and I’ve decided to share it here 🙂 (perhaps someone would find it useful)

Below you can find the complete script code for Windows and Quest PowerShell

Windows PowerShell module for Active Directory

Import-Module ActiveDirectory
Clear-Host
Write-Host ""
Write-Host "Schema version is " -ForegroundColor Green -NoNewLine
# objectVersion of the Schema container tells which OS last extended the schema (adprep /forestprep)
$schema_ver=Get-ADObject -Identity "cn=Schema,cn=Configuration,dc=testenv,dc=local" -Properties * | Select objectVersion
switch ($schema_ver.objectVersion)
{
    13 { Write-Host "Windows 2000 Server" -ForegroundColor Yellow }
    30 { Write-Host "Windows Server 2003" -ForegroundColor Yellow }
    31 { Write-Host "Windows Server 2003 R2" -ForegroundColor Yellow }
    44 { Write-Host "Windows Server 2008" -ForegroundColor Yellow }
    47 { Write-Host "Windows Server 2008 R2" -ForegroundColor Yellow }
    51 { Write-Host "Windows Server 8 Developers Preview" -ForegroundColor Yellow }
    52 { Write-Host "Windows Server 8 Beta" -ForegroundColor Yellow }
    56 { Write-Host "Windows Server 2012" -ForegroundColor Yellow }
    69 { Write-Host "Windows Server 2012 R2" -ForegroundColor Yellow }
    72 { Write-Host "Windows Server Technical Preview (2014)" -ForegroundColor Yellow }
    81 { Write-Host "Windows Server Technical Preview 2 (2015)" -ForegroundColor Yellow }
    82 { Write-Host "Windows Server 2016 Technical Preview 3 (2015)" -ForegroundColor Yellow }
    85 { Write-Host "Windows Server 2016 Technical Preview 4 (2015)" -ForegroundColor Yellow }
    87 { Write-Host "Windows Server 2016" -ForegroundColor Yellow }
    # $( ) expands the attribute value inside the string, so the unknown number itself is printed
    default { Write-Host "unknown - $($schema_ver.objectVersion)" -ForegroundColor Red }
}
Write-Host ""

Copy the above code, paste it into Notepad and save it as a .ps1 file; then you will be able to execute it in your environment (remember that you need to change the distinguished name of the domain from dc=testenv,dc=local to yours)

Script based on Windows PowerShell

Quest PowerShell module for Active Directory

Clear-Host
Write-Host ""
Write-Host "Schema version is " -ForegroundColor Green -NoNewLine
# objectVersion of the Schema container tells which OS last extended the schema (adprep /forestprep)
$schema_ver=Get-QADObject -Identity "cn=Schema,cn=Configuration,dc=testenv,dc=local" -IncludeAllProperties | Select objectVersion
switch ($schema_ver.objectVersion)
{
    13 { Write-Host "Windows 2000 Server" -ForegroundColor Yellow }
    30 { Write-Host "Windows Server 2003" -ForegroundColor Yellow }
    31 { Write-Host "Windows Server 2003 R2" -ForegroundColor Yellow }
    44 { Write-Host "Windows Server 2008" -ForegroundColor Yellow }
    47 { Write-Host "Windows Server 2008 R2" -ForegroundColor Yellow }
    51 { Write-Host "Windows Server 8 Developers Preview" -ForegroundColor Yellow }
    52 { Write-Host "Windows Server 8 Beta" -ForegroundColor Yellow }
    56 { Write-Host "Windows Server 2012" -ForegroundColor Yellow }
    69 { Write-Host "Windows Server 2012 R2" -ForegroundColor Yellow }
    72 { Write-Host "Windows Server Technical Preview (2014)" -ForegroundColor Yellow }
    81 { Write-Host "Windows Server Technical Preview 2 (2015)" -ForegroundColor Yellow }
    82 { Write-Host "Windows Server 2016 Technical Preview 3 (2015)" -ForegroundColor Yellow }
    85 { Write-Host "Windows Server 2016 Technical Preview 4 (2015)" -ForegroundColor Yellow }
    87 { Write-Host "Windows Server 2016" -ForegroundColor Yellow }
    # $( ) expands the attribute value inside the string, so the unknown number itself is printed
    default { Write-Host "unknown - $($schema_ver.objectVersion)" -ForegroundColor Red }
}
Write-Host ""

Copy the above code, paste it into Notepad and save it as a .ps1 file; then you will be able to execute it in your Quest PowerShell environment (remember that you need to change the distinguished name of the domain from dc=testenv,dc=local to yours)

Script for Quest PowerShell
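A combined script, as the DFL/FFL article above suggests, that reads the schema version, the Domain Functional Level and the Forest Functional Level in one run. This is an added example, not the article's own code. It assumes the ActiveDirectory module (a Windows Server 2008 R2 or later DC, or RSAT) and reads the three naming contexts from the RootDSE with Get-ADRootDSE, so the domain distinguished name no longer has to be edited by hand. The lookup tables carry the values from the lists and switch statements above; the two flags at the end encode the note that the FFL can never be higher than the DFL and the prerequisite stated at the top of this page that a Windows Server 2012 DC needs at least Windows Server 2003 forest mode.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# msDS-Behavior-Version -> level name; value 0 reads differently for a domain and a forest.
$DomainLevels = @{
    0 = 'Windows 2000 Native mode';    1 = 'Windows Server 2003 Interim mode'
    2 = 'Windows Server 2003 mode';    3 = 'Windows Server 2008 mode'
    4 = 'Windows Server 2008 R2 mode'; 5 = 'Windows Server 2012 mode'
    6 = 'Windows Server 2012 R2 mode'
}
$ForestLevels = $DomainLevels.Clone()
$ForestLevels[0] = 'Windows 2000 mode'

# objectVersion of the Schema container -> OS whose adprep last extended the schema.
$SchemaVersions = @{
    13 = 'Windows 2000 Server'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'; 87 = 'Windows Server 2016'
}

function Resolve-Level([hashtable] $Table, [int] $Value) {
    # Friendly name from the table, or the raw number when the table does not know it.
    if ($Table.ContainsKey($Value)) { $Table[$Value] } else { "unknown ($Value)" }
}

function Get-ADLevelReport {
    param([string] $Server)   # optional DC to bind to; default is the DC you are already talking to
    $splat = @{}
    if ($Server) { $splat['Server'] = $Server }

    # RootDSE exposes the three naming contexts, so no DN is hard-coded.
    $root       = Get-ADRootDSE @splat
    $domainObj  = Get-ADObject @splat -Identity $root.defaultNamingContext -Properties 'msDS-Behavior-Version', 'ntMixedDomain'
    $partitions = Get-ADObject @splat -Identity "CN=Partitions,$($root.configurationNamingContext)" -Properties 'msDS-Behavior-Version'
    $schema     = Get-ADObject @splat -Identity $root.schemaNamingContext -Properties 'objectVersion'

    $dfl = [int]$domainObj.'msDS-Behavior-Version'
    $ffl = [int]$partitions.'msDS-Behavior-Version'
    $ver = [int]$schema.objectVersion

    # ntMixedDomain = 1 overrides the behavior version, exactly as the article's if/else does.
    $dflName = if ($domainObj.ntMixedDomain -eq 1) { 'Windows 2000 Mixed mode' } else { Resolve-Level $DomainLevels $dfl }

    New-Object PSObject -Property @{
        Domain         = $root.defaultNamingContext
        SchemaVersion  = $ver
        SchemaOS       = Resolve-Level $SchemaVersions $ver
        DFLValue       = $dfl
        DFL            = $dflName
        FFLValue       = $ffl
        FFL            = Resolve-Level $ForestLevels $ffl
        FFLNotAboveDFL = ($ffl -le $dfl)   # the "never HIGHER" note: a false here means something is wrong
        ReadyFor2012DC = ($ffl -ge 2)      # Windows Server 2003 forest mode is the minimum for a 2012 / 2012 R2 DC
    } | Select-Object Domain, SchemaVersion, SchemaOS, DFLValue, DFL, FFLValue, FFL, FFLNotAboveDFL, ReadyFor2012DC
}

Get-ADLevelReport | Format-List
```

New-Object PSObject is used instead of the [pscustomobject] accelerator so the script also runs on PowerShell 2.0, the version shipped with Windows Server 2008 R2; the trailing Select-Object only fixes the column order. Run it with -Server against a specific DC when you want to compare what different DCs report, which is a quick way to spot a DC that has not yet replicated a level change.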

I hope it would be useful for you.


Author: Krzysztof Pytko

Global Catalog on additional Domain Controller


Sometimes we need to select an additional Domain Controller as a Global Catalog and wonder how to do that. On a Domain Controller running Windows Server 2003 this is always necessary after promoting it to a DC, because the feature is not added automatically.

When we use Windows Server 2008/2008 R2 as a Domain Controller, we can make it a Global Catalog during the promotion process (if we do not turn off the default options). However, when we disable it during promotion, or when we are promoting Windows Server 2003, we need to enable that feature later.

This short article shows you how to do that.

Important! In a single-forest, multiple-domain environment you first need to ensure that all of your Domain Controllers are Global Catalogs. If they are not, you cannot place the Global Catalog on the DC holding the Infrastructure Master Operation role!

To select an additional Global Catalog in your domain, you need to use the Active Directory Sites and Services console. This tool is located under “Administrative Tools” (even though this is done on Windows Server 2003, all the same steps are valid for Windows Server 2008/2008 R2)

Active Directory Sites and Services console

Navigate to the Site in which the desired Domain Controller is located and expand the “Servers” node. Select that server and, in the right pane, click the right mouse button on “NTDS Settings” and choose “Properties”

NTDS Settings

Under “NTDS Settings” in “General” tab check “Global Catalog” checkbox.

Configuring Global Catalog

Configuring Global Catalog

Confirm by clicking on “OK” button and that’s all!
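The same change made from PowerShell, as an added example that is not part of the article. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later) and a hypothetical DC name, DC2. The “Global Catalog” checkbox in Sites and Services sets bit 1 of the options attribute on the DC's NTDS Settings object, which is what Set-ADObject writes here; before writing, the function applies the rule from the “Important!” note: in a multi-domain forest the Infrastructure Master holder is not made a GC unless every other DC in the domain already is one.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Enable-GlobalCatalogOnDC {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $DCName   # short name of the DC, e.g. 'DC2' (hypothetical)
    )

    # Every DC of the current domain, with its GC flag and the FSMO roles it holds.
    $allDCs = Get-ADDomainController -Filter *
    $target = $allDCs | Where-Object { $_.Name -eq $DCName }
    if (-not $target) { throw "Domain Controller '$DCName' was not found in this domain." }

    if ($target.IsGlobalCatalog) {
        Write-Host "$DCName is already a Global Catalog." -ForegroundColor Yellow
        return $target
    }

    # Rule from the article: with more than one domain in the forest, the Infrastructure Master
    # must not be a GC unless all DCs in the domain are GCs (otherwise it stops updating phantoms).
    $forest = Get-ADForest
    $nonGCs = @($allDCs | Where-Object { -not $_.IsGlobalCatalog -and $_.Name -ne $DCName })
    if ($forest.Domains.Count -gt 1 -and
        $target.OperationMasterRoles -contains 'InfrastructureMaster' -and
        $nonGCs.Count -gt 0) {
        $msg = "$DCName holds the Infrastructure Master role and not every DC is a GC (non-GC DCs: " +
               (($nonGCs | ForEach-Object { $_.Name }) -join ', ') + "). Move the role first."
        throw $msg
    }

    # The GC flag is bit 1 of 'options' on the NTDS Settings object, the checkbox the article sets.
    $ntdsDN = $target.NTDSSettingsObjectDN
    $ntds   = Get-ADObject -Identity $ntdsDN -Properties options
    $newOptions = ([int]$ntds.options) -bor 1
    if ($PSCmdlet.ShouldProcess($ntdsDN, "Set options=$newOptions (enable Global Catalog)")) {
        Set-ADObject -Identity $ntdsDN -Replace @{ options = $newOptions }
    }

    # Re-read so the caller sees the new flag; GC advertisement in DNS follows after replication.
    return Get-ADDomainController -Identity $DCName
}

# Usage: dry run first, then the real change.
# Enable-GlobalCatalogOnDC -DCName 'DC2' -WhatIf
# Enable-GlobalCatalogOnDC -DCName 'DC2'
```

Because the function is SupportsShouldProcess, -WhatIf prints the exact NTDS Settings DN and the options value it would write without touching the directory, and -Confirm prompts before the write. Give the new GC time to finish its partial-replica replication before you rely on it for logons.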

Author: Krzysztof Pytko

Decommissioning broken Domain Controller


Sometimes we want to remove a Domain Controller from a network but it is not possible: we see errors saying that the DC cannot be demoted. We are afraid because that server also hosts other services or data (which is not recommended; a DC should run only the AD DS, DNS and possibly DHCP roles, to avoid server overload or corruption). This situation is mostly found in small organizations where only very few servers are available.

What can we do in this case, when formatting or reinstalling the server is not an option? We can use a special mode of demoting the Domain Controller when we see an error message similar to this one

decommissioning error

On this broken server we need to run dcpromo from the run box with an additional switch to be able to decommission the DC. This switch is /forceremoval

Log on to that faulty DC and type dcpromo /forceremoval

forcing Domain Controller demotion

If the Domain Controller holds any of the FSMO roles, you will get warnings that you should transfer them to another server.

FSMO roles warning

Unfortunately this is impossible, because the DC cannot contact any other Domain Controller within the network. In this case you have to seize the FSMO roles.

You can find out how to do that in another article at http://kpytko.wordpress.com/2011/08/28/seizing-fsmo-roles/

To continue, press “Yes” on each warning related to the FSMO roles. At the final step (if your DC also held the DNS role) you will be warned that you should fix the DNS server settings of your network after its removal. If you didn’t do that before, remember that you have to fix it after the DC demotion. Confirm that you are sure you want to remove the Active Directory services

DNS removal confirmation

When your DC also held the Global Catalog, you will be warned to check that at least one GC is available in the network, to prevent problems with logon to the domain.

Global Catalog removal confirmation

Now, you should see the standard Active Directory Installation wizard, which guides you through the decommission process. Follow its suggestions

Active Directory Installation wizard

Before this process starts, there is one last piece of information: after all this you have to do a metadata cleanup, because it won’t be done automatically.

Active Directory Installation wizard

DNS also needs to be cleaned up after the DC demotion; click “OK”

Now, set up the local administrator password, which will be necessary to log on to that server. The decommission process removes the Active Directory role from the server and makes it a domain member box.

Setting local administrator password

After the role removal, reboot the server to fully complete the task

On Windows Server 2003 you have to do it manually

Reboot Windows Server 2003

On Windows Server 2008/2008 R2 you can select a checkbox to reboot the server automatically

Reboot server

Voila! Your DC has been decommissioned and is now a domain member server with all the other roles and data on it. You can log on with the password specified during the demotion process

A domain member server - Windows 2008

A domain member server - Windows 2003

Now, you need to do the metadata cleanup, remove the DNS records related to that server and delete it from Sites and Services.

You can find out how to do the metadata cleanup in another article at

http://kpytko.wordpress.com/2011/08/29/metadata-cleanup-for-broken-domain-controller/

You can promote this server as a DC again, or change its name and use it only as a standard box in your network.

To clean the DNS records, open the DNS management console and delete all DNS records related to the removed Domain Controller. Next, run the Active Directory Sites and Services console and remove the server from the appropriate Site.

Sites and Services

Confirm that you want to remove this object and that’s it.

Removing demoted DC from Sites and Services

It’s done.

Author: Krzysztof Pytko

Decommissioning the old Domain Controller


When you connect new Domain Controllers to your network, you may wish to remove the old ones. The reason can vary: you have newer hardware on which a DC is running, or you just want to remove old Windows 2000/2003 Domain Controllers which were replaced by Windows Server 2008.

To do that you need a Domain Admin account. When you are sure that the DC can be decommissioned, you need to do some additional steps before you really remove it from your network.

First of all, you need to check that the forest/domain has no errors. To do that, you need to use the dcdiag and repadmin tools. Dcdiag is available on a Domain Controller by default, but repadmin must be installed from the Support Tools on the Windows Server CD.

Open a command line and type dcdiag /v to check the condition of your domain environment. Review the output and check that everything is OK. If not, you have to fix the errors before continuing with the Domain Controller decommissioning.

dcdiag check

You should also check that Active Directory replication between Domain Controllers occurs regularly. To check that, use the repadmin tool from the Support Tools. You need to install them from the Windows Server CD. After installation they are located by default in “C:\Program Files\Support Tools”

Enter this syntax and review the output to see whether there are any errors in AD replication.

repadmin /showrepl /all /verbose

AD data replication check

You should also check that the DC which will be decommissioned does not hold any of the FSMO roles. Don’t worry, the decommission process will transfer them automatically to another available Domain Controller, but it’s better to control this process yourself. Please also ensure that at least one Global Catalog server will be available in your network after the decommission process.

Now, when you are sure that you have no errors in your domain environment, you can start decommissioning the Domain Controller. Log on to that particular server with Domain Admin credentials and in the run box type dcpromo (like in the DC promotion process)

Demoting DC

The Active Directory Installation wizard will be displayed. Continue this process

Active Directory Installation wizard

You will be warned to ensure that at least one Global Catalog will be left in your environment

Active Directory Installation wizard

On the next screen do not select the “This server is the last domain controller in the domain” checkbox. This option is only used when you are demoting the last Domain Controller and you also want to remove the domain. So, in this case go further without any changes on this screen

Active Directory Installation wizard

Set up the server’s password. After decommissioning it will be a domain member server and you need to specify the local administrator’s password.

Active Directory Installation wizard

To permanently remove the Active Directory role from this server, click “Next”

Active Directory Installation wizard

Wait until the Active Directory services are removed from the server; when your DC is decommissioned, you need to reboot it to complete the process

Active Directory Installation wizard

Active Directory removed

As you can see, your box is a domain member now.

a domain member server

If you wish to keep this server in your environment, it’s good to consider changing its name (if it was related to its DC role, as in my example). When you don’t want to use this server anymore, you can shut it down and then clean up the DNS records and Sites and Services.

To do that, open the DNS management console and delete all DNS records related to the removed Domain Controller. Next, run the Active Directory Sites and Services console and remove the server from the appropriate Site.

Removing demoted DC from Sites and Services

Confirm that you want to remove this object and that’s it.

DC removal from Sites and Services - confirmation

It’s done.
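Both decommissioning articles above end with the same manual clean-up (metadata cleanup, DNS records, the server object in Sites and Services), and it is easy to miss one of them. The following added example, which is not part of either article, audits the directory for leftovers of a demoted DC. It assumes the ActiveDirectory module; the DNS part runs only if the DnsServer module (Windows Server 2012 or later, or its RSAT) is available. OLDDC and 192.0.2.10 in the usage lines are constructed sample values.

```powershell
# Added example (not from the original articles). Requires the ActiveDirectory module;
# the DNS check additionally needs the DnsServer module and is skipped without it.
Import-Module ActiveDirectory

function Test-DecommissionedDC {
    param(
        [Parameter(Mandatory = $true)] [string] $OldDCName,   # host name of the demoted DC, e.g. 'OLDDC'
        [string] $OldIPAddress,                               # optional: its former IP address
        [string] $DnsServer                                   # optional: DNS server to query (default: local)
    )
    $root     = Get-ADRootDSE
    $domain   = Get-ADDomain
    $forest   = Get-ADForest
    $findings = @()

    # 1. Server object and NTDS Settings in the Configuration partition (what Sites and Services shows).
    $sitesDN = "CN=Sites,$($root.configurationNamingContext)"
    $server  = Get-ADObject -SearchBase $sitesDN -LDAPFilter "(&(objectClass=server)(cn=$OldDCName))"
    if ($server) {
        $findings += "Server object still present in Sites and Services: $($server.DistinguishedName)"
        $ntds = Get-ADObject -SearchBase $server.DistinguishedName -LDAPFilter '(objectClass=nTDSDSA)'
        if ($ntds) { $findings += "NTDS Settings still present (metadata cleanup not done): $($ntds.DistinguishedName)" }
    }

    # 2. No FSMO role may still point at the demoted DC; after /forceremoval they have to be seized.
    $roles = @{
        PDCEmulator = $domain.PDCEmulator; RIDMaster = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
    }
    foreach ($r in $roles.GetEnumerator()) {
        if ($r.Value -eq $OldDCName -or $r.Value -like "$OldDCName.*") {
            $findings += "FSMO role $($r.Key) is still owned by $($r.Value); seize it on a healthy DC."
        }
    }

    # 3. The computer account: a demoted DC must no longer carry primary group 516 (Domain Controllers).
    $computer = Get-ADComputer -LDAPFilter "(cn=$OldDCName)" -Properties primaryGroupID
    if ($computer -and $computer.primaryGroupID -eq 516) {
        $findings += "Computer account $($computer.DistinguishedName) still has primary group 516 (Domain Controllers)"
    }

    # 4. DNS records (A, SRV, NS, CNAME) that still name the old DC or its address.
    if (Get-Module -ListAvailable -Name DnsServer) {
        Import-Module DnsServer
        $dnsSplat = @{}
        if ($DnsServer) { $dnsSplat['ComputerName'] = $DnsServer }
        $namePattern = "(^|\s)$([regex]::Escape($OldDCName))\."
        $dnsHits = foreach ($rec in (Get-DnsServerResourceRecord @dnsSplat -ZoneName $domain.DNSRoot)) {
            # Flatten the type-specific RecordData (IPv4Address, DomainName, NameServer, ...) into one string.
            $data = ($rec.RecordData.CimInstanceProperties | ForEach-Object { "$($_.Value)" }) -join ' '
            if ($rec.HostName -eq $OldDCName -or $data -match $namePattern -or
                ($OldIPAddress -and $data -match "(^|\s)$([regex]::Escape($OldIPAddress))(\s|$)")) {
                "DNS: $($rec.RecordType) $($rec.HostName) -> $data"
            }
        }
        if ($dnsHits) { $findings += @($dnsHits) }
    } else {
        Write-Host "DnsServer module not available; check the DNS records by hand." -ForegroundColor Yellow
    }

    if ($findings.Count -eq 0) { Write-Host "No stale references to $OldDCName found." -ForegroundColor Green }
    else { $findings | ForEach-Object { Write-Host $_ -ForegroundColor Red } }
    return $findings
}

# Usage (constructed sample values):
# Test-DecommissionedDC -OldDCName 'OLDDC' -OldIPAddress '192.0.2.10'
```

The function returns the list of findings, so it can be re-run after each clean-up step until it comes back empty. The DNS check only walks the domain zone; in forests where _msdcs.<forest> is a separate zone, run Get-DnsServerResourceRecord against that zone as well, since the old DC's GUID CNAME and SRV records live there.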

Author: Krzysztof Pytko

Adding first Windows Server 2008 R2 Domain Controller within Windows 2003 network


Prerequisites

To be able to configure a Windows Server 2008 R2 Domain Controller within a Windows 2003 network we need to check that the Domain Functional Level is set to at least Windows 2000 native mode. The preferable Domain Functional Level is Windows Server 2003. When it is set to Windows Server 2003 mode, and you have only one domain in the forest or each domain has only Windows 2003 Domain Controllers, you are also able to raise the Forest Functional Level to Windows Server 2003 in order to use Read-Only Domain Controllers (RODC) within your network.

We can check this in domain, where we want to install first 2008 R2 DC. To verify that, we need to use “Active Directory Users and Computers” or “Active Directory Domains and Trusts” console.

Using “Active Directory Users and Computers” console, select your domain and click right mouse button (RMB) on it. Choose “Raise Domain Functional Level” and check that.

If you see a screen like this (mixed mode), it means that you need to raise your Domain Functional Level.

Domain Functional Level

But remember, raising the Domain Functional Level is a one-time action and cannot be reverted. Before you raise it to 2000 native mode, please ensure that all of your Domain Controllers are running at least Windows 2000 Server.

Windows 2000 native mode does not support DCs based on earlier Microsoft Windows systems like NT4.

If your environment doesn’t have any NT4 or 2000 Domain Controllers, you can raise the Domain Functional Level to Windows Server 2003 mode.

Now, when you have checked that you do not have any pre-2000 OS, select the appropriate level and click on the “Raise” button

Raising Domain Functional Level

and accept the change. You will be warned that reverting the change won’t be possible!

Warning

Information about the successful change will be displayed

Information

After the successful change, you should see the changed domain operation mode.

Verification

Another way to do that is using the Active Directory Domains and Trusts console. Run this console, select the domain for which you want to check the Domain Functional Level and choose “Raise Domain Functional Level”

Follow the same steps as in previous console.

Here you can also raise your Forest Functional Level, if all of the Domain Controllers in the entire forest are running on Windows Server 2003. If not, please skip the steps below and go to the Single Master Operation Roles section.

To raise the Forest Functional Level, select the “Active Directory Domains and Trusts” node, click on it with the RMB and choose “Raise Forest Functional Level”. On the list accept “Windows Server 2003” mode by clicking on the “Raise” button.

Raising Forest Functional Level

You will be notified that this is also a non-reversible action. Confirm that you know what you are doing and then verify that your Forest Functional Level is set to Windows Server 2003

Forest Functional Level

Now, it’s time to determine which Domain Controller(s) hold(s) the Single Master Operation Roles. The most important ones for preparing the environment for a 2008 R2 DC are

  • Schema Master
  • Infrastructure Master

On that/those DC(s) we have to run Active Directory preparation tool.

To determine which DC(s) hold(s) these roles we need to use:

  • Active Directory Users and Computers and Active Directory Schema consoles

or

  • the netdom command from Support Tools (Support Tools have to be installed from the Windows 2000 Server CD, from the Support folder)

To determine which DC holds the Schema Master, we need to run, in a command line on one of the DCs or on a workstation with Administrative Tools installed:

regsvr32 schmmgmt.dll

to register the Schema snap-in within the OS.

Registration ActiveDirectory Schema console

Now, open MMC console from run box

MMC console

Within that console add Active Directory Schema snap-in

Active Directory Schema snap-in

Click RMB on the “Active Directory Schema” node and choose “Operations Master”

Write down or remember which DC holds it.

Schema Master owner

Close MMC without saving changes.

Now we need to identify the Infrastructure Master within your network. To do that, open the Active Directory Users and Computers console, select your domain and click RMB on it. From the pop-up menu, choose “Operations Masters”. Select the “Infrastructure” tab

Infrastructure Master owner

In my case, both Operation Masters are located on the same DC.

To verify the necessary Operations Masters much faster, we can use the netdom command installed from the Support Tools. Open a command line and go to the default installation directory:

C:\Program Files\Support Tools

then type: netdom query fsmo

and identify the DC(s) from the output

netdom output

We have collected almost all the necessary information to start the AD preparation for the first Windows Server 2008 R2 Domain Controller. The last and most important part before we start the preparation is checking the forest/domain condition by running:

  • Dcdiag (from Support Tools)
  • Repadmin (also from Support Tools)

Run in a command line on a DC where you have installed the Support Tools

dcdiag /v

and check that there are no errors. If there are, please correct them.

An example part of the output from the dcdiag tool

dcdiag

Now run in the command line:

repadmin /showrepl /all /verbose

to check that your DCs are replicating data without errors.

repadmin

After those checks, you can start with Active Directory preparation.
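The facts collected in the steps above (FSMO role owners, functional levels, Global Catalogs, replication health) can also be gathered in one go with the .NET System.DirectoryServices.ActiveDirectory classes, which talk LDAP/RPC to Windows Server 2003 DCs from any domain-joined machine running PowerShell and need neither the ActiveDirectory module nor the Support Tools. The same report covers the pre-checks of the “Decommissioning the old Domain Controller” article (no FSMO role on the DC being removed, a Global Catalog left over, replication without errors). This is an added example, not the article's own procedure; it complements dcdiag /v rather than replacing it, since dcdiag tests far more than replication state.

```powershell
# Added example (not from the original article). Uses only .NET classes available on any
# Windows box with PowerShell; run it as a domain user on a domain-joined machine.
function Get-ADPrecheckReport {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    # FSMO role owners, the same answer 'netdom query fsmo' gives. Schema Master and
    # Infrastructure Master are the two that matter for adprep /forestprep and /domainprep.
    $fsmo = New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaRoleOwner.Name
        DomainNamingMaster   = $forest.NamingRoleOwner.Name
        PDCEmulator          = $domain.PdcRoleOwner.Name
        RIDMaster            = $domain.RidRoleOwner.Name
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
    }

    # Inbound replication state of every DC per partition, the data repadmin /showrepl prints.
    $replProblems = @()
    foreach ($dc in $domain.DomainControllers) {
        try {
            foreach ($n in $dc.GetReplicationNeighbors()) {
                if ($n.ConsecutiveFailureCount -gt 0) {
                    $replProblems += "$($dc.Name) <- $($n.SourceServer) [$($n.PartitionName)]: " +
                        "$($n.ConsecutiveFailureCount) consecutive failures, last result $($n.LastSyncResult), " +
                        "last success $($n.LastSuccessfulSync)"
                }
            }
        } catch {
            # A DC that cannot be queried at all is itself a finding, not a reason to stop.
            $replProblems += "$($dc.Name): cannot read replication status ($($_.Exception.Message))"
        }
    }

    $mixed = [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2000MixedDomain
    New-Object PSObject -Property @{
        Forest              = $forest.Name
        ForestMode          = $forest.ForestMode
        DomainMode          = $domain.DomainMode
        FSMO                = $fsmo
        GlobalCatalogs      = @($forest.GlobalCatalogs | ForEach-Object { $_.Name })
        ReplicationProblems = $replProblems
        # Prerequisites stated in the article: DFL above Windows 2000 mixed and error-free replication.
        ReadyForAdprep      = ($replProblems.Count -eq 0) -and ($domain.DomainMode -ne $mixed)
    } | Select-Object Forest, ForestMode, DomainMode, FSMO, GlobalCatalogs, ReplicationProblems, ReadyForAdprep
}

Get-ADPrecheckReport | Format-List
```

GetReplicationNeighbors() contacts each DC over RPC, so a firewall between sites shows up as a "cannot read replication status" line rather than a crash. Before decommissioning a DC, compare its name against the FSMO list and make sure GlobalCatalogs still has at least one other entry.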

Active Directory preparation

Before we start preparing AD for the new Windows Server 2008 R2 DC, we need to be sure that we are members of:

  • Enterprise Admins group or
  • Schema Admins group

and that we have the DVD with Windows Server 2008 R2

Let’s start preparing Active Directory for the first Windows Server 2008 R2 Domain Controller.

Log on to the Schema Master owner (we identified it in the previous steps) as a user from one of the groups mentioned above and put the installation media into the DVD-ROM. Open a command line and go to

<DVD-Drive-Letter>:\support\adprep

example:

d:\support\adprep

You will find there two AD preparation tools:

  • adprep (64-bit application for 64-bit platforms)
  • adprep32 (32-bit application for 32-bit platforms)

We need to use adprep32 on the Schema Master (because it is a 32-bit OS). In case you have 64-bit Windows Server 2003, use adprep. So, type in the command line

adprep32 /forestprep

Forest preparation

As you can see, adprep informs you that all of your Windows 2000 Domain Controllers require at least SP4 before the schema can be extended.

Warning

If you followed the previous steps of this article, all of your DCs have SP4 installed or you have no 2000 DCs at all. You can continue by pressing the C key on the keyboard and waiting until the AD preparation tool finishes its actions.

adprep32 /forestprep

The schema in your forest is extended.

You may also wish to run adprep32 /rodcprep if your Forest Functional Level is Windows Server 2003. If not, you will be able to do that at any time in the future.

Preparing environment for RODC

If everything goes fine, you will see no errors.

/rodcprep output

The last step before we can introduce 2008 R2 as a DC is to prepare the domain for it.

Log on to the Infrastructure Master owner as Domain Administrator and put the DVD installation media into the DVD-ROM. Open a command line and, as previously, go to the support\adprep directory.

Then type adprep32 /domainprep /gpprep

Preparing domain

and wait until adprep finishes its actions

Congratulations! Your domain is now ready for the first Windows 2008 R2 Domain Controller.

You can check that by using the ADSIEdit console or the free ADFind command-line tool, which can be downloaded from the Internet.

Open run box and type adsiedit.msc to open ADSI Editor

Running ADSIEdit

Expand the “Schema” node and select the “Schema” container. Click on it with the RMB and choose “Properties”. You will see the schema “Attribute Editor” tab. Check “Show only attributes that have values” and search for the “objectVersion” attribute.

Verifying schema version

Value 47 tells you that your Schema version is Windows Server 2008 R2

Using the adfind tool, run this syntax in the command line

adfind -sc schver

Verifying schema version

Adding first Windows 2008 R2 Domain Controller

Install your new box with Windows Server 2008 R2 and configure its IP address according to your network settings.

Remember that it’s very important to properly configure the Network Card settings to be able to promote your new box as a domain controller!

The most important part of configuring the NIC is setting up the DNS server(s). Point your new box to one of the existing Domain Controllers where you have DNS installed and configured.

Network card configuration

Log on as local administrator and in command-line type: dcpromo

Running dcpromo

The Domain Controller promotion will start automatically. If you haven’t installed the Active Directory Domain Services role before, the wizard will do it at this moment.

Active Directory: Directory Services role

When the role is installed, you will see the DC promotion wizard. I would suggest using advanced mode during the promotion process. So, please check “Use advanced mode installation” and let’s start.

Domain Controller promotion wizard

We are adding a new DC within the existing forest to the existing domain, so choose the appropriate option and click “Next”

Adding new DC into existing domain

Type the DNS domain name to which you want to add the new domain controller and specify Domain Administrator credentials for that process

Adding new DC into existing domain

Choose domain from a list

Adding new DC into existing domain

If you didn’t previously use the /rodcprep switch with adprep, you will be notified that you won’t be able to add Read-Only Domain Controllers. To install a RODC within the network it’s required to have at least the Windows 2003 Forest Functional Level, and you can run this preparation later (before the first RODC installation). Skip this warning and press “Yes” to continue.

RODC warning

Select appropriate site for this Domain Controller and continue.

Install on your new DC:

  • DNS
  • Global Catalog

They’re suggested by default. Continue and start the AD data replication process from an existing DC within the network.

Adding new DC into existing domain

Now, you can select from which Domain Controller the data should be replicated, or leave the choice to the wizard (the second option)

Adding new DC into existing domain

Leave the default folders for the Directory Services data (or change the path if you need to)

Adding new DC into existing domain

Set up the Directory Services Restore Mode password, in case you need to use this mode. The password should be different from the domain administrator account’s and should also be changed periodically.

DSRM password set up

Now you will see the summary screen; click “Next” and the Domain Controller promotion wizard will start preparing the new DC for you.

Summary screen

To have a fully operational DC, you need to reboot it after promotion. So, let’s check the “Reboot on completion” checkbox and wait until it is up and ready.

Installing Directory Services

Your new Windows Server 2008 R2 Domain Controller is now available in your network!

New DC available

Give the DC some time to replicate the Directory Services data, and then you can enjoy your new DC.

Post-Installation steps

Now, you need to make some small changes to your environment configuration.

In the NIC properties of each server/workstation, configure the alternate DNS server IP address to point to the new Domain Controller.

Open the DHCP management console and, under the server/scope options (it depends on your DHCP configuration), modify option no. 006

Add the IP address of your new Domain Controller there as a DNS server.

DHCP reconfiguration

It’s done

Author: Krzysztof Pytko