Archive | Windows Server 2008 R2

Moving Active Directory database

 

Sometimes you may need to move the Active Directory database from one location to another: a different folder or a different drive. When you need to do that, you cannot use the standard copy/move operations of the Windows operating system.

This kind of action is not supported while Active Directory services (Active Directory Domain Services) are running!

You need to use a tool named ntdsutil.

This is a command-line tool that lets you move the Active Directory database to another location.

Important! When you move the AD database, the specified location must exist! You cannot move the database to a non-existent drive or folder!

To move the Active Directory database, you first need to determine which operating system version this particular Domain Controller is running.

Windows Server 2003

In Windows Server 2003 you need to restart the Domain Controller into Directory Services Restore Mode (DSRM), which you reach by pressing the F8 key during Windows startup. Choose this mode from the list and press Enter to boot into it

DSRM mode startup

Warning! Remember that while the DC is in this mode it does not provide Active Directory authentication, and its other roles/services are unavailable to users! Be especially careful in locations/Sites where you have only a single DC, because during this operation the DC and all its roles (i.e. DNS, DHCP) are not working!

Wait until the logon screen appears

DSRM mode logon screen

Press CTRL+ALT+DEL and provide the Directory Services Restore Mode administrator password.

Note! This password may be (and should be) different from the standard domain administrator password! If you have not changed it since DC promotion, you need to find it in your documentation before you can proceed.

DSRM mode administrator password

You will be informed that the server is running in Safe mode

Safe mode warning

Now you need to open a command prompt, in which you will run the ntdsutil tool

Running command-line

To run ntdsutil, type in the command prompt

ntdsutil

Running ntdsutil tool

and check that the desired folder structure is available before you move the AD database. If not, create it or attach the drive to the system. If you do not create the folder, ntdsutil creates it automatically during the database move.

Warning! You cannot use a removable disk to store the Active Directory database. The disk needs to be an NTFS-formatted partition; the AD database does not support FAT/FAT32/ReFS file systems!

Verifying target folder for AD database

Now you need to enter the files context of the ntdsutil tool, where you can operate on the AD database files (DB and logs)

ntdsutil – file maintenance context

There are a few file maintenance options, but in this article only two of them are interesting for us:

  • Move DB to Path-to-the-new-location
  • Move logs to Path-to-the-new-location

File maintenance options

So, let's move the Active Directory database to the new location (in this example E:\ADDB).

Type this syntax into the command prompt window

move DB to E:\ADDB

Moving AD database

and wait some time while the AD DB is being moved to the new location

AD DB is moving

As you can see in the screenshot above, the AD DB was moved with the built-in move command while Active Directory Domain Services was not running!

Let's verify that the Active Directory database was moved to the specified location. Just check it using Windows Explorer and go to that location

AD database new location

or type in the command prompt inside ntdsutil

info

AD database new location

OK, the Active Directory database has been moved, and I strongly suggest moving its log files to the same location as well. For that you need to use the option

move logs to E:\ADDB

where E:\ADDB is a folder on your server

Moving AD logs to the new location

and wait some time while the logs are being moved to the new location

AD logs are moving

OK, let's verify that the Active Directory logs were moved to the specified location. Just check it using Windows Explorer and go to that location

AD logs new location

All logs are in the same location as the AD database. You can also verify that within ntdsutil by typing

info

AD logs new location

Now you need to schedule a System State backup of your Domain Controller so that you have an up-to-date backup with the AD database and its logs in the new location.

That's all; you may close ntdsutil by typing quit twice and close the command-line window

Leaving ntdsutil

Reboot server into its regular mode and you’re done!

Windows Server 2008/2008R2

With Windows Server 2008/2008 R2 this process is much quicker than with previous Microsoft operating systems. Windows Server 2008 introduced, for the first time, Active Directory as a restartable service. This improvement allows you to simply stop the service without rebooting the server into Directory Services Restore Mode.

What are the main benefits of this solution?

  • You do not waste time on a server reboot
  • Other services are still available to users
  • Even DNS or DHCP servers keep running, as long as at least one Domain Controller is available!

Note! Remember that when you have a single Domain Controller and you stop the Active Directory Domain Services service, the DC will not provide its services, just as in Windows Server 2003 DSRM mode!

So, how do you do that in Windows Server 2008/2008 R2? The same way as in Windows Server 2003, except for the server reboot into DSRM. Simply stop the Active Directory Domain Services service and run the ntdsutil tool from an elevated command prompt.

First of all, you have to stop the Active Directory Domain Services service. Run an elevated command prompt

Running elevated command prompt

and type the command below to stop the Active Directory Domain Services (NTDS) service

net stop ntds

Stopping Active Directory: Domain Services service

Confirm that you are sure the following services will also be stopped by typing Y and pressing Enter

Stopping dependent services

Now you can start the ntdsutil tool to initiate the Active Directory database move. Type in the command line

ntdsutil

Executing ntdsutil tool

and check that the desired folder structure is available before you move the AD database. If not, create it or attach the drive to the system. If you do not create the folder, ntdsutil creates it automatically during the database move.

Warning! You cannot use a removable disk to store the Active Directory database. The disk needs to be an NTFS-formatted partition; the AD database does not support FAT/FAT32/ReFS file systems!

Target folder verification

Before you can enter the files context, you have to activate the AD DB instance. To do that, type

activate instance NTDS

Activating NTDS instance

Now you can enter the files context of the ntdsutil tool, where you can operate on the AD database files (DB and logs). Type

files

ntdsutil – files maintenance

There are a few file maintenance options, but in this article only two of them are interesting for us:

  • Move DB to Path-to-the-new-location
  • Move logs to Path-to-the-new-location

Files maintenance options

So, let's move the Active Directory database to the new location (in this example E:\ADDB).

Type this syntax into the command prompt window

move DB to E:\ADDB

Moving AD DB to the new location

and wait some time while the AD DB is being moved to the new location

AD DB moved

As you can see in the screenshot above, the AD DB was moved with the built-in move command while Active Directory Domain Services was not running!

Let's verify that the Active Directory database was moved to the specified location. Just check it using Windows Explorer and go to that location

AD DB new location

or type in the command prompt inside ntdsutil

info

Active Directory database new location

OK, the Active Directory database has been moved, and I strongly suggest moving its log files to the same location as well. For that you need to use the option

move logs to E:\ADDB

where E:\ADDB is a folder on your server

Moving AD log files

and wait some time while the logs are being moved to the new location

Moving AD logs

OK, let's verify that the Active Directory logs were moved to the specified location. Just check it using Windows Explorer and go to that location.

All logs are in the same location as the AD database. You can also verify that within ntdsutil by typing

info

Active Directory logs new location

Now you need to schedule a System State backup of your Domain Controller so that you have an up-to-date backup with the AD database and its logs in the new location.

That's all; you may close ntdsutil by typing quit twice

Leaving ntdsutil

and now it's time to start the Active Directory Domain Services service. Type in the command line

net start NTDS

Starting AD DS service

Just verify that these services were also started together with the AD DS service (they should start automatically)

  • File Replication Service (NtFRS)
  • Kerberos Key Distribution Center (KDC)
  • Intersite Messaging (IsmServ)
  • DNS Server (DNS)

if so, you’re done!

Windows Server 2012/2012R2

In Windows Server 2012/2012 R2 this procedure is exactly the same as for Windows Server 2008/2008 R2. All steps described for the previous Microsoft operating system version apply to these two newer operating systems as well.

Let's see how this procedure looks on Windows Server 2012/2012 R2.

Note! Remember that when you have a single Domain Controller and you stop the Active Directory Domain Services service, the DC will not provide its services, just as in Windows Server 2003 DSRM mode!

So, how do you do that in Windows Server 2012/2012 R2? The same way as in Windows Server 2008. Simply stop the Active Directory Domain Services (NTDS) service and run the ntdsutil tool from an elevated command prompt.

First of all, you have to stop the Active Directory Domain Services service. Run an elevated command prompt

Running elevated command prompt

and type the command below to stop the Active Directory Domain Services (NTDS) service

net stop ntds

Stopping NTDS service

Confirm that you are sure the following services will also be stopped by typing Y and pressing Enter

Dependent services to be stopped

Now you can start the ntdsutil tool to initiate the Active Directory database move. Type in the command line

ntdsutil

Executing ntdsutil

and check that the desired folder structure is available before you move the AD database. If not, create it or attach the drive to the system. If you do not create the folder, ntdsutil creates it automatically during the database move.

Warning! You cannot use a removable disk to store the Active Directory database. The disk needs to be an NTFS-formatted partition; the AD database does not support FAT/FAT32/ReFS file systems!

Target folder verification

Before you can enter the files context, you have to activate the AD DB instance. To do that, type

activate instance NTDS

Setting NTDS instance

Now you can enter the files context of the ntdsutil tool, where you can operate on the AD database files (DB and logs). Type

files

Files maintenance context

There are a few file maintenance options, but in this article only two of them are interesting for us:

  • Move DB to Path-to-the-new-location
  • Move logs to Path-to-the-new-location

Active Directory database and logs move options

So, let's move the Active Directory database to the new location (in this example E:\ADDB).

Type this syntax into the command prompt window

move DB to E:\ADDB

Moving Active Directory database

and wait some time while the AD DB is being moved to the new location

Moving Active Directory database

As you can see in the screenshot above, the AD DB was moved with the built-in move command while Active Directory Domain Services was not running!

Let's verify that the Active Directory database was moved to the specified location. Just check it using Windows Explorer and go to that location

New Active Directory database location

or type in the command prompt inside ntdsutil

info

New Active Directory database location

OK, the Active Directory database has been moved, and I strongly suggest moving its log files to the same location as well. For that you need to use the option

move logs to E:\ADDB

where E:\ADDB is a folder on your server

Moving Active Directory logs

and wait some time while the logs are being moved to the new location

Moving Active Directory logs

OK, let's verify that the Active Directory logs were moved to the specified location. Just check it using Windows Explorer and go to that location

New Active Directory logs location

All logs are in the same location as the AD database. You can also verify that within ntdsutil by typing

info

New Active Directory logs location

Now you need to schedule a System State backup of your Domain Controller so that you have an up-to-date backup with the AD database and its logs in the new location.

That's all; you may close ntdsutil by typing quit twice

Leaving ntdsutil

and now it's time to start the Active Directory Domain Services service. Type in the command line

net start NTDS

Starting Active Directory Domain Services service

Just verify that these services were also started together with the AD DS service (they should start automatically)

  • File Replication Service (NtFRS)
  • Kerberos Key Distribution Center (KDC)
  • Intersite Messaging (IsmServ)
  • DNS Server (DNS)

if so, you’re done!
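The Windows Server 2008/2008 R2 and 2012/2012 R2 procedures above are identical: check the target, stop NTDS, run the ntdsutil commands, confirm the new paths, restart the services, take a backup. The following PowerShell script is an added example that wraps those steps with the checks an administrator would want; it is not code from the article. The target folder E:\ADDB is the article's example, and all function and parameter names are my own assumptions. The ntdsutil commands, the NTDS registry value names and the service names are real.

```powershell
# Added example (not from the article): pre-flight checks, the ntdsutil move and
# post-move verification for relocating the AD database on Windows Server
# 2008/2008 R2/2012/2012 R2. Run in an elevated PowerShell session on the DC.
# The target folder E:\ADDB and all function/parameter names are my own
# assumptions; the ntdsutil commands and service names are the article's.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$DependentServices = 'Kdc', 'IsmServ', 'NtFrs', 'DNS'   # the list the article says to check after net start NTDS

function Test-NtdsMoveTarget {
    # Mirrors the article's warnings: the drive must exist, must be a fixed
    # (non-removable) disk and must be formatted NTFS.
    param([Parameter(Mandatory = $true)][string]$Path)

    $drive = Split-Path -Qualifier $Path                     # e.g. 'E:'
    $disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if (-not $disk)                  { throw "Drive $drive does not exist" }
    if ($disk.DriveType -ne 3)       { throw "Drive $drive is not a local fixed disk (DriveType=$($disk.DriveType))" }
    if ($disk.FileSystem -ne 'NTFS') { throw "Drive $drive is $($disk.FileSystem), not NTFS" }

    # Create the folder ourselves so the move never depends on ntdsutil creating it.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    return $true
}

function Get-NtdsPaths {
    # Locations recorded by the DSA: the same information 'info' shows inside ntdsutil.
    $p = Get-ItemProperty -Path $NtdsParams
    New-Object psobject -Property @{
        Database = $p.'DSA Database file'          # ...\ntds.dit
        LogPath  = $p.'Database log files path'
    }
}

function Move-NtdsDatabase {
    param([Parameter(Mandatory = $true)][string]$Target)

    Test-NtdsMoveTarget -Path $Target | Out-Null
    $before = Get-NtdsPaths

    # Stop AD DS; -Force also stops the dependent services that 'net stop ntds' asks you to confirm.
    Stop-Service -Name NTDS -Force
    try {
        # Same commands the article types interactively, passed as arguments so the
        # whole move is one non-interactive call (ntdsutil accepts commands this way).
        & ntdsutil.exe 'activate instance NTDS' 'files' "move db to $Target" "move logs to $Target" 'quit' 'quit'
    }
    finally {
        # Bring AD DS back even if the move failed, then the dependents the article lists.
        Start-Service -Name NTDS
        foreach ($svc in $DependentServices) {
            $s = Get-Service -Name $svc -ErrorAction SilentlyContinue    # DNS may not be installed
            if ($s -and $s.Status -ne 'Running') { Start-Service -Name $svc }
        }
    }

    # Verify the move: the registry must point at the new folder and ntds.dit must be there.
    $after  = Get-NtdsPaths
    $wanted = $Target.TrimEnd('\')
    $dbOk   = (Split-Path -Parent $after.Database).TrimEnd('\') -ieq $wanted
    $logOk  = $after.LogPath.TrimEnd('\') -ieq $wanted
    if (-not ($dbOk -and $logOk -and (Test-Path -LiteralPath $after.Database))) {
        throw "Move not confirmed. Before: $($before.Database) / $($before.LogPath); after: $($after.Database) / $($after.LogPath)"
    }

    # Remember: take a fresh System State backup now, as the article says; the old one
    # describes the old paths.
    $after
}

# Usage (the article's example target):
#   Move-NtdsDatabase -Target 'E:\ADDB'
#   Get-Service -Name NTDS, Kdc, IsmServ, NtFrs, DNS | Format-Table Name, Status
```

Get-WmiObject is used rather than Get-Volume so the same script runs on the PowerShell 2.0 that ships with Windows Server 2008 R2. The verification reads the two registry values that ntdsutil's info command reports, so a move that silently failed (for example because the folder was on a removable disk) is caught before AD DS is trusted again; the System State backup the article calls for can then be taken with, for example, wbadmin start systemstatebackup -backupTarget:<drive>.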

Author: Krzysztof Pytko

Authoritative SYSVOL restore (FRS)

 

In my previous article, “Non-authoritative SYSVOL restore (FRS)”, I showed you how to do a non-authoritative restore of SYSVOL.

What if you have a bigger mess with SYSVOL on your Domain Controllers?
What if most of the DCs do not replicate SYSVOL or its changes?

What can you do if you want to restore SYSVOL from a backup and use it as the replication source? Then you have another option: an authoritative SYSVOL restore.

Today, I will show you how to do that.

But first of all: what is the basic difference between a non-authoritative and an authoritative SYSVOL restore?

In the first case (non-authoritative) you only touch SYSVOL on one DC at a time. The rest of your Domain Controllers are running and sharing SYSVOL for users. Only this particular DC has SYSVOL disabled during the non-authoritative restore procedure.

The second case (authoritative) is much more visible to users. None of the Domain Controllers run and share SYSVOL, where Group Policies and logon scripts are located. When you decide to do an authoritative SYSVOL restore, you need to inform all administrators not to create or modify Group Policies during that time. All other domain services keep running, except access to SYSVOL. So this action should be performed outside business hours.

How do you start an authoritative SYSVOL restore? What do you need to do first?

You should identify which Domain Controller holds the PDC Emulator operations master role. As you know, one of its functions is to manage and maintain GPOs: when you create or modify an existing GPO, it is done directly on this Domain Controller.

If you need to restore SYSVOL from backup, that should also be done directly on the PDC Emulator operations master role holder, from which you will initiate the authoritative SYSVOL restore.

So, let's see how we can do that.

Log on to the PDC Emulator FSMO role holder. If you do not know which Domain Controller holds this role, run the following in a command prompt (elevated on newer systems) on any of your DCs

netdom query fsmo

Finding PDC Emulator role holder

and you'll see which DC holds this role.

Once you are logged on to this Domain Controller, you need to evaluate how many DCs are in your domain. The simplest way to check is to use the Microsoft DS tools on a DC. Type in the command line

dsquery server -name * -limit 0 | dsget server -dnsname | find /v "dnsname" | find /v "dsget" >c:\dcslist.txt

Collecting all Domain Controllers in a domain

After you run this command, you should find a text file named dcslist.txt on your DC's C: drive. Check its content; it lists all Domain Controllers in your domain

All Domain Controllers in a file

On all of those Domain Controllers you have to stop the File Replication Service before you can initiate the authoritative SYSVOL restore. Type in the command prompt

net stop ntfrs

Stopping File Replication Service

When you are sure that all Domain Controllers have stopped the FRS service, you can start the restore.

You need to run the registry editor on your PDC Emulator operations master role holder

Executing registry editor

and go to the BurFlags value location

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

BurFlags value location

To modify the BurFlags value, double-click it and enter D4 (hexadecimal) as the value

Setting BurFlags value

This sets the Domain Controller as the authoritative source for SYSVOL replication. All other DCs will pull SYSVOL content from this server.

Now you have to start the File Replication Service on the PDC Emulator role holder DC. Type in the command line

net start ntfrs

Running File Replication Service

Refresh (F5 key) the registry editor and you should see that the BurFlags value has been reset to 0

BurFlags value reset

Check the File Replication Service event log and search for event IDs

  • 13566
  • 13516

If both of them are present, then the authoritative restore is configured.

Now you need to log on to the rest of the Domain Controllers and set the BurFlags value to D2 to initialize a non-authoritative restore of SYSVOL from the specified server.

The BurFlags value should be changed in the same location as on the previous DC, but instead of D4 you have to specify D2.

The location of this value is

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

BurFlags value location

Double-click the value and set it to D2 (hexadecimal)

Changing BurFlags value

Before you start the FRS service, I would suggest deleting the content of these two folders

  • %WINDIR%\SYSVOL\domain\Policies
  • %WINDIR%\SYSVOL\domain\Scripts

Note! (These are the default paths; if you changed the SYSVOL location during DC promotion, you need to refer to your own location.)

Warning! When you set the D2 BurFlags value, you need to know that during the restoration time your DC is prevented from acting as a Domain Controller! So you need to be careful in locations/Sites where you have only a single DC or where clients would have to authenticate over a WAN link!

Now you need to start the File Replication Service and wait a while for SYSVOL replication.

After you start the FRS service, you should notice that the BurFlags entry has been reset to 0

BurFlags value reset

From time to time, refresh the File Replication Service event log and check for event ID 13516.

When you see this event ID, SYSVOL replication is finished and your Domain Controller is ready to share SYSVOL for users.

SYSVOL re-initialized

When you see event ID 13520, that means you did not remove the content of the Policies and Scripts folders. Do not worry; they were moved to another folder, which may be removed afterwards.

SYSVOL content moved

All you need to do to complete the authoritative SYSVOL restore is to log on to EVERY Domain Controller and perform the D2 BurFlags setup.

Information! Microsoft does not recommend doing more than 15 concurrent non-authoritative restores, to prevent performance issues. Remember that when you are doing an authoritative restore in bigger Active Directory environments!

And that's all! You have fixed your broken SYSVOL share.

Author: Krzysztof Pytko

Non-authoritative SYSVOL restore (FRS)

 

When you work in an Active Directory environment you may run into this problem, especially where you have many Domain Controllers. Sometimes you may find that one or more Domain Controllers are out of date with SYSVOL replication.

Each Domain Controller has its own folder where GPOs and scripts are saved. This folder is located under %WINDIR%\SYSVOL\domain (by default; if you changed that location during DC promotion, you need to refer to your own location).

There are 2 folders:

  • Policies, where Group Policies are saved (%WINDIR%\SYSVOL\domain\Policies)
  • Scripts, where logon scripts or other files are saved (%WINDIR%\SYSVOL\domain\Scripts, shared as NETLOGON)

If a DC does not replicate SYSVOL, you may see that some Group Policies (GPOs) or scripts are not available in the SYSVOL\domain folder on that particular DC. Another symptom may be that all GPOs are in place but they are not updated.

When you notice one of these behaviours, you need to do a non-authoritative SYSVOL restore, which re-deploys SYSVOL data from a working Domain Controller (the one holding the PDC Emulator operations master role).

How can you be sure that you need a non-authoritative SYSVOL restore? There is no simple answer, because it depends on the size of your Active Directory and the number of Domain Controllers.

When can you decide to start this kind of restore?

  • one DC out of a couple does not replicate SYSVOL
  • a few DCs out of many do not replicate SYSVOL
  • more than a few, but less than 50% of them, do not replicate SYSVOL

The above examples are typical scenarios for a non-authoritative SYSVOL restore.

Let's see how to do that.

First of all, you need to find out which DC or DCs do not replicate SYSVOL. Then you have to start the SYSVOL restore.

When you see an empty SYSVOL, this may suggest that Domain Controller initialization was not finished after the server was promoted: the Active Directory database was replicated but SYSVOL was not. In this case you can simply perform a non-authoritative restore and SYSVOL should be replicated.

Empty SYSVOL folder

Another case is when a DC is not up to date with SYSVOL. Some policies are missing and a non-authoritative SYSVOL restore would be helpful.

Missing Group Policies under SYSVOL

When you log on to the Domain Controller with the PDC Emulator operations master role, you should see that there are more policies than on those faulty Domain Controllers

All Group Policies on DC with PDC Emulator role

So you can see that those Domain Controllers need a SYSVOL restore to have all data up to date.

Now it's time to perform the non-authoritative SYSVOL restore. Log on to the DC that is out of sync with SYSVOL and stop the File Replication Service (NtFRS) from a command prompt (elevated on newer systems). Type

net stop ntfrs

Stopping File Replication Service

Now you need to change a setting in the Windows registry.

Warning! Be careful: do not change any entries other than those shown in this article, or you may destroy your server!

Open the registry editor from the Run box

Executing registry editor

Now you need to find the key below:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

BurFlags value location

and change the BurFlags value from 0 to D2 (hexadecimal) by editing it

Changing BurFlags value

Before you start the FRS service, I would suggest removing all content from these two folders

  • %WINDIR%\SYSVOL\domain\Policies
  • %WINDIR%\SYSVOL\domain\Scripts

Note! (These are the default paths; if you changed the SYSVOL location during DC promotion, you need to refer to your own location.)

Warning! When you set the D2 BurFlags value, you need to know that during the restoration time your DC is prevented from acting as a Domain Controller! So you need to be careful in locations/Sites where you have only a single DC or where clients would have to authenticate over a WAN link!

Now it's time to start the File Replication Service. Type in the command line

net start ntfrs

Running File Replication Service

When you refresh (F5 key) the registry editor, you should see that the BurFlags value has changed back to 0

BurFlags value reset

You should also check the “File Replication Service” event log. Check whether event ID 13565 has appeared; that means the server has initiated SYSVOL replication and you need to wait a while. Refresh the event log from time to time and check whether these event IDs have appeared:

  • 13553
  • 13516

When you can see them, SYSVOL replication is over and your Domain Controller is up to date.

SYSVOL re-initialized

Verify that the SYSVOL share is available on your Domain Controller; type in the command line

net share

SYSVOL share verification

Go to %WINDIR%\SYSVOL\domain\Policies and check whether the data has been replicated

SYSVOL content verification

That's all! All you need to do now is repeat these steps on each Domain Controller that does not replicate the SYSVOL volume.

Done!
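Both this article and the preceding one, “Authoritative SYSVOL restore (FRS)”, come down to the same mechanics on each DC: stop NtFrs, optionally empty Policies and Scripts, set BurFlags (D2 or D4), start NtFrs, confirm the flag dropped back to 0 and wait for the right events in the File Replication Service log. The PowerShell below is an added example that does exactly that for the local DC; it is not code from either article. The registry location, BurFlags values and event IDs are the articles'; the function and parameter names and the "move aside" folder under %TEMP% are my own assumptions.

```powershell
# Added example (not the articles' own code): one helper for both the
# non-authoritative (D2) and authoritative (D4) FRS SYSVOL restores described
# in this and the previous article. Run elevated on the DC being restored.
# The registry location, BurFlags values and event IDs are the articles';
# function and parameter names and the "move aside" folder are my own.

$BurFlagsSubKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$SysvolDomain   = Join-Path $env:WINDIR 'SYSVOL\domain'   # default; adjust if SYSVOL was relocated at promotion

function Get-BurFlags {
    # The '/' in "Backup/Restore" is a path separator to PowerShell's registry provider,
    # so the .NET Registry API (which takes the name literally) is used instead.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($BurFlagsSubKey)
    if (-not $key) { throw "Registry key not found: HKLM\$BurFlagsSubKey" }
    try { return [int]$key.GetValue('BurFlags', 0) } finally { $key.Close() }
}

function Set-BurFlags {
    param([Parameter(Mandatory = $true)][int]$Value)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($BurFlagsSubKey, $true)
    if (-not $key) { throw "Registry key not found: HKLM\$BurFlagsSubKey" }
    try { $key.SetValue('BurFlags', $Value, [Microsoft.Win32.RegistryValueKind]::DWord) } finally { $key.Close() }
}

function Start-SysvolRestore {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('Authoritative', 'NonAuthoritative')][string]$Mode,
        [switch]$ClearContent    # the articles' suggestion: empty Policies and Scripts before starting FRS
    )
    $flag = if ($Mode -eq 'Authoritative') { 0xD4 } else { 0xD2 }

    Stop-Service -Name NtFrs -Force
    $started = Get-Date

    if ($ClearContent) {
        # Move the content aside rather than delete it, so it can still be inspected.
        # (Left in place, FRS moves it itself and logs event 13520.)
        $aside = Join-Path $env:TEMP ('SysvolAside-{0:yyyyMMddHHmmss}' -f $started)
        foreach ($sub in 'Policies', 'Scripts') {
            $src = Join-Path $SysvolDomain $sub
            $dst = Join-Path $aside $sub
            if (Test-Path -LiteralPath $src) {
                New-Item -ItemType Directory -Path $dst -Force | Out-Null
                Get-ChildItem -LiteralPath $src -Force | Move-Item -Destination $dst -Force
            }
        }
    }

    Set-BurFlags -Value $flag
    Start-Service -Name NtFrs
    # FRS consumes the flag on startup; the articles have you confirm it went back to 0.
    $now = Get-BurFlags
    if ($now -ne 0) { Write-Warning ("BurFlags still 0x{0:X}; FRS did not pick it up" -f $now) }
    return $started
}

function Wait-SysvolRestore {
    # Polls the File Replication Service log until every expected event ID has been
    # logged since $Since. Authoritative DC: 13566 and 13516; D2 DCs: 13516 (13565 marks the start).
    param(
        [Parameter(Mandatory = $true)][datetime]$Since,
        [int[]]$EventId = @(13516),
        [int]$TimeoutMinutes = 60
    )
    $deadline = $Since.AddMinutes($TimeoutMinutes)
    do {
        $seen = @{}
        Get-EventLog -LogName 'File Replication Service' -After $Since -ErrorAction SilentlyContinue |
            Where-Object { $EventId -contains $_.EventID } |
            ForEach-Object { $seen[[int]$_.EventID] = $_.TimeGenerated }
        $missing = @($EventId | Where-Object { -not $seen.ContainsKey($_) })
        if ($missing.Count -eq 0) { return $seen }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "Still waiting for FRS event(s) $($missing -join ', ') after $TimeoutMinutes minutes"
}

# Usage, in the order the articles require:
#   non-authoritative restore of one lagging DC:
#     $t = Start-SysvolRestore -Mode NonAuthoritative -ClearContent
#     Wait-SysvolRestore -Since $t -EventId 13553, 13516
#   authoritative restore: stop NtFrs on every DC first, then on the PDC Emulator
#     $t = Start-SysvolRestore -Mode Authoritative
#     Wait-SysvolRestore -Since $t -EventId 13566, 13516
#   and only after that, on the other DCs (no more than 15 at a time):
#     $t = Start-SysvolRestore -Mode NonAuthoritative -ClearContent
#     Wait-SysvolRestore -Since $t -EventId 13516
```

Get-EventLog and the .NET registry classes are used because they exist on every version the articles cover, including Windows Server 2003 with PowerShell installed; the D2/D4 flow itself is unchanged from the articles, the script only removes the chance of typing the wrong hexadecimal value or forgetting to check the event log before putting the DC back into service.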


Author: Krzysztof Pytko

Advertising new time server in domain environment

 

I can see on various forums that people ask what happens when they transfer the PDC Emulator operations master role to another Domain Controller. This is a really important question, as the PDC Emulator is responsible for time management in a domain environment. If you do not advertise the new time server, you might notice time differences between your domain controllers and domain member servers.

This article shows the procedure on Windows Server 2012 R2, but it is also suitable for all earlier operating systems.

Every time you transfer the PDC Emulator role to another Domain Controller, you need to change the configuration on both servers:

  • on the previous PDC Emulator role holder
  • on the new PDC Emulator role holder

This advertises the new time server in your domain environment and prevents future issues. The most common scenario for transferring the PDC Emulator FSMO role to another DC is when you promote a new Domain Controller based on a newer operating system, i.e.:

  • promoting a new Windows Server 2008/2008 R2 DC in a Windows Server 2003/2008 DC environment
  • promoting a new Windows Server 2012/2012 R2 DC in a Windows Server 2003/2008/2008 R2/2012 environment

In this case you need to do the following:

Log on directly or over a Remote Desktop connection to the new PDC Emulator FSMO role holder and run an elevated command prompt

Running elevated command prompt

Now you need to configure the external time source from which you will synchronize time. This may be another device in your network (like a Cisco ACS server) or any reliable external NTP server. A list of reliable NTP servers can be found on the NTP Pool website.

In this example I will use the external NTP pool server for my region (Poland).

You need to use the IP address or DNS name of the NTP server during Domain Controller configuration, so if you want to use the IP address, the first step is to ping the DNS name and write down the IP address of the server

  • 95.158.95.123

This is the IP address resolved from pl.pool.ntp.org

Important! Before you start reconfiguring servers, please ensure that UDP port 123 is allowed on your router/firewall, because NTP uses this port to synchronize time!

Now, in the elevated command prompt, run this command

w32tm.exe /config /manualpeerlist:95.158.95.123 /syncfromflags:manual /reliable:yes /update

Configuring NTP source on new PDC Emulator FSMO role holder

or

w32tm.exe /config /manualpeerlist:pl.pool.ntp.org /syncfromflags:manual /reliable:yes /update

Configuring NTP source on new PDC Emulator FSMO role holder

where /manualpeerlist:IPAddress or /manualpeerlist:DNSServerName specifies the NTP server to use in your environment

and restart the Windows Time service

net stop w32time
net start w32time

Restarting Windows Time service

Now your new PDC Emulator FSMO role holder will synchronize time with the specified NTP time source.

The last step is to reconfigure the old PDC Emulator operations master role holder so that it no longer advertises itself as a time server and instead pulls time from the new PDC Emulator. To do that, log on directly or over a Remote Desktop connection to the server and type in a command prompt (2003) / elevated command prompt (all newer OSes)

w32tm.exe /config /syncfromflags:domhier /reliable:no /update

Reconfiguring old PDC Emulator FSMO role holder

and you also need to restart the Windows Time service to complete the whole operation

net stop w32time
net start w32time

Restarting Windows Time service

That’s all! You have reconfigured your environment and advertised new time server in a domain.
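The two w32tm commands above differ only by which server they run on, and the mistake this article is written to prevent is running the wrong one on the wrong DC. The PowerShell below is an added example, not code from the article: it looks up the current PDC Emulator, checks that the chosen NTP peer actually answers on UDP/123 (the firewall check the article asks for), applies the matching configuration and reports the resulting time source. The w32tm switches are exactly the article's; the function names, the SNTP probe and the default peer are my own choices.

```powershell
# Added example (not the article's own code): applies the article's two w32tm
# configurations to the local DC depending on whether it currently holds the
# PDC Emulator role, after checking that the NTP peer answers on UDP/123.
# Function names and the default peer (the article's pl.pool.ntp.org) are my
# own choices; the w32tm switches are exactly the article's.

function Get-PdcEmulator {
    # .NET equivalent of 'netdom query fsmo' for the PDC Emulator (FQDN); works on any domain member.
    [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
}

function Get-LocalFqdn {
    $cs = Get-WmiObject Win32_ComputerSystem
    "$($cs.DNSHostName).$($cs.Domain)"
}

function Test-NtpPeer {
    # Sends a minimal SNTP client request (LI=0, VN=3, Mode=3 in byte 0) and waits for
    # a 48-byte reply. A timeout usually means UDP/123 is blocked on the path, which is
    # the router/firewall check the article asks for before reconfiguring anything.
    param([Parameter(Mandatory = $true)][string]$Server, [int]$TimeoutMs = 3000)
    $packet = New-Object byte[] 48
    $packet[0] = 0x1B
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Server, 123)
        [void]$udp.Send($packet, $packet.Length)
        $from  = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$from)
        return ($reply.Length -ge 48)
    } catch {
        return $false
    } finally {
        $udp.Close()
    }
}

function Set-DomainTimeSource {
    # $PeerList: one NTP server by IP or DNS name (the probe above checks a single peer).
    param([string]$PeerList = 'pl.pool.ntp.org')

    $me    = Get-LocalFqdn
    $pdc   = Get-PdcEmulator
    $isPdc = ($me -ieq $pdc)

    if ($isPdc) {
        if (-not (Test-NtpPeer -Server $PeerList)) { throw "No NTP reply from $PeerList; check UDP/123 on the router/firewall" }
        # New PDC Emulator: sync from the external source and advertise itself as reliable.
        & w32tm.exe /config "/manualpeerlist:$PeerList" /syncfromflags:manual /reliable:yes /update
    } else {
        # Former PDC Emulator (or any other DC): follow the domain hierarchy, stop advertising.
        & w32tm.exe /config /syncfromflags:domhier /reliable:no /update
    }
    if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

    Restart-Service -Name w32time            # the article's net stop / net start
    & w32tm.exe /resync /nowait | Out-Null   # ask for an immediate sync instead of waiting for the next poll

    $role = if ($isPdc) { 'new PDC Emulator' } else { 'follows domain hierarchy' }
    New-Object psobject -Property @{
        Computer    = $me
        PdcEmulator = $pdc
        Role        = $role
        Source      = (& w32tm.exe /query /source)   # Windows Server 2008 and later; 2003 lacks /query
    }
}

# Usage: transfer the role first, then run this on the new PDC Emulator and afterwards
# on the old one (and any other DC you want to re-point):
#   Set-DomainTimeSource -PeerList '95.158.95.123'
```

On the old PDC Emulator the reported Source should change to the new PDC Emulator's name within a few poll intervals; on the new one it should be the peer you configured. If Source still reads "Local CMOS Clock" on the new PDC Emulator, the peer was reachable for the probe but Windows Time is not yet trusting it, and a second w32tm /resync after a minute or two usually settles it.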

Author: Krzysztof Pytko

How to re-register time services on a server

 

This time I would like to show you how you can simply fix an issue with the time service on your server. This method helps in 90% of cases with time issues.

Sometimes you may notice that a server's time is out of sync in your domain environment. The first method you should try is re-registering the time service on that server. If that fails, a much deeper investigation might be needed.

So, let's check how we can re-register the time service on a server.

Windows Server 2003

Log on to the server directly or over a Remote Desktop connection and run a command prompt by typing in the Run box

cmd.exe

Running command prompt

and stop the “Windows Time” service by entering

net stop w32time

Stopping Windows Time service

or stop the service from the GUI console

services.msc

Running “Services” console

Now search for the “Windows Time” service, which should be started

Searching “Windows Time” service

Double-click it and you'll see its details, such as:

  • service name (w32time)
  • display name (Windows Time)
  • description
  • path to executable file
  • startup type (Automatic by default)
  • service status (Started)

Service details

To stop the service, simply click the “Stop” button and wait a while

Stopping service

Service is stopping

You should see that the service is stopped

Service is stopped

Now you can start the time service re-registration procedure. The command you need is

w32tm.exe

It is responsible for time management in a domain or on a single server in a workgroup.

First of all, you have to unregister the time service by typing

w32tm.exe /unregister

Unregistering time service

and now register the service using the /register parameter

w32tm.exe /register

Registering time service

and the last, final step requires to start Windows Time service in command prompt

net start w32time
Starting Windows Time service

Starting Windows Time service

or you may do that using GUI console as well. Just click on “Start” button and wait a while for service startup

Starting Windows Time service from GUI console

Starting Windows Time service from GUI console

Service is starting

Service is starting

That’s all. Re-registration procedure has been done. From now, you should see that time is accurate on the server. It comes from your Domain Controller or from other NTP server (depends on network configuration).

If not then you’ll need to deeply investigate the case.

But this is not a part of this article. I’ll try to post another article on troubleshooting services.

Windows Server 2008/2008R2

The procedure for re-registering the Windows Time service is EXACTLY the same as for Windows Server 2003. The only difference is that you need to run the command prompt elevated, as administrator. The rest of the steps are the same.

Log on to the server directly or over a Remote Desktop connection and run an elevated command prompt from the “Start” menu. Go to “All Programs -> Accessories”, right-click “Command Prompt” and select “Run as administrator” from the context menu

Running elevated command prompt

and stop the “Windows Time” service by entering

net stop w32time
Stopping Windows Time service in command-line

or use the same GUI console for that as on Windows Server 2003

services.msc
Running services GUI console

and search for the “Windows Time” service on the list

Searching for Windows Time service on the list

Double click on it and you’ll see its details, like:

  • service name (w32time)
  • display name (Windows Time)
  • description
  • path to executable file
  • startup type (Manual by default) -> the startup type differs from Windows Server 2003
  • service status (Started)
Service details

To stop the service, simply click on the “Stop” button and wait a while

Stopping Windows Time service from GUI console

Service is stopping

After a while, you should see that the service is stopped

Service is stopped

Now you can start the re-registration procedure. The command you need is called

w32tm.exe

It is responsible for time management in a domain or on a single server in a workgroup.

First of all, you have to unregister the time service by typing

w32tm.exe /unregister
Unregistering time service

and now register the service using the /register parameter

w32tm.exe /register
Registering time service

and the last, final step is to start the Windows Time service from the command prompt

net start w32time
Starting Windows Time service from command prompt

or you may do that using the GUI console as well. Just click on the “Start” button and wait a while for the service to start

Starting Windows Time service from GUI console

Service is starting

That’s all. The re-registration procedure is done. From now on the time on the server should be accurate. It comes from your Domain Controller or from another NTP server (depending on your network configuration).

If not, then you’ll need to investigate the case more deeply.

But this is not a part of this article. I’ll try to post another article on troubleshooting the time service.

Windows Server 2012/2012R2

The procedure for re-registering the Windows Time service is EXACTLY the same as for Windows Server 2003 and Windows Server 2008/2008R2. As on Windows Server 2008/2008R2, the command prompt must be elevated (run as administrator); only the way you open it differs. The rest of the steps are the same.

Log on to the server directly or over a Remote Desktop connection and run an elevated command prompt from the “Start” tile. Move the mouse cursor to the bottom left corner and wait until the “Start” tile appears (Windows Server 2012), or use the Start button directly (Windows Server 2012 R2). Right-click it and select “Command Prompt (Admin)”

Running elevated command prompt

and stop the “Windows Time” service by entering

net stop w32time
Stopping Windows Time service from command prompt

or use the same GUI console for that as on Windows Server 2003/2008/2008R2

services.msc
Running services GUI console

and search for the “Windows Time” service on the list

Searching Windows Time service on the list

Double click on it and you’ll see its details, like:

  • service name (w32time)
  • display name (Windows Time)
  • description
  • path to executable file
  • startup type (Manual, Trigger Start by default) -> the startup type differs from Windows Server 2003/2008/2008R2
  • service status (Running)
Service details

To stop the service, simply click on the “Stop” button and wait a while

Stopping Windows Time service from GUI console

Service is stopping

After a while, you should see that the service is stopped

Service is stopped

Now you can start the re-registration procedure. The command you need is called

w32tm.exe

It is responsible for time management in a domain or on a single server in a workgroup.

First of all, you have to unregister the time service by typing

w32tm.exe /unregister
Unregistering Windows Time service

and now register the service using the /register parameter

w32tm.exe /register
Registering time service

and the last, final step is to start the Windows Time service from the command prompt

net start w32time
Starting Windows Time service from command prompt

or you may do that using the GUI console as well. Just click on the “Start” button and wait a while for the service to start

Starting service from GUI console

Service is starting

That’s all. The re-registration procedure is done. From now on the time on the server should be accurate. It comes from your Domain Controller or from another NTP server (depending on your network configuration).

If not, then you’ll need to investigate the case more deeply.

But this is not a part of this article. I’ll try to post another article on troubleshooting the time service.
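The whole re-registration procedure above, for Windows Server 2008/2008R2/2012, as one PowerShell script you can run from an elevated prompt instead of typing the commands one by one. This is an added example and not the article’s own commands: it first exports the W32Time registry key (w32tm /unregister wipes the configuration, including a manual peer list on a PDC Emulator), optionally puts a manual peer list back after re-registration, and finishes by measuring the offset against a reference machine and comparing it with the default 5-minute Kerberos tolerance. The peer name dc01.domain.local and the peer list value are placeholders for your environment; w32tm /query and /stripchart do not exist on Windows Server 2003, so the 2003 steps stay manual.

```powershell
# Added example, not part of the original article. Run in an elevated PowerShell prompt on
# Windows Server 2008/2008R2/2012 (w32tm /query and /stripchart are not available on 2003).
# 'dc01.domain.local' and the peer list parameter are placeholders for your own environment.
$ErrorActionPreference = 'Stop'

function Test-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Backup-W32TimeConfig {
    # w32tm /unregister deletes this whole key, so keep a copy before touching the service
    $path = Join-Path $env:TEMP ("w32time-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\W32Time' $path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    $path
}

function Reset-W32Time {
    param(
        # Only for a PDC Emulator or a stand-alone NTP client, e.g. 'ntp1.example.net,0x8 ntp2.example.net,0x8'.
        # Leave empty on an ordinary domain member so it syncs from the domain hierarchy again (NT5DS).
        [string]$ManualPeerList
    )
    if (-not (Test-Elevated)) { throw 'This must run from an elevated (Run as administrator) prompt.' }
    $backup = Backup-W32TimeConfig
    Write-Host "W32Time configuration backed up to $backup"

    Stop-Service -Name w32time -ErrorAction SilentlyContinue   # same as: net stop w32time
    & w32tm.exe /unregister | Out-Null                          # drops service registration AND its config
    & w32tm.exe /register   | Out-Null                          # recreates the service with default config
    if ($LASTEXITCODE -ne 0) { throw "w32tm /register failed with exit code $LASTEXITCODE" }
    Start-Service -Name w32time                                  # same as: net start w32time

    if ($ManualPeerList) {
        # Put the peer list back; this is exactly what /unregister threw away
        & w32tm.exe /config "/manualpeerlist:$ManualPeerList" /syncfromflags:manual /reliable:yes /update | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }
    }
    & w32tm.exe /resync /nowait | Out-Null
    Start-Sleep -Seconds 5
    & w32tm.exe /query /source     # prints the peer the server is now syncing from
}

function Get-TimeOffsetSeconds {
    # Average signed offset (seconds) between this host and $Peer, sampled with w32tm /stripchart
    param([Parameter(Mandatory=$true)][string]$Peer, [int]$Samples = 3)
    $lines   = & w32tm.exe /stripchart "/computer:$Peer" "/samples:$Samples" /dataonly
    $offsets = @()
    foreach ($line in $lines) {
        # data lines look like "12:34:56, +00.0123456s"; failed probes print "error:" instead
        if ($line -match ',\s*([+-]\d+\.\d+)s') { $offsets += [double]$Matches[1] }
    }
    if ($offsets.Count -eq 0) { throw "No samples from $Peer. Output: $($lines -join ' | ')" }
    ($offsets | Measure-Object -Average).Average
}

Reset-W32Time                      # add -ManualPeerList '...' on a PDC Emulator
$offset = Get-TimeOffsetSeconds -Peer 'dc01.domain.local'
$msg = 'Offset from dc01.domain.local is {0:N3} s' -f $offset
if ([Math]::Abs($offset) -gt 300) {
    Write-Warning "$msg, beyond the default 5-minute Kerberos tolerance; authentication will fail until this is fixed"
} else {
    Write-Host "$msg, within the Kerberos tolerance"
}
```

The registry export is the part people skip and regret: on a member server the defaults that /register restores are what you want anyway, but on the PDC Emulator the manual peer list, the /reliable flag and any Group Policy-free NTP settings live in that key and are gone after /unregister, so keep the .reg file until you have confirmed with w32tm /query /source that the server syncs from the right place.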

Author: Krzysztof Pytko

Windows Server 2008R2 in-place upgrade to Windows Server 2012/2012R2

 

The previous article showed that an in-place upgrade from Windows Server 2008 to Windows Server 2012 is possible only if the server has the Hyper-V role configured, and that it is not possible at all to Windows Server 2012 R2.

The situation looks much better when you plan an in-place upgrade of Windows Server 2008 R2 to Windows Server 2012/2012R2. This is supported, but it requires some attention from the administrator before the server is upgraded.

Below you can find some hints for that process.

First of all, you need to evaluate whether the software installed on your Windows Server 2008 R2 is compatible with and supported on Windows Server 2012/2012R2. When you find any incompatible software you need to either

  • upgrade it to a supported version before the OS upgrade (recommended action)
  • uninstall it from the server before the OS upgrade
  • leave it as it is, but remember that Windows Server may not function properly after the in-place upgrade

Important! Some applications may be compatible with Windows Server 2012/2012R2, but their version might not be sufficient to support all application features. You need to evaluate that too before the OS in-place upgrade.

Important! Take a full backup of the server, including System State, before you start; the rollback offered during setup is the only built-in way back, and it is no longer available once the upgrade has completed. If the server is a Domain Controller, also run adprep /forestprep and /domainprep from the Windows Server 2012/2012R2 media first: setup only runs adprep for you when you promote a new DC, not when you upgrade an existing one.

When all the appropriate steps have been taken, you are able to start the in-place upgrade. To do that, follow the procedure listed below
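A pre-upgrade readiness check covering the points above, as an added PowerShell example that is not part of the original article: it inventories installed software for the compatibility review, checks free space on the system drive, warns when the machine is a Domain Controller (adprep first), and detects a pending reboot that would make setup refuse to continue. It runs on the Windows Server 2008 R2 server itself with the PowerShell 2.0 that ships there. The 40 GB free-space threshold and the CSV path on the desktop are this example’s own assumptions, not figures from Microsoft’s requirements.

```powershell
# Added example, not part of the original article. Run in an elevated PowerShell (2.0 is enough)
# on the Windows Server 2008 R2 box before starting the 2012/2012R2 setup. The 40 GB free-space
# threshold and the CSV location are this example's assumptions.
function Get-InstalledSoftware {
    # Both 64-bit and 32-bit uninstall hives; this is the list to check against vendor support matrices
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique
}

function Test-UpgradeReadiness {
    param([int]$MinFreeGB = 40)
    $os       = Get-WmiObject -Class Win32_OperatingSystem
    $cs       = Get-WmiObject -Class Win32_ComputerSystem
    $sysDrive = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$($os.SystemDrive)'"
    $freeGB   = [Math]::Round($sysDrive.FreeSpace / 1GB, 1)
    $findings = @()

    if ($os.Version -notlike '6.1.*') {
        $findings += "OS version $($os.Version) is not Windows Server 2008 R2 (6.1); this checklist does not apply"
    }
    if ($freeGB -lt $MinFreeGB) {
        $findings += "Only $freeGB GB free on $($os.SystemDrive); setup needs room for Windows.old plus the new OS"
    }
    # DomainRole 4 = backup DC, 5 = primary DC: forest and domain must be prepared with adprep first
    if ($cs.DomainRole -ge 4) {
        $findings += 'This is a Domain Controller: run adprep /forestprep and /domainprep from the 2012/2012R2 media before setup'
    }
    # A pending reboot from Windows Update / CBS servicing makes setup refuse to continue
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    if ((Test-Path $cbs) -or (Test-Path $wu)) { $findings += 'Reboot pending; restart before starting setup' }

    New-Object PSObject -Property @{
        ComputerName       = $cs.Name
        OSVersion          = $os.Version
        ServicePack        = $os.ServicePackMajorVersion
        IsDomainController = ($cs.DomainRole -ge 4)
        FreeSpaceGB        = $freeGB
        SoftwareCount      = @(Get-InstalledSoftware).Count
        Findings           = $findings
    }
}

$report = Test-UpgradeReadiness
$report | Format-List
# Keep the inventory with the change record; it is the input for the compatibility review
Get-InstalledSoftware |
    Export-Csv -Path "$env:USERPROFILE\Desktop\$($report.ComputerName)-software.csv" -NoTypeInformation
```

An empty Findings list does not mean the upgrade is safe, only that the mechanical blockers are absent; the software inventory still has to be checked against each vendor’s support statement, which is the part no script can do for you.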

Start the Windows Server 2012/2012R2 setup wizard from the DVD media

Windows Server 2012 setup wizard

Windows Server 2012 R2 setup wizard

Wait for Windows to copy the necessary files to the server

Setup is copying necessary files

Setup is starting

When those files have been copied to the local hard drive, go online and let setup download the latest updates for the installation (recommended)

Note! An Internet connection is required for this step!

Updating Windows Server 2008 R2 before in-place upgrade

Wait for the update process to finish

Windows Server 2008 R2 on-line update

At this point you have to provide a valid Windows Server 2012/2012R2 product key to start the installation

Provide valid Windows Server 2012/2012R2 product key

Next you’ll see a screen where you need to choose the Windows Server 2012 edition to which you want to upgrade Windows Server 2008 R2

Select Windows Server 2012 edition to install

Accept the license terms and go to the next step

License terms

Now everything is ready to start the in-place upgrade. Click on “Upgrade: Install Windows and keep files, settings, and applications”

In-place upgrade initiation

Review the application compatibility report and, if there are no errors, continue the installation

Compatibility report

Compatibility report

The Windows Server upgrade will start

Windows Server 2012 upgrade progress

During the upgrade process, several actions will be executed, like:

  • collecting files
  • collecting settings
  • collecting applications
Windows Server 2012 upgrade progress

In the next step, Windows Server will install its own files

Windows Server 2012 upgrade progress

Your server will be restarted when all files have been extracted. During the restart you have a short time to decide whether you wish to continue the in-place upgrade or roll back to the previous Windows Server 2008 R2 OS

Windows Server 2012 upgrade progress

Windows Server 2012 then prepares and configures devices

Windows Server 2012 upgrade progress

Windows Server 2012 upgrade progress

The server will be restarted to finalize the settings

Windows Server 2012 upgrade progress

and finally, the logon screen will appear. That means the in-place upgrade process has finished. Log on and confirm that the roles and services you expect are running before you hand the server back to its users.

Windows Server 2012/2012R2 logon screen

That’s all!

<<< Previous part

Author: Krzysztof Pytko

Microsoft Technology Questions – Question 1

 

Finally, I found some time to start something new on my blog 🙂

This time, I’ve decided to start a series of Microsoft Technology Questions (MTQ). The form may be familiar to many of you who have taken an official Microsoft exam. That form is the only thing it has in common with official Microsoft exams. I will definitely NOT publish official questions from the real exams here, so those who are looking for exact questions from Microsoft exams will be disappointed!

I’ll try to publish one Microsoft technology related question per month, invented by me. The question will be prepared by me, based on my experience, and you won’t find it anywhere before it is published here 🙂 So, do not search the Internet for an answer 😉

After two weeks, I will update the post with an answer containing a detailed explanation. I would like to start sharing knowledge with you in this form.

I hope you will love this idea and that we will meet here regularly to learn something new! 🙂

Please feel free to discuss the idea and comment on the question. I would love to hear whether it is worth developing or not.

So, let’s start with the first question. The answer will be provided two weeks from now.

QUESTION

You are working in TESTENV company as Domain Administrator. There is a single forest, single domain environment.
All Domain Controllers are running on Windows Server 2003 R2 Enterprise x64 and they are physical machines.
FSMO roles are split. Both, forest and domain functional levels are set up to Windows Server 2003.

You need to promote two new Domain Controllers using the least administrative effort. One based on Windows Server 2008R2 and one based on Windows Server 2012.

How would you do that?
More than one answer is appropriate, choose the most suitable to the above requirements.

ANSWERS

A)
– Run adprep from Windows Server 2008R2 media
– Promote new Windows Server 2008R2 Domain Controller
– Run adprep from Windows Server 2012 media
– Promote new Windows Server 2012 Domain Controller
B)
– Run adprep from Windows Server 2012 media
– Promote Windows Server 2012 Domain Controller
– Run adprep from Windows Server 2008R2 media
– Promote Windows Server 2008R2 Domain Controller
C)
– Promote Windows Server 2012 Domain Controller
– Promote Windows Server 2008R2 Domain Controller
D)
– Run adprep from Windows Server 2008R2 media
– Promote Windows Server 2008R2 Domain Controller
– Decommission all Windows Server 2003R2 Domain Controllers
– Run adprep from Windows Server 2012 media
– Promote Windows Server 2012 Domain Controller
E)
– Run adprep from Windows Server 2008R2 media
– Promote Windows Server 2008R2 Domain Controller
– Promote Windows Server 2012 Domain Controller

Author: Krzysztof Pytko

Adding first Windows Server 2012 R2 Domain Controller within Windows 2003/2008/2008R2/2012 network

 

If you wish to do this, please be aware that nothing has changed since the previous (Windows Server 2012) release. That means all the steps for Windows Server 2012 are still valid for Windows Server 2012 R2.

I will not rewrite that article again; if you are interested, please read the article about Adding first Windows Server 2012 Domain Controller within Windows 2003/2008/2008R2 network on my blog.

I hope you will find it useful.

Author: Krzysztof Pytko

Fine-Grained Password Policy in Windows Server 2008/2008R2

 

Recently, I have seen that some administrators are afraid of using Fine-Grained Password Policy. It looks like the main reason is that they do not know how to set it up and how to manage it. I will try to show you some easy steps to understand it and implement it in your Active Directory environment.

First of all, if you wish to implement Fine-Grained Password Policy (FGPP) in your environment, your Domain Functional Level must be Windows Server 2008. That means all Domain Controllers in the domain must run at least Windows Server 2008; no earlier operating system may be used for DCs. Of course, the rest of the domain member servers may still run earlier OS versions.

For more details about Domain Functional Level, please read my article on this blog.

OK, so what is FGPP and why would we want to use it? As you remember, in Windows 2000 Server and Windows Server 2003 we could only use a single password policy, defined at the domain level over GPO. There was no way to have more than one domain password policy using group policies. When some department in our enterprise required a different password policy, we needed to decide whether to:

  • convince it to use the standard password policy 🙂
  • configure a child domain and migrate their objects
  • use 3rd party tools

For more details about the Default Domain Password policy, please check the article on my blog.

This situation did not change in Windows Server 2008: you can still configure only one domain password policy in GPO. However, Microsoft introduced a new feature to define additional password policies. Such a policy allows you to define separate password settings for a user or a group of users.

Important! A Fine-Grained Password Policy can only be applied to users and global security groups, not to a domain or an OU

When your DFL is at the appropriate level, you can start using the Fine-Grained Password Policy feature. What you need to know about this kind of Password Settings Object (PSO) before you set it up:

  • you can apply it only to a user or a global security group
  • you can set it up using ADSI Edit
  • you can set it up using the PowerShell module for Active Directory
  • you can verify which policy is in effect for a user with the dsget command (or Get-ADUserResultantPasswordPolicy in PowerShell)
  • you can use PowerShell to manage PSOs
  • only one password policy is ever effective for a user; settings from several PSOs are never merged

Using a Fine-Grained Password Policy, you override the default domain policy for a user or group of users. You may link as many FGPPs as you wish, but only one is applied. There are a few important rules for password policy precedence:

  • a PSO linked directly to the user always wins over PSOs the user gets through group membership, whatever their precedence values
  • when more than one PSO is linked directly to the user, the PSO with the lowest precedence value is applied
  • when no PSO is linked directly and the user is a member of several groups with PSOs, the PSO with the lowest precedence value is applied
  • when two candidate PSOs have the same precedence value, the one with the mathematically lowest objectGUID wins, so give every PSO a unique precedence to keep the outcome predictable

Now, when we know those things, we can start creating our first Fine-Grained Password Policy.

ADSI Edit

ADSI Edit allows you to create a PSO with a GUI. To start, run ADSI Edit from “Administrative Tools” or type in the Run box: adsiedit.msc

Running ADSIEdit console

When the console is open, you need to connect to the Default Naming Context, where those objects are stored. To do that, right-click the root “ADSI Edit” node in the console and choose “Connect to”

Connecting to Default Naming Context

Now, in the “Connection Settings” window, make sure that in the “Select a well known Naming Context” area you have chosen Default Naming Context

Connecting to Default Naming Context

When you are connected to that Naming Context, you need to navigate to the container where PSOs are created. The location of this container is

CN=Password Settings Container,CN=System,DC=domain,DC=local

Below you can see that container location in the ADSI Edit console

PSO container location

In this place you need to create a new object by right-clicking and selecting “New -> Object”

Creating new Fine-Grained Password Policy

Create the object class responsible for password settings, “msDS-PasswordSettings”. From now on, you are defining the new password policy. Follow the steps below to successfully finish the PSO creation process.

Selecting object class

At this step, you need to define the Fine-Grained Password Policy name. Choose one that will be easy for you to identify when you review the PSO list

Creating new PSO object

Now, you need to set the integer value of the precedence index. Remember, when PSOs are in conflict the password policy with the lowest precedence index is applied, so keep the values unique across your PSOs

Creating new PSO object

This time, you need to specify whether passwords are stored with reversible encryption. Reversible encryption is cleartext-equivalent: anyone who can read the directory database (a DC backup, a copied ntds.dit, a Domain Controller’s local administrator) can recover the actual passwords instead of hashes, which is a serious weakness for the environment. Leave it disabled unless a legacy application genuinely requires it, and if one does, scope such a PSO to the smallest possible set of accounts. For this setting you can only use one of the two boolean values:

  • true to enable reversible encryption
  • false to disable reversible encryption

Creating new PSO object

Define how many previous passwords are remembered, so that users cannot re-use them. This value is an integer number

Creating new PSO object

OK, at this point you need to define whether the user’s password must be complex. When you use the true value, the password must not contain the user’s account name or more than two consecutive characters of the user’s full name, and it must contain characters from at least 3 of these 5 categories:

  • small letters [a-z]
  • capital letters [A-Z]
  • digits [0-9]
  • special characters, for example [!@#$%^&*()]
  • other alphabetic Unicode characters that are neither upper- nor lowercase (letters from Asian scripts, for example)

If you do not want to force users to use complex passwords, put the false value in the form. In this example, we would like to use complex passwords

Creating new PSO object

The user’s password requires a minimum number of characters for it to be a strong password. You need to define the lowest number of characters a user can use to build the password. This value is an integer number

Creating new PSO object

A really important part of each password policy is the minimum password age. This defines how soon after the latest change a user may change his/her password again. If you set this to a very short time or disable it, a user can change the password several times in a row to flush the password history and then set the previous password again. The important thing to remember when setting up the PSO is that this setting is not an integer! The expected value is a duration, which defines a time in the format

d:hh:mm:ss

where

  • d means, how many days
  • hh means, how many hours
  • mm means, how many minutes
  • ss means, how many seconds

An example duration for a password which may be changed again after 3 days

3:00:00:00

Creating new PSO object

The next setting determines when the user is forced to change the current password. You need to set the time after which a password change is required. This value is in the same duration format as the previous one, as shown in the step above

Creating new PSO object

And now, another part of the password policy. You need to decide whether you wish to enable account lockout or not. It is good practice to enable an account lockout policy to slow down password guessing (brute force and password spraying) against your users’ accounts. Keep in mind that lockout cuts both ways: an attacker who knows the threshold can deliberately lock accounts out, which is a denial of service, so a very low threshold combined with a long lockout duration is rarely a good idea. Just define an integer value for the policy; after that number of failed logon attempts within the observation window the account is locked (0 means accounts are never locked out)

Creating new PSO object

Once you have defined after how many failed logon attempts a user account is locked, you can define 2 other policies related to the previous one. Lockout Observation Window defines for how long failed attempts are counted: every failed logon within the window adds to the bad password counter, and once the window has elapsed since the last failed attempt the counter is reset to zero and the user again has the full number of attempts. This means that a user who remembers the password after a few typos can simply wait for the window to pass and try again; if the threshold has already been reached, the account is locked and the Lockout Duration applies. If the user does not remember the password, he/she should request a password reset. For this setting you again use the duration format, as for the minimum and maximum password age.

Creating new PSO object

The second policy related to account lockout is Lockout Duration, which determines how long the account stays locked before it is automatically unlocked. After that time the user again has the full number of attempts to log on to the system. It must be greater than or equal to the Lockout Observation Window. As for the previous setting, it also uses the duration format to define the time

Creating new PSO object

That was the last setting in the PSO wizard. However, remember that when you close it by clicking on the “Finish” button you have only created the password policy; it is not yet applied to any group or user. If you wish to define that at this step, click on the “More Attributes” button and from the “Select a property to view” drop down box choose “msDS-PSOAppliesTo”

Creating new PSO object

Creating new PSO object

When you choose that attribute, you need to enter the distinguished name of the object to which you want to apply the policy. This requires you to know that DN and put it in the field in the format:

CN=Object Name,OU=OU Location,DC=domain,DC=local

and press the “Add” button to add the object to the password policy

Creating new PSO object

You can see all objects assigned to the PSO in the “Value(s)” list

Creating new PSO object

The step above in the PSO wizard requires you to know the object’s DN. What if you do not know it, or the DN is really long? You may simply finish the wizard without defining a value for the msDS-PSOAppliesTo attribute. This may be done later in a shorter and more convenient way. Just take a look at the steps below.

When you finish the wizard, you will see the new password policy in the selected container. Just edit it by double-clicking it in the ADSI Edit window.

Edit existing PSO

In the “Attribute Editor” list search for the msDS-PSOAppliesTo attribute and click the “Edit” button

Edit existing PSO

Now, you have 2 options for assigning object(s). The classic window for the distinguished name of an object

Edit existing PSO

Edit existing PSO

or the more familiar option to search for an object in AD

Edit existing PSO

Edit existing PSO

OK, when we have created a granular password policy and applied it to some object, how do we see whether the user is really getting that policy? You can use the dsget command for that, or a combination of dsquery and dsget. Let’s see how to check whether a PSO is applied to the user named iSiek

dsquery user -samid iSiek | dsget user -effectivepso

After running this query, you will see which PSO is in effect. If the result is empty, then you can be sure that the user has no Fine-Grained Password Policy assigned and he/she uses the default domain password policy

Effective password policy applied to the user

This is working fine as you can see! If you really need different password policies in your environment, I really encourage you to use Fine-Grained Password policy feature as it is really great feature!

PowerShell module for Active Directory

As we already know something about Fine-Grained Password Policy requirements, we can now check how to simply create and apply a PSO to an object with PowerShell. For that we need the PowerShell module for Active Directory. To load it, run in a PowerShell window

Import-Module ActiveDirectory

PowerShell – importing AD module

and wait for the cmdlets to be imported. Now you can use the PSO management cmdlets; let’s see their names. Type in the PS window

Get-Help *-ADFine*

Getting cmdlets for Fine-Grained Password Policy

To create a new granular password policy we use the New-ADFineGrainedPasswordPolicy cmdlet. We define all the values we are interested in, as we did using ADSI Edit. When you skip a value, the default for that setting is used.

Let’s see how to create another PSO with the same values as in the previous example, but with the PowerShell cmdlet

New-ADFineGrainedPasswordPolicy -Name it-security-PSO-02 `
-DisplayName it-security-PSO-02 `
-Precedence 200 `
-ComplexityEnabled $true `
-ReversibleEncryptionEnabled $false `
-PasswordHistoryCount 10 `
-MinPasswordLength 8 `
-MinPasswordAge 3.00:00:00 `
-MaxPasswordAge 30.00:00:00 `
-LockoutThreshold 3 `
-LockoutObservationWindow 0.00:25:00 `
-LockoutDuration 0.00:30:00

PowerShell – PSO creation

PSO list

As you can see, PowerShell created the new PSO but it is not assigned to any object. We need another cmdlet to accomplish that: Add-ADFineGrainedPasswordPolicySubject

This time, I will assign the granular password policy to the user directly.

Add-ADFineGrainedPasswordPolicySubject -Identity it-security-PSO-02 -Subjects iSiek

Assigning PSO to an object

Now, it’s time to verify the PSO. Get-ADFineGrainedPasswordPolicy shows the policy’s settings together with the objects it applies to (the AppliesTo property)

Get-ADFineGrainedPasswordPolicy -Filter { name -like 'it-security-PSO-02' }

PSO applies to

Note that this only tells you which objects the PSO is linked to. To see which policy actually wins for a given user, after precedence and the user-over-group rule have been applied, use the Get-ADUserResultantPasswordPolicy cmdlet, the PowerShell counterpart of dsget user -effectivepso.

And that’s all about configuring and setting up Fine-Grained Password Policy objects. You may also check the rest of the cmdlets to modify and remove PSO objects.
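The PowerShell part above creates and links one PSO; what it does not show is checking who actually ends up under it, or finding the PSOs in a domain that undo the point of having one. The following is an added example, not the article’s own code, using the same ActiveDirectory module: it creates a PSO for privileged accounts (idempotently) and links it to a global security group, lists the resultant policy of every nested member with Get-ADUserResultantPasswordPolicy, and audits every PSO in the domain for reversible encryption, disabled complexity or lockout, a lockout duration shorter than its observation window, dead links and shared precedence values. The PSO name it-security-PSO-03, the group IT-Security-Admins and the settings chosen for it are placeholders.

```powershell
# Added example, not part of the original article. Needs the ActiveDirectory module
# (Windows Server 2008 R2 or later). PSO name, group name and policy values are placeholders.
Import-Module ActiveDirectory

function New-LinkedPso {
    # Create a PSO for privileged accounts (idempotent) and link it to a global security group
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][int]$Precedence,
        [Parameter(Mandatory=$true)][string]$Group
    )
    $pso = Get-ADFineGrainedPasswordPolicy -Filter "name -eq '$Name'"
    if (-not $pso) {
        $pso = New-ADFineGrainedPasswordPolicy -Name $Name -DisplayName $Name -Precedence $Precedence `
            -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
            -MinPasswordLength 14 -PasswordHistoryCount 24 `
            -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
            -LockoutThreshold 10 -LockoutObservationWindow '0.00:15:00' -LockoutDuration '0.00:15:00' `
            -PassThru
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $Group
    $pso
}

function Get-ResultantPsoForGroup {
    # What each (nested) member of the group really gets: a PSO linked directly to the user, or a
    # lower-precedence group PSO, silently wins over the one you just linked
    param([Parameter(Mandatory=$true)][string]$Group)
    $default = Get-ADDefaultDomainPasswordPolicy
    $members = Get-ADGroupMember -Identity $Group -Recursive | Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $rp = Get-ADUserResultantPasswordPolicy -Identity $m.SamAccountName   # $null = no PSO applies
        $effective = if ($rp) { $rp } else { $default }
        $label     = if ($rp) { $rp.Name } else { '(Default Domain Policy)' }
        New-Object PSObject -Property @{
            User             = $m.SamAccountName
            EffectivePolicy  = $label
            MinLength        = $effective.MinPasswordLength
            LockoutThreshold = $effective.LockoutThreshold
        }
    }
}

function Get-PsoAudit {
    # Flag weak or ambiguous PSOs across the whole domain
    $all = @(Get-ADFineGrainedPasswordPolicy -Filter *)
    $sharedPrecedence = $all | Group-Object -Property Precedence |
        Where-Object { $_.Count -gt 1 } | ForEach-Object { [int]$_.Name }
    foreach ($p in $all) {
        $issues = @()
        if ($p.ReversibleEncryptionEnabled) { $issues += 'reversible encryption on (cleartext-equivalent storage)' }
        if (-not $p.ComplexityEnabled)      { $issues += 'complexity disabled' }
        if ($p.MinPasswordLength -lt 8)     { $issues += "minimum length only $($p.MinPasswordLength)" }
        if ($p.LockoutThreshold -eq 0)      { $issues += 'account lockout disabled' }
        if ($p.LockoutDuration -lt $p.LockoutObservationWindow) { $issues += 'lockout duration shorter than observation window' }
        if ($p.AppliesTo.Count -eq 0)       { $issues += 'linked to nothing (dead policy)' }
        if ($sharedPrecedence -contains $p.Precedence) { $issues += 'precedence shared with another PSO (tie broken by objectGUID)' }
        New-Object PSObject -Property @{
            PSO        = $p.Name
            Precedence = $p.Precedence
            AppliesTo  = ($p.AppliesTo -join '; ')
            Issues     = ($issues -join '; ')
        }
    }
}

New-LinkedPso -Name 'it-security-PSO-03' -Precedence 50 -Group 'IT-Security-Admins' | Out-Null
Get-ResultantPsoForGroup -Group 'IT-Security-Admins' |
    Format-Table User, EffectivePolicy, MinLength, LockoutThreshold -AutoSize
Get-PsoAudit | Format-Table PSO, Precedence, AppliesTo, Issues -AutoSize
```

Run Get-PsoAudit before you add anything: a forgotten PSO with a lower precedence on a broad group, or one linked directly to an admin account years ago, is the usual reason a new policy appears to have no effect, and the resultant-policy listing is the only reliable way to prove what a given account is held to.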

Author: Krzysztof Pytko

Windows Management Framework 3.0 for Windows Server 2008/2008R2

 

Microsoft has released Windows Management Framework 3.0 for Windows Server 2008/2008R2. You can download it from http://www.microsoft.com/en-us/download/details.aspx?id=34595

This allows you to use Windows Remote Management (WinRM), WMI and PowerShell in version 3.0 on Windows Server 2008/2008R2

To be able to install that package, you need to install Microsoft .NET Framework 4 first. Its package is available at http://www.microsoft.com/en-us/download/details.aspx?id=17718

Windows Management Framework 3.0 allows you to use PowerShell version 3 and to manage the server over WinRM from the new Server Manager on Windows Server 2012 (which requires WinRM 3.0)

When you have downloaded the required packages and installed them on the server, you need to enable remote management. To do that, run in the command line

winrm qc

or

winrm quickconfig

Windows Remote Management configuration

and confirm that you want to enable remote management. quickconfig starts the WinRM service and sets it to start automatically, creates an HTTP listener on TCP port 5985 and enables the matching Windows Firewall exception.

Windows Remote Management configuration

After that, make sure the Windows Firewall inbound rules that Server Manager relies on are enabled: the WinRM rule that quickconfig creates, plus the COM+ Network Access, Remote Event Log Management and Remote Service Management rules that Server Manager uses to populate its views. Enable those specific rules; do not disable the whole firewall profile just to make Server Manager in Windows Server 2012 or RSAT in Windows 8 happy. Inside a domain, WinRM over HTTP is still protected, because the Kerberos/Negotiate session encrypts the message bodies; outside a domain you should add an HTTPS listener instead of relying on that.

Now you are able to add those Windows Server 2008/2008R2 machines to Server Manager and manage them. However, there is one limitation for this kind of management: you cannot install roles/features remotely on Windows Server 2008/2008R2 machines.
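Before adding the servers, it is worth confirming from the management machine that each one really answers with WinRM 3.0 and accepts an authenticated session; a 2008 R2 box that still runs WinRM 2.0 (WMF 3.0 not installed, or installed without .NET Framework 4 first) just shows up with errors in Server Manager. The following is an added PowerShell example, not part of the original article, to run on the Windows Server 2012 (or Windows 8 RSAT) machine; the computer names are placeholders.

```powershell
# Added example, not part of the original article. Run on the Windows Server 2012 / Windows 8 RSAT
# machine that will manage the servers. The computer names are placeholders.
function Test-WinRm3 {
    # Server Manager 2012 needs WinRM 3.0 on the managed server; Test-WSMan reports the stack version
    param([Parameter(Mandatory=$true)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $r = New-Object PSObject -Property @{
            Computer = $c; Reachable = $false; WinRMStack = $null; PSVersion = $null; Note = ''
        }
        try {
            # Unauthenticated Identify request to http://$c:5985/wsman: proves the listener and the firewall rule
            $id = Test-WSMan -ComputerName $c -ErrorAction Stop
            $r.Reachable = $true
            if ($id.ProductVersion -match 'Stack:\s*([\d.]+)') { $r.WinRMStack = $Matches[1] }
            # Authenticated (Kerberos) session: proves name resolution, SPN and your rights on the box
            $r.PSVersion = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
                $PSVersionTable.PSVersion.ToString()
            }
            if ($r.WinRMStack -and ([version]$r.WinRMStack -lt [version]'3.0')) {
                $r.Note = 'WinRM 2.0: install .NET Framework 4 and then WMF 3.0 on this server'
            }
        } catch {
            # typically: no listener (winrm quickconfig not run), port 5985 filtered, or a Kerberos name mismatch
            $r.Note = $_.Exception.Message
        }
        $r
    }
}

Test-WinRm3 -ComputerName 'srv2008r2-01', 'srv2008-02' |
    Format-Table Computer, Reachable, WinRMStack, PSVersion, Note -AutoSize
```

A server that is Reachable but whose Invoke-Command fails is the interesting case: the listener is there, so the problem is authentication or authorization (you are not in the server’s Administrators or Remote Management Users group, or the name you used does not match a Kerberos SPN), not the WMF installation.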

Open Server Manager in Windows Server 2012 or RSAT in Windows 8, select “All Servers” on the left side, click the right mouse button and choose “Add Servers”

Adding Windows Server 2008/2008R2 into Server Manager for remote management

You will see new window where you can select a server to add. You can add servers by one of these criteria:

  • using Active Directory computer object

You can search AD for computers using their

  1. name
  2. OS type
  3. or just display them all and choose from the list

Adding server(s) to Server Manager

  • using existing DNS record
  1. host (A) record – machine name (forward lookup zone)
  2. pointer (PTR) record – machine IP address (reverse lookup zone)

Adding server(s) to Server Manager

  • using text file for import

Adding server(s) to Server Manager

Using one of the above methods, add the server to Server Manager (select the server from the list and click the arrow to add it)

Adding server(s) to Server Manager

and as you can see, the server is available on the list (ready to manage)

Windows Server 2008/2008R2 in new Server Manager

From now on, you can manage the server(s). Select it on the list, click the right mouse button and you will see all available management options (except roles/features installation)

Remote server management

Author: Krzysztof Pytko