Non-authoritative SYSVOL restore (FRS)

 

When you work in an Active Directory environment you may run into this problem, especially when you have many Domain Controllers. Sometimes you may find that one or more Domain Controllers are out of date with SYSVOL replication.

Each Domain Controller has its own folder where GPOs and scripts are saved. By default this folder is located under %WINDIR%\SYSVOL\domain (if you changed that location during DC promotion, refer to your own location).

There are 2 folders:

  • Policies, where Group Policies are saved (%WINDIR%\SYSVOL\domain\Policies)
  • Scripts, where logon scripts or other files are saved (%WINDIR%\SYSVOL\domain\Scripts, shared as NETLOGON)

If a DC does not replicate SYSVOL, you may see that some Group Policies (GPOs) or scripts are not available in the SYSVOL\domain folder on that particular DC. Another symptom may be that all GPOs are in place but they are not updated.

When you notice one of these behaviors, you need to do a non-authoritative SYSVOL restore, which re-deploys SYSVOL data from a working Domain Controller (the one holding the PDC Emulator operations master role).

How can you be sure that you need a non-authoritative SYSVOL restore? There is no simple answer, because it depends on the size of your Active Directory and the number of Domain Controllers.

When can we decide to start this kind of restore?

  • one DC out of a couple does not replicate SYSVOL
  • a few DCs out of many do not replicate SYSVOL
  • more than a few, but fewer than 50% of them, do not replicate SYSVOL

The examples above are typical scenarios for a non-authoritative SYSVOL restore.

Let’s see how to do that.

First of all, you need to find out which DC or DCs do not replicate SYSVOL. Then you have to start the SYSVOL restore.

When you see an empty SYSVOL, this may suggest that Domain Controller initialization was not finished after the server was promoted: the Active Directory database was replicated but SYSVOL was not. In this case, you can simply perform a non-authoritative restore and SYSVOL should be replicated.

Empty SYSVOL folder

Another case is when a DC is not up to date with SYSVOL. Some policies are missing, and a non-authoritative SYSVOL restore would be helpful.

Missing Group Policies under SYSVOL

When you log on to the Domain Controller with the PDC Emulator operations master role, you should see that there are more policies there than on the faulty Domain Controllers.

All Group Policies on DC with PDC Emulator role

So, you can see that those Domain Controllers need a SYSVOL restore to bring all data up to date.

Now, it’s time to play with the non-authoritative SYSVOL restore. Log on to the DC which is out of SYSVOL replication and stop the File Replication Service (NtFrs) from an elevated command line. Type

net stop ntfrs

Stopping File Replication Service

Now, you need to change a setting in the Windows registry.

Warning! Be careful, do not change other entries than those shown in this article, or you may destroy your server!

You need to open the registry editor from the run box

Executing registry editor

Now, you need to find the key below:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

BurFlags value location

and change the BurFlags value from 0 to D2 (hexadecimal) by editing it

Changing BurFlags value

Before you start the FRS service, I would suggest removing all content from these 2 folders

  • %WINDIR%\SYSVOL\domain\Policies
  • %WINDIR%\SYSVOL\domain\Scripts

Note! These are the default locations; if you changed the SYSVOL location during DC promotion, refer to your own location.

Warning! When you set the D2 BurFlags value, you need to know that during the restoration time your DC is prevented from acting as a Domain Controller! So, be careful in locations/Sites where you have only a single DC or where authentication would then go over a WAN link!

Now, it’s time to start the File Replication Service. Type in the command line

net start ntfrs

Running File Replication Service

When you refresh (F5 key) the registry editor, you should see that the BurFlags value has changed back to 0

BurFlags value reset

and you should also check the “File Replication Service” event log. Check whether event ID 13565 appeared. That means the server has initiated SYSVOL replication and you need to wait a while. Refresh the event log from time to time and check whether these event IDs appeared:

  • 13553
  • 13516

When you can see them, SYSVOL replication is over and your Domain Controller is up to date.
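The whole sequence above (stop NtFrs, set BurFlags to D2, clear the two folders, start NtFrs, wait for 13565/13553/13516) as an added PowerShell example; this is not the article's own code. It assumes the default SYSVOL path and an elevated session on the affected DC, and adds one safety check the article does not have: it refuses to run on the PDC Emulator, which is the DC the others re-seed from.

```powershell
# Added example: non-authoritative (BurFlags = D2) FRS SYSVOL restore with
# event-log confirmation. Run elevated on the DC that is out of replication.
function Invoke-NonAuthoritativeSysvolRestore {
    [CmdletBinding()]
    param(
        # Default SYSVOL location; override if SYSVOL was relocated at promotion.
        [string] $SysvolDomainPath = (Join-Path $env:windir 'SYSVOL\domain'),
        [int]    $TimeoutMinutes   = 30
    )

    # Safety check (added here, not in the article): never D2 the PDC Emulator.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $me     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if ($domain.PdcRoleOwner.Name -ieq $me) {
        throw "This DC ($me) holds the PDC Emulator role; it is the source, not a restore target."
    }

    $started = Get-Date

    # Step 1: net stop ntfrs
    Stop-Service -Name NtFrs -Force

    # Step 2: BurFlags = 0xD2. The key name contains a forward slash
    # ("Backup/Restore"), which the HKLM: provider treats as a path separator,
    # so the .NET registry API is used instead of Set-ItemProperty.
    $subKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
    if (-not $key) { throw "Registry key HKLM\$subKey not found; is FRS installed?" }
    $key.SetValue('BurFlags', 0xD2, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()

    # Step 3: empty Policies and Scripts so no stale data survives re-seeding.
    foreach ($folder in 'Policies', 'Scripts') {
        $path = Join-Path $SysvolDomainPath $folder
        if (Test-Path $path) {
            Get-ChildItem -Path $path -Force | Remove-Item -Recurse -Force
        }
    }

    # Step 4: net start ntfrs. FRS reads BurFlags, resets it to 0 and re-seeds.
    Start-Service -Name NtFrs

    # Step 5: wait for 13565 (restore initiated), then 13553 and 13516 (done).
    $wanted   = @{ 13565 = $false; 13553 = $false; 13516 = $false }
    $deadline = $started.AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline -and ($wanted.Values -contains $false)) {
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = 'File Replication Service'
            Id        = 13565, 13553, 13516
            StartTime = $started
        } -ErrorAction SilentlyContinue
        foreach ($e in $events) { $wanted[$e.Id] = $true }
        Start-Sleep -Seconds 30
    }

    # Step 6: confirm BurFlags went back to 0 and SYSVOL/NETLOGON are shared.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey)
    $burFlags = $key.GetValue('BurFlags'); $key.Close()
    $shares   = @((net share) -match '^(SYSVOL|NETLOGON)\s')
    $policies = @(Get-ChildItem (Join-Path $SysvolDomainPath 'Policies') -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSIsContainer })

    New-Object PSObject -Property @{
        Computer        = $me
        BurFlagsNow     = ('0x{0:X}' -f $burFlags)
        Event13565      = $wanted[13565]
        Event13553      = $wanted[13553]
        Event13516      = $wanted[13516]
        SharesPublished = ($shares.Count -eq 2)
        PoliciesCount   = $policies.Count
    }
}

Invoke-NonAuthoritativeSysvolRestore | Format-List
```

A result with all three events true, BurFlagsNow 0x0, SharesPublished true and a PoliciesCount matching the PDC Emulator is the same outcome the screenshots above show.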

SYSVOL re-initialized

Verify that the SYSVOL share is available on your Domain Controller; type in the command line

net share

SYSVOL share verification

go to %WINDIR%\SYSVOL\domain\Policies and check whether the data is replicated

SYSVOL content verification

That’s all! All you need to do is repeat these steps on each Domain Controller that does not replicate SYSVOL.

Done!

Author: Krzysztof Pytko

Advertising new time server in domain environment

 

I can see on different forums that people are asking what happens when they transfer the PDC Emulator Operations Master role to another Domain Controller. This is a really important question, as the PDC Emulator is responsible for time management in a domain environment. When you do not advertise the new time server you might notice time differences between your domain controllers and domain member servers.

This article shows the procedure on Windows Server 2012 R2, but it is also suitable for all earlier operating systems.

Every time you transfer the PDC Emulator role to another Domain Controller, you need to change the configuration on both servers:

  • on previous PDC Emulator role holder
  • on the new PDC Emulator role holder

this will advertise the new time server in your domain environment and prevent future issues. The most common scenario for transferring the PDC Emulator FSMO role to another DC is when you are promoting a new Domain Controller based on a newer operating system, i.e.:

  • promoting new Windows Server 2008/2008R2 DC in Windows Server 2003/2008 DC environment
  • promoting new Windows Server 2012/2012R2 DC in Windows Server 2003/2008/2008R2/2012 environment

in this particular case you need to do the following:

Log on directly or over a Remote Desktop connection to the new PDC Emulator FSMO role holder and run an elevated command prompt

Running elevated command prompt

Now, you need to configure the external time source from which you will synchronize time. This may be another device in your network (like a Cisco ACS server) or any reliable external NTP server. A list of reliable NTP servers can be found on the NTP Pool website.

In this example I will use the external NTP pool server for my region (Poland)

You need to use the IP address or DNS name of the NTP server during Domain Controller configuration, so if you want to use the IP address, the first step is to ping the DNS name and write down the IP address of the server

  • 95.158.95.123

this is the IP address resolved from pl.pool.ntp.org

Important! Before you start reconfiguring servers, ensure that UDP port 123 is allowed on your router/firewall, because NTP uses this port to synchronize time!

Now, in the elevated command line you need to run this command

w32tm.exe /config /manualpeerlist:95.158.95.123 /syncfromflags:manual /reliable:yes /update

Configuring NTP source on new PDC Emulator FSMO role holder

or

w32tm.exe /config /manualpeerlist:pl.pool.ntp.org /syncfromflags:manual /reliable:yes /update

Configuring NTP source on new PDC Emulator FSMO role holder

where /manualpeerlist:IPAddress or /manualpeerlist:DNSServerName is the NTP server to use in your environment

and restart the Windows Time service

net stop w32time
net start w32time

Restarting Windows Time service

Now, your new PDC Emulator FSMO role holder will synchronize time with the specified NTP time source.

The last step is to reconfigure the old PDC Emulator Operations Master role holder so that it no longer advertises itself as a time server and pulls time from the new PDC Emulator. To do that, log on directly or over a Remote Desktop connection to the server and type in the command prompt (2003) / elevated command prompt (all newer OSes)

w32tm.exe /config /syncfromflags:domhier /reliable:no /update

Reconfiguring old PDC Emulator FSMO role holder

and you also need to restart the Windows Time service to complete the whole operation

net stop w32time
net start w32time

Restarting Windows Time service

That’s all! You have reconfigured your environment and advertised new time server in a domain.
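The two-sided reconfiguration above, as an added PowerShell example (not the article's own code): it detects whether the local DC is the new PDC Emulator and applies the matching w32tm settings, checks that the peer actually answers on UDP/123 before committing, and reports the source the service ends up with. The peer list and the use of /query (Windows Server 2008 and newer) are assumptions.

```powershell
# Added example: apply the correct w32tm configuration on either side of a
# PDC Emulator transfer. Run elevated on the new PDC and then on the old one.
function Set-DomainTimeSourceAfterPdcTransfer {
    [CmdletBinding()]
    param(
        # Space-separated NTP peers for the new PDC Emulator (sample value).
        [string] $ManualPeerList = 'pl.pool.ntp.org'
    )

    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $me     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $isPdc  = ($domain.PdcRoleOwner.Name -ieq $me)

    if ($isPdc) {
        # Practitioner check (added): confirm UDP/123 to each peer works before
        # committing. "/stripchart /dataonly" prints one "hh:mm:ss, +00.001s"
        # line per successful sample; no such line means no NTP reply.
        foreach ($peer in $ManualPeerList.Split(' ')) {
            $samples = & w32tm.exe /stripchart /computer:$peer /samples:2 /dataonly
            if (-not ($samples -match '^\d{2}:\d{2}:\d{2}, [+-]')) {
                throw "No NTP reply from $peer; check name resolution and UDP/123 on the firewall."
            }
        }
        # New PDC Emulator: sync from the external source, advertise as reliable.
        & w32tm.exe /config /manualpeerlist:"$ManualPeerList" /syncfromflags:manual /reliable:yes /update
        $roleApplied = 'new PDC Emulator: manual peers, reliable:yes'
    }
    else {
        # Former PDC Emulator (or any other DC): follow the domain hierarchy and
        # stop announcing itself as a reliable time source.
        & w32tm.exe /config /syncfromflags:domhier /reliable:no /update
        $roleApplied = 'non-PDC: domhier, reliable:no'
    }
    if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

    # net stop w32time / net start w32time
    Restart-Service -Name w32time -Force

    # Verification: what the service now reports as its source and peers.
    New-Object PSObject -Property @{
        Computer    = $me
        PdcEmulator = $domain.PdcRoleOwner.Name
        RoleApplied = $roleApplied
        TimeSource  = (& w32tm.exe /query /source)
        Peers       = (& w32tm.exe /query /configuration | Select-String 'NtpServer|Type:|AnnounceFlags')
    }
}

Set-DomainTimeSourceAfterPdcTransfer | Format-List
```

On the old PDC Emulator, TimeSource should name the new PDC Emulator after the restart; on the new one it should name one of the manual peers.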

Author: Krzysztof Pytko

How to re-register time services on a server

 

This time, I would like to show you how you can simply fix an issue with time services on your server. This method helps in 90% of cases with time issues.

Sometimes, you may notice that a server’s time is out of sync in your domain environment. The first method you should try is re-registering the time service on that server. If that fails, a much deeper investigation might be needed.

So, let’s check how we can re-register time services on a server.

Windows Server 2003

Log on to the server directly or over a Remote Desktop connection and run the command prompt by typing in the run box

cmd.exe

Running command prompt

and stop the “Windows Time” service by entering

net stop w32time

Stopping Windows Time service

or stop the service from the GUI console

services.msc

Running “Services” console

Now, search for the “Windows Time” service, which should be started

Searching “Windows Time” service

Double click on it and you’ll see its details, like:

  • service name (w32time)
  • display name (Windows Time)
  • description
  • Path to executable file
  • Startup type (Automatic by default)
  • service status (Started)

Service details

To stop the service, simply click the “Stop” button and wait a while

Stopping service

Service is stopping

you should see that the service is stopped

Service is stopped

Now, you can start the time service re-registration procedure. The command you need to use is called

w32tm.exe

It is responsible for time management in a domain or on a single server in a workgroup.

First of all, you have to unregister the time service by typing

w32tm.exe /unregister

Unregistering time service

and now register the service using the /register parameter

w32tm.exe /register

Registering time service

and the final step is to start the Windows Time service in the command prompt

net start w32time

Starting Windows Time service

or you may do that using the GUI console as well. Just click the “Start” button and wait a while for the service to start up

Starting Windows Time service from GUI console

Service is starting

That’s all. The re-registration procedure is done. From now on, you should see that time is accurate on the server. It comes from your Domain Controller or from another NTP server (depending on network configuration).

If not, you’ll need to investigate the case more deeply.

But this is not part of this article. I’ll try to post another article on troubleshooting services.

Windows Server 2008/2008R2

The procedure required for Windows Time service re-registration is EXACTLY the same as for Windows Server 2003. The only difference is that you need to run the command prompt in elevated mode as administrator. The remaining steps are the same.

Log on to the server directly or over a Remote Desktop connection and run an elevated command prompt from the “Start” menu. Go to “All Programs -> Accessories”, right-click “Command Prompt” and select “Run as administrator” from the context menu

Running elevated command prompt

provide a command to stop the “Windows Time” service by entering

net stop w32time

Stopping Windows Time service in command-line

or use the same GUI console for that, as for Windows Server 2003

services.msc

Running services GUI console

and search for the “Windows Time” service on the list

Searching for Windows Time service on the list

Double click on it and you’ll see its details, like:

  • service name (w32time)
  • display name (Windows Time)
  • description
  • path to executable file
  • startup type (Manual by default) -> the startup type has changed in comparison to Windows Server 2003
  • service status (Started)

Service details

To stop the service, simply click the “Stop” button and wait a while

Stopping Windows Time service from GUI console

Service is stopping

after a while, you should see that the service is stopped

Service is stopped

Now, you can start the time service re-registration procedure. The command you need to use is called

w32tm.exe

It is responsible for time management in a domain or on a single server in a workgroup.

First of all, you have to unregister the time service by typing

w32tm.exe /unregister

Unregistering time service

and now register the service using the /register parameter

w32tm.exe /register

Registering time service

and the final step is to start the Windows Time service in the command prompt

net start w32time

Starting Windows Time service from command prompt

or you may do that using the GUI console as well. Just click the “Start” button and wait a while for the service to start up

Starting Windows Time service from GUI console

Service is starting

That’s all. The re-registration procedure is done. From now on, you should see that time is accurate on the server. It comes from your Domain Controller or from another NTP server (depending on network configuration).

If not, you’ll need to investigate the case more deeply.

But this is not part of this article. I’ll try to post another article on troubleshooting services.

Windows Server 2012/2012R2

The procedure required for Windows Time service re-registration is EXACTLY the same as for Windows Server 2003 and Windows Server 2008/2008R2. The only difference is that you need to run the command prompt in elevated mode as administrator. The remaining steps are the same.

Log on to the server directly or over a Remote Desktop connection and run an elevated command prompt from the “Start” tile. Move the mouse cursor to the bottom left corner and wait until the “Start” tile appears (Windows Server 2012), or do it directly on it (Windows Server 2012 R2). Right-click on it and select “Command Prompt (Admin)”

Running elevated command prompt

provide a command to stop the “Windows Time” service by entering

net stop w32time

Stopping Windows Time service from command prompt

or use the same GUI console for that, as for Windows Server 2003/2008/2008R2

services.msc

Running services GUI console

and search for the “Windows Time” service on the list

Searching Windows Time service on the list

Double click on it and you’ll see its details, like:

  • service name (w32time)
  • display name (Windows Time)
  • description
  • path to executable file
  • startup type (Manual Trigger Start by default) -> the startup type has changed in comparison to Windows Server 2003/2008/2008R2
  • service status (Running)

Service details

To stop the service, simply click the “Stop” button and wait a while

Stopping Windows Time service from GUI console

Service is stopping

after a while, you should see that the service is stopped

Service is stopped

Now, you can start the time service re-registration procedure. The command you need to use is called

w32tm.exe

It is responsible for time management in a domain or on a single server in a workgroup.

First of all, you have to unregister the time service by typing

w32tm.exe /unregister

Unregistering Windows Time service

and now register the service using the /register parameter

w32tm.exe /register

Registering time service

and the final step is to start the Windows Time service in the command prompt

net start w32time

Starting Windows Time service from command prompt

or you may do that using the GUI console as well. Just click the “Start” button and wait a while for the service to start up

Starting service from GUI console

Service is starting

That’s all. The re-registration procedure is done. From now on, you should see that time is accurate on the server. It comes from your Domain Controller or from another NTP server (depending on network configuration).

If not, you’ll need to investigate the case more deeply.

But this is not part of this article. I’ll try to post another article on troubleshooting services.
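The re-registration sequence shown for all three Windows versions (net stop w32time, w32tm /unregister, w32tm /register, net start w32time), as an added PowerShell example that is not the article's own code. It measures the server's offset against its time source first and re-registers only when the skew exceeds a threshold, then measures again so you can see whether the fix worked; the 5-second threshold and the choice of the PDC Emulator as reference peer are assumptions.

```powershell
# Added example: measure clock skew, re-register w32time if needed, re-measure.
# Run in an elevated PowerShell on the server whose time is out of sync.
function Get-TimeOffsetSeconds {
    param([string] $Peer)
    # "/dataonly" prints one line per sample, e.g. "13:10:22, +00.0123456s";
    # the signed number is this host's offset from the peer in seconds.
    $lines   = & w32tm.exe /stripchart /computer:$Peer /samples:3 /dataonly
    $offsets = foreach ($l in $lines) {
        if ($l -match ',\s*([+-]\d+\.\d+)s') { [double]$matches[1] }
    }
    if (-not $offsets) { throw "No NTP samples from $Peer (firewall, name resolution or service down?)" }
    ($offsets | Measure-Object -Average).Average
}

function Repair-TimeServiceRegistration {
    [CmdletBinding()]
    param(
        # Reference peer: the domain's PDC Emulator, the top of the time hierarchy.
        [string] $Peer = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner.Name,
        # Assumed threshold; Kerberos itself tolerates 5 minutes by default.
        [double] $ThresholdSeconds = 5
    )
    $before = Get-TimeOffsetSeconds -Peer $Peer
    if ([math]::Abs($before) -le $ThresholdSeconds) {
        return New-Object PSObject -Property @{ Peer = $Peer; OffsetBefore = $before; Action = 'none' }
    }

    # The article's four steps, in order. /unregister removes the service
    # registration and settings; /register recreates them with defaults.
    Stop-Service -Name w32time -Force
    & w32tm.exe /unregister | Out-Null
    & w32tm.exe /register   | Out-Null
    Start-Service -Name w32time

    # Ask for an immediate sync so the second measurement reflects the repair.
    & w32tm.exe /resync /nowait | Out-Null
    Start-Sleep -Seconds 15
    $after = Get-TimeOffsetSeconds -Peer $Peer

    New-Object PSObject -Property @{
        Peer         = $Peer
        OffsetBefore = $before
        OffsetAfter  = $after
        Action       = 're-registered'
        Fixed        = ([math]::Abs($after) -le $ThresholdSeconds)
    }
}

Repair-TimeServiceRegistration | Format-List
```

If Fixed stays false after re-registration, the service is healthy but its configured source is not, which is the deeper investigation the article defers to a later post.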

Author: Krzysztof Pytko

Windows Server 2008 in-place upgrade to Windows Server 2012/2012R2

 

This topic is about the Windows Server 2008 in-place upgrade to Windows Server 2012/2012R2. The article will be really short, because there is no possibility to do an in-place upgrade of Windows Server 2008 to Windows Server 2012/2012R2 when it has no Hyper-V role configured.

The only supported in-place upgrade is possible when your Windows Server 2008 has the Hyper-V role configured.

Windows Server 2008 in-place upgrade to Windows Server 2012

When you insert the Windows Server 2012 installation media on Windows Server 2008 and run setup.exe (or autostart does that), you will be able to start the in-place installation process

Windows setup wizard

Click the “Install now” button to initiate setup. The wizard will copy the files necessary to start the in-place upgrade process

Setup is copying necessary files

Setup is starting

Now, you should go online and install the latest Windows Server 2008 updates before you continue the in-place upgrade

Note! The Internet connection is required!

Updating Windows Server 2008 before in-place upgrade

When all updates are applied, you need to provide a product key for this installation

Provide valid Windows Server 2012/2012R2 product key

Provide valid Windows Server 2012 product key

after that, choose the Windows Server 2012 edition to which you want to upgrade the current Windows Server 2008

Select Windows Server 2012 edition to install

Accept the license terms and go to the next step

License terms

Now, you can initiate the in-place upgrade installation. Choose “Upgrade: Install Windows and keep files, settings, and applications”

In-place upgrade initiation

When you click to start the in-place upgrade, the setup wizard starts to check whether there is any incompatible software on Windows Server 2008. In this case that process is skipped because of the unsupported scenario. You will notice an error stating that you cannot do an in-place upgrade to Windows Server 2012 (GUI or non-GUI installation) if no Hyper-V role is configured on the current server.

No in-place upgrade support for GUI edition of Windows Server 2012

No in-place upgrade support for non-GUI edition of Windows Server 2012

and that’s all in this case. Unfortunately, you need to do a clean Windows Server 2012 installation.

Windows Server 2008 in-place upgrade to Windows Server 2012 R2

In this scenario, the in-place upgrade path is shorter, because when you start the Windows Server 2012 R2 setup wizard you get an error that this is not possible at all. It does not matter whether the current Windows Server 2008 has the Hyper-V role configured or not; an in-place upgrade to Windows Server 2012 R2 is not supported at all.
When you try to do that, you see an error similar to the one below

Windows Server 2012 R2 setup wizard error

That’s all; you need to use a workaround in this case. First of all you have to perform an in-place upgrade from Windows Server 2008 to Windows Server 2008 R2, and then to Windows Server 2012

Author: Krzysztof Pytko

Adding first Windows Server 2012 R2 Domain Controller within Windows 2003/2008/2008R2/2012 network

 

When you wish to do this, please be informed that nothing has changed from the previous (Windows Server 2012) operating system release. That means all those steps from Windows Server 2012 are still valid for Windows Server 2012 R2.

I will not rewrite that article again; if you are interested, please read the article about Adding first Windows Server 2012 Domain Controller within Windows 2003/2008/2008R2 network on my blog.

I hope you would find it useful.

Author: Krzysztof Pytko

Fine-Grained Password Policy in Windows Server 2008/2008R2

 

Recently, I have seen that some administrators are afraid of using Fine-Grained Password Policy. It looks like the main reason is that they do not know how to set it up and how to manage it. I will try to show you some easy steps to understand it and implement it in your Active Directory environment.

First of all, if you wish to implement Fine-Grained Password Policy (FGPP) in your environment, your Domain Functional Level must operate at Windows Server 2008 mode. That means all of your Domain Controllers in a domain must run at least Windows Server 2008; no previous operating systems may be used for DCs. Of course, all other domain member servers may run earlier OS versions.

For more details about Domain Functional Level, please read my article on this blog.

OK, so what is FGPP and why would we want to use it? As you remember, in Windows 2000 Server and Windows Server 2003 we were only able to use a single password policy defined at the domain level over GPO. There was no possibility to use more than one domain password policy using group policies. When some department in our enterprise required another password policy, we needed to decide whether we wanted to:

  • convince it to use the standard password policy 🙂
  • configure child domain and migrate their objects
  • use 3rd party tools

For more details about the Default Domain Password Policy, please check the article on my blog about that.

This situation did not change in Windows Server 2008: you can still use only one domain password policy configured in GPO. However, Microsoft introduced a new feature to define additional password policies. Such a policy allows you to define separate password settings for a user or a group of users.

Important! A Fine-Grained Password Policy may only be assigned to a user or a global security group, not to a domain or an OU

When your DFL is at the appropriate level, you can start using the Fine-Grained Password Policy feature. What you need to know about this kind of Password Settings Object (PSO) before you set it up:

  • you can apply it only to a user or a global security group
  • you can set it up using ADSI Edit
  • you can set it up using PowerShell module for Active Directory
  • you need to use the dsget command to verify that a policy is applied
  • you can use PowerShell to manage PSO
  • only one password settings object applies to a user or group

Using a Fine-Grained Password Policy, you override the default domain policy for a user or group of users. However, you need to know that you may apply as many FGPPs as you wish, but only one will be applied. There are a few important things to know about password policy precedence:

  • when more than one is applied to a group, the PSO with the lowest precedence index is applied
  • when more than one is applied to a user, the PSO with the lowest precedence index is applied
  • when one is applied to a user and another to a group, the PSO on the user level is applied
  • when a user is a member of several groups with PSOs assigned, the policy with the lowest precedence index is applied

Now, when we know those things, we can start creating our first Fine-Grained Password Policy.

ADSI Edit

ADSI Edit allows you to use a GUI method for PSO creation. To start the process, run ADSI Edit from “Administrative Tools” or type in the run box: adsiedit.msc

Running ADSIEdit console

When you have run that console, you need to connect to the Default Naming Context where those objects are stored. To do that, right-click the root “ADSI Edit” node in the console and choose “Connect to”

Connecting to Default Naming Context

Now, in the “Connection Settings” window, ensure that in the “Select a well known Naming Context” area you have pointed to the Default Naming Context

Connecting to Default Naming Context

When you are connected to that Naming Context, you need to navigate to the container where you can create PSOs. The location of this container is

CN=Password Settings Container,CN=System,DC=domain,DC=local

Below you can see that container location in the ADSI Edit console

PSO container location

In this place you need to create a new object by right-clicking and selecting “New -> Object”

Creating new Fine-Grained Password Policy

Create the object class responsible for password settings, “msDS-PasswordSettings”. From now on, you are defining a new password policy. Follow the steps below to successfully finish the PSO creation process.

Selecting object class

At this step, you need to define a Fine-Grained Password Policy name that will be easy for you to identify when you review the PSO list

Creating new PSO object

Now, you need to set up the integer value of the precedence index. Remember, when PSOs are in conflict, the password policy with the lowest precedence index is applied

Creating new PSO object

This time, you need to specify whether you want to use reversible encryption for passwords. This stores the password in a recoverable form equivalent to plain text, so it is a vulnerability for the environment. Use this option only if one of your legacy applications really requires it. For this setting you can use only one of two possibilities for the boolean variable:

  • true to enable the reversible encryption policy
  • false to disable the reversible encryption policy

Creating new PSO object

Define how many previous passwords are remembered, which the user cannot re-use. This value should be an integer number

Creating new PSO object

OK, at this point you need to define whether the user’s password must be complex, using 3 out of 4 character categories. When you use the true value, the password must meet complexity by using 3 character groups out of the 4 available:

  • small letters [a-z]
  • capital letters [A-Z]
  • digits [0-9]
  • special characters [!@#$%^&*()]

in case you do not want to force users to use complex passwords, you need to put the false value in the form. In this example, we would like to use complex passwords

Creating new PSO object

The user’s password requires a minimum number of characters to build a good, hard-to-guess password. You need to define the lowest number of characters the user may use to build the password. This value is an integer number

Creating new PSO object

A really important part of each password policy is the setting for the minimum password age. It determines when a user is able to change his/her password again after the latest change. When you set this to too short a time or disable it, the user may change his/her password a few times and then is able to use the previous password(s) again. The important thing during PSO setup is to remember that this setting uses a non-integer variable! The expected value is a duration, which defines a time in the format

d:hh:mm:ss

where

  • d means how many days
  • hh means how many hours
  • mm means how many minutes
  • ss means how many seconds

an example duration for a password that may be changed again after 3 days

3:00:00:00

Creating new PSO object

the next setting determines when the user is forced to change the current password. You need to set up the time after which the password must be changed. This value is in the same format as the previous one, so you need to use the duration format shown in the step above

Creating new PSO object

And now, another part of setting up the password policy. You need to decide whether you wish to enable account lockout or not. It is good practice to enable the account lockout policy to prevent users from guessing other users’ passwords in your environment, or to prevent attackers from guessing your users’ passwords. Just define an integer value for the policy, and after the entered number of failed logon attempts the account is locked

Creating new PSO object

When you have defined after how many failed logon attempts a user account is locked, you are able to define 2 other policies related to the previous one. The Lockout Observation Window defines when the user may try to log on to the system once again. After that time, the user is able to try once again (but with only one chance) to log on to the system. If he/she remembers the password and the account was locked out by mistake, the next try will be successful. If the user does not remember the password, after the next wrong attempt the account will be locked again for the time specified in the Lockout Observation Window. This option allows an administrator to tell users that if they remember the password but locked the account by mistake, they need to wait the specified time and try once again. Otherwise, they should request a password reset. For that setting you again need to use the duration variable format, like for minimum and maximum password age.

Creating new PSO object

The second policy related to account lockout is the Lockout Duration, which determines the time after which the user account is completely unlocked. Then the user again has the defined number of tries to log on to the system. As for the previous setting, it also uses the duration format to define time

Creating new PSO object

That was the last setting in the PSO wizard. However, remember that when you close it by clicking the “Finish” button, you have only created the password policy; it is not applied to any group or user. If you wish to define that at this step, click the “More Attributes” button and from the “Select a property to view” drop-down box choose “msDS-PSOAppliesTo”

Creating new PSO object

When you choose that attribute, you need to define the distinguished name of the object to which you want to apply the policy. This requires you to know that DN, to put it in the field in the format:

CN=Object Name,OU=OU Location,DC=domain,DC=local

and press the “Add” button to add the object to the password policy

Creating new PSO object

You can see all objects assigned to PSO in the “Value(s)” list

Creating new PSO object

The step above in the PSO wizard requires you to know the object’s DN. What if you do not know it, or the DN is really long? You may simply finish the wizard without defining a value for the msDS-PSOAppliesTo attribute. This may be done later in a shorter and more convenient way. Just take a look at the steps below.

When you finish the wizard, you will see the new password policy in the selected container. Edit it by double-clicking it in the ADSI Edit window.

Edit existing PSO

In the “Attribute Editor” list search for the msDS-PSOAppliesTo attribute and click the “Edit” button.

Edit existing PSO

Now you have two options for assigning object(s): the classic window for the distinguished name of an object

Edit existing PSO

Edit existing PSO

or the more familiar option of searching for an object in AD.

Edit existing PSO

Edit existing PSO

OK, now that we have created a granular password policy and applied it to some object, how do we see whether the user is really using that policy? You can use the dsget command for that, or a combination of the dsquery and dsget commands. Let’s see how to check whether a PSO is applied to the user named iSiek:

dsquery user -samid iSiek | dsget user -effectivepso

After running this query you will see information about the PSO in use. If the result is empty, you can be sure that the user has no Fine-Grained Password Policy assigned and uses the default domain password policy.

Effective password policy applied to the user

This works fine, as you can see! If you really need different password policies in your environment, I encourage you to use the Fine-Grained Password Policy feature, as it is a really great feature!

PowerShell module for Active Directory

Now that we know more about Fine-Grained Password Policy requirements, we can check how to simply create and apply a PSO to an object. For that we need the PowerShell module for Active Directory. To load it, run in a PowerShell window:

Import-Module ActiveDirectory

PowerShell – importing AD module

and wait for the cmdlets to be imported. Now you can use some PowerShell cmdlets to manage PSOs; let’s see their names. Type in the PS window:

Get-Help *-ADFine*

Getting cmd-lets for Fine-Grained Password Policy

To create a new granular password policy we need the New-ADFineGrainedPasswordPolicy cmdlet. We need to define all the values we are interested in, as we did with ADSI Edit. When you skip a value, the default setting for that value is used.

Let’s see how to create another PSO using the same values as in the previous example, but with the PowerShell cmdlet:

New-ADFineGrainedPasswordPolicy -Name it-security-PSO-02 `
-DisplayName it-security-PSO-02 `
-Precedence 200 `
-ComplexityEnabled $true `
-ReversibleEncryptionEnabled $false `
-PasswordHistoryCount 10 `
-MinPasswordLength 8 `
-MinPasswordAge 3.00:00:00 `
-MaxPasswordAge 30.00:00:00 `
-LockoutThreshold 3 `
-LockoutObservationWindow 0.00:25:00 `
-LockoutDuration 0.00:30:00

PowerShell – PSO creation

PSO list

As you can see, PowerShell created the new PSO, but it is not assigned to any object. We need another cmdlet to accomplish that: Add-ADFineGrainedPasswordPolicySubject.

This time I will assign the granular password policy to the user directly.

Add-ADFineGrainedPasswordPolicySubject -Identity it-security-PSO-02 -Subjects iSiek

Assigning PSO to an object

Now it’s time to verify whether the PSO is applied to a user. For that you can use the Get-ADFineGrainedPasswordPolicy cmdlet:

Get-ADFineGrainedPasswordPolicy -Filter { name -like 'it-security-PSO-02' }

PSO applies to

And that’s all about configuring and setting up Fine-Grained Password Policy objects. You may also check the remaining cmdlets to modify and remove PSO objects.
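One caveat worth showing in code: filtering Get-ADFineGrainedPasswordPolicy by name lists the PSO and its AppliesTo values, but it does not tell you which PSO the domain controller actually enforces for a given user when several apply. The script below is an added example, not code from the original article; it assumes the ActiveDirectory module, the PSO it-security-PSO-02 and the user iSiek from the article, and it uses the Get-ADFineGrainedPasswordPolicySubject and Get-ADUserResultantPasswordPolicy cmdlets of the same module to answer that question.

```powershell
# Added example, not part of the original article. Assumes the ActiveDirectory
# module is available and that the PSO "it-security-PSO-02" and the user
# "iSiek" from the article exist in the domain.
Import-Module ActiveDirectory

# 1. Who is the PSO assigned to? This reads msDS-PSOAppliesTo and is the
#    PowerShell counterpart of the "Value(s)" list shown in ADSI Edit.
Get-ADFineGrainedPasswordPolicySubject -Identity 'it-security-PSO-02' |
    Select-Object Name, ObjectClass, DistinguishedName

# 2. Which PSO actually wins for the user? The DC computes msDS-ResultantPSO
#    (a directly assigned PSO beats one assigned via a group, then the lowest
#    Precedence wins), so this is the equivalent of "dsget user -effectivepso".
function Get-EffectivePso([string]$SamAccountName) {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -eq $pso) {
        Write-Output "$SamAccountName has no PSO; the Default Domain Policy password settings apply."
    } else {
        $pso | Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount,
                             LockoutThreshold, LockoutDuration, ReversibleEncryptionEnabled
    }
}
Get-EffectivePso 'iSiek'

# 3. List every PSO that names the user or one of the user's direct groups,
#    sorted by Precedence, so a clash between several PSOs is visible.
#    (Nested group membership is resolved by the DC in step 2, not here.)
$user  = Get-ADUser -Identity 'iSiek'
$dnSet = @($user.DistinguishedName) +
         @(Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object { $_.DistinguishedName })
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Where-Object { @($_.AppliesTo | Where-Object { $dnSet -contains $_ }).Count -gt 0 } |
    Sort-Object Precedence |
    Select-Object Name, Precedence
```

Step 3 is what you want to run whenever a user reports being locked out or forced to change a password unexpectedly: it shows every candidate PSO, and the Precedence column explains why the one from step 2 was chosen.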

Author: Krzysztof Pytko

Windows Management Framework 3.0 for Windows Server 2008/2008R2

 

Microsoft has released Windows Management Framework 3.0 for Windows Server 2008/2008R2. You can download it from http://www.microsoft.com/en-us/download/details.aspx?id=34595

This allows you to use Windows Remote Management (WinRM) services, WMI and PowerShell in version 3.0 on Windows Server 2008/2008R2.

To be able to run that package, you need to install Microsoft .NET Framework 4 first. Its package is available at http://www.microsoft.com/en-us/download/details.aspx?id=17718

Windows Management Framework 3.0 allows you to use PowerShell version 3 and to manage the server over WinRM from the new Server Manager on Windows Server 2012 (which requires WinRM 3.0).

When you have downloaded the required packages and installed them on a server, you need to enable remote management. To do that, run in the command line:

winrm qc

or

winrm quickconfig

Windows Remote Management configuration

and confirm that you want to enable remote management.

Windows Remote Management configuration

After that, please ensure that all required ports are open in the Windows firewall, or disable the relevant firewall profile, before you try to manage that server over Server Manager in Windows Server 2012 or RSAT in Windows 8.
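The same enablement and the firewall check done from PowerShell, as an added example that is not part of the original article. It assumes an elevated PowerShell 3.0 window on the Windows Server 2008/2008 R2 machine after .NET Framework 4 and WMF 3.0 are installed; Enable-PSRemoting is used here as the cmdlet equivalent of winrm quickconfig, and the firewall rule name is the one shipped with Windows Server 2008 R2.

```powershell
# Added example, not part of the original article. Run in an elevated
# PowerShell 3.0 window on the Windows Server 2008/2008 R2 machine after
# installing .NET Framework 4 and WMF 3.0.

# 1. Make sure WMF 3.0 is really what is running (a pending restart after
#    the WMF install leaves PowerShell 2.0 in place).
if ($PSVersionTable.PSVersion.Major -lt 3) {
    throw "PowerShell $($PSVersionTable.PSVersion) is running; WMF 3.0 is not installed or a restart is pending."
}

# 2. Enable-PSRemoting performs the same steps as "winrm quickconfig"
#    (start the WinRM service, create the HTTP listener on 5985, add the
#    firewall exception) and additionally registers the PowerShell session
#    configurations. -Force suppresses the confirmation prompts.
#    If any NIC is on a Public network profile, WMF 3.0 refuses to continue
#    unless -SkipNetworkProfileCheck is given; fix the profile instead.
Enable-PSRemoting -Force

# 3. Show the listener that was created (one HTTP listener bound to all
#    addresses by default; on a multi-homed server restrict Address).
winrm enumerate winrm/config/listener

# 4. The quickconfig firewall rule applies to the Domain and Private
#    profiles only. Check the rule rather than disabling a whole profile.
netsh advfirewall firewall show rule name="Windows Remote Management (HTTP-In)"

# 5. Confirm the service answers. "Stack: 3.0" in the ProductVersion line
#    is the WinRM version the Windows Server 2012 Server Manager expects.
Test-WSMan -ComputerName $env:COMPUTERNAME

# 6. Repeat the last check from the Windows Server 2012 / Windows 8
#    management host against this server's name before adding it to
#    Server Manager:  Test-WSMan -ComputerName <this server's FQDN>
```

If step 5 works locally but step 6 fails from the management host, the problem is between the two machines (firewall profile, name resolution or the listener address), not WMF itself.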

Now you are able to add those Windows Server 2008/2008R2 machines to Server Manager and manage them. However, there is one limitation with this kind of management: you cannot install roles/features remotely on Windows Server 2008/2008R2 machines.

Open Server Manager in Windows Server 2012 or RSAT in Windows 8, select “All Servers” on the left side, click the right mouse button and choose “Add Servers”.

Adding Windows Server 2008/2008R2 into Server Manager for remote management

You will see a new window where you can select a server to add. You can add servers using one of these criteria:

  • using Active Directory computer object

You can search AD for computers by their

  1. name
  2. OS type
  3. or just display them all and choose from the list

Adding server(s) to Server Manager

  • using existing DNS record
  1. host (A) record – machine name (forward lookup zone)
  2. pointer (PTR) record – machine IP address (reverse lookup zone)

Adding server(s) to Server Manager

  • using text file for import

Adding server(s) to Server Manager

Using one of the above methods, add the server to Server Manager (select the server from the list and click the arrow to add it)

Adding server(s) to Server Manager

and as you can see, the server is available on the list (ready to manage).

Windows Server 2008/2008R2 in new Server Manager

From now on you can manage the server(s). Select one on the list, click the right mouse button and you will see all available management options (except roles/features installation).

Remote server management

Author: Krzysztof Pytko

Fine-Grained Password Policy

 

As you know, in Windows 2000 and 2003 Server you could have only one password policy per domain. If your company required different password policies for particular departments, you needed to set up separate domain(s) for them or look for 3rd-party tools to fulfill these requirements. That was your only choice.

In Windows Server 2008 (Domain Functional Level) Microsoft introduced a new feature called “Fine-Grained Password Policy”. This still does not allow more than one global, domain-wide password policy defined in GPO, but it allows defining additional password policies in your environment without creating additional domains. These objects are created in the domain and stored in the domain partition. The main difference between a GPO password policy and FGPP is that you cannot assign an FGPP to an Organizational Unit (OU). These password policies may be applied only to:

  • user
  • group

In Windows Server 2008/2008R2 setting up these policies is not so convenient, as you need to use ADSI Edit for that. It is also a little difficult to track which policy takes effect when more than one is applied to a user or group. In Windows Server 2012 Microsoft created a GUI for FGPP management; it is available in the new Active Directory Administrative Center.

In this article we will focus only on Windows Server 2012 and its new GUI feature within ADAC. However, if you are also interested in how to create FGPP in Windows Server 2008/2008R2, please read the Microsoft article below:

Important! Remember that to be able to use Fine-Grained Password Policies, your Domain Functional Level must be at least Windows Server 2008.

Let’s try to configure an example Fine-Grained Password Policy in Windows Server 2012. To do that we need access to Windows Server 2012 or Windows 8 RSAT, where the new Active Directory Administrative Center is available.

When you have Server Manager up and running, go to “Tools” and open the ADAC console.

ADAC console

In Active Directory Administrative Center console, select “Tree” view and expand your domain node.

Active Directory Administrative Center

Now select the “System” container and go to the middle pane. Search there for “Password Settings Container”.

Password Settings container

Right-click it and choose “New -> Password Settings” to create the password policy.

Note! When you see grayed-out “New” and “Delete” entries, your domain does not fulfill the FGPP requirements. This is mostly caused by a too-low Domain Functional Level. You need to raise the DFL to Windows Server 2008; then you will be able to use password policies.

Too low Domain Functional Level

OK, but this should be checked before you start creating a password policy 🙂

New Fine-Grained Password Policy

When you do that, you will see a new window in which you can define all password settings, like in a GPO. Below you can find a screenshot of the default view.

Default view of password settings policy

On that screen you need to define the following policy parameters:

  • Policy name
  • Policy precedence number
  • Minimum password length
  • Minimum password age
  • Maximum password age
  • Number of passwords remembered
  • Number of failed logon attempts allowed
  • Reset failed logon attempts count after (mins)
  • Account will be locked out
  • Password must meet complexity requirements
  • Store password using reversible encryption
  • Protect from accidental deletion

I will try to explain each of those parameters in a few words so that you better understand what they do.

Policy name

This parameter defines the policy name by which administrators will identify the policy. Name the policy so that you can easily tell what it is for.

Policy precedence number

The number specified here matters for a user/group to which you have assigned more than one password policy. In that case you need to determine which one takes precedence: the policy with the lower value is applied.

Minimum password length

Specify here how many characters (at least) are required in a password.

Minimum password age

Here you can define when a user is able to change the password after the last change. This setting prevents the user from changing the password before the specified number of days has passed.

Maximum password age

After that time, the user is obliged to change the password.

Number of passwords remembered

This setting defines how many previously used passwords are remembered and cannot be reused.

Number of failed logon attempts allowed

This value tells the domain how many wrong logons are accepted before the account is locked.

Reset failed logon attempts count after (mins)

This option configures the amount of time after which the bad-logon counter is reset, allowing the user one more chance to log on to the domain.

Account will be locked out

Sets how long the account will be locked out. When the value is set to 0, or “Account will be locked out until an administrator manually unlocks the account” is enabled, the account stays locked until an administrator unlocks it.

Password must meet complexity requirements

This defines that a password must contain characters from 3 of the 4 character groups to be valid. These groups are:

  • lower characters [a-z]
  • upper characters [A-Z]
  • special characters [!@#$%^&*()]
  • digits [0123456789]

Store password using reversible encryption

This setting stores the password in a reversible (effectively plain-text) form for some applications that require access to the user’s password. It should not be used unless an application really requires it.

Protect from accidental deletion

This is not directly connected to password settings. It applies to the password policy object itself: the object cannot be deleted from the domain until you uncheck this box.

Now that we have a better understanding of these policy parameters, we can define an example Fine-Grained Password Policy. Below you can find the settings used for that policy:

  • Policy name – it-domain-administrators
  • Policy precedence number – 1
  • Minimum password length – 8
  • Minimum password age – 5
  • Maximum password age – 90
  • Number of passwords remembered – 10
  • Number of failed logon attempts allowed – 3
  • Reset failed logon attempts count after – 30
  • Account will be locked out – 40
  • Password must meet complexity requirements – yes
  • Store password using reversible encryption – no
  • Protect from accidental deletion – yes

Example Fine-Grained Password Policy

After adding this policy to the domain, you need to specify the user or group to which you want to apply it. As the example policy name suggests that it is for Domain Administrators, I need to choose their group in the displayed window

Target group for FGPP

and you can see that it is directly applied to the “Domain Admins” group in the “Directly applies to” section.

Confirmation for applying FGPP

That’s all for Fine-Grained Password Policies in this article. Whenever you need to see FGPPs and their assigned users/groups, open ADAC, go to System -> Password Settings Container and review those settings.
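Reviewing the Password Settings Container by hand works for a handful of PSOs; once several exist, the precedence rule described above (lower number wins, and two PSOs with the same precedence are broken by object GUID rather than by an administrator's choice) is easy to get wrong. The following audit script is an added example, not code from the original article; it assumes the ActiveDirectory module from RSAT and read access to the domain, and the thresholds it flags (minimum length below 8, lockout threshold 0, reversible encryption enabled, complexity disabled, a PSO with no subjects) are review heuristics chosen here, not rules from the article.

```powershell
# Added example, not part of the original article. Lists every PSO in the
# domain with its subjects and flags settings a reviewer would question.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$report = foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo) {
    # Resolve the DNs in msDS-PSOAppliesTo to readable names; a DN that no
    # longer resolves (deleted object) is kept as-is so it is not hidden.
    $subjects = foreach ($dn in $pso.AppliesTo) {
        $obj = Get-ADObject -Identity $dn -ErrorAction SilentlyContinue
        if ($obj) { $obj.Name } else { "<unresolved: $dn>" }
    }

    # Review heuristics chosen for this example, not rules from the article.
    $findings = @()
    if ($pso.ReversibleEncryptionEnabled) { $findings += 'reversible encryption on' }
    if (-not $pso.ComplexityEnabled)      { $findings += 'complexity off' }
    if ($pso.MinPasswordLength -lt 8)     { $findings += "min length $($pso.MinPasswordLength)" }
    if ($pso.LockoutThreshold -eq 0)      { $findings += 'no lockout' }
    if (-not $subjects)                   { $findings += 'applies to nobody' }

    New-Object PSObject -Property @{
        Name       = $pso.Name
        Precedence = $pso.Precedence
        AppliesTo  = ($subjects -join ', ')
        MaxAgeDays = $pso.MaxPasswordAge.Days
        Findings   = ($findings -join '; ')
    }
}

# Lower precedence wins when a principal gets more than one PSO, so show
# them in that order.
$report | Sort-Object Precedence |
    Format-Table Name, Precedence, MaxAgeDays, AppliesTo, Findings -AutoSize

# Equal precedence values are resolved by object GUID, which nobody chose
# deliberately; warn about each shared value.
$report | Group-Object Precedence | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $names = ($_.Group | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Precedence $($_.Name) is shared by: $names"
}
```

Run it after every PSO change; the Findings column is empty for a policy that passes all the checks, so anything printed there is worth a second look.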

Author: Krzysztof Pytko

Adding first Windows Server 2012 Domain Controller within Windows 2003/2008/2008R2 network

 

Prerequisites

To be able to configure a Windows Server 2012 Domain Controller within a Windows 2003/2008/2008R2 network we need to check that the Forest Functional Level is set at least to Windows 2003 mode. This is the lowest Forest Functional Level that allows Windows Server 2012 Domain Controller installation. That means Windows 2000 DCs are not supported anymore; Microsoft does not support them alongside 2012 Domain Controllers. It’s time to forget about these old DCs.

Windows Server 2012 DC Forest Functional Level requirements

Windows Server 2012 DC Forest Functional Level requirements

We can check this in the domain where we want to install the first 2012 DC. To verify it, we use the “Active Directory Users and Computers” or “Active Directory Domains and Trusts” console.

In the “Active Directory Users and Computers” console, select your domain and click the right mouse button (RMB) on it. Choose “Raise Domain Functional Level” and check the current level.

If you see a screen like this (Windows 2003 mode), you do not need to raise your Domain Functional Level. Otherwise you have to remove all Windows 2000 Domain Controllers or, if you have none, raise the DFL to Windows 2003 mode or higher.

Current Domain Functional Level

But remember, raising the Domain Functional Level is a one-time action and cannot be reverted. Before you raise it to 2003 mode, please ensure that all of your Domain Controllers are running at least Windows Server 2003. In this case all of them are at least 2003 DCs, as the DFL is already set to 2003 mode, which would not be possible if any 2000 DCs were still present.

Windows 2003 mode does not support DCs based on earlier Microsoft Windows systems like NT4 and Windows 2000.

Another way is to use the Active Directory Domains and Trusts console. Run this console, select the domain for which you want to check the Domain Functional Level and choose “Raise Domain Functional Level”.

Current Domain Functional Level

Follow the same steps as in previous console.

More about raising the Domain Functional Level you can find in another article on my blog.

At this point you can also raise your Forest Functional Level if all of the Domain Controllers in the entire forest are running Windows Server 2003. If not, please skip the steps below and go to the Single Master Operation Roles section.

To raise the Forest Functional Level, select the “Active Directory Domains and Trusts” node, click it with RMB and choose “Raise Forest Functional Level”. On the list accept “Windows Server 2003” mode by clicking the “Raise” button.

In this case the FFL is already set to Windows Server 2003 mode and there is no need to raise it.

Raising Forest Functional Level

For more information about raising the Forest Functional Level please check another article on my blog.

You can also determine the DFL and FFL by following the article on my blog titled: Determine DFL and FFL using PowerShell

Now it’s time to determine which Domain Controller(s) hold(s) the Single Master Operation Roles. The most important ones for preparing the environment for a 2012 DC are:

  • Schema Master
  • Infrastructure Master

We need to be sure that a connection to this/these DC(s) is available during the setup process. In previous versions we needed to prepare the environment using the adprep command to extend the schema and configure the Infrastructure Master. From Windows Server 2012 we don’t have to run adprep first. Of course, if you wish, you can still do that, but it is not a mandatory step. From now on, Windows Server 2012 will do that for you if it detects that adprep was not run before for Schema and Infrastructure preparation. That’s a new feature in Windows Server 2012 which simplifies the promotion process as much as it can. You only need to check that a connection to the DC(s) holding the mentioned operations master roles is available (it is based on a similar solution in Exchange 2010, where you do not have to use setup.com to extend the schema yourself).

To verify the necessary Operations Masters, we can use the netdom command installed from Support Tools on Windows Server 2003 (in 2008/2008R2 it is available by default). Open the command line, go to the default installation directory:

C:\Program Files\Support Tools and type:

netdom query fsmo

and identify the DC(s) from the output.

Operation Master (FSMO) roles

We have collected almost all the information necessary to start AD preparation for the first Windows Server 2008 R2 Domain Controller. The last and most important part before we start preparation is checking the forest/domain condition by running:

  • Dcdiag (from Support Tools)
  • Repadmin (also from Support Tools)

Run in the command line on a DC where you have Support Tools installed:

dcdiag /e /c /v

and check that there are no errors. If there are, please correct them (if your forest/domain has a lot of Domain Controllers, skip the /e switch).

Now run in the command line:

repadmin /showrepl /all /verbose

to check that your DCs are replicating data without errors.

For more about Active Directory troubleshooting tools, check one of my articles on this blog.

After those checks, you can start with Active Directory preparation.

Adding first Windows 2012 Domain Controller

Before we start preparing AD for the new Windows Server 2012 DC, we need to be sure that we are members of:

  • Enterprise Admins group

When we are sure of that, we can start the installation.
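The prerequisite checks from the sections above (functional levels, operations master holders and their reachability, Enterprise Admins membership, dcdiag and repadmin health) collected in one script, as an added example that is not part of the original article. It assumes the ActiveDirectory PowerShell module on an existing Windows Server 2008/2008 R2 DC or an RSAT workstation, that dcdiag and repadmin are on the path, and writes its output to C:\dcprep, a path chosen for this example.

```powershell
# Added example, not part of the original article. Run from an existing
# Windows Server 2008/2008 R2 DC (or a workstation with RSAT) before
# promoting the first Windows Server 2012 DC. Assumes the ActiveDirectory
# module; dcdiag/repadmin output goes to C:\dcprep (a path chosen here).
Import-Module ActiveDirectory
$outDir = 'C:\dcprep'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Functional levels. Windows2003Forest / Windows2003Domain is the lowest
#    level a 2012 DC can join; a Windows 2000 level means 2000 DCs must go first.
"Forest functional level : $($forest.ForestMode)"
"Domain functional level : $($domain.DomainMode)"
if ("$($forest.ForestMode)" -match '2000') {
    Write-Warning 'Forest functional level is Windows 2000; demote 2000 DCs and raise the FFL first.'
}

# 2. Operations master holders that the built-in adprep must reach.
$fsmo = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
}

# 3. Reachability on the LDAP port rather than ping, which firewalls drop.
function Test-TcpPort([string]$ComputerName, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($ComputerName, $Port); return $true }
    catch   { return $false }
    finally { $client.Close() }
}
foreach ($role in $fsmo.Keys) {
    $holder = [string]$fsmo[$role]
    $state  = if (Test-TcpPort $holder 389) { 'reachable' } else { 'NOT reachable' }
    '{0,-22} {1,-40} {2}' -f $role, $holder, $state
}

# 4. The account running the promotion must be in Enterprise Admins, which
#    lives in the forest root domain, so query a root-domain DC.
$rootDc    = [string](Get-ADDomainController -DomainName $forest.RootDomain -Discover).HostName
$eaMembers = Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive -Server $rootDc |
             ForEach-Object { $_.SamAccountName }
if ($eaMembers -notcontains $env:USERNAME) {
    Write-Warning "$env:USERNAME is not a member of Enterprise Admins."
}

# 5. Health of the existing DCs, saved for review. /e is left out on
#    purpose for large forests, as the article notes.
dcdiag /c /v > "$outDir\dcdiag.txt"
repadmin /showrepl /all /verbose > "$outDir\repadmin.txt"
repadmin /replsummary > "$outDir\replsummary.txt"
Select-String -Path "$outDir\dcdiag.txt" -Pattern 'failed test' | Select-Object LineNumber, Line
```

Anything reported as NOT reachable in step 3 or printed by the Select-String in step 5 needs fixing before the promotion wizard runs, because the in-built adprep will fail at the same points.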

Install your new box with Windows Server 2012, configure its IP address according to your network settings and change the default server name to yours.

Remember that it’s very important to properly configure the network card settings to be able to promote your new box as a domain controller!

The most important part of configuring the NIC is setting up the DNS server(s). Point your new box to one of the existing Domain Controllers where you have DNS installed and configured.

IPv4 settings verification

After you have verified the IP settings, you can start promoting the server to Domain Controller. However, you cannot use the good old dcpromo command, as it is not valid anymore 🙂

dcpromo

Microsoft removed it and now everything is done over the new Server Manager console. You need to install the Active Directory Domain Services role, and after that, in the post-installation steps, you can promote the server to Domain Controller. Let’s start.

Open the Server Manager console (if it is not already open) and click “Add roles and features” on the Dashboard screen.

Adding Roles and Features

Using default settings in the wizard, go up to the “Server roles” step (those steps are not described in this article; you may expect their description in another article) and select the Active Directory Domain Services role. Also accept the default features that are required for the installation.

Required features for AD:DS role

Verify that the check box is in the proper place and go to the next step.

Adding AD:DS role

On the “Features” screen also go to the next step, as we do not need anything more installed at this point. All required features will be installed as you accepted them a little earlier.

Adding AD:DS role

Read the information about the role you are installing and go to the confirmation screen to install it.

Adding AD:DS role

Wait some time until the selected role is installed before you are able to promote the server to Domain Controller.

Installing AD:DS role

Installing AD:DS role

Now, when the role is installed, you can see an exclamation mark in the notification area. It tells you that post-installation steps might be required.

Notification area

Click it to see what can be done. You will see that you can now promote your server to Domain Controller, and information that the features were installed successfully.

Notification area

OK, let’s start promoting the server to Domain Controller! Click “Promote this server to a domain controller” and you will see a wizard.

As we are adding a Domain Controller to an existing domain, we need to select the proper option. It is selected by default; however, please ensure that “Add a domain controller to an existing domain” is selected.

Domain Controller promotion

When you have verified that, enter in the field marked with a red star the DNS domain name of the domain to which you are promoting the DC. Provide Enterprise Administrator credentials and go to the next step.

Domain Controller promotion

Domain Controller promotion

Domain Controller promotion

Define whether the server should be a DNS server and a Global Catalog. I strongly recommend installing both roles on each Domain Controller in your environment. Select the site to which this DC should belong and define the Directory Services Restore Mode (DSRM) password for this DC.

Domain Controller promotion

Do not worry about DNS delegation, as this server is not a DNS server yet. Go to the next step.

Domain Controller promotion

In “Additional options” you can define whether you want to install this Domain Controller from Install From Media (IFM), if you have it, and from which DC replication should be done. When you do not specify one, the server will choose the best source for AD database replication. If you have no special requirements, just leave “Any domain controller”.

Domain Controller promotion

Specify the location for the AD database and SYSVOL (if you need a different one than suggested) and go to the next step.

Domain Controller promotion

Now the wizard informs you that Schema and Domain preparation need to be done. As you did not run adprep before, it will be executed in the background for you.

Domain Controller promotion

You will see a summary screen where you can check all selected options for server promotion. As in Windows Server 2012 everything done in Server Manager is translated into PowerShell code and executed in the background, you can check the code by clicking the “View script” button. You will see exactly what will be run. This process is transparent and you do not see a PowerShell window in front of you.

Domain Controller promotion

PowerShell code for adding Domain Controller

#
# Windows PowerShell script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-Credential (Get-Credential) `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "testenv.local" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SiteName "Default-First-Site-Name" `
-SysvolPath "C:\Windows\NTDS" `
-Force:$true

If all prerequisites pass and you are sure that you have set up all settings properly, you can start the installation.

Domain Controller promotion

You can observe that the forest and domain are being prepared by adprep running in the background. Wait until the wizard finishes its job; after the server restart you will have a new Windows Server 2012 Domain Controller.

Domain Controller promotion

Give the DC some time to replicate Directory Services data, and then you can enjoy the new DC.

Post-Installation steps

Now you need to make small changes in your environment configuration.

In the NIC properties of each server/workstation, configure the alternate DNS server IP address to point to the new Domain Controller.

Open the DHCP management console and under server/scope options (depending on your DHCP configuration) modify option no. 006.

Add there the IP address of your new Domain Controller as a DNS server.

DHCP server reconfiguration

That’s all!

Congratulations! You have promoted your first Windows Server 2012 Domain Controller in an existing domain.

Author: Krzysztof Pytko

DNS bulk PTR records creation

 

My previous article was about bulk DNS record creation in a forward lookup zone. This time we will focus on the same activity, but in a reverse lookup zone. In my opinion this kind of task is needed much more frequently than the previous one. You may ask why? Because usually, when you create a host (A) record in a forward lookup zone, you don’t care about the pointer (PTR) record in the reverse lookup zone. This may happen for 3 reasons:

  • You really don’t need PTR record(s) 🙂
  • You have not checked “Create associated pointer (PTR) record” when adding host record

Option for pointer (PTR) record auto creation

  • You have checked the above option but the DNS reverse lookup zone does not exist

Reverse lookup zone does not exist

So, one of these cases may lead you to bulk PTR record creation in the future, when you realize that you need this kind of record(s). I will try to show you simply how to do that very quickly with the least administrative effort, because using the DNS Management console is not a very convenient or fast method (you need to create each record separately by hand).

I will show you how to do that using simple scripts based on:

  • Windows DNScmd command
  • Using DNSShell module for Windows PowerShell (really great module)
  • Using native DNS cmd-lets in PowerShell 3.0

The Windows DNScmd command is available by default on Windows Server 2008/2008R2 where the DNS role has been installed. To use it on Windows Server 2003, you need to install Support Tools from the server’s CD#1.

The DNSShell module needs to be downloaded separately from the blog of Chris, who is a REAL genius on the DNS topic. His module for PowerShell is really great and very helpful.

Windows PowerShell 3.0 DNS cmdlets are available in Windows 8 and Windows Server 2012 and are a new feature added by Microsoft to manage DNS servers.

PowerShell 3.0 can also be installed on Windows 7/2008/2008R2; for more information about that, please check my other article “Windows Management Framework 3.0 for Windows Server 2008/2008R2”.

DNScmd

Before we start preparing the script for bulk DNS record creation, let’s check that the appropriate reverse lookup zone(s) exist(s). A reverse lookup zone must exist; otherwise pointer (PTR) records won’t be created! When the zone does not exist, you need to create it first, before you can start using the script for bulk record creation.

After we have verified that the zone exists, we can start creating records. But before that, let’s see how the DNScmd syntax looks for a single pointer (PTR) record. Then we will know which parameters should be put into the input file for the script.

Note! To get help for the DNScmd command, specify /? after its name or after any switch you want information about.

Now we will prepare the proper syntax to add a single pointer (PTR) record to a DNS zone. For that we need to know:

  • DNS server name
  • DNS zone name (reverse lookup zone name)
  • IP address
  • host name

The proper syntax to create a pointer (PTR) record is:

dnscmd ServerName /RecordAdd DNSReverseZoneName IPAddress RecordType FQDNHostName
 

Below you can find an example:

dnscmd %LOGONSERVER% /RecordAdd 1.168.192.in-addr.arpa 100 PTR testHost.testenv.local

DNScmd command execution

Instead of the %LOGONSERVER% system variable you can use the DNS server name (if all your DCs are DNS servers too, you can simply use %LOGONSERVER%; otherwise you need to type the DNS server name manually).

As you can see in the DNS Management console, the new record has been created.

DNS record verification

We have the complete syntax, and now we can create a script to create many DNS records in a short time. First of all, we need an input file containing all the required data. To create it, we put 2 or 3 values per line in a flat text file:

  • an octet of IP Address for which we want to add PTR record
  • host Fully-Qualified Domain Name
  • optionally reverse lookup zone name (if we want to create PTR records for multiple zones)

An example input file for the script (2 values and the same zone):

100 testHost01.testenv.local
101 testHost02.testenv.local
102 testHost03.testenv.local
103 testHost04.testenv.local
104 testHost05.testenv.local

or an example input file with 3 values:

105 testHost06.testenv.local 1.168.192.in-addr.arpa
106 testHost07.testenv.local 1.168.192.in-addr.arpa
107 testHost08.testenv.local 2.168.192.in-addr.arpa
108 testHost09.testenv.local 2.168.192.in-addr.arpa
109 testHost10.testenv.local 3.168.192.in-addr.arpa

and save it as, e.g., newPTR.txt on the C drive.

Now you can use the script below to create many DNS records (case with 2 values in the file):

for /f "tokens=1-2" %i in (c:\newPTR.txt) do dnscmd %LOGONSERVER% /RecordAdd 1.168.192.in-addr.arpa %i PTR %j

Bulk DNS pointer records created

and you can verify that in DNS Management console

DNS records verification

and now the code for the case with 3 values in the file:

for /f "tokens=1-3" %i in (c:\newPTR.txt) do dnscmd %LOGONSERVER% /RecordAdd %k %i PTR %j

Bulk DNS records created

and you can verify that in the DNS Management console once again.

DNS records verification

DNSShell module for PowerShell

As I mentioned at the beginning of this article, this is a separate module which needs to be downloaded. You can download it from:

http://www.indented.co.uk/index.php/2010/04/16/dnsshell-zone-and-server-cmdlets/

When you have downloaded it, you have to extract the content into one of the following locations:

  • %HOMEPATH%\Documents\WindowsPowerShell\Modules
  • %WINDIR%\SYSTEM32\WindowsPowerShell\v1.0\Modules

PowerShell modules path

and import this module before the first use:

Import-Module DNSShell

To list all available cmdlets use:

help *DNS*

Importing DNSShell module and list all available cmd-lets

From now on you have all the cmdlets available. Let’s start by creating a single record in DNS using the New-DNSRecord cmdlet.

To create a pointer (PTR) record using DNSShell, you need:

  • DNS zone name (reverse lookup zone name)
  • an octet of IP Address for which we want to add PTR record
  • host name

You will find the general syntax below:

New-DNSRecord -Name AnOctet -RecordType PTR -ZoneName ReverseZoneName -HostName HostFQDN

and a short example:

New-DNSRecord -Name 100 -RecordType PTR -ZoneName 1.168.192.in-addr.arpa -HostName testHost01.testenv.local

New-DNSRecord example

and you can see the command’s result in DNS Manager.

DNS record verifying

So now we can create a script to automatically create many DNS records. As for PowerShell it is better to use the CSV file format instead of a flat text file, I will prepare an example here. A CSV file requires a header for each attribute; we need 2 or 3 attributes for that.

An example CSV file for 2 values:

octet,hostName
100,testHost01.testenv.local
101,testHost02.testenv.local
102,testHost03.testenv.local
103,testHost04.testenv.local
104,testHost05.testenv.local

An example CSV file for 3 values:

octet,hostName,zoneName
105,testHost06.testenv.local,1.168.192.in-addr.arpa
106,testHost07.testenv.local,1.168.192.in-addr.arpa
107,testHost08.testenv.local,2.168.192.in-addr.arpa
108,testHost09.testenv.local,2.168.192.in-addr.arpa
109,testHost10.testenv.local,3.168.192.in-addr.arpa

Save the file as newPTR.csv in the root of drive C: and use the script below to create the DNS records

for 2 values

Import-Module DNSShell
Import-CSV c:\newPTR.csv | %{
New-DNSRecord -Name $_."octet" -RecordType PTR -ZoneName 1.168.192.in-addr.arpa -HostName $_."hostName"
}

PowerShell script

and verify results in DNS Manager

DNS records verifying

and the same for the CSV file with three values, where the zone name is also read from the file

Import-Module DNSShell
Import-CSV c:\newPTR.csv | %{
New-DNSRecord -Name $_."octet" -RecordType PTR -ZoneName $_."zoneName" -HostName $_."hostName"
}

PowerShell code

and verify in DNS Manager if they were created

DNS records verifying

Native DNS cmd-lets in PowerShell 3.0

This is a new feature that requires PowerShell 3.0, which ships with Windows 8 and Windows Server 2012 (or can be installed on other Windows versions, as mentioned at the beginning of this article). The DNS cmdlets come from the DnsServer module, installed with the DNS Server role or with the Remote Server Administration Tools. There is a whole set of cmdlets for managing a DNS server; the one we will use here is Add-DNSServerResourceRecordPTR.

Add-DNSServerResourceRecordPTR cmd-let

To create a pointer (PTR) record with this cmdlet you need:

  • the reverse lookup zone name
  • the last octet of the IP address, which becomes the record name inside that zone
  • the fully qualified host name the address should resolve to

Now for some practice: we will create a single DNS record with Add-DNSServerResourceRecordPTR. The general syntax is

Add-DNSServerResourceRecordPTR -ZoneName DNSReverseZoneName -Name octet -PTRDomainName hostName

and, following that syntax, let's create a pointer record

Add-DNSServerResourceRecordPTR -ZoneName 1.168.192.in-addr.arpa -Name 100 -PTRDomainName testHost01.testenv.local

PowerShell 3.0 DNS record creation

and, as with the previous methods, verify that the DNS record was created

DNS record verification

Now the last part: a script for creating multiple records. As it also needs a CSV file, we will reuse the one from the previous method (the DNSShell module). The example CSV files are below

for 2 values

octet,hostName
100,testHost01.testenv.local
101,testHost02.testenv.local
102,testHost03.testenv.local
103,testHost04.testenv.local
104,testHost05.testenv.local

and for 3 values

octet,hostName,zoneName
105,testHost06.testenv.local,1.168.192.in-addr.arpa
106,testHost07.testenv.local,1.168.192.in-addr.arpa
107,testHost08.testenv.local,2.168.192.in-addr.arpa
108,testHost09.testenv.local,2.168.192.in-addr.arpa
109,testHost10.testenv.local,3.168.192.in-addr.arpa

and save it as newPTR.csv in the root of drive C:. Then use the code below to create the pointer (PTR) records

PowerShell 3.0 code for CSV with 2 values

Import-CSV c:\newPTR.csv | %{
Add-DNSServerResourceRecordPTR -ZoneName 1.168.192.in-addr.arpa -Name $_."octet" -PTRDomainName $_."hostName"
}

PowerShell 3.0 code

and the DNS Manager view confirming that the records were created

DNS Manager and newly created DNS records

and finally the PowerShell 3.0 code for the CSV file with three values

Import-CSV c:\newPTR.csv | %{
Add-DNSServerResourceRecordPTR -ZoneName $_."zoneName" -Name $_."octet" -PTRDomainName $_."hostName"
}
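As an added example (not code from the original article), the script below carries the PowerShell 3.0 approach one step further and generalizes the scripts above: the list contains full IP addresses instead of bare octets, the script derives the /24 reverse zone and record name itself, refuses to touch a zone that does not exist, skips records that are already present (warning when the existing PTR points at a different host), and finally verifies the outcome by querying the server with Resolve-DnsName instead of opening DNS Manager. The server name dc01.testenv.local and the inline record list are assumptions constructed for the example; in real use replace the here-string with Import-Csv against your own file.

```powershell
# Added example, not code from the original article: bulk PTR creation with the
# DnsServer module, driven by full IPv4 addresses rather than bare octets.
# Needs the DnsServer module (DNS Server role or RSAT on Windows 8 / Server 2012)
# and DNS administrator rights on the target server.
Import-Module DnsServer

# Assumed for this example: the DNS server to manage and a constructed record list.
# In production replace the here-string with:  $records = Import-Csv 'c:\newPTR.csv'
$DnsServer = 'dc01.testenv.local'
$records = @"
ipAddress,hostName
192.168.1.100,testHost01.testenv.local
192.168.1.101,testHost02.testenv.local
192.168.2.107,testHost08.testenv.local
"@ | ConvertFrom-Csv

# "192.168.1.100" -> zone "1.168.192.in-addr.arpa", record name "100".
# Assumes /24 reverse zones, as in the article; classless zones need a different split.
function Get-ReverseZoneParts {
    param([Parameter(Mandatory)][string]$IPAddress)
    $octets = $IPAddress.Split('.')
    if ($octets.Count -ne 4) { throw "Not a dotted-quad IPv4 address: $IPAddress" }
    [pscustomobject]@{
        ZoneName = '{0}.{1}.{2}.in-addr.arpa' -f $octets[2], $octets[1], $octets[0]
        Name     = $octets[3]
    }
}

foreach ($r in $records) {
    $parts  = Get-ReverseZoneParts -IPAddress $r.ipAddress
    $wanted = $r.hostName.TrimEnd('.')

    # Fail loudly per zone instead of producing one cryptic error per record
    if (-not (Get-DnsServerZone -Name $parts.ZoneName -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
        Write-Warning "Reverse zone $($parts.ZoneName) does not exist on $DnsServer; skipping $($r.ipAddress)"
        continue
    }

    # Idempotency: never stack a second PTR on an address, and flag a conflicting one.
    # A PTR pointing at the wrong host makes logs and SIEM data attribute traffic to the wrong machine.
    $existing = Get-DnsServerResourceRecord -ZoneName $parts.ZoneName -Name $parts.Name -RRType Ptr `
        -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if ($existing) {
        $current = ([string]@($existing)[0].RecordData.PtrDomainName).TrimEnd('.')
        if ($current -ne $wanted) {
            Write-Warning "$($r.ipAddress) already resolves to $current, not $wanted; left unchanged"
        }
        continue
    }

    Add-DnsServerResourceRecordPtr -ZoneName $parts.ZoneName -Name $parts.Name `
        -PtrDomainName $wanted -ComputerName $DnsServer
}

# Verification: ask the server the same question a client would and compare with the list
$records | ForEach-Object {
    $ip       = $_.ipAddress
    $expected = $_.hostName.TrimEnd('.')
    $answer   = Resolve-DnsName -Name $ip -Type PTR -Server $DnsServer -ErrorAction SilentlyContinue
    $got      = ($answer | Where-Object { $_.Type -eq 'PTR' } | ForEach-Object { $_.NameHost.TrimEnd('.') }) -join ','
    [pscustomobject]@{
        IPAddress = $ip
        Expected  = $expected
        Resolved  = $got
        OK        = ($got -eq $expected)
    }
} | Format-Table -AutoSize
```

Two points worth keeping in mind when adapting this. The existence check is what makes the script safe to rerun: the plain loops above happily create a second PTR for the same octet, so reverse lookups start returning two names. And since these cmdlets run with the caller's rights, run the script from an account that is a member of DnsAdmins rather than from a Domain Admins account.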

To be sure the records were created, check each reverse lookup zone

DNS Manager and newly created DNS records

That’s all!


Author: Krzysztof Pytko