
DNS bulk host (A) records creation

 

Sometimes we need to create many DNS records in a short time. Using the DNS Management console is not a convenient or fast method, because you need to create each record separately by hand. I will show you how to do that using simple scripts based on:

  • the Windows DNScmd command
  • the DNSShell module for Windows PowerShell (a really great module)
  • the native DNS cmdlets in PowerShell 3.0

The Windows DNScmd command is available by default on Windows Server 2008/2008 R2 servers where the DNS role has been installed. To use it on Windows Server 2003, you need to install the Support Tools from the server's CD #1.

The DNSShell module needs to be downloaded separately from Chris's blog; he is a real genius on the DNS topic, and his PowerShell module is really great and very helpful.

The Windows PowerShell 3.0 DNS cmdlets are available in Windows 8 and Windows Server 2012; they are a new feature added by Microsoft to manage DNS servers.

PowerShell 3.0 can also be installed on Windows 7/2008/2008 R2; for more information about that, please check my other article “Windows Management Framework 3.0 for Windows Server 2008/2008R2”.

DNScmd

Before we start preparing the script for bulk DNS record creation, let's see what the DNScmd syntax looks like for a single host (A) record. After that we will know which parameters should go into the script's input file.

Note! To get help for the DNScmd command, specify /? after its name or after any switch you want information about.

Now we will prepare the proper syntax to add a single host (A) record into a DNS zone. For that we need to know:

  • DNS server name
  • DNS zone name
  • host name
  • IP address

The proper syntax to create a host (A) record is:

dnscmd ServerName /RecordAdd DNSZoneName HostName RecordType IPAddress

Below you can find example syntax:

dnscmd %LOGONSERVER% /RecordAdd testenv.local test01 A 192.168.1.101

DNScmd command execution

Instead of the %LOGONSERVER% system variable, you can use the DNS server name (if all your DCs are DNS servers too, you can simply use %LOGONSERVER%; otherwise you need to type the DNS server name manually).

As you can see in the DNS Management console, the new record has been created.

DNS record verification

We have the complete syntax, and now we can create a script to create many DNS records in a short time. First of all, we need an input file containing all the required data. To create that file, put two values per line into a flat text file:

  • host name
  • IP address

An example input file for the script:

test01 192.168.1.101
test02 192.168.1.102
test03 192.168.1.103
test04 192.168.1.104
test05 192.168.1.105

and save it as, for example, newHosts.txt on the C drive (C:\newHosts.txt).

Now you can use the script below to create many DNS records (this form is typed at the command prompt; inside a batch file the loop variables must be written as %%i and %%j):

for /f "tokens=1-2" %i in (c:\newHosts.txt) do dnscmd %LOGONSERVER% /RecordAdd testenv.local %i A %j

Bulk DNS host records created

and you can verify that in the DNS Management console.

DNS records verification

DNSShell module for PowerShell

As I mentioned at the beginning of this article, this is a separate module which needs to be downloaded. You can simply download it from

http://www.indented.co.uk/index.php/2010/04/16/dnsshell-zone-and-server-cmdlets/

When you have downloaded it, extract its content into one of the following locations:

  • %HOMEPATH%\Documents\WindowsPowerShell\Modules
  • %WINDIR%\SYSTEM32\WindowsPowerShell\v1.0\Modules

PowerShell modules path

and import this module before the first use:

Import-Module DNSShell

To list all available cmdlets, use:

help *DNS*

Importing the DNSShell module and listing all available cmdlets

From now on, you have all the cmdlets available. Let's start by creating a single host record in DNS using the New-DNSRecord cmdlet.

To be able to create a host (A) record using DNSShell, you need:

  • DNS zone name
  • host name
  • IP address

You will find the general syntax below:

New-DNSRecord -Name HostName -RecordType A -ZoneName DNSZoneName -IPAddress IPAddress

and a short example:

New-DNSRecord -Name test01 -RecordType A -ZoneName testenv.local -IPAddress 192.168.1.101

New-DNSRecord example

and you can see the command's result in DNS Manager.

DNS record verification

So now we can create a script to automatically create many DNS records. As in PowerShell it is better to use the CSV file format instead of a flat text file, I will prepare an example here. A CSV file requires a header for each attribute; we need only two attributes to accomplish that:

HostName,IPAddr
test01,192.168.1.101
test02,192.168.1.102
test03,192.168.1.103
test04,192.168.1.104
test05,192.168.1.105

Save this file as newHosts.csv on the C drive and use the script below to create the DNS records:

Import-Module DNSShell
Import-CSV c:\newHosts.csv | %{
    New-DNSRecord -Name $_."HostName" -RecordType A -ZoneName testenv.local -IPAddress $_."IPAddr"
}

PowerShell script

and verify the results in DNS Manager.

DNS records verification

Native DNS cmd-lets in PowerShell 3.0

This is a new feature and can only be used with PowerShell 3.0, which is available in Windows 8 and Windows Server 2012. There is a variety of DNS cmdlets to manage a DNS server; one of them is Add-DNSServerResourceRecordA, and we will use it in this article.

Add-DNSServerResourceRecordA cmdlet

To create a host record using this cmdlet, we need to have prepared:

  • DNS zone name
  • host name
  • IP address

And now for some practice: we will create a single DNS record using Add-DNSServerResourceRecordA.

Add-DNSServerResourceRecordA -ZoneName DNSZoneName -Name HostName -IPv4Address IPAddress

According to the general syntax above, let's create a host record:

Add-DNSServerResourceRecordA -ZoneName testenv.local -Name test01 -IPv4Address 192.168.1.101

PowerShell 3.0 DNS record creation

and as in the previous methods, just verify that the DNS record was created.

DNS record verification

So now the last part. We need to prepare a script for multiple records creation. As we again need a CSV file, as in the previous method (the DNSShell module for Windows PowerShell), we will reuse the same layout; note that the IP column is called IPAddress this time, which is the name the script below expects. An example CSV file is below:

HostName,IPAddress
test01,192.168.1.101
test02,192.168.1.102
test03,192.168.1.103
test04,192.168.1.104
test05,192.168.1.105

and save this as newHosts.csv on the C drive. When you have done that, use the code below for host (A) records creation:

Import-CSV c:\newHosts.csv | %{
    Add-DNSServerResourceRecordA -ZoneName testenv.local -Name $_."HostName" -IPv4Address $_."IPAddress"
}

Script output

and the DNS Manager view to prove that the records were created.

DNS Manager and newly created DNS records
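As an added example (not the article's own script, and not part of DNSShell or Microsoft's DnsServer module), here is a validated version of the PowerShell 3.0 bulk import that both PowerShell methods above can use. It reads the same newHosts.csv layout (HostName,IPAddress), rejects malformed host names and non-IPv4 values before they reach the server, refuses to add a name that already has an A record, and honours -WhatIf. The zone testenv.local, the file path C:\newHosts.csv and the DNS server taken from %LOGONSERVER% are assumptions carried over from the article.

```powershell
# Added example (not the article's own script): bulk host (A) record creation from the
# article's newHosts.csv with input validation, a pre-existence check and -WhatIf support.
# Assumes the DnsServer module (PowerShell 3.0 DNS cmdlets on Windows Server 2012 or later).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CsvPath   = 'C:\newHosts.csv',   # same file layout as the article
    [string]$ZoneName  = 'testenv.local',     # zone name used throughout the article
    [string]$DnsServer = $(if ($env:LOGONSERVER) { $env:LOGONSERVER.TrimStart('\') } else { $env:COMPUTERNAME })
)

Import-Module DnsServer -ErrorAction Stop

# A single DNS label: letters, digits and hyphens, 1-63 characters, no leading/trailing hyphen.
$labelPattern = '^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$'

foreach ($row in (Import-Csv -Path $CsvPath)) {
    $name   = "$($row.HostName)".Trim()
    $ipText = "$($row.IPAddress)".Trim()

    # 1. Reject malformed host names before they reach the DNS server.
    if ($name -notmatch $labelPattern) {
        Write-Warning "Skipping '$name': not a valid single DNS label"
        continue
    }

    # 2. Reject anything that does not parse as an IPv4 address.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($ipText, [ref]$ip) -or
        $ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        Write-Warning "Skipping '$name': '$ipText' is not an IPv4 address"
        continue
    }

    # 3. Never silently add a second A record for a name that already exists in the zone.
    $existing = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
                    -Name $name -RRType A -ErrorAction SilentlyContinue
    if ($existing) {
        $current = @($existing | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }) -join ','
        Write-Warning "Skipping '$name': A record already exists ($current)"
        continue
    }

    # 4. Create the record; running the script with -WhatIf lists what would be added.
    if ($PSCmdlet.ShouldProcess("$name.$ZoneName -> $ipText", 'Add A record')) {
        Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $ZoneName `
            -Name $name -IPv4Address $ipText
        Write-Verbose "Added $name.$ZoneName -> $ipText"
    }
}
```

Save it as a .ps1 file and run it once with -WhatIf -Verbose to review the planned changes before running it for real; every skipped row is reported as a warning so a bad line in the CSV cannot silently create a wrong or duplicate record.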

This time, that’s all!


Author: Krzysztof Pytko

Determine DFL and FFL using PowerShell

 

After the last article about checking the schema version with PowerShell, I was curious whether it is possible to use the same template to determine the Domain and Forest Functional Levels. I decided to check that using the same code and I found it also works 🙂

You only need to check different AD objects to get that information.

For the Domain Functional Level you need to query the default naming context (the domain partition) and read the msDS-Behavior-Version attribute. Its value tells you which DFL is present in your domain. Today there is no real need to check whether a domain is working in Windows 2000 mixed mode, but I decided to also put that information into the script to have a full overview of the DFL. In this case (mixed mode) you have to check the ntMixedDomain attribute.

If the ntMixedDomain attribute is set to 0, the Domain Functional Level is not Windows 2000 mixed mode. If this attribute is set to 1, the DFL is Windows 2000 mixed mode.

For the msDS-Behavior-Version attribute value and its corresponding DFL, check the list below:

  • 0 – Windows 2000 Native mode
  • 1 – Windows Server 2003 Interim mode
  • 2 – Windows Server 2003 mode
  • 3 – Windows Server 2008 mode
  • 4 – Windows Server 2008 R2 mode
  • 5 – Windows Server 2012 mode
  • 6 – Windows Server 2012 R2 mode

To get the Forest Functional Level, you need to check the same msDS-Behavior-Version attribute but on a different AD object. This object is

cn=partitions,cn=configuration,dc=testenv,dc=local

in the Configuration partition.

Note! Remember that the Forest Functional Level cannot be higher than the Domain Functional Level. Its value may be equal or lower, but never HIGHER!

For the msDS-Behavior-Version attribute value and its corresponding FFL, check the list below:

  • 0 – Windows 2000 mode
  • 1 – Windows Server 2003 Interim mode
  • 2 – Windows Server 2003 mode
  • 3 – Windows Server 2008 mode
  • 4 – Windows Server 2008 R2 mode
  • 5 – Windows Server 2012 mode
  • 6 – Windows Server 2012 R2 mode

Those are all the options available at this moment, so now it is possible to prepare a PowerShell script that checks that attribute and compares it to the lists above.

Windows PowerShell module for Active Directory

Open Windows PowerShell or the Windows PowerShell module for AD and use the syntax below to get the Domain Functional Level (if you are using the module for AD, you don't need to use the Import-Module cmdlet!)

Import-Module ActiveDirectory
Get-ADObject -Identity "dc=testenv,dc=local" -Properties * | Select msDS-Behavior-Version,ntMixedDomain

Windows PowerShell syntax for DFL

Get-ADObject -Identity "cn=partitions,cn=configuration,dc=testenv,dc=local" -Properties * | Select msDS-Behavior-Version

Windows PowerShell syntax for FFL

Remember to change the domain distinguished name from dc=testenv,dc=local to yours.

Now it's time to see the complete script, which displays more user-friendly output:

Import-Module ActiveDirectory
Clear-Host
Write-Host ""
Write-Host "Domain Functional Level is " -ForegroundColor Green -NoNewLine
$domain=Get-ADObject -Identity "dc=testenv,dc=local" -Properties * | Select msDS-Behavior-Version,ntMixedDomain
if ($domain.ntMixedDomain -eq 1){
    Write-Host "Windows 2000 Mixed mode" -ForegroundColor Yellow
}
else {
    switch ($domain."msDS-Behavior-Version")
    {
        0 { Write-Host "Windows 2000 Native mode" -ForegroundColor Yellow }
        1 { Write-Host "Windows Server 2003 Interim mode" -ForegroundColor Yellow }
        2 { Write-Host "Windows Server 2003 mode" -ForegroundColor Yellow }
        3 { Write-Host "Windows Server 2008 mode" -ForegroundColor Yellow }
        4 { Write-Host "Windows Server 2008 R2 mode" -ForegroundColor Yellow }
        5 { Write-Host "Windows Server 2012 mode" -ForegroundColor Yellow }
        6 { Write-Host "Windows Server 2012 R2 mode" -ForegroundColor Yellow }
        default { Write-Host "unknown" -ForegroundColor Red }
    }
}
Write-Host ""
Write-Host "Forest Functional Level is " -ForegroundColor Green -NoNewLine
$forest=Get-ADObject -Identity "cn=partitions,cn=configuration,dc=testenv,dc=local" -Properties * | Select msDS-Behavior-Version
switch ($forest."msDS-Behavior-Version")
{
    0 { Write-Host "Windows 2000 mode" -ForegroundColor Yellow }
    1 { Write-Host "Windows Server 2003 Interim mode" -ForegroundColor Yellow }
    2 { Write-Host "Windows Server 2003 mode" -ForegroundColor Yellow }
    3 { Write-Host "Windows Server 2008 mode" -ForegroundColor Yellow }
    4 { Write-Host "Windows Server 2008 R2 mode" -ForegroundColor Yellow }
    5 { Write-Host "Windows Server 2012 mode" -ForegroundColor Yellow }
    6 { Write-Host "Windows Server 2012 R2 mode" -ForegroundColor Yellow }
    default { Write-Host "unknown" -ForegroundColor Red }
}
Write-Host ""

Copy the code above, paste it into Notepad, save it as a .ps1 file and execute it in the Windows PowerShell environment.

Script output

Quest PowerShell module for Active Directory

To be able to run the code below, you need to have the free Quest PowerShell module for Active Directory installed.

If you have it available, you can run the syntax below:

Get-QADObject -Identity "dc=testenv,dc=local" -IncludeAllProperties | Select msDS-Behavior-Version,ntMixedDomain

Quest PowerShell syntax for DFL

Get-QADObject -Identity "cn=partitions,cn=configuration,dc=testenv,dc=local" -IncludeAllProperties | Select msDS-Behavior-Version

Quest PowerShell syntax for FFL

Remember to change the domain distinguished name from dc=testenv,dc=local to yours.

Now it's time to see the complete script, which displays more user-friendly output:

Clear-Host
Write-Host ""
Write-Host "Domain Functional Level is " -ForegroundColor Green -NoNewLine
$domain=Get-QADObject -Identity "dc=testenv,dc=local" -IncludeAllProperties | Select msDS-Behavior-Version,ntMixedDomain
if ($domain.ntMixedDomain -eq 1){
    Write-Host "Windows 2000 Mixed mode" -ForegroundColor Yellow
}
else {
    switch ($domain."msDS-Behavior-Version")
    {
        0 { Write-Host "Windows 2000 Native mode" -ForegroundColor Yellow }
        1 { Write-Host "Windows Server 2003 Interim mode" -ForegroundColor Yellow }
        2 { Write-Host "Windows Server 2003 mode" -ForegroundColor Yellow }
        3 { Write-Host "Windows Server 2008 mode" -ForegroundColor Yellow }
        4 { Write-Host "Windows Server 2008 R2 mode" -ForegroundColor Yellow }
        5 { Write-Host "Windows Server 2012 mode" -ForegroundColor Yellow }
        6 { Write-Host "Windows Server 2012 R2 mode" -ForegroundColor Yellow }
        default { Write-Host "unknown" -ForegroundColor Red }
    }
}
Write-Host ""
Write-Host "Forest Functional Level is " -ForegroundColor Green -NoNewLine
$forest=Get-QADObject -Identity "cn=partitions,cn=configuration,dc=testenv,dc=local" -IncludeAllProperties | Select msDS-Behavior-Version
switch ($forest."msDS-Behavior-Version")
{
    0 { Write-Host "Windows 2000 mode" -ForegroundColor Yellow }
    1 { Write-Host "Windows Server 2003 Interim mode" -ForegroundColor Yellow }
    2 { Write-Host "Windows Server 2003 mode" -ForegroundColor Yellow }
    3 { Write-Host "Windows Server 2008 mode" -ForegroundColor Yellow }
    4 { Write-Host "Windows Server 2008 R2 mode" -ForegroundColor Yellow }
    5 { Write-Host "Windows Server 2012 mode" -ForegroundColor Yellow }
    6 { Write-Host "Windows Server 2012 R2 mode" -ForegroundColor Yellow }
    default { Write-Host "unknown" -ForegroundColor Red }
}
Write-Host ""

Script output

Now we have two scripts, one to check the schema version and one to check the DFL and FFL. If you wish, you may combine them into one and get all the necessary information in one output 🙂


Author: Krzysztof Pytko


Schema version using PowerShell

 

I've just been playing with PowerShell in my test environment and I was wondering whether it's possible to verify the Active Directory schema version in some simple way using it. I know that the schema version number is stored in the objectVersion attribute of the

"cn=Schema,cn=Configuration,dc=domain,dc=local" object

and I found that there is a PowerShell cmdlet which allows you to query that object and get its attributes.

So you simply need to type the cmdlet syntax below to get the schema version in a domain:

For Windows PowerShell (available when you have at least one Domain Controller based on Windows Server 2008 R2):

Get-ADObject -Identity "cn=Schema,cn=Configuration,dc=testenv,dc=local" -Properties * | Select objectVersion

Schema version using Windows PowerShell

For Quest PowerShell (requires a download from a 3rd-party website; this is a free tool):

Get-QADObject -Identity "cn=Schema,cn=Configuration,dc=testenv,dc=local" -IncludeAllProperties | Select objectVersion

Schema version using Quest PowerShell

As you can see, this was a very short and quick way to get information about the schema version 🙂 However, I went one step further and prepared a script which checks objectVersion and writes the corresponding OS name on the screen. Basically, I started with if syntax, but it was not the best possible solution for that. I started looking on the Internet for something like the “case” statement which I remember from Turbo Pascal 😀 … and I found it: this is switch in PowerShell. So, after I used switch, my code looks better and I've decided to share it here 🙂 (perhaps someone would find it useful).

Below you can find the complete script code for Windows and Quest PowerShell.

Windows PowerShell module for Active Directory

Import-Module ActiveDirectory

Clear-Host
Write-Host ""

Write-Host "Schema version is " -ForegroundColor Green -NoNewLine

$schema_ver=Get-ADObject -Identity "cn=Schema,cn=Configuration,dc=testenv,dc=local" -Properties * | Select objectVersion

switch ($schema_ver.objectVersion)
{
    13 { Write-Host "Windows 2000 Server" -ForegroundColor Yellow }
    30 { Write-Host "Windows Server 2003" -ForegroundColor Yellow }
    31 { Write-Host "Windows Server 2003 R2" -ForegroundColor Yellow }
    44 { Write-Host "Windows Server 2008" -ForegroundColor Yellow }
    47 { Write-Host "Windows Server 2008 R2" -ForegroundColor Yellow }
    51 { Write-Host "Windows Server 8 Developers Preview" -ForegroundColor Yellow }
    52 { Write-Host "Windows Server 8 Beta" -ForegroundColor Yellow }
    56 { Write-Host "Windows Server 2012" -ForegroundColor Yellow }
    69 { Write-Host "Windows Server 2012 R2" -ForegroundColor Yellow }
    72 { Write-Host "Windows Server Technical Preview (2014)" -ForegroundColor Yellow }
    81 { Write-Host "Windows Server Technical Preview 2 (2015)" -ForegroundColor Yellow }
    82 { Write-Host "Windows Server 2016 Technical Preview 3 (2015)" -ForegroundColor Yellow }
    85 { Write-Host "Windows Server 2016 Technical Preview 4 (2015)" -ForegroundColor Yellow }
    87 { Write-Host "Windows Server 2016" -ForegroundColor Yellow }
    default { Write-Host "unknown - $($schema_ver.objectVersion)" -ForegroundColor Red }
}
Write-Host ""

Copy the code above, paste it into Notepad, save it as a .ps1 file and you will be able to execute it in your environment (remember that you need to change the distinguished name of the domain from dc=testenv,dc=local to yours).

Script based on Windows PowerShell

Quest PowerShell module for Active Directory

Clear-Host
Write-Host ""

Write-Host "Schema version is " -ForegroundColor Green -NoNewLine

$schema_ver=Get-QADObject -Identity "cn=Schema,cn=Configuration,dc=testenv,dc=local" -IncludeAllProperties | Select objectVersion

switch ($schema_ver.objectVersion)
{
    13 { Write-Host "Windows 2000 Server" -ForegroundColor Yellow }
    30 { Write-Host "Windows Server 2003" -ForegroundColor Yellow }
    31 { Write-Host "Windows Server 2003 R2" -ForegroundColor Yellow }
    44 { Write-Host "Windows Server 2008" -ForegroundColor Yellow }
    47 { Write-Host "Windows Server 2008 R2" -ForegroundColor Yellow }
    51 { Write-Host "Windows Server 8 Developers Preview" -ForegroundColor Yellow }
    52 { Write-Host "Windows Server 8 Beta" -ForegroundColor Yellow }
    56 { Write-Host "Windows Server 2012" -ForegroundColor Yellow }
    69 { Write-Host "Windows Server 2012 R2" -ForegroundColor Yellow }
    72 { Write-Host "Windows Server Technical Preview (2014)" -ForegroundColor Yellow }
    81 { Write-Host "Windows Server Technical Preview 2 (2015)" -ForegroundColor Yellow }
    82 { Write-Host "Windows Server 2016 Technical Preview 3 (2015)" -ForegroundColor Yellow }
    85 { Write-Host "Windows Server 2016 Technical Preview 4 (2015)" -ForegroundColor Yellow }
    87 { Write-Host "Windows Server 2016" -ForegroundColor Yellow }
    default { Write-Host "unknown - $($schema_ver.objectVersion)" -ForegroundColor Red }
}
Write-Host ""

Copy the code above, paste it into Notepad, save it as a .ps1 file and you will be able to execute it in your Quest PowerShell environment (remember that you need to change the distinguished name of the domain from dc=testenv,dc=local to yours).

Script for Quest PowerShell

I hope it would be useful for you.
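The DFL/FFL article above suggests combining its script with this schema-version script. As an added example (not the author's own code), here is that combination written as one function for the ActiveDirectory module: it returns a single object instead of coloured Write-Host lines, takes the partition DNs from RootDSE so nothing has to be edited from dc=testenv,dc=local, uses the value tables given in the two articles, and checks the rule stated in the DFL/FFL article (the FFL can never be higher than the DFL). The cross-check against Get-ADDomain/Get-ADForest and the function name Get-ADFunctionalLevelReport are my additions.

```powershell
# Added example (not the articles' own scripts): schema version, DFL and FFL in one object.
# Requires the ActiveDirectory module; the optional -Server parameter selects the DC to query.
Import-Module ActiveDirectory -ErrorAction Stop

# Value tables as given in the articles (objectVersion and msDS-Behavior-Version).
$SchemaVersionNames = @{
    13 = 'Windows 2000 Server'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'; 87 = 'Windows Server 2016'
}
$DomainLevelNames = @{
    0 = 'Windows 2000 Native mode';    1 = 'Windows Server 2003 Interim mode'
    2 = 'Windows Server 2003 mode';    3 = 'Windows Server 2008 mode'
    4 = 'Windows Server 2008 R2 mode'; 5 = 'Windows Server 2012 mode'
    6 = 'Windows Server 2012 R2 mode'
}
# The forest table differs from the domain table only at level 0.
$ForestLevelNames = $DomainLevelNames.Clone()
$ForestLevelNames[0] = 'Windows 2000 mode'

function Get-ADFunctionalLevelReport {
    [CmdletBinding()]
    param([string]$Server)   # optional DC or domain to query; otherwise the module's default

    $adArgs = @{}
    if ($Server) { $adArgs.Server = $Server }

    # RootDSE exposes the partition DNs, so the domain name is never hard-coded.
    $rootDse = Get-ADRootDSE @adArgs
    $schema  = Get-ADObject @adArgs -Identity $rootDse.schemaNamingContext -Properties objectVersion
    $domain  = Get-ADObject @adArgs -Identity $rootDse.defaultNamingContext `
                   -Properties 'msDS-Behavior-Version', 'ntMixedDomain'
    $forest  = Get-ADObject @adArgs -Identity "CN=Partitions,$($rootDse.configurationNamingContext)" `
                   -Properties 'msDS-Behavior-Version'

    $schemaVer = [int]$schema.objectVersion
    $dflValue  = [int]$domain.'msDS-Behavior-Version'
    $fflValue  = [int]$forest.'msDS-Behavior-Version'

    # Same rule as the article's script: ntMixedDomain = 1 means Windows 2000 mixed mode.
    if ($domain.ntMixedDomain -eq 1) { $dflName = 'Windows 2000 Mixed mode' }
    elseif ($DomainLevelNames.ContainsKey($dflValue)) { $dflName = $DomainLevelNames[$dflValue] }
    else { $dflName = "unknown ($dflValue)" }

    $fflName = if ($ForestLevelNames.ContainsKey($fflValue)) { $ForestLevelNames[$fflValue] } else { "unknown ($fflValue)" }
    $osName  = if ($SchemaVersionNames.ContainsKey($schemaVer)) { $SchemaVersionNames[$schemaVer] } else { "unknown ($schemaVer)" }

    [pscustomobject]@{
        DomainDN                  = $rootDse.defaultNamingContext
        SchemaVersion             = $schemaVer
        SchemaVersionOS           = $osName
        DomainFunctionalLevel     = $dflValue
        DomainFunctionalLevelName = $dflName
        DomainModeFromApi         = (Get-ADDomain @adArgs).DomainMode   # independent confirmation
        ForestFunctionalLevel     = $fflValue
        ForestFunctionalLevelName = $fflName
        ForestModeFromApi         = (Get-ADForest @adArgs).ForestMode
        # The DFL/FFL article's rule: the FFL can never be higher than the DFL.
        LevelsConsistent          = ($fflValue -le $dflValue)
    }
}

Get-ADFunctionalLevelReport | Format-List
```

Because the function returns an object, the result can be exported (for example with Export-Csv) or compared across domains, which the Write-Host versions above cannot do; the two "FromApi" properties let you confirm the raw attribute values against what the module itself reports.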


Author: Krzysztof Pytko

Global Catalog on additional Domain Controller

 

Sometimes we need to select an additional Domain Controller as a Global Catalog and we wonder how to do that. It is always necessary to add this feature to a Domain Controller running Windows Server 2003 after promoting it to a DC; this feature is not added automatically.

When we use Windows Server 2008/2008 R2 as a Domain Controller, we can make it a Global Catalog during the promotion process (if we do not turn off the default options). However, when we disable it during the promotion process, or when promoting Windows Server 2003, we need to enable that feature later.

This short article shows you how to do that.

Important! In a single-forest, multiple-domain environment you first need to ensure that all of your Domain Controllers are Global Catalogs. If they are not, you cannot place the Global Catalog on the DC holding the Infrastructure Master operations role!

To select an additional Global Catalog in your domain, you need to use the Active Directory Sites and Services console. This tool is located under “Administrative Tools” (even though this is done on Windows Server 2003, all the same steps are valid for Windows Server 2008/2008 R2).

Active Directory Sites and Services console

Navigate to the Site in which the desired Domain Controller is located and expand the “Servers” node. Select that server and, in the right pane, right-click “NTDS Settings” and choose “Properties”.

NTDS Settings

Under “NTDS Settings”, in the “General” tab, check the “Global Catalog” checkbox.

Configuring Global Catalog


Confirm by clicking on “OK” button and that’s all!
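The same change can be made, and the "Important!" rule above can be checked first, from the ActiveDirectory module. This is an added example, not the article's own content: Test-GlobalCatalogPlacement reports whether the Infrastructure Master is a Global Catalog while some DCs in the domain are not, and Enable-GlobalCatalog sets the same bit on the NTDS Settings object that the checkbox sets. Both function names are mine; the domain defaults to the one the current session belongs to.

```powershell
# Added example (not the article's own content): check the GC / Infrastructure Master rule the
# article states, and set the Global Catalog flag the GUI checkbox sets. Requires the
# ActiveDirectory module (Windows Server 2008 R2 or later).
Import-Module ActiveDirectory -ErrorAction Stop

function Test-GlobalCatalogPlacement {
    [CmdletBinding()]
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $domainInfo = Get-ADDomain -Identity $Domain
    $dcs     = @(Get-ADDomainController -Filter * -Server $Domain)
    $gcs     = @($dcs | Where-Object { $_.IsGlobalCatalog })
    $gcNames = @($gcs | ForEach-Object { $_.HostName })

    $imIsGc   = $gcNames -contains $domainInfo.InfrastructureMaster
    $allAreGc = ($gcs.Count -eq $dcs.Count)

    [pscustomobject]@{
        Domain                   = $Domain
        DomainControllers        = $dcs.Count
        GlobalCatalogs           = $gcs.Count
        InfrastructureMaster     = $domainInfo.InfrastructureMaster
        InfrastructureMasterIsGC = $imIsGc
        # Acceptable when the IM is not a GC, or when every DC is a GC (the article's condition).
        PlacementOk              = (-not $imIsGc) -or $allAreGc
    }
}

function Enable-GlobalCatalog {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$DomainControllerName)

    $dc = Get-ADDomainController -Identity $DomainControllerName
    if ($dc.IsGlobalCatalog) {
        Write-Verbose "$($dc.HostName) is already a Global Catalog"
        return
    }
    # The "Global Catalog" checkbox on NTDS Settings sets bit 0x1 of the 'options' attribute.
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $newOptions = ([int]$ntds.options) -bor 1
    if ($PSCmdlet.ShouldProcess($dc.HostName, 'Enable Global Catalog')) {
        Set-ADObject -Identity $ntds -Replace @{ options = $newOptions }
    }
}

# Usage: report first, enable only when PlacementOk would stay true afterwards.
Test-GlobalCatalogPlacement
# Enable-GlobalCatalog -DomainControllerName 'DC02' -WhatIf
```

Run the report before and after enabling a new GC; in a multi-domain forest the combination InfrastructureMasterIsGC = True with GlobalCatalogs less than DomainControllers is exactly the configuration the article warns against.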

Author: Krzysztof Pytko

Adding additional Domain Controller

 

Why do we need to add an additional Domain Controller? The answer is very simple: “for service redundancy” or “to improve domain authentication in a remote Site”.

In case of server failure, we still have another one which can provide the necessary services in our network, which avoids business disruption.

First of all, we need to install a new box or virtual machine with a server operating system that is supported in the domain environment. To check which Windows Server versions can be installed and promoted as a Domain Controller, we need to check the Domain Functional Level.

To do that, open Active Directory Users and Computers on an existing DC from Administrative Tools and select the domain name. Right-click on it and choose “Raise domain functional level”.

Domain Functional Level

Important! Be careful there; do not change anything in the configuration. We only need to check what Domain Functional Level is set. Changes cannot be reverted!

When you choose this option, you will see a window with information about the current Domain Functional Level. If the highest possible DFL is selected, you cannot change anything. If the DFL is lower than the highest possible, you will see a dropdown box where you can select higher DFL modes. Do not do that! You may disrupt your domain environment.

Check Domain Functional Level

Domain Functional Level

This information tells us that only Windows Server 2008 R2 can be promoted as a Domain Controller.

You may find one of these Domain Functional Levels:

  • Windows 2000 mixed – this mode supports NT4, Windows 2000 Server and Windows Server 2003
  • Windows 2000 native – it doesn't support NT4 but additionally supports Windows Server 2008 and Windows Server 2008 R2
  • Windows Server 2003 – supports Windows Server 2003 and above
  • Windows Server 2008 – supports Windows Server 2008 and above
  • Windows Server 2008 R2 – only Windows Server 2008 R2 is supported

In this scenario we see that only Windows Server 2008 R2 can be promoted, so we need to use this OS version.

When the server is installed, you have to configure its network card properties to be able to start the promotion process. As it is a Domain Controller, the server requires a static IP address from the same subnet, or from a subnet which is routable within the network. As directory services rely on DNS, you need to point the server at the DNS server properly. In this example that server is 192.168.1.1 (a forest root domain DC).

Network card configuration
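Before starting dcpromo it is worth confirming the prerequisites just described from the new server itself. The following is an added example, not the article's own content: it checks that the server has a static IPv4 address, that its DNS client points at the existing DC, that the domain locator can find a DC through DNS (the same SRV-record lookup dcpromo performs), and that the DC it found answers on the ports promotion needs. It uses only WMI and .NET so it runs on Windows Server 2008 R2; the domain testenv.local and the DC address 192.168.1.1 are the article's values, and the function names are mine.

```powershell
# Added example (not the article's own content): pre-promotion checks to run on the new server.
function Test-TcpPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-DCPromotionPrerequisites {
    [CmdletBinding()]
    param(
        [string]$DomainName        = 'testenv.local',   # domain the server will become a DC for
        [string]$ExistingDcAddress = '192.168.1.1'      # existing DC / DNS server from the article
    )
    $results = New-Object System.Collections.ArrayList
    function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
        [void]$results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
    }

    # 1. Static IPv4 address: a DC must not depend on a DHCP lease.
    $nics   = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    $static = @($nics | Where-Object { -not $_.DHCPEnabled })
    $ips    = @($static | ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }) -join ', '
    Add-Result 'Static IPv4 address' ($static.Count -gt 0) "static addresses: $ips"

    # 2. DNS client points at the existing DC, as the article's NIC step requires.
    $dnsServers = @($nics | ForEach-Object { $_.DNSServerSearchOrder })
    Add-Result 'DNS client uses existing DC' ($dnsServers -contains $ExistingDcAddress) "configured: $($dnsServers -join ', ')"

    # 3. Domain locator: resolves _ldap._tcp.dc._msdcs.<domain> SRV records, as dcpromo does.
    try {
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
        $dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($ctx)
        Add-Result 'Locate a DC via DNS' $true "found $($dc.Name)"
        $target = $dc.Name
    } catch {
        Add-Result 'Locate a DC via DNS' $false $_.Exception.Message
        $target = $ExistingDcAddress
    }

    # 4. Ports promotion needs on that DC: Kerberos, LDAP, SMB (SYSVOL), RPC endpoint mapper.
    foreach ($port in 88, 389, 445, 135) {
        Add-Result "TCP $port reachable on $target" (Test-TcpPort $target $port) ''
    }

    $results | Format-Table -AutoSize | Out-Host
    # Overall verdict: start dcpromo only when every check passed.
    return -not ($results | Where-Object { -not $_.Passed })
}

Test-DCPromotionPrerequisites
```

A failed "Locate a DC via DNS" line almost always means the DNS client setting in step 2 is wrong, which is the most common reason the wizard later cannot find the domain.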

Accept the NIC changes and start dcpromo from the Run box.

Running dcpromo

and follow the Active Directory Installation wizard (use advanced mode).

Active Directory Installation wizard

Skip the screen with information about the NT4 and 2008 R2 security incompatibility.

NT4 security incompatibility warning

We are adding a new Domain Controller into an existing forest and existing domain, so in this case we need to choose the first option.

Adding DC into existing forest

Provide the DNS domain name to which you want to add the new Domain Controller and specify domain administrator credentials to be able to do that.

Choosing domain

Select the domain and click “Next”.

Choosing domain

Specify the Site in which this DC should be placed (if you are not sure, leave the default; you can change it later).

Selecting a Site for DC

Choose the additional roles which should be installed on this DC (leave the defaults). If you don't want to use any of them, you can add them later (but I suggest installing them now). The last unchecked option is only for a Read-Only Domain Controller, which is not covered by this article, so do not check it.

Additional roles on a DC

This DNS server is a part of testenv.local (an existing DNS zone), so no action is required. Choose “Yes” and continue.

DNS delegation warning

Choose the default option to replicate data from another existing DC in the network.

Active Directory data replication

You can select from which Domain Controller the data will be replicated, but leave the defaults if you don't need a specific one.

At this stage, you have to specify where the Active Directory database, logs and other AD-related data will be stored. You can choose separate drive(s) for that, but it's not necessary.

Active Directory database location

Set up the Directory Services Restore Mode password. It doesn't have to be the same as the Domain Administrator account password or the DSRM password on other Domain Controller(s). This password is used when you need to boot the server in Directory Services Restore Mode to do a non-authoritative/authoritative restore or Active Directory database maintenance.

DSRM password

and start the server promotion by clicking on the “Next” button.

Summary screen

Select the “Reboot on completion” checkbox to reboot the server after the AD installation and wait until it is up and running.

Congratulations! Your additional Domain Controller is ready.

Additional Domain Controller

It’s done.

Author: Krzysztof Pytko

Configuring a forest root domain on Windows Server 2008 R2

 

This scenario is suitable mostly for test environments, because it is very rare that someone wants to do that in production (because the forest already exists). But of course, maybe you are starting to create a domain environment for a new company which doesn't have one. Then this article is also for you.

This article describes only the single-forest, single-domain scenario.

We need some details before we start the configuration.

  • Company name – which will be helpful in choosing the forest/domain name
  • Network configuration – the valid IP address range for our company and the router's IP (as default gateway)
  • ISP DNS servers or any public DNS servers – to be able to access Internet resources from our company
  • Services we need to run – what additional services will be required to fulfill the company's requirements

Let's prepare them all.

  • Company name – Test Environment
  • Network configuration – IP addresses range 192.168.1.0/24; the last available IP address is a router (default gateway)
  • Public DNS servers – 8.8.4.4 and 8.8.8.8 (Google public DNS servers)
  • Services – Active Directory: Directory Services, DNS server(s), DHCP server(s)

Now we can install our first Windows Server 2008 R2 and configure it. After that we will be able to promote this box to a Domain Controller.

When our server is installed, we need to log on there with the local administrator account and we can start its preparation.

Open the network card configuration and set up a static IP address for your server (in this case it's 192.168.1.1 with the 255.255.255.0 network mask).

This is a very important part of the network configuration before promoting the server to a Domain Controller. In the preferred DNS server field, type 127.0.0.1 (the loopback interface) or the server's own IP address, 192.168.1.1, to point the server to itself for DNS.

Network card configuration

Accept the configuration and start promoting the server by typing dcpromo in the Run box.

Running DC promotion

You should see the Active Directory Domain Services Installation wizard. Select the “Use advanced mode installation” checkbox and follow its instructions.

Active Directory Installation wizard

This warning is not so important for us, because we have no older operating systems as Domain Controllers within the network. It's about the security incompatibility between NT4 and 2008/2008 R2, so let's skip this screen.

OS security incompatibility warning

At this point we have to choose what we want to do with the domain configuration. As this article is about a forest root domain, we don't have to consider the other option now. We are creating a completely new domain in a new forest.

A forest root domain creation

You will see a window asking for the forest root domain name. It's good to set up a name related to your company. This is the so-called FQDN (Fully Qualified Domain Name, also known as the DNS domain name). Create an internal domain name with a .local or .private suffix to separate it from your external one (if that would be necessary, e.g. for e-mail). These suffixes suggest that the DNS domain is for local resources, and this is also connected with your local DNS zone name.

DNS domain name

Now specify the NetBIOS domain name.

NetBIOS domain name

Now you need to choose the Forest Functional Level.

Setting up the FFL will also configure the Domain Functional Level to the same mode.

This is a very important step in the forest/domain configuration. This setting determines which operating systems can be promoted to Domain Controllers. As we are configuring only a single forest/domain environment, it is not so difficult.

The Domain Functional Level determines which operating systems can act as Domain Controllers within that particular domain. By default (in a new forest/domain configuration) it suggests Windows Server 2003, which means that older OSes cannot be promoted to DCs. So NT4 and Windows 2000 Server cannot be used in a network with the AD DS role. They can still be domain member servers, but not Domain Controllers.

When you change the DFL to Windows Server 2008, only Windows Server 2008 and 2008 R2 can be promoted to DCs. And for the last choice, Windows Server 2008 R2, the only possible operating system for Domain Controllers is Windows Server 2008 R2.

Each domain can be set up at a different Domain Functional Level. But they have to meet the Forest Functional Level to be able to operate within a forest.

If you have more than one domain in a forest, you have to evaluate which one works in the lowest mode. The lowest Domain Functional Level in a forest determines the highest possible Forest Functional Level.

The Forest Functional Level determines that no Domain Controller in any domain can run an older operating system than the one specified by the FFL.

If your FFL is set to Windows Server 2003, that means all Domain Controllers in the forest are based on at least Windows Server 2003.

It's similar for the other modes (2008/2008 R2).

Important! When you set up the Domain/Forest Functional Level it cannot be changed to a lower mode, so be careful when you choose them. If you are not sure which functional level is adequate for you, choose the lower one. You can always raise it later without any business continuity disruption.

As we don't want to use older OSes as DCs and plan to use only Windows Server 2008 R2, we can change the Forest Functional Level to Windows Server 2008 R2. The Domain Functional Level will be set to the same level automatically.

Forest Functional Level

This is our first domain and first Domain Controller, so we also need to set up a new internal DNS server to be able to use Active Directory. All Active Directory services rely on DNS, so it has to be available at all times.

Additional roles for DC

We are configuring our first DNS server, so it doesn't exist yet; don't worry about this warning and continue.

DNS warning

Specify the Active Directory database and log locations (you can leave the defaults; these files are not very large, and if the server acts as AD and DNS only, the default location has enough space).

Active Directory files location

Set the Directory Services Restore Mode password, which will be used for a non-authoritative/authoritative restore or other AD database maintenance. This password should be different from the Domain Administrator password and should also be changed regularly.

DSRM password

On the summary screen, you can review the chosen settings and start the server promotion process.

Summary screen

Finally, a server reboot is required. You can do it manually, or select the "Reboot on completion" checkbox and wait until the promotion is done.

Active Directory:Directory Services installation

Congratulations! Your Domain Controller for the forest root domain is ready! You can log on to it using the password specified during the promotion process (the same password as for Directory Services Restore Mode).

A forest root Domain Controller

Log on to your new Domain Controller using domain administrator credentials. We have to configure the DNS server to send unresolved DNS queries to the ISP DNS server(s) or any other public DNS server(s). This configuration is necessary to be able to access Internet resources from our internal network.

Open the DNS management console from Administrative Tools and select the server name. In the right pane, at the bottom of that window, double-click Forwarders.

Configuring forwarders on DNS server

You should see a window where you can enter ISP or public DNS servers. Click the "Edit" button to add those servers' IP addresses.

Configuring forwarders on DNS server

Enter the IP addresses of the external DNS servers and wait for their validation. If everything is OK, you will see a green shield next to each IP address.

Configuring forwarders on DNS server

Close DNS management console.
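The same forwarder setup can be scripted. The snippet below is an added example, not code from the original article: it probes each candidate forwarder with a real DNS query over UDP/53 (the equivalent of the console's validation step) and then configures only the responsive ones with dnscmd /ResetForwarders. It assumes it runs on the DNS server itself with dnscmd.exe available; the forwarder addresses are placeholders from the TEST-NET ranges.

```powershell
# Added example, not from the original article: validate candidate forwarders
# with a real DNS query, then set the forwarder list with dnscmd.
# Assumptions: run on the DNS server (dnscmd.exe present); addresses are placeholders.
$DnsServer  = $env:COMPUTERNAME                  # placeholder: DNS server to configure
$Candidates = @('192.0.2.53', '198.51.100.53')   # placeholders: ISP / public DNS servers
$ProbeName  = 'www.example.com'                  # a public name every forwarder should resolve

function Test-DnsForwarder {
    param([string]$Address, [string]$Name, [int]$TimeoutMs = 3000)
    # Minimal query: 12-byte header (ID, RD=1, QDCOUNT=1) + QNAME + QTYPE A + QCLASS IN
    $id     = Get-Random -Minimum 1 -Maximum 65535
    $header = @(($id -shr 8), ($id -band 0xFF), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0)
    $qname  = @()
    foreach ($label in $Name.Split('.')) {
        $qname += $label.Length
        $qname += [System.Text.Encoding]::ASCII.GetBytes($label)
    }
    $packet = [byte[]]($header + $qname + @(0, 0, 1, 0, 1))   # root label, type A, class IN
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Address, 53)
        [void]$udp.Send($packet, $packet.Length)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply  = $udp.Receive([ref]$remote)
        # A usable answer echoes our transaction ID, has QR=1 and RCODE=0 (NOERROR)
        $sameId = ($reply[0] -eq $header[0]) -and ($reply[1] -eq $header[1])
        $isResp = ($reply[2] -band 0x80) -ne 0
        $rcode  = $reply[3] -band 0x0F
        return ($sameId -and $isResp -and ($rcode -eq 0))
    } catch {
        return $false        # timeout, port unreachable or other socket error
    } finally {
        $udp.Close()
    }
}

$good = @($Candidates | Where-Object { Test-DnsForwarder -Address $_ -Name $ProbeName })
if ($good.Count -gt 0) {
    # /ResetForwarders replaces the whole list; /TimeOut is the wait per forwarder in seconds
    & dnscmd $DnsServer /ResetForwarders $good /TimeOut 3
    & dnscmd $DnsServer /Info | Select-String -Pattern 'forward'   # show the Forwarders section
} else {
    Write-Warning 'No candidate forwarder answered; forwarder list left unchanged.'
}
```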

Finally, you should consider Domain Controller and DNS server redundancy in your network by adding another server with these roles. Another very important task is performing a System State backup of the Domain Controllers regularly.

If hardware resources in your network are scarce, you can consider placing the DHCP server on this Domain Controller. However, installing additional roles on DCs is not recommended for security reasons.

The topics above will be described in other articles.

It’s done.

Author: Krzysztof Pytko

Decommissioning broken Domain Controller

Sometimes we want to remove a Domain Controller from a network, but it is not possible: we see errors saying that the DC cannot be demoted. This is worrying, because that server may also host other services or data (which is not recommended; a DC should have only the AD:DS, DNS and possibly DHCP roles, to avoid server overload or corruption). This situation is mostly found in small organizations where only very few servers are available.

What can we do in this case, when formatting or reinstalling the server is not an option? We can use a special mode of demoting a Domain Controller when we see an error message similar to this one:

decommissioning error

On this broken server, in the Run box, we need to run dcpromo with an additional switch to be able to decommission the DC. This switch is /forceremoval.

Log on to that faulty DC and type dcpromo /forceremoval

forcing Domain Controller demotion

If the Domain Controller holds any FSMO roles, you will get warnings that you should transfer them to another server.

FSMO roles warning

Unfortunately, this is impossible, because the DC cannot contact any other Domain Controller on the network. In this case you have to seize the FSMO roles.

How to do that is described in another article at http://kpytko.wordpress.com/2011/08/28/seizing-fsmo-roles/

To continue, press "Yes" on each warning related to FSMO roles. At the final step (if your DC also held the DNS role) you will be warned that you should fix the DNS server settings in your network configuration after its removal. If you didn't do that before, remember that you have to fix it after the DC demotion. Confirm that you are sure you want to remove Active Directory services.

DNS removal confirmation

If your DC also held the Global Catalog, you will be warned to check that at least one GC is available on the network, to prevent problems with logging on to the domain.

Global Catalog removal confirmation

Now you should see the standard Active Directory Installation Wizard, which guides you through the decommissioning process. Follow its suggestions.

Active Directory Installation wizard

Before this process starts, there is one last notice: afterwards you have to do a metadata cleanup, because it won't be done automatically.

Active Directory Installation wizard

DNS also needs to be cleaned up after the DC demotion; click "OK".

Now set the local administrator password, which will be necessary to log on to that server. The decommissioning process removes the Active Directory role from the server and makes it a domain member box.

Setting local administrator password

After the role removal, reboot the server to fully complete the task.

On Windows Server 2003 you have to do it manually.

Reboot Windows Server 2003

On Windows Server 2008/2008 R2 you can select a checkbox to reboot the server automatically.

Reboot server

Voila! Your DC has been decommissioned and is now a domain member server with all its other roles and data intact. You can log on with the password specified during the demotion process.

A domain member server - Windows 2008

A domain member server - Windows 2003

Now you need to do the metadata cleanup, remove the DNS records related to that server and delete it from Sites and Services.

How to do the metadata cleanup is described in another article at

http://kpytko.wordpress.com/2011/08/29/metadata-cleanup-for-broken-domain-controller/

You can promote this server as a DC again, or rename it and use it only as a standard member server in your network.

To clean up DNS records, open the DNS management console and delete all DNS records related to the removed Domain Controller. Next, run the Active Directory Sites and Services console and remove the server from the appropriate site.

Sites and Services

Confirm that you want to remove this object and that’s it.

Removing demoted DC from Sites and Services
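A leftover server object or stale SRV/NS records for the demoted DC are easy to miss by hand. The script below is an added example, not part of the original article: run it on a surviving DC after the cleanup to confirm that the old DC is gone from Sites and Services and that no DNS record still names it. It assumes the ActiveDirectory module (2008 R2 / RSAT) and dnscmd.exe are available locally, that the local server hosts the zones, and that $OldDc and $OldIp are placeholders for your environment.

```powershell
# Added example, not from the original article: verify the post-demotion cleanup.
# Assumptions: ActiveDirectory module and dnscmd.exe available on this DC, which
# also hosts the domain and _msdcs zones; $OldDc / $OldIp are placeholders.
Import-Module ActiveDirectory

$OldDc   = 'DC02'                           # placeholder: short name of the demoted DC
$OldIp   = '192.0.2.12'                     # placeholder: its former IP address (TEST-NET)
$domain  = Get-ADDomain
$zones   = @($domain.DNSRoot, "_msdcs.$((Get-ADForest).RootDomain)")   # _msdcs is its own zone
$oldFqdn = "$OldDc.$($domain.DNSRoot)"

# 1. Sites and Services: neither the server object nor its NTDS Settings may remain
$configNc  = (Get-ADRootDSE).configurationNamingContext
$serverObj = Get-ADObject -SearchBase "CN=Sites,$configNc" -Filter "objectClass -eq 'server' -and name -eq '$OldDc'"
if ($serverObj) {
    Write-Warning "Server object still present: $($serverObj.DistinguishedName)"
    $ntds = Get-ADObject -SearchBase $serverObj.DistinguishedName -Filter "objectClass -eq 'nTDSDSA'"
    if ($ntds) { Write-Warning 'NTDS Settings still present: metadata cleanup has not been done' }
} else {
    Write-Host "OK: no server object for $OldDc under CN=Sites"
}

# 2. DNS: export each zone (dnscmd writes the file under %SystemRoot%\System32\dns) and
#    search it for the old DC as record owner, as SRV/NS/CNAME target, or by its old IP
$patterns = @("(?i)^$([regex]::Escape($OldDc))\s", "(?i)$([regex]::Escape($oldFqdn))", "\s$([regex]::Escape($OldIp))\s*$")
foreach ($zone in $zones) {
    $exportName = "check_$zone.txt"
    & dnscmd $env:COMPUTERNAME /ZoneExport $zone $exportName | Out-Null
    $exportPath = Join-Path "$env:SystemRoot\System32\dns" $exportName
    if (-not (Test-Path $exportPath)) { Write-Warning "Export of zone $zone failed"; continue }
    $stale = @(Select-String -Path $exportPath -Pattern $patterns)
    if ($stale.Count -gt 0) {
        Write-Warning "$zone still references $OldDc in $($stale.Count) record line(s):"
        $stale | ForEach-Object { Write-Host "  line $($_.LineNumber): $($_.Line.Trim())" }
        # remove each one with: dnscmd <server> /RecordDelete <zone> <node> <type> <data> /f
    } else {
        Write-Host "OK: no records referencing $OldDc in zone $zone"
    }
    Remove-Item $exportPath -ErrorAction SilentlyContinue   # drop the temporary export
}
```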

It’s done.

Author: Krzysztof Pytko