
Adding first Windows Server 2016 Domain Controller within Windows 2003/2008/2012 domain environment



The first and most important part of the preparation phase is… installing the Windows Server 2016 server itself. If it is not installed, you cannot promote it to a DC 🙂

This article does not cover the Windows Server 2016 installation process, so you need to do that yourself.

To be able to configure a Windows Server 2016 Domain Controller within a Windows 2003/2008/2012 domain environment, we need to check that the Forest Functional Level is at least Windows Server 2003. This is the lowest Forest Functional Level allowed for a Windows Server 2016 Domain Controller, which means that Windows 2000 DCs are no longer supported. Microsoft does not support them alongside 2012 and 2016 Domain Controllers, so it’s time to forget about these old operating systems.

If you do not know how to identify the current domain or forest functional level, please follow this article on my blog: Determine DFL and FFL using PowerShell

If you need to raise them, please follow:

You are now ready to go with the first Windows Server 2016 Domain Controller installation process.

Preparation for Domain Controller promotion


Just before we can proceed with Domain Controller promotion, we need to identify the owners of 2 FSMO roles:

  • Schema Master
  • Infrastructure Master

These 2 role owners must be online and accessible from our new Windows Server. This is required because, starting with Windows Server 2012, forest and domain preparation is done in the background: the entire schema and domain extension can be done by the wizard itself, which is really convenient.

That’s right, the adprep tool no longer needs to be run manually by the administrator. Everything is covered by the promotion wizard!

To check which Domain Controller(s) hold the appropriate FSMO roles, you can follow one of the steps below:

  • use the command-line netdom utility

netdom query fsmo

and check the output

  • use the PowerShell cmdlets


and check which servers hold each role

  • give my recently written C# application a try

Identify FSMO Role owners

  • follow any other way you wish to enumerate the roles
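As an added example (not from the original post), the PowerShell below combines the two checks described so far: it reads the forest and domain functional levels, confirms the forest is at least at the Windows Server 2003 level, locates the Schema Master and Infrastructure Master, and tests that both answer on the LDAP port. It assumes the ActiveDirectory RSAT module is installed; the function name, its parameter and the enum comparison are my own choices.

```powershell
# Added example, not part of the original post. Pre-promotion checks:
# forest/domain functional level plus reachability of the two FSMO role
# owners the promotion wizard talks to. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Test-AddsPromotionPrerequisites {
    param(
        # Assumed parameter: DNS name of the domain that will receive the new DC.
        [string]$DomainName = (Get-ADDomain).DNSRoot
    )

    $domain = Get-ADDomain -Identity $DomainName
    $forest = Get-ADForest -Identity $domain.Forest

    # Windows Server 2016 DCs need at least the Windows Server 2003 forest level.
    # ADForestMode is an enum whose values increase with the OS release, so a
    # numeric comparison against Windows2003Forest is enough (assumption: enum ordering).
    $minimumFfl = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    $fflOk = [int]$forest.ForestMode -ge [int]$minimumFfl

    # Both role owners must be online: probe TCP 389 (LDAP) on each of them.
    $roleOwners = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $reachability = foreach ($role in $roleOwners.Keys) {
        $probe = Test-NetConnection -ComputerName $roleOwners[$role] -Port 389 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role      = $role
            Owner     = $roleOwners[$role]
            Reachable = $probe.TcpTestSucceeded
        }
    }

    [pscustomobject]@{
        ForestMode        = $forest.ForestMode
        DomainMode        = $domain.DomainMode
        ForestLevelOk     = $fflOk
        FsmoOwners        = $reachability
        ReadyForPromotion = $fflOk -and -not ($reachability | Where-Object { -not $_.Reachable })
    }
}

# Run from a domain-joined machine with RSAT, as the account you will use for promotion.
Test-AddsPromotionPrerequisites -DomainName 'testenv.local'
```

If ReadyForPromotion comes back False, the FsmoOwners list shows which role owner could not be reached; the wizard would stop at the same point, only later and with a less specific message.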

We have collected almost all the information necessary to start AD preparation for the first Windows Server 2016 Domain Controller. The last and most important part before we start the preparation is checking the forest/domain condition by running:

  • dcdiag tool for environment’s health status
  • repadmin tool for environment’s replication status

Run the following from the command line on a DC:

dcdiag /e /c /v /f:c:\dcdiag.log

Review the log file and check that there are no errors. If there are, please correct them (if your forest/domain has a lot of Domain Controllers, skip the /e switch).

Now run from the command line:

repadmin /showrepl /all /verbose >c:\repadmin.log

to check that your DCs are replicating data without errors.
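As an added example (not from the original post), here is the same pair of checks driven from PowerShell so that the failures are summarised instead of read out of two log files. It relies on two well-known output properties: dcdiag prints “failed test <Name>” for each failing test, and repadmin /showrepl with /csv emits a table with a “Number of Failures” column. The log path and the function name are my own.

```powershell
# Added example, not part of the original post. Runs dcdiag and repadmin as the
# post describes and reduces their output to a pass/fail summary.
function Get-AdHealthSummary {
    param(
        [string]$DcDiagLog = 'C:\dcdiag.log',   # assumed path, same as in the post
        [switch]$AllDcs                          # adds /e (all DCs), which the post advises only for small forests
    )

    # dcdiag writes plain text; every failing test ends with "failed test <Name>".
    $dcdiagArgs = @('/c', '/v', "/f:$DcDiagLog")
    if ($AllDcs) { $dcdiagArgs = @('/e') + $dcdiagArgs }
    & dcdiag.exe @dcdiagArgs | Out-Null
    $failedTests = Select-String -Path $DcDiagLog -Pattern 'failed test (\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Sort-Object -Unique

    # repadmin can emit CSV, which is far easier to filter than /showrepl /verbose text.
    $replRows = repadmin.exe /showrepl * /csv | ConvertFrom-Csv
    $replFailures = $replRows | Where-Object { [int]$_.'Number of Failures' -gt 0 }

    [pscustomobject]@{
        DcDiagFailedTests   = @($failedTests)
        ReplicationFailures = @($replFailures |
            Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                          'Number of Failures', 'Last Failure Status')
        Healthy             = (@($failedTests).Count -eq 0) -and (@($replFailures).Count -eq 0)
    }
}

# Run in an elevated PowerShell on an existing DC before starting the promotion.
$health = Get-AdHealthSummary
$health
if (-not $health.Healthy) { Write-Warning 'Fix the listed dcdiag/replication problems before promoting the new DC.' }
```

The full verbose logs are still written (dcdiag to the path given, repadmin to the pipeline), so the summary is a starting point, not a replacement for reading them when something fails.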

For more about Active Directory troubleshooting tools, check one of my articles on this blog

After those checks, you can start with Active Directory preparation.

Adding first Windows Server 2016 Domain Controller

Before we start preparing AD for the new Windows Server 2012 DC, we need to be sure that we are members of:

  • Enterprise Administrators group
  • Schema Administrators group

Membership in these 2 groups is required to extend the forest schema and prepare the domain(s) for the new DC’s deployment.

Install your new box with Windows Server 2012, configure its IP address according to your network settings and change the default server name to yours.

Remember that properly configuring the network card settings is very important; otherwise you will not be able to promote your new box as a domain controller!

The most important part of configuring the NIC is setting up the DNS server(s). Point your new box to one of the existing Domain Controllers on which DNS is installed and configured, or to any other DNS server responsible for your domain’s DNS zone.
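As an added example (not from the original post), the following PowerShell verifies the two prerequisites just described on the new box: that the NIC’s DNS settings resolve the domain’s DC locator SRV record, and that the account you are going to use holds Enterprise Admins and Schema Admins membership. The DNS server IP, the domain name and the function name are assumptions; Set-DnsClientServerAddress and Resolve-DnsName are the standard Windows 8/2012+ cmdlets.

```powershell
# Added example, not part of the original post. Checks DNS client settings and
# group membership on the server about to be promoted.
function Test-NewDcPrerequisites {
    param(
        [Parameter(Mandatory)] [string]$DomainName,   # e.g. testenv.local (from the post)
        [string]$ExistingDcDnsServer                   # assumed: IP of an existing DC that runs DNS
    )

    # Optionally point the active NIC at an existing DC's DNS server first.
    if ($ExistingDcDnsServer) {
        $adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
        Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $ExistingDcDnsServer
    }

    # The DC locator record only the domain's own DNS zone can answer.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
    $dcHosts = @($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget)

    # Group membership as present in the current logon token.
    $identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groupNames = $identity.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
    }
    $isEnterpriseAdmin = [bool]($groupNames -match '\\Enterprise Admins$')
    $isSchemaAdmin     = [bool]($groupNames -match '\\Schema Admins$')

    [pscustomobject]@{
        DomainName         = $DomainName
        DnsServers         = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses
        DcLocatorRecordsOk = $dcHosts.Count -gt 0
        DiscoveredDcs      = $dcHosts
        EnterpriseAdmin    = $isEnterpriseAdmin
        SchemaAdmin        = $isSchemaAdmin
        ReadyForPromotion  = ($dcHosts.Count -gt 0) -and $isEnterpriseAdmin -and $isSchemaAdmin
    }
}

Test-NewDcPrerequisites -DomainName 'testenv.local' -ExistingDcDnsServer '10.0.0.10'   # IP is a placeholder
```

The membership check reflects the token of whoever runs the script, so run it as the domain account you will later type into the promotion wizard; on a server that is not yet domain-joined, a local administrator logon will show both flags as False even though the account you intend to use is fine.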

IPv4 settings verification

After you have verified the IP settings, you can start promoting the server to a Domain Controller. However, you cannot use the good old dcpromo command, as it is no longer valid.

Open the Server Manager console (if it is not already open) and click “Add roles and features” on the Dashboard screen

Adding Roles and Features

Using the default settings in the wizard, go up to the “Server roles” step (those steps are not described in this article; you may expect their description in another article) and select the Active Directory Domain Services role. Also accept the default features that are required during installation

Select AD DS role to install

Confirm that you wish to install all the required tools to manage the domain from this server after promotion

Confirm tools installation

Verify that the check box is in the proper place and go to the next step

Select AD DS role to install

On the “Features” screen, also go to the next step, as nothing more needs to be installed at this point. All required features will be installed as you accepted them a little bit earlier

Adding AD:DS role

Skip this step, as it refers to Active Directory in Azure, which is not part of this guide

Adding AD:DS role

Read the information about the role you are installing and go to the confirmation screen to install it

Adding AD:DS role

Wait some time while the selected role is installed; only then will you be able to promote the server to a Domain Controller

Installing AD:DS role

Now that the role is installed, you can see an exclamation mark in the notification area. It tells you that post-installation steps might be required

Notification area

Click on it to see what can be done. You will see that you can now promote your server to a Domain Controller, and a message that the features were installed successfully

Notification area


OK, let’s start the server promotion to Domain Controller! Click “Promote this server to a domain controller” and you will see a wizard.

As we are adding a Domain Controller to an existing domain, we need to select the proper option. It is selected by default; however, please ensure that “Add a domain controller to an existing domain” is selected

Domain Controller promotion

On the screen where you are prompted to provide the domain in which the new Domain Controller is promoted, click the Select button

Domain Controller promotion

You will be asked to provide credentials to discover the available domains. Provide Enterprise Administrator credentials and go to the next step

Domain Controller promotion

You can provide credentials using a User Principal Name, or the NetBIOS domain name together with the user name (DOMAIN\user)

Domain Controller promotion

When your credentials are correct, you get a window with all available domains. Select the one in which you want to introduce the Windows Server 2016 Domain Controller and click “OK”

Domain Controller promotion

You should see a screen with all the details provided in the previous steps

Domain Controller promotion

Define whether the server should be a DNS server and a Global Catalog. I would strongly recommend installing both roles on each Domain Controller in your environment. Select the Site to which this DC should belong and define the Directory Services Restore Mode (DSRM) password for this DC.

Important! The DSRM password must be remembered, as it is different from the domain administrator’s password and is unique for every Domain Controller (unless it is configured to be synchronised from a model account in the domain; this is not part of this guide)

Domain Controller promotion

If you have a DNS delegation in place, update it here, or skip this and do it later

Domain Controller promotion

In “Additional options” you can define whether you want to install this Domain Controller from Install From Media (IFM), if you have it, and specify from which DC replication should be done. When you do not specify one, the server will choose the best source for AD database replication. If you have no special requirements, just leave “Any domain controller”

Important! If you wish to use IFM installation media, be aware that it MUST be prepared on the same Windows Server version as the promoted DC. It is not possible to promote a Windows Server 2016 DC from Windows Server 2012 IFM, or from any version other than 2016.

Note! As this is your first Windows Server 2016 DC in the environment, you cannot use IFM as the deployment option.

Domain Controller promotion

Specify the locations for the AD database and SYSVOL (if you need different ones than suggested) and go to the next step

Domain Controller promotion

Now the wizard informs you that schema and domain preparation need to be done. As you did not run adprep before, it will be executed in the background for you

Domain Controller promotion

You will see a summary screen where you can check all the selected options for server promotion. As in Windows Server 2012, everything done in Server Manager is translated into PowerShell code and executed in the background; you can check the code by clicking the “View script” button. You will see exactly what will be run. The process is transparent, and you will not see a PowerShell window in front of you

Domain Controller promotion

PowerShell code for adding Domain Controller

# Windows PowerShell script for AD DS Deployment
# (as generated by the wizard; the DSRM password is not embedded, the cmdlet prompts for it)

Import-Module ADDSDeployment
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-Credential (Get-Credential) `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "testenv.local" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-ReplicationSourceDC "plwrow082wdc001.testenv.local" `
-SiteName "EUPLWROHQ01" `
-SysvolPath "C:\Windows\SYSVOL"

If all prerequisites pass and you are sure that you have set everything up properly, you can start the installation
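As an added example (not from the original post), the wizard’s prerequisite check can be run on its own from PowerShell with the same parameters as the generated script, so that problems surface before anything is changed on the server. Test-ADDSDomainControllerInstallation is the ADDSDeployment cmdlet that performs exactly this check; the parameter values are taken from the script above, and the prompts for the credential and DSRM password are my own way of keeping secrets out of the script file.

```powershell
# Added example, not part of the original post. Runs only the prerequisite
# check with the parameters from the wizard-generated script.
Import-Module ADDSDeployment

$promotionParams = @{
    DomainName                    = 'testenv.local'                    # values as in the post's script
    SiteName                      = 'EUPLWROHQ01'
    ReplicationSourceDC           = 'plwrow082wdc001.testenv.local'
    InstallDns                    = $true
    NoGlobalCatalog               = $false
    CreateDnsDelegation           = $false
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    Credential                    = (Get-Credential -Message 'Enterprise Admin account')
    # Mandatory for the check as well; prompting keeps the DSRM password out of scripts and logs.
    SafeModeAdministratorPassword = (Read-Host -AsSecureString -Prompt 'DSRM password for this DC')
}

# Same parameter set as Install-ADDSDomainController, but nothing is modified.
$check = Test-ADDSDomainControllerInstallation @promotionParams
$check | Format-List Status, Message

# Once the check reports success, the same splatted table is what the wizard runs:
# Install-ADDSDomainController @promotionParams
```

Splatting the parameters into a hashtable also makes the two calls identical by construction, which removes the usual copy-and-paste drift between “what was tested” and “what was installed”.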

Domain Controller promotion

As stated earlier, the wizard needs to extend the schema and prepare the domain for the first Windows Server 2016 Domain Controller. You can see this during the promotion process

Transparent adprep /forestprep

Transparent adprep /domainprep

Wait until the wizard has done its job; after the server restarts you will see the new Windows Server 2016 Domain Controller logon screen

Windows Server 2016 Domain Controller logon screen

Log on to the DC and enjoy its new features

Windows Server 2016 DC's desktop

Give the DC some time to replicate Directory Services data before it is fully operational.

You can check whether everything has been replicated with the LDP utility. Open the Run box and type ldp

Running LDP

From the menu select “Connection -> Connect”

LDP utility replication status check

Specify the Windows Server 2016 Domain Controller’s name, or leave it blank to connect to the DC itself

LDP utility replication status check

After connecting, verify in the window title bar that you are connected to the appropriate Domain Controller


From the Active Directory RootDSE context you can read the Domain Controller’s functionality level, which in this case is 7 – Windows Server 2016,

and search for:

  • isGlobalCatalogReady
  • isSynchronized

If both attributes have the value TRUE, everything is up and running properly. If not, you need to wait some time to let replication finish its job.
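As an added example (not from the original post), the same RootDSE attributes can be read without LDP through the ADSI provider, which makes the check scriptable (for instance in a loop until both flags are TRUE). The function name and the DC parameter are mine; the domainControllerFunctionality values are the documented ones, of which the post names only 7.

```powershell
# Added example, not part of the original post. Reads RootDSE on a DC and reports
# the same readiness attributes the post checks in LDP.
function Get-DcReadiness {
    param([string]$DomainController = $env:COMPUTERNAME)   # assumed: defaults to the local DC

    $rootDse = [ADSI]"LDAP://$DomainController/RootDSE"

    # domainControllerFunctionality: 2=2003, 3=2008, 4=2008 R2, 5=2012, 6=2012 R2, 7=2016
    $levelNames = @{
        '2' = 'Windows Server 2003'; '3' = 'Windows Server 2008'; '4' = 'Windows Server 2008 R2'
        '5' = 'Windows Server 2012'; '6' = 'Windows Server 2012 R2'; '7' = 'Windows Server 2016'
    }
    $level = [string]$rootDse.Get('domainControllerFunctionality')

    [pscustomobject]@{
        DomainController     = [string]$rootDse.Get('dnsHostName')
        FunctionalityLevel   = "$level - $($levelNames[$level])"
        IsGlobalCatalogReady = ([string]$rootDse.Get('isGlobalCatalogReady')) -eq 'TRUE'
        IsSynchronized       = ([string]$rootDse.Get('isSynchronized')) -eq 'TRUE'
    }
}

$state = Get-DcReadiness
$state
if (-not ($state.IsGlobalCatalogReady -and $state.IsSynchronized)) {
    Write-Warning 'Replication has not finished yet; check again in a few minutes.'
}
```

Pass -DomainController with the new DC’s name to run the check from another machine; the attribute values are exactly the strings LDP displays, so TRUE/FALSE here matches what you would see in the GUI.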

LDP utility replication status check

Post-installation steps

Now you need to make small changes within your environment’s configuration.

In the NIC properties of each server/workstation, configure the alternate DNS server IP address to point to the new Domain Controller.

Open the DHCP management console and, under server or scope options (depending on your DHCP configuration), modify option no. 006

Add the IP address of your new Domain Controller there as a new DNS server.
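As an added example (not from the original post), both post-installation changes done from PowerShell: the alternate DNS server on a statically configured server, and DHCP option 006 on a scope. All IP addresses and the scope ID are placeholders; the DHCP cmdlets need the DHCP Server RSAT module and the DNS client cmdlets need Windows 8/2012 or later.

```powershell
# Added example, not part of the original post. Post-promotion DNS changes.
$existingDcIp = '10.0.0.10'   # placeholder: DC already used as primary DNS
$newDcIp      = '10.0.0.11'   # placeholder: the new Windows Server 2016 DC
$scopeId      = '10.0.0.0'    # placeholder: DHCP scope serving the workstations

# 1. Servers with static addressing: keep the existing DC first, add the new one as alternate.
$adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $existingDcIp, $newDcIp
Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4

# 2. DHCP clients: option 006 (DNS Servers) at scope level. By default the cmdlet
#    validates that each address answers DNS queries before it saves the option.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -DnsServer $existingDcIp, $newDcIp
Get-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 6
```

Use -ComputerName on the DHCP cmdlets when the DHCP role lives on another server, and apply the same Set-DhcpServerv4OptionValue call without -ScopeId if your environment sets option 006 at server level instead.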

That’s all!

Congratulations! You have promoted your first Windows Server 2016 Domain Controller in existing domain. Enjoy!

Author: Krzysztof Pytko

How to identify FSMO Roles owner


This topic is not new to administrators. I just wondered whether I could somehow simplify that action, and I realized that it would be possible.

I’m learning C# coding with .NET so I decided to try creating a simple application (of course with GUI) to do the job itself without an administrator’s involvement.

So, you can download a simple application written by me in C# using the .NET framework, execute it on any domain member workstation/server (it does not have to be a Domain Controller, but may be) and get the results on the screen.

The only requirement is to have the appropriate version of the .NET framework installed on the machine from which this application is executed.

To simplify the entire process, I have compiled the application with .NET 3.5 and .NET 4.5 versions.

Both applications are identical; the only difference is that one supports .NET 3.5 and the other .NET 4.5

You can use the .NET 3.5 application on Windows Vista/7/2008/2008R2 and the .NET 4.5 one on Windows 8/8.1/10/2012/2012R2/2016, as those .NET versions are the defaults for those systems.

Of course you can always use the existing methods like command-line utilities, PowerShell or even the Microsoft GUI consoles. The first two of them require some knowledge of command and cmdlet syntax, and the last one needs a couple of consoles to check all of the roles.

My application is nothing new but helps a little bit. Just execute it and get results on the screen, that’s all.

Get FSMO Roles GUI

When you click on any of the server names in the application’s window, the server’s name is copied to the clipboard

Get FSMO GUI copy role owner name

and you can paste it, for example, into your documentation.

Copied FSMO Roles owner

So, let the app do the job for you. Download it and execute it within a domain from any supported operating system with the appropriate .NET framework installed.

  • Get FSMO GUI application for .NET 3.5
    (MD5 checksum: dcda3cca863320077b05f71a2dea4cc1)
    (SHA-1 checksum: 74e07d284e670a142bf0a02de8a7daeb975dbf0f)
    (SHA-256 checksum: 55083852d36a8c5839f74a2ef8b91e18d2db327779d76b717ef9210679a20826)
  • Get FSMO GUI application for .NET 4.5
    (MD5 checksum: 2618e57525f60b98a2ce30da1776e272)
    (SHA-1 checksum: 023c7e0c77007ae746e6c8de0d1e7f30f97daf1d)
    (SHA-256 checksum: f23280ea26917c7005114d7a106f479808b377bd14179407ddfc22ce18cb410c)

I hope it would be useful for you.

Author: Krzysztof Pytko

Be Wary of your Network Events Activities – Audit Active Directory for Enhanced Security


The role of auditing network events/activities in maintaining a secure IT environment

If you’re an IT administrator, you probably already know that most security breaches occur because of insider abuse/misuse and the total number of breaches is increasing exponentially each year. The majority of organisations house sensitive data somewhere on their system that, if exposed, could be costly and damaging to the reputation of the business.

Thankfully, Windows comes pre-packed with numerous auditing capabilities that can be used to track events or activities within the network. In this blog, we will discuss the nine audit settings that you can configure through the Windows operating system that will allow you to better monitor your Active Directory environment.

1. Audit Account Logon Events

When active, this audit setting monitors each time the computer validates a user account’s credentials; the computer that is authoritative for the account is the one that generates the account logon events.

Audit account logon events Properties

There are only two audit options that are available – successful attempts and failed attempts. You can check either one or both options (or neither if you require no auditing) as per your Active Directory monitoring requirements. In the above image, we have checked the “success” option.

After configuring this setting, you can view successful audit events in the audit log generated in the Event Viewer. All you need to do is navigate to the Windows Logs -> Security in the left panel and all the audit success events will be shown in the right panel. Click on a particular event to get detailed information in the lower right section of the window.

Refer to the highlighted portion in the below image for reference.

Event viewer console

2. Audit Account Management

Configuring this audit setting enables you to audit user account management and get details on the following:

  • User accounts or groups that are created, changed, or deleted
  • User accounts that are renamed, disabled or enabled
  • User accounts where the password has been set or changed

Audit account management Properties

3. Audit Directory Service Access

This audit setting determines whether the operating system you have on your computer audits users or user accounts attempting to access objects in the Active Directory. The only objects that can be audited are ones in which the SACL (System Access Control List) is specified by the user and the requested access type, including “Write”, “Read” or “modify,” matches with the settings that have been configured in the SACL.

4. Audit Logon Events

This setting enables you to audit every instance of a user logging on to or logging off from the system.

5. Audit Object Access

The “Audit Object Access” setting enables auditing of user attempts to access objects that are not present in the Active Directory; such as files, emails, Exchange groups or SharePoint items. However, the system will only generate audits for those objects specified in the System Access Control List.

6. Audit Policy Change

Configuring this setting enables users to audit each instance of users attempting to modify critical policies – including trust policy, account policy, audit policy and the user rights assignment policy.

7. Audit Privilege Use

This audit setting is configured to monitor the levels of permissions and rights that each user has to perform specific tasks. Defining this policy setting not only helps track the actions of privileged users but also facilitates in ensuring they don’t misuse the rights granted to them. If you wish to generate an audit entry when a user succeeds in exercising the right or permission assigned to him/her, check the “Success” option. To generate audit entries where the exercise of a user right fails, select the “Failure” option.

8. Audit Process Tracking

Configuring this security setting tracks process-related activity, including process creation, handle duplication, process termination and objects that have been accessed indirectly.

9. Audit System Events

“Audit System Events” monitors details of users who attempt a security system startup or shutdown, try to change system time or aim to load extensible authentication components for personal benefits or other malicious purposes.

Defining this security policy allows you to keep track of the loss of audited events that have occurred due to the auditing system failure. It also shows you whether the security log size has exceeded the configured warning threshold level.
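As an added example (not from the original post), the nine settings above configured and queried from PowerShell through auditpol, which addresses them by its own top-level category names (listed in the same order as the post), followed by a query for the account-management events described under setting 2. The category-to-setting mapping and the Security log event IDs come from Windows documentation rather than from this post; the function names, the 24-hour window and the use of EventData fields 0 and 4 are my choices and are valid for the six IDs used.

```powershell
# Added example, not part of the original post. Sets the nine audit categories
# and reads back recent account-management events from the Security log.
$auditCategories = @(
    'Account Logon',       # 1. Audit account logon events
    'Account Management',  # 2. Audit account management
    'DS Access',           # 3. Audit directory service access
    'Logon/Logoff',        # 4. Audit logon events
    'Object Access',       # 5. Audit object access
    'Policy Change',       # 6. Audit policy change
    'Privilege Use',       # 7. Audit privilege use
    'Detailed Tracking',   # 8. Audit process tracking
    'System'               # 9. Audit system events
)

function Get-AuditPolicySummary {
    # Effective policy for all categories (run from an elevated prompt).
    auditpol.exe /get /category:*
}

function Enable-AuditCategories {
    param([string[]]$Categories = $auditCategories, [switch]$Success, [switch]$Failure)
    # Local policy only: a GPO that defines audit settings takes precedence over this.
    $s = if ($Success) { 'enable' } else { 'disable' }
    $f = if ($Failure) { 'enable' } else { 'disable' }
    foreach ($cat in $Categories) {
        auditpol.exe /set "/category:$cat" "/success:$s" "/failure:$f" | Out-Null
    }
}

function Get-RecentAccountManagementEvents {
    param([int]$Hours = 24)
    # Security log IDs produced by setting 2: created, enabled, password changed,
    # password reset, disabled, deleted. For these six the first EventData field
    # is the target account and the fifth is the account that performed the action.
    $ids = 4720, 4722, 4723, 4724, 4725, 4726
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Target';  e = { $_.Properties[0].Value } },
            @{ n = 'Subject'; e = { $_.Properties[4].Value } }
}

Get-AuditPolicySummary
Enable-AuditCategories -Success -Failure
Get-RecentAccountManagementEvents | Format-Table -AutoSize
```

Account management events are logged on the DC that processed the change, so the query has to be run on (or pointed at, via Get-WinEvent -ComputerName) each DC, or the logs have to be forwarded to a collector first.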

The Alternative

Enabling all these settings and keeping track of them can be quite a laborious and time consuming task. Often, administrators seek the help of third-party solutions to automate the auditing and monitoring of their critical IT systems. LepideAuditor for Active Directory tracks changes across Active Directory and sends real-time alerts and notifications straight to the inbox and generates detailed reports with just a single click.

Manual Active Directory schema extension with Windows Server 2012/2012R2 adprep


When you are using Windows Server 2003 or Windows Server 2008 32-bit Domain Controllers, it seems that you cannot simply extend the schema manually using the Windows Server 2012/2012R2 adprep utility, especially if you do not need to promote a new Windows Server 2012/2012R2 Domain Controller.

Previous Windows Server versions like:

  • Windows Server 2003
  • Windows Server 2008

contained only a 32-bit adprep utility.

In Windows Server 2008R2 there were two adprep tool versions:

  • adprep32.exe for 32bit operating systems
  • adprep.exe for 64bit operating systems

Since Windows Server 2012 was released, only one 64-bit adprep version is available. There is no longer a 32-bit tool to extend the schema. With this Windows version a new feature called transparent adpreping was introduced. It allows the Active Directory promotion wizard to automatically extend the schema and prepare the Infrastructure Master, if it was run with the appropriate credentials:

  • Enterprise Admin or Schema Admin to extend schema
  • Enterprise or Domain Administrator to prepare Infrastructure Master

But what if you have 32-bit Domain Controllers in your environment and you wish to extend the schema without implementing a Windows Server 2012/2012R2 DC?

You cannot execute the adprep tool on a 32-bit OS directly, because you will get an error message

Adprep error message on 32bit OS

But the new adprep released with Windows Server 2012 supports new switches, so it can be executed remotely from any 64-bit OS.

To check them, mount the DVD media or ISO file on any 64-bit OS machine in your domain environment. In this example a Windows 7 Enterprise 64-bit workstation joined to the domain is used.

Go to the X:\Support\ADPREP folder, where X: is your DVD drive letter. In this example Windows Server 2012R2 adprep is used in an environment where only a Windows Server 2003 32-bit Domain Controller is available.

cd support\adprep
adprep.exe /?
New adprep help

Adprep switches

As you can see there are a lot of new switches, but they are not discussed here. You can now simply start extending the schema. Open an elevated command prompt and type

adprep.exe /forestprep /user <EnterpriseOrSchemaAdmin> /userdomain <ForestRootDNSDomainName> /password *

for example:

adprep.exe /forestprep /user administrator /userdomain testenv.local /password *
adprep syntax

Instead of /password * you can simply put the account’s password, but this might be seen by others, so it’s better to leave * because you will then be prompted for the password

Type the password (it will not be shown on the screen) and press Enter to start the action

adprep password input

adprep will start the extension procedure

Schema extension start

Just wait a couple of minutes for the schema extension to complete

Schema extension completed

and after all that, run ADSI Editor (adsiedit.msc) to verify that the schema version has changed



Changed schema version

When you can see version 69, the Windows Server 2012R2 schema has been applied!
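As an added example (not from the original post), the same verification done from PowerShell: it reads objectVersion from the schema partition through the ADSI provider and maps the number to the Windows Server release whose adprep produced it. The post names only version 69 (Windows Server 2012 R2); the other values in the table are the documented schema versions for the remaining releases. The function name and the optional DC parameter are mine.

```powershell
# Added example, not part of the original post. Reads the schema objectVersion
# without opening ADSI Edit and maps it to the release that produced it.
function Get-AdSchemaVersion {
    param([string]$DomainController)   # assumed: optional DC name; default lets the locator pick one

    $serverPrefix = if ($DomainController) { "$DomainController/" } else { '' }
    $rootDse  = [ADSI]"LDAP://${serverPrefix}RootDSE"
    $schemaDn = [string]$rootDse.Get('schemaNamingContext')    # CN=Schema,CN=Configuration,DC=...
    $schema   = [ADSI]"LDAP://${serverPrefix}$schemaDn"
    $version  = [int]$schema.Get('objectVersion')

    # Documented schema versions per Windows Server release.
    $known = @{
        30 = 'Windows Server 2003';  31 = 'Windows Server 2003 R2'
        44 = 'Windows Server 2008';  47 = 'Windows Server 2008 R2'
        56 = 'Windows Server 2012';  69 = 'Windows Server 2012 R2'
        87 = 'Windows Server 2016'
    }

    [pscustomobject]@{
        SchemaDN      = $schemaDn
        ObjectVersion = $version
        Release       = if ($known.ContainsKey($version)) { $known[$version] } else { 'unknown or newer release' }
    }
}

# Run as any domain user from a domain-joined 64-bit machine, before and after adprep /forestprep.
Get-AdSchemaVersion
```

Running it before and after adprep gives a clean before/after record for the change log; pointing -DomainController at a different DC shows whether the new schema version has replicated there yet.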

The above procedure showed you how to do this for a single-forest, single-domain environment. What if you have multiple forests in your organization? How do you handle that scenario? Let’s see.

You need to add one more switch, /forest, to the adprep syntax and specify the forest for which you would like to extend the schema. Of course, you need to be a member of the Enterprise Admins or Schema Admins group in that forest to successfully perform the action.

adprep.exe /forestprep /forest <ForestDNSNameToApplySchema> /user <EnterpriseOrSchemaAdminForThatForest> /userdomain <ForestDomainDNSName> /password *
adprep.exe /forestprep /forest testenv.local /user administrator /userdomain testenv.local /password *
adprep for any forest

Just repeat the above step for every forest in which you need to extend the schema.

Everything was done on a workstation which is joined to the domain. There is also another possibility: all those steps are available from any 64-bit OS which is not joined to the domain.

In this case you need to be sure that the NIC is configured properly, pointing to a DNS server which is able to resolve the forest root domain name

64bit OS NIC configuration for DNS settings

Check that you can successfully ping the forest DNS name and, of course, that the Schema Master server is available from this network

ping <ForestDNSName>
ping testenv.local
Pinging forest DNS name

and use adprep as shown above for other forests, with the /forest switch

That’s all! I hope this helps you if you need to extend the schema manually with 32-bit Domain Controllers.

Author: Krzysztof Pytko

Active Directory Topology Visualization


My friend Wojciech has started his blog recently and you can find a lot of interesting articles there. His knowledge base is growing, so keep an eye on his blog, it’s worth it!

One of really useful articles at this moment is about Active Directory Topology Visualization

If you have ever considered documenting your Domain Controllers’ connection map but could not find a free and easy tool for that, Wojciech prepared a Visual Basic Script that generates your AD topology, which you can simply use in your documentation.

It is really simple to use: just double-click it and wait a couple of minutes (depending on the environment size, i.e. how many DCs are in your domain). After some time you will receive the Domain Controllers connection map.

Generated Active Directory topology - downloaded from

This is also helpful in the troubleshooting process. For the details just take a look at

And do not forget to visit his blog to extend your Active Directory knowledge!

Author: Krzysztof Pytko

Active Directory objects naming convention


Have you ever wondered about the naming convention for Active Directory objects in your domain environment? If not, but you wish to standardize their naming because your current convention is not satisfactory, then this article is for you.

Of course this is only a suggestion on how to build a naming convention, because there is no default template suitable for all environments.

I will try to show you a couple of examples for particular Active Directory objects, and I hope you will be able to adjust them to your environment’s requirements.


Every domain environment is full of users. That’s why it’s good to have a naming convention for them, to avoid a mess.

The most popular template is based on the user’s first and last name. This allows you to define a variety of naming conventions.

One of them defines the user’s login as the first name and last name combined, separated by a special character such as:

  • dot
  • hyphen
  • underscore
  • no special character

Let’s take a closer look at an example for the person Krzysztof Pytko. Possible logins could look like:

  • Krzysztof.Pytko
  • Krzysztof-Pytko
  • Krzysztof_Pytko
  • KrzysztofPytko

There is nothing wrong with this convention, but what will happen if some day another Krzysztof Pytko is hired by the company? In this case you need to differentiate the users somehow. One of the available options is to add a digit/number at the end of the user’s login, for example:

  • Krzysztof.Pytko1
  • Krzysztof.Pytko2

and so on.

Another option uses the user’s last name and part of the first name (let’s say 3 letters), for example:

  • pytkokrz

You can of course use a lot of variants based on the solution shown above, but this still does not guarantee unique logins in the environment.

It’s good to have a naming convention which defines unique logins. One option is to use the employee number assigned by the HR department. This should be unique for every employee in the company. Of course this might be difficult for users to remember, but after a few uses it should be easily remembered.

Let’s take a look at a few examples

  • 1001000001
  • 0000001
  • 1150010001

Everything depends on your company’s policy for assigning employee numbers.

The last example uses country and location identifiers with the next free number. Let’s consider this for Poland/Wroclaw and the 15th employee

  • PLWRO015 (for smaller environments up to 1000 users in a location)
  • PLWRO0015 (for medium environments up to 10000 users in a location)
  • PLWRO00015 (for larger environments up to 100000 users in a location)
  • PLWRO000015 (for huge environments up to 1000000 users in a location)

Those were not all the possible options, but this should show you a direction for creating your own user naming convention.


As in the previous paragraph, every domain is also full of groups. They are mostly used to grant access to resources, but they have other purposes too, like:

  • role
  • fine-grained password policy
  • mail group
  • or other not mentioned here

However, regardless of their purpose, every group must belong to one of these types:

  • domain local
  • global
  • universal

So, you can use the group type as the group prefix, and it would look like:

  • l – for domain local groups
  • g – for global groups
  • u – for universal groups

OK, I have mentioned a group prefix, so this probably means that I have some template for building the group’s name? Yes, you’re right, I have something like that. The group naming convention relies on 2 variants in this case, depending on whether:

  • group is for resource access
  • group is not for resource access

Let’s take a look at what we need in a group’s name designated for resource access control:

  • group prefix
  • department owner
  • group role
  • group suffix

As the group prefix, it’s good to choose the group type, to simply underline what kind of type it is. Another possibility is to use a prefix indicating the group’s role. For the department owner, specify the short name or unique id of the team to which it is designated. The group role should clearly define what this group is used for, and it may be a few words separated by a hyphen (-) or underscore (_). However, I would recommend using hyphens only, as it is a much more readable form. The group suffix is mostly used only for resource access groups, and states whether the group has read-only (-r) or modify (-rw) permissions.

OK, let’s see a few examples of resource groups for a couple of departments:

  • IT department with licensing data
  • HR department with payroll data
  • Finance department with invoices
  • Common resources for all departments with instructions

All group types for the IT department in the above example are presented below:

  • l-it-licensing-data-r (for read-only access); l-it-licensing-data-rw (for modify access)
  • g-it-licensing-data-r (for read-only access); g-it-licensing-data-rw (for modify access)
  • u-it-licensing-data-r (for read-only access); u-it-licensing-data-rw (for modify access)

All group types for the HR department with payroll data in the above example are presented below:

  • l-hr-payroll-r; l-hr-payroll-rw
  • g-hr-payroll-r; g-hr-payroll-rw
  • u-hr-payroll-r; u-hr-payroll-rw

All group types for the finance department with invoices data:

  • l-finance-invoice-r; l-finance-invoice-rw
  • g-finance-invoice-r; g-finance-invoice-rw
  • u-finance-invoice-r; u-finance-invoice-rw

and all group types for the common resources share, in read-only mode, as modify access is rarely used for all departments:

  • l-all-instructions-r
  • g-all-instructions-r
  • u-all-instructions-r

Those were not all the possible options, but this should show you a direction for creating your own group naming convention.

Computers and Servers

OK, now we are going into another important part of the naming convention. This scheme relates to user devices and servers. It is really good to have a common template for those machines, as it allows identifying them without logging on to them.

There are a lot of possibilities, and they depend on how big your environment is. I will show you just a couple of options which may direct you towards your own scheme.


You need to remember that we are still limited to 15 characters in a computer name, a limit that comes from NetBIOS.

Let's start with environments where up to 10000 computers in a single location is enough.



  • CC – is for country code
  • LLL – is a location code
  • S – is for operating system type (Windows, Unix, Linux, Solaris, BSD)
  • VV – is operating system version (XP, 07, 08, 81, 10)
  • FFF – is machine function (WKS, NTB, TAB, MOB)
  • XXXX – next number for machine

and below you can find a few examples of scheme usage for 2 locations (Poland/Wroclaw and England/London):

  • PLWROW07WKS0001 (for computer with Windows 7)
  • PLWROW81WKS0005 (for computer with Windows 8.1)
  • PLWROW81NTB0015 (for notebook with Windows 8.1)
  • PLWROW81TAB0002 (for tablet with Windows 8.1)
  • UKLONWXPWKS0001 (for computer with Windows XP)
  • UKLONW07NTB0004 (for notebook with Windows 7)
  • UKLONW81TAB0150 (for tablet with Windows 8.1)

In companies where more devices (up to 100000) are needed in one location, this convention might be selected (it is a modification of the one above):


  • CC – is for country code
  • LLL – is a location code
  • S – is for operating system type (Windows, Unix, Linux, Solaris, BSD)
  • VV – is operating system version (XP, 07, 08, 81, 10)
  • FF – is machine function (PC, NB, TA, MO)
  • XXXXX – next number for machine

Just a short single example: PLWROW81PC00005

And a case for really large companies where up to 1000000 devices are needed in one location (again a modification of the one above):

  • CC – is for country code
  • LLL – is a location code
  • S – is for operating system type (Windows, Unix, Linux, Solaris, BSD)
  • VV – is operating system version (XP, 07, 08, 81, 10)
  • F – is machine function (Pc, Notebook, Tablet, Mobile)
  • XXXXXX – next number for machine

Just a short single example: UKLONW81T000015


The situation with server names is similar to computers, with the same 15-character NetBIOS name limitation. You can simply apply the same scheme with small modifications.

The scheme below is good for environments where no more than 1000 servers of the same role are located within the same site.



  • CC – is for country code
  • LLL – is a location code
  • S – is for operating system type (Windows, Unix, Linux, Solaris, BSD)
  • VV – is operating system version (03 – 2003, 08 – 2008, 12 – 2012)
  • R – is for operating system release (1 – release 1, 2 – release 2)
  • FFF – is machine function (DCR, DCW, FIL, PRT, APP, MGM)
  • XXX – next number for machine

The machine function codes in the template above stand for:

  • DCR – Read-Only Domain Controller
  • DCW – Domain Controller
  • FIL – File Server
  • PRT – Print Server
  • APP – Application Server
  • MGM – Management Server

OK, let's consider a few servers named according to the above convention:

  • PLWROW121DCW001
  • PLWROW122DCW002
  • PLWAWW122DCR001
  • PLWROW082FIL001
  • PLWROW082PRT001
  • PLPOZW032MGM003

This should be enough for most environments, but if it is too few, you need to replace one server function character with a digit, like:


You have fewer letters to describe the server's role in detail, but this allows you to have up to 10000 servers with the same role in the same site.

Let's see a short example of this scheme usage: PLWROW121APP0001
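As an added example (not the article's own code), the PowerShell function below parses a machine name against both 15-character schemes described above, the workstation scheme (CC LLL S VV FFF XXXX) and the server scheme (CC LLL S VV R FFF XXX), and flags names that do not comply, which is useful for auditing an existing domain against the convention. The single-letter OS codes W/U/L/S/B and the two non-compliant sample names are my assumptions; the scheme fields and valid codes come from the lists above.

```powershell
# Added example: validate computer/server names against the two schemes above.
function ConvertFrom-MachineName {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Name)
    process {
        # Both schemes fill all 15 NetBIOS characters; character 9 tells them apart:
        # a digit there is the server release field, a letter starts the workstation function code.
        # OS codes W/U/L/S/B (Windows, Unix, Linux, Solaris, BSD) are an assumption.
        $wks = '^(?<Country>[A-Z]{2})(?<Location>[A-Z]{3})(?<Os>[WULSB])(?<Version>XP|07|08|81|10)(?<Function>WKS|NTB|TAB|MOB)(?<Number>\d{4})$'
        $srv = '^(?<Country>[A-Z]{2})(?<Location>[A-Z]{3})(?<Os>[WULSB])(?<Version>03|08|12)(?<Release>[12])(?<Function>DCR|DCW|FIL|PRT|APP|MGM)(?<Number>\d{3})$'

        # -cmatch is case-sensitive, so a lowercase name is reported as non-compliant.
        $kind = $null
        if ($Name -cmatch $wks) { $kind = 'Workstation' }
        elseif ($Name -cmatch $srv) { $kind = 'Server' }

        if (-not $kind) {
            return [pscustomobject]@{ Name = $Name; Compliant = $false; Kind = $null; Reason = 'does not match any scheme' }
        }
        [pscustomobject]@{
            Name      = $Name
            Compliant = $true
            Kind      = $kind
            Country   = $Matches.Country
            Location  = $Matches.Location
            Os        = $Matches.Os
            Version   = $Matches.Version
            Release   = $Matches.Release   # $null for workstations
            Function  = $Matches.Function
            Number    = [int]$Matches.Number
        }
    }
}

# Constructed sample: names taken from the article plus two that break the convention.
$sample = 'PLWROW07WKS0001', 'UKLONW81TAB0150', 'PLWROW121DCW001', 'PLPOZW032MGM003',
          'HELPDESK-PC7', 'plwrow07wks0002'
$sample | ConvertFrom-MachineName |
    Format-Table Name, Compliant, Kind, Location, Version, Release, Function, Number -AutoSize

# Against a real domain, feed Get-ADComputer output instead of the sample:
# Get-ADComputer -Filter * | Select-Object -ExpandProperty Name |
#     ConvertFrom-MachineName | Where-Object { -not $_.Compliant }
```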


To define a printer naming convention you have a lot of possibilities, so I will present only one, which seems good in my opinion. It uses:



  • SSS – printer signature
  • P – is it pooled or not (0 – no, 1 – pooled)
  • MMM – device manufacturer (SAM – Samsung, LEX – Lexmark, CAN – Canon, HPP – HP Printer, KYO – Kyocera, RIC – Ricoh)
  • XXX – device number

Let’s see how this looks in practice:

  • PRT0LEX001
  • PRT0HPP002
  • PRT0RIC001
  • PRT1SAM001

Remember! Put detailed information about the printer's location in the printer's properties, as this is not available in the naming convention.

I think that's all for printers. As I said, there are a lot of possibilities, but I chose this one.

Group Policies

One more object remained on my list: the GPO, which is rarely named according to any convention, especially in outsourced environments where many administrators manage group policies.

I strongly suggest applying a good scheme for those objects, as it is much more convenient for management where a lot of policies are deployed.

For Group Policy naming convention you can use:

  • GPO prefix
  • GPO function (words separated by a hyphen (-))
  • GPO suffix
  • GPO description (optional, outside the naming convention)

where GPO prefix is one of:

  • WIN – for Windows policies
  • CTX – for Citrix policies
  • RDS – for Terminal/Remote Desktop Services
  • TST – test policies
  • CUS – customer policies
  • OLD – old policies awaiting removal

where GPO suffix is one of:

  • LPM – for loopback policy in merge mode
  • LPR – for loopback policy in replace mode
  • SCF – security filtering enabled
  • WMI – WMI filter applied
  • GPP – group policy preferences defined

Based on that, you can create GPOs in your environment. Below are a couple of examples:

  • win-ie-restrictions-control-panel
  • ctx-screen-saver-lpr
  • tst-wsus-update-scf
  • win-folder-mapping-drive-h-gpp

And that's all about naming conventions in this article. I hope it was somehow helpful and that you can now build your own custom naming convention for Active Directory objects.

Author: Krzysztof Pytko

iSiek’s forum has been launched


I would like to announce that iSiek's forum about Microsoft Windows services has been launched!

iSiek's forum

I hope you will participate in building a new IT community on this forum, and that we will be able to help each other.

You are invited! I encourage you to register an account for free and start posting your issues or try to help others.

Just some simple forum rules

  1. The forum is free of charge. It is maintained from ads.
  2. To contribute to the community, free registration is required
  3. Write posts in English
  4. Check the forums to see whether a similar problem already exists
  5. Use the appropriate forum to post an issue
  6. Do not spam
  7. Use external services to attach images/logs and place only links to them
  8. Be polite and do not use vulgarisms
  9. If you do not want to help, do not answer

Be a part of this new community and help create a family atmosphere here.

I hope we will make this IT world better!

Forum address is

Author: Krzysztof Pytko

Installing Windows Server 2012R2 – video


I have created a video blog on YouTube: iSiek's video blog about Microsoft Windows services.

You will find there a video showing how to install Windows Server 2012 R2 for the Domain Controller role. Of course, this may be applied to other Windows Server roles too, and it works the same way for installing Windows Server 2012.

After the server installation, please see another one for the post-installation steps.

I hope this method will also be useful for you. At the moment there is no voice in the video; I will try to change that in the near future 🙂

Author: Krzysztof Pytko

Metadata cleanup over GUI


Sometimes we have a problem with broken Domain Controller(s) in our environment. Then we do not think about the consequences of removing the failed DC from the network; we just shut it down and replace it with a new one, because mostly we have no system state backup of the old Domain Controller. Everything looks fine to us, as there is no failed DC in the network. But Active Directory still knows about it and keeps trying to use that DC for AD data replication, which causes errors.

To stop replication attempts between the broken DC and the rest, you need to perform metadata cleanup.

This can be done using ntdsutil, as I showed you some time ago in the article Metadata cleanup for broken Domain Controller, or over the graphical console, using Active Directory Users and Computers.

You still need a Domain Admin account to do that, and at least one Windows Server 2008 Domain Controller.

I will show you how to do that using a Windows Server 2012 R2 Domain Controller, but the procedure is exactly the same on previous server versions.

To remove metadata about a non-existing Domain Controller, log on to a Windows Server 2008 or newer DC and open the Active Directory Users and Computers console.

Right-click (RMB) the Start tile and choose "Run"

Execute run box

and type dsa.msc to open the Active Directory Users and Computers console

Opening Active Directory Users and Computers console

Now, go to the main menu, find the "View -> Advanced Features" option and select it

Selecting advanced features for ADUC console

Now, go to the "Domain Controllers" organizational unit and select the Domain Controller for which you want to do metadata cleanup

Selection of Domain Controller to remove

Right-click (RMB) it and choose "Properties"

Properties of broken Domain Controller

You need to check that this computer object is not protected from accidental deletion. To see that, select the "Object" tab and look whether "Protect object from accidental deletion" is set. If so, uncheck it and apply the changes.

Protect from accidental deletion check

Unchecking accidental deletion protection

Now, go back to the Domain Controllers OU in the Active Directory Users and Computers console and select this DC once again

Right-click (RMB) it and choose the "Delete" option

Deleting broken Domain Controller from domain

Confirm that you are sure you want to delete this object from the domain

Removing object from the domain

You will be informed that you are trying to remove a Domain Controller from the domain without the appropriate removal process

Domain Controller removal warning

You are sure that this Domain Controller does not exist anymore and you wish to delete it anyway, so select this checkbox and confirm the deletion

Confirm DC removal

If your server was acting as a Global Catalog, you need to confirm once again that you wish to delete it from the domain

Confirm DC removal

There is one more place you need to visit to completely clean up your environment. Open the Active Directory Sites and Services console and locate the Site in which the removed DC was authenticating objects

Sites and Services - removed DC

As you can see, this Domain Controller no longer has an NTDS Settings object associated with it. Just right-click (RMB) it and remove it

Removing DC from Sites and Services

Confirm that you want to delete this object, and that's all!

Confirm DC object removal

You have easily removed the metadata of the broken Domain Controller from your domain!
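The same cleanup as the GUI steps above (the computer object in the Domain Controllers OU, then the leftover server object in Sites and Services), carried out with the Active Directory module instead of the consoles, as an added example that is not part of the original article. The function, its name and the -BrokenDc/-SiteName parameters are mine; it supports -WhatIf so you can review what would be deleted before doing it.

```powershell
# Added example: metadata cleanup of a dead DC with the ActiveDirectory module.
# Requires a Domain Admin account and a Windows Server 2008 or newer DC, as in the GUI procedure.
Import-Module ActiveDirectory

function Remove-BrokenDcMetadata {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$BrokenDc,   # host name of the dead DC, e.g. 'DC02' (placeholder)
        [Parameter(Mandatory)][string]$SiteName    # AD site it belonged to, e.g. 'Default-First-Site-Name'
    )

    # Guard: metadata cleanup is only for a DC that is gone for good.
    if (Test-Connection -ComputerName $BrokenDc -Count 1 -Quiet) {
        throw "$BrokenDc still answers on the network; demote it properly instead of cleaning metadata."
    }

    # Step 1 (ADUC part): the DC computer object in the Domain Controllers OU.
    $computer = Get-ADComputer -Identity $BrokenDc -Properties ProtectedFromAccidentalDeletion

    # Step 2: clear "Protect object from accidental deletion" if it is set.
    if ($computer.ProtectedFromAccidentalDeletion) {
        Set-ADObject -Identity $computer.DistinguishedName -ProtectedFromAccidentalDeletion $false
    }

    # Step 3: delete the computer object together with its child objects.
    Remove-ADObject -Identity $computer.DistinguishedName -Recursive -Confirm:$false

    # Step 4 (Sites and Services part): the server object left behind in the site.
    # Deleting it recursively also removes any remaining NTDS Settings child object.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $serverDn = "CN=$BrokenDc,CN=Servers,CN=$SiteName,CN=Sites,$configNC"
    $server = Get-ADObject -Identity $serverDn -Properties ProtectedFromAccidentalDeletion -ErrorAction SilentlyContinue
    if ($server) {
        if ($server.ProtectedFromAccidentalDeletion) {
            Set-ADObject -Identity $serverDn -ProtectedFromAccidentalDeletion $false
        }
        Remove-ADObject -Identity $serverDn -Recursive -Confirm:$false
    }

    # Verification: the dead DC must no longer be listed as a domain controller.
    $left = Get-ADDomainController -Filter "Name -eq '$BrokenDc'"
    if ($left) { Write-Warning "$BrokenDc is still listed as a DC; check replication with repadmin /showrepl" }
    else { Write-Output "Metadata for $BrokenDc removed." }
}

# Dry run first, then without -WhatIf (placeholders):
# Remove-BrokenDcMetadata -BrokenDc 'DC02' -SiteName 'Default-First-Site-Name' -WhatIf
```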

Author: Krzysztof Pytko

Seizing FSMO roles with PowerShell


I wrote an article some time ago about Seizing FSMO roles. That was a somewhat painful method, as it required the ntdsutil command, which is inconvenient to use, especially for inexperienced administrators.

Now that Microsoft has released PowerShell 3.0 with the Windows 8 Remote Server Administration Tools and Windows Server 2012, we have a new Active Directory module for PowerShell. It provides a dedicated PowerShell cmdlet for that.

When the Domain Controller holding any FSMO role is down and cannot be brought up again, you need to seize that role (or those roles) to a new one.

You can use the PowerShell cmdlet

Move-ADDirectoryServerOperationMasterRole
Hey, this is exactly the same cmdlet as for transferring FSMO roles, am I right? Yes, you are. The only difference is that you have to specify the -Force switch at the end of the cmdlet, which tells it that the role must be seized, not transferred!

Of course, to be able to use this feature some prerequisites are required:

  • At least one Windows Server 2008 R2 Domain Controller
  • Access to Active Directory Web Services (port 9389/tcp unblocked)
  • A server or client machine with PowerShell 3.0 or newer
  • The Active Directory module for PowerShell (2.0 or newer) imported

To get an overview of this command, let's see its help by typing

Get-Help Move-ADDirectoryServerOperationMasterRole

Move-ADDirectoryServerOperationMasterRole help

In this case 3 parameters are required:

  • target Domain Controller name
  • FSMO role(s) name to seize
  • -Force switch

Important! When you seize any FSMO role, you need to know that the Domain Controller which held this role previously cannot be brought back online! This machine may be reused, but first it must be reinstalled!

For an overview of transferring FSMO roles with PowerShell, please read the article on my blog showing how to do that. The article is available at this link.

You are allowed to seize one specific FSMO role or a set of FSMO roles. This can be done only once, as the operation requires reinstallation of the old Domain Controller. Please be aware of that; there is no room for mistakes! 🙂

Seizing specific FSMO role

Active Directory contains five unique FSMO roles:

  • Schema Master
  • Domain Naming Master
  • PDC Emulator Master
  • RID Master
  • Infrastructure Master

If any of these roles was held by your broken Domain Controller, you need to seize it to the new one. Just do this as if you were transferring them, but place the -Force switch at the end of the cmdlet

Move-ADDirectoryServerOperationMasterRole -Identity <TargetDomainController> -OperationMasterRole <FSMORoleName> -Force

This will seize the specified operation master role to the selected Domain Controller. It may take some time, as the cmdlet tries to connect to the previous DC and checks whether a role transfer is possible instead of a seizure.

Move-ADDirectoryServerOperationMasterRole -Identity DC01 -OperationMasterRole InfrastructureMaster -Force

 Seizing specified FSMO role

To seize a role other than this one, replace its name with one of those below

  • SchemaMaster
  • DomainNamingMaster
  • PDCEmulator
  • RIDMaster
  • InfrastructureMaster

Information! When you transfer the PDC Emulator role, remember that you should introduce a new time server within your environment. If you wish, you may follow the steps described in the article on my blog, Advertising new time server in domain environment

And remember, when you seize any FSMO role, the Domain Controller which held this role previously cannot be brought back online! This machine may be reused, but first it must be reinstalled!

Seizing set of FSMO roles

This works exactly the same way as transferring FSMO roles. You just need to specify the operation master role name(s) separated by commas (,) and put the -Force switch at the end. All provided FSMO roles will be seized to the selected Domain Controller.

To seize roles, use the syntax below

Move-ADDirectoryServerOperationMasterRole -Identity <TargetDomainControllerName> -OperationMasterRole <FSMORoleName1>, <FSMORoleName2>, ...<FSMORoleNameN> -Force

and these operation master roles will be seized.

Commonly used scenarios are seizing the forest-wide, the domain-wide or all FSMO roles. Let's see how to do that

Seizing forest-wide FSMO roles:

Move-ADDirectoryServerOperationMasterRole -Identity DC01 -OperationMasterRole SchemaMaster, DomainNamingMaster -Force

Seizing domain-wide FSMO roles:

Move-ADDirectoryServerOperationMasterRole -Identity DC01 -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Force

Seizing all FSMO roles:

Move-ADDirectoryServerOperationMasterRole -Identity DC01 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Force

Seizing all FSMO roles

It may take some time, as the cmdlet tries to connect to the previous DC and checks whether a transfer of the roles is possible instead of a seizure.

Information! When you transfer the PDC Emulator role, remember that you should introduce a new time server within your environment. If you wish, you may follow the steps described in the article on my blog, Advertising new time server in domain environment

And remember, when you seize any FSMO role, the Domain Controller which held this role previously cannot be brought back online! This machine may be reused, but first it must be reinstalled!

To verify whether the operation master roles were seized to the selected Domain Controller, execute

for forest-wide FSMO roles:

Get-ADForest | Select SchemaMaster, DomainNamingMaster | Format-List

Verifying forest-wide FSMO roles

and for domain-wide FSMO roles use this one:

Get-ADDomain | Select PDCEmulator, RIDMaster, InfrastructureMaster | Format-List

Verifying domain-wide FSMO roles
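The seizure and verification steps above tied together, as an added example that is not part of the original article: the function reads the current role holders with Get-ADForest and Get-ADDomain, seizes only the roles still held by the broken DC (the article's advice to seize exactly what that DC held), and then re-reads the holders to confirm the target now owns them. The function name and the -BrokenDc/-TargetDc parameters are mine.

```powershell
# Added example: seize only the FSMO roles held by a dead DC, then verify.
Import-Module ActiveDirectory

# Role name (as accepted by -OperationMasterRole) -> FQDN of the current holder.
function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRolesFromBrokenDc {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$BrokenDc,   # dead role holder, e.g. 'DC02' (placeholder)
        [Parameter(Mandatory)][string]$TargetDc    # DC that takes the roles, e.g. 'DC01' (placeholder)
    )

    # Holders are FQDNs; compare on the host name only.
    $before  = Get-FsmoRoleHolders
    $toSeize = @($before.GetEnumerator() |
        Where-Object { ($_.Value -split '\.')[0] -ieq $BrokenDc } |
        ForEach-Object { $_.Key })

    if ($toSeize.Count -eq 0) {
        Write-Warning "$BrokenDc holds no FSMO role; nothing to seize."
        return $before
    }

    # Same cmdlet as a transfer; -Force turns it into a seizure when the old holder is unreachable.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $toSeize -Force -Confirm:$false

    if ($toSeize -contains 'PDCEmulator') {
        Write-Warning "PDC Emulator moved: configure $TargetDc as the new authoritative time source."
    }

    # Verify: every seized role must now be reported on the target DC.
    $after = Get-FsmoRoleHolders
    foreach ($role in $toSeize) {
        if (($after[$role] -split '\.')[0] -ine $TargetDc) {
            throw "$role is still reported on $($after[$role]); seizure did not complete."
        }
    }
    $after
}

# Usage (placeholders; remember the old DC must be reinstalled before it returns to the network):
# Move-FsmoRolesFromBrokenDc -BrokenDc 'DC02' -TargetDc 'DC01' -WhatIf
```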

At the end, you should do metadata cleanup for that broken Domain Controller, and that's all!

If you wish, you may follow the other articles on my blog showing how to do metadata cleanup of a broken Domain Controller

Author: Krzysztof Pytko