The first and most important part of the preparation phase is… installing Windows Server 2016. If you do not have it installed, you will not be able to promote it to a DC 🙂
This topic does not cover the Windows Server 2016 installation process, so you need to do that yourself.
To add a Windows Server 2016 Domain Controller to an existing Windows Server 2003/2008/2012 domain environment, we first need to check that the Forest Functional Level is at least Windows Server 2003. This is the lowest Forest Functional Level supported by a Windows Server 2016 Domain Controller, which means Windows 2000 DCs are no longer supported: Microsoft does not support them alongside Windows Server 2012 and 2016 Domain Controllers. It is time to retire these old operating systems.
If you do not know how to identify the current domain or forest functional level, please follow this article on my blog: Determine DFL and FFL using PowerShell
If you need to raise them, please follow:
Now you are ready to go with the first Windows Server 2016 Domain Controller installation.
Preparation for Domain Controller promotion
Just before we can go ahead with Domain Controller promotion, we need to identify the owners of 2 FSMO roles:
- Schema Master
- Infrastructure Master
These 2 role owners must be online and reachable from our new Windows Server. This is required because, starting with Windows Server 2012, forest and domain preparation runs in the background: the schema and domain extensions (the old adprep /forestprep against the Schema Master and adprep /domainprep against the Infrastructure Master) are performed by the promotion wizard itself, which is really convenient.
That’s right: there is no need to run the adprep tool manually any more. Everything is covered by the promotion wizard!
To check which Domain Controller(s) hold the respective FSMO roles, you can follow one of the steps below:
- use the command-line netdom utility
netdom query fsmo
and check the output
- use PowerShell cmdlets
and check which servers hold each role
- give my new C# application (written recently) a try
- follow any other way you wish to enumerate the roles
We have collected almost all the information needed to start AD preparation for the first Windows Server 2016 Domain Controller. The last and most important part before we start is checking the forest/domain condition by running:
- dcdiag tool for environment’s health status
- repadmin tool for environment’s replication status
Run in command-line on a DC:
dcdiag /e /c /v /f:c:\dcdiag.log
Review the log file and check that there are no errors. If there are, correct them first (if your forest/domain has many Domain Controllers, skip the /e switch, which tests every DC in the enterprise).
Now run in the command line:
repadmin /showrepl /all /verbose >c:\repadmin.log
to check that your DCs are replicating data without errors.
For more about Active Directory troubleshooting tools, check one of my articles on this blog.
After those checks, you can start with Active Directory preparation.
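The checks above (FSMO role owners reachable, Forest Functional Level high enough, dcdiag and repadmin clean) collected into one script, as an added example that is not part of the original article. It assumes the ActiveDirectory PowerShell module (RSAT-AD-PowerShell) is present on the DC you run it from, that the account can read forest and domain objects, and that the log paths C:\dcdiag.log and C:\repadmin.log are free to use.

```powershell
# Added example (not part of the original article): pre-promotion checks for the
# first Windows Server 2016 DC, run from an existing DC or any box with RSAT-AD-PowerShell.
# Assumptions: ActiveDirectory module available; log paths are arbitrary.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Forest Functional Level must be at least Windows Server 2003 for a 2016 DC
$supported = @('Windows2003Forest', 'Windows2008Forest', 'Windows2008R2Forest',
               'Windows2012Forest', 'Windows2012R2Forest', 'Windows2016Forest')
if ($supported -notcontains $forest.ForestMode.ToString()) {
    throw "Forest mode $($forest.ForestMode) is below Windows Server 2003; raise it first."
}
"Forest mode: $($forest.ForestMode)  Domain mode: $($domain.DomainMode)"

# 2. Schema Master (forestprep) and Infrastructure Master (domainprep) must answer on LDAP
$roleOwners = @{
    'Schema Master'         = $forest.SchemaMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}
foreach ($role in $roleOwners.Keys) {
    $dc   = $roleOwners[$role]
    $ldap = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
    if (-not $ldap.TcpTestSucceeded) {
        throw "$role ($dc) does not answer on LDAP/389; the wizard's adprep step will fail."
    }
    "$role = $dc (LDAP reachable)"
}

# 3. Health and replication status saved to files for review (add /e for a forest-wide dcdiag)
$null = dcdiag /c /v "/f:C:\dcdiag.log"
repadmin /showrepl * /verbose | Out-File -FilePath C:\repadmin.log -Encoding ascii   # '*' = every DC

# Quick triage: failed dcdiag tests and non-zero 'Last error' codes in repadmin output
$problems = Select-String -Path C:\dcdiag.log, C:\repadmin.log `
                          -Pattern 'failed test', 'Last error:\s*[1-9]'
if ($problems) {
    "Review before promoting:"
    $problems | ForEach-Object { "  $($_.Filename):$($_.LineNumber): $($_.Line.Trim())" }
} else {
    "dcdiag and repadmin report no errors; ready to promote."
}
```

The triage patterns are deliberately narrow: dcdiag writes "failed test <name>" for each failing test and repadmin prints "Last error: 0 (0x0)" for healthy links, so only non-zero codes are flagged. Read the full logs anyway before promoting; a warning that does not match either pattern can still block schema extension.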
Adding first Windows Server 2016 Domain Controller
Before we start preparing AD for the new Windows Server 2016 DC, we need to be sure that we are members of:
- Enterprise Administrators group
- Schema Administrators group
Membership of these 2 groups is required to extend the forest schema and prepare the domain(s) for the new DC’s deployment.
Install your new box with Windows Server 2016, configure its IP address according to your network settings and change the default server name to yours.
Remember that it is very important to configure the network card settings properly to be able to promote your new box as a Domain Controller!
The most important part of configuring the NIC is setting up the DNS server(s). Point your new box to one of the existing Domain Controllers on which DNS is installed and configured, or to any other DNS server responsible for your domain’s DNS zone.
After you have verified the IP settings, you can start promoting the server to a Domain Controller. However, you cannot use the good old dcpromo command, as it is no longer valid.
Open Server Manager console (if it was not already opened) and click on “Add roles and features” on Dashboard screen
Using the default settings in the wizard, go up to the “Server roles” step (those steps are not described in this article; you may expect their description in another article) and select the Active Directory Domain Services role. Also accept the default features that are required during installation
confirm that you wish to install all the required tools to manage the domain from this server after promotion
Verify that the check box is in the proper place and go to the next step
On the “Features” screen also go to the next step, as we do not need anything more installed at this point. All required features will be installed as you accepted them a little earlier
Skip this step, as it refers to Active Directory in Azure, which is not part of this guide
Read the information about the role you are installing and go to the confirmation screen to install it
Wait some time until the selected role is installed before you are able to promote the server to a Domain Controller
Now that the role is installed, you can see an exclamation mark in the notification area. It tells you that post-installation steps might be required
Click on it to see what can be done. You will see that you can now promote your server to a Domain Controller, and information that the features were installed successfully
OK, let’s start server promotion to Domain Controller! Click on “Promote this server to a domain controller” and you will see a wizard.
As we are adding a Domain Controller to an existing domain, we need to select the proper option. It is selected by default; however, please ensure that “Add a domain controller to an existing domain” is selected
On the screen where you are prompted for the domain in which the new Domain Controller is promoted, click on the “Select” button
You will be asked to provide credentials to discover the available domains. Provide Enterprise Administrator credentials and go to the next step
You can provide credentials using a User Principal Name (user@domain.tld) or the NetBIOS domain name followed by a backslash and the user name (DOMAIN\user)
When your credentials are accepted you get a window with all available domains. Select the one in which you want to introduce the Windows Server 2016 Domain Controller and click “OK“
You should see a screen with all the details provided in the previous steps
Define whether the server should be a DNS server and a Global Catalog. I would strongly recommend installing both roles on each Domain Controller in your environment. Select the Site to which this DC should belong and define the Directory Services Restore Mode (DSRM) password for this DC.
Important! The DSRM password needs to be remembered, as it is different from the domain administrator’s and is unique for every Domain Controller (unless it is configured to be synchronized from a domain account, which is not part of this guide)
If you have DNS delegation in place, update it here, or skip and do this later
In “Additional options” you can define whether you want to install this Domain Controller from Install From Media (IFM), if you have it, and from which DC initial replication should be done. When you do not specify one, the server will choose the best source for AD database replication. If you have no special requirements, just leave “Any domain controller”
Important! If you wish to use IFM installation media, you need to be aware that it MUST be prepared on the same Windows Server version as the DC being promoted. It is not possible to promote a Windows Server 2016 DC from Windows Server 2012 IFM or any version other than 2016.
Note! As this is your first Windows Server 2016 DC in the environment, you cannot use IFM as a deployment option.
Specify the location for the AD database and SYSVOL (if you need something different from what is suggested) and go to the next step
Now the wizard informs you that Schema and Domain preparation need to be done. As you did not run adprep before, it will be executed in the background for you
You will see a summary screen where you can check all the options selected for server promotion. As in Windows Server 2012, everything done in Server Manager is translated into PowerShell code and executed in the background, so you can check the code by clicking on the “View script” button. You will see exactly what will be run. The process is transparent, but you will not see a PowerShell window in front of you
PowerShell code for adding Domain Controller
#
# Windows PowerShell script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSDomainController `
    -NoGlobalCatalog:$false `
    -CreateDnsDelegation:$false `
    -Credential (Get-Credential) `
    -CriticalReplicationOnly:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainName "testenv.local" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -ReplicationSourceDC "plwrow082wdc001.testenv.local" `
    -SiteName "EUPLWROHQ01" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true
If all prerequisites pass and you are sure that all settings are correct, you can start the installation
As stated earlier, the wizard needs to extend the schema and prepare the domain for the first Windows Server 2016 Domain Controller. You can see this during the promotion process
Wait until the wizard has done its job; after the server restart you will see the logon screen of your new Windows Server 2016 Domain Controller
Log on to the DC and enjoy its new features
Give the DC some time to replicate Directory Services data before it is fully operational.
You can check whether everything has replicated with the LDP utility. Open the Run box and type ldp
From menu select “Connection -> Connect”
Specify the Windows Server 2016 Domain Controller’s name, or leave it blank to connect to the DC you are logged on to
After connecting, verify in the window title bar that you are connected to the appropriate Domain Controller
In the RootDSE context you can read the Domain Controller’s functionality level, which in this case is 7 – Windows Server 2016
and search for
If both attributes have the value TRUE, everything is up and running properly. If not, wait some time to let replication finish its job.
Now you need to make some small changes in your environment configuration.
On each server/workstation with static NIC settings, configure the alternate DNS server IP address to point to the new Domain Controller.
Open the DHCP management console and, under server or scope options (depending on your DHCP configuration), modify option no. 006 (DNS Servers)
Add the IP address of your new Domain Controller there as a new DNS server.
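The readiness check from LDP and the two DNS changes above, done from PowerShell, as an added example that is not part of the original article. The article does not name the RootDSE attributes it reads; the standard ones are used here (domainControllerFunctionality, isSynchronized and isGlobalCatalogReady). Everything else is assumed: the new DC is plwrow082wdc002.testenv.local with address 192.168.1.11, the DHCP server is DHCP01 with scope 192.168.1.0, and the script runs on a domain member that has the DhcpServer RSAT module.

```powershell
# Added example (not part of the original article): verify the new DC via RootDSE,
# then add it as a DNS server for static and DHCP clients.
# Assumptions: DC name/IP, DHCP server and scope below; RootDSE attribute names are the
# standard ones (the article does not spell them out).
$newDc   = 'plwrow082wdc002.testenv.local'
$newDcIp = '192.168.1.11'

# RootDSE of the new DC: functionality level plus replication and GC readiness flags
$rootDse = [ADSI]"LDAP://$newDc/RootDSE"
$level   = [int]$rootDse.domainControllerFunctionality.Value   # 7 = Windows Server 2016
$synced  = [bool]::Parse($rootDse.isSynchronized.Value)
$gcReady = [bool]::Parse($rootDse.isGlobalCatalogReady.Value)
"DC functionality: $level  isSynchronized: $synced  isGlobalCatalogReady: $gcReady"
if (-not ($synced -and $gcReady)) {
    Write-Warning 'Initial replication is still running; do not point clients at this DC yet.'
    return
}

# Static client: keep the current DNS server(s) and append the new DC as alternate
$iface = Get-DnsClientServerAddress -AddressFamily IPv4 |
         Where-Object { $_.ServerAddresses } | Select-Object -First 1
$servers = @($iface.ServerAddresses) + $newDcIp | Select-Object -Unique
Set-DnsClientServerAddress -InterfaceIndex $iface.InterfaceIndex -ServerAddresses $servers
"Static DNS list on interface $($iface.InterfaceAlias): $($servers -join ', ')"

# DHCP clients: option 006 (DNS Servers) on the scope, keeping the existing entries
$dhcpServer = 'DHCP01'
$scope      = '192.168.1.0'
$current    = (Get-DhcpServerv4OptionValue -ComputerName $dhcpServer -ScopeId $scope -OptionId 6).Value
$dhcpDns    = @($current) + $newDcIp | Select-Object -Unique
Set-DhcpServerv4OptionValue -ComputerName $dhcpServer -ScopeId $scope -DnsServer $dhcpDns
"DHCP option 006 on scope ${scope}: $($dhcpDns -join ', ')"
```

Set-DhcpServerv4OptionValue validates that each address really answers DNS queries before it accepts the list, which is one more reason to wait for isSynchronized and isGlobalCatalogReady before running this.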
Congratulations! You have promoted your first Windows Server 2016 Domain Controller in existing domain. Enjoy!
Author: Krzysztof Pytko
This topic is not new to administrators. I just wondered whether I could simplify that action somehow, and I realized that it would be possible.
I’m learning C# coding with .NET, so I decided to try creating a simple application (of course with a GUI) that does the job itself, without the administrator’s involvement.
So, you can download a simple application written by me in C# using the .NET Framework, execute it on any domain member workstation/server (it does not have to be a Domain Controller, but it may be), and get the results on the screen.
The only requirement is to have the appropriate version of the .NET Framework installed on the machine from which the application is executed.
To simplify the entire process, I have compiled the application for both .NET 3.5 and .NET 4.5.
Both applications are identical; the only difference is that one targets .NET 3.5 and the other .NET 4.5.
You can use the .NET 3.5 application on Windows Vista/7/2008/2008 R2 and the .NET 4.5 one on Windows 8/8.1/10/2012/2012 R2/2016, as those .NET versions are the defaults on those systems.
Of course you can always use the existing methods, like the command-line utilities, PowerShell or even the Microsoft GUI consoles. The first two require some knowledge of command and cmdlet syntax, and the last needs a couple of consoles to check all of the roles.
My application is nothing new but helps a little. Just execute it and get the results on the screen, that’s all.
When you click on any of the server names in the application’s window, the server’s name is copied to the clipboard
and you can paste it, for example, into your documentation.
So, let’s give the app a try to do the job for you. Download it and execute it within a domain, from any supported operating system with the appropriate .NET Framework installed on it.
- Get FSMO GUI application for .NET 3.5
(MD5 checksum: dcda3cca863320077b05f71a2dea4cc1) (SHA-1 checksum: 74e07d284e670a142bf0a02de8a7daeb975dbf0f) (SHA-256 checksum: 55083852d36a8c5839f74a2ef8b91e18d2db327779d76b717ef9210679a20826)
- Get FSMO GUI application for .NET 4.5
(MD5 checksum: 2618e57525f60b98a2ce30da1776e272) (SHA-1 checksum: 023c7e0c77007ae746e6c8de0d1e7f30f97daf1d) (SHA-256 checksum: f23280ea26917c7005114d7a106f479808b377bd14179407ddfc22ce18cb410c)
I hope it will be useful for you.
Author: Krzysztof Pytko
You may have heard that the new Microsoft Windows Server 2016 has been released. You can download this Windows version for free from the Microsoft TechNet Evaluation Center at this link
The Domain Controller promotion process has not changed from the previous Windows Server 2012/2012 R2 versions, and there is still no way to do it with the dcpromo utility. First of all, you need to install the Active Directory Domain Services role from the Server Manager console.
But before you do that, let’s see what information you need to start promoting a DC.
- Company name – helpful in choosing the forest/domain name
- Network configuration – the valid IP address range for our company and the router’s IP (as default gateway)
- ISP DNS servers or any public DNS servers – to be able to access Internet resources from our company
- Services we need to run – what additional services will be required to fulfil the company’s requirements
Let’s start collecting them all.
- Company name – Test Environment
- Network configuration – IP addresses range 192.168.1.0/24; the first available IP address is a router (default gateway)
- Public DNS servers – 8.8.8.8 and 8.8.4.4 (Google public DNS servers)
- Services – Active Directory: Directory Services, DNS server(s)
Now you can install your first Windows Server 2016 and configure it. After that you will be able to promote this server to a Domain Controller.
When your server is installed, log on with the local Administrator account and start its preparation.
Open Server Manager (or wait a short while, because it starts by itself by default), set up a static IP address for your server (in this case 192.168.1.10 with the 255.255.255.0 network mask), configure the time zone and change the server name according to the naming convention in your company.
You may also set up other options there, like NIC teaming, remote management and remote access.
This is a very important part of the network configuration before promoting the server to a Domain Controller. As the preferred DNS server type 127.0.0.1 (the loopback interface) or the server’s own address, 192.168.1.10, so that the server uses its own DNS. (Once you have a second DC, the usual recommendation is to put the other DC first and the loopback address as the alternate.)
To configure the network parameters, click on the “Local Server” node on the left side of Server Manager
and then click on “Ethernet” to configure these settings
You will see “Network connections”, where your network card is shown
Edit its properties and set up the required IP information under the IPv4 section
Under its properties enter a valid IP address, network mask, default gateway and DNS server IP address
Now let’s configure the server name and reboot so we can start Domain Controller promotion. To change the server name, click on the “Computer name” section and provide the appropriate name
Apply the changes and reboot the server. When your server is up and running again, you can start the promotion process.
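The network and name preparation above done from PowerShell instead of Server Manager, as an added example that is not part of the original article. It uses the article’s addressing (192.168.1.10/24, router as default gateway at 192.168.1.1, DNS pointed at the loopback address) and assumes the adapter is called “Ethernet”, the new computer name is PLWROW082WDC001, and the box runs PowerShell 5 (Set-TimeZone). The time zone ID is an assumption as well; pick yours.

```powershell
# Added example (not part of the original article): static IP, DNS, time zone and
# computer name for the future first DC. Assumptions: adapter "Ethernet", gateway
# 192.168.1.1, name PLWROW082WDC001, time zone below.
$nic = Get-NetAdapter -Name 'Ethernet'

# Drop any DHCP lease and existing default route, then assign the static configuration
Set-NetIPInterface -InterfaceIndex $nic.ifIndex -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress 192.168.1.10 -PrefixLength 24 `
                 -DefaultGateway 192.168.1.1 | Out-Null

# First DC of a new forest hosts DNS itself, so the resolver points at the loopback address
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses 127.0.0.1

# Kerberos tolerates 5 minutes of clock skew; get the time zone right before promotion
Set-TimeZone -Id 'Central European Standard Time'

# Show the result, then rename and reboot so the new name is in effect before the AD DS role goes on
Get-NetIPConfiguration -InterfaceIndex $nic.ifIndex
Rename-Computer -NewName 'PLWROW082WDC001' -Force -Restart
```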
Install the Active Directory Domain Services role and, after that, follow the post-install step that promotes the server to a Domain Controller. To do that, open Server Manager and go to “Add roles and features” on the Dashboard screen
You will see a wizard which guides you through the role installation process. Go on, using the default options, up to the screen with the role selection and choose the “Active Directory Domain Services” role. Confirm all the dependent roles/features to be installed with the AD DS role
Confirm also the features which will be installed with the selected role
Go “Next” to screen with installation summary and click “Install”
and wait until the Active Directory Domain Services role is installed
When the role is installed, you will see a yellow exclamation mark in the notification area
That means there are additional steps to do after the role installation. Click on that field and you will see what to do next
Click on “Promote this server to a domain controller” and promotion wizard will be displayed.
It is similar to the previous DCPROMO wizard on older OS versions, but the promotion process is much simpler than before and requires fewer steps to finish.
In your case you are configuring a new forest root domain, so you need to choose the “Add a new forest” option and specify the DNS domain name for this new forest. As mentioned before, in this example you will use testenv.local as the DNS domain name
On the next screen you need to specify the Domain and Forest Functional Levels.
When you are configuring a new forest root domain you cannot set the Windows Server 2003 Domain or Forest Functional Level. The lowest possible mode is Windows Server 2008. You need to know that when you are planning a new infrastructure, because Windows Server 2003 Domain Controllers are no longer supported in this scenario: Windows Server 2003 support has ended.
Information! In this Technical Preview build, the highest available Domain and Forest Functional Level is Windows Server 2012 R2! It looks like the new levels are not ready yet, or are too unstable to be implemented. (The released Windows Server 2016 adds a Windows Server 2016 level.)
For more details about raising domain and forest functional levels, please check another articles on my blog:
Important! Once you set a Domain/Forest Functional Level, it cannot be changed to a lower mode, so be careful when you choose them. If you are not sure which functional level is adequate for you, choose the lower one. You can always raise it later without any business continuity disruption.
Define whether the server will have the DNS role installed and whether it will be a Global Catalog. As this is the first Domain Controller, both must be installed.
Specify the Directory Services Restore Mode (DSRM) password. This is the password of the local Administrator account when the DC is booted into DSRM; it is separate from the domain Administrator account, which takes over the password of the server’s local Administrator account during promotion
As this is the first Domain Controller and a forest root domain, do not worry about DNS delegation and go to the next step
When you have specified the DNS domain name, you also need to type the NetBIOS domain name. By default the wizard suggests the first label of the DNS domain name. If you have no reason to use a different NetBIOS name, I would suggest leaving it, because after changing this name you will have an issue with Active Directory Administrative Center, which does not recognize a changed NetBIOS domain name (it uses the first label of the DNS domain name).
Specify the location of the AD database and SYSVOL. You may leave the defaults or move them to a dedicated drive
You will see a summary screen with all the details before installation. As in Windows Server 2012, everything from Server Manager is translated into PowerShell and executed in the background, so you may click on “View script” to see what will be done to install and configure the Domain Controller
When you are ready, click “Next” to go to the final screen, where the script is executed in the background
If all prerequisites pass, you can start the installation
Wait a while and the server will be rebooted. After the reboot, your server is a Domain Controller.
Congratulations! Your Domain Controller for a forest root domain is ready! You can log on to it with the domain Administrator account; its password is the one the local Administrator account had before promotion (the DSRM password you typed into the wizard is a separate one 🙂 )
Log on to your new Domain Controller using the domain administrator credentials.
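The new-forest promotion as a script, the counterpart of what the wizard shows under “View script”, as an added example that is not part of the original article. It assumes the article’s names (testenv.local, NetBIOS TESTENV), the Windows Server 2012 R2 functional level the article says is the highest available in this Technical Preview, and the default database, log and SYSVOL paths; the DSRM password is read interactively.

```powershell
# Added example (not part of the original article): role installation, prerequisite
# check and forest creation in one run. Assumptions: names, functional level and paths below.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module ADDSDeployment

$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password'

$params = @{
    DomainName                    = 'testenv.local'
    DomainNetbiosName             = 'TESTENV'
    ForestMode                    = 'Win2012R2'   # highest level offered by this Technical Preview
    DomainMode                    = 'Win2012R2'
    InstallDns                    = $true         # first DC must host DNS and the Global Catalog
    CreateDnsDelegation           = $false        # there is no parent zone to delegate from
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    NoRebootOnCompletion          = $false
    Force                         = $true         # suppress the interactive confirmation
}

# Dry run: surfaces blocking problems (DNS client settings, DSRM password complexity, ...)
$check = Test-ADDSForestInstallation @params
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite check failed; fix the issues above before promoting.'
}

# Real promotion; the server reboots by itself when it finishes
Install-ADDSForest @params
```

Test-ADDSForestInstallation takes the same parameters as Install-ADDSForest, so keeping them in one splatted hashtable guarantees the dry run and the real run check exactly the same configuration.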
We have to configure the DNS server to send unresolved DNS queries to the ISP’s DNS server(s) or any other public DNS server(s). This configuration is necessary to be able to access Internet resources from our internal network.
If you do not have public DNS server IP addresses or do not want to define them, do not put anything under the “Forwarders” tab; by default the “Root hints” will be used. In that case, skip the next few steps.
Open the DNS management console from Tools in Server Manager and select the server name.
In the right pane, at the bottom of the window, double-click on Forwarders
When the Forwarders window appears, click on the “Edit” button to enter the public DNS servers for Internet access
You should see a window where you can enter the ISP or public DNS servers. Add them to the list. In this case we will use the Google public DNS servers (8.8.8.8 and 8.8.4.4). Wait until they are validated and close the console
After all that, you should consider Domain Controller and DNS server redundancy in your network by placing an additional server with these roles. Another very important part is performing a System State backup of your Domain Controllers regularly.
If you lack hardware resources in your network, you can consider placing the DHCP server on this Domain Controller. However, installing additional roles on DCs is not recommended, for security reasons and because of rights delegation: anyone who administers the extra role ends up with local rights on a Domain Controller.
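The forwarder configuration, a check that internal and external names now resolve, and the first System State backup the previous paragraph asks for, as an added example that is not part of the original article. It assumes the Google resolvers used above, that the script runs on the new DC, and that a separate volume E: exists as the backup target (never back up a DC to its own system volume).

```powershell
# Added example (not part of the original article): forwarders, resolution check and
# System State backup on the new DC. Assumptions: resolvers 8.8.8.8/8.8.4.4, target E:.
Import-Module DnsServer

# Set the forwarder list; root hints stay as the fallback if the forwarders do not answer
Set-DnsServerForwarder -IPAddress 8.8.8.8, 8.8.4.4 -UseRootHint $true
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout

# Prove that this DC resolves both its own zone and an external name
$tests = @{
    Internal = Resolve-DnsName -Name 'testenv.local'    -Type A -Server 127.0.0.1 -ErrorAction SilentlyContinue
    External = Resolve-DnsName -Name 'www.microsoft.com' -Type A -Server 127.0.0.1 -ErrorAction SilentlyContinue
}
foreach ($name in $tests.Keys) {
    $state = if ($null -ne $tests[$name]) { 'OK' } else { 'FAILED' }
    '{0,-8} resolution: {1}' -f $name, $state
}

# System State = AD database, SYSVOL, registry and boot files: the set you restore a DC from
Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
wbadmin start systemstatebackup -backupTarget:E: -quiet
```

Check the last line of wbadmin’s output for "The backup operation successfully completed" and keep the target volume off the DC’s own disks; a System State backup is only useful if it survives the failure you are protecting against.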
Author: Krzysztof Pytko
The role of auditing network events/activities in maintaining a secure IT environment
If you’re an IT administrator, you probably already know that a large share of security breaches involve insider abuse or misuse, and that the number of reported breaches grows every year. Most organisations house sensitive data somewhere on their systems that, if exposed, could be costly and damaging to the reputation of the business.
Thankfully, Windows comes with numerous auditing capabilities that can be used to track events or activities within the network. In this blog we discuss the nine audit settings (the legacy audit policy categories under Local Policies -> Audit Policy) that you can configure in the Windows operating system to better monitor your Active Directory environment.
1. Audit Account Logon Events
When active, this audit setting records each time the computer validates the credentials of a user account; on a Domain Controller this covers Kerberos and NTLM authentication for domain accounts.
There are only two audit options available: successful attempts and failed attempts. You can check either one or both (or neither, if you require no auditing) according to your Active Directory monitoring requirements. In the above image we have checked the “Success” option.
After configuring this setting, you can view the audit events in the Event Viewer. Navigate to Windows Logs -> Security in the left panel and all the audit success events are shown in the right panel. Click on a particular event to get detailed information in the lower right section of the window.
Refer to the highlighted portion in the below image for reference.
2. Audit Account Management
Configuring this audit setting enables you to audit user and group account management and get details on the following:
- User accounts or groups that are created, changed, or deleted
- User accounts that are renamed, disabled or enabled
- User accounts where the password has been set or changed
3. Audit Directory Service Access
This audit setting determines whether the operating system audits attempts by users to access objects in Active Directory. Only objects that carry a system access control list (SACL) you have configured are audited, and only when the requested access type (Read, Write, Modify and so on) matches an entry in that SACL.
4. Audit Logon Events
This setting enables you to audit every instance of a user logging on to or off from the system, including network and interactive logons and, with “Failure” enabled, bad-password attempts.
5. Audit Object Access
The “Audit Object Access” setting enables auditing of user attempts to access objects that are not in Active Directory, such as files, folders, registry keys and printers. As with directory objects, the system only generates audit entries for objects whose SACL specifies the access being attempted.
6. Audit Policy Change
Configuring this setting enables you to audit each instance of a user attempting to modify critical policies, including trust policy, account policy, audit policy and the user rights assignment policy. Watch this one closely: an attacker who has gained administrative rights will often try to switch auditing off.
7. Audit Privilege Use
This audit setting monitors the use of user rights and privileges (such as backup, restore or debug rights) when a user performs specific tasks. Defining this policy setting not only helps track the actions of privileged users but also helps ensure they do not misuse the rights granted to them. To generate an audit entry when a user succeeds in exercising a right or permission, check the “Success” option; to generate entries when the exercise of a user right fails, select the “Failure” option.
8. Audit Process Tracking
Configuring this security setting tracks process-related activities, including process creation, handle duplication, process termination and indirect object access.
9. Audit System Events
“Audit System Events” records security system startup and shutdown, changes to the system time, and the loading of extensible authentication components (authentication packages and the like), which attackers may load for their own purposes.
Defining this security policy also allows you to keep track of audited events lost due to a failure of the auditing system, and shows you whether the security log size has exceeded the configured warning threshold.
Enabling all these settings and keeping track of them can be a laborious and time-consuming task. Administrators often turn to third-party solutions to automate the auditing and monitoring of their critical IT systems. LepideAuditor for Active Directory tracks changes across Active Directory, sends real-time alerts and notifications straight to the inbox, and generates detailed reports with a single click.
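The nine categories above turned on and read back without a GUI, as an added example that is not part of the Lepide post. Modern Windows exposes each legacy category as several advanced-audit subcategories, so the script enables the subcategories that correspond to the nine items through auditpol (the mapping below is the standard one, chosen by me), then pulls the well-known Security event IDs for each category from the last 24 hours. It assumes an elevated PowerShell on the audited machine; the Kerberos/NTLM IDs only appear on a Domain Controller.

```powershell
# Added example (not part of the original post): enable the audit subcategories that map
# onto the nine legacy categories, then summarise the matching Security events.
# Assumptions: run elevated; subcategory-to-category mapping chosen by the author of this example.
$subcategories = @(
    'Credential Validation',        # 1. Account Logon
    'User Account Management',      # 2. Account Management
    'Security Group Management',
    'Directory Service Access',     # 3. Directory Service Access (objects need a SACL)
    'Logon', 'Logoff',              # 4. Logon Events
    'File System',                  # 5. Object Access (files need a SACL)
    'Audit Policy Change',          # 6. Policy Change
    'Sensitive Privilege Use',      # 7. Privilege Use
    'Process Creation',             # 8. Process Tracking
    'Security State Change',        # 9. System Events
    'Security System Extension'
)
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}
# Anything still reporting "No Auditing" was not covered by the list above
$unaudited = (auditpol /get /category:* | Select-String 'No Auditing').Count
"Subcategories still unaudited: $unaudited"

# Event IDs a reviewer looks at first, grouped by the categories above
$watch = @{
    4776 = 'Credential validation (NTLM)';   4768 = 'Kerberos TGT requested'
    4720 = 'User account created';           4726 = 'User account deleted'
    4724 = 'Password reset by another user'; 4728 = 'Member added to global group'
    4732 = 'Member added to local group';    4756 = 'Member added to universal group'
    4624 = 'Logon succeeded';                4625 = 'Logon failed'
    4662 = 'Directory object accessed';      4663 = 'File/registry object accessed'
    4719 = 'Audit policy changed';           4673 = 'Privileged service called'
    4688 = 'Process created';                4616 = 'System time changed'
    4608 = 'Windows starting up'
}

$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$watch.Keys; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object Count -Descending |
    ForEach-Object { '{0,6}  {1,-5} {2}' -f $_.Count, $_.Name, $watch[[int]$_.Name] }
```

Two caveats a practitioner should keep in mind: once any advanced subcategory is set, Windows ignores the legacy nine-category settings on that machine, so manage the policy in one place (ideally a GPO), and categories 3 and 5 produce nothing until you also put a SACL on the objects you care about.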
You can install the server system with or without a GUI; you have two choices:
- install core edition
Windows Server 2016 Technical Preview 3
- install server with GUI
Windows Server 2016 Technical Preview 3 – Server with Desktop Experience
If you choose the second installation option, that’s all in this case. After the OS installation you get the Windows Server desktop with the complete GUI.
What if you decided to install the Core edition and after some time you do not want to use it any more? In this Technical Preview you can still use PowerShell to install the missing features and get a full server with GUI, but with Windows Server 2016 it is not as simple as it was in Windows Server 2012/2012 R2. (Be aware that in the released Windows Server 2016 this option is gone altogether: Server Core cannot be converted to Server with Desktop Experience, you have to reinstall.)
When you try to install the missing features from the PowerShell console and your server has no access to the Internet, the installation fails!
This happens because, from Windows Server 2016 on, the GUI features are removed from the installation image, so you cannot simply turn them on or off on a Core installation.
Open a PowerShell console and search for the feature names to install
Get-WindowsFeature -Name *GUI*
In the “Install State” column you will see that the features’ state is “Removed”.
If you simply try to install these features and your server has no access to the Internet, or no installation source is defined by Group Policy, the operation fails. It is quite likely that your server has no Internet access and, if this is your first Windows Server 2016 installation, you probably have no central location where the shared components for this system are available either.
If your server does have Internet access, simply type this syntax in the PowerShell console and wait a couple of minutes
Install-WindowsFeature -Name Server-Gui-Shell,Server-Gui-Mgmt-Infra
but if you have no access to the Internet, you will see an error similar to this in the console
Then you have to use your installation media to install the server GUI features. Before you can do that, you need to identify the index of the Windows Server 2016 edition from which you want to install the features. They are only available in the full editions, so you need to skip the indexes of the Core editions in the list. To get information about the editions available in the install.wim installation file, use the PowerShell cmdlet below
Get-WindowsImage -ImagePath d:\sources\install.wim
where d:\ is the drive letter of your installation media
Check the index number of the Standard or Datacenter edition and remember it. As you can see in the screenshot above, the appropriate image index is 2 or 4
In these images all the required features are available and they can be used as the installation source.
To install a feature from a non-default location, you need to pass the -Source switch to the Install-WindowsFeature cmdlet. The switch requires the syntax wim:<path to install.wim>:<image index>
The full installation syntax is shown below
Install-WindowsFeature -Name Server-Gui-Shell,Server-Gui-Mgmt-Infra -Source wim:d:\sources\install.wim:2
and now your installation should succeed even if your server does not have access to the Internet
After some time you will be prompted to reboot the server to apply the changes
Use the Restart-Computer PowerShell cmdlet to restart the server and wait a couple of minutes for the changes to apply
While the server is booting you should see the features being configured on the screen
When it is done, you should see the logon screen
Provide the appropriate credentials and check whether you can see the desktop
If you can see the Start tile and the other desktop features, congratulations: everything is configured properly. You can now do whatever you want with your server.
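The same procedure with the image index picked automatically instead of read off a screenshot, as an added example that is not part of the original article. It assumes the installation media is mounted as D:, that the full editions are the ones whose image name contains “Desktop Experience” (the naming used in this Technical Preview), and that the Server-Gui-Shell and Server-Gui-Mgmt-Infra feature names of Technical Preview 3 still apply (they do not exist in the released Windows Server 2016).

```powershell
# Added example (not part of the original article): select the full-edition index in
# install.wim and install the GUI features from it offline.
# Assumptions: media on D:, full editions named "... Desktop Experience", TP3 feature names.
$wim = 'D:\sources\install.wim'

# List the editions and pick the first full (non-Core) one as the source image
$images = Get-WindowsImage -ImagePath $wim
$images | Format-Table ImageIndex, ImageName -AutoSize
$full = $images | Where-Object { $_.ImageName -match 'Desktop Experience' } | Select-Object -First 1
if (-not $full) { throw "No full (GUI) edition found in $wim" }
"Using index $($full.ImageIndex): $($full.ImageName)"

$features = 'Server-Gui-Shell', 'Server-Gui-Mgmt-Infra'

# "Removed" means the binaries are not on disk at all; they must come from -Source
Get-WindowsFeature -Name $features | Format-Table Name, InstallState -AutoSize

# -Source syntax: wim:<path to install.wim>:<image index>
$result = Install-WindowsFeature -Name $features -Source "wim:$($wim):$($full.ImageIndex)"
$result | Format-List Success, RestartNeeded, ExitCode, FeatureResult

if ($result.Success -and $result.RestartNeeded -eq 'Yes') {
    Restart-Computer -Force
}
```

If Install-WindowsFeature still fails with the source given, check that the index really belongs to a full edition (a Core image carries no GUI payload) and that the media is the same build as the running server; feature binaries from a different build are rejected.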
Author: Krzysztof Pytko