Archive: ‘AD in general’ Category

NIC2012

No comments January 16th, 2012

This weekend I attended the NIC2012 conference in Oslo.

Many interesting sessions were on the schedule like DS MVP Brian Desmond’s “What’s new in Windows Server 8 Active Directory” and “Kerberos uncovered”.

Key notes from WinServer 8 AD:

  • USN rollback prevention when restoring a snapshot (the PDCe needs to be on a Windows Server 8 DC)
  • Support for cloning DCs (handy when you have to deploy dozens of them)
  • GUI for the AD Recycle Bin and Fine Grained Password Policy
  • Dcpromo.exe is gone (you promote a DC from the server manager)
  • AD delivers the mechanism for file server access with Claims Based Authentication
  • A huge amount of new Powershell cmdlets

Unfortunately it looks like the video for this session is missing, but I’d recommend having a look at some other sessions like:

“Kerberos uncovered” by Brian Desmond:
http://vimeo.com/nicconf/review/35059113/4695c41e86

”How to Not Screw Up Your PKI Environment“ by Brian Komar:
http://vimeo.com/nicconf/review/35053082/aaff51b192

“What’s new in Windows 8 Hyper-V” by Ronald Beeklaar:
http://vimeo.com/nicconf/review/35059126/939388d621

All sessions: http://www.nic2012.com/nic2012_agenda

Active Directory Topology Diagrammer

No comments June 11th, 2011

An updated version of ADTD was just released. Go get it if you’d like graphical documentation of your domain. It requires MS Visio. The older version worked with the Visio trial version; I’ve not tested whether this version does.

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=13380

ADPREP

No comments February 5th, 2011

If you’re going to prepare your domain/forest for 2008/2008R2 domain controllers, you have to run ADPREP before you can promote them. If your existing domain consists of 32-bit 2003 DCs, you have to run the 32-bit version of ADPREP, named adprep32.exe.

Let’s say you have 3 domains in your forest and you want to raise the Forest Functional Level (FFL) and Domain Functional Level (DFL) to 2008R2.

1. Verify replication health (important):

The first thing you have to make sure of is that your replication is working. To get a quick forest-wide overview, you can use a tool called repadmin.exe (run it from cmd):

repadmin /replsum * /bysrc /bydest /sort:delta

Look at the output, and if all DCs show “Fails” = 0, you’re ready to move on. If it reports errors, you have to look into those before proceeding.

2. Extend the schema:

Log on to the DC holding the Schema Master role. If you don’t know which DC that is, run “netdom query fsmo” from any DC. Have the 2008R2 media reachable from the Schema Master.

If the Schema Master is a 32-bit 2003 DC, run:

adprep32 /forestprep

If you want to be 100 percent sure that the extensions are replicated to all DCs before moving on to the next step:

Open ADSIedit.msc and navigate to:

Schema > (Properties on) “CN=Schema,CN=Configuration,DC=domain,DC=com”

Check the “objectVersion” value. It should be “47” if the extension has replicated.

Also verify this on the PDCe DC in the other domains. If the value is “30” (2003 level), the change has not been replicated yet. To trigger a replication:

On the PDCe DC: “repadmin /syncall /A /P /e”

When all DCs have the correct value, you can:

3. Prepare the domain:

Run “adprep32 /domainprep” on each DC holding the Infrastructure Master (IM) FSMO role. There is one IM in each domain. If you don’t plan to add 2008 DCs to, e.g., Domain C, you don’t have to run this on the IM in Domain C.

4. If you have a Windows 2000 domain, you have to run:

“adprep32 /domainprep /gpprep”

It will not hurt to run this on a 2003 domain, as you can run the adprep commands as many times as you want.

5. RODCs

If you plan to add RODCs to your domain, run:

“adprep32 /rodcprep”

If you’ll never add RODCs you can skip this, but DCDIAG will report an error regarding “NCSecDesc”. You can ignore the error, but who likes to do that?

FAQs and common errors regarding ADPREP from the TechNet Wiki:

http://social.technet.microsoft.com/wiki/contents/articles/troubleshooting-adprep-exe-errors-dsforum2wiki.aspx
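Checking objectVersion by hand in ADSIedit on every DC gets old quickly in a three-domain forest. The PowerShell script below is an added example, not part of the original post: it binds to the schema partition on each DC in turn (so it reads that DC’s own copy, not whatever DC the locator picks) and reports which DCs have not yet received the extension, plus the Schema Master and the Infrastructure Master of each domain, since that is where forestprep and domainprep have to run. It assumes PowerShell 2.0 or newer on a domain member; the expected value 47 (2008 R2) and 30 (2003 level) are the numbers from the post, and the script name used in the usage note is my own.

```powershell
# Added example, not from the original post. Reads objectVersion of the schema
# partition from every DC in the forest and reports which DCs still lag behind,
# so you know when it is safe to continue with domainprep.
# Assumes PowerShell 2.0+ on a domain member; any authenticated user can read this.
param([int]$ExpectedVersion = 47)   # 47 = 2008 R2 schema, 30 = 2003 level (values from the post)

$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaNc = ([ADSI]"LDAP://RootDSE").schemaNamingContext.Value

Write-Host ("Schema master: {0}" -f $forest.SchemaRoleOwner.Name)
foreach ($domain in $forest.Domains) {
    # domainprep later has to run on each of these
    Write-Host ("Infrastructure master of {0}: {1}" -f $domain.Name, $domain.InfrastructureRoleOwner.Name)
}

$lagging = @()
foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        $version = -1
        try {
            # Bind to the schema head on this specific DC, so we read that DC's own copy
            $schema  = [ADSI]("LDAP://" + $dc.Name + "/" + $schemaNc)
            $version = [int]$schema.objectVersion.Value
        } catch {
            # $version stays -1, which is reported as unreachable below
        }
        if ($version -eq $ExpectedVersion) {
            $state = "OK"
        } elseif ($version -lt 0) {
            $state = "UNREACHABLE"
        } else {
            $state = "NOT REPLICATED YET"
        }
        Write-Host ("{0,-45} objectVersion={1,3}  {2}" -f $dc.Name, $version, $state)
        if ($version -ne $ExpectedVersion) { $lagging += $dc.Name }
    }
}

if ($lagging.Count -eq 0) {
    Write-Host "Every DC reports objectVersion $ExpectedVersion; safe to move on to domainprep."
} else {
    Write-Host ("Hold domainprep. Still waiting on: " + ($lagging -join ", "))
    Write-Host "Trigger replication on the PDCe with: repadmin /syncall /A /P /e"
}
```

Save it as, for example, Check-SchemaVersion.ps1 and run it from the Schema Master right after forestprep, then again after the repadmin /syncall; domainprep waits until every DC prints OK. A DC that stays UNREACHABLE is worth the same attention as one that lags: it is also the one that will not get the domainprep changes.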

Do I need WINS?

No comments December 15th, 2010

No, you do not!

Unless:

  • You have Exchange 2000/2003 and want to preserve full functionality. Changing a domain password with OWA 2003, export/import with Exmerge, and Outlook clients prior to 2003 all require WINS.
  • You have a large subnetted network; NetBIOS broadcasts may not work between the subnets.
  • You have a third-party program that requires WINS.

I assume you don’t have any NT servers or Win98 clients :) 

If you do have a WINS server in play, you could use “Performance Monitor” to monitor WINS queries (“Successful Queries/sec”).

If you have a lot of queries, you should consider whether NetBIOS name query broadcasts are acceptable. Bear in mind that broadcasts will increase the load on your network.

References:

http://technet.microsoft.com/en-us/library/cc784180(WS.10).aspx
http://support.microsoft.com/?kbid=837391

Documenting AD groups

No comments October 29th, 2010

AD group membership should be documented, but there is no good built-in MS tool that can do it for you (at least none that I’m aware of). You can use tools such as “dsget group”, but you can’t pipe the output to Excel and get it user/customer friendly :|

Here is a script that will do the job for you. It requires that you have Excel installed.
If you don’t have Excel, it will work on a trial version that you’ll find here.

'------------------Save me as .vbs ----------------------------------------------
' The script searches for all AD groups (in the scope you specify) and writes
' the group name with the group manager and its members to an Excel spreadsheet.
' One sheet per group.
' Privileges to run: "domain users"
' v.1.1
' rsoe(a)hotmail.com
' www.adfordummiez.com
'-------------------------------------------------------------------------------
On Error Resume Next
' -----CHANGE THIS CONSTANT SO IT REFLECTS YOUR DOMAIN NAME -------------
Const MyDomain = "dc=spurs,dc=local"
' If you don't want all built-in groups but only groups in a specific OU:
' Const MyDomain = "ou=ChildOU,ou=ParentOU,dc=spurs,dc=local"
'------------------------------------------------------------------------
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

' Open Excel for writing
Set objExcel = CreateObject("Excel.Application")
objExcel.Visible = True
objExcel.Workbooks.Add

' Find all groups
objCommand.CommandText = _
    "SELECT ADsPath, Name FROM 'LDAP://" & MyDomain & "' WHERE objectCategory='group'"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Do Until objRecordSet.EOF
    Set objGroup = GetObject(objRecordSet.Fields("ADsPath").Value)
    strGroupName = objRecordSet.Fields("Name").Value

    ' Find if the group has a manager. Get raises an error when managedBy is
    ' not set, so clear Err first and check it afterwards.
    Err.Clear
    strManagedBy = objGroup.Get("managedBy")
    If Err.Number = 0 And Not IsEmpty(strManagedBy) Then
        strManager = strManagedBy
    Else
        strManager = "-"
    End If

    ' Give the sheet the group name. One sheet per group.
    ' (Excel sheet names are limited to 31 characters and cannot contain
    ' \ / ? * [ ] : so such groups end up on a default-named sheet.)
    objExcel.Sheets.Add.Name = strGroupName

    Err.Clear
    arrMemberOf = objGroup.GetEx("member")
    objExcel.Cells(1, 1).Value = "Members of " & strGroupName & ":"
    objExcel.Cells(2, 1).Value = "Managed by: " & strManager
    i = 3
    count = 0
    ' Check to see if the group contains members
    If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then
        For Each strMemberOf In arrMemberOf
            Set objMember = GetObject("LDAP://" & strMemberOf)
            ' Strip the "CN=" prefix from the member's RDN
            strMemberName = Right(objMember.Name, Len(objMember.Name) - 3)
            objExcel.Cells(i, 1).Value = strMemberName
            Set objMember = Nothing
            i = i + 1
            count = count + 1
        Next
    End If
    ' Written for empty groups too (count = 0)
    objExcel.Cells(i, 1).Value = "Member count: " & count

    i = 0
    count = 0
    strManagedBy = ""
    objRecordSet.MoveNext
    Set objGroup = Nothing
Loop
' EOF

The perfect excuse to buy an iPhone 4

No comments October 28th, 2010

Most of the phone calls the AD service desk receives are about user accounts that have been disabled or forgotten passwords.
This is a small task to handle if you have a task pad of ADUC in front of you.

It’s Saturday and you are watching a Tottenham game with a fellow Spurs fan at his place. You receive a call from your boss, who has forgotten his AD password. He tells you to reset his password *now*!

Your friend doesn’t have an Internet connection, so you have to get down to the office to reset his bloody password. Arrrgg! 

I just bought an iPhone 4 and downloaded an app called “AD Helpdesk”. If you have one, you can watch the game and please your boss at the same time.

Set up a VPN connection on the phone to reach your internal network and start the app.

Search AD for his username and just reset his password from the app.

More about the app: http://adhelpdesk.com/

Configure the time

3 comments June 23rd, 2010

Applies to Server 2003/2008. Not for Windows 2000.

Time is crucial in an Active Directory domain. If there is, for example, more than 5 minutes of offset between a DC and a client computer, the Kerberos protocol used for authentication will fail.

You may also see problems with AD replication if two DCs are out of time sync, since attributes that are changed are time stamped when the change occurred. The time stamp is one of three functions to prevent replication/attribute conflicts.

When a user logs on to his/her workstation and authenticates, the computer will synchronize its time with the authenticating DC.

This DC, if it’s not the PDC role holder, synchronizes its time with the domain’s PDCe role holder.

The PDCe holder should synchronize its time with a reliable time source. You can find an NTP server close to you HERE.
If the DC holding the PDCe role dies, or the role is transferred or seized, you have to configure the time source on the new PDCe.
Configuring the external time source can be a mess, and maintaining it might be even messier.

The MS DS team made a blog entry about this some time ago and I must say it’s a really elegant approach!!

In short, they create a GPO, set an external time source, configure a WMI filter so the GPO applies only to the domain’s PDCe role holder, and link the GPO to the Domain Controllers container.

Open the GPMC and create a new WMI filter:

Query: Select * from Win32_ComputerSystem where DomainRole = 5

Create a new GPO and set the external time source:

Computer Configuration/Administrative Templates/System/Windows Time Service/Time Providers/Configure Windows NTP Client

You set the NtpServer you prefer and change the type to NTP.

Apply the WMI filter to this GPO, and link the GPO to the Domain Controllers container.

To see how the DCs are synchronizing their time, run: w32tm /monitor


Here dc01test.spurs.local (the PDCe holder) uses its HW clock while dc4test.spurs.local is synchronizing with dc01test.

Restart the time service (net stop w32time && net start w32time) and force a Group Policy update (gpupdate /force or wait 5 minutes)

Now the newly created GPO is applied and dc01test is synchronizing with the external time source.

You can also see this in the System Event log:

So what happens if I transfer the PDCe role from dc01test to dc4test?

I wait for 5 minutes (and run w32tm /monitor just to check):

As you can see dc4test is now synchronizing with the external time source, while dc01test is synchronizing with dc4test.

You don’t have to think about configuring the time source if your PDCe role is transferred.
You don’t even have to clean up the old PDCe holder, as the registry doesn’t get tattooed by this!!!
If you configure the time with a GPO, the registry settings will be located here:

HKLM/Software/Policies/Microsoft/Windows/W32time

If you don’t use a GPO, the settings will be set here:

HKLM/System/CurrentControlSet/Services/W32time

The first one takes precedence over the second one.
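After a role transfer the whole scheme depends on the WMI filter matching exactly one DC, the new PDCe, once Group Policy has refreshed. The PowerShell script below is an added example, not part of the original post or the AskDS article: it evaluates the same Win32_ComputerSystem DomainRole test as the filter on every DC, compares the result with the PDC emulator that AD itself reports, and prints each DC’s current time source so you can see the hand-over described above without reading w32tm /monitor by eye. It assumes PowerShell 2.0 or newer, WMI reachable on the DCs, and Windows Server 2008 or newer on the DCs, because the 2003 version of w32tm has no /query option (on 2003, swap that line for w32tm /monitor).

```powershell
# Added example, not from the original post. Shows which DC the WMI filter
# "Select * from Win32_ComputerSystem where DomainRole = 5" would match, checks
# that it is the PDC emulator AD knows about, and prints each DC's time source.
# Assumes PowerShell 2.0+ and Windows Server 2008 or newer on the DCs
# ("w32tm /query" does not exist on the 2003 version of w32tm).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdce   = $domain.PdcRoleOwner.Name
Write-Host "PDC emulator according to AD: $pdce"

$filterHits = @()
foreach ($dc in $domain.DomainControllers) {
    # Same class and property the GPO's WMI filter evaluates on each DC
    $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $dc.Name -ErrorAction SilentlyContinue
    if ($cs -eq $null) {
        Write-Host ("{0,-30} WMI not reachable" -f $dc.Name)
        continue
    }
    $filterHit = ($cs.DomainRole -eq 5)      # 5 = primary domain controller (PDCe), 4 = other DC
    if ($filterHit) { $filterHits += $dc.Name }

    # Where is this DC actually taking its time from right now?
    # Before the GPO applies, the PDCe shows "Local CMOS Clock" (the HW clock from the post).
    $source = (& w32tm /query /source /computer:$($dc.Name) 2>&1) -join " "
    Write-Host ("{0,-30} DomainRole={1} filterMatch={2,-5} source={3}" -f $dc.Name, $cs.DomainRole, $filterHit, $source)
}

# Exactly one DC must match the filter, and it must be the PDCe; anything else
# means the time-source GPO lands on the wrong machine (or nowhere).
if ($filterHits.Count -eq 1 -and $filterHits[0] -eq $pdce) {
    Write-Host "OK: the WMI filter selects only the PDCe ($pdce)."
} else {
    Write-Host ("WARNING: filter matches [{0}] but the PDCe is {1}" -f ($filterHits -join ", "), $pdce)
}
```

Run it once before the role transfer and again five minutes after (as in the walkthrough above): the filterMatch column should move to the new PDCe, its source should change from the local clock to your external NTP server, and the old PDCe’s source should become the new PDCe.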

References:

http://www.pool.ntp.org/en/

http://support.microsoft.com/kb/816042

http://blogs.technet.com/b/askds/archive/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering.aspx

GPO backup

No comments March 16th, 2010

When you take a System State backup of a DC it includes a backup of your SYSVOL with all your GPOs. If a GPO gets corrupted or is accidentally deleted, you have to restore the System State to get the policy back. This operation is time consuming.

With the Group Policy Management Console (GPMC) you can take backups of your GPOs directly from the console (and even restore them), which is less time consuming than a System State restore.

Even better are the scripts that come with the GPMC. With them you can, for example, schedule a regular backup of all GPOs.

I made a script that dumps the GPOs to a file share, using some of the scripts that came with the installation of the GPMC.

Download the GPMC here for Win2003.

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Backup all GPO's in the domain
' author: Rune Sørensen
' 14.04.2009 , v.1.0
'
' Save the script as a vbs file and run it once or create a scheduled task
' running the script.
' \\server\share should reflect your servername and sharename
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Option Explicit
Dim fso, strPath, objShell
Dim strExecuteBackup, strQueryBackups, strCreateReport

' Filepath to the share
strPath = "\\server\share\GPO_Backup\*"

Set fso = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("Wscript.Shell")

' Delete the last taken backup. DeleteFile/DeleteFolder raise an error when
' nothing matches the wildcard (e.g. on the first run), so ignore that case.
On Error Resume Next
fso.DeleteFile strPath, True
fso.DeleteFolder strPath, True
On Error GoTo 0

strExecuteBackup = "cmd /c " & "cd %programfiles%\gpmc\scripts\ && cscript BackupAllGPOs.wsf \\server\share\GPO_Backup"

strQueryBackups = "cmd /c " & "cd %programfiles%\gpmc\scripts\ && cscript QueryBackupLocation.wsf \\server\share\GPO_Backup > \\server\share\GPO_Backup\BackupLocations.txt"

strCreateReport = "cmd /c " & "cd %programfiles%\gpmc\scripts\ && cscript GetReportsForAllGPOs.wsf \\server\share\GPO_Backup"

' Run each step hidden (window style 0) and wait for it to finish (True)
' instead of sleeping a fixed number of seconds and hoping it is done.
objShell.Run strExecuteBackup, 0, True
objShell.Run strQueryBackups, 0, True
objShell.Run strCreateReport, 0, True

Set objShell = Nothing
Set fso = Nothing

'''''''''''''''''''''''' EOF ''''''''''''''
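On 2008 R2 (or a 2008 R2 RSAT workstation) the GPMC sample scripts are replaced by the GroupPolicy module, and the one design point worth changing from the script above is the order of operations: it deletes the previous backup before the new one exists, so a failed run leaves you with nothing. The PowerShell script below is an added example, not part of the original post: it backs up every GPO into a dated folder, writes a CSV index of GUID to display name (the job QueryBackupLocation.wsf did) and a full HTML report, and only then prunes folders older than the retention period. It assumes the GroupPolicy module is installed and that \\server\share\GPO_Backup (the share name from the post) is writable by the scheduled task’s account.

```powershell
# Added example, not from the original post. Same idea as the VBScript above
# (scheduled backup of every GPO plus a report), using the GroupPolicy module
# that ships with Server 2008 R2 / RSAT instead of the GPMC sample scripts.
# Assumes: the module is installed and \\server\share\GPO_Backup is writable.
Import-Module GroupPolicy

$root     = "\\server\share\GPO_Backup"
$keepDays = 30                                      # how many days of backups to keep
$stamp    = Get-Date -Format "yyyyMMdd-HHmm"
$target   = Join-Path $root $stamp

# New backups go into a dated folder, so the previous backup is never deleted
# before the new one has succeeded.
New-Item -ItemType Directory -Path $target | Out-Null

# Backup-GPO -All writes one folder per GPO (named by backup GUID) into $target
$backups = Backup-GPO -All -Path $target -Comment "Scheduled backup $stamp"

# One readable index: which GUID-named folder belongs to which GPO
$backups | Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path $target "BackupLocations.csv") -NoTypeInformation

# HTML report of all GPO settings, handy when you have to tell what was in a
# policy that got deleted or changed
Get-GPOReport -All -ReportType Html -Path (Join-Path $target "AllGPOs.html")

# Only after a successful run, prune dated folders older than $keepDays
$cutoff = (Get-Date).AddDays(-$keepDays)
Get-ChildItem -Path $root | Where-Object { $_.PSIsContainer -and $_.CreationTime -lt $cutoff } |
    Remove-Item -Recurse -Force

Write-Host ("Backed up {0} GPOs to {1}" -f @($backups).Count, $target)
```

Restore is then Restore-GPO -Name <display name> -Path <dated folder>, and the CSV tells you which dated folder holds the version you want. Keep the share’s ACL tight: a GPO backup contains every setting and script path in the policy, which is exactly what someone planning to tamper with Group Policy would like to read.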

Restore an OU

No comments March 11th, 2010

Assuming you have a 2003 SP1 (or newer) DC and a good System State backup that is not older than your domain’s tombstone lifetime.
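The “not older than the tombstone lifetime” condition is the one that bites when backups are rotated automatically and nobody looks at the dates. The PowerShell script below is an added example, not part of the original post: it reads the forest’s tombstoneLifetime attribute from the configuration partition and compares it with the age of the backup you are about to restore, passed in as -BackupDate (the default is a constructed sample value). It assumes PowerShell 2.0 or newer on a domain member.

```powershell
# Added example, not from the original post. Reads the forest's tombstone
# lifetime and tells you whether a given System State backup is still usable
# for an authoritative restore. Assumes PowerShell 2.0+ on a domain member.
param([datetime]$BackupDate = (Get-Date).AddDays(-45))   # when the backup was taken (constructed sample)

$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext.Value
$dsObj    = [ADSI]("LDAP://CN=Directory Service,CN=Windows NT,CN=Services," + $configNc)
$tslValue = $dsObj.tombstoneLifetime.Value

# If the attribute is not set, AD uses 60 days (forests created before 2003 SP1).
# Forests created with 2003 SP1 or newer have it set explicitly, normally to 180.
if ($tslValue -eq $null) { $tsl = 60 } else { $tsl = [int]$tslValue }

$age = ((Get-Date) - $BackupDate).Days
Write-Host "Tombstone lifetime: $tsl days, backup age: $age days"

if ($age -lt $tsl) {
    Write-Host ("Backup is usable for {0} more day(s)." -f ($tsl - $age))
} else {
    Write-Host "Backup is OLDER than the tombstone lifetime. Do not restore it:"
    Write-Host "it would bring back objects the other DCs have already garbage-collected (lingering objects)."
    Write-Host "Take a fresh System State backup from a surviving DC instead."
}
```

Run it as .\Check-BackupAge.ps1 -BackupDate "2010-01-29" (file name and date are illustrative) before booting into DSRM; it is much cheaper than finding out in the middle of the restore.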

Start the DC in DSRM (F8 at boot)

fig.1

Start NTBackup

Restore Wizard > Next

Choose the System state backup file > Next > Advanced

Restore files to “Original Location”

Leave existing files > Next

fig.2

If you have only one DC in your domain, tick the last checkbox (fig.2). If you have more than one, don’t tick it.

Press “Finish”

Do not restart the DC at this moment.

Mark the object as authoritative (meaning the object(s) will get replicated to other DC’s because it’s authoritative)

http://technet.microsoft.com/en-us/library/cc757068(WS.10).aspx

Open cmd >ntdsutil

> authoritative restore

> restore subtree distinguishedName

e.g. an OU called “Reserves”, holding all of Tottenham’s reserve user objects, accidentally got deleted. (What the heck. They aren’t good enough for the first team, but maybe someday they will be, so let’s get them back.)

fig.3

> quit

Restart the DC in normal mode (SP1 or newer). The AD Replication will do the job to get the OU and the user objects replicated to the other DC’s in the domain.

If you have a Windows 2003 SP1 or newer DC, ntdsutil will create two files if the restored user objects have any back-links to group memberships. If they do, you have to restore the back-links as well. But wait until all DCs have got the users replicated.

Syntax: ldifde -i -f <ar*.ldf>

e.g.: ldifde -i -f ar_20100129-081113_links_spurs.local.ldf

If you have a Win2008 R2 domain and restore a user from the Recycle Bin you don’t have to worry about the back-links. The process will do it for you.

Domain rename

5 comments March 8th, 2010

Domain renaming is not a daily task but a task you do if management forces you to do it! (e.g. because of a company restructuring, takeover, etc.)

There are many resources on the Internet sharing a “walk through” about this job, but I made my own documentation some years ago when I was told to rename the domain. So I just go with the flow and publish it.

To do this task your domain/forest functional level has to be at least 2003 and all DC’s need at least SP1.

Exchange 2003 SP2 is the only version that supports a domain rename. Exchange 5.5, 2000 and 2007 are not supported, and Exchange can’t be installed on a DC.

Before you proceed you do have to read the official documentation and requirements from Microsoft:  http://technet.microsoft.com/nb-no/windowsserver/bb405948(en-us).aspx

- Download the domain rename tools

- Understanding How Domain Rename Works

- Step-by-Step Guide to Implementing Domain Rename

The environment consisted of:

One forest (2003 Functional level) with three domains (2003 FL, transitive trust and a parent-child trust), six DC’s (Win2003 SP1) and four Exchange servers (Win2003 SP1 with Exchange SP1).

The objective was to rename one of the three domains. (The domain without a child).

Before we started banging on the production environment, we made a test environment to test the rename and its impact on all third-party applications like Citrix, MSSQL based applications and HP Data Protector. After a month of testing and three successful renamings, we moved over to the production environment.

Preparing:

To increase your chance of a successful renaming, your domain has to be in good shape.

· Your event logs should be clean on all DC’s and Exchange servers
· “dcdiag /v /e /c” should be clean
· “netdiag /debug /v” should be clean

You need to have a domain member to act as the Control Station (CS). It should be at least a Win2003 SP1 server. Log on to the control station with an enterprise admin (I guess you don’t bother with “run as” in this situation) and download the domain rename tools to this server (domainrename.exe and xdr-fixup.exe).

Install by running the domainrename.exe. It will install rendom.exe and gpfixup.exe to “C:\Program files\Microsoft Domain Rename Tools”

Copy both these files to “C:\Rename”

Now it’s time to take some System State backups of your domain controllers and keep them in a safe place.

In this documentation I will use these domain names:

Old domain name: tottenham.int
New domain name: spurs.local

Create a new DNS zone:

· Open the DNS management console (dnsmgmt.msc)
· Right click “Forward Lookup Zones” > “Add new forward lookup zone”
· Call it “spurs.local” (without quotes)
· If you have a trusting domain, create the same zone as a secondary zone in the trusting domain

DNS suffix:

When you rename the domain the DNS suffix in the domain will change. Two conditions must be checked:

· The computers’ DNS suffix should be configured to change when the domain membership changes (default)
· No Group Policy must be configured to set the primary DNS suffix on the computers.
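Both conditions live in the registry of every member computer, and a handful of machines with the checkbox cleared or a suffix policy applied are exactly the ones that end up needing a rejoin after the rename. The PowerShell script below is an added example, not part of the original post: it enumerates the computer accounts in the domain and reads the two settings over the remote registry. The value names are the ones I rely on for this check and are not from the post: SyncDomainWithMembership under Tcpip\Parameters backs the “Change primary DNS suffix when domain membership changes” checkbox, and PrimaryDnsSuffix under Software\Policies\Microsoft\System\DNSClient is where the “Primary DNS Suffix” policy writes; confirm both on one machine with regedit before trusting the report. It assumes PowerShell 2.0 or newer, an account with admin rights on the targets, and the Remote Registry service reachable.

```powershell
# Added example, not from the original post. Checks the two DNS-suffix
# conditions from the post on every computer account in the domain.
# Assumes PowerShell 2.0+, admin rights on the targets and Remote Registry
# reachable. Registry value names are assumptions documented in the lead-in.
$searcher = New-Object System.DirectoryServices.DirectorySearcher("(objectCategory=computer)")
$searcher.PageSize = 1000
$searcher.PropertiesToLoad.Add("dNSHostName") | Out-Null

$problems = @()
foreach ($result in $searcher.FindAll()) {
    $name = $result.Properties["dnshostname"] | Select-Object -First 1
    if (-not $name) { continue }
    try {
        $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $name)
        # Condition 1: suffix follows domain membership (1 = checkbox ticked, the default)
        $tcpip = $reg.OpenSubKey("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters")
        $sync  = $tcpip.GetValue("SyncDomainWithMembership", 1)
        # Condition 2: no policy forcing a primary DNS suffix
        $pol    = $reg.OpenSubKey("SOFTWARE\Policies\Microsoft\System\DNSClient")
        $forced = $null
        if ($pol -ne $null) { $forced = $pol.GetValue("PrimaryDnsSuffix", $null) }
        $reg.Close()
    } catch {
        Write-Host ("{0,-40} registry not reachable (check it by hand)" -f $name)
        continue
    }
    $ok = ($sync -eq 1) -and ($forced -eq $null)
    $verdict = if ($ok) { "OK" } else { "FIX BEFORE RENAME" }
    Write-Host ("{0,-40} SyncDomainWithMembership={1} PolicySuffix={2} {3}" -f $name, $sync, $forced, $verdict)
    if (-not $ok) { $problems += $name }
}
Write-Host ("{0} computer(s) need attention before rendom /execute" -f $problems.Count)
```

Machines that are offline when you run it (the laptops mentioned further down) are the same ones to watch after the rename, so keep the list of unreachable names alongside the list of problems.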

Do the renaming procedure:

Open cmd and change the directory to “C:\Rename”.

1. rendom /list

· This will create a list of the directory partitions in the forest
· Copy the “domainlist.xml” file to “domainlist-save.xml”
· Open “domainlist.xml” in Notepad and change it to the new forest description

2. rendom /showforest

· Verify that it reflects the new domain name

3. rendom /upload

· Generates the domain rename instructions
· Pushes the rename instruction to all DC’s
· Force a replication. “repadmin /syncall /APed”

4. rendom /prepare

· Verify that all DC’s are ready
· You should get an answer from all DC’s and they should NOT return an error. If they do, open “dclist.xml” (that was created in step 3). The DC’s that have reported errors will not be tagged with <state>prepared</state>. You have to troubleshoot any errors. DO NOT set the state to “prepared” manually in this file for any DCs!

You should fix any errors and re-run “rendom /prepare” until all DCs are in the “prepared” state.

5. rendom /execute

· If everything goes as planned you should get an answer from all DCs. The DCs will reboot automatically. When the DCs are back online the domain name is changed, but not the DNS suffix on the DCs themselves. This has to be done manually on each DC in the renamed domain:

Add the new DNS suffix:

· netdom computername dc01.tottenham.int /add:dc01.spurs.local

Change the primary DNS suffix:

· netdom computername dc01.tottenham.int /makeprimary dc01.spurs.local

Reboot the server.

Remove the old DNS suffix:

· netdom computername dc01.spurs.local /remove:dc01.tottenham.int

Reboot the CS twice!

5.1. Exchange

(still working from the CS):

Before you proceed to the Exchange-specific tasks, you have to be sure you are not going back to the old name with a domain restore.

· xdr-fixup /s:domainlist-save.xml /e:domainlist.xml /trace:TRACEFILE /changes:CHANGESCRIPT.ldf

This will create two files. changescript.ldf and restorescript.ldf. You run this command only one time (not one time per Exchange server).

· ldifde -i -f changescript.ldf

(to revert, run “ldifde -i -f restorescript.ldf”)

· Restart all Exchange servers twice

6. rendom /end

· this will unfreeze the forest


Side steps:

Reestablish external trusts and validate:

· “nltest /sc-query:foreign_domain.com” (from a DC in the renamed domain)

· “nltest /sc-query:spurs.local” (from the trusting domain)

Fix DFS topology (if you use DFS)

Fix GPO links:

gpfixup /olddns:tottenham.int /newdns:spurs.local /oldnb:tottenham /newnb:spurs /dc:dc01.spurs.local /user:administrator /pwd:password > gpfixup.log 2>&1

Look for errors in the created log.

Take a new System state of the DC’s.

Restart all other servers twice.

Verify the Exchange rename:

· xdr-fixup /verify:restorescript.ldf /changes:verifycorrections.ldf

This should give you:

Verified that the server exch01.tottenham.int was renamed to exch01.spurs.local. Verify pass has completed. (It should list all Exchange servers involved in this output.)

Verify/update which DC the Recipient Update Service (RUS) should use.

If applicable, update the Active Directory Connector (ADC)

Reboot every computer in the domain twice. When that is done, do the last step**:

7. rendom /clean

Side steps:

· Authorize the DHCP server
· Delete the old Forward Lookup Zone from DNS
· dcdiag /v /e /c
· netdiag /debug /v
· Check Event logs

** If you have many domain member laptops out of the house during the rename, you can wait with step 7 until they have logged on the domain and rebooted twice. I think I waited a week before I ran step 7.

If you run step 7 and there are members that have not been rebooted twice, you have to rejoin them to the domain. I made a script to keep track of computers that have not been updated with the new domain name.

''''''''''''''''''''''''''''''''''''''' Save me as a vbs file '''''''''''''''''''''''''''''''''''''''
On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2

Set objFSO = CreateObject("Scripting.FileSystemObject")

''' Create a text file listing all computers that still hold the old domain name
Set objResultsFile = objFSO.CreateTextFile("C:\temp\tottenham.txt", True)

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")

objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

''' Modify the query so that it matches your domain: search the renamed domain
''' for computers whose dnsHostName still ends in the old suffix.
''' Note the space before WHERE; without it the two strings run together
''' and the query fails.
objCommand.CommandText = _
    "SELECT dnsHostName, distinguishedName FROM 'LDAP://dc=spurs,dc=local' " & _
    "WHERE objectCategory='computer' AND dnsHostName='*tottenham.int'"

Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF
    objResultsFile.Write objRecordSet.Fields("dnsHostName").Value & " --> OU: "
    objResultsFile.Write objRecordSet.Fields("distinguishedName").Value
    objResultsFile.WriteLine
    objRecordSet.MoveNext
Loop

' Number of computers still carrying the old name
WScript.Echo objRecordSet.RecordCount
objResultsFile.Close

'''''' EOF ''