Transfer/Seize FSMO Roles to Windows Server 2012 Using Powershell

The following information explains how to transfer Active Directory FSMO roles using PowerShell cmdlets.

When the DC holding the FSMO roles goes down or is being upgraded, the roles become a concern because they are important. The traditional NTDSUTIL way of transferring and seizing FSMO roles takes a few minutes; with PowerShell it is relatively easy and completes within a few seconds.

PowerShell command: Move-ADDirectoryServerOperationMasterRole

Syntax for transferring all 5 FSMO roles:
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_name" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster

If the target DC name is ADC, use the command below to transfer all FSMO roles:
Move-ADDirectoryServerOperationMasterRole -Identity "ADC" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster

Role numbers can be used in the command instead of role names:

Operation Master Role Name    Number
PDCEmulator                   0
RIDMaster                     1
InfrastructureMaster          2
SchemaMaster                  3
DomainNamingMaster            4

Transfer all 5 FSMO roles using numbers:
Move-ADDirectoryServerOperationMasterRole -Identity "ADC" -OperationMasterRole 0,1,2,3,4

If the FSMO role owner is permanently offline, seize the FSMO roles with the same command and just add the -Force parameter.
Syntax for seizing FSMO roles:

Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_name" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster -Force

Command:
Move-ADDirectoryServerOperationMasterRole -Identity "ADC" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster -Force


To transfer/seize a single operation master role to another DC, use the role name or its number.

Examples:
Move-ADDirectoryServerOperationMasterRole -Identity "ADC" -OperationMasterRole RIDMaster
Move-ADDirectoryServerOperationMasterRole -Identity "ADC" -OperationMasterRole 1
Move-ADDirectoryServerOperationMasterRole -Identity "ADC" -OperationMasterRole RIDMaster -Force
Move-ADDirectoryServerOperationMasterRole -Identity "ADC" -OperationMasterRole 1 -Force

Quick Notes:

  • There is no need to connect to the future FSMO role owner DC before the transfer/seize operation.
  • The PowerShell command can be run from any DC, or from a Windows 7 workstation or 2008/R2 member server where the RSAT tools are installed.

Best practices for DNS settings on DC and domain members.

Information:
The following information explains best practices for DNS client settings on domain controllers and domain members.

Domain controller with DNS installed:
On a domain controller that also acts as a DNS server, it is recommended to configure the domain controller's DNS client settings according to these specifications:

IP configuration on domain controller:

  • In a single DC/DNS domain environment, the DC/DNS server points to its own private IP address (not to the loopback address 127.x.x.x) as the preferred DNS server in its TCP/IP properties.
  • If multiple DCs that are DNS servers exist in the domain, the recommendation is for each DC to point to ANOTHER/REMOTE DC's IP address as preferred DNS and to its own private IP address as alternate DNS.
  • Each DC has just one IP address and one enabled network adapter (disable unused NICs).
  • IPv6 should not be disabled on the DC's NIC. Set it to "Obtain an IPv6 address automatically" and "Obtain DNS server address automatically".
  • If multiple NICs (enabled and disabled) are present on the server, make sure the active NIC is at the top of the NIC binding order.
  • Contact your ISP for valid DNS IPs and add them to the forwarders; do not set a public DNS server in the TCP/IP settings of a DC.

How to set/view the NIC bind order in Windows
http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/

IP configuration on domain member:

  • Each workstation/member server should point to the local DNS server as preferred DNS and to remote DNS servers as alternate DNS servers in its TCP/IP properties.
  • Do not set a public DNS server in the TCP/IP settings of a domain member.

Once the above is done, run "ipconfig /flushdns & ipconfig /registerdns", then restart the DNS Server and NETLOGON services on each DC.
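An added example (not from the original post) that audits a DC's own DNS client settings against the recommendations above: one enabled NIC, one IPv4 address, no loopback or non-DC resolvers in the TCP/IP settings, preferred DNS on another DC when more than one exists, and IPv6 left bound. It assumes the ActiveDirectory, NetAdapter and DnsClient modules available on Server 2012 and later.

```powershell
# Added example, not from the original post: check this DC's DNS client configuration
# against the best practices listed above and print findings. Assumes Server 2012+ modules
# (ActiveDirectory, NetAdapter, DnsClient) and that it runs on the DC being checked.
Import-Module ActiveDirectory

$dcIps    = @((Get-ADDomainController -Filter *).IPv4Address | Where-Object { $_ })
$selfIps  = @((Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -notlike '127.*' }).IPAddress)
$nics     = @(Get-NetAdapter | Where-Object Status -eq 'Up')
$findings = @()

# A DC should be single-homed: one enabled NIC and one IPv4 address.
if ($nics.Count -ne 1)    { $findings += "$($nics.Count) NICs are up; a DC should have exactly one (disable unused NICs)" }
if ($selfIps.Count -ne 1) { $findings += "$($selfIps.Count) IPv4 addresses bound; multihomed DCs cause resolution and browser problems" }

foreach ($nic in $nics) {
    $servers = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses)
    if ($servers.Count -eq 0) { $findings += "$($nic.Name): no DNS servers configured"; continue }

    # Loopback must not be used; the DC's own private IP is used instead.
    if ($servers | Where-Object { $_ -like '127.*' }) {
        $findings += "$($nic.Name): loopback used as DNS server; use the DC's own IP instead"
    }
    # Anything that is not a DC address does not belong in TCP/IP settings (public DNS goes in forwarders).
    $foreign = $servers | Where-Object { $_ -notin $dcIps -and $_ -notin $selfIps -and $_ -notlike '127.*' }
    if ($foreign) { $findings += "$($nic.Name): non-DC resolvers $($foreign -join ', ') in TCP/IP settings" }

    # With multiple DCs, preferred DNS should be another DC and self only the alternate.
    if ($dcIps.Count -gt 1 -and $servers[0] -in $selfIps) {
        $findings += "$($nic.Name): preferred DNS is this DC; point preferred at another DC and self as alternate"
    }
    # IPv6 stays enabled (set to automatic), never unbound.
    $ipv6 = Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_tcpip6
    if (-not $ipv6.Enabled) { $findings += "$($nic.Name): IPv6 binding disabled; leave it enabled and set to automatic" }
}

if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'DNS client settings match the recommendations.' }
```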

Quick note: a MULTIHOMED domain controller is not recommended; it always results in multiple problems.

  • Being a VPN server, or even simply running RRAS, makes a DC multihomed.
  • Domain controllers holding the PDC role are automatically the Domain Master Browser, and master browsers should not be multihomed.

Active Directory Communication Fails on Multihomed Domain Controllers http://support.microsoft.com/default.aspx?scid=kb;en-us;272294

Symptoms of Multihomed Browsers
http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611

Reference: http://support.microsoft.com/kb/825036

Active Directory Metadata Cleanup, What is that?

Information:
The following information explains the Active Directory metadata cleanup process: what it is and why it is required.

Explanation:
Metadata cleanup is the process which removes the failed Domain Controller’s object from Active Directory.

When is it required?
Metadata cleanup is required when an attempt to remove a domain controller from your Active Directory domain with Dcpromo.exe fails, when a promotion of a member server to a domain controller fails, when a domain controller cannot be demoted gracefully, or when a DC has failed/crashed because of a hardware failure.

In any of the situations above, you are left with remains of the DC's object in Active Directory. As part of a successful demotion, the DCPROMO wizard removes the configuration data for the domain controller from Active Directory, but as noted above, a failed DCPROMO attempt might leave these objects in place.

The effects of leaving such remains in Active Directory may vary, but one thing is sure: whenever you re-install the server with the same computer name and try to promote it to a domain controller, you will fail, because the DCPROMO process will still find the old object and will therefore refuse to re-create the objects for the new-old server.

In the event that the NTDS Settings object is not removed correctly, you can use the Ntdsutil.exe utility to remove it manually; this process is called metadata cleanup.

As part of metadata cleanup you need to perform the procedures below:
Perform metadata cleanup.
Manually remove the failed DC object from Sites & Services.
Manually remove the computer object from the Domain Controllers container in ADUC.
Manually remove the failed DC entries (NS, A, PTR, etc. records) from the DNS console.

Note:  At least one healthy DC is required from where you can perform metadata cleanup.

Perform Metadata Cleanup steps using below articles:
Clean Up Server Metadata Windows Server 2003 and Windows Server 2003 R2
http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx

Clean Up Server Metadata Windows Server 2008 and higher
http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx

The Local System Account

Information:
The following information and links explain the Local System account.

Questions:
What is the NT AUTHORITY\System (Local System) account?
Is it a part of Authenticated Users?
Will a service running as Local System be able to access AD/GP objects that are only accessible to Authenticated Users?

Explanation:
The Local System account is a powerful account that has full access to the computer. The actual name of the account is NT AUTHORITY\System. The Local System account does not have any rights to access the network as itself. When network access is necessary, Local System uses the computer account, Domain\computername$.

Additional note:
With the release of Windows Server 2003, two new built-in account types similar to Local System were added: the Network Service account and the Local Service account.

Read the below articles for more information:
http://networkadminkb.com/KB/a41/differences-between-authenticated-users-domain-users.aspx

http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx

http://technet.microsoft.com/en-us/library/bb680595.aspx

Reference thread

Trust relationship between this workstation and primary domain failed

Problem Statement :
We are in the process of deploying Windows 7 and started getting this error: “Trust relationship between this workstation and primary domain failed”.  FYI – We started getting this error after our server team started deploying Server 2008 R2 Domain Controllers.  Rebooting seems to fix the problem, but we need a permanent preventative solution!

Resolution:

  • Make sure that the workstations point to the local DNS server IP as preferred DNS in the NIC settings.
  • Also make sure that "Enable NetBIOS over TCP/IP" is selected under the WINS tab at both ends (server and workstation).
  • Disjoin the workstation from the domain, delete the computer account from ADUC and rejoin the problem workstation to the domain.

NOTE: If you are on the Windows 2008 R2 and Windows 7 platform, install this hotfix.

Reference Thread.

How to configure an "Authoritative Time Server" in an AD domain.

If you want to ensure that the clocks on your machines are more accurate in terms of absolute (and not just relative) time, you need to sync the PDC Emulator role owner DC in your forest root domain to one of the reliable time servers available on the Internet. This is a good idea if your company is a large enterprise with sites spanning several countries, or if your organization has two or more forests linked by forest trusts.

Verify the PDC role holder DC name by running the command "netdom query fsmo".

IMPORTANT UPDATE:
If the PDC role owner is on Hyper-V, it is recommended to partially disable the Hyper-V time service on the PDC role owner DC only.

To partially disable the Hyper-V time synchronization provider, leave Time synchronization enabled under Integration Services and run the following command from an elevated command prompt on the guest domain controller:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0

CONFIGURATION SECTION:
Run the following commands on the PDC role holder DC in the forest root domain:
W32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update

net stop w32time & net start w32time & W32tm /resync /rediscover

Run the following commands on the former PDC and/or the non-PDC role holder DCs:
w32tm /config /syncfromflags:domhier /update

net stop w32time & net start w32time & W32tm /resync /rediscover

You can use any reliable external time server from the list in this link: http://support.microsoft.com/kb/262680

Commonly used external time servers: "time.windows.com,0x1", "pool.ntp.org,0x1", etc.

It may take an hour or so for the PDC Emulator to fully synchronize with the external time server because of the nature of the polling method W32Time uses. Depending on the latency of your Internet connection, the accuracy of the CMOS clock on your forest root PDC Emulator may be within a second or two of UTC. If you need more accurate time however, you can purchase a hardware time source like an atomic clock and connect it to your PDC emulator.

Alternatively, if you don’t want to wait for time convergence to occur between your stratum 2 time server (your forest root PDC Emulator) and the external stratum 1 time server, you can run the following command on your PDC Emulator:  w32tm /resync /rediscover

Quick note and parameter explanation:
On domain controllers (except the PDC) and domain members, the Type entry in the registry should be NT5DS: http://support.microsoft.com/kb/223184

The server and the client communicate using the SNTP protocol, which normally uses User Datagram Protocol (UDP) port 123, so make sure that UDP port 123 is open on the firewall.

/manualpeerlist:peers
Set the manual peer list to <peers>, a space-delimited list of DNS names or IP addresses of reliable external time servers.

/syncfromflags:manual
Set what sources the NTP client should sync from.

/update:
Notify the time service that the configuration has changed so that the new settings take effect.
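An added example (not from the original post) that checks whether the local DC matches the configuration above: Type must be NTP with a manual peer list on the PDC emulator and NT5DS everywhere else, the Hyper-V provider should be disabled on a PDC guest, and the live source is compared against the registry. It assumes the ActiveDirectory module for the PDC lookup.

```powershell
# Added example, not from the original post: audit the W32Time settings described above on
# the local DC. Assumes the ActiveDirectory module; expected values follow the post
# (NTP + manual peers on the PDC emulator, NT5DS on every other DC and member).
Import-Module ActiveDirectory

$w32    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$params = Get-ItemProperty "$w32\Parameters"
$vmic   = Get-ItemProperty "$w32\TimeProviders\VMICTimeProvider" -ErrorAction SilentlyContinue
$pdc    = (Get-ADDomain).PDCEmulator
$isPdc  = $pdc -like "$env:COMPUTERNAME.*"

$findings = @()
if ($isPdc) {
    # PDC emulator: /syncfromflags:manual sets Type=NTP and /manualpeerlist fills NtpServer.
    if ($params.Type -ne 'NTP') { $findings += "Type is '$($params.Type)', expected NTP on the PDC emulator" }
    if (-not $params.NtpServer) { $findings += 'NtpServer (manual peer list) is empty on the PDC emulator' }
    # Hyper-V guest: the post recommends Enabled=0 for VMICTimeProvider on the PDC only.
    if ($vmic -and $vmic.Enabled -ne 0) { $findings += 'VMICTimeProvider is still enabled on the PDC emulator guest' }
} else {
    # Every other DC: /syncfromflags:domhier sets Type=NT5DS (domain hierarchy).
    if ($params.Type -ne 'NT5DS') { $findings += "Type is '$($params.Type)', expected NT5DS (domain hierarchy)" }
}

# Cross-check what the running service actually syncs from right now.
$source = (w32tm /query /source) -join ''
"PDC emulator  : $pdc"
"This host     : $env:COMPUTERNAME (is PDC: $isPdc)"
"W32Time Type  : $($params.Type)"
"Manual peers  : $($params.NtpServer)"
"Current source: $source"
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'No deviations from the recommended time configuration.' }
```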

Time Configuration using Group Policy:
Do not alter the Windows Time Service on the PDC emulator role holder DC with a GPO; the authoritative Windows Time server should not be configured that way and it is not recommended. However, you may use Group Policy to make all domain clients sync time with the authoritative time server in the domain.

You can find the Group Policy settings used to configure W32Time in the Group Policy Object Editor snap-in in the following locations:

Configure Global Configuration Settings at following path:
Computer Configuration\Administrative Templates\System\Windows Time Service

Configure Windows NTP Client settings  at following path:
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers

Windows cannot access the file gpt.ini

This error usually indicates that the user or computer does not have the appropriate permissions to access the GPO, or that the GPO has been corrupted or deleted.

Default permissions:
Authenticated Users – Read & Apply Group Policy
Creator Owner – Special permission
Domain Admins – Full Control & Special permission
Enterprise Admins – Full Control & Special permission
Enterprise Domain Controllers – Special permission
System – Full Control except Apply Group Policy

Troubleshooting steps:
1. First of all, check that the SYSVOL and NETLOGON shares are available and that the problematic GPO is present on the server.
2. Run Group Policy Best Practice Analyzer to check errors.
3. Right click on the problematic gpt.ini file and click Permissions.
4. Switch to Security tab and click Edit.
5. Highlight Authenticated Users, remove all the boxes under Deny and check the following items under Allow.
  Read & execute
  Read
6. Click OK twice and test the issue.

For more information, see Event ID 1058 — Group Policy Preprocessing:
http://technet.microsoft.com/en-us/library/cc727259(WS.10).aspx

If the issue persists, run the following command and check the output:
Cacls %systemroot%\SYSVOL\sysvol\DomainName\Policies\{GUID}\gpt.ini

Note: Replace DomainName and GUID with the real DomainName and GUID.
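An added example (not from the original post) that extends the single Cacls check above to every GPO in the domain: it confirms each gpt.ini exists in SYSVOL and that Authenticated Users has an Allow Read entry and no Deny entry, which is what the steps above restore by hand. It assumes the GroupPolicy module and that $env:USERDNSDOMAIN holds the domain name.

```powershell
# Added example, not from the original post: check every GPO's gpt.ini in SYSVOL for
# existence and for the default Authenticated Users Read access. Assumes the GroupPolicy
# module (RSAT or a DC) and that $env:USERDNSDOMAIN is the domain's DNS name.
Import-Module GroupPolicy

$domain    = $env:USERDNSDOMAIN
$policies  = "\\$domain\SYSVOL\$domain\Policies"
$authUsers = 'NT AUTHORITY\Authenticated Users'
$readBits  = [System.Security.AccessControl.FileSystemRights]::Read

function Test-GptIniAccess {
    # Returns a status line per GPO; gpt.ini lives at Policies\{GUID}\gpt.ini for each GPO.
    foreach ($gpo in Get-GPO -All) {
        $gptIni = Join-Path $policies "{$($gpo.Id)}\gpt.ini"
        if (-not (Test-Path $gptIni)) {
            "FINDING: $($gpo.DisplayName): $gptIni is missing (SYSVOL replication, or a deleted/corrupted GPO)"
            continue
        }
        $acl  = Get-Acl $gptIni
        $deny = $acl.Access | Where-Object { $_.IdentityReference -eq $authUsers -and $_.AccessControlType -eq 'Deny' }
        $read = $acl.Access | Where-Object {
            $_.IdentityReference -eq $authUsers -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $readBits) -ne 0)
        }
        if ($deny)          { "FINDING: $($gpo.DisplayName): Deny entry for Authenticated Users on gpt.ini" }
        elseif (-not $read) { "FINDING: $($gpo.DisplayName): Authenticated Users lacks Read on gpt.ini" }
        else                { "OK: $($gpo.DisplayName)" }
    }
}

Test-GptIniAccess
```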

If it still does not work, follow the troubleshooting suggestions in this KB article:
Userenv errors occur and events are logged after you apply Group Policy to computers that are running Windows Server 2003, Windows XP, or Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;887303