Category Archives: Active Directory

Transfer/Seize FSMO Roles to Windows Server 2012 Using PowerShell

The following information explains the Active Directory FSMO role transfer process using PowerShell cmdlets.

When the DC holding the FSMO roles is being upgraded or goes down, the FSMO roles become the first concern because of their importance. The traditional NTDSUTIL way of transferring and seizing FSMO roles takes a few minutes; with PowerShell it is relatively easy and completes within a few seconds.

PowerShell command: Move-ADDirectoryServerOperationMasterRole

Transferring all 5 FSMO roles, syntax:
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_name" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster

If the target DC name is ADC, use the command below to transfer all FSMO roles:
Move-ADDirectoryServerOperationMasterRole -Identity "ADC" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster

Role numbers can be used in the command instead of role names.

Operation Master Role Name     Number
PDCEmulator                    0
RIDMaster                      1
InfrastructureMaster           2
SchemaMaster                   3
DomainNamingMaster             4

Transfer all 5 FSMO roles using numbers:
Move-ADDirectoryServerOperationMasterRole -Identity "ADC" -OperationMasterRole 0,1,2,3,4

If the FSMO role owner is permanently offline, seize the FSMO roles using the command below; just add the -Force parameter.
Seizing FSMO roles syntax:

Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_name" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster -Force

Command:
Move-ADDirectoryServerOperationMasterRole -Identity "ADC" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster -Force


If you want to transfer or seize a single operation master role to another DC, use the role name or its number.

Examples:
Move-ADDirectoryServerOperationMasterRole -Identity "ADC" -OperationMasterRole RIDMaster
Move-ADDirectoryServerOperationMasterRole -Identity "ADC" -OperationMasterRole 1
Move-ADDirectoryServerOperationMasterRole -Identity "ADC" -OperationMasterRole RIDMaster -Force
Move-ADDirectoryServerOperationMasterRole -Identity "ADC" -OperationMasterRole 1 -Force

Quick Notes:

  • There is no need to connect to the future FSMO role owner DC before the transfer/seize operation.
  • The PowerShell command can be run from any DC, or from a Windows 7 workstation or 2008/R2 member server where the RSAT tools are installed.
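As an added example (not code from the original post), the following function wraps the cmdlet above with a before/after check of the role holders and refuses a plain transfer when a current holder is not reachable over LDAP, which is the situation where -Force (seizure) is the only option. It assumes the ActiveDirectory RSAT module; "ADC" is the post's placeholder DC name.

```powershell
# Added example, not part of the original post: transfer (or seize) FSMO roles to a target DC
# with a before/after check. Assumes the ActiveDirectory RSAT module (Windows Server 2012 / RSAT);
# "ADC" is the post's placeholder DC name.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)] [string] $TargetDc,
        [string[]] $Roles = @('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster'),
        [switch] $Seize   # becomes -Force; only for a holder that is permanently offline
    )
    $target  = Get-ADDomainController -Identity $TargetDc
    $before  = Get-FsmoHolders
    # Only touch roles the target does not already hold
    $pending = @($Roles | Where-Object { $before[$_] -ne $target.HostName })
    if ($pending.Count -eq 0) { "$($target.HostName) already holds: $($Roles -join ', ')"; return }

    if (-not $Seize) {
        # A transfer needs every current holder online (LDAP reachable); fail early otherwise
        foreach ($role in $pending) {
            $holder = $before[$role]
            if (-not (Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet)) {
                throw "Current $role holder $holder is unreachable; use -Seize only if it is permanently offline."
            }
        }
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $pending `
        -Force:$Seize -Confirm:$false

    # Re-read the holders and report each moved role
    $after = Get-FsmoHolders
    foreach ($role in $pending) {
        $state = if ($after[$role] -eq $target.HostName) { 'OK' } else { 'CHECK' }
        '{0,-20} {1} -> {2} [{3}]' -f $role, $before[$role], $after[$role], $state
    }
}

# Usage, matching the post's examples:
# Move-FsmoRoles -TargetDc ADC                          # transfer all five roles
# Move-FsmoRoles -TargetDc ADC -Roles RIDMaster -Seize  # seize one role
```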

Best practices for DNS settings on DCs and domain members.

Information:
The following information explains the best practices for DNS client settings on domain controllers and domain members.

Domain controller with DNS installed:
On a domain controller that also acts as a DNS server, it is recommended that you configure the domain controller's DNS client settings according to these specifications:

IP configuration on a domain controller:

  • In a single DC/DNS domain environment, the DC/DNS server points to its own private IP address (not to the loopback address 127.x.x.x) as the preferred DNS server in its TCP/IP properties.
  • If multiple DCs that are DNS servers exist in the domain, the recommendation is to have each DC point to ANOTHER/REMOTE DC's IP address as the preferred DNS server and to its own private IP address as the alternate DNS server.
  • Each DC has just one IP address and one enabled network adapter (disable unused NICs).
  • IPv6 should not be disabled on the DC's NIC. Set it to "Obtain an IPv6 address automatically" and "Obtain DNS server address automatically".
  • If multiple NICs (enabled and disabled) are present on the server, make sure the active NIC is at the top of the NIC binding order.
  • Contact your ISP for valid DNS server IPs and add them to the forwarders. Do not set a public DNS server in the TCP/IP settings of a DC.

How to set/view the NIC bind order in Windows
http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/

IP configuration on a domain member:

  • Each workstation/member server should point to the local DNS server as the preferred DNS server and to remote DNS servers as alternates in its TCP/IP properties.
  • Do not set a public DNS server in the TCP/IP settings of a domain member.

Once you are done with the above, run "ipconfig /flushdns & ipconfig /registerdns", then restart the DNS Server and NETLOGON services on each DC.
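The following added script (not from the original post) checks a DC's own DNS client settings against the recommendations above: loopback or public resolvers in the client list, self as preferred DNS when other DCs exist, IPv6 unbound, more than one active NIC, and missing forwarders. It assumes the DnsClient, NetAdapter, DnsServer and ActiveDirectory modules (Windows Server 2012+) and is run on the DC being checked.

```powershell
# Added example, not part of the original post: check a DC's DNS client settings against the
# recommendations above. Assumes the DnsClient, NetAdapter, DnsServer and ActiveDirectory modules
# (Windows Server 2012+); run it on the DC being checked.
Import-Module DnsClient, NetAdapter, DnsServer, ActiveDirectory

function Test-PrivateIPv4([string] $Ip) {
    # RFC 1918 ranges; anything else in the client list is treated as a public resolver
    ($Ip -match '^10\.') -or ($Ip -match '^192\.168\.') -or ($Ip -match '^172\.(1[6-9]|2[0-9]|3[01])\.')
}

$dcIps    = @(Get-ADDomainController -Filter * | ForEach-Object { $_.IPv4Address })
$myIp     = (Get-ADDomainController -Identity $env:COMPUTERNAME).IPv4Address
$findings = @()

$active = @(Get-NetAdapter | Where-Object Status -eq 'Up')
if ($active.Count -gt 1) {
    $findings += "Multiple active NICs ($($active.Name -join ', ')): a DC should be single-homed"
}

foreach ($nic in $active) {
    $servers = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses)
    if ($servers.Count -eq 0) { $findings += "$($nic.Name): no IPv4 DNS servers configured"; continue }
    $preferred = $servers[0]

    if ($preferred -like '127.*') { $findings += "$($nic.Name): preferred DNS is loopback $preferred; use the DC's own private IP" }
    foreach ($s in $servers) {
        if (-not (Test-PrivateIPv4 $s)) { $findings += "$($nic.Name): public DNS $s in client list; put ISP resolvers in forwarders instead" }
    }
    if ($dcIps.Count -gt 1) {
        if ($preferred -eq $myIp)        { $findings += "$($nic.Name): preferred DNS is self; point to another DC first, self as alternate" }
        if ($servers -notcontains $myIp) { $findings += "$($nic.Name): own address $myIp missing from the alternate list" }
    } elseif ($preferred -ne $myIp)      { $findings += "$($nic.Name): single DC should use its own private IP $myIp as preferred DNS" }

    # IPv6 must stay bound on the DC's NIC
    if (-not (Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_tcpip6).Enabled) {
        $findings += "$($nic.Name): IPv6 is unbound; leave it enabled and set to obtain addresses automatically"
    }
}

# External resolution should go through forwarders, not the client settings
if (@((Get-DnsServerForwarder).IPAddress).Count -eq 0) { $findings += "No forwarders configured; add the ISP's DNS servers there" }

if ($findings.Count) { $findings } else { "DNS client settings match the recommendations." }
```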

Quick note: a MULTIHOMED domain controller is not recommended; it always results in multiple problems.

  • Being a VPN server, or even simply running RRAS, makes a DC multi-homed.
  • Domain controllers holding the PDC role are automatically the Domain Master Browser. Master Browsers should not be multi-homed.

Active Directory Communication Fails on Multihomed Domain Controllers http://support.microsoft.com/default.aspx?scid=kb;en-us;272294

Symptoms of Multihomed Browsers
http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611

Reference: http://support.microsoft.com/kb/825036

Active Directory Metadata Cleanup, What is that?

Information:
The following information explains the Active Directory metadata cleanup process: what it is and why it is required.

Explanation:
Metadata cleanup is the process that removes a failed domain controller's objects from Active Directory.

When is it required?
Metadata cleanup is required when you try to remove a domain controller from your Active Directory domain using Dcpromo.exe and it fails, when you began to promote a member server to a domain controller and that failed, when you cannot demote the domain controller gracefully, or when the DC has failed or crashed due to a hardware failure.

In any of the cases above, you will be left with remnants of the DC's objects in Active Directory. As part of a successful demotion, the DCPROMO wizard removes the configuration data for the domain controller from Active Directory, but as noted above, a failed DCPROMO attempt may leave these objects in place.

The effects of leaving such remnants in Active Directory vary, but one thing is certain: whenever you try to reinstall the server with the same computer name and promote it to a domain controller, you will fail, because the DCPROMO process will still find the old object and therefore refuse to re-create the objects for the new-old server.

If the NTDS Settings object is not removed correctly, you can use the Ntdsutil.exe utility to remove the NTDS Settings object manually; this process is called metadata cleanup.

As part of metadata cleanup you need to perform the procedures below:
1. Perform metadata cleanup.
2. Manually remove the failed DC object from Sites & Services.
3. Manually remove the computer object from the Domain Controllers container in ADUC.
4. Manually remove the failed DC entries (NS, A, PTR, etc. records) from the DNS console.

Note: At least one healthy DC is required from which you can perform metadata cleanup.

Perform the metadata cleanup steps using the articles below:
Clean Up Server Metadata Windows Server 2003 and Windows Server 2003 R2
http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx

Clean Up Server Metadata Windows Server 2008 and higher
http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx

How to configure an "Authoritative Time Server" in an AD domain.

If you want to ensure that the clocks on your machines are accurate in absolute (and not just relative) terms, you need to sync the PDC Emulator role holder in your forest root domain to one of the reliable time servers available on the Internet. This is a good idea if your company is a large enterprise with sites spanning several countries, or if your organization has two or more forests linked by forest trusts.

Verify the PDC role holder DC name by running the command "netdom query fsmo".

IMPORTANT UPDATE:
If the PDC role owner runs on Hyper-V, it is recommended to partially disable the Hyper-V time synchronization provider on the PDC role owner DC only.

To partially disable the Hyper-V time synchronization provider, leave Time synchronization enabled under Integration Services and run the following command from an elevated command prompt on the guest domain controller:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0

CONFIGURATION SECTION:
Run the following commands on the PDC role holder DC in the forest root domain:
W32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update

net stop w32time & net start w32time & W32tm /resync /rediscover

Run the following commands on a former PDC and/or on the non-PDC role holder DCs:
w32tm /config /syncfromflags:domhier /update

net stop w32time & net start w32time & W32tm /resync /rediscover

You can use any of the reliable external time servers listed in the link below: http://support.microsoft.com/kb/262680

Commonly used external time servers: "time.windows.com,0x1", "pool.ntp.org,0x1", etc.

It may take an hour or so for the PDC Emulator to fully synchronize with the external time server because of the nature of the polling method W32Time uses. Depending on the latency of your Internet connection, the accuracy of the CMOS clock on your forest root PDC Emulator may be within a second or two of UTC. If you need more accurate time however, you can purchase a hardware time source like an atomic clock and connect it to your PDC emulator.

Alternatively, if you don’t want to wait for time convergence to occur between your stratum 2 time server (your forest root PDC Emulator) and the external stratum 1 time server, you can run the following command on your PDC Emulator:  w32tm /resync /rediscover

Quick note and parameter explanation:
On domain controllers (except the PDC) and on domain members, the TYPE entry in the registry should be NT5DS: http://support.microsoft.com/kb/223184

Both the server and the client communicate using the SNTP protocol, which normally uses User Datagram Protocol (UDP) port 123, so make sure that UDP port 123 is open on the firewall.

/manualpeerlist:<peers>
Sets the manual peer list to <peers>, a space-delimited list of DNS names or IP addresses of the reliable external time servers.

/syncfromflags:manual
Sets which sources the NTP client should sync from (here, the manual peer list).

/update
Notifies the time service that the configuration has changed, so the change takes effect.
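As an added check (not from the original post), this script audits the local DC's W32Time settings against the configuration above: the PDC should use an NTP manual peer list and announce itself as reliable (AnnounceFlags 5, which /reliable:yes sets), every other DC should be NT5DS, and the actual time source reported by w32tm should be neither the local CMOS clock nor the Hyper-V provider. It assumes the ActiveDirectory module and is run on each DC being checked.

```powershell
# Added example, not part of the original post: audit the local DC's W32Time settings against the
# configuration above. Assumes the ActiveDirectory module; run it on each DC being checked.
Import-Module ActiveDirectory

$w32    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$params = Get-ItemProperty "$w32\Parameters"
$config = Get-ItemProperty "$w32\Config"
$vmic   = Get-ItemProperty "$w32\TimeProviders\VMICTimeProvider" -ErrorAction SilentlyContinue
$source = (w32tm /query /source) -join ''     # e.g. "time.windows.com,0x1", a DC name, or "Local CMOS Clock"

$isPdc = (Get-ADDomain).PDCEmulator -like "$env:COMPUTERNAME.*"
$cs    = Get-CimInstance Win32_ComputerSystem
$isHyperVGuest = ($cs.Manufacturer -match 'Microsoft') -and ($cs.Model -match 'Virtual Machine')

$findings = @()
if ($isPdc) {
    # The forest-root PDC syncs from an external manual peer and announces itself as reliable
    if ($params.Type -ne 'NTP')      { $findings += "PDC Type is '$($params.Type)'; expected NTP" }
    if (-not $params.NtpServer)      { $findings += "PDC has no manual peer list (NtpServer)" }
    if ($config.AnnounceFlags -ne 5) { $findings += "AnnounceFlags is $($config.AnnounceFlags); /reliable:yes sets 5" }
    if ($isHyperVGuest -and $vmic -and $vmic.Enabled -ne 0) {
        $findings += "Hyper-V VMICTimeProvider is enabled on the PDC; set Enabled to 0"
    }
} else {
    # Every other DC (and every domain member) follows the domain hierarchy
    if ($params.Type -ne 'NT5DS')    { $findings += "Type is '$($params.Type)'; non-PDC DCs should use NT5DS" }
}
if ($source -match 'Local CMOS Clock') { $findings += "Not synchronising: time source is the local CMOS clock" }
if ($source -match 'VM IC')            { $findings += "Time source is the hypervisor provider, not the domain/NTP source" }

if ($findings.Count) { $findings } else { "W32Time configuration matches the recommendations (source: $source)." }
```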

Time Configuration using Group Policy:
Altering the Windows Time Service on the PDC emulator role holder DC (the authoritative Windows Time server) through a GPO is not recommended. However, you may use Group Policy to make all the domain clients sync time with the authoritative time server in the domain.

You can find the Group Policy settings used to configure W32Time in the Group Policy Object Editor snap-in at the following locations:

Global configuration settings:
Computer Configuration\Administrative Templates\System\Windows Time Service

Windows NTP Client settings:
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers

IPv4 and IPv6 Reverse Lookup Zone Configuration

Configuring Reverse Lookup Zones for IPv4
Now we need to create a matching reverse lookup zone. This will handle reverse resolution for our subnet, in this case 192.168.1.x.
1. Choose Start > Administrative Tools > DNS.
2. In the console tree, click Reverse Lookup Zones.
3. Right-click Reverse Lookup Zones, and then click New Zone.
4. When the New Zone Wizard appears, click Next.
5. On the Zone Type page, select Primary Zone, and then click Next.
6. On the Reverse Lookup Zone Name page, make sure IPv4 is selected, and then click Next.
7. On the Reverse Lookup Zone Name page, in the Network ID field, type the start of the subnet range of your network (in this case, 192.168.1.x), and then click Next.
8. On the Zone File page, click Next.
9. On the Dynamic Update page, click Next.
10. On the Completing The New Zone Wizard page, click Finish.

Configuring Reverse Lookup Zones for IPv6
1. In the console tree, click Reverse Lookup Zones.
2. Right-click Reverse Lookup Zones, and then click New Zone.
3. When the New Zone Wizard appears, click Next.
4. On the Zone Type page, select Primary Zone, and then click Next.
5. On the Reverse Lookup Zone Name page, make sure IPv6 is selected, and then click Next.
6. In the Reverse Lookup Zone Name field, type in the prefix, and then click Next.
7. On the Dynamic Update page, choose Allow Both Nonsecure And Secure Dynamic Updates, and click Next.
8. Click Finish to create the New Zone.

Create IPv6 Record:

1. Right-click the forward lookup zone for your domain, and then click New Host.
2. In the Name field, enter the name of your server or workstation.
3. In the IP address field, enter the IPv6 address we set for the server.
4. Verify that Create Associated Pointer (PTR) Record is checked, and click Add Host.
You should now see a new AAAA record for the server, as well as a new PTR record in the Reverse Lookup Zone we created.
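The same procedure as DnsServer module cmdlets (Windows Server 2012+), added here as an example that is not part of the original post, ending with a check that the AAAA and PTR records agree. 192.168.1.0/24 is the post's subnet; the IPv6 prefix, host name and address are constructed placeholders, and the script uses Secure dynamic updates where the wizard steps above choose nonsecure and secure.

```powershell
# Added example, not part of the original post: the wizard steps above as DnsServer module cmdlets
# (Windows Server 2012+), with a check that the AAAA and PTR records agree. 192.168.1.0/24 is the
# post's subnet; the IPv6 prefix, host name and address are constructed placeholders.
Import-Module DnsServer, ActiveDirectory

$forwardZone = (Get-ADDomain).DNSRoot          # the domain's forward lookup zone
$v4Network   = '192.168.1.0/24'
$v6Network   = 'fd00:1234:5678::/64'           # placeholder ULA prefix
$hostName    = 'srv01'                         # placeholder host
$v6Address   = 'fd00:1234:5678::10'            # placeholder address inside the prefix

# The post's IPv6 wizard allows nonsecure and secure dynamic updates; 'Secure' limits updates
# to authenticated domain computers and is the safer setting for an AD-integrated zone.
$dynamicUpdate = 'Secure'

foreach ($net in $v4Network, $v6Network) {
    try {
        Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope Domain -DynamicUpdate $dynamicUpdate -ErrorAction Stop
        "Created reverse lookup zone for $net"
    } catch {
        "Reverse lookup zone for $net not created: $($_.Exception.Message)"   # typically: already exists
    }
}

# AAAA record plus its PTR (the wizard's "Create associated pointer (PTR) record")
Add-DnsServerResourceRecordAAAA -ZoneName $forwardZone -Name $hostName -IPv6Address $v6Address -CreatePtr

# Verify that forward and reverse resolution agree, asking the local DNS server directly
$fqdn = "$hostName.$forwardZone"
$aaaa = (Resolve-DnsName -Name $fqdn -Type AAAA -Server 127.0.0.1 -ErrorAction Stop).IPAddress
$ptr  = (Resolve-DnsName -Name $v6Address -Type PTR -Server 127.0.0.1 -ErrorAction Stop).NameHost
if ($aaaa -eq $v6Address -and $ptr -eq $fqdn) { "AAAA/PTR pair verified for $fqdn" }
else { "Mismatch: AAAA=$aaaa PTR=$ptr" }
```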


How to Reset Local Group Policy Objects to default settings

Sometimes viruses or people use Group Policy against us and we need to reset it back to the defaults. Group Policy can control access to a number of things in Windows, from logon scripts to the screensaver settings. Resetting it is actually pretty simple, which is why you shouldn't rely on it alone to guard your network.


Group Policy

1. If you need to clear IPsec settings and software restriction settings, do these two sub-steps; otherwise go on to the second step:
a. reg delete hklm\software\policies\microsoft /f
b. regedit /s "c:\policies.reg" (where c:\policies.reg is the exported hklm\software\policies\microsoft hive of a clean or target-configured machine)
2. Issue this magical command to reset the rest of the GPO settings to their defaults (enter this all on one line):
secedit /configure /db reset /cfg "c:\windows\security\templates\setup security.inf" /overwrite
3. Delete the registry.pol file if it exists:
del c:\windows\system32\grouppolicy\machine\registry.pol

Don't forget to reboot! All the group policies should now be reset to their defaults. Works with XP, 2000, 2003 and 2008.

Use Group Policy to Change the Password for the Local Administrator Account on Multiple Machines

With the stricter security requirements that many of my customers have been facing lately, the question about how to change the local administrator password on 10s, 100s, or even 1000s of Windows machines has come up several times recently. With the introduction of Group Policy Preferences, this has become a very easy task. Here are some instructions on how to accomplish this with a minimum amount of work on the part of the administrator.

NOTES: These procedures involve making changes to group policies. Thorough testing should always be performed in a lab environment prior to making any changes to group policy in a production environment. Also, GPP’s are not supported in Windows 2000, so these procedures are only useful on XP SP2 and later operating systems.


1. Ensure that the managed clients have the update installed to support group policy preferences. These updates are on Windows Update and can also be found here: http://support.microsoft.com/?kbid=943729

2. On either a Windows Server 2008 server, or on a Vista SP1 client, enable the RSAT (Remote Server Administration) tools. On Vista SP1, they must be installed first, whereas on Server 2008 they only need to be enabled. After installing, enable them by using the Turn On Features option in the Programs and Features applet in the control panel. The RSAT tools can be downloaded here: http://support.microsoft.com/?kbid=941314  Note that just installing the update will not add anything to the Administrative Tools menu. You must also turn the feature on.

Tip: In most open windows in Vista and later operating systems, there is a search box in the upper right hand corner. If you’re not sure how or where to configure a setting, type in a keyword in the search box. In Control Panel, for example, type in something like “screensaver” (without the quotes). You will instantly see relevant settings displayed to help you modify your screensaver. You can save yourself tons of time when looking for features and settings by using this handy search capability.

3. Using the GPMC tool on either Windows Server 2008 or on the Vista SP1 machine with RSAT, note the new Preferences section when editing a group policy.

4. Under Computer Configuration, expand Preferences, Control Panel Settings, and then right-click on Local Users and Groups. Choose New, Local User.

5. Leave the Action drop-down set to Update. From the drop down box for User Name, select Administrator (built-in). Type in a password to reset the password for this account. NOTE: You MUST type in a new password for this step to work. If you do not, the changes will not be made. Optional: UNCHECK the box for Password Never Expires. The end result of these settings will be to have an expiring local password for the built-in admin account, and for the password to be changed to the new value.

You can also use this section to perform other changes, such as renaming the Administrator account or modifying other local accounts.


6. Note the additional settings available via the Common tab.

There is also a good whitepaper on this topic located here. This whitepaper covers GPP’s in more detail, along with their many capabilities.

NOTE: When using Group Policy Preferences, keep in mind that the stored password is obfuscated. From a security standpoint, it would be best to use this procedure to change the password using a separate group policy. Then, once finished, delete the group policy so that the stored password (although obfuscated) is also deleted.

Read the complete article at Jim Ratsch's Technical Ramblings: How to change the password for the local administrator account on multiple machines (the easy way without scripting)
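Since the note above says the obfuscated password stays in the GPO until that GPO is deleted, here is an added check (not from the original article) that lists the SYSVOL preference files still carrying a cpassword attribute, so the leftover GPOs can be found and removed; it assumes the GroupPolicy RSAT module and reads the domain name from the environment. Microsoft stopped the preference editor from storing new passwords with MS14-025, but GPOs created before that keep theirs until they are cleaned up.

```powershell
# Added example, not part of the original article: find GPP XML files in SYSVOL that still carry a
# stored (obfuscated) cpassword attribute, so the GPO can be deleted as the note above advises.
# Assumes the GroupPolicy RSAT module; the domain name is taken from the environment.
Import-Module GroupPolicy

$domain = $env:USERDNSDOMAIN
$sysvol = "\\$domain\SYSVOL\$domain\Policies"

# GPO folder GUID -> display name, for readable reporting (hashtable keys are case-insensitive)
$gpoNames = @{}
Get-GPO -All | ForEach-Object { $gpoNames["{$($_.Id)}"] = $_.DisplayName }

# Preference files whose items can embed a local-account or service password
$files = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'

$findings = Get-ChildItem -Path $sysvol -Recurse -Include $files -ErrorAction SilentlyContinue |
    Where-Object { Select-String -Path $_.FullName -Pattern 'cpassword="[^"]+"' -Quiet } |
    ForEach-Object {
        # The GPO's GUID is the folder directly under Policies
        $guid = if ($_.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $matches[0] } else { '?' }
        [pscustomobject]@{
            Gpo         = if ($gpoNames.ContainsKey($guid)) { $gpoNames[$guid] } else { $guid }
            File        = $_.FullName.Substring($sysvol.Length + 1)
            LastWritten = $_.LastWriteTime
        }
    }

if ($findings) {
    "GPOs still holding a stored password (remove the preference item or delete the GPO):"
    $findings | Format-Table -AutoSize
} else {
    "No stored GPP passwords found under $sysvol."
}
```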