The place where I’ve been spending most of the time the past 12 months: Jönköping

As many of you already noticed (especially my friends) I haven’t spent much time at home in Stockholm this year because of an Active Directory consolidation and migration project (DCMP as we refer to it internally) – anyway it’s been an extensive amount of traveling the past 12 months, beyond what I expected when I first signed up for this project. It has overall been an interesting project with quite some challenges: migrations/consolidations in 192 countries, 250+ DCs (logistical issues) and the list goes on.

The picture above is the view from a conference room at a hotel in Jönköping (where I spent most of the time in this project) – in total about 60 nights out of the 120 hotel nights I’ve spent the past 12 months. Thanks goes to all the people I’ve come to know working at the hotel, in the city of Jönköping (who made my stay even more enjoyable) and of course the other project members. With that being said, I’m finished with my part of the project and will hopefully spend more time at home again (I enjoy traveling to some extent :) )

Here are some travel madness facts the past 12 months (In points) – those who ever worked with me or know me well also know that I love to collect points in various bonus programs (most of them are local in Sweden)  

Scandic Hotels:  149 200 points
SJ Prio: 105 248 points
SAS EuroBonus: 58 420 points

Upgrade Active Directory from WS03 to WS08R2 – Session is now available online

For those of you that couldn’t attend Microsoft TechDays 2011 in Sweden on site: I did a session on upgrading a Windows Server 2003 Active Directory environment to Windows Server 2008 R2 with a focus on automated processes. The scripts used in this session (also available for download at this blog) were developed by the Enfo Zipper – Directory Services Team and used in a real world scenario to upgrade an enterprise customer’s forest.

The session is now available online (SV-SE, Swedish only):
Watch the video as a WMV file

Are you storing your AD-Integrated DNS Zones in the DNS Application Partitions (NCs)?

  1. Background

    Overview

    A partition is a data structure within Active Directory used to distinguish data for different replication purposes. Every domain controller contains the following three directory partitions: configuration, schema, and domain. A directory partition is also called the “naming context”. Domain controllers in the same forest but in different domains share the same configuration and schema data, but they do not share the same domain data.

    In Windows 2000, a DNS server configured to use Active Directory-integrated zones stores the zone data in the domain naming context (DNC) of Active Directory. From Windows Server 2003 onwards, application directory partitions make it possible to store and replicate DNS zones in a non-domain naming context (NDNC) of Active Directory instead.

    Every object created in the domain naming context, which includes DNS zones and nodes (DNS names, e.g., microsoft.com), is also replicated as part of the partial replica to every global catalog server in the forest.
    By using application directory partitions to store the DNS data, the DNS objects are removed from the GC altogether, which is a significant reduction in the number of objects the GC has to hold and replicate.

    Furthermore, when the DNS zone data is stored in the domain naming context (as in Windows 2000) it is replicated to every DC in the domain, whether or not a DNS server runs on that DC. In this case full domain-wide replication is overkill.

    It would be preferable to redefine the scope of replication of the DNS zone data to only the subset of DC’s in the domain that actually run DNS.
    This can be done with domain-wide application directory partitions. Additionally, an application directory partition that is replicated to all DNS servers in the forest can be used for zones like _msdcs.<forestname> which should be visible to the entire forest.

    This is ideal because all DC’s register their DsaGuid CNAME resource record in the _msdcs.<forestname> zone.

     

    Zone Replication Options

    There are four replication options for Active Directory-integrated DNS zones. These can be selected when the zone is created or when the administrator wants to change the storage method for an existing zone. When deciding which replication option to choose, consider that the broader the replication scope, the greater the network traffic caused by replication. For example, if the administrator chooses to have Active Directory-integrated DNS zone data replicated to all DNS servers in the forest, this will produce greater network traffic than replicating the DNS zone data to all DNS servers in a single Active Directory domain in that forest. The following table describes zone replication options.

    Table 1.1 Zone Replication Option Descriptions

    Domain partition
    Replication scope: the Active Directory domain partition of each domain in the forest. DNS zones stored here are replicated to all domain controllers in the domain, whether or not they run DNS. This is the only Active Directory storage option for DNS zones that must be replicated to domain controllers running Windows 2000 Server.

    Forest-wide DNS application directory partition (ForestDnsZones)
    Replication scope: one DNS application directory partition for the entire forest. DNS zones stored here are replicated to all DNS servers running on domain controllers in the forest. The partition is created when the DNS Server service is installed on the first Windows Server 2003 or later domain controller in the forest.

    Domain-wide DNS application directory partition (DomainDnsZones)
    Replication scope: one DNS application directory partition per domain in the forest. DNS zones stored here are replicated to all DNS servers running on domain controllers in that domain. For the forest root domain the partition is created when the DNS Server service is first installed on a Windows Server 2003 or later domain controller in the forest; for each new (child) domain it is created when the DNS Server service is first installed on a Windows Server 2003 or later domain controller of that domain.

    Custom DNS application directory partition
    Replication scope: any domain controller that is enlisted in the partition. This type of partition does not exist by default; it must be created (dnscmd /CreateDirectoryPartition) and the DNS servers must be enlisted in it explicitly (dnscmd /EnlistDirectoryPartition). DNS zones stored here are replicated to all DNS servers running on domain controllers that are enlisted in the partition.

    Note: DNS zones stored in application directory partitions cannot be accessed by Windows 2000 Server domain controllers.

    Forest-Wide Replication

    In a multi-domain forest one can argue that replicating every DNS zone to every DNS server causes excessive replication traffic. The trade-off is ease of administration and deployment: in organisations without a dedicated DNS team, configuring DNS for Active Directory is where most mistakes are made, and the best solution is then the simplest one. That is why I consider forest-wide replication the best option for any Active Directory-integrated zone. If every zone is replicated to all DNS servers in the forest, no stub zones, secondary zones or forwarders are needed for internal name resolution within the forest, and every DNS server answers authoritatively for every internal zone. The cost is that each zone now replicates to every DNS server in the forest, so weigh the decision against the number of zones and DNS servers and the link speed to the remote sites that host them.

     

    Default DNS Application Directory Partitions

    Before any of the forest or domain wide application partition replication options can be used, the DNS application directory partitions must be created within Active Directory. By default, when the DNS Server service is started, it will attempt to locate and create (if necessary) the default DNS application directory partitions (ForestDnsZones.DnsForestName and DomainDnsZones.DnsDomainName) in Active Directory.

    However, if the DNS Server service is unable to do this, an Enterprise Administrator can manually create the DNS application directory partitions as discussed below.

    Note: Enterprise Admin credentials are required to create an application directory partition.

    It would be ideal for the DNS server to create the application partitions with the administrator’s credentials while DNS is installed and configured by DcPromo, but this is impossible because Active Directory is not available on the new domain controller until the computer has rebooted. To work around this, the following is implemented (this also applies when the DNS Server service is installed on a computer that already is a DC):

    When a DNS server detects on startup that the forest-wide and/or domain-wide application partitions do not exist, it attempts to create them.

    If this fails (which is usually the case, since the DNS Server service runs as Local System and lacks the Enterprise Admin rights required), a separate process waits for the first interactive logon, notifies the DNS server that a user has logged on and hands it the credentials of that user.

    The DNS server then checks again whether the forest-wide and domain-wide application partitions exist. If at least one of them does not, it attempts to create the missing partitions for its own domain and forest using the logged-on user’s credentials. In practice the partitions are therefore only created once a user with Enterprise Admin rights logs on interactively to a DNS server, so after promoting the first Windows Server 2003 or later DC it is worth verifying that both default partitions actually exist.
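    A quick way to verify the above, as an added example that is not part of the original post: the script below lists the DNS application directory partitions that exist in the forest, which DCs are enlisted in each, and which store (domain partition, DomainDnsZones or ForestDnsZones) every Active Directory-integrated zone currently lives in. It uses plain ADSI/LDAP so it runs with Windows PowerShell 2.0 on a Windows Server 2008 R2 DC without the later DnsServer module. It assumes that $Server is a DC that also runs the DNS Server service (otherwise the DNS partitions are not hosted there and cannot be searched) and that the account can read the Configuration NC and the DNS partitions, which any authenticated user can by default.

```powershell
# Added example, not part of the original post: inventory the DNS application
# directory partitions, the DCs enlisted in each, and the store of every
# AD-integrated zone. Plain ADSI/LDAP, Windows PowerShell 2.0 compatible.
# Assumption: $Server is a DC that is also a DNS server; default read rights.

$Server   = $env:COMPUTERNAME
$rootDse  = [ADSI]"LDAP://$Server/RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$schemaNc = [string]$rootDse.schemaNamingContext
$domainNc = [string]$rootDse.defaultNamingContext
$forestNc = [string]$rootDse.rootDomainNamingContext

function Get-DnsApplicationPartition {
    # Every naming context has a crossRef object under CN=Partitions. Application
    # partitions have FLAG_CR_NTDS_NC (1) set and FLAG_CR_NTDS_DOMAIN (2) clear,
    # and are neither the configuration nor the schema NC.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/CN=Partitions,$configNc"
    $searcher.Filter = "(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=1))"
    foreach ($p in "nCName", "systemFlags", "dnsRoot", "msDS-NC-Replica-Locations") {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    foreach ($r in $searcher.FindAll()) {
        $nc = [string]$r.Properties["ncname"][0]
        if (([int]$r.Properties["systemflags"][0] -band 2) -or $nc -eq $configNc -or $nc -eq $schemaNc) { continue }
        # msDS-NC-Replica-Locations holds the NTDS Settings DN of each enlisted DC:
        # CN=NTDS Settings,CN=<DC name>,CN=Servers,CN=<site>,... -> keep the DC name
        $dcs = @($r.Properties["msds-nc-replica-locations"] | ForEach-Object { ($_ -split ',')[1] -replace '^CN=' })
        New-Object PSObject -Property @{
            Partition   = [string]$r.Properties["dnsroot"][0]   # e.g. ForestDnsZones.<forestname>
            NCName      = $nc
            EnlistedDCs = ($dcs | Sort-Object) -join ', '
        }
    }
}

function Get-AdIntegratedDnsZoneStore {
    # Where a zone's dnsZone object sits decides its replication scope:
    #   CN=MicrosoftDNS,CN=System,<domain NC>         -> every DC in the domain (Windows 2000 style)
    #   CN=MicrosoftDNS,DC=DomainDnsZones,<domain NC> -> DNS servers in the domain
    #   CN=MicrosoftDNS,DC=ForestDnsZones,<forest NC> -> DNS servers in the forest
    $stores = @{
        "Domain partition (all DCs in domain)"   = "CN=MicrosoftDNS,CN=System,$domainNc"
        "DomainDnsZones (DNS servers in domain)" = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainNc"
        "ForestDnsZones (DNS servers in forest)" = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestNc"
    }
    foreach ($store in $stores.Keys) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]"LDAP://$Server/$($stores[$store])"
        $searcher.Filter = "(objectClass=dnsZone)"
        $searcher.SearchScope = "OneLevel"
        [void]$searcher.PropertiesToLoad.Add("name")
        try {
            # FindAll() is lazy; the LDAP search runs when the results are enumerated
            foreach ($r in $searcher.FindAll()) {
                $zone = [string]$r.Properties["name"][0]
                # RootDNSServers (root hints/cache) and "..TrustAnchors" are not real zones
                if ($zone -eq "RootDNSServers" -or $zone.StartsWith("..")) { continue }
                New-Object PSObject -Property @{ Zone = $zone; Store = $store }
            }
        } catch {
            # Typical cause: the partition does not exist yet, or $Server does not host it
            Write-Warning "Cannot read $($stores[$store]) on ${Server}: $($_.Exception.Message)"
        }
    }
}

Get-DnsApplicationPartition | Format-Table Partition, EnlistedDCs -AutoSize
Get-AdIntegratedDnsZoneStore | Sort-Object Store, Zone | Format-Table Zone, Store -AutoSize
```

    If ForestDnsZones or DomainDnsZones is missing from the first table, nobody with Enterprise Admin rights has yet logged on interactively to a DNS server since the first Windows Server 2003 or later DC was promoted; any zone that shows up under the domain partition in the second table is still replicated to every DC in the domain and is a candidate for the change described in section 3.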

     

  2. Operation Implementation Prerequisites

    Active Directory Integrated DNS Zones

    Only Active Directory-integrated zones can be stored in application directory partitions; secondary zones and other file-based zone types cannot be stored in Active Directory at all. I recommend leaving such zones unchanged, stored the way they are today, while the Active Directory-integrated zones are moved to the application directory partitions (unless there is a specific reason not to).

    Windows 2000 Server Domain Controllers

    DNS zones stored in application directory partitions cannot be accessed by Windows 2000 Server domain controllers. Technically, in a multi-domain forest, a domain whose domain controllers all run Windows Server 2003 or later can use its domain-wide DNS application directory partition even if Windows 2000 Server domain controllers remain in other domains of the forest.

    However, I recommend that the entire forest consists of Windows Server 2003 or later domain controllers and that all Windows 2000 Server domain controllers are removed before DNS application directory partitions are implemented (you should not be running Windows 2000 anyway, since it is out of support).

    Active Directory Replication Health

    I recommend verifying Active Directory replication health before the implementation, using repadmin (repadmin /showrepl /v on each DC, or repadmin /replsummary for a forest-wide overview of failures and latency). A zone moved into a partition that is not replicating cleanly simply stops being updated on the affected DNS servers, which is much harder to diagnose after the change than before it.

     

  3. Operation Implementation Details

    This section outlines the steps required to implement DNS application directory partitions and/or move DNS zones into them.

     

    The operation requires Domain Admins or DnsAdmins rights in the domain that owns the zone; creating a missing application directory partition additionally requires Enterprise Admins rights (see above).

    Change replication option of existing Active Directory-Integrated Zones

    Using the DNS Manager MMC to perform the change:

    1. Open DNS.
    2. In the console tree, right-click the applicable zone, and then click Properties.
    3. On the General tab, note the current zone replication type, and then click Change.
    4. Select To all DNS servers in this forest (the forest-wide DNS application directory partition), and then click OK.

     

    Using the command line to perform the change:

    dnscmd <ServerName> /ZoneChangeDirectoryPartition <ZoneName> <NewPartitionName>

    ServerName is the DNS server to run the command against, ZoneName the zone to move, and NewPartitionName the FQDN of the DNS application directory partition where the zone will be stored (for example ForestDnsZones.<forestname>). For the two default partitions /forest or /domain can be given instead of the FQDN, and /legacy moves a zone back to the domain partition.

How do I store a conditional forwarding zone in Active Directory in Windows Server 2003

This is easy in Windows Server 2008 R2 and later: when you create a new conditional forwarder in DNS Manager, select Store this conditional forwarder in Active Directory, and replicate it as follows, and choose one of:

  • All DNS Servers in this forest
  • All DNS Servers in this domain
  • All Domain controllers in this domain (for Windows 2000 compatibility)

On Windows Server 2003 you can still store a conditional forwarder in the directory with, say, the replication scope All DNS servers in this forest, but not from the DNS Manager UI. You have to use the dnscmd command line tool as follows:

  • Run the following command to create a directory-integrated conditional forwarder (replace <ForestRootDomain> with the DNS name of the domain whose queries are to be forwarded, and IPtoNS1 IPtoNS2 with the IP addresses of the name servers authoritative for it):
    dnscmd %computername% /ZoneAdd <ForestRootDomain> /DsForwarder IPtoNS1 IPtoNS2 /DP /forest

     

    Note:
    If the above command fails, it is most likely because the forwarder already exists, either as a file-based forwarder on the DNS server you run the command on or as a directory-based forwarder. (A directory-based forwarder may already exist with domain-wide scope in any domain of the forest; in that case either convert it in place with /ZoneResetType <name> /DsForwarder <IPs> /DP /forest or delete and re-create the forwarder.)
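The two dnscmd operations from the previous post and this one, moving an existing Active Directory-integrated zone to the forest-wide partition and creating a directory-integrated conditional forwarder, wrapped into idempotent PowerShell functions as an added example (not the original post’s code). The functions assume they run on a DC that is also a DNS server, as Domain Admins or DnsAdmins, and that dnscmd returns a non-zero exit code when a command fails, which is how the “forwarder already exists” case from the note above is detected and handled with /ZoneResetType. The zone and forwarder names at the bottom are placeholders; run with -DryRun first to see the commands without executing them.

```powershell
# Added example, not from the original post: idempotent wrappers around dnscmd
# for /ZoneChangeDirectoryPartition and directory-integrated conditional
# forwarders. Assumptions: local DC runs the DNS Server service, caller is
# DnsAdmins/Domain Admins, dnscmd exit code is non-zero on failure.

$Server = $env:COMPUTERNAME

function Invoke-DnsCmd {
    param([string[]]$Arguments, [switch]$DryRun)
    $cmdLine = "dnscmd $Server " + ($Arguments -join ' ')
    if ($DryRun) { Write-Host "DryRun: $cmdLine"; return 0 }
    $output = & dnscmd $Server @Arguments 2>&1
    $output | ForEach-Object { Write-Verbose $_ }
    return $LASTEXITCODE
}

function Test-DnsZone {
    # /ZoneInfo succeeds only if the zone (or forwarder) exists on this server
    param([string]$ZoneName)
    return ((Invoke-DnsCmd -Arguments @("/ZoneInfo", $ZoneName)) -eq 0)
}

function Move-DnsZoneToForestPartition {
    # Changes the replication scope of an existing AD-integrated zone to the
    # forest-wide partition. File-based zones cannot be moved; check first.
    param([string]$ZoneName, [switch]$DryRun)
    if (-not (Test-DnsZone $ZoneName)) { throw "Zone $ZoneName does not exist on $Server" }
    $rc = Invoke-DnsCmd -Arguments @("/ZoneChangeDirectoryPartition", $ZoneName, "/forest") -DryRun:$DryRun
    if ($rc -ne 0) { throw "dnscmd /ZoneChangeDirectoryPartition failed for $ZoneName (exit code $rc)" }
}

function New-DsConditionalForwarder {
    # Creates the forwarder as a dnsZone object in ForestDnsZones. If a forwarder
    # for the name already exists (file-based here, or DS-based with domain-wide
    # scope) /ZoneAdd fails, so fall back to /ZoneResetType, which converts it.
    param([string]$ForwardedDomain, [string[]]$MasterServers, [switch]$DryRun)
    $verb = "/ZoneAdd"
    if (Test-DnsZone $ForwardedDomain) {
        Write-Warning "$ForwardedDomain already exists on $Server; converting it with /ZoneResetType"
        $verb = "/ZoneResetType"
    }
    $dnsArgs = @($verb, $ForwardedDomain, "/DsForwarder") + $MasterServers + @("/DP", "/forest")
    $rc = Invoke-DnsCmd -Arguments $dnsArgs -DryRun:$DryRun
    if ($rc -ne 0) { throw "dnscmd $verb failed for $ForwardedDomain (exit code $rc)" }
}

# Placeholder names and addresses; replace with your own and drop -DryRun when satisfied
Move-DnsZoneToForestPartition -ZoneName "corp.example" -DryRun
New-DsConditionalForwarder -ForwardedDomain "partner.example" -MasterServers "192.0.2.53", "192.0.2.54" -DryRun
```

Because both functions check for the zone on the local server only, run them on a DNS server that already hosts the ForestDnsZones partition; a zone or forwarder that exists only in another domain’s DomainDnsZones partition is not visible here and will surface as a failed /ZoneAdd, which is exactly the case the note above describes.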

Upgrade Active Directory from WS03 to WS08 R2 – Sample Scripts

The sample scripts are provided “AS-IS” with no warranties.

Table 1.1 Upgrade Active Directory from WS03 to WS08 R2 Sample Scripts

CopyLogs.VBS: Backs up all event logs and stores them in C:\migdata.

GetDHCPConfig.BAT: Backs up the DHCP database and the DHCP Server configuration and stores them in C:\migdata.

GetDNSConfig.BAT: Backs up non-Active Directory-integrated primary zones and stores them in C:\migdata.

GetIASConfig.VBS: Requires that iasmigreader.exe has been run first (the tool is on the Windows Server 2008 R2 DVD under sources\dlmanifests\microsoft-windows-iasserver-migplugin). The script moves the exported IAS configuration to C:\migdata.

GetIPConfig.BAT: Saves the current IP configuration to a text file in C:\migdata.

GetPrefBH.VBS: Locates preferred bridgehead servers, which can cause replication issues during domain controller replacement.

GetTombstone.VBS: Determines the current tombstone lifetime; if it is less than 180 days, we recommend setting it to 180 days.

RetireDC.cmd: Renames a demoted Windows Server 2003 domain controller to its current name with the suffix _RET (retired) and configures it to acquire an IP address from DHCP.

RunDcPromo.VBS: A wrapper around DCPROMO to demote a Windows Server 2003 DC. It has a feature to work around the “NETLOGON timeout bug”.

SetDHCPConfig.BAT: Reads and restores the previously backed up DHCP database and DHCP Server configuration from C:\restore.

SetDNSConfig.BAT: Reads and restores the previously backed up non-Active Directory-integrated DNS zones from C:\restore.

SetIASConfig.BAT: Reads and imports the previously backed up IAS configuration in C:\restore into NPS.

unattend_demote.txt: Contains environment-specific parameters that need to be changed to reflect your environment. The file is used to demote Windows Server 2003 DCs.

unattend_first.txt: Contains environment-specific parameters that need to be changed to reflect your environment. The file is used to promote the first Windows Server 2008 R2 DC.

unattend_promote.txt: Contains environment-specific parameters that need to be changed to reflect your environment. The file is used to promote additional Windows Server 2008 R2 DCs using IFM.

Upgrade Active Directory from WS03 to WS08 R2

First of all thanks to everyone that attended my session “Upgrade Active Directory from WS03 to WS08 R2” at Microsoft TechDays 2011 in Sweden. For those of you that couldn’t attend on site: I did a session on upgrading a Windows Server 2003 Active Directory environment to Windows Server 2008 R2 with a focus on automated processes. The scripts used in this session (also available for download at this blog) were developed by the Enfo Zipper – Directory Services Team and used in a real world scenario to upgrade an enterprise customer’s forest.

FYI: The session will be available online later during the spring.

 

Note: The steps below, including the sample scripts, are provided “AS-IS” with no warranties. Some of the sample scripts depend on the Windows Support Tools for Windows Server 2003 Service Pack 2 being installed on all domain controllers.

 

Table 1.1 Upgrade Active Directory from WS03 to WS08 R2 Sample Scripts: the scripts are the ones listed in the “Sample Scripts” post above.

In addition to the presentation slides I will also share some additional information about compatibility between a forest/domain running Windows Server 2003 DCs and one running Windows Server 2008 R2, and how this can affect LOB applications, services and your business.

 


Prepare a new Windows Server 2008 R2 Domain Controller

 


Operating System Configuration

 

We generally recommend that customers apply their standard Windows Server 2008 R2 Standard Edition image, as long as the desired domain controller configuration (disk layout, unnecessary agents uninstalled) is applied on top of it.
Note: If you are going to reuse the name of the Windows Server 2003 DC you are replacing, assign a temporary name now; the name is swapped after the old DC has been demoted and renamed.

 

The following hotfixes should be installed to prevent known issues when introducing Windows Server 2008 R2 domain controllers:

Note: The listed hotfixes must be installed before the machine is promoted to domain controller, unless Windows Server 2008 R2 Service Pack 1 is applied.

 

Table 3.2 Required Domain Controller Hotfixes before promotion

KB 977158 (http://go.microsoft.com/fwlink/?LinkId=178225): Windows Server 2008 R2 dynamic DNS updates to BIND servers log NETLOGON event 5774 with error status 9502
KB 974639 (http://go.microsoft.com/fwlink/?LinkId=165961): Event ID 1202 logged with status 0x534 if security policy modified
KB 2001086 (http://go.microsoft.com/fwlink/?LinkId=178226): TimeZoneKeyName registry entry name is corrupt on 64-bit upgrades
KB 2005074 (http://go.microsoft.com/fwlink/?LinkId=185205): Event ID 1988 logged in Directory Service log after schema update
KB 832223 (http://go.microsoft.com/fwlink/?LinkId=186576): Windows Server 2008 R2 DNS servers that use root hints are unable to resolve some DNS queries
KB 978055 (http://go.microsoft.com/fwlink/?LinkId=185219): Windows Server 2008 R2 domain controllers fail to authenticate DES-enabled clients
KB 977073 (http://go.microsoft.com/fwlink/?LinkId=186934): Digest authentication fails on a Windows XP or Windows Server 2003 member server when authenticating against a Windows Server 2008 R2 domain controller

 

In addition to these hotfixes, we recommend that the machine is brought to the approved patch level of the organization before it is promoted.

 

 

  1. Replace an existing Windows Server 2003 Domain Controller

    DHCP Service
    If the domain controller also acts as a DHCP server, log on using Domain Admins or DHCP Administrators credentials (the latter also requires the Allow log on locally right).
    Use the following steps to back up the DHCP database:

    1. Click Start, click Run, type cmd in the Open box, and then click OK.
    2. Type md C:\migdata and press Enter.
    3. Type net use X: \\server\projectshare <TBD> and press Enter.
    4. Type cd /d X:\scripts and press Enter.
    5. Type GetDHCPConfig.BAT -export and press Enter.

    Note: While the export runs, the DHCP Server service is stopped and does not respond to clients seeking new leases or lease renewals. (Verify that there is another DHCP server with overlapping scopes in the same site, or that the service interruption is approved.)

 

DNS Service

If the domain controller also acts as a DNS server and hosts additional non-Active Directory-integrated zones, those zones must be backed up separately. (Active Directory-integrated zones are stored in Active Directory and are replicated to the destination domain controller.)

Log on using Domain Admins or DnsAdmins credentials (the latter also requires the Allow log on locally right). Use the following steps to back up the non-Active Directory-integrated zones:

    1. Click Start, click Run, type cmd in the Open box, and then click OK.
    2. Type md C:\migdata and press Enter (if not already created in a previous step).
    3. Type net use X: \\server\projectshare <TBD> and press Enter (if not already mapped in a previous step).
    4. Type cd /d X:\scripts and press Enter.
    5. Type GetDNSConfig.BAT and press Enter.

    Note: While the export runs, the DNS Server service is stopped and started.

 

Event Logs

We recommend backing up the event logs of the domain controller prior to the replacement, since they help with troubleshooting afterwards.

    1. Click Start, click Run, type cmd in the Open box, and then click OK.
    2. Type md C:\migdata and press Enter (if not already created in a previous step).
    3. Type net use X: \\server\projectshare <TBD> and press Enter (if not already mapped in a previous step).
    4. Type cd /d X:\scripts and press Enter.
    5. Type cscript CopyLogs.vbs and press Enter (verify that the logs were successfully backed up).

 

TCP/IP Settings

Save the TCP/IP configuration so it can be applied to the destination domain controller.

    1. Click Start, click Run, type cmd in the Open box, and then click OK.
    2. Type md C:\migdata and press Enter (if not already created in a previous step).
    3. Type net use X: \\server\projectshare <TBD> and press Enter (if not already mapped in a previous step).
    4. Type cd /d X:\scripts and press Enter.
    5. Type GetIPConfig.bat and press Enter.

 

System State Backup

Ensure there are enough healthy system state backups before proceeding to the next step.

Copy the configuration captured in the previous steps to the project share:

    1. Type net use X: \\server\projectshare <TBD> and press Enter (if not already mapped in a previous step).
    2. Type xcopy C:\migdata X:\DCs\%computername% /E /I and press Enter.

 

Directory Services

This is the final step and the point of no return: the Windows Server 2003 domain controller is demoted to a member server, no longer acts as a Directory Service Agent (DSA) or replication partner, and no longer keeps a copy of the directory database.

Enfo Zipper recommends running the demotion unattended and automated to avoid mistakes and errors.

    1. Click Start, click Run, type cmd in the Open box, and then click OK.
    2. Type net use X: \\server\projectshare <TBD> and press Enter (if not already mapped in a previous step).
    3. Type cd /d X:\scripts and press Enter.
    4. Type cscript RunDcPromo.VBS and press Enter. (The demotion now starts; wait while the Windows Server 2003 domain controller is demoted and restarts.)

 

Decommissioning

Log on to the server as the local administrator using the password specified in the unattend_demote.txt file above and either shut the server down or disconnect it from the network. For safety we recommend renaming the server and switching its IP address from static to DHCP before the shutdown, so that the retired machine can never be powered on again with the name and address the replacement domain controller is about to take over.

    1. Click Start, click Run, type cmd in the Open box, and then click OK.
    2. Type netdom renamecomputer %computername% /NewName:%computername%_retired and press Enter.
       Note: The NetBIOS name is limited to 15 characters, so with long names the _retired suffix is truncated; choose a suffix that still makes the name unique.
    3. Type netsh interface ip set address "Local Area Connection" dhcp and press Enter.
       Note: The name “Local Area Connection” may differ from server to server.
    4. Type shutdown -s -t 0 and press Enter.

 

 


  2. Promote a new Windows Server 2008 R2 Domain Controller

    Configure TCP/IP Settings and Names
    Log on locally to the server and take the following steps to restore the name and TCP/IP settings of the retired Windows Server 2003 domain controller that this server is intended to replace:

      1. Click Start, click Run, type cmd in the Open box, and then click OK.
      2. Type net use X: \\server\projectshare <TBD> and press Enter.
      3. Type cd /d X:\scripts and press Enter.
      4. Type xcopy X:\DCs\<NAME OF SOURCE DC> C:\restore /E /I and press Enter.
      5. Type netdom renamecomputer %computername% /NewName:<NAME> and press Enter (if you wish to re-use the name of the retired DC; it must have been demoted and renamed first, see above).
      6. Type netsh interface ip set address "Local Area Connection" static <IP_OF_WIN2K3DC> <SUBNET_MASK> <DEFAULT_GATEWAY> and press Enter to take over the retired DC’s IP address (the values are in the text file that GetIPConfig.bat saved, now in C:\restore).
         Note: The name “Local Area Connection” may differ from server to server.
      7. Type netsh interface ip set dns "Local Area Connection" static <IP_OF_NEAREST_DC> and press Enter, so that the server resolves names through an existing domain controller during promotion (never through itself).
      8. Type shutdown -r -t 0 and press Enter.

    Promote the server to a Domain Controller
    Log on locally to the server and take the following steps to promote it to a domain controller. Enfo Zipper recommends running the promotion unattended and automated to avoid mistakes and errors.

      1. Click Start, click Run, type cmd in the Open box, and then click OK.
      2. Type net use X: \\server\projectshare <TBD> and press Enter (if not already mapped in a previous step).
      3. Type dcpromo /answer:X:\scripts\unattend_first.txt and press Enter. (The promotion now starts; wait while the Windows Server 2008 R2 domain controller is promoted and restarts.)

    Note: The answer file carries the Directory Services Restore Mode password in clear text, so restrict access to the project share to the project team and remove the answer files when the project is over.

    Verify that the promotion to Domain Controller was successful
    Log on as Domain Admin to the domain controller and take the following steps to verify that the promotion completed without errors:

      1. Review the dcpromo.log file: click Start, click Run, type notepad C:\Windows\Debug\dcpromo.log and press Enter. Search the file for the word “error”, make sure there are none, and close Notepad.
      2. Quickly review the dcpromoui.log file: click Start, click Run, type notepad C:\Windows\Debug\dcpromoui.log and press Enter. Close Notepad.

    DNS Service
    Enfo Zipper recommends that full replication has taken place before you proceed with the following step; to ensure that, run the DNSConvergeCheck script between the local domain controller and one of the domain controllers in the hub site.
    The DNSConvergeCheck script can be found at: http://go.microsoft.com/fwlink/?LinkId=135502

    Once full replication has taken place, proceed with the following commands to import the DNS zone data (non-Active Directory-integrated zones):

      1. Click Start, click Run, type cmd in the Open box, and then click OK.
      2. Type net use X: \\server\projectshare <TBD> and press Enter (if not already mapped in a previous step).
      3. Type cd /d X:\scripts and press Enter.
      4. Type SetDNSConfig.BAT and press Enter.
      5. All non-Active Directory-integrated zones should now have been restored; verify them in DNS Manager.

    DHCP Service
    Log on as Enterprise Admin (required to authorize the DHCP server in Active Directory) and take the following steps to install the DHCP Server service and restore the database and settings from the Windows Server 2003 domain controller:

      1. Click Start, click Administrative Tools, and then click Windows PowerShell Modules.
      2. Type Add-WindowsFeature DHCP and press Enter (if prompted to restart the server, do so).
      3. If a restart was required, log on again as Enterprise Admin. Click Start, click Run, type cmd in the Open box, and then click OK.
      4. Type net use X: \\server\projectshare <TBD> and press Enter (if not already mapped in a previous step).
      5. Type cd /d X:\scripts and press Enter.
      6. Type sc config dhcpserver start= auto and press Enter.
      7. Type SetDHCPConfig.BAT -import and press Enter.

    Post-Operating System Configuration
    The following hotfixes should be installed to prevent known issues when running Windows Server 2008 R2 domain controllers:

    Note: The listed hotfixes must be installed after the machine is promoted to domain controller, unless Windows Server 2008 R2 Service Pack 1 is applied.

    Table 3.6 Required Domain Controller Hotfixes after promotion

    KB 978387 (http://go.microsoft.com/fwlink/?LinkId=184915): Dcdiag fails with error code 0x621
    KB 978277 (http://go.microsoft.com/fwlink/?LinkId=184911): The specified account does not exist
    KB 978516 (http://go.microsoft.com/fwlink/?LinkId=185190): Significant delays when you read the same set of files several times
    KB 978837 (http://go.microsoft.com/fwlink/?LinkId=185191): Group Policy Management Editor window crashes when you apply some changes for NRPT policy settings

    Disable EDNS
    Disable EDNS probes to avoid resolution failures against external DNS servers and firewalls that do not support EDNS0. (This is not needed if forwarders handle all DNS queries for names outside the forest and on the Internet.)

      1. Click Start, click Run, type cmd in the Open box, and then click OK.
      2. Type dnscmd /config /EnableEDNSProbes 0 and press Enter.

    With EDNS probes off the server never advertises EDNS0 to remote servers, so any response larger than 512 bytes comes back truncated and is retried over TCP; make sure TCP port 53 is open towards the servers the DC queries directly.

    Configure Kerberos supported encryption types
    Note: this step is only required if the domain contains service accounts and/or computer accounts that are configured to use DES-only encryption.

      1. In the Group Policy Management Console (GPMC), navigate to: Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options
      2. Click to select the Network security: Configure encryption types allowed for Kerberos option.
      3. Click to select Define these policy settings and all six check boxes for the encryption types.
      4. Click OK. Close the GPMC.

    Note: The policy sets the SupportedEncryptionTypes registry entry to a value of 0x7FFFFFFF. The SupportedEncryptionTypes registry entry is at the following location:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
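    The following PowerShell script is an added example and is not part of the guide or the script package it describes. It verifies, on the promoted domain controller, the three settings the post-configuration steps above leave behind: the DHCP Server service start type, the EDNS probe setting written by dnscmd, and the Kerberos SupportedEncryptionTypes policy value. The registry locations are the ones those commands and the policy write to; the expected values are the ones the guide configures. It also decodes the encryption-type bits, because 0x7FFFFFFF keeps single DES enabled, which is only justified while the DES-only accounts mentioned in the note still exist.

```powershell
# Added example, not part of the original guide: verify the post-promotion settings
# described above on a freshly promoted Windows Server 2008 R2 domain controller.
# Run in an elevated PowerShell session on the DC (kept PowerShell 2.0 compatible).

function New-Finding([string]$Check, $Expected, $Actual, [bool]$Ok) {
    New-Object PSObject -Property @{
        Check    = $Check
        Expected = $Expected
        Actual   = $Actual
        Status   = $(if ($Ok) { 'OK' } else { 'REVIEW' })
    }
}

function Get-PostPromotionFindings {
    $findings = @()

    # 1. DHCP Server service: "sc config dhcpserver start= auto" sets StartMode to Auto.
    $dhcp = Get-WmiObject -Class Win32_Service -Filter "Name='DHCPServer'"
    if ($dhcp) {
        $findings += New-Finding 'DHCP Server start type' 'Auto' $dhcp.StartMode ($dhcp.StartMode -eq 'Auto')
    } else {
        $findings += New-Finding 'DHCP Server start type' 'Auto' 'service not installed' $false
    }

    # 2. EDNS probes: "dnscmd /config /EnableEDNSProbes 0" stores the setting under the
    #    DNS server parameters key. No value means the default (probes enabled) applies.
    $dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $edns = (Get-ItemProperty -Path $dnsParams -Name EnableEDNSProbes -ErrorAction SilentlyContinue).EnableEDNSProbes
    if ($null -eq $edns) { $ednsActual = 'not set (default: enabled)' } else { $ednsActual = $edns }
    $findings += New-Finding 'EDNS probes disabled' 0 $ednsActual ($edns -eq 0)

    # 3. Kerberos encryption types, as written by the policy in the guide (0x7FFFFFFF with
    #    all six boxes ticked). The bits are decoded so the reviewer sees that this value
    #    also keeps single DES enabled; revisit it once the DES-only accounts are gone.
    $kerbPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $etypes = (Get-ItemProperty -Path $kerbPolicy -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    if ($null -eq $etypes) {
        $findings += New-Finding 'Kerberos SupportedEncryptionTypes policy' '0x7FFFFFFF' 'not set (policy not applied)' $false
    } else {
        $bits = @(
            @{ Name = 'DES_CBC_CRC';      Mask = 0x1 },
            @{ Name = 'DES_CBC_MD5';      Mask = 0x2 },
            @{ Name = 'RC4_HMAC_MD5';     Mask = 0x4 },
            @{ Name = 'AES128_HMAC_SHA1'; Mask = 0x8 },
            @{ Name = 'AES256_HMAC_SHA1'; Mask = 0x10 }
        )
        $enabled = @($bits | Where-Object { ($etypes -band $_.Mask) -ne 0 } | ForEach-Object { $_.Name }) -join ','
        $actual  = '0x{0:X8} ({1})' -f $etypes, $enabled
        $findings += New-Finding 'Kerberos SupportedEncryptionTypes policy' '0x7FFFFFFF' $actual ($etypes -eq 0x7FFFFFFF)
        # DES bits are 0x1 and 0x2; flag them so the compatibility concession is tracked.
        $desSet = (($etypes -band 0x3) -ne 0)
        $findings += New-Finding 'Single DES allowed by Kerberos policy' 'only while DES-only accounts remain' $desSet (-not $desSet)
    }

    $findings | Select-Object Check, Expected, Actual, Status
}

Get-PostPromotionFindings | Format-Table -AutoSize
```

    Any row marked REVIEW is either a step that was skipped, or (for the DES row) a reminder that the Kerberos policy should be narrowed to the AES and RC4 types once the last DES-only service or computer account has been updated.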

Guidelines for choosing the most appropriate store for directory information

Here are some guidelines to follow when choosing the most appropriate store for placing directory information (usually requested as a schema extension, with additions of attributes and/or classes).

If a schema change is required for an enterprise-wide application, such as Exchange Server, that has a major integration (affects most objects in the forest) and requires interaction with security principals, the change probably has to take place in the main forest. However, if the schema change is required for an application that only a small population of the organization will use, you should determine whether deploying such a global change to satisfy the needs of this small population is warranted. In addition, you should analyze whether the schema change is a long-term or short-term requirement, whether the data to be hosted in the directory changes frequently, and whether it is already hosted in a different format within the forest.

In those cases you should consider an alternative directory store, such as an application-specific directory using Active Directory Lightweight Directory Services (AD LDS), to support applications that depend on schema extensions that are not desirable in the AD DS directory, for one or more reasons such as schema extensions that are only useful to a single application or only required on a short-term basis.

The following table supports the process of determining the most appropriate directory information store for a particular application/schema extension.

Description                                                                                              Points
A small population of the organization (less than 40%) will benefit from/use the schema extension        2
Schema extension is deployed on a short-term basis (application/system lifecycle of 2 years or less)     2
Schema extension will host data already available in AD DS                                               8
Schema extension will store more than 256k on a single object                                            3
Schema extension will introduce non-optimizable LDAP queries                                              4
Schema extension OIDs can’t be verified                                                                  12

If the schema extension scores more than 3 points in the table above, I advise choosing Active Directory Lightweight Directory Services (AD LDS) as the directory information store over Active Directory Domain Services (AD DS).

Identity Management Strategy Ideas

I recommend that most customers implement an identity life-cycle management process to provision and de-provision identities, where those identities and their associated data flow in automatically, on a best-effort basis, from an authoritative data source, with the ability for approved managers to use a manual process to fill in missing data in existing identities (there is usually no way to fully automate all scenarios in large enterprises) or to request new identities outside the automated flow. I also believe that adding self-service to the flow, so that end users can complement any missing data, will enhance the overall identity quality.

Here are some general ideas and recommendations:

·        FTE – Full Time Employees. Best-effort HR-driven provisioning and de-provisioning, with the ability for approved managers to request an identity before it becomes available in the HR system; once the identity appears in the HR system it is merged with the one requested beforehand by the manager.

FTEs should be able, to some extent, to modify/correct the data about their own identity(s) using a self-service portal, such as adding a cell-phone number. Security mechanisms, compliance management and approved managers should have the ability to quarantine identities and keep them on hold.

The de-provisioning process should be HR-driven, and identities should be archived upon termination of employment so that tracking possibilities remain and approved managers are able to access/transfer remaining work associated with the identity(s).

·        Vendors and Contractors. Best-effort sponsor-driven provisioning and de-provisioning, where the sponsor (the person responsible for contracting the vendor/contractor) approves and provides a central repository with the required information for external users; the end date of the contract should also be defined.

Vendors and contractors should have limited access to modify/correct the data about their own identity(s) using a self-service portal, such as resetting their passwords. Security mechanisms, compliance management and the sponsor should have the ability to quarantine identities and keep them on hold.

The de-provisioning process should be sponsor-driven and/or expiry-date-driven; identities should be archived so that tracking possibilities remain and the sponsor is able to access/transfer remaining work associated with the identity(s).

·        Temporary Accounts. Temporary accounts should be provisioned by approved managers, who are required to provide a central repository with the required information about the identity that will gain temporary access; defining an end date for the temporary account should be mandatory.

Temporary accounts should not have access to modify data using a self-service portal. Security mechanisms, compliance management and the managers should have the ability to quarantine identities and keep them on hold.

The de-provisioning process should be expiry-date-driven; identities should be archived so that tracking possibilities remain and approved managers are able to access/transfer remaining work associated with the identity(s).

·        Administrative Accounts. Administrative accounts should be tied to an already existing identity that controls their provisioning and de-provisioning. After that identity has been validated, either by a board and/or in conjunction with security responsibilities, an approved manager approves and provides a central repository with the required information for the administrative account.

Administrative accounts should have limited access to modify/correct the data about their own identity(s) using a self-service portal, such as resetting their passwords. Security mechanisms, compliance management and approved managers should have the ability to quarantine identities and keep them on hold.

The de-provisioning process should be driven by the already existing (regular) identity and/or expiry-date-driven; identities should be archived so that tracking possibilities remain and approved managers are able to access/transfer remaining work associated with the identity(s).

Active Directory Migration Tool version 3.2 (ADMT v3.2) has been released

ADMT v3.2 has finally been released to the public. I’m currently involved in a migration project where we consolidate 70+ forests into one corporate forest running Windows Server 2008 R2, and one of the main benefits of version 3.2 is the support for Windows Server 2008 R2.

About ADMT 3.2

ADMT v3.2 is an out-of-band tool available as a free download (in 8 languages: English, Chinese (Simplified and Traditional), French, German, Japanese, Portuguese, and Spanish) to enable customers to deploy Active Directory in the following scenarios:

·        Migration of Active Directory data from one environment to another. ADMT 3.2 specifically supports migration to Windows Server 2008 R2 with added support for Managed Service Accounts.

·        Restructuring of an Active Directory environment due to mergers, acquisitions, divestitures, consolidations, etc.

From the download page:

Overview

The Active Directory Migration Tool version 3.2 (ADMT v3.2) simplifies the process of migrating objects and restructuring tasks in an Active Directory® Domain Service (AD DS) environment. You can use ADMT v3.2 to migrate users, groups, service accounts, and computers between AD DS domains in different forests (inter-forest migration) or between AD DS domains in the same forest (intra-forest migration). ADMT can also perform security translation (to migrate local user profiles) when performing inter-forest migrations.

System Requirements

·        Supported Operating Systems: Windows Server 2008 R2

·        ADMT can be installed on any computer capable of running the Windows Server 2008 R2 operating system, unless they are Read-Only domain controllers or in a Server Core configuration.

·        Target domain: The target domain must be running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2

·        Source domain: The source domain must be running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2

·        The ADMT agent, installed by ADMT on computers in the source domains, can operate on computers running Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

You can download ADMT v3.2 here

Preparing for Microsoft TechDays 2010

So it’s been almost a year since I posted to the blog. (Lots of things have happened since then; I will try to catch up with the most interesting things that I think are worth sharing.) It’s early in the morning and I have spent the entire night playing with Direct Access, Network Access Protection and Server/Domain Isolation in combination. I will speak at Microsoft TechDays (in Örebro) next week, in one session together with Danwei Tran, Evangelist at Microsoft and also a very good friend of mine. The concept of the session is to drill down into the topic “How to take advantage of Windows 7 and Windows Server 2008 today”. Most sessions I’ve seen on Windows Server 2008 R2 and Windows 7 speak about new technology and features, how cool it is and how easy it is to implement, without taking the existing legacy environment into consideration. It’s like: who? Doesn’t everyone flatten their environment and rebuild it with the latest bits as soon as they get released from Microsoft?

Back to our reality: we’re going to be stuck with previous releases for about another decade. So how do we integrate and take advantage of technology released with Windows 7 and Windows Server 2008 R2 today? The session covers:
– How to benefit from BitLocker Drive Encryption enhancements in Windows 7, without touching your server infrastructure.
– How Authentication Assurance leverages security (even for your down-level clients) by only upgrading your domain controllers to Windows Server 2008 R2.
– How to integrate my existing deployments of NAP and DI/SI with Direct Access in Windows 7 and Windows Server 2008 R2, and why should I?
If this sounds interesting, look for the session: Take advantage of Windows 7 & Windows Server 2008 R2

For those who are looking forward to hearing me speak about AD again, I’m sorry, I don’t do any sessions on AD this year at TechDays, but of course I will be around to discuss AD as much as you want; you will probably find me where you find the bar :)