Tech Info's

Microsoft Windows, RedHat and VMware Virtualization Platform

Archive for October, 2011

For Active Directory Administrators – Monitoring Replication Status (Daily)

Posted by Prashanth P on October 23, 2011


Either run the following Repadmin commands manually, or put them in a .bat file and schedule it to run daily.

c:\>Repadmin /replsummary /bysrc /bydst /sort:delta >"replication summary.txt"

c:\>Repadmin /showrepl * /csv /errorsonly >showrepl.csv

Note: It is better to run the above-mentioned commands with Enterprise Admin credentials.
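An added example (not part of the original post) of what the scheduled job can do with the CSV: it parses repadmin /showrepl * /csv output and lists replication links that are failing or whose last success is older than a threshold. The sample rows, the function name Get-ReplicationProblem and the 24-hour threshold are constructed for illustration; it reads the full output rather than /errorsonly so that stale links with zero failures also show up.

```powershell
# Added example: triage the CSV written by "repadmin /showrepl * /csv".
# $sample is constructed data; site, DC and domain names are placeholders.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,SiteA,DC01,"DC=example,DC=test",SiteA,DC02,RPC,0,0,2011-10-23 06:00:12,0
showrepl_INFO,SiteA,DC01,"CN=Configuration,DC=example,DC=test",SiteB,DC03,RPC,14,2011-10-23 05:45:10,2011-10-21 22:14:03,1722
showrepl_INFO,SiteB,DC03,"DC=example,DC=test",SiteA,DC01,RPC,0,0,2011-10-20 01:02:03,0
'@

function Get-ReplicationProblem {
    param(
        [Parameter(Mandatory = $true)] [string[]] $CsvLine,
        [datetime] $Now = (Get-Date),
        [int] $MaxAgeHours = 24          # hypothetical threshold, tune per site topology
    )
    foreach ($row in ($CsvLine | ConvertFrom-Csv)) {
        $reason = $null
        $last   = [datetime]::MinValue
        $parsed = [datetime]::TryParseExact($row.'Last Success Time', 'yyyy-MM-dd HH:mm:ss',
            [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::None, [ref]$last)

        if ($row.showrepl_COLUMNS -eq 'showrepl_ERROR') {
            # repadmin marks rows it could not collect with showrepl_ERROR in the first column
            $reason = 'DC could not be queried'
        } elseif ([int]$row.'Number of Failures' -gt 0) {
            $reason = "failing, last status $($row.'Last Failure Status')"
        } elseif (-not $parsed) {
            $reason = 'no recorded successful replication'
        } elseif (($Now - $last).TotalHours -gt $MaxAgeHours) {
            $reason = "last success older than $MaxAgeHours h"
        }
        if ($reason) {
            $row | Add-Member -MemberType NoteProperty -Name Reason -Value $reason -PassThru |
                Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Success Time', Reason
        }
    }
}

# Offline run against the constructed sample, with a fixed clock:
Get-ReplicationProblem -CsvLine ($sample -split "`r?`n") -Now ([datetime]'2011-10-23 07:00:00')
# Live run on a machine that has repadmin:
# Get-ReplicationProblem -CsvLine (repadmin /showrepl * /csv)
```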


How to raise Active Directory domain and forest functional levels

Posted by Prashanth P on October 22, 2011


Microsoft's detailed article on how to raise Active Directory domain and forest functional levels:

http://support.microsoft.com/kb/322692


Schema Upgrade from Windows Server 2003 to Windows Server 2008 R2 Testing Plan in ISONet Network

Posted by Prashanth P on October 19, 2011


Schema Upgrade from Windows Server 2003 to Windows Server 2008 R2 for Testing purpose in ISONet Network. Here we are only performing Schema Preparation, Domain Preparation and Group Policy Preparation for Windows Server 2008 R2 (Read Only Domain controller Preparation will be done later during the Upgrade to Windows Server 2008 R2).

Requirements

1. Replica of the Active Directory Forest in ISONet Network.  

2. If you have multiple Domains in the Forest, we need at least one Domain Controller from each Domain in ISONet Network (better if we have 2 Domain Controllers from Root of the Forest). 

3. Full Successful Tested Backup of Active Directory Forest with all the Domains.  

4. Windows Server 2008 R2 Media (ADPREP.exe from Windows Server 2008 R2).  

5. Windows Server 2003 Support Tools for testing the Schema preparation, Domain preparation and Group Policy preparation.  

6. If the Domain Controller is Windows Server 2000 then it should have SP4 Installed.  

7. We can prepare the Schema using ADPREP.exe (for 64-bit Domain Controllers) or ADPREP32.exe (for 32-bit Domain Controllers), but Windows Server 2008 R2 itself supports only the x64 platform.  

8. Domain Functional Level should be Windows 2000 Native or Higher for preparing the Domain using ADPREP.exe and Windows Server 2003 or Higher Forest Functional Level for Promoting RODC.  

9. Credentials must be set properly for executing ADPREP.exe, as per the table below.

| Adprep.exe command | Credentials that are required to run the command |
| --- | --- |
| adprep /forestprep | Schema Admins; Enterprise Admins; Domain Admins of the domain that hosts the schema master |
| adprep /domainprep | Domain Admins |
| adprep /domainprep /gpprep | Domain Admins |
| adprep /rodcprep | Enterprise Admins |

10. ADPREP.exe execution order as per the table below.

| Command | Domain controller | Number of times to run the command |
| --- | --- | --- |
| adprep /forestprep | Must be run on the schema operations master for the forest. | Once for the entire forest |
| adprep /domainprep | Must be run on the infrastructure operations master for the domain. | Once in each domain where you plan to install an additional domain controller that runs a later version of Windows Server than the latest version that is running in the domain. |
| adprep /domainprep /gpprep | Must be run on the infrastructure operations master for the domain. If you already ran the /gpprep parameter for Windows Server 2003, you do not have to run it again for Windows Server 2008 or Windows Server 2008 R2. | Once in each domain within the forest |
| adprep /rodcprep | Can be run from any computer. This command performs operations remotely. For the operations to complete successfully, the domain naming operations master for the forest and the infrastructure operations master for each application directory partition and each domain partition must be accessible. If you already ran this command for Windows Server 2008, you do not have to run it again for Windows Server 2008 R2. | Once for the entire forest |

 

 Plan for Schema Upgrade

1. Forest Replica to be ready with at least two Domain Controllers from Root of the Forest and one Domain Controller from each Domain.  

2. Assigning the FSMO Roles properly to the Domain Controllers in each Domain (Forest wide roles on one Domain Controller and Domain wide roles on one Domain Controller in Root of the Forest). 

Using Ntdsutil.exe, DSA.msc, Domain.msc and Active Directory Schema MMC.  

3. Verifying the Forest and Domain Functional Levels. 

Using Domain.msc or Replmon.exe  

4. Verifying the FSMO Roles for the Domain Controllers. 

Using command “Netdom query fsmo” or Replmon.exe  

5. Backing up Active Directory  

Using Ntbackup or Third party backup tools. 

6. Checking the entire Forest Replication Status  

Using Repadmin.exe or Replmon.exe  

7. Running ADPREP /Forestprep 

a. Now we are ready to prepare your forest. This procedure takes a while depending on the speed of your computer so do not interrupt it. Insert your Windows Server 2008 DVD into the DVD drive on the schema master.   

b. Open a command prompt.   

c. Change your drive letter to the DVD drive. If you do not have a DVD drive on your schema master you can copy the Sources\Adprep folder to your local drive and run it from the copy.   

d. Change into the Sources\Adprep directory.   

e. Run ADPREP /forestprep.  

f. You will get a warning that you need to be running Windows 2000 SP4 or later.   

g. Type C and press Enter.   

h. You will see a series of updates from LDF files.   

i. If all goes well, you will see ADPREP successfully updated the forest-wide information. 

8. Verifying that adprep /forestprep completed successfully

When the adprep /forestprep command completes, a message appears in the Command Prompt window to indicate that Adprep has successfully updated the forest-wide information. We can also use the following procedure to verify that adprep /forestprep completed successfully.

To verify that adprep /forestprep completed successfully  

a. Log on to an administrative workstation that has ADSIEdit installed.  

b. Click Start, click Run, type ADSIEdit.msc, and then click OK.   

c. Click Action, and then click Connect to.  

d. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.  

e. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain 

Where forest_root_domain is the distinguished name of your forest root domain. 

f. Double-click CN=ForestUpdates. 

g. Right-click CN=ActiveDirectoryUpdate, and then click Properties.  

h. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK. 

i. Click ADSI Edit, click Action, and then click Connect to. 

j. Click Select a Well known naming context, select Schema in the list of available naming contexts, and then click OK.  

 k. Double-click Schema.  

l. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties 

where forest_root_domain is the distinguished name of your forest root domain. 

m. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value is set to 47, and then click OK. 

9. Running ADPREP /domainprep /gpprep 

a. Insert the Windows Server 2008 DVD.  

b. Open a command prompt.   

c. Change your drive letter to the DVD drive. 

d. Change your directory to Sources\Adprep.   

e. Run ADPREP /domainprep /gpprep.   

10. Verifying adprep /domainprep /gpprep  

When we run adprep /domainprep /gpprep we see a message that indicates that adprep /domainprep successfully updated the domain-wide information, followed by a message that indicates that Adprep successfully updated the GPO information.  

To verify that adprep /domainprep completed successfully  

a. Log on to an administrative workstation that has ADSIEdit installed.   

b. Click Start, click Run, type ADSIEdit.msc, and then click OK.   

c. Click Action, and then click Connect to.  

d. Click Select a well known Naming Context, select Default naming context in the list of available naming contexts, and then click OK. 

e. Double-click Default naming context, double-click the container that is the distinguished name of the domain, and then double-click CN=System.

f. Double-click CN=DomainUpdates, right-click CN=ActiveDirectoryUpdate, and then click Properties. 

g. If you ran adprep /domainprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK. 

To verify that adprep /gpprep completed successfully  

We can verify that the operation added the Read permission for the Enterprise Domain Controllers group on all GPOs.
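The ADSI Edit checks in steps 8 and 10 can also be read over LDAP in one pass. This is an added example, not part of the original plan: the function names Get-AdprepState and Test-AdprepState are hypothetical, the expected values are the ones stated in those steps, and it assumes a domain-joined machine and an account that can read the directory.

```powershell
# Added example: read the adprep markers over LDAP instead of browsing ADSI Edit.
# Expected values are the ones given in steps 8 and 10 for Windows Server 2008 R2.
$expected = @{ ForestRevision = 5; SchemaObjectVersion = 47; DomainRevision = 5 }

function Get-AdprepState {
    # RootDSE supplies the partition DNs, so no domain name is hard-coded.
    $root     = [ADSI]'LDAP://RootDSE'
    $configNC = [string]$root.configurationNamingContext
    $schemaNC = [string]$root.schemaNamingContext
    $domainNC = [string]$root.defaultNamingContext   # domain of the current logon

    $paths = @{
        ForestRevision      = "LDAP://CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC"
        SchemaObjectVersion = "LDAP://$schemaNC"
        DomainRevision      = "LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNC"
    }
    $attr = @{ ForestRevision = 'revision'; SchemaObjectVersion = 'objectVersion'; DomainRevision = 'revision' }

    $state = @{}
    foreach ($name in $paths.Keys) {
        try   { $state[$name] = ([ADSI]$paths[$name]).psbase.Properties[$attr[$name]].Value }
        catch { $state[$name] = $null }   # object missing or unreadable: treat as not prepared
    }
    $state
}

function Test-AdprepState {
    param([hashtable] $Observed, [hashtable] $Expected)
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        New-Object psobject -Property @{
            Check = $name; Expected = $Expected[$name]; Observed = $Observed[$name]
            Ok    = ($Observed[$name] -eq $Expected[$name])
        } | Select-Object Check, Expected, Observed, Ok
    }
}

Test-AdprepState -Observed (Get-AdprepState) -Expected $expected | Format-Table -AutoSize
```

DomainRevision reflects only the domain of the account running the script, so in a multi-domain forest run it once in each domain where adprep /domainprep was executed.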

Running adprep /rodcprep

Running the adprep /rodcprep command is optional. It is required only if you want to install an RODC in the forest. This command can be executed later, once we decide to go for an RODC in the Forest/Domain, and it requires the Forest Functional Level to be Windows Server 2003 or higher at the time of RODC promotion. This command updates the security descriptors for application directory partitions to give RODCs permission to replicate updates to the partitions. Each application directory partition has an infrastructure master. The adprep /rodcprep command must update the security descriptor for each application directory partition on the infrastructure master for that partition.

There are two application directory partitions that are created by default for Domain Name System (DNS) data: DomainDNSZones and ForestDNSZones. If the infrastructure master for either of these partitions is offline or if it has been forcefully removed from the forest, adprep /rodcprep fails with an error. In addition, this command must contact the domain naming operations master to obtain a list of the application and domain directory partitions that are in the forest. Therefore, the domain naming master must be accessible when you run this command.

Conclusion

Once the verifications described above in “Plan for Schema Upgrade” are met, the Schema Upgrade is successful. If there are errors, we have to find solutions to fix them and repeat the Schema Upgrade steps. In case of an issue with the Schema Upgrade, we can also test rollback using the backup.


My Blog…

Posted by Prashanth P on October 19, 2011


This site is all about technical information regarding Microsoft Active Directory, Microsoft Exchange & RedHat Enterprise Linux, right from Introduction to Administration, Implementation, Upgradation, Re-Structuring, Maintenance, Migration and Troubleshooting.
