Tech Info's

Microsoft Windows, RedHat and VMware Virtualization Platform


Active Directory Forest Disaster Recovery using System State Backup

Posted by Prashanth P on January 21, 2013


Pre-Requisite for Active Directory Forest Disaster Recovery

1. The OS version should be the same as on the original server.

2. The service pack level should be the same as on the original server.

3. The IE version should be the same.

4. The disk layout and size should be the same as, or larger than, the original server's.

5. In the case of VMware, VMware Tools should be installed on the machine (good to have, but not necessary).

6. The guest should be assigned static memory, processor and other resources.

7. The server should be isolated on the network, with no connectivity back to the production Active Directory environment.

8. Make sure the system state backups for the appropriate parent and child domains are made available to the respective machines.

9. The machine should be set NOT TO SYNCHRONIZE its clock with the host.

10. Windows Server 2003 R2 SP2 ISO/install media.

Lab Exercise (Steps to perform Active Directory Forest Disaster Recovery)

1. Build the lab servers as workgroup members with a basic configuration.

2. Copy the latest Active Directory system state backup to the lab servers.

Note:

Make sure the latest Active Directory system state backup has no permission restrictions (especially backups taken with third-party applications such as Quest).

3. Install the DNS service, Windows Support Tools and Admin Pack on the lab server.

4. Boot the lab server into Directory Services Restore Mode (“DSRepair” mode).

5. Recover the latest system state backup copied to the lab server, using “Advanced Options”.

Note:

a. Make sure to choose the options listed below when using the recovery “Advanced Options”.

b. Restore files to: Original Location.

c. When restoring files that already exist on your computer: Replace existing files.

d. Select the options you want to use:

i. Restore security settings.

ii. Restore junction points, but not the folders and file data they reference.

iii. Preserve existing volume mount points.

iv. When restoring replicated data sets, mark the restored data as the primary data for all replicas.

6. After the system state backup has been recovered successfully, set the boot option back to Normal and reboot the server.

7. Login to the Domain Account (Preferably Domain Admin).

8. Update the IP Address, Subnet Mask, Gateway and Preferred DNS Server IP address (Include Local Server IP address as Preferred or Alternate DNS Server).

9. Identify the Built-In Administrator Account and Reset Password.

Note:

Using the LDP tool we can find the built-in Administrator account:

a. Open LDP, connect to the server and bind with your account.

b. Switch to Tree view (enter the domain DN), then search for and select any account with admin privileges (e.g. a Domain Admin account).

c. On the right-hand side, find “objectSid”, copy it, open the Search window and paste it in place of * in “objectclass=*”.

d. Change “objectclass” to “objectsid”, set the scope to Subtree, delete the last 5 digits and replace them with 500 (the RID of the built-in Administrator account), and select the domain DN as the Base DN.

e. Search for the DN and other details (that will be the built-in administrator account).
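The SID arithmetic in step 9 can be scripted instead of done by hand in LDP. The following PowerShell is an added example, not code from the original post: it takes any account SID from the domain (string form as shown in LDP, or the raw objectSid bytes), strips the RID component and appends 500, then builds the same objectSid search filter the post describes. It goes slightly beyond the post's “delete the last 5 digits” in that it removes the whole RID whatever its length. The sample SID is constructed, and Find-BuiltinAdmin needs LDAP connectivity to the restored DC.

```powershell
# Added example (not from the original post): derive the built-in Administrator's SID
# (RID 500) from any other account's objectSid, as step 9 does by hand in LDP.
function Get-BuiltinAdminSid {
    param(
        # A string SID such as "S-1-5-21-...-1105", or the raw objectSid byte array
        # as returned by [ADSI] / DirectorySearcher.
        [Parameter(Mandatory = $true)] $ObjectSid
    )
    if ($ObjectSid -is [byte[]]) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $ObjectSid, 0
    } else {
        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList ([string]$ObjectSid)
    }
    # AccountDomainSid is the SID with the trailing RID removed (S-1-5-21-x-y-z),
    # or $null for well-known SIDs that do not belong to a domain.
    $domainSid = $sid.AccountDomainSid
    if ($null -eq $domainSid) { throw "Not a domain account SID: $sid" }
    return "$($domainSid.Value)-500"
}

# Looks the account up by the derived SID; needs connectivity to the restored DC.
# AD accepts the string form of a SID in an LDAP filter, so no binary conversion is needed.
function Find-BuiltinAdmin {
    param([Parameter(Mandatory = $true)][string]$AnySidInDomain)
    $adminSid = Get-BuiltinAdminSid $AnySidInDomain
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(objectSid=$adminSid)"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No object with SID $adminSid found" }
    return $result.Properties['distinguishedname'][0]
}

# Constructed sample SID; a real one is copied from LDP's objectSid column.
$sample = 'S-1-5-21-1004336348-1177238915-682003330-1105'
$adminSid = Get-BuiltinAdminSid $sample
"Built-in Administrator SID : $adminSid"
"LDP search filter          : (objectSid=$adminSid)"
```

Whatever the account was renamed to, the RID 500 lookup finds it, which is exactly why the post uses the SID rather than the name.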

10. Disable Global Catalog if it is enabled in Active Directory Sites and Services.

Note:

The registry also needs to be updated as described in KB 241789: http://support.microsoft.com/kb/241789

11. Increase RID Pool by 100,000.

Note:

Using Adsiedit.msc we can update the RID pool:

a. Open adsiedit.msc, expand the domain, select “CN=System” and on the right-hand side double-click “CN=RID Manager$”.

b. Add 100,000 to “rIDAvailablePool”.

12. Login to the Built-In Administrator Account.

13. Seize the FSMO roles, depending on whether this DC is the root of the forest or the root of a tree.

14. Perform metadata cleanup for the rest of the domain controllers in the domain.

Note:

a. From a command prompt, run “dsquery server > dclist.cmd”, then run “notepad dclist.cmd”.

b. Remove the DC that will remain in the environment (the one just restored) from the list.

c. Add the following as the first line of the file:

for %%a in (

d. Add the following as the last lines of the file:

) do (

NTDSUTIL "me cl" "re se se %%a" q q)

e. Save the file and run the script.

f. Reopen the same script and change the last line. Instead of the line NTDSUTIL "me cl" "re se se %%a" q q) use this line:

dsrm %%a -noprompt -q)

g. Now open AD Sites and Services and make sure the DCs are no longer listed there.
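The same two-pass cleanup (ntdsutil metadata cleanup, then dsrm of the leftover server objects) as a PowerShell function with a dry-run mode, added here as an example and not part of the original post. It assumes dsquery.exe, ntdsutil.exe and dsrm.exe from the Windows Support Tools / AdminPak are on the PATH, that it runs on the restored, isolated DC, and that you pass the server DN of the DC you are keeping; the DN shown in the usage line is a placeholder, not a value from the post.

```powershell
# Added example (not from the original post): PowerShell version of step 14's dclist.cmd loop.
function Remove-StaleDcMetadata {
    param(
        # Server object DN of the DC you restored and want to keep, e.g.
        # "CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com"
        # (placeholder; copy the real one from dsquery server output).
        [Parameter(Mandatory = $true)][string]$KeepDn,
        # Show the commands instead of running them.
        [switch]$DryRun
    )
    # dsquery server prints one quoted server DN per line: the list the post saves as dclist.cmd.
    $allDcs = dsquery server | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ }
    if ($allDcs -notcontains $KeepDn) {
        throw "KeepDn '$KeepDn' is not in the dsquery server output; refusing to continue."
    }
    $stale = @($allDcs | Where-Object { $_ -ne $KeepDn })

    $plan = @()
    foreach ($dn in $stale) {
        # Pass 1 (the post's "me cl" / "re se se"): ntdsutil metadata cleanup for that server.
        # Pass 2 (the post's edited script): remove the leftover server object itself.
        $plan += "ntdsutil `"metadata cleanup`" `"remove selected server $dn`" quit quit"
        $plan += "dsrm `"$dn`" -noprompt -q"
        if (-not $DryRun) {
            & ntdsutil "metadata cleanup" "remove selected server $dn" quit quit | Out-Host
            & dsrm $dn -noprompt -q | Out-Host
        }
    }
    return $plan   # the commands that were (or, with -DryRun, would be) executed
}

# Dry run first; then re-run without -DryRun and confirm in AD Sites and Services (step 14g).
Remove-StaleDcMetadata -KeepDn 'CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com' -DryRun
```

The check that the kept DN actually appears in the dsquery output is the one thing the batch file cannot do for you: a typo there would otherwise clean up the DC you just restored.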

15. Remove all other name server entries in the DNS server.

16. Reset the computer account password.

Note:

a. At a command prompt, type the following:

C:\> netdom resetpwd /server:<SERVER NAME> /userd:<Administrator Account> /passwordd:<password>

Note that the /passwordd switch does in fact have two “d”s.

b. Repeat the command to reset the password again.

17. Reset the “krbtgt” account password.

Note:

a. Run Active Directory Users and Computers.

b. Find the “krbtgt” account.

c. Note that you have to have Advanced options enabled to see this account.

d. Right-click on it and select Reset password. Enter a strong password.

e. Repeat to reset the password a second time, and enter a new password.

f. Close ADUC.

18. Reset all trust passwords.

Note:

a. At a command prompt, type the following:

C:\> netdom trust <NETBIOS NAME OF THE ROOT DOMAIN> /domain:<NETBIOS NAME OF OTHER DOMAIN> /resetoneside /passwordt:<new trust password> /usero:<Administrator Account> /passwordo:<password>

Caution:

This command also resets the trust password history.

b. Remember the password, as you will need to set the same password on the other side when you reset the trust from the child or other domains.

19. Configure the domain time server.

Note:

a. To check the time source configuration, execute the following command:

C:\>w32tm /dumpreg /subkey:parameters /computer:DC_Name

Note:

Where DC_Name is the name of the Domain Controller.

b. On the Domain Controller at the root of the forest, configure the NTP server.

To point the Domain Controller holding the PDC Emulator FSMO role at another time source, run:

C:\>w32tm /config /manualpeerlist:DC_Name /syncfromflags:manual /reliable:yes /update

C:\>net stop w32time

C:\>net start w32time

Note:

Replace “DC_Name” with the time source, either as an IP address or a DNS name. If more than one is needed, separate them with a space and don't forget the quotes: “time.domain.com time1.domain.com”

c. On any other Domain Controller in the forest, configure the computer for automatic domain time synchronization by running:

C:\>w32tm /config /syncfromflags:domhier /update

d. After that you have to run:

C:\>net stop w32time

C:\>net start w32time

20. Finally, after restoring the DCs of all domains, enable Global Catalog on all the Domain Controllers and check the replication status or summary.

Posted in Active Directory | Tagged: | 2 Comments »

Configuring Time Source on Active Directory

Posted by Prashanth P on November 16, 2011


Time source configuration is very important and critical for Active Directory. The time on all domain machines has to be as close together as possible, which is achieved through the hierarchy by which domain time is distributed.

It is important to know that Domain Controllers use UTC (Coordinated Universal Time) with NTP, as this is the universal standard for current time. UTC is independent of time zones and enables NTP to be used anywhere in the world regardless of time zone settings. You will not see the UTC time itself, as the time zone information stored in the computer's registry is added to the system time just before it is displayed to the user.

One Domain Controller, the DC holding the PDC Emulator FSMO (Flexible Single Master Operations) role, is the time master in the domain. By default it uses its own BIOS clock, but it should be pointed at another time source such as an NTP hardware device, a router, a layer-3 switch or an external time server that can act as a time provider.

All other Domain Controllers synchronize with this machine, and all domain member servers and domain workstations synchronize with one available DC. Therefore UDP port 123 needs to be open for NTP on all machines. In a domain, time synchronization takes place when the Windows Time service starts during system startup and periodically while the system is running. In the default configuration, the Net Logon service looks for a Domain Controller that can authenticate and synchronize time with the client. When a Domain Controller is found, the client sends a request for time and waits for a reply from the Domain Controller. This communication is an exchange of Network Time Protocol (NTP) packets intended to calculate the time offset and round-trip delay between the two computers.

Kerberos V5 authentication needs correct time to prevent “replay attacks”: Kerberos V5 uses time stamps as part of its protocol definition. For the time stamps to work properly, the clocks of the client and the Domain Controller need to be as closely in sync as possible. The default maximum time tolerance is 5 minutes; it is defined by a Group Policy setting and should not be changed.

If you do need to change the default tolerance, use the following GPO setting:

Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy -> “Maximum tolerance for computer clock synchronization”

Configurations on Windows Server 2003 or higher OS

To check the Time Source Configuration execute the below mentioned command

c:\>w32tm /dumpreg /subkey:parameters /computer:DC_Name

Note: Where DC_Name is the name of the Domain Controller.

1. To point the Domain Controller holding the PDC Emulator FSMO role at another time source, run

C:\>w32tm /config /manualpeerlist:DC_Name /syncfromflags:manual /reliable:yes /update

Please set for “DC_Name” the time source as listed above, either with its IP address or DNS name. If more than one is needed separate them with a space in between and don’t forget the quotes: “time.domain.com time1.domain.com”

2. To configure a domain computer for automatic domain time synchronization, run

C:\>w32tm /config /syncfromflags:domhier /update

After that you have to run

C:\>net stop w32time

C:\>net start w32time

3. To reconfigure the previous PDC Emulator, in case of transferring/seizing the FSMO role to another Domain Controller, run

C:\>w32tm /config /syncfromflags:domhier /reliable:no /update

After that you have to run

C:\>net stop w32time

C:\>net start w32time

4. If you have to reconfigure a Windows 2000 Server Domain Controller, the steps after transferring/seizing the PDC Emulator role to another Domain Controller are different.

You have to modify the “Type” value to “Nt5Ds” (without the quotes) under this registry key:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Note: If you have problems with the time service configuration because too many changes were made in the registry, or you would like to start fresh on a computer, you can reset the time service to its default state in the following way. Make sure to use an elevated command prompt so that you have full administrative permissions.

Then Execute the following commands

C:\>net stop w32time

C:\>w32tm /unregister

C:\>w32tm /register

C:\>net start w32time

Repeat the Steps mentioned in “Configurations on Windows Server 2003 or higher OS” as per the requirement.
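Steps 1 to 3 above differ only in which DC you are on, so the choice can be automated. The following PowerShell is an added example, not code from the original post: it reads the PDC Emulator owner from the domain naming context over LDAP, compares it with the local DC, and runs either the manual-peer configuration (step 1) or the domain-hierarchy configuration (steps 2 and 3, including /reliable:no so a former PDC Emulator stops advertising as a reliable source). It assumes it runs on a domain controller with w32tm.exe available; the default peer list is the post's “time.domain.com time1.domain.com” placeholder.

```powershell
# Added example (not from the original post): apply the post's w32tm steps according to
# whether the local DC holds the PDC Emulator role.
function Set-DomainTimeSource {
    param(
        # External time sources for the PDC Emulator, space separated as w32tm expects.
        # Placeholder value from the post; replace with your real NTP sources.
        [string]$PeerList = 'time.domain.com time1.domain.com',
        # Show the command that would run instead of running it.
        [switch]$DryRun
    )
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNc = $rootDse.defaultNamingContext.Value
    # fSMORoleOwner on the domain head is the NTDS Settings DN of the PDC Emulator;
    # dsServiceName on RootDSE is the NTDS Settings DN of the DC we are running on.
    $pdcOwner = ([ADSI]"LDAP://$domainNc").fSMORoleOwner.Value
    $thisDc   = $rootDse.dsServiceName.Value
    $isPdc    = ($pdcOwner -eq $thisDc)   # -eq is case-insensitive, as DN comparison should be

    if ($isPdc) {
        # Step 1: the PDC Emulator syncs from the manual peer list and advertises as reliable.
        $w32tmArgs = @('/config', "/manualpeerlist:$PeerList", '/syncfromflags:manual', '/reliable:yes', '/update')
    } else {
        # Steps 2-3: every other DC follows the domain hierarchy and is not a reliable source.
        $w32tmArgs = @('/config', '/syncfromflags:domhier', '/reliable:no', '/update')
    }
    $plan = "[$thisDc] PDC Emulator: $isPdc -> w32tm $($w32tmArgs -join ' ')"
    if ($DryRun) { return $plan }

    # PowerShell quotes the argument containing spaces, so the peer list reaches w32tm intact.
    & w32tm $w32tmArgs | Out-Host
    & net stop w32time | Out-Host
    & net start w32time | Out-Host
    return $plan
}

# First see what would be applied on this DC, then run again without -DryRun.
Set-DomainTimeSource -DryRun
```

Afterwards, the post's w32tm /dumpreg /subkey:parameters command is still the quickest way to confirm that Type is NTP only on the PDC Emulator and NT5DS everywhere else.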


Enabling and Disabling Active Directory Replication

Posted by Prashanth P on November 2, 2011


You want to enable or disable inbound or outbound replication on a domain controller?

Using a command-line interface

To disable outbound replication on a domain controller, enter the following:

c:\> repadmin /options +DISABLE_OUTBOUND_REPL

To re-enable outbound replication, enter the following (the leading minus sign clears the option):

c:\> repadmin /options -DISABLE_OUTBOUND_REPL

To disable inbound replication, enter the following:

c:\> repadmin /options +DISABLE_INBOUND_REPL

To re-enable inbound replication, enter the following:

c:\> repadmin /options -DISABLE_INBOUND_REPL

When is enabling and disabling replication required?

When you are making major changes to Active Directory, particularly in cases where you are extending the schema, it is recommended that you disable outbound replication on the DC that you’re modifying. This will allow you to test any changes that you’ve made on a single DC without propagating those changes to the remainder of your directory. If you make a mistake or find that the changes you’ve made are otherwise unacceptable, you can restore a single DC rather than being faced with the prospect of performing a disaster recovery operation on your entire domain.

It’s important to note that disabling outbound replication on a domain controller will not have any effect on inbound replication; the DC will still receive updates from its other replication partners unless you disable inbound replication on them as well.

In a worst-case scenario, you can disable replication for an entire forest by issuing the following command:

c:\> repadmin /options * +DISABLE_INBOUND_REPL


For Active Directory Administrators – Monitoring Replication Status (Daily)

Posted by Prashanth P on October 23, 2011


Execute the following Repadmin commands, or put them in a .bat file and schedule it to run daily:

c:\>Repadmin /replsummary /bysrc /bydst /sort:delta >"replication summary.txt"

c:\>Repadmin /showrepl * /csv /errorsonly >showrepl.csv

Note: It is better to run the above commands with Enterprise Admin credentials.
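A daily showrepl.csv is only useful if someone reads it, so here is an added PowerShell example (not code from the original post) that parses the CSV produced by repadmin /showrepl * /csv and reports partner links that are failing or stale. It goes beyond the post's /errorsonly run in that it also flags links whose last successful replication is older than a threshold, which /errorsonly does not show. The sample rows below are constructed, and the column names and the yyyy-MM-dd HH:mm:ss timestamp format are assumptions about the real repadmin output; adjust them if your build prints them differently.

```powershell
# Added example (not from the original post): parse repadmin /showrepl CSV output and
# return one record per replication link that has failures or is stale.
function Get-ReplicationProblems {
    param(
        [Parameter(Mandatory = $true)][string]$CsvText,
        [datetime]$Now = (Get-Date),
        [int]$StaleHours = 24
    )
    $culture  = [System.Globalization.CultureInfo]::InvariantCulture
    $problems = @()
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        $failures = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$failures)

        # Assumed timestamp format; anything else (e.g. "0" or "(never)") counts as no success.
        $lastOk = $null
        if ($row.'Last Success Time' -match '^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$') {
            $lastOk = [datetime]::ParseExact($row.'Last Success Time', 'yyyy-MM-dd HH:mm:ss', $culture)
        }

        $reasons = @()
        if ($failures -gt 0) {
            $reasons += "$failures consecutive failure(s), last status $($row.'Last Failure Status')"
        }
        if ($null -eq $lastOk) {
            $reasons += 'never replicated successfully'
        } elseif (($Now - $lastOk).TotalHours -gt $StaleHours) {
            $reasons += "last success $lastOk is older than $StaleHours h"
        }
        if ($reasons.Count -eq 0) { continue }

        $problems += New-Object PSObject -Property @{
            Destination   = $row.'Destination DSA'
            Source        = $row.'Source DSA'
            NamingContext = $row.'Naming Context'
            Reason        = ($reasons -join '; ')
        }
    }
    return $problems
}

# Constructed sample in the shape of repadmin's CSV output (header plus three rows).
$sampleCsv = @'
"showrepl_COLUMNS","Destination DSA Site","Destination DSA","Naming Context","Source DSA Site","Source DSA","Transport Type","Number of Failures","Last Failure Time","Last Success Time","Last Failure Status"
"showrepl_INFO","HQ","DC01","DC=contoso,DC=com","HQ","DC02","RPC","0","0","2011-10-23 01:55:10","0"
"showrepl_INFO","HQ","DC01","DC=contoso,DC=com","Branch","DC03","RPC","4","2011-10-23 02:10:00","2011-10-19 23:40:02","1722"
"showrepl_INFO","Branch","DC03","CN=Configuration,DC=contoso,DC=com","HQ","DC01","RPC","0","0","2011-10-15 08:00:00","0"
'@

# Fixed "now" so the constructed sample gives a repeatable result: DC01<-DC03 fails and is stale,
# DC03<-DC01 has no failures but has not succeeded for eight days, DC01<-DC02 is healthy.
$asOf = [datetime]::ParseExact('2011-10-23 06:00:00', 'yyyy-MM-dd HH:mm:ss', [System.Globalization.CultureInfo]::InvariantCulture)
Get-ReplicationProblems -CsvText $sampleCsv -Now $asOf | Format-Table Destination, Source, NamingContext, Reason -AutoSize
```

For the scheduled run, replace $sampleCsv with Get-Content showrepl.csv -Raw and drop -Now so the current time is used; a link that keeps appearing with the same Last Failure Status is the one to look at first.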


How to raise Active Directory domain and forest functional levels

Posted by Prashanth P on October 22, 2011


Microsoft's detailed article on how to raise the Active Directory domain and forest functional levels:

http://support.microsoft.com/kb/322692


Schema Upgrade from Windows Server 2003 to Windows Server 2008 R2 Testing Plan in ISONet Network

Posted by Prashanth P on October 19, 2011


Schema upgrade from Windows Server 2003 to Windows Server 2008 R2 for testing purposes in the ISONet network. Here we only perform schema preparation, domain preparation and Group Policy preparation for Windows Server 2008 R2 (read-only domain controller preparation will be done later, during the upgrade to Windows Server 2008 R2).

Requirements

1. Replica of the Active Directory Forest in ISONet Network.  

2. If you have multiple Domains in the Forest, we need at least one Domain Controller from each Domain in ISONet Network (better if we have 2 Domain Controllers from Root of the Forest). 

3. Full Successful Tested Backup of Active Directory Forest with all the Domains.  

4. Windows Server 2008 R2 Media (ADPREP.exe from Windows Server 2008 R2).  

5. Windows Server 2003 Support Tools for testing the Schema preparation, Domain preparation and Group Policy preparation.  

6. If the Domain Controller is Windows Server 2000 then it should have SP4 Installed.  

7. We can prepare the schema using ADPREP.exe (on 64-bit Domain Controllers) or ADPREP32.exe (on 32-bit Domain Controllers), but Windows Server 2008 R2 itself only supports the x64 platform.

8. The domain functional level should be Windows 2000 native or higher to prepare the domain using ADPREP.exe, and the forest functional level should be Windows Server 2003 or higher to promote an RODC.

9. Credentials must be set properly for executing ADPREP.exe, as per the table below.

Adprep.exe command           Credentials required to run the command
adprep /forestprep           Schema Admins, Enterprise Admins, and Domain Admins of the domain that hosts the schema master
adprep /domainprep           Domain Admins
adprep /domainprep /gpprep   Domain Admins
adprep /rodcprep             Enterprise Admins

10. ADPREP.exe execution order, as per the table below.

Command: adprep /forestprep
  Domain controller: Must be run on the schema operations master for the forest.
  Number of times to run the command: Once for the entire forest.

Command: adprep /domainprep
  Domain controller: Must be run on the infrastructure operations master for the domain.
  Number of times to run the command: Once in each domain where you plan to install an additional domain controller that runs a later version of Windows Server than the latest version that is running in the domain.

Command: adprep /domainprep /gpprep
  Domain controller: Must be run on the infrastructure operations master for the domain. If you already ran the /gpprep parameter for Windows Server 2003, you do not have to run it again for Windows Server 2008 or Windows Server 2008 R2.
  Number of times to run the command: Once in each domain within the forest.

Command: adprep /rodcprep
  Domain controller: Can be run from any computer. This command performs operations remotely. For the operations to complete successfully, the domain naming operations master for the forest and the infrastructure operations master for each application directory partition and each domain partition must be accessible. If you already ran this command for Windows Server 2008, you do not have to run it again for Windows Server 2008 R2.
  Number of times to run the command: Once for the entire forest.

 

Plan for Schema Upgrade

1. Forest Replica to be ready with at least two Domain Controllers from Root of the Forest and one Domain Controller from each Domain.  

2. Assign the FSMO roles properly to the Domain Controllers in each domain (forest-wide roles on one Domain Controller and domain-wide roles on one Domain Controller in the root of the forest).

Using Ntdsutil.exe, DSA.msc, Domain.msc and the Active Directory Schema MMC.

3. Verifying the Forest and Domain Functional Levels. 

Using Domain.msc or Replmon.exe  

4. Verifying the FSMO Roles for the Domain Controllers. 

Using command “Netdom query fsmo” or Replmon.exe  

5. Backing up Active Directory  

Using Ntbackup or Third party backup tools. 

6. Checking the entire Forest Replication Status  

Using Repadmin.exe or Replmon.exe  

7. Running ADPREP /Forestprep 

a. Now we are ready to prepare the forest. This procedure takes a while depending on the speed of your computer, so do not interrupt it. Insert your Windows Server 2008 DVD into the DVD drive on the schema master.

b. Open a command prompt.   

c. Change your drive letter to the DVD drive. If you do not have a DVD drive on your schema master you can copy the Sources\Adprep folder to your local drive and run it from the copy.   

d. Change into the Sources\Adprep directory.   

e. Run ADPREP /forestprep.  

f. You will get a warning that you need to be running Windows 2000 SP4 or later.   

g. Type C and press Enter.   

h. You will see a series of updates from LDF files.   

i. If all goes well, you will see ADPREP successfully updated the forest-wide information. 

8. Verifying that adprep /forestprep completed successfully

When the adprep /forestprep command completes, a message appears in the Command Prompt window to indicate that Adprep has successfully updated the forest-wide information. We can also use the following procedure to verify that adprep /forestprep completed successfully.

To verify that adprep /forestprep completed successfully  

a. Log on to an administrative workstation that has ADSIEdit installed.  

b. Click Start, click Run, type ADSIEdit.msc, and then click OK.   

c. Click Action, and then click Connect to.  

d. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.  

e. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain, where forest_root_domain is the distinguished name of your forest root domain.

f. Double-click CN=ForestUpdates. 

g. Right-click CN=ActiveDirectoryUpdate, and then click Properties.  

h. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK.

i. Click ADSI Edit, click Action, and then click Connect to. 

j. Click Select a Well known naming context, select Schema in the list of available naming contexts, and then click OK.  

k. Double-click Schema.

l. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties, where forest_root_domain is the distinguished name of your forest root domain.

m. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value is set to 47, and then click OK.

9. Running ADPREP /domainprep /gpprep 

a. Insert the Windows Server 2008 DVD.  

b. Open a command prompt.   

c. Change your drive letter to the DVD drive. 

d. Change your directory to Sources\Adprep.   

e. Run ADPREP /domainprep /gpprep.   

10. Verifying adprep /domainprep /gpprep  

When we run adprep /domainprep /gpprep we see a message that indicates that adprep /domainprep successfully updated the domain-wide information, followed by a message that indicates that Adprep successfully updated the GPO information.  

To verify that adprep /domainprep completed successfully  

a. Log on to an administrative workstation that has ADSIEdit installed.   

b. Click Start, click Run, type ADSIEdit.msc, and then click OK.   

c. Click Action, and then click Connect to.  

d. Click Select a well known Naming Context, select Default naming context in the list of available naming contexts, and then click OK. 

e. Double-click Default naming context, double-click the container that is the distinguished name of the domain, and then double-click CN=System.

f. Double-click CN=DomainUpdates, right-click CN=ActiveDirectoryUpdate, and then click Properties. 

g. If you ran adprep /domainprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK. 

To verify that adprep /gpprep completed successfully  

We can verify that the operation added the Read permission for the Enterprise Domain Controllers group on all GPOs.
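The ADSIEdit checks in steps 8 and 10 (forest Revision 5, schema objectVersion 47, domain Revision 5 for Windows Server 2008 R2) can be read programmatically so they can be repeated after every adprep run and in every domain of the replica. The following PowerShell is an added example, not code from the original post or from Microsoft: it binds to the same three objects the post opens in ADSIEdit and compares their values with the expected ones. It assumes it runs on a domain-joined machine with LDAP access to a DC of the domain being checked; an object that does not exist yet (adprep not run) is reported as 0.

```powershell
# Added example (not from the original post): read the adprep markers the post checks by hand.
function Get-AdsiInt {
    # Returns an integer attribute of an LDAP object, or 0 if the object or attribute is missing.
    param([string]$Path, [string]$Attribute)
    try { return [int](([ADSI]$Path).$Attribute.Value) } catch { return 0 }
}

function Test-AdprepState {
    param(
        # Expected values for Windows Server 2008 R2, as given in the post.
        [int]$ExpectedForestRevision = 5,
        [int]$ExpectedSchemaVersion  = 47,
        [int]$ExpectedDomainRevision = 5
    )
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext.Value
    $schemaNc = $rootDse.schemaNamingContext.Value
    $domainNc = $rootDse.defaultNamingContext.Value

    # Same objects as steps 8e-8m (forest/schema) and 10e-10g (domain).
    $forestRev = Get-AdsiInt "LDAP://CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc" 'revision'
    $schemaVer = Get-AdsiInt "LDAP://$schemaNc" 'objectVersion'
    $domainRev = Get-AdsiInt "LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNc" 'revision'

    # -ge rather than -eq so a forest already prepared for a later release still passes.
    New-Object PSObject -Property @{
        Domain              = $domainNc
        ForestPrepRevision  = $forestRev
        ForestPrepDone      = ($forestRev -ge $ExpectedForestRevision)
        SchemaObjectVersion = $schemaVer
        SchemaPrepDone      = ($schemaVer -ge $ExpectedSchemaVersion)
        DomainPrepRevision  = $domainRev
        DomainPrepDone      = ($domainRev -ge $ExpectedDomainRevision)
    }
}

Test-AdprepState | Format-List
```

Run it once per domain in the replica (each domain has its own CN=DomainUpdates marker, while the forest and schema values are shared) and keep the output with the backup, so that a later rollback test can be compared against it.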

Running adprep /rodcprep

Running the adprep /rodcprep command is optional. It is required only if you want to install an RODC in the forest. This command can be executed later, once we decide to go for an RODC in the forest/domain, and it requires the forest functional level to be Windows Server 2003 or higher at the time of RODC promotion. This command updates the security descriptors for application directory partitions to give RODCs permission to replicate updates to the partitions. Each application directory partition has an infrastructure master. The adprep /rodcprep command must update the security descriptor for each application directory partition on the infrastructure master for that partition.

There are two application directory partitions that are created by default for Domain Name System (DNS) data: DomainDNSZones and ForestDNSZones. If the infrastructure master for either of these partitions is offline or if it has been forcefully removed from the forest, adprep /rodcprep fails with an error. In addition, this command must contact the domain naming operations master to obtain a list of the application and domain directory partitions that are in the forest. Therefore, the domain naming master must be accessible when you run this command.

Conclusion

Once the verifications listed above under “Plan for Schema Upgrade” are met, the schema upgrade is successful. If there are errors, we have to find the solutions to fix them and repeat the schema upgrade steps; in case of an issue with the schema upgrade, we can also test a rollback using the backup.
