Active Directory is the cornerstone of many networking environments. Active Directory Domain Controllers offer the means to authenticate, authorize and account for actions by employees, colleagues and guests. The availability of these Windows Servers is crucial for them to log on and gain access to resources.
Therefore, as a best practice, Microsoft recommends monitoring them closely. There are many monitoring solutions out there, but Microsoft's own System Center 2012 R2 – Operations Manager (OpsMgr) is the one recommended, of course.
Alas, when you use System Center 2012 R2 – Operations Manager (OpsMgr) to monitor Windows Server 2012 R2-based Active Directory Domain Controllers through the Microsoft Monitoring Agent (MMA) 2012 R2, you receive a lot of heartbeat failure alerts. Visually, these Domain Controllers are greyed out in the OpsMgr console.
You do not experience heartbeat failure alerts on Windows Server 2008 R2-based or Windows Server 2012-based Active Directory Domain Controllers, when you monitor them with System Center 2012 R2 – Operations Manager.
You do not experience heartbeat failure alerts on Windows Server 2012 R2-based machines, prior to Domain Controller configuration.
When you experience this situation, the Agent Service will still be running on the Windows Server 2012 R2-based Domain Controllers, but it will have stopped responding and/or sending heartbeats.
Apparently, the cause is a bug in the Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2 Operating Systems. The issue is outlined in Microsoft KnowledgeBase Article 2923126.
A search path is constructed for non-static dependencies of a module on the Windows Server 2012 R2-based Domain Controllers. When the module is loaded, the search path flags are passed to the LoadLibrary function. However, when the LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR flag is set, the module search path is initialized to null. If the original module is loaded by using the LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR flag, this null field is dereferenced when the search path is constructed. Therefore, the Monitoring Agent crashes.
A hotfix is available for this issue and is currently being redistributed through the Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: February 2014.
I recommend installing the Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: February 2014 on Windows Server 2012 R2-based Domain Controllers.
The Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: February 2014 is an optional update. Make sure to select it from the list of available optional updates to install it.
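As an added example (this is not code from the original post, nor from Microsoft), the Windows PowerShell snippet below lists the Windows Server 2012 R2-based Domain Controllers in the domain, reports the state of the Microsoft Monitoring Agent service (service name HealthService) on each of them, and checks whether a given update is installed. It assumes the ActiveDirectory module is available, that the cmdlets are run with an account that can query the Domain Controllers remotely, and that you replace the placeholder KB identifier with the KB number of the February 2014 update rollup, which this post does not list. Since the agent keeps running after it has stopped heartbeating, the service status alone does not reveal the problem; the update check is the part that tells you whether a Domain Controller is still exposed.

```powershell
# Added example, not part of the original post.
# Inventory Windows Server 2012 R2 Domain Controllers, check the Microsoft
# Monitoring Agent service and whether the update rollup is installed.
Import-Module ActiveDirectory

function Test-DcMonitoringAgent {
    param(
        # Placeholder: replace with the KB id of the update rollup you install.
        [string]$RollupKbId = 'KB0000000'
    )
    # Only Windows Server 2012 R2 Domain Controllers are affected by the issue.
    $dcs = Get-ADDomainController -Filter { OperatingSystem -like "*2012 R2*" }
    foreach ($dc in $dcs) {
        # The agent service keeps reporting 'Running' even when it no longer heartbeats.
        $svc = Get-Service -ComputerName $dc.HostName -Name HealthService -ErrorAction SilentlyContinue
        $status = if ($svc) { [string]$svc.Status } else { 'not found' }
        # Get-HotFix returns nothing when the update is not installed.
        $fix = Get-HotFix -ComputerName $dc.HostName -Id $RollupKbId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc.HostName
            OperatingSystem  = $dc.OperatingSystem
            AgentService     = $status
            RollupInstalled  = [bool]$fix
        }
    }
}

# Domain Controllers with RollupInstalled = False still need the February 2014 rollup.
Test-DcMonitoringAgent -RollupKbId 'KB0000000' | Format-Table -AutoSize
```

Get-Service -ComputerName and Get-HotFix -ComputerName use the classic remote service and WMI interfaces rather than PowerShell remoting, so they work against a Windows Server 2012 R2 Domain Controller from any Windows PowerShell console with the ActiveDirectory module installed.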
Agents on Windows 2012 R2 Domain Controllers can stop responding or heart-beating
Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: February 2014
Application crashes when the search path is constructed for non-static dependencies of the module in Windows 8.1
A couple of years back, I organized a couple of trips to the CeBIT fair in Hannover, Germany for my company. It was great to see all the new technologies on display and talk strategy with many of the industry's biggest companies and countries.
This year, to my great pleasure, I’m back at CeBIT Hannover.
A few years back, the big plan was to spend the Saturday and Sunday with sixty-odd colleagues at the fair. We would leave from Delft at 5 AM, spend a couple of hours on a bus and then spend the rest of the opening hours at the fair. For dinner we would eat schnitzels and drink 1-liter beers at the Münchner Halle at the Hannover fair grounds.
A couple of nights' rest at a hotel nearby would recharge the batteries for another full day at the fair. At around 5 PM we would ride back. This has been our rather successful playbook for four company visits to CeBIT Hannover, 2005 through 2008.
Putting sixty people in a bus didn't sound like a good plan in the current economic situation, so for this year, I opted to go with four colleagues. Since CeBIT Hannover no longer spans the weekend, we're visiting on Wednesday March 12th, 2014. On our way back we're staying at the Best Western Premier Parkhotel Kronsberg, conveniently located an hour's drive in the direction of home.
If you have a stand at CeBIT Hannover or are visiting CeBIT Hannover on Wednesday March 12th, 2014 and would like to chat, just contact me.
Earlier today, Raymond and I presented a slightly modified version of our Bring Your Own Device (BYOD) Show to High School students at the Graafschap College in Doetinchem, the Netherlands.
Since we had a blast presenting this topic to the fifty High School students present at the session, and got some great responses on a topic that is nowhere to be found in their school books, I wanted to share the pictures that were taken that day with you on my blog.
Raymond and I would like to thank Ronald Wassink and Arnold Maatman of the Graafschap College for this opportunity.
Throughout the past six months, Raymond Comvalius and I have delivered a couple of editions of our Bring-Your-Own Show. We delivered it at my employer, at the Dutch Networking User Group, at Experts Live 2013 and at the 2014 Nordic Infrastructure Conference.
Last week, I was approached by a High School teacher to come and deliver two 1-hour sessions at a local High School.
About our BYO Show
During these two hours, Raymond Comvalius (Windows IT Pro MVP) and I will be sharing our thoughts on Bring Your Own Device (BYOD) Essentials with Windows technologies. We’ll be focusing on the new BYO and Identity capabilities found in Windows 8.1 and Windows Server 2012 R2. As part of the session, Raymond and I will convince the students on the practical use cases of claims-based authentication, multi-factor authentication, the web application proxy, workplace join and work folders. We’ll show them how to open the network infrastructure up to the outside world, but, at the same time, still remain in control.
About the High School
We were invited by Ronald Wassink and Arnold Maatman, the two teachers for the MBO Level 4 ICT Management Year 3 curriculum at the Graafschap College in Doetinchem, the Netherlands.
Personally, I feel honored to contribute to making the education of these ICT Professionals-to-be more future proof by telling them about Bring-Your-Own technologies. Their textbooks don't contain this information yet, so I feel getting it presented to them by two passionate Microsoft MVPs is the best they could wish for.
I will be speaking at NGN's and NGI's shared BYO Event
I’ll be speaking at Experts Live 2013
I will be speaking at NIC 2014
Sometimes, when you work somewhere, you just want to let everyone know what a great place it is to work. I guess you know the feeling, or at least know of a company where you might get that feeling…
Next week, I get a renewed opportunity to tell people how much fun it is to work at OGD and how they help me to be the best I can be, both in my professional career, and as a father and husband.
About the Delftse Bedrijvendagen
The Delftse Bedrijvendagen is an annual event for students to kick start their careers. It consists of various activities that mark the start of the professional careers of the 2200 students attending this year.
The two ‘presentation days’ are an integral part of the event. During these days, employers have the opportunity to entice soon-to-be Bachelors of Science (BSc) and Masters of Science (MSc) at the Delft University of Technology to come work for them.
The presentation days are hosted at the Aula building of the Delft University of Technology on Tuesday February 18th, 2014 and Wednesday February 19th, 2014.
About my presentation
On February 19th, 2014, my employer has a nice presentation slot, between 1:30 PM and 2:10 PM. My presentation is part of this 40-minute time slot.
First, our CEO, Roel Nikkessen, will give a broad overview of the company and its 26 years of history. Next, I’ll be sharing my view on our core values and how these translate in the current way we work. Of course, I’ll be sharing the way I found my niche within the organization, how I started with blogging and speaking and how these two factors continue to shape my career and the future of OGD.
My part of the presentation is likely to be similar to the presentation I provided at the Dutch Career Event (March 2011). Luckily I’ll be able to slightly update it, since I advanced my career somewhat since then.
Sometimes, when opportunity comes knocking, it’s best to open the door and embrace the person standing in front of you. That’s exactly what I did, when Christian van Woerkom, an Audience Manager from Microsoft Netherlands, called me and asked me if I wanted to organize a Dutch stop for the worldwide CloudOS MVP Roadshow.
About the CloudOS
The CloudOS is Microsoft's vision on efficient, agile, valuable IT for the modern age. It's a platform approach, allowing organizations to embrace trends like Bring-Your-Own, Big Data and the Cloud.
Under the hood it features Windows Server 2012 R2, System Center 2012 R2, Windows Azure, SQL Server 2012 R2 and modern apps built with Visual Studio 2013.
You can read more on microsoft.com/cloudOS.
About the CloudOS MVP Roadshow
Who better to explain this vision than Microsoft Most Valuable Professionals (MVPs)?
In contrast to Microsoft employees, Microsoft MVPs are involved in real-world implementations of the above products and technologies and have the space and time to form their own opinion outside of ‘the Microsoft bubble’.
Microsoft MVPs around the world organize events under the CloudOS MVP Roadshow moniker to tell you why they are passionate about the new technologies and products, how Microsoft envisions you can use them and how they and their organizations actually use them.
Together with Christian van Woerkom, I'm responsible for this event. Together, we've created the schedule, contacted the speakers, made sure the speakers are able to prepare their sessions, translated the marketing materials, announced the event, overseen the registration, and covered the budget. (Actually, Christian took care of that last item completely.)
Dutch CloudOS MVP Roadshow
We’re organizing the Dutch CloudOS MVP Roadshow on March 7, 2014 at the Auditorium at Microsoft Netherlands in Schiphol, the Netherlands.
We’re starting off with an introduction by Isabel Moll, the Product Marketing Manager Datacenter and Cloud for Microsoft Netherlands. The schedule contains eight sessions by six MVPs:
08h30 – 09h00 Walk-in
09h00 – 09h15 Introduction to the CloudOS (Isabel Moll)
09h15 – 10h00 Extend your datacenter with virtualization and networking (Marc van Eijk)
10h00 – 10h45 Ensure business continuity and service delivery (James van den Berg)
10h45 – 11h00 Coffee break
11h00 – 11h45 Unlocking Data Insights (André Kamman)
11h45 – 12h30 The Modern Data Warehouse (André Kamman)
12h30 – 13h15 Lunch break
13h15 – 14h00 Access and information Protection (Raymond Comvalius)
14h00 – 14h45 Unified Device Management (Maarten Goet)
14h45 – 15h00 Coffee break
15h00 – 15h45 Enable modern business apps (Tom Verhoeff)
15h45 – 16h30 Why cloud matters for modern business applications (Tom Verhoeff)
16h30 – 17h00 Wrap-up & Drinks
Although the slide decks will be in English, all sessions will be delivered in Dutch.
This event is aimed at IT Managers and Technical Decision Makers (TDMs) at organizations with 100 to 350 seats.
You can find out more on this event and, of course, register for this event at aka.ms/MVPCloudOSNL.
I hope to see you there!
Last night, during Super Bowl XLVIII, a version of Windows 8.1 Update 1 was, inadvertently, released to the web. While this release focuses on the integration between Windows Phone and Windows for the desktop, laptop and tablet, it also features a slew of User Interface (UI) improvements for those still on the fence about The New Interface (previously referred to as ‘Metro’).
The information and screenshots below are part of build 9600.16596 as installed with the 9600.16596.WINBLUES14_GDR_LEAN.140114-0237_X64FRE_CLIENT_EN-US-IR3_CCSA_X64FRE_EN-US_DV5.iso media. By no means do they imply the implementation or inclusion of these features in the final release of Windows 8.1 Update 1.
I’ve had some time to look into this build on non-touchscreen enabled devices.
Here’s my view on it:
Start Screen improvements
A lot of people I talk to are still on the fence about The New Interface and its Start Screen, introduced with Windows 8. Most of these people use devices without a touchscreen. Windows 8.1 introduced a couple of tweaks that might help IT departments with user adoption of their deployments, but inefficiencies obviously remained.
So, let’s look at the Start Screen in Windows 8.1 Update 1:
Windows 8.1 Update 1 offers four Start Screen improvements for point and click aficionados. Two of these changes are visible right off the bat:
- Shutdown icon on the Start Screen
When you left-click the Shutdown icon in the top right corner of the Start Screen, a context menu appears with two options: Shut Down and Restart. When you right-click it, nothing happens.
- Search icon on the Start Screen
When you left-click the Search icon in the top right corner of the Start Screen, the Search menu appears, just like when you start typing on the Start Screen, when you press Win + S or when you open the Charms Bar and select Search from it.
The third and fourth improvements only become available after you right-click on the Start Screen. When you right-click, instead of showing the App bar at the bottom of the Start Screen, which you needed to reach with your mouse each time, you are now presented with a context menu:
While the majority of the options in the context menu were available in Windows 8 and Windows 8.1, the Pin to taskbar and Unpin from taskbar are new to Modern Apps.
The Windows Store App was pinned to the Desktop Taskbar, by default.
When you select multiple apps, the Clear selection option is also available from the context menu. It seems the App bar for the Start Screen is gone in Windows 8.1 Update 1.
Modern App improvements
Throughout The New Interface, the Windows team also made some tweaks. For every Modern App, there’s now a Title bar, displaying the apps icon, its title and a close button when you move your mouse pointer towards the top of the Modern App:
You can pick the app up by its Title bar and snap it (like in the above screenshot). When you pull it down or when you click the x in the top right corner, the app closes as it would in Windows 8.1.
As with Windows 8.1, the close button does not end the app, but merely closes it. It still shows in the Task Manager. It will not show up when you use Alt + Tab to switch between apps, though.
As we’ve already seen in the Start Screen improvements, you can now pin Modern Apps to the taskbar on the Desktop. By default, the Store App is pinned to the taskbar:
You can pin and unpin Modern Apps to the Desktop Taskbar through the Start Screen, and you can unpin them when you're on the Desktop by right-clicking them. This feature blurs the line between The New Interface and the Desktop. I think, as a desktop guy or girl, you'll love this, since it helps you start an App without going through the Start Screen first.
Rumors on Microsoft adding the Control Panel link to the Desktop Settings in the Charm bar, however, are a bit strange. The Control Panel link is already present in Windows 8.1 with the same functionality (linking to the desktop-style Control Panel). You don’t need Update 1 for that…
Looking at Internet Explorer, we see an updated version (11.0.3) in the About Internet Explorer screen, whereas a fully updated Windows 8.1 installation would display version 11.0.2. Internet Explorer in Windows 8.1 Update 1 is rumored to have an Enterprise Mode, but besides information from Rafael Rivera and Russian website pcportal.org.ru, not much is available on this.
The Control Panel in The New Interface has also seen a few new additions, including a nice feature, for me personally as a Directory Services MVP: You can now join the device to an Active Directory Domain through The New Interface Control Panel:
To use this feature, start the Charms Bar by swiping into the screen from the right, by moving the mouse in the top right corner of the screen and then down, or by pressing Win + C. From the Charms Bar, select Settings and then Change PC Settings. In the left pane, select PC and Devices and then PC Info. The button to Join a domain is new.
Windows 8.1 Update 1 doesn't make Modern Apps on non-touch-enabled devices as intuitive (and windowable) as Desktop Apps, but the Windows team is moving towards ‘fixing’ the issues desktop users have with the Start Screen and Modern Apps.
Microsoft forges ahead toward Windows 8.1 Update 1
No news about Windows 9
Leaked Windows 8.1 Update 1 screen shots point to more tweaks to aid desktop users
Windows 8.1 Update 1 due March 11th?
Microsoft's Windows 8.1 Update 1: Rumored release target is March 11
Windows 8.1 Update 1 reportedly arriving in March
Need to Know: Windows 8.1 Update 1 and Windows Phone 8.1
Microsoft to hide Metro start screen with Windows 8.1 Update 1?
Windows 8.1 Update 1 leaks on the web ahead of its March release
Coming soon: Internet Explorer Enterprise Mode
Internet Explorer in Windows 8.1 Update 1 will get an "Enterprise Mode"
There are many organizations with the ‘VMUG’ initials. I’ve presented sessions to the UK VMUG, which stands for Virtual Machine User Group.
In the Netherlands, VMUG stands for VMware User Group. This organization hosts its annual meeting on March 6th, 2014 in Den Bosch and I will be there too, to present a session.
About NL VMUG
The Dutch VMware User Group (NL VMUG) is governed by the VMUG Customer Council and is officially associated with VMware User Group International (vmug.com).
NL VMUG supports and inspires the VMware community in the Netherlands, through regular meetings with the opportunities to share best practices and experiences.
About the 2014 NL VMUG Event
On March 6th, 2014, NL VMUG organizes its annual meeting at Conference center 1931 in Den Bosch, the Netherlands. During the meeting you may benefit from presentations, workshops, bootcamps, lunch and drinks (afterwards).
The entrance fee is set at 49,00 (excluding 21% VAT), but if that doesn't hold you back, and you're a VMware customer or VMware partner, then please register here (Dutch).
About my session
My session, titled ‘Virtualization-safe Active Directory & VM-GenerationID’ is a 45-minute session on Active Directory Domain Services in Windows Server 2012 and Windows Server 2012 R2. Specifically, I will be explaining and demoing the way Active Directory Domain Services leverage Virtual Machine Generation Identifier in VMware vSphere to prevent problems commonly associated with reverting snapshots, like USN Rollbacks and Lingering Objects, and how organizations benefit when deploying Windows Server 2012 and Windows Server 2012 R2-based Domain Controllers virtually.
My session is planned for the last timeslot of the event, between 4:45 PM and 5:30 PM.
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory
New features in AD DS in Windows Server 2012, Part 13: Domain Controller Cloning
In Windows Server 2012, Microsoft introduced the new streamlined Active Directory Domain Services Configuration Wizard, that in most Microsoft documentation is labeled the successor to dcpromo.exe. I’m a big fan of the new wizard, but there’s one feature I don’t use: the automatic Active Directory preparation steps it can perform for you to update the schema to accommodate new Domain Controllers. I still use adprep.exe.
It has a default time-out
One of my biggest gripes with the automatic preparation feature is the way it checks whether it can continue to promote the server to a Domain Controller. For this, the Active Directory preparation needs to be replicated throughout the Active Directory domain. If you use time restrictions on Active Directory replication or a lag site in the domain, the replication of the schema updates takes longer to complete than the wizard expects, and it will time out.
When you reach this time out, you will need to prepare the Active Directory domain manually.
It doesn’t support strict delegation
Preparing the Active Directory domain and Active Directory forest requires specific administrative privileges. In environments with decentralized management, these administrative privileges may be assigned to different people.
This way, an administrator in a domain has control over the Active Directory capabilities defined by the Domain Functional Level (DFL) and over the Domain Controllers (s)he is able to deploy and maintain.
Deploying Windows Server 2012 Domain Controllers requires the Windows Server 2003 Domain Functional Level.
Arguably, the delegated administrator doesn't have much say in this anyway: the Active Directory schema is maintained centrally, so that is the one place where it is managed.
When the administrative privileges have been separated, a Domain Admin in a domain cannot use the automatic Active Directory preparation feature in the Active Directory Domain Services Configuration Wizard, because (s)he doesn't have the privileges to perform a forest-wide preparation.
It doesn’t perform all preparations
As detailed in KnowledgeBase article 2737129, the automatic preparation feature does not perform the Group Policy Preparation step. This is to prevent needless resets of administrator-set specific delegation permissions on the System Volume (SYSVOL).
When you need the Active Directory environment prepared for cross domain planning functionality for Group Policy and RSOP Planning Mode, you will need to prepare the Active Directory domain manually, but only if your Active Directory domain has ever run on Windows 2000 Server-based Domain Controllers.
Not every promotion method works
There are three methods to promote a server to a Domain Controller after installation:
- The Active Directory Domain Services Configuration Wizard
- The Install-ADDSDomainController Windows PowerShell Cmdlet
- Dcpromo.exe with an answer file.
First off, the Active Directory Domain Services Configuration Wizard is only available on ‘Server with a GUI’ installations. On Server Core installations, only the latter two methods to promote a server to a Domain Controller are available.
When you choose dcpromo.exe with an answer file to promote a server to a Domain Controller, you'll find yourself confronted with the following error:
To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep /forestprep". The Adprep utility is available on the Windows Server 2012 installation media in the \support\adprep folder.
Using the Install-ADDSDomainController Windows PowerShell Cmdlet, however, will trigger the automatic Active Directory preparation.
The Install-ADDSDomainController Windows PowerShell Cmdlet is only available after you install the Active Directory Domain Services Server Role, since it’s part of the ADDSDeployment module.
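Whether you run adprep.exe yourself or let Install-ADDSDomainController prepare the forest and domain, the promotion only succeeds once those changes have replicated to the Domain Controllers involved, which is exactly where the wizard's time-out bites in environments with replication schedules or lag sites. As an added example (not code from the original post), the Windows PowerShell functions below read the three markers that adprep leaves behind (the objectVersion of the schema partition, the revision of the forestprep marker object under CN=ForestUpdates in the configuration partition, and the revision of the domainprep marker object under CN=DomainUpdates,CN=System in each domain) from every Domain Controller in the forest and report which ones have not caught up with the Schema Master yet. It assumes the ActiveDirectory module and an account that can read those objects, and that every Domain Controller it queries runs Active Directory Web Services (Windows Server 2008 R2 or later, or the Active Directory Management Gateway Service on older Domain Controllers).

```powershell
# Added example, not part of the original post.
# Verify that adprep's schema, forestprep and domainprep changes have
# replicated to every Domain Controller before promoting a new one.
Import-Module ActiveDirectory

function Get-AdPrepState {
    param([string]$Server)
    $root = Get-ADRootDSE -Server $Server
    # Schema version lives on the schema partition's head object.
    $schema = Get-ADObject -Identity $root.schemaNamingContext -Properties objectVersion -Server $Server
    # Forestprep and domainprep each bump the 'revision' of a marker object.
    $forest = Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$($root.configurationNamingContext)" -Properties revision -Server $Server
    $domain = Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$($root.defaultNamingContext)" -Properties revision -Server $Server
    [pscustomobject]@{
        Server          = $Server
        SchemaVersion   = $schema.objectVersion
        ForestPrepLevel = $forest.revision
        DomainPrepLevel = $domain.revision
    }
}

function Test-AdPrepReplicated {
    $forestInfo = Get-ADForest
    # adprep /forestprep runs on the Schema Master, so that is the reference
    # for the schema version and the forestprep level.
    $reference = Get-AdPrepState -Server $forestInfo.SchemaMaster
    foreach ($domainName in $forestInfo.Domains) {
        $dcs = Get-ADDomainController -Filter * -Server $domainName
        $states = foreach ($dc in $dcs) { Get-AdPrepState -Server $dc.HostName }
        # The domainprep marker only replicates within its own domain, so each
        # Domain Controller is compared to the highest level seen in that domain.
        $domainTarget = ($states | Measure-Object -Property DomainPrepLevel -Maximum).Maximum
        foreach ($state in $states) {
            $inSync = ($state.SchemaVersion   -eq $reference.SchemaVersion) -and
                      ($state.ForestPrepLevel -eq $reference.ForestPrepLevel) -and
                      ($state.DomainPrepLevel -eq $domainTarget)
            $state | Add-Member -NotePropertyName Domain -NotePropertyValue $domainName
            $state | Add-Member -NotePropertyName InSync -NotePropertyValue $inSync -PassThru
        }
    }
}

# Promote only when every Domain Controller you rely on reports InSync = True.
Test-AdPrepReplicated | Format-Table -AutoSize
```

Run this after adprep.exe (or after a failed automatic preparation) and wait until the Domain Controllers in the site where you are promoting report InSync before running Install-ADDSDomainController again; a lag site that deliberately trails will keep reporting False until its replication window opens, which is expected and not an error.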
Replication could result in Denial of Service
In really large environments, admins want to replicate the Active Directory schema updates separately throughout the environment. Marking an attribute as indexable in the Active Directory schema for such an environment might result in all Active Directory Domain Controllers building the index for the attribute at the same time, using up CPU cycles. You could effectively perform a Denial of Service on your own Domain Controllers this way.
Windows Server 2012 does offer the Deferred Index Creation feature to avoid this situation, but it won’t be available to you when you are migrating to Windows Server 2012 Domain Controllers; it’s available when you migrate from Windows Domain Controllers onwards. Plus, you need to enable Deferred Index Creation, manually. It’s not enabled by default.
The automatic Active Directory preparation steps the Active Directory Domain Services Configuration Wizard can perform for you to update the schema to accommodate new Domain Controllers are designed for small environments. They are perfect for environments with a couple of Domain Controllers in a single Active Directory site, in a single Active Directory domain, in a single Active Directory forest.
KnowledgeBase: Gpprep is not performed when you automatically prepare
KnowledgeBase: Adprep "not a valid Win32 application" error on Windows Server 2003 x64
KnowledgeBase: "The system cannot find the file specified" Adprep /gpprep error
Transitioning your Windows Server 2003 Domain Controllers to Windows Server 2012
New features in AD DS in Windows Server 2012, Part 3: New Upgrade Process
Your organization might still be running their Active Directory Domain Services on top of Windows Server 2003-based Domain Controllers. You might be looking to replace these servers with Windows Server 2012-based Domain Controllers, either to utilize the new features, make the most out of your virtualization project or to simply do away with the aging technology that is soon out of support.
In this blogpost, I’ll walk you through the steps required to replace your aging Windows Server 2003 (R2) Domain Controllers with spanking new Windows Server 2012 Domain Controllers, while keeping your Active Directory running smoothly. This process is called transitioning your Active Directory.
Table of contents
- Ways to migrate Active Directory
- Reasons to transition
- Steps to transition
- Before you begin
- First steps
- Prepare your Active Directory environment
- Install the first Windows Server 2012 Domain Controller
- Install additional Domain Controllers
- Take care of FSMO roles and Global Catalog placement
- Demote your old Domain Controllers
- Raise the domain and forest functional levels
- Enable Active Directory Optional Features
- Run the Active Directory Best Practices analyzer
Ways to migrate
In general, you can migrate your Active Directory environment to the next version in three distinct ways:
- Transitioning
- Restructuring
- In-place upgrading
However, migrating your Windows Server 2003 (R2) Active Directory environment to Windows Server 2012 can only be done in two of these ways:
The first way, transitioning, means adding Windows Server 2012 Domain Controllers to your existing Active Directory environment. After successfully moving the Flexible Single Master Operations (FSMO) roles you can simply demote the previous Domain Controllers, remove them from the domain and throw them out of the window.
A second way to go from Windows Server 2003 (R2) Domain Controllers to Windows Server 2012 Domain Controllers is restructuring your Active Directory environment. This involves moving all your resources from one (Windows Server 2003) domain to a new and fresh (Windows Server 2012) domain (with at least one Windows Server 2008 R2 Domain Controller) with the Active Directory Migration Tool (ADMT).
The third option to migrate, in-place upgrading, is not supported. 32-bit versions of Windows Server 2003 and Windows Server 2003 R2 cannot be upgraded in-place, because Windows Server 2012 is only available as a 64-bit Operating System (OS). Cross-architecture upgrades are not supported. Also, I don't consider in-place upgrading an x64 version of Windows Server 2003 (R2) to Windows Server 2008 (R2) and then to Windows Server 2012 a valid upgrade option, since you would be chaining migrations. This practice might introduce errors that pile up towards the end of your migration.
Reasons to transition
Restructuring means filling a new Active Directory from scratch, while transitioning means you get to keep your current Active Directory layout, contents, group policies and schema. Transitioning also means moving to new machines, which can be dimensioned to last another three to five years without trouble.
Transitioning is good when:
- You worked hard to get your Active Directory in the shape it's in.
- Your current Windows Server 2003-based Domain Controllers are faced with aging.
- In-place upgrading leaves you with an undesired outcome (for instance Server Core or Enterprise edition Domain Controllers)
- You need a chance to place your Active Directory files on different partitions/volumes.
When done right your colleagues might not even suspect a thing! The downside is you need to know exactly what you're doing, because things can go wrong pretty fast. That's why I wrote this post.
Steps to transition
1. Before you begin
1.1 Avoid common mistakes
There is a very good Microsoft Knowledge Base article on Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain, written by community experts. I suggest you read it (twice). Most of the contents also apply to transitioning to Windows Server 2012.
1.2 Plan your server lifecycle
It's not uncommon for a Domain Controller to sit on your network for a period of five years. I believe you should keep this in mind when selecting and buying a server. You should plan your partitions (or volumes) carefully and place the Active Directory files on separate volumes when your needs justify it. The Windows Server catalog helps you pick systems that will run Windows Server 2012 with ease.
1.3 Assess your readiness
Microsoft has kindly provided a tool to scan systems to assess whether systems are capable of running Windows Server 2012, whether drivers are available (either from Microsoft update or on the installation media) and what problems you might encounter when deploying Windows Server 2012. I recommend checking your systems with this tool, which is called the Microsoft Assessment and Planning Solution Accelerator (MAP for short).
1.4 Map out your 64bit transition
Since Windows Server 2012 is only available in 64-bit flavors, you'll need to make sure every aspect of your Active Directory Domain Controller implementation is 64-bit ready. The MAP tool will not sort everything out for you, so you will have to dive into stuff like anti-malware, backup, software for uninterruptible power supplies, monitoring, systems management, time synchronization and your licensing (VAMT / MAK / KMS) solution.
1.5 Review the considerations for upgrading
Active Directory Domain Services in Windows Server 2012 breaks some functionality present in previous versions of Active Directory. For instance, NT 4.0 compatible encryption is off by default on Windows Server 2012 Domain Controllers. Review these considerations and determine whether they are show stoppers in your environment.
Make backups of all your Domain Controllers and verify you can restore these backups when needed.
It is a good thing to know exactly what you're migrating. When things go wrong you might need to be able to revert to the old situation.
The transitioning steps might require the Directory Services Restore Mode (DSRM) password and credentials for service accounts, which might not be written down anywhere. In multiple Domain Controller, multiple domain, multiple forest and multiple sites scenarios it's very wise to make a table containing the relevant information per Domain Controller in terms of Flexible Single Master Operations (FSMO) roles, Global Catalog placement, domain membership, site membership, replication topology, routing tables, IP addressing, etc.
When done right your colleagues might not even suspect a thing, but it's important to shed some light on what you're doing. (Make someone) communicate to the end users that you're going to mess with the core of their infrastructure. This might result in colleagues understanding you're (really) busy and might also result in problems being reported fast. Both are good things if you'd ask me...
2. First steps
2.1 Install the Support Tools
During the transitioning, you'll need some tools that are not native to Windows Server 2003 Domain Controllers. Luckily, for the 32-bit version of Windows Server 2003 and Windows Server 2003 R2, they are part of the free Windows Server 2003 Service Pack 2 32-bit Support Tools.
To install these tools, like replmon.exe and repadmin.exe, the Windows Server 2003-based Domain Controller on which you install them needs to run at least Service Pack 2. After you install the Support Tools, reboot and reapply the latest Service Pack for Windows Server 2003.
Installation is simple:
- Download both the support.cab and support.msi file for the Windows Server 2003 Service Pack 2 32-bit Support Tools and place them in one folder.
- Double-click support.msi.
- Click Next > in the Welcome to the Windows Support Tools Setup Wizard screen.
- Select the I Agree radio button in the End User License Agreement screen and then click Next >.
- Click Next > in the User Information screen to accept the default Name: and Organization: fields (or change them first, if you want to).
- Click the Install Now button in the Destination Directory screen if you’re fine with the default location to install the Support Tools into (C:\Program Files\Support Tools) or change the location first.
The Support Tools require 24 MB of free space.
- Click Finish in the Completing the Windows Support Tools Setup Wizard to close the wizard.
2.2 Check for proper replication
Since we’re applying big changes to our Active Directory infrastructure, we need to check forest-wide replication, before we can change anything. We’re going to rely on replication to replicate changes in the configuration to all Domain Controllers in the Active Directory forest, so let’s see if it’s trustworthy. Since we’re going to have to say goodbye to replmon.exe in our new environment, anyway, why not fire up repadmin.exe to this purpose?
- In the Start Menu on a Domain Controller, go to All Programs, then Windows Support Tools and click on Command Prompt.
- Type the following command:
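The same forest-wide replication check, scripted in Windows PowerShell, as an added example that is not part of the original steps. It assumes a repadmin.exe that supports the /csv switch (Windows Server 2003 SP1 Support Tools or later) and Windows PowerShell 2.0 or later on the Domain Controller you run it from; the function names are mine. Beyond the single repadmin call, it also lists Domain Controllers that never showed up in repadmin's output, which is the failure mode a summary alone hides.

```powershell
# Added example: summarize Active Directory replication health from
# repadmin /showrepl * /csv, and list Domain Controllers that did not report at all.

function Get-ReplicationLink {
    # One CSV row per inbound replication link of every reachable DC.
    # The column names are repadmin's own CSV headers.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        New-Object PSObject -Property @{
            Destination   = $row.'Destination DSA'
            Source        = $row.'Source DSA'
            NamingContext = $row.'Naming Context'
            Failures      = [int]$row.'Number of Failures'
            LastSuccess   = $row.'Last Success Time'
            LastStatus    = $row.'Last Failure Status'
        }
    }
}

function Get-ForestDomainController {
    # Every DC of every domain in the forest, by FQDN, straight from .NET
    # (no Active Directory PowerShell module needed on Windows Server 2003).
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) { $dc.Name }
    }
}

$links  = @(Get-ReplicationLink)
$failed = @($links | Where-Object { $_.Failures -gt 0 })

# repadmin lists DCs by short name, and a DC that is down or unreachable simply
# does not appear, so compare against the directory's own list of DCs.
$reporting = $links | ForEach-Object { $_.Destination } | Sort-Object -Unique
$expected  = Get-ForestDomainController | ForEach-Object { ($_ -split '\.')[0] } | Sort-Object -Unique
$silent    = @($expected | Where-Object { $reporting -notcontains $_ })

"{0} replication link(s), {1} with failures, {2} DC(s) not reporting" -f $links.Count, $failed.Count, $silent.Count
$failed | Format-Table Destination, Source, NamingContext, Failures, LastStatus -AutoSize
$silent | ForEach-Object { Write-Warning "No replication data from $_ (down, or not reachable from this DC)" }
```

Only proceed with the schema and functional level changes below when both the failure count and the not-reporting count are zero; a silent DC will otherwise receive the changes late, or never.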
3. Prepare your environment
Before you can begin to introduce the first Windows Server 2012 Domain Controller into your existing Active Directory environment, you first have to prepare the Active Directory.
3.1 Raise the domain and forest functional levels
To introduce Windows Server 2012-based Domain Controllers, the Active Directory forest needs to run the Windows Server 2003 Forest Functional Level (FFL). In an environment where the forest functional level is Windows Server 2003, the Domain Functional Level of all domains in the forest needs to be Windows Server 2003 (not Windows Server 2003 interim) or higher.
Although you won’t run into problems when preparing the schema in an Active Directory environment running Windows 2000 domain functional level (DFL) and Windows 2000 forest functional level (FFL), you can’t actually install a Windows Server 2012-based Domain Controller in it.
So, before you can transition the Active Directory infrastructure to Windows Server 2012, you will need to get rid of all the Windows 2000 Server-based Domain Controllers, Windows NT4 Server-based Primary Domain Controllers and Windows NT4 Server-based Backup Domain Controllers.
In an Active Directory forest containing one Active Directory domain, perform these actions on a Domain Controller:
- Log on with an account that is a member of the Enterprise Admins group.
- Start the Active Directory Domains and Trusts MMC snap-in (domain.msc).
- In the left pane, right-click Active Directory Domains and Trusts, (above the domain name) and from the context menu, select Raise Forest Functional Level…
- If the Current forest functional level: states Windows 2000, click Save As to generate a detailed report (else click OK and skip to 3.2 Update the Schema).
- Click Save to accept the default location (the domain name, appended with -log.csv, in the My Documents folder for the logged on user account).
- Browse to the location where you saved the log, and open it.
- The log contains two sections of interest for our migration:
- The lines below The following domains include domain controllers that are running earlier versions of Windows: contain the Domain Controllers that are not running Windows Server 2003. These Domain Controllers do not have msds-behavior-version set to the desired target level. They are assumed to be either Windows 2000 Server domain controllers or newer Windows Server domain controller objects that are damaged.
If earlier version Domain Controllers or Domain Controllers that have damaged or missing computer objects were found, they are included in the report. The status of these Domain Controllers must be investigated, and the Domain Controller representation in Active Directory must be repaired or removed by using ntdsutil.exe.
- The lines below The following domains must be updated to a domain functional level of Windows 2000 native or Windows Server 2003: contain the Active Directory Domains we need to upgrade.
- Now, switch back to the Active Directory Domains and Trusts MMC snap-in (domain.msc).
- In an Active Directory forest, containing multiple Active Directory domains, perform the actions on one of the Domain Controllers in each of the Active Directory domains in the forest. Start with the Active Directory domain that is the root domain in the forest.
- Right-click the first domain in the domain list in the left pane that was mentioned in the detailed log file. Select Raise Domain Functional Level… from the context menu.
- From the Select an available domain functional level: drop-down list, select Windows Server 2003. Then, press Raise.
- In the This change affects the entire domain. After you raise the domain functional level, it cannot be reversed. warning message, click OK.
- After a short while, you’ll see the The functional level was raised successfully. The new functional level will now replicate to each domain controller in the domain. The amount of time this will take varies, depending on your replication topology. informational message. Click OK.
- Repeat steps 9 to 12 for each Active Directory domain mentioned in the detailed log. To track your progress, you might want to run a detailed log after raising each domain's functional level.
- When you’ve successfully raised all Active Directory domains in the Active Directory forest, the option to raise the Forest Functional Level becomes available. In the left pane, right-click Active Directory Domains and Trusts, (above the domain name) and from the context menu, select Raise Forest Functional Level…
- Click Raise.
- In the This change affects the entire forest. After you raise the forest functional level, it cannot be reversed. warning message, click OK.
- After a short while, you’ll see the The functional level was raised successfully. The new functional level will now replicate to each domain controller in the forest. The amount of time this will take varies, depending on your replication topology. informational message. Click OK.
One of the new features of the Windows Server 2003 Domain Functional Level (DFL) is the ability to redirect User objects and Computer objects to newly created well-known locations. Take advantage of this goodie right away!
You do not, necessarily, need to wait for replication of the functional level raise actions, since updating the schema can be performed while your domains and forest are still in the Windows 2000 functional level. (You can’t install your first Windows Server 2012-based Domain Controller though.)
3.2 Update the schema
With the Domain Functional Level and Forest Functional Level upgraded, we can prepare the Active Directory schema. Microsoft provides adprep.exe, but running adprep.exe on a Windows Server 2003 x64 server results in a ‘not a valid Win32 application’ error. Running it on a 32-bit Windows Server 2003 edition results in the following error:
This leaves you with two options:
- Perform adprep.exe from a Windows Server 2012-based server with the Active Directory Domain Services installed, after you make sure DNS Name resolution works flawlessly.
- Perform adprep.exe from a workstation with Windows 8 x64, after you make sure DNS Name resolution works flawlessly.
Perform these steps on the Windows 8 workstation or Windows Server 2012-based server:
- On this installation copy the entire contents of the \support\adprep folder from the Windows Server 2012 DVD to a folder on the local hard disk.
- Install the PortQry tool version 2.0 on the machine. Unpack the installer.
- Check for proper name resolution and network connectivity with the following commands:
Based on the output of this command, target the IP address(es) returned using the following commands:
portqry.exe -n ReturnedIPAddress -p udp -e 389
portqry.exe -n ReturnedIPAddress -p udp -e 135
- Run the following commands:
adprep.exe /forestprep /forest domain.tld /user EntAdm /userdomain domain.tld /password Passw0rd
Press C followed by Enter to perform the forest preparation.
The message Adprep successfully updated the forest-wide
information. indicates successful preparation.
adprep.exe /rodcprep /forest domain.tld /user EntAdm /userdomain domain.tld /password Passw0rd
The message Rodcprep completed without errors. All partitions
are updated. See the ADPrep.log in directory
C:\Windows\debug\adprep\logs\ for more information.
indicates successful preparation.
adprep.exe /domainprep /gpprep /domain domain.tld /user DomAdm /userdomain domain.tld /password P@ssw0rd
The line with Adprep successfully updated the
domain-wide information. indicates successful preparation of the
domain. Adprep successfully updated the Group Policy Object
(GPO) information. indicates successful preparation of the cross
domain planning functionality for Group Policy and RSOP Planning
Perform the last command for each Active Directory domain in the forest.
After preparing your Active Directory for Windows Server 2012 be sure to check the process. Breadcrumbs to failures may be found in the event viewer, but real men will check the adprep.log files.
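The name resolution and port checks at the start of this procedure, scripted so they run against every Domain Controller the domain advertises in DNS, as an added example (not the author's commands). It assumes Windows 8 or Windows Server 2012 for Resolve-DnsName, PortQry 2.0 unpacked to C:\PortQryV2 (a constructed path) and domain.tld as the placeholder domain, and it reports portqry's own verdict line per port instead of interpreting the output further.

```powershell
# Added example: resolve the domain's DC SRV records, then probe LDAP (389/UDP)
# and the RPC endpoint mapper (135/UDP) on every address with portqry.exe.
$Domain  = 'domain.tld'                  # placeholder
$PortQry = 'C:\PortQryV2\portqry.exe'    # constructed path to the unpacked PortQry 2.0
$Ports   = 389, 135

if (-not (Test-Path $PortQry)) { throw "portqry.exe not found at $PortQry" }

# Every writable DC registers an SRV record under _ldap._tcp.dc._msdcs.<domain>;
# the answer also carries the DCs' A records, so keep the SRV rows only.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No DC SRV records for ${Domain}: name resolution is not working" }

foreach ($record in ($srv | Sort-Object NameTarget)) {
    $dcName = $record.NameTarget

    # Resolve the DC host separately, so a missing A record is reported as such
    # rather than as a closed port.
    $addresses = Resolve-DnsName -Name $dcName -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
    if (-not $addresses) { Write-Warning "$dcName has an SRV record but no A record"; continue }

    foreach ($ip in $addresses) {
        foreach ($port in $Ports) {
            # Same invocation as in the text: portqry.exe -n <ip> -p udp -e <port>
            $output  = & $PortQry -n $ip -p udp -e $port 2>&1 | Out-String
            # portqry's last non-empty line is its verdict (LISTENING, NOT LISTENING,
            # or LISTENING or FILTERED when nothing answered).
            $verdict = @($output -split "`r?`n" | Where-Object { $_.Trim() })[-1].Trim()
            $line    = "{0,-35} {1,-16} udp/{2,-4} {3}" -f $dcName, $ip, $port, $verdict
            if ($verdict -match 'NOT LISTENING|FILTERED') { Write-Warning $line } else { $line }
        }
    }
}
```

A FILTERED verdict usually means a firewall between the adprep host and that Domain Controller; adprep needs to reach the Schema Master and the Infrastructure Master of each domain, so clear those before running the three adprep commands.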
3.3 Check proper replication of the schema preparation
Allow sufficient time for proper replication to all Domain Controllers. (In large environments with specific replication needs this might take hours.) When you feel all changes have been replicated use the repadmin tool on one of your Windows Server 2003-based Domain Controllers to check and optionally troubleshoot Active Directory replication. The following one-liner will show you the schema version per Domain Controller:
repadmin /showattr * "cn=schema,cn=configuration,
When all your Domain Controllers report Schema version 56, you’re good to go with the next steps.
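A way to collect the schema version from every Domain Controller without depending on repadmin, as an added example that is not the author's one-liner. It uses only .NET System.DirectoryServices, so it also runs under Windows PowerShell 2.0 on a Windows Server 2003 Domain Controller; the function name is mine, and 56 is the Windows Server 2012 schema version the text names.

```powershell
# Added example: read objectVersion of the Schema naming context from every DC
# in the forest and compare it with the Windows Server 2012 schema version (56).
$TargetSchemaVersion = 56

function Get-SchemaVersionPerDC {
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $schemaDN = $forest.Schema.Name   # CN=Schema,CN=Configuration,DC=domain,DC=tld
    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            $result = New-Object PSObject -Property @{
                DomainController = $dc.Name
                Domain           = $domain.Name
                SchemaVersion    = $null
                Error            = $null
            }
            try {
                # Bind to the schema head on this specific DC, not via the domain
                # name, so the value reflects what this replica has received.
                $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/$schemaDN")
                $result.SchemaVersion = [int]$entry.Properties['objectVersion'].Value
            } catch {
                # A DC that is down or unreachable is reported, not skipped.
                $result.Error = $_.Exception.Message
            }
            $result
        }
    }
}

$versions = @(Get-SchemaVersionPerDC)
$versions | Sort-Object Domain, DomainController |
    Format-Table DomainController, Domain, SchemaVersion, Error -AutoSize

# Unreachable DCs have SchemaVersion $null and therefore count as not done.
$behind = @($versions | Where-Object { $_.SchemaVersion -ne $TargetSchemaVersion })
if ($behind.Count -eq 0) {
    "All $($versions.Count) Domain Controllers report schema version $TargetSchemaVersion."
} else {
    Write-Warning "$($behind.Count) Domain Controller(s) have not replicated schema version $TargetSchemaVersion yet."
}
```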
4. Install the first Windows Server 2012 Domain Controller
Now that we’ve got all the preparations done, we can install Windows Server 2012 on our first Domain Controller to be.
When you use your organization's golden Windows Server image to build the Domain Controllers for your environment, instead of installing by hand as outlined in the steps below, make sure the Windows Server installation was sysprepped.
Either configure a Virtual Machine on your favorite virtualization platform or let the purchasing department spend their money on some physical datacenter iron.
When installing physical servers, make sure you purchase a server with four spindles. Create two mirror (RAID1) volumes. Then, you can use the first set of spindles for Windows and programs, and the second set for the Active Directory database, Active Directory transaction logs and System Volume (SYSVOL).
4.1 Install Windows Server
Boot your configuration from the Windows Server 2012 installation media. Then, perform these actions:
- In the first screen of Windows Setup, choose the Language to install:, the Time and currency format: and the Keyboard or input method: for the Domain Controller installation. Click Next to continue.
- Click Install now.
- Select the Operating System (OS) you want to install.
The Server Core installation option is the preferred installation option. Performing this type of installation will result in a lean mean Windows Server (virtual) machine, but will not allow you to manage it through the Graphical User Interface (GUI) you know from Windows Server 2003. You will need a Windows Server 2012 management server or Windows 8-based management workstation with the Remote Server Administration Tools (RSAT) to manage Server Core Domain Controllers most of the time. Click a Server with a GUI installation when this is your first Windows Server 2012 installation.
Click Next when done.
- Select the I accept the license terms option and click Next in the License Terms screen.
- Choose Custom: Install Windows only (advanced) to perform a clean Windows Server installation.
- Choose where to install Windows Server in the Where do you want to install Windows? screen.
- When this is a physical server, choose the first set of spindles.
- When this is a virtual server, choose the entire virtual disk.
After installation of the virtual server, shrink the volume in the virtual disk to accommodate the partition(s) for the Active Directory database, Active Directory transaction logs and System Volume (SYSVOL).
Click Next when done.
- After installation, type a password for the built-in administrator account. You will use this account to sign in, until you promote it to a Domain Controller.
The password needs to comply with the default complexity requirements.
Click Finish when done.
- Press Ctrl+Alt+Del on the lock screen. Then, sign into your new Windows Server installation with the password you just set for Administrator.
4.2 Configure the server
After you’ve installed the server, make these configuration changes:
- Change the name of the server using the server naming policy of your organization.
- Provide the correct time zone for the location of the Domain Controller.
- Check for proper activation of the Windows Server Operating System.
- Update the server with the latest Service Pack and updates.
- Configure the server with a fixed IPv4 address, a fixed IPv6 address and proper name resolution. Plan for Active Directory-integrated DNS. Avoid multi-homing Domain Controllers.
- Configure the pagefile properly.
- Implement Information Security measures (anti-malware, UPS, monitoring, backup)
- Create a backup of the server.
Do not use the snapshot features of your backup or virtualization solution.
4.3 Configure Active Directory storage
Now that we have a Windows Server installation that is configured properly, we need to plan the storage of the Active Directory database, the Active Directory transaction logs and the System Volume (SYSVOL).
An Active Directory performance best practice is to place this data on separate spindles. This is easily achieved when you’re working with physical servers by placing an extra set of mirrored hard disks. The Active Directory Domain Services Configuration Wizard, that we’ll use in a short while will disable write-back caching on these separate spindles, and not the spindles the Operating System (OS) is on. The purpose behind this is to make the storage more robust by not writing data meant for disk to memory first, but straight to disk. In case of a black- or brown-out, the Active Directory database would not be instantly corrupted.
Disabling write-back caching deteriorates the performance of storage by roughly 30%.
However, creating ‘spindles’ in the virtual world is a bit more tricky. Luckily, virtualization solutions, nowadays, are smart enough to see when a virtual machine requests to have write-back caching off on its storage and offer the best available performance per storage block.
Since Active Directory would break, when we bring an Active Directory Domain Controller up without its files, we’ll keep all these files together in one virtual hard disk. So, in a virtual machine, shrink the system volume (C:\) sufficiently and create a separate NTFS-formatted volume for your Active Directory files:
- Open the Disk Management MMC Snap-in (diskmgmt.msc)
- Right-click the C: volume in the bottom main pane and select Shrink Volume… from the context menu.
- Shrink the volume by the amount you need. You can use the information here to plan the size of the volume. Apply a safety factor, but don’t make it too big. Active Directory has some built-in mechanisms to cope with scarce disk space. In the example above I shrink the volume by 20GB. Press Shrink.
- Right-click in the Unallocated space you created with the step above. Choose New Simple Volume… from the context menu.
- Click Next > in the Welcome to the New Simple Volume Wizard screen.
- Accept the maximum disk space allowed by clicking Next > in the Specify Volume Size screen.
- Accept the automatically assigned drive letter by clicking Next > in the Assign Drive Letter or Path screen.
- Accept the defaults for formatting the partition by clicking Next > again. This will create an NTFS-based, quickly formatted partition with the label New Volume. Make changes if you want to.
- Click Finish.
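The same shrink-and-create sequence with the Storage module cmdlets that ship with Windows Server 2012, as an added example rather than the author's steps. It assumes the system volume is C: on disk 0 of the virtual machine, uses the 20GB figure from the text, and refuses to shrink when the volume cannot actually give up that much space, which Disk Management only tells you after the fact.

```powershell
# Added example: shrink C: by the size planned for the Active Directory files and
# create an NTFS volume for them in the freed space (Windows Server 2012 Storage module).
$AdVolumeSize = 20GB         # the amount used in the text; size it for your database
$Label        = 'ADDS'       # constructed label; Disk Management's default is "New Volume"

$sys       = Get-Partition -DriveLetter C
$supported = Get-PartitionSupportedSize -DriveLetter C

# Shrinking is limited by immovable files and free space on C:; check before acting.
$maxShrink = $sys.Size - $supported.SizeMin
if ($AdVolumeSize -gt $maxShrink) {
    throw ("C: can shrink by at most {0:N1} GB, not the requested {1:N1} GB" -f ($maxShrink / 1GB), ($AdVolumeSize / 1GB))
}

Resize-Partition -DriveLetter C -Size ($sys.Size - $AdVolumeSize)

# Use the largest free extent on the same disk, take the next free drive letter,
# quick-format as NTFS (the wizard's defaults).
$new = New-Partition -DiskNumber $sys.DiskNumber -UseMaximumSize -AssignDriveLetter
$new | Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false | Out-Null

"Created {0}: ({1:N1} GB) for the Active Directory database, logs and SYSVOL" -f $new.DriveLetter, ($new.Size / 1GB)
```

Note the drive letter the script reports; the Paths screen of the promotion wizard (section 4.6) is where it goes.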
4.4 Make the server a member of the domain
To allow Kerberos authentication between the Windows Server 2003 (R2) Domain Controllers and our Windows Server 2012 Domain Controller to be, we need to make the Windows Server a member of the Active Directory domain.
Restart to make the changes apply.
After the restart, make sure you log on with a domain account.
4.5 Install the Active Directory Domain Services role
We can now install the Active Directory Domain Services (AD DS) Server Role and accompanying tools, like the Active Directory Administrative Center and Active Directory PowerShell Cmdlets, onto the Windows Server 2012 installation.
If you want to click through this, follow these steps:
- Open Server Manager (if not opened automatically),
- Click on the Manage link in the top task pane and select Add Roles and Features from the context menu.
- Click Next > in the Before you begin screen.
- Click Next > to perform a Role-based or feature-based installation.
- Click Next > to select the local server as the target of the operation.
- Click Active Directory Domain Services in the list with available roles in the Select server roles screen.
- Click Add Features in the pop-up window.
- Now, click Next > in the Select server roles window.
- Click Next > in the Select features screen.
- Click Next > after you’ve read what Active Directory Domain Services does.
- Click Install in the Confirm installation selections screen to perform the installation of the Active Directory Domain Services Server Role with its accompanying tools.
- After the installation has completed, click Close.
4.6 Promote the server
With everything in place for our Domain Controller, we can go ahead and promote the Windows Server installation to a Domain Controller for your Active Directory domain. In this capacity it will operate as an additional Domain Controller, next to your Windows Server 2003-based Domain Controllers.
Perform these steps:
- Make sure you are logged on as a domain administrator.
- Open Server Manager (if not opened automatically).
- Click on the yellow warning sign on the top action bar. It will feature the Post-deployment Configuration for Active Directory Domain Services.
- Click the Promote this server to a domain controller link.
This will trigger the Active Directory Domain Services Configuration Wizard to start.
- In the Deployment Configuration screen, the default choices are the ones you need to make the server an additional Domain Controller for the domain it already joined, using the credentials of the logged on user. Click Next >.
- In the Domain Controller Options screen, the wizard asks us for the Directory Services Restore Mode (DSRM) password for this Domain Controller. Specify it.
Add this password to the documentation for the Domain Controller.
Choose an Active Directory site, when appropriate. Accept the DNS Server and Global Catalog capabilities by pressing Next > next.
- Click Next > in the DNS Options screen.
- Click Next > in the Additional Options screen.
- In the Paths screen, change the locations for the Active Directory database, log files and System Volume (SYSVOL), by replacing C:\Windows with the drive letter of the second partition on the server. Click Next > when done.
- Click Next > in the Review Options screen.
- Click Install in the Prerequisites Check screen. You will encounter a couple of warnings, but you can safely ignore these.
After promotion is successful, the server will automatically reboot.
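Sections 4.4 to 4.6 without the wizards, as an added example that is not the author's procedure. It assumes domain.tld, the site name and D: (the partition created in 4.3) as placeholders, and it runs the same prerequisite check the wizard's Prerequisites Check screen runs before promoting. The DSRM password is prompted for rather than written into the script, for the same reason the text tells you to document it separately.

```powershell
# Added example: join the domain, install the AD DS role and promote the server as an
# additional Domain Controller with the ADDSDeployment cmdlets (Windows Server 2012).
$DomainName = 'domain.tld'                 # placeholder
$SiteName   = 'Default-First-Site-Name'    # placeholder; pick the site the DC serves
$AdDrive    = 'D:'                         # partition created in section 4.3

# 4.4 Join the domain and restart. Run the remainder after the restart, logged on
# with a domain account.
if (-not (Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
    Add-Computer -DomainName $DomainName -Credential (Get-Credential -Message "Account allowed to join $DomainName") -Restart
    return
}

# 4.5 The AD DS role plus its tools (Administrative Center, AD PowerShell module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null

# 4.6 Additional DC for the joined domain, DNS server and Global Catalog (the wizard's
# defaults), database, logs and SYSVOL on the second partition instead of C:\Windows.
$dsrm   = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password (document it)'
$cred   = Get-Credential -Message "Domain Admin account for $DomainName"
$params = @{
    DomainName                    = $DomainName
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    SiteName                      = $SiteName
    DatabasePath                  = "$AdDrive\NTDS"
    LogPath                       = "$AdDrive\NTDS"
    SysvolPath                    = "$AdDrive\SYSVOL"
    InstallDns                    = $true
}

# Dry run of the prerequisite checks; warnings end up in Message, failures in Status.
$check = Test-ADDSDomainControllerInstallation @params
$check.Message
if ($check.Status -ne 'Success') { throw "Prerequisite check failed with status $($check.Status)" }

# Promotes the server and, like the wizard, reboots it automatically when done.
Install-ADDSDomainController @params -Force
```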
4.7 Check for proper promotion
After the server has rebooted, log onto it with administrative privileges, and perform these actions to check for proper Domain Controller promotion:
4.7.1 Check the promotion logs
It is a best practice to review the logs to identify any problems that might have occurred during the promotion. The logs to scrutinize, specifically, are:
All the events regarding the creation and removal of Active Directory, SYSVOL trees and the installation, modification and removal of key services
All the events from a graphical interface perspective
4.7.2 Check the Event Viewer
Check the event viewer (eventvwr.msc) of the newly created Domain Controller for Active Directory-related events.
Six specific Application and Services Logs have been created to quickly find errors and warnings on Active Directory Domain Services:
- Active Directory Web Services
- DFS Replication
- Directory Service
- DNS Server
- File Replication Service
- Key Management Service
Check these logs for errors.
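The checks of 4.7.1 and 4.7.2 scripted together, as an added example that is not part of the original. The two promotion logs it reads, %SystemRoot%\debug\dcpromo.log (Active Directory, SYSVOL and service work) and %SystemRoot%\debug\dcpromoui.log (the wizard side), are the standard Windows locations and are not named on the page; the 24-hour window is an assumption, so widen it if the promotion happened earlier.

```powershell
# Added example: scan the promotion logs for failures and the six AD-related event
# logs for Critical, Error and Warning events since the promotion.
$Since = (Get-Date).AddHours(-24)   # constructed window
$Logs  = 'Active Directory Web Services', 'DFS Replication', 'Directory Service',
         'DNS Server', 'File Replication Service', 'Key Management Service'

# 4.7.1 Promotion logs: list the lines that mention an error or a failure.
foreach ($log in 'dcpromo.log', 'dcpromoui.log') {
    $path = Join-Path $env:SystemRoot "debug\$log"
    if (-not (Test-Path $path)) { Write-Warning "$path not found"; continue }
    $hits = @(Select-String -Path $path -Pattern 'error|fail')
    "{0}: {1} line(s) mentioning error/fail" -f $log, $hits.Count
    $hits | Select-Object -Last 5 | ForEach-Object { '  ' + $_.Line.Trim() }
}

# 4.7.2 Event logs: Level 1 = Critical, 2 = Error, 3 = Warning. Get-WinEvent reports
# "no events found" as an error, hence SilentlyContinue; an empty log is a good log.
foreach ($logName in $Logs) {
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 1, 2, 3; StartTime = $Since } -ErrorAction SilentlyContinue)
    "{0,-30} {1,4} warning/error event(s) since {2}" -f $logName, $events.Count, $Since
    # Show the most frequent event IDs with the first line of their message.
    $events | Group-Object Id | Sort-Object Count -Descending | Select-Object -First 3 | ForEach-Object {
        "  Event ID {0} x{1}: {2}" -f $_.Name, $_.Count, (($_.Group[0].Message -split "`n")[0])
    }
}
```

Some warnings right after promotion are expected (the DNS Server log complains until the server's own address is in its resolver list, for instance); repeat the scan a day later and anything that persists deserves a look.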
4.8 Configure the server
With the Active Directory Domain Services Server Role installed, we need to rerun Windows Update, to get the updates to the Server Role.
Also, this is a good time to configure scheduled system state backups, so you’d be able to restore this single Windows Server 2012-based Domain Controller in your environment.
5. Install additional Domain Controllers
With your first Windows Server 2012-based Domain Controller installed, you can go forward with installing additional Windows Server 2012-based Domain Controllers. All the steps for installing the first Domain Controller (Steps 4.1 through 4.8) apply to each of your Windows Server 2012-based Domain Controllers.
Because we will be demoting the Windows Server 2003-based Domain Controllers as one of the next steps, be sure to install at least two Domain Controllers per domain in the forest.
When you’re planning on using the Kerberos Armoring (FAST) feature after the migration, plan a sufficiently provisioned Domain Controller per Active Directory site per domain, because after Kerberos Armoring (FAST) is enabled, Windows 8 clients will only communicate with Windows Server 2012-based Domain Controllers. This might create a pile-on effect. Therefore, ensure you have sufficient Domain Controllers to prevent authentication traffic passing Active Directory site links.
6. Take care of FSMO roles and Global Catalog placement
Using the Active Directory Sites and Services MMC Snap-in (dssite.msc) make new Windows Server 2012 Domain Controllers Global Catalog servers appropriately.
Also transfer the Flexible Single Master Operations (FSMO) Roles to appropriate servers. You can use the Graphical Interface to move the Flexible Single Master Operations (FSMO) Roles, or go full out on the command line using ntdsutil.
In multiple Domain scenarios Jorge has a good rule of thumb on Global Catalogs and the Infrastructure Master Flexible Single Master Operations (FSMO) Role. Either:
- Don't make the Domain Controller holding the Infrastructure Master Flexible Single Master Operations (FSMO) Role a Global Catalog server (this only matters when there is another Domain Controller in the same Active Directory domain that is not a Global Catalog either); or
- Make all Domain Controllers Global Catalog servers.
When your environment includes Microsoft Exchange Server, reboot a Domain Controller after making it a Global Catalog server. Microsoft Exchange communicates with Active Directory through Global Catalogs using MAPI. Although the Active Directory Sites and Services MMC Snap-in doesn't ask for it, you need to restart a Domain Controller at least one time after making it a Global Catalog before it starts talking MAPI.
Make sure your Windows Server 2003 (R2)-based Domain Controllers are no longer clinging on to any of the Flexible Single Master Operations (FSMO) Roles using the graphical user interface, or the following command using netdom.exe:
netdom.exe query fsmo
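An inventory of the role holders and Global Catalogs that also applies the two checks this section asks for, as an added example (not the author's netdom command). It assumes the Active Directory PowerShell module, which the AD DS management tools installed in section 4.5 provide, and the function name and the placeholder target in the final comment are mine.

```powershell
# Added example: list FSMO role holders with their OS and Global Catalog status, flag
# roles still held by a Windows Server 2003 (R2) DC, and check the Infrastructure
# Master / Global Catalog rule of thumb per domain.
Import-Module ActiveDirectory

function Get-FsmoInventory {
    $forest = Get-ADForest
    $roles  = @(
        @{ Role = 'SchemaMaster';       Holder = $forest.SchemaMaster;       Scope = $forest.Name },
        @{ Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster; Scope = $forest.Name }
    )
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $roles += @{ Role = 'PDCEmulator';          Holder = $domain.PDCEmulator;          Scope = $domainName }
        $roles += @{ Role = 'RIDMaster';            Holder = $domain.RIDMaster;            Scope = $domainName }
        $roles += @{ Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster; Scope = $domainName }
    }
    foreach ($r in $roles) {
        # Ask the holder itself, so DCs of child domains resolve without extra lookups.
        $dc = Get-ADDomainController -Identity $r.Holder -Server $r.Holder
        New-Object PSObject -Property @{
            Role            = $r.Role
            Scope           = $r.Scope
            Holder          = $dc.HostName
            OperatingSystem = $dc.OperatingSystem
            IsGlobalCatalog = $dc.IsGlobalCatalog
        }
    }
}

$inventory = @(Get-FsmoInventory)
$inventory | Format-Table Role, Scope, Holder, OperatingSystem, IsGlobalCatalog -AutoSize

# Roles still on old DCs must move before those DCs are demoted in section 7.
$inventory | Where-Object { $_.OperatingSystem -match 'Windows Server 2003' } | ForEach-Object {
    Write-Warning ("{0} for {1} is still held by {2} ({3})" -f $_.Role, $_.Scope, $_.Holder, $_.OperatingSystem)
}

# Rule of thumb from above: an Infrastructure Master may be a Global Catalog only when
# every DC in its domain is a Global Catalog.
foreach ($im in ($inventory | Where-Object { $_.Role -eq 'InfrastructureMaster' -and $_.IsGlobalCatalog })) {
    $nonGc = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $false } -Server $im.Scope)
    if ($nonGc.Count -gt 0) {
        Write-Warning ("{0}: Infrastructure Master {1} is a Global Catalog while {2} DC(s) are not" -f $im.Scope, $im.Holder, $nonGc.Count)
    }
}

# Moving roles from PowerShell, the alternative to ntdsutil (DC2012-01 is a placeholder):
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2012-01' -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
```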
7. Demote your old Domain Controllers
I've seen Domain Controllers become the prostitutes of the server room in many environments. Any software that didn't require a dedicated server or was deemed highly dependent on the Active Directory was installed on the Domain Controller. When you're one of the administrators treating their Domain Controllers like that, you're going to have a hard time demoting your Domain Controllers.
Testing demotions in a separate (virtual) testing environment could give you a clear picture of the behavior of your ex-Domain Controllers though! Remember: “Everyone has a test environment, not just everyone has a production environment…”
From my personal experience I can tell it's not recommended to demote a Domain Controller when it has Exchange Server or Internet Information Services installed after it was promoted. You're going to have to find another box to install these services on.
When your Windows Server 2003 (R2)-based Domain Controllers are also Domain Name System (DNS) servers it is recommended to change the DNS zones into Active Directory Integrated DNS zones (when possible) so they get replicated to any Domain Controller running the DNS service. Installing the DNS Server role on a Windows Server 2012 Domain Controller using Server Manager would then suffice to migrate DNS settings and information. Be sure to change the DNS information on your other servers and workstations, before removing DNS servers from your network.
You can safely demote a Windows Server 2003-based Domain Controller using the following steps:
- Click Start, then click Run... Type dcpromo.exe as the name of the program and click OK.
- Click Next > in the Welcome to the Active Directory Installation Wizard screen.
- When the Domain Controller is a Global Catalog, you will see the This domain controller is a Global Catalog server. Global Catalogs are used to process user logons. You should make sure other Global Catalogs are accessible to users of this domain before removing Active Directory from this computer. warning. Click OK.
- In the Remove Active Directory screen, click Next >.
- In the Administrator Password screen, type the new password for the local Administrator account of the soon to be demoted Domain Controller, twice.
The demoted Domain Controller will be a member server after the demotion. You will be able to log onto it with domain credentials, as well as with the local Administrator account and the password you set here.
Click Next > when done.
- In the Summary screen, click Next >.
- After the Domain Controller has successfully been demoted, click Finish to close the wizard.
- Click Restart Now in the pop-up for the Active Directory Installation Wizard to restart the server.
If you're unsuccessful, you might want to try to remove the barriers that prevent demotion one by one, or ultimately remove the server from Active Directory the hard way, which is described in Microsoft KnowledgeBase article 332199.
8. Raise the domain and forest functional levels
8.1 Raise the Domain Functional Level
After you've successfully demoted the last Windows Server 2003 (R2)-based Domain Controller for a specific domain (or you don't feel the need to ever add pre-Windows Server 2003 (R2)-based Domain Controllers to your Active Directory environment) you're ready to raise the Domain functional level of that domain.
Upgrading the Domain Functional Level (DFL) to Windows Server 2008 adds these features to your environment:
- Improved DFS Replication
Support to use Distributed File System (DFS) Replication for the System Volume. When used in Windows Server 2008 mode, DFS also supports access-based enumeration and increased scalability.
- Advanced Encryption Standards
After you raise the Domain Functional Level to Windows Server 2008 and reset the passwords for users, they can enjoy AES128 and AES256 support for the Kerberos protocol.
- Last Interactive Logon Information
Last Interactive Logon Information displays information on the total number of failed logon attempts, the total number of failed logon attempts after a successful logon, the time of the last failed logon attempt and the time of the last successful logon attempt, when a user account is used to log on.
- Fine-grained password policies
This feature allows you to specify password and account lockout policies for user accounts and global security groups in a domain.
Upgrading the Domain Functional Level (DFL) to Windows Server 2008 R2 adds two features to your environment:
- Authentication Mechanism Assurance
This mechanism adds information to the user’s Kerberos token on the type of authentication used. This allows administrators to modify group membership based on how the user authenticates. For example, a user can have access to different resources if they log in with a certificate versus when they log in with just their username and password.
- Automatic SPN management
In the past administrators regularly used Active Directory user accounts as service accounts for Exchange Server, SQL Server and Internet Information Services (IIS).
Managed Service Accounts (MSAs) can be used since Windows Server 2008 R2, and this feature allows for automatic SPN management, one of the two main benefits of these accounts.
Upgrading the Domain Functional Level (DFL) to Windows Server 2012 adds one feature to your environment:
- The KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require Windows Server 2012 Domain Functional Level (DFL).
Start with the forest root domain and follow the steps outlined in section 3.1 Raise the domain and forest functional levels but instead of raising the Domain Functional Level to Windows Server 2003, raise the Domain Functional level to Windows Server 2012:
8.2 Raise the Forest Functional Level
After you've successfully upgraded the Domain Functional Level (DFL) of all the domains in your Active Directory forest, you're ready to upgrade the Forest Functional Level (FFL).
- Upgrading the Forest Functional Level (FFL) to Windows Server 2008 adds no features to your environment.
- Upgrading the Forest Functional Level (FFL) to Windows Server 2008 R2 adds the Active Directory Recycle Bin functionality to your environment, but only after you enable it.
- Upgrading the Forest Functional Level (FFL) to Windows Server 2012 adds no features to your environment.
Although some of the Forest Functional Levels (FFLs) don’t add features, raising the Forest Functional Level (FFL) to Windows Server 2012 will result in all domains subsequently added to the forest operating at the Windows Server 2012 Domain Functional Level (DFL).
Follow the steps outlined in section 3.1 Raise the domain and forest functional levels to raise the Forest Functional level to Windows Server 2012:
9. Enable Active Directory Optional Features
When your Active Directory environment runs the Windows Server 2012 Forest Functional Level or higher, you can enable the Active Directory Recycle Bin.
One of the new features in Windows Server 2012 is the ability to turn this feature on in the Graphical User Interface (GUI). Follow these steps to do so:
- Log onto a Windows Server 2012-based Domain Controller or a domain-joined Windows 8 installation, with the Remote Server Administration Tools installed and the Active Directory Administrative Center feature installed, with an account with administrative privileges.
- Start the Active Directory Administrative Center (dsac.exe)
- Select the domain name in the left pane.
- Click the Enable Recycle Bin … link in the right task pane.
- Click OK in the Enable Recycle Bin Confirmation pop-up.
- Also click OK in the Active Directory Administrative Center to acknowledge the need to refresh the Administrative Center console.
- Press the round refresh button in the grey top pane of the Active Directory Administrative Center to refresh it.
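Sections 8.1, 8.2 and 9 carried out with the Active Directory PowerShell module, as an added example that is not the author's procedure. It raises each domain only after confirming that no Domain Controller below Windows Server 2012 is left in it, raises the forest only after every domain is done, and enables the Recycle Bin only when the forest level allows it. Because both raises are irreversible, the cmdlets' own confirmation prompts are deliberately left on.

```powershell
# Added example: raise the Domain Functional Levels (forest root first), then the
# Forest Functional Level, then enable the Active Directory Recycle Bin.
Import-Module ActiveDirectory
$forest  = Get-ADForest
$domains = @($forest.RootDomain) + @($forest.Domains | Where-Object { $_ -ne $forest.RootDomain })

# 8.1 Domains. A single older DC left in a domain makes the raise fail, so check first.
foreach ($domainName in $domains) {
    $older = @(Get-ADDomainController -Filter * -Server $domainName |
               Where-Object { $_.OperatingSystem -notmatch 'Windows Server 2012' })
    if ($older.Count -gt 0) {
        $names = ($older | ForEach-Object { $_.HostName }) -join ', '
        Write-Warning ("{0}: not raising, {1} DC(s) below Windows Server 2012: {2}" -f $domainName, $older.Count, $names)
        continue
    }
    Set-ADDomainMode -Identity $domainName -DomainMode Windows2012Domain
    "{0}: Domain Functional Level is now {1}" -f $domainName, (Get-ADDomain -Identity $domainName).DomainMode
}

# 8.2 Forest: only when every domain in it has been raised.
$belowTarget = @($domains | Where-Object { (Get-ADDomain -Identity $_).DomainMode -ne 'Windows2012Domain' })
if ($belowTarget.Count -eq 0) {
    Set-ADForestMode -Identity $forest.Name -ForestMode Windows2012Forest
    $forest = Get-ADForest
    "Forest Functional Level is now {0}" -f $forest.ForestMode
} else {
    Write-Warning ('Forest not raised; domains still below Windows Server 2012: ' + ($belowTarget -join ', '))
}

# 9 Recycle Bin: needs Windows Server 2008 R2 forest level or higher and cannot be
# turned off again, so skip it when it is already on.
$recycleBin = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($recycleBin.EnabledScopes.Count -gt 0) {
    'The Active Directory Recycle Bin is already enabled.'
} elseif ($forest.ForestMode -ge 'Windows2008R2Forest') {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $forest.Name
} else {
    Write-Warning "Forest Functional Level $($forest.ForestMode) is too low for the Recycle Bin"
}
```

The Recycle Bin step is the PowerShell route to the Enable Recycle Bin … link in the Active Directory Administrative Center; the console still needs its refresh afterwards, as described above.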
10. Run the Active Directory Best Practices analyzer
On Domain Controllers running Windows Server 2008 R2 and up, you can use the Active Directory Domain Services Best Practices Analyzer (BPA). With the BPA, you can scan your Active Directory infrastructure for compliance with the Best Practices. These best practices were designed with the input from Microsoft Consultancy Services and help you avoid most of the situations that can lead to data loss and unavailability of Domain Controllers.
The Active Directory Domain Services BPA can be run from Server Manager or using the PowerShell Cmdlets. Server Manager can scan a local or a remote computer; to scan a remote computer, use the Connect to Another Computer option in Server Manager. To run the scan from Server Manager, perform the following steps:
- Log onto a Windows Server 2012-based Domain Controller or a domain-joined Windows 8 installation, with the Remote Server Administration Tools installed and the Server Manager feature installed, with an account with administrative privileges.
- Open Server Manager.
- In the left pane of Server Manager, click on AD DS.
- Scroll down in the main pane to the Best Practice Analyzer section.
- Click on the Tasks button and then select Start BPA Scan from the context menu.
- Click Start Scan in the Select Servers screen.
Using your common sense, make the configuration changes for the non-compliant settings listed as warnings and errors.
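The three phases above (raise the FFL, enable the Recycle Bin, run the BPA) as one PowerShell script, added here as an example and not taken from the original post. It assumes the ActiveDirectory and BestPractices modules are present (RSAT or the AD DS role) and that you run it with Enterprise Admins rights; every name is read from the forest, nothing is hard-coded.

```powershell
# Added example, not the post's own code. Assumes ActiveDirectory and BestPractices modules.
Import-Module ActiveDirectory
Import-Module BestPractices

$forest = Get-ADForest

# Phase 8: refuse to touch the FFL while any domain is still below the 2012 DFL.
$lagging = foreach ($name in $forest.Domains) {
    $dom = Get-ADDomain -Identity $name
    if ($dom.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012Domain) {
        $dom.DNSRoot
    }
}
if ($lagging) {
    throw "Raise the Domain Functional Level of these domains first: $($lagging -join ', ')"
}

# Raising the FFL cannot be undone; Set-ADForestMode prompts for confirmation by default.
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2012Forest) {
    Set-ADForestMode -Identity $forest -ForestMode Windows2012Forest
    $forest = Get-ADForest   # re-read, the object held the old mode
}

# Phase 9: enable the Recycle Bin only if it is not already enabled (also irreversible).
$recycleBin = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if (-not $recycleBin.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $recycleBin -Scope ForestOrConfigurationSet -Target $forest.RootDomain
}

# Phase 10: run the AD DS Best Practices Analyzer and list what needs attention.
# Add -ComputerName to both cmdlets to scan a remote Domain Controller instead.
$model = 'Microsoft/Windows/DirectoryServices'
Invoke-BpaModel -ModelId $model | Out-Null
Get-BpaResult -ModelId $model |
    Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
    Select-Object Severity, Category, Title, Problem, Resolution |
    Format-List
```

Review the warnings and errors the last step prints before changing anything, and re-run the scan afterwards to confirm the findings are gone.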
Transitioning your Active Directory to Windows Server 2012 seems as easy as installing new Windows Server 2012 Domain Controllers into your current environment. It might be in small shops with only a single Domain Controller in a single Active Directory domain in its own forest with one single Active Directory site.
In larger environments, be sure to check whether what you're doing is successfully installed, performed and replicated before you screw up your Active Directory environment though!
As previously announced, Raymond and I delivered two sessions at the Nordic Infrastructure Conference (NIC) in Oslo, Norway.
We flew from Amsterdam Schiphol Airport (AMS) to Oslo Gardermoen Lufthavn (OSL) and, after our 2-hour flight, we took the Flytoget to get to Oslo Sentralstasjon within half an hour. We arrived at our hotel, the Clarion Christiania, at 11PM.
Too late for any party.
Nonetheless, Raymond found a way to dance in The Dubliner.
Thursday was the first day of the event, so we hung out in the most appropriate place for us during the event.
Luckily, besides tweaking our sessions, we also had time to enjoy the continuous food service, some sessions, and the Experts Panel. Of course, we also met with the other speakers. It’s a small world, after all…
After the sessions, a group with Brian Desmond, Brian Komar, Justin Morris, Johan Arwidmark and me had dinner, which landed moose on my plate:
Thursday night, we met with Jimmy Andersson on the 34th floor of the Radisson Blu hotel, next door to the Oslo Spektrum. It was fun, but unfortunately I lost track of time a bit too much, leaving me with ample time to catch up on sleep…
Friday, Raymond and I delivered our two sessions on Bring-Your-Own essentials with Microsoft technologies, focusing on the new BYO and Identity capabilities found in Windows 8.1 and Windows Server 2012 R2.
As part of these sessions, Raymond and I convinced the audiences (packed rooms with 130 participants) on the practical use cases of claims-based authentication, multi-factor authentication, workplace join and work folders.
Friday night, Raymond and I wandered through snowy Oslo, enjoying famous sights like the Oslo Theater, the Nobel Peace Center, the City Council building and Akershus Castle.
Saturday morning we flew back to the Netherlands, but not before we enjoyed a breakfast in our hotel with John Craddock, discussing the very technologies above.
The 2014 Nordic Infrastructure Conference (NIC) was well worth it.
Many Active Directory admins use and like the Quest Active Directory PowerShell Cmdlets, which are part of the free ActiveRoles Management Shell for Active Directory. They have been freely available since 2007 and have been the long-trusted scripting companion for many.
I am not one of them. It’s nothing personal. Let me explain.
The 2007 situation
Back in April 2007, when the ActiveRoles Management Shell for Active Directory was introduced as simply AD Cmdlets by Quest Software, Microsoft offered no PowerShell support for Active Directory.
PowerShell itself, you could say, was still in its infancy; a version 1 product, you could download for Windows XP, Windows Server 2003 and Windows Vista. When Windows Server 2008 came around in February 2008, PowerShell 1.0 was an optional feature.
Windows Server 2008, however, offered no PowerShell Cmdlets for Active Directory.
Back in those days, the Quest Active Directory Cmdlets made sense.
Today, with the release of Windows Server 2012 R2 and PowerShell 4.0, Microsoft offers 147 PowerShell Cmdlets to manage and deploy Active Directory (growing from 135 available Active Directory-related PowerShell Cmdlets in Windows Server 2012). I haven’t found anything I couldn’t do with them (and the Active Directory drive) that I could do with the Quest Active Directory PowerShell Cmdlets.
These PowerShell Cmdlets are built-in, easily kept up to date through Windows Updates and ServicePacks, and are easily unlockable with a single line of PowerShell code in both Windows (with the RSAT update installed) and Windows Server:
PowerShell History Viewer
However, when you run the above PowerShell line, I also urge you to use the following line:
This enables the Active Directory Administrative Center (dsac.exe). This management tool contains the Active Directory PowerShell History Viewer. You can access it by clicking on the up arrow in the bar called Windows PowerShell History in the right bottom corner of the Active Directory Administrative Center screen. This brings up the Active Directory PowerShell History pane. Now, whenever you perform an action using the drag and drop interface, you see the equivalent PowerShell steps involved in doing so in the PowerShell History Viewer.
The Active Directory PowerShell History Viewer makes it extremely easy to learn the Active Directory PowerShell Cmdlets, by showing the equivalent PowerShell Cmdlets, associated with actions in the Graphical User Interface of the Active Directory Administrative Center.
Whenever I install software on multiple machines in a network environment I remind myself of asking the following question: “Am I introducing the next Java?”.
Oracle Java is a programming language platform that has implementations for almost all Operating Systems (OSs) and in this way allows code to run on all these platforms without recompiling. The Java implementation on Windows has been updated many times since its inception in 1996, but has topped the list of the most vulnerable Windows-based applications many times. No wonder that, in my book, Java is an abbreviation for Just another vulnerability announcement…
Now, when a business is using a Java implementation, it is hard to get rid of Java. Often, the program using Java needs to be rewritten, often multiple programs use Java, programs need different Java versions, etc. … and Java needs to be kept up to date. Monthly. Java gets updated, but updated versions might break the business application, etc.
I’m better off without software like Java on my network. I don’t need the headache.
The same goes for the Quest Active Directory Cmdlets. It’s software running on my Domain Controllers. It needs to be kept up to date. I need to check my scripts against new versions of the Cmdlets before I can update them.
I feel the Quest PowerShell Active Directory Cmdlets are harder to install, harder to maintain and harder to learn than the PowerShell Cmdlets Microsoft ships with Windows Server nowadays.
It’s been a good ride. Quest has shown the way forward. Quest deserved to win prizes with their Cmdlets. Now, let’s move on.
Free PowerShell Commands for Active Directory
How to add Quest AD tools to your native PowerShell
Quest Powershell for Active Directory
Active Directory Administration with Windows PowerShell
In the previous parts of this series, I have shared my tips on travelling to tech conferences, including tips for booking flights and hotels, tips for coping with jetlag, how to convince your boss, and the top tech events to visit.
Today, I’ll share my tips on the gear to pack, besides the Wi-Fi router and power distribution unit (PDU) you’ll need in your hotel room.
Ultimately, with the gear you pack, you’ll need to be able to:
- Take notes during a day packed with interesting tech sessions
- Take pictures of interesting slides with too much information to take notes on (for instance slides with informational tables)
- Take videos of awesome demos
- Keep in touch with the home front
- Keep safe in the hostile networking environments of hotels and conferences
- Find your way to and from the conference and other hotspots
- Keep yourself entertained during flights and rides
- (Optionally) blog your experiences
- (Optionally) present sessions and/or deliver demos
Now, you might already see that one device won’t cut it. Two might:
- A smartphone, equipped with navigation software, music, videos and a way to transfer pictures and videos to and from another device. Also, make sure it has the app for the event installed and kept up to date.
- A laptop/tablet, equipped with a keyboard, a webcam and microphone and your favorite software to keep in touch and blog.
The ‘smartphone’ device
A smartphone device should last for 18 hours when used intensively: from 7AM in the morning when you leave your hotel room to 1AM when you might return to it. Since most smartphones don’t last that long, pack a mobile battery with it. When you use Bluetooth to share information between your phone and other gear, note that this may drain your battery fast, unless the devices are equipped with Bluetooth LE.
Make sure you charge both devices each night in your hotel room.
Most smartphone cameras are incapable of taking photos of information on slides due to the large contrast between the screen and the room. Information will consistently be unreadable. Take a proper camera when this is a big issue for you.
The ‘laptop’ device
A laptop/tablet device should last for 7 hours when used intensively. Depending on your needs, this may include browsing the Internet using WiFi, taking notes, blogging and running virtual machines (VMs).
I use a Dell Precision M4700 as my laptop device. To reach the 7 hours of battery time, it is equipped with a 9-cell (97Wh) primary battery and a click-on 9-cell (97Wh) battery using the docking station connector… but only when I use the following power savings:
- Disable keyboard lighting (Fn + Cursor Right multiple times)
- Disable Screen backlight (Fn + Cursor Down multiple times)
- Disable WiFi and Bluetooth (using the switch on the right side of the device)
If you want to use it for work during an intercontinental flight, you might need to pack more battery power or find yourself a seat on the plane, equipped with a power outlet.
When you merely want to listen to music on a flight without onboard entertainment, you might want to use the smartphone device for that purpose. When you want to watch videos on your own, a laptop device might be overkill and a tablet device like an iPad or Surface may prove more useful.
The ‘demo’ device
When you deliver a session during a tech conference, it’s a good idea to pack a separate demo device.
As a frequent presenter, I carry around a separate demo device, next to the Dell Precision machine and my Surface 2. While my Surface 2 can be used to deliver a PowerPoint-based presentation, it can’t run Virtual Machines. When my Precision M4700 breaks during the trip, the spare demo device could save my behind.
Of course, packing two laptop devices will probably make your carry-on luggage exceed the maximum allowed weight for it, but don’t be tempted to put one of your devices in your checked luggage. It’s a recipe for it to get stolen.
The tech we all love to hate.
New gear for the 2012 release cycle (and beyond)
Tips for Travelling to Tech Conferences, Part 1
Tips for Travelling to Tech Conferences, Part 2
Tips for Travelling to Tech Conferences, Part 3
Tips for Travelling to Tech Conferences, Part 4
Tips for Travelling to Tech Conferences, Part 5
Tips for Travelling to Tech Conferences, Part 6
Tips for Travelling to Tech Conferences, Part 7
Tips for Travelling to Tech Conferences, Part 8
Last month, Microsoft released a KnowledgeBase article for Active Directory Certificate Services running on Windows Server 2008 R2 with Service Pack 1 and Windows Server 2012.
This KnowledgeBase article doesn’t apply to Windows Server 2012 R2, although the same issue exists as in Windows Server 2008 R2 and Windows Server 2012.
When you configure a server running Windows Server 2008 R2 with Service Pack 1 or Windows Server 2012 as a Certification Authority (CA), you have the option to also configure it as an Online Responder.
The Online Responder is installed as the Online Responder Service (OCSP), an additional Server Role feature for the Active Directory Certificate Services (AD CS) Server Role. The Server Role is available in both Server with a GUI and Server Core installations.
The Online Responder is an alternative to Certificate Revocation Lists (CRLs) for checking the status of a certificate issued by a Certification Authority (CA).
When you enable auditing for requests to the Online Responder, it will log event ID 5125 in the Security log of the server running the Online Responder Service.
Enabling auditing for the Online Responder Service
To enable request auditing for the Online Responder, you will need to audit object access on the server level. Perform these steps:
Open the Local Group Policy Editor (gpedit.msc) to edit the local Group Policy for a server running the Online Responder Service, or start the Group Policy Management Console (gpmc.msc) to create a domain-based Group Policy Object (GPO) targeting (an Organizational Unit containing) servers running the Online Responder Service.
Under (Policies,) Computer Configuration, expand Windows Settings, Security Settings, and Local Policies, and then click Audit Policy.
Double-click the Audit object access policy.
Select the Success and Failure check boxes, and click OK.
Then, perform these steps to enable auditing for the Online Responder:
- Open Online Responder Management (ocsp.msc), and select the Online Responder in the left pane.
- Right-click on the Online Responder and select Responder Properties from the Action menu, or click Responder Properties in the Action pane on the right.
- Click the Audit tab.
- Select the Requests submitted to the Online Responder audit option, and then click OK.
By default, Event ID 5125 will contain the following information:
However, this information does not meet the basic requirement of the Common Criteria for Information Technology Security Evaluation. The Common Criteria for Information Technology Security Evaluation is an international standard (ISO/IEC 15408) for computer security certification.
KnowledgeBase article 2891347 contains a hotfix for this issue.
After you install this hotfix, audit event ID 5125 contains the certificate serial number, the issuer CA name, and the revocation status. The logged event resembles the following:
A request was submitted to OCSP Responder Service.
Certificate Serial Number: 61342231000000000007
Issuer CA Name: CN=ocsp-audit-CA, DC=test, DC=mydomain, DC=com
Revocation Status: Good/Revoked/Unknown/Empty String
When you want more useful auditing information on requests submitted to the Online Responder Service on Windows Server 2008 R2 with Service Pack 1 or Windows Server 2012, install this hotfix.
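With the hotfix in place, the three extra fields make event ID 5125 useful for review. The following script, added here as an example and not part of the original post, parses those fields out of the Security log on a server running the Online Responder Service and summarises requests per revocation status; it assumes rights to read the Security log, and the sample message at the bottom is constructed in the post-hotfix format so the parser can be checked offline.

```powershell
# Added example, not the post's own code. Parses post-hotfix (KB 2891347) event ID 5125 entries.
function ConvertFrom-OcspAuditMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Each field sits on its own line, e.g. "Certificate Serial Number: 6134...".
    # Without the hotfix these lines are absent and every field comes back empty.
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*(Certificate Serial Number|Issuer CA Name|Revocation Status):\s*(.*)$') {
            $fields[$Matches[1]] = $Matches[2].Trim()
        }
    }
    [pscustomobject]@{
        SerialNumber     = $fields['Certificate Serial Number']
        IssuerCA         = $fields['Issuer CA Name']
        RevocationStatus = $fields['Revocation Status']
    }
}

function Get-OcspAuditSummary {
    param([int]$MaxEvents = 5000)
    # Reads the most recent 5125 events from the local Security log and flattens them.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5125 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $parsed = ConvertFrom-OcspAuditMessage -Message $_.Message
            [pscustomobject]@{
                TimeCreated      = $_.TimeCreated
                SerialNumber     = $parsed.SerialNumber
                IssuerCA         = $parsed.IssuerCA
                RevocationStatus = $parsed.RevocationStatus
            }
        }
}

# Constructed sample in the post-hotfix format (serial and CA name are made up), offline check.
$sample = @"
A request was submitted to OCSP Responder Service.
Certificate Serial Number: 61342231000000000007
Issuer CA Name: CN=ocsp-audit-CA, DC=test, DC=mydomain, DC=com
Revocation Status: Revoked
"@
ConvertFrom-OcspAuditMessage -Message $sample | Format-List

# On a live Online Responder: requests per status, then every request not answered "Good".
# $audit = Get-OcspAuditSummary
# $audit | Group-Object RevocationStatus | Select-Object Name, Count
# $audit | Where-Object { $_.RevocationStatus -ne 'Good' } | Format-Table -AutoSize
```

A sudden rise in "Unknown" or empty-string answers usually points at a responder that no longer has a current CRL for that issuing CA, which is worth checking before clients start failing revocation checks.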
Related KnowledgeBase articles
2891347 A hotfix is available that records more information in event ID 5125 for an OCSP response in Windows Server 2012 and Windows Server 2008 R2 SP1
Audit Online Responder Operations
AD CS Online Responder Service
Implementing an OCSP responder: Part I - Introducing OCSP
Implementing an OCSP responder: Part II Preparing Certificate Authorities
Implementing an OCSP responder: Part III Configuring OCSP for use with Enterprise CAs
Implementing an OCSP responder: Part IV Configuring OCSP for use with Standalone CAs
Implementing an OCSP Responder: Part V High Availability
Implementing an OCSP Responder: Part VI Configuring Custom OCSP URIs via Group Policy
Today I received an e-mail message titled
“Congratulations 2014 Microsoft MVP!”
This means I’ve been renewed for the fifth time. 2014 will be my sixth consecutive year as a Microsoft Most Valuable Professional (MVP) in the Directory Services area, as I’ve been awarded on January 1, in 2009, 2010, 2011, 2012 and 2013 before.