The things that are better left unspoken

a blog by Sander Berkouwer

Pictures of our BYOD High School session

Earlier today, Raymond and I presented a slightly modified version of our Bring Your Own Device (BYOD) Show to High School students at the Graafschap College in Doetinchem, the Netherlands.

Since we had a blast presenting this topic to the fifty High School students present at the session, and got some great responses on a topic that is nowhere to be found in their school books, I wanted to share the pictures that were taken that day with you on my blog:


Behind door number 1, fifty High School students await our session. Exciting!
As a true (Microsoft Certified) Trainer, Raymond writes our names down.
Yep, that's us! ;-)
Explaining how people in the Netherlands are number 1 in circumventing company policies (photo by Ronald Wassink)
Raymond explaining Workplace Join, his favorite feature in Windows 8.1


Raymond and I would like to thank Ronald Wassink and Arnold Maatman of the Graafschap College for this opportunity.

Raymond and I will be delivering our BYOD Show to High School students

Throughout the past six months, Raymond Comvalius and I have delivered a couple of editions of our Bring-Your-Own Show. We delivered it at my employer, at the Dutch Networking User Group, at Experts Live 2013 and at the 2014 Nordic Infrastructure Conference.

Last week, I was approached by a High School teacher to come and deliver two 1-hour sessions at a local High School.

About our BYO Show

During these two hours, Raymond Comvalius (Windows IT Pro MVP) and I will be sharing our thoughts on Bring Your Own Device (BYOD) Essentials with Windows technologies. We’ll be focusing on the new BYO and Identity capabilities found in Windows 8.1 and Windows Server 2012 R2. As part of the session, Raymond and I will convince the students on the practical use cases of claims-based authentication, multi-factor authentication, the web application proxy, workplace join and work folders. We’ll show them how to open the network infrastructure up to the outside world, but, at the same time, still remain in control.

About the High School

We were invited by Ronald Wassink and Arnold Maatman, the two teachers for the MBO Level 4 ICT Management Year 3 curriculum at the Graafschap College in Doetinchem, the Netherlands.

Personally, I feel honored to contribute to making the education of these ICT Professionals-to-be more future proof by telling them about Bring-Your-Own technologies. Their textbooks don’t contain this information yet, so I feel getting it presented to them by two passionate Microsoft MVPs is the best they could wish for.


Related blogposts

I will be speaking at NGNs and NGIs shared BYO Event 
I’ll be speaking at Experts Live 2013 
I will be speaking at NIC 2014

I’m presenting at the 2014 Delftse Bedrijvendagen

Sometimes, when you work somewhere, you just want to let everyone know what a great place it is to work. I guess you know the feeling, or, alternatively, you know a company you might get that feeling at…

Next week, I get a renewed opportunity to tell people how much fun it is to work at OGD and how they help me to be the best I can be, both in my professional career, and as a father and husband.


About the Delftse Bedrijvendagen

The Delftse Bedrijvendagen is an annual event for students to kick start their careers. It consists of various activities that mark the start of the professional careers of the 2200 students attending this year.

The two ‘presentation days’ are an integral part of the event. During these days, employers have the opportunity to entice soon-to-be Bachelors of Science (BSc) and Masters of Science (MSc) at the Delft University of Technology to come work for them.

The presentation days are hosted at the Aula building of the Delft University of Technology on Tuesday February 18th, 2014 and Wednesday February 19th, 2014.

About my presentation

On February 19th, 2014, my employer has a nice presentation slot, between 1:30 PM and 2:10 PM. My presentation is part of this 40-minute time slot.

First, our CEO, Roel Nikkessen, will give a broad overview of the company and its 26 years of history. Next, I’ll be sharing my view on our core values and how these translate in the current way we work. Of course, I’ll be sharing the way I found my niche within the organization, how I started with blogging and speaking and how these two factors continue to shape my career and the future of OGD.

My part of the presentation is likely to be similar to the presentation I gave at the Dutch Career Event (March 2011). Luckily I’ll be able to update it slightly, since I have advanced my career somewhat since then. ;-)

I’m hosting the Dutch CloudOS MVP Roadshow

Sometimes, when opportunity comes knocking, it’s best to open the door and embrace the person standing in front of you. That’s exactly what I did, when Christian van Woerkom, an Audience Manager from Microsoft Netherlands, called me and asked me if I wanted to organize a Dutch stop for the worldwide CloudOS MVP Roadshow.


About the CloudOS

The CloudOS is Microsoft’s vision on efficient, agile, valuable IT for the modern age. It’s a platform approach, allowing organizations to embrace trends like Bring-Your-Own, Big Data and the Cloud.

Under the hood it features Windows Server 2012 R2, System Center 2012 R2, Windows Azure, SQL Server 2012 R2 and modern apps built with Visual Studio 2013.

You can read more on microsoft.com/cloudOS.

About the CloudOS MVP Roadshow

Who better to explain this vision than Microsoft Most Valuable Professionals (MVPs)?
In contrast to Microsoft employees, Microsoft MVPs are involved in real-world implementations of the above products and technologies and have the space and time to form their own opinion outside of ‘the Microsoft bubble’.

Microsoft MVPs around the world organize events under the CloudOS MVP Roadshow moniker to tell you why they are passionate about the new technologies and products, how Microsoft envisions you can use them and how they and their organizations actually use them.

My Role

Together with Christian van Woerkom, I’m responsible for this event. Together, we’ve created the schedule, contacted the speakers, made sure the speakers are able to prepare their sessions, translated the marketing materials, announced the event, overseen the registration, and covered the budget. (Actually, Christian took care of that last item completely.)


Dutch CloudOS MVP Roadshow

We’re organizing the Dutch CloudOS MVP Roadshow on March 7, 2014 at the Auditorium at Microsoft Netherlands in Schiphol, the Netherlands.

Schedule

We’re starting off with an introduction by Isabel Moll, the Product Marketing Manager Datacenter and Cloud for Microsoft Netherlands. The schedule contains eight sessions by six MVPs:

08h30 – 09h00 Walk-in
09h00 – 09h15 Introduction to the CloudOS (Isabel Moll)
09h15 – 10h00 Extend your datacenter with virtualization and networking (Marc van Eijk)
10h00 – 10h45 Ensure business continuity and service delivery (James van den Berg)
10h45 – 11h00 Coffee break 
11h00 – 11h45 Unlocking Data Insights (André Kamman)
11h45 – 12h30 The Modern Data Warehouse (André Kamman)
12h30 – 13h15 Lunch break
13h15 – 14h00 Access and information Protection (Raymond Comvalius)
14h00 – 14h45 Unified Device Management (Maarten Goet)
14h45 – 15h00 Coffee break
15h00 – 15h45 Enable modern business apps (Tom Verhoeff)
15h45 – 16h30 Why cloud matters for modern business applications (Tom Verhoeff)
16h30 – 17h00 wrap-up & Drinks

Although the slide decks will be in English, all sessions will be delivered in Dutch.

Audience

This event is aimed at IT Managers and Technical Decision Makers (TDMs) at organizations with 100 to 350 seats.

Registration

You can find out more on this event and, of course, register for this event at aka.ms/MVPCloudOSNL.

I hope to see you there! :-)

A first look at Windows 8.1 Update 1 (build 9600.16596)

Last night, during SuperBowl XLVIII, a version of Windows 8.1 Update 1 was, inadvertently, released to the web. While this release focuses on the integration between Windows Phone and Windows for the desktop, laptop and tablet, it also features a slew of User Interface (UI) improvements for those still on the fence on The New Interface (previously referred to as ‘Metro’).

Note:
The information and screenshots below are part of build 9600.16596 as installed with the 9600.16596.WINBLUES14_GDR_LEAN.140114-0237_X64FRE_CLIENT_EN-US-IR3_CCSA_X64FRE_EN-US_DV5.iso media. By no means do they imply the implementation or inclusion of these features in the final release of Windows 8.1 Update 1.

I’ve had some time to look into this build on non-touchscreen enabled devices.
Here’s my view on it:


Start Screen improvements

A lot of people I talk to are still on the fence on The New Interface and its Start Screen, which was introduced with Windows 8. Most of these people use non-touchscreen enabled devices. While Windows 8.1 introduced a couple of tweaks that might help IT departments with the user adoption of their deployments, inefficiencies obviously remained.

So, let’s look at the Start Screen in Windows 8.1 Update 1:

The Start Screen in Windows 8.1 Update 1 build 9600.16596

Windows 8.1 Update 1 offers four Start Screen improvements for point and click aficionados. Two of these changes are visible right off the bat:

  1. Shutdown icon on the Start Screen
    When you left-click the Shutdown icon in the top right corner of the Start Screen, a context menu appears with two options: Shut Down and Restart. When you right-click it, nothing happens.
       
  2. Search icon on the Start Screen
    When you left-click the Search icon in the top right corner of the Start Screen, the Search menu appears, just like when you start typing on the Start Screen, when you press Win + S or when you open the Charms Bar and select Search from it.

The third and fourth improvements only become available after you right-click on the Start Screen. When you right-click, instead of showing the App bar at the bottom of the Start Screen, which you needed to reach with your mouse each time, you now get presented with a context menu:

Context Menus for Tiles on the Start Screen in Windows 8.1 Update 1

While the majority of the options in the context menu were available in Windows 8 and Windows 8.1, the Pin to taskbar and Unpin from taskbar are new to Modern Apps.

Note:
The Windows Store App was pinned to the Desktop Taskbar, by default.

When you select multiple apps, the Clear selection option is also available from the context menu. It seems the App bar for the Start Screen is gone in Windows 8.1 Update 1.


Modern App improvements

Throughout The New Interface, the Windows team also made some tweaks. For every Modern App, there’s now a Title bar, displaying the app’s icon, its title and a close button when you move your mouse pointer towards the top of the Modern App:

The Title Bar for a snapped Modern App in Windows 8.1 Update 1 build 9600.16596

You can pick the app up by its Title bar and snap it (like in the above screenshot). When you pull it down or when you click the x in the top right corner, it will close the app as it would in Windows 8.1.

Note:
As with Windows 8.1, the close button does not end the app, but merely closes it. It still shows in the Task Manager. It will not show up when you use Alt + Tab to switch between apps, though.


Desktop improvements

As we’ve already seen in the Start Screen improvements, you can now pin Modern Apps to the taskbar on the Desktop. By default, the Store App is pinned to the taskbar:

Unpinning a Modern App on the Desktop of Windows 8.1 Update 1

You can pin and unpin Modern Apps to the Desktop Taskbar through the Start Screen, and you can unpin them when you’re on the Desktop by right-clicking them. This feature blurs the line between The New Interface and the Desktop. I think, as a desktop guy or girl, you’ll love this, since it helps you start an App without going through the Start Screen first.

Rumors on Microsoft adding the Control Panel link to the Desktop Settings in the Charm bar, however, are a bit strange. The Control Panel link is already present in Windows 8.1 with the same functionality (linking to the desktop-style Control Panel). You don’t need Update 1 for that…


Further improvements

Looking at Internet Explorer, we see an updated version (11.0.3) in the About Internet Explorer screen, whereas a fully updated Windows 8.1 installation would display version 11.0.2. Internet Explorer in Windows 8.1 Update 1 is rumored to have an Enterprise Mode, but besides information from Rafael Rivera and Russian website pcportal.org.ru, not much is available on this.

The Control Panel in The New Interface has also seen a few new additions, including a nice feature, for me personally as a Directory Services MVP: You can now join the device to an Active Directory Domain through The New Interface Control Panel:

The PC and Devices section in the Control Panel for The New Interface with the Join a Domain option

To use this feature, start the Charms Bar by swiping into the screen from the right, by moving the mouse in the top right corner of the screen and then down, or by pressing Win + C. From the Charms Bar, select Settings and then Change PC Settings. In the left pane, select PC and Devices and then PC Info. The button to Join a domain is new.


Concluding

Windows 8.1 Update 1 doesn’t make Modern Apps on non-touch enabled devices as intuitive (and windowable) as Desktop Apps, but the Windows team is moving towards ‘fixing’ the issues desktop users have with the Start Screen and Modern Apps.

Further reading

Microsoft forges ahead toward Windows 8.1 Update 1   
No news about Windows 9   
Leaked Windows 8.1 Update 1 screen shots point to more tweaks to aid desktop users    
Windows 8.1 Update 1 due March 11th? 
Microsoft's Windows 8.1 Update 1: Rumored release target is March 11  
Windows 8.1 Update 1 reportedly arriving in March      
Need to Know: Windows 8.1 Update 1 and Windows Phone 8.1  
Microsoft to hide Metro start screen with Windows 8.1 Update 1? 
Windows 8.1 Update 1 leaks on the web ahead of its March release    
Coming soon: Internet Explorer Enterprise Mode  
Internet Explorer in Windows 8.1 Update 1 will get an "Enterprise Mode"

I will be speaking at the 2014 NL VMUG Event

There are many organizations with the ‘VMUG’ initials. I’ve presented sessions to the UK VMUG, which stands for Virtual Machine User Group.

In the Netherlands, VMUG stands for VMware User Group. This organization hosts their annual meeting on March 6th, 2014 in Den Bosch and I will be there too, to present a session.


About NL VMUG

The Dutch VMware User Group (NL VMUG) is governed by the VMUG Customer Council and is officially associated with VMware User Group International (vmug.com).

NL VMUG supports and inspires the VMware community in the Netherlands, through regular meetings with the opportunities to share best practices and experiences.


About the 2014 NL VMUG Event

On March 6th, 2014, NL VMUG organizes its annual meeting at Conference center 1931 in Den Bosch, the Netherlands. During the meeting you may benefit from presentations, workshops, bootcamps, lunch and drinks (afterwards).

The entrance fee is set at 49,00 (excluding 21% VAT), but if that doesn’t hold you back, and you’re a VMware customer or VMware partner, then please register here (Dutch).

About my session

My session, titled ‘Virtualization-safe Active Directory & VM-GenerationID’ is a 45-minute session on Active Directory Domain Services in Windows Server 2012 and Windows Server 2012 R2. Specifically, I will be explaining and demoing the way Active Directory Domain Services leverage Virtual Machine Generation Identifier in VMware vSphere to prevent problems commonly associated with reverting snapshots, like USN Rollbacks and Lingering Objects, and how organizations benefit when deploying Windows Server 2012 and Windows Server 2012 R2-based Domain Controllers virtually.

My session is planned for the last timeslot of the event, between 4:45 PM and 5:30 PM.


Related blogposts

New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory
New features in AD DS in Windows Server 2012, Part 13: Domain Controller Cloning

I’m still an ADPrep kinda guy

In Windows Server 2012, Microsoft introduced the new streamlined Active Directory Domain Services Configuration Wizard, that in most Microsoft documentation is labeled the successor to dcpromo.exe. I’m a big fan of the new wizard, but there’s one feature I don’t use: the automatic Active Directory preparation steps it can perform for you to update the schema to accommodate new Domain Controllers. I still use adprep.exe.

Here’s why.


It has a default time-out

One of my biggest gripes with the automatic preparation feature is the way it checks whether it can continue to promote the server to a Domain Controller. For this, the Active Directory preparation needs to have replicated throughout the Active Directory domain. If you use time restrictions on Active Directory replication or a lag site in the domain, the replication of the schema updates takes longer to complete than the wizard expects, and it will time out.

When you reach this time out, you will need to prepare the Active Directory domain manually.


It doesn’t support strict delegation

Preparing the Active Directory domain and Active Directory forest requires specific administrative privileges. In environments with decentralized management, these administrative privileges may be assigned to different people.

This way, an administrator in a domain has control over the Active Directory capabilities defined by the Domain Functional Level (DFL) and the Domain Controllers (s)he is capable of deploying and maintaining.

Note:
Deploying Windows Server 2012 Domain Controllers requires the Windows Server 2003 Domain Functional Level.

Arguably, the delegated administrator doesn’t have much to say anyway. Since the Active Directory schema is maintained centrally, this is the one place of management.

When the administrative privileges have been separated, a Domain Admin in a domain cannot use the automatic Active Directory preparation feature in the Active Directory Domain Services Configuration Wizard, because (s)he doesn’t have the privileges to perform a forest-wide preparation.

It doesn’t perform all preparations

As detailed in KnowledgeBase article 2737129, the automatic preparation feature does not perform the Group Policy Preparation step. This is to prevent needless resets of administrator-set specific delegation permissions on the System Volume (SYSVOL).

When you need the Active Directory environment prepared for cross domain planning functionality for Group Policy and RSOP Planning Mode, you will need to prepare the Active Directory domain manually, but only if your Active Directory domain has ever run on Windows 2000 Server-based Domain Controllers.


Not every promotion method works

There are three methods to promote a server to a Domain Controller after installation:

  1. The Active Directory Domain Services Configuration Wizard
  2. The Install-ADDSDomainController Windows PowerShell Cmdlet
  3. Dcpromo.exe with an answer file.

First off, the Active Directory Domain Services Configuration Wizard is only available on ‘Server with a GUI’ installations. On Server Core installations, only the latter two methods to promote a server to a Domain Controller are available.

Choosing dcpromo.exe with an answer file to promote a server to a Domain Controller, you’ll find yourself confronted with the following error:

To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep /forestprep". The Adprep utility is available on the Windows Server 2012 installation media in the \support\adprep folder.

Using the Install-ADDSDomainController Windows PowerShell Cmdlet, however, will trigger the automatic Active Directory preparation.

Note:
The Install-ADDSDomainController Windows PowerShell Cmdlet is only available after you install the Active Directory Domain Services Server Role, since it’s part of the ADDSDeployment module.
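The three gripes above (the replication time-out, strict delegation and the skipped gpprep step) all disappear when the preparation and the promotion are two separate, verifiable steps. The script below is an added example, not code from the original post: step A is the manual adprep run by a Schema/Enterprise Admin, step B is run later by the delegated Domain Admin and checks that the preparation has actually replicated to the intended replication partner before promoting. Assumptions: the Windows Server 2012 media is mounted as D:, the domain is corp.example, the partner DC is dc01.corp.example, and the expected values (schema objectVersion 56, forest update revision 11, domain update revision 9) are the Windows Server 2012 values as I know them; adjust them for other versions.

```powershell
# Added example, not from the original post. Assumed names: D:, corp.example,
# dc01.corp.example, CORP\delegated-admin.

# ---- Step A: run by a member of Schema Admins and Enterprise Admins ----
# (typically on the Schema Master; /gpprep is the step the wizard never runs)
$adprep = 'D:\support\adprep\adprep.exe'   # placeholder path to the installation media
& $adprep /forestprep
& $adprep /domainprep /gpprep
& $adprep /rodcprep                        # only needed if you plan to deploy RODCs

# ---- Step B: run by the delegated Domain Admin on the server to promote ----
function Test-AdPrepReplicated {
    param(
        [string]$Server,                     # DC to check, e.g. the intended replication partner
        [int]$ExpectedSchemaVersion  = 56,   # Windows Server 2012 values (as I know them)
        [int]$ExpectedForestRevision = 11,
        [int]$ExpectedDomainRevision = 9
    )
    $prefix  = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse = [ADSI]"${prefix}RootDSE"

    # Each adprep step records its progress in a well-known object
    $schema    = [ADSI]"${prefix}$($rootDse.schemaNamingContext)"
    $forestUpd = [ADSI]"${prefix}CN=ActiveDirectoryUpdate,CN=ForestUpdates,$($rootDse.configurationNamingContext)"
    $domainUpd = [ADSI]"${prefix}CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$($rootDse.defaultNamingContext)"

    # A missing object (never prepared beyond Windows Server 2003) reads as revision 0
    $readInt = { param($obj, $attr) try { [int]$obj.Properties[$attr].Value } catch { 0 } }

    $state = [pscustomobject]@{
        Server         = [string]$rootDse.dnsHostName.Value
        SchemaVersion  = & $readInt $schema    'objectVersion'
        ForestRevision = & $readInt $forestUpd 'revision'
        DomainRevision = & $readInt $domainUpd 'revision'
    }
    $ready = ($state.SchemaVersion  -ge $ExpectedSchemaVersion) -and
             ($state.ForestRevision -ge $ExpectedForestRevision) -and
             ($state.DomainRevision -ge $ExpectedDomainRevision)
    $state | Add-Member -MemberType NoteProperty -Name Ready -Value $ready -PassThru
}

$state = Test-AdPrepReplicated -Server 'dc01.corp.example'
if (-not $state.Ready) {
    # Stop here instead of letting the wizard time out: wait for replication (or the lag site)
    throw "adprep has not replicated to $($state.Server) yet (schema $($state.SchemaVersion), forest rev $($state.ForestRevision), domain rev $($state.DomainRevision))"
}

# The forest and domain are already prepared, so the cmdlet has nothing to prepare
# and the delegated Domain Admin's credentials are sufficient
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
Install-ADDSDomainController `
    -DomainName 'corp.example' `
    -Credential (Get-Credential 'CORP\delegated-admin') `
    -ReplicationSourceDC 'dc01.corp.example' `
    -SiteName 'Default-First-Site-Name' `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -NoRebootOnCompletion
```

Pointing Test-AdPrepReplicated at the DC you name in -ReplicationSourceDC is what makes the check meaningful: the wizard's own time-out is a blind wait, whereas this reads the revision counters on the exact DC the new Domain Controller will replicate from.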


Replication could result in Denial of Service

In really large environments, admins would want to replicate the Active Directory schema updates separately throughout the environment. Marking an attribute as indexable in the Active Directory schema for such an environment might result in all Active Directory Domain Controllers building the index for the attribute at the same time, using up CPU cycles. You could perform a Denial of Service on your own Domain Controllers this way.

Windows Server 2012 does offer the Deferred Index Creation feature to avoid this situation, but it won’t be available to you when you are migrating to Windows Server 2012 Domain Controllers; it only becomes available when you migrate from Windows Server 2012 Domain Controllers onwards. Plus, you need to enable Deferred Index Creation manually. It’s not enabled by default.

Concluding

The automatic Active Directory preparation steps the Active Directory Domain Services Configuration Wizard can perform for you to update the schema to accommodate new Domain Controllers are designed for small environments. They are perfect for environments with a couple of Domain Controllers in a single Active Directory site, in a single Active Directory domain, in a single Active Directory forest.

Related blogposts

KnowledgeBase: Gpprep is not performed when you automatically prepare
KnowledgeBase: Adprep "not a valid Win32 application" error on Windows Server 2003 x64
KnowledgeBase: "The system cannot find the file specified" Adprep /gpprep error
Transitioning your Windows Server 2003 Domain Controllers to Windows Server 2012 
New features in AD DS in Windows Server 2012, Part 3: New Upgrade Process

Transitioning your Windows Server 2003 Domain Controllers to Windows Server 2012

Your organization might still be running their Active Directory Domain Services on top of Windows Server 2003-based Domain Controllers. You might be looking to replace these servers with Windows Server 2012-based Domain Controllers, either to utilize the new features, make the most out of your virtualization project or to simply do away with the aging technology that is soon out of support.

In this blogpost, I’ll walk you through the steps required to replace your aging Windows Server 2003 (R2) Domain Controllers with spanking new Windows Server 2012 Domain Controllers, while keeping your Active Directory running smoothly. This process is called transitioning your Active Directory.


Table of contents

  • Ways to migrate Active Directory
  • Reasons to transition
  • Steps to transition
    1. Before you begin
    2. First steps
    3. Prepare your Active Directory environment
    4. Install the first Windows Server 2012 Domain Controller
    5. Install additional Domain Controllers
    6. Take care of FSMO roles and Global Catalog placement
    7. Demote your old Domain Controllers
    8. Raise the domain and forest functional levels
    9. Enable Active Directory Optional Features
    10. Run the Active Directory Best Practices analyzer
  • Concluding


Ways to migrate

In general, you can migrate your Active Directory environment to a next version in three distinct ways:

  1. Transitioning
  2. Restructuring
  3. In-place upgrading

However, migrating your Windows Server 2003 (R2) Active Directory environment to Windows Server 2012 can only be done in two ways:

  • Transitioning
    Migrating this way means adding Windows Server 2012 Domain Controllers to your existing Active Directory environment. After successfully moving the Flexible Single Master Operations (FSMO) roles you can simply demote the previous Domain Controllers, remove them from the domain and throw them out of the window.  
      
  • Restructuring
    A second way to go from Windows Server 2003 (R2) Domain Controllers to Windows Server 2012 Domain Controllers is restructuring your Active Directory environment. This involves moving all your resources from one (Windows Server 2003) domain to a new and fresh (Windows Server 2012) domain (with at least one Windows Server 2008 R2 Domain Controller) with the Active Directory Migration Tool (ADMT).

The third option to migrate, in-place upgrading, is not supported. 32-bit versions of Windows Server 2003 and Windows Server 2003 R2 cannot be upgraded in-place, because Windows Server 2012 is only available as a 64-bit Operating System (OS). Cross-architecture upgrades are not supported. Also, I don’t consider in-place upgrading an x64 version of Windows Server 2003 (R2) to Windows Server 2008 (R2) and then to Windows Server 2012 a valid upgrade option, since you would be chaining migrations. This practice might introduce errors that pile up towards the end of your migration.

Reasons to transition

Restructuring means filling a new Active Directory from scratch, while transitioning means you get to keep your current Active Directory lay-out, contents, group policies and schema. Transitioning also means moving to new machines, which can be dimensioned to last another three to five years without trouble.

Transitioning is good when:

  • You worked hard to get your Active Directory in the shape it's in.
  • Your current Windows Server 2003-based Domain Controllers are faced with aging.
  • In-place upgrading leaves you with an undesired outcome
    (for instance Server Core or Enterprise edition Domain Controllers)
  • You need a chance to place your Active Directory files on different partitions/volumes.

When done right, your colleagues might not even suspect a thing! The downside is you need to know exactly what you're doing, because things can go wrong pretty fast. That's why I wrote this post.

Steps to transition

1. Before you begin

1.1 Avoid common mistakes

There is a very good Microsoft Knowledge Base article on Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain, written by community experts.  I suggest you read it (twice). Most of the contents also apply to transitioning to Windows Server 2012.

1.2 Plan your server lifecycle

It's not uncommon for a Domain Controller to sit on your network for a period of five years. I believe you should keep this in mind when selecting and buying a server. You should plan your partitions (or volumes) carefully and place the Active Directory files on separate volumes when your needs justify it. The Windows Server catalog helps you pick systems that will run Windows Server 2012 with ease.

1.3 Assess your readiness

Microsoft has kindly provided a tool to scan systems to assess whether systems are capable of running Windows Server 2012, whether drivers are available (either from Microsoft update or on the installation media) and what problems you might encounter when deploying Windows Server 2012. I recommend checking your systems with this tool, which is called the Microsoft Assessment and Planning Solution Accelerator (MAP for short).

1.4 Map out your 64bit transition

Since Windows Server 2012 is only available in 64bit flavors, you’ll need to make sure every aspect of your Active Directory Domain Controller implementation is 64bit ready. The MAP tool will not sort everything out for you, so you will have to dive into stuff like anti-malware, backup, software for uninterruptible power supplies, monitoring, systems management, time synchronization and your licensing (VAMT/ MAK / KMS) solution.

1.5 Review the considerations for upgrading

Active Directory Domain Services in Windows Server 2012 breaks some functionality present in previous versions of Active Directory. For instance, NT 4.0 compatible encryption is off by default on Windows Server 2012 Domain Controllers. Review these considerations and determine whether they are show stoppers in your environment.

1.6 Backups

Make backups of all your Domain Controllers and verify you can restore these backups when needed.

1.7 Documentation

It is a good thing to know exactly what you're migrating. When things go wrong you might need to be able to revert back to the old situation.

The transitioning steps might require the Directory Services Restore Mode (DSRM) password and credentials for service accounts, which might not be written down anywhere. In multiple Domain Controller, multiple domain, multiple forest and multiple sites scenarios it's very wise to make a table containing the relevant information per Domain Controller in terms of Flexible Single Master Operations (FSMO) roles, Global Catalog placement, domain membership, site membership, replication topology, routing tables, IP addressing, etc.

1.8 Communications

When done right your colleagues might not even suspect a thing, but it's important to shed some light on what you're doing. (Make someone) communicate to the end users that you're going to mess with the core of their infrastructure. This might result in colleagues understanding you're (really) busy and might also result in problems being reported fast. Both are good things if you'd ask me...


2. First steps

2.1 Install the Support Tools

During the transitioning, you’ll need some tools that are not native to Windows Server 2003 Domain Controllers. Luckily, for the 32-bit version of Windows Server 2003 and Windows Server 2003 R2, they are part of the free Windows Server 2003 Service Pack 2 32-bit Support Tools.

Note:
To install these tools, like replmon.exe and repadmin.exe, the Windows Server 2003-based Domain Controller on which you install them needs to run at least Service Pack 2. After you install the Support Tools, reboot and reapply the latest Service Pack for Windows Server 2003 again.

Installation is simple:

  1. Download both the support.cab and support.msi file for the Windows Server 2003 Service Pack 2 32-bit Support Tools and place them in one folder.
  2. Double-click support.msi.
        
    Welcome to the Windows Support Tools Setup Wizard
        
  3. Click Next > in the Welcome to the Windows Support Tools Setup Wizard screen.
  4. Select the I Agree radio button in the End User License Agreement screen and then click Next >.
  5. Click Next > in the User Information screen to accept the default Name: and Organization: fields (or change them first, if you want to).
  6. Click the Install Now button in the Destination Directory screen if you’re fine with the default location to install the Support Tools into (C:\Program Files\Support Tools) or change the location first. 
         
         Note:
         The Support Tools require 24 MB of free space.
        
  7. Click Finish in the Completing the Windows Support Tools Setup Wizard to close the wizard.


2.2 Check for proper replication

Since we’re applying big changes to our Active Directory infrastructure, we need to check forest-wide replication, before we can change anything. We’re going to rely on replication to replicate changes in the configuration to all Domain Controllers in the Active Directory forest, so let’s see if it’s trustworthy. Since we’re going to have to say goodbye to replmon.exe in our new environment, anyway, why not fire up repadmin.exe to this purpose?

  1. In the Start Menu on a Domain Controller, go to All Programs, then Windows Support Tools and click on Command Prompt.
  2. Type the following command:
      
         repadmin.exe /replsummary
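Reading the /replsummary table by eye works for a handful of Domain Controllers, but a script makes the go/no-go decision explicit. The following PowerShell is an added example, not code from the original post: it parses the output of repadmin.exe /replsummary (live, or the constructed sample embedded below) and refuses to give a clean bill of health while any source or destination DSA reports failures. The parsing assumes the column layout of the sample; the DC names and the 8453 error in it are made up.

```powershell
# Added example: parse "repadmin.exe /replsummary" and flag DSAs with failures.
# The regex assumes the table layout shown in the constructed sample below.
function Get-ReplSummaryStatus {
    param(
        # Output of "repadmin.exe /replsummary"; defaults to running it live
        [string[]]$Lines = (& repadmin.exe /replsummary 2>&1)
    )
    # dsa, largest delta (may contain a space, e.g. ">60 days"), fails/total, %, error text
    $pattern = '^\s*(?<dsa>\S+)\s+(?<delta>.+?)\s+(?<fails>\d+)\s*/\s*(?<total>\d+)\s+(?<pct>\d+)\s*(?<error>.*)$'
    $section = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(Source|Destination) DSA') { $section = $Matches[1]; continue }
        if ($section -and $line -match $pattern) {
            [pscustomobject]@{
                Role         = $section
                DSA          = $Matches['dsa']
                LargestDelta = $Matches['delta']
                Fails        = [int]$Matches['fails']
                Total        = [int]$Matches['total']
                Error        = $Matches['error'].Trim()
            }
        }
    }
}

# Constructed sample output so the parser can be tried without a domain
$sample = @'
Replication Summary Start Time: 2013-03-01 10:00:00

Source DSA          largest delta    fails/total %%   error
 DC01                      15m:02s    0 /   5    0
 DC02                      12m:45s    1 /   5   20  (8453) Replication access was denied.

Destination DSA     largest delta    fails/total %%   error
 DC01                      12m:45s    1 /   5   20  (8453) Replication access was denied.
 DC02                      15m:02s    0 /   5    0
'@ -split "`r?`n"

$results = Get-ReplSummaryStatus -Lines $sample     # drop -Lines to query the real forest
$results | Format-Table -AutoSize

$broken = $results | Where-Object { $_.Fails -gt 0 }
if ($broken) {
    Write-Warning 'Do not continue the transition until these partners replicate cleanly:'
    $broken | ForEach-Object {
        Write-Warning ("  {0} {1}: {2}/{3} failed {4}" -f $_.Role, $_.DSA, $_.Fails, $_.Total, $_.Error)
    }
} else {
    'Replication summary is clean on all DSAs.'
}
```

Run it from the Windows Support Tools Command Prompt on a Windows Server 2003 Domain Controller with PowerShell installed, or from a workstation where repadmin.exe is on the path. A non-zero fails count anywhere in the table is the signal to stop and troubleshoot before touching the schema.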
       
         

3. Prepare your environment

Before you can begin to introduce the first Windows Server 2012 Domain Controller into your existing Active Directory environment, you first have to prepare the Active Directory.

3.1 Raise the domain and forest functional levels

To introduce Windows Server 2012-based Domain Controllers, the Active Directory forest needs to run the Windows Server 2003 Forest Functional Level (FFL). In an environment where the forest functional level is Windows Server 2003, the Domain Functional Level of all domains in the forest needs to be Windows Server 2003 (not Windows Server 2003 interim) or higher.

Note:
Although you won’t run into problems when preparing the schema in an Active Directory environment running Windows 2000 domain functional level (DFL) and Windows 2000 forest functional level (FFL), you can’t actually install a Windows Server 2012-based Domain Controller in it.

So, before you can transition the Active Directory infrastructure to Windows Server 2012, you will need to get rid of all the Windows 2000 Server-based Domain Controllers, Windows NT4 Server-based Primary Domain Controllers and Windows NT4 Server-based Backup Domain Controllers.

In an Active Directory forest containing one Active Directory domain, perform these actions on a Domain Controller:

  1. Log on with an account that is a member of the Enterprise Admins group.
  2. Start the Active Directory Domains and Trusts MMC snap-in (domain.msc).
  3. In the left pane, right-click Active Directory Domains and Trusts, (above the domain name) and from the context menu, select Raise Forest Functional Level…
        
    Raise Forest Functional Level (click for original screenshot)
        
  4. If the Current forest functional level: states Windows 2000, click Save As to generate a detailed report (else click OK and skip to 3.2 Update the Schema).
  5. Click Save to accept the default location (the domain name, appended with -log.csv, in the My Documents folder for the logged on user account).
  6. Browse to the location where you saved the log, and open it.
  7. The log contains two sections of interest for our migration:
    1. The lines below The following domains include domain controllers that are running earlier versions of Windows: contain Domain Controllers that are not running Windows Server 2003. These Domain Controllers do not have msds-behavior-version set to the desired target level. These are assumed to be either Windows 2000 Server domain controllers or newer Windows Server domain controller objects that are damaged.
         
      Note:
      If earlier version Domain Controllers or Domain Controllers that have damaged or missing computer objects were found, they are included in the report. The status of these Domain Controllers must be investigated, and the Domain Controller representation in Active Directory must be repaired or removed by using ntdsutil.exe.
          
    2. The lines below The following domains must be updated to a domain functional level of Windows 2000 native or Windows Server 2003: contain the Active Directory Domains we need to upgrade.
          
  8. Now, switch back to the Active Directory Domains and Trusts MMC snap-in (domain.msc).
  9. In an Active Directory forest, containing multiple Active Directory domains, perform the actions on one of the Domain Controllers in each of the Active Directory domains in the forest. Start with the Active Directory domain that is the root domain in the forest.
        
    Right-click the first domain in the domain list in the left pane that was mentioned in the detailed log file. Select Raise Domain Functional Level… from the context menu.  
        
    Raise Domain Functional Level (click for original screenshot)
        
  10. From the Select an available domain functional level: drop-down list, select Windows Server 2003. Then, press Raise.
  11. In the This change affects the entire domain. After you raise the domain functional level, it cannot be reversed. warning message, click OK.
  12. After a short while, you’ll see the The functional level was raised successfully. The new functional level will now replicate to each domain controller in the domain. The amount of time this will take varies, depending on your replication topology. informational message. Click OK.
  13. Repeat steps 9 to 12 for each Active Directory domain mentioned in the detailed log. To track your progress, you might want to run a detailed log after raising each domain's functional level.
  14. When you’ve successfully raised all Active Directory domains in the Active Directory forest, the option to raise the Forest Functional Level becomes available. In the left pane, right-click Active Directory Domains and Trusts, (above the domain name) and from the context menu, select Raise Forest Functional Level…
        
    Raise Forest Functional Level (click for original screenshot)
        
  15. Click Raise.
  16. In the This change affects the entire forest. After you raise the forest functional level, it cannot be reversed. warning message, click OK.
  17. After a short while, you’ll see the The functional level was raised successfully. The new functional level will now replicate to each domain controller in the forest. The amount of time this will take varies, depending on your replication topology. informational message. Click OK.

Tip!
One of the new features of the Windows Server 2003 Domain Functional Level (DFL) is the ability to redirect User objects and Computer objects to newly created well-known locations. Take advantage of this goodie right away!
    
Tip!
You do not, necessarily, need to wait for replication of the functional level raise actions, since updating the schema can be performed while your domains and forest are still in the Windows 2000 functional level. (You can’t install your first Windows Server 2012-based Domain Controller though.)
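Before clicking through the Raise Forest Functional Level dialog, it helps to have the same inventory the detailed log gives you in a form you can re-run after every raise. The PowerShell below is an added example, not part of the original post. It deliberately uses the .NET System.DirectoryServices.ActiveDirectory classes (plain LDAP) rather than the Active Directory module, because Windows Server 2003 Domain Controllers do not run Active Directory Web Services; run it from any domain-joined Windows 8 workstation or Windows Server 2012 member server as a user who can read the directory. The OS string matching is an assumption based on the operatingSystem attribute values Windows writes.

```powershell
# Added example: inventory functional levels and Domain Controller OS versions
# before raising anything. Works against Windows Server 2003 DCs (LDAP only).
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Forest {0}: functional level {1}" -f $forest.Name, $forest.ForestMode

$report = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        [pscustomobject]@{
            Domain     = $domain.Name
            DomainMode = $domain.DomainMode
            DC         = $dc.Name
            Site       = $dc.SiteName
            OS         = $dc.OSVersion   # from the computer object's operatingSystem attribute
        }
    }
}
$report | Sort-Object Domain, DC | Format-Table -AutoSize

# Anything older than Windows Server 2003 blocks the first Windows Server 2012 DC
$blockers = $report | Where-Object { $_.OS -match 'Windows 2000|Windows NT' }
if ($blockers) {
    Write-Warning 'Remove or replace these Domain Controllers before continuing:'
    $blockers | Format-Table Domain, DC, OS -AutoSize | Out-String | Write-Warning
}

# Windows Server 2003 interim does not count; these are the acceptable domain modes
$acceptable = 'Windows2003Domain', 'Windows2008Domain', 'Windows2008R2Domain',
              'Windows2012Domain', 'Windows2012R2Domain'
$forest.Domains |
    Where-Object { $acceptable -notcontains $_.DomainMode.ToString() } |
    ForEach-Object {
        Write-Warning ("Raise the domain functional level of {0} (currently {1})" -f $_.Name, $_.DomainMode)
    }
```

Because the raise replicates asynchronously, the DomainMode read from whichever Domain Controller answered may lag for a while; re-run the script after replication (section 2.2) rather than immediately after clicking Raise.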

3.2 Update the schema

With the Domain Functional Level and Forest Functional Level upgraded, we can prepare the Active Directory schema. Microsoft provides adprep.exe, but running adprep.exe on a Windows Server 2003 x64 server results in a ‘not a valid Win32 application’ error. Running it on a 32-bit Windows Server 2003 edition results in the following error:

Adprep architecture error (click for original screenshot)

This leaves you with two options:

  1. Perform adprep.exe from a Windows Server 2012-based server with the Active Directory Domain Services installed, after you make sure DNS Name resolution works flawlessly.
  2. Perform adprep.exe from a workstation with Windows 8 x64, after you make sure DNS Name resolution works flawlessly.

Perform these steps on the Windows 8 workstation or Windows Server 2012-based server:

  1. On this installation copy the entire contents of the \support\adprep folder from the Windows Server 2012 DVD to a folder on the local hard disk.
  2. Install the PortQry tool version 2.0 on the machine. Unpack the installer.
  3. Check for proper name resolution and network connectivity with the following commands:

          nslookup domain.tld

     Based on the output of this command, target the IP address(es) returned using the following commands:

          portqry.exe -n ReturnedIPAddress -p udp -e 389

          portqry.exe -n ReturnedIPAddress -p udp -e 135

  4. Run the following commands:

    1. adprep.exe /forestprep /forest domain.tld /user EntAdm /userdomain domain.tld /password Passw0rd

       Press C followed by Enter to perform the forest preparation.

       The message Adprep successfully updated the forest-wide information. indicates successful preparation.

    2. adprep.exe /rodcprep /forest domain.tld /user EntAdm /userdomain domain.tld /password Passw0rd

       The message Rodcprep completed without errors. All partitions are updated. See the ADPrep.log in directory C:\Windows\debug\adprep\logs\ for more information. indicates successful preparation.

    3. adprep.exe /domainprep /gpprep /domain domain.tld /user DomAdm /userdomain domain.tld /password P@ssw0rd

       The line with Adprep successfully updated the domain-wide information. indicates successful preparation of the domain. Adprep successfully updated the Group Policy Object (GPO) information. indicates successful preparation of the cross-domain planning functionality for Group Policy and RSOP Planning Mode.

       Note:
       Perform the last command for each Active Directory domain in the forest.


After preparing your Active Directory for Windows Server 2012 be sure to check the process. Breadcrumbs to failures may be found in the event viewer, but real men will check the adprep.log files.

3.3 Check proper replication of the schema preparation

Allow sufficient time for proper replication to all Domain Controllers. (In large environments with specific replication needs this might take hours.) When you feel all changes have been replicated use the repadmin tool on one of your Windows Server 2003-based Domain Controllers to check and optionally troubleshoot Active Directory replication. The following one-liner will show you the schema version per Domain Controller:

repadmin /showattr * "cn=schema,cn=configuration,dc=domain,dc=tld" /atts:objectVersion

When all your Domain Controllers report Schema version 56, you’re good to go with the next steps.
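The two checks in sections 3.2 and 3.3, reading the adprep logs and confirming the schema version on every Domain Controller, fit in one script. The PowerShell below is an added example and not code from the original post. It runs on the Windows 8 workstation or Windows Server 2012 server that ran adprep.exe (the log directory is the one adprep's own success message names), and it reads objectVersion over LDAP from each Domain Controller in turn, so it works while the Domain Controllers are still Windows Server 2003. Schema version 56 is the Windows Server 2012 value stated above; the 'error|fail' pattern for the log scan is an assumption.

```powershell
# Added example: scan the adprep logs for failures, then confirm every DC has
# replicated schema version 56. LDAP reads only, so Windows Server 2003 DCs are fine.
Add-Type -AssemblyName System.DirectoryServices

$logRoot               = 'C:\Windows\debug\adprep\logs'   # named in adprep's output
$expectedSchemaVersion = 56                                # Windows Server 2012 schema

# 1. Any log line mentioning an error or failure deserves a look (pattern is an assumption)
Get-ChildItem -Path $logRoot -Filter *.log -Recurse -ErrorAction SilentlyContinue |
    Select-String -Pattern 'error|fail' |
    ForEach-Object { Write-Warning ("{0}:{1} {2}" -f $_.Filename, $_.LineNumber, $_.Line.Trim()) }

# 2. Read objectVersion of the schema partition from each DC individually
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaDN = $forest.Schema.Name      # CN=Schema,CN=Configuration,DC=domain,DC=tld
$results  = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        try {
            $entry   = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://{0}/{1}" -f $dc.Name, $schemaDN)
            $version = [int]$entry.Properties['objectVersion'].Value
        } catch {
            $version = $null          # unreachable DC counts as "not verified"
        }
        [pscustomobject]@{
            Domain        = $domain.Name
            DC            = $dc.Name
            SchemaVersion = $version
            Ok            = ($version -eq $expectedSchemaVersion)
        }
    }
}
$results | Format-Table -AutoSize

$lagging = @($results | Where-Object { -not $_.Ok })
if ($lagging.Count -gt 0) {
    Write-Warning ("Wait for replication, or investigate: {0}" -f (($lagging | ForEach-Object { $_.DC }) -join ', '))
} else {
    "All {0} Domain Controllers report schema version {1}." -f @($results).Count, $expectedSchemaVersion
}
```

A Domain Controller that never reaches 56 while the others have is the same signal the repadmin one-liner gives you, with the benefit that unreachable Domain Controllers show up as a row instead of being silently missing from the output.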

           

4. Install the first Windows Server 2012 Domain Controller

Now that we’ve got all the preparations done, we can install Windows Server 2012 on our first Domain Controller to be.

Note!
When you use your organization's golden Windows Server image to build the Domain Controllers for your environment, instead of installing by hand as outlined in the steps below, make sure the Windows Server installation was sysprepped.

Either configure a Virtual Machine on your favorite virtualization platform or let the purchasing department spend their money on some physical datacenter iron.

Tip!
When installing physical servers, make sure you purchase a server with four spindles. Create two mirror (RAID1) volumes. Then, you can use the first set of spindles for Windows and programs, and the second set for the Active Directory database, Active Directory transaction logs and System Volume (SYSVOL).

4.1 Install Windows Server

Boot your configuration from the Windows Server 2012 installation media. Then, perform these actions:

  1. In the first screen of Windows Setup, choose the Language to install:, the Time and currency format: and the Keyboard or input method: for the Domain Controller installation. Click Next to continue.
        
  2. Click Install now.
         
  3. Select the Operating System (OS) you want to install.
        
    Tip!
    The Server Core installation option is the preferred installation option. Performing this type of installation will result in a lean mean Windows Server (virtual) machine, but will not allow you to manage it through the Graphical User Interface (GUI) you know from Windows Server 2003. You will need a Windows Server 2012 management server or Windows 8-based management workstation with the Remote Server Administration Tools (RSAT) to manage Server Core Domain Controllers most of the time. Click a Server with a GUI installation when this is your first Windows Server 2012 installation.
        
    Click Next when done.
        
  4. Select the I accept the license terms option and click Next in the License Terms screen.
       
  5. Choose Custom: Install Windows only (advanced) to perform a clean Windows Server installation.
        
  6. Choose where to install Windows Server in the Where do you want to install Windows? screen.
        
    1. When this is a physical server, choose the first set of spindles.
    2. When this is a virtual server, choose the entire virtual disk.
          
      Note:
      After installation of the virtual server, shrink the volume in the virtual disk to accommodate the partition(s) for the Active Directory database, Active Directory transaction logs and System Volume (SYSVOL).
          
      Click Next when done.
          
  7. After installation, type a password for the built-in administrator account. You will use this account to sign in, until you promote it to a Domain Controller.
        
         Tip!
         The password needs to comply with the default complexity requirements.
        
    Click Finish when done.
        
  8. Press Ctrl+Alt+Del on the lock screen. Then, sign into your new Windows Server installation with the password you just set for Administrator.

4.2 Configure the server

After you’ve installed the server, make these configuration changes:

  1. Change the name of the server using the server naming policy of your organization.
  2. Provide the correct time zone for the location of the Domain Controller. 
  3. Check for proper activation of the Windows Server Operating System.
  4. Update the server with the latest Service Pack and updates.
  5. Configure the server with a fixed IPv4 address, a fixed IPv6 address and proper name resolution. Plan for Active Directory-integrated DNS. Avoid multi-homing Domain Controllers.
  6. Configure the pagefile properly.
  7. Implement Information Security measures (anti-malware, UPS, monitoring, backup)
  8. Create a backup of the server.

    Note:
    Do not use the snapshot features of your backup or virtualization solution.

4.3 Configure Active Directory storage

Now that we have a Windows Server installation that is configured properly, we need to plan the storage of the Active Directory database, the Active Directory transaction logs and the System Volume (SYSVOL).

An Active Directory performance best practice is to place this data on separate spindles. This is easily achieved when you’re working with physical servers by placing an extra set of mirrored hard disks. The Active Directory Domain Services Configuration Wizard, that we’ll use in a short while will disable write-back caching on these separate spindles, and not the spindles the Operating System (OS) is on. The purpose behind this is to make the storage more robust by not writing data meant for disk to memory first, but straight to disk. In case of a black- or brown-out, the Active Directory database would not be instantly corrupted.

Note:
Disabling write-back caching deteriorates the performance of storage by roughly 30%.

However, creating ‘spindles’ in the virtual world is a bit more tricky. Luckily, virtualization solutions, nowadays, are smart enough to see when a virtual machine requests to have write-back caching off on its storage and offer the best available performance per storage block.

Since Active Directory would break, when we bring an Active Directory Domain Controller up without its files, we’ll keep all these files together in one virtual hard disk. So, in a virtual machine, shrink the system volume (C:\) sufficiently and create a separate NTFS-formatted volume for your Active Directory files:

  1. Open the Disk Management MMC Snap-in (diskmgmt.msc)
  2. Right-click the C: volume in the bottom main pane and select Shrink Volume… from the context menu.
        
    Shrink Volume (click for original screenshot)
        
  3. Shrink the volume with the amount you need. You can use the information here to plan the size of the volume. Apply a safety factor, but don’t make it too big. Active Directory has some builtin mechanisms to cope with scarce disk space. In the example above I shrink the volume by 20GB. Press Shrink.
  4. Right-click in the Unallocated space you created with the step above. Choose New Simple Volume… from the context menu.
  5. Click Next > in the Welcome to the New Simple Volume Wizard screen.
  6. Accept the maximum disk space allowed by clicking Next > in the Specify Volume Size screen.
  7. Accept the automatically assigned drive letter by clicking Next > in the Assign Drive Letter or Path screen.
  8. Accept the defaults for formatting the partition by clicking Next > again. This will create an NTFS-based, quickly formatted partition with the label New Volume. Make changes if you want to.
  9. Click Finish.
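The same shrink-and-create sequence can be done with the Storage module cmdlets that ship in Windows Server 2012, which is handy when you build more than one Domain Controller. This is an added example, not part of the original post; the 20 GB figure matches the walkthrough above, while the ADDS label and disk 0 are assumptions. The size check before the resize is there because Resize-Partition fails (rather than corrupts) when asked to go below the minimum, but it is friendlier to report the limit first.

```powershell
# Added example: shrink C: and create the NTFS volume for NTDS, logs and SYSVOL
# using the Windows Server 2012 Storage module. Run elevated on the new server.
$shrinkBy = 20GB                                   # amount used in the text above

$c         = Get-Partition -DriveLetter C
$supported = Get-PartitionSupportedSize -DriveLetter C   # SizeMin / SizeMax for this partition
$newSize   = $c.Size - $shrinkBy
if ($newSize -lt $supported.SizeMin) {
    throw ("C: can only shrink to {0:N1} GB; reduce the amount." -f ($supported.SizeMin / 1GB))
}
Resize-Partition -DriveLetter C -Size $newSize

# Create the Active Directory volume in the freed space on the same disk
$ad = New-Partition -DiskNumber $c.DiskNumber -UseMaximumSize -AssignDriveLetter |
      Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ADDS' -Confirm:$false

"Active Directory volume is {0}: ({1:N1} GB, {2})" -f $ad.DriveLetter, ($ad.Size / 1GB), $ad.FileSystemLabel
```

Note the drive letter the script prints; it is the one you substitute for C:\Windows in the Paths screen of the promotion wizard later on.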

4.4 Make the server a member of the domain

To allow Kerberos authentication between the Windows Server 2003 (R2) Domain Controllers and our Windows Server 2012 Domain Controller to be, we need to make the Windows Server a member of the Active Directory domain.

Restart to make the changes apply.
After the restart, make sure you log on with a domain account.

4.5 Install the Active Directory Domain Services role

We can now install the Active Directory Domain Services (AD DS) Server Role and accompanying tools, like the Active Directory Administrative Center and Active Directory PowerShell Cmdlets, onto the Windows Server 2012 installation.

If you want to click through this, follow these steps:

  1. Open Server Manager (if not opened automatically),
  2. Click on the Manage link in the top task pane and select Add Roles and Features from the context menu.
  3. Click Next > in the Before you begin screen.
  4. Click Next > to perform a Role-based or feature-based installation.
  5. Click Next > to select the local server as the target of the operation.
  6. Click Active Directory Domain Services in the list with available roles in the Select server roles screen.
  7. Click Add Features in the pop-up window.
  8. Now, click Next > in the Select server roles window.
  9. Click Next > in the Select features screen.
  10. Click Next > after you’ve read what Active Directory Domain Services does.
  11. Click Install in the Confirm installation selections screen to perform the installation of the Active Directory Domain Services Server Role with its accompanying tools.
  12. After the installation has completed, click Close.

4.6 Promote the server

With everything in place for our Domain Controller, we can go ahead and promote the Windows Server installation to a Domain Controller for your Active Directory domain. In this capacity it will operate as an additional Domain Controller, next to your Windows Server 2003-based Domain Controllers.

Perform these steps:

  1. Make sure you are logged on as a domain administrator.
  2. Open Server Manager (if not opened automatically).
  3. Click on the yellow warning sign on the top action bar. It will feature the Post-deployment Configuration for Active Directory Domain Services.
  4. Click the Promote this server to a domain controller link.
    This will trigger the Active Directory Domain Services Configuration Wizard to start.
        
    Deployment Configuration screen of the Active Directory Domain Services Configuration Wizard (click for original screenshot)
        
  5. In the Deployment Configuration screen, the default choices are the ones you need to make the server an additional Domain Controller for the domain already joined, using the credentials of the logged on user. Click Next >.
        
    Domain Controller Options screen of the Active Directory Domain Services Configuration Wizard (click for original screenshot)
        
  6. In the Domain Controller Options screen, the wizard asks us for the Directory Services Restore Mode (DSRM) password for this Domain Controller. Specify it.
        
         Note:
         Add this password to the documentation for the Domain Controller.
         
    Choose an Active Directory site, when appropriate. Accept the DNS Server and Global Catalog capabilities by pressing Next >.
  7. Click Next > in the DNS Options screen.
        
    Additional Options screen of the Active Directory Domain Services Configuration Wizard (click for original screenshot)
        
  8. Click Next > in the Additional Options screen.
        
    Paths screen of the Active Directory Domain Services Configuration Wizard (click for original screenshot)
        
  9. In the Paths screen, change the locations for the Active Directory database, log files and System Volume (SYSVOL), by replacing C:\Windows with the drive letter of the second partition on the server. Click Next > when done.
  10. Click Next > in the Review Options screen.
  11. Click Install in the Prerequisites Check screen. You will encounter a couple of warnings, but you can safely ignore these.

After promotion is successful, the server will automatically reboot.
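If you would rather not click through sections 4.5 and 4.6, Windows Server 2012 exposes the same wizard as the ADDSDeployment cmdlets. The script below is an added example, not from the original post. domain.tld and the D: paths are assumptions (D: being the volume created in section 4.3), the credential and DSRM password are prompted for so neither ends up in a script file or the PowerShell history, and Test-ADDSDomainControllerInstallation runs the same prerequisites check the wizard shows before Install-ADDSDomainController does the promotion.

```powershell
# Added example: unattended role install and promotion (sections 4.5 and 4.6).
# Run elevated on the new server while logged on with a domain account.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

$domain = 'domain.tld'                                             # assumed domain name
$cred   = Get-Credential -Message "Domain Admins account in $domain"
$dsrm   = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

$params = @{
    DomainName                    = $domain
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm        # document this per DC, as the text says
    InstallDns                    = $true        # DNS Server capability, as in the wizard
    NoGlobalCatalog               = $false       # keep the Global Catalog capability
    DatabasePath                  = 'D:\NTDS'    # second volume from section 4.3
    LogPath                       = 'D:\NTDS'
    SysvolPath                    = 'D:\SYSVOL'
    # SiteName                    = 'Default-First-Site-Name'   # set when appropriate
}

# Same prerequisites check the wizard performs: stop on errors, read the warnings
$check = Test-ADDSDomainControllerInstallation @params
$check.Message
if ($check.Status -eq 'Error') { throw 'Prerequisite check failed; see the messages above.' }

# Promote as an additional DC; the server reboots on success (add -NoRebootOnCompletion to defer)
Install-ADDSDomainController @params -Force
```

Once the server is back, continue with the checks in 4.7; the promotion logs and event logs are the same whether the wizard or the cmdlet did the work.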

4.7 Check for proper promotion

After the server has rebooted, log onto it with administrative privileges, and perform these actions to check for proper Domain Controller promotion:

4.7.1 Check the promotion logs

It is a best practice to review the logs to identify any problems that might have occurred during the promotion. The logs to scrutinize, specifically, are:

  • C:\Windows\debug\dcpromo.log
    All the events regarding the creation and removal of Active Directory, SYSVOL trees and the installation, modification and removal of key services
      
  • C:\Windows\debug\dcpromoui.log
    All the events from a graphical interface perspective

4.7.2 Check the Event Viewer

Check the event viewer (eventvwr.msc) of the newly created Domain Controller for Active Directory-related events.

Six specific Application and Services Logs have been created to quickly find errors and warnings on Active Directory Domain Services:

  • Active Directory Web Services
  • DFS Replication
  • Directory Service
  • DNS Server
  • File Replication Service
  • Key Management Service

Check these logs for errors.
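Sections 4.7.1 and 4.7.2 are quick to script, and doing so gives you something to re-run after every additional Domain Controller in section 5. The PowerShell below is an added example, not code from the original post. It scans the two promotion logs for lines tagged as warnings or errors (the tag format is an assumption) and then pulls Critical, Error and Warning events from the six Application and Services Logs listed above, limited to the last 24 hours so the output stays focused on the promotion.

```powershell
# Added example: post-promotion checks (dcpromo logs and the six AD DS event logs).
# Run on the newly promoted Domain Controller with administrative privileges.
$promoLogs = 'C:\Windows\debug\dcpromo.log', 'C:\Windows\debug\dcpromoui.log'
$eventLogs = 'Active Directory Web Services', 'DFS Replication', 'Directory Service',
             'DNS Server', 'File Replication Service', 'Key Management Service'

# 1. Promotion logs: lines tagged [ERROR]/[WARNING] or mentioning a failure (pattern assumed)
foreach ($log in $promoLogs) {
    if (-not (Test-Path $log)) { Write-Warning "$log not found"; continue }
    $hits = Select-String -Path $log -Pattern '\[(ERROR|WARNING)\]|fail'
    if (-not $hits) { "{0}: no warnings or errors" -f (Split-Path $log -Leaf); continue }
    $hits | ForEach-Object { "{0}:{1} {2}" -f (Split-Path $_.Path -Leaf), $_.LineNumber, $_.Line.Trim() }
}

# 2. Event logs: Critical (1), Error (2) and Warning (3) since the promotion
$since = (Get-Date).AddHours(-24)
foreach ($name in $eventLogs) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = $name; Level = 1, 2, 3; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    if (-not $events) { "{0}: no warnings or errors since {1}" -f $name, $since; continue }
    $events | Sort-Object TimeCreated |
        Select-Object @{ n = 'Log'; e = { $name } }, TimeCreated, Id, LevelDisplayName, ProviderName,
                      @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
```

Some warnings right after promotion are expected (the DNS Server log, for instance, complains until the first replication cycle completes); the point is to read each one once and confirm it clears on a second run, rather than to demand an empty list.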

4.8 Configure the server

With the Active Directory Domain Services Server Role installed, we need to rerun Windows Update, to get the updates to the Server Role.

Also, this is a good time to configure scheduled system state backups, so you’d be able to restore this single Windows Server 2012-based Domain Controller in your environment.

  

5. Install additional Domain Controllers

With your first Windows Server 2012-based Domain Controller installed, you can go forward with installing additional Windows Server 2012-based Domain Controllers. All the steps for installing the first Domain Controller (Steps 4.1 through 4.8) apply to each of your Windows Server 2012-based Domain Controllers.

Because we will be demoting the Windows Server 2003-based Domain Controllers as one of the next steps, be sure to install at least two Domain Controllers per domain in the forest.

Note:
When you’re planning on using the Kerberos Armoring (FAST) feature after the migration, plan a sufficiently provisioned Domain Controller per Active Directory site per domain, because after Kerberos Armoring (FAST) is enabled, Windows 8 clients will only communicate with Windows Server 2012-based Domain Controllers. This might create a pile-on effect. Therefore, ensure you have sufficient Domain Controllers to prevent authentication traffic passing Active Directory site links.

    

6. Take care of FSMO roles and Global Catalog placement

Using the Active Directory Sites and Services MMC Snap-in (dssite.msc) make new Windows Server 2012 Domain Controllers Global Catalog servers appropriately.

Also transfer the Flexible Single Master Operations (FSMO) Roles to appropriate servers. You can use the Graphical Interface to move the Flexible Single Master Operations (FSMO) Roles, or go full out on the command line using ntdsutil.

In multiple Domain scenarios Jorge has a good rule of thumb on Global Catalogs and the Infrastructure Master Flexible Single Master Operations (FSMO) Role. Either:

  • Don't make the Domain Controller holding the Infrastructure Master Flexible Single Master Operations (FSMO) Role a Global Catalog server, if (and only if) there is another Domain Controller in the same Active Directory domain that is also not a Global Catalog; or
  • Make all Domain Controllers Global Catalog servers.

When your environment includes Microsoft Exchange Server, reboot a Domain Controller after making it a Global Catalog server. Microsoft Exchange communicates with Active Directory through Global Catalogs using MAPI. Although the Active Directory Sites and Services MMC Snap-in doesn't ask for it, you need to restart a Domain Controller at least one time after making it a Global Catalog before it starts talking MAPI.

Make sure your Windows Server 2003 (R2)-based Domain Controllers are no longer clinging on to any of the Flexible Single Master Operations (FSMO) Roles using the graphical user interface, or the following command using netdom.exe:

netdom.exe query fsmo
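The checks in this section (who holds the roles, whether a Windows Server 2003 Domain Controller still holds one, and Jorge's Infrastructure Master rule) plus the transfer itself can be done with the Active Directory module now that a Windows Server 2012 Domain Controller is available. The script below is an added example, not part of the original post. Run it on a Windows Server 2012 Domain Controller or a Windows 8 machine with RSAT; the target Domain Controller name is an assumption, and nothing is changed unless you pass -Apply. The GC enable uses the same NTDS Settings options bit the Sites and Services snap-in sets.

```powershell
# Added example for section 6: report FSMO holders and Global Catalogs, warn when a
# Windows Server 2003 DC still holds a role, and optionally transfer to a new DC.
param(
    [string]$Target = 'DC2012-01.domain.tld',   # assumed Windows Server 2012 DC
    [switch]$Apply                              # without -Apply the script only reports
)
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain     # current domain; run once per domain in a multi-domain forest
$dcs    = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem, IsGlobalCatalog

# 1. Current role holders (what "netdom.exe query fsmo" shows)
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | Format-Table Key, Value -AutoSize

# 2. A role still on a Windows Server 2003 (R2) DC blocks that DC's demotion
foreach ($role in $roles.GetEnumerator()) {
    $holder = $dcs | Where-Object { $_.HostName -eq $role.Value }
    if ($holder.OperatingSystem -like '*2003*') {
        Write-Warning ("{0} is still held by {1} ({2})" -f $role.Key, $role.Value, $holder.OperatingSystem)
    }
}

# 3. Jorge's rule of thumb: Infrastructure Master should not be a GC unless every DC is one
$im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
if ($im.IsGlobalCatalog -and -not $allGc) {
    Write-Warning 'Infrastructure Master is a Global Catalog while other DCs are not.'
}

# 4. Transfer (not seize) all five roles and enable the Global Catalog on the target
if ($Apply) {
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -Confirm:$false `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

    # Bit 1 of "options" on the NTDS Settings object marks a GC; keep the other bits intact
    $ntds    = (Get-ADDomainController -Identity $Target).NTDSSettingsObjectDN
    $current = [int](Get-ADObject -Identity $ntds -Properties options).options
    Set-ADObject -Identity $ntds -Replace @{ options = ($current -bor 1) }
    'Reboot the new Global Catalog before Exchange relies on it (see above).'
}
```

Run it once without -Apply to see the current state, and again afterwards: the warning in step 2 should be gone before you start demoting in section 7.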

       

7. Demote your old Domain Controllers

I've seen Domain Controllers become the prostitutes of the server room in many environments. Any software that didn't require a dedicated server or was deemed highly dependent on the Active Directory was installed on the Domain Controller. When you're one of the administrators treating their Domain Controllers like that, you're going to have a hard time demoting your Domain Controllers.

Testing demotions in a separate (virtual) testing environment could give you a clear picture on the behavior of your ex-Domain Controllers though! Remember: “Everyone has a test environment, not just everyone has a production environment…”

From my personal experience I can tell it's not recommended to demote a Domain Controller when it has Exchange Server or Internet Information Services installed after it was promoted. You're going to have to find another box to install these services on.

When your Windows Server 2003 (R2)-based Domain Controllers are also Domain Name System (DNS) servers, it is recommended to change the DNS zones into Active Directory Integrated DNS zones (when possible) so they get replicated to any Domain Controller running the DNS service. Installing the DNS Server role on a Windows Server 2012 Domain Controller using Server Manager would then suffice to migrate DNS settings and information. Be sure to change the DNS information on your other servers and workstations before removing DNS servers from your network.

You can safely demote a Windows Server 2003-based Domain Controller using the following steps:

  1. Click Start, then click Run... Type dcpromo.exe as the name of the program and click OK.
  2. Click Next > in the Welcome to the Active Directory Installation Wizard screen.
  3. When the Domain Controller is a Global Catalog, you will see the This domain controller is a Global Catalog server. Global Catalogs are used to process user logons. You should make sure other Global Catalogs are accessible to users of this domain before removing Active Directory from this computer. warning. Click OK.
        
    Remove Active Directory screen of the Active Directory Installation Wizard (click for original screenshot)
        
  4. In the Remove Active Directory screen, click Next >.
  5. In the Administrator Password screen, type the new password for the local Administrator account of the soon to be demoted Domain Controller, twice.
        
         Note:
         The demoted Domain Controller will be a member server after the demotion.
         You will be able to log onto it with domain credentials, as will you be able with
         the local Administrator account and the password you set here.
        
    Click Next > when done.
  6. In the Summary screen, click Next >.
  7. After the Domain Controller has successfully been demoted, click Finish to close the wizard.
  8. Click Restart Now in the pop-up for the Active Directory Installation Wizard to restart the server.

If you're unsuccessful, you might want to try to remove the barriers that prevent demotion one by one, or ultimately remove the server from Active Directory the hard way, which is described in Microsoft KnowledgeBase article 332199.

  

8. Raise the domain and forest functional levels

8.1 Raise the Domain Functional Level

After you've successfully demoted the last Windows Server 2003 (R2)-based Domain Controller for a specific domain (or you don't feel the need to ever add pre-Windows Server 2003 (R2)-based Domain Controllers to your Active Directory environment) you're ready to raise the Domain functional level of that domain.

Upgrading the Domain Functional Level (DFL) to Windows Server 2008 adds these features to your environment:

  1. Improved DFS Replication
    Support to use Distributed File System (DFS) Replication for the System Volume. When used in Windows Server 2008 mode, DFS also supports access-based enumeration and increased scalability.
          
  2. Advanced Encryption Standards
    After you raise the Domain Functional Level to Windows Server 2008 and reset the passwords for users, they can enjoy AES128 and AES256 support for the Kerberos protocol.
        
  3. Last Interactive Logon Information
    Last Interactive Logon Information displays information on the total number of failed logon attempts, the total number of failed logon attempts after a successful logon, the time of the last failed logon attempt and the time of the last successful logon attempt, when a user account is used to log on.
        
  4. Fine-grained password policies
    This feature allows you to specify password and account lockout policies for user accounts and global security groups in a domain.

Upgrading the Domain Functional Level (DFL) to Windows Server 2008 R2 adds two features to your environment:

  1. Authentication Mechanism Assurance
    This mechanism adds information to the user’s Kerberos token on the type of authentication used. This allows administrators to modify group membership based on how the user authenticates. For example, a user can have access to different resources if they log in with a certificate versus when they log in with just their username and password.
        
  2. Automatic SPN management
    In the past administrators regularly used Active Directory user accounts as service accounts for Exchange Server, SQL Server and Internet Information Services (IIS).
    Managed Service Accounts (MSAs) can be used since Windows Server 2008 R2, and this feature allows for automatic SPN management, one of the two main benefits of these accounts.

Upgrading the Domain Functional Level (DFL) to Windows Server 2012 adds one feature to your environment:

  1. The KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require Windows Server 2012 Domain Functional Level (DFL).

Start with the forest root domain and follow the steps outlined in section 3.1 Raise the domain and forest functional levels, but instead of raising the Domain Functional Level to Windows Server 2003, raise the Domain Functional Level to Windows Server 2012:

Raise the Domain Functional Level (click for original screenshot)

8.2 Raise the Forest Functional Level

After you've successfully upgraded the Domain Functional Level (DFL) of all the domains in your Active Directory forest, you're ready to upgrade the Forest Functional Level (FFL).

  • Upgrading the Forest Functional Level (FFL) to Windows Server 2008 adds no features to your environment.
  • Upgrading the Forest Functional Level (FFL) to Windows Server 2008 R2 adds the Active Directory Recycle Bin functionality to your environment, but only after you enable it, afterwards.
  • Upgrading the Forest Functional Level (FFL) to Windows Server 2012 adds no features to your environment.

Although some of the Forest Functional Levels (FFLs) don’t add features, raising the Forest Functional Level (FFL) to Windows Server 2012 means that all domains subsequently added to the forest will operate at the Windows Server 2012 Domain Functional Level (DFL).

Follow the steps outlined in section 3.1 Raise the domain and forest functional levels to raise the Forest Functional level to Windows Server 2012:

Raise the Forest Functional Level (click for original screenshot)
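Both raises above can also be done with the ActiveDirectory module. The following script is an added example, not code from the original post: it first refuses to proceed while any Domain Controller still runs an operating system older than Windows Server 2012 (a functional level cannot be raised while down-level Domain Controllers exist), then raises the Domain Functional Level of the forest root and every other domain, and only then the Forest Functional Level. Domain and forest names are discovered at run time; the `-WhatIf` call at the end only reports what would change.

```powershell
# Added example (not from the original post): check for down-level Domain
# Controllers, then raise every DFL and finally the FFL to Windows Server 2012.
Import-Module ActiveDirectory

# Kernel version of Windows Server 2012; a DC reporting a lower version blocks the raise
$minimumOsVersion = [version]'6.2'

function Get-DownlevelDomainController {
    param([Parameter(Mandatory)][string]$Domain)
    Get-ADDomainController -Filter * -Server $Domain | Where-Object {
        # OperatingSystemVersion reads like "6.1 (7601)"; compare the numeric part only
        $v = ($_.OperatingSystemVersion -split ' ')[0]
        (-not $v) -or ([version]$v -lt $minimumOsVersion)
    }
}

function Invoke-FunctionalLevelUpgrade {
    # Supports -WhatIf so the plan can be reviewed before anything is changed
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $forest = Get-ADForest

    # Step 1: the forest root domain first, then the remaining domains
    $domains = @($forest.RootDomain) +
               @($forest.Domains | Where-Object { $_ -ne $forest.RootDomain })
    foreach ($domain in $domains) {
        $downlevel = @(Get-DownlevelDomainController -Domain $domain)
        if ($downlevel.Count -gt 0) {
            Write-Warning "$domain still has down-level Domain Controllers: $($downlevel.HostName -join ', ')"
            return
        }
        $current = (Get-ADDomain -Identity $domain).DomainMode.ToString()
        if ($current -eq 'Windows2012Domain' -or $current -eq 'Windows2012R2Domain') {
            Write-Verbose "$domain already runs at $current"
            continue
        }
        if ($PSCmdlet.ShouldProcess($domain, "Raise DFL from $current to Windows2012Domain")) {
            Set-ADDomainMode -Identity $domain -DomainMode Windows2012Domain -Confirm:$false
        }
    }

    # Step 2: the forest, once every DFL has been raised and has replicated
    $forestMode = $forest.ForestMode.ToString()
    if ($forestMode -ne 'Windows2012Forest' -and $forestMode -ne 'Windows2012R2Forest') {
        if ($PSCmdlet.ShouldProcess($forest.Name, "Raise FFL from $forestMode to Windows2012Forest")) {
            Set-ADForestMode -Identity $forest.Name -ForestMode Windows2012Forest -Confirm:$false
        }
    }

    # Report the levels as seen by the forest root PDC emulator, where the change lands first
    $pdc = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
    [pscustomobject]@{
        Forest     = $forest.Name
        ForestMode = (Get-ADForest -Server $pdc).ForestMode
        Domains    = ($forest.Domains | ForEach-Object {
                         "$_ = $((Get-ADDomain -Identity $_).DomainMode)"
                     }) -join '; '
    }
}

# Dry run first; drop -WhatIf to perform the raise
Invoke-FunctionalLevelUpgrade -WhatIf -Verbose
```

Run it with an account that is a member of Enterprise Admins, and give replication time to converge between the domain raises and the forest raise in a multi-domain forest; the forest raise fails while any Domain Controller still reports an older Domain Functional Level.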

  

9. Enable Active Directory Optional Features

When your Active Directory environment runs a Forest Functional Level beyond Windows Server 2012, you can enable the Active Directory Recycle Bin.

One of the new features in Windows Server 2012 is the ability to turn this feature on in the Graphical User Interface (GUI). Follow these steps to do so:

  1. Log onto a Windows Server 2012-based Domain Controller, or a domain-joined Windows 8 installation with the Remote Server Administration Tools and the Active Directory Administrative Center feature installed, using an account with administrative privileges.
  2. Start the Active Directory Administrative Center (dsac.exe)
  3. Select the domain name in the left pane.
  4. Click the Enable Recycle Bin … link in the right task pane.
        
    Enable Recycle Bin Confirmation Pop-up (click for original screenshot)
        
  5. Click OK in the Enable Recycle Bin Confirmation pop-up.
        
    Active Directory Administrative Center Refresh Pop-up (click for original screenshot)
        
  6. Also click OK in the Active Directory Administrative Center to acknowledge the need to refresh the Administrative Center console.
  7. Press the round refresh button in the grey top pane of the Active Directory Administrative Center to refresh it.
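The same change can be made with the ActiveDirectory module, which is the only option on a Server Core Domain Controller. The script below is an added example and not code from the original post: it checks the Forest Functional Level prerequisite, enables the Recycle Bin feature forest-wide if it is not enabled yet, and then lists the deleted objects that the Recycle Bin keeps restorable. Note that enabling the Recycle Bin is irreversible. The forest name is discovered at run time; `-WhatIf` shows the change without making it.

```powershell
# Added example (not from the original post): enable the Active Directory Recycle
# Bin from PowerShell after checking the prerequisite, then list restorable objects.
Import-Module ActiveDirectory

$featureName = 'Recycle Bin Feature'

function Test-RecycleBinEnabled {
    # EnabledScopes stays empty until the feature has been switched on forest-wide
    $feature = Get-ADOptionalFeature -Filter "Name -eq '$featureName'"
    return [bool]($feature.EnabledScopes.Count -gt 0)
}

function Enable-RecycleBin {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $forest = Get-ADForest
    # The Recycle Bin needs the Windows Server 2008 R2 forest functional level or higher
    $supported = 'Windows2008R2Forest', 'Windows2012Forest', 'Windows2012R2Forest'
    if ($supported -notcontains $forest.ForestMode.ToString()) {
        throw "Forest $($forest.Name) runs at $($forest.ForestMode); raise the FFL first."
    }
    if (Test-RecycleBinEnabled) {
        Write-Verbose 'The Recycle Bin is already enabled.'
        return
    }
    # There is no way back once this has been enabled, hence the ShouldProcess gate
    if ($PSCmdlet.ShouldProcess($forest.Name, "Enable $featureName (cannot be disabled again)")) {
        Enable-ADOptionalFeature -Identity $featureName -Scope ForestOrConfigurationSet `
            -Target $forest.RootDomain -Confirm:$false
    }
}

function Get-DeletedAdObject {
    # Lists deleted objects that Restore-ADObject can still bring back; the
    # 'Deleted Objects' container itself is excluded from the result
    param([string]$NameFilter = '*')
    Get-ADObject -IncludeDeletedObjects -Properties LastKnownParent, whenChanged `
        -Filter "isDeleted -eq `$true -and Name -ne 'Deleted Objects' -and Name -like '$NameFilter'" |
        Select-Object Name, ObjectClass, LastKnownParent, whenChanged
}

Enable-RecycleBin -WhatIf -Verbose
Get-DeletedAdObject
```

Once the feature is enabled, a deleted user can be brought back with `Get-DeletedAdObject -NameFilter 'jdoe*' | Restore-ADObject`; the LastKnownParent column tells you where it will reappear.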

 

10. Run the Active Directory Best Practices analyzer

    On Domain Controllers running Windows Server 2008 R2 and up, you can use the Active Directory Domain Services Best Practices Analyzer (BPA). With the BPA, you can scan your Active Directory infrastructure for compliance with the best practices. These best practices were designed with input from Microsoft Consulting Services and help you avoid most of the situations that can lead to data loss and unavailability of Domain Controllers.

    The Active Directory Domain Services BPA can be run using the Server Manager or using the PowerShell Cmdlets. To run the scan from Server Manager perform the following steps:

    Tip!
    Server Manager can be used to scan a local or remote computer. To scan a remote computer, simply use the Connect to Another Computer option in Server Manager.

    1. Log onto a Windows Server 2012-based Domain Controller, or a domain-joined Windows 8 installation with the Remote Server Administration Tools and the Server Manager feature installed, using an account with administrative privileges.
    2. Open Server Manager.
    3. In the left pane of Server Manager, click on AD DS.
    4. Scroll down in the main pane to the Best Practice Analyzer section.
          
      Active Directory Best Practices Analyzer in Server Manager (click for original screenshot)
          
    5. Click on the Tasks button and then select Start BPA Scan from the context menu.
    6. Click Start Scan in the Select Servers screen.

    Using your common sense, make the configuration changes for the non-compliant settings listed as warnings and errors.
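    The PowerShell route mentioned above lends itself to scheduled scans and to keeping the results for comparison after changes. The following script is an added example, not code from the original post. It runs the AD DS model of the BPA locally or on remote Domain Controllers over WinRM, keeps only the warnings and errors, and writes one CSV per host with a timestamp in the name. The model ID Microsoft/Windows/DirectoryServices is the one the BestPractices module uses for AD DS; the output folder is an assumption you can change.

```powershell
# Added example (not from the original post): run the AD DS Best Practices
# Analyzer from PowerShell and keep the non-compliant findings per Domain Controller.

# Self-contained so it can be sent to a remote host with Invoke-Command
$scanScript = {
    Import-Module BestPractices
    $modelId = 'Microsoft/Windows/DirectoryServices'
    # Windows Server 2012 parameter name; Windows Server 2008 R2 used -BestPracticesModelId
    Invoke-BpaModel -ModelId $modelId | Out-Null
    Get-BpaResult -ModelId $modelId |
        Where-Object { $_.Severity -eq 'Error' -or $_.Severity -eq 'Warning' } |
        Select-Object Severity, Category, Title, Problem, Impact, Resolution
}

function Get-AdBpaFinding {
    # Returns the warnings and errors for each Domain Controller named
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($dc in $ComputerName) {
        if ($dc -eq $env:COMPUTERNAME) {
            $results = & $scanScript
        } else {
            $results = Invoke-Command -ComputerName $dc -ScriptBlock $scanScript
        }
        $results | Select-Object @{ n = 'ComputerName'; e = { $dc } },
                                 Severity, Category, Title, Problem, Resolution
    }
}

function Export-AdBpaReport {
    # Writes a CSV per host and prints a count per severity, so a re-run after
    # fixing findings shows whether the numbers went down
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [string]$OutputFolder = "$env:USERPROFILE\Documents\BPA"   # assumed location
    )
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    foreach ($dc in $ComputerName) {
        $findings = @(Get-AdBpaFinding -ComputerName $dc)
        $path = Join-Path $OutputFolder "$dc-$stamp.csv"
        $findings | Export-Csv -Path $path -NoTypeInformation
        $summary = ($findings | Group-Object Severity | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        Write-Output "$dc : $($findings.Count) finding(s) [$summary] -> $path"
    }
}

# Scan the local Domain Controller; pass -ComputerName DC1, DC2 for remote hosts
Export-AdBpaReport
```

    Remote scans need PowerShell remoting enabled on the Domain Controllers and an account that is a local administrator there; the findings come back as deserialized objects, which is why only plain properties are selected inside the script block.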

      

    Concluding

    Transitioning your Active Directory to Windows Server 2012 seems as easy as adding new Windows Server 2012 Domain Controllers to your current environment. It might be, in small shops with only a single Domain Controller in a single Active Directory domain in its own forest with a single Active Directory site.

    In larger environments, though, be sure to check that each step was successfully installed, performed and replicated before you move on, or you’ll screw up your Active Directory environment!

    Pictures of the 2014 Nordic Infrastructure Conference

    As previously announced, Raymond and I delivered two sessions at the Nordic Infrastructure Conference (NIC) in Oslo, Norway.

    We flew from Amsterdam Schiphol Airport (AMS) to Oslo Gardermoen Lufthavn (OSL) and, after our 2-hour flight, took the Flytoget to Oslo Sentralstasjon within half an hour. We arrived at our hotel, the Clarion Christiania, at 11 PM.

    Arriving at Oslo Airport, I can’t help but feel that the Norwegian language looks and sounds like Dutch (click for original photo)
    Proud Speaker for the 2014 Nordic Infrastructure Conference (click for original screenshot)
    View from the room at the Clarion Hotel Royal Christiania (click for original screenshot)

    Too late for any party.
    Nonetheless, Raymond found a way to dance in The Dubliner. ;-)

    Raymond Comvalius in snowy Oslo (click for original screenshot)

    Thursday was the first day of the event, so we hung out in the most appropriate place for us during the event.
    View of Oslo Sentralstasjon from our hotel (click for original photo)
    View from the Speakers Lounge (click for original photo)
    Speakers Lounge at the 2014 Nordic Infrastructure Conference (click for original screenshot)

    Luckily, besides tweaking our sessions, we also had time to enjoy the continuous food service, some sessions, and the Experts Panel. Of course, we also met with the other speakers. It’s a small world, after all…

    The Experts Panel led by Alex de Jong (click for original photo)
    "Just a participant" ;-) (click for original photo)

    After the sessions, a group with Brian Desmond, Brian Komar, Justin Morris, Johan Arwidmark and me had dinner, that landed moose on my plate:

    Moose (click for original photo)

    Thursday night, we met with Jimmy Andersson at the 34th floor of the Radisson Blu hotel, next door to the Oslo Spektrum. It was fun, but unfortunately I lost track of time a bit too much, leaving me with ample time to catch up on sleep…

    Friday, Raymond and I delivered our two sessions on Bring-Your-Own essentials with Microsoft technologies, focusing on the new BYO and Identity capabilities found in Windows 8.1 and Windows Server 2012 R2.

    Raymond Comvalius as Proud NIC speaker (click for original screenshot)
    Delivering our session (photo by Sami Laiho) (click for original photo)
    Delivering our session for a packed room (photo by Adnan Hendricks) (click for original photo)
    Delivering our second session (photo by Adnan Hendricks) (click for original photo)

    As part of these sessions, Raymond and I convinced the audiences (packed rooms with 130 participants) on the practical use cases of claims-based authentication, multi-factor authentication, workplace join and work folders.

    Friday night, Raymond and I wandered through snowy Oslo, enjoying famous sights like the Oslo Theater, the Nobel Peace Center, the City Council building and Akershus Castle.

    In front of Oslo's National Theater (click for original screenshot)
    Oslo's Nobel Peace Center (click for original photo)
    Oslo's City Council Building (click for original screenshot)

    Saturday morning we flew back to the Netherlands, but not before we enjoyed a breakfast in our hotel with John Craddock, discussing the very technologies above.

         

    The 2014 Nordic Infrastructure Conference (NIC) was well worth it.
    Thank you!

    Why I don’t like the Quest Active Directory PowerShell Cmdlets

    Many Active Directory admins use and like the Quest Active Directory PowerShell Cmdlets, which are part of the free ActiveRoles Management Shell for Active Directory. They have been freely available since 2007 and have been the long-trusted scripting companion for many.

    I am not one of them. It’s nothing personal. Let me explain.

      

    The 2007 situation

    Back in April 2007, when the ActiveRoles Management Shell for Active Directory was introduced as simply AD Cmdlets by Quest Software, Microsoft offered no PowerShell support for Active Directory.

    PowerShell itself, you could say, was still in its infancy: a version 1 product you could download for Windows XP, Windows Server 2003 and Windows Vista. When Windows Server 2008 came around in February 2008, PowerShell 1.0 was an optional feature.

    Windows Server 2008, however, offered no PowerShell Cmdlets for Active Directory.
    Back in those days, the Quest Active Directory Cmdlets made sense.

    Today, with the release of Windows Server 2012 R2 and PowerShell 4.0, Microsoft offers 147 PowerShell Cmdlets to manage and deploy Active Directory (up from 135 Active Directory-related PowerShell Cmdlets in Windows Server 2012). I haven’t found anything I couldn’t do with them (and the Active Directory drive) that I could do with the Quest Active Directory PowerShell Cmdlets.

    These PowerShell Cmdlets are built-in, easily kept up to date through Windows Update and Service Packs, and easily unlocked with a single line of PowerShell code on both Windows (with the RSAT update installed) and Windows Server:

    Add-WindowsFeature RSAT-AD-PowerShell
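    To show what you get after that one line, here is an added example (not code from the original post) that uses only the built-in ActiveDirectory module: it counts the cmdlets the module ships, browses the directory through the AD: drive the post mentions, and produces the kind of stale-account report that admins used to write against the Quest cmdlets. The domain is discovered at run time; the 90-day threshold is an assumption.

```powershell
# Added example (not from the original post): the built-in ActiveDirectory module
# and its AD: drive doing everyday admin work without third-party cmdlets.
Import-Module ActiveDirectory   # importing the module also creates the AD: PSDrive

function Get-AdModuleSummary {
    # Cmdlets grouped by noun, to see which object types the module covers
    $cmds = Get-Command -Module ActiveDirectory -CommandType Cmdlet
    $topNouns = $cmds | Group-Object Noun | Sort-Object Count -Descending |
                Select-Object -First 10 | ForEach-Object { "$($_.Name) ($($_.Count))" }
    [pscustomobject]@{
        Version     = (Get-Module ActiveDirectory).Version
        CmdletCount = $cmds.Count
        TopNouns    = $topNouns -join ', '
    }
}

function Show-AdDriveLayout {
    # Browse the directory like a file system: the top-level containers of the domain
    $domainDn = (Get-ADDomain).DistinguishedName
    Get-ChildItem -Path "AD:\$domainDn" |
        Select-Object Name, ObjectClass, DistinguishedName
}

function Get-StaleEnabledUser {
    # Enabled users without a logon in the last -Days days. LastLogonDate is based on
    # lastLogonTimestamp, which replicates with a delay of up to 14 days, so treat the
    # result as a candidate list. Users that never logged on (no date) are included.
    param([int]$Days = 90)   # assumed threshold
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, PasswordLastSet |
        Where-Object { $_.LastLogonDate -lt $cutoff } |
        Select-Object SamAccountName, LastLogonDate, PasswordLastSet, DistinguishedName |
        Sort-Object LastLogonDate
}

Get-AdModuleSummary
Show-AdDriveLayout
Get-StaleEnabledUser -Days 90 | Format-Table -AutoSize
```

    The AD: drive accepts the usual item cmdlets (`Get-Item`, `Set-Location`, `Get-ChildItem -Recurse`), so `Set-Location AD:` followed by `dir` is often the quickest way to find where an object lives before scripting against it.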

     

    PowerShell History Viewer

    However, when you run the above PowerShell line, I also urge you to use the following line:

    Add-WindowsFeature RSAT-AD-AdminCenter

    This enables the Active Directory Administrative Center (dsac.exe). This management tool contains the Active Directory PowerShell History Viewer. You can access it by clicking the up arrow in the bar called Windows PowerShell History in the bottom right corner of the Active Directory Administrative Center screen. This brings up the Active Directory PowerShell History pane. Now, whenever you perform an action in the graphical interface, you see the equivalent PowerShell commands in the PowerShell History Viewer.

    The Active Directory PowerShell History Viewer makes it extremely easy to learn the Active Directory PowerShell Cmdlets, by showing the equivalent PowerShell Cmdlets, associated with actions in the Graphical User Interface of the Active Directory Administrative Center.

     

    Lifecycle management

    Whenever I install software on multiple machines in a network environment I remind myself of asking the following question: “Am I introducing the next Java?”.

    Oracle Java is a programming language platform with implementations for almost all Operating Systems (OSs), which allows code to run on all these platforms without recompiling. The Java implementation on Windows has been updated many times since its inception in 1996, but has topped the list of the most vulnerable Windows-based applications many times. No wonder that, in my book, Java is an abbreviation for Just Another Vulnerability Announcement…

    Now, when a business uses a Java implementation, it is hard to get rid of Java. Often, the program using Java would need to be rewritten, often multiple programs use Java, programs need different Java versions, etc. … and Java needs to be kept up to date. Monthly. Java gets updated, but updated versions might break the business application, etc.

    I’m better off without software like Java on my network. I don’t need the headache.

    The same goes for the Quest Active Directory Cmdlets. It’s software running on my Domain Controllers. It needs to be kept up to date. I need to check my scripts against new versions of the Cmdlets before I can update them.

      

    Concluding

    I feel the Quest PowerShell Active Directory Cmdlets are harder to install, harder to maintain and harder to learn than the PowerShell Cmdlets Microsoft ships with Windows Server nowadays.

    It’s been a good ride. Quest has shown the way forward. Quest deserved to win prizes with their Cmdlets. Now, let’s move on.

    Further reading

    Free PowerShell Commands for Active Directory 
    How to add Quest AD tools to your native PowerShell 
    Quest Powershell for Active Directory   
    Active Directory Administration with Windows PowerShell

    Tips for Travelling to Tech Conferences, Part 9

    In the previous parts of this series, I have shared my tips on travelling to tech conferences, including tips for booking flights and hotels, tips for coping with jetlag, how to convince your boss, and the top tech events to visit.

    Today, I’ll share my tips on the gear to pack, besides the Wi-Fi router and power distribution unit (PDU) you’ll need in your hotel room.

    Ultimately, with the gear you pack, you’ll need to be able to:

    • Take notes during a day packed with interesting tech sessions
    • Take pictures of interesting slides with too much information to take notes on (for instance slides with informational tables)
    • Take videos of awesome demos
    • Keep in touch with the home front
    • Keep safe in the hostile networking environments of hotels and conferences
    • Find your way to and from the conference and other hotspots
    • Keep yourself entertained during flights and rides
    • (Optionally) blog your experiences
    • (Optionally) present sessions and/or deliver demos

    Now, you might already see that one device won’t cut it. Two might:

    • A smartphone, equipped with navigation software, music, videos and a way to transfer pictures and videos to and from another device. Also, make sure it has the app for the event installed and kept up to date.
    • A laptop/tablet, equipped with a keyboard, a webcam and microphone and your favorite software to keep in touch and blog.

       

    The ‘smartphone’ device

    A smartphone device should last for 18 hours when used intensively: from 7 AM in the morning when you leave your hotel room to 1 AM when you might return to it. Since most smartphones don’t last that long, pack a mobile battery with it. When you use Bluetooth to share information between your phone and other gear, note that this may drain your battery fast, unless the devices are equipped with Bluetooth LE.

    Make sure you charge both devices each night in your hotel room.

    Tip!
    Most smartphone cameras are incapable of taking photos of information on slides, due to the large contrast between the screen and the room. The information will consistently be unreadable. Take a proper camera when this is a big issue for you.

        

    The ‘laptop’ device

    A laptop/tablet device should last for 7 hours when used intensively. Depending on your needs, this may include browsing the Internet using WiFi, taking notes, blogging and running virtual machines (VMs).

    I use a Dell Precision M4700 as my laptop device. To reach the 7 hours of battery time, it is equipped with a 9-cell (97 Wh) primary battery and a click-on 9-cell (97 Wh) battery using the docking station connector… but only when I use the following power savings:

    • Disable keyboard lighting (Fn + Cursor Right multiple times)
    • Disable Screen backlight (Fn + Cursor Down multiple times)
    • Disable WiFi and Bluetooth (using the switch on the right side of the device)

    If you want to use it for work during an intercontinental flight, you might need to pack more battery power or find yourself a seat on the plane equipped with a power outlet.

    Tip!
    When you merely want to listen to music on a flight without onboard entertainment, you might want to use the smartphone device to that purpose. When you want to watch videos on your own, a laptop device might be overkill and a tablet device like an iPad or Surface may prove more useful.

        

    The ‘demo’ device

    When you deliver a session during a tech conference, it’s a good idea to pack a separate demo device.

    As a frequent presenter, I carry around a separate demo device, next to the Dell Precision machine and my Surface 2. While my Surface 2 can be used to deliver a PowerPoint-based presentation, it can’t run Virtual Machines. When my Precision M4700 breaks during the trip, the spare demo device could save my behind.

    Of course, packing two laptop devices will probably make your carry-on luggage exceed the maximum allowed weight for it, but don’t be tempted to put one of your devices in your checked luggage. It’s a recipe for it to get stolen.

        

    Concluding

    The tech we all love to hate.

    Related blogposts

    New gear for the 2012 release cycle (and beyond)   
    Tips for Travelling to Tech Conferences, Part 1
    Tips for Travelling to Tech Conferences, Part 2
    Tips for Travelling to Tech Conferences, Part 3
    Tips for Travelling to Tech Conferences, Part 4
    Tips for Travelling to Tech Conferences, Part 5
    Tips for Travelling to Tech Conferences, Part 6 
    Tips for Travelling to Tech Conferences, Part 7 
    Tips for Travelling to Tech Conferences, Part 8

    KnowledgeBase: A hotfix is available that records more information in event ID 5125 for an OCSP response

    Last month, Microsoft released a KnowledgeBase article for Active Directory Certificate Services running on Windows Server 2008 R2 with Service Pack 1 and Windows Server 2012.

    Note:
    This KnowledgeBase article doesn’t apply to Windows Server 2012 R2, although the same issue exists there as in Windows Server 2008 R2 and Windows Server 2012.

        

    The situation

    When you configure a server running Windows Server 2008 R2 with Service Pack 1 or Windows Server 2012 as a Certification Authority (CA), you have the option to also configure it as an Online Responder. 

    The Online Responder is installed as the Online Responder Service (OCSP), an additional role service of the Active Directory Certificate Services (AD CS) Server Role. It is available in both Server with a GUI and Server Core installations.

    The Online Responder is an alternative to Certificate Revocation Lists (CRLs) for checking the revocation status of a certificate issued by a Certification Authority (CA).

    When you enable auditing for requests to the Online Responder, it logs event ID 5125 in the Security log of the server running the Online Responder Service.

    Enabling auditing for the Online Responder Service

    To enable request auditing for the Online Responder, you will need to audit object access on the server level. Perform these steps:

    1. Open the Local Group Policy Editor (gpedit.msc) to edit the local Group Policy of a server running the Online Responder Service, or start the Group Policy Management Console (gpmc.msc) to create a domain-based Group Policy Object (GPO) targeting the servers (or the Organizational Unit containing them) that run the Online Responder Service.

    2. Under (Policies,) Computer Configuration, expand Windows Settings, Security Settings, and Local Policies, and then click Audit Policy.

    3. Double-click the Audit object access policy.
         
      Audit Object Access
         

    4. Select the Success and Failure check boxes, and click OK.

    Then, perform these steps to enable auditing for the Online Responder:

    1. Open Online Responder Management (ocsp.msc), and select the Online Responder in the left pane.
    2. Right-click on the Online Responder and select Responder Properties from the Action menu, or click Responder Properties in the Action pane on the right.
    3. Click the Audit tab
         
      Audit Tab in the Online Responder Properties
         
    4. Select the Requests submitted to the Online Responder audit option, and then click OK.

       

    The issue

    By default, Event ID 5125 will contain the following information:

    Event ID 5125: "A request was submitted to OCSP Responder Service." (click for original screenshot)

    However, this information does not meet the basic requirement of the Common Criteria for Information Technology Security Evaluation. The Common Criteria for Information Technology Security Evaluation is an international standard (ISO/IEC 15408) for computer security certification.

        

    The resolution

    KnowledgeBase article 2891347 contains a hotfix for this issue.

    After you install this hotfix, audit event ID 5125 contains the certificate serial number, the issuer CA name and the revocation status. The event is then logged resembling the following:

    A request was submitted to OCSP Responder Service.
    Certificate Serial Number: 61342231000000000007
    Issuer CA Name: CN=ocsp-audit-CA, DC=test, DC=mydomain, DC=com
    Revocation Status: Good/Revoked/Unknown/Empty String
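    With the extra fields in place, the events become useful for monitoring: an Online Responder answering requests for a certificate it knows to be revoked is something a security team wants to see. The script below is an added example and not part of the KnowledgeBase article or the original post. It parses the three fields out of the event message, reads event ID 5125 from the Security log, and groups the requests for revoked certificates by serial number and issuer. Events written before the hotfix carry only the first sentence and are flagged as such. The sample message at the end is constructed for offline use; its serial number and CA name are placeholders.

```powershell
# Added example (not from the original post): parse the hotfix-added fields of
# event ID 5125 and report OCSP requests that concerned revoked certificates.
function ConvertFrom-OcspAuditMessage {
    param([Parameter(Mandatory)][string]$Message)
    $fields = [ordered]@{
        SerialNumber     = $null
        IssuerCA         = $null
        RevocationStatus = $null
    }
    foreach ($line in ($Message -split "`r?`n")) {
        # Each field sits on its own line as "Label: value"
        switch -Regex ($line.Trim()) {
            '^Certificate Serial Number:\s*(.+)$' { $fields.SerialNumber     = $Matches[1].Trim() }
            '^Issuer CA Name:\s*(.+)$'            { $fields.IssuerCA         = $Matches[1].Trim() }
            '^Revocation Status:\s*(.+)$'         { $fields.RevocationStatus = $Matches[1].Trim() }
        }
    }
    # Before the hotfix the event has no detail lines at all; make that visible
    if (-not $fields.SerialNumber) { $fields.RevocationStatus = 'NotRecorded (pre-hotfix event)' }
    [pscustomobject]$fields
}

function Get-OcspAuditEvent {
    # Reads event ID 5125 from the Security log of the Online Responder and parses it
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 1000)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
        -FilterHashtable @{ LogName = 'Security'; Id = 5125 } |
        ForEach-Object {
            ConvertFrom-OcspAuditMessage -Message $_.Message |
                Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
        }
}

function Get-RevokedCertificateRequest {
    # Revoked certificates that clients are still asking about, with request counts
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-OcspAuditEvent -ComputerName $ComputerName |
        Where-Object { $_.RevocationStatus -eq 'Revoked' } |
        Group-Object SerialNumber, IssuerCA |
        Select-Object Count, @{ n = 'SerialNumber,IssuerCA'; e = { $_.Name } }
}

# Constructed sample message (placeholder values, not from a real responder)
$sampleMessage = @"
A request was submitted to OCSP Responder Service.
Certificate Serial Number: 1a2b3c4d000000000042
Issuer CA Name: CN=Example-CA, DC=example, DC=test
Revocation Status: Revoked
"@
ConvertFrom-OcspAuditMessage -Message $sampleMessage
ConvertFrom-OcspAuditMessage -Message 'A request was submitted to OCSP Responder Service.'
```

    Reading the Security log requires an account with the Event Log Readers right or local administrator membership on the responder; a non-zero count from `Get-RevokedCertificateRequest` is worth correlating with the CA’s revocation records to see which clients are still presenting those certificates.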

      

    Concluding

    When you want more useful auditing information on requests submitted to the Online Responder Service on Windows Server 2008 R2 with Service Pack 1 or Windows Server 2012, install this hotfix.

    Related KnowledgeBase articles

    2891347 A hotfix is available that records more information in event ID 5125 for an OCSP response in Windows Server 2012 and Windows Server 2008 R2 SP1 

    Further reading

    Audit Online Responder Operations 
    AD CS Online Responder Service  
    Implementing an OCSP responder: Part I - Introducing OCSP  
    Implementing an OCSP responder: Part II Preparing Certificate Authorities 
    Implementing an OCSP responder: Part III Configuring OCSP for use with Enterprise CAs 
    Implementing an OCSP responder: Part IV Configuring OCSP for use with Standalone CAs 
    Implementing an OCSP Responder: Part V High Availability 
    Implementing an OCSP Responder: Part VI Configuring Custom OCSP URIs via Group Policy

    Six in a row! - 2014 MVP Directory Services

    Today I received an e-mail message titled

         “Congratulations 2014 Microsoft MVP!”

    This means I’ve been renewed for the fifth time. 2014 will be my sixth consecutive year as a Microsoft Most Valuable Professional (MVP) in the Directory Services area, as I’ve been awarded on January 1, in 2009, 2010, 2011, 2012 and 2013 before.

    2013 in Review

    As the calendar year 2013 comes to an end, today, it’s perhaps the perfect time to update all those who haven’t been able to keep up with the blog, but still want to know what went on this year.

    You’ll find my month-by-month personal highlights below, easily digestible within five minutes and including both my speaker and booth babe gigs for 2013 and a tiny little peek into the jobs I performed as a professional for my employer.

    Enjoy!

      

    January 2013

    On January 1, 2013, around 4 PM, I received the much anticipated message from Microsoft, awarding me as a Microsoft Most Valuable Professional (MVP) for the 5th time. Since the MVP Award is a yearly award, I’ll be waiting anxiously for the message tomorrow, to see if I made it to my 6th year and thus be invited back to Redmond in 2014…

    February 2013

    Between Christmas 2012 and February 15, I did a series of interviews for the Microsoft Virtual Academy (MVA). It was fun to get their perspectives on this Microsoft initiative, that has already touched a million and a half lives.

    The second week of February was reserved for the MVP Summit; my yearly opportunity to chat with the people behind Windows Server and System Center.

    Somehow, I ended up lunching with a couple of Windows IT Pro Expert MVPs at Snoqualmie Falls on Thursday and visiting Canada on Friday…

    March 2013

    My speaking season started late. On March 6, 2013 I performed a 1-hour session on Virtualization-safe(r) Active Directory and Domain Controller Cloning during the Dutch TechDays.

    During the TechDays my employer launched the ICT Expert Talks channel. It was fun to work with them to launch it and build upon it throughout the year.

    April 2013

    In April, Dave and I presented on Exchange ActiveSync once again. ActiveSync was ahead of its time, and I gained a lot of BYO-related feedback from these sessions.

    May 2013

    In May, I presented at the UK VMUG London meeting. Luckily, I had a chance to meet up with my niece and, finally, meet her partner.

    On May 30, 2013, I attended an unofficial Surface launch in Amsterdam. During this event, organized by the Marketing department of Microsoft Netherlands, I won the first official Dutch Surface Pro!

    June 2013

    The first week of June marked TechEd North America in New Orleans, for which I was selected to staff the ‘People-centric IT’ Microsoft booth. I had a blast at the event and the spare day we had in Louisiana:

     

    In June, I signed an ad deal with STEALTHbits to celebrate my 7 years of blogging.

    On June 20, Adnan and I visited the Belgian Community Day. We met up with our Belgian friends and colleagues and attended sessions we weren’t able to attend during TechEd, or that didn’t make the cut for TechEd and other international events but are presented by the best experts in our region.

    The last week of June had TechEd Europe written all over it. Madrid is a stunning place to be and Maarten, Chris and I made the best of our time there, including a visit to the Bull fights at Las Ventas.

    July 2013

    In July, I delivered my 9th class, guiding 7 colleagues to their MCSA certifications. A half year’s work resulted in yet another batch of highly motivated and skilled colleagues, ready to take on new challenges at customers.

    On July 30, 2013 I finally negotiated my new job at OGD. While I’ve been with them for 13 years, I haven’t had a manager for the last five years. Now I do. And I am their Microsoft Technology Lead. The function is comparable to a CTO position, but only for about 80% of the business.

    August 2013

    We ended up in Egypt during the big riots. Luckily we chose a Red Sea resort in Sharm el-Sheikh instead of Hurghada…

    September 2013

    As part of my continuing effort to support IT Pro communities throughout Europe, I attended the MVP ‘Transform the Datacentre’ event at the Microsoft London Office on September 10th. The office at Cardinal Place is located around the corner from Buckingham Palace, so at lunch time we went over there.

    Also, it was fun to sit down after the event with David Allen and Simon Skinner and hear what they’re doing in the UK.

    October 2013

    In October, Raymond and I presented our BYO Essentials sessions for the first time. This is the topic we are presenting on for 2014 and have submitted to the TechEd organization for consideration. We presented on this topic at the Experts Live 2013 event too, and will do so again at the Nordic Infrastructure Conference, scheduled in two weeks.

    November 2013

    In November, I wrote a BYO Roadmap for the market leader in lifting, transporting, installing and decommissioning large and heavy structures in the petrochemical and mining industries. They are located only 5 miles from my home…

    December 2013

    This December, I visited a large Dutch critical infrastructure provider and gave them some practical Active Directory advice in relation to ISO 27001.

    In between this job, I visited Greece for the European ITPRO|DEV Connections.

    On December 31, 2013 I concluded my own series of Microsoft exams, as part of the job description I agreed upon late July. I’m now an MCSA | Windows 8, MCSA | Windows Server 2012, MCSE | Desktop Infrastructure and MCSE | Server Infrastructure.

      

    Thank you for a wonderful 2013!

    Cross-forest Migrating Dynamic Access Control

    Six months ago, I wrote on 10 Things you need to be aware of before deploying Dynamic Access Control. As point 8, I noted that the Active Directory Migration Tool (ADMT) does not support cross-forest migrating Dynamic Access Control (DAC).

    As an Active Directory admin, ADMT would obviously be the first tool to look at: you can cross-forest migrate user accounts, groups and group memberships with it. Unfortunately, you cannot migrate Dynamic Access Control between Active Directory forests with it. The Data Classification Toolkit (DCT), however, can. It is PowerShell only.

    About the Data Classification Toolkit (DCT)

    The Data Classification Toolkit (DCT) is a free solution accelerator from Microsoft. The latest version, Microsoft Data Classification Toolkit for Windows Server 2012 (version 2.1), supports Dynamic Access Control.

    The Data Classification Toolkit for Windows Server 2012 works in conjunction with Windows Server 2008 R2 File Classification Infrastructure (FCI) and Dynamic Access Control in Windows Server 2012 to help IT pros gain insight into stored information, enforce access policies, and configure access policies for files based on claims.

        

    Migrating Dynamic Access Control

    So, in an Active Directory environment with multiple Domain Controllers that you want to migrate from, you might have Dynamic Access Control configured. This means you would have created:

    • Resource properties
    • Property lists
    • Central access rules
    • Central access policies

    Additionally, you would have pushed resource properties to your file servers and deployed the central access policies through Group Policy. Of course, you’ve classified data and have enjoyed using Dynamic Access Control.

    Note:
    When you haven’t actually used file classification with Dynamic Access Control, you might not have any need to migrate the information from your Active Directory forest when you migrate to a new Active Directory forest…

    Now, the above four types of information in Active Directory can be migrated with the Data Classification Toolkit, although you might have thought that you needed the Active Directory Migration Tool (ADMT) to do this.

    Tip!
    To cross-forest migrate Group Policy Objects (GPOs), you can use the Group Policy Management Console (GPMC) or other solutions, like the BackupGPO.wsf and ImportGPO.wsf scripts from the Group Policy Management Console sample scripts download.

    The process of migrating the Dynamic Access Control configuration cross-forest is export and import. This adds to the flexibility of the solution, since you don’t need to set up a trust or worry about network connectivity or time synchronization (unless you want to).

    One downside of using the Data Classification Toolkit to export and import the Dynamic Access Control configuration for a cross-forest migration is that it is only available through PowerShell.

         

    Download the Data Classification Toolkit

    The Data Classification Toolkit for Windows Server 2012 is available as a free download from the Microsoft Download Center. Download it here.

         

    Installing the Data Classification Toolkit

    After you have downloaded the Data Classification Toolkit, install it on a server in the source domain by double-clicking Microsoft Data Classification Toolkit.msi.

    Installing the Microsoft Data Classification Toolkit, Step 1 (click for original screenshot)

    Click on Next in the Welcome screen.

    Installing the Microsoft Data Classification Toolkit, Step 2 (click for original screenshot)

    Select the I accept the terms in the License Agreement option and then click Next.

    Installing the Microsoft Data Classification Toolkit, Step 3 (click for original screenshot)

    Click Change… to pick the location where you want to install the Microsoft Data Classification Toolkit, or just click Next to accept the default location in the 32-bit Program Files folder.

    Installing the Microsoft Data Classification Toolkit, Step 4 (click for original screenshot)

    Click Install.

    Installing the Microsoft Data Classification Toolkit, Step 5 (click for original screenshot)

    Click Finish in the Completed the Microsoft Data Classification Toolkit for Windows Server 2012 Setup Wizard.

         

    Exporting the Claims Configuration

    As part of the Data Classification Toolkit installation, on the server where you’ve installed it, a Tools folder will be created underneath the installation path. In a default installation, this folder will be:

    C:\Program Files (x86)\Microsoft\Data Classification Toolkit\Tools

    In this folder you will find two PowerShell scripts:

    • Export-ClaimsConfiguration.ps1
    • Import-ClaimsConfiguration.ps1

    We’ll use the first script to export the Claims Configuration from the source Active Directory environment. Start PowerShell from the taskbar or Start Screen. Then type the following commands:

    Set-ExecutionPolicy Unrestricted

    # run from the Tools folder listed above
    .\Export-ClaimsConfiguration.ps1 -file C:\DAC.xml -server DC1.sourcedomain.tld -IncludeCentralAccessPolicies

    Here, C:\DAC.xml is the file to which you want to export the Dynamic Access Control (DAC) configuration of the source Active Directory environment, and DC1.sourcedomain.tld is a Domain Controller in the source domain.

    Note:
    The server needs to be a Global Catalog in the source domain.

    Tip!
    The script also exports dependent data types, unless you explicitly specify the -DontExportDependencies parameter.

    Now, you will have an XML-based file with the Dynamic Access Control configuration:

    Example of an XML-based Claims Export file (click for original screenshot)


    Importing the Claims Configuration

    Now, to import the Dynamic Access Control (DAC) Configuration in the target domain, we’ll need the XML file. Also, we’ll need the Import-ClaimsConfiguration.ps1 script from the Data Classification Toolkit folder.

    Tip!
    We can execute the command from the migration PC in the source Active Directory environment, or from any domain-joined Windows Server 2012-based server in the target Active Directory environment.

    Tip!
    On another server, don’t forget to run Set-ExecutionPolicy unrestricted, since both scripts are unsigned, although they originate from within Microsoft.

    Within PowerShell, combine the two files within the following PowerShell command:

    .\Import-ClaimsConfiguration.ps1 -file C:\DAC.xml -server DC1.targetdomain.tld -ProtectedFromAccidentalDeletion

    Example of the output from a successful Import-ClaimsConfiguration.ps1 execution (click for original screenshot)
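    The script below is an added example, not code from the original post or from the Data Classification Toolkit itself. It wraps the export and import steps described above and adds the checks a migration engineer would want around them: it verifies that the source server is a Global Catalog before exporting, limits the execution-policy change to the current PowerShell process instead of the whole machine, refuses to import a file that is not well-formed XML, and compares the number of claim types and central access policies in both domains after the import. It reuses the Tools path, the C:\DAC.xml file name, the two DC names and the script parameters exactly as they appear in this post; Get-ADDomainController, Get-ADClaimType and Get-ADCentralAccessPolicy come from the ActiveDirectory module that ships with Windows Server 2012. It assumes the account running it can read the source domain and write to the target domain (cross-domain credentials are not covered).

```powershell
# Added example (not part of the Data Classification Toolkit or the original post):
# wraps Export-ClaimsConfiguration.ps1 and Import-ClaimsConfiguration.ps1 with
# pre- and post-checks. Assumed: default Tools path, C:\DAC.xml and the two DC
# names from the post; the account has read access to the source domain and
# write access to the target domain.

$toolsPath  = 'C:\Program Files (x86)\Microsoft\Data Classification Toolkit\Tools'
$exportFile = 'C:\DAC.xml'
$sourceDc   = 'DC1.sourcedomain.tld'
$targetDc   = 'DC1.targetdomain.tld'

Import-Module ActiveDirectory

# Scope the execution-policy change to this process only; a machine-wide
# "Set-ExecutionPolicy Unrestricted" stays in effect long after the migration.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

# The toolkit scripts are unsigned; if they were copied from the internet they may
# carry a zone identifier that RemoteSigned blocks. Unblocking affects only these files.
Get-ChildItem -Path $toolsPath -Filter '*-ClaimsConfiguration.ps1' | Unblock-File

# The export has to be taken from a Global Catalog (see the note in the post).
$dc = Get-ADDomainController -Identity $sourceDc -Server $sourceDc
if (-not $dc.IsGlobalCatalog) {
    throw "$sourceDc is not a Global Catalog; use another DC in the source domain."
}

# Record what we expect to move, so the import can be reconciled afterwards.
$srcClaims = @(Get-ADClaimType -Filter * -Server $sourceDc).Count
$srcCaps   = @(Get-ADCentralAccessPolicy -Filter * -Server $sourceDc).Count
Write-Host "Source: $srcClaims claim types, $srcCaps central access policies"

# Export with the same parameters as in the post.
& (Join-Path $toolsPath 'Export-ClaimsConfiguration.ps1') -file $exportFile -server $sourceDc -IncludeCentralAccessPolicies

# Never feed a missing or malformed file to the import script.
if (-not (Test-Path $exportFile)) { throw "Export file $exportFile was not created." }
try {
    $null = [xml](Get-Content -Path $exportFile -Raw)
} catch {
    throw "Export file $exportFile is not well-formed XML: $_"
}

# Import into the target domain with the same parameters as in the post.
& (Join-Path $toolsPath 'Import-ClaimsConfiguration.ps1') -file $exportFile -server $targetDc -ProtectedFromAccidentalDeletion

# Reconcile: the target should now hold at least as many DAC objects as the source.
$tgtClaims = @(Get-ADClaimType -Filter * -Server $targetDc).Count
$tgtCaps   = @(Get-ADCentralAccessPolicy -Filter * -Server $targetDc).Count
Write-Host "Target: $tgtClaims claim types, $tgtCaps central access policies"
if ($tgtClaims -lt $srcClaims -or $tgtCaps -lt $srcCaps) {
    Write-Warning 'Target has fewer DAC objects than the source; review the import output.'
}
```

    The count comparison is deliberately loose (the target may already contain claim types of its own), so a shortfall is reported as a warning to investigate in the import output rather than treated as a hard failure.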


    Concluding

    It’s easy when you know how.

    Related blogposts

    10 Things you need to be aware of before deploying Dynamic Access Control    
    New features in AD DS in Windows Server 2012, Part 20: Dynamic Access Control (DAC) 
    Common Challenges when Managing Active Directory Domain Services, Part 2: Unnecessary Complexity and Token Bloat 

    Related downloads

    Data Classification Toolkit 
    Group Policy Management Console Sample Scripts

    Further reading

    PowerShell – Data Classification Toolkit for Windows Server 2012 
    TechNet Library - Data Classification Toolkit 
    Important Information about the Data Classification Toolkit 
    TechNet Blogs - The Data Classification Toolkit for Windows Server 2012 is now available!  
    TechNet Blogs - Data Classification Toolkit for Windows Server 2008 R2-Now Available 
    TechNet Blogs - Data Classification Toolkit for Windows Server 2008 R2 
    Data Classification Toolkit for Windows Server 2008 R2  
    Data Classification Toolkit for Windows Server 2012   
    How to Use Microsoft’s Data Classification Toolkit 
    Microsoft Solution Accelerators for the Datacenter and Private Cloud Module 6 Part 1 

    Acknowledgements

    Thanks to Nir Ben-Zvi for the tip.