Welcome to Dirteam.com/ActiveDir.org Blogs Sign in | Join | Help

Export DNS Forwarders

If you have ever had to move or rebuild a DNS server and have a complicated forwarder list there is an easy way to export the list and then import them back into the new server and/or use this export for a new build.

  • open up regEdit
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones

From the menu select File and then Export.  Saving the file to a location that will be available for the new server.

Open up the newly exported files and clean up any zones you may not want to transfer, save and close it

Log onto the new server and open up regEdit then select File and Import.

Follow this by restarting the DNS server service

Bring up the DNS mmc console and you should now see the new zones.

Inconsistent Membership of a Security Group

I ran across an issue the other day that had me scratching my head and calling PSS to try and track down the problem.

For some reason we had members of a security group that were inconsistently being denied access to RDP to our SQL servers.  There is a special group the SQL DB's belonged to which elevated them to Local Administrators on the box and this would also provide them the ability to RDP to the box.  We created a new security group and granted the exact same memberhsip and permissions to a test box and we couldn't get the permissions to fail, yet we continued to have the intermittent issues with our original group.

Running WireShark on the SQL box we could see where the proper connections were being sent and received, since originally we expected some type of Kerberos issue that we didn't see but we soon ruled that out.  Finally the Microsoft tech asked us to run a command within NTDSUtil I had never even known about before "Group Membership Evaluation".

Evaluate Group Membership will dump the contents of what groups for the user token to a text file and you can then look to see what the DC sees.  In this case we ran the command against each DC within the domain and sent the data off to Microsoft.  In the mean time I looked at each text file and found three DC's with a rather odd Group-Owner attribute on three different DC's.  The owner was a SID that couldn't be translated to a friendly name and looking closer I could see that the SID wasn't defined correctly, it had a corrupted value.  With this corruption also caused the evaluation of the group to quit showing the members within the group <DING, DING, DING>.  It couldn't evaluate who belonged to the group since the owner SID was corrupted.

I figured I would try and change the owner to a new administrative group and whah lah the group immediately exposed all the correct members within NTDSUtil.  I had the SQL DB's attempt to logon and it was still failing for them so I figured I would and reboot the box to correct any possible caching issue and upon this the problem went away.

When logged on the DC, open a CMD prompt
Type NTDSUTIL
Type: group membership evaluation
Type: run "Domain FQDN" "User Name"

Output is a "Tab Seperated Value" (.tsv) file, so open in Excel and it will show you all the tokens associated with the security principal in nice order.

NTDSUtil and Group Membership Evaluation
http://technet.microsoft.com/en-us/library/cc733025.aspx

Clean Up DCs SYSVOL FRS Member Object

If you have ever run dcDiag and ended up with the error output as follows:

      Starting test: VerifyEnterpriseReferences

         The following problems were found while verifying various important DN

         references.  Note, that  these problems can be reported because of

         latency in replication.  So follow up to resolve the following

         problems, only if the same problem is reported on all DCs for a given

         domain or if  the problem persists after replication has had

         reasonable time to replicate changes.

           [1] Problem: Missing Expected Value

             Base Object:

            CN=OLDDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domainName,DC=loc

             Base Object Description: "SYSVOL FRS Member Object"

             Value Object Attribute Name: frsComputerReference

             Value Object Description: "DC Account Object"

             Recommended Action: Check if this server is deleted, and if so

            clean up this DCs SYSVOL FRS Member Object.  Also see Knowledge

            Base Article:  Q312862

            

            [2] Problem: Missing Expected Value

             Base Object:

            CN=OLDDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domainName,DC=loc

             Base Object Description: "SYSVOL FRS Member Object"

             Value Object Attribute Name: serverReference

             Value Object Description: "DSA Object"

             Recommended Action: Check if this server is deleted, and if so

            clean up this DCs SYSVOL FRS Member Object.  Also see Knowledge

            Base Article  Q312862

            

         ......................... DC01 failed test VerifyEnterpriseReferences

This probably occured from a lost DC that was never fully cleaned up or some similar hoursekeeping task that doesn't cause any type of error generation on day to day tasks.

To clean this up you will want to bring up ADSIEdit and browse to the object and right click on it and delete it.  Obviously you will always want to get a backup in the event of some unknown issue.

Details from Microsoft that discuss this
http://support.microsoft.com/kb/555846

Unexplained dcDiag Errors

So I have been banging my head against a wall trying to figure out why I have been getting these crazy errors in dcDiag.  From all that I can tell replication is working as expected but yet I am getting errors that are mostly undocumented and difficult to find out any real information on.

Starting test: VerifyReplicas
            For the partition

            (DC=ForestDnsZones,DC=Domain,DC=COM) we encountered

            the following error retrieving the cross-ref's

            (CN=78c43cf5-2740-4337-a139-341965555f1,CN=Partitions,CN=Configuration,DC=Domain,DC=COM)

             information:
               LDAP Error 0x52b (1323).
......................... DC-02 failed test VerifyReplicas

Starting test: VerifyEnterpriseReferences
   Can't determine the age of the cross-ref

   CN=78c43cf5-2740-4337-a139-341965555f1,CN=Partitions,CN=Configuration,DC=Domain,DC=COM

   for the partition DC=ForestDnsZones,DC=Domain,DC=COM, so

   following errors relating to this cross-ref/partition may disappear

   after replication  coalesces.  Please ensure that replication is

   working from the Domain Naming FSMO to this DC, and retry this test to

   see if errors continue.
   Can't determine the age of the cross-ref
......................... DC-02 failed test VerifyEnterpriseReferences

Starting test: CutoffServers
   * Configuration Topology Aliveness Check
   * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=Domain,DC=COM.
   * Performing upstream (of target) analysis.
   DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
   * Performing downstream (of target) analysis.
   DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
......................... DC-02 passed test CutoffServers

 

I went through and verified i was in the Domain Admins group, I verified that the Domain Admins security group had full permissions to the objects in error.  Did extensive research on the internet in a number of different Bing searches to try and come up with even a hint as to what the problem was.  Still nothing.  I posed the question to DS MVP colleagues and the one thing Jorge pointed out was this was some type of password issue related to the 0x52b error.  I had run across something on the internet as well related to password and had been why I checked into the permissions on the objects.

Finally a thought crossed my mind... I was using a trusted administrator user account from a User Forest, so out of desperation I logged on as a local admin.       BAM!!!!!!  All the errors went away.  So the password error was probably some how related, but I couldn't explain why...

Long story short - When running dcDiag always use a domain local admin account.

How to Build an AD Replication Delay (Lag) Site

To prevent having to restore objects from Active Directory due to accidentally deleting an object, you can have a remote DC which only sends/receives replication on a limited basis.  You also want to prevent users from authenticating against, as well as services being used by other machines, since the metadata on this DC is aging away w/o replication keeping it up to date

 

Because of this you want to remove all advertised services via dns lookup.  To do this, this DC must be isolated from other DC’s and all replication controlled.  For that reason a separate site is required to control Intersite Replication.

 

The following are the steps taken to create a single lag site dc.  If you would like to have more than one time frame to fall back upon, all you need do is repeat these steps for a different DC.

 

  • Promote a member server to a DC and allow replication to complete
    • Don’t load any unnecessary services
    • Don’t load WINS nor make this a WINS client
  • Create a separate site and site link (I use “Lag” as part of the name to help document it)
    • Create a new site
    • Create a new site link, including the source and the Lag sites.  If you notice I have set the Site Link Replication Frequency (Replicate Every) to 15 minutes.

 

    • Click on the “Change Schedule” button to set the replication schedule to a time frame that fits for your enterprise.  In this example, I have set the replication schedule for Saturday morning from the hours of 12:00 am to 2:00 am.  So this site should allow replication updates to occur every 15 minutes, on Saturday’s, from the hours of 12:00 am until 2:00 am.  Once a replication cycle starts it will continue until complete, which can go beyond the 2:00 am time frame, but no new cycles will start after 2:00 am.

 

  • Define the subnet and link it to a site
    • Borrowing some knowledge from a blog from Brian Desmond, I have created a separate single host site sub-net.  I have reserved the address for the dc in dhcp (I reserved .240) and then defined the subnet as a /32 ip mask.  The most precisely defined subnet in sites and services is considered the subnet location.

 

  • Move the new dc to the newly defined site (Lag Site)

Now that the DC has been placed in its own site and is no longer receiving regular AD replication updates, it needs to no longer advertise itself as a usable DC.  To do this, a Group Policy Object will be created and linked to this new site.

 

  • Create a new GPO, but do not link it to any OU or Site at this time
  • Edit the Policy DC Locator DNS records not registered by the DCs.  This is located at Computer Configuration / Administrative Templates / System / Net Logon / DC Locator DNS Records.  The following mnemonics should be entered into the entry box:
    • Ldap LdapAtSite Pdc Gc GcAtSite GcIpAddress DcByGuid Kdc KdcAtSite Dc DcAtSite Rfc1510Kdc Rfc1510KdcAtSite GenericGc GenericGcAtSite Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd
  • Link this new Group Policy to the “Lag” site, where the new DC resides
    • Change the policy to allow authenticated users to read and remove (Don’t deny) the right to apply
    • Add the computer name of the new DC and grant it Read and Apply.  This will help prevent the wrong DC’s from having policy applied against.
  • Shut down the new Lag site DC
    • Open up the dns zone _msdcs and remove all of the new DC’s dns service records
      • Do not remove the Alias (CNAME) record at the root of the zone
    • Power the DC backup
      • During the reboot any dns records that would be needed will be rebuilt

Run dcdiag, repadmin and dnslint in verbose mode.

  • DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
  • repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
  • dnslint /ad /s  "ip address of your dc"

 

**Note 1: Using the /E switch in dcdiag will run diagnostics against ALL dc's in the forest.  If you have significant numbers of DC's this test could generate significant detail and take a long time.  You also want to take into account slow links to dc's which will also add to the time.

 

**Note 2: There are certain errors to expect, since the lag site DC won’t be advertising as a KDC you will be warned about this, etc…  But, replication should be error free.

 

**Note 3: Forced replication will still occur, this model only prevents scheduled replication.

Posted by Paul Bergson | 0 Comments

Upgrading AD from 2003 to 2008

Upgrading Active Directory from 2003 to 2008

--- (Note: This is a copy from another site and at this time my snapshots are missing)---

·        Microsoft’s Preupgrade check list

·        Before upgrading AD verify all current applications are compatible     

o   Verify you are on the correct version for 2008

§  For example, does your SAN at its current release support 2008

§  Does the version of Exchange you are running support 2008

o   Ensure all dc’s Windows 2000 dc’s are at least at SP4

§  From a command prompt run

Ø repadmin/showattr

·        Verify that your Active Directory forest is healthy

o   DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log

o   netdiag.exe /v > c:\netdiag.log (On each dc)

o   repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

o   ntfrsutl ds your_dc_name > c:\sysvol.log

o   dnslint /ad /s "ip address of your dc"

·        Get a backup up of at least two separate dc’s, including your PDCe

·        Although you can upgrade, I would strongly urge you to do fresh install on all new 2008 installations

o   Upgrading

§  Verify that the hardware will be compatible with 2008

§  You cannot directly upgrade from W2K to W2K8, you must go W2K to W2K3 and then W2K3 to W2K8

§  The bloat associated with patching, etc… just is a waste of space

Ø Verify you have plenty of disk space available

Ø If you don’t have a good 20gb of free space, you are probably going to run into space issues, trust me on this.  All future patches, etc… that roll into the o/s are kept in the system folder and slowly over time start to chew your volume.

§  verify that the machine upgrading holds the FSMO role of operations Master (Upgrade DC order)

o   Fresh install

§  Ensure you had at least a 50gb system partition

§  Consider using x64, all future Windows server operating systems are going to x64 bit, starting with 2008 R2

Prep the forest, domain and dns zones

·        Prep your forest

o   Copy the adprep folder to a local folder on your dc or run from the cd

o   Make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.

o   Execute adprep  (See KB753437, Be sure this is run on the Schema master, otherwise it will not run)

C:\adprep>adprep /forestprep 

ADPREP WARNING:

Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.

[User Action]

If ALL your existing Windows 2000 Active Directory Domain Controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.

c

Opened Connection to DCTEST

SSPI Bind succeeded

Current Schema Version is 30

Upgrading schema to version 44

Connecting to "DCTEST"

Logging in as current user using SSPI

Importing directory from file "C:\WINDOWS\system32\sch31.ldf"

Loading entries............................................................................................................................................

139 entries modified successfully.

 

You should see multiple entries similar to above.  Just let the system spin and you can go take a break while waiting.  At the end you will see the following (Hopefully!).

................................................................................

................................................................................

................................................................................

................................................................................

 

Adprep successfully updated the forest-wide information.

 

o   Although this dc has completed the schema upgrade, you must wait until ALL dc’s in your forest receive this change via replication (Converge). 

§  Depending on your forest this could be in a few minutes to possibly days

 

·        Once the proper amount of time has passed, the domain’s should now also be ready to be prep’ped

o   If you would like to verify that the forest has been upgraded

§  Start up ADSIEdit

1.     Connect to Configuration / Configuration / ForestUpdates / ActiveDirectoryUpdate

1.     Right Click and select Properties

1.     Revision = 2

Ø Connect to Schema / Schema

        Right click and select properties

1.     ObjectVersion = 44

o   Adprep /domainprep    (Domain must be in Native Mode 2003)

§  Adprep /domainprep /gpprep  (Use this command line if upgrading from Windows 2000, Windows must be in Native Mode 2000)

C:\adprep>adprep /domainprep

Running domainprep ...

Adprep successfully updated the domain-wide information.

The new cross domain planning functionality for Group Policy, RSOP Planning Mode, requires file system and Active Directory Domain Services permissions to be updated for existing Group Policy Objects (GPOs). You can enable this functionality at any time by running "adprep.exe /domainprep /gpprep" on the Active Directory Domain Controller that holds the infrastructure operations master role.

This operation will cause all GPOs located in the policies folder of the SYSVOL to be replicated once between the AD DCs in this domain.  Microsoft recommends reading KB Q324392, particularly if you have a large number of Group policy Objects.

o   Although this dc has completed the domain prep upgrade, you must wait until ALL dc’s in this domain receive this change via replication (Converge). 

§  Depending on your domain this could be in a few minutes to possibly days

 

·        Once the proper amount of time has passed

o   If you would like to verify that the domain has been upgraded

§  Start up ADSIEdit

Ø Connect to Configuration / Configuration / ForestUpdates / ActiveDirectoryUpdate

 

·        If there are any near or far term plans to install RODC’s, prep your dns zones

o   Adprep /rodcprep

§  This will traverse through the separate partitions and update the permissions

Ø Verify that the prep completed without error

        Adprep completed without errors. All partitions are updated. See the ADPrep.log in directory C:\WINDOWS\debug\adprep\logs\yyyymmdd999999 for more information.

·        Prep your domain

o   Connect to the FSMO Infrastructure Master role holder

o   From the cd either copy the \sources\adprep or run the following:

§  Adprep /domainprep /gpprep

 

Begin the actual installation

·       New 2008 DC

o   Verify that the AD DS role has been installed on your 2008 member server

o   From an elevated command prompt promote this new DC

§  Dcpromo

·      

 

·       The following will pop up

o  

 

·       Followed by, Select Next

o  

 

·       Read the description on new secure channel controls and verify that you understand its impact and then select next

o   KB942564 explains in greater details its impact within your organization

o  

 

·       Select Existing Forest and click next

o  

 

·       Verify the forest and credentials are properly set and click next

o  

 

·       Select a domain for this additional domain controller and click next

o  

 

·       Select the site where you would like the new dc to be placed in and click next

o  

 

·       Select those additional services you would require this dc to have and click next

o  

 

·       If the following pop up box appears

o  

 

§  If you are installing an additional domain controller in either the forest root domain or a tree root domain, you do not have to create the DNS delegation. In this case, click Yes and disregard the message.

 

·       Verify the default locations are as expected and click Next

o  

 

·       Enter the AD DS password and click Next

o  

 

·       On the Summary dialog box, verify all settings are correct and hit Next

o  

 

·       The following box will appear while the promotion advances.  Please be patient during this process, depending on the size of your AD environment this could take a few minutes to multiple hours.

o  

 

·       Once the promotion is complete, click Finish and Restart the newly promoted dc

o  

 

o  

 

 

·       Once complete allow all DC’s to properly replicate all changes within the infrastructure

·       Microsoft recommends moving the FSMO roles to a 2008 DC

o   From Active Directory Users and Computers (ADUC) right click on the domain and select Operations Masters

§ 

 

o   From each of the three tabs (RID, PDC and Infrastructure) change to a 2008 DC

§ 

 

§  If your destination IM is also a GC, make sure all other dc’s are gc’s or that this is a single domain forest.  Otherwise you can create phantom object problems.

o   From Active Directory Domain and Trusts

§  Verify you are connected to the DC you want to transfer the Domain Naming role to

§  Right click and select Operations Manager

§ 

 

o   From Schema Management

§  If you haven’t already, register the schema management

·       From a command prompt

o   regsvr32 schmmgmt.dll

·       In the mmc console add the Schema management

·       Select the Schema management console and connect to the DC you want to move the FSMO role to

·       Right click on Schema management and Select operations Management

o  

 

o   To verify all fsmo roles have been transferred run the following from a command prompt

§  Netdom query fsmo

 

Preventing Spoke DC’s from Advertising in the Hub Site for Authentication Availability

If you have a hub and spoke site topology, it may not be a good idea for certain (Or all) spoke dc’s to be advertising, via dns services, the ability to provide authentications services.  If you have a remote site with a dc that fails it is usually best that the spoke send its users to the hub for authentication purposes.  By default Active Directory (AD) doesn’t act this way.  If you would like set up your spokes to only advertised in its own site then you will want to configure a group policy (Windows 2003 and above) to prevent these spoke dc’s from advertising.  For machines running Windows 2000 you will need to do a reg hack (KB article defined later).

You will need to create a new group policy and define which DC’s will have read and apply policy.  Make sure to remove the authenticated users apply permission otherwise ALL dc’s will have this policy applied once it is link to the Domain Controllers ou.

 

·         Open up Group Policy Management and create a new Policy

·         Select this new Policy and click on the Delegation tab

o   Select the Advanced button

§  Remove the apply permission to the Authenticated users

§  Add each DC you would like to apply this policy to  and provide read and apply permissions

·         Right click on the policy and select Edit

o   Computer Configuration / Administrative Templates / System / Net Logon / DC Locator DNS records

§  Double click on DC Locator DNS records not registered by the DCs

·         Key in the Mnemonics below (Copy and paste)

DC DcByGuid Gc GcIpAddress GenericGC Kdc Ldap LdapIpAddress Rfc1510Kdc Rfc1510Kpwd Rfc1510UpdKdc Rfc1510UdpKpwd

·         See below for Mnemonics definitions

 

 

Wait for/or force replication and then from a command prompt on each dc in question key in the following:

·         Gpupdate /force

o   This will apply the new policy

·         Restart the NetLogon service (Or run netdiag /fix)

o   This will update the dns records.  Make sure when you check that you verify on the server this dc is attached to or wait for replication to take place.

 

 

The following table was taken from the KB article KB306602

Reference Tables

The following tables contain mnemonics, types, and the owner names of the domain controller locator DNS records that should not be registered by the satellite domain controllers and global catalogs to optimize the domain controller location.

Domain Controller-Specific Records

Collapse this tableExpand this table

Mnemonic

Type

DNS Record

LdapIpAddress

A

<DnsDomainName>

Ldap

SRV

_ldap._tcp.<DnsDomainName>

DcByGuid

SRV

_ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>

Kdc

SRV

_kerberos._tcp.dc._msdcs.<DnsDomainName>

Dc

SRV

_ldap._tcp.dc._msdcs.<DnsDomainName>

Rfc1510Kdc

SRV

_kerberos._tcp.<DnsDomainName>

Rfc1510UdpKdc

SRV

_kerberos._udp.<DnsDomainName>

Rfc1510Kpwd

SRV

_kpasswd._tcp.<DnsDomainName>

Rfc1510UdpKpwd

SRV

_kpasswd._udp.<DnsDomainName>

Global Catalog-Specific Records

Collapse this tableExpand this table

Mnemonic

Type

DNS Record

Gc

SRV

_ldap._tcp.gc._msdcs.<DnsForestName>

GcIpAddress

A

gc._msdcs.<DnsForestName>

GenericGc

SRV

_gc._tcp.<DnsForestName>

Posted by Paul Bergson | 1 Comments

How to Decommission a Domain Controller

Decommissioning a dc requires all domain services that currently reside on a server need to be moved to other dc’s. 

 

  • You need to move any fsmo roles from this dc to another dc (KB255960)
    • To learn where the roles reside run the command     netdom query fsmo
    • If the PDCe fsmo role resided on this DC then you need to reconfigure the new holder of the PDCe to either use the internal hardware clock or an external source.  I would recommend using an external source KB816042.
  • There needs to be at least one Global Catalog (GC) in each domain and it is recommended that there is one in each site (KB313994)
  • Move DNS services to other DC’s if this DC is a DNS provider.  Also point all clients that use this server for DNS to the new DNS server
    • If AD integrated simply installing DNS on a member server prior to promotion will bring up a new DNS server
    • If not AD integrated and this is a primary server then a new primary server will need to be brought online.  From DNS server manager the server needs to be promoted to primary
    • If a secondary server then make the new dc a new secondary server
  • If a dhcp server then the dhcp servers database needs to be backed up and copied to the new dhcp server.  The old dhcp server deauthorized and the new dhcp server authorized (KB325473)
  • If you have Encryption File System (EFS) enabled you will need to move the private key if it resides on this dc (KB241201).  You use the recovery agent's private key to recover data in situations when the copy of the EFS private key that is located on the local computer is lost
  • If this server manages Terminal Server Licensing (TSL) then it will have to be moved to a new DC.  From Add/Remove programs you will need to add a new TSL.  You can then restore the licenses by using the TS License Manager tool with the Telephone activation mechanism. You can switch to the Telephone mechanism by right clicking on the server in TS License Manager, and then selecting properties from the menu. (TS FAQ)
  • What about WINS
  • Check to see if your clients are using the ip address of this DC for DNS services, if so point the DNS clients to a new DNS server

 

Finally once this is all accomplished go ahead and demote the dc to a member server (KB238369)

Once the DC is demoted, as a final step you will need to go into Active Directory Sites and Services and manually remove the computer object from the site

Create A Test Domain (Old Style)

This document was prepared for the building of a copy of the production Active Directory. Following these steps will define how to rebuild the entire Microsoft Active Directory for a test domain. *** Be careful ***

The first set of steps is to get a good pc into the production domain. Once this pc is a member it needs to be promoted and be a healthy participant in the network. The new DC then needs to be removed from the network before it is restarted (From its restore) to prevent any replication activity from damaging the production system. Reconnection to the production system will create major problems in the production system

1. Shutdown ALL pc’s within the test sub-net (For this document it will be 192.168.1.x, gateway = 192.168.1.250), mask = 255.255.255.0

2. Remove the physical cable for the new pc and build the member server (This all should reside within the test domain) in production

· Install DNS (AD Integrated needed for this document)

3. Re-connect the cable and join the Domain_Name.com domain

· Select the IP Address 192.168.1.101

· Select the mask to 255.255.255.0

· Select the Gateway 192.168.1.250

· Point the DNS services to a production AD DNS server

4. Promote the server to a Domain Controller (DC) via dcpromo.exe

5. Promote the server to a Global Catalog Server

6. Let the system sit idle (2 hours) for Replication to sync up

· Point the DNS services to itself

7. Open up a command prompt

· dcdiag /v /test:ridmanager

· Make sure no errors with the rid manager

· Create an object on the new DC

· Physically disconnect the cable

· Bring up “Active Directory Users and Computers”

· By disconnecting you force the system to attach locally

· Create a test user with the account disabled

· Reconnect the physical cable

8. At a command prompt type in NTBACKUP and do a system state backup saving the file to the local server

9. Demote this server to a member server with in the production domain (DCPROMO)

· Remove the NS record in the production environment

10. Physically disconnect the server from the network by unplugging the cable from the hub

11. Move the server to the test domain

12. Re-Promote once this system has been disconnected and the ip changed

· Dcpromo

· Domain Name = Domain_Name.com

· NetBios Name = NetBIOS_Name

· Allow the promotion to create the DNS domain

· Once this DC is brought online (The DNS services on the member server can be shut down), define it with Integrated Active Directory DNS and all name space records will be restored. Make sure to bring up DNS and select reload to refresh all data

· Active Directory Integrated

· Only Secure Updates

13. Reboot this server and After the POST Select F8

· Scroll down and select the option

“Directory Services Restore Mode (Windows 200x domain controllers only)”

14. Log on as the administrator (This is within the old SAM account)

15. Restore the System State from the previous NTBACKUP

16. Re-boot the Domain Controller (DC)

Now that the DC is restored it needs to take control of all Flexible Single Master Operation roles (FSMO and the File Replication service). Because of this utilities need to be loaded off of the Windows 200x install CD. NTDSUTIL will perform most of these steps. Since this is the first DC it needs to be a Global Catalog server and validate that it is the primary server in the domain.

17. After the POST Select F8

· Scroll down and select the option

“Directory Services Restore Mode (Windows 200x domain controllers only)”

18. Log on as the administrator (This is within the old SAM account)

19. Install the Windows 200x Active Directory Administration Tools from the server cd

· D:\i386\ Adminpak.msi

20. Install the Windows 200x Server Resource Kit from the server cd

· D:\support\tools\200xrkst.msi

21. Re-boot the Domain Controller (DC)

22. Log on as the administrator (This is with the AD account)

23. Reset the ip address to the test domain, the restore resets the ip address. Make sure to also point the dns server to itself as well

24. Set this server as a Global Catalog (Ignore this step in a multi-domain environment and this DC holds the Infrastructure Master Role)

· Click Start, click Run, type mmc, and then click OK

· On the Console menu, click Add/Remove Snap-in, click Add, double-click Active Directory Sites and Services, click Close, and then click OK

· Double Click Active Directory Sites and Services

· Double Click Sites

· Double Click MP-Default-Site

· Double Click Servers

· Double Click the DC

· Right Click on NTDS Settings and Select Properties

· If the “Global Catalog” check box is not checked, check it

25. All Flexible Single Master Operations (FSMO) roles need to reside on this DC

· Seize the PDC

· Click Start and then click Run

· In the Open text box, type ntdsutil

· Type roles

· Type connections

· Type connect to server <DC name>

· Type q

· Type seize pdc

· Click “Yes”

· Seize the Infrastructure master role

· Type seize infrastructure master

· Click “Yes”

· Seize the Domain Naming master role

· Type seize domain naming master

· Click “Yes”

· Seize the schema master role

· Type seize schema master

· Click “Yes”

· Seize the RID Master Role

· Type seize rid master

· Click “Yes”

· Type q

· Type q

26. Remove all other DC server objects (Repeat this step for each DC) KB216498

· Click Start and then click Run

· In the Open text box, type ntdsutil

· Type metadata cleanup

· Type connections

· Type connect to server <DC>

· Type q (The metadata cleanup prompt should now show)

· Type select operation target

· Type list domains (A list of domains should be displayed)

· Type select domain <#> (This is the domain of the server to be pruned)

· Type list sites (A list of sites should be displayed)

· Type select site <#> (This is the site of the server to be pruned)

· Type list servers in site (A list of servers should be displayed)

· Type select server <#> (This is the server to be pruned)

· Type q

· Type remove selected server (You should get confirmation of the removal)

· Type q

· Type q

27. Remove all other DC orphaned records in Active Directory (Repeat this step for each DC) KB216498

· Click Start - Programs - Windows 200x Support Tools - Tools - ADSI Edit

· Delete the computer account in OU=Domain Controllers, DC=Domain_Name,DC=com

· Delete the FRS member object in CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=Domain_Name,DC=com

28. Remove all other DC orphaned records in DNS

· Click Start - Programs - Administrative Tools - DNS

· Click <DC>.Domain_Name.com - Forward Lookup Zones - Domain_Name.com

· Delete the cname (alias) of all other DC’s

· Delete the a record of all other DC’s

29. This DC needs to be the File Replication Service Master (KB316790)

· Stop the File Replication service on the DC

· Make sure the following folders exist, if not create them

· C:\WINNT\SYSVOL\staging

· C:\WINNT\SYSVOL\sysvol (Share as SYSVOL)

· C:\WINNT\SYSVOL\sysvol\Domain_Name.com

· copy the contents of C:\WINNT\SYSVOL\domain to this folder

· Start Registry Editor (Regedt32.exe)

· Locate and then click the BurFlags value under the following key in the registry:

· HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

· On the Edit menu, click DWORD, click Hex, type D2, and then click OK

· Quit Registry Editor

· Restart the File Replication Service

· Check the FRS event viewer to see if the system states that the sysvol is now being shared and defines all the paths

30. Ensure that the DC has registered the proper computer role

· Enter net accounts at a dos prompt

· The computer role should say "primary”

Finally any information related to the old DC’s need to be purged from AD.

31. Re-boot the Authoritatively restored DC

32. Within the production system delete the test user and computer account

33. Within the production system delete the server object within the site that it was placed into for replication

Note: The File Replication Service can prevent the computer from becoming a Domain Controller (See below). If when doing a dcdiag a message states that the rid pool is corrupt, what is probably happening is there are problems with replication. Check the “File Replication Service” Event Log. Also make sure that all sub-folders are available within c:\winnt\sysvol.

To re-test just the rid pool: dcdiag /v test:ridmanager

Never again connect this server to the production system!!!

When you restore a domain controller from backup (or when you restore the System State), the FRS database is not restored because the most up-to-date state exists on a current replica instead of in the restored database. When FRS starts, it enters a "seeding" state and then tries to locate a replica with which it can synchronize. Until FRS completes replication, it cannot share Sysvol and Netlogon.

If you restore all of the domain controllers in the domain backup, all the domain controllers enter the seeding state for FRS and try to synchronize with an online replica. This replication does not occur because all of the domain controllers are in the same seeding state. Setting the primary domain controller FSMO role holder to be authoritative forces the domain controller to rebuild its database based on the current contents of the system volume. When that task is completed, the Sysvol and Netlogon shares are shared. All the other domain controllers can then start synchronizing from the online replica

(See - KB316790)

Posted by Paul Bergson | 0 Comments

Windows 2000/2003 Replication through a Firewall

Configuring Domain Controller Ports

 

To establish secure communications between DC’s defined and variable ports (High Ports) need to be able to communicate.  In the scenario defined below the internal dc’s have no outbound restrictions, inbound is restricted to a need to have with the restriction of 200 RPC ports are set for on demand need.

 

The following port definitions should be defined on ALL DC's within the DMZ that could be replicating to external DC’s.  These define which ports will be made available to there requesting DC's.

 

Start Registry Editor (Regedt32.exe).

 

Restrict FRS Traffic to a Specific Static Port - KB319553

Locate and then click the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters

New     =          Reg_DWORD

Name   =          RPC TCP/IP Port Assignment

Value   =          10000              (Decimal)

 

Restricting AD replication traffic to a single port - KB224196

Locate and then click the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

New     =          REG_DWORD

Name   =          TCP/IP Port

Data     =          10001              (Decimal)

 

RPC dynamic port allocation - KB154596
     (Only allow ports 10002 - 10200 for RPC from other machines)

 

Locate and then click the following key in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\

Create a New Key = Internet

Locate and then click the following key in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\

Add the values

"Ports" (MULTI_SZ)                            =          10002-10200

"PortsInternetAvailable" (REG_SZ)       =          Y

"UseInternetPorts" (REG_SZ)               =          Y

 

Configure 2003 Firewall Ports – KB179442

 

135

TCP

RPC

RPC Connector Helper (Machines connect to find out what high port to use)

137

TCP

UDP

NetBIOS Name

138

 

UDP

NetBIOS Netlogon and Browsing

139

TCP

 

NetBIOS Session

123

 

UDP

NTP

389

TCP

UDP

LDAP

636

TCP

 

LDAP SSL

3268

TCP

 

LDAP GC

3269

TCP

 

LDAP GC SSL

42

TCP

 

WINS Replication

53

TCP

UDP

DNS

88

TCP

UDP

Kerberos

445

TCP

UDP

SMB over IP (Microsoft-DS)

123

 

UDP

NTP

10000

TCP

 

RPC NTFRS

10001

TCP

 

RPC NTDS

10002 –10200

TCP

 

RPC – Dynamic High Open Ports

 

ICMP

 

 

 

 

If you would like to test connectivity to validate FRS communication

            NTFRSUTL version server_name

                        If the two can communicate through the firewall via FRS the response will provide the current version number

 

If you would like to validate connectivity between DC’s use the tool PortQryUI

            Download PortQryUI and run the tool

            Select the destination DC or PDC

            Select Domains and Trusts

                        Validate the ports that should be open in fact are via the output provided by the tool.

                                    For additional info on this tool see PortQry features, this is the backend tool for PortQryUI

 

 

How to Remotely Promote Server Core to a Read Only Domain Controller (RODC)

If you would like to promote a Windows 2008 server core o/s to a RODC but the server is at a remote location, you can run into multiple road blocks. Firewall ports need to be opened, remote management needs to be enabled plus you need configuration information configured. The following text should help assist you in building this remote installation.

By default Server core has the firewall enabled. To open up the ports on the Firewall requires either setting up group policy if a domain machine or logging locally and configuring. By default, when a server role is installed, the correct ports are automatically configured to allow the role to function as well as to allow remote management, so no additional work is required.

Configuring the firewall:
To open the firewall for remote management, as a local admin from a command prompt on server core, key in the following:
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

Enabling Remote Management:
To enable remote management via the Remote Shell, as a local admin from a command prompt on server core key in the following:
Winrm quickconfig

If you want to run this on a secure channel you can open an HTTPS listener, as a local admin from a command prompt on server core key in the following:
winrm quickconfig -transport:https

Installing the DNS role:
To install DNS, from a command prompt on the remote workstation key in the following (Be sure to replace servercore = Remotely Managed Server):
Winrs -r:servercore start /w ocsetup DNS-Server-Core-Role

Promoting to an RODC: (Performing a Staged RODC Installation)

Start by pre-creating the server account (From Microsoft’s pre-staged deployment):

Save the text below and execute the following command to pre-create the RODC account (Note: Be sure to replace DomainName with your Domain Name)
dcpromo.exe /CreateDCAccount /ReplicaDomainDNSName:DomainName.com /unattend:\\longhorn\netlogon\precreate.txt

The next line is the start of pre-create RODC unattended text file
; DCPROMO unattend file
; Usage:
; dcpromo.exe /CreateDCAccount /ReplicaDomainDNSName:pbbergs.com /unattend:\\longhorn\netlogon\precreate.txt
;
[DCInstall]
; Read-Only Replica DC promotion (stage 1)
DCAccountName=servercore
; RODC Password Replication Policy
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="PBBERGS\Denied
RODC Password Replication Group"
PasswordReplicationAllowed="PBBERGS\Allowed RODC
Password Replication Group"
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
ReplicationSourceDC=Longhorn.pbbergs.com

The end of the pre-create RODC unattended file

To install the Domain Services role and promote the server core to a Domain Controller, from a command prompt on the remote workstation key in the following:
Winrs -r:servercore dcpromo /unattend:c:\unattended\promote.txt

The next line is the start of the dcpromo RODC unattended text file

; DCPROMO unattend file (automatically generated by dcpromo)
; Usage:
; dcpromo.exe /unattend: \\longhorn\netlogon\answer.txt
;
[DCInstall]
;
ReplicaOrNewDomain=Replica
ReplicationSourceDC:"pbbergs.com"
InstallDNS=Yes
ConfirmGc=Yes
CriticalReplicationOnly=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
SafeModeAdminPassword=pa$$w0rd
; Run-time flags (optional)
RebootOnCompletion=Yes

The end of the dcpromo RODC unattended text file

Hopefully this article has helped you to get started, it is not trivial, and it took me multiple attempts on many steps to get it correct and working.

I would love to hear feedback on your success or problems that may have arisen in your attempt to remotely promote a server core to a RODC. You can write to me at pbbergs@msn.com.

External Forest Trust Configuration with a Firewall - Windows 2003 and NT4

An external forest trust relies on NetBIOS name resolution, dns is not involved.

All trust communication traffic flows between the Windows 2003 PDCe and the PDC.  It doesn’t matter how you have your LMHosts table setup or your firewall setup the trust is only going to work with these two being able to talk to one another. 

WINS Configuration

Using the web site LMHost Creator create the lmhost files for the trust for name resolution. (Per KB180094)

                        I highly recommend using this site to generate the LMHosts file!!!

Windows 2003

10.0.0.1                       NT4_Server     #PRE #DOM:NT4_Domain                 ß The name NT4_Server should be your PDC
10.0.0.1                       "NT4_DOMAIN     \0x1b" #PRE  

NT4

10.0.0.1                       2003_Server    #PRE #DOM:2003_Domain                ßThe name 2003_Server should be your PDCe
10.0.0.1                       "2003_DOMAIN    \0x1b" #PRE

Note The domain name in this entry is case sensitive. Make sure that you use uppercase characters for the domain name. If you use lowercase characters for the domain name, NetBT does not recognize the name.

Note Make sure that you space these entries correctly. Replace 10.0.0.1 with the IP address of your primary domain controller (PDC). Replace PDCName with the NetBIOS name of your PDC, and replace domain with your Windows NT domain name. There must be a total of 20 characters within the quotations (the domain name plus the appropriate number of spaces to pad up to 15 characters, plus the backslash, plus the NetBIOS hex representation of the service type).

To help determine where the sixteenth character is, copy the following line to your Lmhosts file:
# IP Address "123456789012345*7890"

Line up the double quotation marks (") by adding or removing spaces from the comment line, and put the \ on the sixteenth column (the column marked with the asterisk). You must use spaces after the name and before the \, not a tab.                   

Name Resolution Tests

Windows 2003

Nbtstat –R       -           Purges and reloads the remote cache name table
Nbtstat  -c        -           Lists NBT's cache of remote [machine] names and their IP addresses

NT4

Nbtstat –R       -           Purges and reloads the remote cache name table
Nbtstat  -C       -           Lists NBT's cache of remote [machine] names and their IP addresses

Note The -c is case sensitive and must be lowercase (Uppercase for NT4). After you type this text, you should receive a display that is similar to the following:

 Node IpAddress: [10.0.0.5] Scope Id: []

      NetBIOS Remote Cache Name Table

             Name Type Host Address Life [sec] ----------------------------------------------------------

             PDCName <03> UNIQUE 10.0.0.1 -1

             PDCName <00> UNIQUE 10.0.0.1 -1

             PDCName <20> UNIQUE 10.0.0.1 -1

             Domain  <1B> UNIQUE 10.0.0.1 -1

 Configuring Domain Controller Ports

The following port definitions should be defined on ALL DC's within the DMZ that could be replicating to external DC’s.  These define which ports will be made available to there requesting DC's.

Start Registry Editor (Regedt32.exe).

Restrict FRS Traffic to a Specific Static Port - KB319553

Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters
New     =          Reg_DWORD
Name   =          RPC TCP/IP Port Assignment
Value   =          10000              (Decimal)

Restricting Active Directory replication traffic to a specific port - KB224196
Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
New     =          REG_DWORD
Name   =          TCP/IP Port
Data     =          10001              (Decimal)

RPC dynamic port allocation - KB154596 (Only allow ports 10002 - 10200 for RPC from other machines)
Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\
Create a New Key = Internet

Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\
Add the values
"Ports" (MULTI_SZ)                            =          10002-10200
"PortsInternetAvailable" (REG_SZ)       =          Y
"UseInternetPorts" (REG_SZ)               =          Y 

If you would like to test connectivity to validate FRS communication (This communication is for Windows 2003 to Windows 2003 communications only)

 NTFRSUTL version server_name

 If the two can communicate through the firewall via FRS the response will provide the current version number

 If you would like to validate connectivity between the NT4 and PDCe use the tool PortQryUI

Download PortQryUI and run the tool
Select the destination DC or PDC
Select Domains and Trusts
Validate the ports that should be open in fact are via the output provided by the tool.

For additional info on this tool see PortQry features, this is the backend tool for PortQryUI

 Configure 2003 Firewall Ports – KB179442 (This is between a dmz’d DC and an internal DC, these settings are for AD replication as well) 

135

TCP

RPC

RPC Connector Helper (Machines connect to find out what high port to use)

137

TCP

UDP

NetBIOS Name

138

 

UDP

NetBIOS Netlogon and Browsing

139

TCP

 

NetBIOS Session

123

 

UDP

NTP

389

TCP

UDP

LDAP

636

TCP

 

LDAP SSL

3268

TCP

 

LDAP GC

3269

TCP

 

LDAP GC SSL

42

TCP

 

WINS Replication

53

TCP

UDP

DNS

88

TCP

UDP

Kerberos

445

TCP

UDP

SMB over IP (Microsoft-DS)

123

 

UDP

NTP

10000

TCP

 

RPC NTFRS

10001

TCP

 

RPC NTDS

10002 –10200

TCP

 

RPC – Dynamic High Open Ports

 

ICMP

 

 

Configure NT4 Firewall Ports (If there is only an NT4 box outside the firewall than the previous is unneeded)

135

TCP

UDP

RPC Connector Helper

137

TCP

UDP

NetBIOS Name

138

 

UDP

NetBIOS Netlogon and Browsing

139

TCP

 

NetBIOS Session

42

TCP

 

WINS Replication

123

 

UDP

NTP

10000 – 10200

TCP

 

RPC – Dynamic High Open Ports

Made following Changes in Default Domain Controller Group Policy

Computer Configuration \ Windows Settings \ Security Settings \ Security Options     
     
Microsoft network client: Digitally sign communications (always) DISABLED  (Default ENABLED)
     
Microsoft network client: Digitally sign communications (if server agrees) ENABLED  (Default ENABLED) 
    
Microsoft network server: Digitally sign communications (always) DISABLED  (Default ENABLED)
   
Microsoft network server: Digitally sign communications (if client agrees) ENABLED  (Default ENABLED)
   
Domain member: Digitally encrypt or sign secure channel data (always) DISABLED  (Default ENABLED)
   
Domain member: Digitally encrypt secure channel data (when it is possible) ENABLED  (Default ENABLED)
   
Domain member: Digitally sign secure channel data (when it is possible) ENABLED  (Default ENABLED)
   
Network access: Restrict anonymous access to Named Pipes and shares DISABLED (Default ENABLED)
   
Network access: Do not allow anonymous enumeration of SAM accounts and shares DISABLED (Default ENABLED)
   
Network access: Do not allow anonymous enumeration of SAM accounts  DISABLED (Default ENABLED)
   
Network access: Allow anonymous SID/Name translation  ENABLED (Default DISABLED)
   
Domain member: Digitally encrypt or sign secure channel data (always) DISABLED  (Default ENABLED)
   
Domain member: Require strong (Windows 2000 or later) session key DISABLED (Default ENABLED) 

Made following Changed in Registry of 2003 PDCe  
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\EveryoneIncludesAnonymous 1 (default 0)HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess 0 (default 1) 

Once all these steps have been completed the Trust can now be established

          How to establish trusts with a Windows NT-based domain in Windows Server 2003

There is a complete set of troubleshooting options available on KB889030

User Account Lockout Troubleshooting

Do any of these symptoms sound familiar?

·         A users account keeps getting locked out, even though they haven’t even had to enter their credentials except to maybe unlock their screensaver
·         A scheduled task quit working, such as a night backup job
·         Services that used to start up at boot up will no longer start even if attempted manually

These are typical symptoms of a recently changed password where other resources are using this same account but are unaware of the recent password change.  Things to check to assist in this troubleshooting are:
·         Is the account logged onto more than one machine
    o   A user could have mapped drives to a resource from one machine, on a different machine he changes his password and then the first machine attempts to stay mapped to a drive and the password is no longer correct and eventually locks the user out.
·   If a service is running that is attempting to authenticate and has an invalid password, it may attempt multiple times and lockout the account

Also ensure to review any mobile devices that your user might be using.  If they have a cell phone/tablet with an embedded password the handheld maybe attempting to authenticate.  This error will show up in the event logs and may the hardware may show up as a router or switch.

To help try and track down where the account is getting locked out use eventcombMT.exe from the Account Lockout tools found out Microsoft's website.  Use the built in search AccountLockouts.  Once the Event logs have been inspected and a new text file has been created, search within this text file for the locked account in question.

 You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."

http://support.microsoft.com/kb/189541
http://support.microsoft.com/kb/109626

 

Configuring IPv4 as Default over IPv6

Starting with Windows Vista and Server 2008, IPv6 is the default over IPv4.  This can be annoying if your enterprise network isn’t prepared to support this.  You can modify this default behavior by OR’ing and registry setting on your machine.

The registry setting is the DisabledComponents registry value and it controls a series of bit flags as defined below:

·         Bit 0 Set to 1 to disable all IPv6 tunnel interfaces, including ISATAP, 6to4, and Teredo tunnels. Default value is 0

·         Bit 1 Set to 1 to disable all 6to4-based interfaces. Default value is 0

·         Bit 2 Set to 1 to disable all ISATAP-based interfaces. Default value is 0

·         Bit 3 Set to 1 to disable all Teredo-based interfaces. Default value is 0

·         Bit 4 Set to 1 to disable IPv6 over all non-tunnel interfaces, including LAN interfaces and Point-to-Point Protocol (PPP)-based interfaces. Default value is 0

·         Bit 5 Set to 1 to modify the default prefix policy table to prefer IPv4 to IPv6 when attempting connections. Default value is 0

Note Bits beyond Bit 5 are not used at this time

 

A single byte consists of 8 bits, these bits can have a value of 1 or 0.  In the DisabledComponents instance each of the first five bits refer to a switch, with 1 being on a 0 being off.  This can also be thought of as either true/false or on/off.

The zero bit refers to 0 or 1
The one bit refers to 0 or 2
The two bit refers to 0 or 4
The three bit refers to 0 or 8
The four bit refers to 0 or 16
The five bit refers to 0 or 32
The six bit refers to 0 or 64
The seven bit refers to 0 or 128

If you add all the bits up when set to a one the maximum value is 255.  Why do I bring this up?  In order to modify a bit you need to not modify the bits around it.  So first off you realize that the last three bits aren’t used so the maximum value will be – 1 + 2 + 4 + 8 + 16 + 0 + 0 + 0 = 31.  So the largest this key can ever be (Barring disabling IPv6 which will be set to the DWord of 0xFFFFFFFF).

So on to setting the default of IPv4 over IPv6 is to examine the fifth bit if it is zero then you need to modify the value by adding 16.  If the current value is equal to or greater than 16 than you know that the fifth bit is already set.

To take an example:

If the key is equal to 10, then you can see that:

·          6to4-based interfaces is disabled

·          Teredo-based interfaces is disabled

By adding (Or’ing 00010000) 16 to the key you end up with 26 which says, bits 1, 3 and 4 are all set to a 1 (Or are true).

For additional details refer to the technet article:
http://technet.microsoft.com/en-us/library/bb878057.aspx

I have a seperate Blog on disabling IPv6
http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx

 

How to Create an Active Directory User Provisioning System

This blog will detail how I created an Active Directory (AD) user provisioning tool with PowerShell.  It probably won’t be what you expect; the amount of front end entry is almost non-existent. The key to consistency within your enterprise is to take as much of the human element out of the picture as possible.  Without proper edit and control, organizations will find two user objects created by the same employee won’t hold to a standard of entry.  There in lies the key to this project. 

  

Although the code and the process in this endeavor is new, the original project itself is a rewrite.  Previous team members Steve Laskowski, Richard Narum and Dale Peterson have all written Perl or VB.Net in different forms to create an user object.  This newest process was created in Powershell.  The GUI was developed using Primal Forms by Sapien.  There is both a freeware tool as well as a full version, I opted for the full version.  Primal Forms generated all the lines of code for me, I am by no means a .Net developer but this development tool allowed me to create a tool rather quickly.

 

The jr admin running this front end script does not have to have any special permissions within AD.  The user just needs the ability to run the script and be able to save an XML file created by the script to a pre-defined location (Queue).  Once this file has been saved, a backend scheduled task (I execute it every minute from 6:00 am to 6:00 pm) to inspect the folder for a new file specially named as defined below.  The file has a random number built into the system to ensure that duplicate names can be created (Even though you can’t create duplicates) and multiple users can create files at the same time, so as you will see the real power is being able to have a secondary process drop XML files into the queue and the process can process them as required.  This will allow an administrator to run a script and drop all the users they need into a folder and generate as many users as needed.  That was the emphasis behind this project, our Human Resources (HR) synchronization process currently when a user is discovered missing within AD a report is generated, with this new process the user can be created without any intervention on the AD side.  One this is complete, we can then examine synchronizing other LDAP systems such as secondary Oracle db’s.

 

I have provided the Primal Forms so you can modify the form and the attirbutes passed within the xml.  So whatever you want to pass, you can but we went to the absolute minimums so as to keep things consistents as possible.

 

All of the scripts, xml files and cmd file all reside in the same location.

When the GUI is started, there is a cmd file which verifies that PowerShell has been loaded.  The code is displayed below.

As you can see the check is to see if the Powershell executable exists, if not a message is displayed, if so then call frontEndForm.ps1

 

########################################################################

@echo off

Rem Verify that Powershell is loaded on this desktop before proceeding

 

if not exist "%systemroot%\system32\Window~1\v1.0\powershell.exe" goto noPowershell

 

Rem Start up the GUI

net use v: \\server\share\newADUser

v:

cd \

powershell -ExecutionPolicy Unrestricted -command .\frontEndForm.ps1

c:

net use v: /del /y

 

Goto End

 

Rem Can't Proceed, Powershell needs to exist to run the front end script

:NoPowershell

Echo.

Echo.

Echo Powershell not loaded on this workStation

Echo Script aborted

Echo.

Echo.

Pause

 

:End

########################################################################

 

Once the newUser script is called the form has to be built.  There are several drop down boxes that need to be populated, two by XML files and a third by the user objects within AD.

 

 

 

Front End:

There are only four fields for user data entry; User Id, First Name, Middle Initial and Last Name.  Along with this there are eight additional selections; three drop downs and five check boxes.  The drop down boxes Business Unit and Account Type are built from xml files.

 

Business Unit:

The drop down box is populated by the attribute businessUnitNameX and the attribute businessUnitDNX will be used in the backend process to place the new user object in the defined OU.  A partially defined XML file is shown below:

 

<?xml version="1.0"?>

<!-- Below is the configuration settings for the newuser Powershell Script

businessUnitX     - Company the new user is defined to work for

businessUnitNameX - Complete Company Name

businessSMTPX     - E-Mail Domain Name

businessUnitDNX   - Distinguished Name of the OU where the new user will be placed

-->

 

<Configuration>

            <row>

       <businessUnitX>acme</businessUnitX>

       <businessUnitNameX>Acme</businessUnitNameX>

       <businessSMTPX>acme.com</businessSMTPX>

       <businessUnitDNX>OU=Acme,OU=Employees,OU=Users,DC=acme,DC=com</businessUnitDNX>

            </row>

            <row>

       <businessUnitX>apu</businessUnitX>

       <businessUnitNameX>Acme Pencil Unit</businessUnitNameX>

       <businessSMTPX>acme.com</businessSMTPX>

       <businessUnitDNX>OU=APU,OU=Employees,OU=Users,DC=acme,DC=com</businessUnitDNX>

            </row>

 

Account Type:

The drop down box is populated by the attribute accountTypeX which will be used in the backend process to prepend the value, along with other values discussed later, on the user account description attribute.  A defined XML file is shown below:

 

<?xml version="1.0"?>

<!-- Below is the configuration settings for the newuser Powershell Script

accountTypeX     - Descriptive value used for association the user type being created

-->

 

<Configuration>

            <row>

       <accountTypeX>Local Administrator</accountTypeX>

            </row>

            <row>

       <accountTypeX>Permanent Employee</accountTypeX>

            </row>

            <row>

       <accountTypeX>Service Account</accountTypeX>

            </row>

            <row>

       <accountTypeX>Temporary Employee</accountTypeX>

            </row>

</Configuration>

 

Account Requested By:

This drop down box is populated by all the user accounts, within AD, that exist from a base defined in the XML configuration file.  This leads me into the XML Configuration file, my goal was to allow this script to be installed by just modifying the four XML files.  The values within the Configuration file are

 

Configuration.xml

<?xml version="1.0"?>

<!-- Below is the configuration settings for the newuser Powershell Script

Description           - Description to be placed in user attribute

OrganizationalUnit - Distinguished name where to place newly created user

Description           - Value to be placed in the new user's description attribute

Root                    - Root location of where share is to be created for the new user

ScriptPath            - Executable for the logon script for the new user

HomeDrive          - Drive letter for the home drive for the new user

xmlLocation         - Location of xml files that contain the request for the new user .\ = same location as configuration files (Must end with a \)

expirationLength   - Length of time in days, before the account is expired

sqlServerX           - Optional SQL Server Database, if populated then script expects to write to sqlDataBaseX audit details

sqlDataBaseX      - SQL database

-->

 

<Configuration>

   <row>

        <descriptionX>User Account Created by Powershell Script</descriptionX>

        <rootX>\\usera\useradmin$\user</rootX>

        <scriptPathX>logonScript.cmd</scriptPathX>

        <homeDriveX>z</homeDriveX>

        <xmlLocationX>\\server\share\newADUser\queue\</xmlLocationX>

        <userBaseX>OU=Employees,OU=Users,DC=acme,DC=com</userBaseX>

        <expirationLengthX>90</expirationLengthX>

        <smtpServerX>smtp.acme.com</smtpServerX>

        <emailFromX>adAdmin@acme.com</emailFromX>

        <emailToX>NewActiveDirectoryUserDL@acme.com</emailToX>

        <sqlServerX>sqlServer</sqlServerX>

        <sqlDatabaseX>adAuditDB</sqlDatabaseX>

   </row>

</Configuration>

 

StorageGroups.xml

<?xml version="1.0"?>

<!-- Below are the server/storage group/Database's that are randomly selected to where a new user will be created

     By duplicating targets you can weight updates to go more often to those if so needed

     Pattern is ExchangeServer\StorageGroup\Database

     To list out all db's in you enterprise bring up the Exchange Management shell as an admin and key in the following

     get-mailboxDatabase

-->

 

<Databases>

            <target>

        <xmlSGX>exchangeServer\StorageGroup1\MailBox1</xmlSGX>

            </target>

            <target>

        <xmlSGX>exchangeServer\StorageGroup2\MailBox1</xmlSGX>

            </target>

</Databases>

 

After “Ok” is selected, the xml file NewUser_UserName_RandomNumber.xml is built via userTemplate.xml from data entered by the jr admin running the gui script.

 

            userTemplate.xml

            <?xml version="1.0"?>

<!-- Below is the configuration settings for the newuser Powershell Script form that is created

aliasX                 - UserId                                                                                                 (Free form entered)

firstNameX        - First name of newly created user                                                           (Free form entered)

mInitialX            - Middle initial of newly created user                                                        (Free form entered)

lastNameX         - Last name of newly created user                                                           (Free form entered)

createdByX        - Computer and User running this tool that created this file                       (From WMI call)

requestedByX     - Person who requested this new user be created                                     (From Drop Down)

businessUnitX     - Business Unit the new user belongs to                                                    (From Drop Down)

accountTypeX     - Type of account this new user is                                                            (From Drop Down)

emailFlgX            - Should this new user not be given an email mailbox                                (Check box - True or False)

postiniFlgX          - Should this new user not be added to Postini for external email inbound (Check box - True or False)

enableAcctFlg     - Should this new user's account be enabled                                             (Check box - True or False)

expireAcctFlg     - Should this new user's account expire after 90 days                                (Check box - True or False)

folderFlgX          - Should this new user not be given an home folder                                   (Check box - True or False)

 

<employee>

            <row>

               <aliasX></aliasX>

               <firstNameX></firstNameX>

               <mInitialX></mInitialX>

               <lastNameX></lastNameX>

               <createdByX></createdByX>

               <requestedByX></requestedByX>

               <businessUnitNameX></businessUnitNameX>

               <accountTypeX></accountTypeX>

               <emailFlgX></emailFlgX>

               <postiniFlgX></postiniFlgX>

              <enableAcctFlgX></enableAcctFlgX>

              <expireAcctFlgX></expireAcctFlgX>

              <folderFlgX></folderFlgX>

           </row>

   </employee>

           

 

Example:

            newUser_pbbergs_1175854108.xml 

            <?xml version="1.0"?>

<!-- Below is the configuration settings for the newuser Powershell Script form that is created

aliasX                 - UserId                                                                                                 (Free form entered)

firstNameX        - First name of newly created user                                                           (Free form entered)

mInitialX            - Middle initial of newly created user                                                        (Free form entered)

lastNameX         - Last name of newly created user                                                           (Free form entered)

createdByX        - Computer and User running this tool that created this file                       (From WMI call)

requestedByX     - Person who requested this new user be created                                     (From Drop Down)

businessUnitX     - Business Unit the new user belongs to                                                    (From Drop Down)

accountTypeX     - Type of account this new user is                                                            (From Drop Down)

emailFlgX            - Should this new user not be given an email mailbox                                (Check box - True or False)

postiniFlgX          - Should this new user not be added to Postini for external email inbound (Check box - True or False)

enableAcctFlg     - Should this new user's account be enabled                                             (Check box - True or False)

expireAcctFlg     - Should this new user's account expire after 90 days                                (Check box - True or False)

folderFlgX          - Should this new user not be given an home folder                                   (Check box - True or False)

 

-->

<employee>

  <row>

    <aliasX>pbbergs</aliasX>

    <firstNameX>Paul</firstNameX>

    <mInitialX>B</mInitialX>

    <lastNameX>Bergson</lastNameX>

    <createdByX>Computer:pbbergsDesktop  User:acme\adminpbbergs</createdByX>

    <requestedByX>Joe Smith</requestedByX>

    <businessUnitNameX>Acme Pencil Unit</businessUnitNameX>

    <accountTypeX>Permanent Employee</accountTypeX>

    <emailFlgX>False</emailFlgX>

    <postiniFlgX>False</postiniFlgX>

    <enableAcctFlgX>True</enableAcctFlgX>

    <expireAcctFlgX>False</expireAcctFlgX>

    <folderFlgX>False</folderFlgX>

  </row>

</employee>

 

Now that the form is loaded the user can begin to enter data.  The first field is the User Id, once entered the script will verify that the Id doesn’t currently exist.  Both the First and Last Name field are required and once landing on the field a value is required before you can exit.  Middle Initial is an optional field.

 

The rest of the fields are:

 

Business Unit drop down allows you to select the company or business unit within the company the new user works for.  This field is associated with an OU, which points to the location where the new user will be placed.

Account Type drop down allows you to define the type of account being created.  This value is used to populate part of the description field for human documentation.

Requested By drop down allows you to select who was the manager that requested the account be created, this also is used to help populate the description field for human documentation.

Create Mailbox check box allows you to choose whether or not to create a mailbox with the new user

Add Account to Postini check box is a field that prompts a manual process that notifies whether or not the account is to be allowed to receive external e-mail

Enable Account check box allows you to choose whether or not to enable account

Expire Account After 90 Days check box allows you to choose whether or not to expire account after 90 days

Create Home Folder check box allows you to choose whether or not to create a home folder for the user

 

When the form entry is completed and the OK button is selected, edit checks are rerun against the forms entered values.  The first, middle and last names first character are capitalized and all the drop down boxes have had a value populated in them, the user created xml file is created and dropped into the location defined by the

 

Once the file has been dropped (xmlLocationL) there is the backend process that will use these same xml files to process the dropped file.  The powershell process is setup to run every minute, via a scheduled task.  If no file exists the process quits, else edit checks are run and if passed the user is created.

 

The scheduled task is just a basic, per minute task defined in the photos below:

 

 

 

 

 

 

 

 

Once the task has been created the service account running the task needs to have enough permissions to create the user account, the mailbox (If selected) and the home folder (If selected).

 

The location to store the code can be anywhere but the folder structure will need to be as illustrated below (Note: Disregard the colored green and orange circles they are part of Carbonite, my cloud based backup system).

 

The users that will be running the gui will require read only permissions for the folder newADUser since this is where the code repository resides.  The only elevated permissions needed for the folder will be read/write for the queue folder.  This is where the gui drops the xml file for processing.

With the storage of the files, as follows:

To download the content (In zipped format), click on the zipped link below. I don't like to present zip'd files but I have too many files to be downloaded individually plus I want to ensure the folder structure is properly configured.  Just remember to limit access to this structure.

https://skydrive.live.com/?cid=3B55FC84ED3C1576#cid=3B55FC84ED3C1576&id=3B55FC84ED3C1576%21655

 

In order to allow the task to run properly you will need to load Powershell v 2.0, this will depend on what o/s you are going to run the scheduled task on. I run it on Windows 2008 R2 which was installed through "Features". To learn how to install this you will need to do a Bing search for your o/s.

 

Next you will need the Active Directory module, again since I am running the script on a 2008 R2 box it is handled via Active Directory Web Services (ADWS). If not using 2008 R2 then you will need to use the Active Directory Management Gateway Service.

Active Directory Administration with Windows Powershell
http://technet.microsoft.com/en-us/library/dd378937(WS.10).aspx

 

Finally, you will need to install the Exchange Management tools. When this was written I used Exchange 2007, so the link below references this version:

http://technet.microsoft.com/en-us/library/bb232090(EXCHG.80).aspx

More Posts Next page »