Active Directory Domain Services Command Fu, Part 3
As some systems administrators have already found out, on Microsoft Windows Servers some tasks cannot be performed using the Graphical User Interface (GUI). Although multiple vendors have released graphical tools to make these tasks easier (or even more tedious) for the typical click-on-through Windows Admin, these tasks can easily be performed using the built-in command-line tools. Also, some queries for information using the built-in graphical tools require numerous clicks and end with the information scattered throughout management consoles.
In the first part of this series I looked at three command-line tools for Active Directory environments, running on all current Domain Controllers, Domain Functional Levels and Forest Functional Levels. In the second part I focused on the ds* family of commands.
Today, I’m sharing three handy command-line tools you can use with Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2 Domain Controllers.
Command-line tool to use: redirusr.exe and redircmp.exe
For these commands to work, the Forest Functional Level (FFL) needs to be at least Windows Server 2003.
In a default Active Directory environment, new user objects are created in the Users Organizational Unit (OU) and new computer objects are created in the Computers OU.
One of the disadvantages of this default situation is that these OUs cannot be used to apply Group Policy Objects (GPOs). This is especially inconvenient in environments that make heavy use of Delegation of Control. Luckily, you can change the default locations where new user objects and new computer objects are created.
To change the default location for new user objects to an Organizational Unit (OU) called Employees inside the OU you created for your company, use the following command:
redirusr "OU=Employees,OU=Company,DC=DomainName,DC=Tld"
To redirect newly created computers, use the following command:
redircmp "OU=Desktops,OU=Company,DC=DomainName,DC=Tld"
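To verify where new user and computer objects currently land (before and after running redirusr and redircmp), the following PowerShell snippet, added here and not part of the original post, reads the wellKnownObjects attribute of the domain naming context. It assumes a domain-joined machine with read access to the domain head, and that ADSI presents the attribute in its B:32:<GUID>:<DN> string form.

```powershell
# Added example (not from the original post). The two GUIDs are the documented
# well-known identifiers of the Users and Computers containers.
$usersGuid     = 'A9D1CA15768811D1ADED00C04FD8D5CD'
$computersGuid = 'AA312825768811D1ADED00C04FD8D5CD'

$rootDse = [ADSI]'LDAP://RootDSE'
$domain  = [ADSI]('LDAP://' + $rootDse.defaultNamingContext)

# Each wellKnownObjects value is assumed to look like  B:32:<GUID>:<DN>  (DN-Binary
# syntax as ADSI presents it). Split with a limit of 4 so a DN containing ':' stays whole.
$defaults = @{}
foreach ($value in $domain.wellKnownObjects) {
    $parts = [string]$value -split ':', 4
    if ($parts.Count -eq 4) { $defaults[$parts[2].ToUpper()] = $parts[3] }
}

$userTarget     = $defaults[$usersGuid]
$computerTarget = $defaults[$computersGuid]
"New user objects are created in:     $userTarget"
"New computer objects are created in: $computerTarget"

# The built-in containers cannot have Group Policy linked to them; warn if either is
# still the default, which means redirusr/redircmp has not been run (or not replicated yet).
foreach ($dn in @($userTarget, $computerTarget)) {
    if ($dn -like 'CN=Users,*' -or $dn -like 'CN=Computers,*') {
        Write-Warning "Built-in container still in use (no GPO can be linked here): $dn"
    }
}
```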
Command-line tool to use: ntdsutil.exe
For this command to work, the Domain Controller on which you run it needs to run Windows Server 2003 with Service Pack 1 or later.
Although Windows Server 2008 R2 really delivers on the promise of undeleting an object from Active Directory with the Active Directory Recycle Bin, the possibility to undelete an object (and reanimate a tombstoned object) has been in Active Directory a long time.
When you delete an object from the Graphical User Interface (GUI) of Active Directory Users and Computers (ADUC) or the Active Directory Administrative Center (ADAC), it is gone from the interface. It’s not gone entirely from Active Directory, though. The object is merely tombstoned and held in a (by default hidden) Organizational Unit called Deleted Objects until the tombstone period has passed. To keep Active Directory consistent, the object’s references to other objects (for instance a user’s memberships of groups) are deleted. These references are called backlinks.
A couple of (3rd party) tools have been released to undelete an object by reanimating it. Some of these programs, however, do not recreate the backlinks, so when using them you will, for instance, have to recreate group memberships manually (other tools will populate the attributes for you). Jorge has a list of programs you can use.
In pre-Windows Server 2008 R2 Active Directory environments, you can only restore an object together with its backlinks when the Domain Controller is booted into Directory Services Restore Mode (DSRM). There, you can undelete an object using the following command:
ntdsutil "authoritative restore" "restore object CN=JosHaarbos,OU=Employees,OU=Company,DC=Domain,DC=tld" q q
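Before attempting an undelete it helps to know whether the object is still within the tombstone lifetime. The following PowerShell snippet is an added example, not from the original post: it reads the forest’s tombstoneLifetime and lists matching tombstones using the show-deleted search option. It assumes a domain-joined machine; the account name JosHaarbos is the one from the ntdsutil command above.

```powershell
# Added example (not from the original post).
$samAccountName = 'JosHaarbos'   # the deleted user to look for

$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = $rootDse.configurationNamingContext
$defaultNc = $rootDse.defaultNamingContext

# The forest-wide tombstone lifetime is stored on CN=Directory Service in the
# configuration partition. When the attribute is not set, Active Directory uses
# 60 days (forests created with Windows Server 2003 SP1 or later get 180 set explicitly).
$dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$lifetime = [string]$dsObject.tombstoneLifetime
if (-not $lifetime) { $lifetime = 60 } else { $lifetime = [int]$lifetime }
"Tombstone lifetime: $lifetime days"

# Tombstones are only returned when the searcher sends the show-deleted control,
# which System.DirectoryServices exposes as the Tombstone property.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$defaultNc"
$searcher.Tombstone  = $true
$searcher.Filter     = "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$samAccountName))"
foreach ($attr in 'distinguishedName', 'lastKnownParent', 'whenChanged') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $searcher.FindAll()
if ($results.Count -eq 0) {
    "No tombstone found for $samAccountName (never deleted, or already past the tombstone lifetime)"
}
foreach ($result in $results) {
    # whenChanged is rewritten at deletion time, so it approximates the deletion date.
    $deletedOn = [DateTime]$result.Properties['whenchanged'][0]
    $daysLeft  = $lifetime - ((Get-Date) - $deletedOn).Days
    "Tombstone:       $($result.Properties['distinguishedname'][0])"
    "Original parent: $($result.Properties['lastknownparent'][0])"
    "Deleted around:  $deletedOn  (recoverable for about $daysLeft more day(s))"
}
```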
Command-line tool to use: netdom.exe
You will need the Windows Server 2003 domain functional level.
Additionally, on Windows Server 2003 and Windows Server 2003 R2 you will need the Windows Server 2003 Support Tools, since netdom.exe is not included by default with these versions of Windows Server.
It is unsupported to change the hostname of a Windows 2000 Server-based Domain Controller as this would break the Active Directory functionality of the system. You will need to demote and repromote it to achieve a rename.
In Windows Server 2003, Microsoft introduced functionality that allows system administrators to change the hostname of a Domain Controller, unless the Domain Controller also doubles as a Certificate Authority (CA).
When you rename the Domain Controller using the Graphical User Interface (GUI) you receive the following message:
You are warned about temporary downtime for the Domain Controller, because renaming a Domain Controller typically requires a reboot. This is due to the fact that a Windows box needs a reboot to change its hostname.
Instead you can use the command below to add a hostname to the Domain Controller from the command line:
netdom computername localhost /add:newname.domain.tld
The command takes care of the Service Principal Name (SPN) attributes in Active Directory and of the registration of DNS resource records for the alternative name of your Domain Controller. Also, the msDS-AdditionalDnsHostName attribute of the Domain Controller’s computer object in Active Directory is populated with the new name.
After the object and the DNS zone have replicated throughout your forest, you can issue the following command to swap the old name and the new name:
netdom computername localhost /makeprimary:newname.domain.tld
Then you can reboot the machine to make this change effective. Since your users, computers and other Domain Controllers already know the Domain Controller by its new name, you can perform the reboot whenever you want. After the reboot it’s cleanup time. Issue the following command:
netdom computername localhost /remove:oldname.domain.tld
Of course, you will need to check the proper replication of this last change too, to make sure you’re completely done.
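The steps above depend on replication and DNS registration having completed before /makeprimary (and again before /remove). The following PowerShell snippet is an added example, not from the original post, that checks the three artefacts netdom creates for the alternative name: the msDS-AdditionalDnsHostName value, the HOST/ and LDAP/ SPNs, and the DNS record. The computer account name DC01$ and the host name newname.domain.tld are placeholders.

```powershell
# Added example (not from the original post). Replace the two placeholders below.
$dcSamName = 'DC01$'                 # sAMAccountName of the Domain Controller being renamed
$newName   = 'newname.domain.tld'    # the name passed to "netdom computername /add"

$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]('LDAP://' + $rootDse.defaultNamingContext)
$searcher.Filter     = "(&(objectClass=computer)(sAMAccountName=$dcSamName))"
$dc = $searcher.FindOne()
if (-not $dc) { throw "Computer object $dcSamName not found" }

$ok = $true
# 1. msDS-AdditionalDnsHostName must carry the new name (netdom /add writes it).
$additional = @($dc.Properties['msds-additionaldnshostname'])
if ($additional -contains $newName) { "OK   msDS-AdditionalDnsHostName contains $newName" }
else { Write-Warning "msDS-AdditionalDnsHostName lacks $newName (not replicated yet?)"; $ok = $false }

# 2. SPNs for the new name must exist; HOST/ and LDAP/ are the minimum for a Domain Controller.
$spns = @($dc.Properties['serviceprincipalname'])
foreach ($svc in 'HOST', 'LDAP') {
    if ($spns -contains "$svc/$newName") { "OK   SPN $svc/$newName present" }
    else { Write-Warning "SPN $svc/$newName missing"; $ok = $false }
}

# 3. The new name must resolve in DNS (the A record netdom registers).
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($newName)
    "OK   $newName resolves to $($addrs -join ', ')"
} catch {
    Write-Warning "$newName does not resolve: $($_.Exception.Message)"; $ok = $false
}

if ($ok) { 'All checks passed; safe to run netdom computername /makeprimary' }
else     { 'Wait for replication and DNS registration, then re-run this check' }
```

To confirm the change has replicated everywhere, run the check once per Domain Controller with SearchRoot bound to LDAP://<dcname>/<domain DN> instead of the serverless path.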
Command-line tool to use: rendom.exe and gpfixup.exe
One of the new features of Active Directory in Windows Server 2003 is the ability to rename Active Directory domains.
This feature requires the Windows Server 2003 domain functional level and forest functional level. All Domain Controllers must be running Windows Server 2003 or newer.
While domain rename is functionality a lot of admins have sought after, and each step is achieved by simply issuing a single-line command, a whole lot of caveats exist around this process. The complete list of caveats goes beyond the scope of this blog post, but can be found (partly) in the links below.
The first caveat is using the correct tools. As with all Microsoft products, it helps to use the latest version. While the Domain Rename tools can be found on the Windows Server 2003 CD-ROM in the VALUEADD directory, the most recent version of the tools can be found here. After downloading, the domainrename.exe package can be extracted to get rendom.exe and gpfixup.exe.
A typical domain rename consists of the following eight commands, issued from a member computer as an Enterprise Admin:
- run rendom.exe /list
With this command a list of all naming contexts for the domain is generated in a file named domainlist.xml. This file typically contains the DNS and NetBIOS information of the domain.
- edit the domainlist.xml file and verify it
Using your favorite text editor, edit the naming contexts in the domainlist.xml file to reflect the changes. Using find and replace (Ctrl+H in Notepad) this can be achieved quite easily. Afterwards you can verify the file using rendom.exe /showforest.
- run rendom.exe /upload
After manually creating a new (Active Directory integrated) DNS Zone, this command populates the zone with the proper DNS records for your Domain Controllers.
- run rendom.exe /prepare
- run rendom.exe /execute
This command renames the domain name, according to the changes you’ve made in the domainlist.xml file.
- run rendom.exe /clean
This command will delete any references to the old domain name.
- run rendom.exe /end
Where rendom.exe /prepare freezes the domain configuration, this command will thaw the domain configuration, which will make your Active Directory infrastructure operate normally.
- run gpfixup.exe
After a successful domain rename, any Group Policy Objects (GPOs) need to be altered to accommodate the new domain name. Use the following command:
gpfixup.exe /olddns:olddomain.tld /newdns:newdomain.tld
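gpfixup rewrites the Group Policy references to the old DNS name; the following PowerShell snippet, an added example not from the original post, checks afterwards that no groupPolicyContainer or gPLink value in the domain partition still mentions the old name. olddomain.tld is the placeholder from the gpfixup command above.

```powershell
# Added example (not from the original post).
$oldDns = 'olddomain.tld'   # placeholder: the name given to gpfixup /olddns

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = $rootDse.defaultNamingContext
$stale    = @()

# 1. Group Policy containers: gPCFileSysPath points at \\<dns name>\SysVol\<dns name>\...
#    and gPCWQLFilter embeds the DNS domain name of the linked WMI filter.
$gpcSearcher = New-Object System.DirectoryServices.DirectorySearcher
$gpcSearcher.SearchRoot = [ADSI]"LDAP://$domainNc"
$gpcSearcher.Filter     = '(objectClass=groupPolicyContainer)'
$gpcSearcher.PageSize   = 500
foreach ($a in 'displayName', 'gPCFileSysPath', 'gPCWQLFilter') { [void]$gpcSearcher.PropertiesToLoad.Add($a) }

$pattern = [regex]::Escape($oldDns)
foreach ($r in $gpcSearcher.FindAll()) {
    $name = $r.Properties['displayname'][0]
    foreach ($attr in 'gpcfilesyspath', 'gpcwqlfilter') {
        foreach ($v in @($r.Properties[$attr])) {
            if ($v -match $pattern) { $stale += "GPO '$name': $attr = $v" }
        }
    }
}

# 2. gPLink values on the domain head and OUs embed the GPO's distinguished name,
#    whose DC= components still spell the old domain until gpfixup rewrites them.
#    (Site links live in the configuration partition and are not covered here.)
$oldDnSuffix  = 'DC=' + (($oldDns -split '\.') -join ',DC=')
$linkSearcher = New-Object System.DirectoryServices.DirectorySearcher
$linkSearcher.SearchRoot = [ADSI]"LDAP://$domainNc"
$linkSearcher.Filter     = '(gPLink=*)'
$linkSearcher.PageSize   = 500
[void]$linkSearcher.PropertiesToLoad.Add('gPLink')
foreach ($r in $linkSearcher.FindAll()) {
    $link = [string]$r.Properties['gplink'][0]
    if ($link -match [regex]::Escape($oldDnSuffix)) { $stale += "$($r.Path): gPLink = $link" }
}

if ($stale.Count -gt 0) {
    $stale | ForEach-Object { Write-Warning $_ }
    "$($stale.Count) stale reference(s) to $oldDns found; re-run gpfixup.exe"
} else {
    "No references to $oldDns left in Group Policy containers or links"
}
```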
The above commands will actually rename the Active Directory domain, but of course you will need to perform additional steps, depending on your environment. An excellent set of Microsoft TechNet pages exists to assist you with the whole process.