The ASK PFE Platform blog provides more insight into Read-Only Domain Controllers (RODCs) and why they are so special.
Read the blog post: MailBag: RODCs – krbtgt_#####, Orphans, and Load Balancing RODC Connection Objects
One of the best new features of Windows Server 2012 is virtual domain controller cloning.
The ASKPFE blog has an excellent article covering this new feature:
Tom Moser here with a post on one of the new ADDS features in Windows Server 2012; Virtual Domain Controller Cloning.
Until now, cloning, snapshotting, copying, or pretty much doing anything but rebuilding from scratch to a virtual domain controller wasn’t just unsupported; it had the potential to be really bad for your directory. Cloning or restoring snapshots of DCs could result in USN rollbacks or lingering objects, just to name a couple of problems.
Starting in Windows Server 2012, we now support DC cloning as well as snapshot restoration of domain controllers. With the RTM bits available, I found myself rebuilding my lab and took the opportunity to document the process to demonstrate just how easy it is to clone virtual domain controllers with Windows Server 2012.
Requirements
There are a few base infrastructure requirements to take advantage of DC cloning.
- The hypervisor must support VM-GenerationID. Hyper-V running on Windows Server 2012 supports this feature. Other virtualization vendors will have the ability to implement this as well, so check with your vendor to see if it’s supported.
- The source virtual DC must be running Windows Server 2012.
- The PDC emulator role holder must be online and available to the cloned DC and must be running Windows Server 2012.
There are a few other steps and requirements and I’ll take you through those now.
Read the rest of the article here.
The AskPFE blog has another great Windows Server 2012 article describing how to best rollout new 2012 DCs.
Greg Jaworski here again to discuss introducing the first Windows Server 2012 Domain Controller. We will discuss things such as extending the schema, enhancements to the Domain Controller promotion process (it is no longer called dcpromo), and things you should be doing to ensure a smooth upgrade and minimal issues. This will be a two part blog post. In the first part we will cover the GUI way of introducing the first Windows Server 2012 Domain Controller. In the second post we will cover the PowerShell way of doing this and also how you can take a look at your environment before introducing that first Windows Server 2012 Domain Controller.
Premier Field Engineering has significant experience in the area of AD upgrades. Many times we are onsite during various parts of the upgrade process. We also have discussions about upgrades during Active Directory Risk Assessments (ADRAP) and have an entire offering called the Active Directory Upgrade Assessment (ADUA) to assist with the upgrade process. We understand the concerns of upgrades. Many managers and IT people do not like the words irreversible, forest recovery, and no back-out plan. People also tend to not like mission critical applications breaking.
Read the rest of the article here.
The AskPFE Blog has some useful suggestions for Windows Server 2012 Domain Controller placement.
Following up on Greg Jaworski’s great post from last week where he talked about how to promote a domain controller in Windows Server 2012, today we will cover some thoughts around where to place your first Windows Server 2012 DCs and how many to plan on rolling out at once. This blog post is meant to be used as high level guidance as every environment is different, so your mileage most likely will vary. If you are interested in a more detailed recommendation specific to your environment, I encourage you to speak with your Microsoft account team contact(s) to get you hooked up with the right resources at Microsoft to assist.
Where you place your first 2012 DCs and how many you need greatly depends on two things:
- What new 2012 features you plan on using right out of the gate.
- If you have multiple domains and/or multiple forests with trusts in place.
Let’s break these down a bit more with some specific examples. For those of you who have not looked into the new Windows Server 2012 features Dynamic Access Control (DAC), Kerberos FAST (AKA armoring), and DC cloning, some of this content may be a bit confusing. We plan on covering these topics in greater detail in future blog posts. In the interim, I encourage you to review the following links on TechNet for a quick review before and/or after reading the next section.
Read the rest of the article here.
The Ask PFE Blog recently published a checklist to follow before and during the promotion (or demotion) of a Domain Controller.
Here’s a sample:
Prior to DCPROMO
Before we yell BANZAI! and kick off a DCPROMO, what should we check?
Do we need to modify any DHCP scopes?
- Are we providing this server’s IP address as a DNS server for DHCP clients?
Do we need to modify any member servers or other static systems?
- Are we pointing any systems to this server for DNS, LDAP, etc?
- SCCM is an awesome tool to inventory these sorts of settings, but if you don’t have SCCM, another great way to inventory the IP configurations for your systems is via script. PowerShell has some handy ‘export to CSV’ functions built right in. A peer PFE and PowerShell wiz is putting the final polish on a post with some script code samples to do just that…stay tuned!
- Are there startup/logon/other scripts that hard-code this system and need to be modified/edited beforehand?
Are there any shares, applications, printers, scheduled tasks or other ‘services’ on the target system? Check for any additional or unexpected Roles or Features (i.e. WINS – which is far down in the GUI; be sure you scroll!)
- Those may or may not be affected after you remove AD from a server
- If the goal is to decommission the server, those services may need to be moved or decommissioned with the target server
You’ll want to know what you should set for the local Administrator account’s password once AD is removed and the server becomes a member server
- Beware that by default, the username will be “Administrator” but if you’ve redirected the default COMPUTERS container in AD to another OU, there might be a GPO that renames the local Administrator account
You’d be wise to obtain/verify (or reset) the local Directory Service Recovery Mode password just in case you need it on this system
This is often a weak spot in an AD deployment
- “Who knows the DSRM password? I’ve tried the 8 that I thought it might be and none of them work.”
- On 2008 and newer versions, this can be sync’d to a domain account to make it a bit more easily managed.
- Obtain and verify ILO/DRAC/KVM/VM console or other ‘out of band’ access to the system in the event the system doesn’t reboot properly (sitting at an F1 prompt because someone unplugged the keyboard to a server across the country on a Sunday at 2:00 am is no fun).
You’ll need the AD Site information for the DC so you can clean up the server ‘object’ from AD Sites after the DCPROMO
- That still needs to be manually removed even in Server 2012 (at least in the Release Candidate)
- Make sure you have your approved and communicated Change Control Request
- Make sure the Helpdesk is aware
I recommend verifying the AD FSMOs can all be reached from the target system
- From CMD: DCDIAG /TEST:FSMOCHECK <enter>
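The FSMO reachability check above can also be scripted so the result is an object you can keep with the change record. The following is an added example, not code from the Ask PFE post: it assumes the ActiveDirectory module is installed on the system you are about to promote or demote, that the account running it is a domain member, and that LDAP on TCP 389 is the port you care about (the `Test-TcpPort` helper and its 3-second timeout are this example's own choices).

```powershell
## Added example (not from the AskPFE post): list every FSMO role holder and verify
## that each one answers ICMP and accepts a TCP connection on the LDAP port from here.
Import-Module ActiveDirectory

## Connect to one TCP port with a timeout; Test-NetConnection only exists on 2012+, so
## this uses .NET directly and works on older PowerShell versions too.
function Test-TcpPort {
    Param ([string] $ComputerName, [int] $Port = 389, [int] $TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

## One row per FSMO role: who holds it and whether it is reachable from this system.
function Get-FsmoReachability {
    Param ([string] $DomainName = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $domain = Get-ADDomain $DomainName
    $roles = @{
        'SchemaMaster'         = $forest.SchemaMaster
        'DomainNamingMaster'   = $forest.DomainNamingMaster
        'PDCEmulator'          = $domain.PDCEmulator
        'RIDMaster'            = $domain.RIDMaster
        'InfrastructureMaster' = $domain.InfrastructureMaster
    }
    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        New-Object PSObject -Property @{
            Role     = $role
            Holder   = $holder
            Pingable = Test-Connection -ComputerName $holder -Count 1 -Quiet
            LdapOpen = Test-TcpPort -ComputerName $holder -Port 389
        }
    }
}

## Any row with LdapOpen = False is a reason to stop before running DCPROMO.
Get-FsmoReachability | Format-Table Role, Holder, Pingable, LdapOpen -AutoSize
```

A row that pings but fails the LDAP connect usually points at a firewall between sites rather than a down role holder, which is worth knowing before the promotion rather than during it.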
Read the rest here:
First, Do No Harm
While “1 Billon RIDs should be enough for anyone,” there are scenarios where a domain could run out of RIDs. This is a “very bad thing” since every security principal requires a RID for creation (Domain SID + RID = security principal SID). One can check the number of RIDs remaining in a domain through many different tools (PowerShell).
DCDIAG:
```cmd
Dcdiag.exe /TEST:RidManager /v | find /i "Available RID Pool for the Domain"
```
PowerShell
```powershell
#######################
# Get Domain RID Info #
#######################
## Based on code From https://blogs.technet.com/b/askds/archive/2011/09/12/managing-rid-pool-depletion.aspx
Import-Module ActiveDirectory
## The original referenced $ADDomainDistinguishedName and $DomainDNS without defining them; derive both from Get-ADDomain
$ADDomain = Get-ADDomain
$ADDomainDistinguishedName = $ADDomain.DistinguishedName
Write-Verbose "Get RID Information from AD including the number of RIDs issued and remaining `r "
$RIDManagerProperty = Get-ADObject "cn=rid manager`$,cn=system,$ADDomainDistinguishedName" -Property RIDAvailablePool -Server $ADDomain.RIDMaster
$RIDInfo = $RIDManagerProperty.RIDAvailablePool
## rIDAvailablePool packs two values: high 32 bits = size of the RID space, low 32 bits = next RID to be issued
[int32]$TotalSIDS = [math]::Floor($RIDInfo / ([math]::Pow(2,32)))   ## Floor: a bare [int32] cast rounds and can overshoot by one
[int64]$Temp64val = $TotalSIDS * ([math]::Pow(2,32))
[int32]$CurrentRIDPoolCount = $RIDInfo - $Temp64val
$RIDsRemaining = $TotalSIDS - $CurrentRIDPoolCount
$RIDsIssuedPcntOfTotal = ( $CurrentRIDPoolCount / $TotalSIDS )
$RIDsIssuedPercentofTotal = "{0:P2}" -f $RIDsIssuedPcntOfTotal
$RIDsRemainingPcntOfTotal = ( $RIDsRemaining / $TotalSIDS )
$RIDsRemainingPercentofTotal = "{0:P2}" -f $RIDsRemainingPcntOfTotal
Write-Output "RIDs Issued: $CurrentRIDPoolCount ($RIDsIssuedPercentofTotal of total) `r "
Write-Output "RIDs Remaining: $RIDsRemaining ($RIDsRemainingPercentofTotal of total) `r "
```
Windows Server 2012 provides the capability to expand the RID pool to 2 billion RIDs by reclaiming the 31st bit (through SidCompatibilityVersion). Of course, this is a last resort scenario since a domain of all 2012 DCs is highly recommended (though 2003 and newer have a hotfix for supporting this “feature”).
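To make the RID arithmetic and the effect of the 31st-bit expansion concrete, here is an added example (not from the blog or the ASKDS post) that decodes a rIDAvailablePool value offline and grades it against warning thresholds. The two sample pool values are constructed, the 80%/95% thresholds are this example's own assumption rather than Microsoft guidance, and the `Get-RidPoolStatus` function name is invented here.

```powershell
## Added example: decode rIDAvailablePool and flag pools approaching exhaustion.
## Works on constructed values, so it runs without a domain; the commented tail shows
## how to feed it a live value.

function Get-RidPoolStatus {
    Param (
        [Parameter(Mandatory=$true)][int64] $RIDAvailablePool,
        [int] $WarnPercent = 80,    # assumed thresholds, not a Microsoft recommendation
        [int] $CritPercent = 95
    )
    ## High 32 bits: size of the domain's RID space (0x3FFFFFFF by default, 0x7FFFFFFF
    ## once the 2012 31st-bit expansion is enabled). Low 32 bits: next RID to be issued.
    $total     = [int64][math]::Floor($RIDAvailablePool / 4294967296)
    $issued    = [int64]($RIDAvailablePool - ($total * 4294967296))
    $remaining = $total - $issued
    $usedPct   = [math]::Round(($issued / $total) * 100, 2)
    $state = if ($usedPct -ge $CritPercent) { 'CRITICAL' }
             elseif ($usedPct -ge $WarnPercent) { 'WARNING' }
             else { 'OK' }
    New-Object PSObject -Property @{
        PoolSize      = $total
        Expanded31Bit = ($total -gt 0x3FFFFFFF)
        RIDsIssued    = $issued
        RIDsRemaining = $remaining
        PercentUsed   = $usedPct
        Status        = $state
    }
}

## Constructed sample values (not read from a real domain): the same 950,000,000 RIDs
## issued against the default 30-bit space and against the expanded 31-bit space.
$defaultPool  = [int64]0x3FFFFFFF * 4294967296 + 950000000   # ~88% used -> WARNING
$expandedPool = [int64]0x7FFFFFFF * 4294967296 + 950000000   # ~44% used -> OK

foreach ($v in $defaultPool, $expandedPool) {
    Get-RidPoolStatus -RIDAvailablePool $v | Format-List PoolSize, Expanded31Bit, RIDsIssued, RIDsRemaining, PercentUsed, Status
}

## Against a live domain (assumes the ActiveDirectory module):
## $dom = Get-ADDomain
## $v = (Get-ADObject "CN=RID Manager`$,CN=System,$($dom.DistinguishedName)" -Property rIDAvailablePool -Server $dom.RIDMaster).rIDAvailablePool
## Get-RidPoolStatus -RIDAvailablePool $v
```

The two sample values show why expansion is a stop-gap: it halves the percentage used without changing how many RIDs have been consumed, so whatever is burning RIDs (bulk provisioning scripts, repeated failed creations) still needs to be found.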
Windows 2012 provides several RID protection mechanisms:
All of the details at the ASKDS Blog:
ASKDS covers Windows Server 2012 RID Expansion
Sometimes it is necessary to query a Global Catalog (port 3268) for forest-wide data (such as checking for a ServicePrincipalName). Finding a local, online GC is the best method for this. The script below prefers DCs running Windows Server 2008 or newer, since those run ADWS.
Here’s the code:
```powershell
Import-Module ActiveDirectory

## Discover a GC in the local site (falling back to the next closest site) that also runs
## ADWS so the AD cmdlets can talk to it. The original repeated this block twice and asked
## only for ADWS (-Service 6), which could hand back a DC that is not a GC.
function Find-LocalGC {
    $LocalSite = [string](Get-ADDomainController -Discover).Site
    $NewTargetGC = Get-ADDomainController -Discover -Service ADWS,GlobalCatalog -SiteName $LocalSite -ErrorAction SilentlyContinue
    IF (!$NewTargetGC) {
        $NewTargetGC = Get-ADDomainController -Discover -Service ADWS,GlobalCatalog -NextClosestSite
    }
    ## HostName comes back as a one-element collection from -Discover; cast before appending the port
    return ([string]$NewTargetGC.HostName) + ":3268"
}

IF ($TargetGC) { ## OPEN IF TargetGC has a value
    $GCInfo = Get-ADDomainController $TargetGC
    ## OperatingSystemVersion is a string such as "6.1 (7601)"; compare the numeric part as a version
    $GCVersion = [version]($GCInfo.OperatingSystemVersion -replace '\s.*$', '')
    IF ($GCVersion -lt [version]'6.0') { ## OPEN IF TargetGC is not running Windows 2008 or higher
        $LocalGC = Find-LocalGC
    } ## CLOSE IF TargetGC is not running Windows 2008 or higher
    ELSE {
        $LocalGC = $GCInfo.HostName + ":3268"
    }
} ## CLOSE IF TargetGC has a value
ELSE { ## OPEN ELSE TargetGC is not set
    Write-Output "Discover Local GC running ADWS `r "
    $LocalGC = Find-LocalGC
} ## CLOSE ELSE TargetGC is not set
```
Often it is necessary to use the same DC for a series of updates, or errors will occur when a later command lands on a DC that has not yet replicated the earlier change.
Here's a way to do this that includes connection testing (is the DC online?), which you don't get with Get-ADDomainController.
This method first finds a local DC running ADWS (Active Directory Web Services, the service on a DC that the AD PowerShell module talks to), then checks a nearby site, then rolls through all the DCs (operating as GCs) until an online one is found.
Here’s the code:
```powershell
Import-Module ActiveDirectory

## Probe a candidate DC by touching its SYSVOL share. Test-Path returns $False (it does not
## throw) when the DC is unreachable, which is the online check Get-ADDomainController lacks.
function Test-DCOnline { Param ([string] $HostName) return (Test-Path "\\$HostName\SYSVOL") }

Write-Output "Discovering local DC running PowerShell ADWS `r "
$TargetDC = [string](Get-ADDomainController -Discover -ForceDiscover -Service ADWS).HostName
IF (!(Test-DCOnline $TargetDC)) {
    Write-Output "Unable to connect to $TargetDC - Discovering a new DC `r "
    $TargetDC = $null   ## the original left the dead hostname in place, so its fallbacks never ran
}

IF (!$TargetDC) { ## OPEN IF no TargetDC yet: try every DC in the local site
    Write-Output "Discover DC running ADWS in the local site `r "
    $LocalSite = [string](Get-ADDomainController -Discover).Site
    $LocalDCs = Get-ADDomainController -Filter { Site -eq $LocalSite }
    ForEach ($DC in $LocalDCs) { ## the original's "ForEach ($DC.HostName in ...)" is not valid syntax
        IF (Test-DCOnline $DC.HostName) { $TargetDC = $DC.HostName ; break }
    }
} ## CLOSE IF no TargetDC yet

IF (!$TargetDC) { ## OPEN IF still no TargetDC: roll through every GC in the domain
    Write-Output "Discover DC running ADWS anywhere in the domain `r "
    $AllDCs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $True }
    ForEach ($DC in $AllDCs) {
        IF (Test-DCOnline $DC.HostName) { $TargetDC = $DC.HostName ; break }
    }
} ## CLOSE IF still no TargetDC

Write-Output "Setting DC target to $TargetDC `r "
```
One of my customers has an issue with DCs in far-flung locations affected by older hardware and power instability. For this (and other reasons) there are many, many Journal Wrap issues.
Here's a script that detects a Journal Wrap on a DC and, with the -Fix switch, resolves it by performing a D2 (nonauthoritative restore) of SYSVOL.
```powershell
Param (
    [Parameter(Mandatory=$true)][string] $DCName,   ## the original used $DCName without declaring it
    [switch] $Fix
)
Import-Module ActiveDirectory
## Intended to run on the DC being repaired: the service stop/start calls are local, while the
## registry and event-log calls address the DC by its host name.

###############
# Get DC Info #
###############
$DCInfo = Get-ADDomainController -Identity $DCName
$DCHostName = $DCInfo.HostName
$DCOS = $DCInfo.OperatingSystem

## Return today's FRS events with one property layout regardless of OS. The original kept two
## copies of this logic and filtered the Get-EventLog output on TimeCreated, a property that
## Get-EventLog objects do not have, so the 2003 branch never matched anything.
function Get-FRSEventsToday {
    $Since = (Get-Date).Date
    IF ($DCOS -match "2008|2012") { ## 2008 or newer: use Get-WinEvent
        Get-WinEvent -ComputerName $DCHostName -LogName "File Replication Service" -MaxEvents 25 |
            Where-Object { $_.TimeCreated -ge $Since } |
            Select-Object TimeCreated, ID, ProviderName, Message
    }
    ELSE { ## older: use Get-EventLog and rename its properties to match
        Get-EventLog -ComputerName $DCHostName -LogName "File Replication Service" -After $Since |
            Select-Object @{n='TimeCreated';e={$_.TimeGenerated}}, @{n='ID';e={$_.EventID}},
                          @{n='ProviderName';e={$_.Source}}, Message
    }
}

##########################
# Check for Journal Wrap #
##########################
Write-Output "Restarting NTFRS Service to verify that the DC is in Journal Wrap `r "
Restart-Service "NTFRS"
Write-Output "Check the FRS event log for Journal Wrap events on $DCHostName... `r"
[bool]$DCJournalWrap = $False
[array]$JournalWrapEvents = @()
ForEach ($Event in (Get-FRSEventsToday)) {
    IF ($Event.ID -eq 13568) { ## 13568 = Journal Wrap
        $JournalWrapEvents += $Event.TimeCreated
        $DCJournalWrap = $True
        Write-Host "$DCHostName has logged a Journal Wrap in the event log. `r " -fore Red
    }
}

IF ( ($DCJournalWrap -eq $True) -AND ($Fix -eq $True) ) { ## the original tested $DCInJournalWrap, which was never set
    ###################################
    # Perform Journal Wrap Resolution #
    ###################################
    Write-Output "Discovered the DC is currently in Journal Wrap. Performing Resolution Steps... `r "
    Write-Output "Stopping the NTFRS service `r "
    Stop-Service "NTFRS"
    Write-Output "Setting the NTFRS BurFlags to D2 (nonauthoritative restore) on $DCHostName `r "
    $key = "System\CurrentControlSet\Services\NTFRS\Parameters\Backup/Restore\Process at Startup"
    $valuename = "BurFlags"
    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $DCHostName)
    $regkey = $reg.OpenSubKey($key, $true)
    $PreviousBurFlags = $regkey.GetValue($valuename)
    ## BurFlags is a REG_DWORD; the original wrote the string "D2", which FRS does not read as 0xD2
    $regkey.SetValue($valuename, 0xD2, [Microsoft.Win32.RegistryValueKind]::DWord)
    $regkey.Close()
    Write-Output "Starting the NTFRS service `r "
    Start-Service "NTFRS"
    Write-Output "Waiting for the NTFRS service to start on $DCHostName `r "
    Start-Sleep -Seconds 30
    Write-Output "Checking event log for FRS NonAuthoritative Restore `r "
    [bool]$DCD2Event = $False
    ForEach ($Event in (Get-FRSEventsToday)) {
        IF ($Event.ID -eq 13565) { $DCD2Event = $True } ## 13565 = nonauthoritative restore started
    }
    IF ($DCD2Event -eq $True) {
        Write-Output "The FRS D2 NonAuthoritative Restore was Initiated on $DCHostName and this can take anywhere from 5 minutes up to several hours. You can check in later on the status. `r "
    }
    ELSE {
        Write-Output "No event was found in the FRS log for the FRS D2 NonAuthoritative Restore. Check this log for event ID #13565 `r "
    }
}
```
Windows Server 2008 changed the NSPI (Name Service Provider Interface) connection limit from unlimited to 50 connections. This can affect a number of applications, including Symantec, BlackBerry, and others.
The real issue involves third-party (non-Microsoft) products (again, like Symantec and BlackBerry).
Symantec may recommend setting this value to 0xffffffff (~4 billion), effectively rolling back the limit (to be fair, they do state it may not be desirable to set the maximum and they provide a formula). I would not recommend setting NSPI to such a high value. Set it to 100 or 150 first to see if that resolves the issue, then gradually increase the number by about 100.
The underlying issue is that the application needs to be fixed to work within the connection limit.
From Microsoft KB 949469:
To resolve this issue, check all NSPI connections that processes on the client create for connection leaks. For example, a call to the NspiBind function must have a corresponding call to the NspiUnbind function when an NSPI connection is no longer required. This operation may require that you debug any custom scripts or applications that are using NSPI. If this issue affects external applications, contact the software vendors for updates.
Note The Outlook NSPI MAPI provider that is installed with Microsoft Outlook is only intended for use with Microsoft Outlook. External scripts and applications that rely on the Outlook NSPI MAPI provider are not supported.
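Putting the advice above into a repeatable change, here is an added example that is not from the blog post or KB 949469. It reads the current limit from the registry and proposes the next step of the "start at 100, then add about 100" approach rather than jumping to 0xffffffff. The key `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters` and the value name `NSPI max sessions per user` are the ones KB 949469 documents; the 500 ceiling and the function names are this example's own assumptions, and it assumes a restart of the DC is needed before a new value applies.

```powershell
## Added example: inspect and step up the per-user NSPI session limit on a DC.
## Run on the DC itself with administrative rights.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Name = 'NSPI max sessions per user'

## Current limit; an absent value means the Windows Server 2008 default of 50 applies.
function Get-NspiSessionLimit {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -and $item.$Name -ne $null) {
        ## REG_DWORD reads back as Int32, so 0xffffffff appears as -1; mask to the unsigned value
        return ([int64]$item.$Name -band 0xFFFFFFFF)
    }
    return 50
}

## Write a new limit, refusing anything above an assumed ceiling so the "raise it to ~4 billion"
## shortcut cannot be applied by accident. The leak in the client is the thing to fix.
function Set-NspiSessionLimit {
    Param (
        [Parameter(Mandatory=$true)][int64] $Limit,
        [int64] $MaxAllowed = 500   # assumed ceiling for this script, not a Microsoft value
    )
    if ($Limit -le 0 -or $Limit -gt $MaxAllowed) {
        throw "Refusing to set '$Name' to $Limit; check the application for NspiBind calls without a matching NspiUnbind first"
    }
    New-ItemProperty -Path $Key -Name $Name -Value ([int32]$Limit) -PropertyType DWord -Force | Out-Null
    Write-Output "'$Name' set to $Limit (assumed: applies after the DC restarts)"
}

## Propose the next step: 100 if still at the default, otherwise current + 100.
function Get-NextNspiStep {
    Param ([int64] $Current = (Get-NspiSessionLimit))
    if ($Current -lt 100) { return 100 } else { return $Current + 100 }
}

$current = Get-NspiSessionLimit
$next = Get-NextNspiStep -Current $current
Write-Output "Current NSPI limit: $current; proposed next step: $next"
# Set-NspiSessionLimit -Limit $next    # uncomment once the change is approved
```

Keeping the old value in the change record (the `Get-NspiSessionLimit` output) gives you a known rollback point, and the ceiling in `Set-NspiSessionLimit` forces a conversation with the vendor once a few increments have not fixed the symptom.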
References: