Using PowerShell to Transfer FSMO Roles

You may be familiar with the traditional ways to transfer FSMO roles but how about by using PowerShell?  By now you should just know that PowerShell can do everything the GUI can do…well at least that is the way it feels to me. 

If you want to use PowerShell to transfer any of your five FSMO roles (PDC Emulator, RID Master, Infrastructure Master, Domain Naming Master and Schema Master) you will first need to import the Active Directory module into PowerShell (ipmo is the alias for Import-Module):

ipmo activedirectory

Now that you have the AD module loaded, the cmdlet you will use for this is quite long: Move-ADDirectoryServerOperationMasterRole.  Thankfully we have Get-Help and tab completion to help us remember it.  All I need to do is type Move-AD and press Tab to complete the rest.  There is only one other cmdlet with a similar name, Move-ADDirectoryServer, which moves a DC to another site, so just remember you are trying to move the FSMO role and not the server.

When entering the cmdlet you need to specify the operation master roles to move.  The names for the five roles are PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster and DomainNamingMaster.  To specify more than one role, separate them with a comma.

An example of me moving the RID Master and PDC Emulator to DC2 is as follows:

Move-ADDirectoryServerOperationMasterRole -Identity "DC2" -OperationMasterRole RIDMaster,PDCEmulator

A feature that I just love in PowerShell is the -WhatIf parameter.  Adding it to your command does a dry run and tells you what would change if you ran the command without it.  Without -WhatIf the cmdlet prompts you to confirm each role it moves, so add -Confirm:$false if you are scripting it.

One key thing to note here is that I am NOT seizing the FSMO role: this is a transfer, so the current role holder has to be online.  For a seizure you will need to use NTDSUtil as defined here.  The cmdlet does have a -Force switch that seizes the role, but only use it when the current holder is gone for good, because a seized holder must never be brought back online believing it still owns the role.
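As an added example (my own code, not part of the original post), here is the transfer wrapped in a function that shows the role holders before and after, refuses to target a read-only DC, and defaults to a -WhatIf dry run until you pass -Commit.  It assumes the RSAT AD module is installed and that you are running with the rights the role needs (Domain Admins for the domain roles, Enterprise Admins for Domain Naming Master, Schema Admins for Schema Master); DC2 and the domain name are placeholders.

```powershell
# Added example: transfer FSMO roles with a dry run first. Not from the original post.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Domain-wide roles come from Get-ADDomain, forest-wide roles from Get-ADForest
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest -Identity $d.Forest
    New-Object PSObject -Property @{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory=$true)][string]$TargetDc,          # e.g. DC2 (placeholder)
        [Parameter(Mandatory=$true)]
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')]
        [string[]]$Role,
        [switch]$Commit                                          # without this, only -WhatIf runs
    )
    $dc = Get-ADDomainController -Identity $TargetDc
    if ($dc.IsReadOnly) {
        throw "$TargetDc is a read-only DC; operations master roles cannot be moved to it"
    }

    'Role holders before:'
    Get-FsmoRoleHolders | Format-List

    if (-not $Commit) {
        # Dry run: reports what would move, changes nothing
        Move-ADDirectoryServerOperationMasterRole -Identity $dc -OperationMasterRole $Role -WhatIf
        return
    }

    # This is a TRANSFER: the current holder must be online. -Confirm:$false only suppresses
    # the per-role prompt. Deliberately no -Force, because -Force would SEIZE the role.
    Move-ADDirectoryServerOperationMasterRole -Identity $dc -OperationMasterRole $Role -Confirm:$false

    'Role holders after:'
    Get-FsmoRoleHolders | Format-List
}

# Usage (placeholders):
#   Move-FsmoRole -TargetDc DC2 -Role RIDMaster,PDCEmulator           # dry run
#   Move-FsmoRole -TargetDc DC2 -Role RIDMaster,PDCEmulator -Commit   # real transfer
```

The before/after listing is the check you want in a change record: the "after" output should show the target DC for exactly the roles you named and nothing else.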

Must Have Active Directory Commands

I’ve pulled together a list of commands that can be used to help gather information from Active Directory.  Sure there are plenty of commands out there, but the following are the ones that I use and have stored in my own mental memory banks…no jokes on the lack of memory banks either  :,,)

Viewing local and remote FSMO roles:
local:  netdom query fsmo
remote: netdom query /domain:%domainname% fsmo

List of your Domain Controllers:
Nltest /dclist:%userdnsdomain%

Cool stuff with groups
Determine the current scope of a security group:
dsget group %GroupDN% -scope -secgrp
Change a group's scope to universal:
dsmod group %GroupDN% -scope u
Change a universal group's scope to global (g) or domain local (l):
dsmod group %GroupDN% -scope g
dsmod group %GroupDN% -scope l
(Global and domain local cannot be converted into each other directly, which is why the universal step comes first.)

Active Directory Domain Services Resources

I pulled together a few links to help point people in the right direction on resources for AD in Windows Server 2008.  You’ll find all kinds of goodies, from virtual labs to videos by some of your favorite public speakers and of course what I think are the must have…the Guides!


Links and Documents:
AD DS Operations Guide
AD DS Design Guide
AD DS Deployment Guide
Server 2008 Auditing AD DS Changes Step-by-Step Guide
Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration
Step-by-Step Guide for Read-Only Domain Controllers

Free Virtual Labs:
Managing Active Directory – Directory Services
Fine Grained Password Settings in Windows Server 2008 (Beta 3)

Videos:
AD in Server 2008
Fine Grained Password Policies
Prepare for RODCs
Install a RODC from IFM
Group Policy in 2008

How to Remove a Failed or Offline DC

I’ve seen this issue come up time and time again.  Some administrator decided to remove an old DC from the network but forgot to remove it from Active Directory, or the DC has entered a failed state and cannot be recovered.  In a perfect world DCPROMO is all you have to do to remove a DC from the environment.  However, if that DC is already shut down or DCPROMO is giving you problems, you will have to remove it the manual way, using a command called NTDSUTIL.  NTDSUTIL is a command line tool that allows you to perform some of the more advanced Active Directory maintenance tasks.  (On Windows Server 2008 the updated Sites and Services and Users and Computers tools also perform this metadata cleanup when you delete the server or computer object, but the NTDSUTIL steps below work on older versions too and show you exactly what is being removed.)

Below are the steps needed to remove a failed or offline Domain Controller from your environment.
TIP: NTDSUTIL does not require the full command to be entered; you only have to enter enough of the command to make it unique.  For example, instead of typing metadata cleanup you could just type met cle, or better yet m c.

  1. Open the Command Prompt
  2. Type ntdsutil (all the commands will be entered via this command prompt)
  3. Type metadata cleanup
  4. Type connections
  5. Type connect to server <ServerName>, replacing <ServerName> with the name of a functional DC in your environment, even if you are logged on locally.  This step is not needed on Windows Server 2003 SP1 and later, where NTDSUTIL connects automatically.
  6. Type quit
  7. Type select operations target
  8. Type list sites
  9. Type select site <#> where <#> is the site where the failed or offline DC resided
  10. Type list servers in site
  11. Type select server <#>  where <#> is the DC that is failed or offline
  12. Type list domains
  13. Type select domain <#>  where <#> is the domain where the failed or offline DC resided (at this point you should verify that the site, server and domain are all selected)
  14. Type quit (this should set you back to the metadata cleanup menu)
  15. Type remove selected server ( a warning message will pop up…verify that this is the correct DC…in fact get a peer to verify it for you too)
  16. Click Yes
  17. Open Active Directory Sites and Services
  18. Expand out the site that the failed or offline DC resided in
  19. Verify the DC cannot be expanded out (no connection objects and such)
  20. Right Click the DC and select Delete
  21. Close Active Directory Sites and Services
  22. Open Active Directory Users and Computers
  23. Expand the Domain Controllers OU
  24. Delete the failed or offline DC from the OU (if it even exists)
  25. Close Active Directory Users and Computers
  26. Open DNS Manager
  27. Expand the zones where this DC was also a DNS server and perform the following steps
  28. Right click the zone and select Properties
  29. Click the Name Servers tab
  30. Remove the failed or offline DC from the Name Servers tab
  31. Click OK to also remove the HOST (A) or Pointer (PTR) record if asked
  32. Verify the zone no longer has a DNS record for the failed or offline DC
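As an added example (my own code, not from the original post), the script below audits everything the 32 steps are meant to remove for a given DC, so you can confirm the cleanup is complete, or find the DC somebody "removed" years ago that is still causing replication and DNS errors.  It also wraps the NTDSUTIL removal from steps 3 to 16 in its one-line form.  It assumes the RSAT AD module, that dnscmd.exe is available and that the PDCe is also a DNS server for the zone; DC3 and contoso.com are placeholders.

```powershell
# Added example: audit leftovers of a failed/offline DC. Not from the original post.
Import-Module ActiveDirectory

function Get-OrphanedDcArtifacts {
    param(
        [Parameter(Mandatory=$true)][string]$DcName,            # short name, e.g. DC3 (placeholder)
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $d     = Get-ADDomain -Identity $Domain
    $cfg   = (Get-ADRootDSE -Server $Domain).configurationNamingContext
    $found = @()

    # 1. Server and NTDS Settings objects in the Configuration partition
    #    (what "remove selected server" and the Sites and Services delete clean up)
    $servers = Get-ADObject -Server $Domain -SearchBase "CN=Sites,$cfg" `
               -Filter { objectClass -eq 'server' -and name -eq $DcName }
    foreach ($s in $servers) {
        $found += New-Object PSObject -Property @{ Kind = 'Server object'; Where = $s.DistinguishedName }
        $ntds = Get-ADObject -Server $Domain -SearchBase $s.DistinguishedName -Filter { objectClass -eq 'nTDSDSA' }
        foreach ($n in $ntds) {
            $found += New-Object PSObject -Property @{ Kind = 'NTDS Settings'; Where = $n.DistinguishedName }
        }
    }

    # 2. Computer account in the Domain Controllers OU
    $computers = Get-ADComputer -Server $Domain -SearchBase $d.DomainControllersContainer -Filter { name -eq $DcName }
    foreach ($c in $computers) {
        $found += New-Object PSObject -Property @{ Kind = 'Computer account'; Where = $c.DistinguishedName }
    }

    # 3. SYSVOL replication membership (FRS or DFSR); a stale member keeps generating errors
    $members = Get-ADObject -Server $Domain -SearchBase $d.SystemsContainer `
               -Filter { (objectClass -eq 'nTFRSMember' -or objectClass -eq 'msDFSR-Member') -and name -eq $DcName }
    foreach ($m in $members) {
        $found += New-Object PSObject -Property @{ Kind = 'SYSVOL replication member'; Where = $m.DistinguishedName }
    }

    # 4. DNS: still listed as a name server for the zone, or still has an A record?
    $dns  = $d.PDCEmulator                     # assumption: the PDCe runs DNS for this zone
    $fqdn = [regex]::Escape("$DcName.$Domain")
    $ns   = dnscmd $dns /EnumRecords $Domain '@' /Type NS 2>$null
    if ($ns -match "\sNS\s+$fqdn\.?\s*$") {
        $found += New-Object PSObject -Property @{ Kind = 'NS record'; Where = "$Domain zone, Name Servers tab" }
    }
    $a = dnscmd $dns /EnumRecords $Domain $DcName /Type A 2>$null
    if ($a -match '\sA\s+\d+\.\d+\.\d+\.\d+') {
        $found += New-Object PSObject -Property @{ Kind = 'A record'; Where = "$DcName in zone $Domain" }
    }
    return $found
}

# One-line equivalent of steps 3-16: ntdsutil accepts the whole command chain as arguments.
# Pass the 'Server object' DN reported by Get-OrphanedDcArtifacts. The confirmation dialog
# still appears, which is the moment to get a peer to read the DN with you.
function Remove-DcMetadata {
    param([Parameter(Mandatory=$true)][string]$ServerDn)
    if ($ServerDn -notmatch '^CN=[^,]+,CN=Servers,CN=[^,]+,CN=Sites,CN=Configuration,') {
        throw "Not a server object DN: $ServerDn"
    }
    ntdsutil "metadata cleanup" "remove selected server $ServerDn" quit quit
}

# Usage (placeholders):
#   Get-OrphanedDcArtifacts -DcName DC3 -Domain contoso.com | Format-Table Kind, Where -AutoSize
#   Remove-DcMetadata -ServerDn 'CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com'
```

Run the audit before and after the removal: an empty result afterwards means steps 3 through 32 all took, and a non-empty result on a DC you thought was long gone is the usual cause of those "replication partner not found" and stale-NS lookups.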

You can also find more info located on Microsoft site here and here for removing orphaned domains.

Must Have Group Policy Setting!

I recently blogged about time and how critical it is in a domain environment.  Just this morning I read a post from the Directory Services Team that shows how to use a WMI filter on a Group Policy Object so that whichever DC currently holds the PDC Emulator role always gets the right time configuration, even after the role moves.  You need to read through that post and really consider implementing a similar policy in your environment.

The only portion that is missing from that post is the location of the W32Time settings in Group Policy.  The policy you will be configuring is located under Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client.

 

After you enable it you will want to change the default Type setting from NT5DS (which means sync from the domain hierarchy, ending at the PDCe) to NTP.  This is because we are configuring this for the PDCe itself, which should be pointing at a reliable time source (internal or external).  You will also enter that reliable source in the NtpServer box; the PDCe is the one machine in the forest that must not be left on NT5DS, because there is nothing above it in the hierarchy for it to sync from.
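As an added example (my own code, not from the Directory Services Team post or the original), this script checks on a given DC whether the WMI filter would match it and whether the NTP client settings in effect came from policy or were set locally.  It assumes the filter uses the Win32_ComputerSystem DomainRole property (value 5 is the PDC emulator), which is the usual way to target that role; the w32tm /query output it parses exists on Windows Server 2008 and later.

```powershell
# Added example: verify the PDCe time GPO actually applies. Not from the original post.

# The same WQL you put in the GPO's WMI filter. DomainRole 5 = Primary Domain Controller.
function Test-IsPdcEmulator {
    $cs = Get-WmiObject -Query "SELECT DomainRole FROM Win32_ComputerSystem WHERE DomainRole = 5"
    return ($cs -ne $null)
}

# 'w32tm /query /configuration' tags every value with (Local) or (Policy), which tells you
# whether the GPO won or someone hand-edited the registry.
function Get-W32TimeSetting {
    param([string[]]$Name = @('Type','NtpServer','AnnounceFlags'))
    $result = @{}
    foreach ($line in (w32tm /query /configuration)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*\((Local|Policy)\)\s*$' -and $Name -contains $matches[1]) {
            $result[$matches[1]] = New-Object PSObject -Property @{ Value = $matches[2]; Source = $matches[3] }
        }
    }
    return $result
}

# Returns a list of findings; empty means this host is configured the way the post describes.
function Test-PdcTimePolicy {
    $isPdc    = Test-IsPdcEmulator
    $cfg      = Get-W32TimeSetting
    $type     = $cfg['Type']
    $server   = $cfg['NtpServer']
    $findings = @()

    if ($isPdc) {
        if ($type -eq $null -or $type.Value -ne 'NTP') {
            $findings += "PDCe Type is '$(if ($type) { $type.Value } else { 'unset' })', not NTP: it has no upstream time source"
        }
        if ($type -ne $null -and $type.Source -ne 'Policy') {
            $findings += "PDCe time settings are Local, not from Group Policy: the next role holder will not inherit them"
        }
        if ($server -ne $null -and $server.Value -match 'time\.windows\.com') {
            $findings += "PDCe still points at the default time.windows.com peer"
        }
    } else {
        if ($type -ne $null -and $type.Value -eq 'NTP' -and $type.Source -eq 'Policy') {
            $findings += "Non-PDCe host received Type=NTP from policy: the WMI filter is matching too broadly"
        }
    }
    return $findings
}

# Usage: run on the DC after 'gpupdate /force'
#   Test-PdcTimePolicy
```

Run Test-PdcTimePolicy on the PDCe and on one ordinary DC: the first should return nothing, the second should return nothing too, and anything else tells you either the WMI filter or the policy link is wrong.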

I haven’t seen a great tip like this in some time.  This is one of those great little finds and I hope you enjoy it.

What W32tm is it anyway?

My daughter Alyssa and I play a game…well she might not consider it a game but she is constantly asking me “What time is it without looking”.  I’ve actually gotten pretty good at it and can usually get within a few minutes.  Not sure why she likes to play but perhaps time is something they recently talked about at school; she seems obsessed with it.  I keep telling her that at 6 she really shouldn’t worry too much about time.

Although time may not be important for my daughter, it is immensely important for Active Directory.  Most AD admins know that domain controllers and clients need to be within 5 minutes of each other to work correctly: that is the default Kerberos maximum clock skew, and a client whose clock is off by more than that cannot authenticate.  What most AD admins might not know is that time doesn’t just affect AD, it can also affect certain time-sensitive applications.  I don’t know of any out-of-the-box ones from Microsoft, but organizations have plenty of custom-built apps that may depend on synchronized clocks.  I’ve seen custom applications that need to be accurate to well under a second.

Let’s take a look at how time synchronization works in an Active Directory forest.  The magic all starts in the root domain (I always wanted to use that in my blog).  The forest root PDC Emulator (PDCe) is the authoritative time source for the whole forest and uses the Network Time Protocol (NTP) on UDP port 123.  You will want to sync the PDCe with a reliable source, either internal (perhaps a router or GPS appliance) or external.  The problem with going external is that plain NTP from the internet is unauthenticated, so you have no way to verify that the time you receive really came from the source you asked, whereas the domain hierarchy below the PDCe uses authenticated synchronization.

Clients and servers in your forest root domain will sync their time with any DC in the forest root.  This is all configured in the registry at the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.  Domain members have the Type value set to NT5DS, which configures them to use the domain hierarchy for time.  Some people change this to NTP, which means the machine goes to a specific time source instead of the hierarchy, but I prefer to keep the default here because it works!  If you’re crazy enough you could set it to NoSync so that it relies on the CMOS clock…I just don’t have enough faith in the batteries for that.

If you have child domains or other tree roots in your forest, realize that the forest root PDCe is STILL the authority for forest-wide time synchronization.  The PDCe of each child domain syncs its time with the forest root PDCe or any DC in the root (and those root DCs get their time from the root PDCe).  The other DCs in the child domain sync from their own PDCe, and clients and servers in the child domain always go to a DC in their own domain, so they should never go up to the forest root domain.  Clients poll for time every 45 minutes by default; after three successful synchronizations the polling interval increases to 8 hours.  Below is a great illustration of how time works in a multi-domain forest.

[Illustration: time synchronization hierarchy in a multi-domain forest]

To configure your forest root PDCe with a valid time source you should use the w32tm command:
w32tm /config /manualpeerlist:"peer1 peer2" /syncfromflags:manual /reliable:yes /update
You can, and I recommend you do, add multiple peers by separating them with a space; because of the space the whole list has to be wrapped in quotes.  Follow it with w32tm /resync so the PDCe pulls its first sample immediately instead of waiting for the next poll.  Please don’t forget to run this command on the DC that you have designated to take over the PDCe role during downtime (for example, patching), because the role moves but the time configuration does not.

To test how close your time is synced you can use the w32tm command again, except this time we get a really cool command prompt chart…hey, it’s the simple things in life that get me.
w32tm /stripchart /computer:target /samples:n
Replace target with the name of the forest root PDCe and n with the number of samples.  I prefer to take 10 samples but you can go for whatever amount you like.  This will tell you the difference between the two clocks, and adding /dataonly drops the ASCII chart and leaves just the timestamps and offsets, which is the form you want when scripting it.  More info can be found on w32tm here.

The Microsoft Directory Services team has a great blog that talks about high accuracy in w32tm and why they don’t support it.  This is a must read for all AD admins.  Don’t forget to set up an RSS feed to the Windows Time Service blog as well.

I would recommend baseline the time difference in your environment so that if an issue does occur you will know what the norm state is for your time differential.  You may also want to include some monitoring that can alert you of time drift using the baseline numbers you’ve collected.  I would also recommend talking to your developers and ensure they understand how time works in the environment.

Hopefully this sheds some light on how time works in an Active Directory forest but also how you can control and tweak it.  Oh and if you’re bored try playing the time game…its a great exercise for your mind and internal clock! :,,)

Windows Server 2008 Component Posters

Back in January of 2007 I posted that TechNet Magazine had a really cool poster that showed Active Directory as a jigsaw puzzle.  I noticed that my latest copy of TechNet Magazine included two new posters.  One of them was another Active Directory poster showing all the cool new stuff in Windows Server 2008, and the other was one of the Windows Server 2008 components.  I just saw that both of these are now available to download from Microsoft.  This is something you will want to get your hands on, and if you don’t get the TechNet magazine this is a great way to print it out too.

TechNet’s Active Directory Jigsaw

At last year’s Tech-Ed TechNet Magazine gave away a really cool Active Directory jigsaw puzzle.  I just saw that it is now available online to download.  I think it is a great resource for everyone who interacts with Active Directory to look at.  Check out the full version here in PDF format.  Just a warning: the full file is almost 9 MB.

AD Jigsaw

Where are my FSMO roles?

I have seen so many Active Directory admins use so many methods to find out who and where their FSMO role holders are.  Some will use the old-fashioned way of going through the AD tools and viewing the roles there.  Others with scripting experience have written some elaborate script to view these roles.

Either way, I have hands down the quickest and easiest way to view who your FSMO role holders are.  All you need is the Support Tools installed on the system you are using.  Go to the Support Tools command prompt and type:

netdom query fsmo

That is all that is needed.  It is quick, short and as clean as possible.

ENJOY.

Dissecting the Active Directory Infrastructure Master Role

Dean Wells has a very interesting and in-depth look at this FSMO role.  It will actually be an 8-part series on this DC role.  In the years I spent teaching AD, what this role really does was always a mystery to students.  For those who love the nitty-gritty details, this is what you have been looking for all along.


Article 1, Article 2, Article 3,Article 4, Article 5, Article 6