I’ve seen this issue come up time and time again.  Some administrator decided to remove an old DC from the network but forgot to remove it from Active Directory or the DC has entered a failed state and cannot be recovered from.  In a perfect world DCPROMO is all you have to do to remove a DC from the environment.  However, if that DC was already shutdown or DCPROMO is giving you problems you will have to remove it the manual way.  That method involves using a command called NTDSUTIL.  NTDSUTIL is a command line tool that allows you to perform some of the more advanced Active Directory maintenance tasks.

Below are the steps needed to remove a failed or offline Domain Controller from your environment.
TIP: NTDSUTIL does not require the full command to be entered…you only have to enter enough of the command that is unique.  For Example, instead of typing metadata cleanup you could just type met cle…or better yet m c

1. Open the Command Prompt
2. Type ntdsutil (all the commands will be entered via this command prompt)
3. Type metadata cleanup
4. Type connections
5. Type connect to server <ServerName> and replace <ServerName> with the name of a functional DC in your environment…even if you are logged in locally.  This step is not needed post W2K3 SP1.
6. Type quit
7. Type select operations target
8. Type lists sites
9. Type select site <#> where <#> is the site where the failed or offline DC resided
10. Type list servers in site
11. Type select server <#>  where <#> is the DC that is failed or offline
12. Type list domains
13. Type select domain <#>  where <#> is the domain where the failed or offline DC resided (at this point you should verify that the site, server and domain are all selected)
14. Type quit (this should set you back to the metadata cleanup menu)
15. Type remove selected server ( a warning message will pop up…verify that this is the correct DC…in fact get a peer to verify it for you too)
16. Click Yes
17. Open Active Directory Sites and Services
18. Expand out the site that the failed or offline DC resided in
19. Verify the DC cannot be expanded out (no connection objects and such)
20. Right Click the DC and select Delete
21. Close Active Directory Sites and Services
22. Open Active Directory Users and Computers
23. Expand the Domain Controllers OU
24. Delete the failed or offline DC from the OU (if it even exists)
25. Close Active Directory Users and Computers
26. Open DNS Manager
27. Expand the zones where this DC was also a DNS server and perform the following steps
28. Right click the zone and select Properties
29. Click the Name Servers tab
30. Remove the failed or offline DC from the Name Servers tab
31. Click OK to also remove the HOST (A) or Pointer (PTR) record if asked
32. Verify the zone no longer has a DNS record for the failed or offline DC

You can also find more info located on Microsoft site here and here for removing orphaned domains.

The following code can be run to display the group membership of an Active Directory group and also let you know each member’s LDAP Distinguished Name.  The output will name the text file the group name and will include all the members and their location in Active Directory.  Just copy this into a txt file and rename to .vbs  Enjoy!

Set objGroup = GetObject(“LDAP://cn=GroupName,ou=OUName,DC=DomainName,DC=local“)
Set objFileSystem = CreateObject(“Scripting.FileSystemObject”)
Set objFile = objFileSystem.OpenTextFile(objGroup.Get(“name”) & ” – Members.txt“, 2, True, 0)
For Each objMember in objGroup.Members
  objFile.WriteLine objMember.Get(“sAMAccountName”) & VbTab & _
    objMember.Get(“cn”) & VbTab & _
    objMember.Parent
Next
Set objFile = Nothing
Set objFileSystem = Nothing
Set objGroup = Nothing

From time to time I’ve had to figure out which user account has a specific email address.  Actually its more like finding who has the “reallycoolemailaccount@company.com” so another “more senior” person can get it.  Well if you work in a smaller company this can be kind of easy…but if your directory has thousands of accounts it becomes more difficult and time consuming.

What you will want to do is open up Active Directory Users and Computers and right-click the domain and select Search.  Select the drop-down arrow in the Find field to select Custom Search.  If you have multiple domains make sure to select Entire Directory on the In field.  Now just click on the Advanced tab and put the following text in the LDAP Query – proxyaddresses=smtp:<whatever the email is you’re looking for>.  Now all you have to do is click on Find Now and if the email is in use it will show the user account that is using it.

Repost from AdminPrep.com…I will be moving several of the articles over to this blog.

Before all this starts, credit must go where credit is due.  I did not come up with all of the info within this article.  A lot of people have felt my pain and have contributed in their own ways.  One place you should know about is the Official Server Core Blog, as it is where I learned my all time favorite command which embeds the time into the Command Prompt (read on to see that one!).  As I”ve collected my own list internally and blogged on for about a year now I see a lot of the same commands there.  The Windows Server 2008 Administrator”s Companion has a nice chapter on Server Core but by far the best resource are the scripts that accompany the book.  They allow you to very easily configure common settings.  One last area you should look into is of course Guy Teverovsky”s Server Core Configurator…if you haven”t see it check it out now!

Server Core is a version of Windows Server 2008 that has a minimal Graphical User Interface (GUI).  I say minimal when most say command-line only because there are GUI tools available such as Notepad and Task Manager.  One thing that definitely doesn”t run on Server Core is the Explorer process.  If you”re unaware of what that process does, just end the explorer.exe process in Task Manager from your client and look what happens…don”t freak out, all you need to do is then go back to Task Manager and select File -> New Task (Run…) and then type explorer.exe.

The purpose of this article is not to give you every last detail to Server Core but to provide you with what you need to know it get it up and running in your environment.

Server Core has a limited amount of roles that can be installed on it, which include:

• Active Directory Domain Services (AD DS) and AD Lightweight Directory Services (AD LDS)
• DNS Server
• Internet Information Services (IIS) (No ASP.NET support)
• DHCP Server
• File Services
• Print Services
• Streaming Media Services
• Hyper V

Now that doesn”t mean that Server Core can”t do other things.  In fact it can, but Microsoft calls those other items Features and not Roles.

• Microsoft Failover Cluster (not available in Standard Edition)
• Network Load Balancing
• Subsystem for UNIX-based applications
• Backup
• Multipath IO
• Removable Storage Management
• Bitlocker Drive Encryption
• Simple Network Management Protocol (SNMP)
• WINS
• Telnet

Later on in the article I will explain how to install these services.  But first its time to go over what I believe to be the most commonly requested commands for administrating a Server Core environment.

Server Core Common Networking and Firewall Commands

Here is the start of you Networking and Firewall related commands for Server Core:

Server Core Common Networking Commands

To configure the IP address we will have to remember (or learn) Netsh.

Configure a Static IP Address on Server Core:
Netsh int ipv4 set address “Local Area Connection” static 10.1.1.10 255.255.255.0 10.1.1.1
Netsh int ipv4 set dnsserver “Local Area Connection” static 10.1.1.5 primary
Netsh int ipv4 set winsserver “Local Area Connection” static 10.1.1.6 primary

Configure a Dynamic (DHCP) IP Address on Server Core:
Netsh int ipv4 set address “Local Area Connection” source=dhcp

Change the name of the network interface on Server Core:
Netsh int set interface name = “Local Area Connection” newname = “Primary Network”

Server Core Common Windows Firewall Commands:

The Windows Firewall is a blessing to some and a curse to others. Either way it is installed by default and you have to understand the commands that are needed to configure the basics and in some cases some advanced commands.

Disable firewall:
netsh firewall set opmode disable

Server Core can be managed by using MMCs from a remote server. However with the firewall being on by default you will have to allow these tools to work remotely.  The first thing to note here is how to translate the MMC Snap-in to Windows Firewall Rule Group.

MMC Snap-in – Event Viewer
Windows Firewall Rule Group – Remote Event Log Management

MMC Snap-in – Services
Windows Firewall Rule Group – Remote Services ManagementMMC Snap-in – Shared Folders
Windows Firewall Rule Group – File and Printer Sharing

MMC Snap-in – Task Scheduler
Windows Firewall Rule Group – Remote Scheduled Tasks Management

MMC Snap-in – Reliability and Performance
Windows Firewall Rule Group – Performance Logs and Alerts
Windows Firewall Rule Group – File and Printer Sharing

MMC Snap-in – Disk Management
Windows Firewall Rule Group – Remote Volume Management

MMC Snap-in – Windows Firewall with Advanced Security
Windows Firewall Rule Group – Windows Firewall Remote Management

To enable all of these rules follow use this command:
Netsh advfirewall firewall set rule group=“remote administration” new enable=yes

To enable specific commands follow this format:
Netsh advfirewall firewall set rule group=“” new enable=yes

Server Core Common Domain Management Commands

Join a domain:
netdom join ComputerName /domain:DomainName /userd:UserName /passwordd:*
Yes, /passwordd:*
needs to have that second d at the end of it.

Remove from domain:
netdom remove

Rename a Domain Member:
netdom renamecomputer %computername% /NewName: /userd: /passwordd:*

Rename Administrator:
wmic UserAccount where Name=”Administrator” call Rename Name=”new-name”

Add User to a Local Group
net localgroup GroupName /add

Remove User from a Local Group
net localgroup GroupName /delete

Confirm Domain and/ New Computer name
Set

Update User Passwords:
Net user [/domain] *

Server Core Common Server Management Commands

Toggle Remote Desktop on and off:
Cscript windowssystem32scregedit.wsf /ar 0

Enable reduced security for RDP connections:
Cscript windowssystem32scregedit.wsf /cs 0

Active Server Core:
Local method – Slmgr.vbs –ato
Remote method – Cscript windowssystem32slmgr.vbsServerName UserName password:-ato

Rename a Stand-Alone Member:
netdom renamecomputer /NewName:

List of installed patches:
wmic qfe list

Install Updates:
wusa .msu /quiet

Configure for AutoUpdates:
cscript scregedit.wsf /AU /4

Disable AutoUpdates:
cscript scregedit.wsf /AU /1

View AutoUpdate Setting:
cscript scregedit.wsf /AU /v

Configure the Page File:
wmic pagefileset where name=”” set InitialSize=,MaximumSize=

Configure a Proxy Server: (Server Core cannot use a proxy that requires a proxy)
netsh Winhttp set proxy :

All your favorite TCP/IP commands work including the following:
IPConfig
ARP
Ping
PathPing
TraceRT
Route
NSLookup
NetStat
NBTStat

List Running Services:
sc query

Start and/or Stop a Service:
sc start
sc stop

Task Manager: (Ctrl+Shift+Esc)
taskmgr

Manage Disk Volumes:
Diskpart /?

Defrag a Volume:
defrag /?

Change Time and Time Zone:
control timedate.cpl

Change the Desktop Resolution: (requires you to log off and back on)
Regedit – HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlVideo
000DefaultSettings.XResolution
000DefaultSettings.YResolution

Display the Time in the Command Prompt:
prompt [$t]$s$p$g

Log off:
shutdown /l

Restart Now:
shutdown /r /t 0

To get the Roles and Features installed you are going to need to use the ocsetup.exe command.  The OC is short for Optional Components.  The most important thing to remember about this command is that IT IS CASE SENSITIVE!!! As a best practice you should always use the /w switch with ocsetup.exe as this will hold the Command Prompt from being active (when you can type again) until the setup is complete.  Below you will find a list of the commands that are required to install Roles and Features on Server Core.

DNS
start /w ocsetup DNS-Server-Core-Role

DHCP
start /w ocsetup DHCPServerCore

File Services (Server service is installed by default) but there are other role features

File Replication Service
start /w ocsetup FRS-Infrastructure

Distributed File System
start /w ocsetup DFSN-Server

Distributed File System Replication
start /w ocsetup DFSR-Infrastructure-ServerEdition

Services for Network File System (NFS)
start /w ocsetup ServerForNFS-Base
start /w ocsetup ClientForNFS-Base

Hyper V
start /w ocsetup Microsoft-Hyper-V

Print Server feature
start /w ocsetup Printing-ServerCore-Role

Line Printer Daemon (LPD) service
start /w ocsetup Printing-LPDPrintService

Active Directory Lightweight Directory Services
start /w ocsetup DirectoryServices-ADAM-ServerCore

Active Directory Domain Services
dcpromo /unattend:

Streaming Media Services
Follow directions found in Article ID 934518

IIS
start /w pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel
To uninstall IIS use the following command
start /w pkgmgr /uu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel

NOTE: If you need to install a Role that you installed with ocsetup all you need to do is to append the commands above with /uninstall.

Now let”s take a look at how we install Features on Server Core:

Microsoft Failover Clustering
start /w ocsetup FailoverCluster-Core

Network Load Balancing
start /w ocsetup NetworkLoadBalancingHeadlessServer

Subsystem for UNIX-based applications
start /w ocsetup SUACore

Multipath IO
start /w ocsetup MultipathIo

Removable Storage
start /w ocsetup Microsoft-Windows-RemovableStorageManagementCore

Bitlocker Drive Encryption
start /w ocsetup BitLocker

Backup
start /w ocsetup WindowsServerBackup

Simple Network Management Protocol (SNMP)
start /w ocsetup SNMP-SC

Windows Internet Name Service (WINS)
start /w ocsetup WINS-SC

Telnet client
start /w ocsetup TelnetClient

NOTE: If you need to install a Feature that you installed with ocsetup all you need to do is to append the commands above with /uninstall.

Having the Role or Feature installed doesn”t do much without going in and configuring the service.  The quick and easy way to manage these Roles and Features is to have either a dedicated Terminal Server have the AdminPak or Remote Server Administrative Tools (RSAT) installed or just install those same tools on XP or Vista. 

Take a look here for more info on how to manage DNS with DNSCMD and then head over here for installing Active Directory via an answer file on Server Core.

I know this isn”t a complete listing of the commands but I really believe this should help you get started in the right direction.  One of the best resources out there is from the Windows Server 2008 Step-by-Step Guides.. For this case you will want to download the Server_Core_Installation_Option_of_Windows_Server_2008_Step-By-Step_Guide.doc guide.

In my Administrator’s Guide to Server Core Commands article on AdminPrep I showed you how to display the time on the command prompt of your Server Core command window.  I just read that Daniel Petri has some other cool shortcuts on what you can display on the command window of Server Core.  The one that I really like is the computer name.  If manage multiple Server Core servers then you already know how difficult it can be to manage different sessions…especially since they all look the same.

To display the computer name (among other things listed on Daniel’s article) you need to modify the registry.  If you don’t already know please modify the registry carefully! 

1. Navigate to the HKLMSystemCurrentControlSetControlSession ManagerEnvironment key.

2. Create or Edit a key called Prompt (it should be an Expandable String Value)          

3. Add the the following for the data – $_Server:%computername%_$p$g

You will have to log off and log back on to see the change but once you do it is a pleasant addition to the command window.  Daniel’s example shows how you can the Date, Time and User…very cool so make sure you check it out.

One thing that really bugs me is there is no easy way to grab some email addresses from a distribution group.  Usually I end up expanded the group to list all the users and then I have to go to the Outlook properties of each user to view the email address.  Heck, I can’t even copy the email address from there…instead I have to write it down.  This can be a pain for companies that have long complex email addresses.

I’ve finally figured out a way to export this info into a text file…no one said I was quick.  :,,)  To do this you just need to use either CSVDE or LDIFDE.  I use mail as the attribute I pull from these commands but you could really use any AD attribute that you want to pull.

csvde -f c:tempreport.txt -r "memberOf=cn=group name,ou=ou name,dc=domain,dc=name" -l mail

ldifde -f c:tempreport.txt -r "memberOf=cn=group name,ou=ou name,dc=domain,dc=name" -l mail

This may not be the cleanest way to pull this data but at least now I can copy and paste the email addresses.

Server Core has been a popular topic for me over the last year as it is something completly different from what i”m used to working on.  I love the GUI but I know there are times when I have to do things via the command line.  Well if you are going to deploy Server Core in your environment then you will need to have the following guide to ensure that you know how to configure your new server.

 I”ve finally compiled a list of commands for Server Core into one article over at AdminPrep. I”ve sinced moved them to my blog here.  Swing back here when your done to comment on it.

I”ve just written a small article on the common steps that I perform when doing health checks on domain controllers.  AdminPrep is not up right now so I”ll post the health check stuff here.  I would love for you to come back here and let me know what else you do when you do health checks on domain controllers.

I get asked over and over about what I do when I”m performing a health check on a domain controller.  Below you will see some of the commands that I use when I need to ensure my domain controllers are still healthy after some sort of change…like patching.

The Event Viewer is always a must.  I look at all the logs before and after the update to the domain controller looking for abnormal events.  With the pre-check I usually go back a month of logs to get more historical data. I then run through a couple command line utilities.  One thing I always do is pipe my commands out to a text document.  This just makes it easier for me to read and also search for failed events.

Dcdiag.exe /v >> c:temppre_dcdiag.txt
This is a must and will always tell you if there is trouble with your DCs and/or services associated with it

Netdiag.exe /v >> c:temppre_Netdiag.txt
This will let me know if there are issues with the networking components on the DC.  This along with the post test also is a quick easy way to ensure the patch I just installed is really installed (just check the top of the log)

Netsh dhcp show server >> c:temppre_dhcp.txt
Some may not do this but I”ve felt the pain of a DHCP server somehow not being authorized after a patch.  This allows me verify the server count and names.

Repadmin /showreps >> c:temppre_rep_partners.txt
This shows all my replication and if it was successful or not.  Just be aware that Global Catalogs will have more info here than a normal domain controller.

repadmin /replsum /errorsonly >> c:temppre_repadmin_err.txt
This is the one that always takes forever but will let you know who you are having issues replicating with.

After I run and check the pre_ scripts I update my server.  When it is done I run post_ scripts which are the same thing but this allows me to verify them against the scripts earlier.

Hopefully this helps you when you troubleshoot your domain controllers but by no way is this an all encompassing list of things to do.  These are the standard steps I take but I would love to hear what you all do as well. 

Fellow Directory Services MVP Mark Minasi has a great table that shows a ton DNS commands using dnscmd. For those of you getting ready to use Server Core here is yet another list of commands that will come in handy. All I can say is WOW!!!

My friend Norm asked if I could post this sample Sysprep.xml file as he couldn”t find anything online yet to really help him with Server 2008 and Sysprep.  If you have any questions or feedback just leave it in the comments and I”ll be sure to have Norm review them.

Here”s a sample sysprep.xml that you can use to get your Server 2008 build going. It has some of the basic functions you”ll need if you are deploying Server 2008 in an enterprise environment. This example is for the 64-bit version, using KMS (no product key in the sysprep). We do most of our configuration post-image and this configuration allows us to take a completely generic image and prepare it for enterprise deployment. This .xml is ready to go. It took me several days of trial and error to get this and I”m sure there are some admins that would love to have this as a starting point instead of what I had to start with.

Some of the things I”m doing in here:

• Auto-generated computer name
  
• Organization and Owner Information
  
• Setting language and locale
  
• Setting the initial tasks screen not to show at logon
  
• Setting server manager not to show at logon
  
• Configuring the Administrator password
  
• Creating a 2nd administrative account and setting the password
  
• Running a post-image configuration script under the administrator account at logon
  
• Setting automatic updates to not configured (to be configured post-image)
  
• Configuring the network location
  
• Configuring screen color/resolution settings
  
• Setting the time zone


• Disables IE Enhanced Security Configuration

<?xml version=”1.0″ encoding=”utf-8″?>
<unattend xmlns=”urn:schemas-microsoft-com:unattend”>
  <settings pass=”specialize”>
    <component name=”Microsoft-Windows-Shell-Setup” processorArchitecture=”amd64″ publicKeyToken=”31bf3856ad364e35″ language=”neutral” versionScope=”nonSxS” xmlns:wcm=”http://schemas.microsoft.com/WMIConfig/2002/State” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance“>
      <ComputerName>*</ComputerName>
      <RegisteredOrganization>Company Name</RegisteredOrganization>
      <RegisteredOwner>Company Name</RegisteredOwner>
      <ShowWindowsLive>false</ShowWindowsLive>
    </component>
    <component name=”Microsoft-Windows-Security-Licensing-SLC-UX” processorArchitecture=”amd64″ publicKeyToken=”31bf3856ad364e35″ language=”neutral” versionScope=”nonSxS” xmlns:wcm=”http://schemas.microsoft.com/WMIConfig/2002/State” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance“>
      <SkipAutoActivation>true</SkipAutoActivation>
    </component>

    <component name=”Microsoft-Windows-IE-ESC” processorArchitecture=”amd64″ publicKeyToken=”31bf3856ad364e35″ language=”neutral” versionScope=”nonSxS” xmlns:wcm=”http://schemas.microsoft.com/WMIConfig/2002/State” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance“>
      <IEHardenAdmin>false</IEHardenAdmin>
      <IEHardenUser>false</IEHardenUser>

    </component>
  </settings>
  <settings pass=”oobeSystem”>
    <component name=”Microsoft-Windows-International-Core” processorArchitecture=”amd64″ publicKeyToken=”31bf3856ad364e35″ language=”neutral” versionScope=”nonSxS” xmlns:wcm=”http://schemas.microsoft.com/WMIConfig/2002/State” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance“>
      <InputLocale>0409:00000409</InputLocale>
      <SystemLocale>en-us</SystemLocale>
      <UILanguage>en-us</UILanguage>
      <UserLocale>en-us</UserLocale>
    </component>

    <component name=”Microsoft-Windows-Shell-Setup” processorArchitecture=”amd64″ publicKeyToken=”31bf3856ad364e35″ language=”neutral” versionScope=”nonSxS” xmlns:wcm=”http://schemas.microsoft.com/WMIConfig/2002/State” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance“>
      <RegisteredOrganization>Company Name</RegisteredOrganization>
      <RegisteredOwner>Company Name</RegisteredOwner>
      <UserAccounts>
        <AdministratorPassword>
          <Value>@bc!23</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount wcm:action=”add”>
            <Password>
              <Value>@bc!23</Value>
              <PlainText>true</PlainText>
            </Password>
            <Description>Administrative Installer</Description>
            <DisplayName>Admin2</DisplayName>
            <Group>Administrators</Group>
            <Name>Admin2</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
      <AutoLogon>
        <Password>
          <Value>@bc!23</Value>

          <PlainText>true</PlainText>

        </Password>
        <Domain>WORKGROUP</Domain>
        <Enabled>true</Enabled>
        <LogonCount>2</LogonCount>
        <Username>Administrator</Username>
      </AutoLogon>
      <FirstLogonCommands>
        <SynchronousCommand wcm:action=”add”>

          <CommandLine>%WINDIR%POST_INSTALLERpost_installer.vbs</CommandLine>
          <Description>Post Install Script</Description>

          <Order>1</Order>
        </SynchronousCommand>
      </FirstLogonCommands>
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <NetworkLocation>Work</NetworkLocation>
        <ProtectYourPC>3</ProtectYourPC>
      </OOBE>
      <Display>
        <ColorDepth>32</ColorDepth>
        <HorizontalResolution>1024</HorizontalResolution>
        <VerticalResolution>768</VerticalResolution>
      </Display>
      <TimeZone>Eastern Standard Time</TimeZone>
    </component>
  </settings>

  <settings pass=”generalize”>

    <component name=”Microsoft-Windows-ServerManager-SvrMgrNc” processorArchitecture=”amd64″ publicKeyToken=”31bf3856ad364e35″ language=”neutral” versionScope=”nonSxS” xmlns:wcm=”http://schemas.microsoft.com/WMIConfig/2002/State” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance“>
      <DoNotOpenServerManagerAtLogon>true</DoNotOpenServerManagerAtLogon>
    </component>
    <component name=”Microsoft-Windows-OutOfBoxExperience” processorArchitecture=”amd64″ publicKeyToken=”31bf3856ad364e35″ language=”neutral” versionScope=”nonSxS” xmlns:wcm=”http://schemas.microsoft.com/WMIConfig/2002/State” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance“>
      <DoNotOpenInitialConfigurationTasksAtLogon>true</DoNotOpenInitialConfigurationTasksAtLogon>
    </component>

  </settings>
</unattend>