Aug 14 2014

Import Microsoft Custom Support Agreement updates into WSUS

Having a Custom Support Agreement (CSA) with Microsoft gives you access to security updates for OS versions that are still used in your company but are already out of support, Windows XP for example. Of course this service is not free; you have to pay for it.

If you have that agreement, you can download the released updates from the Microsoft support page, import them into your WSUS server and, if required, also add them to System Center Configuration Manager.

In this article I will stick to the WSUS part itself; for System Center Configuration Manager I add some links at the end of the article, so you can follow them for the required steps.

If you have the agreement, Microsoft will provide you with the required tool for importing the CSA updates (please do NOT ask me to give it to you). It is called WSUSImporttool.exe.

The tool must be used on the WSUS server itself. Working with the tool requires a folder structure on the server where the .cab file and the update files are stored. You may also create a working directory if you are not sure about the availability of the temp folder. For already used updates you can configure an archive, but this is not a must for WSUSImporttool.exe to work.

So basically the structure looks like this: Microsoft will use the folder “Payload” for the update files, “ScanCab” for the catalog file (.cab) and “WorkingDir” if “TEMP” is not used. “_Archive” is created for already imported updates and is not required by the WSUSImporttool.

Inside these folders you place the files downloaded from the Microsoft web site: the update files go into “Payload”, the .CAB file into “ScanCab”, and the working directory stays empty.

With that preparation you can start importing the updates with WSUSImporttool.exe.

The syntax is as follows:

WSUSImporttool.exe <WsusScan cab Location> <Payload Directory> [Working Directory]

So with the folder structure used above, the three arguments point to the ScanCab folder (the .cab file), the Payload folder and the WorkingDir folder.

After pressing ENTER the tool displays its progress output. After a while, depending on the server hardware, the final output is shown; it may also contain an entry about missing files. This happens if some updates are not available yet and will be delivered later by Microsoft. In that case just wait, check the web site for the download files and import them later.
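As an added example (not part of the original post and not Microsoft's tool), the following PowerShell script prepares the folder structure described above, refuses to start with a missing catalog or an empty Payload folder, calls WSUSImporttool.exe with the documented argument order and moves the imported files to _Archive afterwards. The paths, the assumption that the first argument is the full path of the .cab file, and the treatment of a non-zero exit code as failure are mine; adjust them to your server.

```powershell
# Added example, not part of the original post: wrapper around WSUSImporttool.exe
# for the Payload / ScanCab / WorkingDir / _Archive structure described above.
param(
    [string]$Root = 'D:\CSA',                      # assumed root of the folder structure
    [string]$Tool = 'D:\CSA\WSUSImporttool.exe'    # assumed location of the Microsoft tool
)

$scanCab    = Join-Path $Root 'ScanCab'
$payload    = Join-Path $Root 'Payload'
$workingDir = Join-Path $Root 'WorkingDir'
$archive    = Join-Path $Root '_Archive'

# Create any folder that does not exist yet.
foreach ($dir in @($scanCab, $payload, $workingDir, $archive)) {
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
}

# Exactly one catalog file is expected in ScanCab.
$cabs = @(Get-ChildItem -LiteralPath $scanCab -Filter '*.cab' | Where-Object { -not $_.PSIsContainer })
if ($cabs.Count -ne 1) {
    throw "Expected exactly one .cab file in $scanCab but found $($cabs.Count)."
}
$cab = $cabs[0]

# Refuse to run with an empty Payload folder; the import would only report missing files.
$updates = @(Get-ChildItem -LiteralPath $payload | Where-Object { -not $_.PSIsContainer })
if ($updates.Count -eq 0) {
    throw "No update files found in $payload."
}

# Start from an empty working directory so leftovers of a previous run cannot interfere.
Get-ChildItem -LiteralPath $workingDir -Force | Remove-Item -Recurse -Force

# Keep a log of every run next to the folders.
$log = Join-Path $Root ('import-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
Write-Host "Importing $($updates.Count) file(s) using catalog $($cab.Name); log: $log"

# WSUSImporttool.exe <WsusScan cab Location> <Payload Directory> [Working Directory]
# Assumption: the first argument is the full path of the .cab file.
& $Tool $cab.FullName $payload $workingDir 2>&1 | Tee-Object -FilePath $log
$exitCode = $LASTEXITCODE

# The tool's exit codes are not documented in the post; non-zero = failure is an assumption.
if ($exitCode -ne 0) {
    Write-Warning "WSUSImporttool.exe returned exit code $exitCode; check $log before archiving."
    return
}

# Move the imported files to _Archive so the same set is not imported twice.
$dest = Join-Path $archive ('{0}-{1:yyyyMMdd}' -f $cab.BaseName, (Get-Date))
New-Item -ItemType Directory -Path $dest -Force | Out-Null
$updates | Move-Item -Destination $dest
$cab | Move-Item -Destination $dest
```

Run it in an elevated PowerShell prompt on the WSUS server; the archive folder name carries the catalog name and the date, so a later delivery of the missing updates lands in its own folder.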

During the import of the updates the server will use high CPU for sqlserver.exe for a longer time; don’t worry about this, it should stop after the import. On my machine with Windows Server 2008 R2 it took roughly 10-15 minutes for the 13 updates listed above.

There will also be a re-synchronization from the WSUS server to the Microsoft download servers at the end of the process, so nothing to care about either. It will not download all already existing updates again; it just seems to compare the downloaded files with the existing ones.

At the end the updates are shown in the WSUS server, as you already know, in the unapproved updates view. You can identify them easily as CUSTOM SUPPORT is added at the end of the update name.

You will also see a Product group listed in the WSUS server, but I think that this is just created during the import process and will not download any files. I have activated the option to check this and will update the article if it works.

If sqlserver.exe does not stop using high CPU, you may run the “WsusDBMaintenance” (http://gallery.technet.microsoft.com/scriptcenter/6f8cde49-5c52-4abd-9820-f1d270ddea61) script within SQL Server Management Studio or with sqlcmd, which must be installed and used on the WSUS server.

Additional information:

http://kammaninfo.wordpress.com/category/microsoft/windows/windows-server-2012/

http://chadstech.net/microsoft-csa-patches/


Jul 30 2012

Upgrading an Active Directory Domain from Windows Server 2003 or Windows Server 2003 R2 to Windows Server 2012 or Windows Server 2012 R2

!!!NEVER START BEFORE HAVING CREATED AND TESTED A BACKUP OF YOUR DOMAIN/DATA/MACHINE!!!

A new OS Domain Controller installation should always start with the support tools, to check the domain and the Domain Controllers for errors that must be resolved beforehand. The following command line tools and programs will help you to verify whether problems exist within your domain and the Domain Controllers.

Dcdiag /v /c /d /e /s:DCName >c:\dcdiag.log [please replace DCName with your Domain Controller name]

Repadmin /showrepl dc* /verbose /all /intersite >c:\repl.log [“dc*” is a placeholder for the common starting name of the DCs, if more than one DC exists and they all begin the same]

Dnslint /ad /s DCipaddress [use http://support.microsoft.com/kb/321045 for download and instructions]

ADREPLSTATUS: http://www.microsoft.com/en-us/download/details.aspx?id=30005

——————————————-

On the old server, open the DNS management console and check that you are running Active Directory integrated zones, which is also recommended by Microsoft.

——————————————-

The schema must be updated for the new OS Domain Controller, so even if the update is done automatically, you may check it beforehand. Therefore you can use the following command:

“Dsquery * cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr objectVersion” without the quotes in a command prompt [please replace “dc=domain,dc=local” with your domain name]. The output number is the schema objectVersion:

13 = Windows 2000 Server

30 = Windows Server 2003

31 = Windows Server 2003 R2

44 = Windows Server 2008

47 = Windows Server 2008 R2

56 = Windows Server 2012

69 = Windows Server 2012 R2

——————————————–

If the first installed Domain Controller in the domain is to be removed or replaced by another one, regardless of whether it runs a new or the same OS version, make sure that you export the EFS recovery agent certificate with its private key from that Domain Controller BEFORE you demote/retire it. Details on how to do this are listed in (http://support.microsoft.com/kb/241201) and (http://technet.microsoft.com/en-us/library/cc755157(WS.10).aspx). If you don’t save it, you will not be able to recover encrypted data in case of problems.

——————————————–

I recommend installing the new machine as a member server in your existing domain before promoting it to Domain Controller. Configure a fixed IP address and set the preferred DNS server to one existing DC/DNS server only. Do not change anything with IPv6, as also recommended by Microsoft in http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx
Do NOT use the new server as DNS server on the NIC until all DNS information is replicated from one existing DC/DNS. If you do it with other DNS servers on the NIC, I have often seen that the SYSVOL and NETLOGON shares are not created correctly.

——————————————–

To install a new OS Domain Controller, running adprep is required; it is located in the …\support\adprep folder of the Windows Server 2012 or Windows Server 2012 R2 installation disk. Here you can also find the schema files. You will realize that there is ONLY adprep.exe and no adprep32.exe anymore. The reason is that on earlier OS domains the adprep process is done automatically during the promotion to a Domain Controller.

If you run adprep.exe on 32bit OS Domain Controllers you will see an error message.

——————————————–

The minimum functional level must be at least Windows Server 2003, so NO lower functional levels are allowed anymore.

Please check that the Domain functional level is set to Windows Server 2003: in AD Domains and Trusts right click the “Domain Name”.

Also check that the Forest functional level is set to Windows Server 2003: in AD Domains and Trusts right click “Active Directory Domains and Trusts”.

——————————————–

If you run DCPROMO, as known from before, on a new Windows Server 2012 or Windows Server 2012 R2 you will get an error message, as this is no longer the way to promote a DC. Now the promotion to Domain Controller is done via Server Manager.

——————————————–

Make sure to use an account that is a member of Enterprise Admins and install the new Windows Server 2012 or Windows Server 2012 R2 as a domain member server if not done already. Now start the Server Manager and choose “Add roles and features”; in “Before you begin” click Next, in “Installation Type” use “Role-based or feature-based installation” and click Next.

Choose the required server and click Next.

Now check Active Directory Domain Services and in the upcoming window click the “Add features” button.

Choose Next and add additional features if required.

Click Next.

Click Next and then choose Install.

It may take some time, depending on the hardware.

When the installation is done, be aware of the “Promote this server to a domain controller” option in the result pane.

Again a new window opens to configure the DC with all requirements.

Here choose Change and provide the domain credentials or use the already shown account.

Select the domain from the list and click OK. Click Next.

The Domain Controller Options appear; here choose DNS and GC and fill in the DSRM (Directory Services Restore Mode) password. Also see the information on top in the yellow line (here already shown as a pop-up in the lower left corner) and then choose Next.

In this step the DNS delegation warning can be ignored, as the Domain Controller is for the already existing domain.

Choose Next and either use the default or select a preferred DC to replicate from. Even IFM (Install from media) is possible at this step.

Do NOT store the Active Directory database, log files, or SYSVOL on a data volume formatted with Resilient File System (ReFS), which is new with Windows Server 2012 and Windows Server 2012 R2. Database, log file and SYSVOL folder paths must be on NTFS data volumes; set them in this window and then choose Next.

Information about forest, schema and domain update is shown, where you also choose Next.

Review your settings (it is even possible to export them as a Windows PowerShell script for future use) and click Next.

Prerequisite checks will be done.

Review the checks and click Install.

Results are listed/shown.

The server will automatically reboot after installation/promotion.

——————————————–

After adding a Windows Server 2012 or Windows Server 2012 R2 Domain Controller to an existing domain, you should also transfer the FSMO roles to the Domain Controller with the newest OS version.

After the promotion up to 10 new security groups are created and shown in the BUILTIN container in Active Directory Users and Computers (AD UC):

  • Access Control Assistance Operators
  • Certificate Service DCOM Access
  • Cryptographic Operators
  • Event Log Readers
  • Hyper-V Administrators
  • IIS_IUSRS
  • RDS Endpoint Servers
  • RDS Management Servers
  • RDS Remote Access Servers
  • Remote Management Users

And up to 6 new security groups in the Users container in AD UC:

  • Allowed RODC Password Replication Group
  • Cloneable Domain Controllers
  • Denied RODC Password Replication Group
  • Enterprise Read-Only Domain Controllers
  • Protected Users
  • Read-Only Domain Controllers

——————————————–

You can see in the event viewer (Directory Service log) that the FSMO roles are transferred: EVENT ID 1458 with the source ActiveDirectory_DomainService is logged for each FSMO role.

——————————————–

After the transfer of the PDCEmulator FSMO role it is required to reconfigure the time service on the old and the new PDCEmulator, so that a recommended external time source is used. On the NEW PDCEmulator run:

“w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update”

where PEERS is replaced with the IP address or server name (time.windows.com), and on the OLD PDCEmulator run:

“w32tm /config /syncfromflags:domhier /reliable:no /update”

and stop/start the time service on the old one. All commands run in an elevated command prompt without the quotes.

——————————————–

If not done on earlier OS version upgrades, ONLY adprep /domainprep /gpprep, which enables the RSOP planning mode, should be run manually, as this is NOT part of the automated process.

——————————————–

Reconfigure the DNS configuration on the NIC of the Windows Server 2012 or Windows Server 2012 R2 machine: preferred DNS to a partner DNS server, secondary to its own IP address and, as recommended by the DNS BPA, the loopback IP address (127.0.0.1) as 3rd entry.

——————————————–

Related documents:

Adprep in Windows Server 2012 http://technet.microsoft.com/en-us/library/hh472161.aspx

View and transfer FSMO roles http://support.microsoft.com/kb/324801 (this article still applies to Windows Server 2012 and higher).

Time configuration in a domain http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx

ReFS in Windows Server 2012 http://blogs.msdn.com/b/b8/archive/2012/01/16/building-the-next-generation-file-system-for-windows-refs.aspx


Jul 27 2012

Upgrading an Active Directory Domain from Windows Server 2008 or Windows Server 2008 R2 to Windows Server 2012 or Windows Server 2012 R2

!!!NEVER START BEFORE HAVING CREATED AND TESTED A BACKUP OF YOUR DOMAIN/DATA/MACHINE!!!

A new OS Domain Controller installation should always start with the support tools, to check the domain and the Domain Controllers for errors that must be resolved beforehand. The following command line tools and programs will help you to verify whether problems exist within your domain and the Domain Controllers.

Dcdiag /v /c /d /e /s:DCName >c:\dcdiag.log [please replace DCName with your Domain Controller name]

Repadmin /showrepl dc* /verbose /all /intersite >c:\repl.log [“dc*” is a placeholder for the common starting name of the DCs, if more than one DC exists and they all begin the same]

Dnslint /ad /s DCipaddress [use http://support.microsoft.com/kb/321045 for download and instructions]

ADREPLSTATUS: http://www.microsoft.com/en-us/download/details.aspx?id=30005
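As an added example (not part of this or the Jul 30 2012 post above, which lists the same checks), this PowerShell script runs the dcdiag and repadmin commands from the list once, keeps both logs, and picks out the lines that mark a failed test or a failed replication attempt, so that nothing is overlooked in the verbose output. The output folder is an assumption; Dnslint and ADREPLSTATUS are separate downloads and are not scripted here.

```powershell
# Added example, not part of the original posts: pre-upgrade health check
# with dcdiag and repadmin, collecting the logs and summarizing failures.
param(
    [string]$OutDir = 'C:\ADHealth',          # assumed folder for the logs
    [string]$Dc     = $env:COMPUTERNAME       # DC used as the /s: entry point
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$dcdiagLog = Join-Path $OutDir 'dcdiag.log'
$replLog   = Join-Path $OutDir 'repl.log'

# /e tests every DC in the enterprise, so one run from one DC is enough.
dcdiag /v /c /d /e "/s:$Dc" | Out-File -FilePath $dcdiagLog -Encoding ascii

# '*' covers all DCs regardless of their naming scheme (the post uses dc*).
repadmin /showrepl * /verbose /all /intersite | Out-File -FilePath $replLog -Encoding ascii

function Get-DcdiagFailures([string]$Path) {
    # dcdiag prints "......................... DC1 failed test Connectivity" per failed test.
    Select-String -Path $Path -Pattern '^\s*\.*\s*(\S+)\s+failed test\s+(\S+)' | ForEach-Object {
        New-Object PSObject -Property @{
            Server = $_.Matches[0].Groups[1].Value
            Test   = $_.Matches[0].Groups[2].Value
            Line   = $_.LineNumber
        }
    }
}

function Get-ReplFailures([string]$Path) {
    # repadmin /showrepl marks a broken link with "Last attempt @ <time> failed, result <n> (0x...)".
    Select-String -Path $Path -Pattern 'Last attempt @ .* failed, result (\d+) \((0x[0-9a-f]+)\)' | ForEach-Object {
        New-Object PSObject -Property @{
            Result = [int]$_.Matches[0].Groups[1].Value
            Hex    = $_.Matches[0].Groups[2].Value
            Line   = $_.LineNumber
        }
    }
}

$dcdiagFailures = @(Get-DcdiagFailures $dcdiagLog)
$replFailures   = @(Get-ReplFailures $replLog)

Write-Host ("dcdiag: {0} failed test(s); repadmin: {1} failed replication attempt(s)" -f `
    $dcdiagFailures.Count, $replFailures.Count)
$dcdiagFailures | Format-Table Server, Test, Line -AutoSize
$replFailures   | Format-Table Result, Hex, Line -AutoSize

# Do not continue with the promotion until both lists are empty and the logs were reviewed.
if ($dcdiagFailures.Count -gt 0 -or $replFailures.Count -gt 0) {
    Write-Warning "Resolve the problems above before adding the new Domain Controller. Logs: $OutDir"
}
```

The line numbers point into the two log files, so the matching verbose section (for example the 0x6ba RPC error explained in the Feb 07 2011 post further down) can be read in context.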

——————————————–

On the old server, open the DNS management console and check that you are running Active Directory integrated zones, which is also recommended by Microsoft.

——————————————–

The schema must be updated for the new OS Domain Controller, so even if the update is done automatically, you may check it beforehand. Therefore you can use the following command:

“Dsquery * cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr objectVersion” without the quotes in a command prompt [please replace “dc=domain,dc=local” with your domain name]. The output number is the schema objectVersion:

13 = Windows 2000 Server

30 = Windows Server 2003

31 = Windows Server 2003 R2

44 = Windows Server 2008

47 = Windows Server 2008 R2

56 = Windows Server 2012

69 = Windows Server 2012 R2

——————————————–

If the first installed Domain Controller in the domain is to be removed or replaced by another one, regardless of whether it runs a new or the same OS version, make sure that you export the EFS recovery agent certificate with its private key from that Domain Controller BEFORE you demote/retire it. Details on how to do this are listed in (http://support.microsoft.com/kb/241201) and (http://technet.microsoft.com/en-us/library/cc755157(WS.10).aspx). If you don’t save it, you will not be able to recover encrypted data in case of problems.

——————————————–

I recommend installing the new machine as a member server in your existing domain before promoting it to Domain Controller. Configure a fixed IP address and set the preferred DNS server to one existing DC/DNS server only. Do not change anything with IPv6, as also recommended by Microsoft in http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx
Do NOT use the new server as DNS server on the NIC until all DNS information is replicated from one existing DC/DNS. If you do it with other DNS servers on the NIC, I have often seen that the SYSVOL and NETLOGON shares are not created correctly.

——————————————–

As this article applies in most steps to Windows Server 2008 32bit/64bit and Windows Server 2008 R2, I’ll start with the difference in the Windows Server 2008 32bit preparation.

To install a new OS Domain Controller, adprep is required; it is located in the …\support\adprep folder of the Windows Server 2012 or Windows Server 2012 R2 installation disk. Here you can also find the schema files. You will realize that there is ONLY adprep.exe and no adprep32.exe anymore. The reason is that on earlier OS domains the adprep process is done automatically during the promotion to DC.

If you run adprep.exe on a 32bit OS Domain Controller you will see an error message.

So on Windows Server 2008 32bit you have to prepare the forest/domain the new way, remotely from Windows Server 2012 or Windows Server 2012 R2.

With the 64bit version of adprep you can still work on Windows Server 2008 64bit and Windows Server 2008 R2 DCs for the schema update.

So both options are possible: from the command line on Windows Server 2008 R2, or during the promotion process from Windows Server 2012 or Windows Server 2012 R2.

——————————————–

The minimum functional level must be at least Windows Server 2003, so NO lower functional levels are allowed anymore.

Please check that the Domain functional level is set to Windows Server 2003: in AD Domains and Trusts right click the “Domain Name”.

Also check that the Forest functional level is set to Windows Server 2003: in AD Domains and Trusts right click “Active Directory Domains and Trusts”.
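As an added example (not part of this or the Jul 30 2012 post, which contain the same schema table and functional level checks), this PowerShell script reads the same objectVersion attribute the dsquery command returns, maps it with the table above, and reads the domain and forest functional levels that the AD Domains and Trusts console shows. The minimum comparison values (schema 56 for Windows Server 2012, functional level Windows Server 2003) are taken from the posts; the function names are mine.

```powershell
# Added example, not part of the original posts: schema objectVersion and
# functional level check before promoting a Windows Server 2012 / 2012 R2 DC.
function Get-SchemaObjectVersion {
    # Same attribute the dsquery command reads, but the schema container is
    # located via RootDSE instead of a hard-coded cn=schema,cn=configuration,... path.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaDn = $rootDse.Properties['schemaNamingContext'].Value
    $schema   = [ADSI]"LDAP://$schemaDn"
    return [int]$schema.Properties['objectVersion'].Value
}

function Get-SchemaOsName([int]$Version) {
    # Table from the post.
    $table = @{
        13 = 'Windows 2000 Server'
        30 = 'Windows Server 2003'
        31 = 'Windows Server 2003 R2'
        44 = 'Windows Server 2008'
        47 = 'Windows Server 2008 R2'
        56 = 'Windows Server 2012'
        69 = 'Windows Server 2012 R2'
    }
    if ($table.ContainsKey($Version)) { return $table[$Version] }
    return "unknown (objectVersion $Version)"
}

function Test-UpgradeReadiness {
    param([int]$RequiredSchema = 56)   # 56 = Windows Server 2012, 69 = Windows Server 2012 R2

    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $schema = Get-SchemaObjectVersion

    # Windows Server 2003 is the minimum; the 2000 and 2003 interim modes sort below it.
    $dflOk = $domain.DomainMode -ge [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2003Domain
    $fflOk = $forest.ForestMode -ge [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest

    New-Object PSObject -Property @{
        SchemaVersion         = $schema
        SchemaOs              = Get-SchemaOsName $schema
        SchemaUpdatePending   = ($schema -lt $RequiredSchema)   # done automatically during promotion
        DomainFunctionalLevel = $domain.DomainMode
        DomainLevelOk         = $dflOk
        ForestFunctionalLevel = $forest.ForestMode
        ForestLevelOk         = $fflOk
        ReadyForPromotion     = ($dflOk -and $fflOk)
    }
}

Test-UpgradeReadiness | Format-List
```

SchemaUpdatePending being true is not a blocker (the promotion runs adprep for you); a false DomainLevelOk or ForestLevelOk is, and has to be raised in AD Domains and Trusts first.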

——————————————–

If you run DCPROMO, as known from before, on a new Windows Server 2012 or Windows Server 2012 R2 you will get an error message, as this is no longer the way to promote a DC. Now the promotion to Domain Controller is done via Server Manager.

——————————————–

In this article I will focus on the new remote way using Windows Server 2012 or Windows Server 2012 R2, as this is much less error prone and more comfortable to use.

Make sure to use an account that is a member of Enterprise Admins and install the new Windows Server 2012 or Windows Server 2012 R2 as a domain member server if not done already. Now start the Server Manager and choose “Add roles and features”; in “Before you begin” click Next, in “Installation Type” use “Role-based or feature-based installation” and click Next.

Choose the required server and click Next.

Now check Active Directory Domain Services and in the upcoming window click the “Add features” button.

Choose Next and add additional features if required.

Click Next.

Click Next and then choose Install.

It may take some time, depending on the hardware.

When the installation is done, be aware of the “Promote this server to a domain controller” option in the result pane.

Again a new window opens to configure the DC with all requirements.

Here choose Select and provide the domain credentials or use the already shown account. If you need to use a smart card, the server MUST be joined to the domain BEFORE.

Select the domain from the list and click OK.

Click Next.

The Domain Controller Options appear; here choose DNS and GC and fill in the DSRM (Directory Services Restore Mode) password. Then choose Next.

In this step the DNS delegation warning can be ignored, as the Domain Controller is for the already existing domain.

Choose Next and either use the default or select a preferred DC to replicate from. Even IFM (Install from media) is possible at this step.

Do NOT store the Active Directory database, log files, or SYSVOL on a data volume formatted with Resilient File System (ReFS), which is new with Windows Server 2012 and Windows Server 2012 R2. Database, log file and SYSVOL folder paths must be on NTFS data volumes; set them in this window and then choose Next.

Information about forest, schema and domain update is shown, where you also choose Next.

Review your settings (it is even possible to export them as a Windows PowerShell script for future use) and click Next.

Prerequisite checks will be done.

Review the checks and click Install.

Results are listed/shown.

The server automatically reboots after installation/promotion.

——————————————–

After adding a Windows Server 2012 or Windows Server 2012 R2 Domain Controller to an existing domain, you should also transfer the FSMO roles to the newest Domain Controller.

After the promotion 6 new security groups are created in the BUILTIN container in Active Directory Users and Computers (AD UC):

– Access Control Assistance Operators

– Hyper-V Administrators

– RDS Endpoint Servers

– RDS Management Servers

– RDS Remote Access Servers

– Remote Management Users

And 1 new security group in the Users container in AD UC:

– Cloneable Domain Controllers

——————————————–

You can see in the event viewer (Directory Service log) that the FSMO roles are transferred: EVENT ID 1458 with the source ActiveDirectory_DomainService is logged for each FSMO role.
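As an added example (not part of this or the Jul 30 2012 post, which describe the same transfer and event), this PowerShell script transfers the five FSMO roles to the new Windows Server 2012 / 2012 R2 DC with the Active Directory module, shows the owners before and after with netdom, and then looks for event ID 1458 in the Directory Service log. The DC names are assumptions; because the post does not say on which side the event is written, both DCs are queried.

```powershell
# Added example, not part of the original posts: transfer the FSMO roles to
# the new DC and confirm via event 1458. Run it on the new DC.
param(
    [string]$NewDc = 'DC2012',   # assumed: the newly promoted DC
    [string]$OldDc = 'DC2003'    # assumed: the DC that held the roles so far
)
Import-Module ActiveDirectory

$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Record the current owners first, so the transcript shows what changed.
"Before:"
netdom query fsmo

# Transfer, not seize: the old DC must be online. Seizing (-Force) is only for a DC that is gone.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $roles -Confirm:$false

"After:"
netdom query fsmo

# One event 1458 (source ActiveDirectory_DomainService) per transferred role.
$since = (Get-Date).AddMinutes(-15)
foreach ($dc in @($OldDc, $NewDc)) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Directory Service'; Id = 1458; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'DC'; e = { $dc } }, TimeCreated, Message
}
```

A Windows Server 2003 DC does not expose the event log API that Get-WinEvent uses, so for the old DC in that case open its Event Viewer instead. Right after the transfer, reconfigure the time service on both PDCEmulators as described in the next section.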

——————————————–

After the transfer of the PDCEmulator FSMO role it is required to reconfigure the time service on the old and the new PDCEmulator, so that a recommended external time source is used. On the NEW PDCEmulator run:

“w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update”

where PEERS is replaced with the IP address or server name (time.windows.com), and on the OLD PDCEmulator run:

“w32tm /config /syncfromflags:domhier /reliable:no /update”

and stop/start the time service on the old one. All commands run in an elevated command prompt without the quotes.

——————————————–

If not done on earlier OS version upgrades, run ONLY adprep /domainprep /gpprep, which enables the RSOP planning mode, manually, as this is NOT part of the automated process.

——————————————–

Reconfigure the DNS configuration on the NIC of the Windows Server 2012 or Windows Server 2012 R2 machine: preferred DNS to a partner DNS server, secondary to its own IP address and, as recommended by the DNS BPA, the loopback IP address (127.0.0.1) as 3rd entry.
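As an added example (not part of this or the Jul 30 2012 post, which give the same DNS order), this PowerShell script sets the DNS client list on the new DC's NIC to partner DC, own address, loopback, using the networking and DNS Server cmdlets that ship with Windows Server 2012. Before switching, it checks that the domain zone has already replicated to the local DNS server, which is the condition the posts attach to pointing the NIC at itself. The partner DC name is an assumption.

```powershell
# Added example, not part of the original posts: DNS client order on the new DC
# (partner DC first, own IP second, 127.0.0.1 third) with a replication gate.
param([string]$PartnerDc = 'DC1')   # assumed: an existing DC/DNS server

Import-Module ActiveDirectory
Import-Module DnsServer

$domain = Get-ADDomain

# Gate: only use the local server as DNS once the AD-integrated domain zone exists here.
$zone = Get-DnsServerZone -Name $domain.DNSRoot -ErrorAction SilentlyContinue
if (-not $zone -or -not $zone.IsDsIntegrated) {
    throw "Zone $($domain.DNSRoot) is not yet AD-integrated on this server; wait for replication."
}

$partnerIp = (Get-ADDomainController -Identity $PartnerDc).IPv4Address

# First physical adapter that is up; adjust if the DC has several NICs.
$adapter = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
$ownIp = (Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 |
          Where-Object { $_.IPAddress -notlike '169.254.*' } | Select-Object -First 1).IPAddress

# Preferred: partner DC, secondary: own address, third: loopback (DNS BPA recommendation).
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses @($partnerIp, $ownIp, '127.0.0.1')

# Re-register the DC's own records with the new resolver order and show the result.
ipconfig /registerdns | Out-Null
Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4
```

If the throw fires, leave the NIC pointed at the existing DC/DNS only, as the posts advise, and run the script again after replication has completed.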

——————————————–

Related documents:

Adprep in Windows Server 2012 http://technet.microsoft.com/en-us/library/hh472161.aspx

View and transfer FSMO roles http://support.microsoft.com/kb/324801 (this article still applies to Windows Server 2012).

Time configuration in a domain http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx

ReFS in Windows Server 2012 http://blogs.msdn.com/b/b8/archive/2012/01/16/building-the-next-generation-file-system-for-windows-refs.aspx


Feb 07 2011

Possible Error messages on Windows Server 2008 and Windows Server 2008 R2 Domain Controllers

So far I have seen multiple error messages on Domain Controllers with the new OS versions. For some of them a hotfix from Microsoft already exists, and some belong to configuration settings that have to be done manually.

Also the built-in firewall, which is enabled by default, requires additional configuration settings. Of course the firewall can be disabled, but in case you are required to run it, this may help you. Some articles about the Windows Firewall within domains you will find at the end of this article.

So, starting with the major Active Directory support tool DCDIAG. The output can show the following error, especially on a freshly installed Domain Controller:

———————————————–

Starting test: Connectivity
* Active Directory LDAP Services Check
Message 0x621 not found.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
……………………. <DC Name> failed test Connectivity

FIX: The connectivity test that is run by the Dcdiag.exe tool fails together with error code 0x621

http://support.microsoft.com/kb/978387

———————————————–

Also the test VerifyEnterpriseReferences in the DCDIAG output fails if not completely removed Domain Controllers exist or they are not correctly registered.

Then the output always points to the highlighted Knowledge Base article.

Update for the mentioned Knowledge Base article: Q312862 was updated on 14.03.2011 to also cover the replication technology DFS-R.

You can use the TechNet article “Update the FRS or DFS Replication Member Object” to verify, change or remove the value.

Problem: Missing Expected Value
              Base Object: CN=NTSERVER,OU=Domain Controllers,DC=mw08,DC=loc
              Base Object Description: “DC Account Object”
              Value Object Attribute Name: frsComputerReferenceBL
              Value Object Description: “SYSVOL FRS Member Object”
              Recommended Action: See Knowledge Base Article: Q312862

failed test VerifyEnterpriseReferences

———————————————–

Another message shown in the DCDIAG output is:

WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS

Update 13.02.2011: As explained in more detail in the Friday Mail Sack from “Ask the Directory Services Team”, do not always use the following option:

This can be resolved with the following command in an elevated command prompt (RUNAS):

sc config rpcss type= share

You can also run this command against a remote Domain Controller:

sc \\Servername config rpcss type= share

Really important is that you take care about the space in (type= share)!!!

———————————————–

Update 11.05.2011: The KB article 2512643 “DCDIAG.EXE /E or /A or /C expected errors” also explains some possible reasons for the errors mentioned here, so do not ignore them just because of the KB article; compare them carefully to be sure it is safe to ignore them.

———————————————–

Your Active Directory forest has multiple Domain Controllers that are located at different sites. Although you use some switches to reduce the discovery scope of DCDIAG, you realize that it takes a long time until the result is shown.

FIX: The Dcdiag.exe tool takes a long time to run in Windows Server 2008 R2 and in Windows 7

———————————————–

DCDIAG may show the following error for the FRS, KCC and System Event log tests when you run it against the enterprise with “/e” from one Domain Controller:

0x6ba The RPC server is unavailable

The firewall, which is enabled by default in Windows Server 2008 or higher, is the reason. You can either disable the firewall completely (maybe not allowed in your network) or configure Windows Firewall with Advanced Security as shown here for “Remote Administration (RPC)”:

Open the console, choose “Inbound Rules” and in the right pane scroll down to “Remote Administration (RPC)”, which you set to enabled on the “General” tab.

Add on the “Scope” tab the local and remote IP addresses of the Domain Controllers in the forest/domain where you need to have access.

On the “Advanced” tab specify the profiles to which the rule will apply.

Once “Remote Administration (RPC)” is allowed in the firewall on the involved 2008 R2 DCs, the error is no longer shown.
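As an added example (not part of the original post), the following PowerShell script does the three console steps above through the Windows Firewall COM API, which is available on Windows Server 2008 R2 without additional modules: it enables the inbound “Remote Administration (RPC)” rule, restricts its scope to the listed DC addresses and limits it to the domain profile. The addresses are constructed sample values; the rule name is matched as displayed in the console, so adjust it on a non-English system.

```powershell
# Added example, not part of the original post: enable and scope the
# "Remote Administration (RPC)" inbound rule via the HNetCfg.FwPolicy2 COM API.
param(
    [string[]]$DcAddresses    = @('10.0.0.11', '10.0.0.12'),   # constructed: DCs that run dcdiag /e against this server
    [string[]]$LocalAddresses = @('*'),                       # '*' = any local address; set this DC's IP to tighten
    [int]$Profiles            = 1                             # bitmask: 1 = Domain, 2 = Private, 4 = Public
)

$policy = New-Object -ComObject HNetCfg.FwPolicy2

# Direction 1 = inbound (NET_FW_RULE_DIR_IN). Name is the display name shown in the console.
$rules = @($policy.Rules | Where-Object { $_.Name -eq 'Remote Administration (RPC)' -and $_.Direction -eq 1 })
if ($rules.Count -eq 0) { throw 'Predefined inbound rule "Remote Administration (RPC)" not found.' }

foreach ($rule in $rules) {
    $rule.LocalAddresses  = ($LocalAddresses -join ',')   # Scope tab, local IP addresses
    $rule.RemoteAddresses = ($DcAddresses -join ',')      # Scope tab, remote IP addresses
    $rule.Profiles        = $Profiles                     # Advanced tab, profiles
    $rule.Enabled         = $true                         # General tab, Enabled
}

# Show the effective settings for verification (RemoteAddresses is normalized to address/mask form).
$rules | Select-Object Name, Enabled, Profiles, LocalAddresses, RemoteAddresses, Protocol, LocalPorts
```

Run it elevated on every DC that should answer the remote tests. The “Remote Administration” group also contains the RPC-EPMAP and NP-In rules; if you enable those as well, give them the same scope rather than leaving them open to any address.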

———————————————–

If you use the command line tool DSGET on Windows Server 2008 R2 and Windows 7 you will get incorrect results if it is used with the –memberof switch together with –expand.

You expect only the output of the group information, but the user information is shown as well. This is corrected with the following hotfix:

FIX: The “dsget user -memberof -expand” command returns incorrect results in Windows Server 2008 R2 and in Windows 7

———————————————–

After the installation of the DHCP Server role on a Windows Server 2008 R2 you see in the Application event log “Event ID 8193” from source “VSS”.

This is caused by a permission change: the “NT AUTHORITY\NETWORK SERVICE” security principal is removed from the following registry key and all its subkeys during the DHCP Server role installation:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag

To resolve the error message you can use this KB article.
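As an added example (not part of the original post), this PowerShell script checks the condition behind the VSS 8193 events: it walks the Diag key and all its subkeys and reports every key whose ACL no longer contains an entry for NT AUTHORITY\NETWORK SERVICE, then lists recent 8193 events for comparison. It only detects; the permission fix itself is the one from the KB article.

```powershell
# Added example, not part of the original post: find VSS\Diag keys that lost
# the NETWORK SERVICE entry after the DHCP Server role installation.
function Get-KeysMissingPrincipal {
    param(
        [string]$Path      = 'HKLM:\SYSTEM\CurrentControlSet\services\VSS\Diag',
        [string]$Principal = 'NT AUTHORITY\NETWORK SERVICE'
    )
    # The key itself plus every subkey, since the role installation touches all of them.
    $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse)
    foreach ($key in $keys) {
        $acl = Get-Acl -Path $key.PSPath
        # Access includes inherited entries, so a missing entry here is really missing.
        $match = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Principal }
        if (-not $match) {
            New-Object PSObject -Property @{
                Key       = $key.Name
                Principal = $Principal
                Owner     = $acl.Owner
            }
        }
    }
}

$missing = @(Get-KeysMissingPrincipal)
if ($missing.Count -eq 0) {
    "NETWORK SERVICE is present on the VSS\Diag key and all subkeys."
} else {
    Write-Warning "$($missing.Count) key(s) without an entry for NETWORK SERVICE:"
    $missing | Format-Table Key, Owner -AutoSize
}

# Cross-check with the Application log: the post's symptom is Event ID 8193 from source VSS.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'VSS'; Id = 8193 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it elevated; reading the ACLs of the Diag subkeys needs administrative rights. After applying the KB fix, a second run should report no missing keys.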

———————————————–

Using a Firewall in a Domain environment

Active Directory and Active Directory Domain Services Port Requirements

How to configure a firewall for domains and trusts

Active Directory in Networks Segmented by Firewalls

Active Directory Replication over Firewalls


Jun 27 2010

Time configuration in a Windows Domain


In a domain one of the most important settings is the time. It has to be as close as possible on all domain machines, which is realized with the setup of the hierarchy that defines how the domain time is provided.

One important piece of information is that the Windows Time Service is NOT built to be a high accuracy NTP solution down to 1-2 seconds. See High Accuracy W32time Requirements for details. If you need highly accurate time, you have to use a “Stratum One” device, which is capable of this. The support boundaries are listed here.

Also important to know is that Domain Controllers use UTC (Coordinated Universal Time) with NTP, as this is the universal standard for current time. UTC is independent of time zones and enables NTP to be used anywhere in the world regardless of time zone settings. You will not see the UTC time itself, as the time zone information stored in the computer’s registry is added to the system time just before it is displayed to the user.

One Domain Controller, the DC with the PDC Emulator FSMO (Flexible Single Master Operations) role, is the time master in the domain. By default it uses its own BIOS time, but it should be changed to another time source like an NTP hardware device, routers, layer 3 switches or external time servers that are able to act as a time provider.

All other Domain Controllers synchronize with this machine, and all domain member servers and domain workstations synchronize with one available DC. Therefore UDP port 123 for NTP must be open on all machines. In a domain, time synchronization takes place when the Windows Time Service starts during system startup and periodically while the system is running. In the default configuration, the Net Logon service looks for a Domain Controller that can authenticate and synchronize time with the client. When a Domain Controller is found, the client sends a request for time and waits for a reply from the Domain Controller. This communication is an exchange of Network Time Protocol (NTP) packets intended to calculate the time offset and round-trip delay between the two computers.

The correct time is needed by Kerberos V5 authentication to prevent “replay attacks”; Kerberos V5 uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the Domain Controller need to be in sync as much as possible. The default maximum time tolerance is 5 minutes, defined with a Group Policy setting, and should not be changed.

If you really need to change the default tolerance, it is the following GPO setting:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy\ “Maximum tolerance for computer clock synchronization”

So far the basics about the domain time.

Let’s go on with some configurations on Windows Server 2003 or higher OS:

– to configure the Domain Controller with the PDC Emulator FSMO to use another time source, run:

w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update

Please set for PEERS the time source as listed above, either with its IP address or DNS name. If more than one is needed, separate them with a space and don’t forget the quotes: “time.domain.com time1.domain.com”

Internet time servers you can find here: http://www.pool.ntp.org/

——————————————————————–

– to configure a domain computer for automatic domain time synchronization, run:

w32tm /config /syncfromflags:domhier /update

After that you have to run:
net stop w32time
net start w32time

——————————————————————–

– to reconfigure the previous PDC Emulator after transferring/seizing the FSMO role to another Domain Controller, run:

w32tm /config /syncfromflags:domhier /reliable:no /update

After that you have to run:
net stop w32time
net start w32time

——————————————————————–

If you have to reconfigure a Windows 2000 Server Domain Controller, the steps are different after transferring/seizing the PDC Emulator role to another Domain Controller:

– you have to set the “Type” value to Nt5Ds (without quotes) under this registry key:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

——————————————————————–

If you have problems with the time service configuration because too many changes were made in the registry, or you want to start fresh on a computer, you can reset the time service to its default state as follows. Use an elevated command prompt to have full administrative permissions, then type the following commands:

net stop w32time

w32tm /unregister

w32tm /register

net start w32time

——————————————————————–

To prevent large time jumps on DCs of more than 48 hours into the past or the future, caused by hardware errors or a broken CMOS battery, you should implement some registry changes on Windows Server 2003 and Windows Server 2008 DCs. The values MaxPosPhaseCorrection and MaxNegPhaseCorrection are the important ones here. On newer OS versions this is already implemented. More details about the chosen 48 hours and how to configure it correctly can be found in this article.

If you really still run Windows 2000 Server SP4 Domain Controllers, hopefully not, then the following registry change should be made to avoid the time jump. Here MaxAllowedClockErrInSecs has to be set under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters as described in this article.

Thanks to Christoffer Anderssen for pointing me to these important values.
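The three w32tm configurations above and the 48-hour phase correction limit, put together as an added PowerShell script (not the article’s own code). It assumes an elevated PowerShell on the machine being configured with the RSAT ActiveDirectory module available; the peer names are hypothetical, and MaxPosPhaseCorrection/MaxNegPhaseCorrection are written under the W32Time\Config key.

```powershell
<#
  Added example, not part of the original article.
  -Role Pdc       : the DC holding the PDC Emulator role (manual peers, reliable)
  -Role FormerPdc : a DC that just lost the role (domain hierarchy, not reliable)
  -Role Member    : any other DC, member server or workstation (domain hierarchy)
#>
param(
    [Parameter(Mandatory)][ValidateSet('Pdc', 'FormerPdc', 'Member')][string]$Role,
    # Hypothetical peers; replace with your hardware clock, router or pool.ntp.org hosts
    [string[]]$Peers = @('time.domain.com', 'time1.domain.com'),
    # Largest correction W32Time may apply at once; the article recommends 48 hours
    [int]$MaxPhaseCorrectionHours = 48
)

$w32timeConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

function Test-IsPdcEmulator {
    # Compare this host with the PDC Emulator owner as Active Directory sees it
    Import-Module ActiveDirectory
    $pdc = (Get-ADDomain).PDCEmulator
    $me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    return ($pdc -ieq $me)
}

function Invoke-W32tm([string[]]$Arguments) {
    # w32tm is an external command; stop on failure instead of silently continuing
    & w32tm.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "w32tm $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Set-PhaseCorrectionLimit([int]$Hours) {
    # Both values are in seconds; they cap how far the clock may jump in either direction
    $seconds = $Hours * 3600
    Set-ItemProperty -Path $w32timeConfig -Name MaxPosPhaseCorrection -Value $seconds -Type DWord
    Set-ItemProperty -Path $w32timeConfig -Name MaxNegPhaseCorrection -Value $seconds -Type DWord
}

# Guard against applying the PDC configuration to the wrong machine
$isPdc = Test-IsPdcEmulator
if ($Role -eq 'Pdc' -and -not $isPdc) { throw 'This host does not hold the PDC Emulator role' }
if ($Role -ne 'Pdc' -and $isPdc)      { throw 'This host holds the PDC Emulator role; use -Role Pdc' }

switch ($Role) {
    'Pdc' {
        # More than one peer is separated by spaces; PowerShell adds the surrounding
        # quotes when it hands the argument to w32tm, so w32tm sees one peer list.
        $peerList = $Peers -join ' '
        Invoke-W32tm '/config', "/manualpeerlist:$peerList", '/syncfromflags:manual', '/reliable:yes', '/update'
    }
    'FormerPdc' { Invoke-W32tm '/config', '/syncfromflags:domhier', '/reliable:no', '/update' }
    'Member'    { Invoke-W32tm '/config', '/syncfromflags:domhier', '/update' }
}

Set-PhaseCorrectionLimit -Hours $MaxPhaseCorrectionHours

# Same effect as the article's 'net stop w32time' / 'net start w32time' pair
Restart-Service -Name w32time
Invoke-W32tm '/resync'

# Verify (w32tm /query exists from Windows Vista / Server 2008 on): the PDC should
# report one of the manual peers as source, every other host a Domain Controller.
Invoke-W32tm '/query', '/source'
Invoke-W32tm '/query', '/status'
```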

——————————————————————–

For other, more detailed configuration settings you have to use the registry, which Microsoft doesn’t recommend without a special need; always test it before applying. See “Windows Time Service Registry Entries” in this article.

In any case of time problems you can configure debug logging for the Windows Time Service according to How to turn on debug logging in the Windows Time Service; don’t forget to turn it off afterwards, to avoid unnecessary logging and processor load.

Related articles:

Windows Time Service Technical Reference (covers OS versions up to Windows Server 2008 R2 and Windows 7)

Kerberos tickets are issued even though the time difference between the client clock and the domain controller clock is greater than the “Maximum tolerance for computer clock synchronization” value

Configuring the Time Service: NtpServer and SpecialPollInterval from the Official Windows Time Service blog

How to configure an authoritative time server in Windows Server (this article contains two Microsoft FIX ITs, to make configuration easy for you)

Restore Windows Time service on local computer to default settings (this article contains a Microsoft FIX IT, to make configuration easy for you)

The official blog site for the Windows Time Service

Kerberos V5

Operations master roles


May 23 2010

Exchange Server and its relationship to Active Directory

Updated on 25.03.2013

This article should give an overview of the relationships between the different Exchange Server versions and the requirements for Windows Server 2008/2008 R2 and Windows Server 2012 Domain Controllers. Even if some combinations are NOT supported, I will list them here as they should work.

Over the last years we’ve got several new Windows Server versions (2008, 2008 R2 and now Windows Server 2012) and also some new Exchange Server versions (2007, 2010 and now 2013). They may now have to coexist with Windows Server 2003/2008/2008 R2 and Exchange Server 2003/2007/2010, or should be upgraded to the new versions.

Exchange Server 2000 and Windows Server 2008 Operating System/Domain Controllers

– Exchange 2000 can’t be installed on Windows Server 2008.

– Exchange 2000 SP3 isn’t supported when working together with Windows Server 2008 or higher DCs.

– for upgrading to Windows Server 2008 or higher you have to check that no Exchange mangled attributes exist; this also applies to Windows Server 2008.

– if there is no other option, it should be possible to use the Windows Server 2008 DCs in a different site than the Exchange 2000 SP3 server.     !!!Keep in mind this isn’t a supported configuration!!!

– if you really must use both in the same site, some additional configuration should help to hard-code DSAccess on the Exchange 2000 server (the default is automatic discovery) to DCs running Windows Server 2003 or Windows 2000 Server. Open ESM and choose the “Directory Access” tab of the Exchange server properties. See also Directory server detection and DSAccess usage and Revert DSAccess to default for details.     !!!Keep in mind this isn’t a supported configuration!!!

Exchange Server 2003 and Windows Server 2008/2008 R2 and 2012 Operating System/Domain Controllers

– Exchange 2003 can’t be installed on Windows Server 2008.

– Exchange 2003 can’t be installed on Windows Server 2012.

– if you use Exchange 2003 and have the need for connectivity to Windows Server 2008 or higher OS DCs, you have to use at least Exchange 2003 SP2.

– Windows Server 2008 and 2008 R2 RODCs (Read Only Domain Controllers) are not supported to work with Exchange Servers (doesn’t matter which version, as Exchange requires a writable Domain Controller).

– Windows Server 2012 DCs do NOT work together with Exchange 2003, no matter which SP is used.

Exchange Server 2007 and Windows 2000 Server Operating System/Domain Controllers

– Exchange 2007 can be installed on Windows Server 2003 SP2 or Windows Server 2003 R2 SP2 or higher OS, not on Windows 2000 Server.

– Exchange 2007 can work with Windows Server 2003 SP1/SP2 Domain Controllers or higher, not with Windows 2000 Server Domain Controllers.

– Exchange 2007 requires Windows 2000 native Domain Functional Level / Windows 2000 Forest Functional Level, if forest-to-forest delegation and the ability for a user to select the type of free/busy information that will be available to users in another forest are not needed.

Exchange Server 2007 and Windows Server 2003 Operating System/Domain Controller

– Exchange 2007 can be installed on Windows Server 2003 SP2 or Windows Server 2003 R2 SP2.

– Exchange 2007 can work with Windows Server 2003 SP1 and SP2 Domain Controllers.

– Exchange 2007 requires Windows Server 2003 Forest/Domain Functional Level.

Exchange Server 2007 and Windows Server 2008 / Windows Server 2008 R2 Operating System/Domain Controllers

– Exchange 2007 must be at least SP1 to be installed on Windows Server 2008 and also to work with Windows Server 2008 Domain Controllers.

– Exchange 2007 can be installed on Windows Server 2008 R2 if Exchange 2007 SP3 is used, with some restrictions as listed here.

– you have to install “Update Rollup 9 for Microsoft Exchange Server 2007 Service Pack 1” or later, or use Exchange Server 2007 Service Pack 2, to be able to work with Windows Server 2008 R2 Domain Controllers and to use the Windows Server 2008 R2 Forest/Domain Functional Levels.

– Windows Server 2008/2008 R2 and 2012 RODCs (Read Only Domain Controllers) are not supported with Exchange Servers (no matter which version, as Exchange requires a writable Domain Controller).

Exchange Server 2010 and Windows Server 2003/2008 Operating System/Domain Controllers

– Exchange 2010 can be installed only on the 64-bit edition of Windows Server 2008 SP2 or 2008 R2; FIPS compliant settings are NOT supported.

– Exchange 2010 will work together with 32/64-bit versions of Windows Server 2003 Standard Edition/Enterprise Edition SP1 or later Schema Masters/Domain Controllers/Global Catalog Servers.

– Exchange 2010 requires Windows Server 2003 Forest/Domain Functional Level or higher.

– Exchange 2010 can coexist with Exchange 2003 and higher Exchange versions, also in mixed organizations.

– Exchange 2010 SP3 can be installed on Windows Server 2012.

– Windows Server 2008/2008 R2 and 2012 RODCs (Read Only Domain Controllers) are not supported with Exchange Servers (no matter which version, as Exchange requires a writable Domain Controller).

Exchange Server 2013 and Windows Server 2008 R2 SP1/Windows Server 2012 Operating System/Domain Controllers

– Exchange 2013 can be installed on Windows Server 2008 R2 SP1 (ONLY Datacenter Edition supports RTM or later) or Windows Server 2012.

– Exchange 2013 will work together with 32/64-bit versions of Windows Server 2003 Standard Edition/Enterprise Edition SP2 or later Schema Masters/Domain Controllers/Global Catalog Servers.

– Exchange 2013 requires Windows Server 2003 Forest/Domain Functional Level or higher.

– Exchange 2013 (CU1) can coexist with Exchange 2007 SP3 with Update Rollup 10 (on all Exchange servers in the organization, including Edge Transport servers) and Exchange 2010 SP3 (on all Exchange servers in the organization, including Edge Transport servers), also in mixed organizations.

– Windows Server 2008/2008R2 and 2012 RODCs (Read Only Domain Controllers) are not supported to work with Exchange Servers (doesn’t matter which version, as Exchange requires a writable Domain Controller).

Upgrading of Exchange inside Domains

– in-place upgrades to Exchange 2007 or higher aren’t possible; the needed process is Exchange Organization transitioning.

– the Planning Roadmap for Upgrade and Coexistence with Exchange 2010 from Exchange 2003 and Exchange 2007 contains all needed information:

Exchange 2003 – Planning Roadmap for Upgrade and Coexistence.

Exchange 2007 – Planning Roadmap for Upgrade and Coexistence.

– Active Directory is a requirement to install Exchange 2007, Exchange 2010 and Exchange 2013.

Migration from Exchange to another Forest/Domain

– this can be achieved with Cross Forest Migration when MIIS is used, Single Forest to Cross Forest and Cross Forest to Cross Forest.

– it is possible to Move Mailboxes Across Forests in Exchange 2007 and Cross Forest Mailbox Move also works in Exchange 2010.

– another option is to export mailboxes from the existing Exchange Servers to .pst files and import them into the new Exchange organization with PowerShell cmdlets.

– Exchange 5.5, 2000 and 2003 mailboxes can be exported with EXMERGE from Exchange 2003 Servers or from computers with the Exchange 2003 Administrative tools installed.

– Exchange 2007 Export-Mailbox and Import-Mailbox require the 32-bit Exchange management tools and Outlook 2003 SP2 or later.

– Exchange 2010 Export-Mailbox and Import-Mailbox require Exchange Server 2010 and the 64-bit version of Outlook 2010.

– Exchange 2013 New-MailboxExportRequest and New-MailboxImportRequest require additional permissions, so check the article for the correct settings.

Related links:

The most important one: Exchange Server Supportability Matrix, for comparing the different versions

Exchange Server 2007

Exchange Server 2010

Exchange Server 2013

Common Mistakes When Upgrading Exchange 2000/2003 to Exchange 2007

How to configure the administrator account to use EXMERGE 2003 in Exchange 2003

How to configure an account to use the EXMERGE utility in Exchange 2000 Server and in Exchange Server 2003

Export and Importing Mailboxes to PST files in Exchange 2007

Exporting and Importing Mailboxes with Exchange Server 2010


May 16 2010

Active Directory Metadata Cleanup

Published under Active Directory

Sometimes it can/will happen that a clean removal of a Domain Controller isn’t possible because of a hardware crash, you have to force the removal of a DC, or the previous admin has left some “garbage” for you.

So you have to do a metadata cleanup, otherwise all other DCs will try to replicate with that machine, as they “think” this Domain Controller still exists, which also fills the event log with unwanted error messages. Additionally the support tools dcdiag and repadmin or replmon will report problems.

The metadata cleanup can be done with NTDSUTIL for the AD database part according to:

How to remove data in Active Directory after an unsuccessful domain controller demotion

The above article applies to all Windows versions starting with Windows 2000 Server up to Windows Server 2008 R2.

There can also be the situation that the FSMO roles must be seized, as the no longer existing DC was the owner of them:

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

———————————————————————————————————

With the RSAT (Remote Server Administration Tools, or DSA.MSC) coming with Windows Server 2008 or Windows Server 2008 R2, there is also the option to remove a DC from AD Users and Computers or AD Sites and Services, which also triggers the metadata cleanup.

To remove a RWDC with AD UC:

– right-click the RWDC in question and choose the DELETE option

– an additional popup will inform you that the DC wasn’t demoted with dcpromo; you have to tick the checkbox to accept that normal removal isn’t possible anymore

– after accepting the above popup you will be informed if the Domain Controller is also a Global Catalog server (make sure other GCs exist in the domain)

– you have to accept the deletion message again to go on

– now the last possible popup can occur: if the DC is also a FSMO role holder you will be prompted to accept the move of the FSMO roles to another DC

– in AD Sites and Services remove the NTDS Settings; also clean up all DNS zones from CNAME and server records, and the DNS server properties, Name Servers tab.

To remove a RODC with AD UC:

– right-click the RODC in question and choose the DELETE option

– now you will be offered the option to reset all user passwords (requires a new password for each user) and computer passwords (requires re-adding the computer to the domain); additionally you can view/export the user accounts and computer accounts that were cached on the RODC. This option will NOT be offered if you work with NTDSUTIL.

– you will now see an overview of the chosen options to accept

– after accepting the above popup you will be informed if the Domain Controller is also a Global Catalog server (make sure other GCs exist in the domain)

– in AD Sites and Services remove the NTDS Settings; DNS cleanup isn’t needed for a RODC, this is done automatically

For removal of a RWDC or RODC from AD Sites and Services you have to choose the NTDS Settings object to delete, and after this step delete the DC.
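Whether the GUI or NTDSUTIL was used, the leftovers listed above (server object, NTDS Settings, computer account, CNAME/SRV/NS records) are what remains to be checked. The following read-only audit is an added example, not the article’s own code; it assumes RSAT with the ActiveDirectory and DnsServer modules (Windows Server 2012 / Windows 8 RSAT or newer), that _msdcs is its own DNS zone, and a hypothetical removed DC passed as $DcName.

```powershell
<#
  Added example, not part of the original article: report, without deleting
  anything, every reference to a removed DC that a metadata cleanup should
  have taken away. Run from a domain-joined admin workstation or a live DC.
#>
param([Parameter(Mandatory)][string]$DcName)   # short host name, e.g. 'DC03' (hypothetical)

Import-Module ActiveDirectory
Import-Module DnsServer

$domain   = Get-ADDomain
$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext
$fqdn     = "$DcName.$($domain.DNSRoot)".ToLower()
$dnsHost  = $domain.PDCEmulator      # any live DNS server holding the AD-integrated zones
$findings = New-Object System.Collections.Generic.List[string]

# 1. Server object and its NTDS Settings in the Sites container (AD Sites and Services)
$server = Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$DcName'" `
                       -SearchBase "CN=Sites,$configNC"
if ($server) {
    $findings.Add("Server object still present: $($server.DistinguishedName)")
    $ntds = Get-ADObject -Filter "objectClass -eq 'nTDSDSA'" -SearchBase $server.DistinguishedName
    if ($ntds) { $findings.Add("NTDS Settings still present: $($ntds.DistinguishedName)") }
}

# 2. Computer account in the Domain Controllers OU (AD Users and Computers)
$computer = Get-ADComputer -Filter "name -eq '$DcName'" -SearchBase $domain.DomainControllersContainer
if ($computer) { $findings.Add("Computer account still present: $($computer.DistinguishedName)") }

# 3. DNS: the GUID CNAME in _msdcs, SRV records and NS entries that still name the old DC
$msdcsZone = "_msdcs.$($forest.RootDomain)"
Get-DnsServerResourceRecord -ComputerName $dnsHost -ZoneName $msdcsZone -RRType CName |
    Where-Object { $_.RecordData.HostNameAlias.TrimEnd('.') -ieq $fqdn } |
    ForEach-Object { $findings.Add("CNAME $($_.HostName) in $msdcsZone -> $fqdn") }

foreach ($zone in @($domain.DNSRoot, $msdcsZone)) {
    Get-DnsServerResourceRecord -ComputerName $dnsHost -ZoneName $zone -RRType Srv |
        Where-Object { $_.RecordData.DomainName.TrimEnd('.') -ieq $fqdn } |
        ForEach-Object { $findings.Add("SRV $($_.HostName) in $zone -> $fqdn") }
    # NS records are what the 'Name Servers' tab of the zone properties shows
    Get-DnsServerResourceRecord -ComputerName $dnsHost -ZoneName $zone -RRType NS |
        Where-Object { $_.RecordData.NameServer.TrimEnd('.') -ieq $fqdn } |
        ForEach-Object { $findings.Add("NS record in $zone still names $fqdn") }
}

if ($findings.Count -eq 0) { "No leftovers of $DcName found; metadata cleanup looks complete." }
else { $findings | ForEach-Object { "LEFTOVER: $_" } }
```

Replication partners still listing the old DC are best checked afterwards with repadmin and dcdiag, as the article notes.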

———————————————————————————————————

For an old domain that should be removed, or when the last DC of a domain is demoted, the steps are a bit different; you can follow this article:

How to remove orphaned domains from Active Directory

Related links:

Remove Active Directory Domain Controller Metadata with a script

NTDSUTIL Windows 2000 Server

NTDSUTIL Windows Server 2003 and higher

Clean Up Server Metadata Windows Server 2003 and Windows Server 2003 R2

Clean Up Server Metadata Windows Server 2008 and higher


Apr 11 2010

Enable advanced logging on a Domain Controller

Published under Active Directory

If you run into problems in a domain and need more information, you have the option to enable advanced logging for specific categories.

This is done by changing a registry setting on a specific Domain Controller; keep in mind that this setting is not replicated to other Domain Controllers.

Open the registry editor and browse to:

HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics

Here you will find the available REG_DWORD values that can be changed to enable advanced logging:

1 Knowledge Consistency Checker (KCC)
2 Security Events
3 ExDS Interface Events
4 MAPI Interface Events
5 Replication Events
6 Garbage Collection
7 Internal Configuration
8 Directory Access
9 Internal Processing
10 Performance Counters
11 Initialization/Termination
12 Service Control
13 Name Resolution
14 Backup
15 Field Engineering
16 LDAP Interface Events
17 Setup
18 Global Catalog
19 Inter-site Messaging

New options coming with Windows Server 2003:

20 Group Caching
21 Linked-Value Replication
22 DS RPC Client
23 DS RPC Server
24 DS Schema

With Windows Server 2008 and Windows Server 2008 R2 further new options were added.

You have different options to configure the amount of logging, from NONE to INTERNAL:

• 0 (None): Only critical events and error events are logged at this level. This is the default setting for all entries, and it should be modified only if a problem occurs that you want to investigate.
• 1 (Minimal): Very high-level events are recorded in the event log at this setting. Events may include one message for each major task that is performed by the service. Use this setting to start an investigation when you do not know the location of the problem.
• 2 (Basic)
• 3 (Extensive): This level records more detailed information than the lower levels, such as steps that are performed to complete a task. Use this setting when you have narrowed the problem to a service or a group of categories.
• 4 (Verbose)
• 5 (Internal): This level logs all events, including debug strings and configuration changes. A complete log of the service is recorded. Use this setting when you have traced the problem to a particular category or a small set of categories.
• Keep in mind that setting higher logging levels increases the number of entries recorded in the event log, and you may no longer be able to parse them. Also high logging levels can/will have a (mostly negative) impact on server performance.
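As an added example (not from the original article), a small PowerShell helper that records the current levels of all categories, raises one category with a range check on the 0 to 5 levels above, and resets everything to the default when the investigation is over. The category names are the value names as listed above, e.g. '5 Replication Events'; it must run elevated on the DC in question.

```powershell
# Added example, not part of the original article. Run elevated on the DC whose
# logging you want to change; the setting is local to that DC and not replicated.
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-NtdsDiagnosticLevels {
    # Every category with its current level: record this baseline before changing
    # anything, and use it afterwards to confirm no category was left raised.
    $item = Get-ItemProperty -Path $diagKey
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+ ' } |              # skip PSPath & co.
        Sort-Object { [int]($_.Name -split ' ')[0] } |
        ForEach-Object { [pscustomobject]@{ Category = $_.Name; Level = $_.Value } }
}

function Set-NtdsDiagnosticLevel {
    param(
        [Parameter(Mandatory)][string]$Category,                  # e.g. '5 Replication Events'
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level    # 0 None ... 5 Internal
    )
    # Refuse unknown names: a typo would create a new value that NTDS ignores
    $existing = Get-ItemProperty -Path $diagKey -Name $Category -ErrorAction SilentlyContinue
    if (-not $existing) { throw "Unknown diagnostics category '$Category'" }
    Set-ItemProperty -Path $diagKey -Name $Category -Value $Level -Type DWord
}

function Reset-NtdsDiagnosticLevels {
    # Put every category back to 0 (None), the default, once troubleshooting is done
    foreach ($entry in Get-NtdsDiagnosticLevels) {
        if ($entry.Level -ne 0) {
            Set-ItemProperty -Path $diagKey -Name $entry.Category -Value 0 -Type DWord
        }
    }
}

# Usage: show what is already raised, switch replication logging to Extensive,
# look at the newest Directory Service events, and reset when finished.
Get-NtdsDiagnosticLevels | Where-Object Level -ne 0
Set-NtdsDiagnosticLevel -Category '5 Replication Events' -Level 3
Get-WinEvent -LogName 'Directory Service' -MaxEvents 20 | Select-Object TimeCreated, Id, Message
# Reset-NtdsDiagnosticLevels
```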

Additional resources:

How to configure Active Directory diagnostic event logging in Windows Server 2003 and in Windows 2000 Server KB314980

Directory Service Configuration Management Tasks

See “Set logging level” in Configuring a Computer for Troubleshooting

Directory Services Debug Logging Primer

Enabling debug logging for the Net Logon service

Mar 25 2010

Migrating Active Directory to a new Forest

!!!This article is under review!!!

The latest ADMT version 3.2 and the Password Export Server (PES) as 32- and 64-bit versions can be downloaded under the following link.

ADMT 3.2 and PES 32 and 64 bit

Login with your Microsoft account may be required.

When you need to migrate Windows domains to a domain with a new name or into a different forest, you can use the free Microsoft Active Directory Migration Tool (ADMT), which exists in multiple versions.

When the source Domain is built with Windows NT4 (at least with SP4 on the PDC), Windows 2000 Server or Windows Server 2003, you have to use ADMT v3, which can migrate to a target Domain installed with Windows 2000 Server or Windows Server 2003.

ADMT v3 can be installed on any computer capable of running the Windows Server 2003 OS.

You can migrate the following OS versions with the ADMT agent:

• Windows NT Server 4.0 (with SP4 or higher)
• Windows 2000 Professional
• Windows 2000 Server
• Windows XP
• Windows Server 2003

For a detailed description and how to use ADMT see the ADMT v3.0 Migration Guide.

————————————————————————————-

When the source Domain is built with Windows 2000 Server, Windows Server 2003 or Windows Server 2008, you have to use ADMT v3.1, which can migrate to a target Domain installed with Windows 2000 Server, Windows Server 2003, Windows Server 2008 or Windows Server 2008 R2. This version will be the last one that supports Windows 2000 Server source or target Domains or Windows 2000 Server Domain Controllers.

ADMT v3.1 can be installed on any computer capable of running the Windows Server 2008 OS, unless it is a Read-Only Domain Controller (RODC) or in a Server Core configuration.

You can migrate the following OS versions with the ADMT agent:

• Windows 2000 Professional
• Windows 2000 Server
• Windows XP
• Windows Server 2003
• Windows Vista
• Windows Server 2008
• Windows 7
• Windows Server 2008 R2

For a detailed description and how to use ADMT see the ADMT v3.1 and 3.2 Migration Guide.

Additionally you may need the Password Export Server (PES) version 3.1, either for 32-bit or 64-bit.

————————————————————————————-

When the source Domain is built with Windows Server 2003 or Windows Server 2008, you have to use ADMT v3.2, which can migrate to a target Domain installed with Windows Server 2003, Windows Server 2008 or Windows Server 2008 R2.

ADMT v3.2 can be installed on any computer capable of running the Windows Server 2008 R2 OS, unless it is a Read-Only Domain Controller (RODC) or in a Server Core configuration.

You can migrate the following OS versions with the ADMT agent:

• Windows XP
• Windows Server 2003
• Windows Vista
• Windows Server 2008
• Windows 7
• Windows Server 2008 R2

For a detailed description and how to use ADMT see the ADMT v3.1 and 3.2 Migration Guide.

Additionally you may need the Password Export Server (PES) version 3.1 for 64-bit.

Here you’ll find some common installation issues with ADMT v3.2, listed by Ned Pyle at “Ask the Directory Services Team”.

Related Documents about ADMT:

Restructuring Windows NT 4.0 Domains to an Active Directory Forest

Restructuring Active Directory Domains Within a Forest

Restructuring Active Directory Domains Between Forests

Error message when you use ADMT version 3 to migrate computer accounts from one Windows Server 2003 domain to another: “ERR3:7075 Failed to change domain affiliation” KB929493

How to use a SID mapping file with the ADMT tool to perform a resource domain migration to Windows Server 2003 KB835991

Known issues that may occur when you use ADMT 3.1 to migrate to a domain that contains Windows Server 2008 R2 domain controllers KB976659

You cannot uninstall ADMT 3.1 after you perform an in-place upgrade to Windows Server 2008 R2 KB974625

How To Use Visual Basic Script to Clear SidHistory KB295758

Feb 13 2010

System cleanup after an in place upgrade from Windows Server 2008 / Vista to Windows Server 2008 R2 / Windows 7

After an in-place upgrade some folders are still on the system, which are needed for rollback in case of problems. You can also copy needed data from the old installation to the new system if required.

The folders are $WINDOWS.~Q and $INPLACE.~TR, which will be shown if you enable “Show hidden files, folders and drives”.

If you choose Disk Cleanup from Start, All Programs, Accessories, System Tools and choose the disk drive, the normal view of Disk Cleanup will be shown.

If you now choose “Clean up system files” (Windows 7 only) and choose the disk drive again, you will see additional options in the Disk Cleanup window, e.g.:

– Files discarded by Windows Update
– Previous Windows installation files

and some more.

If you also select them for cleanup, the folders above will be removed too. Using Disk Cleanup for the removal also saves you from taking ownership of each folder, as these are protected by the system.