Archive for the 'Active Directory' Category

Jul 30 2012

Upgrading an Active Directory Domain from Windows Server 2003 or Windows Server 2003 R2 to Windows Server 2012 or Windows Server 2012 R2

!!!NEVER START BEFORE HAVING CREATED AND TESTED A BACKUP OF YOUR DOMAIN/DATA/MACHINE!!!

A new OS Domain Controller installation should always start with the support tools, to check the Domain and the Domain Controllers for errors that must be resolved beforehand. The following command line tools and programs help you verify whether problems exist within your Domain and the Domain Controllers.

Dcdiag /v /c /d /e /s:DCName >c:\dcdiag.log [please replace DCName with your Domain Controller name]

Repadmin /showrepl dc* /verbose /all /intersite >c:\repl.log [dc* is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]

Dnslint /ad /s "DCipaddress" [use http://support.microsoft.com/kb/321045 for download and instructions]

ADREPLSTATUS: http://www.microsoft.com/en-us/download/details.aspx?id=30005

——————————————-

On the old server open the DNS management console and check that you are running Active Directory integrated zones, which Microsoft also recommends.

——————————————-

The schema must be updated for the new OS Domain Controller; even though the update is done automatically, you may want to check the current version first. You can use the following command:

"Dsquery * cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr objectVersion" without the quotes in a command prompt [please replace "dc=domain,dc=local" with your Domain Name]. The output number is the Schema objectVersion:

13 = Windows 2000 Server

30 = Windows Server 2003

31 = Windows Server 2003 R2

44 = Windows Server 2008

47 = Windows Server 2008 R2

56 = Windows Server 2012

69 = Windows Server 2012 R2

——————————————–

If the first installed Domain Controller in the domain should be removed or replaced with another one, no matter if new or same OS version, make sure that you export the recovery agent's EFS certificate private key from the Domain Controller BEFORE you demote/retire it. Details on how to do this are listed in (http://support.microsoft.com/kb/241201) and (http://technet.microsoft.com/en-us/library/cc755157(WS.10).aspx). If you don't save it, you will not be able to recover (decrypt) EFS-encrypted data in case of problems.

——————————————–

I recommend installing the new machine as a member server in your existing domain before promoting it to Domain Controller. Configure a fixed IP address and set the preferred DNS server to one existing DC/DNS server only. Do not change anything with IPv6, as also recommended by Microsoft in http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx
Do NOT use the new server as DNS server on the NIC until all DNS information is replicated from one existing DC/DNS. When other DNS servers are configured on the NIC, I have often seen that the SYSVOL and NETLOGON shares are not created correctly.

——————————————–

Installing a new OS Domain Controller requires running adprep, which is located in the …\support\adprep folder of the Windows Server 2012 or Windows Server 2012 R2 installation disk. The schema files are also found there. You will notice that there is ONLY adprep.exe and no adprep32.exe anymore. The reason is that on earlier OS domains the adprep process is now run automatically during promotion to a Domain Controller.

If you run adprep.exe on 32bit OS Domain Controllers you will see an error message.

——————————————–

The minimum functional level must be at least Windows Server 2003, so NO lower functional levels are allowed anymore.

Please check that the Domain functional level is at least Windows Server 2003: in AD Domains and Trusts, right click the domain name.

Also check that the Forest functional level is at least Windows Server 2003: in AD Domains and Trusts, right click "Active Directory Domains and Trusts".

——————————————–

If you run DCPROMO on a new Windows Server 2012 or Windows Server 2012 R2 as you did before, you will get an error message, as this is no longer the way to promote a DC. The promotion to Domain Controller is now done via Server Manager.

——————————————–

Make sure to use an account that is a member of Enterprise Admins, and install the new Windows Server 2012 or Windows Server 2012 R2 as a Domain Member Server if not done already. Now start Server Manager and choose "Add roles and features". In "Before you begin" click Next; in "Installation Type" use "Role-based or feature-based installation" and click Next.

Choose the required server and click Next.

Now check Active Directory Domain Services and in the upcoming window click the "Add features" button.

Choose Next and add additional features if required.

Click Next.

Click Next and then choose Install.

It may take some time, depending on the hardware.

When the installation is done, be aware of the "Promote this server to a domain controller" option in the result pane.

A new window opens to configure the DC with all requirements.

Here choose Change and provide the domain credentials, or use the account already shown.

Select the domain from the list and click OK. Click Next.

The Domain Controller Options appear; here choose DNS and GC and fill in the DSRM (Directory Services Restore Mode) password. Also note the information in the yellow bar on top (here already shown as a pop-up in the lower left corner) and then choose Next.

In this step the DNS delegation warning can be ignored, as the Domain Controller is for the already existing domain.

Choose Next and either use the default or select a preferred DC to replicate from. Even IFM (Install from media) is possible at this step.

Do NOT store the Active Directory database, log files, or SYSVOL on a data volume formatted with Resilient File System (ReFS); this is new with Windows Server 2012 and Windows Server 2012 R2. The database, log file and SYSVOL folder paths in this window must point to NTFS data volumes; then choose Next.

Information about forest, schema and domain update is shown; here you also choose Next.

Review your settings (it is even possible to export them as a Windows PowerShell script for future use) and click Next.

Prerequisite checks will be done.

Review the check results and click Install.

Results are listed/shown.

The server will automatically reboot after installation/promotion.

——————————————–

After adding a Windows Server 2012 or Windows Server 2012 R2 Domain Controller to an existing domain you should also transfer the FSMO roles to the Domain Controller with the newest OS version.

In this case up to 10 new security groups are created/shown in the BUILTIN container in AD UC (Active Directory Users and Computers):

  • Access Control Assistance Operators
  • Certificate Service DCOM Access
  • Cryptographic Operators
  • Event Log Readers
  • Hyper-V Administrators
  • IIS_IUSRS
  • RDS Endpoint Servers
  • RDS Management Servers
  • RDS Remote Access Servers
  • Remote Management Users

And up to 6 new security groups in the Users container in AD UC:

  • Allowed RODC Password Replication Group
  • Cloneable Domain Controllers
  • Denied RODC Password Replication Group
  • Enterprise Read-Only Domain Controllers
  • Protected Users
  • Read-Only Domain Controllers

——————————————–

You can see in the event viewer (Directory Service log) that the FSMO roles were transferred: Event ID 1458 with the source ActiveDirectory_DomainService, one for each FSMO role.

——————————————–

After transferring the PDC Emulator FSMO role it is required to reconfigure the time service on the old and the new PDC Emulator, so that a recommended external time source is used. On the NEW PDC Emulator run:

"w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update"

where PEERS is replaced with the IP address or server name of the time source (e.g. time.windows.com). On the OLD PDC Emulator run:

"w32tm /config /syncfromflags:domhier /reliable:no /update"

and stop/start the time service on the old one. All commands run in an elevated command prompt without the quotes.

——————————————–

If it was not done on earlier OS version upgrades, ONLY adprep /domainprep /gpprep (which enables RSOP planning mode) has to be run manually, as this step is NOT part of the automated process.

——————————————–

Reconfigure the DNS configuration on the NIC of the Windows Server 2012 or Windows Server 2012 R2 machine: preferred DNS to a partner DNS server, secondary to its own IP address and, as recommended by the DNS BPA (Best Practices Analyzer), the loopback address (127.0.0.1) as 3rd entry.

——————————————–

Related documents:

Adprep in Windows Server 2012 http://technet.microsoft.com/en-us/library/hh472161.aspx

View and transfer FSMO roles http://support.microsoft.com/kb/324801 (this article still applies for Windows Server 2012 and higher).

Time configuration in a domain http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx

ReFS in Windows Server 2012 http://blogs.msdn.com/b/b8/archive/2012/01/16/building-the-next-generation-file-system-for-windows-refs.aspx


Jul 27 2012

Upgrading an Active Directory Domain from Windows Server 2008 or Windows Server 2008 R2 to Windows Server 2012 or Windows Server 2012 R2

!!!NEVER START BEFORE HAVING CREATED AND TESTED A BACKUP OF YOUR DOMAIN/DATA/MACHINE!!!

A new OS Domain Controller installation should always start with the support tools, to check the Domain and the Domain Controllers for errors that must be resolved beforehand. The following command line tools and programs help you verify whether problems exist within your Domain and the Domain Controllers.

Dcdiag /v /c /d /e /s:DCName >c:\dcdiag.log [please replace DCName with your Domain Controller name]

Repadmin /showrepl dc* /verbose /all /intersite >c:\repl.log [dc* is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]

Dnslint /ad /s "DCipaddress" [use http://support.microsoft.com/kb/321045 for download and instructions]

ADREPLSTATUS: http://www.microsoft.com/en-us/download/details.aspx?id=30005

——————————————–

On the old server open the DNS management console and check that you are running Active Directory integrated zones, which Microsoft also recommends.

——————————————–

The schema must be updated for the new OS Domain Controller; even though the update is done automatically, you may want to check the current version first. You can use the following command:

"Dsquery * cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr objectVersion" without the quotes in a command prompt [please replace "dc=domain,dc=local" with your Domain Name]. The output number is the Schema objectVersion:

13 = Windows 2000 Server

30 = Windows Server 2003

31 = Windows Server 2003 R2

44 = Windows Server 2008

47 = Windows Server 2008 R2

56 = Windows Server 2012

69 = Windows Server 2012 R2
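As an added example (not part of this or the previous post), the following PowerShell script reads the values both upgrade posts tell you to check before promoting a new DC: the schema objectVersion mapped to the table above, the domain and forest functional levels (minimum Windows Server 2003), and the current owner of each FSMO role, so you know which DC to transfer them from later. It uses ADSI only, so it runs from PowerShell 2.0 on a Windows Server 2003/2008 member without the AD module; the RootDSE attribute names and the FSMO role-holder objects are standard Active Directory and the functional-level value table is mine, not the article's.

```powershell
# Added example, not part of the original post: read schema objectVersion, functional
# levels and FSMO role owners via ADSI. Run on any domain-joined machine (PowerShell 2.0+).

# Schema objectVersion -> OS version, as listed in the article
$SchemaVersions = @{
    13 = 'Windows 2000 Server'
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
}

# RootDSE domainFunctionality / forestFunctionality attribute values
$FunctionalLevels = @{
    0 = 'Windows 2000'
    1 = 'Windows Server 2003 interim'
    2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'
    4 = 'Windows Server 2008 R2'
    5 = 'Windows Server 2012'
    6 = 'Windows Server 2012 R2'
}

function Get-DcNameFromRoleOwner {
    param([string]$NtdsSettingsDn)
    # fSMORoleOwner is the DN of the owner's NTDS Settings object:
    # CN=NTDS Settings,CN=<DC name>,CN=Servers,CN=<site>,... -> the second RDN is the DC name
    ($NtdsSettingsDn -split ',')[1] -replace '^CN=', ''
}

function Get-AdUpgradeReadiness {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNc = [string]$rootDse.defaultNamingContext.Value
    $configNc = [string]$rootDse.configurationNamingContext.Value
    $schemaNc = [string]$rootDse.schemaNamingContext.Value

    # Same value dsquery prints for -attr objectVersion on the schema container
    $schema        = [ADSI]"LDAP://$schemaNc"
    $schemaVersion = [int]$schema.objectVersion.Value
    $domainLevel   = [int]$rootDse.domainFunctionality.Value
    $forestLevel   = [int]$rootDse.forestFunctionality.Value

    $schemaOs = $SchemaVersions[$schemaVersion]
    if (-not $schemaOs) { $schemaOs = 'unknown (not in the table above)' }

    # The five FSMO roles and the object whose fSMORoleOwner attribute records the owner
    $roleObjects = @{
        'PDC Emulator'   = "LDAP://$domainNc"
        'RID Master'     = "LDAP://CN=RID Manager`$,CN=System,$domainNc"
        'Infrastructure' = "LDAP://CN=Infrastructure,$domainNc"
        'Schema Master'  = "LDAP://$schemaNc"
        'Domain Naming'  = "LDAP://CN=Partitions,$configNc"
    }
    $owners = @{}
    foreach ($role in $roleObjects.Keys) {
        $ownerDn = [string]([ADSI]$roleObjects[$role]).fSMORoleOwner.Value
        $owners[$role] = Get-DcNameFromRoleOwner $ownerDn
    }

    # Minimum for a Windows Server 2012 / 2012 R2 DC is Windows Server 2003 (value 2)
    $minLevel = 2
    New-Object PSObject -Property @{
        SchemaObjectVersion        = $schemaVersion
        SchemaOs                   = $schemaOs
        SchemaAlreadyAt2012OrLater = ($schemaVersion -ge 56)
        DomainFunctionalLevel      = $FunctionalLevels[$domainLevel]
        ForestFunctionalLevel      = $FunctionalLevels[$forestLevel]
        FunctionalLevelsSupported  = ($domainLevel -ge $minLevel -and $forestLevel -ge $minLevel)
        FsmoRoleOwners             = $owners
    }
}

Get-AdUpgradeReadiness | Format-List
```

If FunctionalLevelsSupported is False, raise the levels in AD Domains and Trusts before installing the new DC; if SchemaAlreadyAt2012OrLater is False, the automatic adprep during promotion will update the schema as described above.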

——————————————–

If the first installed Domain Controller in the domain should be removed or replaced with another one, no matter if new or same OS version, make sure that you export the recovery agent's EFS certificate private key from the Domain Controller BEFORE you demote/retire it. Details on how to do this are listed in (http://support.microsoft.com/kb/241201) and (http://technet.microsoft.com/en-us/library/cc755157(WS.10).aspx). If you don't save it, you will not be able to recover (decrypt) EFS-encrypted data in case of problems.

——————————————–

I recommend installing the new machine as a member server in your existing domain before promoting it to Domain Controller. Configure a fixed IP address and set the preferred DNS server to one existing DC/DNS server only. Do not change anything with IPv6, as also recommended by Microsoft in http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx
Do NOT use the new server as DNS server on the NIC until all DNS information is replicated from one existing DC/DNS. When other DNS servers are configured on the NIC, I have often seen that the SYSVOL and NETLOGON shares are not created correctly.

——————————————–

As most steps of this article apply to Windows Server 2008 32bit/64bit as well as Windows Server 2008 R2, I'll start with the difference in the preparation of Windows Server 2008 32bit.

Installing a new OS Domain Controller requires running adprep, which is located in the …\support\adprep folder of the Windows Server 2012 or Windows Server 2012 R2 installation disk. The schema files are also found there. You will notice that there is ONLY adprep.exe and no adprep32.exe anymore. The reason is that on earlier OS domains the adprep process is now run automatically during promotion to DC.

If you run adprep.exe on the 32bit OS Domain Controller you will see an error message.

So on Windows Server 2008 32bit you have to prepare the forest/domain the new way, remotely from Windows Server 2012 or Windows Server 2012 R2.

With the 64bit version of adprep you can still run the schema update on Windows Server 2008 64bit and Windows Server 2008 R2 DCs.

So both options are possible: from the command line on Windows Server 2008 R2, or during the promotion process from the Windows Server 2012 or Windows Server 2012 R2.

——————————————–

The minimum functional level must be at least Windows Server 2003, so NO lower functional levels are allowed anymore.

Please check that the Domain functional level is at least Windows Server 2003: in AD Domains and Trusts, right click the domain name.

Also check that the Forest functional level is at least Windows Server 2003: in AD Domains and Trusts, right click "Active Directory Domains and Trusts".

——————————————–

If you run DCPROMO on a new Windows Server 2012 or Windows Server 2012 R2 as you did before, you will get an error message, as this is no longer the way to promote a DC. The promotion to Domain Controller is now done via Server Manager.

——————————————–

In this article I will focus on the new remote way using Windows Server 2012 or Windows Server 2012 R2, as this is much less error prone and more comfortable to use.

Make sure to use an account that is a member of Enterprise Admins, and install the new Windows Server 2012 or Windows Server 2012 R2 as a Domain Member Server if not done already. Now start Server Manager and choose "Add roles and features". In "Before you begin" click Next; in "Installation Type" use "Role-based or feature-based installation" and click Next.

Choose the required server and click Next.

Now check Active Directory Domain Services and in the upcoming window click the "Add features" button.

Choose Next and add additional features if required.

Click Next.

Click Next and then choose Install.

It may take some time, depending on the hardware.

When the installation is done, be aware of the "Promote this server to a domain controller" option in the result pane.

A new window opens to configure the DC with all requirements.

Here choose Select and provide the domain credentials, or use the account already shown. If you need to use a smart card, the server MUST be joined to the domain BEFORE.

Select the domain from the list and click OK.

Click Next.

The Domain Controller Options appear; here choose DNS and GC and fill in the DSRM (Directory Services Restore Mode) password. Then choose Next.

In this step the DNS delegation warning can be ignored, as the Domain Controller is for the already existing domain.

Choose Next and either use the default or select a preferred DC to replicate from. Even IFM (Install from media) is possible at this step.

Do NOT store the Active Directory database, log files, or SYSVOL on a data volume formatted with Resilient File System (ReFS); this is new with Windows Server 2012 and Windows Server 2012 R2. The database, log file and SYSVOL folder paths in this window must point to NTFS data volumes; then choose Next.

Information about forest, schema and domain update is shown; here you also choose Next.

Review your settings (it is even possible to export them as a Windows PowerShell script for future use) and click Next.

Prerequisite checks will be done.

Review the check results and click Install.

Results are listed/shown.

The server automatically reboots after installation/promotion.

——————————————–

After adding a Windows Server 2012 or Windows Server 2012 R2 Domain Controller to an existing domain you should also transfer the FSMO roles to the newest Domain Controller.

In this case 6 new security groups are created in the BUILTIN container in AD UC (Active Directory Users and Computers):

– Access Control Assistance Operators

– Hyper-V Administrators

– RDS Endpoint Servers

– RDS Management Servers

– RDS Remote Access Servers

– Remote Management Users

And 1 new security group in the Users container in AD UC:

– Cloneable Domain Controllers

——————————————–

You can see in the event viewer (Directory Service log) that the FSMO roles were transferred: Event ID 1458 with the source ActiveDirectory_DomainService, one for each FSMO role.

——————————————–

After transferring the PDC Emulator FSMO role it is required to reconfigure the time service on the old and the new PDC Emulator, so that a recommended external time source is used. On the NEW PDC Emulator run:

"w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update"

where PEERS is replaced with the IP address or server name of the time source (e.g. time.windows.com). On the OLD PDC Emulator run:

"w32tm /config /syncfromflags:domhier /reliable:no /update"

and stop/start the time service on the old one. All commands run in an elevated command prompt without the quotes.

——————————————–

If it was not done on earlier OS version upgrades, run ONLY adprep /domainprep /gpprep (which enables RSOP planning mode) manually, as this step is NOT part of the automated process.

——————————————–

Reconfigure the DNS configuration on the NIC of the Windows Server 2012 or Windows Server 2012 R2 machine: preferred DNS to a partner DNS server, secondary to its own IP address and, as recommended by the DNS BPA (Best Practices Analyzer), the loopback address (127.0.0.1) as 3rd entry.

——————————————–

Related documents:

Adprep in Windows Server 2012 http://technet.microsoft.com/en-us/library/hh472161.aspx

View and transfer FSMO roles http://support.microsoft.com/kb/324801 (this article still applies for Windows Server 2012).

Time configuration in a domain http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx

ReFS in Windows Server 2012 http://blogs.msdn.com/b/b8/archive/2012/01/16/building-the-next-generation-file-system-for-windows-refs.aspx


Feb 07 2011

Possible Error messages on Windows Server 2008 and Windows Server 2008 R2 Domain Controllers

Until now I have seen multiple error messages that are shown on Domain Controllers with the new OS versions. For some of them a hotfix from Microsoft already exists, and some belong to configuration settings that have to be done manually.

Also the built-in firewall, which is enabled by default, requires additional configuration settings. Of course the firewall can be disabled, but in case you are required to run it, this may help you. Some articles about the Windows Firewall within domains you will find at the end of this article.

So let's start with the major Active Directory support tool DCDIAG. The output can show the following error, especially on a freshly installed Domain Controller:

———————————————–

Starting test: Connectivity
* Active Directory LDAP Services Check
Message 0x621 not found.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
……………………. <DC Name> failed test Connectivity

FIX: The connectivity test that is run by the Dcdiag.exe tool fails together with error code 0x621

http://support.microsoft.com/kb/978387

———————————————–

Also the test VerifyEnterpriseReferences in the DCDIAG output fails if not completely removed Domain Controllers exist or if they are not registered correctly.

Then the output always points to the highlighted Knowledge Base article.

Update for the mentioned Knowledge Base article: Q312862 was updated on 14.03.2011 to also cover the replication technology DFS-R.

You can use the TechNet article "Update the FRS or DFS Replication Member Object" to verify, change or remove the value.

Problem: Missing Expected Value
              Base Object: CN=NTSERVER,OU=Domain Controllers,DC=mw08,DC=loc
              Base Object Description: “DC Account Object”
              Value Object Attribute Name: frsComputerReferenceBL
              Value Object Description: “SYSVOL FRS Member Object”
              Recommended Action: See Knowledge Base Article: Q312862

failed test VerifyEnterpriseReferences

———————————————–

Another message shown in the DCDIAG output is:

WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS

Update 13.02.2011: As explained in more detail in the Friday Mail Sack from "Ask the Directory Services Team", do not apply the following option in every case:

This can be resolved with the following command in an elevated command prompt (RUNAS):

sc config rpcss type= share

You can also run this command against a remotely located Domain Controller:

sc \\Servername config rpcss type= share

It is really important that you keep the space between "type=" and "share" (type= share)!!!

———————————————–

Update 11.05.2011: The KB article 2512643 "DCDIAG.EXE /E or /A or /C expected errors" also explains some possible reasons for the errors mentioned here. Do not simply ignore them because of the KB article; compare them carefully to be sure it is safe to ignore them.

———————————————–

Your Active Directory forest has multiple Domain Controllers that are located at different sites. Even though you use some switches to reduce the discovery scope of DCDIAG, you realize that it takes a long time to run until the result is shown.

FIX: The Dcdiag.exe tool takes a long time to run in Windows Server 2008 R2 and in Windows 7

———————————————–

DCDIAG may show for the FRS, KCC and System Event log tests the following error when you run it against the enterprise with "/e" from one Domain Controller:

0x6ba The RPC server is unavailable

The firewall, which is enabled by default in Windows Server 2008 or higher, is the reason. You can either disable the firewall completely (maybe not allowed in your network) or configure the Windows Firewall with Advanced Security as shown here for "Remote Administration (RPC)":

Open the console, choose "Inbound Rules" and in the right pane scroll down to "Remote Administration (RPC)", which you set to enabled on the "General" tab.

On the "Scope" tab add the local and remote IP addresses of the Domain Controllers in the forest/domain where you need to have access.

On the "Advanced" tab specify the profiles to which the rule will apply.

Once "Remote Administration (RPC)" is allowed in the firewall on the involved 2008 R2 DCs, the error is no longer shown.

———————————————–

If you use the command line tool DSGET on Windows Server 2008 R2 and Windows 7, you will get incorrect results when using the –memberof switch together with –expand.

You expect only the output of the group information, but the user information is also shown. This is corrected with the following hotfix:

FIX: The “dsget user -memberof -expand” command returns incorrect results in Windows Server 2008 R2 and in Windows 7

———————————————–

After the installation of the DHCP Server role on a Windows Server 2008 R2 you see "Event ID 8193" from source "VSS" in the Application event log.

This is due to a permission change: the "NT AUTHORITY\NETWORK SERVICE" security principal is removed from the following registry key and all its subkeys during the DHCP Server role installation:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag

To resolve the error message you can use this KB article.
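As an added example (my script, not part of the original post), the following read-only PowerShell checks cover the three configuration conditions described above on a Windows Server 2008 / 2008 R2 DC: the RpcSs service type DCDIAG complains about, whether the "Remote Administration (RPC)" inbound rule is enabled (the rule name is assumed to match the one in the screenshots), and whether NETWORK SERVICE still has an ACE on the VSS\Diag key. It reports only; the fixes remain the ones the post links to.

```powershell
# Added example, not part of the original post: report the state of the three settings
# discussed above without changing anything. Run in an elevated PowerShell on the DC.

function Test-RpcSsServiceType {
    # dcdiag expects WIN32_SHARE_PROCESS for RpcSs; WMI reports that as 'Share Process'
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='RpcSs'"
    New-Object PSObject -Property @{
        Check = 'RpcSs service type is Share Process'
        Ok    = ($svc.ServiceType -eq 'Share Process')
        Value = $svc.ServiceType
        Fix   = 'sc config rpcss type= share (read the update note above first)'
    }
}

function Test-RemoteAdminRpcRule {
    # Display name assumed to match the rule shown in the firewall console screenshots
    $ruleName = 'Remote Administration (RPC)'
    $out     = & netsh advfirewall firewall show rule name="$ruleName"
    $found   = -not ($out | Select-String 'No rules match' -Quiet)
    $enabled = [bool]($out | Select-String '^Enabled:\s+Yes' -Quiet)
    $value = 'rule not found'
    if ($found) {
        # keep the lines that matter: enabled state, profiles and the remote scope
        $value = $out | Select-String '^(Enabled|Profiles|RemoteIP):' |
                 ForEach-Object { $_.Line.Trim() }
    }
    New-Object PSObject -Property @{
        Check = "Inbound rule '$ruleName' enabled"
        Ok    = ($found -and $enabled)
        Value = (@($value) -join '; ')
        Fix   = 'Enable the rule and limit the Scope tab to the DC addresses'
    }
}

function Test-VssDiagAcl {
    # DHCP role installation removes NETWORK SERVICE from this key (Event ID 8193 from VSS)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\services\VSS\Diag'
    $acl = Get-Acl -Path $key
    $nsEntries = @($acl.Access |
        Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' })
    $rights = $nsEntries | ForEach-Object { $_.RegistryRights.ToString() }
    New-Object PSObject -Property @{
        Check = 'NETWORK SERVICE has an ACE on VSS\Diag'
        Ok    = ($nsEntries.Count -gt 0)
        Value = (@($rights) -join '; ')
        Fix   = 'Restore the NETWORK SERVICE permission as described in the KB article'
    }
}

$results = @(
    (Test-RpcSsServiceType),
    (Test-RemoteAdminRpcRule),
    (Test-VssDiagAcl)
)
$results | Format-Table Check, Ok, Value -AutoSize -Wrap
$results | Where-Object { -not $_.Ok } | ForEach-Object { "TODO: $($_.Check) -> $($_.Fix)" }
```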

———————————————–

Using a Firewall in a Domain environment

Active Directory and Active Directory Domain Services Port Requirements

How to configure a firewall for domains and trusts

Active Directory in Networks Segmented by Firewalls

Active Directory Replication over Firewalls


Jun 27 2010

Time configuration in a Windows Domain


In a domain one of the most important settings is the time. It has to be as close as possible on all domain machines, which is achieved through the time hierarchy that defines how the domain time is distributed.

One important piece of information is that the Windows Time Service is NOT built to be a high accuracy NTP solution going down to 1-2 seconds. See High Accuracy W32time Requirements for details. If you need highly accurate time, you have to use a "Stratum One" device, which is capable of this. The support boundaries are listed here.

Also important to know is that Domain Controllers use UTC (Coordinated Universal Time) with NTP, as this is the universal standard for current time. UTC is independent of time zones and enables NTP to be used anywhere in the world regardless of time zone settings. You will not see the UTC time itself, as the time zone information, which is stored in the computer's registry, is added to the system time just before it is displayed to the user.

One Domain Controller, the DC holding the PDC Emulator FSMO (Flexible Single Master Operations) role, is the time master in the domain. By default it uses its own BIOS clock, but it should be configured to use another time source such as an NTP hardware device, routers, layer 3 switches or external time servers that are able to act as a time provider.

All other Domain Controllers synchronize with this machine, and all domain member servers and workstations synchronize with an available DC. Therefore UDP port 123 for NTP must be open on all machines. In a domain, time synchronization takes place when the Windows Time Service starts during system startup and periodically while the system is running. In the default configuration, the Net Logon service looks for a Domain Controller that can authenticate and synchronize time with the client. When a Domain Controller is found, the client sends a request for time and waits for a reply from the Domain Controller. This communication is an exchange of Network Time Protocol (NTP) packets intended to calculate the time offset and round-trip delay between the two computers.

Correct time is needed for Kerberos V5 authentication: to prevent "replay attacks", Kerberos V5 uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the Domain Controller need to be in sync as closely as possible. The default maximum time tolerance is 5 minutes; it is defined by a Group Policy setting and should not be changed.

If you have the need for changing the default tolerance, you have to choose the following GPO setting:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy\ “Maximum tolerance for computer clock synchronization”

So far with the basics about the domain time.


Let’s go on with some configurations on Windows Server 2003 or higher OS:

– to configure the Domain Controller with the PDC Emulator FSMO to another time source, run:

w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update

Please set for PEERS the time source as listed above, either with its IP address or DNS name. If more than one is needed, separate them with a space and don't forget the quotes: "time.domain.com time1.domain.com"

Internet Time servers you can find here: http://www.pool.ntp.org/

——————————————————————–

– to configure a domain computer for automatic domain time synchronization, run:

w32tm /config /syncfromflags:domhier /update

After that you have to run:
net stop w32time
net start w32time

——————————————————————–

– to reconfigure the previous PDC Emulator, in case of transferring/seizing the FSMO to another Domain Controller, run:

w32tm /config /syncfromflags:domhier /reliable:no /update

After that you have to run:
net stop w32time
net start w32time
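As an added example (my script, not the article's), the following PowerShell applies the two w32tm configurations from this section and from the FSMO transfer sections of the two upgrade posts to the right machine: it looks up which DC currently holds the PDC Emulator role and, if that is the local server, configures the manual peer list and marks it reliable, otherwise (including on the previous PDC Emulator) switches it back to the domain hierarchy, then restarts the service. The peer list parameter and the default value time.windows.com are assumptions taken from the article's own example.

```powershell
# Added example, not part of the original post: configure w32time on this DC according to
# its current PDC Emulator status. Run in an elevated PowerShell prompt on each DC after
# transferring/seizing the PDC Emulator role.
param(
    # Time source(s) for the PDC Emulator, space separated as described above.
    # time.windows.com is the article's example value; replace it with your own source.
    [string]$Peers = 'time.windows.com'
)

function Get-PdcEmulatorName {
    # fSMORoleOwner on the domain naming context is the DN of the PDC Emulator's
    # NTDS Settings object: CN=NTDS Settings,CN=<DC name>,CN=Servers,... -> second RDN
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]('LDAP://' + [string]$rootDse.defaultNamingContext.Value)
    $ownerDn = [string]$domain.fSMORoleOwner.Value
    ($ownerDn -split ',')[1] -replace '^CN=', ''
}

function Set-DomainTimeRole {
    param([string]$Peers)
    $pdc = Get-PdcEmulatorName
    $me  = $env:COMPUTERNAME

    if ($pdc -ieq $me) {
        # This DC holds the PDC Emulator: sync from the external source and announce as reliable.
        # PowerShell passes "/manualpeerlist:a b" as one argument, so a space-separated list works.
        Write-Host "$me holds the PDC Emulator role, configuring manual peers: $Peers"
        & w32tm /config "/manualpeerlist:$Peers" /syncfromflags:manual /reliable:yes /update
    } else {
        # Any other DC, including the previous PDC Emulator: follow the domain hierarchy
        Write-Host "$me is not the PDC Emulator ($pdc is), configuring domain hierarchy"
        & w32tm /config /syncfromflags:domhier /reliable:no /update
    }
    if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

    # Same effect as the 'net stop w32time' / 'net start w32time' pair from the article
    Restart-Service -Name w32time
    Write-Host 'w32time restarted with the new configuration'
}

Set-DomainTimeRole -Peers $Peers
```

On Windows Server 2008 or higher, w32tm /query /source afterwards shows which time source the service is now using.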

——————————————————————–

If you have to reconfigure a Windows 2000 Server Domain Controller after transferring/seizing the PDC Emulator role to another Domain Controller, the steps are different:

– you have to modify the "Type" value to "Nt5Ds" (without the quotes) under this registry key:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

——————————————————————–

If you have problems with the time service configuration because too many changes were made in the registry, or you would like to start fresh on a computer, you can reset the time service to its default state the following way. Make sure to use an elevated command prompt to have full administrative permissions. Then type in the following commands:

net stop w32time

w32tm /unregister

w32tm /register

net start w32time

——————————————————————–

To prevent large time jumps on DCs into the past or the future of more than 48 hours, caused by hardware errors or a broken CMOS battery, you should implement some registry changes on Windows Server 2003 and Windows Server 2008 DCs. The registry values MaxPosPhaseCorrection and MaxNegPhaseCorrection are what matters here. On newer OS versions this is already implemented. More details about the chosen 48 hours and how to configure it correctly can be read in this article.

If you really still run Windows 2000 Server SP4 Domain Controllers (hopefully not), the following registry change should be made to avoid the time jump: MaxAllowedClockErrInSecs has to be set under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters as described in this article.

Thanks to Christoffer Anderssen for pointing me to these important values.

——————————————————————–

For other, more detailed configuration settings you have to use the registry, which Microsoft does not recommend without special needs; you should always test them before applying. See "Windows Time Service Registry Entries" in this article.

In any case of time problems you can configure debug logging for the Windows Time Service according to How to turn on debug logging in the Windows Time Service; don't forget to turn it off after use, to avoid unnecessary logging and processor load.

Related articles:

Windows Time Service Technical Reference includes OS version up to Windows Server 2008 R2 and Windows 7

Kerberos tickets are issued even though the time difference between the client clock and the domain controller clock is greater than the “Maximum tolerance for computer clock synchronization” value

Configuring the Time Service: NtpServer and SpecialPollInterval from the Official Windows Time Service blog

How to configure an authoritative time server in Windows Server (this article contains two Microsoft FIX ITs, to make configuration easy for you)

Restore Windows Time service on local computer to default settings (this article contains a Microsoft FIX IT, to make configuration easy for you)

The official blog site for the Windows Time Service

Kerberos V5

Operations master roles


May 23 2010

Exchange Server and its relationship to Active Directory

Updated on 25.03.2013

This article should give an overview of the relationships between the different Exchange Server versions and the requirements for Windows Server 2008/2008 R2 and Windows Server 2012 Domain Controllers. Even if some are NOT supported, I will list them here as they should work.

Within the last years we've got several new Windows Server versions, 2008 and 2008 R2 and now Windows Server 2012, and also some new Exchange Server versions, 2007, 2010 and now 2013. These may now have to coexist with Windows Server 2003/2008/2008 R2 and Exchange Server 2003/2007/2010, or should be upgraded to new versions.

Exchange Server 2000 and Windows Server 2008 Operating System/Domain Controllers

– Exchange 2000 can’t be installed on Windows Server 2008.

– Exchange 2000 SP3 isn’t supported when working together with Windows Server 2008 or higher DCs.

– before upgrading to Windows Server 2008 or higher you have to check that no Exchange mangled attributes exist; this applies to Windows Server 2008 as well.

– if there is no other option, it should be possible to run the Windows Server 2008 DCs in a different site from the Exchange 2000 SP3 server. !!!Keep in mind this isn’t a supported configuration!!!

– if you really must use both in the same site, you can hardcode DSAccess on the Exchange 2000 server (the default is automatic discovery) to DCs running Windows Server 2003 or Windows 2000 Server. Open ESM and choose the “Directory Access” tab of the Exchange server properties. See also Directory server detection and DSAccess usage and Revert DSAccess to default for details. !!!Keep in mind this isn’t a supported configuration!!!

Exchange Server 2003 and Windows Server 2008/2008 R2 and 2012 Operating System/Domain Controllers

– Exchange 2003 can’t be installed on Windows Server 2008.

– Exchange 2003 can’t be installed on Windows Server 2012.

– if you use Exchange 2003 together with Windows Server 2008 or higher DCs, you need at least Exchange 2003 SP2.

– Windows Server 2008 and 2008 R2 RODCs (Read Only Domain Controllers) are not supported with any Exchange Server version, as Exchange requires a writable Domain Controller.

– Windows Server 2012 DCs do NOT work with Exchange 2003, regardless of which SP is used.

Exchange Server 2007 and Windows Server 2000 Operating System/Domain Controllers

– Exchange 2007 can be installed on Windows Server 2003 SP2 or Windows Server 2003 R2 SP2 or a higher OS, but not on Windows 2000 Server.

– Exchange 2007 works with Windows Server 2003 SP1/SP2 Domain Controllers or higher, not with Windows 2000 Server Domain Controllers.

– Exchange 2007 requires the Windows 2000 native Domain Functional Level / Windows 2000 Forest Functional Level, provided that forest-to-forest delegation and the ability for a user to select the type of free/busy information made available to users in another forest are not needed.

Exchange Server 2007 and Windows Server 2003 Operating System/Domain Controller

– Exchange 2007 can be installed on Windows Server 2003 SP2 or Windows Server 2003 R2 SP2.

– Exchange 2007 can work with Windows Server 2003 SP1 and SP2 Domain Controllers.

– Exchange 2007 requires Windows Server 2003 Forest/Domain Functional Level.

Exchange Server 2007 and Windows Server 2008 / Windows Server 2008 R2 Operating System/Domain Controllers

– Exchange 2007 must be at least SP1 to be installed on Windows Server 2008 and also to work with Windows Server 2008 Domain Controllers.

– Exchange 2007 can be installed on Windows Server 2008 R2 if Exchange 2007 SP3 is used, with some restrictions as listed here.

– you have to install “Update Rollup 9 for Microsoft Exchange Server 2007 Service Pack 1” or later (or Exchange Server 2007 Service Pack 2) to work with Windows Server 2008 R2 Domain Controllers and to use the Windows Server 2008 R2 Forest/Domain Functional Levels.

– Windows Server 2008/2008 R2 and 2012 RODCs (Read Only Domain Controllers) are not supported with any Exchange Server version, as Exchange requires a writable Domain Controller.

Exchange Server 2010 and Windows Server 2003/2008 Operating System/Domain Controllers

– Exchange 2010 can be installed only on the 64-bit edition of Windows Server 2008 SP2 or 2008 R2; FIPS-compliant settings are NOT supported.

– Exchange 2010 works with 32-bit and 64-bit Windows Server 2003 Standard Edition/Enterprise Edition SP1 or later Schema Masters, Domain Controllers and Global Catalog servers.

– Exchange 2010 requires Windows Server 2003 Forest/Domain Functional Level or higher.

– Exchange 2010 can coexist with Exchange 2003 and higher Exchange versions, also in mixed organizations.

– Exchange 2010 SP3 can be installed on Windows Server 2012.

– Windows Server 2008/2008 R2 and 2012 RODCs (Read Only Domain Controllers) are not supported with any Exchange Server version, as Exchange requires a writable Domain Controller.

Exchange Server 2013 and Windows Server 2008 R2 SP1/Windows Server 2012 Operating System/Domain Controllers

– Exchange 2013 can be installed on Windows Server 2008 R2 SP1 (ONLY the Datacenter Edition is supported at RTM or later) or on Windows Server 2012.

– Exchange 2013 works with 32-bit and 64-bit Windows Server 2003 Standard Edition/Enterprise Edition SP2 or later Schema Masters, Domain Controllers and Global Catalog servers.

– Exchange 2013 requires Windows Server 2003 Forest/Domain Functional Level or higher.

– Exchange 2013 (CU1) can coexist with Exchange 2007 SP3 with Update Rollup 10 (on all Exchange servers in the organization, including Edge Transport servers) and with Exchange 2010 SP3 (on all Exchange servers in the organization, including Edge Transport servers), also in mixed organizations.

– Windows Server 2008/2008 R2 and 2012 RODCs (Read Only Domain Controllers) are not supported with any Exchange Server version, as Exchange requires a writable Domain Controller.
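The compatibility notes above all turn on a handful of facts about the forest: the AD schema version (the same objectVersion the introduction reads with dsquery), whether and at which level Exchange has already prepared the schema and organization, the functional levels, and whether the Domain Controllers an Exchange server can reach are writable Global Catalogs rather than RODCs. As an added example that is not part of the original article, the following PowerShell collects exactly those facts in one report. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later) and an account that can read the Schema and Configuration partitions; the function name and the output field names are my own.

```powershell
# Added example (not from the original article): inventory the AD facts that the
# Exchange compatibility notes depend on. Assumes the ActiveDirectory module and
# read access to the Configuration and Schema partitions.
Import-Module ActiveDirectory

function Get-ExchangeAdPrerequisites {
    $rootDse  = Get-ADRootDSE
    $schemaNC = $rootDse.schemaNamingContext
    $configNC = $rootDse.configurationNamingContext

    # AD schema version: the same objectVersion the article reads with dsquery.
    $adSchema = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion

    # Exchange schema version (rangeUpper of ms-Exch-Schema-Version-Pt), if ever prepared.
    $exSchemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(cn=ms-Exch-Schema-Version-Pt)' -Properties rangeUpper
    $exSchema = if ($exSchemaObj) { $exSchemaObj.rangeUpper } else { 'not present' }

    # Exchange organization version, if an Exchange organization exists in the forest.
    $exOrg = Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=msExchOrganizationContainer)' -Properties objectVersion
    $exOrgVersion = if ($exOrg) { $exOrg.objectVersion } else { 'not present' }

    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Exchange needs writable DCs/GCs, so flag RODCs and count usable GCs.
    $dcs = Get-ADDomainController -Filter * |
        Select-Object Name, Site, OperatingSystem, IsGlobalCatalog, IsReadOnly
    $writableGCs = @($dcs | Where-Object { $_.IsGlobalCatalog -and -not $_.IsReadOnly })
    $rodcs       = @($dcs | Where-Object { $_.IsReadOnly })

    New-Object PSObject -Property @{
        AdSchemaVersion       = $adSchema
        ExchangeSchemaVersion = $exSchema
        ExchangeOrgVersion    = $exOrgVersion
        ForestFunctionalLevel = $forest.ForestMode
        DomainFunctionalLevel = $domain.DomainMode
        WritableGcCount       = $writableGCs.Count
        RodcCount             = $rodcs.Count
        DomainControllers     = $dcs
    }
}

$report = Get-ExchangeAdPrerequisites
$report | Select-Object AdSchemaVersion, ExchangeSchemaVersion, ExchangeOrgVersion,
    ForestFunctionalLevel, DomainFunctionalLevel, WritableGcCount, RodcCount | Format-List
$report.DomainControllers | Format-Table -AutoSize

# Every Exchange version above needs a writable Global Catalog; none at all is a blocker.
if ($report.WritableGcCount -eq 0) { Write-Warning 'No writable Global Catalog found.' }
```

Compare AdSchemaVersion with the list in the introduction and the DC operating systems with the sections above before adding a new OS version to a forest that already runs Exchange; RodcCount greater than zero is fine for the forest but tells you which DCs Exchange must not be pointed at.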

Upgrading of Exchange inside Domains

– in-place upgrades to Exchange 2007 or higher aren’t possible; the required process is Exchange Organization transitioning.

– the Planning Roadmap for Upgrade and Coexistence with Exchange 2010 from Exchange 2003 and Exchange 2007 contains all needed information.

Exchange 2003 – Planning Roadmap for Upgrade and Coexistence.

Exchange 2007 – Planning Roadmap for Upgrade and Coexistence.

– Active Directory is a requirement for installing Exchange 2007, Exchange 2010 and Exchange 2013.

Migration from Exchange to another Forest/Domain

– this can be achieved with a Cross Forest Migration when MIIS is used, either Single Forest to Cross Forest or Cross Forest to Cross Forest.

– it is possible to Move Mailboxes Across Forests in Exchange 2007, and Cross Forest Mailbox Move also works in Exchange 2010.

– another option is to export mailboxes from the existing Exchange servers to .pst files and import them into the new Exchange organization with PowerShell cmdlets.

– Exchange 5.5, 2000 and 2003 mailboxes can be exported with EXMERGE from Exchange 2003 servers or from computers with the Exchange 2003 administrative tools installed.

– Exchange 2007 Export-Mailbox and Import-Mailbox require the 32-bit Exchange management tools and Outlook 2003 SP2 or later.

– Exchange 2010 Export-Mailbox and Import-Mailbox require Exchange Server 2010 and the 64-bit version of Outlook 2010.

– Exchange 2013 New-MailboxExportRequest and New-MailboxImportRequest require additional permissions, so check the article for the correct settings.

Related links:

The most important one: the Exchange Server Supportability Matrix for comparing the different versions

Exchange Server 2007

Exchange Server 2010

Exchange Server 2013

Common Mistakes When Upgrading Exchange 2000/2003 to Exchange 2007

How to configure the administrator account to use EXMERGE 2003 in Exchange 2003

How to configure an account to use the EXMERGE utility in Exchange 2000 Server and in Exchange Server 2003

Export and Importing Mailboxes to PST files in Exchange 2007

Exporting and Importing Mailboxes with Exchange Server 2010


May 16 2010

Active Directory Metadata Cleanup

Sometimes a clean removal of a Domain Controller isn’t possible: a hardware crash, a forced removal of a DC, or the previous admin left some “garbage” for you.

In that case you have to do a metadata cleanup; otherwise all other DCs will keep trying to replicate with that machine, because they “think” this Domain Controller still exists, which also fills the event log with unwanted error messages. In addition, the support tools dcdiag, repadmin and replmon will report problems.

The metadata cleanup can be done with NTDSUTIL for the AD database part according to:

How to remove data in Active Directory after an unsuccessful domain controller demotion

The above article applies to all Windows versions starting with Windows 2000 Server up to Windows Server 2008 R2.

It can also happen that the FSMO roles must be seized, because the no longer existing DC was their owner:

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
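Before running NTDSUTIL it pays to see what the directory still holds for the dead DC and whether it owns any FSMO role (which then has to be seized, as the linked article describes). The following PowerShell is an added example and not part of the original article or the referenced KB articles: it looks up the server object and NTDS Settings under CN=Sites, the computer account, and the five FSMO holders, and prints the single-command NTDSUTIL form for reference. “DEADDC” is a placeholder for the name of the crashed DC; it assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later) and the function name is my own.

```powershell
# Added example (not from the original article): before NTDSUTIL, show what the
# directory still holds for a dead DC and whether it owns FSMO roles (which then
# have to be seized). 'DEADDC' is a placeholder. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-OrphanedDcReferences {
    param([Parameter(Mandatory=$true)][string]$DcName)

    $configNC = (Get-ADRootDSE).configurationNamingContext

    # Server object under CN=Sites and its NTDS Settings child: the metadata that
    # makes the other DCs keep trying to replicate with the dead machine.
    $server = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(&(objectClass=server)(cn=$DcName))"
    $ntds   = $null
    if ($server) {
        $ntds = Get-ADObject -SearchBase $server.DistinguishedName -LDAPFilter '(objectClass=nTDSDSA)'
    }

    # Computer account, normally in OU=Domain Controllers.
    $computer = Get-ADComputer -LDAPFilter "(cn=$DcName)"

    # FSMO holders are stored as DC FQDNs; roles still pointing at the dead DC must be seized.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $roles = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $toSeize = @($roles.GetEnumerator() | Where-Object { $_.Value -like "$DcName.*" } | ForEach-Object { $_.Key })

    $serverDn   = if ($server)   { $server.DistinguishedName }   else { 'none' }
    $ntdsDn     = if ($ntds)     { $ntds.DistinguishedName }     else { 'none' }
    $computerDn = if ($computer) { $computer.DistinguishedName } else { 'none' }

    New-Object PSObject -Property @{
        ServerObject     = $serverDn
        NtdsSettings     = $ntdsDn
        ComputerAccount  = $computerDn
        FsmoRolesToSeize = $toSeize
    }
}

$refs = Get-OrphanedDcReferences -DcName 'DEADDC'   # placeholder name
$refs | Format-List

# For reference only (printed, not executed): the single-command form of the
# NTDSUTIL cleanup that the linked KB article walks through interactively.
if ($refs.ServerObject -ne 'none') {
    Write-Output "ntdsutil `"metadata cleanup`" `"remove selected server $($refs.ServerObject)`" quit quit"
}
if ($refs.FsmoRolesToSeize.Count -gt 0) {
    Write-Warning "FSMO roles still owned by the dead DC: $($refs.FsmoRolesToSeize -join ', ')"
}
```

Run it a second time after the cleanup: every field should read “none” and the role list should be empty, otherwise the DNS and Sites and Services steps below are still needed.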

———————————————————————————————————

With the RSAT (Remote Server Administration Tools, DSA.MSC) of Windows Server 2008 or Windows Server 2008 R2 there is also the option to remove a DC in AD Users and Computers or AD Sites and Services, which triggers the metadata cleanup as well.

To remove a RWDC with AD UC:

– right-click the RWDC in question and choose DELETE

– an additional popup informs you that the DC wasn’t demoted with dcpromo; tick the checkbox to accept that a normal removal isn’t possible anymore

– after accepting the above popup you are informed if the Domain Controller is also a Global Catalog server (make sure other GCs exist in the domain)

– accept the deletion message again to go on

– the last possible popup appears if the DC is also an FSMO role holder; you are prompted to accept moving the FSMO roles to another DC

– in AD Sites and Services remove the NTDS Settings object; also clean up all DNS zones (the CNAME and the server’s records) and the Name Servers tab in the DNS server properties.

To remove a RODC with AD UC:

– right-click the RODC in question and choose DELETE

– now you are offered the option to reset all user passwords cached on the RODC (each user then needs a new password) and the computer passwords (those computers have to be re-joined to the domain); additionally you can view/export the user accounts and computer accounts that were cached on the RODC. This option is NOT offered if you work with NTDSUTIL.

– you now see an overview of the chosen options to accept

– after accepting the above popup you are informed if the Domain Controller is also a Global Catalog server (make sure other GCs exist in the domain)

– in AD Sites and Services remove the NTDS Settings object; DNS cleanup isn’t needed for a RODC, it is done automatically

To remove a RWDC or RODC in AD Sites and Services, first delete its NTDS Settings object and then delete the server object itself.

———————————————————————————————————

If an old domain should be removed or the last DC of a domain is demoted, the steps are a bit different; follow this article:

How to remove orphaned domains from Active Directory

Related links:

Remove Active Directory Domain Controller Metadata with a script

NTDSUTIL Windows 2000 Server

NTDSUTIL Windows Server 2003 and higher

Clean Up Server Metadata Windows Server 2003 and Windows Server 2003 R2

Clean Up Server Metadata Windows Server 2008 and higher


Apr 11 2010

Enable advanced logging on a Domain Controller

If you run into problems in a domain and need more information, you can enable advanced logging for specific categories.

This is done by changing a registry setting on a specific Domain Controller; keep in mind that this setting is not replicated to other Domain Controllers.

Open the registry editor and browse to:

HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics

Here you find the available REG_DWORD values that can be raised for advanced logging:

1 Knowledge Consistency Checker (KCC)
2 Security Events
3 ExDS Interface Events
4 MAPI Interface Events
5 Replication Events
6 Garbage Collection
7 Internal Configuration
8 Directory Access
9 Internal Processing
10 Performance Counters
11 Initialization/Termination
12 Service Control
13 Name Resolution
14 Backup
15 Field Engineering
16 LDAP Interface Events
17 Setup
18 Global Catalog
19 Inter-site Messaging

New options coming with Windows Server 2003:

20 Group Caching
21 Linked-Value Replication
22 DS RPC Client
23 DS RPC Server
24 DS Schema

With Windows Server 2008 and Windows Server 2008 R2 no new options were added.

The amount of logging can be configured from NONE to INTERNAL:

• 0 (None): Only critical events and error events are logged at this level. This is the default setting for all entries, and it should be modified only if a problem occurs that you want to investigate.
• 1 (Minimal): Very high-level events are recorded in the event log at this setting. Events may include one message for each major task that is performed by the service. Use this setting to start an investigation when you do not know the location of the problem.
• 2 (Basic)
• 3 (Extensive): This level records more detailed information than the lower levels, such as the steps that are performed to complete a task. Use this setting when you have narrowed the problem down to a service or a group of categories.
• 4 (Verbose)
• 5 (Internal): This level logs all events, including debug strings and configuration changes. A complete log of the service is recorded. Use this setting when you have traced the problem to a particular category or a small set of categories.
• Keep in mind that higher logging levels increase the number of entries recorded in the event log, to the point where you can no longer parse them. High logging levels also have a mostly negative impact on server performance.
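Because a raised level stays in effect until somebody sets it back, the practical pattern is to raise one category for a bounded window, collect the Directory Service log entries written during that window, and revert in a finally block so an interrupted session cannot leave a DC flooding its log. The following PowerShell is an added example and not part of the original article: the registry key and the category names are the ones listed above, while the default category (16 LDAP Interface Events), level (3, Extensive), 120-second window and function names are my own choices for the example. It has to run elevated on the DC in question.

```powershell
# Added example (not from the original article): raise one NTDS diagnostics
# category for a short window, collect what the Directory Service log recorded,
# and always put the level back to 0. The key and category names are the ones
# listed above; the default category, level and window are choices for this example.
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-NtdsDiagnosticLevels {
    # All categories with their current level, so a forgotten raised level stands out.
    $item = Get-ItemProperty -Path $diagKey
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+ ' } |
        Sort-Object { [int]($_.Name -split ' ')[0] } |
        Select-Object Name, Value
}

function Set-NtdsDiagnosticLevel {
    param(
        [Parameter(Mandatory=$true)][string]$Category,                 # e.g. '16 LDAP Interface Events'
        [Parameter(Mandatory=$true)][ValidateRange(0,5)][int]$Level    # 0 = None ... 5 = Internal
    )
    # Refuse to create new values: only the categories the DC already knows are valid.
    if (-not (Get-ItemProperty -Path $diagKey -Name $Category -ErrorAction SilentlyContinue)) {
        throw "Unknown NTDS diagnostics category '$Category'"
    }
    Set-ItemProperty -Path $diagKey -Name $Category -Value $Level -Type DWord
}

function Invoke-NtdsDiagnosticCapture {
    param(
        [string]$Category = '16 LDAP Interface Events',
        [int]$Level       = 3,          # Extensive: per-task steps, see the list above
        [int]$Seconds     = 120
    )
    $start = Get-Date
    Set-NtdsDiagnosticLevel -Category $Category -Level $Level
    try {
        # Reproduce the problem during this window.
        Start-Sleep -Seconds $Seconds
    }
    finally {
        # Revert even if the capture is interrupted: high levels flood the log and cost CPU.
        Set-NtdsDiagnosticLevel -Category $Category -Level 0
    }
    # Directory Service log entries written while the level was raised.
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; StartTime = $start } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Get-NtdsDiagnosticLevels | Format-Table -AutoSize
Invoke-NtdsDiagnosticCapture | Format-Table -AutoSize -Wrap
```

Get-NtdsDiagnosticLevels on its own is a quick audit: since the setting is per DC and not replicated, a non-zero value on one DC is easy to miss and explains a Directory Service log that is much busier than on its neighbours.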

Additional resources:

How to configure Active Directory diagnostic event logging in Windows Server 2003 and in Windows 2000 Server KB314980

Directory Service Configuration Management Tasks

See “Set logging level” in Configuring a Computer for Troubleshooting

Directory Services Debug Logging Primer

Enabling debug logging for the Net Logon service

Feb 13 2010

Upgrade a Domain Controller to a new Operating System version and keep the name

If you need to keep the name of a domain controller (DC) you have two options: an in-place upgrade of the DC in question, or a “temporary” DC that frees up the name (needed if only one DC exists in the domain).

The following applies only if the DC is NOT running additional applications, e.g. Microsoft Exchange Server, Microsoft SQL Server or any other. For a Certification Authority (CA) see the end of this article.

I don’t prefer an in-place upgrade, especially when there is a major change in the OS architecture like from Windows Server 2003 to Windows Server 2008.

Option 1:

Depending on the OS version, you can do in-place upgrades:

+ Windows Server NT4 (SP6a) to Windows Server 2000 or Windows Server 2003 is possible

+ Windows Server 2000 to Windows Server 2003 or Windows Server 2003 R2 is possible

+ Windows Server 2000 to Windows Server 2008 or higher is NOT possible

+ Windows Server 2003 SP1/SP2 or Windows Server 2003 R2 SP1/SP2 to Windows Server 2008 or Windows Server 2008 R2 is possible, but only if NO cluster services are installed

+ Windows Server 2008 to Windows Server 2008 R2 is possible

See these articles for a more detailed explanation of the supported upgrade paths: (http://support.microsoft.com/kb/810613/en-us) and (http://support.microsoft.com/?kbid=951041)

Option 2:

If you must use different hardware because of the OS requirements, the old machine (let’s call it “DCKeep”) has reached the end of its lifetime, or you have only one DC in the domain, you can work with a “temporary” DC (let’s call it “DCTemp”), either a VM or a physical machine (even a laptop, if the hardware can run the OS).

+ install an additional DC “DCTemp” in the domain, make it a DNS server (I always prefer Active Directory integrated zones on DCs) and a Global Catalog server ([http://support.microsoft.com/?id=313994] applies also to 2008)

+ move all 5 FSMO roles to “DCTemp” (if the DC whose name you want to keep is the FSMO role holder) ([http://support.microsoft.com/kb/324801] applies also to 2008)

+ check replication with the support tools dcdiag /v, netdiag (not included in Windows Server 2008, but works {unsupported} if copied from the Windows Server 2003 support tools [not on Windows Server 2008 R2]) and repadmin /showrepl (or /showreps with the Windows 2000 support tools). Replmon, the Replication Monitor GUI, also helps to check correct replication between all DCs.

+ if all steps above are error-free you can demote “DCKeep” to a member server and rename it or remove it completely from the domain. That way the domain still has a running DC with all needed roles, and you can now use the name “DCKeep” again on a server with the new OS version and the same IP address.

If “DCKeep” has the CA role installed you have to back it up BEFORE demoting or removing it, so that it can be restored on the new server; follow these articles depending on the OS version:

+ Windows Server 2000 to Windows Server 2003 (http://support.microsoft.com/kb/298138)

+ Windows Server 2003 to Windows Server 2008 (http://technet.microsoft.com/en-us/library/cc742515(WS.10).aspx)

+ upgrading a CA from Windows Server 2000 to Windows Server 2008 should be done in two steps via Windows Server 2003 to be supported by Microsoft

Feb 10 2010

Upgrading an Active Directory Domain from Windows Server 2003 to Windows Server 2008 or Windows Server 2008 R2

!!!NEVER START BEFORE HAVING CREATED AND TESTED A BACKUP OF YOUR DATA/MACHINE!!!

If Exchange 2003 is installed in the domain, see the following article first: Exchange requirements. Otherwise follow the steps below.

– On the old server open the DNS management console and check that you are running Active Directory integrated zones (easier for replication if you have more than one DNS server)

– run replmon from the Run line, or repadmin /showrepl (only if more than one DC exists), dcdiag and netdiag from the command prompt on the old machine to check for errors; if there are any, solve them first. For these tools you have to install support\tools\suptools.msi from the 2003 installation disk.

– run adprep /forestprep, adprep /domainprep and adprep /rodcprep from the 2008 installation disk against the 2003 schema master (forestprep) and infrastructure master (domainprep/rodcprep), with an account that is a member of Schema Admins, Enterprise Admins and Domain Admins, to upgrade the schema to the new version (44 for 2008, 47 for 2008 R2). The Windows Server 2008 R2 disk contains adprep32.exe (32-bit) and adprep.exe (64-bit), so make sure to use the correct version.

– see here for adprep in detail (http://technet.microsoft.com/en-us/library/cc731728(WS.10).aspx)

– you can check the schema version with “schupgr” or “dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion” without the quotes in a command prompt

– if the first installed DC in the domain should be removed or replaced with another one, regardless of whether it runs a new or the same OS version, make sure that you export the recovery agent’s EFS certificate and private key from the DC BEFORE you demote/retire it. Details are in (http://support.microsoft.com/kb/241201) and (http://technet.microsoft.com/en-us/library/cc755157(WS.10).aspx). If you do not save it, you will not be able to recover encrypted data in case of problems.

– Install the new machine as a member server in your existing domain

– configure a fixed IP and set the preferred DNS server to the old DNS server only. If you think about disabling IPv6 because you are not using it or it was recommended to you, pay attention to the UPDATE below. Follow (http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx) to disable it, if really required

UPDATE for IPv6 02.06.2011: Keep in mind that IPv6 will become the future protocol and you should get familiar with it. Microsoft’s recommendation is to leave IPv6 enabled, as some new features, services and applications already require it. Exchange 2010 and DirectAccess are examples.

– run dcpromo and follow the wizard to add the 2008 server to the existing domain; make it a Global Catalog and DNS server as well.

– give DNS time to replicate, at least 15 minutes. Because you use Active Directory integrated zones, the zones replicate automatically to the new server. Open the DNS management console to check that they appear

– once the new machine is a domain controller and DNS server, run replmon, dcdiag and netdiag again (netdiag copied from 2003 to 2008 will work) on both domain controllers

– Transfer (do NOT seize) the 5 FSMO roles to the new Domain Controller ((http://support.microsoft.com/kb/324801) applies also to 2008); the FSMO roles should always be on the DC with the newest OS

– after transferring the PDC Emulator role, configure the NEW PDC Emulator to use an external time source and reconfigure the old PDC Emulator to use the domain hierarchy. On the NEW one run “w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update”, where PEERS is replaced by the IP address or server name (e.g. time.windows.com); on the OLD one run “w32tm /config /syncfromflags:domhier /reliable:no /update” and stop/start the Time service. All commands run in an elevated command prompt, without the quotes.

– you can see in the event viewer (Directory Service log) that the roles are transferred; give it some time

– reconfigure the DNS settings on the NIC of the 2008 server: preferred DNS itself, alternate the old one

– if you use DHCP, do not forget to reconfigure the scope options to point to the newly installed DNS server

– if needed, move the DHCP database to the Windows Server 2008 machine; follow (http://support.microsoft.com/kb/962355), for more details see (http://technet.microsoft.com/en-us/library/cc772372.aspx)
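The replication check, the FSMO transfer and the time-source change above (and the same three steps in Option 2 of the previous article) can be scripted so that the roles are only moved when repadmin reports no failures, and so that a transfer is never silently turned into a seizure. The following PowerShell is an added example, not code from either article: Test-ReplicationHealth parses repadmin /showrepl in CSV form, Move-AllFsmoRoles transfers the five roles with Move-ADDirectoryServerOperationMasterRole without -Force (so the current owner must be online), and Set-PdcTimeSource runs the two w32tm commands from the step above on the new and the old PDC Emulator. DCNEW, DCOLD and the peer list are placeholders; it assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later), repadmin on the path, PowerShell remoting to both DCs and an elevated prompt.

```powershell
# Added example, not the articles' own code: FSMO transfer, time-source change and
# replication checks for the steps above. DCNEW, DCOLD and the peer list are
# placeholders. Assumes the ActiveDirectory module, repadmin on the path,
# PowerShell remoting to both DCs and an elevated prompt.
Import-Module ActiveDirectory

$newDc = 'DCNEW'              # placeholder: freshly promoted 2008/2008 R2 DC
$oldDc = 'DCOLD'              # placeholder: 2003 DC that is going to be demoted
$peers = 'time.windows.com'   # external time source, as in the article's example

function Test-ReplicationHealth {
    # repadmin /showrepl in CSV form; any link with failures is a stop sign.
    $rows   = repadmin /showrepl * /csv | ConvertFrom-Csv
    $failed = @($rows | Where-Object { [int]$_.'Number of Failures' -gt 0 })
    if ($failed.Count -gt 0) {
        $failed | Format-Table 'Destination DSA', 'Source DSA', 'Naming Context',
            'Number of Failures', 'Last Failure Status' -AutoSize | Out-Host
        return $false
    }
    return $true
}

function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    New-Object PSObject -Property @{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Move-AllFsmoRoles {
    param([Parameter(Mandatory=$true)][string]$Target)
    # Transfer, not seize: -Force is deliberately omitted, so the current owner must
    # be online and agree to the move.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -Confirm:$false `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
}

function Set-PdcTimeSource {
    param([string]$NewPdc, [string]$OldPdc, [string]$PeerList)
    # New PDC emulator: external source, reliable time provider for the domain.
    Invoke-Command -ComputerName $NewPdc -ArgumentList $PeerList -ScriptBlock {
        param($p)
        w32tm /config "/manualpeerlist:$p" /syncfromflags:manual /reliable:yes /update
        w32tm /resync
    }
    # Old PDC emulator: back to the domain hierarchy; restart the service as the article says.
    Invoke-Command -ComputerName $OldPdc -ScriptBlock {
        w32tm /config /syncfromflags:domhier /reliable:no /update
        Restart-Service -Name W32Time
        w32tm /resync
    }
}

if (-not (Test-ReplicationHealth)) { throw 'Replication errors found; fix them before moving roles.' }
Move-AllFsmoRoles -Target $newDc
Get-FsmoHolders | Format-List
Set-PdcTimeSource -NewPdc $newDc -OldPdc $oldDc -PeerList $peers
Start-Sleep -Seconds 300      # let the role transfer replicate before re-checking
Test-ReplicationHealth
```

Get-FsmoHolders should list the new DC for all five roles after the move; if it does not, wait for replication and check the Directory Service event log as the step above says, rather than reaching for a seizure.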

Demoting the old DC (if needed)

– reconfigure your clients/servers so that they no longer point to the old DC/DNS server on the NIC

– to be sure that everything runs fine, disconnect the old DC from the network and check connectivity and logon with clients and servers; also restart one client to see that everything is ok

– then run dcpromo to demote the old DC; if it works fine, the machine moves from the Domain Controllers OU to the Computers container, where you can delete it by hand. If you get an error at the beginning of the demotion, uncheck Global Catalog on that DC and try again

– check in the DNS management console that all entries of the machine have disappeared, or delete them by hand if the machine is off the network for ever

– you also have to open AD Sites and Services and delete the old server name under the site; this is not done during demotion

Feb 06 2010

Upgrading Active Directory to Windows Server 2008, when Exchange Server 2000 or Exchange Server 2003 is installed

For more detailed information, also about Exchange 2007 and Exchange 2010, see “Exchange Server and its relationship to Active Directory”.

To upgrade an Active Directory forest/domain to a newer OS version you have to check some prerequisites.

If Exchange 2000 is running in the existing Windows domain, first check with the following article that no mangled attributes exist; it applies also to Windows Server 2008: http://support.microsoft.com/?id=314649

If Exchange 2000 Service Pack 3 is installed, it can be used in an Active Directory forest that contains Windows Server 2008 DCs, but the Windows Server 2008 DCs shouldn’t be in the same site as the Exchange 2000 server. If Windows Server 2008 DCs MUST run in an AD site that has Exchange 2000 servers, you have to configure Directory Service Access (DSAccess) on the Exchange 2000 servers in the site to use a DC running either Windows Server 2003 or Windows 2000 Server. Configuring DSAccess manually does NOT provide any fallback to another Domain Controller or Global Catalog server. http://support.microsoft.com/kb/250570

UPDATE: according to the “Exchange Server Supportability Matrix”, Exchange 2000 isn’t supported with Windows Server 2008 DCs, but it should work according to the article “Exchange Server and Windows Server 2008” by the Exchange specialists.

If Exchange 2003 is used, make sure that Exchange 2003 Service Pack 2 is installed.

RODCs can be used in the forest without any problem, but every Exchange Server version requires a writable Domain Controller and a writable Global Catalog server.

UPDATE: According to the “Exchange Server Supportability Matrix” it is also supported to use Windows Server 2008 R2 DCs when Exchange 2003 SP2 is installed.