Installing Active Directory on Windows Server 2008

Microsoft Active Directory provides the structure to centralize the network management and store information about network resources across the entire domain. Active Directory uses Domain Controllers to keep this centralized storage available to network users. In order to configure a Windows Server 2008 machine to act as Domain Controller, several considerations and prerequisites should be taken into account, and several steps should be performed. In this article I will guide you through these prerequisites and steps of creating a new Windows Server 2008 Domain Controller for a new Active Directory domain in a new forest.

Considerations when Installing a new Windows Server 2008 forest

When you install AD to create the first domain controller in a new Windows Server 2008 forest, you must keep the following considerations in mind:
  • You must make forest and domain functional level decisions that determine whether your forest and domain can contain domain controllers that run Windows 2000 Server, Windows Server 2003, or both. To read more about forest and domain functional levels please refer to the links below.
  • Domain controllers running the Microsoft Windows NT Server 4.0 operating system are NOT supported with Windows Server 2008.
  • Servers running Windows NT Server 4.0 are NOT supported by domain controllers that are running Windows Server 2008, meaning you MUST have additional DCs running Windows 2000/2003 to support older NT 4.0 servers.
  • The first Windows Server 2008 domain controller in a forest must be a global catalog server and it cannot be an RODC.

Considerations when Installing a new Windows Server 2008 domain in an existing Windows 2000/2003 forest

When you install AD to create the first domain controller in a new Windows Server 2008 domain, you must keep the following considerations in mind:
  • Before you create a new Windows Server 2008 domain in a Windows 2000/2003 forest, you must prepare the forest for Windows Server 2008 by extending the schema (that is, by running ADPREP /forestprep). To read more about ADPREP please refer to the links below or my "Windows Server 2008 ADPREP" article.
  • You must make domain functional level decisions that determine whether your domain can contain domain controllers that run Windows 2000 Server, Windows Server 2003, or both. To read more about forest and domain functional levels please refer to the links below.
  • I recommend that you host the PDC emulator operations master role in the forest root domain on a domain controller that runs Windows Server 2008. For more information about FSMO Roles, please read my "Understanding FSMO Roles in Active Directory" and "Transferring FSMO Roles" articles.

General considerations

Make sure you read and follow the requirements described in my "Active Directory on Windows Server 2008 Requirements" article.

Installing Active Directory Domain Services (AD-DS)

In Windows Server 2008, unlike previous server operating systems, there is an additional step that needs to be taken before running DCPROMO to promote the server to a Domain Controller and install Active Directory on it. This step is the installation of the Active Directory Domain Services (AD-DS) role on the server. The AD-DS role is what enables the server to act as a Domain Controller, but you will still need to run DCPROMO the regular way.
AD-DS can be installed in one of 3 methods:

Method 1 – Server Manager/Initial Configuration Tasks

Roles can and should be added from Server Manager (but they can also be initiated from the Initial Configuration Tasks wizard that auto-opens the first time you log on to the server).
    1. Open Server Manager by clicking the icon in the Quick Launch toolbar, or from the Administrative Tools folder.
    2. Wait till it finishes loading, then click on Roles > Add Roles link.
    3. In the Before you begin window, click Next.
    4. In the Select Server Roles window, click to select Active Directory Domain Services, and then click Next.
    5. In the Active Directory Domain Services window, read the provided information if you want to, and then click Next.
    6. In the Confirm Installation Selections window, read the provided information if you want to, and then click Next.
    7. Wait till the process completes.
    8. When it ends, click Close.
    9. Going back to Server Manager, click on the Active Directory Domain Services link, and note that there's no information linked to it, because the DCPROMO command has not been run yet.
    10. Now you can click on the DCPROMO link, or read on.
      1. To run DCPROMO, enter the command in the Run command, or click on the DCPROMO link from Server Manager > Roles > Active Directory Domain Services.
      2. Depending on whether AD-DS was previously installed or not, the Active Directory Domain Services Installation Wizard will appear immediately or after a short while. Click Next.
      Note: The Advanced features of DCPROMO will be discussed in a future article.


How to Install a Replica DC in an Existing AD Domain on Windows 2000


How do I install a second Domain Controller in my Active Directory domain on my Windows 2000 Server?
First make sure you read and understand Active Directory Installation Requirements. If you don't comply with all the requirements of that article you will not be able to set up your AD (for example: you don't have a NIC or you're using a computer that's not connected to a LAN).

Note: This article is only good for understanding how to install the SECOND DC in an EXISTING DOMAIN in an EXISTING AD FOREST.
Note: For the installation of the FIRST DC in the AD Domain read How to Install Active Directory on Windows 2000.
Lamer Note: For the installation of the FIRST DC in the AD Domain read How to Install Active Directory on Windows 2000 (for idiots).
Here is a quick list of what you must have:
  • An NTFS partition with enough free space
  • The Domain Admin's username and password
  • The correct operating system version
  • A NIC
  • Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)
  • A network connection (to a hub or to another computer via a crossover cable)
  • A persistent and un-interrupted connection with the domain's existing DC
  • An operational DNS server which holds the relevant SRV Record information for the AD domain and forest
  • The Domain name for the domain that you want to join
  • The Windows 2000 CD media (or at least the i386 folder)
  • Brains (recommended, not required...)
This article assumes that all of the above requirements are fulfilled.
For a Windows Server 2003 version of this article please read How to Install a Replica DC in an Existing AD Domain on Windows Server 2003.

Step 1: Configuring the computer's TCP/IP settings

You must configure the would-be Domain Controller to use the IP address of the DNS server, so it will point to it when registering SRV records and when querying the DNS database.

Configure TCP/IP

  1. Click Start, point to Settings and then click Control Panel.
  2. Double-click Network and Dial-up Connections.
  3. Right-click Local Area Connection, and then click Properties.
  4. Click Internet Protocol (TCP/IP), and then click Properties.
  5. Assign this server a static IP address, subnet mask, and gateway address (optional). Enter the DNS server's IP address in the Preferred DNS server box.
Note: You MUST have an operational DNS server that already serves as the DNS server of the domain/forest.
  6. Click Advanced.
  7. Click the DNS tab.
  8. Select "Append primary and connection specific DNS suffixes".
  9. Check "Append parent suffixes of the primary DNS suffix".
  10. Check "Register this connection's addresses in DNS". If this Windows 2000-based DNS server is on an intranet, it should only point to its own IP address for DNS; do not enter IP addresses for other DNS servers here. If this server needs to resolve names on the Internet, it should have a forwarder configured.
  11. Click OK to close the Advanced TCP/IP Settings properties.
  12. Click OK to accept the changes to your TCP/IP configuration.
  13. Click OK to close the Local Area Connection properties.

Step 2: Running DCPROMO

After completing all the previous steps and after double checking your requirements you should now run Dcpromo.exe from the Run command.
Note: In Windows Server 2003, unlike Windows 2000, you can choose to install the Replica DC from backed-up media, thus saving considerable amounts of time and bandwidth. Read Install DC from Media in Windows Server 2003 for more info.
  1. Click Start, point to Run and type "dcpromo".
  2. The wizard window will appear. Click Next.
  3. Choose Additional Domain Controller for an existing domain and click Next.
  4. In the Network Credentials window enter the username and password for a Domain Admin in the domain you're trying to join. Also enter the full DNS domain name. Click Next.
This step might take some time because the computer is searching for the DNS server.
Note: If you enter the wrong username and/or password, the wizard will still let you get to the last window and begin to attempt to join the domain, but the wrong credentials will then produce an error message like this one:
If you get the domain name wrong you'll get this warning:

The wizard will not be able to continue past the domain name window.
If you have wrong DNS settings, i.e. the computer "thinks" it should be "talking" to one DNS server while in fact it should be using another, you'll get an error message like this one:
  5. Accept the Database and Log file location dialog box (unless you want to change them of course). The location of the files is by default %systemroot%\NTDS, and you should not change it unless you have performance issues in mind. Click Next.
  6. Accept the Sysvol folder location dialog box (unless you want to change it of course). The location of the files is by default %systemroot%\SYSVOL, and you should not change it unless you have performance issues in mind. This folder must be on an NTFS v5.0 partition. This folder will hold all the GPOs and scripts you'll create, and will be replicated to all other Domain Controllers. Click Next.
  7. Enter the Restore Mode administrator's password. You can leave it blank but whatever you do - remember it! Without it you'll have a hard time restoring the AD if you ever need to do so. Click Next.
  8. Review your settings and if you like what you see - Click Next.
  9. See the wizard going through the various stages of installing AD. Whatever you do - NEVER click Cancel!!! You'll wreck your computer if you do. If you see you made a mistake and want to undo it, you'd better let the wizard finish and then run it again to undo the AD.
  10. If all went well you'll see the final confirmation window. Click Finish.
  11. You must reboot in order for the AD to function properly. Click Restart now.

Step 3: Checking the AD installation

You should now check to see if the AD installation went well.
  1. First, see that the Administrative Tools folder has all the AD management tools installed.
  2. Run Active Directory Users and Computers (or type "dsa.msc" from the Run command). See that all OUs and Containers are there. See that your DC is listed in the Domain Controllers Container.
  3. Run Active Directory Sites and Services. See that you have a site named Default-First-Site-Name, and that in it your server is listed along with the other DC in the domain/forest.
  4. Open the DNS console. See that your new DC has registered itself in the 4 SRV Record folders.
One reason for the lack of registration of SRV records is that the NETLOGON service has somehow failed to register the SRV Records in the DNS zone.
You should try to restart the NETLOGON service to force the SRV registration.
From the command prompt type "net stop netlogon", and after it finishes, type "net start netlogon".
Let it finish, go back to the DNS console, click your zone and refresh it (F5). If all is ok you'll now see the 4 SRV record folders.
  5. Check the NTDS folder for the presence of the required files.
  6. Check the SYSVOL folder for the presence of the required subfolders.
  7. Check to see if you have the SYSVOL and NETLOGON shares, and their location.
If all of the above is ok, I think it's safe to say that your AD is properly installed.


How can I prevent users from using USB removable disks (USB flash drives) by using Group Policy (GPO)?


I have seen this question several times at different message boards, so I've decided to write an article about it.
USB removable disks (also known as flash drives or "Disk on Key" and other variations) are quickly becoming an integral part of our electronic life, and now nearly everybody owns one device or another, in forms of small disks, external hard drives that come enclosed in cases, card readers, cameras, mobile phones, portable media players and more.

Portable USB flash drives are indeed very handy, but they can also be used to upload malicious code to your computer (either deliberately or by accident), or to copy confidential information from your computer and take it away.
As a variation to Disable USB Disks, you can prevent users from using any portable USB removable disk or flash drive by using a custom .ADM file that can be imported into the Local Group Policy (thus affecting only the local computer) or by using Active Directory-based Group Policy Objects (also known as GPOs).
Follow the steps outlined in the Adding New Administrative Templates to a GPO article for general instructions on how to add or remove an .ADM file from the Administrative Templates section in a GPO.
Note: This tip will allow you to block usage of USB removable disks, but will continue to allow usage of USB mice, keyboards or any other USB-based device that is NOT a portable disk.
It's worth mentioning that in Windows Vista Microsoft has implemented a much more sophisticated method of controlling USB disks via GPO. If you have Windows Vista client computers in your organization you can use GPO settings edited from one of the Vista machines to control if users will be able to install and use USB disks, plus the ability to control exactly what device can or cannot be used on their machines.
Needless to say, as with any GPO setting, this option will only work on Windows 2000 operating systems or higher.
In KB 555324 written by fellow MVP Simon Geary he has provided a nice sample .ADM file that can do just that, and also added other removable storage media to it. You can effectively block usage of any drives containing removable media, such as USB ports, CD-ROM drives, Floppy Disk drives and high capacity LS-120 floppy drives.
However, the original .ADM was pretty simple, so I added a must-have explanation and changed some of the wording in it. By using the file provided below you will also be able to understand the exact settings and scenarios in which the blocking will or will not be successful.
After downloading the .ADM file, read Adding New Administrative Templates to a GPO.
You might also be interested in reading Disable Writing to USB Disks with GPO.
Note: In order to successfully view and configure the new .ADM file settings you will need to change the default filtering view for the GPO Editor (or GPedit.msc). Unless you change these settings, the right pane will appear empty, even though it has the settings in it.
Follow these steps:
  1. In GPEdit.msc (or any other GPO Editor window you're using) click on View > Filtering.
  2. Click to un-select the "Only show policy settings that can be fully managed" check-box. Click Ok.
  3. Now you will be able to see the new settings in the right pane:
  4. You can now configure any of the above settings:
An additional step that needs to be performed before the above tip will work has to do with modifying the file access permissions for two files. You need to remove the SYSTEM access permissions from the usbstor.sys and usbstor.inf files.
You can do so by right-clicking these files > Properties, then going to the Security tab. There you need to remove the entry for the SYSTEM account.
Note: Under some circumstances, SYSTEM needs write access to these files during Service Pack installation. For example, when the SP is installed via GPO or SMS, the installation runs under the SYSTEM account.
The Service Pack needs to replace these files with a new version, and without write access to them the installation will fail. Therefore, before each SP deployment you need to grant the SYSTEM account access to these files again.


Defragmenting an Active Directory Database


Performing an Offline Defragmentation

Before you attempt an offline defragmentation, I strongly recommend making a full, system state backup of the domain controller. I have never had an offline defragmentation go belly up on me, but since there is at least a potential for database corruption to occur, I recommend starting with a backup.
Once you have created a backup of your domain controller, the next thing that you should do is to make note of the existing Active Directory database's size. By default, the Active Directory database is located at C:\Windows\NTDS, although the DCPROMO process does allow you to choose a different location. The name of the actual database file is NTDS.DIT. A freshly installed Active Directory database on a Windows Server 2008 domain controller is about 12 MB in size, but the database can grow to be several GB in size, depending on the amount of data that is stored in the Active Directory.
Once you have noted the database's size, you will have to create a directory that you can use as a temporary repository for a copy of the Active Directory database. When you perform an offline defragmentation, Windows does not alter the original Active Directory database. Instead it creates a defragmented copy of the database. I recommend creating a folder named TEMP beneath the \Windows\NTDS folder.
The next step in the process is to stop the Active Directory Domain Service. Unlike previous versions of Windows, Windows Server 2008 offers the ability to start and stop the Active Directory just as you would any other service. Depending on how your server is configured, there may be dependency services that Windows will also have to shut down.
When the Active Directory Domain Service finishes shutting down, open a Command Prompt window, and enter the NTDSUTIL command. The command prompt will now display an NTDSUTIL prompt. Now enter the following command:
Activate Instance NTDS
At this point, NTDSUTIL will display a message stating that active instance has been set to "NTDS". Now enter the Files command. This will cause NTDSUTIL to switch to the File Maintenance prompt. You should now enter the Info command. This will cause NTDSUTIL to display information about the size and location of the Active Directory database, as shown in Figure A.
Figure A: You should double-check the database size against the size that you recorded earlier.
You should make sure that the information that is displayed coincides with the size that you recorded earlier. Otherwise, some corruption may exist. Assuming that everything looks good, you can launch the defragmentation process by entering the following command:
Compact to c:\Windows\NTDS\temp
The command shown above assumes that you have created a folder named Temp beneath the c:\windows\ntds folder.
The amount of time that the defragmentation process will take varies depending on the speed of your server, and on the size of the Active Directory database. You can see what a successful defragmentation looks like in Figure B.
Figure B: This is what a successful defragmentation looks like.
When the process completes, enter the Q command at the NTDSUTIL prompt to close NTDSUTIL. Next, verify that Windows has created a copy of the Active Directory database in the C:\Windows\NTDS\Temp folder. This copy is the defragmented version of the database. To use it, you must either delete or rename the original database (the one in C:\Windows\NTDS), and then copy the defragmented database from C:\Windows\NTDS\Temp to C:\Windows\NTDS. You must also either rename or delete the log files located in the C:\Windows\NTDS folder.
You can now restart the Active Directory. The easiest way to do this is to simply start the Active Directory Domain Service that you shut down earlier. If a number of dependency services were also shut down, though, it may be easier to just reboot the server.

Conclusion

In this article, I have shown you how to perform an offline defragmentation of the Active Directory database. It is important to remember though, that you should always perform a full, system state backup prior to attempting this procedure.


Grant DNSAdmins the Right to View DNS Event Log Entries Remotely on Windows Server 2008 R2


This is an issue we've struggled with in the past day or so. An organization running Windows Server 2008 R2 is delegating control of their DNS servers to specific people, and in order to do so, they added these users to the DNSAdmins built-in group in Active Directory. However, since these users are not members of any administrative groups, while they can view and manage the DNS Event Logs locally on the DNS server(s), they cannot do so remotely from another Windows Server 2008 R2 or Windows 7 management workstation.

The Problem: Access Denied when Viewing Event Logs Remotely

To demonstrate this in our lab environment, we created a user called DNSManager, and added him to the DNSAdmins group. Once the user logs on to their management workstation and opens Event Viewer, they connect to a remote computer.
Figure 1: Connecting to a Remote Computer
In the “Another Computer” area, they type the name of the remote machine. In this case, it’s a remote Domain Controller that is called DC1, which also hosts the DNS service.
Figure 2: Select Computer to View Event Logs on
Once connected, they attempt to open one of the Event Logs, but get an “Access is Denied (5)” message:
Figure 3: Access Denied Error Message when Viewing Event Logs Remotely

The Solution: Adding DNSAdmins to the Event Log Readers Group

This can be easily fixed by adding these users (or group of users) to the “Event Log Readers” built-in group on the servers that you need to have remote access to.
Figure 4: Adding DNSAdmins to the Event Log Readers Group
Now, if the DNSManager user logs off and logs back on to the remote management machine, he can view the relevant event logs.
Figure 5: Access Granted to DNSAdmins

The Problem: Access Denied to DNS Event Logs

However, while this trick works for most Event Logs, it does NOT work for the DNS Event Log, as can be seen from this screenshot below.
Figure 6: Access Denied error when Viewing DNS Event Logs
This problem persists even when the user opens the DNS management console: they CAN manage the DNS properties, zones and records, as shown below.
Figure 7: DNS Management Console works fine
Yet when they attempt to view the remote DNS Event Log, they still get the “Access is denied” error.
Figure 8: Unable to Access DNS Event Logs

The Solution: Granting Remote Access to DNS Event Logs

The fix lies in a somewhat complex Microsoft knowledge base article: How to set event log security locally or by using Group Policy in Windows Server 2003.
But the trick is that in Windows Server 2008 R2, the procedure is a lot simpler. Here are the steps:
  1. Open Command Prompt with elevated permissions (Run as Administrator), and run the following command:
    wevtutil gl "DNS Server" > C:\Temp\DNS_Server.txt
    Note: Change the path to fit your needs.
    By the way, if you need to perform the same trick on other custom or application logs, you can find out the name of the log by running the following command and examining the resulting text file for the exact name syntax:
    wevtutil el > C:\Temp\All_Logs.txt
  2. Next open the text file from the above path, and look for the channelAccess: entry.
    Figure 9: ChannelAccess entry
  3. Now we need to find the SID of the DNSAdmins group. To do so, if the logged on user is a member of that group, you can find the SID by typing the following command (assuming this is Windows Server 2008 R2 or Windows 7):
    whoami /groups | find /i "dnsadmins"
    The result should look something like this:
    PETRI-LAB\DnsAdmins                    Alias            S-1-5-21-3903327414-3371247034-3746192915-1102 Mandatory group, Enabled by default, Enabled group
    Naturally, the domain name and SID will differ, but you get the point…
    You can also use other tools such as PSGetsid from Sysinternals.
    Copy the SID, we’ll need it in a moment.
  4. Going back to the text file, append the following text string to that long line:
    (A;;0x1;;;XXX)
    Where XXX is the SID you’ve copied from above.
    In this case, I will append the following line:
    (A;;0x1;;;S-1-5-21-3903327414-3371247034-3746192915-1102)
    Figure 10: Adding Your SID
  5. Next, copy the entire text from the O:BAG… part till the end of the line (including your recent addition):
    O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-21-3903327414-3371247034-3746192915-1102)
  6. And finally, run the following command in the Command Prompt, pasting the above string just after the /ca: parameter:
    wevtutil sl "DNS Server" /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-21-3903327414-3371247034-3746192915-1102)
    Figure 11: Run the command
    You can now close the text file; we don't need it anymore. No need to save it.
    Going back to the management workstation, open Event Viewer or open DNS management console as the DNSManager user, and behold, you can now view the DNS Event Logs:
    Figure 12: Problem solved, the DNS Event Logs show up
    Figure 13: Problem solved, the DNS Event Logs show up
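As an added example (not the article's own code), the following Python script performs steps 2 to 6 on the channelAccess SDDL instead of editing it by hand: it pulls the SID out of the whoami /groups line, checks which rights that SID already holds, appends the allow ACE only when read access is missing (0x1 is read; 0x2 write and 0x4 clear are deliberately not granted), and builds the wevtutil sl command rather than running it. The wevtutil gl output below is a constructed sample; its channelAccess value and the DnsAdmins SID are the ones shown in this article.

```python
"""Edit an event-log channel's SDDL the way the article does by hand.

Extracts channelAccess from `wevtutil gl` output, checks a SID's existing
rights, appends a read-only allow ACE only if needed, and builds (does not
run) the `wevtutil sl` command that applies it.
"""
import re

# Access-mask bits used in event-log channel ACEs: read / write / clear.
EVT_READ, EVT_WRITE, EVT_CLEAR = 0x1, 0x2, 0x4

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")
# One ACE: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")
# The DACL section: "D:" + optional flags + one or more ACEs (a SACL "S:" may follow).
DACL_RE = re.compile(r"D:[A-Z]*(?:\([^)]*\))+")

# Constructed sample of `wevtutil gl "DNS Server"` output; the channelAccess
# value is the default DACL quoted in the article before the DnsAdmins ACE.
SAMPLE_GL_OUTPUT = r"""name: DNS Server
enabled: true
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx
"""
# The `whoami /groups` line quoted in the article (lab domain PETRI-LAB).
WHOAMI_LINE = ("PETRI-LAB\\DnsAdmins                    Alias            "
               "S-1-5-21-3903327414-3371247034-3746192915-1102 Mandatory group, "
               "Enabled by default, Enabled group")


def sid_from_whoami(line: str) -> str:
    """Pull the SID out of a `whoami /groups` line."""
    m = SID_RE.search(line)
    if not m:
        raise ValueError("no SID found in: " + line)
    return m.group(0)


def channel_access(gl_output: str) -> str:
    """Return the SDDL string from the channelAccess: line of `wevtutil gl` output."""
    for line in gl_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "channelaccess":
            return value.strip()
    raise ValueError("no channelAccess line in wevtutil output")


def dacl_aces(sddl: str) -> list:
    """Split the D: section into (type, flags, rights, objguid, inhguid, sid) tuples."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("SDDL has no DACL section")
    return ACE_RE.findall(m.group(0))


def rights_of(sddl: str, sid: str) -> int:
    """OR together the rights of every allow ACE for `sid` (channel SDDL uses hex masks)."""
    mask = 0
    for ace_type, _flags, rights, _og, _ig, ace_sid in dacl_aces(sddl):
        if ace_type == "A" and ace_sid.upper() == sid.upper():
            mask |= int(rights, 16)
    return mask


def grant_read(sddl: str, sid: str) -> str:
    """Append (A;;0x1;;;SID) to the DACL unless `sid` can already read; never adds write/clear."""
    if not SID_RE.fullmatch(sid):
        raise ValueError("not a SID: " + sid)
    if rights_of(sddl, sid) & EVT_READ:
        return sddl  # idempotent: running the procedure twice must not duplicate the ACE
    m = DACL_RE.search(sddl)  # insert at the end of the DACL so a trailing S: section stays intact
    return sddl[:m.end()] + f"(A;;{EVT_READ:#x};;;{sid})" + sddl[m.end():]


def sl_command(log_name: str, sddl: str) -> str:
    """Build the wevtutil command from step 6 (returned as text, not executed)."""
    return f'wevtutil sl "{log_name}" /ca:{sddl}'


if __name__ == "__main__":
    dnsadmins = sid_from_whoami(WHOAMI_LINE)
    current = channel_access(SAMPLE_GL_OUTPUT)
    print(sl_command("DNS Server", grant_read(current, dnsadmins)))
```

Run the printed command in an elevated prompt on the DNS server; a second run is a no-op because the script detects that the SID already has read access.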
Summary

In our next blog post, we will show you how to add these settings to Group Policy in order to configure them for multiple servers.
