Unable to find Active Directory Schema snap-in

By default the Active Directory Schema snap-in is not available, so if you want to work with the Active Directory schema editor you have to register it first.

To install this snap-in:

  • Open Command Prompt
  • Enter regsvr32 schmmgmt.dll
  • This command registers schmmgmt.dll on your computer.
  • Click Start -> Run, type MMC and click OK
  • From the File menu click Add/Remove Snap-in.
  • Now you will find the Active Directory Schema snap-in in the list

Windows PowerShell – Working with Active Directory Module for Windows PowerShell in Windows 7

Microsoft's focus on PowerShell is enormous nowadays. Moreover, in the latest release, Windows Server 2012, all administrative tasks use PowerShell in the background.
If you are still using Windows Server 2008 R2 as a domain controller, you can install this PowerShell module by adding the Active Directory module for Windows PowerShell feature from the Add Features wizard.

If you are still using Windows 2003 or Windows 2008 domain controllers, follow the steps below to configure your domain controller:
1. Install .NET Framework 3.5 SP1
2. Install KB969166 from http://support.microsoft.com/kb/969166
3. Install NDP35SP1-KB969166 from http://connect.microsoft.com/VisualStudio/Downloads/DownloadDetails.aspx?DownloadID=20556
4. Install Active Directory Management Gateway Service (Windows6.0-KB968934) from http://www.microsoft.com/en-us/download/details.aspx?id=2852. You must restart your DC after installing this KB.
After installing this KB, check whether Active Directory Web Services is running on your domain controller.

Windows 7 Configuration
To use the Windows PowerShell Active Directory module in Windows 7, follow the steps below:
1. Install Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1) (http://www.microsoft.com/en-us/download/details.aspx?id=7887)
2. From your Windows 7 PC go to Control Panel\All Control Panel Items\Programs and Features
3. Click on Turn Windows features on or off in the left bar
4. Select Active Directory Module for Windows PowerShell and click OK
5. Now you can access the module from your Administrative Tools
6. Now you are ready to run AD cmdlets.

Error initializing default drive: ‘unable to find a default server with active directory web services running’

If you see this error, check whether the ADWS (Active Directory Web Services) service is running on your domain controller.
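The check I would script for this on the workstation, as an added example that is not part of the original post: it lists the domain controllers, reports which of them run the ADWS service, and only then imports the module against a DC that answers. It assumes RSAT is installed and you are logged on with a domain account, and it uses only cmdlets and .NET classes available on Windows 7 / PowerShell 2.0.

```powershell
# Added example (not part of the original post): before importing the AD module
# on a Windows 7 workstation, list the domain controllers and check which of
# them run the ADWS service the error message refers to.

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Write-Host ("Domain: {0}" -f $domain.Name)

$ready = @()
foreach ($dc in $domain.DomainControllers) {
    try {
        # ADWS is the service name; the display name is "Active Directory Web Services".
        # It listens on TCP 9389, so that port must be reachable from the workstation too.
        $svc = Get-Service -Name ADWS -ComputerName $dc.Name -ErrorAction Stop
        Write-Host ("{0,-40} ADWS: {1}" -f $dc.Name, $svc.Status)
        if ($svc.Status -eq 'Running') { $ready += $dc.Name }
    } catch {
        # A 2003/2008 DC without the management gateway has no ADWS service at all
        Write-Host ("{0,-40} ADWS: not installed or not reachable" -f $dc.Name)
    }
}

if ($ready.Count -eq 0) {
    Write-Warning 'No DC with a running ADWS service; the AD module cannot initialize its default drive.'
    return
}

# Import the module and point the first query at a DC known to run ADWS.
Import-Module ActiveDirectory
Get-ADDomainController -Server $ready[0] |
    Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem
```

If every DC reports "not installed or not reachable", the fix is on the server side (the gateway service from the steps above, or a firewall blocking the RPC service query), not on the Windows 7 client.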

Microsoft Windows Server 2012-Part 5-Active Directory -the WOW things!!

Install Domain Services using PowerShell

Open PowerShell and execute the command below:
Install-WindowsFeature -name AD-Domain-Services

To install an Active Directory forest:
Install-ADDSForest -DomainName "abc.com"

It will prompt you for the Directory Services Restore Mode password, run the same prerequisite checks that the GUI installation performs, and then install the domain controller. It also installs DNS and the Group Policy Management Console.

Install from Media

If you are in a large enterprise where thousands of domain controllers exist and the database size is hundreds or thousands of GB, the install from media (IFM) method is the best choice. It reduces the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain, and reducing the replication traffic reduces the time needed to install the additional domain controller.
After installing from media (which could be an external drive, pen drive or DVD), the DC only synchronizes the differences.

Ntdsutil is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS). You can use it to create installation media for a domain controller. Installation from media does not work across different operating system versions; in other words, you must use a Windows Server 2008 domain controller to generate installation media for another Windows Server 2008 domain controller installation.
Types of installation media (ntdsutil ifm subcommands):

  • Create Full
  • Create RODC
  • Create Sysvol Full
  • Create Sysvol RODC

Sample command (run at the ntdsutil ifm prompt; C:\IFM is an example output path):
create sysvol full C:\IFM

It stores the necessary files and folders under that path.

To promote a server to a domain controller from media, select the server in Server Manager and click on Promote this server to a domain controller.

Select the Add a domain controller to an existing domain option and click Next

Select the domain controller options and click Next

Click Next in DNS Options

In the Additional Options window, check Install from media, select the path of the media and click Next

The wizard will now install the domain controller using the installation media, without replicating the full database over the network.

Demote a Domain Controller

To demote a domain controller, from Server Manager go to Remove Roles and Features and click Next in the wizard
Uncheck Active Directory Domain Services in the roles list

Click on Remove Features button

Click on Demote this domain controller link

Specify the Credential to execute the command and click next

Check Proceed to removal and click next

Check Remove DNS delegation and click next

Enter the new administrator password for your local computer account and click next

Click on Demote button

You can also demote a DC using PowerShell:
Open Command Prompt

  • Enter powershell
  • Enter Uninstall-ADDSDomainController
  • Enter the new local Administrator password and press Y to demote this server.

The domain controller that was decommissioned has to be removed manually from Active Directory Sites and Services. To do this, open Active Directory Sites and Services from Server Manager, expand your site, right-click the DC that was demoted earlier and click Delete.
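The PowerShell demotion with the checks I would want in front of it, as an added example that is not part of the original post: it refuses to continue if the server still holds a FSMO role or is the last DC in the domain, runs the uninstallation prerequisite test, demotes, and shows the scripted form of the manual Sites and Services cleanup described above. "OLDDC" is a placeholder name.

```powershell
# Added example (not from the original post): demote a DC with PowerShell after
# checking that it holds no FSMO roles and is not the last DC in the domain,
# then remove the leftover server object from Sites and Services.

Import-Module ActiveDirectory
Import-Module ADDSDeployment

$me     = Get-ADDomainController -Identity $env:COMPUTERNAME
$domain = Get-ADDomain
$forest = Get-ADForest

# FSMO roles this server still holds must be moved first
$roles = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$held = $roles.GetEnumerator() | Where-Object { $_.Value -ieq $me.HostName } | ForEach-Object { $_.Key }
if ($held) {
    throw "Move these roles first with Move-ADDirectoryServerOperationMasterRole: $($held -join ', ')"
}

# Refuse to run as the last DC unless that is explicitly intended
$others = Get-ADDomainController -Filter * | Where-Object { $_.HostName -ne $me.HostName }
if (-not $others) {
    throw 'This is the last DC in the domain; use -LastDomainControllerInDomain only if you mean to remove the domain.'
}

$localAdmin = Read-Host -Prompt 'New local Administrator password' -AsSecureString
$check = Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword $localAdmin
if ($check.Status -ne 'Success') { $check | Format-List; throw 'Uninstallation check failed' }

# Same options as the wizard: remove the DNS delegation, skip the confirmation; the server reboots at the end
Uninstall-ADDSDomainController -LocalAdministratorPassword $localAdmin -RemoveDnsDelegation -Force

# --- Afterwards, run from another DC: delete the orphaned server object ---
# (the scripted form of the manual Sites and Services step described above)
$configNC  = (Get-ADRootDSE).configurationNamingContext
$serverObj = Get-ADObject -SearchBase "CN=Sites,$configNC" -Filter 'objectClass -eq "server" -and name -eq "OLDDC"'
if ($serverObj) { Remove-ADObject -Identity $serverObj -Recursive -Confirm:$false }
```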

Planning an Active Directory Upgrade

Even though the functional level itself does not change, you still have to run forest preparation before upgrading from W2K8 to 2012. Run the command below:
adprep /forestprep
You need to do this on only one domain controller in your forest, because it replicates all the changes to all other domain controllers in your network automatically. To execute the forestprep command you need the installation media, and you must be an Enterprise Administrator to run it.
For the domain functional level you need at least Windows Server 2003 functional level or higher.

To check the domain functional level, go to Active Directory Users and Computers, right-click your domain name and click on the Raise domain functional level menu. It shows you the current functional level of your domain.

Upgrade
As I mentioned in my earlier article, there is no way to upgrade from full GUI to Server Core. You have to stay in the same mode.

The Global Catalog Service
Before upgrading you should have some idea about the Global Catalog (GC).

  • It holds a full copy of the objects of its host domain.
  • There should be at least one GC in each domain.
  • It holds a partial, read-only copy of the other domains in the same forest.
  • It gives you simpler searches across domains.
  • It validates forest-wide objects. For example, universal group membership can contain objects from different domains, and the Global Catalog is what validates universal group membership.

If you want to make a domain controller a Global Catalog, go to Active Directory Sites and Services, expand the domain controller and right-click NTDS Settings. Check the Global Catalog option to make it a GC.
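A pre-upgrade inventory covering both the functional-level check above and the Global Catalog placement, as an added example that is not part of the original post: it reads the forest and domain modes and the schema version that adprep /forestprep raises, lists which DCs are GCs, and enables GC on one DC by setting the same NTDS Settings flag the Sites and Services checkbox toggles. "DC02" is a placeholder name.

```powershell
# Added example (not from the original post): forest/domain functional levels,
# schema version, and Global Catalog placement, with GC enabled via the
# "options" attribute of the DC's NTDS Settings object.

Import-Module ActiveDirectory

$forest   = Get-ADForest
$domain   = Get-ADDomain
$schemaNC = (Get-ADRootDSE).schemaNamingContext
# objectVersion of the Schema container: 47 = 2008 R2, 56 = 2012 (after adprep /forestprep)
$schemaVersion = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion

[pscustomobject]@{
    Forest        = $forest.Name
    ForestMode    = $forest.ForestMode
    Domain        = $domain.DNSRoot
    DomainMode    = $domain.DomainMode
    SchemaVersion = $schemaVersion
    SchemaMaster  = $forest.SchemaMaster   # adprep /forestprep is run against this DC
} | Format-List

# The domain must already be at Windows Server 2003 functional level or higher
# (2 = Windows2003Domain in the ADDomainMode enumeration)
if ([int]$domain.DomainMode -lt 2) {
    Write-Warning 'Raise the domain functional level to Windows Server 2003 or higher before upgrading.'
}

# Which DCs hold a Global Catalog today?
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem |
    Format-Table -AutoSize

# Enable GC on one DC: bit 0x1 (NTDSDSA_OPT_IS_GC) of the "options" attribute
# on its NTDS Settings object is what the GUI checkbox sets.
$dc      = Get-ADDomainController -Identity 'DC02'
$ntds    = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
$IS_GC   = 0x1
$current = [int]$ntds.options
if (($current -band $IS_GC) -eq 0) {
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = ($current -bor $IS_GC) }
    Write-Host "GC enabled on $($dc.HostName); it advertises once the partial replicas finish replicating."
} else {
    Write-Host "$($dc.HostName) is already a Global Catalog."
}
```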

To upgrade an existing domain controller, insert the Windows Server 2012 OS media and click on Install Now

Ignore the option to check for the latest updates. This function does not actually install the drivers you need on that server; it only checks whether any known driver issues have been fixed by Microsoft.

Select the appropriate installation mode

Accept the license agreement, click Next and click on Upgrade

Ignore the warning and click Next

The wizard will start upgrading your existing domain controller (Windows 2003/2008) to Windows Server 2012.

DNS SRV Records restore

DNS SRV (service) records are critical for the proper functioning of AD. An SRV record is a specification of data in the Domain Name System defining the location, i.e. the hostname and port number, of servers for specified services. These records are so important that if you delete one accidentally, your domain services will not work properly.
So what can be done if a record is deleted accidentally?

Please note that netdiag /fix, which used to work in previous versions, no longer works in Windows Server 2012.

You can use the command below, which is very handy to restore all SRV records:
nltest /dsregdns
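The before-and-after check I would wrap around that command, as an added example that is not part of the original post: it resolves the standard DC locator SRV records, runs nltest /dsregdns only when some are missing, and resolves them again. Run it on the domain controller itself; the _gc record lives under the forest root, which this example assumes is the same as the domain.

```powershell
# Added example (not from the original post): verify the DC locator SRV records
# and re-register them with nltest /dsregdns only if some are missing.

Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

$expected = @(
    "_ldap._tcp.dc._msdcs.$domain",      # DC locator
    "_kerberos._tcp.dc._msdcs.$domain",  # KDC locator
    "_ldap._tcp.$domain",
    "_kerberos._tcp.$domain",
    "_kpasswd._tcp.$domain",
    "_gc._tcp.$domain"                   # Global Catalog (forest root; assumed equal to the domain here)
)

function Test-DcSrvRecords {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # -Type SRV also returns the A records of the targets; keep only the SRV answers
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.QueryType -eq 'SRV' }
        [pscustomobject]@{
            Record  = $name
            Present = [bool]$srv
            Targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    }
}

$before = Test-DcSrvRecords -Names $expected
$before | Format-Table -AutoSize

$missing = $before | Where-Object { -not $_.Present }
if ($missing) {
    Write-Host "Re-registering $($missing.Count) missing record(s) through Netlogon..."
    nltest /dsregdns                 # the command from the post: Netlogon re-registers this DC's records
    Start-Sleep -Seconds 10          # give the DNS server a moment to accept the dynamic update
    Test-DcSrvRecords -Names $expected | Format-Table -AutoSize
} else {
    Write-Host 'All expected SRV records are present.'
}
```

If a record is still missing after the re-registration, the usual causes are the DNS zone refusing dynamic updates or the DC pointing at the wrong DNS server; dcdiag /test:dns reports both.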

What else is new in AD (I mentioned a few of these in my earlier article as well)

  • DCPromo is deprecated; it is now built into the UI. ADPrep and the other prerequisites are now handled very well.
  • Active Directory Administrative Center has an improved UI and a PowerShell history viewer.
  • By default PowerShell script execution is restricted. You can enable it with the Set-ExecutionPolicy cmdlet (http://technet.microsoft.com/en-us/library/ee176961.aspx), for example:
    Set-ExecutionPolicy Unrestricted
  • Active Directory Recycle Bin will allow you to recover objects you accidentally deleted. You need to enable that functionality first. For example, to enable the Active Directory Recycle Bin for contoso.com, go to Server Manager, click on Active Directory Module for Windows PowerShell in the Tools menu, type the following command and press ENTER:
    Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'
  • You can do this from the GUI as well. Go to Tools -> Active Directory Administrative Center, right-click your domain and click Enable Recycle Bin.
  • Activation via AD: previously we used a Key Management Server to activate all the client machines; now they can be activated via AD, which is much better integrated.
  • Virtualizing DCs: earlier server OS versions had some issues with VM DC synchronization, which have been improved in Windows Server 2012.
  • UI for fine-grained password policy: now you can have separate password policies (in terms of length and complexity) within the same single domain, and the UI to create a policy is very cool.
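The Recycle Bin item above stops at enabling the feature; as an added example that is not part of the original post, here is the full cycle: enable it only if it is not already on (enabling is irreversible), list what is currently in the Deleted Objects container, and restore one object. The user name jdoe is a placeholder.

```powershell
# Added example (not from the original post): enable the AD Recycle Bin if
# needed, list deleted objects, and restore one of them.

Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

if (-not $feature.EnabledScopes) {
    # Same operation as the Enable-ADOptionalFeature one-liner above, without hard-coding the DN
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
    Write-Host "Recycle Bin enabled for forest $($forest.Name)"
} else {
    Write-Host "Recycle Bin already enabled (scopes: $($feature.EnabledScopes -join ', '))"
}

# Everything currently in the Deleted Objects container, newest first.
# Deleted objects keep their old RDN as "name\0ADEL:<guid>", and lastKnownParent
# records where they lived, which is where Restore-ADObject puts them back by default.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties whenChanged, lastKnownParent, objectClass |
    Sort-Object whenChanged -Descending

$deleted | Select-Object Name, ObjectClass, lastKnownParent, whenChanged | Format-Table -AutoSize

# Restore one user by its former name (the tombstoned name starts with the original RDN)
$victim = $deleted | Where-Object { $_.ObjectClass -eq 'user' -and $_.Name -like 'jdoe*' } |
          Select-Object -First 1
if ($victim) {
    Restore-ADObject -Identity $victim.ObjectGUID
    Get-ADUser -Identity 'jdoe' | Select-Object Name, DistinguishedName, Enabled
}
```

Deleted objects stay restorable for the deleted-object lifetime (180 days by default); after that they become recycled and only the tombstone remains, so the listing above is also a cheap way to review what has been deleted recently.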

Microsoft Windows Server 2012-Part 4-Active Directory Installation-Interesting New Things

I think Microsoft Active Directory is one of the most successful products in the Microsoft family and is widely used by most organizations around the world. The topic is very old and known to all sysadmins, so I'll only discuss what's new and interesting about Active Directory installation in Windows Server 2012.

AD Advantages

If you don't have Active Directory, you may need to have the world's best memory!
You may have passwords for email, file services, databases and network logon, and the password requirements may differ from one service to another. You can't even use the same password for all of those services if the password policies are not the same, and they may expire on different dates. You would need a photographic memory to memorize all of that.
Microsoft Active Directory can simplify all of this. You can use SSO (single sign-on) and a mechanism called Kerberos tickets, a security mechanism that can be used to gain access to all of those services with a single account.
You can use the same account to use services from partner organizations by establishing a trust relationship or federation, so that resources from the other domain can be used. Kerberos tickets do not transfer the password over the network, so it is secure in that respect. It generates a ticket which is then used with other services or domains.

The Active Directory database file is NTDS.DIT (NT Directory Services, Directory Information Tree). It is based on the LDAP protocol (Lightweight Directory Access Protocol).

Installation

In older versions of Windows you would go to the command prompt and use the dcpromo command to install Active Directory Domain Services, but that does not work anymore. The installation has been relocated to Server Manager.

Now you need to go to Server Manager and use Add Roles and Features to install this role. You also no longer need to run the forestprep and domainprep commands that were used in older server OS versions when migrating from Windows Server 2003 to Windows Server 2008 domain controllers; those commands modified the Active Directory schema from the old 2003 schema to the 2008 schema, which was needed because the schema is the skeleton structure of Active Directory. In Windows 2012 it is all included in an automated process.
To install Active Directory Domain Services, go to Server Manager, click on the Manage menu and click Add Roles and Features

Click Next

Select Role-based or feature-based installation and click Next

Select the server on which you want to install the AD DS role and click Next

Select Active Directory Domain Services role

Click on Add Features button

Click Next

Click Install

It will take some time to install the role

But the server has not yet been promoted to a domain controller. To promote it to a DC, go to Server Manager and click on AD DS

Click on the warning sign

From the Action column Click on Promote this server to a domain controller.

Now you choose whether this is the first domain controller in a new forest or you want to add a new DC to an existing domain.

To add a new forest, select the Add a new forest option and give it a unique name. The wizard checks whether the given name is unique in your network.

You can choose the functional level. For an existing domain it is important to choose the appropriate functional level, in case you have several Windows 2003 and Windows 2008 domain controllers. You will also find the option to promote this DC as a Global Catalog server (GC) or a Read-Only Domain Controller (RODC).
The Global Catalog is the distributed data repository that contains a searchable, partial representation of every object in every domain in a multi-domain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multi-master replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
A read-only domain controller (RODC) is a newer type of domain controller. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory Domain Services (AD DS) database.
In this wizard you should also assign a Directory Services Restore Mode password, which will be needed to log on to the server in case of a domain controller failure.

Ignore the DNS delegation warning and click Next

The wizard will prompt you for the NetBIOS name. Click Next

You need to specify the location for the database, log files and SYSVOL folder at this stage. It is strongly recommended to use a different volume to store the database and log files. Please do not store them in the default location, which is the C: drive.

In the Review Options window you can view the PowerShell script that was generated in the background to perform the operations you have chosen. You can copy that script to use it in another DC deployment.

The wizard will verify the prerequisites. Click Install if there are no errors.

Your domain controller will be ready within a few minutes.
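The script the Review Options window hands you is an Install-ADDSForest call; the following is an added example that is not the post's own script and not the wizard's generated one. It serves both the "Install Domain Services using PowerShell" section above (Install-WindowsFeature followed by Install-ADDSForest) and this wizard walkthrough: it collects the same settings the wizard asks for, runs the prerequisite check first, and keeps the database, logs and SYSVOL off the C: drive as recommended. The forest name corp.example.test, the NetBIOS name CORP and the paths are constructed placeholders.

```powershell
# Added example (not the post's script and not the one the wizard writes):
# create the first forest non-interactively with the wizard's settings.

# Role first, with the admin tools (the Install-WindowsFeature step from the Part 5 post);
# the ADDSDeployment module only exists after this.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# DSRM password read interactively so it is never stored in the script or in history
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

$params = @{
    DomainName                    = 'corp.example.test'   # placeholder forest root
    DomainNetbiosName             = 'CORP'                # what the wizard prompts for as NetBIOS name
    ForestMode                    = 'Win2012'
    DomainMode                    = 'Win2012'
    InstallDns                    = $true                 # DNS is installed here; the delegation warning is expected
    DatabasePath                  = 'D:\NTDS'             # database on a data volume, not C:
    LogPath                       = 'E:\NTDS-Logs'        # logs on a separate volume from the database
    SysvolPath                    = 'D:\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
}

# The same prerequisite check the wizard runs before enabling Install
$check = Test-ADDSForestInstallation @params
if ($check.Status -ne 'Success') {
    $check | Format-List
    throw 'Prerequisite check failed; fix the reported items before promoting.'
}

# -Force skips the confirmation prompt; the server reboots when promotion completes
Install-ADDSForest @params -Force
```

Because every setting is in the $params hashtable, the same block is reusable for another deployment by changing the placeholders, which is the point the post makes about copying the wizard's script.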