Category Archives: Domain Controller

Upgrade SYSVOL Replication from FRS to DFS (Distributed File System Replication): Walkthrough

Upgrade FRS to DFS:

You might be looking for this for many reasons, such as migrating your DCs to Windows Server 2016 or Windows Server 2019. The steps for this type of migration are easy and straightforward.

First, let’s explain a bit about what FRS and DFS do and what the difference is.

Windows Server 2003 and 2003 R2 use the File Replication Service (FRS) to replicate SYSVOL folder content to the other domain controllers.

SYSVOL is a folder shared by every domain controller to hold its logon scripts, group policies and other items related to AD.

All the domain controllers in the domain replicate the content of the SYSVOL folder. The default path for SYSVOL is %SystemRoot%\SYSVOL; this path can be chosen when you install Active Directory.

How does DFS work?

In Windows Server 2008 and later, Active Directory uses Distributed File System (DFS) Replication for SYSVOL replication. DFS Replication uses a compression algorithm known as remote differential compression (RDC). RDC detects changes to the data in a file and enables DFS Replication to replicate only the changed file blocks instead of the entire file.

Although FRS has been deprecated since Windows Server 2008, most people are still looking to migrate to the latest version.

Migration Starts Here

In this guide, I am going to explain how to do this kind of migration step by step.

I am going to run the migration on Windows Server 2008 R2 servers; however, the process is exactly the same on Windows Server 2012 R2.

To start, I need to check the Services console to see which services are running the replication. From Run, type services.msc and press Enter.

As you can see there, File Replication Service is running.

In the same manner, the DFS Replication service is also started and functioning, but that doesn’t mean that FRS is not being used.

Health Check

Before starting any migration, I prefer to check Event Viewer just to make sure nothing critical is being reported, and to see whether any warnings are being reported.
Below you can see errors being reported by the File Replication Service on the domain controller SRV01, so this is a convenient time to start this kind of migration, as it would fix the errors being reported.

Prerequisites:

The first part of the process for migrating SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS) Replication is to raise the functional level of the domain to Windows Server 2008 and to set the global migration state to Prepared.

Make sure your domain functional level is raised to Windows Server 2008 at least for this process to work.

Migration:

To start the migration, run PowerShell as an administrator on the DC and type the following command to check the current global migration state before preparing the DCs for migration.

dfsrmig /getglobalstate


Preparing to migrate

dfsrmig /setglobalstate 1

When this is done, you might have to wait some time (5 minutes or less for small environments). When done waiting, type dfsrmig /getglobalstate to verify that the global migration state is Prepared. The following output appears if the global migration state is Prepared.

You will be able to see event ID 8014 showing the success of this command, which means you can move to the next stage.

Migrate the domain to the Redirected state

From a command prompt or PowerShell window on a writeable domain controller (not a read-only domain controller) in the domain that you want to migrate, type dfsrmig /setglobalstate 2 to set the global migration state to Redirected.

Then type dfsrmig /getglobalstate to verify that the global migration state is Redirected. The following output appears if the global migration state is Redirected.

After doing this, check Event Viewer: you can see event ID 8017 showing the current state. In my case it shows that DFSR has successfully migrated the DC to the “Redirected” state, so we are good to go to the next step.

Migrating to the Eliminated State

Log on to a writeable domain controller (if you are not logged on already).

Open a command prompt window and then type dfsrmig /setglobalstate 3 to set the global migration state to Eliminated.

Then, at a command prompt, type dfsrmig /getmigrationstate to verify that all the domain controllers are at the Redirected state. The following output appears when all domain controllers are at the Redirected state.

In Event Viewer you can see the state of the DCs, with event ID 8018 reporting that the DC will now migrate to the “Eliminated” state.

Once everything is finished, you will be able to confirm it in two ways. First, in the Services console the File Replication Service should be disabled, since it is no longer going to be used.

Second, from a command prompt or PowerShell, type net share and you will see the new shares being published under the new name “SYSVOL_DFSR”.

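To run the whole sequence above as one script instead of typing each dfsrmig call by hand, here is an added PowerShell example. It is not part of the original post and not something the dfsrmig tool provides; it assumes an elevated PowerShell on a writable DC, the Active Directory module from RSAT, dfsrmig.exe on the PATH, and the dfsrmig output wording quoted in the comments.

```powershell
# Added example (not from the original post): drive the dfsrmig state machine
# one stage at a time, wait until every DC reports the new global state, and
# finish with the two checks described above (FRS disabled, SYSVOL_DFSR shared).
# Assumptions: elevated PowerShell on a writable DC, the Active Directory
# module (RSAT) installed, dfsrmig.exe on the PATH, and the dfsrmig output
# wording matched below ("Current DFSR global state: 'Prepared'" and
# "Migration has reached a consistent state on all Domain Controllers").
# Global states: 0 = Start, 1 = Prepared, 2 = Redirected, 3 = Eliminated.
Import-Module ActiveDirectory

function Get-DfsrGlobalState {
    $out = (& dfsrmig /getglobalstate 2>&1) -join "`n"
    if ($out -match "'(\w+)'") { return $Matches[1] }
    throw "Unexpected dfsrmig /getglobalstate output:`n$out"
}

function Wait-DfsrConsistentState {
    param([int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $out = (& dfsrmig /getmigrationstate 2>&1) -join "`n"
        # The "has not yet reached" wording also contains "consistent state",
        # so anchor the match on the success sentence only.
        if ($out -match '(?m)^Migration has reached a consistent state') { return $true }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Timed out. Last dfsrmig /getmigrationstate output:`n$out"
    return $false
}

function Step-DfsrMigration {
    param([ValidateRange(1, 3)][int]$TargetState)
    $names    = @{ 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }
    $eventIds = @{ 1 = 8014; 2 = 8017; 3 = 8018 }   # success events the post shows per stage
    Write-Host "Setting global state to $TargetState ($($names[$TargetState]))"
    & dfsrmig /setglobalstate $TargetState | Out-Null
    if (-not (Wait-DfsrConsistentState)) {
        throw "DCs did not converge on $($names[$TargetState]); fix AD replication before continuing"
    }
    # Show the matching DFS Replication event so success is visible in the log too.
    Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = $eventIds[$TargetState] } `
        -MaxEvents 1 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Pre-flight: domain functional level must be Windows Server 2008 or higher
# (ADDomainMode value 3 = Windows2008Domain).
$domain = Get-ADDomain
if ([int]$domain.DomainMode -lt 3) {
    throw "Raise the domain functional level first (current: $($domain.DomainMode))"
}
Write-Host "Current global state: $(Get-DfsrGlobalState)"

# Prepared and Redirected can be rolled back with a lower /setglobalstate;
# Eliminated cannot, so ask before the last step.
Step-DfsrMigration -TargetState 1
Step-DfsrMigration -TargetState 2
if ((Read-Host 'Proceed to Eliminated? This step cannot be rolled back (y/n)') -eq 'y') {
    Step-DfsrMigration -TargetState 3
}

# Post-checks: the File Replication Service (NtFrs) should end up disabled and
# the SYSVOL_DFSR share published.
$frs = Get-WmiObject Win32_Service -Filter "Name='NtFrs'"
Write-Host "File Replication Service: state=$($frs.State) startmode=$($frs.StartMode)"
Get-WmiObject Win32_Share | Where-Object { $_.Name -like 'SYSVOL*' } | Select-Object Name, Path
```

The Prepared and Redirected stages can be undone by setting a lower global state, but Eliminated cannot, which is why the script asks before state 3. The two regular expressions depend on the dfsrmig wording noted in the comments; if your build prints something different, adjust them before relying on the wait loop.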

Ref:

https://docs.microsoft.com/en-us/windows-server/storage/dfs-replication/migrate-sysvol-to-dfsr

https://docs.microsoft.com/en-us/windows/win32/win7appqual/file-replication-service--frs--is-deprecated-in-windows-server-2008-r2

Installing a child domain on Windows 2012 R2 RTM causes replication failure

After installing a child domain on Windows 2012 R2 RTM, replication fails.

Symptoms: Event IDs 1202, 1126 and 1645

Event ID 1202

Event ID 1126

Event ID 1645


After installing the new child domain and joining it to the root domain:

To show whether the child domain’s DNS partitions are enlisted, use

dnscmd /enumdirectorypartitions

To add the child domain’s DNS partition to the forest:

dnscmd /enlistdirectorypartition <partition FQDN>

(replace <partition FQDN> with the name of the partition as listed by the previous command)
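The same two dnscmd steps, plus a pull of the three symptom event IDs and a listing of the trusts, as an added PowerShell example. It is not from the original post; it uses the DnsServer and ActiveDirectory modules that ship with Windows Server 2012 R2, the DnsServer cmdlets being the module equivalents of the dnscmd switches, and it assumes that partitions already replicated here show a State of 'Enlisted'.

```powershell
# Added example (not from the original post): PowerShell equivalent of the two
# dnscmd steps above, plus the symptom events and the trust list.
# Assumption: Get-DnsServerDirectoryPartition reports already-replicated
# partitions with State 'Enlisted'.
Import-Module DnsServer
Import-Module ActiveDirectory

function Get-ReplicationSymptomEvents {
    # Pull the three IDs listed in the post from the Directory Service log.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 1202, 1126, 1645
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

function Get-UnenlistedDnsPartitions {
    # Same information as "dnscmd /enumdirectorypartitions", filtered to the
    # partitions this DNS server is not yet a replica of.
    Get-DnsServerDirectoryPartition | Where-Object { $_.State -ne 'Enlisted' }
}

function Register-MissingDnsPartitions {
    # Same effect as "dnscmd /enlistdirectorypartition <FQDN>" for each one;
    # -WhatIf shows what would be enlisted without changing anything.
    param([switch]$WhatIf)
    foreach ($p in Get-UnenlistedDnsPartitions) {
        Write-Host "Enlisting $($p.DirectoryPartitionName)"
        Register-DnsServerDirectoryPartition -Name $p.DirectoryPartitionName -WhatIf:$WhatIf
    }
}

function Show-Trusts {
    # Third check from the post: confirm the parent/child trust exists in both directions.
    Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, IntraForest
}

Get-ReplicationSymptomEvents
Get-UnenlistedDnsPartitions | Select-Object DirectoryPartitionName, State
Register-MissingDnsPartitions -WhatIf
Show-Trusts
```

Run Register-MissingDnsPartitions without -WhatIf once the dry run lists only the partitions you expect.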

First Solution

Make sure Windows is fully updated. After you apply Windows Update, the problem should be gone.

If not check the second solution:

Second: make sure that the child domain administrator’s and the root domain administrator’s passwords are not identical.

Third: make sure the trust is set up properly.

Replication after the tombstone lifetime has expired

As I was preparing for an Exchange migration from 2010 to 2013 I had two DCs. One of them had been off for about 8 months and had already passed the default tombstone lifetime, so it was no longer allowed to replicate in the forest.

Whenever I tried to replicate the server I got the following error:

“The following error occurred during the attempt to synchronize naming context CN=Configuration,DC=Domain,DC=Local from Domain Controller AD to Domain Controller AD2; The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime. This operation will not continue.”

My FSMO role holder and PDC is in the demotesas.local domain, so on this DC I will run the following command:

W32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update

And then this:

net stop w32time & net start w32time & W32tm /resync /rediscover

On the additional DC:

w32tm /config /syncfromflags:domhier /update

net stop w32time & net start w32time & W32tm /resync /rediscover

If the above doesn’t work, I will go ahead and force replication with the tombstoned DC by using the following command.

repadmin /regkey * +allowDivergent

Now we’ll replicate and see what happens.

Problem solved
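As an added example that is not part of the original post, here are the checks worth running around the +allowDivergent step: the clock offset to the partner, the registry override that repadmin /regkey sets, the replication itself, and clearing the override again once it works. It assumes it runs on the healthy DC, that w32tm.exe and repadmin.exe are on the PATH, and uses 'AD2' and the naming context from the error text above as placeholders.

```powershell
# Added example (not from the original post): checks around the
# "repadmin /regkey * +allowDivergent" step. Measures the clock offset to
# the partner, shows the override, replicates, and clears the override on
# success, since leaving it set keeps accepting replication from partners
# that are beyond the tombstone lifetime.
# Assumptions: run on the healthy DC; 'AD2' and the naming context are
# placeholders taken from the error text; w32tm.exe and repadmin.exe on PATH.
$Partner       = 'AD2'
$NamingContext = 'CN=Configuration,DC=Domain,DC=Local'

# Registry value that "repadmin /regkey * +allowDivergent" sets to 1 on every DC.
$ntdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$divergent = 'Allow Replication With Divergent and Corrupt Partner'

function Get-ClockOffsetSeconds {
    # w32tm /stripchart /dataonly prints one "HH:mm:ss, +00.0123456s" line per sample.
    param([string]$Computer)
    $lines = & w32tm /stripchart /computer:$Computer /samples:3 /dataonly 2>&1
    $last  = @($lines | Where-Object { $_ -match ',\s*([+-][\d.]+)s' }) | Select-Object -Last 1
    if ($last -and $last -match ',\s*([+-][\d.]+)s') { return [double]$Matches[1] }
    throw "Could not read an offset from w32tm output:`n$($lines -join "`n")"
}

function Get-DivergentOverride {
    (Get-ItemProperty -Path $ntdsKey -Name $divergent -ErrorAction SilentlyContinue).$divergent
}

function Clear-DivergentOverride {
    # Local equivalent of "repadmin /regkey * -allowDivergent" (run that one for all DCs).
    Remove-ItemProperty -Path $ntdsKey -Name $divergent -ErrorAction SilentlyContinue
}

function Test-ReplicationSucceeded {
    # repadmin /showrepl prints "CONSECUTIVE FAILURES" for every broken inbound link.
    param([string]$Computer)
    $out = (& repadmin /showrepl $Computer 2>&1) -join "`n"
    return ($out -notmatch 'CONSECUTIVE FAILURES')
}

$offset = Get-ClockOffsetSeconds -Computer $Partner
Write-Host ("Clock offset to {0}: {1:N3} s" -f $Partner, $offset)
if ([math]::Abs($offset) -gt 300) {
    Write-Warning 'More than the 5 minute Kerberos tolerance apart; fix time sync before replicating'
}

Write-Host "Divergent-partner override on this DC: $(Get-DivergentOverride)"
# Pull the naming context from the partner into this DC.
& repadmin /replicate $env:COMPUTERNAME $Partner $NamingContext
if (Test-ReplicationSucceeded -Computer $env:COMPUTERNAME) {
    Clear-DivergentOverride
    Write-Host 'Replication succeeded; override cleared on this DC'
}
```

The override stays in the registry until it is removed, and a DC that was offline beyond the tombstone lifetime can reintroduce objects that were deleted everywhere else. Once replication works, check for lingering objects with repadmin /removelingeringobjects against a known-good DC (use /advisory_mode first to list them without deleting), and clear the override on every DC with repadmin /regkey * -allowDivergent.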


REF:

http://www.techieshelp.com/active-directory-replication-issues-after-timesync-problems/

https://social.technet.microsoft.com/Forums/windowsserver/en-US/893b09d8-636e-4f87-8260-11613a2a4e43/unable-to-replicate-between-2-dcs-error-message-exceeded-the-tombstone-lifetime?forum=winserverDS

Domain Controller Cross Forest migration Part 3 (ADMT Installation)

ADMT 3.2 installation

 

Requirements

  1. SQL Server 2008 SP2 (Express or full)
  2. Windows Server 2012/R2 or Windows Server 2008 R2 for ADMT
  3. PES (Password Export Server) installed on the source DC for migrating passwords

http://blogs.technet.com/b/askds/archive/2010/07/09/admt-3-2-common-installation-issues.aspx

  • The server where you install ADMT can run any supported version of Windows Server, including Windows Server 2012 R2 and Windows Server 2012.
  • The source and destination domain controllers must be writeable, but they can run any supported version of Windows Server with a user interface (not Server Core), including Windows Server 2012 R2 and Windows Server 2012.
  • The source and destination domains must be at Windows Server 2003 domain functional level or higher.
  • The computers that can be migrated can run any supported version of Windows, including Windows 8.1.
  • You can use any version of SQL Server for the ADMT database.

From <https://technet.microsoft.com/en-us/library/active-directory-migration-tool-versions-and-supported-environments(v=ws.10).aspx>

 

ADMT user permissions:


From <https://social.technet.microsoft.com/Forums/windowsserver/en-US/fe44cdd4-ef11-4d73-801d-f37939d756bd/minimum-permissions-needed-for-admt-32-when-doing-an-interforest-migration-with-sid-history?forum=winserverMigration>

 

ADMT Migration Account

The account you run ADMT under will need to have administrative rights in both the source and destination domains. You may decide to create a user specifically for the ADMT migration, or you may use an existing user, e.g. the default administrator account. I will create a user called ADMT and assign this user the correct permissions. This is the account we will use for the entire migration.

It is recommended that you make the user account in the destination domain and make it a member of the domain administrators group.

Destination domain:

In the source domain, add the same user to the built-in Administrators group (you will be unable to add it to the Domain Admins group).

Source domain:

Installing ADMT

You should install ADMT and SQL onto a member server in the destination forest. Use the ADMT service account explained in the previous post to install SQL and ADMT.

ADMT requires a preconfigured instance of SQL Server for its underlying data store, so we’ll go ahead and install SQL Server 2008 SP1 Express on ADMT.contoso.com.

Installing SQL Express 2008 SP2

SQL Express download here: https://www.microsoft.com/en-us/download/details.aspx?id=30438


Cause

This error is purely within SQL Express 2008 and is not really to do with ADMT 3.2. The issue is fixed in “Cumulative update package 4 for SQL Server 2008”.

Unhelpfully, this error is identified in KB975055 as applying only to Windows 7 and as fixed by SP1; both are incorrect. The issue does affect Windows Server 2008 R2 and is only fixed by the cumulative update.

Resolution

Before installing SQL Server Express 2008 with SP1 (which will fail), first install:

Cumulative update package 4 for SQL Server 2008 

http://support.microsoft.com/kb/963036


Set an account for the SQL service to run under (use your ADMT Service Account).


Set a SQL administrator: choose the user account you plan to run ADMT under. Be aware that this user account will need to have local administrative rights in the source domain (this will be discussed further in the series).

Download ADMT 3.2

https://onedrive.live.com/redir?resid=82488EABA4ACDB15!33497&authkey=!AF3kLtU8fl2_B0I&ithint=file%2cexe

Installing ADMT

For this series I will be using ADMT 3.2, which is the supported version for Server 2008 R2. Use ADMT 3.1 for installation on a Server 2008 non-R2 server, or ADMT 3.0 for Server 2003. If you need to migrate a Server 2000 domain, you will need to use ADMT version 3.1 or earlier.

Update June 2014: ADMT 3.2 now supports Windows Server 2012 / 2012 R2.

Hope this helps, please stay tuned for the next part.

Upgrade Microsoft Domain Controller 2008 R2 to DC 2012 R2 with Exchange 2010 in the current environment.

Prerequisites:
1- Windows Server 2012 R2 fully patched
2- The new Windows Server 2012 R2 server should be joined to the domain hosting the 2008 R2 domain controller

After you have all the prerequisites ready, start Server Manager, click Add roles, add the AD DS role and follow the instructions below.
Install the role and then configure it as follows.
Add it to the existing domain.
The next step is to migrate the AD Operations Master (FSMO) roles. The simplest way to move these roles is via PowerShell. With the Server 2012 AD PowerShell module this can be done from anywhere. Simply run the following command to view your current configuration, and then change it:
PS C:\> netdom query fsmo
Move-ADDirectoryServerOperationMasterRole -Identity "dc1" -OperationMasterRole 0,1,2,3,4
(The role numbers are 0 = PDCEmulator, 1 = RIDMaster, 2 = InfrastructureMaster, 3 = SchemaMaster, 4 = DomainNamingMaster.)
Making sure that all the roles have been migrated:
netdom query fsmo
Adding a second DC
Reference:
https://technet.microsoft.com/en-us/library/ee617229.aspx?f=255&MSPPError=-2147217396
Source: Default-First-Site-Name\DC2
******* 1 CONSECUTIVE FAILURES since 2015-03-23 19:37:45
Last error: 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
Naming Context: CN=Configuration,DC=kibtek,DC=local
Source: Default-First-Site-Name\DC2
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: CN=Schema,CN=Configuration,DC=kibtek,DC=local
Source: Default-First-Site-Name\DC2
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=kibtek,DC=local
Source: Default-First-Site-Name\DC2
******* WARNING: KCC could not add this REPLICA LINK due to error.
Resolution:
After joining the new DC you will see this error until replication with the PDC and schema master has finished.
Use repadmin /syncall to hasten the sync process.
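Added PowerShell example (not from the original post) that verifies the role move and the replication state described above before the old 2008 R2 DC is shut down: it confirms every FSMO role is on the new DC, resolves the DNS record that error 8524 complains about, pushes a sync and lists any recorded failures. 'DC2' is a placeholder name; it assumes the ActiveDirectory and DnsClient modules from the Windows Server 2012 R2 RSAT.

```powershell
# Added example (not from the original post): after the role move, confirm
# every FSMO role sits on the new DC, check the DNS record behind error 8524,
# push a sync and list replication failures.
# Assumptions: ActiveDirectory and DnsClient modules (2012 R2 RSAT); 'DC2' is
# a placeholder for the new DC's name.
Import-Module ActiveDirectory
$NewDc = 'DC2'

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-FsmoHolder {
    # Equivalent to reading "netdom query fsmo" and checking each line by hand.
    param([string]$ExpectedDc)
    $roles = Get-FsmoRoleHolders
    $misplaced = @($roles.GetEnumerator() | Where-Object { $_.Value -notlike "$ExpectedDc.*" })
    foreach ($r in $misplaced) { Write-Warning "$($r.Key) is still on $($r.Value)" }
    return ($misplaced.Count -eq 0)
}

function Test-DsaDnsRecord {
    # Error 8524 is a DNS lookup failure: partners are located through the
    # <DSA GUID>._msdcs.<forest root> CNAME, so make sure it resolves.
    param([string]$Dc)
    $ntds = Get-ADObject -Identity (Get-ADDomainController -Identity $Dc).NTDSSettingsObjectDN
    $fqdn = "$($ntds.ObjectGUID)._msdcs.$((Get-ADForest).RootDomain)"
    try { Resolve-DnsName -Name $fqdn -Type CNAME -ErrorAction Stop | Select-Object Name, NameHost }
    catch { Write-Warning "Cannot resolve $fqdn : $($_.Exception.Message)" }
}

function Get-ReplicationProblems {
    # No output means no failures recorded for this DC.
    param([string]$Dc)
    Get-ADReplicationFailure -Target $Dc | Select-Object Partner, FailureCount, LastError, FirstFailureTime
}

Test-FsmoHolder -ExpectedDc $NewDc
Test-DsaDnsRecord -Dc $NewDc
# Push every partition to every partner now instead of waiting for the KCC cycle.
& repadmin /syncall $NewDc /AdeP
Get-ReplicationProblems -Dc $NewDc
Get-ADReplicationPartnerMetadata -Target $NewDc |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult
```

Only shut the old DC down once Test-FsmoHolder returns True, the CNAME resolves, and the failure list is empty.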
After we moved the PDC and schema master roles to the new DC and shut down the old DC for testing, you might get the following error on the Exchange 2010 server:
Exchange Console
Current deployment

  1. Exchange 2010
  2. New DC 2012 R2 with another additional DC newly installed.
  3. Two DC 2008 R2, which have been shut down for testing.

Problem:
After you shut down or demote the old PDC or schema master domain controller, the Microsoft Exchange Management Console fails to retrieve any Exchange information with the error message “An error caused a change in the current set of Active Directory Server settings. Restart Exchange Management console.”
Cause:
The Microsoft Exchange Management Console caches the data in the user’s profile for quick access, so whenever you open EMC from an existing Exchange admin profile you will get the same error.
Resolution:
Navigate to the following folder and delete the Exchange Management Console file.
%userprofile%\appdata\roaming\Microsoft\MMC\Exchange Management Console

Hope this was useful.

Prepare Active Directory Domain Services with a 2012 R2 PowerShell Script

If you’re planning to install Active Directory on multiple DCs for backup, you can speed up this process by using the following script, which is provided by Microsoft. You’ll have to copy and paste it into Notepad and save it with a .ps1 extension after editing the domain name and domain NetBIOS name.

You may also want to change the forest mode to match the one in your environment if you already have an old DC.


# Windows PowerShell script for AD DS Deployment
# Edit DomainName and DomainNetbiosName (and ForestMode/DomainMode if an
# older DC already exists) before running.

Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012" `
-DomainName "moh10ly.com" `
-DomainNetbiosName "Moh10ly" `
-ForestMode "Win2012" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true

Note: If you want to have a different computer name, you will need to change it manually before you start the process below and restart after changing the computer name.
You will need to install the AD Domain Services management tools before you are able to run the PowerShell script:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

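The Microsoft script above creates a brand-new forest. For the case the introduction mentions, several DCs in one domain, the matching cmdlet is Install-ADDSDomainController, and the following added example (not from the original post and not Microsoft’s script) shows that promotion with a prerequisite dry run first. The domain name is taken from the post; the site name, the source DC, and the Status/Message property names on the check result are assumptions.

```powershell
# Added example (not from the original post): promote an additional DC into an
# existing domain with Install-ADDSDomainController, after installing the role
# and running the prerequisite check. Assumptions: 'Default-First-Site-Name'
# and 'DC1.moh10ly.com' are placeholders; the check result exposes Status
# ('Success' on a clean pass) and Message.
$DomainName = 'moh10ly.com'
$SiteName   = 'Default-First-Site-Name'
$SourceDc   = 'DC1.moh10ly.com'   # placeholder: an existing DC to replicate from

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module ADDSDeployment

# Prompt for secrets instead of embedding them in the script file.
$dsrm = Read-Host -AsSecureString 'Safe mode (DSRM) administrator password'
$cred = Get-Credential -Message "Domain Admin account in $DomainName"

$promoteArgs = @{
    DomainName                    = $DomainName
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    SiteName                      = $SiteName
    ReplicationSourceDC           = $SourceDc
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    Force                         = $true
}

# Dry run: reports missing prerequisites without changing the server.
$check = Test-ADDSDomainControllerInstallation @promoteArgs
if ($check.Status -ne 'Success') {
    $check.Message | Write-Warning
    throw 'Prerequisite check failed; fix the warnings above before promoting'
}

# Promotion; the server reboots on completion unless -NoRebootOnCompletion is added.
Install-ADDSDomainController @promoteArgs
```

Because the DSRM password and the credential are prompted for, nothing sensitive ends up in the .ps1 file or in the PowerShell history.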

When the management tools are installed you can drag and drop the PowerShell file into the PowerShell window and press Enter; as soon as you do that it will ask you for the SafeModeAdministratorPassword.

After you press Enter it will start the installation process.

When finished it will let you know that the server is going to be restarted automatically.

After restarting the server, this is what the full computer name became.