Friday, January 31, 2014

How to Check and Migrate the FSMO Owners in Microsoft Active Directory

This post will describe an easy method to determine who currently holds the FSMO roles in Windows Server.

This post will also describe how to migrate the roles by using the GUI tools for Active Directory.

Check All FSMO Roles from PowerShell or from Command Prompt

My preferred method is a simple netdom command that is run from command line or from PowerShell.

The command to list the FSMO role holders for your domain and forest is netdom query fsmo, run from an elevated prompt on a DC or on any machine with the AD DS tools installed.

The output lists the five roles (Schema master, Domain naming master, PDC, RID pool manager and Infrastructure master) together with the DC that holds each one.

In our lab, the output showed that the Domain Controller AZ-DC1.testlab.local holds all of the FSMO roles.

Check and Migrate RID Master, PDC, and Infrastructure Master Roles

  • From Active Directory Users and Computers (ADUC) right-click on the domain name and select Operations Masters...

  • This will bring up the Operations Masters dialog box.  
    •  The Change button transfers the role to the DC that ADUC is currently connected to, so if you want to migrate these roles from here you need to open the console on the DC that will hold the roles, or right-click the domain, choose Change Domain Controller... and connect to it first.  In our example we are launching the menu from TX-DC1 since this is the central office in our lab.
  • Select each tab for the appropriate FSMO role you would like to migrate and click the Change button to move the role to the DC listed in the lower text box.

  • Are you sure you want to transfer the operations master role? Click Yes to transfer the role to the target DC and click OK on the successful message.
  • Repeat for each FSMO role


Check and Migrate Domain Naming Master Role

  • Launch Active Directory Domains and Trusts
  • Right click Active Directory Domains and Trusts and select Operations Master
    • If the target DC is not the DC you are currently logged into you will need to close the Operations Master dialog box and Right Click Active Directory Domains and Trusts and select Change Active Directory Domain Controller...

    • Change Directory Server: Select the This Domain Controller or AD LDS instance radio button and double-click the DC you want to transfer the role to.
    • Now when you launch the Operations Master dialog box, you will see the correct target DC.
  • Click Change to move the operations master to the target DC
  • Are you sure you want to transfer the operations master role? Click Yes to transfer the role to the target DC and click OK on the successful message.

Check and Migrate the Schema Master Role

The Active Directory Schema snap-in is not available by default; its DLL must be registered first (the command is schmmgmt.dll, and it needs an elevated prompt). Transferring the Schema Master also requires that your account be a member of Schema Admins.
  • From an elevated command prompt or PowerShell, run regsvr32 schmmgmt.dll and click OK when it reports that the registration succeeded

  • Once the DLL is registered, you need to load the Active Directory Schema MMC 
    • From the run menu, command prompt or PowerShell type mmc to launch a blank MMC console
    • Select the File menu and click Add/Remove Snap-in
    • Double click the Active Directory Schema snap-in from the Available snap-ins menu and click OK

  • Right-click Active Directory Schema and select Change Active Directory Domain Controller... and connect to the DC that will receive the role. As with the Domain Naming Master, the Change button moves the role to whichever DC the snap-in is connected to.

  • Right-click Active Directory Schema again and select Operations Master...

  • Click Change to move the operations master to the target DC
  • Are you sure you want to transfer the operations master role? Click Yes to transfer the role to the target DC and click OK on the successful message.

Confirm the FSMO Roles have been Migrated to the Correct DC

Re-run the command netdom query fsmo

All five roles should now list the TX-DC1 domain controller. If one still shows the old holder, the transfer for that role did not go through (usually because the console was connected to the wrong DC); repeat that role's steps rather than assuming replication will catch up.
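The same check and transfer can be scripted. The block below is an added example, not code from the original post: it reads the role holders with Get-ADForest and Get-ADDomain (the PowerShell equivalent of netdom query fsmo), checks that the target DC exists and replicates cleanly, transfers all five roles to TX-DC1 with Move-ADDirectoryServerOperationMasterRole, and verifies the result. TX-DC1 and testlab.local are the lab names from the post; the pre-flight checks and the Get-FsmoHolders helper are my additions.

```powershell
# Added example, not from the original post: check, transfer and verify the five FSMO roles.
# Run as an account in Domain Admins, Enterprise Admins and Schema Admins; the last two are
# needed because Schema Master and Domain Naming Master are forest-level roles.
Import-Module ActiveDirectory

# Collect the two forest roles and the three domain roles into one object.
function Get-FsmoHolders {
    param([string]$Domain = 'testlab.local')   # lab root domain from the post
    $forest = Get-ADForest -Identity $Domain   # works for the forest root; use the forest name for a child domain
    $dom    = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

$target = 'TX-DC1'

'Before:'
Get-FsmoHolders | Format-List

# Pre-flight: the target must be a reachable DC and must have no inbound replication failures,
# otherwise the new holder starts out with a stale copy of the directory.
$dc = Get-ADDomainController -Identity $target -ErrorAction Stop
$failures = Get-ADReplicationFailure -Target $dc.HostName
if ($failures) {
    $failures | Format-Table Server, Partner, FailureCount, FirstFailureTime, LastError -AutoSize
    throw "Fix replication on $target before transferring roles."
}

# Transfer (not seize) all five roles in one call. Without -Force the cmdlet contacts the current
# holder and performs a graceful handoff; -Force seizes and is only for a holder that is gone for good.
Move-ADDirectoryServerOperationMasterRole -Identity $dc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

'After:'
$after = Get-FsmoHolders
$after | Format-List

# Verify every role now names the target's FQDN (the role properties hold FQDNs).
$wrong = $after.PSObject.Properties | Where-Object { $_.Value -ne $dc.HostName }
if ($wrong) { throw "Roles still held elsewhere: $($wrong.Name -join ', ')" }
"All five FSMO roles are on $($dc.HostName)"
```

If a role holder has failed permanently, the same cmdlet with -Force seizes the role; in that case the old server must never be brought back onto the network, or two DCs will believe they own the role.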

This concludes How to Check and Migrate the FSMO Owners in Microsoft Active Directory.

I hope this was helpful and informative to you and I would appreciate any feedback you may have.


Sunday, January 12, 2014

Create and Assign Subnets to Each Site in Active Directory Sites and Services

Adding subnets to a site helps Active Directory know where a computer or domain joined device lives within your Active Directory infrastructure.  By adding the appropriate subnets for each site to Active Directory Sites and Services you are telling Active Directory that traffic for COMPUTER1 is coming from IP 10.100.x.x and that IP is in site FloridaSite so COMPUTER1 is in FloridaSite.  This will help the computer know which Domain Controller to try to authenticate with first and will help AD integrated services know where the closest Global Catalog server is in the domain.
  • We will continue from where we left off and begin in the Active Directory Sites and Services MMC.




  • Expand the Sites folder and right-click Subnets then click New subnet

  • New Object – Subnet: Type in the network in CIDR format in the Prefix text box, then select the site that has this subnet.  Click OK

  • You will now see the new subnet in the Active Directory Sites and Services MMC under the Subnets folder.
  • To edit the existing subnet simply double-click the object and change any parameters you need to

  • I have created the remaining subnets needed for my test lab and am now ready to create Inter-Site transports for replication traffic.
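The subnet mapping can also be created and audited from PowerShell. The block below is an added example, not code from the original post: it creates (or corrects) a subnet object per site with New-ADReplicationSubnet and Set-ADReplicationSubnet, then parses the NO_CLIENT_SITE entries a DC writes to netlogon.log to find clients whose addresses still map to no subnet. The subnet ranges are assumptions for the three lab sites (10.100.x.x for FloridaSite follows the post's example), the Test-IPv4InPrefix helper is mine, and the three log lines are a constructed sample in the real file's format.

```powershell
# Added example, not from the original post: map subnets to sites, then find clients no subnet covers.
Import-Module ActiveDirectory

# Assumed lab ranges; the site names are the ones created in the post.
$subnetMap = @{
    '10.10.0.0/16'  = 'TexasSite'
    '10.100.0.0/16' = 'FloridaSite'
    '10.200.0.0/16' = 'ArizonaSite'
}

foreach ($prefix in $subnetMap.Keys) {
    $site = $subnetMap[$prefix]
    # A subnet object's Name is its CIDR prefix, the same value the wizard's Prefix box takes.
    if (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'") {
        Set-ADReplicationSubnet -Identity $prefix -Site $site
    } else {
        New-ADReplicationSubnet -Name $prefix -Site $site -Description "Lab subnet for $site"
    }
}

# True when an IPv4 address lies inside a CIDR prefix (integer compare under the prefix mask).
function Test-IPv4InPrefix {
    param([string]$Address, [string]$Prefix)
    $network, $bits = $Prefix.Split('/')
    $toUInt32 = {
        param($ip)
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($b)                     # network byte order -> host order
        [BitConverter]::ToUInt32($b, 0)
    }
    $mask = [uint32](([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    ((& $toUInt32 $Address) -band $mask) -eq ((& $toUInt32 $network) -band $mask)
}

# A DC logs NO_CLIENT_SITE to %SystemRoot%\debug\netlogon.log (and raises NETLOGON event 5807)
# when a client authenticates from an IP that maps to no subnet. Constructed sample lines in that
# format; for the real thing use: Get-Content "$env:SystemRoot\debug\netlogon.log"
$netlogonLines = @(
    '01/31 08:02:11 TESTLAB: NO_CLIENT_SITE: WS-FL-07 10.100.5.20'
    '01/31 08:03:40 TESTLAB: NO_CLIENT_SITE: LAPTOP-22 192.168.77.15'
    '01/31 08:05:02 TESTLAB: NO_CLIENT_SITE: WS-FL-07 10.100.5.20'
)

$gaps = foreach ($line in $netlogonLines) {
    if ($line -match 'NO_CLIENT_SITE:\s+(?<host>\S+)\s+(?<ip>\d{1,3}(\.\d{1,3}){3})') {
        $ip = $Matches['ip']
        $covered = @($subnetMap.Keys | Where-Object { Test-IPv4InPrefix -Address $ip -Prefix $_ })
        # Lines written before a subnet existed are stale; report only IPs that are still uncovered.
        if ($covered.Count -eq 0) { [pscustomobject]@{ Client = $Matches['host']; IP = $ip } }
    }
}
$gaps | Sort-Object IP -Unique | Format-Table -AutoSize
# With the map above only LAPTOP-22 / 192.168.77.15 is reported; 10.100.5.20 now belongs to FloridaSite.
```

Clients with no site mapping fall back to any DC in the domain, so a long list here usually means authentication is crossing the WAN; either add the missing subnet or treat an unexpected range (VPN pools, a rogue network) as something to investigate.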
This concludes how to Create and Assign Subnets to Each Site in Active Directory Sites and Services.

I hope this was helpful and informative to you and I would appreciate any feedback you may have.

How to Create Active Directory Sites in Active Directory Sites and Services

This post will describe how to create a new site in Active Directory. Sites are used in Active directory to determine the best path for replication traffic and for many services that you will implement in your domains.  Services include Microsoft Exchange server, AD Rights Management Services, and DFS. 

When building your sites you want to create them in such a way so that Active Directory can determine the best path for replication.  In our example, we will create three sites.  There will be one central office providing replication to both sites and a second site link for replication traffic in case the main site is unavailable.

Because the central office has the best connection to the internet and WAN links, it will have the lowest cost for replication whereas the branch sites have a slower WAN link that we do not want the primary replication traffic to cross unless there is an issue with the central office.

Creating new sites in Active Directory Sites and Services


  •  First, launch Active Directory Sites and Services from the Tools menu in Server Manager


  • This opens the Active Directory Sites and Services console

  • Right-Click the Sites folder and select New Site…

  • New Object – Site: Fill in the name of the new site and select the DEFAULTIPSITELINK for inter-site transport. Click OK

  • An informational window will appear stating that you will need to move DCs into the site, add subnets for the site, and ensure site links exist before the site is fully functional.

  • After creating the ArizonaSite and the FloridaSite, I renamed Default-First-Site-Name to TexasSite since this will be our central office.  After completing the site creation, the console shows the three sites under the Sites folder.

Assigning DCs to a Site in Active Directory Sites and Services

  • Within Active Directory Sites and Services expand the Default-First-Site-Name (TexasSite) and expand the Servers folder.

  • Within the folder, you will see all of the Domain Controllers in the domain that are assigned to this site.

  • Right-click the AZ-DC1 object and select Move from the menu to launch the Move Server wizard.

  • Select the ArizonaSite for AZ-DC1 and click OK

  • I repeated the above tasks for the FloridaSite and FL-DC1 to show that we now have one DC in each site.
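The three-site layout, including the site links and costs described at the start of this post, can be built from PowerShell as well. The block below is an added example, not code from the original post: it renames the default site, creates the branch sites, creates one low-cost link from the central office to each branch plus a deliberately expensive branch-to-branch link for the failover case, moves the DCs into their sites and checks the result. TexasSite, ArizonaSite, FloridaSite and the DC names are from the post; the link names, costs and replication intervals are assumptions.

```powershell
# Added example, not from the original post: hub-and-spoke site topology with a backup link.
Import-Module ActiveDirectory

# 1. Default-First-Site-Name becomes the central office.
$default = Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'"
if ($default) { Rename-ADObject -Identity $default.DistinguishedName -NewName 'TexasSite' }

# 2. Branch sites.
foreach ($site in 'ArizonaSite', 'FloridaSite') {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) { New-ADReplicationSite -Name $site }
}

# 3. Site links. The KCC routes replication over the lowest total cost, so the hub links are cheap and
#    the branch-to-branch link is expensive: it is only used when TexasSite is unreachable.
#    Costs and intervals are assumed values.
$links = @(
    @{ Name = 'TX-AZ'; Sites = 'TexasSite', 'ArizonaSite';   Cost = 100; Minutes = 15 }
    @{ Name = 'TX-FL'; Sites = 'TexasSite', 'FloridaSite';   Cost = 100; Minutes = 15 }
    @{ Name = 'AZ-FL'; Sites = 'ArizonaSite', 'FloridaSite'; Cost = 500; Minutes = 60 }
)
foreach ($l in $links) {
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$($l.Name)'")) {
        New-ADReplicationSiteLink -Name $l.Name -SitesIncluded $l.Sites -Cost $l.Cost `
            -ReplicationFrequencyInMinutes $l.Minutes -InterSiteTransportProtocol IP
    }
}

# DEFAULTIPSITELINK still joins every site at cost 100, which would bypass the costing above.
# Once every site is on an explicit link it is safe to remove.
$old = Get-ADReplicationSiteLink -Filter "Name -eq 'DEFAULTIPSITELINK'"
if ($old) { Remove-ADReplicationSiteLink -Identity $old -Confirm:$false }

# 4. Move each DC into its site (the Move Server wizard step).
$placement = @{ 'TX-DC1' = 'TexasSite'; 'AZ-DC1' = 'ArizonaSite'; 'FL-DC1' = 'FloridaSite' }
foreach ($dcName in $placement.Keys) {
    $dc = Get-ADDomainController -Identity $dcName
    if ($dc.Site -ne $placement[$dcName]) { Move-ADDirectoryServer -Identity $dc -Site $placement[$dcName] }
}

# 5. Check placement and make the KCC recompute the topology now instead of at its next pass.
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address | Format-Table -AutoSize
Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded | Format-Table -AutoSize
repadmin /kcc
```

Site links only describe the intended topology; repadmin /showrepl on each DC shows which connections the KCC actually built and whether they are replicating.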
This concludes How to Create Active Directory Sites in Active Directory Sites and Services.

Next post: Create and Assign Subnets to Each Site in Active Directory Sites and Services

I hope this was helpful and informative to you and I would appreciate any feedback you may have.


Saturday, January 11, 2014

How to Add a New Domain Controller to an Existing Windows Server 2012 Forest or Domain

This post will discuss how to add a new domain controller to an existing Windows Server 2012 Domain Services infrastructure.  This is a continuation of my previous post on How to Install Active Directory from Windows Server 2012 Server Manager, which discusses installing a new Active Directory forest.

Adding a second domain controller to a domain is highly recommended for any infrastructure: it adds resiliency, uptime, and maintainability, and it replicates the Active Directory data to another system so that a single server failure no longer takes authentication down for the whole domain.

We will start this guide from the Active Directory Domain Services Configuration Wizard. To get to this point, please follow the Installing Active Directory from Windows Server 2012 Server Manager section of my previous post.

Run Active Directory Domain Services Configuration Wizard


  • After the role installation completes, you will notice a notification in the Notifications window.  Click the flag and click the link Promote the server to a domain controller


  • Deployment Configuration: Select Add a domain controller to an existing domain. Under Specify the domain information for this operation, type in the FQDN of the domain you would like to add this server to.  In this case we are using testlab.local. Finally, supply the username and password of a domain admin in the domain.  We are using TESTLAB\Administrator.  Click Next
    • NOTE:  In our test lab we have each DC in a separate VLAN to represent a different site.  If you are doing this, you may not pick up the domain name automatically and can be presented with an error that the domain cannot be contacted.  To overcome this, set the primary DNS server of the new system to the IP of the existing DC in the domain.

  • Domain Controller Options: Select the options you want this DC to have.  We are selecting DNS and GC and for now are adding it to the Default-First-Site-Name site.  We will discuss sites in a later post.  Also set the Directory Services Restore Mode (DSRM) password for this DC, record it somewhere safe, and click Next.

  • DNS Options: Click Next

  • Additional Options:  You can choose to install the AD database from media, but we will choose to replicate the database from our first DC AZ-DC1.testlab.local.  You can also select Any Domain Controller, and AD will use sites and site links to determine the best domain controller to replicate from.  Click Next

  • Paths: Verify the paths for the AD database, Log files and SYSVOL share and click Next
    • The AD database and SYSVOL location can be changed but is usually left as default.  Personally, I install all DCs with a single partition and keep the system very trim so I never change the path of the database or SYSVOL share.

  • Prerequisites Check: This will validate that the server is ready for Domain Services and will show a couple of warnings about NT 4.0 cryptography compatibility and the same DNS delegation warning seen earlier.  These are expected.  Click Install to begin promoting the new DC.
  • If you checked the  Restart the destination server automatically if required when installing domain services role the server will reboot automatically after the installation is complete.

  • After the reboot, log in to the domain and you will see the new DC in Active Directory Administrative Center.
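The whole promotion, including the DNS check from the NOTE above, can be done from PowerShell. The block below is an added example, not code from the original post or the wizard's own script: it installs the role, confirms the DC locator SRV record resolves before anything else, runs the same prerequisite test as the wizard's Prerequisites Check page, and promotes the server with Install-ADDSDomainController. testlab.local, TESTLAB\Administrator, AZ-DC1 and Default-First-Site-Name are the lab values from the post; the interface alias in the error message and the credential prompts are assumptions.

```powershell
# Added example, not from the original post: add a DC to an existing domain with a DNS pre-check.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

$domainName = 'testlab.local'            # lab domain from the post
$sourceDc   = 'AZ-DC1.testlab.local'     # first DC from the post, used as replication source

# Promotion locates a DC through the _ldap._tcp.dc._msdcs SRV record. If this server's DNS does not
# resolve it (the separate-VLAN case in the NOTE), fix DNS first; the wizard would otherwise report
# that the domain cannot be contacted.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domainName" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    throw "No DC locator SRV record for $domainName. Point DNS at an existing DC first, e.g. " +
          "Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses <IP of $sourceDc>"
}
$targets = ($srv | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ', '
"DC locator records resolve to: $targets"

$cred = Get-Credential -Message 'Domain Admin account used for the promotion' -UserName 'TESTLAB\Administrator'
$dsrm = Read-Host -Prompt 'DSRM password for this DC' -AsSecureString

$params = @{
    DomainName                    = $domainName
    Credential                    = $cred
    InstallDns                    = $true
    NoGlobalCatalog               = $false     # keep it a GC, as the wizard checkbox does
    SiteName                      = 'Default-First-Site-Name'
    ReplicationSourceDC           = $sourceDc
    CreateDnsDelegation           = $false
    CriticalReplicationOnly       = $false     # finish full replication before the reboot
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true      # skips the confirmation prompt, not the checks
}

# Same validation as the Prerequisites Check page; warnings are expected, an Error status is not.
$check = Test-ADDSDomainControllerInstallation @params
$check | Format-List Status, Message, RebootRequired
if ($check.Status -eq 'Error') { throw 'Prerequisite check failed; see the message above.' }

# Promote. The server reboots when it finishes unless -NoRebootOnCompletion is added.
Install-ADDSDomainController @params

# After the reboot, confirm the DC registered and is replicating:
#   Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog, IPv4Address
#   repadmin /showrepl
```

Installing from media (the wizard's other option) is the -InstallationMediaPath parameter on the same cmdlet, useful when the WAN to the replication source is slow.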
This concludes How to Add a New Domain Controller to an Existing Windows Server 2012 Forest or Domain.

I hope this was helpful and informative to you and I would appreciate any feedback you may have.

How to Install Active Directory from Windows Server 2012 Server Manager

This post will go over the initial installation process of Active Directory in a Windows Server 2012 environment.  We will go over creating a new forest and domain.  Later posts will discuss installing a new domain controller in the forest.

Active Directory is the cornerstone of identity, authentication and access management in most businesses, which makes the domain controllers that host it the most security-critical servers in the environment.  We will discuss the installation process and some basic configuration of a multi-site infrastructure over the next few posts.

I will cover some best practice information regarding sites and OU structure but ultimately the design and implementation of your Active Directory infrastructure is dependent on your business needs.

Installing Active Directory from Windows Server 2012 Server Manager

To start, use a clean installation of Windows Server 2012 with minimal configuration so that Active Directory is kept separate from other services on the network.  It is recommended to dedicate domain controllers to AD DS (and DNS) and not co-host other applications on them: it minimises downtime and patch-related interruptions to this critical service, and it keeps software that could be used to take over the DC, and with it the whole domain, off the box.
  • Start Server Manager and Select Add roles and features from the Dashboard 

  • Before you begin: Click Next
  • Select installation type: Select Role-based or feature-based installation and Click Next
  • Select destination server: Choose Select a server from the server pool and be sure the local server is highlighted in the Server Pool list box, then click Next

  • Select server roles: Select Active Directory Domain Services 
  • This will launch the Add features that are required for Active Directory Domain Services? window.  Select Add features then click Next
  • Select features: Click Next

  • Confirm installation selections: Click the Restart the destination server automatically if required check box and click Install

Run Active Directory Domain Services Configuration Wizard


  • After the installation completes, you will notice a notification in the Notifications window.  Click the flag and click the link Promote the server to a domain controller

  • This will launch the Active Directory Domain Services Configuration Wizard
  • Deployment Configuration: Select Add a new forest radio button and enter the new Root domain name.  In this case we are calling the new forest testlab.local. Click Next
NOTE: The .local extension was chosen here so that the internal namespace cannot collide with the public DNS zones we will be using later for e-mail, and so internal and external services stay easy to tell apart.  Keeping the AD namespace separate from your public zone is sound advice, but .local itself is a poor choice today: it is reserved for multicast DNS (RFC 6762), so Apple and many Linux hosts resolve .local names by mDNS instead of asking your DNS servers, and public certificate authorities no longer issue certificates for names under it.  The usual recommendation is a dedicated subdomain of a domain you own, such as ad.example.com or corp.example.com: it stays off the public zone, nobody else can register it, and it can still get publicly trusted certificates.  Whichever you pick, treat it as permanent; renaming a domain later is a painful operation.



  • Domain Controller Options: Select the Forest functional level and the Domain functional level.  We will not be adding any domain controllers older than Windows Server 2012 so we will choose Windows Server 2012 for both Domain and Forest functional levels.
  • Domain Controller Options: If this is the first server in the domain, be sure to select both the Domain Name System (DNS) server and  Global Catalog (GC) check boxes.
  • Domain Controller Options: Finally, type in the password for restoring the Directory Services database and be sure to save the password in a safe place.  When you need it, you will really need it so it should be documented. Then click Next

  • DNS Options: You will notice a warning at the top of the page with the above error.  Basically, it is stating that the zone testlab.local cannot be found so delegation cannot be setup.  This is expected since the zone has not been created yet.  Go ahead and acknowledge the warning and click Next

  • Additional Options:  Verify the NETBIOS name of the domain and click Next
    • The NetBIOS name is what I call the short name of the domain and is what is referenced when logging into the domain with a user, i.e. TESTLAB\Administrator instead of the FQDN testlab.local\Administrator.
    • The NetBIOS domain name is still required: it is the name used in DOMAIN\user logons and in the sAMAccountName-style identifiers that many applications rely on.  What Microsoft has been retiring is NetBIOS over TCP/IP as a name-resolution mechanism (broadcasts and WINS), not the domain's NetBIOS name.  For now, understand that it exists and that by default it is the first label of the DNS name in upper case, limited to 15 characters.

  • Paths: Verify the paths for the AD database, Log files and SYSVOL share and click Next
    • The AD database and SYSVOL location can be changed but is usually left as default.  Personally, I install all DCs with a single partition and keep the system very trim so I never change the path of the database or SYSVOL share.
  • Review Options:  Look over all of the settings and verify they match what you expect and click Next
    • You can also click View Script to see the PowerShell command the wizard is about to run; it is an Install-ADDSForest call carrying the options chosen on the previous pages, and you can save it to repeat the build unattended.

  • Prerequisites Check: This will validate that the server is ready for Domain Services and will show a couple warnings about NT 4.0 compatibility and the same warning from the DNS delegation screen.  These are expected.  Click Install to begin the installation of the first DC in the forest.
  • If you checked the  Restart the destination server automatically if required when installing domain services role the server will reboot automatically after the installation is complete.

  • When you get to the login screen you will see the NETBIOS name pre-populated and will now be logging in to the domain whenever accessing this server.
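For an unattended or repeatable build, the wizard steps above map onto two cmdlets from the ADDSDeployment module. The block below is an added example, not the wizard's own View Script output: it installs the role, runs the prerequisite test, and creates the forest with Install-ADDSForest. testlab.local, TESTLAB and the Windows Server 2012 functional levels are the post's lab values; the paths are the wizard defaults, and the DSRM password prompt is an assumption.

```powershell
# Added example, not from the original post: create a new forest from PowerShell.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Prompt for the DSRM password rather than embedding it: it is the break-glass credential for the
# directory database, so record it in the password safe, not in this script.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

$params = @{
    DomainName                    = 'testlab.local'
    DomainNetbiosName             = 'TESTLAB'
    ForestMode                    = 'Win2012'   # Windows Server 2012 forest functional level
    DomainMode                    = 'Win2012'   # Windows Server 2012 domain functional level
    InstallDns                    = $true
    CreateDnsDelegation           = $false      # no parent zone exists yet (the wizard's DNS warning)
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true       # skips the confirmation prompt, not the checks
}

# The Prerequisites Check page as a cmdlet. The NT 4.0 crypto-compatibility and DNS delegation
# warnings are expected; an Error status must be resolved before promoting.
$check = Test-ADDSForestInstallation @params
$check | Format-List Status, Message, RebootRequired
if ($check.Status -eq 'Error') { throw 'Prerequisite check failed; see the message above.' }

# Create the forest and its first DC. The server reboots on completion unless -NoRebootOnCompletion is added.
Install-ADDSForest @params

# After the reboot, confirm the forest exists and that this DC holds every role, as expected for a first DC:
#   Get-ADForest testlab.local | Format-List Name, ForestMode, SchemaMaster, DomainNamingMaster, GlobalCatalogs
#   Get-ADDomain testlab.local | Format-List DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster
```

Keeping the splatted parameter table in version control is the practical payoff: the next DC build uses the same paths and options, and a reviewer can see exactly what was chosen without clicking through the wizard again.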
This concludes the installation of Active Directory from Windows Server 2012 Server Manager.

I hope this was helpful and informative to you and I would appreciate any feedback you may have.