How to promote Server Core to be a RODC

The Windows Server 2008 Server Core installation does support Read Only Domain Controllers (RODC). This support makes Server Core ideal for branch office scenarios. To make a Server Core machine part of your domain as an RODC, use an unattended answer file with the following text, filling in your own settings and passwords:

[DCInstall]
InstallDNS=Yes
ConfirmGC=Yes
RebootOnCompletion=Yes
ReplicaDomainDNSName=2008.lab
ReplicaOrNewDomain=readonlyreplica
ReplicationSourceDC=dc3.2008.lab
SafeModeAdminPassword=
SiteName=Default-First-Site-name
UserDomain=2008.lab
UserName=admin08
Password=
CreateDNSDelegation=No

You can place the text file on the root of your C drive on the Server Core machine and run the following command, where unattend.txt is the text file you created above:

dcpromo /unattend:unattend.txt
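The answer file above carries a domain account password and the Directory Services Restore Mode password in clear text, so copies left on disk are worth auditing. The following check is an added example, not part of the original post: the function name, the constructed sample and the list of expected keys (copied from the template above rather than from dcpromo's documentation) are assumptions, and it is meant to run on an admin workstation against a copy of the file.

```python
import configparser

# Keys copied from the answer file on this page; not an exhaustive dcpromo list.
TEMPLATE_KEYS = ["InstallDNS", "ConfirmGC", "RebootOnCompletion",
                 "ReplicaDomainDNSName", "ReplicaOrNewDomain",
                 "ReplicationSourceDC", "SafeModeAdminPassword", "SiteName",
                 "UserDomain", "UserName", "Password", "CreateDNSDelegation"]
SECRET_KEYS = ["SafeModeAdminPassword", "Password"]

# Constructed sample (made-up password): wrong mode, no SiteName, secret left in.
LEFTOVER = """[DCInstall]
InstallDNS=Yes
ConfirmGC=Yes
RebootOnCompletion=Yes
ReplicaDomainDNSName=2008.lab
ReplicaOrNewDomain=replica
ReplicationSourceDC=dc3.2008.lab
SafeModeAdminPassword=
UserDomain=2008.lab
UserName=admin08
Password=Example-Passw0rd%1
CreateDNSDelegation=No
"""


def audit_answer_file(text):
    """Return a list of findings for a dcpromo answer file passed as text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return ["unparseable answer file: " + type(exc).__name__]
    name = next((s for s in cp.sections() if s.lower() == "dcinstall"), None)
    if name is None:
        return ["missing [DCInstall] section"]
    opts = cp[name]  # configparser matches option names case-insensitively
    findings = ["missing key: " + k for k in TEMPLATE_KEYS if k not in opts]
    mode = opts.get("ReplicaOrNewDomain", "").strip()
    if mode.lower() != "readonlyreplica":
        findings.append("ReplicaOrNewDomain is %r, expected readonlyreplica" % mode)
    for key in SECRET_KEYS:
        # Empty is the page's placeholder; "*" makes dcpromo prompt instead.
        if opts.get(key, "").strip() not in ("", "*"):
            findings.append("cleartext secret stored in " + key)
    return findings


if __name__ == "__main__":
    print("\n".join(audit_answer_file(LEFTOVER)))
```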

Later on we will discuss other embedded command line structures and built-in programs such as OCSETUP, which will allow you to add roles and features to your Server Core. Keep in mind that promoting a domain controller is the one setup for which you must not use OCSETUP; you must use DCPROMO for it, otherwise your server may not function properly.

After running the above process, you can readily confirm from a Windows Server 2008 full installation, using ADUC, that our DC is an RODC.

How to setup IP configuration of Windows Server 2008 Server Core

To add your Server Core machine to a domain, you must first assign an IP address and a DNS server to its IP configuration using the NETSH tool; otherwise, setup using the answer file will fail, complaining about its inability to contact the source DC.

Netsh.exe is a tool an administrator can use to configure and monitor Windows-based computers at a command prompt. With the Netsh.exe tool, you can direct the context commands you enter to the appropriate helper, and the helper then carries out the command. A helper is a Dynamic Link Library (.dll) file that extends the functionality of the Netsh.exe tool by providing configuration, monitoring, and support for one or more services, utilities, or protocols. The helper may also be used to extend other helpers.

First, check the index assigned to your NIC by running this at the command line:

netsh interface ipv4 show interfaces

You can then use this syntax to assign your server an IP address. Note that my NIC index ID is 2.

netsh interface ipv4 set address name="2" source=static address=192.168.100.202 mask=255.255.255.0 gateway=192.168.100.1

And then you can use the following NETSH command to add your primary DNS server, in my case also the source DC.

netsh interface ipv4 add dnsserver name="2" address=192.168.100.201 index=1

Run Ipconfig /all to verify your configuration.

In a future post, I will show you how to setup Server Core to be a Read-Only Domain Controller in a Windows Server 2008 domain.

More on NETSH can be found on http://support.microsoft.com/kb/242468

How to disable Windows Firewall in Windows Server 2008 Server Core

In Server Core, the built-in Windows firewall is on by default. You can choose to disable it completely to get all the networking components working by using this NETSH command:

netsh firewall set opmode disable

You can use the enable switch to turn it back on. However, completely disabling it may be a bad idea, and you should instead use the following commands to open up specific ports and applications. For example, to open up port 3389 for RDP use:

netsh firewall set portopening TCP 3389 "AnyNameHereSuchasRDP"

or

netsh firewall set allowedprogram FullPathToExecutable name=AnyNameHere

Note that each of the above commands should be entered on one line; they may appear wrapped due to the page format in this post.

For more information on advanced firewall functionality, please go here.

How to enable RDP for Windows Server 2008 Server Core

Even though the Server Core option of Windows Server 2008 does not have a shell, you can still RDP (Terminal Services) into it by using RDC from a Windows client. To do that, you first have to enable RDP on Server Core by using the following cscript command.

Cscript \windows\system32\scregedit.wsf /ar 0

To use TS from a pre-Vista OS, you have to turn off the high security setting, which is on by default, by using the following command:

Cscript \windows\system32\scregedit.wsf /cs 0

While connected to the Server Core over Terminal Services, you can use the logoff.exe command line to terminate your session.

How can I rename Windows Server 2008 Server Core

Once again, with no GUI your Windows Server 2008 Server Core can easily be renamed using Windows Management Instrumentation Command-line (WMIC), and here is how,

wmic computersystem where name="%computername%" rename name="new-name"

As a result, you will get a ‘Method execution successful’ message. However, if your machine is domain-joined, you can use NETDOM to accomplish the same task. Here is the query.

Netdom renamecomputer %computername% /NewName:new-name /UserD:domain-username /PasswordD:*

How to activate Windows Server 2008 Server Core

As we know, there is no GUI in the Windows Server 2008 Server Core option, so here is how you can activate your copy. The following was done on an evaluation copy, and here is the cscript command to run.

Cscript C:\Windows\System32\slmgr.vbs -ato

You can run the -xpr switch to see how much time you have left; mine shows permanently activated. These are out-of-box scripts that aid in licensing management.

Read my previous post on how to install VM additions in your lab environment (based on VS 2005 R2) to tinker with the Server Core.

Initial Configuration for the Windows Server 2008 Server Core

In a full version of Windows Server 2008 there is Initial Configuration Tasks, which allows you to configure various things after a fresh install. However, since Server Core is GUI-less, or more precisely shell-less and not entirely GUI-less, the various initial configuration tasks are to be done from the command line or through the few built-in cpls.

In the next few posts, I will be showing you the basic configuration of an out-of-box Server Core. Let's start with changing the Administrator’s password, which does not happen during the installation. You may use the good old net command to do that,

net user administrator *

or change it by pressing CTRL+ALT+DEL and clicking Change Password.

You may also need to set the date, time and time zone, and there is a left-behind GUI cpl available for it.

control timedate.cpl

The above cpl will launch the normal Date and Time control panel for you to change the settings. The only other cpl included in Server Core is intl.cpl, which allows you to change the keyboard layouts.

How to find out your server uptime

Using the Uptime utility from Microsoft you can get your server uptime (i.e. time since the last reboot), which can come in handy particularly when you are trying to troubleshoot a server’s unexpected reboots and failures.

Uptime.exe can be used to display the current uptime of the local or remote system. Optionally, it can also scan the Event log for key system events such as system restart or computers that are not responding (hanging). Where possible, it also calculates system availability. It is primarily intended for Windows NT Server 4.0 Service Pack 4 or later, though it operates in limited fashion on earlier versions.

You can download it from the link below and drop it on the root of c:\ or wherever you wish; the command line to run is simply uptime.

http://support.microsoft.com/kb/232243

Find out the available RIDs on your DC

In a previous post we discussed the FSMO Roles, and we know that one of the FSMO Roles is RID Master. Let’s recap what the RID Master does and why it is significant. RID Master – Each object must have a globally unique number (GUID). The RID master makes sure each domain controller issues unique numbers when you create objects such as users or computers. For example, DC one is given RIDs 1-4999 and DC two is given RIDs 5000-9999.

In this post I will be showing you the command which you can run to check the available Relative Identifiers (RID) pool on one of your DCs.

You should have the Windows Server 2003 Support tools installed and the command to run is as follows:

dcdiag /v /test:ridmanager

/v is for verbose logging and /test:ridmanager selects the specific test, so that the other dcdiag tests are not run. Take a look at the attached screenshot above; it shows the current RID Allocation Pool and the Previous Allocation Pool. 500 RIDs are assigned from the RID Master, and after 50% of the pool has been consumed, another request for pool refill is made to the RID Master.
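To track pool consumption over time rather than read it off a screenshot, the RidManager lines can be parsed and compared with the 50% refill point described above. This is an added example, not part of the original post: the sample output is constructed, the function names are hypothetical, and the reading of the attributes (rIDPreviousAllocationPool as the pool in use, rIDAllocationPool as the most recently received pool, rIDNextRID as the next value to be issued) is an assumption.

```python
import re

REFILL_AT = 0.5  # share of the pool used before a refill is requested (per this page)

# Constructed sample modelled on the verbose RidManager output; all values made up.
SAMPLE = """\
   Starting test: RidManager
      * Available RID Pool for the Domain is 2603 to 1073741823
      * dc3.2008.lab is the RID Master
      * rIDAllocationPool is 2103 to 2602
      * rIDPreviousAllocationPool is 1603 to 2102
      * rIDNextRID: 1900
"""


def _span(label, text):
    """Return (low, high) from a '* <label> is <low> to <high>' line."""
    m = re.search(r"\*\s*%s is (\d+) to (\d+)" % re.escape(label), text)
    if m is None:
        raise ValueError("line not found: " + label)
    return int(m.group(1)), int(m.group(2))


def rid_status(text):
    """Summarise RID consumption on one DC from dcdiag RidManager output."""
    # Assumption: rIDPreviousAllocationPool is the pool in use, rIDAllocationPool
    # the most recently received one, rIDNextRID the next value to be issued.
    low, high = _span("rIDPreviousAllocationPool", text)
    standby = _span("rIDAllocationPool", text)
    dom_low, dom_high = _span("Available RID Pool for the Domain", text)
    m = re.search(r"\*\s*rIDNextRID:\s*(\d+)", text)
    if m is None:
        raise ValueError("line not found: rIDNextRID")
    next_rid = int(m.group(1))
    if not low <= next_rid <= high + 1:
        raise ValueError("rIDNextRID lies outside the pool in use")
    size, used = high - low + 1, next_rid - low
    if used / size < REFILL_AT:
        state = "below refill threshold"
    elif standby != (low, high):
        state = "standby pool received"
    else:
        state = "refill pending"  # threshold passed, no new pool yet
    return {"pool_size": size, "used": used, "left": size - used,
            "domain_unallocated": dom_high - dom_low + 1, "state": state}


if __name__ == "__main__":
    print(rid_status(SAMPLE))
```

A DC that stays in the "refill pending" state across several runs has passed the threshold without obtaining a new pool, which is the condition to investigate before the pool in use runs out.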

How to rename a Windows Server 2008 domain

Previously you have been able to use the RENDOM utility provided by Microsoft to rename your Windows 2000 and Windows Server 2003 domains. However, in a Windows Server 2008 domain you don’t have to install the Rendom utility separately. It gets installed as part of the “Active Directory Domain Services” role when you promote a server to the DC role, and it can be found here: %windir%\system32\rendom.exe.

I used it to rename a Windows Server 2008 domain in my test lab environment. The process was pretty straightforward but it may require more tasks if you have multiple DCs in a multi domain environment.

The Forest and Domain Functional Level should be Windows Server 2008 to proceed with the following task.

From the command prompt, I started out by running rendom /list, which outputs an XML file (Domainlist.xml) to the directory where rendom resides. You edit that file to change your domain configuration to the new domain name, i.e. ForestDNSZones, DomainDNSZones, NetBIOS name. See referenced link for details.

After you have modified the file you can run rendom /showforest, which shows you the future configuration; verify it and make changes if necessary.

Upload the changes you have made in the XML file: Run rendom /upload

Verify readiness of Domain Controller(s): Run rendom /prepare

Execute domain rename instructions: Run rendom /execute

After that finishes successfully, you should also run the GPFIXUP tool to fix up GPO references to your old domain name. See Step 12 of this document.

Here is an example :

C:\Users\Administrator>gpfixup /olddns:08r2.lab /newdns:mcts.lab
Group Policy fix up utility Version 1.1 (Microsoft)

Start fixing group policy (GroupPolicyContainer) objects:
........

Start fixing site group policy links:
.

Start fixing non-site group policy links:
....
gpfixup tool executed with success.

C:\Users\Administrator>gpfixup /oldnb:08r2 /newnb:mcts
Group Policy fix up utility Version 1.1 (Microsoft)

Start fixing group policy (GroupPolicyContainer) objects:
..
gpfixup tool executed with success.

Lastly, run rendom /clean

The identity (domain GUID) of the renamed domain does not change during a domain rename operation. Thus a computer’s domain membership does not change as a result of the holding domain being renamed.

However, every member computer joined to the renamed domain needs to be rebooted twice. Please refer to “How Domain Rename works” technical reference for more info.

How Domain Rename Works : Microsoft Technet

Other References:

http://dsg.port.ac.uk/~hx/rename_domain/index.php

http://www.msexchange.org/tutorials/Domain-Rename.html (for domains with Exchange)