Archive for the ‘Windows Server 2008’ Category.

Is there an Active Directory Visual Illustration/Diagram ?

A question was raised on ActiveDir, and I learned about an old TechNet jigsaw poster on AD's inner workings.

[Image: ADjigsaw poster]

Along with that, there was a new Windows Server 2008 AD Feature Components poster which I received at Tech-Ed 2007; it illustrates the new and improved AD pieces introduced with Windows Server 2008. This poster covers ADLDS, ADFS, ADRMS and RODCs.

[Image: AD08features poster]

And an additional poster on general new Windows Server 2008 Feature Components that covers TS, NAP, IIS 7.0, Virtualization, Server Core and BitLocker.

08features

Both of the above illustrations are very good quality, large-size posters (30x20in) and are good to hang in your office/cube. Printing them on a regular printer may distort the quality, so you may try a plotter :) . All three can be downloaded from the following links:

TechNet Magazine Active Directory Component Jigsaw Poster

Windows Server 2008 Component Posters (both)

P.S This is my first test post using WLW.

How many DFL and FFL are there now ?

Known as "domain modes" back in the Windows 2000 days, the list of Domain Functional Levels (DFL) and Forest Functional Levels (FFL), introduced with Windows Server 2003, has grown with the addition of two Windows Server 2008 levels (2008 and 2008 R2). The DFL limits which operating systems the DCs of that domain may run; the FFL can only be raised (in a multi-domain forest) once every domain in the forest, not just the child domains, has first been raised to the matching DFL. Neither functional level dictates which OS you can run on your member servers. They dictate which OS a DC can run and unlock new AD functionality as you move up the ladder. For example, to take advantage of the AD Recycle Bin all your DCs must be running Windows Server 2008 R2 and the FFL must be Windows Server 2008 R2. Raising a functional level is effectively one-way (the only supported rollback is from 2008 R2 to 2008, and only while the Recycle Bin has not been enabled), so inventory your DCs before you raise anything.

There are now 6 different Domain Functional Levels (the DC operating systems each one allows in parentheses):

1. Windows 2000 Mixed (NT 4.0 BDCs, Windows 2000 and Windows Server 2003 DCs)
2. Windows 2000 Native (Windows 2000, 2003, 2008 and 2008 R2 DCs)
3. Windows Server 2003 Interim (NT 4.0 BDCs and Windows Server 2003 DCs; only reachable when upgrading from NT 4.0)
4. Windows Server 2003 (Windows Server 2003, 2008 and 2008 R2 DCs)
5. Windows Server 2008 (Windows Server 2008 and 2008 R2 DCs)
6. Windows Server 2008 R2 (Windows Server 2008 R2 DCs only)

And five Forest Functional Levels:

1. Windows 2000 (NT 4.0 BDCs, Windows 2000, 2003, 2008 and 2008 R2 DCs)
2. Windows Server 2003 Interim (NT 4.0 BDCs and Windows Server 2003 DCs)
3. Windows Server 2003 (Windows Server 2003, 2008 and 2008 R2 DCs)
4. Windows Server 2008 (Windows Server 2008 and 2008 R2 DCs)
5. Windows Server 2008 R2 (Windows Server 2008 R2 DCs only)


See this for list of features for different Functional Levels.
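Before raising a level it pays to check the whole forest rather than eyeball one domain. The script below is an added example and is not from the original post; it uses the ActiveDirectory module that ships with Windows Server 2008 R2 (PowerShell 2.0) and takes all domain, forest and DC names from the live directory. It lists, per domain, the DCs whose OS is too old for the target DFL, and only raises the DFL (on each PDC emulator) and then the FFL (on the Domain Naming Master) when nothing blocks it.

```powershell
Import-Module ActiveDirectory

# Minimum DC OS version (the major.minor part of OperatingSystemVersion) for each DFL.
# NT 4.0 BDCs have no nTDSDSA object and never appear in Get-ADDomainController output,
# so check for them separately before leaving a Mixed or Interim level.
$minOsForDfl = @{
    'Windows2003Domain'   = [version]'5.2'   # Windows Server 2003
    'Windows2008Domain'   = [version]'6.0'   # Windows Server 2008
    'Windows2008R2Domain' = [version]'6.1'   # Windows Server 2008 R2
}

function Get-FunctionalLevelReadiness {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Windows2003Domain', 'Windows2008Domain', 'Windows2008R2Domain')]
        [string]$TargetDomainMode
    )
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        # Query the domain's own PDC emulator so every DC (RWDC and RODC) of that domain is seen.
        $dcs = @(Get-ADDomainController -Filter * -Server $domain.PDCEmulator)
        $blocking = @($dcs | Where-Object {
            # OperatingSystemVersion looks like "6.1 (7600)"; compare only the "6.1" part.
            $ver = [version](($_.OperatingSystemVersion -split ' ')[0])
            $ver -lt $minOsForDfl[$TargetDomainMode]
        })
        New-Object PSObject -Property @{
            Domain       = $domain.DNSRoot
            PdcEmulator  = $domain.PDCEmulator
            CurrentDFL   = $domain.DomainMode
            CurrentFFL   = $forest.ForestMode
            TargetDFL    = $TargetDomainMode
            BlockingDCs  = ($blocking | ForEach-Object { "$($_.Name) [$($_.OperatingSystem)]" }) -join '; '
            ReadyToRaise = ($blocking.Count -eq 0)
        }
    }
}

function Invoke-FunctionalLevelRaise {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Windows2003Domain', 'Windows2008Domain', 'Windows2008R2Domain')]
        [string]$TargetDomainMode
    )
    $report   = @(Get-FunctionalLevelReadiness -TargetDomainMode $TargetDomainMode)
    $notReady = @($report | Where-Object { -not $_.ReadyToRaise })
    if ($notReady.Count -gt 0) {
        $notReady | Format-Table Domain, CurrentDFL, BlockingDCs -AutoSize | Out-Host
        throw "Down-level DCs are still present; nothing was raised."
    }
    # The DFL is written on each domain's PDC emulator. The raise is effectively one-way,
    # so the readiness check above is the only safety net.
    foreach ($r in $report) {
        if ("$($r.CurrentDFL)" -ne $TargetDomainMode) {
            Set-ADDomainMode -Identity $r.Domain -DomainMode $TargetDomainMode `
                -Server $r.PdcEmulator -Confirm:$false
        }
    }
    # The FFL comes last, once every domain is at the matching DFL; it is written on the Domain Naming Master.
    $forest = Get-ADForest
    $targetForestMode = $TargetDomainMode -replace 'Domain$', 'Forest'   # Windows2008R2Domain -> Windows2008R2Forest
    if ("$($forest.ForestMode)" -ne $targetForestMode) {
        Set-ADForestMode -Identity $forest.Name -ForestMode $targetForestMode `
            -Server $forest.DomainNamingMaster -Confirm:$false
    }
}

# Report first; raise only when every domain comes back with ReadyToRaise = True.
Get-FunctionalLevelReadiness -TargetDomainMode Windows2008R2Domain | Format-List
# Invoke-FunctionalLevelRaise -TargetDomainMode Windows2008R2Domain
# Recycle Bin needs the 2008 R2 FFL and cannot be turned off again once enabled:
# Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
```

The OS check deliberately uses the version number rather than the OperatingSystem display string, since editions (Standard, Enterprise, Core) vary the string but not the major.minor version.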

Exchange 2010 goes Release Candidate today !

You can get an evaluation copy here.

[Image: exum131]
Scott Schnoll had a great post on how to install the beta, with all the gotchas and a long list of pre-reqs.

http://blogs.technet.com/scottschnoll/archive/2009/04/15/how-to-install-exchange-server-2010.aspx

As Exchange 2010 will only run on Windows Server 2008 (64-bit only), there were some known issues with the beta version on Windows Server 2008 R2 (mainly builds newer than 7000), due to the PowerShell and WinRM stacks being incompatible. Those issues are well discussed here, and hopefully they are now resolved with the RC.

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/e73ec63f-d5f6-4c2d-8d96-51537493a0ff

And here is the system requirements list.

http://technet.microsoft.com/en-us//library/aa996719(EXCHG.140).aspx

No RIDs for you (the RODC) !

Says the RID Master FSMO to an RODC. If you recall, the RID Master's job is to hand out blocks (pools) of relative IDs to the domain controllers so that no two DCs can ever issue the same SID. Whenever a DC creates a security principal, it takes the next available value from its own RID pool and appends it to the domain SID to form a unique SID. The default pool size is 500 RIDs. When we run the RID pool test on an RODC the test is skipped, because an RODC cannot create security principals and is therefore never allocated a RID pool.

dcdiag /v /test:ridmanager

[Image: 08rodc-2009-07-29-19-34-231 (dcdiag /test:ridmanager output on the RODC)]
Here is how the test is supposed to report back on a writable DC, showing the remaining RIDs in its allocated pool.

Creating and applying a PSO with QADPasswordSettingsObject cmdlets is a snap

Creating an additional password policy (known as a Password Settings Object, or PSO) in Windows Server 2008 is very easy with the QAD cmdlets. Fine-grained password policies require the Windows Server 2008 domain functional level, and a PSO can only take effect on users and global security groups. Create a PSO with New-QADPasswordSettingsObject, for example as shown below:

[PS] C:\Windows\System32>New-QADPasswordSettingsObject -name "Traders-Password-Policy" `
>> -passwordhistorylength 9 `
>> -passwordcomplexityenabled $true `
>> -minimumpasswordlength 7 `
>> -minimumpasswordage 1 `
>> -maximumpasswordage 15
>>
...

Name Type DN
---- ---- --
Traders-Password-Policy msDS-Passwor... CN=Traders-Password-Policy,CN=Password Settings Container,CN=System,D...

To check what other password attributes can be defined, see the help for New-QADPasswordSettingsObject. The -appliesto parameter lets you target the PSO at a group or an individual user right from within the cmdlet shown above, but you can also do it afterwards:

[PS] C:\Windows\System32>Add-QADPasswordSettingsObjectAppliesTo 'traders-password-policy' -AppliesTo joe.blow

Name Type DN
---- ---- --
Joe Blow user CN=Joe Blow,OU=Users,OU=Chicago,DC=techevan,DC=lab

Unfortunately, there is no Set-QADPasswordSettingsObject cmdlet yet that lets you modify an existing PSO. You can use ADSIEDIT.msc to do that: launch ADSIEDIT, go to the domain node, then System\Password Settings Container, find the relevant PSO, open its properties and make your modifications.

If you log on as the user we just applied this PSO to in the example above, you will be notified that your password expires in 14 days. It's a great feature in Windows 7.
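The same policy can be built without the Quest cmdlets. The block below is an added example, not code from the original post; it uses the ActiveDirectory module from Windows Server 2008 R2 (also available through RSAT) and reuses the PSO name and the joe.blow account from the post. The 'Traders' global group, the precedence and the lockout values are assumptions. It also covers the two things the post falls back to ADSIEDIT or guesswork for: changing an existing PSO, and checking which policy actually wins for a user.

```powershell
Import-Module ActiveDirectory

function New-TradersPso {
    [CmdletBinding()]
    param([string]$Name = 'Traders-Password-Policy')
    # Same settings as the QAD example, plus the attributes the PSO schema marks mandatory
    # (precedence, reversible encryption and the three lockout values) so the create cannot
    # fail on a missing value. Needs the Windows Server 2008 DFL or higher.
    # Lower Precedence wins when a user is covered by several PSOs.
    New-ADFineGrainedPasswordPolicy -Name $Name `
        -Precedence 10 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 9 `
        -MinPasswordLength 7 `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '15.00:00:00' `
        -LockoutThreshold 10 `
        -LockoutObservationWindow '0.00:30:00' `
        -LockoutDuration '0.00:30:00' `
        -ProtectedFromAccidentalDeletion $true `
        -PassThru
}

function Add-PsoSubjects {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Name,
          [Parameter(Mandatory = $true)][string[]]$Subjects)
    # Only users and global security groups are honoured as PSO subjects. A link to a
    # domain local or universal group, or to an OU, is stored but never takes effect,
    # so refuse anything else instead of silently creating a dead policy.
    foreach ($subject in $Subjects) {
        $obj = Get-ADObject -Filter { SamAccountName -eq $subject } -Properties groupType
        if (-not $obj) { throw "No user or group with sAMAccountName '$subject'" }
        $isUser = $obj.ObjectClass -eq 'user'
        # groupType bits: 0x2 = GLOBAL scope, 0x80000000 = security-enabled
        $isGlobalSecurityGroup = ($obj.ObjectClass -eq 'group') -and
                                 ($obj.groupType -band 2) -and ($obj.groupType -band 0x80000000)
        if (-not ($isUser -or $isGlobalSecurityGroup)) {
            throw "'$subject' is not a user or a global security group; the PSO would not apply"
        }
        Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $obj.DistinguishedName
    }
}

function Get-EffectivePolicy {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$User)
    # msDS-ResultantPSO after precedence is resolved. $null means no PSO applies and the
    # Default Domain Policy governs the account.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($pso) { $pso | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold }
    else      { Write-Warning "$User is governed by the Default Domain Policy" }
}

# Usage (joe.blow comes from the post; the 'Traders' global group is assumed to exist)
New-TradersPso | Out-Null
Add-PsoSubjects -Name 'Traders-Password-Policy' -Subjects 'Traders', 'joe.blow'
# Modify the PSO later without ADSIEDIT:
Set-ADFineGrainedPasswordPolicy -Identity 'Traders-Password-Policy' -MaxPasswordAge '30.00:00:00'
Get-EffectivePolicy -User 'joe.blow'
```

The resultant-policy check is the one worth keeping in a runbook: a PSO linked to a user directly beats any group-linked PSO regardless of precedence, and a PSO linked to the wrong kind of group produces no error at all.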

For more information see these links :

http://technet.microsoft.com/en-us/library/cc753481.aspx#BKMK_2

http://windowsitpro.com/article/articleid/99929/use-powershell-to-manage-fine-grained-password-policies-in-windows-server-2008.html

What Changes in Functionality From Windows Server 2008 to Windows Server 2008 R2

Here is a useful 55-page white paper that describes the changes in functionality from Windows Server 2008 to Windows Server 2008 R2.

08-to-r21

Hyper-V as a guest VM will not run guest VMs within

As expected, and just like its counterpart, you can't run a guest OS (child partition) within Hyper-V when Hyper-V itself is installed as a guest VM. Of course there are several tweaks out there that let you modify the VMkernel and supposedly let you run guest VMs in an ESX environment. I have yet to come across one that does the trick for Hyper-V. Perhaps it's not possible due to some substantial differences between the Hyper-V hypervisor and VMware's ESX(i) hypervisor. Greg Shields recently wrote at length, correctly explaining the difference between the two products.

Rich Brambley, on the other hand, installed Hyper-V R2 under VMware Workstation but didn't proceed to install a VM as a guest on it, which in my opinion was against the whole purpose. You can't really begin to play around with its feature set until you have a handful of workloads running on it.

I gave it a spin, and I came across the "No, no, you can't do this" issue. I have Hyper-V R2 installed as a guest on VMware Workstation 6.5.2. As posted in the last post, Hyper-V is being managed via Windows Server 2008's Hyper-V Management feature.

PowerShell gets a facelift in Windows Server 2008 R2

The long-awaited PowerShell version 2 will be released with Windows Server 2008 R2 and Windows 7 (currently both in beta). As Microsoft intends to push PoSH as the management/interactive/command-driven shell, you will find the PoSH shortcut in your Quick Launch toolbar. In addition to what PoSH v2 has to offer, such as remote management capabilities, a notable difference is the number of cmdlets over version 1: PoSH v2 will have a total of 235 native cmdlets where version 1 only had 129.

Watch a quick (first) screencast I did on this.

Demoting Windows Server 2008 Domain Controller

Windows Server 2008 installs role-specific snap-ins for each role, so if you demote a Windows Server 2008 DC through the normal "dcpromo" command you will notice that the DC-specific roles are not uninstalled from Server Manager. Even though the DC has been fully demoted, Active Directory has been uninstalled and the server has been rebooted, the snap-ins for roles such as AD and DNS are still there (in case your DC was also a DNS server). It is a bit of a nuisance, as these snap-ins will not serve you like the old "adminpak" so that you could manage AD on other DCs from this member server; for that you need the RSAT tools. See the screenshots below for the problem, the error you get if you try to use the snap-in, and finally the wizards to remove the lingering roles.

Repadmin indicates Read-Only Domain Controller in Windows Server 2008

We are all aware how helpful the repadmin tool has become (available through the Windows Support Tools in Windows Server 2003 and earlier) for troubleshooting replication issues. In Windows Server 2008 this tool, along with others, comes pre-packaged with the OS. You no longer have to install the Support Tools to reap the benefits of handy command-line tools such as dcdiag, rendom and many others.

Here is one repadmin syntax I have become used to, as it gives me a snapshot of the source DCs and the destination DCs and their replication status. The command is repadmin /replsum.

In the above scenario there are two DCs (both Windows Server 2008) showing their latest largest delta times. The Source DSA is the one changes have gone out from, whereas the Destination DSA is the one that adopted changes from the other DC, i.e. replicated them in.

What needs to be noticed here is that under normal circumstances both DCs would show up under both Source and Destination, but since VM08-02 is a read-only domain controller it can only pull changes from the other DC and never replicates changes out. It therefore shows up only under Destination DSA, i.e. at the receiving end of Active Directory replication, while the read-write domain controller (RWDC), VM08-01, shows changes replicated out from it.

The fails/total %% and error columns come in very handy when somewhere out there one of your DCs has stopped talking to the others, or hasn't been talked to, due to an issue such as incorrect firewall settings.

Repadmin is one handy tool that all AD admins should invest a little time in learning. For more information on the repadmin /showrepl command, click here.
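Reading /replsum by eye works for two DCs; past that it is worth parsing. The block below is an added example, not from the original post. It turns repadmin /replsum output into objects and flags what the screenshot shows: failures, stale deltas, and DSAs that appear only under Destination (inbound-only, which is by design for an RODC but a problem for a RWDC). The sample text is constructed for this example (the DSA names VM08-01 and VM08-02 are borrowed from the post; DC-BRANCH and the error line are invented) and is not captured output from the post's lab.

```powershell
function ConvertFrom-ReplSum {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    $section = $null
    # DSA, largest delta, fails / total, percent, optional error text
    $rowPattern = '^\s*(?<dsa>\S+)\s+(?<delta>.+?)\s+(?<fails>\d+)\s*/\s*(?<total>\d+)\s+(?<pct>\d+)\s*(?<error>.*)$'
    foreach ($line in $Lines) {
        if ($line -match '^\s*Source DSA')                { $section = 'Source';      continue }
        if ($line -match '^\s*Destination DSA')           { $section = 'Destination'; continue }
        if ($line -match '^\s*Experienced the following') { $section = $null;         continue }
        if (-not $section -or $line -notmatch $rowPattern) { continue }
        $row = $Matches
        # "largest delta" prints as [dd.][hh:]mm:ss with unit letters, e.g. 01d.02h:03m:04s.
        # Anything else (">60 days", "unknown") is left unparsed so it can be flagged.
        $delta = $null
        if ($row.delta -match '^(?:(?<d>\d+)d\.)?(?:(?<h>\d+)h:)?(?<m>\d+)m:(?<s>\d+)s$') {
            $delta = New-TimeSpan -Days ([int]$Matches.d) -Hours ([int]$Matches.h) `
                                  -Minutes ([int]$Matches.m) -Seconds ([int]$Matches.s)
        }
        New-Object PSObject -Property @{
            Section          = $section
            DSA              = $row.dsa
            LargestDelta     = $delta
            LargestDeltaText = $row.delta.Trim()
            Fails            = [int]$row.fails
            Total            = [int]$row.total
            FailPercent      = [int]$row.pct
            Error            = $row.error.Trim()
        }
    }
}

function Get-ReplSumProblems {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][object[]]$Rows,
          [timespan]$MaxDelta = (New-TimeSpan -Hours 3))
    foreach ($r in $Rows) {
        if ($r.Fails -gt 0) {
            "$($r.Section) $($r.DSA): $($r.Fails)/$($r.Total) failures $($r.Error)"
        } elseif ($null -eq $r.LargestDelta) {
            "$($r.Section) $($r.DSA): largest delta '$($r.LargestDeltaText)' could not be parsed"
        } elseif ($r.LargestDelta -gt $MaxDelta) {
            "$($r.Section) $($r.DSA): largest delta $($r.LargestDeltaText) exceeds $MaxDelta"
        }
    }
}

function Get-InboundOnlyDsa {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][object[]]$Rows)
    # Listed as a Destination but never as a Source: nobody pulls from this DSA.
    # Expected for an RODC; for a RWDC it means its changes are not leaving the box.
    $sources = @($Rows | Where-Object { $_.Section -eq 'Source' } | ForEach-Object { $_.DSA })
    $Rows | Where-Object { $_.Section -eq 'Destination' -and $sources -notcontains $_.DSA } |
        ForEach-Object { $_.DSA }
}

# Constructed sample (not real output from the post's lab)
$sample = @'
Replication Summary Start Time: 2009-07-29 19:34:23

Beginning data collection for replication summary, this may take awhile:
  ....

Source DSA          largest delta    fails/total %%   error
 VM08-01                  25m:12s    0 /  10    0
 DC-BRANCH         01d.06h:15m:40s   5 /   5  100  (1722) The RPC server is unavailable.

Destination DSA     largest delta    fails/total %%   error
 VM08-01           01d.06h:15m:40s   5 /   5  100  (1722) The RPC server is unavailable.
 VM08-02                  25m:12s    0 /   5    0
 DC-BRANCH                04m:02s    0 /   5    0
'@ -split "`r?`n"

$rows = @(ConvertFrom-ReplSum -Lines $sample)
Get-ReplSumProblems -Rows $rows      # DC-BRANCH (Source) and VM08-01 (Destination) with RPC failures
Get-InboundOnlyDsa -Rows $rows       # VM08-02, the RODC
# Live run: $rows = @(ConvertFrom-ReplSum -Lines (repadmin /replsum))
```

The delta threshold is the interesting knob: intra-site replication normally completes in under a minute, so a clean fails column with a delta of hours usually means a partner that is reachable but silently not converging, which /replsum on its own does not call out.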

Can a RODC also be a DHCP ?

Sounds like a no-brainer, but there is a catch. I installed the DHCP role on the Server Core box that I had previously set up as a Read-only Domain Controller, using this command.

start /w ocsetup DHCPServerCore

And then I went ahead and set the service start type to "auto" with this command,

sc config dhcpserver start= auto (note the space between the equal sign and auto)

And then finally, when I tried to start the DHCP service with the following command, it failed with these errors.

net start dhcpserver

A system error has occurred.

System error 50 has occurred.

The request is not supported.

So the catch was that on first start the DHCP service tries to create its two domain local security groups, DHCP Administrators and DHCP Users, in the domain. An RODC holds a read-only copy of the directory and cannot perform that write, so the service start fails.

After creating those domain local security groups on another Windows Server 2008 RWDC, the service does run successfully and you can manage the DHCP Server (that is running on Server Core) from another server using RSAT.
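The fix above can be scripted so the groups exist before the DHCP service ever starts on the RODC. This is an added example, not from the original post; it runs on a writable DC (or any machine with the Windows Server 2008 R2 ActiveDirectory module) and the RODC name rodc01 is an assumption.

```powershell
Import-Module ActiveDirectory

function Initialize-DhcpSecurityGroups {
    [CmdletBinding()]
    # The DHCP service creates these two domain local groups itself the first time it starts.
    # On an RODC that write fails with "System error 50", so create them once on a writable DC
    # and let them replicate. Default container is where the service would have put them.
    param([string]$Path = (Get-ADDomain).UsersContainer)
    foreach ($name in 'DHCP Administrators', 'DHCP Users') {
        if (Get-ADGroup -Filter { Name -eq $name }) {
            Write-Verbose "$name already exists"
            continue
        }
        New-ADGroup -Name $name -SamAccountName $name -GroupScope DomainLocal -GroupCategory Security `
            -Path $Path -Description 'Pre-created for DHCP servers hosted on RODCs' -PassThru
    }
}

function Start-RodcDhcp {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Rodc)
    # An RODC only replicates inbound, so pull the new groups to it now instead of waiting
    # for the next replication cycle, then set the start type and start the service remotely.
    repadmin /syncall $Rodc /A /e /d | Out-Null
    sc.exe "\\$Rodc" config dhcpserver start= auto | Out-Null
    sc.exe "\\$Rodc" start dhcpserver | Out-Null
    Get-Service -ComputerName $Rodc -Name DHCPServer   # expect Status = Running
}

Initialize-DhcpSecurityGroups -Verbose
Start-RodcDhcp -Rodc 'rodc01'
```

Membership of DHCP Administrators grants full control of every DHCP server in the domain, so pre-creating the group also means deciding up front who, if anyone, belongs in it.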

Is there a GUI to manage Server Core ?

Yes, there is. Inevitable as it was, we system admins like to accomplish easy tasks at the tips of our fingers and do things in a graphical, clicking environment. You might have heard of the utility, which came out a few months back, called 'Server Core Configurator' by Guy Teverovsky. I had been reading about the bugs and fixes at Guy's site and hadn't given it a try. I have now downloaded a copy that has been fixed up and fine-tuned per the requests of other readers and users who tried out this utility. I installed it on my Server Core copy and I haven't been disappointed; it lets you do a lot of common tasks such as adding the machine to the domain, running DCPROMO on it, changing NIC settings, changing the display and time zone, etc., which would otherwise require you to know the command line or registry edits.

While this utility will come in very handy (until Microsoft perhaps comes out with their own), remember that Server Core is Microsoft's attempt to offer a small-footprint OS of core features along the lines of the Linux-based DHCP and DNS systems such as Infoblox, and they have tried to persuade system admins to learn the powerful capabilities of cscript, WMI and netsh. This does take us the other way a little bit. But I sure am happy to see an option that allows me to do all those initial configuration tasks GUI-ily.

You be the judge and give it a try, download it from here,

http://blogs.microsoft.co.il/files/folders/guyt/entry68860.aspx

P.S. You can only launch the application from the folder where it was installed, i.e. change the directory to C:\Program Files\Server Core Configurator, where it installs by default.

How to turn on Automatic Updates in Server Core

It's pretty simple to turn on automatic updates in Server Core by using scregedit to modify the registry; simply type in this command:

cscript c:\Windows\system32\scregedit.wsf /au 4

After that, you do have to stop and start the Windows Update service:

net stop wuauserv
net start wuauserv

The /au 4 switch enables automatic updates with the default schedule, which checks for updates at 3am, and lets the server reboot if the updates require it. You can disable automatic updates with the /au 1 switch, or use /v to view the current setting. To force an immediate check for updates, run the following command:

wuauclt /detectnow

Remotely Administer Server Core from Vista or Windows Server 2008

You can use Windows Remote Shell (WinRS) in Vista and Windows Server 2008 to remotely manage and administer Server Core. The WinRS client passes commands to the WinRM listener on the Server Core box, which hands them to a command prompt, captures the output and returns it to the WinRS client. To do this you first have to enable Windows Remote Management (WinRM) on Server Core by running the following command. It starts the WinRM service, creates an HTTP listener and adds the matching Windows Firewall exception; in a domain the connection is authenticated with Kerberos, but you should still restrict that firewall exception to the networks your admins connect from.

winrm quickconfig

You can then run, for example, this command to see the license status of the Server Core box remotely from Vista or a full installation of Windows Server 2008:

winrs -r:NameofServerCore "cscript c:\Windows\System32\slmgr.vbs -dli"

Note that you can also use tools such as the Windows Management Instrumentation command line (WMIC) and PowerShell through WMI calls to manage Server Core. At this time Server Core does not support PowerShell directly since it relies on the .NET Framework, which is not there in Windows Server without Windows

Install Server Roles and features on Server Core

In Windows Server 2008 there are roles such as AD Domain Services, DHCP and DNS, role services belonging to roles such as AD Certificate Services and DFS, and finally optional features such as the .NET Framework services, Network Load Balancing (NLB), etc. With the exception of the Active Directory Domain Services role, you install server roles and features on Server Core by using the ocsetup command. The syntax of ocsetup is the same for roles and features. The command is case sensitive, so you need to know the correct capitalization of a server role or feature; you can get that by running the oclist command.

For instance, the following command installs Windows Server Backup, which is a feature:

start /w ocsetup WindowsServerBackup

Using start /w makes the command wait, so you know when ocsetup has finished installing the new role or feature. It also stops you from initiating another command while it's running.

You can also find out what is already installed by running the following oclist syntax:

oclist | find "installed"

How to promote Server Core to be a RODC

The Windows Server 2008 Server Core installation supports Read Only Domain Controllers (RODC). This support makes Server Core ideal for branch office scenarios. To make a Server Core box part of your domain as an RODC, you use an unattended answer file with the following text, filled in with your own settings and passwords. Keep in mind that the file then holds the promotion credentials and the DSRM password in clear text, so protect it and delete it once the promotion has completed.

[DCInstall]
InstallDNS=Yes
ConfirmGC=Yes
RebootOnCompletion=Yes
ReplicaDomainDNSName=2008.lab
ReplicaOrNewDomain=readonlyreplica
ReplicationSourceDC=dc3.2008.lab
SafeModeAdminPassword=
SiteName=Default-First-Site-name
UserDomain=2008.lab
UserName=admin08
Password=
CreateDNSDelegation=No

You can place the text file on the root of your C drive on the server core and run the following command

dcpromo /unattend:unattend.txt

where unattend.txt is the text file you created above.

Later on we will discuss other embedded command-line structures and built-in programs such as OCSETUP, which allow you to add roles and features to your Server Core. Keep in mind that promoting a domain controller is the one setup you must not use OCSETUP for; you must use DCPROMO, otherwise your server may not function properly.

After running the above process, from a Windows Server 2008 full installation using ADUC we can readily confirm that our DC is an RODC.

How to setup IP configuration of Windows Server 2008 Server Core

In order to add your Server Core to a domain you must assign an IP address and a DNS server to the current IP configuration, and you do that using the NETSH tool; otherwise, using the answer file, your setup will fail, complaining about its inability to contact the source DC.

Netsh.exe is a tool an administrator can use to configure and monitor Windows-based computers at a command prompt. With the Netsh.exe tool, you can direct the context commands you enter to the appropriate helper, and the helper then carries out the command. A helper is a Dynamic Link Library (.dll) file that extends the functionality of the Netsh.exe tool by providing configuration, monitoring, and support for one or more services, utilities, or protocols. The helper may also be used to extend other helpers.

You will first check the index assigned to your NIC by running this at command line,

netsh interface ipv4 show interfaces

You can then use this syntax to assign your server an IP address. Note that my NIC's index ID is 2.

netsh interface ipv4 set address name="2" source=static address=192.168.100.202 mask=255.255.255.0 gateway=192.168.100.1

And then you can use the following NETSH command to add your primary DNS server, in my case also the source DC.

netsh interface ipv4 add dnsserver name="2" address=192.168.100.201 index=1

Run ipconfig /all to verify your configuration.

In a future post, I will show you how to setup Server Core to be a Read-Only Domain Controller in a Windows Server 2008 domain.

More on NETSH can be found on http://support.microsoft.com/kb/242468

How to disable Windows Firewall in Windows Server 2008 Server Core

In Server Core the built-in Windows Firewall is on by default. You can disable it completely to get all the networking components working with this NETSH command, but leaving a domain controller or any other server without a host firewall is a bad idea:

netsh firewall set opmode disable

You can use the enable keyword to turn it back on. Rather than disabling it, open only the specific ports and applications you need. Note that the netsh firewall context shown here is the legacy one, kept in Windows Server 2008 for compatibility and deprecated in favour of netsh advfirewall, which additionally lets you scope a rule to a profile and to remote addresses. For example, to open TCP port 3389 for RDP use,

netsh firewall set portopening TCP 3389 "AnyNameHereSuchasRDP"

or

netsh firewall set allowedprogram FullPathToExecutable name=AnyNameHere


For more information on advanced firewall functionalty, please go here.

How to enable RDP for Windows Server 2008 Server Core

Even though the Server Core option of Windows Server 2008 does not have a shell, you can still RDP (Terminal Services) into it using RDC from a Windows client. To do that, you first have to enable RDP on Server Core using the following cscript command.

Cscript \windows\system32\scregedit.wsf /ar 0

In order to use TS from a pre-Vista OS you have to turn off the on-by-default high security setting, i.e. the requirement for Network Level Authentication, which makes the client authenticate before a session and its logon screen are created. Do that with the following command, and bear in mind that it exposes the logon screen to any unauthenticated client; set it back with /cs 1 once the older clients are gone.

Cscript \windows\system32\scregedit.wsf /cs 0

While connected to the Server Core box over Terminal Services, you can use the logoff.exe command to terminate your session.

How can I rename Windows Server 2008 Server Core

Once again, with no GUI, your Windows Server 2008 Server Core can easily be renamed using the Windows Management Instrumentation Command-line (WMIC); here is how:

wmic computersystem where name="%computername%" rename name="new-name"

As a result, you will get a 'Method execution successful' message. However, if your machine is domain-joined, you can use NETDOM to accomplish the same task. Here is the command.

Netdom renamecomputer %computername% /NewName:new-name /UserD:domain-username /PasswordD:*

How to activate Windows Server 2008 Server Core

As we know there is no GUI in the Windows Server 2008 Server Core option, so here is how you can activate your copy. The following was done on an eval copy; here is the cscript command to run.

Cscript C:\Windows\System32\slmgr.vbs -ato

You can run the -xpr switch to tell how much time you have left; mine shows permanently activated. These are the out-of-box scripts that aid in licensing management.

Read my previous post on how to install VM additions in your lab environment (based on VS 2005 R2) to tinker with the Server Core.

Initial Configuration for the Windows Server 2008 Server Core

In a full installation of Windows Server 2008 there is the Initial Configuration Tasks window, which allows you to configure various things after a fresh install. However, since Server Core is GUI-less, or more precisely shell-less rather than entirely GUI-less, the various initial configuration tasks have to be done from the command line or through the few built-in cpls.

In the next few posts I will be showing you the basic configuration of an out-of-box Server Core. Let's start with changing the Administrator's password, which does not happen during the installation. You may use the good old net command to do that,

net user administrator *

or change it by pressing CTRL+ALT+DEL and click Change Password.

You may also need to set the date, time and time zone, and there is a left-behind GUI cpl available for it.

control timedate.cpl

The above cpl will launch the normal Date and Time control panel for you to change the settings. The only other cpl included in Server Core is intl.cpl, which allows you to change the keyboard layouts.

How to rename a Windows Server 2008 domain

Previously you were able to use the RENDOM utility provided by Microsoft to rename your Windows 2000 and Windows Server 2003 domains. In a Windows Server 2008 domain you don't have to install the Rendom utility separately. It gets installed as part of the "Active Directory Domain Services" role when you promote a server to a DC, and it can be found at %windir%\system32\rendom.exe.

I used it to rename a Windows Server 2008 domain in my test lab environment. The process was pretty straightforward, but it may require more tasks if you have multiple DCs in a multi-domain environment.

Domain rename requires the Forest Functional Level to be at least Windows Server 2003; the lab below had both the Domain and Forest Functional Level at Windows Server 2008.

From the command prompt, I started out by running rendom /list, which outputs an XML file (Domainlist.xml) to the directory where rendom resides. You edit that file to change your domain configuration to the new domain name, i.e. ForestDNSZones, DomainDNSZones and the NetBIOS name. See the referenced link for details.

After you have modified the file you can run rendom /showforest, which shows you the future configuration; verify it and make changes if necessary.

Upload the changes you have made in the XML file: Run rendom /upload

Verify readiness of Domain Controller(s): Run rendom /prepare

Execute domain rename instructions: Run rendom /execute

After that finishes successfully, you should also run the GPFIXUP tool to fix up GPO references to your old domain name. See Step 12 of this document.

Here is an example :

C:\Users\Administrator>gpfixup /olddns:08r2.lab /newdns:mcts.lab
Group Policy fix up utility Version 1.1 (Microsoft)

Start fixing group policy (GroupPolicyContainer) objects:
……..

Start fixing site group policy links:
.

Start fixing non-site group policy links:
….
gpfixup tool executed with success.

C:\Users\Administrator>gpfixup /oldnb:08r2 /newnb:mcts
Group Policy fix up utility Version 1.1 (Microsoft)

Start fixing group policy (GroupPolicyContainer) objects:
..
gpfixup tool executed with success.

Lastly, run rendom /end to unfreeze the forest configuration (until then further changes to the forest, such as adding a domain, are blocked), and once the member computers have been rebooted, run rendom /clean to remove the domain rename state from the DCs.

The identity (domain GUID) of the renamed domain does not change during a domain rename operation. Thus a computer’s domain membership does not change as a result of the holding domain being renamed.

However, every member computer joined to the renamed domain needs to be rebooted twice. Please refer to the "How Domain Rename Works" technical reference for more info.

How Domain Rename Works : Microsoft Technet

Other References:

http://dsg.port.ac.uk/~hx/rename_domain/index.php

http://www.msexchange.org/tutorials/Domain-Rename.html (for domains with Exchange)

Installing VMAdditions on Windows Server 2008 Core

Installing VMAdditions on Windows Server 2008 Core can be tricky. In my virtual lab I have Virtual Server 2005 R2 SP1, and I recently decided to test drive the much-hyped Server Core from the Windows Server 2008 lineup. For those of you who don't know what Server Core is and what it caters to:

Server Core is a minimal server installation option for computers running on the Windows Server 2008 operating system. Server Core provides a low-maintenance server environment with limited functionality. Server Core is an installation option that is capable of five well-known server roles: File Server, DHCP Server, DNS Server, Media Services, and Active Directory. Server Core is not a development platform for new server applications. Although Server Core is not an application platform, it does support the development of management tools, utilities, and agents.

Server Core management tools, utilities, and agents fall into two categories: those that manage a server remotely, and those that run locally to manage the server or return data to a centralized management tool. Remote management tools should not require any changes to support Server Core, as long as the tool uses one of the remote protocols supported in Server Core, such as RPC. Local management agents and utilities may require changes to run properly on Server Core. There is no Windows shell and very limited GUI functionality (the Server Core interface is a command prompt).

The installation of Server Core was pretty straightforward and GUI-based, but when it finished I was left with a command prompt from which the rest of the configuration and setup would be run. As in any other Microsoft VM, VMAdditions are a must, as without them you don't have smooth control of your keyboard and mouse, and video is pretty bad.

I started out by mounting the VMAdditions ISO from the web interface of VS2005. (Note that this ISO has been updated with SP1 of VS2005 R2 and provides better results now.) But since Core does not auto-launch CDs, nor does it understand what ISO images are, it failed to kick off the installation.

The trick was to change the directory to D:\, go to the Windows\Setup folder and run the Setup.exe file manually; that immediately started the installation and successfully installed the latest Virtual Machine Additions, version 13.813.

Server Core does provide us the ability to run a DC-like infrastructure server on a low-end machine with a smaller footprint on other network resources.

Time to learn cscript, WMIC, netsh etc. to better manage it, however!

Extend your Windows Server 2008 Eval

You can extend the Windows Server 2008 evaluation copy you have running for trial/demo/testing purposes for up to 240 days.

“Evaluating Windows Server 2008 software does not require product activation. Any edition of Windows Server 2008 may be installed without activation, and it may be evaluated for 60 days. Additionally, the 60-day evaluation period may be reset (re-armed) three times. This action extends the original 60-day evaluation period by up to 180 days for a total possible evaluation time of 240 days. Note: Although you can reset the 60-day evaluation period, you cannot extend it beyond 60 days at any time. When you reset the current 60-day evaluation period, you lose whatever time is left on the previous 60-day evaluation period. Therefore, to maximize the total evaluation time, wait until close to the end of the current 60-day evaluation period before you reset the evaluation period.”

Download your Eval Copy here

More info on extending the evaluation period