Sunday, March 25, 2012

Domain Controller cloning in Windows Server 8 beta

Virtualized domain controller cloning in Windows Server “8” Beta enables administrators to easily and safely deploy cloned domain controllers by copying an existing virtual domain controller. In a virtual environment, administrators no longer have to repeatedly deploy a sysprepped server image, promote the server to a domain controller and then complete additional configuration requirements for deploying each additional domain controller.

Reference from Microsoft Technet

To perform domain controller cloning in the beta, the platform must meet these requirements:
  • The PDC emulator FSMO role is held by a Windows Server 8 Beta domain controller
  • The PDC emulator is online and reachable during the cloning operation (the clone contacts it when it promotes itself)
  • The Hyper-V host that will run the clone is joined to the same domain
  • The source Windows Server 8 Beta domain controller has not previously been migrated from FRS to DFSR for SYSVOL
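The four requirements above can be checked from the source domain controller before any disk is copied. The script below is an added example written for this page, not part of the original post or of Microsoft's lab guide; it uses the post's lab names (contoso.com, HV2) and assumes the beta build reports an operating system version beginning with 6.2 and that `dfsrmig /getglobalstate` prints one of the usual migration state names.

```powershell
# Added example (not from the original post). Run on the source DC (DC02) as a
# domain administrator. Lab names and the 6.2 version prefix are assumptions.
Import-Module ActiveDirectory

function Test-DCCloningPrereq {
    param(
        [string]$HyperVHost = 'HV2'   # host that will run the clone (lab assumption)
    )
    $ok     = $true
    $domain = Get-ADDomain
    $pdc    = Get-ADDomainController -Identity $domain.PDCEmulator

    # 1. The PDC emulator must be a Windows Server 8 Beta DC.
    "PDC emulator: {0} ({1} {2})" -f $pdc.HostName, $pdc.OperatingSystem, $pdc.OperatingSystemVersion
    if ($pdc.OperatingSystemVersion -notlike '6.2*') {
        Write-Warning 'Transfer the PDC emulator role to a Windows Server 8 Beta DC before cloning.'
        $ok = $false
    }

    # 2. ...and it must be reachable while the clone promotes itself.
    if (-not (Test-Connection -ComputerName $pdc.HostName -Count 2 -Quiet)) {
        Write-Warning "PDC emulator $($pdc.HostName) is not reachable."
        $ok = $false
    }

    # 3. The Hyper-V host must be a member of the same domain.
    $hv = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $HyperVHost
    if (-not $hv.PartOfDomain -or $hv.Domain -ne $domain.DNSRoot) {
        Write-Warning "$HyperVHost is not joined to $($domain.DNSRoot) (reports '$($hv.Domain)')."
        $ok = $false
    }

    # 4. SYSVOL on this DC must still be FRS-replicated: any DFSR migration state
    #    past 'Start' means the FRS-to-DFSR migration has begun or completed.
    $state = (dfsrmig /getglobalstate) -join ' '
    "DFSR migration state: $state"
    if ($state -match 'Prepared|Redirected|Eliminated') {
        Write-Warning 'SYSVOL has been migrated to DFSR; this DC cannot be a clone source in the beta.'
        $ok = $false
    }

    return $ok
}

if (Test-DCCloningPrereq) { 'All cloning prerequisites are met.' }
```

Each failed check is reported as a warning rather than stopping at the first one, so a single run lists everything that still has to be fixed.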
Lab environment
There are two domain controllers, DC01 and DC02, running Windows Server 8 Beta as virtual machines on a Hyper-V host named HV1. The domain name is contoso.com, and the forest and domain functional level of contoso.com is Windows Server 2003. I will deploy DC03 on a second Hyper-V host named HV2.

The Goals
Cloning a new domain controller named DC03 from DC02

1. On DC01, log in as Domain Administrator.
2. Launch "Command Prompt".
3. Perform "netdom query fsmo".


Make sure the PDC emulator role is held by DC01 (a Windows Server 8 Beta DC) and that DC01 stays online for the rest of the procedure.

4. Launch "Active Directory Users and Computers".
5. Expand "contoso.com > Users".
6. Double-click "Cloneable Domain Controllers".


This is a new group introduced for domain controller cloning: only a DC whose computer account is a member of it may be used as a clone source. I will add the source domain controller, DC02, to this group.

7. Select "Members" tab.
8. Add "DC02".


9. Click "OK".
10. Go to DC02, log in as Domain Administrator.
11. Launch "Windows Explorer", navigate to "C:\Windows\System32".
12. Open "SampleDCCloneConfig.xml" by Notepad.
13. Save the file as "DCCloneConfig.xml" in "C:\Windows\NTDS".


14. Edit "DCCloneConfig.xml" in "C:\Windows\NTDS".
15. Modify the "ComputerName", "SiteName", "Address", "SubnetMask", "DefaultGateway" and "DNSResolver" elements in the file so that they describe the new DC (DC03), not the source.


16. Save and exit the file.

Remark: Cloning does not support static IPv6 addresses in Windows Server 8 Beta. For IPv6 you must use DHCPv6 or stateless address autoconfiguration (SLAAC).

17. Launch "PowerShell".
18. Perform "Get-ADDCCloningExcludedApplicationList | format-list" to detect incompatible programs and services on the source domain controller.


Examine the output for any returned services or programs. By default, the only entry returned in Windows Server 8 Beta is the "PrintNotify" service. Any installed application that is not part of the operating system, such as anti-virus software, shows up here, as do incompatible Windows services such as the DHCP Server service. Do not allow-list an entry just because it appears: a service that stores machine-specific state (a DHCP scope database, an anti-virus agent identity) will be duplicated on the clone, so either confirm with the vendor that it is safe to clone or remove it from the source DC first.

19. Launch "Notepad" and create a new XML file containing an <Allow></Allow> rule for each service or program returned by the "Get-ADDCCloningExcludedApplicationList" cmdlet that you have decided is safe to clone.


20. Save the file as "CustomDCCloneAllowList.xml" in "C:\Windows\NTDS".


21. Shut down DC02.

Then we can export the VM DC02.contoso.com, or copy its VHD or VHDX file to HV2, to clone the domain controller. I will create a new VM named DC03.contoso.com on HV2 and copy the VHDX file into the new VM's folder. Because both hosts run Windows Server 8 Beta Hyper-V, the new VM receives a different VM Generation ID, which is how the guest tells on boot that it is a copy and not the original. Note that the copied disk contains the complete NTDS.dit, including every password hash in the domain, so treat it exactly like a domain controller backup: copy it over a protected path, and delete any spare copies once DC03 is running.

22. On HV2, log in as Domain Administrator.
23. Launch "Hyper-V Manager".
24. Create a new VM named DC03.contoso.com without hard disk.


25. Copy the vhdx file of DC02.contoso.com to the folder of DC03.contoso.com in HV2.


26. Add the copied hard disk in DC03.contoso.com's VM.


27. Power on DC02 in HV1.
28. Power on DC03 in HV2.


DC03 is now being cloned: on first boot it detects the new VM Generation ID and the DCCloneConfig.xml file, renames itself, applies the IP settings from the file and promotes itself as a new domain controller. If cloning fails, the VM boots into Directory Services Restore Mode instead; check %SystemRoot%\debug\dcpromo.log for the reason.

29. On DC03, log in as Domain Administrator.
30. Launch "Active Directory Users and Computers".
31. Expand "contoso.com > Domain Controllers".


32. Launch "Command Prompt".
33. Perform "repadmin /replsum" to verify the replication.


As a result, domain controller cloning is successful. Once DC03 is replicating, remove DC02 from the "Cloneable Domain Controllers" group again so that a stray copy of its disk cannot promote itself later.
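The same preparation of the source DC (steps 4 to 21) and the final verification (steps 32 to 33) can be done from PowerShell. This is an added example written for this page, not code from the original post or from Microsoft's lab guide. It uses the element names the post says to edit in SampleDCCloneConfig.xml and finds them without caring about the XML namespace prefix the sample uses; the `<AllowList>/<Allow>/<Name>/<Type>` layout of the allow-list file and the IP addresses for DC03 are assumptions.

```powershell
# Added example (not from the original post). Part 1 runs on the source DC (DC02)
# as a domain administrator; Part 2 runs on any DC after DC03 has booted.
Import-Module ActiveDirectory

function Add-XmlChild([System.Xml.XmlNode]$Parent, [string]$Name, [string]$Text) {
    $node = $Parent.OwnerDocument.CreateElement($Name)
    if ($Text) { $node.InnerText = $Text }
    [void]$Parent.AppendChild($node)
    return $node
}

function Initialize-CloneSource {
    param(
        [string]$SourceDC = 'DC02',
        [hashtable]$CloneSettings   # values for DC03 (assumed addresses below)
    )
    $ntds   = Join-Path $env:SystemRoot 'NTDS'
    $sample = Join-Path $env:SystemRoot 'System32\SampleDCCloneConfig.xml'

    # Step 7-9: authorise this DC as a clone source. Remember to remove it again
    # afterwards; membership is what lets a copied disk promote itself.
    Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $SourceDC)

    # Step 18-20: anything not on the built-in allow list blocks cloning. The list
    # is printed for review; here every entry is allowed, which is only right once
    # you have confirmed each one is safe to duplicate (DHCP Server is not).
    $excluded = Get-ADDCCloningExcludedApplicationList
    $excluded | Format-List
    $allow = New-Object System.Xml.XmlDocument
    $root  = $allow.AppendChild($allow.CreateElement('AllowList'))   # assumed layout
    foreach ($app in $excluded) {
        $entry = Add-XmlChild $root 'Allow' $null
        [void](Add-XmlChild $entry 'Name' $app.Name)
        [void](Add-XmlChild $entry 'Type' $app.Type)
    }
    $allow.Save((Join-Path $ntds 'CustomDCCloneAllowList.xml'))

    # Step 12-16: copy the sample and fill in the clone's identity. local-name()
    # matches the element whatever namespace prefix the sample uses.
    [xml]$cfg = Get-Content -Path $sample
    foreach ($name in $CloneSettings.Keys) {
        $node = $cfg.SelectSingleNode("//*[local-name()='$name']")
        if (-not $node) { throw "Element <$name> not found in $sample" }
        $node.InnerText = $CloneSettings[$name]
    }
    $cfg.Save((Join-Path $ntds 'DCCloneConfig.xml'))
    "Wrote DCCloneConfig.xml and CustomDCCloneAllowList.xml to $ntds"
}

function Confirm-ClonedDC {
    param([string]$CloneName = 'DC03', [string]$SourceDC = 'DC02')
    # Step 31-33: the clone should appear as a DC in its site and replicate cleanly.
    Get-ADDomainController -Filter * | Select-Object HostName, Site, IPv4Address | Format-Table -AutoSize
    repadmin /replsum
    if (Get-ADDomainController -Filter "Name -eq '$CloneName'") {
        # Close the window in which a copied disk could promote itself again.
        Remove-ADGroupMember -Identity 'Cloneable Domain Controllers' `
            -Members (Get-ADComputer $SourceDC) -Confirm:$false
        "$CloneName is a domain controller; $SourceDC removed from Cloneable Domain Controllers."
    }
}

# Part 1 (on DC02), then shut down and copy the VHDX as in steps 21-28.
# Addresses are lab assumptions, not values from the post.
Initialize-CloneSource -SourceDC 'DC02' -CloneSettings @{
    ComputerName   = 'DC03'
    SiteName       = 'Default-First-Site-Name'
    Address        = '10.0.0.13'
    SubnetMask     = '255.255.255.0'
    DefaultGateway = '10.0.0.1'
    DNSResolver    = '10.0.0.11'
}
# Stop-Computer -Force            # step 21, once the files look right

# Part 2 (on DC01, after DC03 has booted and promoted itself):
# Confirm-ClonedDC -CloneName 'DC03' -SourceDC 'DC02'
```

The sample file lookup throws if an expected element is missing, so a sample from a different build that renamed an element fails loudly instead of producing a config the clone silently ignores.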

Reference:
Understand and Troubleshoot AD DS Simplified Administration in Windows Server 8 Beta

Test Lab Guide: Demonstrate Windows Server 8 Beta Virtualized Domain Controller (VDC)
http://www.microsoft.com/download/en/details.aspx?id=29027

This posting is provided “AS IS” with no warranties, and confers no rights!

Saturday, March 17, 2012

Adprep.exe in Windows Server 2012

Beginning with Windows Server 2012, there is only one version of "Adprep.exe" (there is no 32-bit version, adprep32.exe). Adprep commands are run automatically as needed when you install a domain controller that runs Windows Server 2012 to an existing Active Directory domain or forest.

Reference from Microsoft Technet:
What's new for Adprep.exe?

If you run the Windows Server 2012 "Adprep.exe" directly on a Windows Server 2003 domain controller, you get the following error message (the new Adprep is 64-bit only and is meant to be run from a newer server).


To add a Windows Server 2012 domain controller to a Windows Server 2003 environment, make sure the forest and domain functional levels are at least Windows Server 2003. When the promotion wizard runs Adprep for you, the credentials you supply must belong to an account that is a member of Enterprise Admins, Schema Admins and Domain Admins of the forest root domain; a plain domain administrator account is not enough for the schema and forest preparation.

The Goals
Promoting a Windows Server 2012 domain controller in Windows Server 2003 environment.

Prerequisites
  • Raise the domain and forest functional level to Windows Server 2003


Assume there is one domain controller, DC01.fabrikam.com, running Windows Server 2003 in the domain fabrikam.com. I would like to add DC02.fabrikam.com, running Windows Server 2012, to this domain.

1. At DC01, log in as Domain Administrator.
2. Launch "ADSI Edit".
3. Expand "Schema [DC01.fabrikam.com] > CN=Schema, CN=Configuration, DC=fabrikam, DC=com".


4. Right-click "CN=Schema, CN=Configuration, DC=fabrikam, DC=com", select "Properties".
5. In the attribute list, find "objectVersion".


Now, the Active Directory schema version of this forest is 31, which is the Windows Server 2003 R2 schema.

6. At DC02, log in as local administrator.
7. Launch "Server Manager".
8. Click "Add roles and features".
9. On "Before You Begin" screen, click "Next".
10. On "Installation Type" screen, select "Role-based or feature-based installation".


11. Click "Next".
12. On "Server Selection" screen, click "Next".
13. On "Server Roles" screen, check "Active Directory Domain Services", then click "Add Features".


14. Click "Next" three times.
15. On "Confirmation" screen, click "Install".


16. When installation finishes, click "Promote this server to a domain controller".


17. On "Deployment Configuration" screen, select "Add a domain controller to an existing domain".
18. Next to "Domain", type "fabrikam.com".
19. Click "Change".
20. Provide the  Enterprise Administrator user name and password of "fabrikam.com".


21. Click "Next".

Remark: I find that the credentials format is "<NetBIOS>\Administrator". If you type "administrator@<domain name>", you cannot proceed further.

22. On "Domain Controller Options" screen, check "Domain Name System (DNS) server" and "Global Catalog (GC)".
23. Provide the password for DSRM.


24. Click "Next" four times.
25. On "Preparation Options" screen, the wizard will perform "Forest and schema preparation" and "Domain preparation"


26. Click "Next" twice.
27. On "Prerequisites Check" screen, click "Install".


Then, DC02 will restart automatically.

28. Back to DC01, check the schema version again.


The Active Directory schema version has been updated to 52. Version 52 is the schema shipped with the Windows Server "8" Beta build used here; the Windows Server 2012 RTM schema is version 56, so an RTM domain controller will raise it further.

29. Go to DC02, log in as Domain Administrator.
30. Insert Windows Server 2012 DVD.
31. Launch "Command Prompt".
32. Navigate to "D:\support\adprep" and perform "adprep.exe /domainprep /gpprep".


The "adprep /domainprep /gpprep" command is not run as part of AD DS installation. It sets the permissions on existing Group Policy objects in SYSVOL that are required for Resultant Set of Policy (RSOP) planning mode, and it triggers a replication of every GPO, which is why it is left as a manual step to be run at a time of your choosing.
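The same promotion, including the schema version check before and after and the manual gpprep step, can be scripted from DC02. This is an added example written for this page, not code from the original post; it reads the schema version over plain LDAP so that it also works against the Windows Server 2003 DC, where the ActiveDirectory PowerShell module is not available. The DVD drive letter, the version-to-release mapping (30 = 2003, 31 = 2003 R2, 44 = 2008, 47 = 2008 R2, 52 = Windows Server "8" Beta, 56 = 2012) and the account name are assumptions from the post's lab.

```powershell
# Added example (not from the original post). Run on DC02 (Windows Server 2012)
# as the local administrator, then again after the reboot for the last two steps.

function Get-SchemaVersion {
    param([string]$Server)
    # objectVersion on the schema naming context, read over LDAP (works against 2003 DCs)
    $rootDse = [adsi]"LDAP://$Server/RootDSE"
    $schema  = [adsi]"LDAP://$Server/$($rootDse.schemaNamingContext)"
    return [int]$schema.objectVersion[0]
}

function Get-SchemaRelease {
    param([int]$Version)
    $known = @{ 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'
                44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2'
                52 = 'Windows Server "8" Beta'; 56 = 'Windows Server 2012' }
    if ($known.ContainsKey($Version)) { return $known[$Version] }
    return "unknown (version $Version)"
}

function Install-FirstWS2012DC {
    param(
        [string]$DomainName  = 'fabrikam.com',
        [string]$ExistingDC  = 'DC01.fabrikam.com'
    )
    $before = Get-SchemaVersion -Server $ExistingDC
    "Schema before: $before ($(Get-SchemaRelease $before))"

    # Adprep runs inside the promotion, so the account must be in Enterprise Admins,
    # Schema Admins and Domain Admins of the forest root. NetBIOS\name format, as
    # the post notes the UPN form is rejected by the wizard.
    $cred = Get-Credential -UserName 'FABRIKAM\Administrator' -Message 'Enterprise admin'
    $dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'

    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
    Import-Module ADDSDeployment

    # Same prerequisite check the wizard runs; stop here if it reports a failure.
    $check = Test-ADDSDomainControllerInstallation -DomainName $DomainName -Credential $cred `
                 -InstallDns -SafeModeAdministratorPassword $dsrm
    $check
    if ($check.Status -ne 'Success') { throw 'Prerequisite check failed; not promoting.' }

    # Global catalog is enabled by default; this reboots the server when done,
    # after forestprep/schema and domainprep have been applied automatically.
    Install-ADDSDomainController -DomainName $DomainName -Credential $cred `
        -InstallDns -SafeModeAdministratorPassword $dsrm -Force
}

function Complete-GpPrep {
    param([string]$ExistingDC = 'DC01.fabrikam.com', [string]$DvdDrive = 'D:')
    $after = Get-SchemaVersion -Server $ExistingDC
    "Schema after: $after ($(Get-SchemaRelease $after))"

    # Not run by the wizard: sets RSOP planning-mode ACLs on every GPO in SYSVOL.
    & (Join-Path $DvdDrive 'support\adprep\adprep.exe') /domainprep /gpprep
}

# Before the reboot:
Install-FirstWS2012DC -DomainName 'fabrikam.com' -ExistingDC 'DC01.fabrikam.com'
# After the reboot, logged in as a domain administrator with the DVD inserted:
# Complete-GpPrep -ExistingDC 'DC01.fabrikam.com' -DvdDrive 'D:'
```

Reading `objectVersion` from the 2003 DC rather than from DC02 confirms that the schema extension has actually replicated back to the old controller, which is the state the screenshots in steps 3 to 5 and 28 show.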

Reference from Microsoft Technet:
Adprep /domainprep /gpprep command is not run automatically


Wednesday, March 14, 2012

Enabling Active Directory Recycle Bin in Windows Server 8 beta

The Active Directory Recycle Bin was introduced in Windows Server 2008 R2. It lets administrators recover deleted Active Directory objects, with their attributes and group memberships intact, without any downtime. Before it existed, recovering a deleted object meant restoring a system state backup on a domain controller and performing an "ntdsutil" authoritative restore, which takes the domain controller offline for the duration. In Windows Server 8 Beta, administrators can manage the Active Directory Recycle Bin through a GUI; in Windows Server 2008 R2 it can only be managed through PowerShell.

If you plan to enable the Active Directory Recycle Bin in Windows Server 8 Beta, consider the following:
  • By default, the Active Directory Recycle Bin in Windows Server 8 Beta is disabled. To enable it, you must first raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2 or higher. This in turn requires that all domain controllers in the forest, or all servers that host instances of the AD LDS configuration set, run Windows Server 2008 R2 or higher.
  • Enabling the Active Directory Recycle Bin is irreversible. After you enable it in your environment, you cannot disable it.
  • To manage the Recycle Bin feature through a user interface, you must use the version of Active Directory Administrative Center in Windows Server 8 Beta.
Reference from Microsoft Technet

The goal
Enable and test the Active Directory Recycle Bin in Windows Server 8 beta

I will enable the Active Directory Recycle Bin in Windows Server 8 Beta in my test lab. There is one domain controller, dc01.fabrikam.com, running Windows Server 8 Beta, and the forest functional level is Windows Server 2003.

1. At DC01, log in as Domain Administrator.
2. Launch "Active Directory Administrative Center".


3. Click "fabrikam (local)".


At this point the "Active Directory Recycle Bin" cannot be enabled because the forest functional level is below Windows Server 2008 R2, and there is no "Deleted Objects" container shown in Active Directory Administrative Center.

4. Close "Active Directory Administrative Center".
5. Launch "Active Directory Domains and Trusts".
6. Right-click "fabrikam.com", select "Raise Domain Functional Level".


7. Next to "Select an available domain functional level", select "Windows Server 2008 R2".


8. Click "Raise", then click "OK" twice.
9. Right-click "Active Directory Domains and Trusts", select "Raise Forest Functional Level".


10. Next to "Select an available forest functional level", select "Windows Server 2008 R2".


11. Click "Raise", then click "OK" twice.
12. Close "Active Directory Domains and Trusts".
13. Launch "Active Directory Administrative Center".
14. Click "fabrikam (local)".
15. Click "Enable Recycle Bin".


16. Click "OK" to enable the "Active Directory Recycle Bin".


After you enable Active Directory Recycle Bin in your environment, you cannot disable it.

17. Click "OK".
18. Press the "Refresh" button.



The "Deleted Objects" container now appears automatically.


This container holds deleted objects for the deleted object lifetime (the msDS-deletedObjectLifetime attribute). Objects can be restored from it during that period; after it expires they become recycled objects and can no longer be restored this way.

19. Right-click "fabrikam (local)", select "New > Organizational Unit".


20. Next to "Name" type "Sales".
21. Uncheck "Protect from accidental deletion".

22. Click "OK".
23. Double-click "Sales".
24. Next to "Tasks", click "New > User".


25. Create a user named, Peter.
26. Next to "Tasks", click "New > Group". 
27. Create a group named, "Manager".


28. Select "fabrikam (local)".
29. Right-click "Sales" OU, select "Delete".

30. Click "Yes".


31. Because there are some objects in Sales OU, check "Use delete subtree server control", then click "Yes".
32. Double-click "Deleted Objects".


33. Right-click "Peter", select "Restore".


"Restore" returns an object to its original location, recorded in the object's lastKnownParent attribute.

34. You will get the following error.


Because the OU itself was deleted, Peter cannot be restored to his original location: the parent no longer exists. To restore Peter to his original location, we need to restore the OU first.

35. Right-click "Peter", select "Restore to".


"Restore to" restores an object to a location you choose instead of the original one.

36. Select "Users", click "OK".
37. Navigate to "Users" folder.


Peter has been restored in "Users" folder.

38. Navigate to "Deleted Objects", select and right-click "Sales" OU and "Manager" group, click "Restore".
39. Navigate to "Sales" OU.


As a result, all objects were restored. When an OU and its contents are deleted together, restore the container before its children; the children can then be restored to their original location, as happened here for the "Manager" group.
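The whole procedure, from raising the functional levels to the failed and then successful restores, can be run from the ActiveDirectory PowerShell module, which is the only way to manage the feature on Windows Server 2008 R2. This is an added example written for this page, not code from the original post. It assumes the post's lab (a single-domain forest fabrikam.com) and that deleted children record their parent in lastKnownParent as either the OU's live DN or its deleted DN, so it matches both.

```powershell
# Added example (not from the original post). Run on DC01 as a domain administrator.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName

# Step 5-12: raise domain, then forest, functional level. Both changes are one-way.
$lowDomain = 'Windows2000Domain','Windows2003InterimDomain','Windows2003Domain','Windows2008Domain'
$lowForest = 'Windows2000Forest','Windows2003InterimForest','Windows2003Forest','Windows2008Forest'
if ($lowDomain -contains "$($domain.DomainMode)") {
    Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain -Confirm:$false
}
if ($lowForest -contains "$($forest.ForestMode)") {
    Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -Confirm:$false
}

# Step 15-16: enable the Recycle Bin once; there is no way back, so check first.
$rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}
"Recycle Bin enabled in: $((Get-ADOptionalFeature -Identity $rb).EnabledScopes -join ', ')"

# Step 19-27: Sales OU (not protected from deletion) with a user and a group.
$ou = "OU=Sales,$domainDn"
New-ADOrganizationalUnit -Name 'Sales' -Path $domainDn -ProtectedFromAccidentalDeletion $false
New-ADUser  -Name 'Peter'   -Path $ou
New-ADGroup -Name 'Manager' -Path $ou -GroupScope Global

# Step 29-31: delete the whole subtree (the "delete subtree server control").
Remove-ADOrganizationalUnit -Identity $ou -Recursive -Confirm:$false

# Step 32: list what is in Deleted Objects, with the attributes restore relies on.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, 'msDS-LastKnownRDN'
$deleted | Select-Object 'msDS-LastKnownRDN', ObjectClass, lastKnownParent | Format-Table -AutoSize

$peter = $deleted | Where-Object { $_.'msDS-LastKnownRDN' -eq 'Peter' -and $_.ObjectClass -eq 'user' }
$sales = $deleted | Where-Object { $_.'msDS-LastKnownRDN' -eq 'Sales' -and $_.ObjectClass -eq 'organizationalUnit' }

# Step 33-34: restoring a child while its parent is still deleted fails.
try {
    Restore-ADObject -Identity $peter.ObjectGUID -ErrorAction Stop
}
catch {
    Write-Warning "Expected failure, parent OU is still deleted: $($_.Exception.Message)"
}
# Step 35-36 equivalent, if you really want Peter somewhere else:
#   Restore-ADObject -Identity $peter.ObjectGUID -TargetPath "CN=Users,$domainDn"

# Step 38: restore the container first, then everything that lived in it.
Restore-ADObject -Identity $sales.ObjectGUID
$children = $deleted | Where-Object {
    $_.lastKnownParent -eq $ou -or $_.lastKnownParent -eq $sales.DistinguishedName
}
$children | Restore-ADObject

# Step 39: Peter and Manager are back in their original OU.
Get-ADObject -Filter * -SearchBase $ou -SearchScope OneLevel |
    Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
```

The try/catch around the first Restore-ADObject reproduces the error from step 34 deliberately; in a real recovery you would skip straight to restoring the container and then its children, which the last block does from the snapshot of Deleted Objects taken before any restore.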
