Windows Server 2012 Step by Step Book

Windows Server 2012 Step by Step

This is my first book, published on December 2, 2012. The following are the chapters covered in detail in the book titled “Windows Server 2012 Step by Step”:

Chapter 1: Introduction to windows server 2012

Chapter 2: Installing and navigating windows server 2012

Chapter 3: Server Roles and Features

Chapter 4: Active Directory Domain Services

Chapter 5: Active Directory Certificate Services

Chapter 6: Active Directory Federation Services

Chapter 7: Active Directory Rights Management Services

Chapter 8: Networking Infrastructure

Chapter 9: Failover Clustering

Chapter 10: Remote Desktop Services

Chapter 11: Security, Protection and protection

Chapter 12: Building Private Cloud with Hyper-V

Chapter 13: Web Server (IIS)

Chapter 14: BranchCache Server configuration

Chapter 15: Routing and Remote Access Server Configuration

Chapter 16: Windows Deployment Services

Chapter 17: Windows Server Update Services

Chapter 18: Volume Activation

Chapter 19: File and Storage Services

Chapter 20: Print and Document Services

Chapter 21: Network Policy and Access Server

Chapter 22: Group Policy Object

Chapter 23: Migrating from Server 2008 to Server 2012

Chapter 24: Supporting Windows Server 2012

Fix Powershell Warning and Enhance Active Directory by installing Active Directory Web Service

The Microsoft Active Directory Management Gateway Service provides a Web service interface to Active Directory domains, and to instances of Active Directory Lightweight Directory Services (AD LDS) or Active Directory Application Mode (ADAM), that run on a domain controller. You can install the Active Directory Management Gateway Service on domain controllers running Windows Server 2003 R2 SP2, Windows Server 2003 SP2, Windows Server 2008 and Windows Server 2008 SP2.

You also need AD Web Services to remedy the PowerShell warning referred to above.

Installing system prerequisites:

  • Active Directory Domain Services installed
  • .NET Framework 3.5 SP1
  • Hotfix KB969166 (NetFx3.5SP1 System.DirectoryServices QFE Roll-Up for AD Web Service)
  • Hotfix KB969429 for Windows Server 2003
  • Hotfix KB967574 for Windows Server 2008
  • Download Active Directory Web Services

Installing Active Directory Web Services:

  • Based on your DC’s operating system version, simply double-click Windows5.2-KB968934-x64.exe, Windows5.2-KB968934-x86.exe, Windows6.0-KB968934-x64.msu or Windows6.0-KB968934-x86.msu, accept the EULA and install AD Web Services.
  • Reboot domain controller

Bug fix for the following error:

C:\WINDOWS\Assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\3.5.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dll is Less Than 3.5.30729.4126

0.188: Second Condition in Prereq.CheckSDSAMQFEInstalled.Section Failed

0.188: Condition Check for Line 4 of PreRequisite returned FALSE

0.188: ReadStringFromInf: UpdSpGetLineText failed: 0xe0000102

0.188: KB968934 Setup encountered an error:  Setup cannot continue because one or more prerequisites required to install KB968934 failed. For More details check the Log File c:\windows\KB968934.log

0.204: ReadStringFromInf: UpdSpGetLineText failed: 0xe0000102

Fix: Download and install NetFx3.5SP1 System.DirectoryServices QFE Roll-Up for AD Web Service from KB969166

Bug fix if the following error occurs:

When attempting to start the service, the error “Error 1067: The process terminated unexpectedly.” appears. After a reboot, ADWS Event ID 1002 appears in the ADWS log: “Active Directory Web Services could not initialize its endpoints. A networking error could have occurred.”

To fix this, modify the Microsoft.ActiveDirectory.WebServices.exe.config file found in the %Windir%\ADWS directory. Add the following lines inside the <appSettings> section, between the <appSettings> and </appSettings> tags:

<add key="DebugLevel" value="Info" />

<add key="DebugLogFile" value="c:\windows\debug\adws.log" />

Valid values for the DebugLevel value are:

0 – No logging

1 – Error (this logs critical errors only)

2 – Warn (this logs warning events as well as error events) – Recommended value to use unless you need full tracing

3 – Info (verbose)

Use strings rather than numbers, so just to be clear, type “Info” between the quotes instead of “3” for example. Once this is done, you’ll see some new events trigger in the ADWS Event log, and then you’ll see the ADWS.log start to populate with diagnostics info.

Finalize installation:

  • Check %Windir%\KB969429.log for any errors
  • Check the event log for warnings, errors or informational events. After a successful installation, you will find the corresponding installation event in the AD Web Services event log.
  • Re-run the PowerShell AD cmdlet to confirm that the warning has gone.

An Overview of Active Directory Certificate Services (AD CS)

Certificate Services provide a public key infrastructure (PKI) for an organization. There are many benefits to having a PKI within an Active Directory infrastructure. One of the biggest advantages of deploying certificates is to identify the party requesting information from a server. This can be a web server, Exchange web mail, or a Windows client requesting authentication from Active Directory. The server that approves and issues certificates is called the certificate authority, or CA for short. Microsoft CA provides many options for diverse customers to deploy certificates according to security requirements, organizational structure and geographical location; that is, certificates can be deployed in a hierarchical manner. The top of the certificate hierarchy is called the root CA (for example, an Enterprise root CA). There can be more than one subordinate CA, depending on your needs. A certificate authority can be standalone or an Enterprise CA. A standalone offline root CA can be used to provide PKI for internal users; the standalone root CA is kept offline to add an extra layer of security to authentication. A subordinate CA placed under the standalone root works as usual, and in this case your root CA is not exposed to compromise. When you request a certificate from the subordinate CA, you have to approve the request manually. Again, this type of deployment provides an extra layer of security, as you can see who is requesting each certificate.

Installation of Root CA:

To install an Enterprise root CA, build a Windows Server 2008 server and join it to the domain. Log on as a domain admin. Add and install the Web Server (IIS) role on that server as a prerequisite. Once finished, add the Active Directory Certificate Services role and select Enterprise root CA while installing the CA. More detailed installation steps were shown in the screenshots.

To install a standalone root CA, follow similar steps with one exception: a standalone CA is not part of the Active Directory domain. You have to manually submit certificate requests to the standalone CA server, which I explain in a later part of this article.

Segregating CA Management Role:

To secure CA management and delegate management authority, you can segregate roles in the certificate authority. There are five roles available to manage a CA: CA Administrator, CA Manager, CA Auditor, Backup Operator and Enrollees. To assign these roles, log on to the CA as an administrator and open the CA management console. Right-click the CA server name and click Properties. Go to the Security tab, add the specific groups to this window and assign the desired roles. The following screenshots illustrate these options.

Secure Certificate Enrollment using HTTPS:

Before you can enroll certificates over the web, install an SSL certificate for the CA itself and provide an FQDN for users and computers to request certificates.

Open the IIS management console on the CA server. Click the CA server, then click Create Domain Certificate in the Actions pane on the right-hand side.

Click Finish to complete request.

Click on Sites>click Bindings

Click Add>Select SSL>Select IP & Port 443

Select the certificate you just created.

Now create a CNAME record in the DNS server, such as CA.microsoftguru.com.au.

Open the IE browser to test the SSL certificate request.

Managing Templates:

There are default certificate templates in the CA. The templates are stored in Active Directory for use by every CA in the forest. When deploying certificates, duplicate a template similar to your purpose (right-click Certificate Templates > Manage), name the template, set the validity period, publish it in Active Directory and set permissions on the Security tab. Then right-click Certificate Templates > New > Certificate Template to Issue. You must select the appropriate group on the Security tab of the template properties to restrict which groups of users can enroll for this certificate.

Installation of Subordinate CA:

Prepare a Windows Server 2008 server. Depending on your deployment topology, open Server Manager, click Add Roles, click Next, and click Active Directory Certificate Services. Click Next twice. Now select the following in the next steps:

Setup Type: Standalone or Enterprise

CA Type: Subordinate

Private key: Create a New Private Key

On the Request a Certificate step, you have two options. If your Enterprise root CA is part of the domain, you can request the subordinate CA certificate automatically or manually. However, if your Enterprise root CA is standalone, or the subordinate CA is standalone, then you have to generate a certificate request and submit it to the root CA. In this article I am requesting the certificate manually, since you can perform the automated request yourself.

Click Next and Finish installation.

Open the requested certificate file and copy its entire content into Notepad. Open the IE browser and browse to the root CA’s certificate enrollment page, such as https://ca.microsoftguru.com.au/certsrv

Click on Request a certificate, Click on Advanced certificate request.

Click Submit a certificate request.

Paste the certificate request into the Base-64-encoded box and select the Subordinate Certification Authority template. Click Submit.

Now download requested certificate and save it on subordinate CA.

Log on to the subordinate CA and open the CA management console; click All Tasks, then Start CA. You will be prompted to import the subordinate certificate issued by the root CA. Browse to the location of the certificate you exported/saved in the previous steps and select it. Your subordinate CA will start now.

Start Menu > Run > services.msc > check that Active Directory Certificate Services is set to Automatic. Now manage and secure the CA as described in this article.

If your root CA is standalone, you can take it offline now. Open Event Viewer by typing eventvwr.exe in Start Menu > Run and check that AD CS is functioning properly.

To set up auditing in AD CS, right-click the AD CS server > Properties > Auditing tab > select the preferred auditing events for the CA server.

To restrict enrollment agents on the CA, open the CA console, right-click the subordinate CA server > Properties > Enrollment Agents tab > Restrict enrollment agents. Here you can add the groups or users that are allowed to request certificates on behalf of another client, and remove Everyone. Similarly, you can disallow everybody from requesting certificates as an enrollment agent. Note that an enrollment agent can only request certificates; it cannot approve or revoke them.

To set certificate requests to pending on the CA, log on to the CA and open the CA console. Right-click the CA server > Properties > Policy Module > Properties > Set the certificate request status to pending.

Restart AD CS services.

Requesting Certificate from standalone CA:

Create a text file, rename it to something like newrequest.inf, and paste the following contents into it:

;----------------------------------------

[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=<DC fqdn>" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

;----------------------------------------

OR

;……………………………..

[NewRequest]
Subject="CN=<FQDN of the computer you are creating the certificate for, e.g. the gateway server or management server>"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

;----------------------------------------

Here, CN is the FQDN of the server on which the requested certificate will be installed.

Now type the following command, and then press ENTER:

certreq -new -f NewRequest.inf NewCert.req

To submit the new request, type the following command (the -config value is the CA host FQDN followed by a backslash and the CA name), and then press ENTER:

certreq -submit -config "FQDN of your CA\Your CA Name" NewCert.req NewCert.cer

Now approve the certificate from the CA management console and retrieve the certificate using the following command, where RequestID is the request id shown by the submit step:

certreq -retrieve RequestID NewCert.cer

Type the following command to accept the certificate, and then press ENTER:

certreq -accept NewCert.cer
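The certreq procedure above, wrapped into two PowerShell functions as an added example (not code from the original post): the first writes the INF and submits the request, the second retrieves and accepts it after the CA administrator has approved the pending request. It assumes it runs elevated on the server that needs the certificate, takes the "CAHost\CA Name" string and subject FQDN as parameters (placeholder values in the usage lines), uses the 2048-bit key length from the second template, sets Exportable to FALSE (the page's template uses TRUE) so the private key stays on the host, and assumes certreq -submit prints a line of the form "RequestId: N".

```powershell
function New-PendingCertRequest {
    param(
        [Parameter(Mandatory)][string]$SubjectFqdn,   # CN of the server that needs the certificate
        [Parameter(Mandatory)][string]$CaConfig,      # "CAHost FQDN\CA Name", as in certreq -config
        [string]$WorkDir = "$env:ProgramData\certreq-demo"
    )
    $ErrorActionPreference = 'Stop'
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $inf = Join-Path $WorkDir 'NewRequest.inf'
    $req = Join-Path $WorkDir 'NewCert.req'
    $cer = Join-Path $WorkDir 'NewCert.cer'

    # Same INF as the page, with a 2048-bit key and a non-exportable private key.
    # The backticks keep "$Windows NT$" literal inside the expandable here-string.
    @"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$SubjectFqdn"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path $inf -Encoding Ascii

    & certreq.exe -new -f $inf $req | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

    # With "Set certificate request status to pending" enabled on the CA, the submit
    # step returns only a request id. Passing $cer avoids a save dialog if the CA
    # happens to issue immediately. Assumed output format: a line "RequestId: N".
    $output = & certreq.exe -submit -config $CaConfig $req $cer 2>&1 | Out-String
    $match  = [regex]::Match($output, 'RequestId:\s*(\d+)')
    if (-not $match.Success) { throw "No RequestId found in certreq output:`n$output" }

    [pscustomobject]@{
        RequestId   = [int]$match.Groups[1].Value
        RequestFile = $req
        CaConfig    = $CaConfig
    }
}

function Complete-PendingCertRequest {
    param(
        [Parameter(Mandatory)][int]$RequestId,
        [Parameter(Mandatory)][string]$CaConfig,
        [Parameter(Mandatory)][string]$SubjectFqdn,
        [string]$WorkDir = "$env:ProgramData\certreq-demo"
    )
    $ErrorActionPreference = 'Stop'
    $cer = Join-Path $WorkDir 'NewCert.cer'

    # Retrieve the issued certificate, then bind it to the pending key in the machine store.
    & certreq.exe -retrieve -config $CaConfig $RequestId $cer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -retrieve failed; has request $RequestId been approved yet?" }
    & certreq.exe -accept $cer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

    # Verify: the certificate must now be in LocalMachine\My with its private key attached.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq "CN=$SubjectFqdn" -and $_.HasPrivateKey } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for CN=$SubjectFqdn with a private key in LocalMachine\My" }
    $cert | Select-Object Subject, Issuer, NotAfter, Thumbprint
}

# Usage (placeholder names): run the first function on the requesting server, approve the
# request in the CA console (or on the CA: certutil -resubmit <RequestId>), then run the second.
# $r = New-PendingCertRequest -SubjectFqdn 'web01.example.test' -CaConfig 'ca01.example.test\Example Issuing CA'
# Complete-PendingCertRequest -RequestId $r.RequestId -CaConfig $r.CaConfig -SubjectFqdn 'web01.example.test'
```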

Removing a Certificate Authority: Log on to the system as the user who installed the certification authority. Server Manager > Roles > Remove Roles > select AD CS and remove the CA. Restart the decommissioned CA server. To remove the remaining information about this CA from Active Directory, type the following from an elevated command prompt and press ENTER:

certutil.exe -dsdel CAName

Dealing with Event IDs 100, 7024 and 48:

Issue a new certificate revocation list by running certutil.exe -crl from an elevated command prompt.

Type certutil.exe -setreg CA\LogLevel 2 and press ENTER to change the log level in the registry.

To disable revocation checking for an unreachable CRL (this makes the CA ignore an offline CRL when validating its own certificate chain; restart the AD CS service afterwards for the setting to take effect), type the following from an elevated command prompt and press ENTER:

certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

How to create an external trust between two separate domains/forests

A trust is a relationship established between two different domains that enables users in one domain to be authenticated by a domain controller in the other domain. There are different types of trust in Microsoft Active Directory, such as external, realm, forest and shortcut trusts. An external trust is necessary when users of two different domains belonging to two different business units want to use resources, such as printers and file servers, in the trusted domain. This article applies to Windows Server 2003, Windows Server 2008/R2, Windows Server 2012/R2 and Windows Server 2016 domains using the same principles written below.

Authentication Consideration

Authentication setting     | Inter-forest trust type | Description
---------------------------|-------------------------|-------------------------------------------------------------------------------
Domain-wide authentication | External                | Permits unrestricted access by any user. Default authentication setting for external trusts.
Forest-wide authentication | Forest                  | Permits unrestricted access by any user. Default authentication setting for forest trusts.
Selective authentication   | External and Forest     | Restricts access over an external or forest trust. This setting must be enabled manually.

Administrative Privilege

To create trust you have to be a member of Domain Admins & Enterprise Admin in both Domains.

Transitive trusts

  • Shortcut trust. A transitive trust between domains in the same domain tree or forest that is used to shorten the trust path in a large and complex domain tree or forest.
  • Forest trust. A transitive trust between one forest root domain and another forest root domain.
  • Realm trust. A transitive trust between an Active Directory domain and a Kerberos V5 realm.

Non-transitive trusts

  • External trust. A non-transitive trust created between a Windows Server 2003 domain and Windows 2000 or Windows Server 2003 domain in another forest.
  • Realm trust. A non-transitive trust between an Active Directory domain and a Kerberos V5 realm.

You have to fulfil a few requirements before you can activate an external trust. For example, both domain controllers must be able to ping each other by IP address. If the domain controllers are in different subnets, proper routing is required. If there is a firewall between the domain controllers, firewall rules must be in place that allow LDAP, DNS and the resource ports to be reached from both sites. The forest and domain functional level must be Windows Server 2003 or later.

Example:

DC1.DomainA.com  IP address: 192.168.100.2

DC1.DomainB.com  IP address: 192.168.200.2

Step1: Port requirement

If you are using MPLS, IP VPN or another VPN, make sure inbound and outbound routing is configured correctly. If you have a firewall between the organisations, make sure the Active Directory ports are open on both sides. For further information on port requirements, see Active Directory and Active Directory Domain Services Port Requirements.

Step2: Add DNS Record in TCP/IP Properties of Domain Controllers

Open TCP/IP Properties of DC1.DomainA.com and add IP address of DC1.DomainB.com in the secondary DNS record.

Open TCP/IP Properties of DC1.DomainB.com and add IP address of DC1.DomainA.com in the secondary DNS record.

Step3: Ping DomainA from DomainB and vice versa

Log on to each domain and ping the other domain controller by IP address. The pings should succeed without delays or time-outs.

Step4: Test AD DS Ports

Telnet to ports 389, 636 and 53 from both sides to test whether you can reach Active Directory (LDAP and LDAPS) and DNS.

Step5: Health Check

Run a quick AD health check in both sides using this Link

Step6: Create PTR Record in both organisation

Add Reverse Lookup Zone of 192.168.200.2 into DC1.DomainA.com. To do this, Right Click on Reverse Lookup Zone>New Zone>Click Next>Primary Zone>Click Next>IPV4 reverse Lookup Zone>Type 192.168.200>Click Next>Finish.

Repeat the step to add 192.168.100.2 PTR into DC1.DomainB.com. To do this, Right Click on Reverse Lookup Zone>New Zone>Click Next>Primary Zone>Click Next>IPV4 reverse Lookup Zone>Type 192.168.100>Click Next>Finish.

Step7: Create Forward Lookup Zones in both organisation

In some DNS environments where DNS has constrained access (situation-specific only), you may have to create a forward lookup zone for DomainA.com in DomainB.com and a forward lookup zone for DomainB.com in DomainA.com. There is no harm in creating a forward lookup zone on both sides, as both forests are going to trust each other once the trust is activated.

To do this, log on to DomainA.com > open DNS Manager > expand Forward Lookup Zones > right-click Forward Lookup Zones > New Zone > Primary Zone > type the FQDN of the forest, e.g. DomainB.com > select the default or “To all domain controllers in this forest” > type the zone name DomainB.com > Allow secure dynamic updates > follow the wizard.

Repeat on the other side: log on to DomainB.com > open DNS Manager > expand Forward Lookup Zones > right-click Forward Lookup Zones > New Zone > Primary Zone > type the FQDN of the forest, e.g. DomainA.com > select the default or “To all domain controllers in this forest” > type the zone name DomainA.com > Allow secure dynamic updates > follow the wizard.

Step8: Create Host (A) record in both organisation

Create a Host (A) record for the domain controller of DomainA.com on the domain controller of DomainB.com, and a Host (A) record for the domain controller of DomainB.com on the domain controller of DomainA.com. To do this, log on to DC1.DomainA.com > right-click the forward lookup zone you created in Step 7, which is DomainB.com > New Host (A) > leave the Name blank > type the IP address of DC1.DomainB.com and select Create associated PTR record > Add Host.

Repeat the steps in DomainB.com. To do this, log on to DC1.DomainB.com > right-click the forward lookup zone you created in Step 7, which is DomainA.com > New Host (A) > leave the Name blank > type the IP address of DC1.DomainA.com and select Create associated PTR record > Add Host.

Step9: Add Name Server (NS) in both organisations

You must add the name server DC1.DomainA.com to the Name Servers property of the zone on DC1.DomainB.com. Repeat the step to add the name server DC1.DomainB.com to the Name Servers property of the zone on DC1.DomainA.com.

To do this, log on to DC1.DomainA.com > open DNS Manager > right-click the forward lookup zone DomainB.com > Properties > Name Servers tab > Add > type the IP address of DC1.DomainB.com.

Repeat the steps in DomainB.com. To do this, log on to DC1.DomainB.com > open DNS Manager > right-click the forward lookup zone DomainA.com > Properties > Name Servers tab > Add > type the IP address of DC1.DomainA.com.

Step10: Test DNS Record

Ping FQDN of DomainA.com from DomainB.com

Ping FQDN of DomainB.com from DomainA.com

Ping DC1.DomainA.com from DC1.DomainB.com

Ping DC1.DomainB.com from DC1.DomainA.com

Step11: Create External Trust

Example: A one-way trust allows users from DC1.DomainB.com (outgoing) to get access to DC1.DomainA.com (incoming), but DC1.DomainA.com does not get access to DC1.DomainB.com.

Note: if you want both sides to have access to each other, change the configuration to a two-way trust and set incoming and outgoing on both sides.

Creating incoming trust in DC1.DomainA.com

1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: incoming, and then click Next.

7. On the Sides of Trust page, click This domain only, and then click Next.

8. On the Trust Password page, type the trust password twice, and then click Next.

With the administrator of the other domain, agree on a secure channel password to be used in establishing the trust.

9. On the Trust Selections Complete page, review the results, and then click Next.

10. On the Trust Creation Complete page, review the results, and then click Next.

11. On the Confirm Incoming Trust page, do one of the following:

  • If you do not want to confirm this trust, click No, do not confirm the incoming trust.
  • If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.

12. On the Completing the New Trust Wizard page, click Finish.

Creating outgoing trust in DC1.DomainB.com

1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: outgoing, and then click Next.

7. On the Sides of Trust page, click This domain only, and then click Next.

8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next:

  • Click Domain-wide authentication.
  • Click Selective authentication.

9. On the Trust Password page, type the trust password twice, and then click Next.

10. On the Trust Selections Complete page, review the results, and then click Next.

11. On the Trust Creation Complete page, review the results, and then click Next.

12. On the Confirm Outgoing Trust page, do one of the following:

  • If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
  • If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.

13. On the Completing the New Trust Wizard page, click Finish.

Step12: Test a Trust Relation

  1. Virtualize two Windows clients
  2. Join them to DomainA and DomainB
  3. Create two test folders in DomainA and DomainB
  4. Share and assign permission to users of DomainA and DomainB for both folders.
  5. Log on to a Windows client in DomainA using credential of DomainB>Access folder of DomainA
  6. Log on to a Windows client in DomainB using credential of DomainA>Access folder of DomainB
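Steps 3, 4 and 10 above are manual connectivity and DNS checks, and Step 12 verifies the trust by logging on as test users. As an added example (not code from the original post), the following PowerShell scripts those checks from DC1.DomainA.com and then inspects the finished trust object. It assumes Windows Server 2012 or later with the ActiveDirectory, DnsClient and NetTCPIP modules and netdom.exe available, uses the page's sample names and addresses as defaults, and follows the page's example in which DomainB users access DomainA resources, so DomainA is the trusting domain.

```powershell
function Test-TrustPrerequisites {
    param(
        [string]$PeerDc     = 'DC1.DomainB.com',   # page's sample values
        [string]$PeerIp     = '192.168.200.2',
        [string]$PeerDomain = 'DomainB.com'
    )
    $results = @()

    # Step 3: reachability by IP address
    $results += [pscustomobject]@{ Check = 'Ping by IP'; Target = $PeerIp
                                   Ok = (Test-Connection -ComputerName $PeerIp -Count 2 -Quiet) }

    # Step 10: the peer domain and its DC must resolve from this side
    foreach ($name in $PeerDomain, $PeerDc) {
        $ok = $false
        try { $ok = [bool](Resolve-DnsName -Name $name -Type A -ErrorAction Stop) } catch { }
        $results += [pscustomobject]@{ Check = 'DNS A lookup'; Target = $name; Ok = $ok }
    }

    # Step 4: the page tests 53, 389 and 636 with telnet; 88 (Kerberos), 135 (RPC endpoint
    # mapper) and 445 (SMB) are also in the AD port requirements the page links to.
    foreach ($port in 53, 88, 135, 389, 445, 636) {
        $tcp = Test-NetConnection -ComputerName $PeerDc -Port $port -WarningAction SilentlyContinue
        $results += [pscustomobject]@{ Check = "TCP $port"; Target = $PeerDc; Ok = $tcp.TcpTestSucceeded }
    }
    $results
}

function Test-ExternalTrust {
    param(
        [string]$TrustingDomain = 'DomainA.com',   # resource side in the page's example
        [string]$TrustedDomain  = 'DomainB.com'    # account side in the page's example
    )
    Import-Module ActiveDirectory
    $trust = Get-ADTrust -Filter "Target -eq '$TrustedDomain'"
    if (-not $trust) { throw "No trust object for $TrustedDomain found in $TrustingDomain" }

    # netdom trust <trusting> /d:<trusted> /verify checks the secure channel of the trust.
    $verify = & netdom.exe trust $TrustingDomain "/d:$TrustedDomain" /verify 2>&1 | Out-String
    $channelOk = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        Target           = $trust.Target
        Direction        = $trust.Direction             # Inbound, Outbound or BiDirectional
        ForestTransitive = $trust.ForestTransitive      # $false for an external trust
        SelectiveAuth    = $trust.SelectiveAuthentication
        # SID filtering (quarantine) is on by default for external trusts; it should stay on so
        # that SIDs carried in SIDHistory from the trusted domain are not honoured here.
        SidFilteringOn   = $trust.SIDFilteringQuarantined
        SecureChannelOk  = $channelOk
        NetdomOutput     = $verify.Trim()
    }
}

# Test-TrustPrerequisites | Format-Table -AutoSize   # run before Step 11
# Test-ExternalTrust                                 # run after Step 11, before the Step 12 logon tests
```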

Optimizing Microsoft Active Directory FSMO roles

There are five Active Directory Flexible Single-Master Operations (FSMO) roles across the domain and forest. The Active Directory Installation Wizard defines the five FSMO roles as: schema master, domain naming master, RID master, PDC emulator, and infrastructure master. The schema master and domain naming master are per-forest roles (e.g. www.A.com). The remaining three, RID master, PDC emulator, and infrastructure master, are per-domain roles.

A forest with one domain (eg www.A.com) has five roles. Every additional domain in the forest adds three domain-wide roles. The number of FSMO roles in a forest and potential FSMO role owners can be determined using the formula ((Number of domains * 3)+2). A forest with three domains (A.com, with child and grandchild domains of B.A.com and C.B.A.com) has eleven FSMO roles:

Schema master – forest-wide A.COM
Domain naming master – forest-wide A.COM
PDC emulators (A.com, B.A.com, and C.B.A.com)
RID masters (A.com, B.A.com, and C.B.A.com)
Infrastructure masters for each respective domain. (A.com, B.A.com, and C.B.A.com)

FSMO scenario:

  • In a Single domain with only one domain controller: holds all five FSMO roles.
  • If a domain has more than one domain controller, use Active Directory Sites and Services to select direct replication partners over a persistent connection. You may assign specific roles to specific domain controllers and distribute them.
  • The standby server may be in the same site as the primary FSMO server for faster replication convergence consistency over a large group of computers, or in a remote site in the event of a site-specific disaster at the primary location.
  • Where the standby domain controller is in a remote site, ensure that the connection is configured for continuous replication over a persistent link. (support tools> replmon.exe to check replication)
  • FSMO placement:

  • Place the RID and PDC emulator roles on the same domain controller. It is also easier to keep track of FSMO roles if you host them on fewer machines. If the load on the primary FSMO holder justifies a move, place the RID and PDC emulator roles on separate domain controllers in the same domain and Active Directory site that are direct replication partners of each other. For example, I have four domain controllers, two of which hold FSMO roles; the rest are standby so that I can move the roles to them in case of failure.
  • Infrastructure master must not be a Global Catalog (GC). Because the global catalog server holds a partial replica of every object in the forest, the infrastructure master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold. Two exceptions to the “do not place the infrastructure master on a global catalog server” rule are:
  • Single domain forest: In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.
  • Multidomain forest where every domain controller in a domain holds the global catalog:  If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain.
  • The schema master and domain naming master roles should be placed on the same domain controller. Additionally, the domain naming master should also be a global catalog server; certain operations that use the domain naming master, such as creating grandchild domains, will fail if this is not the case. In a forest at the Windows Server 2003 forest functional level, you do not have to place the domain naming master on a global catalog.
  • You may use the Ntdsutil.exe utility to transfer or to seize Flexible Single Master Operations (FSMO) roles.

    Transfer FSMO roles: It is recommended that you transfer FSMO roles in the following scenarios:

  • The current role holder is operational and can be accessed on the network by the new FSMO owner.
  • You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
  • The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a “live” domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master roles.
  • Log on to an admin PC or a domain controller located in the forest where the FSMO roles are being transferred, with Enterprise Admin and Schema Admin rights. Microsoft recommends that you log on to the domain controller that you are assigning the FSMO roles to; however, it is not necessary if you know what you are doing.

  • Click Start, click Run, type ntdsutil.exe in the Open box, and then click OK.
  • Type roles, and then press ENTER.
  • Type connections, and then press ENTER.
  • Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign/transfer the FSMO role to.
  • At the server connections prompt, type q, and then press ENTER.
  • Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER. Syntax examples:

    transfer rid master
    transfer pdc
    transfer schema master
    transfer domain naming master
    transfer infrastructure master

    At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

    Seize FSMO roles: Seizing FSMO roles is a critical decision. Perform a seizure only if you fail to demote a domain controller that holds FSMO roles gracefully, or if a domain controller holding FSMO roles has completely failed and cannot communicate with the other domain controllers in the forest. In that case you have no option but to seize the FSMO roles.

  • Click Start, click Run, type ntdsutil in the Open box, and then click OK.
  • Type roles, and then press ENTER.
  • Type connections, and then press ENTER.
  • Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
  • At the server connections prompt, type q, and then press ENTER.
  • Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER. Syntax examples:

    seize rid master
    seize pdc
    seize schema master
    seize domain naming master
    seize infrastructure master

  • At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
  • Global Catalog: Double-check that the schema master and domain naming master are global catalog servers. To check whether a domain controller is also a global catalog server:

  • Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
  • Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available.
  • Open the Servers folder, and then click the domain controller.
  • In the domain controller’s folder, double-click NTDS Settings.
  • On the Action menu, click Properties.
  • On the General tab, view the Global Catalog check box to see if it is selected.
  • Metadata cleanup: Perform this operation only if you fail to demote a DC from the forest gracefully; otherwise it is not needed.

    1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
    2. At the command prompt, type ntdsutil, and then press ENTER.
    3. Type metadata cleanup, and then press ENTER.
    4. Type connections and press ENTER.
    5. Type connect to server servername, and then press ENTER.
    6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.
    7. Type select operation target and press ENTER.
    8. Type list domains and press ENTER. A list of domains in the forest is displayed, each with an associated number.
    9. Type select domain number and press ENTER, where number is the number associated with the domain the server you are removing is a member of. The domain you select is used to determine whether the server being removed is the last domain controller of that domain.
    10. Type list sites and press ENTER. A list of sites, each with an associated number, appears.
    11. Type select site number and press ENTER, where number is the number associated with the site the server you are removing is a member of. You should receive a confirmation listing the site and domain you chose.
    12. Type list servers in site and press ENTER. A list of servers in the site, each with an associated number, is displayed.
    13. Type select server number, where number is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name System (DNS) host name, and the location of the server’s computer account you want to remove.
    14. Type quit and press ENTER. The Metadata Cleanup menu appears.
    15. Type remove selected server and press ENTER. You should receive confirmation that the removal completed successfully. If you receive the following error message, the NTDS Settings object may already be removed from Active Directory
    16. Type quit, and then press ENTER
    17. In the DNS console, use the DNS MMC to delete the A record in DNS. The A record is also known as the Host record. To delete the A record, right-click the A record, and then click Delete. Also, delete the cname record in the _msdcs container. To do this, expand the _msdcs container, right-click cname, and then click Delete. Important If this is a DNS server, remove the reference to this DC under the Name Servers tab. To do this, in the DNS console, click the domain name under Forward Lookup Zones, and then remove this server from the Name Servers tab.
    18. If the deleted computer is the last domain controller in a child domain, and the child domain was also deleted, use ADSIEdit to delete the trustDomain object for the child. To do this, follow these steps:
    • Click Start, click Run, type adsiedit.msc, and then click OK.
    • Expand the Domain NC container.
    • Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
    • Expand CN=System.
    • Right-click the Trust Domain object, and then click Delete.
    19. Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps:
    • Start Active Directory Sites and Services.
    • Expand Sites. Expand the server’s site. The default site is Default-First-Site-Name.
    • Expand Servers. Right-click the domain controller, and then click Delete.

    Verifying Flexible Single Master Operations (FSMO)

    Replmon (Windows Resource Kit Tools): %ProgramFiles%\Windows Resource Kits\Tools\Replmon

    netdom command syntax

    netdom query fsmo /domain:yourdomain.com.au

    dsquery command syntax

    dsquery server -hasfsmo schema

    dsquery server -hasfsmo name

    dsquery server -hasfsmo infr

    dsquery server -hasfsmo rid

    dsquery server -hasfsmo pdc

    DCDiag command syntax

    dcdiag /test:knowsofroleholders /v

    dumpfsmos.cmd command syntax

    dumpfsmos.cmd yourdomain.com.au
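The same role-holder report, the global catalog check the post asks for on the schema and domain naming masters, and the transfer/seize step can be scripted from PowerShell. This is an added example and not code from the original post; it assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later), and the Get-FsmoReport and Move-FsmoRole function names are this example's own.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT on Windows Server 2008 R2 or later) and an account allowed to move the
# role in question (Schema Admins for the schema master, Enterprise Admins for
# the domain naming master, Domain Admins for the other three).
Import-Module ActiveDirectory

# Report every FSMO holder, whether it still answers, and whether it is a GC.
function Get-FsmoReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $holders = @(
        @{ Role = 'SchemaMaster';         Holder = $forest.SchemaMaster },
        @{ Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster },
        @{ Role = 'PDCEmulator';          Holder = $domain.PDCEmulator },
        @{ Role = 'RIDMaster';            Holder = $domain.RIDMaster },
        @{ Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
    )
    foreach ($h in $holders) {
        # ICMP only; a firewall that drops ping makes a live holder look dead, so treat
        # "Online = False" as a prompt to investigate, not as licence to seize.
        $online = Test-Connection -ComputerName $h.Holder -Count 1 -Quiet
        $isGc = $false
        if ($online) { $isGc = (Get-ADDomainController -Identity $h.Holder).IsGlobalCatalog }
        # The post wants the schema and domain naming masters on a GC; flag it when they are not.
        $wantsGc = @('SchemaMaster', 'DomainNamingMaster') -contains $h.Role
        New-Object PSObject -Property @{
            Role          = $h.Role
            Holder        = $h.Holder
            Online        = $online
            GlobalCatalog = $isGc
            Warning       = $(if (-not $online) { 'holder unreachable; a transfer will fail' }
                              elseif ($wantsGc -and -not $isGc) { 'role holder is not a GC' }
                              else { '' })
        }
    }
}

# Transfer a role to $TargetDc. With -Seize the cmdlet runs with -Force, the scripted
# equivalent of ntdsutil's "seize": use it only when the old holder is gone for good,
# and never bring that old holder back onto the network afterwards.
function Move-FsmoRole {
    param(
        [Parameter(Mandatory = $true)] [string] $TargetDc,
        [Parameter(Mandatory = $true)]
        [ValidateSet('PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster')]
        [string] $Role,
        [switch] $Seize
    )
    $current = Get-FsmoReport | Where-Object { $_.Role -eq $Role }
    if ($Seize -and $current.Online) {
        throw "$($current.Holder) still answers; transfer the $Role role instead of seizing it"
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role `
        -Force:$Seize -Confirm:$false
    # Re-read the holder from the directory so the caller sees the result, not an assumption.
    Get-FsmoReport | Where-Object { $_.Role -eq $Role }
}

Get-FsmoReport | Format-Table Role, Holder, Online, GlobalCatalog, Warning -AutoSize
# Move-FsmoRole -TargetDc 'DC02' -Role RIDMaster          # graceful transfer
# Move-FsmoRole -TargetDc 'DC02' -Role RIDMaster -Seize   # seize; old holder is dead
```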

    Keywords: Microsoft Active Directory, FSMO roles.

    Install and configure Microsoft Active Directory Certificate Services (AD CS) using Windows Server 2008 R2

    Microsoft Active Directory Certificate Services (AD CS) in Windows Server 2008 provides customizable services for creating and managing public key infrastructure (PKI) certificates. You can use AD CS to enhance and implement security by binding the identity of a person, device, computer or service to a corresponding private key. AD CS also includes features that allow you to manage certificate enrolment and revocation where necessary. Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private networks (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.

    Standard hardware works for a Windows 2008 AD CS server. Depending on your individual needs and budget, you may virtualise it or use a separate AD CS server. If you have more than one domain controller, you can configure one of them as the CS server; it doesn’t hurt anybody. AD CS requires Windows Server 2008/2003 and Active Directory 2008/2003 Domain Services (AD DS). Here, I am going to talk about Windows 2008 AD CS. Although AD CS can be deployed on a single server, many deployments will involve multiple servers configured as CAs, other servers configured as Online Responders, and others serving as Web enrollment portals. Creating an optimal design will require careful planning and testing before you deploy AD CS in a production environment. Microsoft Windows XP, Windows 7 and Apple Mac OS X 10.5.x (Keychain) can request and enrol for Microsoft Enterprise certificates.


    Features in AD CS

    By using Administrative Tool>Server Manager in windows server 2008, you can set up the following components of AD CS:

    Certification authorities (CA). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity.

    Web Enrollment. Web enrolment (http://servername/certsrv) allows users to connect to a CA by means of a Web browser in order to request certificates.

    Online Responder. The Online Responder service decodes revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.

    Network Device Enrollment Service. The Network Device Enrollment Service allows routers and other network devices that do not have domain accounts to obtain certificates.


    What’s new in Windows Server 2008 AD CS:

    Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis.

    Integrated Simple Certificate Enrollment Protocol (SCEP) enrollment services for issuing certificates to network devices such as routers.

    Scalable, high-speed revocation status response services combining both CRLs and integrated Online Responder services.


    Fresh Installation of Windows 2008 AD CS


    Upgrading or Migrating Active Directory Certificate Services

    Individuals will face different situations when upgrading certificate services on an existing server or migrating them to a new server, but there are common tasks involved in this process. They are:

  • CA backup
  • CA configuration backup
  • Uninstall services
  • Install CA
  • CA restore
  • Active Directory cleanup (if you change the host name)

    Upgrading Active Directory CS on an existing server. Steps required:

  • Version/Edition upgrade
  • Upgrade templates in Active Directory Domain Services (perform this operation if you are upgrading from 2008 Standard to 2008 Enterprise, otherwise not)

    DC+CA situation. You intend to demote your domain controller, but the existing Certificate Authority is installed on that DC and you want to move the CA to a separate domain member server. Steps required:

  • CA backup
  • CA configuration backup
  • Uninstall services
  • Demote domain controller
  • Install CA
  • CA restore

    Performing a CA Backup

    To use the Certification Authority snap-in to create a backup of the CA database and, optionally, the CA certificate and private key:

  • Choose a backup location and attach media, if necessary.
  • Log on with local administrative credentials to the CA computer.
  • Open the Certification Authority snap-in.
  • Right-click the node with the CA name, point to All Tasks, and then click Back Up CA.
  • On the Welcome page of the CA Backup wizard, click Next.
  • On the Items to Back Up page, select the Private key and CA certificate and Certificate database and certificate database log check boxes, enter the backup location, and then click Next.
  • On the Select a Password page, enter a password to protect the CA private key, and click Next.
  • On the Completing the Backup Wizard page, click Finish.
    Exporting Registry Configuration

  • Click Start, point to Run, and type regedit to open the Registry Editor.
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc, right-click Configuration, and then click Export.
  • Enter a location and file name, and then click Save. This creates a .reg file with the registry configuration information for your CA.

    Migrating CA to a Windows 2008 Server

  • Log on with local or enterprise administrator permissions to the CA computer.
  • Click Start, click Run, type servermanager.msc, and then press ENTER to open Server Manager.
  • In the console tree, click Roles.
  • On the Action menu, click Add Roles.
  • If the Before you Begin wizard appears, click Next.
  • In the list of available server roles, select the Active Directory Certificate Services check box, and click Next twice.
  • Make sure that Certification Authority is selected, and click Next.
  • Choose if you are migrating to an enterprise or stand-alone CA, and click Next.
  • Specify either Root or Subordinate CA, depending on the source CA, and click Next.
  • At this stage, you have a choice between creating a new private key or using an existing private key. Use the second option for a migration.
    • To create a new CA certificate and key, select Create a new private key.
    • For a migration, on the Set Up Private Key page, select Use existing private key.
  • Click Select a certificate and use its associated private key, and click Next.
  • If the CA certificate has been installed on the computer, it will be listed in the Certificates box. Otherwise, click Import to import a certificate from the .pfx file created by exporting the CA certificate and private key from the source CA.
  • Click Browse, and locate and select the file containing the certificate and private key exported from the source CA.
  • Enter the password you selected when exporting the CA certificate and key from the source CA, and click OK.
  • Complete the rest of the installation wizard to finish installing AD CS.
  • Click Yes to accept the warning to overwrite AD DS. (This appears only if you are installing an enterprise CA.)
  • If the CA is installed on a workgroup computer or an existing private key was reused, optionally set the distinguished name suffix, and click Next.
  • If the CA is a new root CA, set the validity period for the certificate generated on the CA, and click Next. Otherwise, skip this step.
  • If required, configure the database location paths, and click Next.
  • If you are installing a subordinate CA, select whether to save the certificate request or submit it directly to the CA, and click Next.
  • To install AD CS, click Install.
    Restoring the CA Database

    To import the CA database from the source CA to the target CA by using the Certification Authority snap-in

  • Log on with administrative credentials to the target CA computer.
  • Open the Certification Authority snap-in.
  • Right-click the node with the CA name, point to All Tasks, and then click Restore CA. Click OK to confirm stopping the CA service.
  • In the CA Restore wizard, on the Welcome page, click Next.
  • On the Items to Restore page, select Certificate database and certificate database log. Click Browse, and navigate to the location of the Database folder that contains the CA database export files created when you previously exported the CA database.
  • Enter the password you used to export the CA database from the source CA, if a password is requested.
  • Click Finish, and then click Yes to confirm restarting the CA.
    To import the registry settings from the .reg file to the target CA

  • On the target CA, use the Certification Authority snap-in to stop the CA service.
  • Double-click the .reg file previously edited to open the Registry Editor.
  • Confirm that the registry keys were imported, and close the Registry Editor.
  • Restart the CA.
  • Use the Registry Editor to verify any settings that were changed or edited in the .reg file in the previous steps.
  • Additionally, use the Certification Authority snap-in to verify the following settings. Right-click the node with the CA name, and click Properties.

    Managing AD CS

    AD CS role services are managed by using Microsoft Management Console (MMC) snap-ins.

    · To manage a CA, use the Certification Authority snap-in. To open Certification Authority, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certification Authority, click Add, click OK, and then double-click Certification Authority.

    · To manage certificates, use the Certificates snap-in. To open Certificates, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certificates, click Add, click OK, and then double-click Certificates.

    · To manage certificate templates, use the Certificate Templates snap-in. To open Certificate Templates, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certificate Templates, click Add, click OK, and then double-click Certificate Templates.

    · To manage an Online Responder, use the Online Responder snap-in. To open Online Responder, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Online Responder, click Add, click OK, and then double-click Online Responder.

    Certificate Services Command References

    To run all of these you must log on to the CA as an administrator and open a command prompt.

    Back up the certificate database: certutil -backupdb BackupDirectory

    Back up the private key: certutil -f -backupkey BackupDirectory

    Determine the CSP and hash algorithm: certutil -getreg ca\csp\*

    Query the list of serial numbers of all certificates that have an archived key associated with them:

    certutil -view -restrict "KeyRecoveryHashes>0" -out SerialNumber | findstr /C:"SerialNumber: " >sn.txt

    To convert the binary large object files created in the step above into .pfx files:

    for %i in (*.bin) do certutil -p YourPassword -recoverkey %i %i.pfx

    Disable web enrolment after uninstalling Certificate Services: certutil -vroot delete

    Shut down the CA: certutil -shutdown

    Find the database location: certutil -databaselocations

    Restore the database: certutil -f -restoredb BackupDirectory

    Assign templates: certutil -setcatemplates +TemplateList

    Enable the use of version 2 and version 3 certificate templates on an upgraded enterprise CA:

    certutil -setreg ca\setupstatus +512

    net stop certsvc

    net start certsvc

    Reset the CRL publishing period:

    certutil -delreg CA\CRLNextPublish

    certutil -delreg CA\CRLDeltaNextPublish

    Restore encryption keys: certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN

    Certificate database and log file location:

    %WINDIR%\system32\certlog and %WINDIR%\system32\certsrv
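The "CA backup" and "CA configuration backup" steps of the migration list above, and the certutil -backupdb / -backupkey and registry export commands from this reference, can be scripted together so the backup is verified before the source CA is uninstalled. This is an added example and not code from the original post; it assumes it runs elevated on the source CA, and the function name, folder layout and manifest file are this example's own choices.

```powershell
# Added example, not from the original post. Runs elevated on the source CA and
# uses the certutil.exe and reg.exe commands from the reference above; the
# folder layout and the manifest file are this example's own choices.
function Backup-CaForMigration {
    param(
        [Parameter(Mandatory = $true)] [string] $BackupRoot,
        [Parameter(Mandatory = $true)] [Security.SecureString] $KeyPassword
    )
    $dest = Join-Path $BackupRoot ('ca-backup-' + (Get-Date -Format 'yyyyMMdd-HHmm'))
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # CA database and log: certutil -backupdb writes them into a DataBase subfolder.
    & certutil.exe -backupdb $dest
    if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed with exit code $LASTEXITCODE" }

    # CA certificate and private key as a password-protected .p12. certutil only
    # accepts the password on its command line, so keep transcripts of this session private.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($KeyPassword)
    try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    & certutil.exe -f -p $plain -backupkey $dest
    if ($LASTEXITCODE -ne 0) { throw "certutil -backupkey failed with exit code $LASTEXITCODE" }

    # CA configuration backup: the regedit "Export" of CertSvc\Configuration, scripted.
    $regFile = Join-Path $dest 'CertSvc-Configuration.reg'
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

    # Make sure the pieces the Restore CA wizard and certutil -restoredb expect really exist.
    $edb = Get-ChildItem -Path (Join-Path $dest 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
    $p12 = Get-ChildItem -Path $dest -Filter '*.p12'
    if (-not $edb) { throw "no CA database (.edb) found under $dest\DataBase" }
    if (-not $p12) { throw "no CA certificate and key file (.p12) found in $dest" }

    # SHA-256 manifest so the copy on the target CA can be checked before restoring from it.
    $sha = [Security.Cryptography.SHA256]::Create()
    Get-ChildItem -Path $dest -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $hash = [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($_.FullName))) -replace '-', ''
        "$hash  $($_.FullName.Substring($dest.Length + 1))"
    } | Set-Content -Path (Join-Path $dest 'manifest.sha256')
    return $dest
}

$keyPw = Read-Host -AsSecureString 'Password to protect the exported CA key'
Backup-CaForMigration -BackupRoot 'D:\CABackup' -KeyPassword $keyPw
```

On the target CA the counterparts are certutil -f -restoredb BackupDirectory (or the Restore CA wizard) and a double-click import of the .reg file, after the manifest has been checked against the copied files.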


    Active Directory health check

    Event Viewer

    Check the event logs on all DCs, specifically the DNS Server, System and Application logs, to confirm everything is OK.

    Dcdiag.exe

    This is a must and will always tell you if there is trouble with the DCs and/or the services associated with them.

    Netdiag.exe

    This will let me know if there are issues with the networking portion on the DC.

    netsh dhcp show server

    This command identifies the DHCP servers authorised in the AD infrastructure.

    Repadmin /showreps

    This shows all replication among DCs.

    repadmin /replsum /errorsonly

    repadmin /syncall /AdeP

    These will identify any issues with replication among DCs.

    Active Directory DNS Check

    Dnslint /ad domain_controller_ip_address /s dns_server_ip_address
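The checks above (dcdiag, repadmin and the event logs) can be run against every DC at once and collapsed into one table, which is handy when the same check is repeated after each change. This is an added example and not code from the original post; it assumes the ActiveDirectory module and the RSAT tools on the machine it runs from, rights to read the DCs' event logs remotely, and the Test-DcHealth name and $HoursBack window are this example's own.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and the dcdiag/repadmin tools (RSAT) on the machine it runs from, plus rights to
# read the DCs' event logs remotely. Function name and $HoursBack are this example's own.
Import-Module ActiveDirectory

function Test-DcHealth {
    param([int] $HoursBack = 24)
    $since = (Get-Date).AddHours(-$HoursBack)

    # repadmin /showrepl (the post's /showreps) for every DC as CSV: one row per partner and partition.
    $repl = & repadmin.exe /showrepl '*' /csv | ConvertFrom-Csv

    foreach ($dc in Get-ADDomainController -Filter *) {
        $name = $dc.HostName

        # dcdiag /q prints only failures, so every 'failed test' line is a real problem.
        $dcdiagFails = @(& dcdiag.exe "/s:$name" /q | Where-Object { $_ -match 'failed test' })

        # Inbound replication links of this DC with a non-zero failure count
        # (the same links repadmin /replsum /errorsonly would report).
        $replFails = @($repl | Where-Object {
            $_.'Destination DSA' -eq $dc.Name -and [int] $_.'Number of Failures' -gt 0 })

        # Critical (level 1) and Error (level 2) events since $since in the logs the post names.
        # Each log is queried on its own so a DC without the DNS Server log does not hide the rest.
        $events = @()
        foreach ($log in 'System', 'Directory Service', 'DNS Server') {
            $events += @(Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = $log; Level = 1, 2; StartTime = $since })
        }

        New-Object PSObject -Property @{
            DC             = $name
            GlobalCatalog  = $dc.IsGlobalCatalog
            DcdiagFailures = $dcdiagFails.Count
            ReplFailures   = $replFails.Count
            ErrorEvents    = $events.Count
            Healthy        = ($dcdiagFails.Count + $replFails.Count + $events.Count) -eq 0
        }
    }
}

Test-DcHealth -HoursBack 24 |
    Format-Table DC, GlobalCatalog, DcdiagFailures, ReplFailures, ErrorEvents, Healthy -AutoSize
```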

    Third-party tools

    Manage Engine AD Manager Plus, Wise Soft Bulk user Admin, Solarwinds Engineer’s toolset, Active Directory Cleaner are very handy tools to monitor and manage Active Directory.

    These are little things that give me peace of mind. I reckon “assume nothing, believe nothing, check everything…..” is the best way to prevent disaster.