Migrate a SQL Server database to Azure SQL Database

Gallery

This gallery contains 1 photo.

Azure Database Migration Service partners with DMA to migrate existing on-premises SQL Server, Oracle, and MySQL databases to Azure SQL Database, Azure SQL Database Managed Instance or SQL Server on Azure virtual machines.     Moving a SQL Server database … Continue reading

Migrating VMware Virtual Workloads to Microsoft Azure Cloud

Gallery

This gallery contains 3 photos.

Overview Migrating to the cloud doesn’t have to be difficult, but many organizations struggle to get started. Before they can showcase the cost benefits of moving to the cloud or determine if their workloads will lift and shift without effort, … Continue reading

Windows Server 2008 R2 Active Directory Certificate Services Deep Dive

How to use the Certreq.exe utility to create and submit a certificate request that includes a SAN

Create a text file using notepad. copy the following content and paste inside the text file and save as request.inf.

;copy from here

[Version]

Signature=”$Windows NT$

[NewRequest]
Subject = “CN=myserver.microsoftguru.com.au” ; must be the FQDN of domain controller
EncipherOnly = FALSE ; only for Win2k3 & WinXP
Exportable = TRUE  ; TRUE = Private key is exportable
KeyLength = 2048    ; Common key sizes: 2048, 4096, 8192, 16384
KeySpec = 1             ; Key Exchange
KeyUsage = 0xA0     ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = “Microsoft RSA SChannel Cryptographic Provider”
ProviderType = 12
RequestType = CMC ; or PKCS10

; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]

; If your client operating system is Win2k8,Win Vista, Win7

; SANs can be included in the Extensions section by using the following text format.

;Note 2.5.29.17 is the OID for a SAN extension.

2.5.29.17 = “{text}”

_continue_ = “dns=Exchange1.microsoftguru.com.au&”

_continue_ = “dn=CN=Exchange1,OU=My Servers,DC=microsoftguru,DC=com,DC=au&”

_continue_ = “url=http://myserver.microsoftguru.com.au&”

_continue_ = “ipaddress=172.31.10.134&”

_continue_ = email=test@microsoftguru.com.au&

_continue_ = upn=test@microsoftguru.com.au&

_continue_ = “guid=f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39&”    

;Alternatively you create a SAN attribute using a script provided in KB

; use text format or encrypted format of SAN. 2.5.29.17=MCaCEnd3dzAxLmZhYnJpa2FtLmNvbYIQd3d3LmZhYnJpa2FtLmNvbQ==

[RequestAttributes]

; Multiple alternative names must be separated by an ampersand (&).

;In the example I have shown two different types of SAN. Use only one type of SAN.

;Asterisk *.yourdomainname.com.au is used for Wildcard certificates.

SAN=”dns=exchange1.microsoftguru.com.au&dns=www.microsoftguru.com.au&ipaddress=172.31.10.130″

SAN=”dns=webmail.microsoftguru.com.au&dns=*.microsoftguru.com.au&dns=autodiscover.microsoftguru.com.au”

CertificateTemplate = WebServer

; change template name depending on your environment.

; remove “;” from request.inf file. file ends here.

Important Note: Some third-party certification authorities (For examples ISPs who sell SSL certificate) may require additional information in the Subject parameter. Such information includes an e-mail address (E), organizational unit (OU), organization (O), locality or city (L), state or province (S), and country or region (C). You can append this information to the Subject name (CN) in the Request.inf file. For example: Subject=”E=test@microsoftguru.com.au, CN=<FQDN of server>, OU= My Servers, O=Microsoftguru, L=Perth, S=WA, C=AU.” Amend Request.inf as per your need. For a standard certificate request you can omit SAN, [Extensions] and[EnhancedKeyUsageExtension] section.

Open a command prompt. At the command prompt, type the following command, and then press ENTER:

certreq -new c:request.inf c:certnew.req

At the command prompt, type the following command, and then press ENTER:

certreq -submit c:certnew.req c:certnew.cer

If there is more than one CA in the environment, the -config switch can be used in the command line to direct the request to a specific CA. If you do not use the -config switch, you will be prompted to select the CA to which the request should be submitted.

certreq -submit -config “DC.microsoftguru.com.auMYCA” c:certnew.req c:certnew.cer

Use the Request ID number to retrieve the certificate. To do this, type the following command, and then press ENTER:

certreq -retrieve RequestID c:certnew.cer

You can also use the -config switch here to retrieve the certificate request from a specific CA.

At the command prompt, type the following command, and then press ENTER:

certreq -accept c:certnew.cer

This command imports the certificate into the appropriate store and then links the certificate to the private key that is created in previous step.

How to configure a CA to accept a SAN attribute from a certificate request

certutil -setreg policyEditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

To repair a certificate
  1. If you are using a network HSM, complete steps 8 through 10 to repair the association between the imported CA certificate and the private key that is stored in the HSM.

  2. In the console tree, double-click Personal Certificates, and click the imported CA certificate.

  3. On the Action menu, click Open. Click the Details tab, copy the serial number to the Clipboard, and then click OK.

  4. Open a Command Prompt window, type certutil –repairstore My “{Serialnumber}” and then press ENTER.

image

How to enable secure certificate enrolment in certificate authority

Step1: Create request.inf file using WebServer template

Step2: Generate a web server certificate request.req file using certreq.exe tools

certreq -new c:request.inf c:request.req

Step3: Submit the request.req file using certreq.exe or CA Management Console. Save certificate.cer

Open CA MMC>Select CA server>Right click on CA Server>Click All Task>Submit a new request

Point the location c:request.req and submit. you will be prompted to save certificate.

image

Step4: Import the certificate into certificate authority

Start Microsoft Management Console (MMC). Add the Certificates snap-in that manages certificates on the local computer.

Expand Certificates (Local Computer), expand Personal, and then expand Certificates. Right Click Import certificate you saved in previous steps.

Step5: Open IIS Management Console>Select Default Web Site>Click Bindings from Action Pan>Click Add>Select HTTPS>Select the certificate you just imported in previous step. Click OK.

image

image

image

Step6: Run iisreset /restart from command prompt

Step7: Test https://MYCA/certsrv

How to use secure Web enrollment pages to submit a certificate request to an enterprise CA

To submit a certificate request that contains a SAN to an enterprise CA, follow these steps:

  1. Open Internet Explorer. In Internet Explorer, connect to https://MYCA/certsrv.
  2. Click Request a Certificate.>Click Advanced certificate request.

image

  1. Click request a certificate
  2. In the Certificate Template list, click Web Server. Note The CA must be configured to issue Web Server certificates.
  3. Provide identifying information as required.
  4. In the Name box, type the fully qualified domain name FQDN of the server.
  5. Under Key Options, set the following options:
    • Create a new key set
    • CSP: Microsoft RSA SChannel Cryptographic Provider
    • Key Usage: Exchange
    • Key Size: 1024 – 16384
    • Automatic key container name
    • Store certificate in the local computer certificate store

Under Advanced Options, set the request format to CMC. In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:

san:dns=dns.name[&dns=dns.name]

image

Multiple DNS names are separated by an ampersand (&). For example, if the name of the server is myserver.microsoftguru.com.au and the alias are autodiscover.microsoftguru.com.au and webamil.microsoftguru.com.au, these names must be included in the SAN attributes. The resulting attribute string appears as follows:

san:dns=myserver.microsoftguru.com.au&dns=myweb.microsoftguru.com.au&dns=mysite.microsoftguru.com.au

 

image

Click Submit. If you see the Certificate Issued Web page, click Install this Certificate.

My preferred way to request a certificate is to create a .req file shown in previous steps. open .req file in a notepad and copy the contents. click submit a certificate request by using base 64-encode

image

Paste the contents into base 64-encode. Select web server template. click submit.

image

Now obtain certificate click yes.

image

to download certificate with root CA CRL  click Download certificate chain in p7b format

to download only certificate click download certificate and save.

image

How to configure Private Key in Certificate Authority and Export Private Key

1. Open CA MMC from Administrative Tools>Right Click on Certificate Template>Click Manage

image

2. Select WebServer Template>Right Click on WebServer Template>Click Duplicate Template>Select Win2k3 or Win2k8 OS Version>Type Template Name as WebServer With Private Key in General Tab

3. Click Request Handling Tab>Check Allow private key to be exported

 image

4. Click Security Tab> Allow appropriate security for the person who will enroll and export the certificates

image

5. Click Ok. Close CA MMC.

6. Create a WebServer Request.inf. Create Request.req file

7. Submit WebServer request to https://myca/certsrv . Download and install certificate.

To export a certificate with the private key

1.Open Certificate Manager by clicking the Start button>Search Box>Type certmgr.msc, and then pressing ENTER.‌

2. Go to Certificates-Current UserPersonalCertificates>Select Certificate you would like to export.

3. On the Action menu, point to All Tasks, and then click Export. In the Certificate Export Wizard, click Yes, export the private key.

Note that this option will appear only if the private key is marked as exportable in request.inf file and you have access to the private key.

4. Under Export File Format, do one or all of the following, and then click Next.

  • To include all certificates in the certification path, select the Include all certificates in the certification path if possible check box.
  • To delete the private key if the export is successful, select the Delete the private key if the export is successful check box.

5. In Password, type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next.

6. In File name, type a file name and path for the PKCS #12 file that will store the exported certificate and private key, click Next, and then click Finish.

How to import Private Key

  1. Click Start Menu>Search Box>Click mmc.msc>Click Certificates>Add Computer Account>Click OK.

  2. Click a folder, click the Action menu, point to All Tasks, and then click Import.

image

3. Browse to the location where you exported certificates>Select Certificate>Provide password to import the certificate.

4. Click Next, and then follow the instructions.

Playing with AD CS Administration Cmdlets in Windows PowerShell

The following Windows PowerShell® cmdlets that are for use in administering the Active Directory Certificate Services (AD CS) certification authority (CA) role service in Windows Server® “8” Beta.

  • Import-Module ServerManager – Imports the Server Manager module that provides the Add-WindowsFeature cmdlet.
  • Add-WindowsFeature Adcs-Cert-Authority – Adds the Certification Authority role service binaries.
  • Add-WindowsFeature Adcs-Enroll-Web-Pol – Adds the Certificate Enrllment Policy Web Service binaries.
  • Add-WindowsFeature Adcs-Enroll-Web-Svc – Adds the Certificate Enrollment Web Service binaries.
  • Add-WindowsFeature Adcs-Web-Enrollment – Adds the Certification Authority Web Enrollment role service binaries.
  • Add-WindowsFeature Adcs-Device-Enrollment – Adds the Network Device Enrollment Service binaries.
  • Add-WindowsFeature Adcs-Online-Cert – Adds the Online Responder role service binaries.
  • Get-Command -Module AdcsDeployment – Displays all the cmdlets that are associated with AD CS Deployment.

Disaster recovery or Migrate procedure of Active Directory Certificate Authority:

Moving a CA from one computer to a second computer involves the following procedures:

  • Backing up the CA on the first computer
  • Restoring the CA on the second computer

You must be a member of domain admins security group to perform the following operation. To move a CA from a server that is running Windows Server 2003 to a server that is running Windows Server 2008, you can either complete the Windows upgrade first and then move the CA or move the CA first and then upgrade Windows.

  • To upgrade Windows first: Upgrade the first server from Windows Server 2003 to Windows Server 2008, back up the CA on this server, and then restore the CA on a second server running Windows Server 2008.
  • To move the CA first: Back up the CA on a computer running Windows Server 2003, restore the CA on a second computer running Windows Server 2003, and then upgrade the second server to Windows Server 2008.

To back up a CA

  1. Open the Certification Authority snap-in.

  2. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.

image

3. Click Next, and select the Private key and CA certificate and Certificate database and certificate database log check boxes. Specify the backup location, and then click Next.

image

4. Type a password for the CA private key backup file, and type it a second time to confirm the password. then click Finish

image

5. Click Start, click Run, type regedit, and then click OK. Locate and right-click the following registry subkey: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCertSvcConfiguration

 

image

6. Click Export. Save the registry file in the CA backup folder that you used for the Certification Authority Backup Wizard.

7. Backup the CA logs from the D:WinntSystem32Certlog folder, you must restore the backup to the D:WinntSystem32Certlog folder. After you restore the backup, you can move the CA database files to a different location.

image

8. In addition of above steps back up CAPolicy.inf . If your source CA is using a custom CAPolicy.inf file, you should copy the file to the same location as the source CA backup files. The CAPolicy.inf file is located in the %SystemRoot% directory, which is usually C:Windows.

To back up a CA database and private key by using Certutil.exe
  1. Log on with local administrative credentials to the CA computer.

  2. Open a Command Prompt window.

  3. Type Certutil.exe –backupdb <BackupDirectory> and press ENTER.

  4. Type Certutil.exe –backupkey <BackupDirectory> and press ENTER.

  5. Type a password at the prompt, and press ENTER. You must retain a copy of the password to access the key during CA installation on the destination server.

  6. Type net stop certsvc and press ENTER to stop the Active Directory Certificate Services service. The service must be stopped to prevent issuance of additional certificates.

  7. After the backup completes, verify the following files in the location you specified:

    • CAName.p12 containing the CA certificate and private key
    • Database folder containing files certbkxp.dat, edb#####.log, and CAName.edb
  8. Copy all backup files to a location that is accessible from the destination server; for example, a network share or removable media.

How to remove the CA role service from the source server

It is important to remove the CA role service from the source server after completing backup procedures and before installing the CA role service on the destination server. Enterprise CAs and standalone CAs that are domain members store in Active Directory Domain Services (AD DS) configuration data that is associated with the common name of the CA. Removing the CA role service also removes the CA’s configuration data from AD DS. Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by destination CA and interferes with its operation.

The CA database, private key, and certificate are not removed from the source server by removing the CA role service. Therefore, reinstalling the CA role service on the source server restores the source CA if migration fails and performing a rollback is required.

Highly Recommended Tasks. Staging a certificate restore is most import part before you decommission existing certificate server. Create a isolated environment similar to your Active Directory Domain Services. Add new Certificate Authority and restore the database and private key. test certificates, templates, registry and private key whether it is similar to your Production infrastructure. Once you happy and restoration tasks complete successfully you can decommission certificate authority. if source certificate authority is virtual than I would recommend you to take a snapshot before you remove the CA role.

  • To remove the CA on a computer running Windows Server 2003, use the Add/Remove Windows Components wizard.
  • To remove the CA on a computer running Windows Server 2008, use the Remove Roles Wizard in Server Manager.

To restore a CA on a new server from a backup copy

  1. Open Server Manager, and click Active Directory Certificate Services. Click Next two times.

  2. On the Select Role Services page, select the Certification Authority check box, and then click Next.

  3. On the Specify Setup Type page, click either Standalone or Enterprise, and then click Next.

    noteNote You must have a network connection to a domain controller in order to install an enterprise CA.

  4. On the Specify CA Type page, click the appropriate CA type, and then click Next.

  5. On the Set Up Private Key page, click Use existing private key, click Select a certificate and use its associated private key, and then click Next.

  6. On the Select Existing Certificate page, click Import, type the path of the .P12 file in the backup folder, type the password that you chose in the previous procedure to protect the backup file, and then click OK.

  7. In the Public and Private Key Pair dialog box, verify that Use existing keys is selected.

  8. Click Next two times.

  9. On the Configure Certificate Database page, specify the same location for the certificate database and certificate database log as on the previous CA computer. Click Next.  On the Confirm Installation Options page, review all of the configuration settings> click Install and wait until the setup process has finished.

  10. Locate the registry file that you saved in the backup procedure, and then double-click it to import the registry settings. If the path that is shown in the registry export from the old CA differs from the new path, you must adjust your registry export accordingly. Verify the registry in the following location. HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCertSvc

11. Open the Services snap-in to stop the Active Directory Certificate Services (AD CS) service.

12. Open the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA to open the Certification Authority Restore Wizard.

image

13 Click Next, and select the Private key and CA certificate and Certificate database and certificate database log check boxes. Type the backup folder location, and then click Next. Verify the backup settings. The Issued Log and Pending Requests settings should be displayed. Click Finish, and then click Yes to restart AD CS when the CA database is restored.

To restore the CA database by using Certutil.exe
  1. Log on to the destination server by using an account that is a CA administrator.

  2. Open a Command Prompt window.

  3. Type certutil.exe -f -restoredb <CA Database Backup Directory> and press ENTER.

To Restoring the certificate templates list

Log on with administrative credentials to the destination CA.

  1. Open a command prompt window.

  2. Type certutil -setcatemplates +<templatelist> and press ENTER.

ImportantImportant ! Some registry parameters should be migrated without changes from the source CA computer, and some should not be migrated. If they are migrated, they should be updated in the target system after migration because some values are associated with the CA itself, whereas others are associated with the domain environment, the physical host, the Windows version, or other factors that may be different in the target system.

Verify registry location and Configuration parameters are: 

HKEY_LOCAL_MACHINEsystemcurrentcontrolsetservicescertsvcConfiguration

  • DBDirectory
  • DBLogDirectory
  • DBSystemDirectory
  • DBTempDirectory
  • DBSessionCount

image

HKEY_LOCAL_MACHINEsystemcurrentcontrolsetservicescertsvcConfigurationCAname

  • CACertPublicationURLs
  • CRLPublicationURLs

image

 

Granting permissions on AIA and CDP containers

If the name of the destination server is different from the source server, the destination server must be granted permissions on the source server’s CDP and AIA containers in AD DS to publish CRLs and CA certificates. Complete the following procedure in the case of a server name change.

To grant permissions on the AIA and CDP containers
  1. Open Active Directory Sites and Services> In the console tree, click the top node.

  2. On the View menu, click Show services node. In the console tree, expand Services, expand Public Key Services, and then click AIA.

  3. In the details pane, right-click the name of the source CA, and then click Properties.

  4. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

  5. Type the name of the destination server, and click OK. In the Allow column, click Full Control, and click Apply.

  6. If the source server object is displayed in Group or user names, click the name of the source server, then click Remove, and then click OK.

  7. In the console tree, expand CDP, and then click the name of the source server.

  8. In the details pane, right-click the cRLDistributionPoint item at the top of the list, and then click Properties.

image

4. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

5. Type the name of the destination server, and click OK. In the Allow column, click Full Control, and click Apply. If the source server object is displayed in Group or user names, click the name of the source server, then click Remove, and then click OK.

6. Repeat steps 13 through 18 for each cRLDistributionPoint item.

Additional procedures for failover clustering

  • CA Role must be installed on both nodes

  • Stop Active Directory Certificate Services from Services.msc

  • Ensure shared storage is online.

  • certificate store and logs must be placed in shared storage.

To verify shared storage is online

  1. Log on to the destination server. Start Server Manager.

  2. In the console tree, double-click Storage, and click Disk Management.

  3. Ensure that the shared storage is online and assigned to the node you are logged on to.

To configure AD CS as a cluster resource

Follow Configure Microsoft Fail over Cluster URL to create and configure a cluster.

  1. Open Failover Cluster Manager from Administrative Tools> Right Click on newly created cluster node>click Configure a service or Application. If the Before you begin page appears, click Next.

  2. In the list of services and applications, select Generic Service, and click Next.

  3. In the list of services, select Active Directory Certificate Services, and click Next.

  4. Specify a service name, and click Next. Select the disk storage that is still mounted to the node, and click Next.

  5. To configure a shared registry hive, click Add, type SYSTEMCurrentControlSetServicesCertSvc, and then click OK. Click Next twice.

  6. Click Finish to complete the failover configuration for AD CS.

  7. In the console tree, double-click Services and Applications, and select the newly created clustered service.

  8. In the details pane, click Generic Service. On the Action menu, click Properties.

  9. Change Resource Name to Certification Authority, and click OK.

If you use a hardware security module (HSM) for your CA, complete the following procedure.

To create a dependency between a CA and the network HSM service
  1. Open the Failover Cluster Management snap-in. In the console tree, click Services and Applications.

  2. In the details pane, select the previously created name of the clustered service.

  3. On the Action menu, click Add a resource, and then click Generic Service.

  4. In the list of available services displayed by the New Resource wizard, click the name of the service that was installed to connect to your network HSM. Click Next twice, and then click Finish.

  5. Under Services and Applications in the console tree, click the name of the clustered services.

  6. In the details pane, select the newly created Generic Service. On the Action menu, click Properties.

  7. On the General tab, change the service name if desired, and click OK. Verify that the service is online.

  8. In the details pane, select the service previously named Certification Authority. On the Action menu, click Properties.

  9. On the Dependencies tab, click Insert, select the network HSM service from the list, and click OK.

To grant permissions on public key containers: If you are migrating to a failover cluster, complete the following procedures to grant all cluster nodes permissions to on the following AD DS containers:
  • The AIA container
  • The Enrollment container
  • The KRA container
To grant permissions on public key containers in AD DS
  1. Open Active Directory Sites and Services. In the console tree, click the top node.

  2. On the View menu, click Show services node. In the console tree, expand Services, then Public Key Services, and then click AIA.

  3. In the details pane, right-click the name of the source CA, and then click Properties.

  4. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

  5. Type the computer account names of all cluster nodes, and click OK. In the Allow column, select the Full Control check box next to each cluster node, and click OK.

  6. In the console tree, click Enrollment Services.  In the details pane, right-click the name of the source CA, and then click Properties.

  7. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK. Type the computer account names of all cluster nodes, and click OK.

  8. In the Allow column, select the Full Control check box next to each cluster node, and click OK.

  9. In the console tree, click KRA.

image

10. In the details pane, right-click the name of the source CA, then click Properties. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

11. Type the names of all cluster nodes, and click OK. In the Allow column, select the Full Control check box next to each cluster node, and click OK.

To check the DNS name for a clustered CA in AD DS
  1. Log on to the active cluster node as a member of the Enterprise Admins group.

  2. Open ADSI Edit. On the Action menu, click Connect to. click Configuration, and click OK.

  3. In the console tree, expand ConfigurationServicesPublic Key ServicesEnrollment Services.

  4. Double click on CN and check check dNSHostName mentioned same as Failover Cluster Management in the Failover Cluster Manager snap-in, and click OK. if not add proper FQDN DNS of cluster as shown on the screenshot. Click OK to save changes.

image

5. Open dnsmgmt.msc from the start menu>run. Verify a Host (A) DNS record has been added with the same name and IP address of the Cluster. 

Configuring CRL distribution points for failover clusters

When a CA is running on a failover cluster, the server’s short name must be replaced with the cluster’s short name in the CRL distribution point and authority information access locations. To publish the CRL in AD DS, the CRL distribution point container must be added manually.

The following procedures must be performed on the active cluster node.

To change the configured CRL distribution points
  1. Open registry edit and Locate the registry key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCertSvcConfiguration.

  2. Click the name of the CA. In the right pane, double-click CRLPublicationURLs.

image

3. In the second line, replace %2 with the service name specified in step 6 of the procedure “To configure AD CS as a cluster resource.”  The service name also appears in the Failover Cluster Management snap-in under Services and Applications. Restart the CA service.

4. Open a command prompt, type certutil -CRL, and press ENTER.

5. To create the CRL distribution point container in AD DS At a command prompt, type cd %windir%System32CertSrvCertEnroll, and press ENTER. The CRL file created by the certutil –CRL command should be located in this directory.

6. To publish the CRL in AD DS, type certutil -f -dspublish “CRLFile.crl” and press ENTER.

To setup Audit on CA. Open CA MMC>Select the Certificate Server>Right Click>Click Property

image

Check desired Events to audit>Click Ok. restart CA Services.

To deploy Enterprise root CRL using GPO. Create a new group policy or use and existing GPO. Click Edit. Expand to Computer ConfigurationWindows SettingsSecurity SettingsPublic Key Policies. Right Click on trusted Root Certificates>Click Import>Locate root certificate and import the certificate. Click Close.

image

To request Automatic Certificate request. Create a new group policy or use and existing GPO. Click Edit. Expand to Computer ConfigurationWindows SettingsSecurity SettingsPublic Key Policies. Right Click Automatic Certificate Request >Click New >Click Automatic certificate Request>Configure Certificate template and request. Follow the screenshot. Note that Auto Enroll must be allowed in the security tab of certificate template in CA.

image

Additional references

How to extend root certificate authority and subordinate CA

Configure Microsoft Fail over Cluster

Active Directory Certificate Services Overview

System Center Virtual Machine Manager 2012 Beta First Look

Systems Requirement:

  • Windows Server 2008 R2 x64 domain member
  • Windows Remote Management (WinRM) 2.0
  • Windows PowerShell 2.0
  • Microsoft .NET Framework 3.5 Service Pack 1 (SP1)
  • Windows AIK for Windows 7
  • SQL Server 2008 or SQL Server 2008 R2
  • WDS and WSUS roles installed 

Installation of System Center Virtual Machine Manager 2012:

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

System Center Virtual Machine Manager 2012 Beta – Evaluation (VHD)

SCVMM 2012 Beta Download

Remove initial configuration wizard on Windows Server 2008 using GPO

Gallery

Open GPO management console using administrative privilege. Create and link a GPO with Enterprise Server OU. Right Click on Enterprise Server OU> Click on Property Expand and locate Server Manager section in the following section of GPO. Expand Computer Configuration>Expand … Continue reading

Configure Microsoft Fail over Cluster for DHCP services—step by step

Gallery

Microsoft Cluster Requirements:  Servers, NIC and Storage must validate Microsoft cluster requirements to configure MSCS using two or more independent computers . The objectives to create a cluster is to avoid a single point of failure that is to create … Continue reading

An Overview of Active Directory Certificate Services (AD CS)

Certificate services provide public key infrastructure (PKI) for organization. There are lot of benefits to have a PKI infrastructure in Active Directory infrastructure. One of the biggest advantage of deploying certificate is to identify requestor requesting information a server. This can be a web server, exchange web mail or an windows client requesting authentication from an active directory. The server holding the role of approving certificate and delivering certificate called certificate authority in short CA. Microsoft CA provides heaps of options for diverse customer to deploy certificate from security point of view, organizational structure and  also geographical location. That is certificate can be deployed in hierarchical manner. Top of Certificate hierarchy is called Enterprise root CA. There can be more than one subordinate CA depending your need. Certificate Authority can be standalone or Enterprise CA. Standalone offline Root CA can be used to provide PKI infrastructure for internal users. Standalone root CA is put offline to provide an extra layer of security to authentication. A subordinate CA placed under standalone root can work as usual. In this case, your root CA aren’t compromised. when you request a certificate from subordinate CA, you have to approve this request manually. Again this type of deployment provide extra layer of security  as you can see who’s requesting for a certificate. 

Installation of Root CA:

To install an Enterprise Root CA, build a windows server 2008 and join domain. Log on as domain admin. Add and install Web server (IIS) role in that server as pre-requisite. Once finish, add active directory certificate services role. Select Enterprise root CA while installing CA. More detailed installation guides are in these screen shots.

To install a standalone root CA, follow the similar steps with just one exception that standalone CA isn’t part of Active Directory domain. You have manually import certificate request to standalone CA server which I will explain later part of this article.

Segregating CA Management Role:

To secure CA management and delegating management authority, you can segregate roles in certificate authority. There five roles available to manage CA. They are CA Administrator, CA Manager, CA Auditor, Backup operator and enrollees. To assign these roles, you need to log on CA as an administrator and open CA Management Console. Right mouse click on CA server name>Click on property. Go to security Tab and add specific groups to this windows and assign desired roles. The following screen shots are illustrate these options.

11

12

https or secure Certificate Enrollment using :

before you can enroll certificate, install an SSL certificate for CA itself and provide an FQDN for users and computer to request certificates.

Open IIS management console in CA authority Server. Click on CA server>Click on Create a Domain certificate on right hand side Action pan. 

18

19

13

15

Click Finish to complete request.

Click on Sites>click Bindings

16

Click Add>Select SSL>Select IP & Port 443

17

Select Certificate you just created.

Now Create a CNAME in DNS server such as CA.microsoftguru.com.au

Open IE browser to test SSL certificate request.

20

Managing Templates:

There are default certificate templates in CA. The templates are stored in Active Directory for use by every CA in the forest. When deploying certificates duplicate a template (by right click on certificate template>Manage) similar to your purpose, name the template, setup certificate period, publish in Active Directory, setup security on the security tab. Now right click on certificate template>Click New>Click on Certificate Template to Issue. You must select appropriate group in the security tab of certificate property to safeguard this certificate from different group of users. 

Installation of Subordinate CA:

Prepare a Windows Server 2008. Depending on your deployment topology, Open Server Manager, click Add Roles, click Next,and click Active Directory Certificate Services. Click Next two times. Now select following in the next steps.

Setup Type: Standalone or Enterprise

CA Type: Subordinate

Private key: Create a New Private Key

1

On the Request a certificate step, you have have two options. If your Enterprise root CA is part of domain, you can request a subordinate CA automatically or manually. However if your enterprise root CA is standalone or subordinate CA is standalone then you have generate a request for certificate and submit this request to root CA. In this article, I am requesting certificate manually because you can perform automated request.

2

Click Next and Finish installation.

3

Open Requested Certificate and copy entire content in the notepad. Open IE browser and browse Root CA cert enroll page such as https://ca.microsoftguru.com.au/certsrv

4

Click on Request a certificate, Click on Advanced certificate request.

5

Click on submit a certificate request..

6

Paste the certificate request on Base 64 encoded box and select subordinate CA. Click submit.

7

Now download requested certificate and save it on subordinate CA.

8

9

Log on to subordinate CA and open CA management console>Click All Tasks>Click Start CA. You will be prompted to import subordinate certificate from root CA. Browse the location of certificate you exported/saved in previous steps and select certificate. Your subordinate CA will start now.

10

Start Menu>run>Services.msc>Check Active Directory Certificate Services set to automatic. Now Manage and secure CA as mentioned in this article.

If your root CA is standalone than you can take your root CA offline now. Open Event Viewer by simply, typing eventvwr.exe on Start menu>run. Check AD CS is functioning properly.

image

To setup auditing in AD CS, right click on AD CS server>property>Auditing Tab>Select preferred Auditing for CA Server.

image

To restrict an enrollment agent in CA, Open CA Console>Right Click on subordinate CA Server>Property>Click on Enrollment Agent Tab Click on restrict Enrollment Agent. here you can add groups or users that are allowed to request certificate on behalf of another client and remove everyone. similarly you can disallow everybody to request an agent enrollment. Note that Enrollment agent can only request certificate but can not approve or revoke certificate.

image

To setup pending request in CA, log on to CA and open CA console. Right mouse click on CA server>Click property>Click Policy Module>Click Properties>Click Set certificate request status to pending.

image

image

Restart AD CS services.

Requesting Certificate from standalone CA:

Create a text file and rename this file such as newrequest.inf and copy and paste inside the file following contents

;…………………………………………

[Version]
Signature=”$Windows NT$
[NewRequest]
Subject = “CN=<DC fqdn>” ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = “Microsoft RSA SChannel Cryptographic Provider”
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

;……………………………..

OR

;……………………………..

[NewRequest]

Subject=”CN=<FQDN of computer you are creating the certificate, for example, the gateway server or management server.>”

Exportable=TRUE

KeyLength=2048

KeySpec=1

KeyUsage=0xf0

MachineKeySet=TRUE

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1

OID=1.3.6.1.5.5.7.3.2

;……………………………………….

Here, CN= FQDN of server where requested certificate will be installed.

Now type following command, and then press ENTER:

CertReq –New –f  NewRequest.inf NewCert.req

To submit new request type the following command, and then press ENTER:

certreq -submit -config “FQDN of the YourCAYour CA Name” certnew.req certnew.cer

Now approve the certificate from CA management console and retrieve certificate using following command

certreq -retrieve RequestID certnew.cer

type the following command to accept certificate, and then press ENTER:

certreq -accept newcert.cer

Removing Certificate Authority: Log on to the system as the user who installed the certification authority. Server Manager>Roles>Remove Roles>Select AD CS and Remove CA. Restart Decommissioned CA Server. To Remove remaining information about this CA from Active Directory, type following from elevated command prompt

certutil.exe -dsdel CAName and press ENTER

Dealing with Event ID 100, 7024, 48 :

Issue new certificate revocation list by issuing certutil.exe –crl command from elivated command prompt.

Type certutil.exe -setreg CALogLevel 2  and press enter to change log level registry.

Disable revocation list checkup type following from command prompt and press enter.

certutil –setreg caCRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

Blogging year 2010—-what stats says

Gallery

Sharing stats of my blog https://araihan.wordpress.com with my visitors. I started this free wordpress before founding http://microsoftguru.com.au Team WordPress.com + Stats Helper MonkeysJanuary 2nd, 2011, 03:35pm Here’s a high level summary of my overall blog health: Wow Blog-Health-o-Meter™ “We think … Continue reading

Configure FAX server using Windows Server 2008 and Standard Fax Modem

Gallery

In this article, I am going to deploy a test fax server using windows Server 2008 Fax Server Role, Standard Fax Modem (Motorola or US Robotics) and Exchange Server Email Distribution Group. A fax server is comprised of four different … Continue reading

Forefront TMG and BranchCache Hosted Cache deployed on the same host

Gallery

BranchCache™ is a new feature in Windows® 7 and Windows Server® 2008 R2 that can reduce wide area network (WAN) or bandwidth utilization and enhance network application responsiveness when users access content in a central office from branch office locations. … Continue reading

How to configure Windows Server Update Services (WSUS) to use BranchCache

Gallery

What is branchCache? BranchCache™ is a new feature in Windows® 7 and Windows Server® 2008 R2 that can reduce wide area network (WAN) or bandwidth utilization and enhance network application responsiveness when users access content in a central office from … Continue reading

Step by Step: Volume Activation for Windows 7 and Windows Server 2008

Gallery

This gallery contains 36 photos.

What is Microsoft product activation? Activation is a method of verification that Microsoft Windows Product you have bought is genuine and comply with copyright laws i.e. it checks that you are not using a counterfeit product. Simply Microsoft wants to … Continue reading

Windows Server 2008: Install and configure windows media services 2008—step by step

Gallery

Windows Media Services 2008 is an industry standard platform for streaming or on-demand audio/video content for windows XP and Windows 7 clients over private or public networks. Windows Media Services 2008 manages one or more Windows Media servers running on … Continue reading

Windows Server 2008: Install and configure windows media services 2008—step by step

Gallery

This gallery contains 46 photos.

Windows Media Services 2008 is an industry standard platform for streaming or on-demand audio/video content for windows XP and Windows 7 clients over private or public networks. Windows Media Services 2008 manages one or more Windows Media servers running on … Continue reading

Windows Deployment Services: Create and deploy multicast images

Gallery

This gallery contains 12 photos.

I would like to explain a bit about IP Multicast before I start with WDS multicast image distribution because not all the organisation have existing multicast infrastructure. Still, I reckon it would be worthy to know bits and pieces of … Continue reading

Windows Deployment Services: How to create deployable bootable ISO using WDS and AIK

Gallery

This gallery contains 18 photos.

A bootable ISO is created from an existing WDS boot image and capture image that contains Windows PE and the WDS client can be stored on DVD or CD making it easier to deploy images to older systems or on … Continue reading

Windows Deployment Services: How to configure Legacy or Mixed Mode or Native Mode for legacy image and Windows 7

Gallery

This gallery contains 56 photos.

Windows Deployment Services (WDS) running on Windows 2008 provides many of the same features and functions of RIS, Automated Deployment Services, and Windows Server 2003 SP2 combined.  Two of the distinct features of Windows 2008 Windows Deployment Services are that … Continue reading

How to create an external trust between two separate domains/forests

A trust is a relationship established between two different domains that enables users in one domain to be authenticated by a domain controller in the other domain. There are different type of trust in Microsoft Active Directory domain such as External, Realm, Forest and shortcut. External trust is necessary when users of two different domains of two different business units wants to utilize resources such as printers and file server of trusted domains. This article can be applied in Windows Server 2003, Windows Server 2008/R2, Windows Server 2012/R2 and Windows Server 2016 domain using same principle written below.

Authentication Consideration

Authentication Setting Inter-forest Trust Type Description
Domain-wide Authentication External Permits unrestricted access by any users. Default authentication setting for external trusts.
Forest-wide Authentication Forest Permits unrestricted access by any users. Default authentication setting for forest trusts.
Selective Authentication External and Forest Restricts access over an external. Authentication setting must be manually enabled.

Administrative Privilege

To create trust you have to be a member of Domain Admins & Enterprise Admin in both Domains.

Transitive trusts

  • Shortcut trust. A transitive trust between domains in the same domain tree or forest that is used to shorten the trust path in a large and complex domain tree or forest.
  • Forest trust. A transitive trust between one forest root domain and another forest root domain.
  • Realm trust. A transitive trust between an Active Directory domain and a Kerberos V5 realm.

Non-transitive trusts

  • External trust. A non-transitive trust created between a Windows Server 2003 domain and Windows 2000 or Windows Server 2003 domain in another forest.
  • Realm trust. A non-transitive trust between an Active Directory domain and a Kerberos V5 realm.

You have to fulfill few requirements before you can activate external trust. For example: Both domain controller must ping each other by IP address. If both domain controllers are placed in different subnet then proper routing is required. If there is a firewall between domain controllers then proper firewall rules should be in place allowing LDAP, DNS and resources port to be accessible from both sites. Forest and domain functional level must be Windows Server 2003 or later version.

Example:

DC1.DomainA.com  IP address: 192.168.100.2

DC1.DomainB.com  IP address: 192.168.200.2

Step1: Port requirement

If you are using MPLS/IP VPN/VPN make sure inbound and outbound routing are in correct order. If you have firewall between organisation make sure Active Directory ports are open in both sides. Further info on port requirement visit  Active Directory and Active Directory Domain Services Port Requirements

Step2: Add DNS Record in TCP/IP Properties of Domain Controllers

Open TCP/IP Properties of DC1.DomainA.com and add IP address of DC1.DomainB.com in the secondary DNS record.

Open TCP/IP Properties of DC1.DomainB.com and add IP address of DC1.DomainA.com in the secondary DNS record.

Step3: Ping DomainA from DomainB and vice versa

Log on to each domain and ping each other by IP address. Resolve IP without any delay or timed out ping.

Step4: Test AD DS Ports

Telnet to port 389, 636 & 53 from both sides of domain to test whether you can access Active Directory & DNS

Step5: Health Check

Run a quick AD health check in both sides using this Link

Step6: Create PTR Record in both organisation

Add Reverse Lookup Zone of 192.168.200.2 into DC1.DomainA.com. To do this, Right Click on Reverse Lookup Zone>New Zone>Click Next>Primary Zone>Click Next>IPV4 reverse Lookup Zone>Type 192.168.200>Click Next>Finish.

Repeat the step to add 192.168.100.2 PTR into DC1.DomainB.com. To do this, Right Click on Reverse Lookup Zone>New Zone>Click Next>Primary Zone>Click Next>IPV4 reverse Lookup Zone>Type 192.168.100>Click Next>Finish.

Step7: Create Forward Lookup Zones in both organisation

In some DNS environment where DNS have constrained access (situation specific only), you may have to create Forward Lookup Zone for DomainA.com into DomainB.com and Forward Lookup Zone for DomainB.com into DomainA.com. But there is no harm creating a forward lookup zone in both sides as both forests are going to trust each other once trust is activated.

To do this, log on to DomainA.com >Open DNS Manager>Expand Forward Lookup Zone> Right click on Forward Lookup Zones>New Zones>primary Zones>Type FQDN of forest e.g. DomainB.com. >Select Default or select “To all domain controllers in this forest”> Type Zone Name DomainB.com>Allow Secure Dynamic Update>Follow the Wizard.

To do this, log on to DomainB.com >Open DNS Manager>Expand Forward Lookup Zone> Right click on Forward Lookup Zones>New Zones>primary Zones>Type FQDN of forest e.g. DomainA.com. >Select Default or select “To all domain controllers in this forest”> Type Zone Name DomainA.com>Allow Secure Dynamic Update>Follow the Wizard.

Step8: Create Host (A) record in both organisation

Create Host (A) record of Domain Controller of DomainA.com into Domain Controller of DomainB.com. Create Host (A) record of Domain Controller of DomainB.com into Domain Controller of DomainA.com. To do this Log on to DC1.DomainA.com>Right click on Forward Look Up Zone you created in step 7 which is DomainB.com>Click New Host (A)>Leave the Name Blank> Type IP Address of DC1.DomainB.com & Select Associated PTR Record> Click Add Host.

Repeat the Steps in DomainB.com. To do this log on to DC1.DomainB.com>Right click on Forward Look Up Zone you created in step7 which is DomainA.com>Click New Host (A)>Leave the Name Blank> Type IP Address of DC1.DomainA.com & Select Associated PTR Record> Click Add Host.

Step9: Add Name Server (NS) in both organisation

You must add Name Server of DC1.DomainA.com into the Name Servers Property of DC1.DomainB.com. Repeat the step to add Name Server of DC1.DomainB.com into the Name Servers Property of DC1.DomainA.com.

To do this log on to DC1.DomainA.com>Open DNS Manager>Right click on Forward Look Up Zone of DomainB.com>Click Properties>Click Name Servers Tab>Click Add>Type the IP Address of DC1.DomainB.com.

Repeat the Steps in DomainB.com. To do this log on to DC1.DomainB.com>Open DNS Manager>Right click on Forward Look Up Zone of DomainA.com>Click Properties>Click Name Servers Tab>Click Add>Type the IP address of DC1.DomainA.com.

Step10: Test DNS Record

Ping FQDN of DomainA.com from DomainB.com

Ping FQDN of DomainB.com from DomainA.com

Ping DC1.DomainA.com from DC1.DomainB.com

Ping DC1.DomainB.com from DC1.DomainA.com

Step11: Create External Trust

Example: One way trust allows users from DC1.DomainB.com (outgoing) get access into DC1.DomainA.com (incoming) but DC1.DomainA.com doesn’t get access to DC1.DomainB.com).

Note : if you want both sides get access to both sides then change that configure to two way trusts and set incoming and outgoing in both sides.

Creating incoming trust in DC1.DomainA.com

1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: incoming, and then click Next.

7. On the Sides of Trust page, click This domain only, and then click Next.

8. On the Trust Password page, type the trust password twice, and then click Next.

With the administrator of the other domain, agree on a secure channel password to be used in establishing the trust.

9. On the Trust Selections Complete page, review the results, and then click Next.

10. On the Trust Creation Complete page, review the results, and then click Next.

11. On the Confirm Incoming Trust page, do one of the following

  • If you do not want to confirm this trust, click No, do not confirm the incoming trust
  • If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.

12. On the Completing the New Trust Wizard page, click Finish.

 Creating outgoing trust in DC1.DomainB.com
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: outgoing, and then click Next.

7. On the Sides of Trust page, click This domain only, and then click Next.

8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next:

  • Click Domain-wide authentication.
  • Click Selective authentication.

9. On the Trust Password page, type the trust password twice, and then click Next.

10. On the Trust Selections Complete page, review the results, and then click Next.

11. On the Trust Creation Complete page, review the results, and then click Next.

12. On the Confirm Outgoing Trust page, do one of the following:

  • If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
  • If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.

13. On the Completing the New Trust Wizard page, click Finish.

 Step12: Test a Trust Relation

  1. Virtualize two Windows clients
  2. Join them to DomainA and DomainB
  3. Create two test folders in DomainA and DomainB
  4. Share and assign permission to users of DomainA and DomainB for both folders.
  5. Log on to a Windows client in DomainA using credential of DomainB>Access folder of DomainA
  6. Log on to a Windows client in DomainB using credential of DomainA>Access folder of DomainB

Understanding Network Access Protection (NAP) in Windows Server 2008

Gallery

This gallery contains 10 photos.

Network Access Protection (NAP) is a platform you can install in Windows Server 2008 for enforcing computer system health requirements on Client machine before they are allowed to access network resources. NAP can ensure that the system complies with a … Continue reading

Understanding Windows Firewall for Windows Server 2008 and Windows 7

Gallery

This gallery contains 14 photos.

The best way to justify a local firewall in windows server 2008 and windows 7 is to put another layer of security in place and to make your computer happy to maintain communication with internet. In ordinary terms, windows firewall … Continue reading

Windows Server 2008: how to configure Network Policy Server or Radius Server –Step by Step Guide

Gallery

This gallery contains 76 photos.

  Step1: Prepare AAA Environment Windows Server 2008 SP2 or Windows Server 2008 R2 Active Directory Domain Services Active Directory Certificate Services DHCP Radius i.e. NPS must be a member of domain Computer certificate installed in Radius Server Windows 7, … Continue reading

Install and Configure System Centre Configuration Manager 2007 R2

Gallery

This gallery contains 52 photos.

System Centre Configuration Manager 2007 R2 is built with Microsoft Operation Framework and IT Information Library. Most common uses of System Centre Configuration Manager (SCCM) are software and operating systems deployment. But you can do more then these two common … Continue reading

Windows Server 2008: Windows Server Update Services Role–Step by Step Guide

Gallery

This gallery contains 56 photos.

Windows Server Update Services is now part of Windows Server 2008 Role. Installation made more easy for geeks and deployment technicians. Prerequisite and procedures are pretty same as before.  I have written in my previous blog how to deploy Microsoft … Continue reading

Optimizing Microsoft Active Directory FSMO roles

There are five Active Directory Flexible Single-Master (FSMO) roles in the domain and forest. The Active Directory Installation Wizard defines five FSMO roles: schema master, domain master, RID master, PDC emulator, and infrastructure. The schema master and domain naming master are per-forest roles (eg. www.A.com). The remaining three, RID master, PDC emulator, and infrastructure master, are per-domain roles.

A forest with one domain (eg www.A.com) has five roles. Every additional domain in the forest adds three domain-wide roles. The number of FSMO roles in a forest and potential FSMO role owners can be determined using the formula ((Number of domains * 3)+2). A forest with three domains (A.com, with child and grandchild domains of B.A.com and C.B.A.com) has eleven FSMO roles:

Schema master – forest-wide A.COM
Domain naming master – forest-wide A.COM
PDC emulators (A.com, B.A.com, and C.B.A.com)
RID masters (A.com, B.A.com, and C.B.A.com)
Infrastructure masters for each respective domain. (A.com, B.A.com, and C.B.A.com)

FSMO scenario:

  • In a Single domain with only one domain controller: holds all five FSMO roles.
  • If a domain has more than one domain controller, use Active Directory Sites and Services Manager to select direct replication partners with persistent. You may select specific roles to specific domain controller and distribute it.
  • The standby server may be in the same site as the primary FSMO server for faster replication convergence consistency over a large group of computers, or in a remote site in the event of a site-specific disaster at the primary location.
  • Where the standby domain controller is in a remote site, ensure that the connection is configured for continuous replication over a persistent link. (support tools> replmon.exe to check replication)
  • FSMO placement:

  • Place the RID and PDC emulator roles on the same domain controller. It is also easier to keep track of FSMO roles if you host them on fewer machines. If the load on the primary FSMO load justifies a move, place the RID and primary domain controller emulator roles on separate domain controllers in the same domain and active directory site that are direct replication partners of each other. Example, I have four domain controllers and two of them holds FSMO roles. rest are stand by in case of failure I can move them.
  • Infrastructure master must not be a Global Catalog (GC). Because the global catalog server holds a partial replica of every object in the forest, the infrastructure master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold. Two exceptions to the “do not place the infrastructure master on a global catalog server” rule are:
  • Single domain forest: In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.
  • Multidomain forest where every domain controller in a domain holds the global catalog:  If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain.
  • the schema master and domain naming master roles should be placed on the same domain controller. Additionally, the domain naming master FSMO should also be a global catalog server. Certain operations that use the domain naming master, such as creating grand-child domains, will fail if this is not the case. In a forest at the Forest Functional Level Windows Server 2003, you do not have to place the domain naming master on a global catalog.
  • You may use the Ntdsutil.exe utility to transfer or to seize Flexible Single Master Operations (FSMO) roles.

    Transfer FMSO Roles: It is recommend that you transfer FSMO roles in the following scenarios:

  • The current role holder is operational and can be accessed on the network by the new FSMO owner.
  • You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
  • The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a “live” domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master roles.
  • Log on to a Admin PC or domain controller that is located in the forest where FSMO roles are being transferred as a Enterprise Admin and Schema Admin rights. Microsoft recommend that you log on to the domain controller that you are assigning FSMO roles to. However, its not necessary if you know what you are doing.

  • Click Start, click Run, type ntdsutil.exe in the Open box, and then click OK.
  • Type roles, and then press ENTER.
  • Type connections, and then press ENTER.
  • Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign/transfer the FSMO role to.
  • At the server connections prompt, type q, and then press ENTER.
  • Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, Syntax Example,
  • transfer rid master

    Transfer PDC

    Transfer Schema Master

    transfer domain naming master

    transfer infrastructure master

    At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

    Seize FSMO roles: Seizing FSMO roles is a critical decision. Perform Seizure operation if you fail to demot a domain controller gracefully that holds FSMO roles or if one of domain controller (holds FSMo roles) is completely failed to communicate with another domain controller in a forest. In this case you have no option but to seize FSMO roles.

  • Click Start, click Run, type ntdsutil in the Open box, and then click OK.
  • Type roles, and then press ENTER.
  • Type connections, and then press ENTER.
  • Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
  • At the server connections prompt, type q, and then press ENTER.
  • Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, Syntax are:
  • seize rid master

    seize PDC

    seize Schema Master

    seize naming master

    seize infrastructure master

  • At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
  • Global Catalog: Double check, schema master and naming master is a GC. To check whether a domain controller is also a global catalog server:

  • Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
  • Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available.
  • Open the Servers folder, and then click the domain controller.
  • In the domain controller’s folder, double-click NTDS Settings.
  • On the Action menu, click Properties.
  • On the General tab, view the Global Catalog check box to see if it is selected.
  • Metadata Clean up: Perform this operation if you fail to demot a DC from a forest otherwise not.

    1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
    2. At the command prompt, type ntdsutil, and then press ENTER.
    3. Type metadata cleanup, and then press ENTER.
    4. Type connections and press ENTER.
    5. Type connect to server servername, and then press ENTER.
    6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.
    7. Type select operation target and press ENTER.
    8. Type list domains and press ENTER. A list of domains in the forest is displayed, each with an associated number.
    9. Type select domain number and press ENTER, where number is the number associated with the domain the server you are removing is a member of. The domain you select is used to determine whether the server being removed is the last domain controller of that domain.
    10. Type list sites and press ENTER. A list of sites, each with an associated number, appears.
    11. Type select site number and press ENTER, where number is the number associated with the site the server you are removing is a member of. You should receive a confirmation listing the site and domain you chose.
    12. Type list servers in site and press ENTER. A list of servers in the site, each with an associated number, is displayed.
    13. Type select server number, where number is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name System (DNS) host name, and the location of the server’s computer account you want to remove.
    14. Type quit and press ENTER. The Metadata Cleanup menu appears.
    15. Type remove selected server and press ENTER. You should receive confirmation that the removal completed successfully. If you receive the following error message, the NTDS Settings object may already be removed from Active Directory
    16. Type quit, and then press ENTER
    17. In the DNS console, use the DNS MMC to delete the A record in DNS. The A record is also known as the Host record. To delete the A record, right-click the A record, and then click Delete. Also, delete the cname record in the _msdcs container. To do this, expand the _msdcs container, right-click cname, and then click Delete. Important If this is a DNS server, remove the reference to this DC under the Name Servers tab. To do this, in the DNS console, click the domain name under Forward Lookup Zones, and then remove this server from the Name Servers tab.
    18. If the deleted computer is the last domain controller in a child domain, and the child domain was also deleted, use ADSIEdit to delete the trustDomain object for the child. To do this, follow these steps:
    • Click Start, click Run, type adsiedit.msc, and then click OK
    • Expand the Domain NC container.
    • Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
    • Expand CN=System.
    • Right-click the Trust Domain object, and then click Delete.

       19.  Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps:

    • Start Active Directory Sites and Services.
    • Expand Sites. Expand the server’s site. The default site is Default-First-Site-Name.
    • Expand Server.  Right-click the domain controller, and then click Delete.

    Verifying Flexible Single Master Operations (FSMO)

    %Program File%>Windows Resource Kits>Tools>Replmon

    netdom command syntax 

     netdom query fsmo /domain:yourdomain.com.au

     dsquery command syntax

     dsquery server -hasfsmo schema

    dsquery server -hasfsmo name

    dsquery server -hasfsmo infr

    dsquery server -hasfsmo rid

    dsquery server -hasfsmo pdc

     DCDiag Command Syntax

     dcdiag /test:knowsofroleholders /v

     dumpfsmos.cmd Command  Syntax

     dumpfsmos.cmd yourdomain.com.au

    Further Study:

    Microsoft Active Directory

    Keywords: Microsoft Active Directory, FSMO roles.

    Group Policy for Windows 7 and Windows Server 2008 R2

    Gallery

    This gallery contains 6 photos.

    Microsoft Advanced Group Policy Management (AGPM) 4.0 advance control and management feature for computers running Windows 7 and Windows Server 2008 R2. Systems administrator will be able to do change control on each features deployed through GPO. AGPM 4.0 introduces … Continue reading

    How to configure L2TP IPSec VPN using Network Policy Server in Windows Server 2008 R2

    Gallery

    This gallery contains 81 photos.

    The virtual private network (VPN) technology allows users working outside the office premises connect to  their private network in a cost-effective and secure way. Creating this type of internetwork is call virtual private networking. VPN uses ordinary internet as a … Continue reading

    Install and configure Microsoft Active Directory Certificate Services (AD CS) using Windows Server 2008 R2

    Gallery

    This gallery contains 52 photos.

    Microsoft Active Directory Certificate Services (AD CS) in the Windows Server 2008 provides customizable services for creating and managing public key (PKI) certificates. You can use AD CS to enhance and implement security by binding the identity of a person, … Continue reading

    How to migrate Windows 2003 Active Directory to Windows 2008 Active Directory—–Step by Step guide

    Gallery

    This gallery contains 102 photos.

    Microsoft’s new baby in their server family is Windows Server 2008. The Windows Server® 2008 operating system ease operation of IT administrator and enterprise IT planner and designer. Windows 2008 Active Directory got improved roles, AD domain services, federation services, … Continue reading

    Backup, restore or migrate Print server in easy steps

    Gallery

    This gallery contains 22 photos.

    Have you added a print server to your DRP work sheet? It is absolutely necessary when you have hundreds of printers in your print server/servers. Here is a solution for backup/restore/migrate print server. Print migration 3.1 has been replaced with … Continue reading

    Understanding FSMO roles in windows 2003 AD

    Gallery

    Good preparation and correct planning are essential for Active Directory AD installation. Although it’s impossible to predict installation glitches precisely, you can at least minimize the possibility of AD installation problems if you carefully plan the procedure. Here’s what you … Continue reading

    How to create an external trust between two seperate domains/forests

    Gallery

    This gallery contains 8 photos.

    A trust is a relationship established between two different domains that enables users in one domain to be authenticated by a domain controller in the other domain. There are different type of trust in Microsoft Active Directory domain such as … Continue reading