Active Directory in Windows Server 2008

Published on January 2017

Secure Active Directory Objects in Windows Server 2008/R2 ADUC
Who hasn't heard of "someone" who has accidentally deleted an entire Organizational Unit (OU) in Active Directory? If you're lucky, you've never had to explain a personal human error such as this, but I've heard of many horror stories of people who have accidentally deleted OUs filled with hundreds, and in one case, over 5000 users. It's true that by using a proper backup procedure it is possible to restore these objects. It's also true that you can use manual restore procedures such as the one in my Recovering Deleted Items in Active Directory article. However, I'm sure you'll gladly agree that it's best not to put yourself in that position in the first place. Luckily for us, in Windows Server 2008 and Windows Server 2008 R2, Microsoft has introduced a new option designed to protect Active Directory objects from being accidentally deleted. The option to protect objects from accidental deletion is available for all objects that are manageable through Active Directory Users and Computers (ADUC), and is enabled by default when you create a new OU. Let's see an example. I will create an OU and select the "Protect container from accidental deletion":

Next, I will attempt to delete the object:

As you can see, I failed to delete the object and received the following error message:

So how does this work? By selecting the Protect container from accidental deletion option, an Access Control Entry (ACE) is added to the Access Control List (ACL) on the object, protecting it from accidental deletion. In order to view the ACL for the protected object, we need to change the view in ADUC so that it shows the Advanced Features.

Look at the object's security tab:

Click on the Advanced button, then select the entry for "Everyone" and click "Edit":

The ACE that is added is a "Deny" entry for the Everyone group, and it denies the Delete and Delete Subtree permissions in the object's ACL. Important: by default, accidental deletion protection is enabled ONLY for Organizational Units (OUs), and NOT for user objects. This means that if you attempt to delete one or more user objects, even if they are located inside a protected OU, you will succeed:

In order to protect user, group or computer objects from accidental deletion, you must MANUALLY enable this option in the object's properties. Change the view in ADUC so that it shows the Advanced Features, open the object's properties window, and click on the "Object" tab. There you can select the accidental deletion protection option.

When selected, if you attempt to delete the object, you'll get this message:

In order to delete the object, you must first disable the accidental deletion protection by deselecting the "Protect object from accidental deletion" option. This is done on the Object tab of the object in ADUC. If the tab is not visible, change the view in ADUC so that it shows the Advanced Features, open the object's properties window, and click on the "Object" tab.

By deselecting this option, you are removing the previously mentioned Deny ACE from the ACL of the object, and by doing so you allow the deletion of the object. Note: You may consider enabling this setting on some of the most important existing AD DS objects, including certain AD DS groups, user accounts, and computer accounts. You can use this list as a reference:
• Built-in Administrator and krbtgt accounts.
• Built-in privileged groups, including Account Operators, Administrators, Allowed RODC Password Replication Group, Schema Admins, Backup Operators, Cert Publishers, Denied RODC Password Replication Group, DnsAdmins, DnsUpdateProxy, Domain Admins, Domain Computers, Domain Controllers, Domain Users, Enterprise Admins, Enterprise Read-only Domain Controllers, Group Policy Creator Owners, Incoming Forest Trust Builders, Read-only Domain Controllers, Server Operators, and Users.
• Built-in containers and OUs, including Builtin, Computers, Domain Controllers, Foreign Security Principals, LostAndFound, Program Data, System, Users, and NTDS Quotas.
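An added example (my code, not the article's) that audits the objects in the list above for the Deny ACE the article describes and, with -Enable, turns the protection on. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later) on a DC or management workstation; the group names are those listed above, and a group that does not exist in the queried domain is skipped.

```powershell
# Added example, not part of the original article. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# True when the object's DACL carries the ACE the article describes:
# an explicit Deny for Everyone covering both Delete and Delete Subtree (DeleteTree).
function Test-DeleteDenyAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $wanted = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'
    foreach ($ace in (Get-Acl -Path "AD:\$DistinguishedName").Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq 'Everyone' -and
            (($ace.ActiveDirectoryRights -band $wanted) -eq $wanted)) { return $true }
    }
    return $false
}

# The reference list from the article: Administrator (RID 500), krbtgt,
# the built-in privileged groups, and the well-known containers and OUs.
function Get-CriticalObjectDN {
    $d   = Get-ADDomain
    $dns = @()
    $dns += (Get-ADUser -Identity "$($d.DomainSID)-500").DistinguishedName   # found even if renamed
    $dns += (Get-ADUser -Identity 'krbtgt').DistinguishedName
    $groups = 'Account Operators', 'Administrators', 'Allowed RODC Password Replication Group',
        'Schema Admins', 'Backup Operators', 'Cert Publishers',
        'Denied RODC Password Replication Group', 'DnsAdmins', 'DnsUpdateProxy',
        'Domain Admins', 'Domain Computers', 'Domain Controllers', 'Domain Users',
        'Enterprise Admins', 'Enterprise Read-only Domain Controllers',
        'Group Policy Creator Owners', 'Incoming Forest Trust Builders',
        'Read-only Domain Controllers', 'Server Operators', 'Users'
    foreach ($g in $groups) {
        # -Filter rather than -Identity: a group absent here (DnsAdmins without DNS,
        # forest-root groups in a child domain) is skipped instead of raising an error
        $dns += Get-ADGroup -Filter "Name -eq '$g'" | Select-Object -ExpandProperty DistinguishedName
    }
    $dns += $d.UsersContainer, $d.ComputersContainer, $d.DomainControllersContainer,
        $d.ForeignSecurityPrincipalsContainer, $d.LostAndFoundContainer,
        $d.SystemsContainer, $d.QuotasContainer,
        "CN=Builtin,$($d.DistinguishedName)", "CN=Program Data,$($d.DistinguishedName)"
    $dns | Where-Object { $_ } | Sort-Object -Unique
}

# Reports every critical object that is unprotected; -Enable sets the flag
# (which adds the Deny ACE), honouring -WhatIf / -Confirm.
function Protect-CriticalObject {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Enable)
    foreach ($dn in Get-CriticalObjectDN) {
        $obj    = Get-ADObject -Identity $dn -Properties ProtectedFromAccidentalDeletion
        $hasAce = Test-DeleteDenyAce -DistinguishedName $dn
        if ($obj.ProtectedFromAccidentalDeletion -and $hasAce) { continue }
        New-Object PSObject -Property @{ Object = $dn; ProtectedFlag = $obj.ProtectedFromAccidentalDeletion; DenyAce = $hasAce }
        if ($Enable -and $PSCmdlet.ShouldProcess($dn, 'Enable accidental deletion protection')) {
            Set-ADObject -Identity $dn -ProtectedFromAccidentalDeletion $true
        }
    }
}

Protect-CriticalObject                     # report only
# Protect-CriticalObject -Enable -WhatIf   # preview, then run without -WhatIf to apply
```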



Error when Attempting to Remove Windows Server 2008 Server Core from Domain
by Daniel Petri - August 18, 2010

A few days ago I played around with some of my virtual machines and encountered an issue when attempting to remove a Windows Server 2008 R2 Server Core machine from a domain. Because both the core machine and the Domain Controller (DC) machine were virtual machines, when I reverted the DC back to a previous snapshot, the core machine could no longer access resources on the DC, and I couldn't log on to the machine by using the domain admin user account.


This is the error I got while attempting to log on by using a domain user account: "The security database on the server does not have a computer account for this workstation trust relationship."

To fix this, I tried to remove the Server Core machine from the domain. In Server Core, this can be done in one of two ways:
• By using SCONFIG
• By using NETDOM

Since SCONFIG is easier, I used it. I typed SCONFIG in the Command Prompt window, and when SCONFIG opened, I pressed the "1" key.

I then attempted to remove the machine from the domain in order to later re-join it.

I entered the right local credentials:

But no matter what I did, I got an error: "Failed to join domain." (Actually, I tried to get out of a domain, but no matter...)

So I tried using NETDOM. In the Command Prompt window I typed the following command:

    netdom /remove %computername% /domain:petri-labs.local /userd:administrator /passwordd:************

I got an error: "No mapping between account names and security IDs was done. The command failed to complete successfully." I also tried a variation of the username:

    netdom /remove %computername% /domain:petri-labs.local /userd:petri-labs\administrator /passwordd:************

Still, same error.

Rats! And then it hit me. The error I got when attempting to log on by using a domain user account had a clue in it. There was no computer account for the server core machine in Active Directory Users and Computers! So I went to the DC, opened the Active Directory Users and Computers snap-in, and bingo, indeed the computer account was missing. I created the server core computer account by clicking on the "Computers" container > New > Computer.

I created the new computer object with a name that matches the name of the server core machine.

Attempting to leave the domain again succeeded, and I was asked to reboot the machine.

Back in Active Directory Users and Computers, the computer account's object was disabled.

It's worth noting that I only encountered this specific issue on server core machines, and while it's possible that it could happen in GUI-based operating systems such as Windows XP/Vista/7 etc., these will usually let you complete the action even if the computer account was missing.
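A check for the situation described in this article, as an added example (my code, not the article's): run on a DC or an RSAT workstation with the ActiveDirectory module, it confirms that the member's computer account exists and is enabled before anyone reaches for SCONFIG or NETDOM. The computer name 'CORE01' is a placeholder.

```powershell
# Added example, not part of the original article. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-ComputerAccountState {
    param([Parameter(Mandatory)][string]$ComputerName)
    # -Filter instead of -Identity: a missing account yields nothing rather than an error
    $acct = Get-ADComputer -Filter "Name -eq '$ComputerName'" `
                -Properties Enabled, PasswordLastSet, LastLogonDate, OperatingSystem

    if (-not $acct) {
        # The article's case: no object at all, so domain logons fail with the
        # "no computer account for this workstation trust relationship" error and
        # netdom has nothing to map the machine name to.
        $verdict = 'No computer account in AD: create it (or re-join) before trying netdom remove'
    } elseif (-not $acct.Enabled) {
        # The state the article shows after a successful domain leave
        $verdict = 'Account exists but is disabled; the machine is no longer a trusted member'
    } else {
        $verdict = 'Account exists and is enabled; if logons still fail, check the secure channel on the member'
    }

    # $acct properties are $null when no account was found
    New-Object PSObject -Property @{
        Computer        = $ComputerName
        Exists          = [bool]$acct
        Enabled         = [bool]$acct.Enabled
        PasswordLastSet = $acct.PasswordLastSet   # when the DC last saw a machine password change
        LastLogonDate   = $acct.LastLogonDate
        OperatingSystem = $acct.OperatingSystem
        Verdict         = $verdict
    }
}

Test-ComputerAccountState -ComputerName 'CORE01' | Format-List   # 'CORE01' is a placeholder
```

From the member itself, Test-ComputerSecureChannel (Windows 7 / Server 2008 R2 PowerShell) or nltest /sc_verify:<domain> checks the other half of the relationship, the secure channel the member holds towards the DC.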

Prepare your Domain for the Windows Server 2008 R2 Domain Controller
by Daniel Petri - July 19, 2010

Before installing the first Windows Server 2008 R2 domain controller (DC) into an existing Windows 2000, Windows Server 2003 or Windows Server 2008 domain, you must prepare the AD forest and domain. You do so by running a tool called ADPREP.


ADPREP extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 R2 operating system.

Note: You may remember that ADPREP was used on previous operating systems such as Windows Server 2003, Windows Server 2003 R2 and Windows Server 2008. This article focuses on Windows Server 2008 R2.

What does ADPREP do? ADPREP has parameters that perform a variety of operations that help prepare an existing Active Directory environment for a domain controller that runs Windows Server 2008 R2. Not all versions of ADPREP perform the same operations, but generally the different types of operations that ADPREP can perform include the following:
• Updating the Active Directory schema
• Updating security descriptors
• Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder
• Creating new objects, as needed
• Creating new containers, as needed

To prepare the forest and domain for the installation of the first Windows Server 2008 R2 domain controller, perform the following tasks.

Lamer note: The following tasks are required ONLY before adding the first Windows Server 2008 R2 domain controller. If you plan on simply joining a Windows Server 2008 R2 server to the domain and configuring it as a regular member server, none of the following tasks are required.

Another lamer note: Please make sure you read the system requirements for Windows Server 2008 R2. For example, you cannot join a Windows Server 2008 R2 server to a Windows NT 4.0 domain, nor can it participate as a domain controller in a mixed domain. If any domain controllers in the forest are running Windows 2000 Server, they must be running Service Pack 4 (SP4).

First, review and understand the schema updates and other changes that ADPREP makes as part of the schema management process in Active Directory Domain Services (AD DS). Test the ADPREP schema updates in a lab environment to ensure that they will not conflict with any applications that run in your environment. Make a system state backup of your domain controllers, including the schema master and at least one other domain controller from each domain in the forest (you do have backups, don't you?). Also, make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep: you must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.

Next, insert the Windows Server 2008 R2 DVD media into your DVD drive. If you do not have the media handy, you may use the evaluation version that is available for download from Microsoft's website, or an MSDN or TechNet ISO image if you have a subscription to one of them.

Windows Server 2008 Trial Software: http://www.microsoft.com/windowsserver2008/en/us/trial-software.aspx

If you only have the ISO file and do not want to, or cannot, burn it to a physical DVD, you can mount it by using a virtual ISO mounting tool such as MagicIso.

Browse to the X:\support\adprep folder, where X: is the drive letter of your DVD drive, and find a file called adprep.exe or adprep32.exe. Note: Unlike Windows Server 2008, where you had to use either the 32-bit or the 64-bit installation media to get the right version of ADPREP, Windows Server 2008 R2 ADPREP is available in both a 32-bit version and a 64-bit version. The 64-bit version runs by default. If you need to run ADPREP on a 32-bit computer, run the 32-bit version (adprep32.exe).

To perform this procedure, you must use an account that has membership in all of the following groups:
• Enterprise Admins
• Schema Admins
• Domain Admins for the domain that contains the schema master

Open a Command Prompt window by typing CMD in the Run menu and pressing ENTER. Drag the adprep.exe file from the Windows Explorer window to the Command Prompt window. Naturally, if you want, you can always manually type the path of the file in the Command Prompt window if that makes you feel better...

Note: You must run adprep.exe from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

Note: If your existing DCs are Windows Server 2008, dragging and dropping into a Command Prompt window will not work, as that feature was intentionally disabled in Windows Server 2008 and Windows Vista.

In the Command Prompt window, type the following command:

    adprep /forestprep

You will be prompted to type the letter "c" and then press ENTER. After doing so, the process will begin.

ADPREP will take several minutes to complete. During that time, several LDF files will be imported into the AD Schema, and messages will be displayed in the Command Prompt window. File sch47.ldf seems to be the largest one.

When completed, you will receive a success message.

Note: As mentioned above, ADPREP should only be run on an existing DC. When trying to run it from a non-DC, you will get this error:

    Adprep cannot run on this platform because it is not an Active Directory Domain Controller.
    [Status/Consequence]
    Adprep stopped without making any changes.
    [User Action]
    Run Adprep on a Active Directory Domain Controller.

Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2. In the Command Prompt window, type the following command:

    adprep /domainprep

The process will take less than a second.

ADPREP must only be run in a Windows 2000 Native Mode domain or higher. If you attempt to run it in Mixed Mode you will get this error:

    Adprep detected that the domain is not in native mode
    [Status/Consequence]
    Adprep has stopped without making changes.
    [User Action]
    Configure the domain to run in native mode and re-run domainprep

Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2. If you're running a Windows 2008 Active Directory domain, that's it, no additional tasks are needed. If you're running a Windows 2000 Active Directory domain, you must also run the following command:

    adprep /domainprep /gpprep

Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2. If you're running a Windows 2003 Active Directory domain, that's it, no additional tasks are needed. However, if you're planning to run Read-Only Domain Controllers (RODCs), you must also type the following command:

    adprep /rodcprep

If you already ran this command for Windows Server 2008, you do not need to run it again for Windows Server 2008 R2. The process will complete in less than a second.

Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.

To verify that adprep /forestprep completed successfully, perform these steps:
1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2. On Windows Server 2003 you must install the Resource Kit Tools.
2. Click Start, click Run, type ADSIEdit.msc, and then click OK.
3. Click Action, and then click Connect to.
4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.
5. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain, where forest_root_domain is the distinguished name of your forest root domain.
6. Double-click CN=ForestUpdates.
7. Right-click CN=ActiveDirectoryUpdate, and then click Properties.
8. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK.
9. Click ADSI Edit, click Action, and then click Connect to.
10. Click Select a well known Naming Context, select Schema in the list of available naming contexts, and then click OK.
11. Double-click Schema.
12. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties.
13. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value is set to 47, and then click OK.
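The thirteen ADSIEdit steps above as an added script (my code, not the article's). It reads the same attributes through ADSI, so it runs from any domain-joined machine without the AD PowerShell module; the expected values 5 and 47 are the ones the article gives for a Windows Server 2008 R2 forestprep, while the domainprep and rodcprep revisions are reported for information without a stated expectation.

```powershell
# Added example, not part of the original article. Uses plain ADSI ([ADSI] / LDAP://),
# so no ActiveDirectory module is required.
function Get-AdprepStatus {
    param(
        [string]$Server = '',               # optional DC to query (e.g. the schema master); default: any DC
        [int]$ExpectedForestRevision = 5,   # value the article gives for 2008 R2 adprep /forestprep
        [int]$ExpectedSchemaVersion  = 47   # schema objectVersion the article gives for 2008 R2
    )
    $prefix   = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse  = [ADSI]"${prefix}RootDSE"
    $cfgNc    = $rootDse.Get('configurationNamingContext')
    $schemaNc = $rootDse.Get('schemaNamingContext')
    $domainNc = $rootDse.Get('defaultNamingContext')

    # Reads one attribute from one object; $null when the object does not exist
    # (e.g. the RODC update object before adprep /rodcprep has ever been run)
    function Read-Attr([string]$dn, [string]$attr) {
        try { return ([ADSI]"${prefix}$dn").Get($attr) } catch { return $null }
    }

    # Steps 4-8: CN=ActiveDirectoryUpdate,CN=ForestUpdates under the Configuration NC
    $forestRev = Read-Attr "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$cfgNc" 'revision'
    # Steps 9-13: objectVersion on the Schema NC head
    $schemaVer = Read-Attr $schemaNc 'objectVersion'
    # Same pattern for the per-domain marker written by adprep /domainprep
    $domainRev = Read-Attr "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNc" 'revision'
    # And for the forest-wide marker written by adprep /rodcprep
    $rodcRev   = Read-Attr "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$cfgNc" 'revision'

    New-Object PSObject -Property @{
        QueriedVia          = if ($Server) { $Server } else { 'default DC' }
        ForestPrepRevision  = $forestRev
        ForestPrepOk        = ($forestRev -eq $ExpectedForestRevision)
        SchemaObjectVersion = $schemaVer
        SchemaOk            = ($schemaVer -eq $ExpectedSchemaVersion)
        DomainPrepRevision  = $domainRev     # $null until adprep /domainprep has run in this domain
        RodcPrepRevision    = $rodcRev       # $null until adprep /rodcprep has run
    }
}

Get-AdprepStatus | Format-List
```

Run it against the schema master right after /forestprep and against another DC a little later to see that the changes have replicated before you continue with /domainprep.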

Backing Up Group Policy Objects
by Brien Posey - April 10, 2009

Introduction

Not too long ago I got a call from a friend who was having some problems related to group policy objects on his network. My friend made a habit of backing up his domain controllers on a regular basis. Even so, someone in the organization had made some changes to some group policy objects, and my friend needed to return them to their previous state. The catch was that he didn't want to have to perform an authoritative restoration of the entire Active Directory just to recover a few group policy settings.


Fortunately, there is a way that you can back up your group policy settings separately from the rest of the Active Directory. Of course, you have to do this before the need to restore your group policy settings arises.

Backing Up the Group Policy Objects

Begin the process by logging on to a Windows Server 2008 domain controller and opening the Group Policy Management console. Now, navigate through the console tree to Group Policy Management | Forest: <your forest> | Domains | <your domain> | Group Policy Objects. When you do, the details pane should display all of the group policy objects that are associated with the domain. In Figure A there are only two group policy objects, but in a production environment you may have many more.

Figure A

The Group Policy Objects container stores all of the group policy objects for the domain. Now, right-click on the Group Policy Objects container, and choose the Back Up All command from the shortcut menu. When you do, Windows will open the Back Up Group Policy Object dialog box. As you can see in Figure B, this dialog box requires you to provide the path to which you want to store the backup files. You can either store the backups in a dedicated folder on a local drive, or you can place them in a folder on a mapped network drive. The dialog box also contains a Description field that you can use to provide a description of the backup that you are creating.

Figure B

You must provide the path to which you want to store your backup of the group policy objects.

To initiate the backup process, just click the Back Up button. When the backup process completes, you should see a dialog box that tells you how many group policy objects were successfully backed up. Click OK to close the dialog box, and you're all done.

Backing Up Individual Group Policy Objects

In case you're wondering, Windows Server 2008 does allow you to back up individual group policy objects. The process for doing so is very similar to what I just showed you. The difference is that when you select the Group Policy Objects container, shown in Figure A, you would right-click on an individual Group Policy Object rather than on the Group Policy Objects container. From there, you would choose the Back Up command from the shortcut menu. The rest of the process is identical to what you have already seen.

The Anatomy Of The Back Up

When you create a backup, Windows creates individual folders within the target folder. Each of these individual folders bears the GUID of the Group Policy Object that it contains. This is true whether you are backing up an individual Group Policy Object or all of the Group Policy Objects in the entire domain. You can see what the backup folder looks like in Figure C.

Figure C

Windows creates a separate folder for each Group Policy Object.

The Restoration Process

When it comes to restoring a backup of any Group Policy Object, you have two options. The first option is to right-click on the Group Policy Object, and choose the Restore From Backup command from the shortcut menu. When you do this, Windows will remove all of the individual settings from the Group Policy Object, and then implement the settings found in the backup. Your other option is to right-click on the Group Policy Object you want to restore, and choose the Import Settings option. This option works more like a merge than a restore. Any settings that presently reside within the Group Policy Object are retained unless there is a contradictory setting within the file that is being imported.

Conclusion

As you can see, it is pretty simple to back up your Group Policy Objects. Even so, a lot of administrators do not realize the importance of backing up group policy objects separately from backing up the Active Directory.
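The Back Up All, Restore From Backup and Import Settings actions described above, as an added example (my code, not the article's) using the GroupPolicy PowerShell module that ships with the Windows Server 2008 R2 GPMC. It adds the check an unattended backup needs (one GUID folder with a gpreport.xml per GPO, as the Anatomy section describes) and simple retention; the backup root, retention period and GPO names are placeholders.

```powershell
# Added example, not part of the original article. Requires the GroupPolicy module (GPMC).
Import-Module GroupPolicy

function Backup-AllGpo {
    param(
        [Parameter(Mandatory)][string]$Root,   # local or UNC folder, e.g. \\fileserver\GpoBackups (placeholder)
        [int]$KeepDays = 90,                   # how long dated run folders are retained
        [string]$Comment = "Full GPO backup $(Get-Date -Format s)"
    )
    # One dated subfolder per run so earlier backups are never overwritten
    $target = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # Equivalent of right-click Group Policy Objects > Back Up All
    $backups = @(Backup-GPO -All -Path $target -Comment $Comment)

    # As Figure C shows, every GPO gets its own GUID-named folder; each should
    # contain a gpreport.xml describing the settings that were saved.
    $folders = @(Get-ChildItem -Path $target | Where-Object { $_.PSIsContainer })
    $missing = @($folders | Where-Object { -not (Test-Path (Join-Path $_.FullName 'gpreport.xml')) })
    if ($folders.Count -ne $backups.Count -or $missing.Count -gt 0) {
        throw "Backup verification failed in $target - $($backups.Count) GPOs, $($folders.Count) folders, $($missing.Count) without gpreport.xml"
    }

    # Retention: remove dated run folders older than $KeepDays (only folders this script named)
    Get-ChildItem -Path $Root | Where-Object {
        $_.PSIsContainer -and $_.Name -match '^\d{4}-\d{2}-\d{2}_\d{4}$' -and
        $_.CreationTime -lt (Get-Date).AddDays(-$KeepDays)
    } | Remove-Item -Recurse -Force

    # What was backed up: display name, GPO GUID, backup ID and time
    $backups | Select-Object DisplayName, GpoId, Id, CreationTime | Sort-Object DisplayName
}

$latest = Backup-AllGpo -Root 'D:\GpoBackups'   # placeholder path
$latest | Format-Table -AutoSize

# The two restore choices the article describes (the path is the dated run folder):
# 1. Restore From Backup: the GPO's current settings are discarded and replaced by the backup's
#    Restore-GPO -Name 'Default Domain Policy' -Path 'D:\GpoBackups\2010-01-01_0300'
# 2. Import Settings: settings from a backup of one GPO are imported into an existing GPO
#    Import-GPO -BackupGpoName 'Workstation Lockdown' -TargetName 'Workstation Lockdown' -Path 'D:\GpoBackups\2010-01-01_0300'
```

Backup-GPO captures the GPO's settings, not its links or WMI filters, so keep the backup folder's ACL as tight as the GPOs themselves: whoever can write to it controls what a later Restore-GPO puts back.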
