Tag Archives: AD

Non-Authoritative and Authoritative SYSVOL Restore (DFS Replication)

Healthy SYSVOL replication is key for every active directory infrastructure. when there is SYSVOL replication issues you may notice,

1. Users and systems are not applying their group policy settings properly.

2. New group policies not applying to certain users and systems.

3. Group policy object counts is different between domain controllers (inside SYSVOL folders)

4. Log on scripts are not processing correctly

Also, same time if you look in to event viewer you may able to find events such as,

Event Id

Event Description

2213

The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.

Recovery Steps

1. Back up the files in all replicated folders on the volume. Failure to do so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.

2. To resume the replication for this volume, use the WMI method ResumeReplication of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:

wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid=”xxxxxxxx″ call ResumeReplication

5002

The DFS Replication service encountered an error communicating with partner <FQDN> for replication group Domain System Volume.

5008

The DFS Replication service failed to communicate with partner <FQDN> for replication group Home-Replication. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.

5014

The DFS Replication service is stopping communication with partner <FQDN> for replication group Domain System Volume due to an error. The service will retry the connection periodically.

Some of these errors can be fixed with simple server reboot or running commands describe in the error ( ex – event 2213 description) but if its keep continuing we need to do Non-Authoritative or Authoritative SYSVOL restore.

Non-Authoritative Restore

If it’s only one or few domain controller (less than 50%) which have replication issues in a given time, we can issue a non-authoritative replication. In that scenario, system will replicate the SYSVOL from the PDC.

Authoritative Restore

If more than 50% of domain controllers have SYSVOL replication issues, it possible that entire SYSVOL got corrupted. In such scenario, we need to go for Authoritative Restore. In this process, first we need to restore SYSVOL from backup to PDC and then replicate over or force all the domain controllers to update their SYSVOL copy from the copy in PDC.

SYSVOL can replicate using FRS too. This is deprecated after windows server 2008, but if you migrated from older Active Directory environment you may still have FRS for SYSVOL replication. It also supports for Non-Authoritative and Authoritative restore but in this demo, I am going to talk only about SYSVOL with DFS replication.

Non-Authoritative DFS Replication

In order to perform a non-authoritative replication,

1) Backup the existing SYSVOL – This can be done by copying the SYSVOL folder from the domain controller which have DFS replication issues in to a secure location.

2) Log in to Domain Controller as Domain Admin/Enterprise Admin

3) Launch ADSIEDIT.MSC tool and connect to Default Naming Context

4) Brows to DC=domain,DC=local > OU=Domain Controllers > CN=(DC NAME) > CN=DFSR-LocalSettings > Domain System Volume > SYSVOL Subscription

5) Change value of attribute msDFSR-Enabled = FALSE

6) Force the AD replication using,

repadmin /syncall /AdP

7) Run following to install the DFS management tools using (unless this is already installed),

Add-WindowsFeature RSAT-DFS-Mgmt-Con

8) Run following command to update the DFRS global state,

dfsrdiag PollAD

9) Search for the event 4114 to confirm SYSVOL replication is disabled.

Get-EventLog -Log "DFS Replication" | where {$_.eventID -eq 4114} | fl

10) Change the attribute value back to msDFSR-Enabled=TRUE (step 5)

11) Force the AD replication as in step 6

12) Update DFRS global state running command in step 8

13) Search for events 4614 and 4604 to confirm successful non-authoritative synchronization.

All these commands should run from domain controllers set as non-authoritative.

Authoritative DFS Replication

In order to perform to initiate authoritative DFS Replication,

1) Log in to PDC FSMO role holder as Domain Administrator or Enterprise Administrator

2) Stop DFS Replication Service (This is recommended to do in all the Domain Controllers)

3) Launch ADSIEDIT.MSC tool and connect to Default Naming Context

4) Brows to DC=domain,DC=local > OU=Domain Controllers > CN=(DC NAME) > CN=DFSR-LocalSettings > Domain System Volume > SYSVOL Subscription

5) Update the given attributes values as following,

msDFSR-Enabled=FALSE

msDFSR-options=1

6) Modify following attribute on ALL other domain controller.

msDFSR-Enabled=FALSE

7) Force the AD replication using,

repadmin /syncall /AdP

8) Start DFS replication service in PDC

9) Search for the event 4114 to verify SYSVOL replication is disabled.

10) Change following value which were set on the step 5,

msDFSR-Enabled=TRUE

11) Force the AD replication using,

repadmin /syncall /AdP

12) Run following command to update the DFRS global state,

dfsrdiag PollAD

13) Search for the event 4602 and verify the successful SYSVOL replication.

14) Start DFS service on all other Domain Controllers

15) Search for the event 4114 to verify SYSVOL replication is disabled.

16) Change following value which were set on the step6. This need to be done on ALL domain controllers.

msDFSR-Enabled=TRUE

17) Run following command to update the DFRS global state,

dfsrdiag PollAD

18) Search for events 4614 and 4604 to confirm successful authoritative synchronization.

Please note you do not need to run Authoritative DFS Replication for every DFS replication issue. It should be the last option.

Hope this was useful and if you have any questions feel free to contact me on rebeladm@live.com

Step-by-Step Guide to enable Azure AD Domain Services

Azure AD, Azure AD Domain Services, On-premises Active Directory, AD-sync ….. All these terms are now start to appear on most of now a days infrastructure projects. Based on the questions I get from the blog also represent still engineers struggle how to implements Azure services with their needs and how to get best benefits out from it. So this article also a series of articles I was doing to cover up Azure AD related services and how to use these services to enhanced your current infrastructure operations.

Azure AD Domain Services

Azure AD Domain Services is in preview for a while now (6 months). Azure AD Domain Services is a managed domain service which provides group policy, LDAP, NTLM/Kerberos Authentication without need of “Domain Controller” in your azure cloud setup.

If you have “cloud-only” service with Azure, this service will allow you to manage your azure identities more affectively. You can deploy the azure ad domain services in to the same virtual network your other IaaS workloads runs. Then these VM can connect to the Azure AD as typical domain join servers and can control those centrally. Also can apply group policies if you like.

If its hybrid setup you can sync your on-premises identities to the cloud and use those along with the azure Iaas workloads.

These are the main features of Azure Active Directory Domain Services (From: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-ds-features/)

•    Simple deployment experience: You can enable Azure AD Domain Services for your Azure AD tenant using just a few clicks. Regardless of whether your Azure AD tenant is a cloud-tenant or synchronized with your on-premises directory, your managed domain can be provisioned quickly.
•    Support for domain-join: You can easily domain join computers in the Azure virtual network that Azure AD Domain Services is available in. The domain join experience on Windows client and Server operating systems works seamlessly against domains serviced by Azure AD Domain Services. You can also use automated domain join tooling against such domains.
•    One domain instance per Azure AD directory: You can create a single Active Directory domain for each Azure AD directory.
•    Create domains with custom names: You can create domains with custom names (eg. contoso.local) using Azure AD Domain Services. This includes both verified as well as unverified domain names. Optionally, you can also create a domain with the built-in domain suffix (i.e. *.onmicrosoft.com) that is offered by your Azure AD directory.
•    Integrated with Azure AD: You do not need to configure or manage replication to Azure AD Domain Services. User accounts, group memberships and user credentials (passwords) from your Azure AD directory are automatically available in Azure AD Domain Services. New users, groups or changes to attributes ocurring in your Azure AD tenant or in your on-premises directory are automatically synchronized to Azure AD Domain Services.
•    NTLM and Kerberos authentication: With support for NTLM and Kerberos authentication, you can deploy applications that rely on Windows Integrated Authentication.
•    Use your corporate credentials/passwords: Passwords for users in your Azure AD tenant work with Azure AD Domain Services. This means users in your organization can use their corporate credentials on the domain – for domain joining machines, logging in interactively or over remote desktop, authenticating against the DC etc.
•    LDAP bind & LDAP read support: You can use applications that rely on LDAP binds in order to authenticate users in domains serviced by Azure AD Domain Services. Additionally, applications that use LDAP read operations to query user/computer attributes from the directory can also work against Azure AD Domain Services.
•    Group Policy: You can leverage a single built-in GPO each for the users and computers containers in order to enforce compliance with required security policies for user accounts as well as domain joined computers.
•    Available in multiple Azure regions: See the Azure services by region page to know the Azure regions in which Azure AD Domain Services are available.
•    High availability: Azure AD Domain Services offer high availability for your domain. This offers the guarantee of higher service uptime and resilience to failures. Built-in health monitoring offers automated remediation from failures by spinning up new instances to replace failed instances and to provide continued service for your domain.
•    Use familiar management tools: You can use familiar Windows Server Active Directory management tools such as the Active Directory Administrative Center or Active Directory PowerShell in order to administer domains provided by Azure AD Domain Services.

In my demo today I am going to show how to enable Azure AD Domain Services and how to configure it properly for cloud-only IaaS setup.

I have created Azure AD instance called REBELADMIN already. I will be using it during the demo.

Setup Azure Virtual Network

I am going to show how to setup new azure virtual network. The azure AD domain service instance also need to assign to the same virtual network as your other service run in order to integrate those resources.

1) In Azure Classic Portal click on “Networks” option in left side.

2) Then click on “Create a Virtual Network”

3) In wizard type the name for the virtual network and select the location, then click on proceed button to go to next step

4) In next page, I am not going to define any DNS servers as I will setup it in later time in this demo, click on proceed button

5) In next window it will show the address space, you can either customize or proceed with default. I am going to use default.

6) After proceed, its created the new virtual network successfully

Enable Azure AD Domain Service

Now we got the virtual network setup. Next step is to enable the domain service.

1) Click on the Azure AD directory instance which needs to enable Azure AD Domain Service (if you not done yet you can do it using New > App Services > Active Directory > Directory )

2) Then click on “Configure”

3) Under the “Domain Services” click on “Yes” button to enable the domain services.

4) DNS Domain name of domain services – This option to define the dns domain name. If you do not have domain setup you still can use default azure name which is ends up with onmicrosoft.com.
Connect domain service to this virtual network – in here you can define which virtual network domain service should assign to. I have selected the new virtual network created on previous step.
After changes click on “Save”

5) Then it will start to activate the service.

6) Currently it takes like 30 minutes to get service enabled. Once its setup we can see the DNS server ip address appears. This is important as we need to add these in to virtual network in order to join servers to domain.

Add DNS server details into Virtual Network

1) Click on the virtual network where Azure AD domain service also associated with.

2) Click on the configure and then add the DNS server info

3) Click on Save to submit the changes

Create “AAD DC Administrator” group

Since Azure AD Domain service is managed service you will not get domain admin or enterprise administrator privileges to the Ad instance. But you allowed to create this group and all the members of this group will be granted with administrator privileges to the domain join servers (This group will added to the administrators group in domain join servers).

In order to do that need to load the Azure AD instance again,

1) Click on the relevant Azure AD instance.

2) Click on the “Groups” and then Add Group

3) Then in next window type the group name as “AAD DC Administrators” and type as “Security” then click on proceed button. Please note you must use the text on same format in order to get enable this group.

4) Then you can add the member as you prefer

With this our initial configuration is done. The next step is to enable password synchronization to allow users to use their cooperate logins to log in to the domain. I will explain it on my next post as another step-by-step guide.

If you have any questions about the post feel free to contact me on rebeladm@live.com

The Active Directory Replication Status Tool (ADREPLSTATUS)

Healthy Active directory replication is important for active directory infrastructure. REPADMIN is command line utility which can use to check the AD replication status. I wrote an article before about common replication errors and how to use these command line utilities for troubleshooting. If you till not read it you can find it in here.

The Active Directory Replication Status Tool (ADREPLSTATUS) is a small but handy tool Microsoft published which can use to analyze the replication status of active directory environment. The output is similar to output of command REPADMIN /SHOWREPL * /CSV but with few enhancements.

Specific capabilities for this tool include:

    • Expose Active Directory replication errors occurring in a domain or forest
    • Prioritize errors that need to be resolved in order to avoid the creation of lingering objects in Active Directory forests
    • Help administrators and support professionals resolve replication errors by linking to Active Directory replication troubleshooting content on Microsoft TechNet
    • Allow replication data to be exported to source or destination domain administrators or support professionals for offline analysis

System Requirement

Domain membership requirements:

• Must be joined to the Active Directory domain or forest you intend to monitor
.NET Framework requirements:
• .NET Framework 4.0 (you may be prompted to install .NET Framework 3.5.1 first on Windows Server 2008)

Required User Credentials:

• Target forest/domain user account

Other Requirements:

ADREPLSTATUS will not work when the following security setting is enabled on the operating system:
• System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms

The tool can be download from https://www.microsoft.com/en-gb/download/details.aspx?id=30005

Installation

It is very straight forward. All need to do is double click on the file.

Once install, double click on the icon to run the application.

Once tool is loaded, you can check the replication on entire forest or specific domains.

After you specify the replication boundaries, click on refresh replication status button. It will discover the current configuration and replication status.

If you required you can export the data to xps or csv format.

hope this info helps. If you have any questions feel free to contact me on rebeladm@live.com

Step by Step Guide to downgrade domain and forest functional level

Till Windows server 2008 R2, forest and domain functional level are not possible to downgrade once it’s upgraded. Well it’s not a problem if you properly plan you active directory upgrades. But sometime it’s save life with difficulties admins face with AD upgrades. With starting windows server 2008 R2 you can downgrade forest and function levels. The minimum level it can downgrade is windows server 2008.

In here on my demo I am using domain controller with forest and domain function level set to windows 2012 R2.

There is no GUI to perform this downgrade. We have to use PowerShell commands to do it.

First, log in to the domain controller as domain admin / Enterprise admin.

Then load PowerShell with Admin rights.

Then we need to import the AD module.

To do that type Import-Module -Name ActiveDirectory

Before proceed as confirmation here my domain and forest function levels are set to windows server 2012 R2.

First I am going to set forest function level to windows server 2008.
To do that,

Set-ADForestMode –Identity “CANITPRO.com” –ForestMode Windows2008Forest

In here my FQDN is CANITPRO.com you can replace it with your domain name.
After run the command ask for the confirmation, type Y or A to confirm the change.

Next step is to downgrade the domain function level to windows server 2008.
To do that,

Set-ADDomainMode –Identity “CANITPRO.com” –DomainMode Windows2008Domain

After successfully commands, next step is to confirm the new forest and domain function levels. This time I am using PowerShell.

If you have any questions feel free to contact me on rebeladm@live.com

How to fix error “No mapping between account names and security IDs” in Active Directory

Happy New Year to all my blog reader! It’s been quite time for the blog as I was stuck on some projects. With New Year I am back in blogging.

Today I am going to show how to fix the Active directory group policy related error. The relevant event viewer error code is 1202.

It can be in either on domain controllers itself or the local computers. It will be visible in Event viewer > Windows Logs > Application Log

So what is this error about?

As it describes in error it’s saying no mapping between account names and security IDs. Which means there is a GPOs setting which used for domain computers, controllers with orphaned account details. Those accounts couldn’t resolved to correct SID.

How it is possible?

Well there is only two possibilities.
1) The relevant account used in the GPO is removed from AD.
2) Within the GPO the account name is typed incorrectly.

Microsoft done great job on the event log explaining how to fix that error. But let’s see how we really can trigger down the problem.

The first thing we need to do is find out the accounts which have problems with.

To find it need to run command from the domain controller as domain administrator

FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

Oh, it is saying no log file. It is because its not enabled. To do it go to regedit,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

And then double click on key ExtensionDebugLevel and set it to 2.

If the log is created first time, we need to wait for some time till it collect the logs.

Then let’s try again same command.

This time it shows canitpro_prg1 is the account. So next step is to find where it is used.

To do it run RSoP (Resultant Set of Policy) mmc to identify the source GPO that contain the problems.

To do it go to Run > RSoP.msc > Enter

Then in result window it shows problem is stick with the computer configuration

Then when go to Computer Configuration > Security Settings > Local Policies > User Rights Assignment it shows log on as a service got the faulty account applied.

So let’s see if this account exist in AD.

As can see its not existing in AD, the error is clear. To fix the issue we need to remove this account from the list. Once you done that, make sure you run gpupdate /force to apply the new policy setting.

If you have any question about article feel free to contact me on rebeladm@live.com

Step-by-Step Guide to install Active Directory on Windows server technical preview 2

Microsoft released Windows Server 2016 Technical Preview 2 for the public. I am sure most of you already got the news. In this article I am going to demonstrate how we can install AD in Windows server 2016 TP2.

You can download windows 2016 TP2 from https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-previewit

You can deploy it using .iso or .vhd file. If you notice, installation no longer allows to select the GUI option during the installation. It gives 2 options to select from, one is goes as core version and the one with administrative tools gives ability to use admin tools such as server manager. If you like to install GUI you need to install it using server manager or using command Install-WindowsFeature Server-Gui-Shell –Restart -Source wim:E:\sources\install.wim:4

In here E: is the DVD with the windows server 2016 source files.

What is new in AD DS?

Well it may be too early to look for what is going to be in windows server 2016 in AD end. But here is the few new features, enhancements available for TP.

Privileged Access Management – This PAM feature allows to mitigate security concerns in AD environment which cause by techniques such as pass-the-hash, spear fishing etc.

Azure AD Join – This enhance identity experience for businesses. Including benefits such as SSO, access organizational resources, MDM integration etc.

Microsoft Passport – Microsoft Passport is a new key-based authentication approach organizations and consumers that goes beyond passwords. This form of authentication relies on breach, theft, and phish-resistant credentials.

Deprecation of File Replication Service (FRS) and Windows Server 2003 functional levels – Although File Replication Service (FRS) and the Windows Server 2003 functional levels were deprecated in previous versions of Windows Server, it bears repeating that the Windows Server 2003 operating system is no longer supported. As a result, any domain controller that runs Windows Server 2003 should be removed from the domain. The domain and forest functional level should be raised to at least Windows Server 2008 to prevent a domain controller that runs an earlier version of Windows Server from being added to the environment.

Complete description about these features can find on https://technet.microsoft.com/en-us/library/mt163897.aspx

Let’s gets started. In here my demo I am using windows server 2016 TP2 with GUI.
Log in to server as administrator. Then load server manager.

Then go to Manage > Add Roles and Features

In the wizard click on next.

In installation type selection, let the default selection run and click on next.

For the server selection leave the default and click on next.

From the role selection window select “Active Directory Domain Services” click next. Then it will ask to add the dependent features. Click on add features button. Then click next.

In the features selection will keep the default selection and then click next to continue.

Then it gives description window about AD DS. Click next to proceed.

Then in next window click on install button to install AD DS role.

Once it is finished, click on link “Promote this server to a domain controller”

Then it will open up the new wizard for the AD DS configuration. In here I am going to deploy new forest, so do the relevant selection and fill information and click on next.

In next window select the forest function and domain function level, to “Windows server technical preview” and then add the domain controller capabilities such as DNS, then submit the DSRM password and click next.

Then click next to complete DNS delegation.

In next window we can specify the Netbios name and then click next to continue.

In next window select the paths for database installation etc. then click next.

Then it gives option to review the configuration, and click next to continue.

Once prerequisite check is done, click on install to proceed.

Then it starts the installation process. It will reboot server automatically once completed.
Once reboot, we can see AD DS is configured and functioning as expected.

This completes installation process. The steps are very similar to with AD DS installation on windows server 2012.

If you have any issues feel free to contact me on rebeladm@live.com

Step-by-Step Guide to setup windows azure active directory – Part 01

This is the start of series of post which will explain installation and configuration of WAAD. In previous article I explain about the WAAD and its features. If you not read it yet you can find it here.

Windows Azure Active Directory (WAAD)

In this post I will demonstrate how we can do the WAAD initial setup. As explain on previous post Azure AD comes with 3 versions. Once you subscribed with required version, to setup log in to Azure Management Portal.

Then click on +New button on the left hand bottom corner.

Then go and click on App Services > Active Directory > Directory

Then click on Custom Create to create WAAD instance with your requirements.

Once click on it will open a form. In here “Name” field refer to the instance name. “Domain Name” should be unique name. Initially it create with .onmicrosoft.com extension. But later you can change it to domain name your organization already using.

Once these info are filed in click on complete button.

Once it’s complete it can see on the portal as active.

Then if you click on selected instance it will bring you to the page where you can configure the WAAD instance.

As the first configuration we need to add the domain to match with our existing organization. Because on setup it uses a name with .onmicrosoft.com extension. To do this click on domains tab.

Then once load click on “Add a custom domain”

In new wizard, put the domain name to match with local active directory domain. In here later i will configure SSO with local AD. So I selected that option too. Once information are type in click on add to continue.

Once it’s done it will list on the page. But as we can see here it’s not yet “verified” and set as “primary domain”. To do that we need to do the AD integration with local organization. In next post let’s see how we can do that.

If you have any questions about the post feel free to contact me on rebeladm@live.com

Active Directory in Hybrid Cloud

“Cloud”, the most common term now in IT, its everywhere . Companies which provides IT services bringing their products and services in to the cloud rapidly. “Hosting services” was the first industry affect with it and now its spread to even small companies, individual professionals. With introduce of everyday products like Microsoft office365 every one start to understand the benefits of the “cloud”. Some organizations are use their own private cloud while some are completely move in to public cloud services.

One of the main concern people had about cloud was how they can bring there infrastructure services, resources, applications without impact to productivity. For example most organizations uses Single-Sign-On (SSO) to reduce the complexity of the authentication and authorization process. After we move organization’s resources, products, services to cloud if SSO do not work it still preventing full benefits of the cloud in end user prospective. The same time it will make impact on productivity directly. This access control and authentication concerns are more applying in to “Hybrid Cloud” systems. In Hybrid cloud some resources, services, application will run on-premises and some will be run from public cloud or private cloud setup in data center. This is the most commonly used cloud model in industry.

One of the solution used to address this is federation services. But issue is not every application or products uses same standards, protocols for identity management. As we know most of available products supports integration with AD services. Even Microsoft gives relevant tools, techniques to succeed with SSO on application development. So if you have working infrastructure system with all company requirement, how you convince management to move in to cloud system which will needs to deal with identity and access issues?

Well, Microsoft has found the solution for this. “Microsoft cloud – Azure” and windows server 2012 allows to extend the active directory in to the cloud. It allows to use claim based authorization. We can use windows azure AD as the identity store for the hybrid cloud and easily integrate other systems such as web portals, email system, crm, non-Microsoft apps. Also it can sync with the on-premises windows server active directory using “DirSync (Windows Azure Active Directory Sync Agent)” with AD FS (Active Directory Federation Services).

In next posts let’s see how we can configure Azure AD and how it works with integration. If you have any question about post feel free to contact me on rebeladm@live.com

Image Source: http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-98-54-metablogapi/clip_5F00_image001_5F00_1E3725C4.png

Step-by-Step Guide to clone a Domain Controller

From Windows server 2012 Microsoft introduce feature to allow clone on domain controller. It helps to quickly restore a domain controller in event of failure and also it helps to deploy test environments easily when needed.

In previous, if you clone a domain controller, it will not allow to deploy on same domain or the forest without running sysprep to remove security information before cloning. Then afterwards you need to promote the domain manually. But now when clone domain controller it will do the sysprep and promote process automatically.

For the demo purpose I am using a windows 2012 R2 domain controller which is deployed in Hyper-V environment.

1) Log in to the Source Domain controller as Domain admin or Enterprise administrator
2) Go to Server Manager > Tools > Active Directory Users and Computers

3) Then go to “Domain Controllers” OU. Select the DC needs to clone and right click to select properties.

4) Go to member of tab and click on Add.

5) Then add security group Cloneable Domain Controllers and click ok.

6) Close the mmc and load the windows PowerShell with admin rights. Then type and enter Get-ADDCCloningExcludedApplicationList . This will check the system if there is program which will not compatible with the clone process.

7) If it’s comes up with list make sure those services are removed before clone.
8) After cleanup process type
New-ADDCCloneConfi gFile –Static -IPv4Address “10.10.10.7” -IPv4DNSResolver “10.10.10.2” -IPv4SubnetMask “255.255.255.0” –CloneComputerName “DC2” -IPv4DefaultGateway “10.10.10.1” -SiteName “Default-First-Site-Name”

In here I specify the ip address information it (the clone server) will hold. Also the computer name and site name.

9)    Once its pass and completed the process, exit from the console and the server.
10)    For next steps we need to turn off the source domain controller. So before proceed make sure organization is aware about the downtime and the impact.
11)    Load the Hyper-V manager and right click on the DC which needs cloning. Then select Turn-off.

12) Once its turn off, right click on DC and select export. Then select the path to save the export file.

13) Once export process is completed, right click on the source dc and click on start.
14) Then in Hyper-V go to Action > Import Virtual Machine

15) It will open up the import wizard and click next to continue.

16) In next window specify the folder path to the exported DC. Then click next.

17) Next window to select the DC and click next

18) In next window from the list select “Copy the virtual machine (create a new unique ID )” option can click next.

19) In next window it ask for the VM path. You can leave default or the different path based on your requirement. Once done click on next.

20) Next it’s ask for storage folder. Again it can change as per requirement. Once done click next.

21) Then it gives a summary page. Click on finish to start the import process.

22) Once import is completed, right click on the clone dc and click on start.
23) It will runs under several stages preparing the AD.

24) Once process is completed, l logged in to the server as domain admin. In Domain controller OU I can see the new clone dc. Also under site and services I can see the cloned dc located correctly.

This is the end of the post and if there is any question feel free to contact me on rebeladm@live.com

Active Directory Database, SYSVOL and System State

When I talk to administrators, network engineers about the active directory issues, errors most of the time they know how to install an active directory and how to work with in active directory environment but when I ask about terms like AD database, SYSVOL, System state most of the time I get wrong answer or incomplete answer. Most of the time engineers will not care about these until they go in to disaster recovery process of crashed active directory environment. But if you do not know the use of these and value of these you will not be able to properly plan for disaster recovery in AD environment. I have seen people who had spent thousands of dollars on backup solutions and still couldn’t recover AD in disaster as they didn’t properly backup AD with required components.

Active Directory Database

As soon as people here “database” they think about software like Microsoft SQL, MySQL, Oracle etc. because we used to deploy a “database server” first and then add the “databases” to it. But here it’s quite different. Active directory database uses the “Extensible Storage Engine (ESE)” which is an indexed and sequential access method (ISAM) database. It is uses record-oriented database architecture which provides extremely fast access to records. ESE indexes the data in the database file. This database file can grow up to 16 terabyte and hold over 2 billion records.

The default active directory database file location is C:\Windows\NTDS. This file location can easily change during the active directory installation. As a best practice it is always good if it can be save in different hard disk partition rather than operating system partition.

Let’s look in to the files in the folder and use of them.

Ntds.dit – This is the physical active directory database file. This is where all the active directory data stored. It holds domain info, schema info and configuration info. Mainly it contain 3 tables.
1)    Link table
2)    Data table
3)    Security Depositor table

Edb.log – in here we can see the few log files starts with edb*. Each of them are 10mb or less in size. It is the transaction log maintain by system to store the directory transaction before write in to the database file.

Edb.chk – it is the file to keep track of data transaction committed in to database from log files (Edb*.log).

Temp.edb – This is used during the active directory database maintenance to hold data and also to store info about large in-progress AD data transactions.

Res1.log and Res2.log – Even we can’t see it in this example this is a file type which will store log entries if edb.log file full.

SYSVOL

SYSVOL is a shared folder which contains files which is common for the domain. This share will be created automatically when set up the DC. The default file location is C:\Windows\SYSVOL but it can be change during the DC setup.

Let’s see what sort of data sysvol folder will have.

Group Policies – Group policies will use to manage user and computers based on company requirements. It can be to control computer application, security, network behaviors etc. Those will apply to computer accounts when those are restarted and connect to the domain. User policies will apply when they log in to domain computers.

Login Scripts – It also used to store login scripts for the domain users. Those are load when users log in to domain computer. It can be batch file, PowerShell script or vbscript.

Staging folders – This is used to sync data and files between domain controllers.

File system junctions – an isolated location in hard disk which refers to the data located in different partition, or different storage device.

System State

All most all backup solution allows you to backup “system states” in windows environment. When I ask some engineers “how you backup dc?” most of them says you need to backup system state. But how many of you know what exactly system state have?

It includes the following list of files and data.

Active Directory DC Database file (ntds.dit)
SYSVOL folder and its files
Certificate Store
User Profiles
IIS metabase
Boot files
DLL cache folder
Registry info
COM+ and WMI info
Cluster service info
Windows Resource Protection system files

So if you looking to backup domain controller you need to back up the system state. The size of the system state backup depend of the size of the above files and folders.

In this article I was trying to explain what active directory database, sysvol and system state terms means. If you have any question feel free to contact me on rebeladm@live.com