Tag Archives: domain functional level

Active Directory Protected Users Security Group

Active Directory is a great tool, no doubt about it: administrators use it to manage the resources in their infrastructure. But at the same time, if someone gains access to a privileged AD account, they can easily use it across every domain-joined resource. So protecting the AD infrastructure is critical.

Microsoft keeps adding security features to Active Directory Domain Services to protect infrastructures against emerging threats. The "Protected Users" group is one such feature, introduced with Windows Server 2012 R2 to protect high-value accounts. The advantage of this feature is that members of the group get non-configurable protection automatically, which I think is a good thing for a security feature. When there are configurable options, admins change them to make their lives easier and sometimes lose the whole point of the control. With this group the only way to change the protection for an account is to remove it from the group.

To use this feature, the PDC emulator role must be held by a domain controller running Windows Server 2012 R2 (the group is created when that role is transferred to a 2012 R2 DC). The domain-controller-side protections listed below require the Windows Server 2012 R2 domain functional level, and the device-side protections apply only when the member signs in from a device running Windows 8.1 or Windows Server 2012 R2 or later.

What does it do?

According to Microsoft,

1.    The member of the Protected Users group cannot authenticate by using NTLM, Digest Authentication, or CredSSP. On a device running Windows 8.1, passwords are not cached, so the device that uses any one of these Security Support Providers (SSPs) will fail to authenticate to a domain when the account is a member of the Protected User group.
2.    The Kerberos protocol will not use the weaker DES or RC4 encryption types in the pre-authentication process. This means that the domain must be configured to support at least the AES cipher suite.
3.    The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users group.
4.    The default Kerberos Ticket Granting Tickets (TGTs) lifetime setting of four hours is configurable by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center (ADAC). This means that when four hours has passed, the user must authenticate again.

Service accounts and computer accounts should not be added to this group: the protections above (no NTLM, no RC4/DES Kerberos keys, no delegation, short TGT lifetime) break the way those accounts authenticate.
This table lists the properties of the group:

Attribute | Value
Well-known SID/RID | S-1-5-21-<domain>-525
Type | Domain Global
Default container | CN=Users, DC=<domain>, DC=
Default members | None
Default member of | None
Protected by ADMINSDHOLDER? | No
Safe to move out of default container? | Yes
Safe to delegate management of this group to non-service admins? | No
Default user rights | No default user rights

How to add members to the group?

To add a user:

1)    Log in to the domain controller as a Domain Admin or Enterprise Admin.
2)    Go to Server Manager > Tools > Active Directory Users and Computers.
3)    Under "Users" you will find the "Protected Users" group.
4)    Double-click it to open the group properties; under the "Members" tab you can add users and groups.
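The same membership change from PowerShell, with the prerequisite checks from this post done up front, as an added example that is not part of the original post. It assumes the ActiveDirectory module (RSAT or a Windows Server 2012 R2 DC) and a Domain Admins account; the account names in $candidates are placeholders.

```powershell
# Added example, not part of the original post: add accounts to Protected Users from
# PowerShell after checking the prerequisites described above. Assumes the
# ActiveDirectory module (RSAT / Windows Server 2012 R2) and a Domain Admins account.
# The sAMAccountNames in $candidates are placeholders.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = Get-ADDomainController -Identity $domain.PDCEmulator

# The group only exists once the PDC emulator runs Windows Server 2012 R2 or later.
if ($pdc.OperatingSystem -notmatch 'Windows Server (2012 R2|2016|2019|2022|2025)') {
    throw "PDC emulator $($pdc.HostName) runs '$($pdc.OperatingSystem)'; move the PDC emulator to a 2012 R2 or later DC first"
}

# DC-side protections (no NTLM, no RC4/DES, no delegation, 4-hour TGT) need DFL 2012 R2,
# which is value 6 of the ADDomainMode enumeration. Below that only device-side protection applies.
if ([int]$domain.DomainMode -lt 6) {
    Write-Warning "Domain functional level is $($domain.DomainMode); only device-side protection will apply"
}

# Resolve the group by its well-known RID (525) rather than by display name.
$protectedUsers = Get-ADGroup -Identity "$($domain.DomainSID.Value)-525"

$candidates = 'adm-jsmith', 'adm-jdoe'   # placeholder privileged accounts
foreach ($name in $candidates) {
    $acct = Get-ADUser -Identity $name -Properties servicePrincipalName
    # An account with SPNs registered is almost certainly a service account; Protected
    # Users would break its Kerberos service logons. Computer accounts are already
    # excluded because Get-ADUser only returns person objects.
    if ($acct.servicePrincipalName.Count -gt 0) {
        Write-Warning "$name has SPNs registered and looks like a service account; skipping"
        continue
    }
    Add-ADGroupMember -Identity $protectedUsers -Members $acct
}

# Confirm membership. The protections apply the next time the account obtains a TGT,
# so have the users log off and on. Keep at least one break-glass admin out of the group
# so you can still log on with NTLM or from an older host if Kerberos is unavailable.
Get-ADGroupMember -Identity $protectedUsers | Select-Object Name, SamAccountName
```

Binding the group by RID 525 rather than by name means the script keeps working if the group has been renamed or moved out of CN=Users, which the table above says is safe to do.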

Hope this help, If you have any questions about the post feel free to contact me on rebeladm@live.com

Step by Step Guide to downgrade domain and forest functional level

Before Windows Server 2008 R2, once the forest or domain functional level had been raised it could not be lowered again. That is not a problem if you plan your Active Directory upgrades properly, but being able to go back can save the day when an upgrade runs into difficulties. Starting with Windows Server 2008 R2 you can lower the forest and domain functional levels; the lowest level you can go back to is Windows Server 2008. Two conditions apply: the forest functional level cannot be lowered below Windows Server 2008 R2 once the Active Directory Recycle Bin has been enabled, and a domain's functional level can never be lower than the forest functional level, so the forest is lowered first.

In this demo I am using a domain controller with the forest and domain functional levels set to Windows Server 2012 R2.

There is no GUI for this downgrade; it has to be done with PowerShell.

First, log in to the domain controller as a Domain Admin / Enterprise Admin (lowering the forest functional level requires Enterprise Admins).

Then open PowerShell with administrator rights and import the AD module. To do that, type Import-Module -Name ActiveDirectory

Before proceeding, as confirmation: here my domain and forest functional levels are set to Windows Server 2012 R2.

First I am going to set the forest functional level to Windows Server 2008. To do that, run:

Set-ADForestMode -Identity "CANITPRO.com" -ForestMode Windows2008Forest

Here my forest root FQDN is CANITPRO.com; replace it with your own. The command asks for confirmation; type Y or A to confirm the change.

The next step is to lower the domain functional level to Windows Server 2008. To do that, run:

Set-ADDomainMode -Identity "CANITPRO.com" -DomainMode Windows2008Domain

After both commands succeed, the next step is to confirm the new forest and domain functional levels. This time I am using PowerShell (Get-ADForest and Get-ADDomain report them as ForestMode and DomainMode).
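The whole procedure as one script, as an added example that is not part of the original post. It adds the two checks described above (Recycle Bin state, forest before domain) and reads the forest and domain names from the directory instead of hard-coding CANITPRO.com. It assumes the ActiveDirectory module and an Enterprise Admins account.

```powershell
# Added example, not part of the original post: lowers the forest and then the domain
# functional level to Windows Server 2008 with the checks the text describes.
# Assumes the ActiveDirectory module and an Enterprise Admins account; the
# forest root and domain names are read from the directory rather than hard-coded.
Import-Module -Name ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
"Before: forest = $($forest.ForestMode), domain = $($domain.DomainMode)"

# Once the Recycle Bin optional feature is enabled the forest cannot go below 2008 R2.
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($recycleBin.EnabledScopes.Count -gt 0) {
    throw "AD Recycle Bin is enabled; the forest functional level cannot be lowered below Windows2008R2Forest"
}

# Forest first: a domain's level may never be lower than the forest's, so lowering the
# domain while the forest is still at 2012 R2 would fail.
Set-ADForestMode -Identity $forest.Name -ForestMode Windows2008Forest -Confirm:$false
Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode Windows2008Domain -Confirm:$false

# Re-read the values to confirm the change took effect.
$forest = Get-ADForest
$domain = Get-ADDomain
"After:  forest = $($forest.ForestMode), domain = $($domain.DomainMode)"
```

-Confirm:$false suppresses the Y/A prompt shown in the screenshots; drop it if you want the interactive confirmation back.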

If you have any questions feel free to contact me on rebeladm@live.com

Domain In-Place Upgrade Method

It is important to keep domain environments on the latest version: it lets organizations use the new features and enhancements in the newer directory services. Typically, when we upgrade from an old DC to a new version, we add a new server (or servers) to the same network, join it to the existing forest and domain, promote it to a DC and move the roles to the new system. Later we demote the old DC, and once all legacy domain controllers are demoted we raise the forest and domain functional levels. This is the seamless and preferred method; we call it the swing-server upgrade method.

But because of limitations on budget and resources, not every organization can go with the swing-server method. That can be addressed with the in-place upgrade method, in which we upgrade the operating system of the running domain controller itself.

The in-place upgrade paths currently available are Windows Server 2008 SP2 to Windows Server 2012, and Windows Server 2008 R2 SP1 to Windows Server 2012 or Windows Server 2012 R2; the table below lists the Windows Server 2012 targets. Be aware that you cannot use an in-place upgrade from Windows Server 2003 or from 32-bit versions of Windows Server 2008; from those you must use the swing-server method. An in-place upgrade from Windows Server 2008 R2 Server Core to Windows Server 2012 Server Core is also not supported.

Current version | Version it can be upgraded to
Windows Server 2008 Standard with SP2, Windows Server 2008 Enterprise with SP2 | Windows Server 2012 Standard or Datacenter
Windows Server 2008 Datacenter with SP2 | Windows Server 2012 Datacenter
Windows Web Server 2008 | Windows Server 2012 Standard
Windows Server 2008 R2 Standard with SP1, Windows Server 2008 R2 Enterprise with SP1 | Windows Server 2012 Standard or Datacenter
Windows Server 2008 R2 Datacenter with SP1 | Windows Server 2012 Datacenter
Windows Web Server 2008 R2 | Windows Server 2012 Standard

Once the upgrade is completed and every DC is on the new version, you need to raise the forest and domain functional levels manually; upgrading the operating system does not change them.

Before an in-place upgrade it is important to consider the following points:

1)    Hardware requirements: make sure the current hardware supports the new operating system, and verify the free disk space on the server. It is recommended to have at least 20% free space on the partition that holds the Active Directory database.
2)    Application compatibility: sometimes the DC also runs other applications for the company (even though that is not recommended). Before the upgrade, make sure they are compatible with the new operating system and with the server remaining a DC.
3)    Downtime: the domain services on this server are down for the whole upgrade, so plan for it, and take a system state backup of the DC before you start.
4)    Permissions: you must have Domain Admin or Enterprise Admin rights to proceed. Because the existing DC is upgraded in place, Windows Server 2012 setup also requires that the schema has already been extended with adprep /forestprep (Schema Admins and Enterprise Admins) and adprep /domainprep (Domain Admins) from the Windows Server 2012 media; unlike promoting a fresh 2012 DC, an in-place upgrade does not run adprep for you.

Known issues: see https://technet.microsoft.com/en-us/library/hh994618 for the known issues with the in-place upgrade method.
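A pre-flight script for the points above, as an added example that is not part of the original post. It runs on the Windows Server 2008 / 2008 R2 DC before setup is started and checks the OS architecture, free space on the volume holding ntds.dit, and whether adprep has already extended the schema. It uses only WMI and ADSI so it works on the PowerShell 2.0 those versions ship with; the 20% threshold and the schema version numbers are assumptions stated in the comments.

```powershell
# Added example, not part of the original post: pre-flight checks to run on the
# Windows Server 2008 / 2008 R2 DC before starting Windows Server 2012 setup.
# Uses WMI and ADSI only, so it works on the PowerShell 2.0 that ships with those
# versions. The 20% free-space threshold is the one the post recommends.

# 1. Source OS must be 64-bit; 32-bit editions have no in-place path to 2012.
$os = Get-WmiObject -Class Win32_OperatingSystem
"{0} ({1}), build {2}" -f $os.Caption, $os.OSArchitecture, $os.BuildNumber
if ($os.OSArchitecture -ne '64-bit') {
    throw "In-place upgrade to Windows Server 2012 needs a 64-bit source OS; use the swing-server method"
}

# 2. Free space on the volume that holds ntds.dit. The path comes from the
#    NTDS service parameters, so it is correct even if the database was relocated.
$ntdsParams = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath     = $ntdsParams.'DSA Database file'
$driveId    = Split-Path -Path $dbPath -Qualifier          # e.g. "C:"
$volume     = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$driveId'"
$freePct    = [math]::Round(100 * $volume.FreeSpace / $volume.Size, 1)
"AD database: $dbPath ($freePct% free on $driveId)"
if ($freePct -lt 20) {
    Write-Warning "Less than 20% free on $driveId; free up space before upgrading"
}

# 3. Has adprep already extended the schema? In-place setup requires it.
#    Schema objectVersion: 44 = 2008, 47 = 2008 R2, 56 = 2012, 69 = 2012 R2.
$rootDse       = [ADSI]'LDAP://RootDSE'
$schemaNC      = $rootDse.schemaNamingContext.Value
$schemaVersion = [int]([ADSI]"LDAP://$schemaNC").objectVersion.Value
"Schema objectVersion: $schemaVersion"
if ($schemaVersion -lt 56) {
    Write-Warning "Run adprep /forestprep and adprep /domainprep from the Windows Server 2012 media first"
}
```

Run it in an elevated PowerShell on the DC itself; the registry and WMI queries are local, and the ADSI lookup goes to the DC the machine is logged on to.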

This is the end of the post and if you have any questions feel free to contact me on rebeladm@live.com

Image source: http://blogs.microsoft.com/wp-content/uploads/2012/08/8867.Microsoft_5F00_Logo_2D00_for_2D00_screen.jpg

Step-by-Step Guide to migrate FSMO roles from windows 2003 server to windows 2012 R2 server

Even though it has been over a decade since Windows Server 2003 was released, it is no wonder that organizations are still using Windows Server 2003 / Windows Server 2003 R2 as their domain controllers. Microsoft has announced that support for Windows Server 2003 / Windows Server 2003 R2 ends on 14 July 2015 (http://support2.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Microsoft+Windows+Server+2003&Filter=FilterNO). So the time has come to plan upgrades if you are still running those versions in your infrastructure.

This guide explains how to transfer the DC FSMO roles from Windows Server 2003 to Windows Server 2012 R2, which is the latest version. The FSMO (Flexible Single Master Operation) roles are the directory operations that only one DC in the forest or domain may perform at a time, and all five must be held by a working DC for the domain to function properly. The five FSMO roles are:

•    Schema master
•    Domain naming master
•    RID master
•    PDC emulator
•    Infrastructure master

You can find more information about these roles at http://support.microsoft.com/kb/197132

For the demonstration I am using the following setup:

Server name | Operating system | Server roles
canitpro-dc2k3.canitpro.local | Windows Server 2003 SP2 x86 | Active Directory FSMO roles, DNS
CANITPRO-DC2K12.canitpro.local | Windows Server 2012 R2 x64 | Additional domain controller, DNS

So here I have already added the Windows Server 2012 R2 server to the domain and made it an additional domain controller. It currently does not hold any FSMO roles. My plan is to migrate all the FSMO roles to the Windows Server 2012 R2 server.

Note: previously, when adding a Windows Server 2008 DC to a Windows Server 2003 environment, we first had to prepare the forest and domain by running adprep /forestprep and adprep /domainprep from the \support\adprep folder of the Windows Server 2008 media. With Windows Server 2012 you do not need to worry about that when adding a 2012 R2 server as an additional domain controller: the Active Directory Domain Services Configuration Wizard (or Install-ADDSDomainController) runs adprep automatically against the existing Windows Server 2003 schema master, provided you run it as a member of Schema Admins and Enterprise Admins and the forest functional level is at least Windows Server 2003.

Transfer RID master, PDC emulator and Infrastructure master roles

As the first step let's look at how to transfer these three domain-wide roles to the new server.

•    Log in to the Windows Server 2012 R2 server as a domain administrator.
•    Click Server Manager > Tools > Active Directory Users and Computers.
•    In the MMC, right-click the domain name and click "Operations Masters".
•    The next window shows the three domain FSMO roles, with the "PDC" tab selected by default and the current PDC emulator holder listed. Below it is the server the role would be transferred to, which is the new Windows Server 2012 R2 DC (the dialog transfers to the DC the console is connected to, so check that it shows the right server). Click "Change".
•    Click Yes on the confirmation prompt.
•    Once the operation is reported as completed, the window shows the new Windows Server 2012 R2 server as the current PDC role holder.
•    Repeat the same steps on the "RID" and "Infrastructure" tabs to transfer the RID master and Infrastructure master roles.

Transfer Domain naming master role

•    Log in to the Windows Server 2012 R2 server as a domain administrator (transferring this forest-wide role requires Enterprise Admins).
•    Click Server Manager > Tools > Active Directory Domains and Trusts.
•    In the MMC, right-click "Active Directory Domains and Trusts" and click "Operations Master".
•    The window shows the current domain naming master (canitpro-dc2k3.canitpro.local) and the Windows Server 2012 R2 server (CANITPRO-DC2K12.canitpro.local) it will be transferred to. Click "Change" to move the role over.
•    Click Yes on the confirmation prompt.
•    Once the task completes, the current domain naming master is the Windows Server 2012 R2 server (CANITPRO-DC2K12.canitpro.local).

Transfer Schema master role

•    Log in to the Windows Server 2012 R2 server as a domain administrator (the account must also be a member of Schema Admins).
•    Open the "Run" window (Windows key + R), type regsvr32 schmmgmt.dll and press Enter. This registers the Active Directory Schema snap-in, which is not registered by default.
•    Click OK on the confirmation message.
•    Open "Run" again, type mmc and click OK.
•    In the MMC window click File > Add/Remove Snap-in.
•    Select "Active Directory Schema", click "Add", then click OK to continue.
•    Right-click "Active Directory Schema" and click "Change Active Directory Domain Controller".
•    In the next window select the Windows Server 2012 R2 DC (CANITPRO-DC2K12.canitpro.local) and click OK. The snap-in must be connected to the DC that is to receive the role, because that is the server it transfers to.
•    Click OK on the informational message.
•    Right-click "Active Directory Schema" again and click "Operations Master".
•    The window shows the current schema master (canitpro-dc2k3.canitpro.local) and the Windows Server 2012 R2 server (CANITPRO-DC2K12.canitpro.local) it will be transferred to. Click "Change" to move the role over.
•    Click Yes on the confirmation prompt.
•    Once the task completes, the current schema master is the Windows Server 2012 R2 server (CANITPRO-DC2K12.canitpro.local).

Now we have successfully moved all five FSMO roles to the new Windows Server 2012 R2 server. To confirm, open a command prompt on the new server, type netdom query fsmo and press Enter.

Yipeeee!!! It shows all five FSMO roles as moved successfully.
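The same five transfers from PowerShell instead of the three MMC consoles, as an added example that is not part of the original post. It uses the server names from the table above and assumes the ActiveDirectory module on the 2012 R2 DC and an account in Domain Admins, Enterprise Admins and Schema Admins.

```powershell
# Added example, not part of the original post: moves all five FSMO roles with
# PowerShell instead of the three MMC consoles, then verifies. Run on the 2012 R2
# DC as an account in Domain Admins, Enterprise Admins and Schema Admins.
# Server names are the ones used in the post.
Import-Module ActiveDirectory

$newDc = 'CANITPRO-DC2K12'

# Current holders: the two forest-wide roles live on the forest object,
# the three domain-wide roles on the domain object.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# Transfer: the 2003 holder must be online, because it hands the roles over gracefully.
Move-ADDirectoryServerOperationMasterRole -Identity $newDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Only if the old DC is permanently dead: add -Force to seize instead of transfer.
# Never bring a seized holder back online afterwards; remove it with metadata cleanup.
# Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole 0,1,2,3,4 -Force -Confirm:$false

# Verify from AD, and with the tool the post uses.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
netdom query fsmo
```

The cmdlet accepts role names or their numbers 0 to 4 (PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster); the seize line is commented out on purpose, since seizing while the old holder is still reachable leaves two DCs believing they own the role.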

Allow time for the role transfer and the rest of the directory to replicate to every DC before going further (repadmin /showrepl on the new server shows whether replication is succeeding); after that it is safe to demote the DC role on the Windows Server 2003 server. Because both servers run DNS, repoint clients and servers that use the old DC as their DNS server to the new one first.
Once the 2003 DC is demoted, make sure you raise the forest and domain functional levels to Windows Server 2012 R2 to get the new features.
If you have any questions regarding the post feel free to contact me on rebeladm@live.com