Archive for the ‘Windows Server 2012’ Category.

Active Directory Backup and Disaster Recovery Procedures

The link below provides a very good step-by-step guide to AD disaster recovery for 2003/2008 R2/2012.
http://www.edeconsulting.be/activedirectorypublications.asp

Prepare the AD Schema Update for Windows Server 2012

Before a schema update to Windows Server 2012, there are a number of points you can check.

First, see the link below for general AD information.
http://blogs.technet.com/b/ashleymcglone/archive/2012/01/03/everything-you-need-to-get-started-with-active-directory.aspx

Next, perform an AD health check as follows.

Check the event log on all DCs for warnings and errors, and assess each one individually.

Then run the Best Practices Analyzer (AD DS BPA) against the existing AD environment.
http://technet.microsoft.com/en-us/library/dd391875(v=ws.10).aspx

Run general AD diagnostics with DCDIAG. This will also reveal problems with AD replication.

This can be done with the command below, which checks all the DCs.
DCDIAG /V /C /D /E /s:WIN-DC-01 > c:\dcdiag.log

When you look through the log file, you will see 4 errors with "The RPC server is unavailable".
According to the MS article below, these can be ignored.

DCDIAG.EXE /E or /A or /C expected errors
http://support.microsoft.com/kb/2512643
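
A way to triage c:\dcdiag.log before the schema update, as an added example that is not part of the original post: the hypothetical function Get-DcdiagSummary lists every failed test per target and counts "The RPC server is unavailable" lines separately, so they can be compared with KB 2512643 instead of being ignored blindly. The sample lines and server names are constructed; PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original post): summarize a DCDIAG log.
# Get-DcdiagSummary is a hypothetical helper; requires PowerShell 3.0+.
function Get-DcdiagSummary {
    param([string[]]$Lines)

    # DCDIAG closes every test with a summary line of the form
    #   "......................... <target> passed|failed test <TestName>"
    $pattern = '^\s*\.{5,}\s+(?<Target>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)'

    $results = @(foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Target = $Matches['Target']
                Test   = $Matches['Test']
                Result = $Matches['Result'].ToLower()
            }
        }
    })

    # Counted separately: these are the lines to hold up against KB 2512643.
    $rpc = @($Lines | Where-Object { $_ -match 'The RPC server is unavailable' })

    [pscustomobject]@{
        Passed              = @($results | Where-Object { $_.Result -eq 'passed' }).Count
        Failed              = @($results | Where-Object { $_.Result -eq 'failed' })
        RpcUnavailableLines = $rpc.Count
    }
}

# Constructed sample in DCDIAG's summary format (server names are made up).
$sample = @(
    '      Starting test: Connectivity'
    '         ......................... WIN-DC-01 passed test Connectivity'
    '      Starting test: Replications'
    '         ......................... WIN-DC-02 failed test Replications'
    '         The RPC server is unavailable.'
    ''
    '         ......................... win.local passed test LocatorCheck'
)

$summary = Get-DcdiagSummary -Lines $sample
# For a real run: Get-DcdiagSummary -Lines (Get-Content c:\dcdiag.log)
$summary.Failed | Format-Table Target, Test -AutoSize
"Passed: $($summary.Passed)  RPC-unavailable lines: $($summary.RpcUnavailableLines)"
```

Any entry in Failed that is not explained by the KB article should be resolved before running Adprep.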

To check AD replication you can also use the GUI tool Active Directory Replication Status Tool.
http://www.microsoft.com/en-us/download/details.aspx?id=30005

If you have forgotten the DSRM Administrator password, now is the time to reset it. See the link below for how to do this.
How To Reset the Directory Services Restore Mode Administrator Account Password in Windows Server 2003
http://support.microsoft.com/kb/322672

Finish by taking a valid system state backup of your Domain Controllers. This can be done with the command below.
wbadmin start systemstatebackup -backuptarget:\\ServerName\SharedFolder -quiet

Check in the command window and the event log that the backup completed successfully. Then test the backup in a test environment.

For more information on System State Backup, see these links.
Wbadmin start systemstatebackup
http://technet.microsoft.com/en-us/library/998366c1-0a64-45e6-9ed3-4c3f5b8406f0

Error message when you try to perform a system state backup in Windows Server 2008 and Windows Server 2008 R2
http://support.microsoft.com/kb/944530

If something should go wrong during the schema update, which I have never experienced, you can prepare beforehand for a forest recovery, as described here.
Windows Server 2008: Planning for Active Directory Forest Recovery
http://www.microsoft.com/en-us/download/details.aspx?id=16506

Active Directory Forest Recovery
http://social.technet.microsoft.com/wiki/contents/articles/7668.active-directory-forest-recovery-en-us.aspx

You are now ready for the schema update, which can be performed with Adprep as before (x64 only, however) or with the new Active Directory Domain Services Configuration Wizard.

Schema update via Adprep (two-step update): see the information below. It still requires an account with Enterprise/Schema Admin rights.

From the extracted ISO or media, run the commands below from the path <Media Drive:>\support\adprep\adprep.exe. This is the method I used in my test environment.

adprep.exe /forestprep
adprep.exe /domainprep

adprep.exe /domainprep /gpprep (If you have previously run this command in connection with a schema update from 2003 to e.g. 2008/2008 R2, it should not be run again)

Adprep "not a valid Win32 application" error on Windows Server 2003, 64-bit version
http://support.microsoft.com/kb/2743367

Quote:
Adprep.exe integration

Beginning with Windows Server 2012, there is only one version of Adprep.exe (there is no 32-bit version, adprep32.exe). Adprep commands are run automatically as needed when you install a domain controller that runs Windows Server 2012 to an existing Active Directory domain or forest.

Although adprep operations are run automatically, you can run Adprep.exe separately. For example, if the user who installs AD DS is not a member of the Enterprise Admins group, which is required in order to run Adprep /forestprep, then you might need to run the command separately. But, you only have to run adprep.exe if you are planning to in-place upgrade your first Windows Server 2012 domain controller (in other words, you plan to in-place upgrade the operating system of a domain controller that runs Windows Server 2012).

Adprep.exe is located in the \support\adprep folder of the Windows Server 2012 installation disc. The Windows Server 2012 version of adprep is capable of executing remotely.

The Windows Server 2012 version of adprep.exe can run on any server that runs a 64-bit version of Windows Server 2008 or later. The server needs network connectivity to the schema master for the forest and the infrastructure master of the domain where you want to add a domain controller. If either of those roles is hosted on a server that runs Windows Server 2003, then adprep must be run remotely. The server where you run adprep does not need to be a domain controller. It can be domain joined or in a workgroup.

Schema update via GUI (Active Directory Domain Services Configuration Wizard). Here you are prompted for an account with Enterprise/Schema Admin rights.

Upgrade your Active Directory from 2008 to Windows Server 2012
http://autodiscover.wordpress.com/2012/09/06/upgrade-your-active-directory-from-2008-to-windows-server-2012-microsoft-winserv2012/

Introducing the first Windows Server 2012 Domain Controller (Part 1 of 2)
http://blogs.technet.com/b/askpfeplat/archive/2012/09/03/introducing-the-first-windows-server-2012-domain-controller.aspx

Introducing the first Windows Server 2012 Domain Controller (Part 2 of 2)
http://blogs.technet.com/b/askpfeplat/archive/2012/09/06/introducing-the-first-windows-server-2012-domain-controller-part-2-of-2.aspx

Upgrading an Active Directory Domain from Windows Server 2008 or Windows Server 2008 R2 to Windows Server 2012
http://msmvps.com/blogs/mweber/archive/2012/07/27/upgrading-an-active-directory-domain-from-windows-server-2008-or-windows-server-2008-r2-to-windows-server-2012.aspx

After the schema update you can check the new version (56) with the command below.
dsquery * cn=schema,cn=configuration,dc=win,dc=local -scope base -attr objectVersion

This is also documented in the MS article below.
How to find the current Schema Version
http://support.microsoft.com/kb/556086

If you see event ID 1153 after the schema update to Windows Server 2012, it can be ignored according to the MS article below.
Error message when you run the ForestPrep, PrepareSchema, or PrepareAD command in Exchange Server: "Invalid Superclass. Inheritance Ignored"
http://support.microsoft.com/default.aspx?id=268329

It can all be rounded off by moving the FSMO roles and the Windows Time service over to the new 2012 Domain Controller.

Further references for the above:

What’s New in Active Directory Domain Services Installation and Removal
http://technet.microsoft.com/en-us/library/hh472161.aspx

How to view and transfer FSMO roles in Windows Server 2003 (Also applies to 2008 R2 and Server 2012)
http://support.microsoft.com/kb/324801

How to configure an authoritative time server in Windows Server (Also applies to Server 2012)
http://support.microsoft.com/kb/816042

On the server that holds the PDC Emulator role, run the commands below from an admin prompt to designate it as the new time server.

w32tm /config /manualpeerlist:"0.dk.pool.ntp.org 1.dk.pool.ntp.org 2.dk.pool.ntp.org" /syncfromflags:manual /reliable:yes /update
w32tm /resync /nowait /rediscover
net stop w32time
net start w32time

On the old PDC Emulator, likewise run the commands below to demote it as time server.

w32tm /config /syncfromflags:domhier /reliable:no /update
net stop w32time
net start w32time

Check the event log (event ID 143) on the new PDC Emulator to confirm that it regards itself as time server for the updated AD forest.

If the other Domain Controllers or domain servers have trouble getting the time from the new time server, run the commands below.

w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover
net stop w32time
net start w32time

What’s new in Active Directory Domain Services in Windows Server 2012

This link gives very good information about all the new features in AD DS 2012. Remember to also look at the Further reading section.
Whitepaper: What’s New in Active Directory Domain Services in Windows Server 2012
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/10/29/whitepaper-what-s-new-in-active-directory-domain-services-in-windows-server-2012.aspx