Showing posts with label Active Directory. Show all posts

Tuesday, May 12, 2009

Checklists when promoting a Windows Domain Controller

Here are some of the things you must configure when promoting a domain controller in a forest with a multi-site, multi-domain topology.

If this is a new Domain Controller at a new site:

a. At Active Directory Sites and Services, create a new site. 

b. Create a new subnet and link it to the newly created site. 

c. Configure the IP site link for Active Directory replication. 

· Promote the Windows Server to become a Domain Controller.

· Configure the Domain Controller as a DNS server with Active Directory Integrated zones (DomainDnsZones).

· Configure the Domain Controller as a Global Catalog server.

· Configure DNS Forwarders.

· Configure the Domain Controller as an authoritative name server for the domain.

· Enable Strict Replication Consistency. (details below)

· Disable the Windows Scalable Networking Pack components. (details below)

· Change the Windows Time Service MaxNegPhaseCorrection and MaxPosPhaseCorrection values to 48 hours. (details below)

How to disable Windows Scalable Networking Pack Components

Description
Scalable Networking Pack (SNP) is enabled by default as part of installing Windows Server 2003 Service Pack 2. SNP can be used, under specific circumstances, to improve network performance. Most environments, however, do not have SNP-capable network adapters/drivers. This can result in unexpected network problems, which is why it is recommended to disable SNP unless a server can benefit from it. For domain controllers, it is recommended to disable this feature.

Resolution
To disable SNP, set the following registry values under this key:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: EnableTCPChimney
Value: EnableRSS
Value: EnableTCPA
Data: 0 or 1
Each component can be individually enabled or disabled. Set the value to "0" to disable it.

Windows Time Service time correction setting

Description
The Windows Time service in Windows 2000 and 2003 by default allows a positive or negative time correction of any amount on domain controllers. This can cause serious problems in a forest should a dramatic time shift occur. This can even happen when synchronizing with other authoritative sources, as hardware problems, software problems or human error can cause them to provide the wrong time. Some of the problems that can result from a dramatic time change are: Windows Server 2003 based domain controllers may be quarantined, deleted objects may be purged before the deletion has fully replicated end-to-end (causing lingering objects), user and computer passwords may expire unexpectedly, and trust passwords may become out of sync.

Resolution
Modify the default data of the following registry values.
The registry key(s) differ depending on the operating system version.
Windows 2003/2008
Path: HKLM\System\CurrentControlSet\Services\W32Time\Config
Value: MaxNegPhaseCorrection
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: there is an accompanying MaxPosPhaseCorrection value to control positive time changes.)
Windows 2000
Path: HKLM\System\CurrentControlSet\Services\W32Time\Parameters
Value: MaxAllowedClockErrInSecs
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: Windows 2000 has a single value to control both positive and negative time changes.)
Change them to a positive/negative limit of 48 hours (0x2A300, i.e. 172,800 seconds).

Monday, May 4, 2009

Invalid FSMO Role Owner for Application Partition

Description:
When running the ADRAP tool you see the following warning/error:
The following application partition contains an invalid FSMO role owner:
Partition: cn=infrastructure,dc=forestdnszones,dc=corp,dc=com
FSMO:CN=NTDS Settings\0ADEL:97d…,CN=Server01\0ADEL:67…,CN=Servers,CN=SITEA,CN=Sites,CN=Configuration,DC=corp,DC=com

Resolution:
Use adsiedit.msc to reset the fSMORoleOwner attribute on the infrastructure master of your root domain. Use the value of the Distinguished Name (DN) attribute of the corresponding application partition as the new value. You may need to use an account that has Enterprise Admin permissions.
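As an added example (not part of the original post), the following PowerShell lists every application partition in the forest and reports whether the fSMORoleOwner on its Infrastructure container still resolves to a live NTDS Settings object, so the stale "\0ADEL:" owners shown above can be found before ADRAP does. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and a DC that hosts the partitions, passed as -Server; it only reads and changes nothing.

```powershell
# Added example, not the original post's procedure: read-only check of the
# fSMORoleOwner attribute on each application partition's Infrastructure container.
Import-Module ActiveDirectory

function Test-AppPartitionFsmoOwner {
    # $Server must be a DC that hosts the application partitions (a DNS-running DC)
    param([Parameter(Mandatory = $true)][string]$Server)

    $forest = Get-ADForest -Server $Server
    foreach ($nc in $forest.ApplicationPartitions) {
        $infra = Get-ADObject -Identity "CN=Infrastructure,$nc" -Server $Server -Properties fSMORoleOwner
        $owner = [string]$infra.fSMORoleOwner

        # Does the NTDS Settings object the attribute points at still exist?
        # Tombstoned objects are not returned without -IncludeDeletedObjects, so the
        # "\0ADEL:" DN left behind by a removed DC fails this lookup.
        $exists = $false
        try {
            $null = Get-ADObject -Identity $owner -Server $Server -ErrorAction Stop
            $exists = $true
        } catch {
            $exists = $false
        }

        [pscustomobject]@{
            Partition   = $nc
            Owner       = $owner
            OwnerExists = $exists
            NeedsFix    = (-not $exists) -or ($owner -like '*0ADEL:*')
        }
    }
}

# dc01.corp.com is a placeholder for one of your own DCs.
# Test-AppPartitionFsmoOwner -Server dc01.corp.com | Format-Table -AutoSize
```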

Monday, April 27, 2009

Group Policy for safe sender lists in Outlook 2007 does not work

Description:
You have set the Outlook 2007 safe sender list through a GPO, but it isn't being applied to users. You have checked that the GPO was applied successfully.

Resolution:
Change the safe sender list path to
\\servername\sharefolder\filename. The %logonserver%\sharefolder syntax cannot be used.

Proxy Exception at Internet Explorer does not work

Description:
You have set a proxy exception for IE through Group Policy (GPO). For some reason the setting won't apply to the user's computer. You verified that the GPO has the right setting and has no conflict with other GPOs. You also confirmed that the GPO was applied to the user's computer, but the computer's registry contains different data.

Resolution:
Check the content of the exception list. Make sure there is no invalid character or value. If an http address in the Proxy Exception list contains more than two "/" characters, the IE Branding extension will not accept the setting. Remove the extra "/" characters from the http address in the proxy exception list.

Monday, April 6, 2009

Missing PTR Record in DNS

Description
You create a PTR record on your Active Directory Integrated DNS server. After a while the PTR record suddenly goes missing. Your Active Directory and your DNS server are otherwise working fine, and replication between domain controllers is also working normally.

Resolution
Make sure the "Register this connection's addresses in DNS" checkbox is enabled on the host; the server will then automatically register its PTR record with the DNS server.

Wednesday, March 18, 2009

Enable Strict Replication Consistency

Description
Suppose a domain controller is disconnected from the replication topology for an extended period and is later reconnected. You need to make sure that no outdated Active Directory objects can be replicated within the forest.

Resolution
Use regedit and go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Create a value named Strict Replication Consistency with the REG_DWORD data type and set it to 1.

This setting ensures that no outdated objects are reintroduced into Active Directory Domain Services (AD DS).
You need to set it on all of the domain controllers within the forest.
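As an added example (not from any of the original posts), the following PowerShell audits a DC against the registry settings named in the promotion checklist and in the SNP, Windows Time and Strict Replication Consistency posts, and reports which ones match. It assumes Windows PowerShell in an elevated session on a Windows Server 2008 or later DC; it is read-only.

```powershell
# Added example, not from the original posts: read-only compliance check of the
# registry settings the checklist calls for. Assumes Windows PowerShell on the DC.

$Checks = @(
    # Scalable Networking Pack offloads: 0 = disabled (the recommended state on a DC)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'EnableTCPChimney'; Expected = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'EnableRSS';        Expected = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'EnableTCPA';       Expected = 0 }
    # Windows Time: cap any single correction at 48 hours = 0x2A300 = 172,800 seconds
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'; Name = 'MaxNegPhaseCorrection'; Expected = 172800 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'; Name = 'MaxPosPhaseCorrection'; Expected = 172800 }
    # Strict Replication Consistency: 1 = refuse replication from a source with lingering objects
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Name = 'Strict Replication Consistency'; Expected = 1 }
)

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }               # key or value does not exist
    # Windows PowerShell surfaces REG_DWORD as Int32, so the W32Time default
    # 0xFFFFFFFF reads back as -1; mask it to recover the unsigned value.
    return ([int64]$item.$Name) -band 0xFFFFFFFF
}

function Test-DcBaseline {
    foreach ($c in $Checks) {
        $actual = Get-RegDword -Path $c.Path -Name $c.Name
        $shown  = if ($null -eq $actual) { '(not set: OS default applies)' } else { $actual }
        [pscustomobject]@{
            Setting   = $c.Name
            Expected  = $c.Expected
            Actual    = $shown
            Compliant = ($null -ne $actual -and $actual -eq $c.Expected)
        }
    }
}

Test-DcBaseline | Format-Table -AutoSize
```

A missing Tcpip value means the OS default applies; on Windows Server 2008 and later the live chimney/RSS state can be cross-checked with netsh interface tcp show global.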

Tuesday, February 3, 2009

AD Modify

If you ever need to change an attribute for a lot of users in Active Directory, you might want to use the ADModify.NET tool. It is available for free.

The following is an example filter for querying any user that has an empty mobile phone number field in Active Directory.

(&(objectCategory=person)(objectClass=user)(!(mobile=*)))
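As an added example (not part of the original post), the same query done with the ActiveDirectory module: export the users matched by the filter above to a CSV for review, then apply the filled-in values in bulk with a -WhatIf preview first. It assumes RSAT / Windows Server 2008 R2 or later; the CSV path is a placeholder.

```powershell
# Added example, not the original post's tool: bulk attribute change driven by the
# ADModify filter above, with a review step and a dry run before anything is written.
Import-Module ActiveDirectory

$Filter = '(&(objectCategory=person)(objectClass=user)(!(mobile=*)))'

# Step 1: export every user with an empty mobile attribute for review.
function Export-UsersWithoutMobile {
    param([string]$Path = '.\users-no-mobile.csv')   # assumed output path
    Get-ADUser -LDAPFilter $Filter -Properties mobile |
        Select-Object SamAccountName, DistinguishedName, @{ n = 'mobile'; e = { '' } } |
        Export-Csv -Path $Path -NoTypeInformation
}

# Step 2: read the edited CSV back and set mobile on each listed user.
# SupportsShouldProcess makes -WhatIf work, so preview first, then apply.
function Set-MobileFromCsv {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = '.\users-no-mobile.csv')
    foreach ($row in Import-Csv -Path $Path) {
        if ([string]::IsNullOrWhiteSpace($row.mobile)) { continue }   # row left blank: skip
        if ($PSCmdlet.ShouldProcess($row.DistinguishedName, "set mobile=$($row.mobile)")) {
            Set-ADUser -Identity $row.DistinguishedName -Replace @{ mobile = $row.mobile }
        }
    }
}

# Export-UsersWithoutMobile
# Set-MobileFromCsv -WhatIf      # preview; drop -WhatIf to apply the changes
```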

Sunday, May 11, 2008

How to Install Active Directory Using Restored Backup Media

By installing Active Directory from restored backup media, you can reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain. Reducing the replication traffic reduces the time necessary to install the additional domain controller. The procedures in this task are particularly useful for installing domain controllers in remote sites.

To install Active Directory from restored backup media:
1. Click Start, click Run, type dcpromo /adv, and then press ENTER.
2. In the Active Directory Installation Wizard, select Additional domain controller for existing domain.
3. Select From these restored backup files, and point to the same location where you restored the system state data.
4. If the domain controller whose system state backup you are using is a global catalog server, the Active Directory Installation Wizard asks you whether you want this server to also be a global catalog server.
5. Give appropriate credentials for the operation.
6. Enter the domain of the new domain controller. This domain must be the domain of the domain controller whose system state backup you are using.
7. Complete the remaining pages of the Active Directory Installation Wizard.

Dcpromo.exe will install Active Directory using the data present in the restored files, which eliminates the need to replicate every object from a partner domain controller. However, objects that were modified, added, or deleted since the backup was taken must be replicated. If the backup was recent, the amount of replication required will be considerably less than that required for a regular Active Directory installation.

Saturday, May 10, 2008

DsRemoveDsDomainW error 0x2015 when removing metadata from Active Directory

From Microsoft KB887424
Description
When you use the Ntdsutil command-line tool to try to remove metadata for a domain controller that was removed from your network, you may receive the following error message:
DsRemoveDsDomainW error 0x2015 (The directory service can perform the requested operation only on a leaf object).


Resolution
To resolve this issue, follow these steps:
1. Click Start, click Run, type ntdsutil, and then press ENTER.
2. At the Ntdsutil command prompt, type domain management, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server Domain_Controller_Name, and then press ENTER.
5. After the following message appears, type quit, and then press ENTER:
Connected to Domain_Controller_Name using credentials of locally logged on user
6. At the domain management prompt, type list, and then press ENTER.
7. Note the following entry:
DC=DomainDnsZones,DC=Child_Domain,DC=extension
For example, if the child domain is Contoso.com, note the following entry:
DC=DomainDnsZones,DC=contoso,DC=com
8. Type the following command, and then press ENTER.
delete nc dc=domaindnszones,dc=Child_Domain,dc=extension
Note: In this command, Child_Domain represents the name of the child domain that you want to remove. For example, if the child domain is Contoso.com, type the following command, and then press ENTER:
delete nc dc=domaindnszones,dc=contoso,dc=com
9. Quit Ntdsutil.

How to remove an orphaned domain from Active Directory

Description:
For some reason you have had to force-demote one of your child domains.
You have followed Microsoft KB216498 "How to remove data in Active Directory after an unsuccessful domain controller demotion". You have removed the CNAME record in the _msdcs.rootdomain forest zone in DNS. There are also no A records or Name Server records for it in DNS. You have also deleted the server name from AD Sites & Services.
However, when users log on, they can still see that child domain in the "Log on to" field. You want it to disappear from there.

Resolution:
Removing Orphaned Domains from Active Directory (Microsoft KB230306)

1. Determine the domain controller that holds the Domain Naming Master Flexible Single Master Operations (FSMO) role. To identify the server holding this role:

  • Start the Active Directory Domains and Trusts Microsoft Management Console (MMC) snap-in from the Administrative Tools menu.
  • Right-click the root node in the left pane titled Active Directory Domains and Trusts, and then click Operations Master.
  • The domain controller that currently holds this role is identified in the Current Operations Master frame.
  NOTE: If this changed recently, not all computers may have received this change yet due to replication.
2. Verify that all servers for the domain have been demoted.
3. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
4. At the command prompt, type: ntdsutil.
5. Type: metadata cleanup, and then press ENTER.
6. Type: connections, and then press ENTER. This menu is used to connect to the specific server on which the changes will occur. If the currently logged-on user is not a member of the Enterprise Admins group, alternate credentials can be supplied by specifying the credentials to use before making the connection. To do so, type: set creds domainname username password, and then press ENTER. For a null password, type: null for the password parameter.
7. Type: connect to server servername (where servername is the name of the domain controller holding the Domain Naming Master FSMO Role), and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and that the credentials you supplied have administrative permissions on the server.
8. Type: quit, and then press ENTER. The Metadata Cleanup menu is displayed.
9. Type: select operation target, and then press ENTER.
10. Type: list domains, and then press ENTER. A list of domains in the forest is displayed, each with an associated number.
11. Type: select domain number, and then press ENTER, where number is the number associated with the domain to be removed.
12. Type: quit, and then press ENTER. The Metadata Cleanup menu is displayed.
13. Type: remove selected domain, and then press ENTER. You should receive confirmation that the removal was successful. If an error occurs, please refer to the Microsoft Knowledge Base for articles on specific error messages.
14. Type: quit at each menu to quit the NTDSUTIL tool. You should receive confirmation that the connection disconnected successfully.

Sunday, February 17, 2008

Active Directory in Windows Server 2008 – What’s new?

• Active Directory roles in Windows Server 2008
  • Active Directory Domain Services (ADDS) – this is like the current AD
  • Active Directory Certificate Services (ADCS)
  • Active Directory Federation Services (ADFS) – for access between two different organizations
  • Active Directory Lightweight Directory Services (ADLDS) – this is like ADAM in Windows 2003
  • Active Directory Rights Management Services (ADRMS)
  • Active Directory Read Only Domain Controller (ADRODC) – a truly new feature
• ADLDS holds customized AD attributes, is mainly used for applications in a DMZ, and is read-only too. There is no authentication and it doesn't support Exchange.
• ADRMS – for intranet, website, email, and documents
• An RODC implementation requires at least Windows Server 2003 forest functional level and one Windows Server 2008 DC
• By default an RODC doesn't keep passwords. A password replication policy must be set up. The PDC emulator in the domain must run on Windows Server 2008.
• A local administrator can be set on an RODC without giving that account access to Active Directory.
• Improved auditing in AD
  • Directory Service Access (current)
  • Directory Service Changes
  • Directory Service Replication
  • Detailed Directory Service Replication
Auditing is not set up by default. When it's enabled, it can track AD object creation, deletion, modification, or movement.

How to audit Active Directory account management in Windows 2003?

The following was taken from a conversation on the Microsoft Managed Newsgroup.

By default, Windows Server 2003 ships with the following audit policies:
> Audit account logon event
> Audit account management
> Audit directory service access
> Audit logon events
> Audit object access
> Audit policy change
> Audit privilege use
> Audit process tracking
> Audit system events

To audit add/delete events, you may open the Default Domain Controller Policy, locate Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy, and enable "Audit account management" for Success.

After that, when a new user is created on a domain controller, the following event will be logged:

Event ID: 624
Type: Success Audit
Description: User Account Created:
New Account Name: %1 New Domain: %2
New Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Privileges %7

When an existing user is deleted on the domain controller, the following event will be logged:
Event ID: 630
Type: Success Audit
Description: User Account Deleted:
Target Account Name: %1 Target Domain: %2
Target Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Privileges %7

We can monitor events 633 and 632, which record security-enabled global group membership removed/added.

E.g. you, domain\administrator1, have removed/added user1 from/to group1.
The following events will be recorded.

Event ID: 633 (logged when you remove a user from a security group)
Type: Success Audit
Description: Security Enabled Global Group Member Removed:
Member Name: CN=user1,CN=Users,DC=domain,DC=com.
Member ID: domain\user1
Target Account Name: domain\administrator
Target Domain: Domain
Target Account ID: domain\group1
Caller User Name: administrator1
Caller Domain: domain

Event ID: 632 (logged when you add a user to a security group)
Type: Success Audit
Description: Security Enabled Global Group Member Added:
Member Name: CN=user1,CN=Users,DC=domain,DC=com.
Member ID: domain\user1
Target Account Name: domain\administrator
Target Domain: Domain
Target Account ID: domain\group1
Caller User Name: administrator1
Caller Domain: domain

We can audit who, at what time, modifies which attribute of the user. But we cannot see what the
workstation or the application is. To audit property change issues, follow the steps below:

1. Enable auditing of Directory Service Access for Success in the Default Domain Controller Policy.
2. Go to the Security tab of the user account you want to audit and enable auditing of WRITE ATTRIBUTES for Everyone.

We will get the 566 event when anyone changes any attribute, like:

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 07/06/2007
Time: 11:14:56
User: ALPINESKIHOUSE\t1
Computer: ASH-DC1
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: user
Object Name: CN=t6,CN=Users,DC=alpineskihouse,DC=com
Handle ID: -
Primary User Name: ASH-DC1$
Primary Domain: ALPINESKIHOUSE
Primary Logon ID: (0x0,0x3E7)
Client User Name: t1
Client Domain: ALPINESKIHOUSE
Client Logon ID: (0x0,0x67A9AEE)
Accesses: Write Property

Properties:
Write Property
Public Information
Department
user

Additional Info:
Additional Info2:
Access Mask: 0x20

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

3. Now, to check on which DC the change was initiated, you can take the
Repadmin report as follows:
Repadmin /showmeta "DN OF THE USER"
and you can see the originating DC and the timestamp.
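As an added example (not part of the quoted conversation), the following PowerShell collects the account-management events discussed above from a DC's Security log and flattens their %n insertion strings into one row per change, so creations, deletions and group membership changes can be reviewed by caller. It assumes Windows PowerShell (Get-EventLog) and rights to read the Security log on the DC named in -ComputerName; the field indexes are taken from the %1..%7 layouts shown above.

```powershell
# Added example, not from the quoted newsgroup post: turn Windows 2003 account-management
# audit events into a reviewable table. Windows Server 2008 and later renumber these
# events (624->4720, 630->4726, 632->4728, 633->4729) and lay out their insertion
# strings differently, so $Layout would need adjusting there.

# Index of each field in ReplacementStrings, from the %n placeholders shown above.
$Layout = @{
    624 = @{ Action = 'User created';                     Target = 0; Caller = 3; CallerDomain = 4 }
    630 = @{ Action = 'User deleted';                     Target = 0; Caller = 3; CallerDomain = 4 }
    632 = @{ Action = 'Member added to global group';     Member = 0; Target = 2; Caller = 5; CallerDomain = 6 }
    633 = @{ Action = 'Member removed from global group'; Member = 0; Target = 2; Caller = 5; CallerDomain = 6 }
}

function Get-AccountManagementAudit {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a DC: the event is logged where the change was made
        [datetime]$After = (Get-Date).AddDays(-1)
    )
    Get-EventLog -LogName Security -ComputerName $ComputerName -After $After -EntryType SuccessAudit |
        Where-Object { $Layout.ContainsKey([int]$_.EventID) } |
        ForEach-Object {
            $m = $Layout[[int]$_.EventID]
            $s = $_.ReplacementStrings
            $member = if ($m.ContainsKey('Member')) { $s[$m.Member] } else { '' }
            [pscustomobject]@{
                Time    = $_.TimeGenerated
                DC      = $_.MachineName
                EventID = $_.EventID
                Action  = $m.Action
                Target  = $s[$m.Target]        # the account (624/630) or the group (632/633)
                Member  = $member              # DN of the user added to / removed from the group
                Caller  = '{0}\{1}' -f $s[$m.CallerDomain], $s[$m.Caller]
            }
        }
}

# Review: group membership changes in the last week made by anyone other than the
# expected admin account (DOMAIN\administrator1 is a placeholder).
# Get-AccountManagementAudit -After (Get-Date).AddDays(-7) |
#     Where-Object { (632, 633 -contains $_.EventID) -and $_.Caller -ne 'DOMAIN\administrator1' }
```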

Sunday, February 10, 2008

Windows 2000/2003 Active Directory Deployment Guideline

When you are deploying Active Directory in a large environment, especially one with multiple domains and multiple sites, there are a lot of things to be done.

Depending on your design, here are a few of the most important things that you must configure/remember during the deployment:
• It is recommended to place a Global Catalog in each site.
• Don't put the Global Catalog and the Infrastructure Master role on the same Domain Controller server.
• Create the proper subnets, sites, and site replication paths in the Active Directory Sites and Services console.
• For child domain configuration, set up DNS delegation from the root domain.
• Choose the Active Directory Integrated DNS zone type.
• Enable, configure, and authorize a DHCP server for each site if needed.
• Enable WINS for NetBIOS name resolution if needed.
