March, 2013

  • How to clone a virtual Domain Controller

    Hello my name is Paulo Viralhadas and I'm a Premier Field Engineer at Microsoft.

    In one of my previous posts I wrote about vDC cloning, which is my preferred feature in Windows Server 2012: http://blogs.technet.com/b/reference_point/archive/2012/12/11/so-you-wanted-to-deploy-domain-controllers-faster-now-you-can.aspx

    vDC cloning gives you the ability to scale up your production forest and to recover from disasters faster, or simply to build a lab in the blink of an eye.
    In this post you may watch a number of videos that show how to clone a vDC.

    Note: I tried to keep the videos as simple as possible for quick reference.


    HOW TO CLONE A vDC

    The requirements are:
    • Hypervisor must have support for VMGID (VM-Generation ID).
    • AD DS schema version 56.
    • Windows Server 2003 Forest Functional Level or higher.
    • Source DC must be running Windows Server 2012.
    • PDCe must be running on a Windows Server 2012 DC.
    • PDCe and RID master online and available.

    The video contents are:

    Video 1 - Prerequisite check.

    Step 1 - Verify that the source vDC is running on a supported hypervisor.
    Step 2 - Verify the schema version.
    Step 3 - Verify the Forest Functional Level.
    Step 4 - Check the vDC source Operating System.
    Step 5 - Verify that the PDCe FSMO role is running on a Windows Server 2012 DC.
    Step 6 - Ensure that the PDC and RID master are available during the cloning process.


    Video 2 - Getting the Clone ready.

    Step 7 - Create DCCloneConfig.xml file.
    Step 8 - Add the source VDC to the "Cloneable Domain Controllers" security group.
    Step 9 - Shutdown the source VDC.


    Video 3 - Cloning...

    Step 10 - Export the source VM (Virtual Machine).
    Step 11 - Import the VM with the option "Copy the virtual machine (create a new unique ID)".
    Step 12 - Start the new VM.


    Detailed steps:


    Step 1 - Verify that the source vDC is running on a supported hypervisor.

    On the source vDC:
    open [Device Manager]
    expand [System Devices]
    open properties of [Microsoft Hyper-V Generation Counter]
    select the "Driver" tab
    click "Driver details"
    verify that the driver is "vmgencounter.sys"
    This is the driver that makes vDC cloning and snapshot restore possible in Windows Server 2012.

    Step 2 - Verify Schema version.

    On any DC in the forest:
    run [regedit]
    browse to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    verify that "Schema Version" REG_DWORD value is 56.
    This is the Windows Server 2012 version of the schema.

    Step 3 - Verify Forest Functional Level.

    On any DC in the forest:
    open [Powershell]
    run [Get-ADForest]
    verify that "ForestMode" value is "Windows2003Forest" or higher.

    Step 4 - Check the vDC source Operating System.

    On the source vDC:
    run [winver]
    verify that source vDC is a Windows Server 2012.

    Step 5 - Verify that the PDCe FSMO role is running on a Windows Server 2012 DC

    On any DC in the domain:
    open [cmd]
    run [netdom query fsmo]
    copy the PDC FQDN
    open [Powershell]
    run [Get-ADDomainController -Server <paste the PDC FQDN here>]
    verify that the OperatingSystemVersion value is 6.2 (9200) or higher.

    Step 6 - Ensure that PDC and RID master are available during cloning process.
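    The six checks above can be run in one go. The script below is an added example, not part of the original post; it assumes the ActiveDirectory module is installed on the source vDC and that the account running it can read the domain.

```powershell
# Added example, not part of the original post: runs the six prerequisite checks above from
# a PowerShell prompt on the source vDC and reports pass/fail for each one. Assumes the
# ActiveDirectory module is installed and the account can read the domain.
Import-Module ActiveDirectory

function Test-VdcClonePrerequisites {
    $results = @()
    function New-Check($Name, $Pass, $Detail) {
        [pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail }
    }

    # Step 1: VM-Generation ID support appears as the Hyper-V Generation Counter device, backed by vmgencounter.sys
    $genDevice  = Get-WmiObject -Class Win32_PnPEntity -Filter "Name='Microsoft Hyper-V Generation Counter'"
    $driverFile = Join-Path $env:SystemRoot 'System32\drivers\vmgencounter.sys'
    $results += New-Check 'Hypervisor supports VM-Generation ID' (($null -ne $genDevice) -and (Test-Path $driverFile)) "device found: $($null -ne $genDevice); driver present: $(Test-Path $driverFile)"

    # Step 2: schema version 56 is the Windows Server 2012 schema
    $ntds   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $schema = (Get-ItemProperty -Path $ntds -Name 'Schema Version').'Schema Version'
    $results += New-Check 'Schema version is 56 or higher' ($schema -ge 56) "Schema Version = $schema"

    # Step 3: forest functional level; in the ADForestMode enum Windows2003Forest is 2
    $forestMode = (Get-ADForest).ForestMode
    $results += New-Check 'Forest functional level is Windows Server 2003 or higher' ([int]$forestMode -ge 2) "ForestMode = $forestMode"

    # Step 4: the source vDC itself must run Windows Server 2012 (6.2.9200)
    $localOs = [version](Get-WmiObject -Class Win32_OperatingSystem).Version
    $results += New-Check 'Source vDC runs Windows Server 2012 or later' ($localOs -ge [version]'6.2.9200') "OS version = $localOs"

    # Step 5: the PDC emulator must run Windows Server 2012 or later. OperatingSystemVersion
    # reads like '6.2 (9200)', so the build number in parentheses is dropped before comparing.
    $domain = Get-ADDomain
    $pdc    = Get-ADDomainController -Identity $domain.PDCEmulator
    $pdcOs  = [version]($pdc.OperatingSystemVersion -replace '\s*\(\d+\)$', '')
    $results += New-Check 'PDC emulator runs Windows Server 2012 or later' ($pdcOs -ge [version]'6.2') "$($domain.PDCEmulator): $($pdc.OperatingSystemVersion)"

    # Step 6: the PDC emulator and RID master must answer right now, because the clone contacts them at first boot
    foreach ($role in 'PDCEmulator', 'RIDMaster') {
        $holder = $domain.$role
        try   { Get-ADDomainController -Server $holder -ErrorAction Stop | Out-Null; $online = $true }
        catch { $online = $false }
        $results += New-Check "$role is online" $online $holder
    }
    return $results
}

Test-VdcClonePrerequisites | Format-Table -AutoSize
```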

    Step 7 - Create DCCloneConfig.xml file.

    open [Powershell]
    run [New-ADDCCloneConfigFile]
    (this creates an empty configuration file; have a look at the table below before you add
     configuration information to it)

    Step 8 - Add the source VDC to the "Cloneable Domain Controllers" security group.

    open [ADAC]
    browse your domain to the "Users" container
    double-click "Cloneable Domain Controllers" security group
    Select "Members" tab and click "Add" button to add the source domain controller account

    Step 9 - Shutdown the source VDC.

    Step 10 - Export the source VM (Virtual Machine).

    open [Hyper-V Manager]
    Right-click the source vDC VM
    Select Export
    Specify where you want to save the files

    Step 11 - Import the VM with the option "Copy the virtual machine (create a new unique ID)".

    open [Hyper-V Manager]
    click on "Import Virtual Machine"
    Locate Folder
    Select Virtual Machine
    Choose import type:  "Copy the virtual machine (create a new unique ID)"

    Step 12 - Start the new VM.

    (Refer to the diagram below in order to understand the cloning/snapshot restore decision process)
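    Steps 7 to 12 can also be driven from PowerShell on the Hyper-V host instead of the GUI. This is an added example, not code from the original post: the computer names, paths and IP addresses are assumptions, the vDC-side steps run over Invoke-Command, and the Hyper-V module must be present on the host.

```powershell
# Added example, not part of the original post: steps 7 to 12 driven from PowerShell on the
# Hyper-V host instead of the GUI. Computer names, paths and IP addresses are assumptions,
# the vDC-side steps run over Invoke-Command, and the Hyper-V module is needed on the host.
$sourceVdc  = 'DC02'        # assumed: source vDC; VM name and computer name are the same
$cloneName  = 'DC03'        # assumed: name for the clone, must not exist in AD yet
$exportPath = 'D:\Exports'  # assumed: export folder on the Hyper-V host
$clonePath  = "D:\VMs\$cloneName"

Invoke-Command -ComputerName $sourceVdc -ArgumentList $cloneName -ScriptBlock {
    param($cloneName)
    Import-Module ActiveDirectory

    # Step 8 first: New-ADDCCloneConfigFile runs its own prerequisite checks, including that
    # this DC is authorised through the Cloneable Domain Controllers group.
    Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $env:COMPUTERNAME)

    # Services and programs not on the built-in allow list block cloning until they are
    # reviewed and, if safe, added to CustomDCCloneAllowList.xml.
    $excluded = Get-ADDCCloningExcludedApplicationList
    if ($excluded) { throw "Review before cloning: $(($excluded | ForEach-Object { $_.Name }) -join ', ')" }

    # Step 7: DCCloneConfig.xml with a static address, so the clone boots with known networking
    New-ADDCCloneConfigFile -CloneComputerName $cloneName -Static -IPv4Address '10.0.0.13' `
        -IPv4SubnetMask '255.255.255.0' -IPv4DefaultGateway '10.0.0.1' `
        -IPv4DNSResolver '10.0.0.11' -SiteName 'Default-First-Site-Name'
}

# Step 9: graceful guest shutdown through the integration services; Stop-VM waits for it
Stop-VM -Name $sourceVdc

# Step 10: export the powered-off source VM
Export-VM -Name $sourceVdc -Path $exportPath

# Step 11: import as a copy with a new unique ID. The new VM ID is what makes the hypervisor
# hand the guest a new VM-Generation ID, which the clone detects at first boot.
$config = Get-ChildItem -Path (Join-Path $exportPath "$sourceVdc\Virtual Machines") -Filter *.xml |
          Select-Object -First 1
$clone  = Import-VM -Path $config.FullName -Copy -GenerateNewId `
          -VirtualMachinePath $clonePath -VhdDestinationPath $clonePath
Rename-VM -VM $clone -NewName $cloneName

# Step 12: start the clone; first boot finds DCCloneConfig.xml and runs the cloning process
Start-VM -VM $clone
```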


    The Cloning/Snapshot safeguards are:

    • DC resets the Invocation ID
    • Discards the RID pool
    • Updates the Up-to-Dateness Vector table
    • Replicates AD object differences
    • Replicates SYSVOL differences
    • Updates msDS-GenerationID


     The following table puts together the outcomes of the diagram above:


    By the way, you may find a playlist of all 3 videos above at:

    http://www.youtube.com/playlist?list=PLRiiq9ROPBOtJhPx2SciZcMfhJ4PN4K7y


    Hope it helps!

     Best regards

    Paulo


  • AD recycle bin feature and Windows Server 2012 GUI

    Hello my name is Paulo Viralhadas and I'm a Premier Field Engineer at Microsoft.


    The AD Recycle Bin feature was released in Windows Server 2008 R2 without a graphical user interface, which made its deployment and usability (I mean recovering deleted objects from AD) somewhat difficult for system admins.

    In this post I will write about how to enable the ADRB feature on both WS2008 and WS2012.

    This will provide you with the skills necessary to perform object recovery regardless of the operating system you are using currently.

    Be amazed at how easy it is to recover deleted objects in WS2012.

    This feature can be enabled if your forest is running at the Windows Server 2008 R2 forest functional level.

    If all DCs in the forest are already running Windows Server 2008 R2 or higher, you may use the following PowerShell command to raise the forest functional level (FFL):

    Set-ADForestMode 4 -Identity <forestname>

    which requires that all domains in the forest run at the Windows Server 2008 R2 domain functional level, so if needed run:

    Set-ADDomainMode 4 -Identity <domainname>

    Before running the PowerShell commands above on WS2008R2, you have to import the Active Directory module for PowerShell (WS2012 does it automatically).

    Important: Enabling Active Directory Recycle Bin is an irreversible procedure.

    To enable the AD Recycle Bin feature using PowerShell run:

    Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target '<forestname>'

    To check if recycle bin is enabled:

    Get-ADOptionalFeature -filter *

    To restore a deleted object do the following:

    Get-ADObject -Filter {displayName -eq "name"} -IncludeDeletedObjects | Restore-ADObject

    Watch the video - Enable AD Recycle Bin and restore a single object using PowerShell on WS2008R2

    Although restoring a single object is fairly simple, the restoration procedure gets more complex when restoring multiple nested objects.

    For example, when you need to restore an OU with hundreds or thousands of objects in it (like users, groups, computers or even sub-OUs, which in turn may contain more objects).

    You will have to investigate how deep the OU nesting is by querying the lastKnownParent attribute of deleted users, in order to understand the deleted OU structure.

    Then you must restore from top to bottom, one hierarchy level at a time.

    The reason is that when an object is deleted and moves to the Deleted Objects container, its distinguished name (DN) gets mangled, and the Deleted Objects container does not keep a hierarchy.

    The only way to recover the object hierarchy is by searching for its lastKnownParent attribute.

    For example consider the following scenario:

    [picture 1]

    In this scenario we need to start by searching for known objects that have been deleted, for example, in this case, by finding the lastKnownParent of a user named Peter:

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -LDAPFilter "(msDS-LastKnownRDN=Peter)" -IncludeDeletedObjects -Properties lastKnownParent

    Then by finding all objects that have HumanResources as lastKnownParent (note: the backslash before 0ADEL: has to be doubled inside the filter):

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq 'OU=HumanResources\\0ADEL:c876daac-da9b-57ce-bded-978aed9c0e2b,CN=Deleted Objects,DC=contoso,DC=com'} -IncludeDeletedObjects -Properties lastKnownParent | ft

    At this stage we must go through the output and look for other OUs contained within the HumanResources OU; for every extra OU we find, we then search for the deleted objects inside it (in this case we explore the Users OU within HumanResources):

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq 'OU=Users\\0ADEL:6b507c43-172b-8145-93bf-61e00302bb4a,CN=Deleted Objects,DC=contoso,DC=com'} -IncludeDeletedObjects -Properties lastKnownParent | ft

    So far we have found that the HumanResources OU was deleted (we can tell by its mangled DN). With the following command we can check whether there is another OU above it and whether that OU was deleted as well (if so, we have to perform the same steps as above to find the other objects within it):

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -LDAPFilter "(msDS-LastKnownRDN=HumanResources)" -IncludeDeletedObjects -Properties lastKnownParent

    Once the investigation is complete, we can start restoring the objects from top to bottom:

    To restore the HumanResources OU:

    Get-ADObject -LDAPFilter "(msDS-LastKnownRDN=HumanResources)" -IncludeDeletedObjects | Restore-ADObject

    To restore all deleted objects under it (including the Users OU):

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq "OU=HumanResources,DC=contoso,DC=com"} -IncludeDeletedObjects | Restore-ADObject

    To restore all deleted objects under the Users OU:

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq "OU=Users,OU=HumanResources,DC=contoso,DC=com"} -IncludeDeletedObjects | Restore-ADObject

    Note: Depending on your infrastructure you may have to go deeper into OU hierarchy, but then you just have to repeat the steps above accordingly.
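    The manual lastKnownParent walk above generalises to any nesting depth. The function below is an added example, not part of the original post: it finds the deleted OU by its msDS-LastKnownRDN, walks up to the highest deleted ancestor, then restores top-down one level at a time using only the cmdlets the post already uses; 'HumanResources' is the post's example value and an assumption here.

```powershell
# Added example, not part of the original post: turns the manual lastKnownParent walk above
# into one function that restores a deleted OU and everything beneath it, top-down, one level
# at a time. Relies only on the cmdlets used in the post.
Import-Module ActiveDirectory

function Restore-ADDeletedTree {
    param(
        [Parameter(Mandatory = $true)][string]$LastKnownRDN,  # e.g. 'HumanResources'
        [switch]$ReportOnly                                    # print the plan, restore nothing
    )
    $deletedContainer = (Get-ADDomain).DeletedObjectsContainer
    # Read every tombstone once and match lastKnownParent client-side, so the mangled DN (OU=Name\0ADEL:<guid>,...) never needs escaping
    $tombstones = Get-ADObject -SearchBase $deletedContainer -LDAPFilter '(isDeleted=TRUE)' `
        -IncludeDeletedObjects -Properties lastKnownParent, 'msDS-LastKnownRDN'
    $hits = @($tombstones | Where-Object { $_.'msDS-LastKnownRDN' -eq $LastKnownRDN })
    if ($hits.Count -ne 1) { throw "Expected one deleted object named '$LastKnownRDN', found $($hits.Count)" }
    $root = $hits[0]
    # Walk upwards first: a deleted parent must come back before its children, because Restore-ADObject needs a live parent
    while ($root.lastKnownParent -like "*,$deletedContainer") {
        $root = $tombstones | Where-Object { $_.DistinguishedName -eq $root.lastKnownParent }
        if (-not $root) { throw 'Parent tombstone not found; it may be past the deleted object lifetime' }
    }
    # Breadth-first restore: each object is restored only after its parent is live again
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Object = $root; Target = $null })   # root goes back to its own lastKnownParent
    $restored = @()
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue(); $current = $item.Object
        # Children still point at the parent's mangled DN, so collect them before restoring it
        $children = @($tombstones | Where-Object { $_.lastKnownParent -eq $current.DistinguishedName })
        if ($ReportOnly) {
            Write-Host ("{0} '{1}' with {2} direct children" -f $current.ObjectClass, $current.'msDS-LastKnownRDN', $children.Count)
            $liveDn = $null
        } else {
            if ($item.Target) { Restore-ADObject -Identity $current.ObjectGUID -TargetPath $item.Target }
            else              { Restore-ADObject -Identity $current.ObjectGUID }
            $liveDn = (Get-ADObject -Identity $current.ObjectGUID).DistinguishedName
        }
        $restored += $current.'msDS-LastKnownRDN'
        foreach ($child in $children) { $queue.Enqueue(@{ Object = $child; Target = $liveDn }) }
    }
    return $restored
}

Restore-ADDeletedTree -LastKnownRDN 'HumanResources' -ReportOnly   # the post's scenario (assumed name); drop -ReportOnly to restore
```

    Run it with -ReportOnly first to see the recovered hierarchy (HumanResources, then Users, then Peter in the post's scenario) before any object is restored.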

    Watch the video - Restore multiple objects using PowerShell on WS2008R2

    Now that we have covered how to restore deleted objects with the Recycle Bin in WS2008R2, let's see how easy it is to do the same in WS2012 with the new Recycle Bin GUI:

    You have to open the Deleted Objects container in ADAC and perform the same searches there, just using the UI and working out the hierarchy by looking at the Last Known Parent attribute.

    If you are looking for specific objects, click "Add criteria"; if you don't know exactly what to search for (this is one of the reasons why having AD properly documented is so important), one idea is to add the criterion "Last modified between these dates".

    Watch the video - Restore multiple objects using the NEW Recycle Bin GUI in WS2012

    Hope it helps!

    Enjoy!

    PS: I will add the videos throughout the week.

    In my next post I will share more information on how the AD Recycle Bin actually works.