DomainController: Difference between revisions

From Piszczynski
piszczynski>Aleks
 
(31 intermediate revisions by 2 users not shown)

Latest revision as of 11:22, 2 February 2024

Join To domain

Set DNS to point to domain controllers:

Get-netadapter | Set-DnsClientServerAddress -ServerAddresses ("10.0.0.1","10.0.0.2")

Domain join the computer:

Add-Computer -DomainName <domain> -Credential <domain account> -Restart

Domain Services / Ports required

Open the following ports on the firewall for Active Directory Domain Services to function correctly:

TCP - ["53", "88", "135", "139", "389", "445", "464", "636", "3268", "3269", "5722", "9389", "49152-65535"]
UDP - ["53", "88", "123", "137", "138", "389", "445", "464", "49152-65535"]

Domain Controller Info

Find all domain controllers in the domain:

Resolve-DnsName -Type ALL -Name _ldap._tcp.dc._msdcs.$env:userdnsdomain

Replication between domain controllers can be tested with the "repadmin" command:

repadmin /replsummary

This identifies domain controllers that are failing inbound or outbound replication and summarizes the results in a report.

Get detailed info on domain controller status:

dcdiag /v /c /e | out-file C:\temp\dctest.txt

Get the FSMO roles held by domain controllers:

netdom query FSMO
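As an added example (not code from the original page), the following script ties the two checks above together: it discovers the domain controllers from the _ldap._tcp.dc._msdcs SRV record and then probes, from the current host, the TCP ports listed in the "Domain Services / Ports required" section, reporting any that are blocked. It assumes a domain-joined Windows machine with the built-in DnsClient and NetTCPIP modules; the function names are my own.

```powershell
# Added example (not part of the original page): discover the domain's DCs from the
# _ldap._tcp.dc._msdcs SRV record and probe the TCP ports the page lists from this host.
# Assumes a domain-joined Windows machine with the DnsClient and NetTCPIP modules (built in).

function Get-DomainControllerSrv {
    param([string]$Domain = $env:USERDNSDOMAIN)
    if (-not $Domain) { throw 'No USERDNSDOMAIN set; run this on a domain-joined machine.' }
    # Every DC that advertises LDAP registers an SRV record under _ldap._tcp.dc._msdcs.<domain>
    Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique
}

function Test-DomainControllerPorts {
    param(
        [string[]]$DomainController = (Get-DomainControllerSrv),
        # TCP ports from the page's list; the 49152-65535 dynamic RPC range is not probed port by port
        [int[]]$Port = @(53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 5722, 9389)
    )
    foreach ($dc in $DomainController) {
        foreach ($p in $Port) {
            $r = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $dc
                Port             = $p
                Open             = $r.TcpTestSucceeded
            }
        }
    }
}

# Report only the ports that are blocked between this host and each DC
Test-DomainControllerPorts | Where-Object { -not $_.Open } | Format-Table -AutoSize
```

Run it from a member server or workstation in each network segment that needs to reach the DCs; an empty result means every listed port answered. Test-NetConnection takes a few seconds per closed port, so the full sweep is slow on a large DC list.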

Domain Controller Troubleshooting

If group policy cannot be created there may be a problem with the SYSVOL directory. Check for replication issues and for any changes to permissions that might have occurred.

Check for any DNS issues for entries associated with the Domain Controllers.

Domain Recovery

Check the Microsoft guide for recovery: MS Guide (https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-guide)

If one or more domain controllers have been offline for over 60 days then all domain services will report errors.

The easiest way to fix the domain is to destroy all the domain controllers except the one which has the data you want to keep.

Seize all FSMO roles onto that domain controller and do an authoritative restore of SYSVOL.

Delete all other domain controllers from Active Directory using the AD Users and Computers MMC. This should also clear up all domain records for those domain controllers. Then delete all DNS records which point to the other domain controllers.

Then on the remaining DC set the msDFSR-Enabled attribute to False and the msDFSR-Options attribute to 1 (stop the DFSR service first).

Then start the DFSR service and check for event 4602, which gives details of the DFSR status:

Get-WinEvent -LogName 'DFS Replication' | Where-Object ID -EQ 4602 | Format-Table -AutoSize -Wrap

Check the output then stop the DFSR service.

Change msDFSR-Enabled attribute to True, then start the DFSR service again and check the events.

Hopefully this will restore the sysvol replication and everything will start working again.

You can then force demote/rebuild the other domain controllers and join them back to the domain. Probably best to do this process offline until you are ready to promote them back to being a domain controller.
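The attribute changes in the recovery steps above are usually made by hand in ADSI Edit. As an added example (not the page's own code), the script below does the same with the ActiveDirectory module: it locates the DC's SYSVOL subscription object, stops DFSR, writes msDFSR-Enabled / msDFSR-Options, starts DFSR again and reads the DFSR events the page says to check. It assumes the ActiveDirectory module is installed on the surviving DC and a Domain Admin session; the function names are my own, and the object path is the standard location of the SYSVOL subscription under the DC's computer object.

```powershell
# Added example (not part of the original page): drives the msDFSR-Enabled / msDFSR-Options
# steps from the recovery procedure above on the surviving DC and reads the DFSR events.
# Assumes the ActiveDirectory module (RSAT) on the DC and a Domain Admin session.
Import-Module ActiveDirectory

function Get-SysvolSubscription {
    param([string]$DcName = $env:COMPUTERNAME)
    $domainDn = (Get-ADDomain).DistinguishedName
    # The DFSR SYSVOL subscription object lives under the DC's computer object
    $dn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DcName,OU=Domain Controllers,$domainDn"
    Get-ADObject -Identity $dn -Properties 'msDFSR-Enabled', 'msDFSR-Options'
}

function Set-SysvolSubscription {
    # Stops DFSR, writes the attribute(s), then starts DFSR again (the page's order of operations)
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][bool]$Enabled,
        [int]$Options,                         # 1 = authoritative; omit to leave unchanged
        [string]$DcName = $env:COMPUTERNAME
    )
    $sub = Get-SysvolSubscription -DcName $DcName
    $replace = @{ 'msDFSR-Enabled' = $Enabled }
    if ($PSBoundParameters.ContainsKey('Options')) { $replace['msDFSR-Options'] = $Options }
    if ($PSCmdlet.ShouldProcess($sub.DistinguishedName, "Set $($replace.Keys -join ', ')")) {
        Stop-Service -Name DFSR -Force
        Set-ADObject -Identity $sub -Replace $replace
        Start-Service -Name DFSR
    }
}

function Get-DfsrSysvolEvent {
    # 4602 = SYSVOL initialised as authoritative, 4604 = SYSVOL initialised,
    # 4114 = replicated folder disabled (what you see while msDFSR-Enabled is False)
    param([int[]]$Id = @(4602, 4604, 4114), [int]$Newest = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = $Id } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Sequence from the page, shown as a dry run (drop -WhatIf to apply):
# 1. disable the subscription and mark it authoritative
Set-SysvolSubscription -Enabled $false -Options 1 -WhatIf
# 2. check the DFSR events (the page looks for 4602) before re-enabling
Get-DfsrSysvolEvent | Format-Table -AutoSize -Wrap
# 3. re-enable the subscription and check the events again
Set-SysvolSubscription -Enabled $true -WhatIf
```

Set-SysvolSubscription supports -WhatIf so the target object and attribute names can be confirmed before DFSR is stopped; on a domain with only one DC left there is nothing to wait for replication-wise, but on any other domain the attribute write still has to replicate before the service reads it.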

Sysvol Replication Issues

If there are issues with domain replication use the following tools to diagnose:

  • dcdiag - provides full diagnostics on the domain controllers; use /c to run all tests (dcdiag /c)
  • repadmin - provides details on replication between domain controllers, e.g. repadmin /replsummary

Migrate from FRS to DFS Sysvol Replication

To migrate from FRS to DFSR you will need to move the domain controllers through three states: Prepared, Redirected, and Eliminated.

Check current state on DC:

dfsrmig /getglobalstate

This returns the global state: 0=Start, 1=Prepared, 2=Redirected, 3=Eliminated.

Detailed information can be found here: https://learn.microsoft.com/en-us/windows-server/storage/dfs-replication/migrate-sysvol-to-dfsr

Another good guide can be found here: https://techcommunity.microsoft.com/t5/storage-at-microsoft/streamlined-migration-of-frs-to-dfsr-sysvol/ba-p/425405

Migrating to prepared state

Migrating to the Prepared state includes the following tasks:

Verify the health of Active Directory Domain Services: run the following command to check the SYSVOL share on each DC, and also check disk space on the drive that contains SYSVOL:

net share

Check replication is healthy:

repadmin /ReplSum

Check the following registry key for the location of SYSVOL and confirm it: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters. Also check that the "SysvolReady" value in the same key is 1.

Check in Administrative Tools on each domain controller that DFS Replication is listed and set to automatic startup.

Raise the domain functional level to Windows Server 2008 at minimum if the domain is not already at this level:

  • In Active Directory Domains and Trusts, right-click the domain and select Properties to check the current level, then right-click and select Raise Domain Functional Level (this cannot be reversed once completed; check that it will not cause an issue with old GPO templates etc.)

Check the state of SYSVOL and connectivity between domain controllers. Make sure all tests succeed before starting:

Dcdiag /e /test:sysvolcheck /test:advertising

Migrate the domain to the Prepared state: on a writable (not read-only) domain controller set the global state to Prepared:

dfsrmig /setglobalstate 1

Verify that the domain has migrated to the Prepared state:

dfsrmig /getglobalstate

Check all domain controllers have reached the Prepared state (this can take some time):

dfsrmig /getmigrationstate

Verify all domain controllers have reached the prepared state:

1. Open DFS Management from the Administrative Tools folder.

   If DFS Management is not already installed, from Server Manager use the Add Features Wizard to install the Remote Server Administration Tools feature, and select the File Services Tools feature with the Distributed File System Tools option.

2. In the console tree, under the Replication node, click Domain System Volume.

3. Click the Membership tab, click Membership Status, and then for each domain controller in the domain verify that the Enabled check box is selected for a Local Path of [drive:]Windows_folder\SYSVOL_DFSR\domain.

4. Right-click Domain System Volume, and then click Create Diagnostic Report to create a diagnostic report for DFS Replication of the SYSVOL_DFSR folder. Follow the instructions in the Diagnostic Report Wizard and view the report that the wizard produces to verify the health of DFS Replication of the SYSVOL_DFSR folder.

   DFS Management in Windows Server 2008 includes the ability to run a propagation test and generate two types of diagnostic reports: a propagation report and a general health report. To verify that SYSVOL replication is working properly, perform the propagation test and examine both reports for problems.

Migrating to Redirected State

Once all domain controllers are functioning in the prepared state you can migrate to redirected state:

dfsrmig /setglobalstate 2

Check state with the following command:

dfsrmig /getglobalstate

Check the migration status with the following command:

dfsrmig /getmigrationstate

Verify the state of SYSVOL on each domain controller: you want to see that the mapped share is the DFSR share (SYSVOL_DFSR\sysvol):

  • net share

Use DFS Management to create a diagnostic report to confirm DFSR status:

1. Open DFS Management from the Administrative Tools folder.

2. In the console tree, under the Replication node, click Domain System Volume.

3. Click the Membership tab, click Membership Status, and then for each domain controller in the domain verify that the Enabled check box is selected for a Local Path of [drive:]Windows_folder\SYSVOL_DFSR\domain.

4. Right-click Domain System Volume, and then click Create Diagnostic Report to create a diagnostic report for the DFS Replication of the SYSVOL_DFSR folder. Follow the instructions in the Diagnostic Report Wizard and view the report that the wizard produces to verify the health of the DFS Replication of the SYSVOL_DFSR folder.

   DFS Management in Windows Server 2008 provides the ability to run a propagation test and generate two types of diagnostic reports: a propagation report and a general health report. To verify that SYSVOL replication is working properly, perform the propagation test and examine both reports for problems.

Migrating to Eliminated State

After confirming that there are no issues with domain controllers in the Redirected state the domain controllers can be put into the Eliminated state:

Check migration status:

dfsrmig /getmigrationstate

Confirm AD replication is functioning correctly:

repadmin /ReplSum

Back up the state of the domain controllers (run on each domain controller):

Wbadmin start systemstatebackup

Finally migrate to the Eliminated state (run on a writable DC):

dfsrmig /setglobalstate 3

Check global state:

dfsrmig /getglobalstate

Check migration state:

dfsrmig /getmigrationstate

Check the sysvol share:

net share

Get DFS report:

1. Open DFS Management from the Administrative Tools folder.

2. In the console tree, under the Replication node, click Domain System Volume.

3. Click the Membership tab, click Membership Status, and then for each domain controller in the domain verify that the Enabled check box is selected for a Local Path of [drive:]Windows_folder\SYSVOL_DFSR\domain.

4. Right-click Domain System Volume, and then click Create Diagnostic Report to create a diagnostic report for the DFS Replication of the SYSVOL_DFSR folder. Follow the instructions in the Diagnostic Report Wizard and view the report that the wizard produces to verify the health of the DFS Replication of the SYSVOL_DFSR folder.

   DFS Management in Windows Server 2008 provides the ability to run a propagation test and generate two types of diagnostic reports: a propagation report and a general health report. To verify that SYSVOL replication is working properly, perform the propagation test and examine both reports for problems.

Stop and disable the FRS service on each domain controller:

sc \\<servername> stop ntfrs
sc \\<servername> config ntfrs start= disabled
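Each of the Prepared, Redirected and Eliminated steps above ends with the same two checks: poll dfsrmig /getmigrationstate until every DC has caught up, and confirm the SysvolReady value and which share path is published. As an added example (not code from the original page or from Microsoft), the script below wraps those checks so one function serves all three steps. The success text it matches in dfsrmig's output ("migrated successfully") is an assumption about that tool's wording; the function names are my own.

```powershell
# Added example (not part of the original page): wraps the dfsrmig checks used in each
# migration step. Polls /getmigrationstate until every DC reports the target state, and checks
# the SysvolReady value and the share the page tells you to verify. The success string it
# matches on ('migrated successfully') is an assumption about dfsrmig's output text.

function Get-DfsrMigrationText {
    # dfsrmig writes plain text; return it as a single string for matching
    (& dfsrmig.exe /getmigrationstate 2>&1) -join "`n"
}

function Wait-DfsrMigrationState {
    param([int]$TimeoutMinutes = 120, [int]$PollSeconds = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        $text = Get-DfsrMigrationText
        if ($text -match 'migrated successfully') { return $text }
        Write-Verbose "Migration still in progress:`n$text" -Verbose
        Start-Sleep -Seconds $PollSeconds
    }
    throw "Not all domain controllers reached the target state within $TimeoutMinutes minutes; check dfsrmig /getmigrationstate and AD replication."
}

function Test-SysvolShare {
    # SysvolReady=1 means Netlogon has published SYSVOL; the share path shows whether
    # SYSVOL or SYSVOL_DFSR is currently mapped (the Redirected-state check on the page)
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $share  = Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SysvolReady = $params.SysvolReady
        SysvolPath  = $params.SysVol
        SharePath   = $share.Path
        IsDfsrShare = ($share.Path -like '*SYSVOL_DFSR*')
    }
}

# Usage for one step (run on a writable DC): set the state, wait for all DCs, then verify.
# & dfsrmig.exe /setglobalstate 2      # uncomment for the step you are performing
Wait-DfsrMigrationState
Test-SysvolShare
```

After the Redirected step IsDfsrShare should be True on every DC; after Eliminated the share stays on SYSVOL_DFSR and the old SYSVOL folder is no longer replicated by FRS.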

DFSR configuration Rebuild

Use this process to rebuild the SYSVOL replication group without demoting and promoting domain controllers.

To check if this is required, look in ADSIedit.msc at the entries for the domain controllers; if they do not have CN=DFSR-LocalSettings in the AD object then it is likely there is no DFSR config.

1: Take backups

2: Shut down the DFSR service on all domain controllers

3: On the domain controller holding the PDC Emulator FSMO role enter the following registry keys:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Promoting SysVols]
Information Is Committed=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Promoting SysVols\<Yourdomain>]
Is Primary=dword:00000001
Command=DcPromo
Parent Computer=""    (entry is blank)
Replicated Folder Name=<yourdomain>
Replicated Folder Root=C:\Windows\SYSVOL\Domain
Replicated Folder Root Set=C:\Windows\SYSVOL\sysvol\<yourdomain>
Replicated Folder Stage=C:\Windows\SYSVOL\staging areas\<yourdomain>
Replication Group Name=<yourdomain>
Replication Group Type=Domain

Make sure "Is Primary" is only set to 1 on the PDC emulator DC


4: Start DFSR on the PDC Emulator domain controller. CN=Domain System Volume will be recreated under CN=Dfsr-GlobalSettings,CN=System,DC=<DOMAIN>, all created registry keys and values will be deleted, and DFSR event 4602 will be written on the PDCE.

5: Create the following registry keys on the other writable domain controllers (not RODCs):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Promoting SysVols]
Information Is Committed=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Promoting SysVols\<Yourdomain>]
Is Primary=dword:00000000
Command=DcPromo
Parent Computer="DC01.yourdomain"    (point to the FQDN of the PDC emulator DC configured in step 3)
Replicated Folder Name=<yourdomain>
Replicated Folder Root=C:\Windows\SYSVOL\Domain
Replicated Folder Root Set=C:\Windows\SYSVOL\sysvol\<yourdomain>
Replicated Folder Stage=C:\Windows\SYSVOL\staging areas\<yourdomain>
Replication Group Name=<yourdomain>
Replication Group Type=Domain

6: Start the DFSR service on the other domain controllers. CN=Domain System Volume will be recreated under CN=Dfsr-GlobalSettings,CN=System,DC=<DOMAIN>, all created registry keys and values will be deleted, and DFSR events 4614, 6805 and 4804 will be written when the server is replicating SYSVOL successfully. Be patient, it might take a few minutes before replication starts.
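Typing the registry values from steps 3 and 5 by hand on each DC is where mistakes creep in (a stray "Is Primary=1" on a second DC, or a mistyped parent computer). As an added example, not code from the original page, the function below writes exactly the keys and values listed above and refuses the two inconsistent combinations (primary with a parent, or non-primary without one). It assumes the DFSR service has already been stopped (step 2), that the string values shown on the page are REG_SZ and the two dword values REG_DWORD (the page does not state the types), and that the SYSVOL root is C:\Windows\SYSVOL as in the listing; the function name is my own.

```powershell
# Added example (not part of the original page): creates the "Promoting SysVols" registry
# keys from the rebuild procedure above. Types are assumed: dword for the two flags shown as
# dword on the page, REG_SZ for everything else. Run with DFSR stopped, as step 2 requires.

function New-DfsrPromotingSysvolKeys {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DomainName,      # <yourdomain> in the listing
        [switch]$IsPrimary,                              # only on the PDC emulator (step 3)
        [string]$ParentComputer = '',                    # FQDN of the PDCe on the other DCs (step 5)
        [string]$SysvolRoot = 'C:\Windows\SYSVOL'
    )
    if ($IsPrimary -and $ParentComputer) { throw 'The primary (PDCe) entry must have a blank Parent Computer.' }
    if (-not $IsPrimary -and -not $ParentComputer) { throw 'Non-primary DCs must point Parent Computer at the PDCe FQDN.' }

    $base      = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Promoting SysVols'
    $domainKey = Join-Path $base $DomainName

    # Name -> (type, value), in the order the page lists them
    $values = [ordered]@{
        'Is Primary'                 = @{ Type = 'DWord';  Value = [int]$IsPrimary.IsPresent }
        'Command'                    = @{ Type = 'String'; Value = 'DcPromo' }
        'Parent Computer'            = @{ Type = 'String'; Value = $ParentComputer }
        'Replicated Folder Name'     = @{ Type = 'String'; Value = $DomainName }
        'Replicated Folder Root'     = @{ Type = 'String'; Value = "$SysvolRoot\Domain" }
        'Replicated Folder Root Set' = @{ Type = 'String'; Value = "$SysvolRoot\sysvol\$DomainName" }
        'Replicated Folder Stage'    = @{ Type = 'String'; Value = "$SysvolRoot\staging areas\$DomainName" }
        'Replication Group Name'     = @{ Type = 'String'; Value = $DomainName }
        'Replication Group Type'     = @{ Type = 'String'; Value = 'Domain' }
    }

    if ($PSCmdlet.ShouldProcess($domainKey, 'Create Promoting SysVols keys')) {
        if ((Get-Service DFSR).Status -ne 'Stopped') { throw 'Stop the DFSR service first (step 2).' }
        New-Item -Path $base -Force | Out-Null
        New-ItemProperty -Path $base -Name 'Information Is Committed' -PropertyType DWord -Value 1 -Force | Out-Null
        New-Item -Path $domainKey -Force | Out-Null
        foreach ($name in $values.Keys) {
            New-ItemProperty -Path $domainKey -Name $name -PropertyType $values[$name].Type `
                -Value $values[$name].Value -Force | Out-Null
        }
        Get-ItemProperty -Path $domainKey      # echo what was written for the operator to check
    }
}

# Step 3 on the PDC emulator (dry run shown; drop -WhatIf to apply):
New-DfsrPromotingSysvolKeys -DomainName 'yourdomain' -IsPrimary -WhatIf
# Step 5 on every other writable DC:
New-DfsrPromotingSysvolKeys -DomainName 'yourdomain' -ParentComputer 'DC01.yourdomain' -WhatIf
```

Because the keys are consumed and deleted when DFSR starts (steps 4 and 6), a wrong value is not easily visible afterwards, which is why the function prints the key back before you start the service.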


Restore Destroyed DFSR from backup

If SYSVOL is damaged but the replication group is still functioning, and the dfsr=true flags can be seen for the domain controllers in adsiedit.msc, then you may be able to restore from backup and start replication again from the known good restored SYSVOL.

See the guide below:

https://gist.github.com/RavuAlHemio/00e51d3ea64731be9d43b01eda18734f


Time Service Configuration

All domain members should use NT5DS domain time.

Desktops and member servers sync with any domain controller.

Domain controllers sync with PDC emulator (one per domain)

PDC emulator in child domain can sync with any domain controller in parent domain.

PDC emulator in parent domain syncs with either a hardware clock or possibly an external source.

https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-direc...

For all domain members (aside from the PDCe) this should have happened by default, but you can confirm by running:

w32tm /unregister
net stop w32time
w32tm /register
net start w32time
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time

then check

w32tm /query /source
w32tm /query /configuration

for the PDCe

w32tm /unregister
net stop w32time
w32tm /register
net start w32time
w32tm /config /manualpeerlist:<preferred ip address> /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time

then check

w32tm /query /source
w32tm /query /configuration


https://docs.microsoft.com/en-gb/archive/blogs/nepapfe/its-simple-time-configuration-in-active-directory


If some servers are on the wrong time zone and it cannot be changed from the GUI (for example because it is set through group policy), open an admin PowerShell session and use the following cmdlet:

  • set-timezone "GMT Standard Time"

Can check connection to NTP server with the following command:

  • w32tm /stripchart /computer:time.windows.com /dataonly
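The hierarchy described at the top of this section is easy to state and easy to get wrong on a DC that was once the PDCe or was built from a VM template. As an added example (not code from the original page or the linked blog), the following check reads w32tm's source and configuration on the local machine, works out whether it is the PDC emulator, and flags the two mismatches that matter: a PDCe left free-running on its local clock, or a member/DC that is not using the NT5DS domain hierarchy. It assumes the ActiveDirectory module; the strings matched in w32tm's output ("Local CMOS Clock", "Free-running", "VM IC", "Type: NT5DS") are assumptions about its wording, and the function name is my own.

```powershell
# Added example (not part of the original page): checks whether this computer's time source
# matches the hierarchy described above (members and ordinary DCs follow the domain
# hierarchy; the PDCe uses an external or hardware source). Assumes the ActiveDirectory
# module; the strings matched in w32tm's output are assumptions about its wording.
Import-Module ActiveDirectory

function Test-TimeSourceHierarchy {
    $pdce   = (Get-ADDomain).PDCEmulator                               # FQDN of the PDC emulator
    $self   = (Get-ADComputer -Identity $env:COMPUTERNAME).DNSHostName
    $isPdce = ($self -ieq $pdce)
    $source = ((& w32tm.exe /query /source) -join ' ').Trim()
    $config = (& w32tm.exe /query /configuration) -join "`n"
    # "Type: NT5DS" = domain hierarchy, "Type: NTP" = manual peer list, "Type: NoSync" = none
    $type   = if ($config -match 'Type:\s*(\S+)') { $Matches[1] } else { 'unknown' }

    $problem = $null
    if ($isPdce) {
        if ($source -match 'Local CMOS Clock|Free-running') {
            $problem = 'PDC emulator is free-running; point it at a reliable external or hardware source.'
        }
    } elseif ($type -ne 'NT5DS' -or $source -match 'Local CMOS Clock|Free-running|VM IC') {
        $problem = 'Domain member should use NT5DS and take time from a domain controller.'
    }

    [pscustomobject]@{
        Computer      = $self
        IsPdcEmulator = $isPdce
        Type          = $type
        Source        = $source
        Problem       = $problem
    }
}

Test-TimeSourceHierarchy | Format-List
```

A non-empty Problem field on a DC is worth fixing before chasing Kerberos errors, since a clock skew beyond the Kerberos tolerance shows up first as authentication failures rather than as a time error.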

Capture FSMO Roles from other domain controller

Move-ADDirectoryServerOperationMasterRole -Identity <domain controller hostname receiving roles> -OperationMasterRole schemamaster, domainnamingmaster, pdcemulator, ridmaster, infrastructuremaster -Force

Lost Trust Relationship With Domain

If a server has lost its trust relationship with the domain after being restored, use the following commands:

Test local computer password:

Test-ComputerSecureChannel -verbose

Check that the server's computer account exists in the domain and is not disabled.

Reset the Computer machine account:

Reset-ComputerMachinePassword -Server <DomainController> -Credential <DomainAdmin>
Reset-ComputerMachinePassword -Server DC01 -Credential DomainAdminAccount

The other way to restore is to unjoin the Server from the domain and then re-join it to the domain.

Fix Trust Relationship: https://theitbros.com/fix-trust-relationship-failed-without-domain-rejoining/
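The three checks above (test the secure channel, confirm the account is enabled, reset the password) are worth running in that order so a disabled account is noticed before the password reset fails with an unhelpful error. As an added example, not the page's own code, the function below does that from the affected server; it assumes the ActiveDirectory module is available on the member server and that the credential supplied can read the computer object and reset the machine password. The function name is my own.

```powershell
# Added example (not part of the original page): repairs a broken machine trust in the order
# the page describes. Assumes the ActiveDirectory module on the member server and a
# credential with rights to read the computer object and reset the machine password.
Import-Module ActiveDirectory

function Repair-DomainTrust {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Server,              # a reachable DC, e.g. DC01
        [Parameter(Mandatory)][pscredential]$Credential     # domain admin (or delegated) account
    )
    # 1. Test the secure channel against the named DC
    if (Test-ComputerSecureChannel -Server $Server) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Action = 'none'; SecureChannel = $true }
    }

    # 2. Make sure the computer account exists and is enabled before touching its password
    $acct = Get-ADComputer -Identity $env:COMPUTERNAME -Server $Server -Credential $Credential -ErrorAction Stop
    if (-not $acct.Enabled) {
        throw "Computer account $($acct.SamAccountName) is disabled in AD; enable it before resetting the password."
    }

    # 3. Reset the machine account password against that DC
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Reset machine account password via $Server")) {
        Reset-ComputerMachinePassword -Server $Server -Credential $Credential
    }

    # 4. Re-test; if this still fails the remaining fix is to unjoin and re-join
    $ok = Test-ComputerSecureChannel -Server $Server
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Action = 'password reset'; SecureChannel = $ok }
}

# Usage (dry run shown; drop -WhatIf to perform the reset):
Repair-DomainTrust -Server 'DC01' -Credential (Get-Credential) -WhatIf
```

The step-2 check is the one most often skipped: a restored server whose account was disabled or deleted while it was away will keep failing the reset until the account itself is put right.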

Demote Domain Controller

To demote a domain controller you can select in Server Manager to uninstall the Active Directory Domain Services role.

Alternatively you can use PowerShell on Windows Server versions >= 2012:

Uninstall-ADDSDomainController

Ref: MS KB (https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/demoting-domain-controllers-and-domains--level-200-)

For older domain controllers dcpromo.exe can be used: MS KB (https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732887(v=ws.11))

If the demotion does not complete correctly, or the domain controller is no longer able to contact the other domain controllers, you may need to carry out the process manually: MS KB (https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564)


Migrate Certificate Authority

See the following guide: MS KB (https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/move-certification-authority-to-another-server)

Migrate Domain controller services

FSMO Roles

Move FSMO roles with PowerShell: MS KB (https://learn.microsoft.com/en-us/powershell/module/activedirectory/move-addirectoryserveroperationmasterrole?view=windowsserver2022-ps)

Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_Name" -OperationMasterRole 0,1,2,3,4
ID	FSMO Role
0	PDC Emulator
1	RID Master
2	Infrastructure Master
3	Schema Master
4	Domain Naming Master

IP Address

To change the IP address of a domain controller, make sure services are functioning, then change over the IP address. After changing the IP address carry out the following commands to make sure DNS and Active Directory records are correct:

  • ipconfig /flushdns to remove local cache
  • ipconfig /registerdns to ensure the new IP is registered by the DNS server
  • dcdiag /fix to ensure service records are registered.

Then check AD sites and services has been updated.

Can check for issues with the command:

  • dcdiag /test:dns /v

Get DNS records from domain controller

Use the following powershell command to access the DNS records on the domain controller:

Get-DnsServerResourceRecord -ZoneName "contoso.com"

You can restrict the output to specific record types with the -RRType parameter:

Get-DnsServerResourceRecord -ZoneName "contoso.com" -RRType "srv"
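The troubleshooting section above says to check DNS entries for the domain controllers; the SRV query shown here is the building block for doing that systematically. As an added example (not code from the original page), the following function, run on a DC that hosts the zone, lists every domain controller in the domain and reports whether it has an _ldap._tcp SRV record and an A record in the domain zone, which is what a client needs to find and reach it. It assumes the DnsServer and ActiveDirectory modules and that the domain zone holds the _ldap._tcp records at its root; the function name is my own.

```powershell
# Added example (not part of the original page): run on a DNS server (DC) to confirm every DC
# in the domain has the _ldap._tcp SRV record and an A record in the domain zone, which is
# the DNS check the troubleshooting section calls for. Assumes the DnsServer and
# ActiveDirectory modules.
Import-Module DnsServer, ActiveDirectory

function Test-DomainControllerDnsRecords {
    param([string]$ZoneName = (Get-ADDomain).DNSRoot)
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    # SRV targets registered for LDAP at the zone root (RecordData.DomainName carries a trailing dot)
    $srvTargets = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType Srv |
        Where-Object { $_.HostName -eq '_ldap._tcp' } |
        ForEach-Object { $_.RecordData.DomainName.TrimEnd('.') }

    foreach ($dc in $dcs) {
        $label = $dc.Split('.')[0]                          # host label inside the zone
        $a = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -Name $label -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            HasLdapSrv       = ($srvTargets -contains $dc)
            ARecord          = ($a.RecordData.IPv4Address -join ', ')
        }
    }
}

Test-DomainControllerDnsRecords | Format-Table -AutoSize
```

A DC with HasLdapSrv False or an empty ARecord is the case the IP-address section handles with ipconfig /registerdns and dcdiag /fix; a stale ARecord pointing at an old address after an IP change shows up here too.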