Mark Minasi's Windows Networking Tech Page
Issue #97 April 2012

Document copyright 2012 Mark Minasi; please see below for info on subscribing, unsubscribing or copying portions of this text.

What's Inside

  • News
    • Learn with My Seminars, Audio Recordings and More!
  • Tech Section
    • Prepping for your First R2 (or 08) Domain Controller, Step One
  • Conferences
  • To Subscribe, Unsubscribe, Read Old Newsletters or Change Your Email Address

News

Hi all —

As I've done the R2 class (and if you've been thinking of attending, there are only three more sessions -- Philly in three weeks, Phoenix in late June and the Washington, DC area in September) , I've gotten a fair amount of questions about what folks have to do to get ready to start adding Windows Server 2008R2 (or, for that matter, Windows Server 2008) DCs to their domains.  I feel dumb for not having covered it before, mostly because I'm an OS geek and so I get my domains on the latest version of Server when it appears, but of course in the real world most IT folks have, well, a few other priorities.  Anyway, getting a forest ready for R2 is actually pretty easy and I'm sure that many of you are already pretty far down "the R2 road," but for those who've only recently gotten the go-ahead from On High to start adding 2008 or 2008R2 DCs to their forests, I've put together a few articles, the first of which is here.  I hope it's a useful read and contains a new idea or two but first, a word from our sponsor ...

Don't Miss ITEdge Intersection!

Windows Server 2016 is coming, are you ready? Server 2016 and many other important topics are the focus of ITEdge Intersection at the MGM Grand in Las Vegas, Oct 25-29. Your favorite speakers are there, including Scott Guthrie, Brad Anderson, Jeffrey Snover and of course, Mark Minasi. Register today for the conference and a workshop and you can go home with an XBOX One S, Surface 3 table or MS Band 2. Register at www.itedgeintersection.com.

Bring Mark's Windows 10 Support Class and Our PowerShell Classes to Your Site

Mark has delivered his new "Deploying, Managing and Securing "the Last Windows: Working with Windows 10" class to nearly a dozen clients, and the reviews are uniformly great.  Designed for the Windows 7 support pro, this course tells you everything you need to know to support, deploy, or manage Windows 10 systems.  Fast-paced, lecture-based and entertaining, this course gives you the shortest path to Windows 10 expertise. Learn about Windows 10's completely new licensing approach.  See how to enable the new "parallel universe" security tools.  Discover the cloud-y new tools in Windows 10 like joining a system not to an Active Directory but instead to a cloud.  Find out what you can learn at our course outline at http://www.minasi.com/w10class.htm. 

To bring this class to your site, just drop us a line at assistant@minasi.com.

And while you're at it, are your folks PowerShell adepts?  There really isn't a productivity-enhancer available for Windows support people like PowerShell.  Bring Mark's "Learning PowerShell: Hands-On with AD, Networking, and More" class to your site and he'll make your command-line-hating techies into PowerShell fans.  Outline at http://www.minasi.com/Posh2day/. 

Prepping for your First R2 (or 08) Domain Controller, Step One

Windows Server 2003's a pretty good product... so good, in fact, that an awful lot of folks haven't yet moved their Active Directories from 2003 to 2008 or 2008 R2.  At least, that's what I hear from a lot of people who ask me, "what's' involved in adding my first 2008/2008 R2 DC?"  Fortunately, it's fairly simple to move to 08/8R2, but there are a few wrinkles, so here's the first in a short series of newsletters on what to watch for when moving up to 08 or 08R2.  As I see it, there are four issues:

  • Checking and "cleaning up" your 2003-based AD before you start moving to Windows Server 2008 or 2008 R2
  • Upgrading your AD's schema, groups and the like with adprep and adprep32
  • Killing the File Replication Service (FRS) vis-a-vis Sysvol by using dfsrmig to start using DFS-R and kick FRS to the curb
  • Moving any DFS shares from FRS to DFS-R... and that's actually more difficult than it should be if you're moving from 2003 to R2

Ready to start moving from 2003?  Let's take up the first hurdle...

Step Zero:  Not Every Forest Can Upgrade

Minor item, but I should mention in passing that you can't add a 2008 or R2 DC to a forest that is in 2000 Mixed Mode, or 2003 Interim Mode.  If you're not sure what functional level your forest is currently at, open up Active Directory Domains and Trusts, right-click on the icon labeled "Active Directory Domains and Trusts" and then click on "Raise forest functional level."  In the resulting dialog box, you'll see your current forest functional level, like this:

In that case, you see that I'm working from a forest in 2008 R2 forest functional level.  If you do have a forest in 2000 Mixed or 2003 Interim level, then you must have had NT 4 domain controllers in your network at some point... but if you do, it may be time to consider bidding them a fond farewell.  Once they're gone, you can go to 2000 Native Mode or 2003 Forest Functional Level, and then you'll be ready to start thinking about incorporating 2008 or R2 DCs.

Step One:  Check the Pipes with Repadmin

(Note:  this first step will be obvious so some readers -- I'm going to talk about doing some AD replication tests -- so if that sounds like a diagnostic that you know well and do every day, then feel free to skip this.  Otherwise, welcome, I hope this is useful!)

In general, adding your first 08/08r2 DC is pretty risk free, unless there's an existing problem in your AD, in which case trying to add your first 08/08R2 DC is the moral equivalent of making an asthma sufferer run a marathon during pollen season.  It's not terribly unusual for me to run into the odd AD that's been running for seven years that seems okay... but isn't.  Maybe one of the DCs has somehow dropped off the radar from the point of view of the other DCs, but that DC doesn't know that it's out of touch -- and maybe even thinks that they've all gone away, and has decided to go all Al Haig on the domain.  Maybe Sysvol stopped replicating on a DC because on 2003, Sysvol shuts itself off if it sees less than a gigabyte free on its volume, without leaving any events behind, without telling you that it shut itself off, and, well, without telling you anything.  (And there are a number of equally dumb reasons why Sysvol gets unhappy, which is a major reason why you want to at least get to 2008 domain functional level, because at that point you can kiss the old Sysvol transport system (FRS) goodbye and move up to DFS-R... but that's a story we'll cover later.)  Or, heaven forbid, your schema FSMO's offline and no one's noticed because, well, you really don't change your schema all that often... but you're going to have to change the schema before you can add your first 08/08R2 DC.

Basically what I'm saying is that if you think of your DCs as toilets and your AD replication pathways as pipes (which is, I know, not something you normally hear, but trust me, it'll work), then  before we start trying to put in a few of those fancy toilets with the seat warmer and the cleansing spray (those are the AD features in this metaphor), let's just flush all the toilets and make sure that the pipes don't leak before we put any strain on the system.  If anything's wrong with AD, let's find that out and get it fixed now, before we start changing things.  And where, then, is the flush handle?  It comes with the finest AD replication tool in the land, "repadmin." 

In case you're not currently using repadmin, it first arrived as a Resource Kit tool back in Server 2000 and 2003, and "went legit" in 2008, where it's built into the OS.  It is a command-line tool, so try it out on a repadmin-equipped system by opening up a command prompt and typing

repadmin /syncall dcname

Where dcname is the host name of the DC you're sitting at, so for example if I'm sitting at a machine named DC64.bigfirm.com, I'd type

repadmin /syncall dc64

Yes, it's goofy to have to type the name of the system you're sitting at, but they wrote repadmin back in the days when no one had firewalls on their servers, and so the idea was that you could sit at one system and issue "replicate now!" commands to any number of DCs.  Several versions of repadmin ago, you could just use a period to mean "this server I'm sitting at," as in

repadmin /syncall .

but that stopped working in 2008, if memory serves.  Anyway, let's dissect what this does.  "/syncall" says, "contact all of your replication partners and ask them to tell you about anything that's changed since the last time you asked them."  Now, given that systems created with 2003 SP1 or later check in with their partners every 15 seconds and earlier systems check in every five minutes, it's likely that your DC won't learn anything new from its partners, but that doesn't matter; instead, what matters is just one thing:  seeing The command completed successfully.  Trust me, sweeter words an admin cannot read.  Again, we don't really care what got delivered -- we care that the pipes are clear, and that validates it.

But what did we replicate?  Interestingly enough, we essentially replicated the schema, and, again, given that we don't change the schema much, we had no real reason to replicate much.  More accurately, we replicated the "configuration naming context," a combination of the schema and a sort of "executive summary" of the forest -- none of which, like the schema, changes all that often, as it's basically a list of the domains, FSMOs, and domain controllers in the forest.

Next, go do that on every DC in the forest.  We're about to change the schema, and the schema is a forest attribute, not a domain attribute, so we want to be 100 percent sure that every DC in the forest is ready, willing and able to accept schema changes.

Dealing With Troubled DCs

Did your DCs pass?  If so, excellent... we've got another tests to try, and I'll cover it in a minute.  But what if repadmin failed on a DC or two?  In that case, take a minute and identify the bad DC.  If you have three DCs named DC1, DC2 and DC3 and DC3 is malfunctioning, then all three of your repadmin commands will show at least one failure -- but a closer look will show that when you run it on DC1, then the replication to DC2 works but the replication to DC3 fails, repadmin on DC2 works with DC1 but fails with DC3, and all replications from DC3 fail... which pretty much pulls the chain on DC3.

Once you know that DC3 is troubled, you've got a couple of options.  First, you can spend some time (or perhaps a lot of time) trying to figure out what's wrong with it.  If you do that, and if you succeed, then terrific, my hat's off to you, but let me let you in on a little AD old-timer secret:  it's usually not worth spending a lot of time on one troubled DC.  Believe or not, one of the best AD repair and diagnostic tools is DCPROMO.  If I've got a troubled DC, I like to run DCPROMO to "un-DC" it, and then run DCPROMO again to try to re-promote it.  Sometimes that solves the whole problem, and we can just go on working.  Other times, though, DCPROMO fails, and when it does, it leaves some very useful logs in \windows\logs that can help smoke out the problem. 

Either way, my advice is the same:  don't start moving to 08 or 08R2 until your DCs are all working well.  So if you've got a DC that simply can't replicate, get it off your AD.  As it can't really replicate, the safest way to remove it is a three-step process:

  • Disconnect the DC from the network
  • Run dcpromo /forceremoval
  • From 2003, use NTDSUTIL to do a "metadata cleanup" to clean the DC out of your AD.  (How to do that is in the Mastering Windows Server 2003 book, or Microsoft's Knowledge Base article 230306.)  If, on the other hand, you already have at least one Windows Server 2008 DC, then all you need do is to start up Active Directory Users and Computers from a 2008 DC, look in the Domain Controllers OU, find the troubled DC, and then right-click it and delete it.  (Yeah, it's that simple.  It's one of the reasons why I love 2008 and 2008 R2.)

In either case, we're doing that same thing:  ripping a DC out of AD by its roots.  Once that's gone, run your repadmin tests again and all should be well.  Eventually you should try running DCPROMO on the troubled systems to make them DCs again, but before we do that, let's get that first 2008/2008R2 DC in the forest.  Before we do that, however, let's do one more test.

Replicate the Domain Naming Context

So far, we've used repadmin to check the way all of the DCs in our forest replicate the "configuration naming context."  I suggested that you do that first because the configuration naming context (let's abbreviate that to "configuration NC") contains the schema and, again, we're going to update the schema.  The phrase "naming context," by the way, essentially means "database," and as I've already said, the configuration NC is a relatively small bit of overview data on the forest.  Every domain in the forest also has an NC of its own, so if your forest had, say, five domains in it, then you'd have six NCs in your forest -- one for each domain, and the one configuration NC for the whole forest.  (DNS can also have something like an NC, but we needn't worry about it here.)

Before moving in the new DC, then, we'll want to know not only that the configuration NC replicates without trouble but also that the NC for the domain where we're going to add our first 2008 or R2 DC also replicates.  Now, in 99.9% of the cases where I've done this, I've not encountered a problem, inasmuch as long as the configuration NC replicates okay then the domain NC replicates okay as well, but it doesn't hurt to try.  To force replication on a DC's naming context, the repadmin command looks like

repadmin /syncall dcname LDAP-name-of-domain

As you may know, many AD tools don't want you to express the name of your domain as something like "UK.bigfirm.com" but instead "dc=UK,dc=bigfirm,dc=com," the "LDAP-ese" way of expressing it.  In that case, supposing that you were running repadmin on a DC called Surry.uk.bigfirm.com, you'd type

repadmin /syncall surry dc=uk,dc=bigfirm,dc=com

Again, do that for all of the DCs in that domain, and remove any troublemakers.  Once you've gotten all that done, you'll be ready for the next step, ADPREP... and I'll cover that in the next newsletter.

 

Upcoming Conferences


  • I will be keynoting the free Tampa IT Pro Camp 2016 on 20 August 2016. Great speakers, sign up now to learn great stuff from some terrific speakers.  https://www.eventbrite.com/e/tampa-it-pro-camp-2016-tickets-24569378673 and tell 'em Mark sent you.
  • I will be presenting at IT/Dev Connections in Vegas the week of 10 October. Http://www.itdevconnections.com/dc16/Public/Enter.aspx for more info.
  • I will also be speaking at the Intersection show also in Vegas the week of 24 October.  Visit https://next.devintersection.com for more info. 
  • December TechMentor is in Orlando this year and I'm keynoting about Server 2016. https://techmentorevents.com/Home.aspx for all the scoop!
I hope to see some of you at one of these shows!

To Subscribe, Read Old Newsletters, Send Me a Comment or Change Your Email Address

To subscribe: (which just means I'll send you about a tweet-sized message in plain text via email including a link to my latest newsletter), please visit http://www.minasi.com/nwsreg.htm.

To change e-mail or other info, link to http://www.minasi.com/edit-newsletter-record.htm

To read old newsletters: visit http://www.minasi.com/nwstoc.htm and, if you like 'em, please consider subscribing.

To send me a comment:  please visit http://www.minasi.com/gethelp.

All contents copyright 2012 Mark Minasi.  I encourage you to quote this material, SO LONG as you include this entire document; thanks!  See you next month.