Wednesday, March 9, 2016

SYSVOL Migration (FRS to DFRS)


The following checks must be carried out before attempting the DFSR migration. If any of the checks fail, do not perform the DFSR migration until the issue is resolved.

1. Check that the domain functional level is at least Windows Server 2008.
2. Check that every domain controller's operating system is at least Windows Server 2008.
3. Check that the built-in Administrators group has the 'Manage Auditing and Security Log' user right assignment.
4. Check that all domain controllers have enough free disk space.
5. Check that Active Directory replication is working.
6. Check that SYSVOL sharing is correct.
7. Confirm that a valid system state backup exists.

1. Check if Domain functional level is at least Windows Server 2008

Verify if Windows domain functional level is at least Windows Server 2008.

For Windows Server 2008 R2
1.    Click Start and select Administrative Tools, 'Active Directory Domains and Trusts'.
2.    Right-click the domain name e.g. HPV.local and select Properties.

For Windows Server 2012 R2
1.    Open Server Manager.
2.    From the Tools menu, select 'Active Directory Domains and Trusts'.
3.    Right-click your domain name e.g. HPV.local and select Properties.


2. Check if built-in Administrators group has the 'Manage Auditing and Security Log' user right assignment.

For a successful migration, make sure that the built-in Administrators group has the 'Manage auditing and security log' User Rights Assignment.
Follow the process on all domain controllers in the domain:
1.    Log on to one domain controller.
2.    From Run, type RSoP.msc.
3.    Go to 'Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment'.
4.    Right-click 'Manage auditing and security log' and select Properties.
5.    Confirm Administrators is listed.
6.    Click Cancel and close Resultant Set of Policy.   


3. Free Disk space

Confirm that all domain controllers have an appropriate amount of free disk space. This should be at least twice the size of the current SYSVOL share (C:\Windows\SYSVOL).
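As an added example (not part of the original post), the following PowerShell script automates checks 1, 2 and 4 from the list above: domain functional level, domain controller operating system, and free disk space against twice the SYSVOL size. It assumes the ActiveDirectory module (RSAT) and PowerShell 3.0 or later, and that SYSVOL sits on the C: drive of every domain controller, which is also the drive it measures.

```powershell
# Added example: pre-migration checks 1, 2 and 4 in PowerShell.
# Assumes the ActiveDirectory module and that SYSVOL lives on C: of every DC.
Import-Module ActiveDirectory

function Test-SysvolMigrationPrereqs {
    $results = @()

    # Check 1: domain functional level must be at least Windows Server 2008
    $domain = Get-ADDomain
    $tooOld = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')
    $results += [pscustomobject]@{
        Check  = 'Domain functional level'
        Target = $domain.DNSRoot
        Detail = "$($domain.DomainMode)"
        Pass   = ($tooOld -notcontains "$($domain.DomainMode)")
    }

    foreach ($dc in Get-ADDomainController -Filter *) {
        # Check 2: every DC must run Windows Server 2008 (NT 6.0) or later
        # OperatingSystemVersion looks like "6.1 (7601)"; keep only the "6.1" part
        $osVersion = [version]($dc.OperatingSystemVersion -replace '\s.*$', '')
        $results += [pscustomobject]@{
            Check  = 'DC operating system'
            Target = $dc.HostName
            Detail = "$($dc.OperatingSystem) ($osVersion)"
            Pass   = ($osVersion -ge [version]'6.0')
        }

        # Check 4: free space on the SYSVOL drive must be at least twice the SYSVOL share size
        $sysvolBytes = (Get-ChildItem -Path "\\$($dc.HostName)\SYSVOL" -Recurse -ErrorAction SilentlyContinue |
                        Where-Object { -not $_.PSIsContainer } |
                        Measure-Object -Property Length -Sum).Sum
        $disk = Get-WmiObject -Class Win32_LogicalDisk -ComputerName $dc.HostName -Filter "DeviceID='C:'"
        $results += [pscustomobject]@{
            Check  = 'Free disk space (2x SYSVOL)'
            Target = $dc.HostName
            Detail = ('SYSVOL {0:N0} MB, free {1:N0} MB' -f ($sysvolBytes / 1MB), ($disk.FreeSpace / 1MB))
            Pass   = ($disk.FreeSpace -ge (2 * $sysvolBytes))
        }
    }
    return $results
}

$report = Test-SysvolMigrationPrereqs
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more prerequisite checks failed; do not start the DFSR migration.'
}
```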

4. Check if Active Directory replication is working

Open a Command prompt and enter the following command:
repadmin /showrepl *
Confirm that the last replication attempt on each domain controller was successful for every partition. Repeat this on all of your domain controllers.

C:\Windows\system32>repadmin /showrepl

Repadmin: running command /showrepl against full DC HPV-HV-01.hpv.local
hpv\HPV-HV-01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: faf7771d-2541-44d0-b605-95701cb6aaa1
DSA invocationID: ab577af4-9b41-44aa-9f73-09d8f65e6f02

==== INBOUND NEIGHBORS ======================================

DC=hpv,DC=local
    HPV\SRV-02 via RPC
        DSA object GUID: 4a8717eb-8e58-456c-995a-c92e4add7e8e
        Last attempt @ 2014-07-25 10:25:37 was successful.

CN=Configuration,DC=hpv,DC=local
    HPV\SRV-02 via RPC
        DSA object GUID: 4a8717eb-8e58-456c-995a-c92e4add7e8e
        Last attempt @ 2014-07-25 10:25:37 was successful.


5. Check SYSVOL sharing is correct

DFSR migration depends on correct SYSVOL sharing and its correct advertisement on all domain controllers. Open a Command prompt and type the following command:
dcdiag /e /test:sysvolcheck /test:advertising
Make sure all tests pass without error or warning.


C:\Windows\system32>dcdiag /e /test:sysvolcheck /test:advertising

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = HPV-HV-01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: HPV\HPV-HV-01
      Starting test: Connectivity
         ......................... HPV-HV-01 passed test Connectivity

   Testing server: HPV\HPV-HV-02
      Starting test: Connectivity
         ......................... HPV-HV-02 passed test Connectivity


Doing primary tests

   Testing server: HPV\HPV-HV-01
      Starting test: Advertising
         ......................... HPV-HV-01 passed test Advertising
      Starting test: SysVolCheck
         ......................... HPV-HV-01 passed test SysVolCheck

   Testing server: HPV\HPV-HV-02
      Starting test: Advertising
         ......................... HPV-HV-02 passed test Advertising
      Starting test: SysVolCheck
         ......................... HPV-HV-02 passed test SysVolCheck



   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : hpv

   Running enterprise tests on : hpv.local
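As an added example (not code from the original post), this PowerShell script runs the two commands from checks 4 and 5 above and flags anything that is not a clean pass: inbound neighbours with replication failures from repadmin's CSV output, and failed tests or warning lines from dcdiag. It assumes repadmin.exe and dcdiag.exe are on the path and that repadmin /csv emits the column names used below (Number of Failures, Source DSA and so on).

```powershell
# Added example: parse repadmin and dcdiag output to flag replication or SYSVOL problems.
# Assumes repadmin.exe and dcdiag.exe are available (AD DS role or RSAT).

function Get-ReplicationFailures {
    # /csv makes repadmin emit one row per inbound neighbour and partition
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Success Time'
}

function Get-DcdiagResults {
    # dcdiag prints "<server> passed test <name>" or "<server> failed test <name>" per test,
    # plus "Warning:" lines for things that passed with a caveat
    $lines = dcdiag /e /test:sysvolcheck /test:advertising
    foreach ($line in $lines) {
        if ($line -match '(\S+)\s+(passed|failed)\s+test\s+(\S+)') {
            [pscustomobject]@{ Server = $Matches[1]; Test = $Matches[3]; Result = $Matches[2] }
        } elseif ($line -match '^\s*Warning:\s*(.+)$') {
            [pscustomobject]@{ Server = '-'; Test = 'warning'; Result = $Matches[1] }
        }
    }
}

$replFailures  = @(Get-ReplicationFailures)
$dcdiagResults = @(Get-DcdiagResults)
$dcdiagBad     = @($dcdiagResults | Where-Object { $_.Result -eq 'failed' -or $_.Test -eq 'warning' })

$dcdiagResults | Format-Table -AutoSize
if ($replFailures.Count -gt 0) {
    Write-Warning "Replication failures on $($replFailures.Count) neighbour/partition pair(s):"
    $replFailures | Format-Table -AutoSize
}
if ($dcdiagBad.Count -gt 0) {
    Write-Warning "dcdiag reported failures or warnings:"
    $dcdiagBad | Format-Table -AutoSize
}
if ($replFailures.Count -eq 0 -and $dcdiagBad.Count -eq 0) {
    'Replication and SYSVOL checks passed on all domain controllers.'
}
```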


SYSVOL Migration Procedure (FRS to DFSR)

Make sure all of the above checks have passed; if not, resolve the issues before continuing. The migration procedure has three states:

  • Migrating to the Prepared State - FRS continues to replicate the SYSVOL shared folder that the domain uses, while DFS Replication replicates a copy of the SYSVOL folder. FRS mounts both SYSVOL and NETLOGON shares.

  • Migrating to the Redirected State - The DFS Replication copy of the SYSVOL folder becomes responsible for servicing SYSVOL requests from other domain controllers. FRS continues to replicate the original SYSVOL folder, but DFS Replication now replicates the production SYSVOL folder that domain controllers in the Redirected state use.

  • Migrating to the Eliminated State - DFS Replication continues to handle all the SYSVOL replication. Windows deletes the original SYSVOL folder, and FRS no longer replicates SYSVOL data.

For the remaining steps, all dfsrmig commands only need to be run on a single domain controller.



1. Migrate Domain to Prepared State.

1. Type the following command at a command prompt to set the global migration state to Prepared.
dfsrmig /setglobalstate 1

To speed up the migration, run the following commands:
repadmin /syncall /force /APed
dfsrdiag pollad

2. Type the following command to see the progress of the migration:
dfsrmig /getmigrationstate

When all of the domain controllers reach the Prepared state, the output will look like this:

All Domain Controllers have migrated successfully to Global state (‘Prepared’).
Migration has reached a consistent state on all Domain Controllers.
Succeeded.

Make sure the above step is successful before continuing to the next stage.

2. Migrate Domain to Redirected state

1. Type the following command to set the global migration state to Redirected.
dfsrmig /setglobalstate 2

To speed up the migration, run the following commands:
repadmin /syncall /force /APed
dfsrdiag pollad

2. Type dfsrmig /getglobalstate to verify that the global migration state is Redirected.

Current DFSR global state: ‘Redirected’
Succeeded.

3. Type the following command to see the progress of the migration:
dfsrmig /getmigrationstate

When all domain controllers are Redirected, the output will look like this:

All Domain Controllers have migrated successfully to Global state (‘Redirected’).
Migration has reached a consistent state on all Domain Controllers.
Succeeded.


Make sure the above step is successful before continuing to the next stage.

3. Migrate Domain to Eliminated State

1. Type the following command to set the global migration state to Eliminated.
dfsrmig /setglobalstate 3

To speed up the migration, run the following commands:
repadmin /syncall /force /APed
dfsrdiag pollad


2. Type dfsrmig /getglobalstate to verify that the global migration state is Eliminated.

Current DFSR global state: ‘Eliminated’
Succeeded.

3. Use the following command to review the progress of the migration:
dfsrmig /getmigrationstate
When all domain controllers are Eliminated, the output looks like this:

All Domain Controllers have migrated successfully to Global state (‘Eliminated’).
Migration has reached a consistent state on all Domain Controllers.
Succeeded.
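As an added example (not part of the original post), the following PowerShell function drives one stage of the three-stage procedure above: it refuses to skip a state, sets the new global state, runs the two speed-up commands from the post on each poll, and waits until dfsrmig /getmigrationstate reports a consistent state on all domain controllers. It assumes it is run on a single domain controller where dfsrmig, repadmin and dfsrdiag are available.

```powershell
# Added example: advance the SYSVOL migration one state at a time and wait for all DCs to catch up.
# Assumes dfsrmig.exe, repadmin.exe and dfsrdiag.exe are available on this domain controller.

function Step-SysvolMigration {
    param(
        [Parameter(Mandatory = $true)][ValidateRange(1, 3)][int]$TargetState,  # 1=Prepared 2=Redirected 3=Eliminated
        [int]$TimeoutMinutes = 60,
        [int]$PollSeconds = 60
    )
    $stateNames = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }

    # Read the current global state; the quotes around the state name vary, so match any character there
    $stateLine = dfsrmig /getglobalstate | Select-String 'Current DFSR global state: .(\w+).'
    if (-not $stateLine) { throw 'Could not read the current DFSR global state.' }
    $current = $stateLine.Matches[0].Groups[1].Value
    $currentNumber = ($stateNames.GetEnumerator() | Where-Object { $_.Value -eq $current }).Key

    # Never skip a state: the migration must go Start -> Prepared -> Redirected -> Eliminated
    if ($TargetState -ne ($currentNumber + 1)) {
        throw "Global state is '$current'; refusing to jump to '$($stateNames[$TargetState])'."
    }

    dfsrmig /setglobalstate $TargetState | Out-Null
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # The post's speed-up commands: force AD replication, then make DFSR re-read AD
        repadmin /syncall /force /APed | Out-Null
        dfsrdiag pollad | Out-Null
        Start-Sleep -Seconds $PollSeconds
        $progress = dfsrmig /getmigrationstate
        $progress | ForEach-Object { Write-Verbose $_ }
        $done = ($progress -join "`n") -match 'Migration has reached a consistent state on all Domain Controllers'
    } until ($done -or (Get-Date) -gt $deadline)

    if (-not $done) {
        throw "Timed out waiting for all domain controllers to reach '$($stateNames[$TargetState])'."
    }
    return $stateNames[$TargetState]
}

# Run one stage; check the FRS and DFSR logs, then call again with 2 and later 3
'Domain migrated to the {0} state.' -f (Step-SysvolMigration -TargetState 1 -Verbose)
```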



Note: It is recommended to check the FRS and DFSR logs for errors throughout the stages.

For more information, please see the following Microsoft TechNet link.


To roll back SYSVOL migration

You can only roll back if you are in the ‘Prepared’ state or in the ‘Redirected’ state. Type the following command to go back to the previous state:

1.    Roll back from the Redirected state to the Prepared state.

dfsrmig /setglobalstate 1

2.    Roll back from the Prepared state or Redirected state to the Start state.

dfsrmig /setglobalstate 0

For more information, please see the following Microsoft TechNet link.

Wednesday, March 2, 2016

Active Directory Offline Defragmentation on Server 2008 R2



Offline defragmentation creates a compacted version of the old database file (Ntds.dit) in a new location that we provide. Later we copy the compacted (offline defragmented) database file back to its original location.
Note: Always make sure you have enough space in the local directory where you are trying to compact the AD database. Check the size of Ntds.dit and the free space on the drive, and make sure the drive has more free space than the size of the Ntds.dit file.
I have followed the below steps for a successful offline defragmentation.

Steps for offline defragmentation:
1.       Open a Command Prompt as an administrator.

2.       At the command prompt, type the following command to stop the AD DS service, and then press ENTER.
net stop ntds

3.       Type y to stop the dependent services as well. The output will look like this:

Do you want to continue this operation? (Y/N) [N]: y
The File Replication Service service is stopping...
The File Replication Service service was stopped successfully.

The Kerberos Key Distribution Center service was stopped successfully.

The Intersite Messaging service is stopping.
The Intersite Messaging service was stopped successfully.

The DNS Server service is stopping.
The DNS Server service was stopped successfully.

The Active Directory Domain Services service is stopping.
The Active Directory Domain Services service was stopped successfully.

4.       At the command prompt, type ntdsutil, and then press ENTER.

5.       At the ntdsutil prompt, type activate instance ntds, and then press ENTER.

6.       At the ntdsutil prompt, type files, and then press ENTER.

7.       At the file maintenance prompt, type compact to <drive>:\<LocalDirectoryPath> (where <drive>:\<LocalDirectoryPath> is the path to a location on the local computer), and then press ENTER.

8.       I created a local directory, C:\Temp\NtdsCompact, so the command is compact to C:\Temp\NtdsCompact. An example is given below:

C:\Users\Administrator.TEST>ntdsutil
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: files
file maintenance: compact to C:\Temp\NtdsCompact
Initiating DEFRAGMENTATION mode...
     Source Database: C:\Windows\NTDS\ntds.dit
     Target Database: C:\Temp\NtdsCompact\ntds.dit

                  Defragmentation  Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

It is recommended that you immediately perform a full backup
of this database. If you restore a backup made before the
defragmentation, the database will be rolled back to the state
it was in at the time of that backup.

Compaction is successful. You need to:
   copy "C:\Temp\NtdsCompact\ntds.dit" "C:\Windows\NTDS\ntds.dit"
and delete the old log files:
   del C:\Windows\NTDS\*.log

9.       If defragmentation completes successfully, type quit to leave the file maintenance prompt.

10.   If defragmentation fails with errors, go to step 17.

11.   Type quit to exit from Ntdsutil prompt.

12.   Now, from the command prompt, delete the log files as instructed above.
C:\Users\Administrator.TEST>del C:\Windows\NTDS\*.log

13.   Copy the compacted database file to the original location as instructed above.

C:\Users\Administrator.TEST>copy "C:\Temp\NtdsCompact\ntds.dit" "C:\Windows\NTDS\ntds.dit"
Overwrite C:\Windows\NTDS\ntds.dit? (Yes/No/All): y
        1 file(s) copied.

14.   Now at the command prompt, type ntdsutil, and then press ENTER.

15.   At the ntdsutil prompt, type activate instance ntds and press ENTER.
You will get the message Active instance set to "ntds".

16.   At the ntdsutil prompt, type files, and then press ENTER.

17.   At the file maintenance prompt, type integrity, and then press ENTER.

18.   Once the integrity check succeeds type quit and press ENTER to quit the file maintenance prompt, and then type quit and press ENTER again to exit from Ntdsutil.exe.

19.   Start the AD DS Service by typing the following command.
net start ntds

C:\Users\Administrator.TEST>net start ntds
The Active Directory Domain Services service is starting.....
The Active Directory Domain Services service was started successfully.

20.   If the integrity check fails, follow steps 13 to 16 again.

21.   Below is an example of the commands performed above (steps 13 to 16).

C:\Users\Administrator.TEST>ntdsutil
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: files
file maintenance: integrity
Doing Integrity Check for db: C:\Windows\NTDS\ntds.dit.

Checking database integrity.

                     Scanning  Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................


Integrity check successful.

It is recommended you run semantic database analysis
to ensure semantic database consistency as well.
22.   If required, you can also perform the semantic database check by following the Microsoft TechNet article (https://technet.microsoft.com/en-us/library/cc816754(v=WS.10).aspx).

23.   Check that you are receiving the following events in the Directory Service log.

Log Name:      Directory Service
Source:        NTDS ISAM
Event ID:      701
Task Category: Online Defragmentation
Level:         Information
Keywords:      Classic
Description: Online defragmentation has completed a full pass on database C:\WINNT\NTDS\ntds.dit, freeing xx pages.

Log Name:      Directory Service
Source:        NTDS ISAM
Event ID:      700
Task Category: Online Defragmentation
Level:         Information
Keywords:      Classic
Description: Online defragmentation is beginning a full pass on   database 'C:\Windows\NTDS\ntds.dit'.
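As an added example (not code from the original post), the following PowerShell script performs the offline defragmentation procedure above end to end: it reads the database and log locations from the NTDS registry key, applies the free-space check from the note at the top, stops AD DS with its dependent services, runs the ntdsutil compaction non-interactively, copies the compacted file back only if compaction succeeded, runs the integrity check, and finally lists the NTDS ISAM events 700 and 701. It assumes the compaction target C:\Temp\NtdsCompact from the post and that it runs in an elevated prompt on the domain controller.

```powershell
# Added example: the offline defragmentation from this post as one PowerShell script.
# Reads the database location from the NTDS registry key; assumes the target directory C:\Temp\NtdsCompact.

$ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile = $ntdsParams.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
$logDir = $ntdsParams.'Database log files path'    # e.g. C:\Windows\NTDS
$target = 'C:\Temp\NtdsCompact'

function Test-CompactSpace {
    # The post's note: the target drive must have more free space than ntds.dit itself
    $dbSize = (Get-Item $dbFile).Length
    $drive  = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$($target.Substring(0, 2))'"
    return ($drive.FreeSpace -gt $dbSize)
}

function Invoke-NtdsCompact {
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    # ntdsutil accepts its commands as arguments, so the interactive session in the post becomes one call
    $out = ntdsutil 'activate instance ntds' files "compact to $target" quit quit
    return (($out -join "`n") -match 'Compaction is successful')
}

function Test-NtdsIntegrity {
    $out = ntdsutil 'activate instance ntds' files integrity quit quit
    return (($out -join "`n") -match 'Integrity check successful')
}

if (-not (Test-CompactSpace)) { throw "Not enough free space on $target to compact $dbFile." }

net stop ntds /y | Out-Null      # /y answers the prompt to stop dependent services (FRS, KDC, DNS, ...)
if (-not (Invoke-NtdsCompact)) {
    net start ntds | Out-Null    # compaction failed: original database untouched, bring AD DS back
    throw 'Compaction failed; original database left in place and AD DS restarted.'
}
Remove-Item -Path (Join-Path $logDir '*.log')                     # del C:\Windows\NTDS\*.log
Copy-Item -Path (Join-Path $target 'ntds.dit') -Destination $dbFile -Force
if (Test-NtdsIntegrity) {
    net start ntds | Out-Null
} else {
    throw 'Integrity check failed; AD DS left stopped. Repeat the copy and the integrity check.'
}

# Events 700/701 are written by the online defragmentation pass, which runs on AD DS's own schedule
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; ProviderName = 'NTDS ISAM'; Id = 700, 701 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message
```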