Migrate SBS 2008 Domain to Windows 2008

Migrate SBS 2008 to Windows 2008 Server

Step 1: Back up the SBS 2008 box (make sure SBS 2008 is in a healthy state)

Step 2: Introduce Windows 2008 to the SBS 2008 Domain
Use the link below to make it an additional domain controller in the same domain as SBS 2008.
Installing an Additional Domain Controller
http://technet.microsoft.com/en-us/library/cc733027(WS.10).aspx

Step 3: Introduce another Windows 2008 as a member server
* Install Windows 2008 on another new box.
* This Windows 2008 server will host Exchange Server 2007, since running Exchange on a domain controller is not recommended.
* Use the links below to make this Windows 2008 server a member server and join it to the SBS 2008 domain.

Introduce a Windows Server 2008-Based Member Server
http://technet.microsoft.com/en-us/library/cc771368(WS.10).aspx

Join a Domain from a Workgroup
http://technet.microsoft.com/en-us/library/cc772134(WS.10).aspx

Step 4: Install Exchange 2007 on the Windows 2008 member server
* Install Exchange 2007 on the Windows 2008 member server

How to Perform a Typical Installation Using Exchange Server 2007 Setup
http://technet.microsoft.com/en-us/library/bb123694.aspx

Step 5: Remove the POP3 connectors from SBS 2008, because they are not supported in Exchange 2007

Step 6: Public Folder Replication from SBS 2008 to Exchange 2007
* Start replicating the public folders between the Exchange 2007 that is part of SBS 2008 and the standalone Exchange 2007 installation

How to Configure Public Folder Replication
http://technet.microsoft.com/en-us/library/bb691120.aspx

* After the public folders have replicated, move the public folder content

How to Move Public Folder Content from one Public Folder Database to Another Public Folder Database
http://technet.microsoft.com/en-us/library/bb331970.aspx

Step 7: Move Offline Address Book from SBS 2008 to Exchange 2007
How to Move the Offline Address Book Generation Process to another Server
http://technet.microsoft.com/en-us/library/bb123917.aspx

Step 8: Move Mailboxes from SBS 2008 to Exchange 2007
How to Move a Mailbox Within a Single Forest
http://technet.microsoft.com/en-us/library/aa997961.aspx

Step 9: Similarly, all other server data (WSS, WSUS, SQL) can be moved to the standalone server.

Step 10: Transfer the FSMO roles

* Transfer the FSMO roles to the Windows 2008 server that is running as an additional domain controller.
* From this point on, you have 7 days to complete the migration.

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504

Step 11: Uninstall Exchange 2007
How to Completely Remove Exchange 2007 from a Server
http://technet.microsoft.com/en-us/library/bb123893.aspx

Step 12: Demote the SBS 2008 server as a domain controller
Demote a domain controller
http://technet.microsoft.com/en-us/library/cc740017(WS.10).aspx

Step 13: Format the SBS 2008 box

Universal groups, global groups, domain local groups

AD Group types: universal groups, global groups, domain local groups

Groups 

Distribution Groups — Used for email. Useful for programs such as MS Exchange.
Security Groups – Used to secure file/folders, printers, etc.

Local – Stored on the local SAM (Local Computers)
Domain Local – Stored on Domain Controllers.
Global Groups – Gives you a greater group scope.
Universal – Gives you an even broader group scope.

Group Scopes

Group scope describes the type of users that should be grouped together so that they are easy to administer. Groups therefore play an important part in a domain. One group can be a member of other groups, which is known as group nesting. One or more groups can be members of any group in any domain within a forest.

  • Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which the domain local group was created. Domain local groups can exist at all mixed, native, and interim functional levels of domains and forests. Domain local group membership is not limited: you can add user accounts, universal groups and global groups from any domain as members. Nesting cannot be done in a domain local group; a domain local group will not be a member of another domain local group or any other group in the same domain.
  • Global Group: Users with similar functions can be grouped under the global scope and given permission to access a resource (like a printer or a shared folder and files) in the local domain or in another domain in the same forest. Simply put, global groups can be used to grant permissions to resources located in any domain within a single forest, but their membership is limited: user accounts and global groups can be added only from the domain in which the global group was created. Global groups can be nested within other groups, since a global group can be added to another global group from any domain. They can be members of a domain local group to grant permission to domain-specific resources (like printers and published folders). Global groups exist at all mixed, native, and interim functional levels of domains and forests.
  • Universal Group Scope: these groups are primarily used for email distribution and can be granted access to resources in all trusted domains, as these groups can only be used as a security principal (security group type) at the Windows 2000 native or Windows Server 2003 domain functional level. Universal group membership is not limited like that of global groups: all domain user accounts and groups can be members of a universal group. Universal groups can be nested under a global or domain local group in any domain.

Universal Group: can contain users and groups (global and universal) from any domain in the forest.  Universal groups do not care about trust.  Universal groups can be a member of domain local groups or other universal groups but NOT global groups.

Global Group: can contain users, computers and groups from same domain but NOT universal groups.  Can be a member of global groups of the same domain, domain local groups or universal groups of any domain in the forest or trusted domains.

Domain Local Group:  Can contain users, computers, global groups and universal groups from any domain in the forest and any trusted domain, and domain local groups from the same domain.  Can be a member of any domain local group in the same domain.

The short answer is that domain local groups are the only groups that can have members from outside the forest. And use global groups if you have trust, universal groups if you don’t care about trust.

When do we need to use local, global and universal group permission?

Use global security groups to group user (or computer) accounts with similar characteristics, for example members of Sales department.

Use domain local security groups to define access to resources (share, NTFS, printer). For example, you would create the domain local group “DL ColorPrinter Print” and assign the print permission to this group. Then you would put the global security group Sales in the “DL ColorPrinter Print” group to enable printing for the sales department. If the marketing department wants to use the same printer, you create the global group Marketing and put that group in the “DL ColorPrinter Print” group. This strategy is called A-G-DL-P: put accounts in global groups, global groups in domain local groups, and assign permissions to domain local groups, so you assign each permission only once. Everything else happens in Active Directory Users and Computers when you modify group memberships.

Universal groups should only be used in a multiple-domain forest. Universal groups are used to nest global groups; the group strategy is then called A-G-U-DL-P.
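The A-G-DL-P pattern above, as an added PowerShell example (not code from the original post): it creates the Sales global group and the “DL ColorPrinter Print” domain local group, checks each nesting against the scope rules listed on this page before changing membership, and then nests the global group in the domain local group. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and an OU distinguished name, account names and group names that you substitute; the print permission itself is still granted once, by hand, to the domain local group.

```powershell
Import-Module ActiveDirectory

# Scope rules as stated on the page: which member kinds a group of a given scope
# may contain, and whether the member must come from the same domain.
function Test-GroupNesting {
    param(
        [ValidateSet('Global','Universal','DomainLocal')][string]$TargetScope,
        [ValidateSet('User','Computer','Global','Universal','DomainLocal')][string]$MemberKind,
        [bool]$SameDomain = $true
    )
    switch ($TargetScope) {
        'Global'    { return (@('User','Computer','Global') -contains $MemberKind) -and $SameDomain }
        'Universal' { return (@('User','Computer','Global','Universal') -contains $MemberKind) }
        'DomainLocal' {
            # Domain local groups may nest other domain local groups only from their own domain
            if ($MemberKind -eq 'DomainLocal') { return $SameDomain }
            return $true
        }
    }
}

function New-AgdlpAssignment {
    param(
        [Parameter(Mandatory=$true)][string]$GlobalGroup,       # accounts go here, e.g. 'Sales'
        [Parameter(Mandatory=$true)][string]$DomainLocalGroup,  # the resource permission goes here
        [Parameter(Mandatory=$true)][string]$GroupOU,           # assumed OU DN for new groups
        [string[]]$Accounts = @()                               # sAMAccountNames for the global group
    )
    foreach ($g in @(@{Name=$GlobalGroup; Scope='Global'}, @{Name=$DomainLocalGroup; Scope='DomainLocal'})) {
        if (-not (Get-ADGroup -Filter "Name -eq '$($g.Name)'")) {
            New-ADGroup -Name $g.Name -GroupScope $g.Scope -GroupCategory Security -Path $GroupOU
        }
    }
    # Refuse a nesting the scope rules do not allow instead of letting AD error out later
    if (-not (Test-GroupNesting -TargetScope DomainLocal -MemberKind Global)) {
        throw "A global group cannot be nested in $DomainLocalGroup"
    }
    if ($Accounts) { Add-ADGroupMember -Identity $GlobalGroup -Members $Accounts }
    Add-ADGroupMember -Identity $DomainLocalGroup -Members $GlobalGroup

    # Effective accounts that end up with the resource permission through the nesting
    Get-ADGroupMember -Identity $DomainLocalGroup -Recursive | Select-Object -ExpandProperty SamAccountName
}

# Usage (names assumed). Granting Marketing the same printer later is just another call
# with the same -DomainLocalGroup; the permission on the printer is never touched again.
New-AgdlpAssignment -GlobalGroup 'Sales' -DomainLocalGroup 'DL ColorPrinter Print' `
                    -GroupOU 'OU=Groups,DC=domain,DC=com' -Accounts @('alice','bob')
```

Test-GroupNesting is deliberately separate from the AD calls so it can be used in a review script that walks existing group memberships and flags any nesting that the scope rules would forbid or that crosses domains where the page says it should not.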

In short, the details are below:

Global Groups:
Use these to group users with similar needs within the organisation: sales people, finance people, managers, etc.

Domain Local Groups:
Use these to specify access to resources e.g. database users, Colour Printer Users.

Universal Groups
Use only in multiple domains to give forest-wide privileges.

How to determine your AD and Exchange Schema version

How to tell what version of AD/Exchange you have.

To find the current Active Directory Schema Version, you can use one of the following methods:
  
Note: The internal root domain used in this demo is “domain.com”.

1. Using the “ADSIEdit.msc” and/or “LDP.exe” tools:

Navigate to:
“CN=Schema,CN=Configuration,DC=domain,DC=com”
and review the current “objectVersion” attribute.

2. Using the “DSQuery” command line:
dsquery * cn=schema,cn=configuration,dc=domainname,dc=com -scope base -attr objectVersion

Example:
C:\Documents and Settings\nocadmin>dsquery * cn=schema,cn=configuration,dc=KINETICSYSTEMS,dc=Local -scope base -attr objectversion
  objectversion
  31
Note: Here the objectVersion is 31 and the domain name is KINETICSYSTEMS.Local

The following list maps the “objectVersion” attribute value to the corresponding Active Directory schema version:

13 -> Windows 2000 Server
30 -> Windows Server 2003 RTM, Windows Server 2003 with Service Pack 1, Windows Server 2003 with Service Pack 2
31 -> Windows Server 2003 R2
44 -> Windows Server 2008 RTM
47 -> Windows Server 2008 R2
 
To find the current Exchange schema version, you can use one of the following methods:

Note: The internal root domain used in this demo is “domain.com”.

1. Using the “ADSIEdit.msc” and/or “LDP.exe” tools:

Navigate to:
“CN=ms-Exch-Schema-Version-Pt,CN=Schema,CN=Configuration,DC=domain,DC=com”
and review the current “rangeUpper” attribute.

2. Using the “DSQuery” command line:
dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=domain,dc=com -scope base -attr rangeUpper

The following list maps the “rangeUpper” attribute value to the corresponding Exchange schema version:

4397 -> Exchange Server 2000 RTM
4406 -> Exchange Server 2000 with Service Pack 3
6870 -> Exchange Server 2003 RTM
6936 -> Exchange Server 2003 with Service Pack 3
10628 -> Exchange Server 2007
11116 -> Exchange Server 2007 with Service Pack 1
14622 -> Exchange Server 2007 with Service Pack 2
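Both lookups above in one script, as an added PowerShell example (not code from the original post): it reads objectVersion from the schema partition and rangeUpper from ms-Exch-Schema-Version-Pt through ADSI, locating the partition via RootDSE so no domain name is hard-coded, and maps the values with the two lists from this page. It runs from any domain-joined machine without the ActiveDirectory module; a value that is not in the tables is reported as unknown rather than guessed.

```powershell
# Value -> version tables, copied from the two lists above
$AdSchemaVersions = @{
    13 = 'Windows 2000 Server'
    30 = 'Windows Server 2003 RTM / SP1 / SP2'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008 RTM'
    47 = 'Windows Server 2008 R2'
}
$ExchangeSchemaVersions = @{
    4397  = 'Exchange Server 2000 RTM'
    4406  = 'Exchange Server 2000 SP3'
    6870  = 'Exchange Server 2003 RTM'
    6936  = 'Exchange Server 2003 SP3'
    10628 = 'Exchange Server 2007'
    11116 = 'Exchange Server 2007 SP1'
    14622 = 'Exchange Server 2007 SP2'
}

function Resolve-SchemaVersion {
    param([hashtable]$Table, [int]$Value)
    if ($Table.ContainsKey($Value)) { return $Table[$Value] }
    return "unknown value $Value (newer than this table)"
}

function Get-SchemaVersionReport {
    # RootDSE names the schema partition, so nothing is tied to a particular domain
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = $rootDse.schemaNamingContext.Value

    # Same object ADSIEdit/LDP show at CN=Schema,CN=Configuration,...; read its objectVersion
    $schema    = [ADSI]"LDAP://$schemaNc"
    $adVersion = [int]$schema.objectVersion.Value

    # The Exchange marker object exists only once the Exchange schema extension has been applied
    $exchPath       = "LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNc"
    $exchRangeUpper = $null
    $exchProduct    = 'not present (Exchange schema extension not applied)'
    if ([ADSI]::Exists($exchPath)) {
        $exchRangeUpper = [int]([ADSI]$exchPath).rangeUpper.Value
        $exchProduct    = Resolve-SchemaVersion $ExchangeSchemaVersions $exchRangeUpper
    }

    New-Object PSObject -Property @{
        SchemaNamingContext = $schemaNc
        ObjectVersion       = $adVersion
        ADSchema            = Resolve-SchemaVersion $AdSchemaVersions $adVersion
        RangeUpper          = $exchRangeUpper
        ExchangeSchema      = $exchProduct
    }
}

Get-SchemaVersionReport | Format-List
```

Run it before Step 4 of the migration above to confirm the forest schema already matches the Exchange build you are about to install, and again afterwards to confirm the schema extension actually replicated to the DC you are querying.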

Domain Rename for Windows 2003/2008


Prerequisites for a domain rename in a simple single-domain forest for Windows 2003/2008:
• Enterprise Administrator credentials are required.
• The domain should be well formed and healthy. Run dcdiag /q and repadmin /replsum to check for any errors, and fix them before you proceed. Running gpotool checks that all the policies are OK.
• The forest functional level must be Windows Server 2003 or 2008, and all DCs must be running at least Windows Server 2003.
• A DNS zone for the new domain must be in place.

The Rendom and Gpfixup tools must be copied to a domain member workstation to perform the rename operations. The operations should not be initiated from a domain controller.

See the TechNet link below for details on requirements if you’re using DFS redirection, roaming profiles, running a CA, or Exchange Server.
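The prerequisite list above as a pre-flight script, added here as an example (not code from the original post). It checks Enterprise Admins membership, that the script is not running on a DC, the forest functional level, a clean dcdiag /q and repadmin /replsum, gpotool, the presence of a DNS zone for the new name, and that rendom and gpfixup are available. The new domain name is an assumed parameter; the "Policies OK" line from gpotool and the "primary name server" line from nslookup are the output markers it looks for.

```powershell
function New-Check($Name, $Passed, $Detail) {
    New-Object PSObject -Property @{ Check = $Name; Passed = [bool]$Passed; Detail = "$Detail" }
}

function Test-DomainRenamePrerequisites {
    param([Parameter(Mandatory=$true)][string]$NewDnsName)   # e.g. 'abc.com.au' (assumed)
    $checks = @()

    # Enterprise Admins is the well-known RID 519 in the forest root domain SID
    $sids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
    $checks += New-Check 'Enterprise Admins' ($sids -match '^S-1-5-21-.*-519$') ($sids -match '-519$')

    # The rename must be driven from a member machine, not a DC (DomainRole 4/5 = backup/primary DC)
    $role = (Get-WmiObject Win32_ComputerSystem).DomainRole
    $checks += New-Check 'Not running on a DC' ($role -lt 4) "DomainRole=$role"

    # RootDSE forestFunctionality: 2 = Windows Server 2003, 3 = 2008, 4 = 2008 R2
    $ffl = [int]([ADSI]'LDAP://RootDSE').forestFunctionality.Value
    $checks += New-Check 'Forest functional level >= 2003' ($ffl -ge 2) "forestFunctionality=$ffl"

    # dcdiag /q is silent on success, so any output at all means a failed test
    $dcdiag = & dcdiag.exe /q 2>&1
    $checks += New-Check 'dcdiag /q clean' (-not $dcdiag) ($dcdiag -join ' ')

    # repadmin /replsum: a non-zero "fails / total" column or an operational error is a failure
    $replsum = & repadmin.exe /replsum 2>&1
    $failed  = $replsum | Where-Object { "$_" -match 'operational errors|\s[1-9]\d*\s*/\s*\d+\s' }
    $checks += New-Check 'repadmin /replsum no failures' (-not $failed) ($failed -join ' ')

    # gpotool ends with "Policies OK" when every GPO is consistent on every DC
    if (Get-Command gpotool.exe -ErrorAction SilentlyContinue) {
        $gpotool = & gpotool.exe 2>&1
        $checks += New-Check 'gpotool Policies OK' ($gpotool -match '^Policies OK') ($gpotool | Select-Object -Last 1)
    } else {
        $checks += New-Check 'gpotool Policies OK' $false 'gpotool.exe not found'
    }

    # A DNS zone for the new name must already exist: ask for its SOA record
    $soa = & nslookup.exe -type=SOA $NewDnsName 2>&1
    $checks += New-Check "DNS zone $NewDnsName" ($soa -match 'primary name server') ($soa -match 'primary name server')

    # rendom and gpfixup have to be on the machine running the rename
    foreach ($tool in 'rendom.exe', 'gpfixup.exe') {
        $found  = Get-Command $tool -ErrorAction SilentlyContinue
        $detail = if ($found) { $found.Definition } else { 'not in PATH' }
        $checks += New-Check "$tool available" $found $detail
    }
    return $checks
}

# Usage: every row must show Passed = True before "rendom /list" is run
Test-DomainRenamePrerequisites -NewDnsName 'abc.com.au' | Format-Table Check, Passed, Detail -AutoSize
```

Keep the output with the change record: once rendom /upload has frozen the forest configuration, this is the evidence that the environment was healthy at the point the rename began.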

The domain rename is performed using the Rendom tool, which is installed with Active Directory when running dcpromo. Once this process is started, you must ensure that no changes are made to the forest configuration until complete. The steps are as follows.

1. To generate the current forest description file
Run “rendom /list” to generate a state file named Domainlist.xml. This file contains the current forest configuration.

2. To edit the domainlist.xml file
Using a simple text editor such as Notepad, edit the state file, changing the relevant fields to the desired values for the new domain name.

3. To review the new forest description in domainlist.xml
Run “rendom /showforest” to show the potential changes; this step does not actually make any changes.

4. To generate the domain rename instructions and upload them to the domain naming master
Run “rendom /upload” to upload the rename instructions to the configuration directory partition on the domain controller holding the domain naming operations master role. The instructions are then replicated to all other DCs in the forest. Once replicated to all DCs, the rename instructions are ready to be carried out. You can force replication by running the “repadmin /syncall” command.

5. To verify the readiness of domain controllers in the forest
Run “rendom /prepare” to verify the readiness of each domain controller in the forest to carry out the rename instructions. This should contact all DCs successfully and return no errors before proceeding.

6. To execute the domain rename instructions on all domain controllers
Run “rendom /execute”; this verifies the readiness of all DCs, then performs the rename action on each one. There will be a service interruption during this period. Upon completion, the domain controllers will be rebooted. If an error occurs on a DC during this phase, the entire transaction is rolled back. Any DCs that do not complete successfully after this phase must be demoted and removed from service.

7. To fix up Group Policy in every renamed domain
Run “gpfixup” to refresh all intradomain references and links to group policy objects.
For example:
gpfixup /olddns:xyz.com.au /newdns:abc.com.au /oldnb:xyz /newnb:abc /dc:dc.xyz.com.au

8. Reboot client computers and member servers twice to obtain the new domain name.
Because the GUIDs of the domain remain the same during the rename process, domain membership is not affected. The DNS suffix of the client machines will also be updated, assuming the default option “Change primary DNS suffix when domain membership changes” is enabled.

9. To perform attribute clean-up after the domain rename
Run “rendom /clean” to remove references to the old domain name from Active Directory.

10. To unfreeze the forest configuration
Run “rendom /end” to unfreeze the forest configuration and allow further changes. It was frozen during the rendom /upload step.
Should you have any problems with clients recognizing the new domain name, you can remove them by running “netdom remove /Domain : /Force”, rebooting, and then rejoining the new domain. Once the rename is complete, there is one final change required on domain controllers. The DNS suffix of a DC is not changed as part of this process. This must be changed manually, or the DCs will have a DNS suffix that differs from the AD domain name.

For further details on renaming Server 2008 domains, reference this TechNet article: http://technet.microsoft.com/en-us/library/cc794869.aspx

Metadata Cleanup of a Domain controller

Delete orphan DCs from Active Directory

The following commands should be run to clean up orphaned domains and domain controllers.

At the command prompt, type ntdsutil

ntdsutil: metadata cleanup

Metadata cleanup: connections

Server connections: connect to server yourserver.yourdomain.com
(i.e. the forest root domain controller)
Binding to yourserver.yourdomain.com ...
Connected to yourserver.yourdomain.com using credentials of locally logged on user
Server connections: quit
(You are now connected to the domain controller)

Metadata cleanup: select operation target

Select operation target: list domains
(Lists all domains in the forest) Found 7 domain(s)
0 – DC=yourserver, DC=yourdomain, DC=com
1 – DC=……….. (Listing of all domains in the forest)

Select operation target: select domain x
(Where x is the number of the domain to be deleted and/ or where the domain controller to be deleted is located) No current site
Domain – DC=….. No current server
No Current Naming Context

Select operation target: list sites
Found 1 site(s)
0 – CN=yoursite, CN=Sites, CN=Configuration, DC=yourserver, DC=yourdomain, DC=com

Select operation target: select site x
(Where x is the number of the site where the domain and/or the domain controller to be deleted is located)
Site – CN=yoursite, CN=Sites, CN=Configuration, DC=yourserver, DC=yourdomain, DC=com
Domain – DC=……..
No current server No current Naming Context

Select operation target: list servers in site
Found 6 server(s)
0 – CN=………
1 – CN=……….
(Listing of all servers found in the site selected)

Select operation target: select server x
(Where x is the number of the server to be deleted from the list displayed in the previous operation)
Site – CN=yoursite, CN=Sites, CN=Configuration, DC=yourserver, DC=yourdomain, DC=com
Domain – DC=……
Server – CN=…….
DSA object – CN=NTDS Settings, CN=…….. (Display of the domain, server and settings for the domain controller to be deleted)
No current Naming Context
select operation target: quit

Metadata cleanup: remove selected server
“CN=……..” removed from server “yourserver.yourdomain.com”
(A popup window is also displayed asking you to confirm that you really want to delete this domain controller; the line above verifies the removal of the domain controller)

Metadata cleanup: remove selected domain
“DC=…….” removed from server “yourserver.yourdomain.com”
(Verifies the removal of the domain)

Note: At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error that the object could not be found, the domain controller might already have been removed from Active Directory.
Metadata cleanup: quit

Ntdsutil: quit
Disconnecting from …………

To remove the failed server object from the sites
1. In Active Directory Sites and Services, expand the appropriate site.
2. Delete the server object associated with the failed domain controller.

To remove the failed server object from the domain controllers container
1. In Active Directory Users and Computers, expand the domain controllers container.
2. Delete the computer object associated with the failed domain controller.

To remove the failed server object from DNS
1. In the DNS snap-in, expand the zone that is related to the domain from where the server has been removed.
2. Remove the CNAME record in the _msdcs.<forest root domain> zone in DNS. You should also delete the host (A) record and any other DNS records for the server.
3. If you have reverse lookup zones, also remove the PTR record of the server from these zones.

For more details, refer to the articles below:
http://support.microsoft.com/kb/216498
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

How to find and remove lingering objects in Active Directory

How to Troubleshoot Lingering Objects

Lingering object: an object that has been deleted and garbage collected on one domain controller but still remains on another domain controller is termed a lingering object.

Some of the biggest annoyances for any Active Directory administrator are odd little things called lingering objects. These have existed since Windows 2000 Server and will probably never go away completely, although Microsoft has worked to give us some great tools to get rid of them and protect our domain controllers.

While there are already some good articles out there describing lingering objects, I’d like to put my own spin on the issue based on experiences I’ve had with them. I still find many Active Directory admins who either don’t understand what lingering objects are or don’t know what to do about them. Put simply, a lingering object is any Active Directory object that has been deleted, but gets reanimated when a DC has not replicated the change during the domain’s tombstone lifetime period.

Preventing Lingering Objects

Of course, it’s most desirable to prevent lingering objects from being created in the first place. There is a registry key called StrictReplicationConsistency — which we’ll refer to as Strict Mode — that will protect a DC from lingering objects:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
ValueName = Strict Replication Consistency
Data Type = Reg_DWORD
Value Data = 1 (Strict) or 0 (Loose)

If this value is set to 1, it prevents a partner from replicating lingering objects to the DC on which it is defined. Thus, if every domain controller has Strict Mode enabled, all of them are protected from lingering objects.
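Since the protection only holds when every DC has the value set, here is an added PowerShell example (not code from the original post) that enumerates the DCs from the NTDS Settings objects under CN=Sites and reads the registry value described above from each one over the remote registry interface. It assumes the Remote Registry service is reachable on the DCs and that the account running it can read HKLM there; it reports the raw value and does not assume what an absent value means.

```powershell
function Get-StrictReplicationConsistency {
    param([string[]]$DomainController)   # defaults to every DC registered in the configuration partition

    if (-not $DomainController) {
        # Every DC has an NTDS Settings object under CN=Sites; its parent server object carries dNSHostName
        $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
        $searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Sites,$configNc")
        $searcher.Filter   = '(objectClass=nTDSDSA)'
        $searcher.PageSize = 500
        $DomainController = foreach ($r in $searcher.FindAll()) {
            $serverDn = $r.Properties['distinguishedname'][0] -replace '^CN=NTDS Settings,', ''
            ([ADSI]"LDAP://$serverDn").dNSHostName.Value
        }
    }

    foreach ($dc in $DomainController) {
        $raw = $null
        try {
            # Remote read of HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on the DC
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
            $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
            $raw  = $key.GetValue('Strict Replication Consistency')
            $mode = switch ($raw) { 1 { 'Strict' } 0 { 'Loose' } default { 'not set' } }
        } catch {
            $mode = "error: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{
            DomainController             = $dc
            StrictReplicationConsistency = $raw
            Mode                         = $mode
        }
    }
}

# Any DC that is not Strict is one a partner can replicate lingering objects into
Get-StrictReplicationConsistency | Where-Object { $_.Mode -ne 'Strict' } | Format-Table DomainController, Mode, StrictReplicationConsistency -AutoSize
```

Because the value is per DC, it is worth scheduling this check rather than running it once: a DC rebuilt or restored from an older image can silently come back in loose mode.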

How to Find and Remove Lingering Objects in Active Directory

Event ID 1988 proves the presence of lingering objects in the domain; below is an example of this event.

Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1988
Date: 5/31/2011
Time: 11:58:46 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: EXCHANGE1

Description:
Active Directory Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory database.  Not all direct or transitive replication partners replicated in the deletion before the tombstone lifetime number of days passed.  Objects that have been deleted and garbage collected from an Active Directory partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as “lingering objects”.

This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory database.  This replication attempt has been blocked.

The best solution to this problem is to identify and remove all lingering objects in the forest.
Source DC (Transport-specific network address):
039c75ff-f65c-4f31-90b4-d68570ff4142._msdcs.rootcon.local
Object:
CN=932c938c-2b18-4704-bb6a-0bbe4ce02dacADEL:781d5c06-bdd9-4423-9772-2f51ef1763cc, CN=Deleted Objects, CN=Configuration, DC=rootcon, DC=local

Object GUID:
781d5c06-bdd9-4423-9772-2f51ef1763cc

User Action:
Remove Lingering Objects:
The action plan to recover from this error can be found at http://support.microsoft.com/?id=314282.
If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD.  To see which objects would be deleted without actually performing the deletion run “repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE”. The eventlogs on the source DC will enumerate all lingering objects.  To remove lingering objects from a source domain controller run “repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC>”.

If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at http://support.microsoft.com/?id=314282 or from your Microsoft support personnel.

If you need Active Directory replication to function immediately at all costs and don’t have time to remove lingering objects, enable loose replication consistency by unsetting the following registry key:

Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Strict Replication Consistency

Replication errors between DCs sharing a common partition can prevent user and computer accounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory configuration data to vary between DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved.  DCs that fail to inbound replicate deleted objects within tombstone lifetime number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC.

Lingering objects may be prevented by ensuring that all domain controllers in the forest are running Active Directory, are connected by a spanning tree connection topology and perform inbound replication before Tombstone Live number of days pass. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The description of Event ID 1988 is quite detailed. It gives the following information:

1. The GUID of the source domain controller from where the lingering objects are coming.

Source DC (Transport-specific network address):
039c75ff-f65c-4f31-90b4-d68570ff4142._msdcs.rootcon.local

2. The DN of the Lingering Object (This piece of information is helpful in determining the location of the lingering object with respect to the naming context – domain partition, configuration partition , global catalog)

Object:
CN=932c938c-2b18-4704-bb6a-0bbe4ce02dacADEL:781d5c06-bdd9-4423-9772-2f51ef1763cc, CN=Deleted Objects, CN=Configuration, DC=rootcon, DC=local

3. The event also gives the command that needs to be run to remove lingering objects

Repadmin /RemoveLingeringObjects <Name of the Source DC> <GUID of the DC which do not have the Lingering Objects>

Name of the source DC: Event ID 1988 mentions the GUID of the source DC. From this GUID, we need to get the name of that DC.

GUID of the DC which does not have the lingering objects: the DC on which we are getting Event ID 1988 is the one that does not have the lingering objects.

Remember this: there is no “bad” domain controller or “good” domain controller. There is a domain controller which has lingering objects and a domain controller which does not have lingering objects. The presence of lingering objects does not make a domain controller “bad”.

Ping the GUID which is mentioned in the Event 1988. This is the GUID of the domain controller which has Lingering Objects. By pinging the GUID, we will get the name of the domain controller having lingering objects

C:\>ping 039c75ff-f65c-4f31-90b4-d68570ff4142._msdcs.rootcon.local
Pinging authserver.rootcon.local [10.10.10.10] with 32 bytes of data:

Reply from 10.10.10.10: bytes=32 time<1ms TTL=127
Reply from 10.10.10.10: bytes=32 time<1ms TTL=127
Reply from 10.10.10.10: bytes=32 time<1ms TTL=127
Reply from 10.10.10.10: bytes=32 time<1ms TTL=127
Ping statistics for 10.10.10.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Now we need to get the GUID of the domain controller which does not have lingering objects. The domain controller on which we get 1988 is the one which does not have lingering objects. We can get the GUID of this domain controller from DNS.

As stated earlier, the Event ID 1988 contains the DN of the lingering object which can help us to identify the naming context (partition) in which we have the lingering objects

Object:
CN=932c938c-2b18-4704-bb6a-0bbe4ce02dacADEL:781d5c06-bdd9-4423-9772-2f51ef1763cc, CN=Deleted Objects, CN=Configuration, DC=rootcon, DC=local

To remove the lingering object, run Repadmin /RemoveLingeringObjects.

The same command can be run with “Advisory Mode” and without “Advisory Mode”.

With “Advisory Mode”: this only shows the number and names of the lingering objects, in the form of events in the Event Viewer. It does NOT remove the lingering objects.

C:\Documents and Settings\noc>repadmin /removelingeringobjects Authserver 04dc247f-cb35-43ac-8856-23f4603076b0 CN=configuration,DC=rootcon,DC=local /advisory_mode
RemoveLingeringObjects sucessfull on authserver.

Without “Advisory Mode”: This actually removes the Lingering Objects
Run the command on the domain controller on which you are getting the Event 1988

C:\Documents and Settings\noc>repadmin /removelingeringobjects Authserver 04dc247f-cb35-43ac-8856-23f4603076b0 CN=configuration,DC=rootcon,DC=local
RemoveLingeringObjects sucessfull on authserver.

Events get generated after running the command with “Advisory Mode”.

When the actual command is run without “Advisory Mode”, the event log shows that the removal of lingering objects has begun. Finally, an event stating that the lingering objects have been removed is logged in the Directory Service log.

Users on Authserver which were present in AD as Lingering Objects are now removed from the Active Directory.

Below are sample examples for removing lingering objects from the other directory partitions.

Repadmin /removelingeringobjects <ServerName> <ServerGUID> <DirectoryPartition> /advisory_mode, where <DirectoryPartition> is the distinguished name of the directory partition identified in the event message. For example:
DC=rootcon,DC=local for the domain directory partition,
CN=configuration,DC=rootcon,DC=local for the configuration directory partition, or
CN=schema,CN=configuration,DC=rootcon,DC=local for the schema directory partition.

Example:
C:\Documents and Settings\noc>repadmin /removelingeringobjects authserver 04dc247f-cb35-43ac-8856-23f4603076b0 DC=rootcon,DC=local
RemoveLingeringObjects sucessfull on authserver.

C:\Documents and Settings\noc>repadmin /removelingeringobjects authserver 04dc247f-cb35-43ac-8856-23f4603076b0 CN=configuration,DC=rootcon,DC=local
RemoveLingeringObjects sucessfull on authserver.

C:\Documents and Settings\noc>repadmin /removelingeringobjects authserver 04dc247f-cb35-43ac-8856-23f4603076b0 CN=schema,CN=configuration,DC=rootcon,DC=local
RemoveLingeringObjects sucessfull on authserver.
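The three steps the text walks through (resolve the source DC name from the GUID in the event, take the DSA GUID of the DC that logged the event, and pick the partition from the object's DN) as an added PowerShell example, not code from the original post. It parses the event text into those pieces and assembles the repadmin command with /ADVISORY_MODE first; the offline demonstration uses the event quoted on this page, the page's rootcon.local naming contexts and the destination DSA GUID from the page's own repadmin examples, while the live path reads the naming contexts and the local DSA GUID from RootDSE.

```powershell
# Constructed sample: the relevant lines of the Event ID 1988 shown earlier on this page
$SampleEvent1988 = @'
Source DC (Transport-specific network address):
039c75ff-f65c-4f31-90b4-d68570ff4142._msdcs.rootcon.local
Object:
CN=932c938c-2b18-4704-bb6a-0bbe4ce02dacADEL:781d5c06-bdd9-4423-9772-2f51ef1763cc, CN=Deleted Objects, CN=Configuration, DC=rootcon, DC=local
Object GUID:
781d5c06-bdd9-4423-9772-2f51ef1763cc
'@

function Get-LineAfter($Lines, $Label) {
    $i = [array]::IndexOf($Lines, $Label)
    if ($i -lt 0) { throw "Label '$Label' not found in event text" }
    return $Lines[$i + 1]
}

function ConvertFrom-Event1988 {
    param(
        [Parameter(Mandatory=$true)][string]$Message,
        [string[]]$NamingContexts = (([ADSI]'LDAP://RootDSE').namingContexts)   # pass explicitly to run offline
    )
    $lines = @($Message -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $sourceAddress = Get-LineAfter $lines 'Source DC (Transport-specific network address):'
    $objectDn      = Get-LineAfter $lines 'Object:'

    # Step 1 from the text: <DSA GUID>._msdcs.<forest> is a CNAME that resolves to the source DC's host name
    try   { $sourceDc = [Net.Dns]::GetHostEntry($sourceAddress).HostName }
    catch { $sourceDc = $sourceAddress }   # leave the raw address if DNS cannot resolve it

    # Step 2: the naming context is the longest known NC that the object's DN ends with
    $normalizedDn = ($objectDn -replace ',\s+', ',').ToLower()
    $partition = $NamingContexts | ForEach-Object { $_ -replace ',\s+', ',' } |
        Where-Object { $normalizedDn.EndsWith($_.ToLower()) } |
        Sort-Object Length -Descending | Select-Object -First 1

    New-Object PSObject -Property @{
        SourceAddress = $sourceAddress; SourceDc = $sourceDc; ObjectDn = $objectDn; Partition = $partition
    }
}

function Get-LocalDsaGuid {
    # Step 3: the DC logging event 1988 is the one without the lingering objects; the objectGUID
    # of its own NTDS Settings object is the <Destination DC DSA GUID> argument for repadmin
    $dsaDn = ([ADSI]'LDAP://RootDSE').dsServiceName.Value
    $dsa   = [ADSI]"LDAP://$dsaDn"
    (New-Object Guid -ArgumentList (,[byte[]]$dsa.objectGUID.Value)).ToString()
}

function New-RemoveLingeringObjectsCommand {
    param([PSObject]$Event, [string]$DestinationDsaGuid, [switch]$Advisory)
    $cmd = "repadmin /removelingeringobjects $($Event.SourceDc) $DestinationDsaGuid `"$($Event.Partition)`""
    if ($Advisory) { $cmd += ' /ADVISORY_MODE' }
    return $cmd
}

# Offline demonstration with the constructed event and the naming contexts of the page's forest
$parsed = ConvertFrom-Event1988 -Message $SampleEvent1988 -NamingContexts @(
    'DC=rootcon,DC=local', 'CN=Configuration,DC=rootcon,DC=local', 'CN=Schema,CN=Configuration,DC=rootcon,DC=local')
New-RemoveLingeringObjectsCommand -Event $parsed -DestinationDsaGuid '04dc247f-cb35-43ac-8856-23f4603076b0' -Advisory

# Live use on the DC that logged the event: advisory first, review the events, then drop -Advisory
# New-RemoveLingeringObjectsCommand -Event (ConvertFrom-Event1988 -Message $msg) -DestinationDsaGuid (Get-LocalDsaGuid) -Advisory
```

The partition is chosen by suffix match against the real naming-context list rather than by string surgery on “CN=Deleted Objects”, so the same function works when the lingering object is reported under a live container instead of the deleted-objects container.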

Reference KB articles for lingering objects:
http://technet.microsoft.com/en-us/library/cc738018(WS.10).aspx
http://support.microsoft.com/kb/870695
http://support.microsoft.com/kb/317097

Authoritative /Non-Authoritative Restore in Windows2008

 How to restore Server 2008 Active Directory (Non-Authoritative / Authoritative Restore)

Windows Server Backup
Windows Server Backup: the Windows Server Backup feature provides a basic backup and recovery solution for computers running the Windows Server 2008 operating system. Windows Server Backup introduces new backup and recovery technology and replaces the Windows Backup (Ntbackup.exe) feature that was available with earlier versions of Windows.

The ntbackup command is not available in Windows Vista or Windows Server 2008. Instead, you should use the wbadmin command and subcommands to back up and restore your computer and files from a command prompt. You cannot recover backups that you created with ntbackup by using wbadmin.

How to take a system state backup

To perform a system state backup, you must be a member of the Backup Operators group or the Administrators group, or you must have been delegated the appropriate permissions. In addition, you must run wbadmin from an elevated command prompt. (To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.)

Syntax: wbadmin start systemstatebackup -backupTarget:<VolumeName> [-quiet]

Example: wbadmin start systemstatebackup -backupTarget:F:

How to Restore Server 2008 Active Directory (non-authoritative)

1. On Server 2008 DC, open the command prompt on the server.

2. Run the commands below to enter Directory Services Restore Mode (DSRM):

bcdedit /set safeboot dsrepair
shutdown -t 0 -r

Note: To boot into Directory Services Restore Mode manually, press the F8 key repeatedly, immediately after the BIOS POST screen and before the Windows logo appears. (Timing can be tricky; if the Windows logo appears, you waited too long.) A text menu will appear. Use the up/down arrow keys to select Directory Services Restore Mode or DS Restore Mode, then press Enter.

3. Login using administrator and DSRM password.

4. Run the command below (note that e: is the drive letter of your backup); this shows you the version identifier of the backup.

wbadmin get versions -backuptarget:e:

5. Run the command below to start the restore.

wbadmin start systemstaterecovery -version:10/08/2011-17:27 -backuptarget:e:

6. After the restore process is completed, run the following commands to reboot.

bcdedit /deletevalue safeboot
shutdown -t 0 -r

How to Restore Server 2008 Active Directory if Someone Accidentally Deletes an Object. (Authoritative restore)

1. Restore Server 2008 Active Directory (non-authoritative) as above, but do not reboot the server.

2. Open command prompt, run following commands, where CN=JIM,OU=HR,DC=TEST,DC=LOCAL is the object you wish to restore.

C:\>ntdsutil

ntdsutil: activate instance ntds

Active instance set to “ntds”.

ntdsutil: authoritative restore

authoritative restore: restore object "CN=JIM,OU=HR,DC=TEST,DC=LOCAL"

3. Ntdsutil reports how many records were marked authoritative. Once it has completed, type quit twice to leave ntdsutil. On Windows Server 2003 SP1 and later it also writes .ldf files containing the back-links of the restored object (for example the group memberships of a restored user); if those memberships are missing after the reboot, re-import the .ldf files with ldifde.

4. After the restore process is completed, run the following commands to clear the DSRM boot flag and reboot.

bcdedit /deletevalue safeboot
shutdown -t 0 -r
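The backup, non-authoritative restore and authoritative restore steps above, driven from PowerShell. This is an added example and not part of the original notes: it wraps the same wbadmin and ntdsutil commands so the backup target, the version identifier and the object DN are validated before they are used in DSRM, where a typo costs a reboot. It assumes Windows Server 2008 with the Windows Server Backup feature installed; 'E:' and the DN are placeholders taken from the text.

```powershell
# Added example, not part of the original notes: drives the wbadmin and ntdsutil
# steps above from PowerShell so the backup target, version identifier and
# object DN are validated instead of retyped in DSRM. Assumes Windows Server 2008
# with Windows Server Backup installed; 'E:' and the example DN are placeholders.

function Test-Elevated {
    # wbadmin refuses to run unless the prompt is elevated (see the text above).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-SystemStateBackup {
    param([Parameter(Mandatory=$true)][string]$Target)   # e.g. 'E:'
    if (-not (Test-Elevated)) { throw 'Run this from an elevated PowerShell prompt.' }
    # -quiet suppresses the Y/N confirmation so the step can be scheduled.
    & wbadmin.exe start systemstatebackup "-backupTarget:$Target" -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin backup failed with exit code $LASTEXITCODE" }
}

function Get-SystemStateVersions {
    param([Parameter(Mandatory=$true)][string]$Target)
    # 'wbadmin get versions' prints one 'Version identifier: MM/DD/YYYY-HH:MM' line
    # per backup; return the identifiers in the order wbadmin lists them (oldest first).
    $lines = & wbadmin.exe get versions "-backupTarget:$Target"
    foreach ($line in $lines) {
        if ($line -match '^Version identifier:\s*(\S+)') { $matches[1] }
    }
}

function Get-SystemStateRecoveryCommand {
    param([Parameter(Mandatory=$true)][string]$Target,
          [Parameter(Mandatory=$true)][string]$Version)
    # Validate the identifier shape first; a mistyped value only fails later, in DSRM.
    if ($Version -notmatch '^\d{2}/\d{2}/\d{4}-\d{2}:\d{2}$') {
        throw "Unexpected version identifier '$Version'"
    }
    return "wbadmin start systemstaterecovery -version:$Version -backupTarget:$Target -quiet"
}

function New-AuthoritativeRestoreScript {
    # Builds the ntdsutil command file for marking deleted objects authoritative
    # after the non-authoritative restore, while still in DSRM. Each DN is quoted,
    # which ntdsutil requires whenever a name contains spaces.
    param([Parameter(Mandatory=$true)][string[]]$DistinguishedName)
    $cmds = @('activate instance ntds', 'authoritative restore')
    foreach ($dn in $DistinguishedName) {
        if ($dn -notmatch '^(CN|OU)=[^,]+(,(CN|OU)=[^,]+)*(,DC=[^,]+)+$') {
            throw "Not an object DN: '$dn'"
        }
        $cmds += "restore object `"$dn`""
    }
    $cmds += @('quit', 'quit')
    return $cmds
}

# Usage (live DC):  Start-SystemStateBackup -Target 'E:'
# Usage (in DSRM):  $latest = @(Get-SystemStateVersions -Target 'E:')[-1]
#                   Get-SystemStateRecoveryCommand -Target 'E:' -Version $latest
#                   New-AuthoritativeRestoreScript 'CN=JIM,OU=HR,DC=TEST,DC=LOCAL' |
#                       Set-Content -Path C:\restore.txt -Encoding ASCII
#                   cmd /c 'ntdsutil.exe < C:\restore.txt'
```

Get-SystemStateRecoveryCommand deliberately returns the command as a string rather than running it, so the operator sees exactly which version is about to be restored; picking the wrong one silently rolls the directory further back than intended.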

How to transfer or seize FSMO roles

The first Microsoft Windows 2000 Active Directory (AD) domain controller in a forest is granted five FSMO roles when you run the Dcpromo.exe program and install the AD. There are two FSMO roles that are forest wide and three that are per domain. If child domains are created, the two forest wide roles do not change. A forest with two domains would have eight FSMOs; two for the forest and three domain specific FSMO roles in each domain.

The five FSMO roles are:

• Schema master – Forest wide and one per forest.

• Domain naming master – Forest wide and one per forest.

• RID master – Domain Specific and one for each domain.

• PDC emulator – Domain Specific and one for each domain.

• Infrastructure master – Domain Specific and one for each domain.

If you have only one domain controller (as with SBS), it holds all five roles. With multiple domain controllers the roles may have been spread across servers by whoever installed the forest, so check before assuming.

In order to find out which server holds which role you can use the following command on one of the servers:

ntdsutil roles connections "connect to server <ServerName>" quit "select operation target" "list roles for connected server" quit quit quit
**replace <ServerName> with the name of one of your DCs
OR
Open a command prompt and type netdom query fsmo

To move the FSMO roles from one computer to another, you can use two different methods. You can use the first method if both computers are running. This method is a Transfer and is the method that is recommended. Use the second method if the FSMO roles holder is offline. The second method requires you to use the Ntdsutil.exe tool to seize the roles.

NOTE: Only seize the FSMO roles to the remaining Active Directory domain controllers if you are removing the FSMO role holder from the domain or forest.

Transfer FSMO roles

To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:

1. Log on to a member computer or domain controller (Windows Server 2003 or 2008) located in the forest where the FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning the FSMO roles to. The logged-on user must be a member of the Enterprise Admins group to transfer the Schema master or Domain naming master roles, or a member of the Domain Admins group of the domain where the PDC emulator, RID master and Infrastructure master roles are being transferred.

2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.

3. Type roles, and then press ENTER.

Note: To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ? and then press ENTER.

4. Type connections, and then press ENTER.

5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.

6. At the server connections prompt, type q, and then press ENTER.

7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt and then press ENTER, or see the list of roles at the start of this section.

For example,

To transfer the Domain Naming master role, type transfer naming master

To transfer the Infrastructure master role, type transfer infrastructure master

To transfer the PDC emulator role, type transfer pdc

To transfer the RID master role, type transfer rid master

To transfer the Schema master role, type transfer schema master

Note: The one exception is the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.

8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

Seize FSMO roles

To seize the FSMO roles by using Ntdsutil, follow these steps:

1. Log on to the domain controller that is to take over the roles, using an account with the group memberships described for a transfer above.

2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.

3. Type roles, and then press ENTER.

4. Type connections, and then press ENTER.

5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that is to receive the role.

6. At the server connections prompt, type q, and then press ENTER.

7. At the fsmo maintenance prompt, type seize role, where role is the role that you want to seize, and then press ENTER. Ntdsutil first attempts a normal transfer and only seizes the role if the current holder cannot be contacted, so a seize against a reachable holder behaves like a transfer.

For example,

To seize the Domain Naming master role, type seize naming master

To seize the Infrastructure master role, type seize infrastructure master

To seize the PDC emulator role, type seize pdc

To seize the RID master role, type seize rid master

To seize the Schema master role, type seize schema master

Notes:

• Under typical conditions, all five roles must be assigned to “live” domain controllers in the forest. If a domain controller that owns a FSMO role is taken out of service before its roles are transferred, you must seize all of its roles to an appropriate and healthy domain controller.

• If the domain controller that formerly held any FSMO role is not present in the domain and has had its roles seized by using the steps in this post, it must never be brought back online. Remove it from Active Directory by following the procedure in Microsoft Knowledge Base article 216498 (http://support.microsoft.com/kb/216498/), How to remove data in Active Directory after an unsuccessful domain controller demotion.
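The role inventory and the transfer-or-seize decision above, as an added example that is not part of the original notes. It uses the .NET System.DirectoryServices.ActiveDirectory classes that ship with Server 2008 (no Active Directory PowerShell module is needed) to list the five holders, checks whether each holder still answers an LDAP bind, and then moves roles with a transfer when the holder is alive and a seize only when it is not, which is the rule the text gives. It assumes you run it as an Enterprise Admin or Domain Admin on a domain member and that $TargetDc names a healthy DC that should receive the roles; the host name in the usage lines is a placeholder.

```powershell
# Added example, not part of the original notes. Lists FSMO holders via .NET
# DirectoryServices (available on Server 2008 without the AD module), tests each
# holder with an LDAP bind, and transfers or seizes roles to $TargetDc following the
# rule above: transfer while the holder is alive, seize only when it is gone.
Add-Type -AssemblyName System.DirectoryServices

function Get-FsmoHolders {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    # Two forest-wide roles and three per-domain roles, as listed above.
    return @{
        SchemaRole         = $forest.SchemaRoleOwner.Name
        NamingRole         = $forest.NamingRoleOwner.Name
        PdcRole            = $domain.PdcRoleOwner.Name
        RidRole            = $domain.RidRoleOwner.Name
        InfrastructureRole = $domain.InfrastructureRoleOwner.Name
    }
}

function Test-DcAlive {
    param([Parameter(Mandatory=$true)][string]$Name)
    # An LDAP bind is a better liveness test than ping: a DC can answer ICMP
    # with the directory service stopped, and ntdsutil needs LDAP, not ICMP.
    try {
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $Name)
        $dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
        [void]$dc.CurrentTime          # reads rootDSE, which forces the bind
        return $true
    } catch { return $false }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory=$true)][string]$TargetDc,
        [string[]]$Roles = @('SchemaRole','NamingRole','PdcRole','RidRole','InfrastructureRole'),
        [switch]$Execute     # without -Execute the function only reports the plan
    )
    $holders = Get-FsmoHolders
    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $TargetDc)
    $target = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
    foreach ($r in $Roles) {
        $role  = [System.DirectoryServices.ActiveDirectory.ActiveDirectoryRole]$r
        $owner = $holders[$r]
        if ($owner -ieq $target.Name) { "$r is already held by $TargetDc"; continue }
        $alive  = Test-DcAlive -Name $owner
        $action = if ($alive) { 'transfer' } else { 'SEIZE' }
        "$r : $owner -> $TargetDc ($action)"
        if (-not $Execute) { continue }
        if ($alive) {
            $target.TransferRoleOwnership($role)
        } else {
            # Seize only when the old holder is gone for good: it must never be
            # brought back online without the KB 216498 metadata cleanup.
            $target.SeizeRoleOwnership($role)
        }
    }
}

# Usage:
# Get-FsmoHolders
# Move-FsmoRoles -TargetDc 'dc2.test.local'            # dry run, prints the plan
# Move-FsmoRoles -TargetDc 'dc2.test.local' -Execute   # actually move the roles
```

Run the dry run first and read the plan: a role reported as SEIZE means the holder did not answer, and once you seize it the old server can never rejoin the forest without being rebuilt.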

Domain Rename in Windows 2003/2008

Prerequisites for a domain rename in a simple single-domain forest for Windows 2003/2008:

  • Enterprise Administrator credentials are required.
  • The domain should be well formed and healthy. Run dcdiag /q and repadmin /replsum to check for errors and fix them before you proceed. Run gpotool to check that all policies are OK.
  • The forest functional level must be Windows Server 2003 or 2008, and all DCs must run at least Server 2003.
  • A DNS zone for the new domain must be in place.

 The Rendom and Gpfixup tools must be copied to a domain member workstation to perform the rename operations. The operations should not be initiated from a domain controller.

See the TechNet link below for details on requirements if you’re using DFS redirection, roaming profiles, running a CA, or Exchange Server.

The domain rename is performed using the Rendom tool, which is installed with Active Directory when running dcpromo. Once this process is started, you must ensure that no changes are made to the forest configuration until complete. The steps are as follows.

1.       To generate the current forest description file

Run “rendom /list” to generate a state file named Domainlist.xml. This file contains the current forest configuration.

2.       To edit the domainlist.xml file

Using a simple text editor such as notepad, edit the state file, changing the <DNSname> and <NetBiosName> fields to the desired values for the new domain name.

3.       To review the new forest description in domainlist.xml

 Run “rendom /showforest” to show the potential changes; this step does not actually make any changes.

4.       To generate the domain rename instructions and upload them to the domain naming master

Run “rendom /upload” to upload the rename instructions to the configuration directory partition on the domain controller holding the domain naming operations master role. The instructions are then replicated to all other DCs in the forest. Once replicated to all DCs, the rename instructions are ready to be carried out. You can force replication by running the “repadmin /syncall” command.

 5.       To verify the readiness of domain controllers in the forest

Run “rendom /prepare” to verify the readiness of each domain controller in the forest to carry out the rename instructions. This must contact all DCs successfully and return no errors before you proceed.

 6.       To execute the domain rename instructions on all domain controllers

Run “rendom /execute”; this verifies the readiness of all DCs, then performs the rename on each one. There will be a service interruption during this period. Upon completion the domain controllers reboot. If an error occurs on a DC during this phase, the entire transaction is rolled back. Any DCs that do not complete successfully after this phase must be demoted and removed from service.

 7.       To fix up Group Policy in every renamed domain

 Run “gpfixup” to refresh all intradomain references and links to group policy objects.

For example,

gpfixup /olddns:xyz.com.au /newdns:abc.com.au /oldnb:xyz /newnb:abc /dc:dc.xyz.com.au

 8.       Reboot client computers and member servers twice to obtain new domain name.

Because the GUIDs of the domain remain the same during the rename process, domain membership is not affected. The DNS suffix of the client machines is also updated, provided the default option “Change primary DNS suffix when domain membership changes” is enabled.

 9.       To perform attribute clean up after domain rename

Run “rendom /clean” to remove references of the old domain name from Active Directory.

 10.   To unfreeze the forest configuration

 Run “rendom /end” to unfreeze the forest configuration and allow further changes. This was frozen during the rendom /upload step.

Should you have problems with clients recognizing the new domain name, you can remove them by running “netdom remove <machine-name> /Domain:<old-domain> /Force”, rebooting, and then rejoining the new domain. Once the rename is complete, there is one final change required on the domain controllers: the DNS suffix of a DC is not changed as part of this process and must be changed manually, or the DCs will have a DNS suffix that differs from the AD domain name.

For further details on renaming Server 2008 domains, reference this TechNet article: http://technet.microsoft.com/en-us/library/cc794869.aspx
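Steps 1 to 5 of the procedure above, scripted. This is an added example and not part of the original notes or of the rendom tool: it edits Domainlist.xml with an XML parser instead of Notepad, and refuses to continue past any rendom step that exits non-zero, so /upload is never run on an unreviewed list and /prepare is never followed by /execute while a DC is reporting errors. It stops before /execute on purpose, because that step reboots every DC and the text wants gpfixup, /clean and /end done only after the rename has been verified. It assumes rendom.exe is in the current directory on a member workstation and a single-domain forest as in the text; xyz.com.au and abc.com.au are the page's placeholder names. The handling of application partitions is an assumption to verify against the TechNet guide linked above.

```powershell
# Added example, not part of the original notes: runs rendom steps 1-5 from a member
# workstation, editing Domainlist.xml with an XML parser and stopping on the first
# non-zero rendom exit code. Assumes rendom.exe is in the current directory.

function Set-DomainListNames {
    param(
        [Parameter(Mandatory=$true)][string]$OldDns,
        [Parameter(Mandatory=$true)][string]$NewDns,
        [Parameter(Mandatory=$true)][string]$NewNetBios,
        [string]$Path = '.\Domainlist.xml'
    )
    $xml = [xml](Get-Content -Path $Path)
    $changed = 0
    foreach ($d in @($xml.Forest.Domain)) {
        if ($d.DNSname -ieq $OldDns) {
            # Step 2: the domain itself gets both the new DNS and NetBIOS names.
            $d.DNSname     = $NewDns
            $d.NetBiosName = $NewNetBios
            $changed++
        } elseif ($d.DNSname -imatch ('\.' + [regex]::Escape($OldDns) + '$')) {
            # Assumption: application partitions such as DomainDnsZones.<domain> are
            # listed as Domain elements too and their suffix follows the domain.
            $d.DNSname = $d.DNSname.Substring(0, $d.DNSname.Length - $OldDns.Length) + $NewDns
            $changed++
        }
    }
    if ($changed -eq 0) { throw "No partition named $OldDns found in $Path" }
    $xml.Save((Resolve-Path -Path $Path).Path)
    return $changed
}

function Invoke-Rendom {
    param([Parameter(Mandatory=$true)][string]$Switch)
    & .\rendom.exe $Switch
    if ($LASTEXITCODE -ne 0) {
        throw "rendom $Switch returned $LASTEXITCODE; read rendom's log and fix the cause before retrying"
    }
}

function Start-DomainRenamePrepare {
    param(
        [Parameter(Mandatory=$true)][string]$OldDns,
        [Parameter(Mandatory=$true)][string]$NewDns,
        [Parameter(Mandatory=$true)][string]$NewNetBios
    )
    Invoke-Rendom '/list'                                       # step 1: write Domainlist.xml
    $n = Set-DomainListNames -OldDns $OldDns -NewDns $NewDns -NewNetBios $NewNetBios
    Write-Host "$n partition name(s) updated in Domainlist.xml"
    Invoke-Rendom '/showforest'                                 # step 3: read-only preview
    $answer = Read-Host 'Does the forest description above look right? Type YES to upload'
    if ($answer -ne 'YES') { throw 'Aborted before /upload; nothing in the forest has changed.' }
    Invoke-Rendom '/upload'                                     # step 4: forest config frozen from here
    & repadmin.exe /syncall /AdeP                               # push the instructions to every DC
    Invoke-Rendom '/prepare'                                    # step 5: every DC must report ready
    Write-Host 'All DCs ready. Run rendom /execute by hand (all DCs reboot), then gpfixup, rendom /clean and rendom /end.'
}

# Usage:
# Start-DomainRenamePrepare -OldDns 'xyz.com.au' -NewDns 'abc.com.au' -NewNetBios 'abc'
```

If Start-DomainRenamePrepare throws after /upload, the forest configuration is already frozen; fix the failing DC and rerun rendom /prepare by hand, or run rendom /end to unfreeze and abandon the rename before anything has been executed.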

How to restore a Virtualized Domain Controller and prevent USN Rolllback

Information:
This summarizes the steps needed to properly restore a backup copy of a Virtualized DC to the Active Directory forest. The copied Virtual DC can be returned to the domain and can have all updates replicated to it with the following procedure. Use this procedure only under the following conditions:
• Updates included with Knowledge Base article 875495 (Windows Server 2003) or article 885875 (Windows 2000 Server with SP4) were installed on the domain controller prior to the failure.
• The backup image of the domain controller has not been booted.
• The current domain controller is offline.
• The backup image of the domain controller is not older than the tombstone lifetime of objects in Active Directory (60 days by default; 180 days for forests created on Windows Server 2003 SP1 or later, so check the value rather than assuming it).
• The backup image of the domain controller does not hold any FSMO roles.

Note:
This procedure can only be used when the backup image of the Virtualized DC has not been booted since being created.

Important:
When restoring a backup image of a virtualized domain controller using this method do not restart the domain controller in normal operation mode. Simply starting a domain controller in normal operation mode, even if it is disconnected from the network, causes changes in the directory service that will increment USNs on the domain controller. You must start the domain controller in Directory Services Restore mode and then use the recovery steps in the following procedure.

How to restore a Virtualized DC image to prevent USN Rollback from occurring:

1) Using the Virtualized DC image, start the domain controller in Directory Services Restore Mode.

a. In a registry editor, if the entry “DSA Previous Restore Count” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters is visible, make a note of the value. If the entry is not visible, assume a value of 0. Do not add the entry.

b. Add the registry entry “Database restored from backup” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
i. Data type: REG_DWORD
ii. Value=1

c. On the next normal start this setting makes the directory service behave as if a valid system state backup had just been restored: it generates a new invocation ID for the DC (the same effect a real system state restore has), so replication partners treat it as a restored DC rather than a rolled-back one.

Note:
The “Database restored from backup” entry is available on domain controllers that are running Windows 2000 Server with SP4 and domain controllers that are running Windows Server 2003 with updates included with Knowledge Base article 875495 installed.

2) Restart the domain controller normally.

3) In the registry, check that the value in DSA Previous Restore Count is equal to its previous value plus 1.

4) In the Directory Service event log, check that event ID 1109 appears.

a. This event confirms that the virtualized DC has been restored and the invocation ID has been changed. Event ID 1109 places the following information in the log:

Active Directory has been restored from backup media, or has been configured to host an application partition. The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is a%n
%nInvocationID attribute (old value):%n%1
%nInvocationID attribute (new value):%n%2
%nUpdate sequence number:%n%3
%n
%n The invocationID is changed when a directory server is restored from backup media or is configured to host a writeable application directory partition.
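Steps 1a, 1b, 3 and 4 above as a script. This is an added example and not part of the original notes: the "before" restore count is written to a file in DSRM and compared after the reboot instead of being remembered, and the check for event 1109 pulls the new invocation ID out of the message shown above. It refuses to set the registry value while the directory service is running, which is the situation the Important note warns about. It assumes Server 2008, that Set-RestoredFromBackup is run in DSRM and Test-RestoreTookEffect after the normal restart; the state file path is a placeholder.

```powershell
# Added example, not part of the original notes: scripts registry steps 1a-1b and
# the post-reboot checks 3-4 for a restored virtualized DC. Run Set-RestoredFromBackup
# in DSRM, then Test-RestoreTookEffect after the normal restart.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-DsaRestoreCount {
    # Step 1a: read the count if present; treat absence as 0 and never create it.
    $v = Get-ItemProperty -Path $NtdsParams -Name 'DSA Previous Restore Count' -ErrorAction SilentlyContinue
    if ($v) { return [int]$v.'DSA Previous Restore Count' }
    return 0
}

function Set-RestoredFromBackup {
    param([string]$StatePath = 'C:\dsrm-restore-state.txt')   # placeholder path
    # Guard: in DSRM the NTDS service is not running. If it is, we are in normal
    # mode and have already done what the Important note forbids.
    if ((Get-Service -Name NTDS).Status -eq 'Running') {
        throw 'NTDS is running: this image has booted normally. Boot into DSRM first.'
    }
    $before = Get-DsaRestoreCount
    Set-Content -Path $StatePath -Value $before
    # Step 1b: REG_DWORD "Database restored from backup" = 1.
    New-ItemProperty -Path $NtdsParams -Name 'Database restored from backup' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    return $before
}

function Test-RestoreTookEffect {
    param([string]$StatePath = 'C:\dsrm-restore-state.txt')
    $before = [int](Get-Content -Path $StatePath)
    $after  = Get-DsaRestoreCount                            # step 3
    # Step 4: event 1109 in the Directory Service log carries the old and new
    # invocationID; the message text is the template quoted above.
    $evt = Get-EventLog -LogName 'Directory Service' -After (Get-Date).AddHours(-1) |
           Where-Object { $_.EventID -eq 1109 } | Select-Object -First 1
    $newId = $null
    if ($evt -and $evt.Message -match '\(new value\):\s*([0-9a-fA-F-]{36})') { $newId = $matches[1] }
    $result = New-Object PSObject -Property @{
        CountBefore      = $before
        CountAfter       = $after
        CountIncremented = ($after -eq ($before + 1))
        Event1109Seen    = ($evt -ne $null)
        NewInvocationId  = $newId
    }
    if (-not ($result.CountIncremented -and $result.Event1109Seen)) {
        Write-Warning 'Restore marker did not take effect. Do not let this DC replicate; check the Directory Service log.'
    }
    return $result
}

# Usage (DSRM):         Set-RestoredFromBackup
# Usage (normal boot):  Test-RestoreTookEffect | Format-List
```

If Test-RestoreTookEffect warns, disconnect the DC's virtual NIC before anything else: a DC that came up without a new invocation ID is exactly the USN rollback case described below.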

More Information:
USN rollback occurs when an Active Directory domain controller is restored from a snapshot or disk image. Microsoft does not support restoring Active Directory this way, because the restored DC keeps its old invocation ID while its update sequence numbers (USNs) fall back below values its replication partners have already seen from it; the changes it then makes reuse USNs the partners think they already have, so they are never replicated and the DC silently diverges.

To back up and restore Active Directory properly, use an Active Directory-aware backup utility: Windows Server Backup (wbadmin) on Server 2008, NTBackup on Server 2003, or a third-party product that uses the same backup APIs.