Archive for the Active Directory Category

I’ve recently had a chance to finally upgrade to 2008 R2, or started the process at least. I wanted to list out all the resources I used as reference.

The Master Upgrade Guide from Technet

http://technet.microsoft.com/en-us/library/cc731188(WS.10).aspx

A Few Other Upgrade Overviews

http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2010/05/26/transitioning-your-active-directory-to-windows-server-2008-r2.aspx

http://blogs.technet.com/b/askds/archive/2008/11/11/so-you-want-to-upgrade-to-windows-2008-domain-controllers-adprep.aspx

Firewall Ports Required

http://support.microsoft.com/kb/179442

http://support.microsoft.com/kb/832017/

Schema Stuff

http://technet.microsoft.com/en-us/library/testing-for-active-directory-schema-extension-conflicts(WS.10).aspx

http://blogs.technet.com/b/askds/archive/2010/04/16/friday-mail-sack-i-live-again-edition.aspx

Search for “Is there a way to isolate a DC in order to do an AD Schema upgrade?” for the support policy on doing this.

Preparing For The Worst (Yikes!)

http://technet.microsoft.com/en-us/library/planning-active-directory-forest-recovery(WS.10).aspx

Installing AD on separate volumes for performance (You want to make sure you have enough RAM to load the entire DB)

http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2007/02/09/active-directory-on-separate-volumes.aspx

Running ADPrep (Gives you the ADSIEdit.msc way to confirm /SchemaPrep /DomainPrep /RODCPrep)

http://technet.microsoft.com/en-us/library/dd464018(WS.10).aspx

Common mistakes when upgrading from 2000 to 2003 (still some are relevant)

http://support.microsoft.com/kb/555040

Setting NTP server on the new PDC Master (Don’t forget this step)

http://blogs.dirteam.com/blogs/paulbergson/archive/2010/05/18/moving-the-ntp-service-to-a-new-pdce.aspx

Putting a DC in a VM?

http://blogs.technet.com/b/askds/archive/2010/06/10/how-to-virtualize-active-directory-domain-controllers-part-1.aspx

http://blogs.technet.com/b/askds/archive/2010/06/15/how-to-virtualize-active-directory-domain-controllers-part-2.aspx

Verifying SRV DNS Records

http://support.microsoft.com/default.aspx?scid=kb;en-us;816587

Transferring FSMO Roles via Powershell

http://msmvps.com/blogs/ad/archive/2010/08/10/using-powershell-to-transfer-fsmo-roles.aspx

By default, in Active Directory Users and Computers, if you try to search on the logon script attribute (scriptPath), that field isn’t offered in the user search drop-down. You can however use the DSQuery tool to get the information you need. Try running the following command (the sAMAccountType value 805306368 restricts the query to normal user accounts):

DSQuery * -Filter "(&(sAMAccountType=805306368)(scriptPath=yourscriptnamehere))" -Attr samAccountName -L -Limit 0
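The same LDAP filter through the ActiveDirectory PowerShell module, as an added example that is not part of the original post. It goes slightly beyond the DSQuery one-liner: given a script name it lists that script’s users, and with no argument it reports every scriptPath in use with a user count. The module name, the sample script names and the Get-LogonScriptUsers function are assumptions (RSAT with the AD module installed, domain-joined session).

```powershell
# Added example (not from the original post): DSQuery-equivalent logon script lookup.
# Assumes the ActiveDirectory module (RSAT) is installed and the session is domain-joined.
Import-Module ActiveDirectory

function Get-LogonScriptUsers {
    param([string]$ScriptName)   # e.g. "login.bat" or "sales\login.bat"; omit for a summary

    if ($ScriptName) {
        # Escape the LDAP filter metacharacters a script path can contain (\ * ( ) ).
        $escaped = $ScriptName -replace '\\', '\5c' -replace '\*', '\2a' `
                               -replace '\(', '\28' -replace '\)', '\29'
        # 805306368 = SAM_NORMAL_USER_ACCOUNT, i.e. user objects, not computers or trusts.
        $filter = "(&(sAMAccountType=805306368)(scriptPath=$escaped))"
    } else {
        $filter = "(&(sAMAccountType=805306368)(scriptPath=*))"
    }

    $users = Get-ADUser -LDAPFilter $filter -Properties scriptPath

    if ($ScriptName) {
        # Same output as the DSQuery command, plus whether the account is enabled.
        $users | Select-Object samAccountName, scriptPath, Enabled
    } else {
        # Summary: one row per script, how many users reference it, how many are enabled.
        $users | Group-Object scriptPath | ForEach-Object {
            New-Object PSObject -Property @{
                ScriptPath = $_.Name
                Users      = $_.Count
                Enabled    = @($_.Group | Where-Object { $_.Enabled }).Count
            }
        } | Select-Object ScriptPath, Users, Enabled | Sort-Object Users -Descending
    }
}

Get-LogonScriptUsers                  # inventory of every logon script in use
Get-LogonScriptUsers "login.bat"      # the DSQuery equivalent for one script (sample name)
```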

Fresh from the Exchange team: Exchange 2003 is now supported querying against 2008 R2 DCs. This means that if you are on Exchange 2003 and plan on going to 2007 or 2010, you can upgrade your DCs to 2008 R2 first and then raise your forest/domain functional levels to 2008 R2 once Exchange 2003 has been removed from your environment. This actually saved me 1 upgrade I now no longer have to do.

http://msexchangeteam.com/archive/2009/11/30/453327.aspx

A common pain can be joining machines to a domain if you are an IT staff person with a lot of machines. By default an authenticated user can join up to 10 machines to a domain. What if you need to join more? Microsoft provides 3 ways to do this. Let’s take a look.

http://support.microsoft.com/kb/251335/EN-US/

Updated for XP

http://support.microsoft.com/kb/314462/EN-US/

1.) Pre-create the machine accounts. Not entirely difficult, but something the admin has to do.

2.) Grant the Create Computer Objects/Delete Computer Objects permission. This works for NEW MACHINES, but what about machines that already exist? We will get to that.

3.) Raise the default count from 10 to whatever number you want. This affects all users, and you may not want to do that for everyone.

So how can you set permissions for an IT staff person to join and, more importantly, “re-join” machines to a domain without giving them too many permissions? Here is the answer.

Permissions Needed to Join and Re-Join Machines

Besides the Create Computer Objects and Delete Computer Objects permissions from number 2, you need:

Reset Password

That’s it. So simple. It is the Reset Password permission people usually miss, and it is key for re-joining because the existing computer account’s password needs to be reset as well.

You may also need to add Write permissions, depending on how you set the permissions previously for this access. Once again, you can check all this info using ADSIEdit.
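One way to delegate exactly the rights described above to an OU, as an added example that is not part of the original post. The GUIDs for the computer class and the Reset Password extended right are read from the schema and configuration partitions rather than typed in. The OU distinguished name, the group name and the domain are assumptions (RSAT with the ActiveDirectory module, run as an account allowed to change the OU’s ACL).

```powershell
# Added example (not from the original post): grant a helpdesk group the minimum rights to
# join and re-join computers in one OU. OU name, group name and domain are assumptions.
Import-Module ActiveDirectory

$ouDn  = "OU=Workstations,DC=example,DC=com"                     # assumed target OU
$group = Get-ADGroup "Workstation-Joiners"                        # assumed delegate group
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve the object-type GUIDs from the directory instead of hard-coding them.
$rootDse = Get-ADRootDSE
$computerClassGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(lDAPDisplayName=computer)" -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid = [guid](Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(displayName=Reset Password)" -Properties rightsGuid).rightsGuid

$acl = Get-Acl -Path "AD:\$ouDn"

# 1. Create/Delete Computer Objects in the OU and its sub-OUs (the "number 2" permission).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, "CreateChild, DeleteChild", "Allow", $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

# 2. Reset Password on existing computer objects only: the right people miss for re-joins.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, "ExtendedRight", "Allow", $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClassGuid)))

# Any additional Write permissions mentioned in the post would be added the same way.
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show only the ACEs granted to the delegate group.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -eq "$($group.SID.Translate([System.Security.Principal.NTAccount]))" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```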

Does anyone know the limits for common Active Directory features, the ones you’d never think you’d hit in your environment but then one day come close to? Sometimes you wonder what the max number of domain controllers in a domain should be (it’s 1,200), or how many GPOs can be applied to a user (it’s 999). All of these max limits come from a TechNet article I suggest everyone take a look at and bookmark for future reference, just in case.

http://technet.microsoft.com/en-us/library/cc756101(WS.10).aspx

For those that can’t find or aren’t aware of how useful these forums are, I’m just telling you they are extremely useful. I’m very active in the Exchange community; people are very helpful and I learn quite a bit from the MVPs/MSFT in there as well as from other posters. I highly recommend people check it out and get active, it’s a great way to learn.

http://social.technet.microsoft.com/Forums/en-US/categories/

Microsoft has posted a great document on how to use Repadmin to monitor your AD replication.

http://www.microsoft.com/downloads/details.aspx?familyid=c6054092-ee1e-4b57-b175-5aabde591c5f&displaylang=en

I’ll post any .bat files I write using these commands.

I’ve filed a bug about this with MS; they are still working it out. In my environment I have a more up-to-date .DLL but am still getting this issue. It happens if you try to join a 32-bit Vista client to a Windows 2003 SP1 domain; it doesn’t happen on SP2 or with 64-bit Vista. The error is, “There is a time and date difference between the client and server”. This occurs if you have the Do Not Require Pre-Authentication checkbox enabled on the account. Either disable this checkbox, or upgrade the DCs to SP2.

http://support.microsoft.com/kb/938454

http://blogs.technet.com/ad/archive/2007/05/24/vista-issue-time-skew-error-when-logging-on-across-a-trust.aspx

Sometimes you forget the password for the local admin account on a domain controller (the Directory Services Restore Mode password), and sometimes the person who knew it quits without giving notice. In either case there is an easy way to reset the password without knowing the previous one.

Go to the command prompt and enter ntdsutil.

Next, enter set dsrm password and hit enter.

To set it for the local machine, enter reset password on server null.

Then enter your new password, that’s it. Simple and easy.

http://support.microsoft.com/kb/322672

A scenario can come to pass where the wrong time is set on a DC, especially the PDC. All other DCs will blindly accept this new date and time and apply it, even if the change is a large amount of time into the future or past. Naturally this can have pretty bad results.

These are the registry keys that cap the correction; the recommended value is 48 hours (0x0002a300).

For more info see these:

http://blogs.msdn.com/w32time/archive/2008/02/28/configuring-the-time-service-max-pos-neg-phasecorrection.aspx

http://support.microsoft.com/default.aspx?scid=kb;EN-US;884776

Registry Entry: MaxPosPhaseCorrection
Value Type: DWORD
Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes: This entry specifies the largest positive time correction in seconds that the service can make. If the service determines that a change larger than this is required, it logs an event instead. Special case: 0xFFFFFFFF means to always make the time correction. The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hours).

Registry Entry: MaxNegPhaseCorrection
Value Type: DWORD
Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes: This entry specifies the largest negative time correction in seconds that the service can make. If the service determines that a change larger than this is required, it logs an event instead. Special case: -1 means always make the time correction. The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hours).
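An added example, not part of the original post, that audits both phase-correction values on every DC in the domain and flags the unbounded 0xFFFFFFFF default; with $fix set to $true it writes the 48-hour cap (0x2a300 = 172,800 seconds) and tells the time service to re-read its configuration. It assumes the ActiveDirectory module, PowerShell remoting enabled on the DCs, and rights to edit the W32Time key.

```powershell
# Added example (not from the original post): audit/cap MaxPosPhaseCorrection and
# MaxNegPhaseCorrection on all DCs. Assumes RSAT AD module and PS remoting to the DCs.
Import-Module ActiveDirectory

$key   = "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config"
$names = "MaxPosPhaseCorrection", "MaxNegPhaseCorrection"
$limit = 172800      # 0x2a300 seconds = 48 hours, the value recommended above
$fix   = $false      # $false = report only; $true = write the cap where it is missing

$dcs = (Get-ADDomainController -Filter *).HostName

Invoke-Command -ComputerName $dcs -ArgumentList $key, $names, $limit, $fix -ScriptBlock {
    param($key, $names, $limit, $fix)
    foreach ($n in $names) {
        $raw = (Get-ItemProperty -Path $key -Name $n).$n
        # Registry DWORDs come back as signed Int32, so 0xFFFFFFFF reads as -1; normalise it.
        $val = [uint32]($raw -band 0xFFFFFFFF)
        # 0xFFFFFFFF = "always make the correction": the domain-member default, no protection.
        $unbounded = ($val -eq 0xFFFFFFFF)
        $changed = $false
        if ($fix -and ($unbounded -or $val -gt $limit)) {
            Set-ItemProperty -Path $key -Name $n -Value $limit -Type DWord
            $val = [uint32]$limit; $unbounded = $false; $changed = $true
        }
        if ($unbounded) { $hours = "unlimited" } else { $hours = [math]::Round($val / 3600, 1) }
        New-Object PSObject -Property @{
            DC        = $env:COMPUTERNAME
            Setting   = $n
            Seconds   = $val
            Hours     = $hours
            Unbounded = $unbounded
            Changed   = $changed
        }
    }
    # Make the running service pick up the new values without a restart.
    if ($fix) { w32tm /config /update | Out-Null }
} | Select-Object DC, Setting, Seconds, Hours, Unbounded, Changed |
    Sort-Object DC, Setting | Format-Table -AutoSize
```

Run it once with $fix left at $false to see which DCs still sit at the unbounded default before changing anything.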