Active Directory domain controllers are your network's castles of identity. They offer services such as LDAP, Kerberos, and NTLM to people using devices, appliances, and servers. The previous chapter introduced the concepts of forests, trees, and domains. In this chapter, we are going to look at some more tangible things, such as server machines. But please don't take that literally; domain controllers these days are found to be virtual machines more often than physical machines.
I'll walk you through creating new domain controllers and show you which type of domain controller to implement. I'll also show you how to create domain controllers quickly, even when there's only a slow connection between the location with existing domain controllers and the location where you want to implement a new domain controller. We'll also look at creating hundreds of domain controllers quickly.
The following recipes are covered in this chapter:
To make Active Directory a reliable service in any networking environment, the domain controllers need to be available with high integrity. Any changes an administrator needs to make to a deployed domain controller might diminish the availability. Any component or configuration that is misbehaving might diminish the integrity. Therefore, let's look at how to prepare a Windows Server installation to become a domain controller before we promote it to become one.
The following steps are my time-tested recommended practices for production domain controllers within enterprises. I highly recommend these steps to create highly reliable domain controllers.
The first few items on the list of preparations involve having the right ideas about promoting domain controllers throughout their life cycles:
Now, let's look at how to dimension intended domain controllers:
ntds.dit, in RAM. Plan for ample room in RAM to cache up to 4 KB per Active Directory object, plus a 10 MB minimum for the main objects and partitions. You should start with the minimum RAM required to install Windows Server and then add the additional memory for Active Directory Domain Services (AD DS). For physical servers, use RAID and separate spindles for storage of Active Directory-related data when possible. Use hardware that will be covered by the manufacturer's (extended) warranty, support, and life cycle policies for the period in which you need to rely on the domain controller. Before you install Windows Server on intended domain controllers, perform these actions:
After Windows Server is installed, configure these items on the Windows Server instance, either through Server Manager on Windows Server installations with the Desktop Experience feature or by using sconfig.cmd on Server Core installations:
Tip
When the intended domain controller is to run as a virtual machine within a cloud environment, such as Amazon's AWS or Microsoft's Azure, let the cloud provider assign the IPv4 and/or IPv6 addresses, because manually setting these addresses might break the connectivity of the Windows Server installation. Instead, use IP address reservations to ensure the intended domain controllers remain reachable over the same addresses.
In large organizations, you can't get anything done without the proper changes being filed through change management. Even if your organization doesn't require these steps, it's still a recommended practice to document at least these items:
Tip
As domain controllers are promoted using scripts, there is a chance the password for the built-in account will linger around unintentionally. Also, the password initially set for this account is stored with a weaker hashing algorithm than changed passwords.
See the Creating conditional forwarders recipe in Chapter 9, Managing DNS, to create conditional forwarders.
Promoting a Windows Server installation to a domain controller consists of three steps:
When using dcpromo.exe, you do not have to install the role beforehand.
You can promote the server in several ways. The following table displays the possibilities:
The methods in the table are all explained in more detail in this recipe.
In some organizations, changes can only be made using scripts and must be accompanied by rollback scripts. In these cases, the answer file and PowerShell cmdlets offer the best method. On Server Core installations of Windows Server, only the last two options are available to promote the server, either on the Command Prompt or through Windows Admin Center, unless you use Server Manager to remotely manage the server you intend to promote to a domain controller.
The Active Directory Domain Services Configuration Wizard no longer features the option to not reboot the Windows Server installation intended as a domain controller after successful promotion. If you need this option – for instance, to harden the domain controller before the first boot with custom scripts – then you can't use the Wizard. Use dcpromo.exe or the Install-ADDSDomainController, Install-ADDSDomain, or Install-ADDSForest cmdlets in these cases.
When creating an additional domain controller in an existing Active Directory domain or forest, check for proper Active Directory replication before implementing the new domain controller.
Unless you are using dcpromo.exe to promote the Windows Server installation to a domain controller, the Active Directory Domain Services role needs to be installed first.
There are three ways to install the Active Directory Domain Services role: through Server Manager, with the Install-WindowsFeature cmdlet, or through Windows Admin Center.
To install the Active Directory Domain Services role using Server Manager, perform these steps:
servermanager.exe. The Server Manager window appears.
As an alternative to using Server Manager, the Install-WindowsFeature cmdlet can be used. Run the following line of Windows PowerShell in an elevated window to install the Active Directory Domain Services role:
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
The preceding line of Windows PowerShell offers the only way to install the Active Directory Domain Services role on a Server Core installation of Windows Server locally.
Although a PowerShell script can be run from Windows Admin Center, it also offers a native way to install roles and features. Perform these steps:
There are three ways to promote a Windows Server installation to a domain controller: the Active Directory Domain Services Configuration Wizard in Server Manager, the Install-ADDSDomainController, Install-ADDSDomain, or Install-ADDSForest cmdlets from the Active Directory module for Windows PowerShell, or dcpromo.exe with an answer file.
Perform these steps to promote the server to a domain controller:
servermanager.exe, or return to Server Manager when you've finished installing the Active Directory Domain Services role using Server Manager.
Tip
In the top-right corner of every Active Directory Domain Services Configuration Wizard screen, it shows the hostname of the Windows Server installation that you're promoting to a domain controller.
Important Note
By default, the Add a domain controller to an existing domain option is selected. This option will create a replica domain controller in the domain. If you're not sure which selection to make, please refer to the Choosing between a new domain or forest recipe in Chapter 1, Optimizing Forests, Domains, and Trusts. The More about deployment configurations link at the bottom of the Deployment Configuration screen provides a Microsoft link with more information.
Tip
The Review Options screen features a button labeled View script. This button displays the Windows PowerShell script used to execute the domain controller promotion. This reusable script may be a real timesaver, especially when adding several domain controllers to an existing domain.
After successful promotion, the Windows Server installation reboots as a domain controller.
For the Active Directory module for Windows PowerShell, Microsoft has decided to take a slightly different route. Instead of using a single PowerShell cmdlet to promote a domain controller, there are three separate PowerShell cmdlets for each of the three scenarios, as presented on the Deployment Configuration screen of the Active Directory Domain Services Configuration Wizard:
To add a domain controller to an existing domain, the simplest script would look like this:
Install-ADDSDomainController -DomainName lucernpub.com
However, to add a domain controller to an existing domain with the same settings as in the previous wizard example, the following script is needed:
Install-ADDSDomainController -DomainName lucernpub.com -Credential (Get-Credential) -InstallDns:$true -NoGlobalCatalog:$false -DatabasePath "E:\NTDS" -LogPath "E:\Logs" -SysvolPath "E:\SYSVOL" -SiteName RemoteLocation
This adds a domain controller to the lucernpub.com Active Directory domain, using credentials you will be prompted for securely. The domain controller is installed with a DNS server and configured as a global catalog server. All the Active Directory-related files are stored in corresponding folders on the E:\ drive, and when successful, the Windows Server installation you intend as the domain controller reboots automatically.
Replace the values in the preceding sample script with the values of your choice.
Despite many news outlets reporting that dcpromo is dead, this popular option to promote a Windows Server installation to a domain controller is alive and well, even in the latest Windows Server versions. One change to the functionality of dcpromo.exe, compared to previous versions of Windows Server, is that you can no longer use dcpromo.exe to launch the Active Directory Domain Services Configuration Wizard. You'll need to use dcpromo.exe with an answer file or with all the installation arguments specified.
The benefits of using dcpromo.exe include many options that are not available in the Active Directory Domain Services Configuration Wizard, as well as a wide array of sample answer files and scripts. Because the answer file format and the command-line arguments for dcpromo.exe have been available since the early days of Windows Server, many people have used them and many people have written them.
Using dcpromo.exe with an answer file consists of running the following command prompt line:
dcpromo.exe /unattend:C:\install\dcpromo.txt
Simply replace the text file location with the file of your choice.
You can also use network paths such as \\server\promotiontext$\dcpromo.txt to supply an answer file to dcpromo.exe. This makes for an ideal scenario in which files don't remain lingering on domain controllers promoted this way.
The answer file consists of several arguments. Typical arguments found in the answer file include the ReplicaOrNewDomain, InstallDNS, and ConfirmGC arguments. A prime example of an answer file to add an additional domain controller to an existing domain would look like the following:
[DCINSTALL]
ReplicaorNewDomain= replica
ReplicaDomainDNSName= lucernpub.com
UserDomain= LUCERNPUB
UserName= Administrator
SiteName= RemoteLocation
Password= "P@$$w0rd"
InstallDNS= Yes
ConfirmGC= Yes
CreateDNSDelegation= No
DatabasePath= E:\NTDS
LogPath= E:\Logs
SYSVOLPath= E:\SYSVOL
SafeModeAdminPassword= "P@$$w0rd"
RebootOnSuccess= true
Using this answer file adds a domain controller to the lucernpub.com Active Directory domain, using the credentials for the administrator account with the P@$$w0rd password. The domain controller is installed with a DNS server and configured as a global catalog server. All the Active Directory-related files are stored in corresponding folders on the E:\ drive, and when successful, the Windows Server installation you intend as the domain controller will be rebooted automatically.
Replace the values in the preceding sample file with the values of your choice.
When promotion is successful, the passwords specified as the values for the Password and SafeModeAdminPassword arguments are cleared from the answer file. However, when promotion is unsuccessful, these values remain and may cause harm if they fall into the wrong hands.
The arguments in the answer file can also be specified as command-line arguments. The arguments can be reused one on one, so the preceding sample answer file would correspond to the following command line:
dcpromo.exe /unattend /replicaornewdomain:Replica /replicadomaindnsname:lucernpub.com /userdomain:LUCERNPUB /username:administrator /password:"P@$$w0rd" /sitename:RemoteLocation /installdns:yes /confirmgc:yes /databasepath:"E:\NTDS" /logpath:"E:\logs" /sysvolpath:"E:\sysvol" /safemodeadminpassword:"P@$$w0rd"
Replace the values in the preceding command line with the values of your choice.
After promoting a Windows Server installation to the domain controller, it's recommended to check for proper promotion. Perform these steps to check the promotion:
C:\Windows\Debug\dcpromo.log
C:\Windows\Debug\dcpromoui.log
In Event Viewer (eventvwr.exe), new dedicated logs are created for Active Directory. Search these logs for any Active Directory-related errors.
For more information, refer to the following recipes:
Read-only domain controllers were introduced with Windows Server 2008. They have been hugely popular for providing Active Directory Domain Services to branch offices and small perimeter networks.
Read-only domain controllers are the ideal type of domain controllers for environments with the following:
These characteristics are typically true for branch offices. Before read-only domain controllers, administrators had to make the hard choice between doing nothing, placing fully (read-write) domain controllers in these locations, or upgrading the available bandwidth and/or resiliency of the networking connections between the branch offices and the head office or central data center(s).
Some organizations have opted to deploy read-only domain controllers in perimeter networks. Microsoft supports only one read-only domain controller per Active Directory site. This way, any perimeter network deployment would not have much Active Directory resiliency. Many organizations have, therefore, opted for a separate Active Directory forest for these implementation scenarios.
Read-only domain controllers have requirements that we need to adhere to before we can deploy and use them:
ADPrep /rodcprep needs to have run at least once on the domain controller holding the Domain Naming Master FSMO role, but this step may be skipped when the Active Directory environment was never set up with, and has never run, pre-Windows Server 2008-based domain controllers.
Read-only domain controllers allow for scoped replication. It's a recommended practice to determine the user accounts and computer accounts that are strictly needed in the branch office location. The read-only domain controller will be able to cache the passwords for these accounts to speed up authentication for them in the branch office. The Allowed RODC Password Replication Group is the default group to which to add (groups of) user accounts and computer accounts for this functionality.
If you desire strict group memberships for this functionality per read-only domain controller, create the groups you need before you promote the Windows Server installation to a read-only domain controller for which you need the group scope.
Another way to think about security before promoting the first read-only domain controller is to determine the privileged accounts and otherwise sensitive accounts for which you do not want passwords replicated to the read-only domain controller you intend to create. These (groups of) accounts can be specified as the accounts that are denied from replicating passwords to the RODC.
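The scoping described in the previous paragraphs, as an added example that is not part of the book: it audits which accounts an RODC may cache, denies the privileged groups explicitly, and reports any already cached account that is a nested member of a privileged group. It assumes a single-domain forest, an RODC named RODC01 and a branch group named BranchOffice-Users; all three names are constructed.

```powershell
# Added example (not from the book): audit and tighten the Password Replication Policy (PRP)
# of a read-only domain controller. Assumes a single-domain forest; RODC01 and
# BranchOffice-Users are constructed names for this example.
function Test-RodcPasswordReplicationPolicy {
    param(
        [string]$Rodc = 'RODC01',
        [string]$BranchGroup = 'BranchOffice-Users'
    )
    Import-Module ActiveDirectory

    # Groups whose members' secrets must never be cached on a branch-office server. Most are
    # already covered by the default denied list; listing them explicitly makes the intent auditable.
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                  'Account Operators', 'Server Operators', 'Backup Operators'

    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)

    # Scope caching to the accounts the branch actually needs.
    if ($allowed.Name -notcontains $BranchGroup) {
        Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchGroup
        "Allowed $BranchGroup to replicate passwords to $Rodc"
    }

    # A deny entry wins over an allow entry, so denying privileged groups is safe even when
    # a privileged account is nested somewhere inside the allowed branch group.
    foreach ($group in $privileged) {
        if ($denied.Name -notcontains $group) {
            Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList $group
            "Denied $group from replicating passwords to $Rodc"
        }
    }

    # Accounts whose secrets are already cached on the RODC. Any of them that is a (nested)
    # member of a privileged group is a finding: a stolen RODC would expose that account.
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
    $findings = @(foreach ($account in $revealed) {
        # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested group membership.
        $memberOf = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($account.DistinguishedName))"
        $hit = @($memberOf | Where-Object { $privileged -contains $_.Name })
        if ($hit.Count -gt 0) {
            [pscustomobject]@{ Account = $account.SamAccountName; PrivilegedGroups = ($hit.Name -join ', ') }
        }
    })
    '{0} account(s) cached on {1}, {2} of them privileged' -f $revealed.Count, $Rodc, $findings.Count
    $findings
}

Test-RodcPasswordReplicationPolicy
```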
Just like for read/write domain controllers, promoting a Windows Server installation to a read-only domain controller consists of three steps:
When using dcpromo.exe, you do not have to install the role beforehand.
There are several ways to promote the server. The following table displays the possibilities:
The methods in the table are all explained in more detail in this recipe.
There are three ways to install the Active Directory Domain Services role: through Server Manager, with the Install-WindowsFeature cmdlet, or through Windows Admin Center.
To install the Active Directory Domain Services role using Server Manager, perform these steps:
servermanager.exe. The Server Manager window appears.
As an alternative to using Server Manager, the Install-WindowsFeature cmdlet can be used. Run the following line of Windows PowerShell in an elevated window to install the Active Directory Domain Services role:
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
The preceding line of Windows PowerShell offers the only way to install the Active Directory Domain Services role on a Server Core installation of Windows Server locally.
Although a PowerShell script can be run from the Windows Admin Center, it also offers a native way to install roles and features. Perform these steps:
There are three ways to promote a Windows Server installation to a read-only domain controller: the Active Directory Domain Services Configuration Wizard in Server Manager, the Install-ADDSDomainController cmdlet from the Active Directory module for Windows PowerShell with the dedicated -ReadOnlyReplica parameter, or dcpromo.exe with an answer file.
Perform these steps to promote the server to a read-only domain controller:
servermanager.exe, or return to Server Manager when you've finished installing the Active Directory Domain Services role using Server Manager.
Tip
If a group or an account features in both the accounts that are allowed to replicate passwords to the RODC and accounts that are denied from replicating passwords to the RODC, then the group or account is denied from replicating passwords to the RODC.
SYSVOL. Click Next > to continue to the Paths screen:
Accept the default paths under C:\Windows, or change the values to store Active Directory-related files somewhere else.
Tip
The Review Options screen features a button labeled View script. This button displays the Windows PowerShell script used to execute the read-only domain controller promotion. This reusable script may be a real timesaver, especially when adding several read-only domain controllers to an existing domain.
After successful promotion, the Windows Server installation will reboot as a read-only domain controller.
For the Active Directory module for Windows PowerShell, Microsoft does not offer a dedicated PowerShell cmdlet to add a read-only domain controller. Instead, Install-ADDSDomainController is used with the dedicated -ReadOnlyReplica parameter. The simplest script would look like the following code:
Install-ADDSDomainController -DomainName lucernpub.com -Sitename RemoteLocation -ReadOnlyReplica
However, to add a read-only domain controller to an existing domain with the same settings as in the previous wizard example, the following script is needed:
Install-ADDSDomainController -DomainName lucernpub.com -Credential (Get-Credential) -ReadOnlyReplica -InstallDns:$true -NoGlobalCatalog:$false -DatabasePath "E:\NTDS" -LogPath "E:\Logs" -SysvolPath "E:\SYSVOL" -SiteName RemoteLocation
This will add a read-only domain controller to the lucernpub.com Active Directory domain using credentials you will be prompted for securely. The domain controller will be installed with a DNS server and configured as a global catalog server. All the Active Directory-related files are stored in corresponding folders on the E:\ drive, and, when successful, the Windows Server installation you intend as the domain controller will be rebooted automatically.
Replace the values in the preceding sample script with the values of your choice.
Read-only domain controllers can be promoted using dcpromo.exe with an answer file or with all the installation arguments specified, just like fully writable domain controllers. An added benefit is that dcpromo.exe will install the Active Directory Domain Services server role automatically when it's not yet present.
Using dcpromo.exe with an answer file consists of running the following command line:
dcpromo.exe /unattend:C:\install\dcpromo.txt
A prime example of an answer file to add a read-only domain controller would look like this:
[DCINSTALL]
ReplicaorNewDomain= readonlyreplica
ReplicaDomainDNSName= lucernpub.com
UserDomain= LUCERNPUB
UserName= Administrator
SiteName= RemoteLocation
Password= "P@$$w0rd"
InstallDNS= Yes
ConfirmGC= Yes
CreateDNSDelegation= No
DatabasePath= E:\NTDS
LogPath= E:\Logs
SYSVOLPath= E:\SYSVOL
SafeModeAdminPassword= "P@$$w0rd"
RebootOnSuccess= true
The preceding answer file adds a read-only domain controller to the lucernpub.com Active Directory domain, using the credentials for the administrator account with the P@$$w0rd password. The read-only domain controller is installed with a DNS server and configured as a global catalog server. All the Active Directory-related files are stored in corresponding folders on the E:\ drive, and when successful, the Windows Server installation you intend as the read-only domain controller is rebooted automatically.
Replace the values in the preceding sample file with the values of your choice.
The arguments in the answer file can also be specified as command-line arguments. The arguments can be reused one on one, so the preceding sample answer file would correspond to the following command line:
dcpromo.exe /unattend /replicaornewdomain:ReadOnlyReplica /replicadomaindnsname:lucernpub.com /userdomain:LUCERNPUB /username:administrator /password:"P@$$w0rd" /sitename:RemoteLocation /installdns:yes /confirmgc:yes /databasepath:"E:\NTDS" /logpath:"E:\logs" /sysvolpath:"E:\sysvol" /safemodeadminpassword:"P@$$w0rd"
Replace the values in the preceding command line with the values corresponding to your environment.
After promoting a Windows Server installation to a read-only domain controller, it's recommended practice to check for proper promotion. Perform these steps to check:
C:\Windows\Debug\dcpromo.log
C:\Windows\Debug\dcpromoui.log
In Event Viewer (eventvwr.exe), new dedicated logs are created for Active Directory Domain Services. Search these logs for any Active Directory-related errors.
Read-only domain controllers are different from normal domain controllers in the following ways:
krbtgt). Additionally, because no Active Directory writes are expected from read-only domain controllers, normal domain controllers don't replicate from them.
For more information, refer to the following recipes:
For Active Directory environments with really low bandwidth or networking resiliency between locations with domain controllers, regardless of whether these are read-only domain controllers or fully writable domain controllers, promoting a Windows Server installation to a domain controller can take a long time or even fail.
In these types of scenarios, for adding an additional domain controller or read-only domain controller to an existing domain, Microsoft offers the Install From Media (IFM) option.
When creating IFM media, check for proper Active Directory replication before creating the IFM media on the domain controller. This ensures that the domain controller is up to date with all changes in Active Directory.
Create a folder on the source and destination domain controller to store the files needed for IFM.
IFM consists of two steps:
Creating the IFM package
Leveraging the IFM package
To create the IFM package, perform the following actions on a domain controller in a well-connected networking location that runs the same version of Windows Server as the installation you intend to promote swiftly with the IFM package in a low-bandwidth location:
Tip
IFM packages to create read-only domain controllers can be created on both read-only domain controllers and fully writable domain controllers. IFM packages to create fully writable domain controllers can only be created on fully writable domain controllers.
cmd.exe, but instead of running it by pressing Enter, press Ctrl, Shift, and Enter.
ntdsutil.exe
activate instance ntds
Enter the IFM creation context:
IFM
Create the IFM package, including the contents of the Active Directory SYSVOL, for a read-only domain controller and place it in the C:\IFM folder:
create sysvol rodc C:\IFM
Leave the IFM context and then ntdsutil.exe:
quit
quit
To leverage the IFM package on the destination domain controller in the remote location, choose one of the following methods:
The Active Directory Domain Services Configuration Wizard
dcpromo.exe
The Install-ADDSDomainController PowerShell cmdlet
Perform these steps to leverage the install using the Active Directory Domain Services Configuration Wizard:
The Install-ADDSDomainController PowerShell cmdlet only needs the additional -InstallationMediaPath parameter to leverage the IFM package when promoting a Windows Server installation to a domain controller.
When combining it with the sample PowerShell command for adding a domain controller to an existing domain, the following line of Windows PowerShell emerges:
Install-ADDSDomainController -DomainName lucernpub.com -InstallationMediaPath "C:\IFM"
Replace lucernpub.com with the DNS domain name of your Active Directory domain.
As with the Install-ADDSDomainController PowerShell cmdlet, dcpromo.exe requires one additional parameter to leverage the IFM package.
Perform the following steps:
When using an answer file, add the following line to it:
ReplicationSourcePath= "C:\IFM"
When specifying all the arguments on the command line, add the following argument:
/ReplicationSourcePath:"C:\IFM"
As a Windows Server installation becomes a domain controller, it replicates the contents of the Active Directory database and the Active Directory SYSVOL to its local hard drive(s). The entire package needed for this replication can also be assembled before promotion. Then, the IFM package can be delivered to the remote location, or even carried by the technician who will promote the (read-only) domain controller.
Important Note
The amount of network traffic needed when using the IFM option is heavily reduced but is certainly not zero. As the IFM package represents a point-in-time snapshot of the contents of the Active Directory database and the Active Directory SYSVOL, any changes between the time of the creation of the IFM package and using it will need to replicate before promotion of the domain controller is successfully completed.
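The creation step from this recipe as a non-interactive script, with the checks a practitioner wants around it: a replication health gate before the snapshot, validation of the package layout, a hash manifest for the technician who carries it, and the date after which the point-in-time copy is older than the tombstone lifetime. This is an added example, not code from the book; it assumes an elevated session on the source domain controller and uses the recipe's C:\IFM folder and the "sysvol rodc" package type.

```powershell
# Added example (not from the book): create an IFM package from a healthy domain controller
# without the interactive ntdsutil.exe session, verify it, and record when it expires.
# Assumptions: run elevated on the source DC; C:\IFM and 'sysvol rodc' are the recipe's values.
function New-IfmPackage {
    param(
        [string]$Path = 'C:\IFM',
        # ntdsutil variants: 'full', 'rodc', 'sysvol full', 'sysvol rodc'
        [string]$Type = 'sysvol rodc'
    )
    Import-Module ActiveDirectory

    # A package built from a DC with failing inbound replication is stale before it ships.
    $failures = @(Get-ADReplicationFailure -Target $env:COMPUTERNAME)
    if ($failures.Count -gt 0) {
        $failures | Format-Table Partner, FailureType, FailureCount, LastError
        throw 'Fix inbound replication before creating IFM media.'
    }

    # ntdsutil accepts the commands of the interactive session as arguments, one per prompt.
    & ntdsutil.exe 'activate instance ntds' 'ifm' "create $Type $Path" 'quit' 'quit'

    # Layout ntdsutil writes: the database, the registry hives, and (for sysvol types) SYSVOL.
    $expected = @("$Path\Active Directory\ntds.dit", "$Path\registry\SYSTEM", "$Path\registry\SECURITY")
    if ($Type -like 'sysvol*') { $expected += "$Path\SYSVOL" }
    foreach ($item in $expected) {
        if (-not (Test-Path -Path $item)) { throw "IFM package incomplete: $item is missing" }
    }

    # The package is a point-in-time copy and is unusable once its data is older than the
    # tombstone lifetime. The value lives on the Directory Service object; absent means 60 days.
    $config = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$config" `
                             -Properties tombstoneLifetime
    $tombstoneDays = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
    $created = (Get-Item -Path "$Path\Active Directory\ntds.dit").LastWriteTime

    # SHA-256 manifest so the receiving technician can prove the media was not altered in transit.
    # A 'full' package holds every secret in the domain; an 'rodc' package has secrets removed.
    $manifest = Join-Path -Path $Path -ChildPath 'manifest.csv'
    Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { $_.FullName -ne $manifest } |
        Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'RelativePath'; e = { $_.Path.Substring($Path.Length + 1) } }, Hash |
        Export-Csv -Path $manifest -NoTypeInformation

    [pscustomobject]@{
        Path          = $Path
        Type          = $Type
        CreatedAt     = $created
        TombstoneDays = $tombstoneDays
        UseBefore     = $created.AddDays($tombstoneDays)
        Manifest      = $manifest
    }
}

New-IfmPackage
```

On the destination server, recompute the hashes with Get-FileHash and compare them against manifest.csv before passing the folder to -InstallationMediaPath or /ReplicationSourcePath.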
The IFM feature for promoting domain controllers leverages the fact that the contents of the Active Directory database and the Active Directory SYSVOL are identical throughout all domain controllers within the domain. The domain controller cloning feature takes this one step further and leverages the fact that all domain controllers are largely identical – not just the Active Directory-related files but all operating system files, most agent installations, information security measures, and most configuration items.
When a domain controller is properly prepared and promoted, it can serve as a template.
The domain controller cloning feature requires the following:
The domain controller you intend to clone needs to adhere to the following requirements:
When cloning domain controllers, check for proper Active Directory replication before cloning. This ensures that the domain controllers are up to date with all changes in Active Directory and can communicate the changes involved in adding a domain controller.
There are four steps to cloning a domain controller:
To successfully clone a domain controller, all agents and software packages that you've installed and configured on the domain controller you intend to clone need to support it.
When you install the Active Directory Domain Services role on a Windows Server 2012 installation, or on any newer version of Windows Server, the Get-ADDCCloningExcludedApplicationList PowerShell cmdlet becomes available. When you run this PowerShell cmdlet, it returns the applications and services that are not known to Microsoft to clone successfully.
All Microsoft services and add-on packages that ship with Windows Server are tested, so these are already part of the DefaultDCCloneAllowList.xml file. The contents of C:\Windows\System32\DefaultDCCloneAllowList.xml are shown as follows:
For any other service and/or application, the recommended practice is to ask the vendor whether domain controller cloning is supported. When all services and applications check out, you can run the following line of PowerShell to add them to your organization's CustomDCCloneAllowList.xml file:
Get-ADDCCloningExcludedApplicationList -GenerateXml -Path C:\Windows\NTDS -Force
In the preceding line of Windows PowerShell, the default path for the Active Directory database is supplied. Change it accordingly before running it.
After cloning, the domain controller picks up this file when you store it on removable media or in the same path as the Active Directory database.
The new domain controller that is created when an existing domain controller is cloned will need to be different from the existing one. It will need a different hostname, IPv4 address(es), IPv6 address(es), possibly different DNS Server allocations, or a different Active Directory site.
Microsoft provides a way to supply this information through the DCCloneConfig.xml file. Again, after cloning, the domain controller picks up this file when you store it on removable media or in the same path as the Active Directory database.
If no DCCloneConfig.xml file is supplied, the new domain controller will boot into Directory Services Restore Mode.
If an empty DCCloneConfig.xml file is supplied, the new domain controller will be assigned the following:
If a specific hostname, Active Directory site, or IP address is needed, look at the parameters you can specify for New-ADDCCloneConfigFile, such as the -SiteName, -CloneComputerName, and -Static and -IPv4Address parameters.
A sample PowerShell one-liner to create a new domain controller with the name DC04 in the Active Directory site named RemoteLocation with the correct IPv4 information would look like the following:
New-ADDCCloneConfigFile -CloneComputerName "DC04" -SiteName RemoteLocation -Static -IPv4Address "10.0.1.3" -IPv4SubnetMask "255.255.255.0" -IPv4DefaultGateway "10.0.1.1" -IPv4DNSResolver "10.0.0.2"
Change the values for the -SiteName, -CloneComputerName, -Static, -IPv4Address, -IPv4SubnetMask, -IPv4DefaultGateway, and -IPv4DNSResolver parameters to values that make sense for your environment.
In large organizations, the team responsible for managing Active Directory is usually a different team from the one managing the hypervisor platform. Through the integration components and/or VMware tools, the latter team might configure domain controllers for cloning and clone them, adding to the management burden of the Active Directory management team.
Therefore, the Active Directory team must explicitly allow a domain controller to be cloned in Active Directory. The mechanism to do so is to add source domain controllers to the Cloneable Domain Controllers group.
The following line of PowerShell accomplishes this for a source domain controller named DC03 in the lucernpub.com Active Directory domain:
Add-ADGroupMember "Cloneable Domain Controllers" "CN=DC03,OU=Domain Controllers,DC=LucernPub,DC=com"
Replace the distinguishedName value of DC03 with the distinguishedName value of the domain controller you want to add to the Cloneable Domain Controllers group.
Now, the hypervisor platform team can clone the source domain controller.
As an Active Directory administrator, shut down the domain controller you intend to clone. After cloning has been successful, remove the source domain controller from the Cloneable Domain Controllers group and start it again as one of the domain controllers for the domain, or leave it off and allow it to be cloned repeatedly for a maximum period of 60 to 180 days, depending on the current tombstone lifetime period settings.
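The preparation steps of this recipe combined into one script, with the prerequisite checks (VM-GenerationID device, PDC emulator version, allow-listed software) made explicit before the source domain controller is authorized and its DCCloneConfig.xml written, plus the cleanup step for afterwards. This is an added example, not code from the book; it reuses the recipe's sample names DC03, DC04, RemoteLocation and the 10.0.1.x addresses and assumes an elevated session on the source domain controller.

```powershell
# Added example (not from the book): pre-flight checks and configuration for cloning the source
# domain controller DC03 into DC04. Run elevated on DC03. Names, site and addresses are the
# recipe's sample values; adjust them for your environment.
function Initialize-DcCloning {
    param(
        [string]$Source = 'DC03',
        [string]$Clone = 'DC04',
        [string]$Site = 'RemoteLocation'
    )
    Import-Module ActiveDirectory

    # 1. The hypervisor must expose a VM-GenerationID; Windows surfaces it as this system device.
    $counter = Get-CimInstance -ClassName Win32_PnPEntity -Filter "Name = 'Microsoft Hyper-V Generation Counter'"
    if (-not $counter) { throw 'No VM-GenerationID device found; this hypervisor cannot clone domain controllers.' }

    # 2. The PDC emulator handles clone requests and must run Windows Server 2012 (NT 6.2) or later.
    $pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
    $pdcVersion = [version]($pdc.OperatingSystemVersion -replace '\s.*$')
    if ($pdcVersion -lt [version]'6.2') {
        throw "PDC emulator $($pdc.HostName) runs $($pdc.OperatingSystem), which is too old for cloning."
    }

    # 3. Every installed service and application must be on an allow list.
    $excluded = @(Get-ADDCCloningExcludedApplicationList)
    if ($excluded.Count -gt 0) {
        $excluded | Format-Table Name, Type
        throw 'Unvetted software present; confirm vendor support, then generate CustomDCCloneAllowList.xml.'
    }

    # 4. The Active Directory team explicitly authorizes this DC for cloning through group membership.
    $sourceDn = (Get-ADComputer -Identity $Source).DistinguishedName
    Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $sourceDn

    # 5. Write DCCloneConfig.xml with the clone's identity. By default the file lands in the local
    #    NTDS folder, where the clone reads it on first boot instead of entering DSRM.
    #    (New-ADDCCloneConfigFile validates the prerequisites again; the checks above make the
    #    reason for a failure explicit.)
    New-ADDCCloneConfigFile -CloneComputerName $Clone -SiteName $Site -Static `
        -IPv4Address '10.0.1.3' -IPv4SubnetMask '255.255.255.0' `
        -IPv4DefaultGateway '10.0.1.1' -IPv4DNSResolver '10.0.0.2'

    "$Source is ready to be shut down and cloned as $Clone."
}

# After the hypervisor team has finished, revoke the cloning authorization again.
function Complete-DcCloning {
    param([string]$Source = 'DC03')
    Import-Module ActiveDirectory
    $sourceDn = (Get-ADComputer -Identity $Source).DistinguishedName
    Remove-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $sourceDn -Confirm:$false
    "$Source removed from Cloneable Domain Controllers."
}

Initialize-DcCloning
```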
Domain controller cloning leverages the VM-GenerationID feature found in most modern hypervisor platforms. Through the specifications that Microsoft wrote for this feature, this ID is stored in every virtual machine's RAM and only changes under certain circumstances. These circumstances are the following:
Active Directory Domain Services is the first server role to take advantage of the VM-GenerationID feature to do the following:
By storing the 128-bit VM-GenerationID value from RAM in the Active Directory database, and comparing the stored value with the value in RAM before each major action, the domain controller can sense when a snapshot is applied or when the hard disk is reused.
Important Note
As the VM-GenerationID feature is a hypervisor platform feature, a domain controller cannot sense when a snapshot is applied or when the hard disk is reused when these actions originate from the storage fabric or otherwise outside of the hypervisor platform.
When a hard disk is reused and the domain controller is properly prepared to be cloned, domain controller cloning creates a perfect clone of the source domain controller.
Domain controller cloning only allows cloning of fully writable domain controllers. It does not apply to read-only domain controllers.
Use the information in the Determining whether a virtual domain controller has a VM-GenerationID recipe to see whether the hypervisor platform supports domain controller cloning.
Refer to the Modifying the tombstone lifetime period recipe in Chapter 16, Hardening Azure AD, to find out whether domain controllers can be cloned for 60 or 180 days.
One of the requirements for Active Directory Virtualization Safeguards and domain controller cloning is the ability of the hypervisor platform to provide the VM-GenerationID to the virtual domain controller.
To determine whether a virtual domain controller has the VM-GenerationID, perform these steps:
1. Run devmgmt.msc. The Device Manager window appears.
2. Under System devices, look for the Microsoft Hyper-V Generation Counter system device. The existence of such a device means the virtual domain controller has a VM-GenerationID.
When the hypervisor platform supports the VM-GenerationID feature, it will create a device to place the value of the VM-GenerationID in the virtual memory of the virtual domain controller.
To determine whether a virtual domain controller has a VM-GenerationID, look for this system device.
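The same check from PowerShell, as an added example that is not the book's own code. It assumes Windows Server 2012 R2 or later (for Get-PnpDevice) and a domain controller that has already been promoted, so that its computer object carries the msDS-GenerationId attribute.

```powershell
# Added example (not the book's own code): check on a virtual domain controller
# whether it has a VM-GenerationID, first through the device the recipe looks
# for in Device Manager, then through the msDS-GenerationId attribute the
# domain controller writes to its own computer object once it has seen the ID.
Import-Module ActiveDirectory

function Test-VmGenerationId {
    # The hypervisor exposes the 128-bit value through this system device.
    $device = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object FriendlyName -eq 'Microsoft Hyper-V Generation Counter'

    # AD DS keeps its copy in the directory to compare against the value in RAM.
    $stored = (Get-ADComputer -Identity $env:COMPUTERNAME -Properties 'msDS-GenerationId').'msDS-GenerationId'

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        HasGenerationIdDevice = [bool]$device
        DeviceStatus          = if ($device) { $device.Status } else { 'not present' }
        StoredInDirectory     = [bool]$stored
        # 16 bytes = the 128-bit value, shown as hex so two runs can be compared
        StoredValueHex        = if ($stored) { ($stored | ForEach-Object { $_.ToString('x2') }) -join '' } else { $null }
    }
}

Test-VmGenerationId
```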
Every domain controller has a life cycle. After a certain period, it should make room for newer, better, more agile, or even more cost-efficient domain controllers, or other solutions, such as Azure Active Directory Domain Services.
Before you demote a domain controller, you should ensure the following:
For successful demotions, the domain controller you intend to demote needs to have at least one network interface card attached to the network. Other domain controllers should be reachable and Active Directory replication should be working properly.
This recipe describes two supported ways to demote a domain controller graciously:
To demote a domain controller graciously using Server Manager, perform these steps:
1. Run servermanager.exe. The Server Manager window appears.
To demote a domain controller graciously, you can use the Uninstall-ADDSDomainController PowerShell cmdlet like this:
Uninstall-ADDSDomainController
This removes the domain controller from the Active Directory domain and prompts you for the new password for the built-in administrator account after demotion. Replace the values in the previous sample with the values of your choice.
To remove the Active Directory Domain Services role after demotion, use the following line of Windows PowerShell:
Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools
The domain controller is then demoted, and the Active Directory Domain Services role is removed.
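The PowerShell demotion with its prerequisite check, as an added example that is not the book's own code. It assumes an elevated session on the domain controller being demoted; the -Forced switch is the PowerShell form of the forced removal described later in this chapter.

```powershell
# Added example (not the book's own code): demote this domain controller with
# Windows PowerShell, running the prerequisite check first. Run it in an
# elevated session on the domain controller being demoted.
Import-Module ADDSDeployment

function Invoke-DcDemotion {
    param(
        [Parameter(Mandatory)][securestring]$LocalAdminPassword,
        [switch]$Forced   # only when the DC can no longer replicate with the others
    )
    $common = @{
        LocalAdministratorPassword  = $LocalAdminPassword
        RemoveApplicationPartitions = $true   # drop the DNS application partitions this DC hosts
    }
    if ($Forced) {
        # Forced removal talks to no other DC, so its metadata must be cleaned up
        # afterwards on a surviving DC. DemoteOperationMasterRole covers FSMO roles
        # the DC still holds; seize them on another DC after the removal.
        return Uninstall-ADDSDomainController @common -ForceRemoval -DemoteOperationMasterRole -Force
    }

    # The test cmdlet runs the same prerequisite checks as the wizard but demotes nothing.
    $check = Test-ADDSDomainControllerUninstallation @common
    if ($check.Status -ne 'Success') {
        Write-Warning "Demotion blocked: $($check.Message)"
        return $check
    }
    return Uninstall-ADDSDomainController @common -Force
}

# Prompts for the new local Administrator password, then demotes graciously.
$newPassword = Read-Host -Prompt 'New local Administrator password' -AsSecureString
Invoke-DcDemotion -LocalAdminPassword $newPassword
```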
Every domain controller has its information stored in numerous places throughout the Active Directory database.
To remove this information and stop other domain controllers from replicating to non-existing domain controllers, the domain controllers should be demoted.
Proper demotion of a domain controller will remove all the references to the domain controller from Active Directory.
However, it is a recommended practice to check the following tools manually after demotion:
DNS Manager (dnsmgmt.msc)
Active Directory Sites and Services (dssite.msc)
It's also an option to forcefully remove a domain controller from Active Directory. While graciously demoting should be the preferred option, you might have to resort to this option.
The process of demoting a domain controller forcefully consists of these steps:
If the domain controller was the last domain controller for a domain in an existing forest, the domain will need to be removed, as it is now an orphaned domain.
Although you would demote a domain controller forcefully when it no longer replicates, you should ensure that the remaining domain controllers are replicating properly.
This recipe describes two ways to do it:
The Active Directory Domain Services Configuration Wizard can be used to forcefully demote a domain controller when the Windows Server installation is still bootable and you are able to sign in to it with administrative credentials.
Perform these steps:
1. Run servermanager.exe. The Server Manager window appears.
Sometimes, the Active Directory Domain Services Configuration Wizard cannot be used, such as in the following situations:
In these scenarios, the following manual steps can be performed to remove the domain controller from Active Directory.
Perform these steps to perform metadata cleanup:
1. Run cmd.exe, but instead of running it by pressing Enter, press Ctrl, Shift, and Enter to start it elevated.
2. Type ntdsutil.exe and press Enter.
3. Type metadata cleanup and press Enter.
4. To remove the domain controller DC04.lucernpub.com, type the following command and press Enter:
remove selected server "CN=DC04,CN=Servers,CN=RemoteLocation,CN=Sites,CN=Configuration,DC=LucernPub,DC=com"
5. Type quit and press Enter to leave metadata cleanup, then type quit and press Enter again to leave ntdsutil.exe.
After the metadata cleanup, the DNS records for the domain controller may still be present. Use the DNS MMC Snap-in to remove the DNS A, AAAA, PTR, and SRV records for the domain controller.
To delete the computer object for the domain controller, use the Active Directory Administrative Center:
1. Run dsac.exe. The Active Directory Administrative Center window appears.
To delete the computer object for the domain controller, you can alternatively run the following line of Windows PowerShell:
Remove-ADComputer -Identity DC04
Replace DC04 with the name of the domain controller you want to remove.
The domain controller was also a member of the replication group for the Active Directory SYSVOL.
Perform these steps to remove the domain controller:
1. Run dsac.exe. The Active Directory Administrative Center window appears.
To delete the domain controller from Active Directory Sites and Services, perform these steps:
1. Run dssite.msc. The Active Directory Sites and Services window appears.
When you've removed the last domain controller for a domain, it becomes an orphaned domain. Perform these steps to perform a metadata cleanup for the orphaned domain:
1. Run cmd.exe, but instead of running it by pressing Enter, press Ctrl, Shift, and Enter to start it elevated.
2. Type ntdsutil.exe and press Enter.
3. Type metadata cleanup and press Enter.
4. Type connections and press Enter.
5. Type connect to server localhost and press Enter.
6. Type quit and press Enter to return to the metadata cleanup prompt.
7. Type select operation target and press Enter.
8. Type list domains and press Enter. Note the number of the orphaned domain.
9. Type select domain <ID> and press Enter, replacing <ID> with the number of the orphaned domain.
10. Type quit and press Enter to return to the metadata cleanup prompt.
11. Type remove selected domain and press Enter.
12. Type quit and press Enter, then type quit and press Enter again to leave ntdsutil.exe.
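The manual cleanup of a forcefully removed domain controller (metadata cleanup, DNS records, computer object, SYSVOL replication membership, and Sites and Services) in one PowerShell function, as an added example that is not the book's own code; it does not cover the orphaned-domain steps. It assumes a Domain Admin session on a surviving domain controller that also runs DNS, and uses the page's names DC04, RemoteLocation and lucernpub.com.

```powershell
# Added example (not the book's own code): clean up what a forcefully removed
# domain controller leaves behind, replacing the ntdsutil, DNS, computer object,
# SYSVOL membership and Sites and Services steps above with one function.
# Run as a Domain Admin on a surviving domain controller that also runs DNS.
Import-Module ActiveDirectory
Import-Module DnsServer

function Remove-DeadDomainController {
    param(
        [Parameter(Mandatory)][string]$Name,       # for example DC04
        [Parameter(Mandatory)][string]$SiteName,   # for example RemoteLocation
        [Parameter(Mandatory)][string]$DomainDns   # for example lucernpub.com
    )
    $domainDn = (Get-ADDomain -Identity $DomainDns).DistinguishedName
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $fqdn     = "$Name.$DomainDns".ToLower()

    # 1. Metadata cleanup. Deleting the server object (and its NTDS Settings
    #    child) makes the surviving DCs remove the replication metadata, which
    #    is what "remove selected server" in ntdsutil does.
    Get-ADObject -LDAPFilter "(cn=$Name)" -SearchBase "CN=Servers,CN=$SiteName,CN=Sites,$configNc" -SearchScope OneLevel |
        Remove-ADObject -Recursive -Confirm:$false

    # 2. Computer object. DC computer objects have children (RID Set,
    #    DFSR-LocalSettings), so delete the subtree rather than the leaf.
    Get-ADComputer -Filter "Name -eq '$Name'" -SearchBase $domainDn |
        ForEach-Object { Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false }

    # 3. SYSVOL replication membership in the DFS Replication topology.
    $topology = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDn"
    Get-ADObject -LDAPFilter "(&(objectClass=msDFSR-Member)(cn=$Name))" -SearchBase $topology |
        Remove-ADObject -Confirm:$false

    # 4. DNS: the DC's own A/AAAA records, the CNAME for its DSA GUID in _msdcs,
    #    and every SRV record that still points at it. PTR records live in the
    #    reverse zones and are left for a manual check.
    foreach ($zone in $DomainDns, "_msdcs.$DomainDns") {
        Get-DnsServerResourceRecord -ZoneName $zone |
            Where-Object {
                ($_.RecordType -in 'A', 'AAAA' -and $_.HostName -eq $Name) -or
                ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -eq "$fqdn.") -or
                ($_.RecordType -eq 'SRV' -and $_.RecordData.DomainName -eq "$fqdn.")
            } |
            Remove-DnsServerResourceRecord -ZoneName $zone -Force
    }
}

Remove-DeadDomainController -Name DC04 -SiteName RemoteLocation -DomainDns lucernpub.com
```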
To seize the FSMO roles, see the Managing FSMO roles recipe in Chapter 3, Managing Active Directory Roles and Features.
To configure domain controllers as global catalog servers, see the Managing global catalogs recipe in Chapter 3, Managing Active Directory Roles and Features.
It's a good thing to know all the domain controllers throughout an Active Directory domain. This activity doesn't just show the management burden for Active Directory administrators; it also allows them to make smart choices, especially when the environment is breached.
Although it's not recommended practice, administrators may place domain controllers outside the Domain Controllers Organizational Unit (OU). In that case, simply checking the computer accounts in that OU will not provide a 100% view of the domain controllers in use.
This recipe shows two ways to get a good overview of the domain controllers in an Active Directory domain:
Active Directory Users and Computers allows for querying the entire Active Directory domain for either writable domain controllers or read-only domain controllers in the following way:
1. Run dsa.msc. The Active Directory Users and Computers window appears.
The list of domain controllers for the domain is now shown in the search results pane.
Using the Active Directory module for Windows PowerShell to inventory domain controllers is even easier.
Simply use the following line of Windows PowerShell:
Get-ADDomainController | Select-Object Name
If you want more information on the domain controllers within the current domain, simply add the characteristics you would like to see after the Select-Object cmdlet. For instance, you can add IPv4Address, IsGlobalCatalog, IsReadOnly, OperatingSystem, and Site for good measure. If you're looking for a smart layout, simply append | Format-Table. If you want to get the information straight to your clipboard so that you can paste it into a report or anywhere else, append | clip.
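An inventory that also catches domain controllers placed outside the Domain Controllers OU, as an added example that is not the book's own code. It cross-checks Get-ADDomainController against the computer accounts carrying a DC account flag in userAccountControl.

```powershell
# Added example (not the book's own code): inventory all domain controllers in
# the current domain and cross-check them against the computer accounts that
# carry a DC account flag, so that DCs placed outside the Domain Controllers
# OU, or flagged accounts that are not known DCs, stand out.
Import-Module ActiveDirectory

function Get-DcInventory {
    $dcOu = (Get-ADDomain).DomainControllersContainer

    # What the directory service itself reports as domain controllers.
    $dcs = Get-ADDomainController -Filter * |
        Select-Object Name, IPv4Address, IsGlobalCatalog, IsReadOnly, OperatingSystem, Site, ComputerObjectDN

    # Independent view: the userAccountControl bits SERVER_TRUST_ACCOUNT (0x2000,
    # writable DCs) and PARTIAL_SECRETS_ACCOUNT (0x4000000, RODCs), wherever the
    # computer object lives in the domain.
    $flagged = Get-ADComputer -LDAPFilter '(|(userAccountControl:1.2.840.113556.1.4.803:=8192)(userAccountControl:1.2.840.113556.1.4.803:=67108864))'

    foreach ($dc in $dcs) {
        $dc | Add-Member -NotePropertyName InDomainControllersOU `
                         -NotePropertyValue ($dc.ComputerObjectDN -like "*,$dcOu") -PassThru
    }
    foreach ($account in $flagged | Where-Object { $dcs.Name -notcontains $_.Name }) {
        Write-Warning "$($account.DistinguishedName) carries a DC account flag but is not a known domain controller"
    }
}

Get-DcInventory |
    Format-Table Name, IPv4Address, IsGlobalCatalog, IsReadOnly, OperatingSystem, Site, InDomainControllersOU
```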
One of the benefits of deploying read-only domain controllers is their ability to recover quickly from an information security breach.
Since only the passwords of a subset of users are cached on a read-only domain controller (those who signed in through it), and the passwords for really sensitive accounts were not allowed to be cached on it, the impact of a stolen read-only domain controller is small compared to that of a fully writable domain controller.
To render the read-only domain controller useless to an attacker or thief, perform these steps:
1. Run dsa.msc. The Active Directory Users and Computers window appears.
Each read-only domain controller caches the hashes of the passwords for users signing in through the read-only domain controller. For this functionality, the read-only domain controller contacts a writable domain controller.
When a user account is denied having its password cached, the password is not cached. For accounts on which the passwords have been cached, the best remedy is to reset these passwords.
Every Kerberos ticket that is given to devices or user accounts is encrypted using the separate krbtgt
account for the read-only domain controller. These tickets are bound to the read-only domain controller. When the read-only domain controller is removed from the Active Directory domain, these Kerberos tickets become useless.
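The response to a stolen read-only domain controller in PowerShell, as an added example that is not the book's own code: reset the accounts whose secrets were actually cached on it, then remove the read-only domain controller from the domain. RODC01 is an assumed name, and the script assumes a Domain Admin session on a writable domain controller.

```powershell
# Added example (not the book's own code): respond to a stolen read-only domain
# controller from a writable DC. It resets the password of every user account
# whose secrets were cached on the RODC, reports cached computer accounts, and
# then deletes the RODC's computer object. RODC01 is an assumed name.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 24 bytes from a cryptographic RNG, base64-encoded: 32 characters.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return (ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force)
}

function Invoke-RodcCompromiseResponse {
    param([Parameter(Mandatory)][string]$Rodc)

    # "Revealed" accounts are the ones whose secrets were actually replicated to
    # the RODC, not just those the password replication policy would allow.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    $report = foreach ($account in $revealed) {
        $action = switch ($account.ObjectClass) {
            'user' {
                Set-ADAccountPassword -Identity $account.DistinguishedName -Reset -NewPassword (New-RandomPassword)
                Set-ADUser -Identity $account.DistinguishedName -ChangePasswordAtLogon $true
                'password reset, change required at next sign-in'
            }
            default {
                # Resetting a computer account from AD breaks its secure channel; reset it
                # from the machine (Reset-ComputerMachinePassword) or rejoin it instead.
                'needs a machine password reset or domain rejoin'
            }
        }
        [pscustomobject]@{ Account = $account.SamAccountName; Class = $account.ObjectClass; Action = $action }
    }

    # Removing the RODC from the domain makes the Kerberos tickets it issued useless.
    $rodcDn = (Get-ADDomainController -Identity $Rodc).ComputerObjectDN
    Remove-ADObject -Identity $rodcDn -Recursive -Confirm:$false
    return $report
}

Invoke-RodcCompromiseResponse -Rodc RODC01 | Format-Table -AutoSize
```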