Archive for November, 2010


Part 2 of 3


Step 4 – Enable CredSSP (multihop-authentication)

Before I could start using DCPROMO I needed to enable multihop authentication using CredSSP. I will not explain this in detail here; instead I refer you to the excellent post by Ravikanth Chaganti – http://www.ravichaganti.com/blog/?p=1230

As this will need to be allowed in bulk, I suggest you use the GPO setting:
Computer Configuration/Administrative Templates/Windows Components/Windows Remote Management (WinRM)/WinRM Service/Allow CredSSP authentication

This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts CredSSP authentication from a remote client. Once enabled this policy sets the WinRM service to accept CredSSP authentication from a remote client.

The management client will also need to be configured to allow credentials to be delegated to the remote systems. In my case I only wanted to allow this on my management server, so I used this command on that system:


Enable-WSManCredSSP -Role Client -DelegateComputer *.domain1.sch.uk

Once enabled, this command allows me to delegate my credentials to any system in the domain that has the WinRM service configured to accept CredSSP authentication.

I recommend that you give this a test run before moving on to the next step.
Create a variable $Cred and store the account you are going to be using for the DCPROMO commands, for example:


$Cred = Get-Credential DOMAIN1\DomainAdmin

Then use Invoke-Command (alias icm) to echo back the server name of each remote system:

icm $Servers { $ENV:ComputerName } -Authentication CredSSP -Credential $Cred
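Before the test run above, it is worth confirming both ends of the CredSSP configuration. This is an added example, not code from the original post; it assumes the $Servers array and $Cred from above and that the servers are reachable with the normal Kerberos authentication Invoke-Command uses by default.

```powershell
# Added example: verify CredSSP on both the management client and the target servers.
# Assumes $Servers (hostnames) and $Cred are already defined as in the post.

# Client side: show the delegation state and which hosts (WSMan/*.domain1.sch.uk) it applies to.
Get-WSManCredSSP

# Server side: read the WinRM service setting the GPO should have switched on.
# Plain Kerberos authentication is enough for this read; CredSSP is only needed for the second hop.
$state = icm $Servers -Credential $Cred -ScriptBlock {
    New-Object PSObject -Property @{
        Server  = $env:COMPUTERNAME
        CredSSP = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
    }
}

# Any server still reporting 'false' has not picked up the GPO yet (run gpupdate or wait for the refresh).
$state | ? { $_.CredSSP -ne 'true' } | % { Write-Warning "CredSSP not accepted on $($_.Server)" }
$state | ft Server, CredSSP -AutoSize

# Once the DCPROMO work is complete the client-side delegation can be removed again:
# Disable-WSManCredSSP -Role Client
```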

Step 5 – Create DCPROMO demote and RODC promote answer files using a word replace template method

The idea is quite simple: first create a DCPROMO demote answer file and an RODC promotion answer file on a test/lab server and use these as templates. Each template is loaded into memory, a word replace is performed where necessary to create the unique answer file needed, and the file is then saved onto the target server. This was the code used to create the two answer files:


$SiteCodes | % {
# Demotion answer file: identical for every server, so the template is copied as-is
$DCPROMODemote = gc 'C:\Scripts\DCPROMODemoteTemplate.txt'
$DCPROMODemote | Out-File "\\D1-$($_)-001\C$\Support\DCPROMODemote.txt" -Encoding ascii
Write-Host "File Saved: \\D1-$($_)-001\C$\Support\DCPROMODemote.txt"
# RODC answer file: every '<SiteCode>' token in the template is replaced with the current Site Code
$DCPROMORODCTemplate = gc 'C:\Scripts\DCPROMO-RODC-Template.txt'
$DCPROMORODCAnswerFile = $DCPROMORODCTemplate -replace '<SiteCode>',$($_)
$DCPROMORODCAnswerFile | Out-File "\\D1-$($_)-001\C$\Support\DCPROMORODCAnswerFile.txt" -Encoding ascii
Write-Host "File Saved: \\D1-$($_)-001\C$\Support\DCPROMORODCAnswerFile.txt"
}

Next, the answer file used for the DCPROMO demotion; no word replacement was necessary here.


; DCPROMO unattend file - Auth jfrmilner
; Usage:
;   dcpromo.exe /unattend:C:\SUPPORT\DCPROMODemote.txt
;
[DCInstall]
; Demotion
RetainDcMetadata=No
IsLastDCInDomain=No
AdministratorPassword=passwordgoeshere
RebootOnCompletion=Yes

This was the template answer file used for the DCPROMO RODC promotion. All text that matched '<SiteCode>' was replaced with the Site Code passed from the pipeline. For example, if the first value in the $SiteCodes array was 'AFCPS' then the line PasswordReplicationAllowed="DOMAIN1\<SiteCode>-Laptops" would become PasswordReplicationAllowed="DOMAIN1\AFCPS-Laptops".


; DCPROMO unattend file - Auth jfrmilner
; Usage:
;   dcpromo.exe /unattend:C:\Support\DCPROMORODCAnswerFile.txt
;
[DCInstall]
; Read-Only Replica DC promotion
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=domain1.sch.uk
; RODC Password Replication Policy
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="DOMAIN1\Denied RODC Password Replication Group"
PasswordReplicationAllowed="DOMAIN1\Allowed RODC Password Replication Group"
PasswordReplicationAllowed="DOMAIN1\<SiteCode>-Laptops"
PasswordReplicationAllowed="DOMAIN1\<SiteCode>-Pupils"
PasswordReplicationAllowed="DOMAIN1\<SiteCode>-Staff"
PasswordReplicationAllowed="DOMAIN1\<SiteCode>-Workstations"
; D1-RODC-Admins will include the Service Desk Global Group
DelegatedAdmin="DOMAIN1\D1-RODC-Admins"
SiteName=<SiteCode>
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=domain1.sch.uk
UserName=DOMAIN1\DomainAdmin
Password= passwordgoeshere
ReplicationSourcePath="C:\Support\IFM_RODC"
ReplicationSourceDC=D1-DC-001.domain1.sch.uk
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword= passwordgoeshere
; Run-time flags (optional)
; CriticalReplicationOnly=Yes
RebootOnCompletion=Yes

I should point out that the passwords in these files are stored in clear text when they are created. The passwords are removed from each file after they have been used as answer files for the DCPROMO tasks. With this in mind, consider carefully which account you use, and do not create these files until you are ready to use them.
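The password handling just described can be built into the file generation itself. The following is an added example and not the post's own code: it writes the RODC answer file per site from the same template, injecting the password only at creation time, and afterwards overwrites the password keys in place once DCPROMO has run. It assumes $SiteCodes, $Servers and $Cred from the post, the template and Support share paths used above, and that the template keeps 'passwordgoeshere' as its placeholder; the function names are chosen here.

```powershell
# Added example (not from the post): template-based answer file creation with the
# password supplied at run time, plus an in-place scrub of the password keys after use.
# Assumes $SiteCodes, $Servers, $Cred and the paths used in the post.

function New-RODCAnswerFile {
    param([string]$SiteCode, [string]$Password)
    $template = Get-Content 'C:\Scripts\DCPROMO-RODC-Template.txt'
    # String.Replace is a literal replace, so a password containing '$' or '\' is written as-is.
    $answer = $template | % { $_.Replace('<SiteCode>', $SiteCode).Replace('passwordgoeshere', $Password) }
    $path = "\\D1-$SiteCode-001\C$\Support\DCPROMORODCAnswerFile.txt"
    $answer | Out-File $path -Encoding ascii
    $path
}

function Clear-AnswerFilePasswords {
    param([string[]]$Servers, [string]$Path)
    # Runs on each server; only the three password keys are rewritten, the rest of the file
    # is left intact so it still documents what DCPROMO was given.
    icm $Servers -Credential $Cred -ArgumentList $Path -ScriptBlock {
        param($Path)
        (Get-Content $Path) -replace '^(Password|SafeModeAdminPassword|AdministratorPassword)=.*$', '$1=REMOVED' |
            Out-File $Path -Encoding ascii
        "$($env:COMPUTERNAME): password keys cleared in $Path"
    }
}

# Usage: create the files only when the promotion is about to run...
$pw = Read-Host 'Password for the DCPROMO answer files'
$SiteCodes | % { New-RODCAnswerFile -SiteCode $_ -Password $pw }
# ...and clear them on the batch of servers once DCPROMO has consumed them.
Clear-AnswerFilePasswords -Servers $Servers[0..9] -Path 'C:\Support\DCPROMORODCAnswerFile.txt'
Clear-AnswerFilePasswords -Servers $Servers[0..9] -Path 'C:\Support\DCPROMODemote.txt'
```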

Step 6 – DCPROMO demote the DC to a Member Server

Before I began to demote servers I created a new OU titled ‘DCPROMO Holding’; this OU also had a GPO linked that would enable PowerShell remoting. By default a demoted server is returned to the Computers OU and because of this would have all GPOs removed.

With all the prerequisites out of the way I could now start demoting Domain Controllers back to Member Servers.
I did about ten servers at a time and I suggest you do the same. I did this using the range operator: for example, if $Servers is a 100 item array, $Servers[0..9] selects the first 10 and $Servers[10..19] the next ten, and so on.

This is the code I used for the first 10:


icm $Servers[0..9] { dcpromo.exe /unattend:C:\SUPPORT\DCPROMODEMOTE.txt | Tee-Object -filepath C:\SUPPORT\DCPROMODEMOTEResultFile.txt } -Authentication CredSSP -Credential $Cred

Note the Tee-Object cmdlet: this allows the output of the DCPROMO run to appear on the console and also be written to a text file. It would not be difficult to parse the text file for detailed information, or to collect the data from each server and concatenate it into a single report.
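One way to do that consolidation, as an added example that is not part of the original post: once a batch has rebooted, read each server's DCPROMODEMOTEResultFile.txt over the admin share and append it to one report, keeping the last output line per server for a quick scan. It assumes $Servers from the post and the C:\SUPPORT path used in the demotion command; the function name is chosen here.

```powershell
# Added example (not the post's code): gather each server's DCPROMO result file into one report.
# Assumes $Servers and the C:\SUPPORT result file path used in the demotion command above.

function Get-DemoteReport {
    param([string[]]$Servers, [string]$ReportPath = 'C:\Scripts\DCPROMODemoteReport.txt')
    $Servers | % {
        $server = $_
        $file = "\\$server\C$\SUPPORT\DCPROMODEMOTEResultFile.txt"
        if (Test-Path $file) {
            $lines = @(Get-Content $file)
            # Append the full output under a header so one file holds the whole batch.
            "===== $server =====" | Out-File $ReportPath -Append
            $lines | Out-File $ReportPath -Append
            New-Object PSObject -Property @{
                Server   = $server
                Lines    = $lines.Count
                LastLine = ($lines | select -Last 1)
            }
        } else {
            # No result file usually means the remote command never ran on that server.
            New-Object PSObject -Property @{ Server = $server; Lines = 0; LastLine = 'NO RESULT FILE' }
        }
    }
}

# Run per batch, mirroring the range operator used for the demotion itself.
Get-DemoteReport -Servers $Servers[0..9] | ft Server, Lines, LastLine -AutoSize
```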

All went to plan, the computer objects for all ten systems were returned to the Computers OU. Checking this OU is actually the quickest way to get an overall feel of the success of the bulk demotion. I then moved the computer objects from the Computers OU to the ‘DCPROMO Holding’ OU.

Thanks for reading. I will post the final part over the course of the week so please check back.

Regards,

jfrmilner


Part 1 of 3


Scenario: This month presented me with an interesting issue that I would like to share. In an effort to provide Role Based Accounts (RBA) to both 1st and 2nd Line Support, it became clear that 2nd Line needed to locally administer DCs, as they also acted as File Servers at some sites; but being a member of Domain Admins was overkill and as such went against Least Privilege best practice. The solution to this issue was to convert all non-dedicated DCs or FSMO Role holders to Read Only Domain Controllers (RODCs). RODCs run as member servers with a local Security Accounts Manager (SAM) and run AD as an isolated service; this allowed me to configure dedicated local administration. This was achieved by adding the 2nd Line role based account group to the BUILTIN\Administrators group on each local RODC. There are other benefits to RODCs but I’ll not cover those in this post.

Now the issue is that this particular Domain has over 150 DCs that need to be converted to RODCs, with the majority being on slow WAN links. I needed to find a way to do this with minimum network traffic, in a consistent manner (to keep the Change Manager happy) and quickly. This was how I did it:

Summary of steps to perform:
1. Sort all Computer and User Objects into Groups that will be used for Password Replication Policies.
2. Set the DNS Server options on each DC NIC to point back to the Core DCs in Head Office.
3. Use the “Install From Media” option of NTDSUTIL to create two local cache copies of the Active Directory. One will be for RODCs and the other will be for Full DCs, the latter could be used for Roll Back scenarios should I wish to restore the DC to its original state.
4. Enable CredSSP used for multihop authentication.
5. Create DCPROMO demote and RODC promote answer files using a word replace template method.
6. DCPROMO demote the DC to a Member Server.
7. Force a restart of the Servers.
8. ReDCPROMO to RODC.
9. Replicate the Passwords for the User and Computer Objects to the local RODC responsible for authentication.

Step 1 – Sort all Computer and User Objects into Groups that will be used for Password Replication Policies

Luckily this step was particularly straightforward for me because we use a five letter code for each customer; this code is used to reference the Site and the Parent OU, and is also used to prefix the Computer Objects. All I needed to do was create an array of all the Site Codes and store it in a variable called $siteCodes, then pass that through to a foreach loop that collected all the Computer Objects for that OU and added them to a Group following a simple pattern match.

This is the code that I used for the first batch of ten (Please note that I used the free Quest AD cmdlets for this and some of the other steps and as such they will need to be installed for this to work):


$siteCodes[0..9] | % {
$siteCode = $($_)
#Sort Computer Membership: only computers that are not yet in exactly one group
$Comps = Get-QADComputer -OU domain1.sch.uk/Schools/$siteCode | ? { $_.memberof.count -ne 1 }
#Workstations are named <SiteCode>W..., laptops <SiteCode>L...
$Comps | ? { $_.Name -match "$($siteCode)W" } | % { Add-QADGroupMember -Identity "$($siteCode)-Workstations" -Member $_.DN }
$Comps | ? { $_.Name -match "$($siteCode)L" } | % { Add-QADGroupMember -Identity "$($siteCode)-Laptops" -Member $_.DN }
}

I also used the below code to list any Computer Objects that were not a member of a single Group, which for me mainly highlighted incorrectly named systems.


$siteCodes[0..9] | % {
$siteCode = $($_)
#Check for Problem Systems
Get-QADComputer -OU domain1.sch.uk/Schools/$siteCode | select name,@{name='MemberShipCount';expression={$_.memberof.count}} | ? { $_.Membershipcount -ne 1 }
}

Step 2 – Set the DNS Server options on each DC NIC to point back to the Full DCs in Head Office.

If you’re going to DCPROMO demote a Server from a DC to a Member Server you will need to be sure that the Server does not reference itself as a DNS Server. I needed to find the teamed NIC that is configured with the IP Address registered in DNS for that Server and reconfigure its DNS Search Order. I did this using PowerShell Remoting: first collect from DNS the IP Address that the Server’s host name resolves to, use that to find the NIC with that address configured, and then use a WMI method to set that NIC’s DNS Search Order to an array of a couple of DNS Servers from Head Office.


#Set DNS
icm $Servers -ScriptBlock {  $DNSArray = '10.10.10.10','10.10.10.11' ; (Get-WmiObject -class win32_networkadapterconfiguration | ? { $_.IPAddress -eq ( ([System.Net.Dns]::GetHostEntry($ENV:ComputerName).AddressList | ? { $_.AddressFamily -eq 'InterNetwork' }).IPAddressToString ) } ).SetDNSServerSearchOrder($DNSArray) }

To Check my configuration Changes:


#Audit DNS
icm $Servers -ScriptBlock { Get-WmiObject -class win32_networkadapterconfiguration | ? { $_.IPAddress -eq ( ([System.Net.Dns]::GetHostEntry($ENV:ComputerName).AddressList | ? { $_.AddressFamily -eq 'InterNetwork' }).IPAddressToString )} } | select __SERVER,IPAddress,DNSServerSearchOrder
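The audit above lists the configuration; the following added example (not the post's code) turns it into a pass/fail check for the requirement stated at the start of this step: that no server still lists itself or loopback as a DNS server, and that the search order is exactly the Head Office pair. It assumes $Servers and the two addresses used above.

```powershell
# Added example (not from the post): check every server's DNS search order after the change.
# Assumes $Servers and the two Head Office DNS addresses used in the Set DNS command.

$expected = '10.10.10.10','10.10.10.11'
$results = icm $Servers -ScriptBlock {
    # The IPv4 address registered in DNS for this host identifies the NIC to inspect.
    $self = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).AddressList |
             ? { $_.AddressFamily -eq 'InterNetwork' } | select -First 1).IPAddressToString
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
        ? { $_.IPAddress -contains $self } |
        % {
            $adapter = $_
            New-Object PSObject -Property @{
                Server          = $env:COMPUTERNAME
                SelfIP          = $self
                SearchOrder     = ($adapter.DNSServerSearchOrder -join ',')
                # A self or loopback entry would break name resolution during the demotion.
                SelfReferencing = [bool]($adapter.DNSServerSearchOrder | ? { $_ -eq $self -or $_ -like '127.*' })
            }
        }
}

# Only servers that still self-reference or differ from the expected order are listed.
$bad = $results | ? { $_.SelfReferencing -or $_.SearchOrder -ne ($expected -join ',') }
if ($bad) { $bad | ft Server, SelfIP, SearchOrder, SelfReferencing -AutoSize }
else { "All $(@($results).Count) adapters point at $($expected -join ',')" }
```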

Step 3 – Use the “Install From Media” (IFM) option of NTDSUTIL to create two local cache copies of the Active Directory.
One will be for RODCs and the other will be for Full DCs, the latter could be used for Roll Back scenarios should I wish to restore the DC to its original state.

To begin with I needed to increase the amount of memory that a PowerShell remoting session can use from the default 150MB to 1GB, because the IFM process is memory hungry. This setting can be restored as soon as you have finished creating your IFM snapshots. Using the Group Policy Management Console (GPMC) I edited the policy that manages Remoting and changed the setting Computer Configuration/Administrative Templates/Windows Components/Windows Remote Shell/Specify maximum amount of memory in MB per Shell; this option should look like Figure 1.

Figure 1: RODC-GPOMaxMemPerShellMB

The next step is to create the actual IFM snapshots using NTDSUTIL. This again was achieved using PowerShell Remoting; here is the code I used:


icm $Servers -ScriptBlock { ntdsutil "Activate Instance NTDS" ifm "Create SYSVOL Full C:\Support\IFM_Full" q q >> C:\Support\IFM_Full.log }
icm $Servers -ScriptBlock { ntdsutil "Activate Instance NTDS" ifm "Create SYSVOL RODC C:\Support\IFM_RODC" q q >> C:\Support\IFM_RODC.log }

Thanks for reading. I will post the remaining two parts over the course of the week so please check back.

Regards,

jfrmilner