Part 2 of 3
Step 4 – Enable CredSSP (multihop-authentication)
Before I could start using DCPROMO I needed to enable multihop-authentication using CredSSP. Now I will not explain this in detail, instead I would like to refer you to the excellent post by Ravikanth Chaganti – http://www.ravichaganti.com/blog/?p=1230
As this will need to be allowed in bulk then I suggest you use the GPO :
Computer Configuration/Administrative Templates/Windows Components/Windows Remote Management (WinRM)/WinRM Service/Allow CredSSP authentication
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts CredSSP authentication from a remote client. Once enabled this policy sets the WinRM service to accept CredSSP authentication from a remote client.
The management client will also need to be configured to allow credentials to be passed onto remote clients. In my case I only wanted to allow this on my management server so I used this command on that system:
Enable-WSManCredSSP -Role Client -DelegateComputer *.domain1.sch.uk
This command once enabled basically allows me to pass my credentials onto any system in the domain that has the WinRM service configured to accept CredSSP authentication.
I recommend that you give this a test run before moving onto the next step.
Create a variable $Cred and store the account you’re going to be using for the DCPROMO commands, for example:
$Cred = Get-Credential DOMAIN1\DomainAdmin
Then use Invoke-Command to echo back the server name(s) of each remote system:
icm $Servers { $ENV:ComputerName } -Authentication CredSSP -Credential $Cred
Step 5 – Create DCPROMO demote and RODC promote answer files using a word replace template method
The idea of this is quite simple, first create a DCPROMO demote and a RODC promotion answer files from a test/lab server and use these as templates. The template will be loaded into RAM and if necessary a word replace will be performed creating the unique answer file needed, the file will then be saved onto the target server. This was the code used to create the two answer files:
$SiteCodes| % {
$DCPROMODemote = gc 'C:\Scripts\DCPROMODemoteTemplate.txt'
$DCPROMODemote | Out-File "\\D1-$($_)-001\C$\Support\DCPROMODemote.txt" -Encoding ascii
Write-Host "File Saved: \\D1-$($_)-001\C$\Support\DCPROMODemote.txt"
$DCPROMORODCTemplate = gc 'C:\Scripts\DCPROMO-RODC-Template.txt'
$DCPROMORODCAnswerFile = $DCPROMORODCTemplate -replace '',$($_)
$DCPROMORODCAnswerFile | Out-File "\\D1-$($_)-001\C$\Support\DCPROMORODCAnswerFile.txt" -Encoding ascii
Write-Host "File Saved: \\D1-$($_)-001\C$\Support\DCPROMORODCAnswerFile.txt"
}
Next the answer file used for the DCPROMO demotion, no word replacement was necessary.
; DCPROMO unattend file - Auth jfrmilner ; Usage: ; dcpromo.exe /unattend:C:\SUPPORT\DCPROMODemote.txt ; [DCInstall] ; Demotion RetainDcMetadata=No IsLastDCInDomain=No AdministratorPassword=passwordgoeshere RebootOnCompletion=Yes
This was the template answer file used for the DCPROMO RODC promotion. All text that matched ‘<SiteCode>’ was replaced with the Site Code passed from the pipeline, for example if the first value in the $SiteCode variable was ‘AFCPS’ then the line ‘PasswordReplicationAllowed=”DOMAIN1\<SiteCode>-Laptops”’ would be changed to ‘PasswordReplicationAllowed=”DOMAIN1\AFCPS-Laptops”’.
; DCPROMO unattend file - Auth jfrmilner ; Usage: ; dcpromo.exe /unattend:C:\Support\DCPROMORODCAnswerFile.txt ; [DCInstall] ; Read-Only Replica DC promotion ReplicaOrNewDomain=ReadOnlyReplica ReplicaDomainDNSName=domain1.sch.uk ; RODC Password Replication Policy PasswordReplicationDenied="BUILTIN\Administrators" PasswordReplicationDenied="BUILTIN\Server Operators" PasswordReplicationDenied="BUILTIN\Backup Operators" PasswordReplicationDenied="BUILTIN\Account Operators" PasswordReplicationDenied="DOMAIN1\Denied RODC Password Replication Group" PasswordReplicationAllowed="DOMAIN1\Allowed RODC Password Replication Group" PasswordReplicationAllowed="DOMAIN1\<SiteCode>-Laptops" PasswordReplicationAllowed="DOMAIN1\<SiteCode>-Pupils" PasswordReplicationAllowed="DOMAIN1\<SiteCode>-Staff" PasswordReplicationAllowed="DOMAIN1\<SiteCode>-Workstations" ; D1-RODC-Admins will include the Service Desk Global Group DelegatedAdmin="DOMAIN1\D1-RODC-Admins" SiteName=<SiteCode> InstallDNS=Yes ConfirmGc=Yes CreateDNSDelegation=No UserDomain=domain1.sch.uk UserName=DOMAIN1\DomainAdmin Password= passwordgoeshere ReplicationSourcePath="C:\Support\IFM_RODC" ReplicationSourceDC=D1-DC-001.domain1.sch.uk DatabasePath="C:\Windows\NTDS" LogPath="C:\Windows\NTDS" SYSVOLPath="C:\Windows\SYSVOL" SafeModeAdminPassword= passwordgoeshere ; Run-time flags (optional) ; CriticalReplicationOnly=Yes RebootOnCompletion=Yes
I should point out that the passwords in these files are stored in clear text when they are created. The passwords are removed from each file after they have been used as answer files for the DCPROMO tasks, with this in mind you should consider carefully which account you use and not to create these files until you are ready to use them.
Step 6 – DCPROMO demote the DC to a Member Server
Before I began to demote servers I created a new OU titled ‘DCPROMO Holding’, this OU also had a GPO linked that would enable PowerShell remoting. By default a demoted server would be returned to the Computer OU and because of this would have all GPO’s removed.
With all the prerequisites out of the way I could now start demoting Domain Controllers back to Member Servers.
I did about ten servers at a time and I suggest you do the same. I did this by using the Range operator, for example say $Servers was a 100 item array, writing $Servers[0..9] would select the first 10 and $Servers[10..19] would be the next ten etc..
This is the code I used for the first 10:
icm $Servers[0..9] { dcpromo.exe /unattend:C:\SUPPORT\DCPROMODEMOTE.txt | Tee-Object -filepath C:\SUPPORT\DCPROMODEMOTEResultFile.txt } -Authentication CredSSP -Credential $Cred
Note the Tee-Object cmdlet, this allows the output of the promotion to appear on the console and also a text file. It would not be difficult to parse the text file for detailed information or collect the data and concatenate this information into a single report.
All went to plan, the computer objects for all ten systems were returned to the Computers OU. Checking this OU is actually the quickest way to get an overall feel of the success of the bulk demotion. I then moved the computer objects from the Computers OU to the ‘DCPROMO Holding’ OU.
Thanks for reading. I will post the final part over the course of the week so please check back.
Regards,
jfrmilner
; DCPROMO unattend file – Auth jfrmilner
; Usage:
; dcpromo.exe /unattend:C:\Support\DCPROMORODCAnswerFile.txt
;
[DCInstall]
; Read-Only Replica DC promotion
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=domain1.sch.uk
; RODC Password Replication Policy
PasswordReplicationDenied=”BUILTIN\Administrators”
PasswordReplicationDenied=”BUILTIN\Server Operators”
PasswordReplicationDenied=”BUILTIN\Backup Operators”
PasswordReplicationDenied=”BUILTIN\Account Operators”
PasswordReplicationDenied=”DOMAIN1\Denied RODC Password Replication Group”
PasswordReplicationAllowed=”DOMAIN1\Allowed RODC Password Replication Group”
PasswordReplicationAllowed=”DOMAIN1\<SiteCode>-Laptops”
PasswordReplicationAllowed=”DOMAIN1\<SiteCode>-Pupils”
PasswordReplicationAllowed=”DOMAIN1\<SiteCode>-Staff”
PasswordReplicationAllowed=”DOMAIN1\<SiteCode>-Workstations”
; D1-RODC-Admins will include the Service Desk Global Group
DelegatedAdmin=”DOMAIN1\D1-RODC-Admins”
SiteName=<SiteCode>
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=domain1.sch.uk
UserName=DOMAIN1\DomainAdmin
Password= passwordgoeshere
ReplicationSourcePath=”C:\Support\IFM_RODC”
ReplicationSourceDC=D1-DC-001.domain1.sch.uk
DatabasePath=”C:\Windows\NTDS”
LogPath=”C:\Windows\NTDS”
SYSVOLPath=”C:\Windows\SYSVOL”
SafeModeAdminPassword= passwordgoeshere
; Run-time flags (optional)
; CriticalReplicationOnly=Yes
RebootOnCompletion=Yes
jfrmilner's Tech Blog 