Well, it all comes down to your environment and how well it can handle downtime. Personally I would migrate if possible, because of the complexity of the domain rename process.
What you need to understand is that the domain rename process is complex and in some ways "uncontrolled", meaning that once you start it, it will run until it either finishes or fails.
Things to understand:
- Headless management: rendom does not use AD replication to distribute the rename; it contacts every DC in the forest individually, so every DC must be reachable from the control station.
- The forest is "offline" during the execute step: the time it takes is proportional to the number of DCs.
- A DC either completes successfully or must be removed from the forest (demoted, or forcibly removed and its metadata cleaned up).
- Member computers must be rebooted twice after all DCs are updated; legacy operating systems that do not support the rename (Windows NT 4.0 and earlier) must be unjoined and rejoined instead.
- DNS host names are not changed automatically by rendom: the primary DNS suffix of each DC will not match the new domain DNS name. Renaming the DCs (netdom computername) is an additional step after rendom.
- The DNS suffix on member computers will not match for a period of time: how long depends on the number of machines in the domain and on whether the suffix is updated automatically when domain membership changes or is set by policy.
- Runs from a separate computer
- CLI interface
- Each DC is changed independently
- Step-by-step, steps must succeed on every DC or it stops
- Steps are idempotent
3 DC states:
- Initial
- Prepared
- Final (success or fail)
Note that Prepared to Final can only be accomplished if every DC in the forest has reached the required state!
Overview of the steps:
- Manually specify the new forest structure
- Generate instructions encoded as script
- Transfer the script to each DC
- Verify the script on every DC to see if it is ready to execute the instructions
- Execute instructions on each DC (forest offline during this step)
- Fix-up Policy metadata
- Clean-up metadata written to the directory
Remember that this is just a basic overview of how it works, you must test, test again and test again in a lab before trying it in production!
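The overview above, mapped onto the actual rendom.exe and gpfixup.exe phases, as an added example script that is not part of the original post. It assumes rendom.exe, gpfixup.exe, repadmin.exe and the ActiveDirectory module on a member server (never a DC) run by an Enterprise Admin; the domain names and the control DC are placeholders, and the non-zero exit code on failure is an assumption about rendom that you confirm in the lab first.

```powershell
# Added example, not from the original post: drive the rendom phases in the order the
# overview describes, stop at the first phase that fails, and refuse to start while any
# DC in the forest is unreachable (rendom talks to each DC directly, without replication).
param(
    [string]$OldDns = 'corp.local',     # placeholders: old and new DNS / NetBIOS names
    [string]$NewDns = 'corp.example',
    [string]$OldNb  = 'CORP',
    [string]$NewNb  = 'CORPX',
    [string]$ControlDc = 'dc1.corp.local'
)
Import-Module ActiveDirectory

function Invoke-Phase {
    param([string]$Name, [string[]]$Arguments)
    Write-Host "== rendom $Name =="
    & rendom.exe @Arguments
    # Assumption: rendom returns non-zero when a DC fails a phase; Dclist.xml shows which one.
    if ($LASTEXITCODE -ne 0) {
        throw "rendom $Name failed (exit $LASTEXITCODE). Check Dclist.xml before doing anything else."
    }
}

# Pre-flight: an unreachable DC does not merely slow the run, it blocks the whole forest's
# Prepared -> Final transition. Fix it or demote it before the first phase.
$dcs  = foreach ($d in (Get-ADForest).Domains) { Get-ADDomainController -Filter * -Server $d }
$down = $dcs | Where-Object { -not (Test-Connection -ComputerName $_.HostName -Count 1 -Quiet) }
if ($down) { throw "Unreachable DCs: $($down.HostName -join ', ')" }

Invoke-Phase 'list'       '/list'        # writes Domainlist.xml describing the current forest
Read-Host 'Edit Domainlist.xml to describe the new forest structure, then press Enter'
Invoke-Phase 'showforest' '/showforest'  # prints what the edited file will do: read it carefully
Invoke-Phase 'upload'     '/upload'      # generates the instruction script, writes Dclist.xml

# Push the script to every DC before asking them to verify it.
$dnm = (Get-ADForest).DomainNamingMaster
& repadmin.exe /syncall $dnm /A /P /e /d /q

Invoke-Phase 'prepare'    '/prepare'     # verify on every DC (Initial -> Prepared); all must pass
Read-Host 'All DCs prepared. Press Enter to execute; the forest is offline until every DC finishes'
Invoke-Phase 'execute'    '/execute'     # Prepared -> Final on each DC, DCs reboot

# Fix-up Group Policy metadata that still refers to the old names, then release the forest.
& gpfixup.exe /olddns:$OldDns /newdns:$NewDns /oldnb:$OldNb /newnb:$NewNb /dc:$ControlDc
Invoke-Phase 'end'        '/end'         # unfreezes the forest configuration
Invoke-Phase 'clean'      '/clean'       # removes the rename metadata from the directory
Write-Host 'Done. Now rename the DCs (netdom computername) and reboot members twice.'
```

The two Read-Host pauses are deliberate: the edited Domainlist.xml and the /showforest output are the only points where a wrong new name can still be corrected cheaply, and everything after /execute is forest-wide and irreversible.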
Wednesday, June 12, 2013
The LastLogonTimeStamp Attribute – What it was designed for and how it works
I came across an excellent explanation of the LastLogonTimeStamp attribute and how it actually works:
http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
If you ever had a question about it, I bet you'll find the answer there.
Tuesday, June 11, 2013
What is new in Windows 8.1
Here you can read about Windows 8.1: http://technet.microsoft.com/en-us/windows/dn140266.
Monday, June 10, 2013
NON-LVR groupmembers - how to find them - Step 4.
Step 3 in my blog (http://www.jimmytheswede.blogspot.se/2013/06/non-lvr-groupmembers-how-to-find-them.html) will create a separate file for each group (DN is the filename of the group). Within those files you need to search for the string LEGACY, so what I did in step 4 was to search the files for the string LEGACY and then copy the files into a separate folder.
Note that my folder containing the files is "c:\temp\searchFiles" and I copied the files that contained the string "LEGACY" to the folder "c:\temp\searchResult".
In PowerShell:
get-childitem c:\temp\searchFiles | select-string LEGACY -List |%{copy-item -path $_.path -destination 'c:\temp\searchResult'}
Now I have all files that contain LEGACY members (each named after the group's DN) in a separate folder, and I create a list of those filenames as input when I change them (http://www.jimmytheswede.blogspot.se/2013/06/non-lvr-groupmembers-how-to-change-them.html).
TechEd North America Sessions
The session recordings for TechEd 2013 are now available - http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013#fbid=S8kTtlJUJv2
Friday, June 07, 2013
NON-LVR groupmembers - how to change them
After I had removed the groups I didn't want to refresh the group membership in, I ended up with a text file called refresh.txt as the input file.
I ended up using this command in a command prompt to re-add the users in the groups from this file:
for /F "delims=" %f in (refresh.txt) do dsget group %f /members | dsmod group %f /chmbr
Things you must take into consideration: if you do this on many groups with many members, it will start a lot of replication, so you might want to split the list into multiple smaller lists to not affect the network too much. Also remember that /chmbr replaces the complete member list with whatever dsget printed, so test it on one group first and confirm that the dsget output is not empty before you point it at a group that grants access to anything important.
Wednesday, June 05, 2013
NON-LVR groupmembers - how to find them
Today I was trying to find out which group memberships were still LEGACY, meaning not yet stored as linked values (LVR). I was definitely not going to look at the metadata of 7000+ groups by hand, so this is how I did it from the command prompt:
[the domain name is demo.net and the DC name is DC1 in this example; replace them with your own domain and DC]
1. Create a list of all groups in the domain:
Dsquery group dc=demo,dc=net /limit 0 > allGroups.txt
2. Remove all built-in groups and groups that are created by default during a fresh installation, since I didn't want to "touch" them. The pruned list is groups.txt.
3. Get the object metadata (objMeta) of every group in the text file:
For /f "delims=" %f in (groups.txt) do repadmin /showobjmeta DC1 %f > metadata\%f
(metadata is the folder where I saved the output files to; each file is named after the group's DN)
4. Now the only thing left is to search the files created in the metadata folder for LEGACY, and you will have a list of which groups contain non-LVR memberships. In the linked-value section of the repadmin /showobjmeta output each member value is tagged PRESENT, ABSENT or LEGACY; LEGACY is the one that matters here.
When I have my complete list I will then remove/add the members to be able to utilize LVR. I haven't decided how I will do that yet, but most likely dsget group | dsmod group; I will post that after I've done it.
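The three NON-LVR posts (find them, step 4, change them) as one added PowerShell script; this is an example written for this page, not the author's own commands. It assumes the ActiveDirectory module and repadmin.exe, rights to modify the groups, the domain demo.net and DC1 from the posts as placeholders, and that removing and re-adding the same member values in a single Set-ADGroup call rewrites each link as an LVR value. That last point is exactly what the closing check verifies, so run it in a lab first.

```powershell
# Added example: find groups whose member values repadmin still marks LEGACY, write the
# refresh list, and (with -Fix) rewrite their membership in throttled batches, then re-check.
param(
    [string]$Domain       = 'demo.net',        # placeholders from the posts
    [string]$DC           = 'DC1',
    [string]$OutFolder    = 'C:\temp\metadata',
    [int]   $BatchSize    = 50,                # groups rewritten before pausing
    [int]   $PauseSeconds = 300,               # let replication drain between batches
    [switch]$Fix
)
Import-Module ActiveDirectory
New-Item -ItemType Directory -Force -Path $OutFolder | Out-Null

# Count member values still tagged LEGACY in the link-value section of /showobjmeta
# (each value there is PRESENT, ABSENT or LEGACY) and keep the raw dump, like step 3.
function Get-LegacyMemberCount {
    param([string]$GroupDN)
    $meta = & repadmin.exe /showobjmeta $DC $GroupDN
    $safeName = $GroupDN -replace '[\\/:*?"<>|]', '_'
    $meta | Set-Content -Path (Join-Path $OutFolder $safeName)
    return @($meta | Where-Object { $_ -match '^\s*LEGACY\s+member\b' }).Count
}

# Steps 1+2: every group except the built-in/default ones, which carry
# isCriticalSystemObject=TRUE and are deliberately left untouched.
$domainDN = (Get-ADDomain -Server $DC -Identity $Domain).DistinguishedName
$groups   = Get-ADGroup -Server $DC -SearchBase $domainDN -LDAPFilter '(!(isCriticalSystemObject=TRUE))'

# Steps 3+4: dump metadata and keep only the groups with LEGACY values (the refresh list).
$legacy = foreach ($g in $groups) {
    $n = Get-LegacyMemberCount $g.DistinguishedName
    if ($n -gt 0) { [pscustomobject]@{ DN = $g.DistinguishedName; LegacyMembers = $n } }
}
$legacy | Export-Csv -NoTypeInformation -Path (Join-Path $OutFolder 'refresh.csv')
Write-Host ("{0} of {1} groups still have LEGACY member values" -f @($legacy).Count, @($groups).Count)

if (-not $Fix) { return }

# "How to change them", throttled: every rewrite replicates to all DCs of the domain and
# to every GC, so do it in batches instead of all groups at once.
$done = 0
foreach ($entry in $legacy) {
    $members = @((Get-ADGroup -Server $DC -Identity $entry.DN -Properties member).member)
    if ($members.Count -eq 0) { continue }
    # Remove and Add go out in the same request, so the group is never empty in between
    # (assumption about the cmdlet; the check below proves whether the values became LVR).
    Set-ADGroup -Server $DC -Identity $entry.DN -Remove @{ member = $members } -Add @{ member = $members }
    $done++
    if (($done % $BatchSize) -eq 0) {
        Write-Host "$done groups rewritten, pausing $PauseSeconds s for replication"
        Start-Sleep -Seconds $PauseSeconds
    }
}

# Verify against the same DC: anything still LEGACY needs a manual look.
$still = foreach ($entry in $legacy) {
    if ((Get-LegacyMemberCount $entry.DN) -gt 0) { $entry.DN }
}
if ($still) { Write-Warning ("Still LEGACY after rewrite: " + ($still -join '; ')) }
else        { Write-Host 'All listed groups now replicate their members as linked values' }
```

Run it without -Fix first and read refresh.csv; the isCriticalSystemObject filter is the scripted version of the manual pruning in step 2, and it is what keeps Domain Admins and friends out of a bulk membership rewrite.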
Evaluate group membership - Address Token Limitations
You can use this to evaluate issues with token sizes, it is especially good in environments that contain complex group structures.
In the example below my domain is vfroot.prv and my DC is named SDF. I evaluated a group (grouptest), but you can evaluate users the same way.
To do this you will use the Ntdsutil command:
ntdsutil
ntdsutil: group membership evaluation
group membership evaluation: set account dc SDF
group membership evaluation: set global catalog SDF
group membership evaluation: set resource dc SDF
group membership evaluation: run vfroot.prv grouptest
This writes the output to a tab-separated-value (.tsv) file with the following columns:
-SID in Token: Security Identifier that is part of the token.
-SID Type: The type of SID that is being added. The SID can be either the Primary SID or a SID from the sIDHistory attribute.
-SID History Count: The number of SIDs in the sIDHistory attribute for the principal represented by this SID. For a row represented by a sIDHistory SID, the value is zero.
-Distinguished Name: The Distinguished Name (DN) of the entry.
-SamAccountName: The samAccountName attribute for the SID.
-DC Queried: The domain controller (DC) that provided this SID for addition to the list of tokens.
-Group Owner: The samAccountName of the owner of the group. If the SID pertains to an object other than a group, this field contains "N/A."
-Group Owner SID: The SID of the group's owner. If the SID pertains to an object other than a group, this field contains "N/A."
-WhenCreated (UTC): The date and time when the group was created. If the SID pertains to an object other than a group, this field contains "N/A."
-WhenChanged (UTC): The last date and time when any attribute of the group was changed.
-Member WhenChanged (UTC): The last date and time when the membership attribute of the group was changed.
-GroupType WhenChanged (UTC): The last date and time when the GroupType attribute of the group was changed.
-One Level MemberOf Count: The number of groups which this entry is directly a member of.
-Total MemberOf Count: The number of groups which this entry is both directly a member of and recursively a member of.
-Group Type: The type of group that this entry represents. Some examples are: User, Domain Local Security Group, and Well Known Computers.
-Depth From User: The number of transitive links between the group in question and the user. If the user Joe was a member of Group1 which is a member of Group2 which is a member of Group3, then the depth from user Joe to Group3 would be 3. If there is more than one path from the user to Group3 then the shortest path is chosen.
-Closest Parent OU: The closest organizational unit that the entry is a member of.
For more information, please see: http://www.microsoft.com/en-us/download/details.aspx?id=13749
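As an added example that is not part of the original post, here is how to turn the .tsv columns listed above into the token-size estimate from Microsoft's MaxTokenSize guidance (KB 327825): TokenSize = 1200 + 40d + 8s, where d counts domain local groups, universal groups outside the account domain and SID history entries, and s counts global groups and universal groups inside the account domain. The post does not show the raw column values, so two things are assumptions: that "SID Type" reads "Primary" for the object's own SID (anything else is treated as sIDHistory), and that "Group Type" contains the words "Domain Local", "Global" or "Universal" for security groups. The sample rows are constructed, not real ntdsutil output.

```powershell
# Added example: estimate a Kerberos token from the ntdsutil group membership evaluation .tsv.
function Get-TokenEstimate {
    param(
        [Parameter(Mandatory)][string]$TsvText,   # contents of the .tsv that "run" produced
        [int]$MaxTokenSize = 12000                # default before Windows 8 / Server 2012; 48000 after
    )
    $rows = $TsvText | ConvertFrom-Csv -Delimiter "`t"

    # The evaluated principal is the Primary SID at depth 0; its DN gives the account domain.
    $self = $rows | Where-Object { $_.'SID Type' -eq 'Primary' -and $_.'Depth From User' -eq '0' } |
            Select-Object -First 1
    if (-not $self) { $self = $rows[0] }
    $accountDomain = $self.'Distinguished Name' -replace '^.*?(DC=.*)$', '$1'

    $d = 0; $s = 0
    foreach ($r in $rows) {
        if ($r.'SID Type' -ne 'Primary') { $d++; continue }   # assumption: non-Primary = sIDHistory
        $groupDomain = $r.'Distinguished Name' -replace '^.*?(DC=.*)$', '$1'
        switch -Regex ($r.'Group Type') {                      # assumption: these words appear
            'Domain Local' { $d++ }
            'Global'       { $s++ }
            'Universal'    { if ($groupDomain -eq $accountDomain) { $s++ } else { $d++ } }
        }
    }
    $estimate = 1200 + 40 * $d + 8 * $s
    [pscustomobject]@{
        Account        = $self.SamAccountName
        SidsInToken    = @($rows).Count
        D_Groups       = $d
        S_Groups       = $s
        EstimatedBytes = $estimate
        MaxTokenSize   = $MaxTokenSize
        OverLimit      = ($estimate -gt $MaxTokenSize)
        DeepestNesting = ($rows | ForEach-Object { [int]$_.'Depth From User' } | Measure-Object -Maximum).Maximum
    }
}

# Constructed sample: only the columns the calculation uses (a real file carries all of them).
$sample = @"
SID in Token`tSID Type`tSID History Count`tDistinguished Name`tSamAccountName`tGroup Type`tDepth From User
S-1-5-21-11-22-33-1104`tPrimary`t1`tCN=grouptest,CN=Users,DC=vfroot,DC=prv`tgrouptest`tUser`t0
S-1-5-21-99-88-77-5001`tSIDHistory`t0`tCN=grouptest,CN=Users,DC=vfroot,DC=prv`tgrouptest`tUser`t0
S-1-5-21-11-22-33-1201`tPrimary`t0`tCN=Sales,OU=Groups,DC=vfroot,DC=prv`tSales`tGlobal Security Group`t1
S-1-5-21-11-22-33-1202`tPrimary`t0`tCN=AllStaff,OU=Groups,DC=vfroot,DC=prv`tAllStaff`tUniversal Security Group`t2
S-1-5-21-44-55-66-1301`tPrimary`t0`tCN=EU-Apps,OU=Groups,DC=emea,DC=vfroot,DC=prv`tEU-Apps`tUniversal Security Group`t3
S-1-5-21-11-22-33-1203`tPrimary`t0`tCN=FileShare-RW,OU=Groups,DC=vfroot,DC=prv`tFileShare-RW`tDomain Local Security Group`t4
S-1-5-32-545`tPrimary`t0`tCN=Users,CN=Builtin,DC=vfroot,DC=prv`tUsers`tDomain Local Security Group`t1
"@

Get-TokenEstimate -TsvText $sample | Format-List
# For a real run: Get-TokenEstimate -TsvText (Get-Content .\grouptest.tsv -Raw) -MaxTokenSize 48000
```

The DeepestNesting value is the practical complement to the byte estimate: a principal that is far below MaxTokenSize can still fail logons or group policy when nesting depth hides a domain local group from a DC in another domain, which is what the "DC Queried" column is there to show.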
Tuesday, October 02, 2012
MVP 2012 - Directory Services
I received this in my mail yesterday:
___________
Dear Jimmy Andersson,
Congratulations! We are pleased to present you with the 2012 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Directory Services technical communities during the past year.
___________
This is the 14th year in a row I got honored with this award, and I'm proud of it!
Monday, March 05, 2012
Microsoft Server and Cloud Platform Blog
The Microsoft Server and Cloud Platform Blog can be found here.
More Win8 info
Bill Laing, Corporate Vice President Server & Cloud, posted some good information about Win8 that can be found here.