
Saturday, December 29, 2012

Windows Server 2008 ADPREP


Before you can introduce Windows Server 2008 domain controllers into existing Windows 2000 or Windows Server 2003 domains, you must prepare the forest and domains with the ADPREP utility. ADPREP.exe is a command-line tool that extends the Active Directory schema, and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 operating system.


Note: ADPREP was also available in Windows Server 2003 and Windows Server 2003 R2. In Windows Server 2008, ADPREP follows the same logic and performs tasks similar to those it performed when preparing a forest for the upgrade to Windows Server 2003 or Windows Server 2003 R2. Please read my "Windows 2003 ADPREP" article for more information on that.

ADPREP.exe is a command-line tool that is available on the Windows Server 2008 installation disc in the \sources\adprep folder.

ADPREP must be run from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
Where should I run ADPREP?

ADPREP /forestprep must be run on the Schema Master of a forest and under the credentials of someone in the Schema Admins and Enterprise Admins groups.

ADPREP /domainprep must be run on the Infrastructure Master of a domain and under the credentials of someone in the Domain Admins group.

Important: Since at the time of running ADPREP you still do not have any Windows Server 2008 Domain Controllers, it should be made clear that these commands MUST be run on EXISTING Windows 2000 or Windows Server 2003 Domain Controllers. That is why you MUST make sure you keep a copy of the 32-bit version of the Windows Server 2008 installation DVD. You cannot use the 64-bit version of the installation media to run ADPREP on 32-bit versions of Windows 2000/2003. Because Windows Server 2008 installation media is 64-bit by default, remember to request the 32-bit version when you get your copy. In case you don't have the 32-bit version available, you can also use the evaluation version of Windows Server 2008 32-bit installation media to run ADPREP, so just download the file from Microsoft's website, and use it to run ADPREP on your 32-bit Windows 2000/2003 DCs.

What does ADPREP do?
Before running ADPREP, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.

The ADPREP /forestprep command extends the schema with quite a few new classes and attributes. These new schema objects are necessary for the new features supported by Windows Server 2008. You can view the schema extensions by looking at the .ldf files in the \sources\adprep directory on the Windows Server 2008 DVD. These files contain LDIF entries for adding and modifying new and existing classes and attributes.

ADPREP /domainprep creates new containers and objects, modifies ACLs on some objects, and changes the meaning of the Everyone security principal.
Before you can run ADPREP /domainprep, you must be sure that the updates from /forestprep have replicated to all domain controllers in the forest.
You can view detailed output of the ADPREP command by looking at the log files in the %Systemroot%\system32\debug\adprep\logs directory. Each time ADPREP is executed, a new log file is generated that contains the actions taken during that particular invocation. The log files are named based on the time and date ADPREP was run.
Once you’ve run both /forestprep and /domainprep and allowed time for the changes to replicate to all domain controllers, you can then start upgrading your domain controllers to Windows Server 2008 or installing new Windows Server 2008 domain controllers.
Running ADPREP
In order to run ADPREP, insert the DVD media of Windows Server 2008 into the DVD drive of the appropriate Windows 2000/2003 DC, which, as noted above, should be the Schema Master of a forest.
Lamer note: You can use a network path or even copy the files locally to the server if you don't have a DVD drive on your DC…
If you're prompted to install Windows Server 2008, do NOT install it. Close the window instead.


Browse to the \sources\adprep directory.

Open a Command Prompt window (Click Start > Run > CMD > Enter), and drag the ADPREP.exe file to the Command Prompt window.
Lamer note: If you can't drag 'n drop, you can simply type the path… duh…
In the Command Prompt window, type the following command:
adprep /forestprep

In order to prevent accidental running of the command, you must press the "C" key on your keyboard, then press Enter. The command will begin to load a bunch of LDIF files containing all the necessary changes to the existing AD and Schema. The process takes a few moments.

When done, you'll be prompted. Make sure you let the existing Domain Controllers replicate all the changes throughout the entire forest BEFORE proceeding to the next step.

Next, go to the Infrastructure Master of each domain that you wish to upgrade and insert the DVD media of Windows Server 2008 into the DVD drive. Repeat the instructions to open the Command Prompt window, and type:
adprep /domainprep

Unlike the /forestprep action which takes some time, the /domainprep action is almost instantaneous.
Note: The existing Windows 2000/2003 domain MUST be in Native mode, as Windows NT 4.0 BDCs are not supported alongside Windows Server 2008 DCs. If that is not the case, you'll get this error:
Adprep detected that the domain is not in native mode

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Configure the domain to run in native mode and re-run domainprep
Switch your domain to Native mode or above, then repeat the operation.




Again, make sure you let the existing Domain Controllers replicate all the changes throughout the domain BEFORE proceeding to the next step.
Repeat the /domainprep action for each domain in the forest that requires new Windows Server 2008 Domain Controllers.
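The two questions this procedure raises in practice are "which DC do I run each step on?" and "has /forestprep replicated everywhere yet?". The following script answers both; it is an added example, not part of the original article, and assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) run from a member machine by a user who can read the schema partition on every DC.

```powershell
# Added example (not from the original article): locate the role holders ADPREP needs
# and confirm the /forestprep schema changes have replicated to every DC in the forest
# before /domainprep is run. Assumes the ActiveDirectory module (Windows Server 2008
# R2 / RSAT) and read access to the schema partition on each DC.
Import-Module ActiveDirectory

function Get-AdprepTargets {
    # /forestprep runs on the Schema Master; /domainprep on each domain's
    # Infrastructure Master (as the article states above).
    $forest = Get-ADForest
    Write-Host ("Run adprep /forestprep on: {0}" -f $forest.SchemaMaster)
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        Write-Host ("Run adprep /domainprep in {0} on: {1}" -f $domainName, $domain.InfrastructureMaster)
    }
}

function Test-SchemaReplication {
    # Compare the schema partition's objectVersion on every DC with the value held by
    # the Schema Master. /forestprep raises this value; every DC must report the same
    # number before /domainprep is started. Returns $true only when all DCs agree.
    $forest   = Get-ADForest
    $master   = $forest.SchemaMaster
    $schemaNc = (Get-ADRootDSE -Server $master).schemaNamingContext
    $masterVersion = (Get-ADObject -Identity $schemaNc -Server $master -Properties objectVersion).objectVersion
    $lagging = @()
    foreach ($domainName in $forest.Domains) {
        foreach ($dc in @(Get-ADDomainController -Filter * -Server $domainName)) {
            try {
                $v = (Get-ADObject -Identity $schemaNc -Server $dc.HostName -Properties objectVersion).objectVersion
            } catch {
                $v = 'unreachable'   # treat an unreachable DC as not yet in sync
            }
            $state = if ($v -eq $masterVersion) { 'in sync' } else { 'NOT in sync' }
            Write-Host ("{0}: objectVersion={1} ({2}; Schema Master has {3})" -f $dc.HostName, $v, $state, $masterVersion)
            if ($v -ne $masterVersion) { $lagging += $dc.HostName }
        }
    }
    return ($lagging.Count -eq 0)
}

Get-AdprepTargets
if (Test-SchemaReplication) {
    Write-Host 'Schema has replicated to all DCs; safe to run adprep /domainprep.'
} else {
    Write-Host 'Wait for replication (or fix the unreachable DCs) before running adprep /domainprep.'
}
```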
Windows 2000 Domain Notes
When upgrading Windows 2000 domains, an additional command must be run before installing the first Windows Server 2008 DC.
Go to the Infrastructure Master of each domain that you wish to upgrade and insert the DVD media of Windows Server 2008 into the DVD drive. Repeat the instructions to open the Command Prompt window, and type:
adprep /domainprep /gpprep
This command performs similar updates as domainprep. However, this command also provides updates that are necessary to enable Resultant Set of Policy (RSOP) Planning Mode functionality. In Active Directory environments that run Microsoft Windows® 2000, this command performs updates during off-peak hours. This minimizes replication traffic that is created in those environments by updates to file system permissions and Active Directory permissions on existing Group Policy objects (GPOs). This command is also available on Microsoft Windows Server 2003 with Service Pack 1 (SP1) or later.

Windows 2003 Domain and first RODC Notes

In Windows Server 2008, a new Domain Controller installation option is available, called Read-Only Domain Controller (RODC). I will not go into detail about RODCs in this article (search my site for more information about RODCs); however, in order to enable the installation of the first RODC in an existing Windows Server 2003 Active Directory forest, where you have already added at least one Windows Server 2008 regular DC, you must run the following command:
adprep /rodcprep
This command updates permissions on application directory partitions to enable replication of the partitions to RODCs. This operation runs remotely; it contacts the infrastructure master in each domain to update the permissions. You need to run this command only once in the forest. You can run this command on any computer in the forest. You must be a member of the Enterprise Admins group to run this command.
You are now ready to introduce your first Windows Server 2008 Domain Controller. Read my "Installing Active Directory on Windows Server 2008" article for more information on that.

Links

ADPREP http://technet.microsoft.com/en-us/library/cc731728.aspx
Download Windows Server 2008 Evaluation http://www.microsoft.com/windowsserver2008/en/us/trial-software.aspx

Thursday, December 13, 2012

Why can't I create new Active Directory objects?


In environments with a high rate of object creation or even during the process of migrating a large group of users, you may encounter the problem of being unable to create new objects in Active Directory. In most cases, the problem is simply a matter of the domain controller's running out of RIDs.
A RID or relative identifier is part of the unique security ID (SID) assigned to every object within the AD domain. The SID is created by combining an object's RID with the domain's own unique identification number. Since every domain controller in a Windows 2000 or Windows 2003 based AD domain can create new objects, the potential exists for two domain controllers to create objects with the same SID. So, to eliminate this potential, each domain controller is given a small range of RIDs to assign to new objects. The RID master (one of the FSMO AD roles) distributes the RIDs. When a DC uses all the RIDs in its current allotment, it requests a new RID set from the RID master.
If a DC attempts to create a new object before it receives the new RID set, the object will not be created. This produces an error, which is recorded in the Directory Services event log with an event ID of 16645. When this error appears in the event log, or you find yourself unable to create new objects, you need to resolve the issue. Here are some steps:
  1. Make sure the RID master is online and accessible. Use the Active Directory Users and Computers console to discover which DC is hosting the RID master FSMO role. Right click over the domain name from the console and select Operations Masters. Then select the RID master tab. Ping this server and attempt to connect to any share resource it offers to ensure communications.
  2. Test new object creation from another DC. If other DCs can create objects, then the problem is only with the initial DC. If no DCs can create objects, you may need to seize the RID master role.
  3. If a DC runs out of RIDs, it must request a new RID set from the RID master. There is no manual means to force this activity. So, you must wait for the DC to perform this operation on its own.
You can help avoid the problem in the future by increasing the size of the RID set. To do so, edit the Registry on the RID master DC. Change the RID Block Size entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values key. The minimum value is 500. Any assigned value to this entry between 0 and 500 will be treated as 500 by the system.
By default, Pre-SP4 Windows 2000 DCs are configured to request a new RID set when their current set is depleted by 80 percent. SP4 changed this value to 50 percent. Windows Server 2003 systems request new RID sets at 50 percent consumption. Microsoft documentation lists no means by which to alter the consumption percentage.
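Before editing the registry it helps to see how close a DC actually is to exhausting its pool. The script below is an added example, not part of the original post: it decodes the DC's RID Set object and reads the effective RID Block Size from the RID master. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT), that the pool attributes pack the first RID in the low 32 bits and the last RID in the high 32 bits, and that the Remote Registry service is reachable on the RID master.

```powershell
# Added example (not from the original post): decode a DC's RID Set object to see how
# much of its current RID pool is used and whether the next pool has already arrived,
# and read the effective "RID Block Size" from the RID master's registry.
# Assumes: ActiveDirectory module; low 32 bits = first RID, high 32 bits = last RID;
# Remote Registry reachable on the RID master.
Import-Module ActiveDirectory

function ConvertFrom-RidPool {
    param([int64]$Pool)
    # Split the packed 64-bit value without -shr, so it also runs on PowerShell 2.0.
    $start = $Pool -band 0xFFFFFFFF
    $end   = [int64](($Pool - $start) / 4294967296)
    New-Object PSObject -Property @{ Start = $start; End = $end }
}

function Get-RidPoolUsage {
    param([Parameter(Mandatory=$true)][string]$DomainController)
    # The computer object's rIDSetReferences attribute points at its "RID Set" object.
    $computer = Get-ADComputer -Identity $DomainController -Properties rIDSetReferences
    $ridSetDn = @($computer.rIDSetReferences)[0]
    $ridSet   = Get-ADObject -Identity $ridSetDn -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    # rIDPreviousAllocationPool is the pool RIDs are currently issued from;
    # rIDAllocationPool is the pool the DC switches to once the current one is used up;
    # rIDNextRID is the RID most recently issued (used count is accurate to within one).
    $current = ConvertFrom-RidPool $ridSet.rIDPreviousAllocationPool
    $next    = ConvertFrom-RidPool $ridSet.rIDAllocationPool
    $size    = $current.End - $current.Start + 1
    $used    = [math]::Max(0, $ridSet.rIDNextRID - $current.Start)
    New-Object PSObject -Property @{
        DomainController = $DomainController
        CurrentPool      = '{0}-{1}' -f $current.Start, $current.End
        NextPool         = '{0}-{1}' -f $next.Start, $next.End
        PercentUsed      = [math]::Round(100 * $used / $size, 1)
        NextPoolReceived = ($next.Start -ne $current.Start)   # new set already allocated by the RID master
        RidMaster        = (Get-ADDomain).RIDMaster
    }
}

function Get-RidBlockSize {
    param([Parameter(Mandatory=$true)][string]$RidMaster)
    # The value lives on the RID master; anything below 500 is treated as 500 by the
    # system, so the effective size is reported alongside the configured one.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $RidMaster)
    $key  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\RID Values')
    $configured = if ($key) { [int]$key.GetValue('RID Block Size', 0) } else { 0 }
    New-Object PSObject -Property @{ Configured = $configured; Effective = [math]::Max(500, $configured) }
}

# Usage (DC01 is a constructed example name):
# $usage = Get-RidPoolUsage -DomainController DC01; $usage
# Get-RidBlockSize -RidMaster $usage.RidMaster
```

A DC showing a high PercentUsed with NextPoolReceived still $false is the one to watch for event ID 16645; check that it can reach the RidMaster reported above.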


How to Send an Smtp Email using Powershell – Send-MailMessage


Sending an SMTP mail using PowerShell has been simplified by the "Send-MailMessage" cmdlet.

Let's see how to do it!

Send-MailMessage -From "administrator@careexchange.in" -To "User1@domain.com", "User2@careexchange.in" -Subject "Mail using Powershell !!" -Body "Body of my Power shell Email" -Priority High -SmtpServer "Exchange2010 Server FQDN"



Logging in as User1 or User2, the email below is received.


Mail Generated to User1 and User2 Successfully !


How to Migrate Users Across forest (Cross Forest) using ADMT 3.2 with sid and Passwords


Once Trust is in place
Open the Administrators group in the Source Forest and add the Administrator of the Target Forest to acquire proper permissions.
Vice versa:
Open the Administrators group in the Target Forest and add the Administrator of the Source Forest to acquire proper permissions.
Otherwise you will end up with Access Denied errors while moving users back and forth.
Once permission part is done
We have to configure a Password Export Server in the source domain to allow exporting the passwords to the Target domain

If your Source Domain DC is running a 64 bit Version
Password Export Server version 3.1 (x64)
If your Source Domain DC is running a 32 bit Version
Password Export Server version 3.1 (x86)

Choose Next

Before you choose Next, we need to create a password encryption file from the Target Domain.

Reference –
Enabling Migration of Passwords
http://technet.microsoft.com/en-us/library/cc974435(v=ws.10).aspx

Open a Command Prompt where ADMT is installed on the Target Domain, and run the command below to create a .pes file:
admt key /option:create /sourcedomain:<SourceDomain> /keyfile:<KeyFilePath>


Once the file is created on the Target Domain, bring the file to the Source Domain and browse for the file.

Click Finish

Reboot the Server to complete the installation

Start the "Password Export Server Service".


Now open ADMT, and choose User Account Migration Wizard.
Choose Source Domain and Target Domain.

Now Select users

Choose the Target OU


Choose Migrate Passwords


Choose Target Same as source
Choose Migrate User SIDS to Target Domain


Type the user name and password of the Source Domain.

Choose Next

Choose Next

Choose Next

Great !!

Now Users with SID and Password have been migrated across forest (Cross forest) Successfully


How to install ADMT 3.2 in Windows Server 2008 R2


Download Active Directory Migration Tool version 3.2

Type the default instance if you have a SQL Server.
I have the SQL Server on the DC itself, so I have typed
.\SQLEXPRESS
If you are not familiar with SQL Express, I have explained the steps below to configure it.
Only SQL Express 2005 will work properly if you are planning to install it on the DC itself.

People who are familiar with SQL can skip the SQL setup.

=====================================================================
If you don't have a SQL Server, you can download
Microsoft SQL Server 2005 Express Edition Service Pack 3

Accept
Next
Next
Next
Next
Next
Install
Finish
Choose No
Then Close
Great !
Now SQL is configured

Start > Administrative Tools > Active Directory Migration Tool

Now ADMT is Ready to Migrate Users


Thursday, October 11, 2012

How to remove data in Active Directory after an unsuccessful domain controller demotion

This article describes how to remove data in Active Directory after an unsuccessful domain controller demotion.

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

The Active Directory Installation Wizard (Dcpromo.exe) is used for promoting a server to a domain controller and for demoting a domain controller to a member server (or to a stand-alone server in a workgroup if the domain controller is the last in the domain). As part of the demotion process, the wizard removes the configuration data for the domain controller from Active Directory. This data takes the form of an NTDS Settings object that exists as a child of the server object in Active Directory Sites and Services.

The information is in the following location in Active Directory:
CN=NTDS Settings,CN=<servername>,CN=Servers,CN=<sitename>,CN=Sites,CN=Configuration,DC=<domain>...
The attributes of the NTDS Settings object include data representing how the domain controller is identified in respect to its replication partners, the naming contexts that are maintained on the machine, whether the domain controller is a global catalog server, and the default query policy. The NTDS Settings object is also a container that may have child objects that represent the domain controller's direct replication partners. This data is required for the domain controller to operate in the environment, but is retired upon demotion.

If the NTDS Settings object is not removed correctly (for example, if a demotion attempt fails and leaves it behind), the administrator can manually remove the metadata for a server object. In Windows Server 2008 and Windows Server 2008 R2, the administrator can remove the metadata for a server object by removing the server object in the Active Directory Users and Computers snap-in.

In Windows Server 2003 and Windows 2000 Server, the administrator can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. The following steps list the procedure for removing the NTDS Settings object in Active Directory for a particular domain controller. At each Ntdsutil menu, the administrator can type help for more information about the available options.

Windows Server 2003 Service Pack 1 (SP1) or later service packs – Enhanced version of Ntdsutil.exe

The version of Ntdsutil.exe that is included with Service Pack 1 or later service packs for Windows Server 2003 has been enhanced to make the metadata cleanup process complete. The Ntdsutil.exe version that is included with SP1 or later service packs does the following when metadata cleanup is run:
  • Removes the NTDSA (NTDS Settings) object.
  • Removes inbound AD connection objects that existing destination DCs use to replicate from the source DC being deleted.
  • Removes the computer account.
  • Removes the FRS member object.
  • Removes FRS subscriber objects.
  • Tries to seize the flexible single master operations (FSMO) roles held by the DC that is being removed.
Caution The administrator must also make sure that replication has occurred since the demotion before manually removing the NTDS Settings object for any server. Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

Procedure 1: Windows Server 2003 SP1 or later service packs only

  1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
  2. At the command prompt, type ntdsutil, and then press ENTER.
  3. Type metadata cleanup, and then press ENTER. Based on the options given, the administrator can perform the removal, but additional configuration parameters must be specified before the removal can occur.
  4. Type connections and press ENTER. This menu is used to connect to the specific server where the changes occur. If the currently logged on user does not have administrative permissions, different credentials can be supplied by specifying the credentials to use before making the connection. To do this, type set creds DomainName UserName Password, and then press ENTER. For a null password, type null for the password parameter.
  5. Type connect to server servername, and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and the credentials you supplied have administrative permissions on the server.

    Note If you try to connect to the same server that you want to delete, when you try to delete the server that step 15 refers to, you may receive the following error message:
    Error 2094. The DSA Object cannot be deleted 0x2094
  6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.
  7. Type select operation target and press ENTER.
  8. Type list domains and press ENTER. A list of domains in the forest is displayed, each with an associated number.
  9. Type select domain number and press ENTER, where number is the number associated with the domain the server you are removing is a member of. The domain you select is used to determine whether the server being removed is the last domain controller of that domain.
  10. Type list sites and press ENTER. A list of sites, each with an associated number, appears.
  11. Type select site number and press ENTER, where number is the number associated with the site the server you are removing is a member of. You should receive a confirmation listing the site and domain you chose.
  12. Type list servers in site and press ENTER. A list of servers in the site, each with an associated number, is displayed.
  13. Type select server number, where number is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name System (DNS) host name, and the location of the server's computer account you want to remove.
  14. Type quit and press ENTER. The Metadata Cleanup menu appears.
  15. Type remove selected server and press ENTER. You should receive confirmation that the removal completed successfully. If you receive the following error message, the NTDS Settings object may already be removed from Active Directory as the result of another administrator removing the NTDS Settings object or replication of the successful removal of the object after running the DCPROMO utility.
    Error 8419 (0x20E3)
    The DSA object could not be found


    Note You may also see this error when you try to bind to the domain controller that will be removed. Ntdsutil has to bind to a domain controller other than the one that will be removed with metadata cleanup.
  16. Type quit, and then press ENTER at each menu to quit the Ntdsutil utility. You should receive confirmation that the connection disconnected successfully.
  17. Remove the cname record in the _msdcs.root domain of forest zone in DNS. Assuming that DC will be reinstalled and re-promoted, a new NTDS Settings object is created with a new GUID and a matching cname record in DNS. You do not want the DCs that exist to use the old cname record.

    As best practice, you should delete the host name and other DNS records. If the lease time that remains on Dynamic Host Configuration Protocol (DHCP) address assigned to offline server is exceeded then another client can obtain the IP address of the problem DC.
  18. In the DNS console, use the DNS MMC to delete the A record in DNS. The A record is also known as the Host record. To delete the A record, right-click the A record, and then click Delete. Also, delete the cname record in the _msdcs container. To do this, expand the _msdcs container, right-click cname, and then click Delete.

    Important If this is a DNS server, remove the reference to this DC under the Name Servers tab. To do this, in the DNS console, click the domain name under Forward Lookup Zones, and then remove this server from the Name Servers tab.

    Note If you have reverse lookup zones, also remove the server from these zones.
  19. If the deleted computer is the last domain controller in a child domain, and the child domain was also deleted, use ADSIEdit to delete the trustDomain object for the child. To do this, follow these steps:
    1. Click Start, click Run, type adsiedit.msc, and then click OK
    2. Expand the Domain NC container.
    3. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
    4. Expand CN=System.
    5. Right-click the Trust Domain object, and then click Delete.
  20. Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps:
    1. Start Active Directory Sites and Services.
    2. Expand Sites.
    3. Expand the server's site. The default site is Default-First-Site-Name.
    4. Expand Server.
    5. Right-click the domain controller, and then click Delete.
  21. When you use DFS Replication in Windows Server 2008 and in later versions, the current version of Ntdsutil.exe does not clean up the DFS Replication object. In this case, you can use Adsiedit.msc to correct the DFS Replication objects for Active Directory Domain Services (AD DS) manually. To do this, follow these steps:
    1. Logon a domain controller as a domain administrator in the affected domain.
    2. Start Adsiedit.msc.
    3. Connect to the default naming context.
    4. Locate the following DFS Replication topology container:
      CN=Topology,CN=Domain System Volume,CN=DFSR-Globalsettings,CN=System,DC=Your Domain,DC=Domain Suffix
    5. Delete the msDFSR-Member CN object that has the old computer name.

Procedure 2: Windows 2000 (All versions) Windows Server 2003 RTM

  1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
  2. At the command prompt, type ntdsutil, and then press ENTER.
  3. Type metadata cleanup, and then press ENTER. Based on the options given, the administrator can perform the removal, but additional configuration parameters must be specified before the removal can occur.
  4. Type connections and press ENTER. This menu is used to connect to the specific server where the changes occur. If the currently logged on user does not have administrative permissions, different credentials can be supplied by specifying the credentials to use before you make the connection. To do this, type set creds DomainName UserName Password, and then press ENTER. For a null password, type null for the password parameter.
  5. Type connect to server servername, and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and the credentials you supplied have administrative permissions on the server.

    Note If you try to connect to the same server that you want to delete, when you try to delete the server that step 15 refers to, you may receive the following error message:
    Error 2094. The DSA Object cannot be deleted 0x2094
  6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.
  7. Type select operation target and press ENTER.
  8. Type list domains and press ENTER. A list of domains in the forest is displayed, each with an associated number.
  9. Type select domain number and press ENTER, where number is the number associated with the domain the server you are removing is a member of. The domain you select is used to determine whether the server being removed is the last domain controller of that domain.
  10. Type list sites and press ENTER. A list of sites, each with an associated number, is displayed.
  11. Type select site number and press ENTER, where number is the number associated with the site the server you are removing is a member of. You should receive a confirmation listing the site and domain you chose.
  12. Type list servers in site and press ENTER. A list of servers in the site, each with an associated number, is displayed.
  13. Type select server number, where number is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name System (DNS) host name, and the location of the server's computer account you want to remove.
  14. Type quit and press ENTER. The Metadata Cleanup menu appears.
  15. Type remove selected server and press ENTER. You should receive confirmation that the removal completed successfully. If you receive the following error message:
    Error 8419 (0x20E3)
    The DSA object could not be found
    the NTDS Settings object may already be removed from Active Directory as the result of another administrator removing the NTDS Settings object, or replication of the successful removal of the object after you run the Dcpromo utility.

    Note You may also see this error when you try to bind to the domain controller that will be removed. Ntdsutil has to bind to a domain controller other than the one that will be removed with metadata cleanup.
  16. Type quit at each menu to quit the Ntdsutil utility. You should receive confirmation that the connection disconnected successfully.
  17. Remove the cname record in the _msdcs.root domain of forest zone in DNS. Assuming that the DC will be reinstalled and re-promoted, a new NTDS Settings object is created by using a new GUID and a matching cname record in DNS. You do not want the DCs that exist to use the old cname record.

    As best practice you should delete the hostname and other DNS records. If the lease time that remains on Dynamic Host Configuration Protocol (DHCP) address assigned to offline server is exceeded then another client can obtain the IP address of the problem DC.
Now that the NTDS Settings object has been deleted, you can delete the computer account, the FRS member object, the cname (or Alias) record in the _msdcs container, the A (or Host) record in DNS, the trustDomain object for a deleted child domain, and the domain controller.

Note You do not need to manually remove the FRS member object in Windows Server 2003 RTM because the Ntdsutil.exe utility has already removed the FRS member object when you run the utility. Additionally, the metadata of the computer account cannot be removed if the computer account of the DC contains another leaf object. For example, Remote Installation Services (RIS) might be installed on the DC.

The Adsiedit utility is included with the Windows Support Tools feature in both Windows 2000 Server and Windows Server 2003. To install the Windows Support Tools, follow these steps:
  • Windows 2000 Server: On the Windows 2000 Server CD, open the Support\Tools folder, double-click Setup.exe, and then follow the instructions that appear on the screen.
  • Windows Server 2003: On the Windows Server 2003 CD, open the Support\Tools folder, double-click Suptools.msi, click Install, and then follow the steps in the Windows Support Tools Setup Wizard to complete the installation.
  1. Use ADSIEdit to delete the computer account. To do this, follow these steps:
    1. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
    2. Expand the Domain NC container.
    3. Expand DC=Your Domain Name, DC=COM, PRI, LOCAL, NET.
    4. Expand OU=Domain Controllers.
    5. Right-click CN=domain controller name, and then click Delete.
    If you receive the "DSA object cannot be deleted" error message when you try to delete the object, change the UserAccountControl value. To change the UserAccountControl value, right-click the domain controller in ADSIEdit, and then click Properties. Under Select a property to view, click UserAccountControl. Click Clear, change the value to 4096, and then click Set. You can now delete the object.

    Note The FRS subscriber object is deleted when the computer object is deleted because it is a child of the computer account.
  2. Use ADSIEdit to delete the FRS member object. To do this, follow these steps:
    1. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK
    2. Expand the Domain NC container.
    3. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
    4. Expand CN=System.
    5. Expand CN=File Replication Service.
    6. Expand CN=Domain System Volume (SYSVOL share).
    7. Right-click the domain controller you are removing, and then click Delete.
  3. In the DNS console, use the DNS MMC to delete the A record in DNS. The A record is also known as the Host record. To delete the A record, right-click the A record, and then click Delete. Also delete the cname (also known as the Alias) record in the _msdcs container. To do so, expand the _msdcs container, right-click the cname, and then click Delete.

    Important If this was a DNS server, remove the reference to this DC under the Name Servers tab. To do this, in the DNS console, right-click the domain name under Forward Lookup Zones, click Properties, and then remove this server from the Name Servers tab.

    Note If you have reverse lookup zones, also remove the server from these zones.
  4. If the deleted computer was the last domain controller in a child domain and the child domain was also deleted, use ADSIEdit to delete the trustDomain object for the child. To do this, follow these steps:
    1. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK
    2. Expand the Domain NC container.
    3. Expand DC=<YourDomainName>,DC=<com | pri | local | net>.
    4. Expand CN=System.
    5. Right-click the Trust Domain object, and then click Delete.
  5. Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps:
    1. Start Active Directory Sites and Services.
    2. Expand Sites.
    3. Expand the server's site. The default site is Default-First-Site-Name.
    4. Expand Server.
    5. Right-click the domain controller, and then click Delete.

Advanced optional syntax with the SP1 or later versions of Ntdsutil.exe

Windows Server 2003 SP1 introduced a new syntax that can be used. By using the new syntax, it is no longer required to bind to the DS and select your operation target. To use the new syntax, you must know or obtain the DN of the NTDS settings object of the server that is being demoted. To use the new syntax for metadata cleanup, follow these steps:
  1. Run ntdsutil.
  2. Switch to the metadata cleanup prompt.
  3. Run the following command:
    remove selected server <DN of the server object in the Configuration container>
    An example of this command is as follows.

    Note The following is one line but has been wrapped.
    Remove selected server cn=servername,cn=servers,cn=sitename,cn=sites,cn=configuration,dc=<forest_root_domain>
  4. Remove the CNAME record in the _msdcs.<forest root domain> zone in DNS. Assuming that the DC will be reinstalled and re-promoted, a new NTDS Settings object is created with a new GUID, and a matching CNAME record in DNS. You do not want the existing DCs to keep using the old CNAME record.

    As a best practice, also delete the host (A) record and any other DNS records of the server. If the remaining lease time on the Dynamic Host Configuration Protocol (DHCP) address assigned to the offline server runs out, another client can obtain the IP address of the problem DC, and stale records would then point other machines at it.
  5. If the deleted computer was the last domain controller in a child domain, and the child domain was also deleted, use ADSIEdit to delete the trustDomain object for the child. To do this, follow these steps:
    1. Click Start, click Run, type adsiedit.msc, and then click OK.
    2. Expand the Domain NC container.
    3. Expand DC=<YourDomainName>,DC=<com | pri | local | net>.
    4. Expand CN=System.
    5. Right-click the Trust Domain object, and then click Delete.
  6. Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps:
    1. Start Active Directory Sites and Services.
    2. Expand Sites.
    3. Expand the server's site. The default site is Default-First-Site-Name.
    4. Expand Server.
    5. Right-click the domain controller, and then click Delete.

    Original Post:

Delete Failed DCs from Active Directory

When you try to remove a domain controller from your Active Directory domain by using Dcpromo.exe and the attempt fails, or when you begin to promote a member server to a Domain Controller and the promotion fails (the reasons for the failure are not important for the scope of this article), you are left with the remains of the DC's objects in Active Directory. As part of a successful demotion, the Dcpromo wizard removes the configuration data for the domain controller from Active Directory, but a failed Dcpromo attempt may leave these objects in place.
The effects of leaving such remains in Active Directory vary, but one thing is certain: whenever you try to reinstall the server with the same computer name and promote it to a Domain Controller, you will fail, because Dcpromo still finds the old objects and therefore refuses to re-create them for the new-old server.
If the NTDS Settings object was not removed correctly, you can use the Ntdsutil.exe utility to remove it manually.
If you give the new domain controller the same name as the failed computer, you only need to perform the first procedure (metadata cleanup), which removes the NTDS Settings object of the failed domain controller. If you give the new domain controller a different name, you need to perform all three procedures: clean up the metadata, remove the failed server object from the site, and remove the computer object from the Domain Controllers container.
You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, and Active Directory Users and Computers.
Also, make sure that you use an account that is a member of the Enterprise Admins universal group.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality. The server you select in step 12 below is the one that gets removed; double-check the DN before you confirm.
To clean up metadata
  1. At the command line, type ntdsutil and press Enter.
C:\WINDOWS>ntdsutil
ntdsutil:
  2. At the ntdsutil: prompt, type metadata cleanup and press Enter.
ntdsutil: metadata cleanup
metadata cleanup:
  3. At the metadata cleanup: prompt, type connections and press Enter.
metadata cleanup: connections
server connections:
  4. At the server connections: prompt, type connect to server <servername>, where <servername> is any functional domain controller in the same domain, from which you will clean up the metadata of the failed domain controller. Press Enter.
server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:
Note: Windows Server 2003 Service Pack 1 eliminates the need for the above step.
  5. Type quit and press Enter to return to the metadata cleanup: prompt.
server connections: q
metadata cleanup:
  6. Type select operation target and press Enter.
metadata cleanup: Select operation target
select operation target:
  7. Type list domains and press Enter. This lists all domains in the forest, with a number associated with each.
select operation target: list domains
Found 1 domain(s)
0 - DC=dpetri,DC=net
select operation target:
  8. Type select domain <number>, where <number> is the number corresponding to the domain in which the failed server was located. Press Enter.
select operation target: Select domain 0
No current site
Domain - DC=dpetri,DC=net
No current server
No current Naming Context
select operation target:
  9. Type list sites and press Enter.
select operation target: List sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:
  10. Type select site <number>, where <number> refers to the number of the site in which the domain controller was a member. Press Enter.
select operation target: Select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - DC=dpetri,DC=net
No current server
No current Naming Context
select operation target:
  11. Type list servers in site and press Enter. This lists all servers in that site with a corresponding number.
select operation target: List servers in site
Found 2 server(s)
0 - CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
1 - CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:
  12. Type select server <number> and press Enter, where <number> refers to the domain controller to be removed. Check the DSA object, DNS host name and Computer object that ntdsutil echoes back: they must all belong to the failed DC, not to the one you are connected to.
select operation target: Select server 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - DC=dpetri,DC=net
Server - CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
 DSA object - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
 DNS host name - server200.dpetri.net
 Computer object - CN=SERVER200,OU=Domain Controllers,DC=dpetri,DC=net
No current Naming Context
select operation target:
  13. Type quit and press Enter. The metadata cleanup menu is displayed.
select operation target: q
metadata cleanup:
  14. Type remove selected server and press Enter.
You will receive a warning message. Read it, and if you agree, click Yes.
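The interactive ntdsutil walkthrough above, the ADSIEdit steps and the SP1-or-later "remove selected server" syntax from the earlier KB article are the same job done three ways. The script below is an added example, not code from the KB article or from the Petri post, that does the whole job in one go from a surviving DC: it runs the one-line ntdsutil syntax (so it needs Windows Server 2003 SP1 or later), then removes what the KB deletes by hand (computer account, FRS member object, DNS A/CNAME/NS records). The DC, site and domain names are assumptions taken from the walkthrough (SERVER200, Default-First-Site-Name, dpetri.net) and are only defaults; the account running it must be an Enterprise Admin. Nothing is deleted unless -Delete is passed, so the first run is a dry run that reports what it found.

```powershell
# Added example (PowerShell 2.0 / ADSI), not from the KB article or the Petri post.
# Defaults are the names from the walkthrough above; override them with parameters.
param(
    [string]$DcName   = 'SERVER200',
    [string]$SiteName = 'Default-First-Site-Name',
    [switch]$Delete
)
$ErrorActionPreference = 'Stop'

$rootDse   = [ADSI]'LDAP://RootDSE'
$domDn     = [string]$rootDse.defaultNamingContext
$cfgDn     = [string]$rootDse.configurationNamingContext
$forestDn  = [string]$rootDse.rootDomainNamingContext
# DC=dpetri,DC=net -> dpetri.net
$dnsDomain = (($domDn -split ',DC=') -replace '^DC=', '') -join '.'
$dnsForest = (($forestDn -split ',DC=') -replace '^DC=', '') -join '.'

$serverDn  = "CN=$DcName,CN=Servers,CN=$SiteName,CN=Sites,$cfgDn"
$ntdsDn    = "CN=NTDS Settings,$serverDn"
$leftovers = @(
    @{ What = 'computer account';  Dn = "CN=$DcName,OU=Domain Controllers,$domDn" },
    @{ What = 'FRS member object'; Dn = "CN=$DcName,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domDn" }
)

function Test-AdObject([string]$Dn) { [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Dn") }

function Remove-AdObject([string]$Dn) {
    $entry = [ADSI]"LDAP://$Dn"
    try { $entry.DeleteTree() }
    catch {
        # The KB workaround for "DSA object cannot be deleted": set userAccountControl to
        # 4096 (WORKSTATION_TRUST_ACCOUNT, clearing SERVER_TRUST_ACCOUNT) and retry.
        if ($entry.SchemaClassName -ne 'computer') { throw }
        $entry.Put('userAccountControl', 4096)
        $entry.SetInfo()
        $entry.DeleteTree()
    }
}

# The _msdcs CNAME is named after the objectGUID of the NTDS Settings object, so read it
# before metadata cleanup removes that object.
$dsaGuid = $null
if (Test-AdObject $ntdsDn) {
    $bytes   = [byte[]]([ADSI]"LDAP://$ntdsDn").Properties['objectGUID'].Value
    $dsaGuid = (New-Object Guid (,$bytes)).ToString()
}

# 1. Report what is still in the directory.
Write-Host ("server object {0}: {1}" -f $serverDn, $(if (Test-AdObject $serverDn) { 'present' } else { 'absent' }))
foreach ($o in $leftovers) {
    Write-Host ("{0} {1}: {2}" -f $o.What, $o.Dn, $(if (Test-AdObject $o.Dn) { 'present' } else { 'absent' }))
}
if ($dsaGuid) { Write-Host "_msdcs CNAME to remove: $dsaGuid._msdcs.$dnsForest" }
if (-not $Delete) { Write-Host 'Dry run; re-run with -Delete to remove the objects above.'; return }

# 2. Metadata cleanup with the SP1 one-line syntax. ntdsutil still shows its confirmation dialog.
if (Test-AdObject $serverDn) {
    & ntdsutil.exe 'metadata cleanup' "remove selected server $serverDn" quit quit
    if (Test-AdObject $serverDn) { throw "ntdsutil did not remove $serverDn; stop here and read its output" }
}

# 3. The objects the KB deletes with ADSIEdit. Re-check first: on Windows Server 2008
#    metadata cleanup may already have removed some of them.
foreach ($o in $leftovers) {
    if (Test-AdObject $o.Dn) { Remove-AdObject $o.Dn; Write-Host "deleted $($o.What)" }
}

# 4. DNS: host record, the _msdcs CNAME (assumes _msdcs is its own zone, as it is from
#    Windows Server 2003 on) and the dead server's NS entry. Reverse-zone PTRs, site links
#    and a deleted child domain's trustDomain object still need the manual steps above.
& dnscmd.exe /RecordDelete $dnsDomain $DcName A /f
if ($dsaGuid) { & dnscmd.exe /RecordDelete "_msdcs.$dnsForest" $dsaGuid CNAME /f }
& dnscmd.exe /RecordDelete $dnsDomain '@' NS "$DcName.$dnsDomain." /f
```

Run it once without -Delete and compare the DNs it prints with what "select server" echoed back in the walkthrough; only then run it with -Delete. Reading the NTDS Settings GUID before the cleanup is what makes the CNAME removal possible, because after "remove selected server" the object the CNAME is named after is gone.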


Original Post:

Wednesday, October 10, 2012

Identifying Worker Process (w3wp.exe) – IIS 6.0 and IIS 7.0 for Debugging ASP.NET Application

If you are debugging an ASP.NET web application hosted on IIS, you need to attach Visual Studio to the right worker process before debugging can start. To attach to a process, go to Debug > Attach to Process (Tools > Attach to Process when no solution is open), or use the shortcut Ctrl+Alt+P. The process window lists the worker processes (w3wp.exe) currently running on IIS; select the right one and click Attach to start debugging.
The problem starts when multiple worker processes are running on IIS. If several sites are hosted on IIS and each site has its own application pool, the Attach to Process window lists all of their worker processes.

Here you need to identify the worker process that belongs to your application pool.
Note: When an application pool is created, IIS registers the pool and the URL namespaces of the applications it hosts with HTTP.sys, the kernel-mode listener. Whenever HTTP.sys receives a request, it matches the URL to an application pool and places the request in that pool's queue, from which the pool's worker process picks it up. A worker process only ever serves requests for its own pool, which is why the pool name is what you have to look for.
To know more about IIS request processing, here is one of my articles: How IIS Process ASP.NET Request
Identify Worker Process in IIS 6.0

• Start > Run > Cmd
• Go To Windows > System32
• Run cscript iisapp.vbs
• You will get the list of Running Worker ProcessID and the Application Pool Name.

So, here is your list of all worker process with corresponding application pool name.  From  the Application pool name you can easily identify which worker process is related with your application.
Identify Worker Process in IIS 7.0

From IIS 7.0 onwards you use the IIS command-line tool (appcmd) instead.
• Start > Run > Cmd
• Go To Windows > System32 > Inetsrv
• Run appcmd list wp
This lists the worker processes running on IIS 7.0 in a format similar to the IIS 6.0 script, one line per process: WP "<PID>" (applicationPool:<pool name>).
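Both iisapp.vbs and appcmd answer the same question, and the trick iisapp.vbs uses works on either IIS version: IIS starts every worker process with -ap "<application pool name>" on its command line. The script below is an added example, not from the original post, that reads that command line through WMI so it runs unchanged on IIS 6.0 and IIS 7.x, adds the account each worker process runs as (the pool identity, which is what an attacker inherits from a compromised application) and, where appcmd exists, cross-checks against its output. The two command lines under $samples are constructed for this example so the parser can be tried without IIS.

```powershell
# Added example, not from the original post. PowerShell 2.0; run it on the IIS box as an
# administrator (Win32_Process.GetOwner and CommandLine need rights on the processes).
function ConvertFrom-W3wpCommandLine {
    param([string]$CommandLine)
    # IIS 6 and IIS 7 pass different other switches, but both pass -ap "<pool name>".
    if ($CommandLine -match '-ap\s+"(?<pool>[^"]+)"') { return $matches.pool }
    return $null
}

function Get-WorkerProcessInfo {
    param([string]$ComputerName = '.')
    Get-WmiObject -ComputerName $ComputerName -Class Win32_Process -Filter "Name = 'w3wp.exe'" |
        ForEach-Object {
            $owner   = $_.GetOwner()
            $account = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '(not readable)' }
            New-Object PSObject -Property @{
                PID     = $_.ProcessId
                AppPool = ConvertFrom-W3wpCommandLine $_.CommandLine
                Account = $account
                Started = $_.ConvertToDateTime($_.CreationDate)
            }
        }
}

function Get-AppcmdWorkerProcess {
    # IIS 7.x only; parses lines of the form: WP "1234" (applicationPool:DefaultAppPool)
    $appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
    if (-not (Test-Path $appcmd)) { return @() }
    & $appcmd list wp | ForEach-Object {
        if ($_ -match '^WP\s+"(?<pid>\d+)"\s+\(applicationPool:(?<pool>[^)]+)\)') {
            New-Object PSObject -Property @{ PID = [int]$matches.pid; AppPool = $matches.pool }
        }
    }
}

# Parser check on constructed command lines, one in IIS 6 form and one in IIS 7 form.
$samples = @(
    'c:\windows\system32\inetsrv\w3wp.exe -a \\.\pipe\iisipm1234 -t 20 -ap "DefaultAppPool"',
    'c:\windows\system32\inetsrv\w3wp.exe -ap "WCFSite" -v "v2.0" -a \\.\pipe\iisipm5678 -h "C:\inetpub\temp\apppools\WCFSite.config" -w "" -m 0 -t 20 -ta 0'
)
$samples | ForEach-Object { ConvertFrom-W3wpCommandLine $_ }

# Live listing: this is the table you need before Attach to Process.
$procs = Get-WorkerProcessInfo
$procs | Sort-Object AppPool | Format-Table PID, AppPool, Account, Started -AutoSize

# A pool with more than one PID is a web garden; attach to each PID if you must debug it.
$procs | Group-Object AppPool | Where-Object { $_.Count -gt 1 } | Select-Object Name, Count

# Least-privilege check: a pool identity of LocalSystem or an administrator means a web
# application compromise is a full server compromise. Built-in identities show up as
# "NT AUTHORITY\NETWORK SERVICE" or, for ApplicationPoolIdentity on IIS 7.5, "IIS APPPOOL\<pool>".
$procs | Where-Object { $_.Account -match '\\SYSTEM$' -or $_.Account -match 'Admin' } |
    Format-Table PID, AppPool, Account -AutoSize

# Cross-check on IIS 7.x: any PID WMI sees that appcmd does not (or vice versa) is worth a look.
Compare-Object ($procs | Select-Object -ExpandProperty PID) (Get-AppcmdWorkerProcess | Select-Object -ExpandProperty PID)
```

Win32_Process is also what you fall back on when appcmd or the IIS Manager UI is unavailable, for example on a box you are examining over WMI from another machine (-ComputerName), which is the usual situation during an incident.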

Original Post:

How to use IIS Manager to get Worker Processes (w3wp.exe) details information ?

In one of my previous blog posts, Identifying Worker Process (w3wp.exe) – IIS 6.0 and IIS 7.0 for Debugging ASP.NET Application, I explained how to identify the currently running worker processes from the command prompt when you need to attach a process from Visual Studio. But did you know that on IIS 7.0 and IIS 7.5 you can get the worker process (w3wp.exe) details, such as application pool name, process ID and CPU usage, from IIS Manager itself? You can even get details of each worker process in a Web Garden scenario. So when you need to attach to a process for debugging from Visual Studio, instead of going to the command prompt you can identify the worker process ID from IIS Manager.

Get Worker Processes ( w3wp.exe) List :

To get the list of running worker processes, open IIS Manager (Run > inetmgr), select the server node at the root of the left-hand navigation tree and, in the Features View panel, select "Worker Processes".
Double-click "Worker Processes" to see the details of every worker process that is currently running.
From this list you get the Application Pool name, Process ID and state of each worker process, along with its CPU and memory usage.

Attach Worker Processes (w3wp.exe) For Debugging  :

In the Visual Studio Attach to Process window you will find the same list of worker processes with the same process IDs, so based on your application pool name you can attach to the right process and start debugging.
To know more about attaching to a process while your application is running on IIS, please read my complete article Debug Your ASP.NET Application that Hosted on IIS : Process Attach and Identify which process to attach (note: that article targets debugging with IIS 6.0).

What else we can have from Worker Processes lists in IIS 7 Manager?

We have already identified the worker process and application pool name, which is more than enough to attach a process from Visual Studio. What else can we get out of this list? Quite a lot of information about each worker process:
  • Current state of the worker process
  • CPU usage of the worker process
  • Memory usage of the worker process
  • Requests currently being handled by the worker process

What about the current Worker Process (w3wp.exe ) State  ?

The State column shows the current status of each worker process. A worker process can be in one of three states:
  1. Running
  2. Stopping
  3. Starting
You may wonder why there is no "Stopped" state for a worker process in IIS. I will explore that in a separate blog post.
As with the state, you can monitor the CPU % and memory usage of each worker process from IIS Manager itself.

What about the Current  Request  at Worker Process ?

You can view the current request details for a particular worker process from IIS Manager itself. While the worker process is running, double-click it to see what it is doing in the back end.
From the request details you get the web site ID, URL, HTTP verb, client IP and state, along with the module name. The State and Module Name columns are the most useful: they tell you which stage of the pipeline each request has reached and which HTTP module is currently handling it, which is where a request that hangs or runs for a long time shows up.
To know more about the fundamentals of how IIS processes an ASP.NET request, you can read my article How IIS Process ASP.NET Request.
You can also read "Securely Implement Request Processing, Filtering, and Content Redirection with HTTP Pipelines in ASP.NET" for more advanced topics.
To know more about worker process requests, read View Currently Executing Requests in a Worker Process (IIS 7).
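The same request list is available from the command line through appcmd, which matters when there is no desktop session on the server or when you want to poll it. The script below is an added example, not from the original post: it parses the text that "appcmd list requests" prints (one REQUEST line per executing request, with url, time, client, stage and module fields; the regex is tolerant, but check the field names against your own output) and flags requests that have been executing longer than a threshold, grouped by the module that is holding them. The threshold, and the two REQUEST lines used as sample input, are assumptions constructed for this example.

```powershell
# Added example, not from the original post. PowerShell 2.0 on IIS 7.x; run as administrator.
$appcmd      = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$thresholdMs = 5000   # assumed threshold: anything executing longer than this is worth a look

function ConvertFrom-AppcmdRequest {
    param([string[]]$Lines)
    # Shape of a line, e.g.:
    # REQUEST "7000000080000548" (url:GET /slow.aspx, time:12034 msec, client:10.0.0.7, stage:ExecuteRequestHandler, module:ManagedPipelineHandler)
    $rx = '^REQUEST\s+"(?<id>[^"]+)"\s+\((?<body>.*)\)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $rx) {
            $id     = $matches.id
            $fields = @{}
            # Split only on ", <name>:" so a comma inside a URL does not break the parse.
            foreach ($pair in ($matches.body -split ',\s*(?=\w+:)')) {
                $k, $v = $pair -split ':', 2
                $fields[$k] = $v
            }
            New-Object PSObject -Property @{
                Id     = $id
                Url    = $fields['url']
                Ms     = [int]($fields['time'] -replace '\D', '')
                Client = $fields['client']
                Stage  = $fields['stage']
                Module = $fields['module']
            }
        }
    }
}

function Get-SlowRequests {
    param([string[]]$Lines, [int]$ThresholdMs = $thresholdMs)
    ConvertFrom-AppcmdRequest $Lines | Where-Object { $_.Ms -ge $ThresholdMs } | Sort-Object Ms -Descending
}

# Constructed sample input so the parser can be exercised without a loaded server.
$sample = @(
    'REQUEST "7000000080000548" (url:GET /slow.aspx, time:12034 msec, client:10.0.0.7, stage:ExecuteRequestHandler, module:ManagedPipelineHandler)',
    'REQUEST "7000000080000549" (url:POST /api/upload, time:310 msec, client:10.0.0.9, stage:ExecuteRequestHandler, module:IsapiModule)'
)
Get-SlowRequests $sample | Format-Table Ms, Client, Url, Stage, Module -AutoSize

# Live run: which module is holding the slow requests? A pile-up in one module (a custom
# handler, a proxied back end) is usually where a hang, or a client deliberately holding
# connections open, shows up first. Many slow requests from one client IP is the other sign.
if (Test-Path $appcmd) {
    $live = Get-SlowRequests (& $appcmd list requests)
    $live | Group-Object Module | Select-Object Name, Count | Sort-Object Count -Descending
    $live | Group-Object Client | Select-Object Name, Count | Sort-Object Count -Descending
}
```

The Stage and Module columns in the parsed output are the same ones the IIS Manager view shows; scripting them lets you take the snapshot repeatedly, for example every few seconds during an incident, and keep the output.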

View Details of Each Worker Process when you are using Web Garden

Before starting with web garden mode, if you want to know more about web gardens or just want a recap, please read one of my previous articles: What is the difference between Web Farm and Web Garden ?
If you have configured your site as a Web Garden, the worker processes list shows all of its worker processes, each with a different process ID but all under the same application pool.
So, in the diagrams, "WCFSite" is configured in Web Garden mode with two worker processes, and the Worker Processes list shows both of them with different process IDs, listed under the same application pool.
Note: You will only see worker processes that are in the running state.
Summary: In this blog post I have explained how you can use IIS Manager to get the list of worker processes with their application pool ID, name and running state, along with CPU and memory usage, and how to view the requests a worker process is executing. I have also explained how to get the details of each worker process in web garden scenarios. I will publish another blog post on worker process states very soon.
Hope this helps!
Thanks !

Original Post: