Thursday, October 20, 2011

REPOST - 2008 R2 Core Installation

REPOST - I found this great article on 2008 R2 Core install.  Reposted here I hope you enjoy.

Implementing a Windows Server 2008 R2 Core Domain Controller into an existing Active Directory Forest is not a daunting task in itself but requires changes in the way many Administrators approach the installation and configuration of the base Windows installation.

Here will go through common configuration steps for integrating Windows Server 2008 R2 Core into an existing corporate Active Directory.

Domain Controllers are prime candidates for Server Core, they provide a smaller OS surface area that in theory at least should ensure there are less vulnerabilities exposed to possible malicious attacks. This means fewer critical hotfixes released by Microsoft are required to be installed on Server Core and can reduce the frequency of maintenance cycles and accompanying reboots, Microsoft estimate if there had been a Server Core edition of Windows Server 2003 it would have required 40% fewer patches than the Gui edition.

Section 1 – Prepare Existing Windows 2000/2003 AD

Section 2 – Configure Windows Server 2008 R2 Core

Section 3 – DCPromo and post DCPromo tasks

Pre-Requisites

Many organisations today still run Windows XP as the standard desktop OS, this is an issue for administrators who support existing AD environments using the Adminpak supplied in Windows 2003. The tools in the Windows Server 2003 Adminpak do not work seamlessly with Windows Server 2008 and the RSAT (Remote Server Administration Tools, the Adminpak replacement for Windows Server 2008) will not run on XP. The RSAT delivered with Windows Server 2008 R1 will run only on Windows Vista Desktops whilst the RSAT delivered with R2 only runs on Windows 7. The RSAT can be installed on a Gui based Windows 2008 server by installing the RSAT feature.

ADPrep needs to be run for both the forest and the individual domain where the Windows Server 2008 R2 Domain Controller will be installed.

Section 1 – Prepare Existing Windows 2000/2003 AD

The ADPrep in Windows Server 2008 adds the RODC (Read Only Domain Controller) ADPrep to the traditional forest and domain ADPreps. In short a RODC contains read-only partitions of the Active Directory Database. Common deployments of RODCs are in branch offices where physical security cannot be guaranteed, benefits offered include improved security, user credential caching meaning faster logon times and make more efficient access to resources on the network. More information on RODCs can be found here. The RODC ADPrep is run once at the forest level.

ADPrep is located on the Windows Server 2008 R2 DVD in the \Support\adprep directory, adprep.exe is the 64 bit version and adprep32.exe is the 32 bit version of the tool. Ensure the command prompt has been started using the “Run As Administrator” if running on a Windows Vista, Windows 7 or Windows Server 2008.

Forest ADPrep

The forest ADPrep requires that the logged in user is a member of the Enterprise Admins and Schema Admins groups as well as being a Domain Admin for the Domain containing the forests Schema Master. The forest ADPrep must be run on the Domain Controller holding the AD forests Schema Master FSMO role, to identify the FSMO roles at a command prompt (on any Domain Controller in the forest) enter, netdom query fsmo To run the forest ADPrep enter the following from the /support/adprep DVD directory.

adprep /forestprep

once completed allow time for the changes to replicate across the entire AD forest before ADPrep’ing any domains in the forest.

Domain ADPrep

The domain ADPrep requires that the logged in user is a member of the Domains Domain Admins group. The Domain ADPrep must be run on the Domain Controller holding the Domains Infrastructure Master FSMO role (see Forest ADPrep on how to identify FSMO roles). To run the Domain ADPrep enter:

adprep /domainprep /gpprep

once completed allow time for the changes to replicate across the entire AD forest before installing any new Domain Controllers in the Domain.

RODC ADPrep

The RODC ADPrep can be run on any computer in the Active Directory Forest and must be able to access all Infrastructure to run successfully. In firewalled/isolated environments it is important to choose a suitable computer on which to run the RODC ADPrep. The user performing the RODC ADPrep must be a member of the Enterprise Admins group. From the /support/adprep directory on the Windows Server 2008 R2 DVD enter:
adprep /rodcprep

once completed allow time for the changes to replicate across the entire AD before installing a RODC.

Section 2 – Configure Windows Server 2008 R2 Core

We will now go through the steps to introduce a first Windows Server 2008 R2 Core Domain Controller into an existing Active Directory forest (for information, into a Windows 2003 R2 forest and domain functional level directory). Ordinarily most of the steps detailed for configuring the Windows Server 2008 R2 Core are included in the server provisioning process. Interactively the sconfig utility is available in R2 which is a text based menu system that can be run from the console command prompt and allow a number of system settings such as TCP/IP network configuration to be made.

Detailed below are the command lines that can be included in an automated provisioning environment, a post installation script or typed directly from the console command prompt.

To identify the features that are enabled (and disabled) on Windows Server Core, enter

dism /online /get-features

Install Powershell 2.0

I advocate using PowerShell as the tool of choice for managing Windows (and VMware) environments. To enable PowerShell the dotNet Framework version 2 and version 3/3.5 must first be enabled. (note: dotNet 3.0 and 3.5 are contained within a single feature). In addition on a Windows Server 2008 R2 DC the Active Directory PowerShell cmdlets module can be enabled allowing a more straightforward approach to AD Powershell similar to the Quest PowerShell Commands for Active Directory used by many Administrators.

dism /online /enable-feature /featurename=NetFx2-ServerCore

dism /online /enable-feature /featurename=NetFx3-ServerCore

dism /online /enable-feature /featurename=MicrosoftWindowsPowerShell dism /online /enable-feature /featurename=ActiveDirectory-PowerShell

Powershell 2.0 WOW64 Support (Optional)

If WOW64 (32bit) support is required additional features need to be enabled.

dism /online /enable-feature /featurename=NetFx2-ServerCore-Wow64

dism /online /enable-feature /featurename=MicrosoftWindowsPowershell-Wow64

Install DNS Server

If the Domain Controller will also be configured as a DNS Server as they often are, the DNS-Server-Core-Role can be added using, (DNS Server can also be installed as a part of the DCPromo):

dism /online /enable-feature /featurename=DNS-Server-Core-Role

Network Configuration

Assuming the Windows Server Core instance has a single interface and is using the logical name “Local Area Connection”, first disable any other network cards, run the following command for each disconnected network connection.

netsh interface set interface “Local Area Connection 2″ DISABLE

configure the IP address, subnet mask and default gateway.

netsh interface ipv4 set address name=”Local Area Connection” static 172.24.32.10 255.255.255.0 172.24.32.1

configure the dns servers for the network connection, in this instance 3 dns servers are specified, of course ensure that the server is configured to point at existing DNS servers that have access to the AD SRV records.

netsh interface ipv4 set dns name=”Local Area Connection” static 172.24.32.4

netsh interface ipv4 add dns name=”Local Area Connection” 172.24.32.5 index=2

netsh interface ipv4 add dns name=”Local Area Connection” 172.24.22.8 index=3

to disable NetBIOS over TCP/IP first identify the adapters index number using

wmic nicconfig get caption,index,TcpipNetbiosOptions

then using one of the following values:

0 – Use NetBios setting from DHCP
1 – Enable NetBios over TCP/IP
2 – Disable NetBios over TCP/IP

set the required NetBIOS over TCP/IP value to each Nic.

wmic nicconfig where index=1 call SetTcpipNetbios 2

In the above example, index=1 is the index number returned for “Local Area Connection” from the earlier command. configure the primary DNS suffix, whether the suffix should change if domain membership changes and set the DNS suffix search list

reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d “ad.mydomain.com”

reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v “NV Domain” /t REG_SZ /d “ad.mydomain.com”

reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v “SyncDomainWithMembership” /t REG_DWORD /d 1

reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v “SearchList” /t REG_SZ /d “ad.mydomain.com,mydomain.com,os.mydomain.com”

optionally a nic config can be backed up and restored using netsh, the following commands perform a backup and then a restore, this is useful if you wish to import a config instead of running many individual netsh commands.

netsh -c interface dump > c:\backup.txt

netsh -f c:\backup.txt

Configure Time Zone

to list the time zone names used by the time zone configuration utility run:

tzutil /l

then configure the time zone using one of the zone names. “_dstoff” can be appended to a zone name to have Daylight Savings Time disabled; the default enables Daylight Savings Time. To configure for GMT with DST switched off:

tzutil /s “GMT Standard Time_dstoff”

Rename Computer

if the server has a temporary name provisioning, it can be renamed using:

netdom renamecomputer /newname:

Diskpart to Create the NTDS/SYSVOL and Log Partitons

To create on Disk 0 a d: drive 50GB in size, a e: drive of 16GB and a f: drive using the remaining free space:

diskpart

select disk 0

list partition

create partition

primary size=50000

list partition

select partion 3

assign letter=D

format FS=NTFS LABEL=”DDrive” QUICK

create partition extended

list partition

select partition 0

create partition logical size=16000

assign letter=E

format FS=NTFS LABEL=”EDrive” QUICK

create partition logical

assign letter=F

format FS=NTFS LABEL=”FDrive” QUICK

list part

exit

The above can be saved as a text file and run using :

diskpart /s

Once created view the partitions using:

diskpart

list part

exit

something similar to the following should be displayed:diskpart

diskpart

list part

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 8144 KB 16 KB

Partition 2 Primary 124 GB 8160 KB

Partition 3 Primary 48 GB 125 GB

Partition 0 Extended 105 GB 173 GB

Partition 4 Logical 15 GB 173 GB

* Partition 5 Logical 89 GB 189 GBBe sure to have rebooted to make all the above settings stick before proceeding further.

Section 3 – DCPromo and Post Promotion Configuration

Promoting a Windows Server Core instance to a Domain Controller must be done using an unattend answer file, this is because Windows Server Core does not support the DCPromo Gui wizard. If a problem is encountered running DCPromo be aware that DCPromo removes all passwords from the unattend answer file including where ”prompt for password” has been set by setting the password value to “*”. Before re-running DCPromo the unattend file must be edited to reset the values in the password password fields. In the following templates the affected fields are:

DNSDelegationPassword=*

Password=*

SafeModeAdminPassword=Password1

AdministratorPassword=Password1

All DC configuration scenarios available running DCPromo in Gui mode are supported using an unattend answer file, (creating a new forest, creating a new domain, removing the last Domain Controller in a domain etc.). As this posting is targeted at introducing a Server Core DC into an already running Active Directory Forest only adding a new DC to an existing domain and removing (in the event a fallback is required!) a DC from a domain.

DC Promote Unattend Template

This template contains the parameters for adding a DC to an existing domain. Details of parameters used in DCPromo unattend files can be found in MS KB947034. A DCPromo unattend file can be created by running and completing the DCPromo wizard on an existing Gui Windows server. In the final step of the wizard an export button is displayed, use this to export the unattend file and simply cancel the wizard so the DCPromo is not run. The saved unattend file can be edited in a text editor and used for running DCPromo in unattend mode.

DC Promote

[DCInstall]

ReplicaOrNewDomain=Replica

ReplicaDomainDNSName=ad.mydomain.com

SiteName=ADSite1

InstallDNS=Yes

ConfirmGc=Yes

CreateDNSDelegation=Yes

DNSDelegationUserName=admydomain\stuartconey

DNSDelegationPassword=*

UserDomain=ad.mydomain.com

UserName=admydomain\stuartconey

Password=*

ReplicationSourceDC=dc2.ad.mydomain.com

DatabasePath=”D:\NTDS”

LogPath=”E:\NTDS”

SYSVOLPath=”D:\SYSVOL”

SafeModeAdminPassword=Password1

; Run-time flags (optional)

; CriticalReplicationOnly=Yes

; RebootOnCompletion=Yes

* substitute Password1 to your standard Safe Mode Password

In the above example, the InstallDNS=yes line will install the DNS Server service. The default for installing DNS is dependent on the environment detected when DCPromo is run. MS KB947034 describes in detail all DCPromo Unattend parameters.

DC Demote Unattend Template

This template demotes a running DC back to member server.

 DC Demote

[DCInstall]

UserName=admydomain\stuartconey

password=*

administratorpassword=Password1

removeapplicationpartitions=yes

removeDNSDelegation=yes

DNSDelegationUserName=admydomain\stuartconey

DNSDelegationPassword=*

* substitute Password1 to your standard local Adminstrator Password

For Domain Controllers Located Behind Firewalls

In environments where domain controllers are separated from other domain controllers or member servers by firewalls it is possible to configure FRS and RPC traffic to use specific ports. Microsoft has the following document and KBs covering this issue.

MS Active Directory in Networks Segmented By Firewalls (Word Document)

MS KB224196, Restricting Active Directory replication traffic to a specific port

MS KB319553, How to restrict FRS traffic o a specific static port

MS KB154596, How to configure RPC dynamic port allocation to work with firewalls

In summary the following registry settings are used to set the ports used by the Active Directory FRS and RPC services.

Port used by FRS for Active Directory Replication:

HKLM\CurrentControlSet\Services\NTDS\ParametersRegistry value: TCP/IPValue type: REG_DWORDValue data: (available port)

Port used for client RPC traffic to a specific port:

HKLM\CurrentControlSet\Services\Netlogon\ParametersRegistry value: DCTcpipPortValue type: REG_DWORDValue data: (available port)

Port used by FRS:

HKLM\CurrentControlSet\Services\NTFRS\ParametersRegistry value: RPC TCP/IP Port AssignmentValue type: REG_DWORDValue data: (available port)

RPC Dynamic Port Range:

HKLM\Software\Microsoft\Rpc\Internet\Ports: REG_MULTI_SZ: 5000-5100PortsInternetAvailable: REG_SZ: YUseInternetPorts: REG_SZ: Y

the above registry settings can be applied on Server Core using regedit /s filename, here is an example regedit file:

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters] “TCP/IP Port”=dword:0000422a

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters] “DCTcpipPort”=dword:0000422b

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters] “RPC TCP/IP Port Assignment”=dword:0000411c

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet] “Ports”=hex(7):35,00,32,00,30,00,30,00,2d,00,35,00,33,00,30,00,30,00,00,00,00,00\

“PortsInternetAvailable”=”Y”

“UseInternetPorts”=”Y”

DNS Server Final Configuration

If the Windows Server Core Domain Controller is running DNS Server all AD integrated zones that are configured to “replicate to all DNS servers in the Domain” or “replicate to all DNS servers in the forest” will be synchronized to the DC. The DNS Server can be configured further, (for example configuring forwarding rules) using DNS Server Management MMC snap-in on either a Windows Server 2008 or Windows 7 (RSAT). One time saving new feature in Windows Server 2008 DNS Server is to set the Conditional Forwarding rules for a DNS server and request that they are replicated to all DNS servers in the Domain.

The dnscmd command line utility also offers comprehensive management of the DNS Server on Windows Server Core.

…and finally, if the new Windows Server Core DC is a replacement for an existing DC that will be decommissioned, remember to update GPOs containing DNS Server IP address assignments to Member Workstations and Servers in the forest.

Reference http://stuartconey.com/wp/?p=215

No comments: