IT Core Blog

Never stop questioning. Curiosity has its own reason for existing…

Posts Tagged ‘Active Directory’

Hyper-V R2 Cluster CSV stops working when NTLM is disabled in cluster with Hyper-V Enabled


ID: 5121
Source: Microsoft-Windows-FailoverClustering
Version: 6.1
Message: Cluster Shared Volume '%1' ('%2') is no longer directly accessible from this cluster node

This error can be caused by NTLM being disabled on the Hyper-V host. In Windows Server 2008 R2, Cluster Shared Volumes use SMB between the cluster nodes (redirected I/O goes over SMB to the coordinator node), and that intra-cluster SMB traffic authenticates with NTLM. A policy that disables NTLM (for example the Network security: Restrict NTLM settings) therefore breaks CSV and produces the event above.

If NTLM was disabled through a GPO in your Active Directory domain, identify the GPO that carries the setting and exclude the clustered Hyper-V computer objects from it (for example with security filtering on the GPO). Alternatively, create and link a second GPO that re-enables NTLM and applies only to the clustered hosts; linked to the hosts' OU it overrides the domain-wide setting. After the change run gpupdate /force on each node and confirm that the 5121 events stop and the CSV is directly accessible again.
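The following script is an added example, not part of the original post: it reads the registry values behind the "Network security: Restrict NTLM" policies on each cluster node and pulls any recent FailoverClustering 5121 events, so you can see which node and which setting is responsible before you go hunting for the GPO. The node names are placeholders unless the FailoverClusters module is available; the remote registry reads assume the Remote Registry service is running on the nodes, and Get-WinEvent -ComputerName assumes the event log RPC ports are reachable.

```powershell
# Added example: audit NTLM restriction settings and CSV event 5121 on Hyper-V cluster nodes.
param([string[]]$Nodes)

if (-not $Nodes) {
    Import-Module FailoverClusters -ErrorAction SilentlyContinue
    if (Get-Command Get-ClusterNode -ErrorAction SilentlyContinue) {
        $Nodes = @(Get-ClusterNode | ForEach-Object { $_.Name })
    } else {
        $Nodes = @('HV-NODE1', 'HV-NODE2')   # assumed placeholder node names
    }
}

# Registry values written by the Restrict NTLM policies. CSV on 2008 R2 needs NTLM between
# nodes, so a "deny" value on either side breaks it. LmCompatibilityLevel is listed because it
# is often confused with "disabling NTLM": level 5 refuses LM and NTLMv1 but still allows NTLMv2.
$NtlmChecks = @(
    @{ SubKey = 'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'RestrictSendingNTLMTraffic'
       Policy = 'Restrict NTLM: Outgoing NTLM traffic to remote servers'
       Meaning = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }; Breaks = @(2) },
    @{ SubKey = 'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'RestrictReceivingNTLMTraffic'
       Policy = 'Restrict NTLM: Incoming NTLM traffic'
       Meaning = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }; Breaks = @(1, 2) },
    @{ SubKey = 'SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel'
       Policy = 'LAN Manager authentication level'
       Meaning = @{ 0 = 'LM and NTLM'; 1 = 'LM and NTLM, NTLMv2 if negotiated'; 2 = 'NTLM only'
                    3 = 'NTLMv2 only'; 4 = 'NTLMv2 only, refuse LM'; 5 = 'NTLMv2 only, refuse LM and NTLM' }
       Breaks = @() }
)

function Get-RemoteRegistryValue([string]$Computer, [string]$SubKey, [string]$Name) {
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $key = $hive.OpenSubKey($SubKey)
        if ($key) { $key.GetValue($Name) }   # $null when the value is absent (policy Not Configured)
    } finally { $hive.Close() }
}

foreach ($node in $Nodes) {
    foreach ($c in $NtlmChecks) {
        $value = Get-RemoteRegistryValue -Computer $node -SubKey $c.SubKey -Name $c.Name
        $state = if ($value -eq $null) { 'not configured' } else { $c.Meaning[[int]$value] }
        New-Object PSObject -Property @{
            Node      = $node
            Policy    = $c.Policy
            Value     = $value
            Meaning   = $state
            BreaksCsv = ($value -ne $null -and $c.Breaks -contains [int]$value)
        }
    }
    # Event 5121: Cluster Shared Volume '%1' ('%2') is no longer directly accessible from this node
    $events = Get-WinEvent -ComputerName $node -MaxEvents 5 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-FailoverClustering'; Id = 5121 }
    foreach ($e in $events) {
        New-Object PSObject -Property @{ Node = $node; Policy = 'Event 5121'; Value = $e.TimeCreated
                                         Meaning = $e.Message.Split("`n")[0]; BreaksCsv = $true }
    }
}
```

Run it from any node; a row with BreaksCsv = True names the node and the setting to chase. To find the GPO that delivers that setting, run gpresult /scope computer /v on the node and look for the Restrict NTLM entries under the security settings.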


Written by IT Core

September 21, 2010 at 10:07 PM

TechEd 2010 Virtualization Sessions


Here are some interesting virtualization sessions from TechEd.

Networking and Windows Server 2008 R2 Hyper-V: Deployment Considerations


Microsoft System Center Virtual Machine Manager 2008 R2: Advanced Virtualization Management

The Microsoft System Center Operations Manager Top 20 Must-Have Customizations

Microsoft System Center Operations Manager and Virtual Machine Manager: Monitoring the Service Stack

See the Largest Mission Critical Deployment of Microsoft SQL Server around the World

Check the Latest Videos from TechEd North America

Have Fun 😀

TechNet Wiki – AV Exclusion List


Wouldn’t it be handy to have one place on the web where you could find an updated list of ALL the AV exclusions you might want to configure? This wiki stub topic is meant to be that list. Feel free to add to the list, it is the wiki way!  


KB822158: Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows

Windows / Active Directory:

Forefront: Considerations when using antivirus software on FF Edge

Exchange 2010:

Exchange 2007:

Recommended Anti-Virus exclusions for MED-V client and workspace installations

System Center: Recommendations for antivirus exclusions in MOM 2005 and Operations Manager 2007
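The following script is an added example and is not part of the wiki list: it builds the Active Directory exclusion set that KB822158 describes (NTDS database, transaction logs and working folder, SYSVOL, the FRS working folder and staging folders, and the DFSR database) from the registry of the domain controller it runs on, so the paths match the server as installed rather than the defaults. It assumes it is run locally on a DC as an administrator; the registry value names are the ones NTDS, Netlogon and NtFrs store their paths under.

```powershell
# Added example: derive the AV exclusion paths for this domain controller from its registry.
$ntds     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ntfrs    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

$exclusions = @()

# NTDS: the database file, the transaction log folder and the working folder (checkpoint, reserve logs)
$dit     = Get-RegValue $ntds 'DSA Database file'
$logDir  = Get-RegValue $ntds 'Database log files path'
$workDir = Get-RegValue $ntds 'DSA Working Directory'
if ($dit)     { $exclusions += @{ Area = 'NTDS database'; Path = $dit;     Pattern = 'ntds.dit, ntds.pat' } }
if ($logDir)  { $exclusions += @{ Area = 'NTDS logs';     Path = $logDir;  Pattern = 'edb*.log, edbres*.jrs, res*.log' } }
if ($workDir) { $exclusions += @{ Area = 'NTDS working';  Path = $workDir; Pattern = 'edb.chk, temp.edb' } }

# SYSVOL (policies and scripts served to clients)
$sysvol = Get-RegValue $netlogon 'SysVol'
if ($sysvol) { $exclusions += @{ Area = 'SYSVOL'; Path = $sysvol; Pattern = '*' } }

# FRS jet database folder and the staging folder of every replica set
$frsWork = Get-RegValue $ntfrs 'Working Directory'
if ($frsWork) { $exclusions += @{ Area = 'FRS working'; Path = $frsWork; Pattern = '*' } }
Get-ChildItem "$ntfrs\Replica Sets" -ErrorAction SilentlyContinue | ForEach-Object {
    $stage = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).'Replica Set Stage'
    if ($stage) { $exclusions += @{ Area = 'FRS staging'; Path = $stage; Pattern = '*' } }
}

# DFSR-replicated SYSVOL (Windows Server 2008+) keeps its database under System Volume Information\DFSR
$exclusions += @{ Area = 'DFSR database'; Path = "$env:SystemDrive\System Volume Information\DFSR"; Pattern = '*' }

$exclusions | ForEach-Object { New-Object PSObject -Property $_ } | Format-Table Area, Path, Pattern -AutoSize
```

Feed the resulting paths into your AV product's exclusion list; exclude by path plus file pattern rather than by extension alone, so that a stray *.log elsewhere on the disk is still scanned.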

Active Directory Federation Services 2.0 Available For Download


Active Directory Federation Services 2.0 helps IT enable users to collaborate across organizational boundaries and easily access applications on-premises and in the cloud, while maintaining application security. Through a claims-based infrastructure, IT can enable a single sign-on experience for end-users to applications without requiring a separate account or password, whether applications are located in partner organizations or hosted in the cloud.

Get it: Active Directory Federation Services 2.0 RTW
Read more about Federation Services

Written by IT Core

May 5, 2010 at 7:42 PM

Domain Controllers and Active Directory Domains Part 7


Click if you want to review part 1, part 2, part 3, part 4, part 5 or part 6 of the Domain Controllers and Active Directory Domains series.

“How to deploy a Read-only Domain Controller in a Windows 2003 domain”

In part 7 of this series we discuss a new type of domain controller, the read-only domain controller (RODC).

Read-only domain controllers (RODCs) are additional domain controllers that host read-only partitions of the Active Directory database. They were introduced in Windows Server 2008 as a new feature of Active Directory Domain Services, and they are Microsoft's answer to customers who needed domain controllers at locations where physical security cannot be guaranteed (branch offices, perimeter networks). A writable DC in a branch office holds every password hash in the domain, so its theft is a domain-wide compromise; with RODCs Microsoft offers a solution to this and to a number of other security and manageability problems that existed in older operating system versions.

So what makes RODCs special, and what do they have that read/writable domain controllers (RWDCs) don't? RODCs have:

  • A read-only copy of the Active Directory database. Applications can only read data from the AD database on an RODC; the RODC forwards certain write operations (such as password changes and logon-attribute updates) to a writable domain controller, and returns LDAP referrals to writable domain controllers when necessary.
  • A read-only copy of the SYSVOL folder contents.
  • Unidirectional replication: RODCs pull information from RWDCs, but RWDCs never pull from RODCs. This applies to both the AD database and SYSVOL, so a compromised RODC cannot inject changes into the rest of the domain, and the RWDCs carry no replication load from it.
  • Administrator Role Separation (ARS): domain administrators can delegate both the installation and the local administration of an RODC to any domain user or group, without granting that user any additional rights in the domain and without compromising the security of the rest of the domain.
  • Credential caching: by default an RODC does not store user or computer credentials, except for its own computer account and a special krbtgt account for that RODC (krbtgt_<number>). This means that by default every authentication request is forwarded by the RODC to an RWDC.
  • Password Replication Policy (PRP): the ability to configure which accounts' passwords are allowed to be cached on a given RODC, through an Allowed list and a Denied list (Denied wins on conflict). The RODC asks a writable DC to replicate an account's secret only after that account authenticates at the RODC and the PRP permits it.
  • Filtered Attribute Set (FAS): control over which attributes are not replicated to any RODC. This protects sensitive data (for example credentials that an application stores in the directory) in scenarios where an RODC is stolen or compromised.
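The following script is an added example, not part of the original post: it inventories the controls listed above (the PRP Allowed and Denied lists, which account secrets have actually been cached on each RODC, and the attributes in the RODC filtered attribute set) with plain LDAP over ADSI, so it works without the Active Directory PowerShell module. It assumes it runs as a domain user with ordinary read access; the attribute names are the schema attributes these features are stored in, and the flagging of adminCount = 1 accounts is this example's own check.

```powershell
# Added example: RODC posture check over ADSI/LDAP (PRP lists, cached secrets, filtered attribute set).
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.Properties['defaultNamingContext'].Value
$schemaDn = $rootDse.Properties['schemaNamingContext'].Value

function Search-Ldap([string]$BaseDn, [string]$Filter, [string[]]$Attributes) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$BaseDn", $Filter)
    $s.PageSize = 1000
    foreach ($a in $Attributes) { [void]$s.PropertiesToLoad.Add($a) }
    $s.FindAll()
}

# DN-Binary values come back as "B:<len>:<hex>:<DN>"; keep only the DN part
function ConvertTo-Dn([string]$Value) { $Value -replace '^B:\d+:[0-9A-Fa-f]*:', '' }

# RODC computer accounts have primaryGroupID 521 (Read-only Domain Controllers)
$rodcs = Search-Ldap $domainDn '(&(objectClass=computer)(primaryGroupID=521))' @(
    'name', 'msDS-Reveal-OnDemandGroup', 'msDS-NeverRevealGroup', 'msDS-RevealedList', 'msDS-KrbTgtLink')

foreach ($r in $rodcs) {
    $p = $r.Properties
    "=== RODC: $($p['name'][0])   krbtgt account: $(ConvertTo-Dn $p['msDS-KrbTgtLink'][0])"
    "--- PRP Allowed (msDS-Reveal-OnDemandGroup):"
    $p['msDS-Reveal-OnDemandGroup'] | ForEach-Object { "    $_" }
    "--- PRP Denied (msDS-NeverRevealGroup):"
    $p['msDS-NeverRevealGroup'] | ForEach-Object { "    $_" }
    "--- Secrets actually cached on this RODC (msDS-RevealedList):"
    foreach ($v in $p['msDS-RevealedList']) {
        $dn   = ConvertTo-Dn $v
        $acct = [ADSI]"LDAP://$dn"
        # adminCount=1 marks accounts protected by AdminSDHolder (Domain Admins and friends).
        # Their hashes should never sit on a branch-office box, so flag them loudly.
        $flag = if ($acct.Properties['adminCount'].Value -eq 1) { '   <-- PRIVILEGED ACCOUNT CACHED' } else { '' }
        "    $dn$flag"
    }
}

# RODC filtered attribute set: attributeSchema objects whose searchFlags has bit 0x200 (512) set
"=== Attributes in the RODC Filtered Attribute Set:"
Search-Ldap $schemaDn '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=512))' @('lDAPDisplayName') |
    ForEach-Object { "    $($_.Properties['lDAPDisplayName'][0])" }
```

The same Allowed, Denied and revealed lists can be read with repadmin /prp view <RODC> allow, deny and reveal; the LDAP version is useful when you want to run the check against every RODC in one pass or feed it into monitoring.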

 Active Directory prerequisites to deploy an RODC:

  • The forest functional level (FFL) must be Windows Server 2003 or higher. FFL 2003 is needed because linked-value replication (LVR) and Kerberos constrained delegation are only available at that level or later. This also means that every domain controller (DC) in the forest must run Windows Server 2003 or later.
  • Before introducing RODCs, a writable domain controller running Windows Server 2008 or Windows Server 2008 R2 MUST exist in the same domain as the RODC. That writable domain controller must be a DNS server that has registered a name server (NS) resource record for the relevant DNS zone. RODCs can only replicate domain updates from writable domain controllers running Windows Server 2008 or Windows Server 2008 R2.
  • If the forest still contains Windows Server 2003 domains, you must also run adprep /rodcprep before introducing an RODC in that forest. Note: the infrastructure master for each domain and for each application directory partition must be available for the operation to succeed. If these requirements are not met, you may experience the symptoms described in KB 949257. Also read Known Issues for Deploying RODCs.
  • To learn how to introduce Windows Server 2008/2008 R2 domain controllers into your domain/forest, check part 6 of this series.

 Some considerations to be aware of with RODCs:

  • As discussed before, an RODC needs at least one Windows Server 2008 RWDC. This follows from how RODCs work: write operations, DNS updates and authentication for non-cached accounts are all forwarded to RWDCs or to the authoritative DNS servers. With that in mind it is generally a good idea to have more than one Windows Server 2008 DC available to serve RODC requests. To learn how to introduce Windows Server 2008/2008 R2 domain controllers into your domain/forest, check part 6 of this series.
  • When an RODC running Windows Server 2008 R2 is added to a domain whose RWDCs run Windows Server 2008, the RODC logs Event ID 2916. This error can be disregarded, and it is not logged if there is an RWDC running Windows Server 2008 R2 in the domain.
  • Cross-domain authentication fails if the WAN is offline. RODC authentication for cached accounts (user and computer accounts) succeeds even if the WAN is offline; authentication for accounts that are not cached fails if the WAN is offline, so the PRP decides who can still log on during an outage.
  • RODCs can only synchronize their time from RWDCs that run Windows Server 2008; they are restricted from synchronizing with other RODCs and with domain controllers outside their own domain. (Client computers can synchronize time from any domain controller, including an RODC.)
  • Do not use highly privileged accounts (such as members of Domain Admins) to log on to RODCs.
  • Microsoft Exchange Server does not use RODCs. However, you can configure Outlook clients in a branch office that is serviced by a read-only global catalog server to use that read-only global catalog server for global address book lookups (see Applications That Are Known to Work with RODCs).
  • Perform staged RODC installations. The first stage (which requires Domain Admin credentials) creates an account for the RODC in AD. The second stage attaches the actual server that will become the RODC, in a remote location such as a branch office, to the account created for it. You can delegate the ability to attach the server to a non-administrative group or user.
  • When you upgrade a Windows Server 2003 domain controller it always remains a writable domain controller; you cannot turn it into an RODC during the upgrade. If you want to upgrade a Windows Server 2003 domain controller and make it an RODC, you must remove Active Directory Domain Services (AD DS), either just before or just after you upgrade the operating system. Once the server is upgraded and is no longer a domain controller, reinstall AD DS and choose the RODC option during the installation.
  • You cannot convert a full installation to a Server Core installation, or the reverse.

 Deploy RODCs:

Currently there are at least two ways to deploy RODCs: staged installation and direct installation.

Direct installation is the "normal" way to deploy any domain controller: you complete the full promotion of the RODC as a member of the Domain Admins group or of a group with equivalent delegated permissions, which means those credentials are used on the branch server itself.

In this blog post I'm going to show you the staged installation, because I think it makes more sense given the RODC security context (RODCs are normally placed at insecure or untrusted locations, right? :))

 The Staged Installation is divided in 2 stages:

  1. The Domain Admin prepares the Active Directory to receive the new RODC and delegates the final stage of an RODC installation to any user or group.
  2. The delegated user or group installs the RODC at the remote site and adds the RODC to the domain without the need to have a highly privileged account.

 I suggest using the Install from Media (IFM) option together with a staged installation (I'll show you how in the video). With IFM you minimize the replication of directory data over the network, which makes installing additional domain controllers in remote sites more efficient. When you create the IFM media for an RODC you can secure it before transporting it to the branch office by removing secrets such as account passwords from it; if the media is lost or stolen in transit, it cannot be mined for passwords. This works for RODCs precisely because an RODC caches no passwords by default, so they do not need to be present in its installation media.

That said, let's check "How to deploy a Read-only Domain Controller in a Windows 2003 domain".
(Note: before introducing RODCs into 2003 domains you must have at least one Windows Server 2008/2008 R2 DC; to learn how to introduce Windows Server 2008/2008 R2 DCs into an existing 2003 forest/domain, check part 6 of this series.)

Final Notes:
– Do not use highly privileged accounts (such as members of Domain Admins) to log on to RODCs.

– Consider installing RODCs on Windows Server Core.

– Consider using BitLocker on RODCs to protect the data at rest (database, logs and SYSVOL on a stolen server).

– With FRS, the RODC's SYSVOL is read-only in name only: a local change on the RODC is never replicated to the RWDCs, but it persists on the RODC and affects every computer that obtains Group Policy objects or logon scripts from that RODC, not only the accounts defined in the PRP. To resynchronize the SYSVOL contents, make a change on a writable domain controller to force the directory or file to replicate to the RODC, or set the BurFlags registry value to D2 on the RODC (see KB315457). This behavior is by design, because FRS provides only limited support for a read-only SYSVOL on an RODC. With DFS Replication on Windows Server 2008 R2 the SYSVOL replicated folder on an RODC is genuinely read-only, so local changes are not possible in the first place.

– Extend the RODC FAS to include any attributes that you want to keep off every RODC in the forest. Attributes that are prevented from replicating to RODCs cannot be exposed if an RODC is stolen or compromised. (As a best practice, make sure that the forest functional level is Windows Server 2008 or later before you configure the RODC FAS: at lower levels a compromised RODC could still obtain filtered attributes from a Windows Server 2003 DC, which does not enforce the FAS.)

– Use remote management tools to administer RODCs: Microsoft Remote Server Administration Tools (RSAT), Windows Remote Management (WinRM) and Windows Remote Shell (WinRS).

– Reliable time synchronization is required for Kerberos authentication. Client computers can synchronize time from any domain controller, including an RODC. An RODC can synchronize time only from a writable domain controller that runs Windows Server 2008 or later.

– Once 1,500 security principals are in the Allowed list, the RODC stops caching passwords. If you then try to cache the password for a user in the Allowed list, for example with repadmin /rodcpwdrepl, you get the following error (see Administering the Password Replication Policy):
Unable to replicate secrets for user CN=user… on read-only DC dsp17a30 from full DC <GUID=126c27dc-cbb2-41b0-b847-71e5d6b69ea2>.
Error: Replication access was denied. (8453)

 Additional Documentation:
Read-Only Domain Controller Planning and Deployment Guide
RODC Technical Reference Topics
Known Issues for Deploying RODCs
Applications That Are Known to Work with RODCs
Read-only Domain Controllers Step-by-Step Guide
Understanding “Read Only Domain Controller” authentication
Read-Only Domain Controllers and Account Lockouts
KB 944043: Description of the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients and for Windows Vista
Active Directory and Active Directory Domain Services Port Requirements
To review all video demonstrations, check video section of Active Directory Windows 2008 and 2008 R2 Documentation

Written by IT Core

April 22, 2010 at 11:59 PM

Posted in Deployment, How to..., Videos


Domain Controllers and Active Directory Domains Part 6


If you want to review part 1, part 2, part 3, part 4 or part 5 of this series, click the hyperlinks.

In part 6 of this series we discuss "How to introduce Windows 2008 and 2008 R2 domain controllers in 2003 domains". Windows Server 2008 and 2008 R2 bring new features and roles, several of them Microsoft's response to customer requests; the result is a great server operating system in which, among other things, security, stability and manageability were largely improved.
Before discussing how to introduce Windows Server 2008 / 2008 R2 domain controllers into 2003 domains, let's look at some of the new Active Directory features in Windows Server 2008 and 2008 R2:

 Windows 2008:
– Auditing
– Fine-Grained Password Policies
– Read-Only Domain Controllers
– Restartable Active Directory Domain Services
– Database Mounting Tool
– User Interface Improvements

Windows 2008 R2, all features in windows 2008 and:
-Active Directory Recycle Bin
-Active Directory module for Windows PowerShell and Windows PowerShell™ cmdlets
-Active Directory Administrative Center
-Active Directory Best Practices Analyzer
-Active Directory Web Services
-Authentication mechanism assurance
-Offline domain join
-Managed Service Accounts

Cool!!! 🙂 In future blog posts I will show you how to use some of these new tools and how to setup some of the new features described earlier.

Before Start:
– Make sure that your forest is healthy: use diagnostic tools such as repadmin, nltest, netdiag and dcdiag to check the health of all existing domains and domain controllers in the forest, and fix any replication errors first, because the adprep changes must replicate to every DC.
– Design a good rollback plan. In most scenarios this means a supported backup solution that lets you roll back changes if necessary. Some actions are irreversible (for example schema upgrades); the only way to revert them is to restore all DCs to the state they were in before the change, which can be a challenge in a big forest, so keep that in mind. Test all procedures before going to production so you won't be sorry later... 🙂
– Make sure that the new domain controllers, or the existing ones to be upgraded, meet the hardware requirements for Windows Server 2008/2008 R2.
– Create a lab, test, test, test and test again every step, and document everything.
– If you have DCs running Windows 2000, make sure that SP4 is installed.
Note: To increase security, domain controllers that run Windows Server 2008 and Windows Server 2008 R2 require by default that all client computers attempting to authenticate to them perform Server Message Block (SMB) packet signing and secure channel signing. If your production environment includes client computers running platforms that do not support SMB packet signing (for example, Microsoft Windows NT 4.0 with Service Pack 2 (SP2)) or secure channel signing (for example, Windows NT 4.0 with Service Pack 3 (SP3)), you might have to modify the default security policies so that client computers running older versions of Windows or non-Microsoft operating systems can still access domain resources in the upgraded domain.
By modifying the default security policies you weaken the security of your environment, so Microsoft recommends that you upgrade your Windows-based client computers as soon as possible. Once all client computers run versions of Windows that support SMB packet signing and secure channel signing, re-enable the default security policies.

AD Upgrade Options:
You can upgrade your Active Directory environment in two ways: by introducing new DCs running Windows Server 2008/2008 R2 or by performing an in-place upgrade of the existing domain controllers. From my experience you should avoid in-place upgrades where possible and use newly installed DCs; they save you a lot of headaches.
In-place upgrade notes: a direct in-place upgrade from a Windows 2000 DC to Windows Server 2008 is not supported; you must first upgrade the 2000 DC to Windows Server 2003 and then to 2008. Windows Server 2008 R2 is a 64-bit-only OS, so in-place upgrades to 2008 R2 are only possible on DCs running the 64-bit edition of Windows Server 2003.

Prepare the Forest and Domains:
– Check the domain functional level of every domain and make sure it is Windows 2000 native or higher; Windows 2000 mixed mode and Windows Server 2003 interim mode are not supported for Windows Server 2008 DCs. See KB322692 for how to view and raise functional levels.
– Before introducing a new DC running Windows Server 2008 / 2008 R2 into an existing Active Directory forest, the forest schema and each existing domain must be prepared with a tool called adprep.exe. It is in \sources\adprep on the Windows Server 2008 media and in \support\adprep on the Windows Server 2008 R2 media; the 2008 R2 adprep.exe is a 64-bit binary, so on a 32-bit schema master use adprep32.exe from the same folder.
Check the forest schema version from cmd (after running "adprep /forestprep" run the same command again to confirm that the schema was upgraded):
dsquery * cn=schema,cn=configuration,dc=domainname,dc=tld -scope base -attr objectVersion
(objectVersion 30 is Windows Server 2003, 31 is Windows Server 2003 R2, 44 is Windows Server 2008 and 47 is Windows Server 2008 R2.) Additional methods to find the schema version are HERE.
Update the forest schema by running "adprep /forestprep" from the command line. Run it on the schema master; to find the DC holding the schema role, type "netdom query fsmo" from cmd. This action requires a user account that is a member of the Schema Admins, Enterprise Admins and Domain Admins groups of the forest root domain.
After running "adprep /forestprep", wait for replication or force replication between all existing DCs. Once all DCs are in sync, go to each domain where you want to install a domain controller running Windows Server 2008 or Windows Server 2008 R2 and run "adprep /domainprep /gpprep" from cmd on that domain's infrastructure master (Domain Admins membership is required).
Prepare the forest for read-only domain controllers (RODCs), if you plan to install them, by running "adprep /rodcprep" (optional; requires Enterprise Admins and can be run from any computer in the forest).
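The following script is an added example, not part of the original post: it reads the values the preparation steps above depend on (schema objectVersion, forest and domain functional level, and the five FSMO role holders) straight from the directory over ADSI and warns about what still needs preparing. It deliberately uses no Active Directory PowerShell module, because that module needs a Windows Server 2008 R2 DC or ADWS, which a 2003 forest does not have yet. It assumes it runs from any domain-joined machine as a domain user; the version-to-release tables are the published schema and functional level values.

```powershell
# Added example: pre-upgrade inventory of schema version, functional levels and FSMO holders via ADSI.
$rootDse = [ADSI]'LDAP://RootDSE'
$cfgDn   = $rootDse.Properties['configurationNamingContext'].Value
$domDn   = $rootDse.Properties['defaultNamingContext'].Value
$schDn   = $rootDse.Properties['schemaNamingContext'].Value

# objectVersion of CN=Schema per release (the same value the dsquery command above returns)
$SchemaVersions = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'
                     44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2' }
# forestFunctionality / domainFunctionality values exposed by RootDSE on 2003+ DCs
$Levels = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003'
             3 = 'Windows Server 2008'; 4 = 'Windows Server 2008 R2' }

function Get-Prop([string]$Dn, [string]$Name) { ([ADSI]"LDAP://$Dn").Properties[$Name].Value }

# fSMORoleOwner holds the DN of the role holder's NTDS Settings object; extract the server name
function Get-FsmoHolder([string]$Dn) {
    (Get-Prop $Dn 'fSMORoleOwner') -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1'
}

$schemaVer = [int](Get-Prop $schDn 'objectVersion')
$ffl       = [int]$rootDse.Properties['forestFunctionality'].Value   # attribute absent on a 2000 DC -> 0
$dfl       = [int]$rootDse.Properties['domainFunctionality'].Value
$mixed     = ([int](Get-Prop $domDn 'ntMixedDomain')) -eq 1          # 1 = Windows 2000 mixed mode
$dflName   = if ($dfl -eq 0 -and $mixed) { 'Windows 2000 mixed' } else { $Levels[$dfl] }

New-Object PSObject -Property @{
    SchemaVersion        = "$schemaVer ($($SchemaVersions[$schemaVer]))"
    ForestFunctionality  = $Levels[$ffl]
    DomainFunctionality  = $dflName
    SchemaMaster         = Get-FsmoHolder $schDn
    DomainNamingMaster   = Get-FsmoHolder "CN=Partitions,$cfgDn"
    PdcEmulator          = Get-FsmoHolder $domDn
    RidMaster            = Get-FsmoHolder "CN=RID Manager`$,CN=System,$domDn"
    InfrastructureMaster = Get-FsmoHolder "CN=Infrastructure,$domDn"
} | Format-List

# Readiness checks matching the preparation steps above
if ($schemaVer -lt 44) { Write-Warning 'Schema below 44: run adprep /forestprep on the schema master before adding a Windows Server 2008 DC.' }
if ($schemaVer -lt 47) { Write-Warning 'Schema below 47: run adprep /forestprep from the 2008 R2 media before adding a Windows Server 2008 R2 DC.' }
if ($mixed -or $dfl -eq 1) { Write-Warning 'Domain is in Windows 2000 mixed or 2003 interim mode: raise it to at least Windows 2000 native first (KB322692).' }
```

Run it once before adprep and once after replication has converged; the SchemaMaster and InfrastructureMaster fields tell you where /forestprep and /domainprep have to be executed.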

After upgrading your Active Directory:
Be patient and wait for replication to occur between all DCs in ALL domains of the forest.
Make sure that everything works as expected: run the diagnostic tools (dcdiag, nltest, repadmin, netdiag) and inspect the update logs (Adprep.log in %SystemRoot%\Debug\ADPrep\Logs; Dcpromoui.log and Dcpromo.log in %SystemRoot%\Debug).
Consider an offline defragmentation of the Active Directory database on all existing DCs.
If everything is OK, take a backup now to preserve all the steps performed so far.
The next step is to start adding the new Windows Server 2008 / 2008 R2 domain controllers. It is recommended to start in the forest root domain and then move on to the child domains. If you are doing in-place upgrades, start with the server holding the PDC emulator FSMO role in each domain. If you are introducing new DCs running 2008/2008 R2, transfer the FSMO roles to the new domain controllers after introducing them in each domain, and configure the forest root domain PDC emulator as the authoritative time server for the forest.
Once again be patient during this process: make sure that new information has replicated to all existing DCs before introducing the next one, and keep checking that replication is working as expected.

Additional Notes:
– Review, update, and document the domain architecture to reflect any changes that you made during the domain upgrade process.
– Verify that the NETLOGON and SYSVOL shared folders exist and that File Replication Service (FRS) or Distributed File System (DFS) Replication is functioning without error by checking Event Viewer.
– Verify that Group Policy is being applied successfully by checking the application log in Event Viewer for Event ID 1704.
– Verify that all service (SRV), alias (CNAME), and host (A) resource records have been registered in Domain Name System (DNS).
– Verify Windows Firewall status.
Note: Although the default behavior for Windows Server 2008 and Windows Server 2008 R2 is that Windows Firewall is turned on, if you upgrade a Windows Server 2003 computer that had Windows Firewall turned off, the firewall will remain off after the upgrade unless you turn it on using the Windows Firewall control panel.
– Continuously monitor your domain controllers and Active Directory Domain Services.

Additional Links:
Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains (TechNet)
Migrate Server Roles to Windows Server 2008 R2
ADMT Guide: Migrating and Restructuring Active Directory Domains
Windows Server 2008 R2 Migration Utilities x64 Edition
The Net Logon service on Windows Server 2008 and on Windows Server 2008 R2 domain controllers does not allow the use of older cryptography algorithms that are compatible with Windows NT 4.0 by default
How to view and transfer FSMO roles
Compact the directory database file
AD DS Backup and Recovery Step-by-Step Guide

Check the next demo for “How to deploy a Read-only Domain Controller in a Windows 2003 domain” in Part 7 of this series.

To review all video demonstrations, check video section of Active Directory Windows 2008 and 2008 R2 Documentation

Written by IT Core

April 3, 2010 at 12:01 AM

Posted in Deployment, How to..., Videos


Active Directory and Personal Virtual Desktops


Here's a nice article from the Remote Desktop Services Team Blog that explains the Active Directory schema requirements for virtual desktop pools and personal virtual desktops.

Microsoft’s VDI solution offers two deployment scenarios: virtual desktop pools and personal virtual desktops. Virtual desktop pools are not dependent on a specific Active Directory schema level; however, personal virtual desktops do need a Windows Server 2008 or Windows Server 2008 R2 schema.

Here are the Active Directory requirements for personal virtual desktops:

  • To deploy personal virtual desktops, your schema for the Active Directory forest must be at least Windows Server 2008. To use the added functionality provided by the Personal Virtual Desktop tab in the User Account Properties dialog box in Active Directory Users and Computers, you must run Active Directory Users and Computers from a computer running Windows Server 2008 R2 or from a computer running Windows 7 that has Remote Server Administration Tools (RSAT) installed.
  • You must use a domain functional level of at least Windows 2000 Server native mode. The functional levels Windows 2000 Server mixed mode and Windows Server 2003 interim mode are not supported.