In Place Upgrade of Windows Server

 In Place Upgrade KB ID 0001895

Problem

An in-place upgrade of a Windows Server, where you update an existing server installation to a newer version without reinstalling from scratch, can be a powerful way to bring older infrastructure up to date without the lengthy process of rebuilding a system and restoring data. The allure of this method lies in its simplicity and time efficiency; theoretically, you can go from, say, Windows Server 2016 to Windows Server 2022 with much less downtime, keeping configurations, applications, and user data intact. This can be especially appealing in scenarios where budget or time constraints make a full migration impractical, or for environments where a server holds critical roles that are complex to reconfigure from scratch.

However, while in-place upgrades have their perks, they aren’t without pitfalls. For starters, there’s always a risk of compatibility issues, especially if the server runs legacy software that might not play nicely with the new OS version. Performance problems can also arise, as remnants of old files and configurations may lead to a less than optimised system, compared to a clean installation. Additionally, any existing issues on the server, such as misconfigurations, registry bloat, or malware, can carry over to the new version, potentially causing instability. Therefore, before deciding on an in-place upgrade, it’s essential to weigh these pros and cons carefully, considering both the potential gains and risks based on your environment and long-term plans.

As I’ve previously stated, I prefer to do in place upgrades. If you have fewer than 50 servers and an IT support team, you may want to plan a clean install and data migration, but there comes a point where that’s simply not practical. My firm looks after more than 10 thousand Windows servers, and when a ‘wave’ of them goes outside of supportability, we either stop supporting them or offer an in-place upgrade.

Windows Server In Place Upgrade Paths

Current OS: Windows Server 2008
  • Upgrade path to Windows Server 2022: Windows Server 2008 R2 → Windows Server 2012 R2 → Windows Server 2019 → Windows Server 2022
  • Upgrade path to Windows Server 2025: Windows Server 2008 R2 → Windows Server 2012 R2 → Windows Server 2019 → Windows Server 2025

Current OS: Windows Server 2008 R2
  • Upgrade path to Windows Server 2022: Windows Server 2012 R2 → Windows Server 2019 → Windows Server 2022
  • Upgrade path to Windows Server 2025: Windows Server 2012 R2 → Windows Server 2019 → Windows Server 2025

Current OS: Windows Server 2012
  • Upgrade path to Windows Server 2022: Windows Server 2012 R2 → Windows Server 2019 → Windows Server 2022
  • Upgrade path to Windows Server 2025: Windows Server 2012 R2 → Windows Server 2019 → Windows Server 2025

Current OS: Windows Server 2012 R2
  • Upgrade path to Windows Server 2022: Windows Server 2019 → Windows Server 2022
  • Upgrade path to Windows Server 2025: Windows Server 2019 → Windows Server 2025

Current OS: Windows Server 2016
  • Upgrade path to Windows Server 2022: Direct upgrade to Windows Server 2022
  • Upgrade path to Windows Server 2025: Direct upgrade to Windows Server 2025

Current OS: Windows Server 2019
  • Upgrade path to Windows Server 2022: Direct upgrade to Windows Server 2022
  • Upgrade path to Windows Server 2025: Direct upgrade to Windows Server 2025

Current OS: Windows Server 2022
  • Upgrade path to Windows Server 2022: NA
  • Upgrade path to Windows Server 2025: Direct upgrade to Windows Server 2025

Note: Server 2025 information is not official at time of writing; the information was provided by Microsoft Copilot.

Solution : In Place Upgrade

In Place Upgrade Planning and Pre Upgrade Steps

As well as making sure you have the compute and storage requirements (of the OS that you are upgrading to), make sure your hardware and/or hypervisor supports the target OS. Then you have the following things to consider.

  • Roles And Features.
  • Microsoft Applications.
  • Third Party Applications.

Roles and Features: these are add-on components of the OS that you can enable (add) or disable (remove). Some common ones, like DNS Server or DHCP Server, we just accept and don’t even worry about, but what about roles like Certificate Services, or a feature like NDES? What if the server is a domain controller? I’ll attempt to answer SOME of those questions below, but this is another reason why you should check, research, and test before upgrading.

Show all Roles and Features With PowerShell

[box]

Get-WindowsFeature

[/box]

Microsoft Applications: here I’m talking about things like Microsoft Exchange, Microsoft SQL, Microsoft Teams etc. Each one of those has its own dependencies, OS requirements and upgrade paths that you may need to take into consideration. My personal preference is to migrate these applications onto new, clean servers rather than in-place upgrade. I’ve done two in place upgrades of Exchange on the test bench and both of those were 100% successful; I’d be less happy doing them in production, and I’ve got a lot of articles showing you how to upgrade and migrate Exchange, so I suggest you look there first!

Third Party Applications: this will vary from use case to use case, but consider your AV and security products: do they support the new OS? Does your backup and replication software support the new OS? That’s before you look at your line of business or back office applications, like print management software, or the software that controls your building access, for example.

Show all Installed Software With PowerShell

[box]

Get-WmiObject -Class Win32_Product

[/box]
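The two one-liners above are the quick look. For a server you are about to upgrade you want the inventory written down and kept somewhere safe, and you want to avoid Win32_Product on a production box (it only sees MSI-installed products, and querying it makes Windows Installer re-validate every one of them). The following script is an added example, not code from the original article: it records installed roles and features, reads the installed software list from the Uninstall registry keys instead, and flags the product families the article says need their own support check. The watch list at the end is a made-up starting point, not a complete list.

```powershell
# Added example (not from the original article): inventory installed roles, features and
# software before an in-place upgrade, writing everything to a folder you can copy off the box.
# Assumptions: elevated PowerShell on the server being upgraded; the ServerManager module
# (Get-WindowsFeature) is present, as it is on any Windows Server installation.

$outDir = Join-Path $env:SystemDrive "PreUpgradeInventory-$(Get-Date -Format 'yyyyMMdd-HHmm')"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Roles and features that are actually installed (plain Get-WindowsFeature lists every one, installed or not).
Import-Module ServerManager
Get-WindowsFeature | Where-Object { $_.Installed } |
    Select-Object Name, DisplayName, FeatureType |
    Sort-Object FeatureType, Name |
    Export-Csv -Path (Join-Path $outDir 'RolesAndFeatures.csv') -NoTypeInformation

# 2. Installed software from the Uninstall keys (64-bit and 32-bit views). Unlike Win32_Product
#    this is read-only, fast, and also lists non-MSI installers.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique
$software | Export-Csv -Path (Join-Path $outDir 'InstalledSoftware.csv') -NoTypeInformation

# 3. Flag the product families the article calls out (Microsoft applications, AV/security, backup).
#    This watch list is a constructed starting point; extend it for your own estate.
$watchList = 'Exchange', 'SQL Server', 'Teams', 'Backup', 'Replication', 'Endpoint', 'Antivirus', 'Security'
$pattern = ($watchList | ForEach-Object { [regex]::Escape($_) }) -join '|'
$needsChecking = $software | Where-Object { $_.DisplayName -match $pattern }
$needsChecking | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize
$needsChecking | Export-Csv -Path (Join-Path $outDir 'CheckVendorSupport.csv') -NoTypeInformation

Write-Host "Inventory written to $outDir"
```

Take the CheckVendorSupport.csv to the vendors before you book the maintenance window; anything on that list without a written support statement for the target OS is a reason to migrate rather than upgrade.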

In Place Upgrade ‘Pre-flight checks’

Most servers these days are virtualised, and time spent on reconnaissance is seldom wasted. If you are considering in place upgrading anything, I would urge you to clone those machines, sandbox them, and perform the in place upgrade in isolation. This will give you a chance to do some functional (post upgrade) testing of both the server OS, its installed roles and any third party applications.

As with all things infrastructure, you’re only as good as your last backup, before doing anything MAKE SURE you have a reliable (tested!) backup. Not just for the server you intend to upgrade but for any server that has a service or software dependency on the server you intend to upgrade.

Ensure the upgrade server is FULLY UPDATED before proceeding.

If the server is virtual, we also have the advantage of being able to take a snapshot prior to upgrade (you can even clone a copy and keep it on standby).

In Place Upgrade Process

Well, it’s 95% preparation and 5% execution; the actual upgrade process is alarmingly simple. Present the installation media ISO to the source server (or copy the files to the server) and run setup.exe.

At the welcome screen > Next > At this point the system may take some time getting updates > Enter the Windows activation code for the new server OS > Next > Select the version you want to install (remember, if you want a server with a GUI interface, select the Desktop Experience option) > Next.

At the EULA screen > Accept > Select “Keep files settings and apps” > Next > Install.

At this point the upgrade will take place, the server may reboot, but the upgrade process will continue.

When complete, you will be looking at a login screen, simply authenticate with the same credentials as before.

In Place Upgrade of Domain Controllers

Yes it’s possible, yes I’ve done it multiple times, if all the server is doing is performing Active Directory domain services and other common roles like DNS and DHCP, then I would not bother in place upgrading a domain controller, I’d simply build a fresh one, then decommission the old one (possibly needing to migrate FSMO roles)

But I’ve said it’s possible, just beware you may come across this error during the upgrade.

Active Directory on this domain controller does not contain Windows Server {version} ADPREP / FORESTPREP updates

This one is pretty much self-explanatory, and makes complete sense if you’ve spent any time deploying domain controllers! Well of course it doesn’t! Think about it: if this is the first domain controller with the new OS in the domain, the schema has not been updated for that version of domain controller, which would happen if you were installing a DC from scratch. Here there’s only one server in the domain, and I’m on it. DON’T CLOSE THE UPGRADE WINDOW.

Open an administrative command window and change to the D:\Support\Adprep directory, run adprep.exe /forestprep and when prompted press C {Enter} to continue.

I prefer to also perform an adprep.exe /domainprep, but you can progress in the upgrade without doing this. Below I’m performing the command within PowerShell, so I’m using ./adprep.exe /domainprep.

In Place Upgrade of Servers Running Certificate Services

Can you do this? Yes, even if you have a multi-tier PKI deployment (see here). I’ve personally done this twice (Server 2016 > Server 2022 and Server 2019 > Server 2022) and both were 100% successful. You can of course perform a traditional migration of Certificate Services to another server.

In Place Upgrade of Servers Running DHCP

I would not even worry about this; if you wanted to migrate a DHCP scope to another server it’s easy as peas. But in place upgrade of a DHCP server is not a concern, even if they are performing DHCP HA.

In Place Upgrade of Servers Running NPS (Network Policy Server)

I’ve done this successfully, if you wanted to migrate this role manually then simply see the following article Migrate NPS Server.

In Place Upgrade of Servers Running RDS (Remote Desktop  Services)

Whilst supported, be aware that if you upgrade your RDS licensing server, ensure you have CALs/Licenses (or SALs if you’re SPLA licensed) that support the new version of Windows, e.g. 2016 RDS CALs will work with Server 2019 but will not with Server 2022. If you have problems ‘post upgrade’, delete the following folder “\windows\system32\lserver” then relicense correctly with new CALs/SALs.

Invitation

If you’re reading this and considering an in place upgrade there may be a role or feature, or piece of software your server is running that I’ve not covered. If so please bookmark this article, and return later, then post below what OS you upgraded from and to, and what Role/Feature/Software you were running. Was it a seamless procedure, or did you encounter a problem, error message, or complete failure? Please post your follow ups below to help the next person.

Related Articles, References, Credits, or External Links

In Place Upgrade Windows 2016 to Windows 2019

Upgrade Server 2012 (In Place)

Windows – Setting Domain Time

Domain Time KB ID 0000112

Problem

If you have arrived here, you have either noticed that the time is wrong on your server(s) or client PC(s), or you have looked in the event viewer and seen one of the following events being logged: Event IDs 12, 22, 29, 36, 38, 47, and 50.

Time Problem Events – On the PDC Emulator

Event ID 12 (W32 Time Time Provider NtpClient: This machine is configured to use {text omitted}, but it is the PDC emulator…).

Event ID 29 (The time provider NtpClient is configured to acquire time from one or more time sources…).

Event ID 36 (The time service has not synchronized the system time for 86400 seconds…).

Event ID 38 (The time provider NtpClient cannot reach or is currently receiving invalid time data from…).

Event ID 47 (Time Provider NtpClient: No valid response has been received from manually configured peer…).

Domain Time Problem Events – On Domain Members

Event ID 50 (The time service detected a time difference of greater than 5000 milliseconds for 900 seconds…).

Event ID 22 (The time provider NtpServer encountered an error while digitally signing the NTP response for peer…).

Solution : Domain Time Problems

Setting domain time is a TWO-STEP process, set the time correctly on the PDC emulator, then let the clients take their time from the PDC emulator.

Locate the PDC Emulator

1. On a domain controller, Windows Key+R > netdom query fsmo {Enter}.

2. Take note of the PDC name and go to that server.

NTP Firewall config (Domain Time)

1. Ensure UDP Port 123 is open outbound from the PDC Emulator. How this is done will vary depending on your firewall vendor. If you have a Cisco ASA or a Cisco PIX see my article here.

To Test Use NTPTool

Below either the port is blocked (or the hostname/IP of the external NTP server is incorrect);

This is how it should look, every-time you press query you should get a response, now you know the correct port is open;

Configure the PDC Emulator to collect Reliable Domain Time

There are two ways to do this: 1. Use Group Policy, and 2. Use the command line.

Setting PDC Emulator Time With Group Policy

Of course our PDC Emulator is also a domain controller, so we need to link a GPO to the Domain Controllers OU. But we don’t want all DCs getting their time from an external source, so we will create a WMI filter to ensure the policy will only apply to the PDC emulator server.

Administrative tools > Group Policy Management > WMI Filter > New > PDC-Emulator-Only > Add > Select * from Win32_ComputerSystem where DomainRole = 5 > OK.

Don’t panic if you see this error > OK > Save.

Create a new GPO linked to the Domain Controllers OU.

Change the policy so it uses your WMI filter;

Edit The Policy, and navigate to;

[box]Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers[/box]

Configure Windows NTP Client

Enable the policy > set the NtpServer setting to server-name(comma)stratum-type(space). If you get this wrong you won’t sync, and you will see this error.

Enable Windows NTP Client

Enable the Policy (The server still needs to get its time from the external source!)

Enable Windows NTP Server

Enable the policy (The server also needs to provide time to the domain clients).

Save and exit the policy editor, then on the PDC emulator force a policy update  and resync the time. Finally run rsop to make sure the settings have applied.

Setting PDC Emulator Time From Command Line

1. On the PDC emulator Windows Key+R > cmd {Enter}.

2. At command line execute the following four commands;

[box]

w32tm /config /manualpeerlist:ntp2d.mcc.ac.uk /syncfromflags:manual /reliable:yes /update

net stop "windows time"

net start "windows time"

w32tm /resync 

[/box]

Note: If you are NOT in the UK or simply want to use a different NTP time server go here for alternatives.

3. Look in the server’s Event log > System Log for Event ID 37.

---------------------------------------------------------------
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 37
Date: xx/xx/xxxx
Time: xx:xx:xx
User: N/A
Computer: {servername}
Description:
The time provider NtpClient is currently receiving valid time 
data from ntp2d.mcc.ac.uk (ntp.m|0x0|10.0.0.1:123->130.88.203.64:123).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------------------------------------------------------

4. You will also see Event ID 35.

---------------------------------------------------------------
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 35
Date: xx/xx/xxxx
Time: xx:xx:xx
User: N/A
Computer: {servername}
Description:
The time service is now synchronizing the system time with the time source 
ntp2d.mcc.ac.uk (ntp.m|0x0|10.0.0.1:123->130.88.203.64:123).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------------------------------------------------------

Step 2 Check the domain clients

This is all you should need to do, because, (by default) all Domain clients get their time from the PDC when they log on, but to check;

1. Windows Key+R > cmd {enter}.

2. Execute the following command;

[box] w32tm /monitor [/box]

3. You will see the time this client can see, on all the domain controllers.

[box]

C:\Documents and Settings\Administrator.yourdomain>w32tm /monitor
server-dc.yourdomain.co.uk [192.168.1.1]:
ICMP: 0ms delay.
NTP: +363.2032725s offset from server-pdc.yourdomain.co.uk
RefID: server-pdc.yourdomain.co.uk [192.168.69.6]
site2-dc.yourdomain.co.uk [192.168.2.1]:
ICMP: 70ms delay.
NTP: +0.0470237s offset from server-pdc.yourdomain.co.uk
RefID: dc.yourdomain.co.uk [192.168.69.4]
serverdc2.yourdomain.co.uk [192.168.1.4]:
ICMP: 0ms delay.
NTP: +0.0000553s offset from server-pdc.yourdomain.co.uk
RefID: server-pdc.yourdomain.co.uk [192.168.1.6]
server-pdc.yourdomain.co.uk *** PDC *** [192.168.1.6]:
ICMP: 0ms delay.
NTP: +0.0000000s offset from server-pdc.yourdomain.co.uk
RefID: scarp.mc.man.ac.uk [130.88.203.64]

[/box]

(In the case above the time on server-dc is way out; address that first. It was an old Windows 2000 server, and running “net time server-pdc” {Enter} fixed it.)

4. Once all the domain controllers have a time that’s accurate (like the last three in the example above), then proceed.

5. Execute the following commands on a client machine;

[box]

net stop "windows time"

net start "windows time"

w32tm /resync 

[/box]

6. The machines event log should show the following successful events;

Event ID 37 (The time provider NtpClient is currently receiving valid time data from..).

Event ID 35 (The time service is now synchronizing the system time with the time source…).

Setting Domain Clients Time via GPO

As already outlined you should not need to do this, (as it’s the default setting,) but if there’s a problem you can force domain clients to look at your PDC emulator for reliable time.

Create a GPO, and link it to the OU containing the computers you want to sync.

Edit the policy and navigate to;

[box]Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers[/box]

Configure Windows NTP Client

Enable the policy > Set the NtpServer to {Your-PDC-Name},0x9  > Set the Type to NT5DS.

Enable Windows NTP Client

Enable this policy.

Testing Client NTP Settings

Either run;

[box]w32tm /query /status[/box]

Or run RSOP.
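Both halves of the procedure (the PDC emulator pulling from an external peer, and the domain members following the domain hierarchy) can be checked with one script run on whichever machine you are sitting on. The following is an added example, not code from the original article. It uses the same DomainRole = 5 test as the WMI filter above to work out whether it is on the PDC emulator, compares the W32Time registry values with what the w32tm commands in this article set (Type NTP plus a manual peer and AnnounceFlags 5 on the PDC, Type NT5DS everywhere else), asks the running service where it is really getting time from, and then looks in the System log for the event IDs listed at the top of the article. Run it in an elevated PowerShell session on a domain-joined machine; no other assumptions.

```powershell
# Added example (not from the original article): verify Windows Time on the PDC emulator or a
# domain member. Assumes an elevated PowerShell session on a domain-joined Windows machine.
# Expected values follow this article: w32tm /config ... /reliable:yes on the PDC (Type=NTP,
# AnnounceFlags=5) and the default NT5DS domain hierarchy on every other member.

$params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$config = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

# Same test the article's WMI filter uses: DomainRole 5 = PDC emulator.
$domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isPdc = ($domainRole -eq 5)
Write-Host ("DomainRole={0} (5 = PDC emulator)  Type={1}  NtpServer='{2}'  AnnounceFlags={3}" -f
    $domainRole, $params.Type, $params.NtpServer, $config.AnnounceFlags)

$problems = @()
if ($isPdc) {
    # The PDC emulator must take time from an external peer and announce itself as reliable.
    if ($params.Type -ne 'NTP') { $problems += "PDC emulator Type is '$($params.Type)'; expected NTP (manual peer list)" }
    if ([string]::IsNullOrWhiteSpace($params.NtpServer)) { $problems += 'PDC emulator has no NtpServer (manual peer) configured' }
    if ($config.AnnounceFlags -ne 5) { $problems += "AnnounceFlags is $($config.AnnounceFlags); /reliable:yes sets 5" }
} else {
    # Everything else follows the domain hierarchy, which ends at the PDC emulator.
    if ($params.Type -ne 'NT5DS') { $problems += "Domain member Type is '$($params.Type)'; expected NT5DS" }
}

# Ask the running service where it is actually getting time from, and how far out it is.
$source = (& w32tm /query /source) -join ' '
Write-Host "Current time source: $source"
if ($source -match 'Local CMOS Clock|Free-running') { $problems += "Clock is not synchronised: source is '$source'" }
& w32tm /query /status | Where-Object { $_ -match '^(Stratum|Last Successful Sync Time|Source|Phase Offset)' }

# Event IDs from the article: 35 and 37 mean success; 12, 29, 36, 38, 47 and 50 mean trouble.
# Newer Windows logs these under Microsoft-Windows-Time-Service, older versions under W32Time.
$filter = @{ LogName = 'System'; ProviderName = @('Microsoft-Windows-Time-Service', 'W32Time'); StartTime = (Get-Date).AddHours(-24) }
$events  = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
$goodIds = 35, 37
$badIds  = 12, 29, 36, 38, 47, 50
$bad = $events | Where-Object { $badIds -contains $_.Id } | Sort-Object TimeCreated -Descending
if ($bad) {
    $problems += 'Time-service errors logged in the last 24h (most recent first):'
    foreach ($e in ($bad | Select-Object -First 5)) {
        $problems += ('  {0:u}  Event {1}: {2}' -f $e.TimeCreated, $e.Id, ($e.Message -split "`r?`n")[0])
    }
}
$lastGood = $events | Where-Object { $goodIds -contains $_.Id } | Sort-Object TimeCreated -Descending | Select-Object -First 1
if ($lastGood) { Write-Host ('Last successful sync event: {0:u}  Event {1}' -f $lastGood.TimeCreated, $lastGood.Id) }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { Write-Host 'Time configuration looks correct.' }
```

If the PDC emulator reports Type NT5DS it is trying to take time from itself via the domain hierarchy, which is exactly the Event ID 12 situation at the top of the article; if a member reports Type NTP with a stale NtpServer it has been hand-configured at some point and is bypassing the PDC, which is where the Event ID 50 offsets come from.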

 

Related Articles, References, Credits, or External Links

PDC Emulator: Cannot Sync Time From External NTP Server

Cisco ASA – Configuring for NTP

Upgrade Server 2012 (In Place)

Upgrade Server 2012 KB ID 0001802

Server 2012 End Of Life

Note: Also See In Place Upgrade of Windows Server

Windows Server 2012 (and Windows Server 2012 R2) will go end of life on October 10th 2023. Start planning to migrate your production workloads off this platform as soon as you can.

I’ve mentioned before on the site, I’m not a fan of ‘in place’ upgrades, you get to migrate all the ‘broken bits’ (that you didn’t realise were broken), and if the process goes wrong, best case scenario is you are going to be restoring from backup.

What can I upgrade to? Well essentially, your target is to upgrade to Server 2019 (not Server 2022, that’s not supported).

Upgrade Server 2012 Pre Requisites

Licenses: just because you’re legally running Server 2012 does not mean you can upgrade to Server 2019, unless you have software assurance. If you’re wondering if you have software assurance, you probably do not (typically you buy it on a three year deal with the option to extend it to five years, and it’s VERY expensive). So if you don’t know, you probably DON’T have software assurance, and you will need to purchase a new agreement, or buy new retail copies of Server 2019.

You will require a Windows Key for the new server (or KMS services setting up that will allocate a Server 2019 key to the newly upgraded server.)

CALs/SALs: (chances are you WON’T have SALs, but if you do then speak to your MSP). You will need the correct amount of user/device CALs for Server 2019 before you start your upgrade.

Backup Support: Does your backup solution support server 2019? 

Application Support: Does your AV Software, Endpoint protection solution, or Managed Detection and Response system support Server 2019? Make sure you check this list for Microsoft application support, and ensure any third party applications are supported with the vendor.*

*I cannot stress this enough: I work for a major MSP, and most clients are astounded when we won’t simply upgrade their old server(s) from 2012, because we simply cannot guarantee that THEIR applications will work successfully on a newer version of Windows Server.

Hardware Support: Most servers are virtual these days, so this is less of an issue, but the machine/VM being upgraded needs to meet the minimum hardware requirements for server 2019.

Updates: MAKE SURE your existing 2012 server is up to date, (and the applications are patched as much as possible!)

Maintenance Window: During the upgrade the server will be offline to users, this will be for as long as a normal OS install, but you will need to plan in additional time for testing applications (post OS upgrade), then programming in any maintenance timings, and arranging and planning any CAB.

Snapshot: If you’re running in a virtual environment, then carry out a snapshot, (or Checkpoint if you are running Hyper-V).

Backup: before even entertaining the idea of updating the server, make sure you have a good backup. I would make sure I could restore from backup successfully before even attempting an in place upgrade on a production server running 2012/2012 R2. In fact, if you’re risk averse, upgrade the restored server itself!

WARNING: Make sure the media you use to upgrade is up to date. While Windows server has a mainstream support date of 9th January 2024, some earlier versions may not be supported. ENSURE you are using build number 1809 Long-Term Servicing Channel (LTSC) or newer.

If you are in doubt about any role or application that may not work (post in place upgrade), then clone your machine, and test the upgrade on an isolated network to test the procedure beforehand.

Upgrade Server 2012 (Domain Controllers)

Other posts say this is not possible, but that is not true, (with some caveats). But it’s so much easier to build a new member server with server 2019/2022 and then extend the forest and domain, promote the new server to be a DC, and demote the old server(s). 

If you attempt to in place upgrade a 2012 server Windows MAY stop an in place upgrade with the following error;

Active Directory on this server does not contain Windows Server ADPREP / FORESTPREP updates.

Which makes sense (if you’ve ever done any domain upgrades or migrations). Before a 2019 DC can be introduced into a domain the forest and domain need to be prepared (the schema extended). You can either (on this or another DC) run adprep.exe /forestprep and adprep.exe /domainprep from the 2019 install media (look in the support/adprep folder).

Note: Make sure you’re logged in as a member of the schema admins group!

Obviously if you’ve already run forest prep and adprep and already have 2019 domain controllers this error will not appear and the server will simply update.

Upgrade Server 2012 (Exchange Server)

NO! Just don’t do this. Exchange on-premises is designed to be ‘swing migrated’ to a newer version. If you need to do this then PeteNetLive is littered with upgrade run-throughs, even if you are on older versions of Exchange.

Migrate Exchange 2010 to Exchange 2016 (& 2013)

Exchange 2019 Migration from Exchange 2016 (&2013)

Upgrade Server 2012 (SQL Server)

We are in murky waters here! Server 2019 (at time of writing) does not support anything OLDER than SQL 2014. So you may need to upgrade your SQL instances before you consider upgrading the OS. Every single time I’ve ever replaced a SQL server (and I’ve been doing this for over 20 years now) I’ve built a new one, migrated the databases and then the application vendor has installed ‘whatever‘ application or website that required the database.

Also Server 2019/2022 have particular SQL CU level requirements!

If some SQL Jedi walks in here I’d welcome any comments below. But for me it’s a No!

Upgrade Server 2012 / 2012 R2 to Server 2019 (In Place)

By this point you’re adamant you DON’T want to build a new server and migrate your apps and data, and you’ve understood all the pre-requisites and warnings above.

Before starting, Microsoft recommend that you gather some information, run the following commands and take the information dumped into text files and put them safely elsewhere.

[box]

Systeminfo.exe >> SystemInfo.txt
ipconfig /all >> IPConfig.txt

[/box]

Then take a copy of the contents of the following two registry values;

[box]

HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx

HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EditionID

[/box]

Note: I lost the will to live trying to work out how to dump those two values into a text file with PowerShell 5.1 (there’s a challenge for you!)
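Here is the challenge taken up, as an added example that is not part of the original article. The catch with those two values is that Get-ItemProperty returns a single object with one property per value name, so piping it straight to Out-File gives you a wide table (or nothing useful at all); pulling the properties out into strings first is all that is needed. The script collects systeminfo, ipconfig /all and the two registry values into one folder and hashes the files so you can later prove the copy you kept is the one you took. It assumes an elevated Windows PowerShell 5.1 session on the 2012 / 2012 R2 server being upgraded; ProductName and CurrentBuild are two extra values from the same key that are worth keeping alongside the two Microsoft asks for.

```powershell
# Added example (not from the original article): capture the pre-upgrade information
# (systeminfo, ipconfig /all, BuildLabEx and EditionID) into one folder. Windows PowerShell 5.1.
# Assumption: elevated PowerShell on the 2012 / 2012 R2 server that is about to be upgraded.

$outDir = Join-Path $env:SystemDrive "PreUpgradeInfo-$(Get-Date -Format 'yyyyMMdd-HHmm')"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# The two commands from the article, sent through Out-File so the file encoding is predictable.
systeminfo.exe | Out-File -FilePath (Join-Path $outDir 'SystemInfo.txt') -Encoding UTF8
ipconfig /all  | Out-File -FilePath (Join-Path $outDir 'IPConfig.txt')  -Encoding UTF8

# The registry values. Get-ItemProperty hands back one object whose properties are the value
# names, so read each property into a line of text rather than piping the object itself.
$cvKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$cv    = Get-ItemProperty -Path $cvKey -Name BuildLabEx, EditionID, ProductName, CurrentBuild
$lines = @(
    "ProductName  = $($cv.ProductName)",
    "CurrentBuild = $($cv.CurrentBuild)",
    "BuildLabEx   = $($cv.BuildLabEx)",
    "EditionID    = $($cv.EditionID)"
)
$lines | Out-File -FilePath (Join-Path $outDir 'WindowsVersion.txt') -Encoding UTF8
$lines | ForEach-Object { Write-Host $_ }

# Hash the captured files (enumerate first so the hash file itself is not in the list).
$files = Get-ChildItem -Path $outDir -File
$files | Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Export-Csv -Path (Join-Path $outDir 'Hashes.csv') -NoTypeInformation

Write-Host "Pre-upgrade information written to $outDir"
```

Copy the whole folder off the server before you start; if the upgrade fails part way through, EditionID is the value support will ask for first, and the hashes let you show the record was not altered afterwards.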

Present the Server 2019 Install to your 2012 server, locate and run setup.exe.

It will ask to check for updates; let it do so > Next.

If you are installing a ‘retail’ version of Windows Server, at this point it will ask for the licence key >

Call me an  old traditionalist, I require a graphical user interface > Next.

I believe that someone at Microsoft should be made to read one of these out loud for EVERY copy of Windows it sells, seriously they could put anything in here. Now that your firstborn’s soul belongs to Microsoft > Accept.

The whole point is to retain our data! > Next.

It will now run through its pre-flight checks, pull down any updates and make sure it’s happy. When finished it will warn you of any potential problems. Here it’s complaining about my monitor driver (probably because it’s using the Windows Update downloaded one, and not the VMware Tools one, to be fair). I know this won’t cause me any problems, so I can click Confirm >

Last chance to bail out! Install.

One hour and twenty five minutes later,

In Place Upgrade of Server 2012 Running Certificate Services

Can you do this? Yes, even if you have a multi-tier PKI deployment, see here

Related Articles, References, Credits, or External Links

In Place Upgrade Windows 2016 to Windows 2019

Migrate From Server 2012 to Server 2022 Domain Controllers

Server 2012 DC to Server 2022 DC KB ID 0001790

Problem

I get asked about this quite a lot. In the past most of the queries were about moving from Server 2008 to Server 2022, if that’s what you are after then simply go here. This article is purely for the introduction of, and migration to Windows Server 2022 Domain Controllers. And it assumes your current domain controllers are Windows server 2012 (or 2012 R2).

Adding a Server 2022 Domain Controller

Once you have a Windows Server 2022 box stood up and fully updated, ensure it is added to the domain as a member server. Then from Server Manager > Manage > Add roles and features.

Next > Next > Next > Next > Select “Active Directory Domain Services” > When prompted select ‘yes’ to add the required services.

Next > Next > Next > Install > Close.

Click the ‘Warning Triangle‘ > Promote this server to a domain controller.

Next.

Enter the DSRM Password > Next.

That’s fine (if you’re worried see the link below) > Next.

Windows – A Delegation For This DNS Server Cannot Be Created

Next.

I’m accepting the default AD install locations > Next.

Next (forestprep and domainprep is all done for you now).

Next.

Install.

When complete the server will reboot.

View Server 2022 Domain Controller

You should now see the new domain controller listed in Active Directory.

At this point I’m moving all the FSMO roles to the new Windows 2022 server.

Windows Server – Locating, Transferring, and Seizing FSMO Roles

Demoting the 2012 Domain Controller(s)

WARNING: Before proceeding, make sure anything on your network that may be using this server for DNS has been pointed to your new domain controllers. Don’t forget to change the DNS servers that are being distributed via DHCP, (update your DHCP scopes). And change your new domain controllers to look at themselves for DNS not the domain controller(s) you are about to demote!

Over on your 2012 domain controller > Server manager > Manage > Remove roles and features.

Next > Untick ‘Active Directory Domain Services’ > Demote this domain controller > Next.

Tick  ‘Proceed with removal‘ > Next.

Untick ‘Remove DNS delegation’ > Next.

Set a new local administrator password for this server to use after it has been demoted (as it will be a member server at that point). You can of course still log into it as the domain admin. > Next > Demote.

When complete, the server will reboot.

You can now (if you wish) raise your domain functional level. Note: check you meet all the prerequisites for doing so; personally I rarely update them until I have a specific need to do so.

Once you are confident all your domain controllers in the domain have replicated, you can then update the forest functional level if you wish to do so.

Related Articles, References, Credits, or External Links

NA

In Place Upgrade Windows 2016 to Windows 2019

KB ID 0001761

Problem

Note: Also See In Place Upgrade of Windows Server

For the last twenty years or so I’ve said “In place upgrades are a bad idea“, my rationale has been that if something is broken we are simply migrating that problem, and we are relying on a lot of factors, (some of which may be unknown.) That we will just have to ‘trust that it will work‘. Most modern servers are virtual so we can snapshot them, or clone them and test the upgrade procedure but still it’s something I steer people away from.

A couple of weeks ago I had a client get in touch, he had a few Windows 2016 servers running in one of our data centres, he was experiencing the INCREDIBLY ANNOYING WINDOWS 2016 TAKES FOREVER TO INSTALL UPDATES PROBLEM. I suffer from this with my own test bench servers, so I sympathise. For me it’s not a problem, but when production servers are taking 12 hours plus to reboot, that’s a business continuity problem.

He wanted to do an ‘In place upgrade’ of the servers himself, but (quite correctly) our service department had red flagged that, as we manage the servers for them, and there’s a large chance that things might break horribly, and we should not be held accountable if that happens. With a few caveats (like checking backups before proceeding, cloning the servers first, updating the clones, and retaining the old servers until we knew the process had succeeded etc.), coupled with the fact that in the event of a catastrophic loss of service the client knew their application better than we did, I agreed that this would be fine.

But it got me thinking, how difficult is it to do an ‘In place upgrade’ these days? I mean Server 2019 is just Server 2016 in a pretty dress right?

In Place Upgrade

WARNING: I can afford to be a little cavalier with my test servers. If you need to do this in production check your hardware, Hypervisor support, and ALL the installed applications support the version of Windows you are upgrading to. Then backup and snapshot first!

To test the theory, I created a ‘Perfect Storm’ of things that might break, I’ve got an Exchange 2016 server that’s also a Domain Controller (test machine!) So I cloned that.

Present the ISO, (or pop the DVD in) and follow the instructions, when prompted type in the new Windows unlock code.

Domain Controller In Place Upgrade Warning

Problem: this one is pretty much self explanatory, and makes complete sense if you’ve spent any time deploying domain controllers!

Active Directory on this domain controller does not contain Windows Server 2019 ADPREP / FORESTPREP updates

Well of course it doesn’t! Think about it: if this is the first 2019 domain controller in the domain, the schema has not been updated for 2019 domain controllers, which would happen if you were installing a DC from scratch. Here there’s only one server in the domain, and I’m on it. DON’T CLOSE THE UPGRADE WINDOW.

Open an administrative command window and change to the D:\Support\Adprep directory, run adprep.exe /forestprep and when prompted press C {Enter} to continue.

Then run adprep.exe /domainprep you can then close the command window.
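The ADPREP / FORESTPREP error comes up three times on this page (the domain controller sections of the Windows Server, Server 2012 and Server 2016 articles), and in every case the question is the same: has the schema been extended yet, and am I allowed to extend it? The following is an added example, not code from any of the articles, that answers both from the DC being upgraded using only ADSI (so it works without the RSAT AD PowerShell module). Run it before adprep to see what you are starting from and again afterwards to confirm objectVersion moved. The schema version table covers the releases I am sure of; it does not include Server 2025, so a higher number simply reports as newer than the table.

```powershell
# Added example (not from the original articles): read the forest schema version and the domain
# prep revision with ADSI, and check the current user is in Schema Admins before running adprep.
# Assumptions: run in an elevated PowerShell session on a domain controller, logged on with the
# account you intend to run adprep /forestprep with.

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNC = $rootDse.schemaNamingContext.Value
$domainNC = $rootDse.defaultNamingContext.Value

# objectVersion on the schema container is what adprep /forestprep raises.
$schema        = [ADSI]"LDAP://$schemaNC"
$schemaVersion = [int]$schema.objectVersion.Value

# Schema versions for the releases this page covers (2019 and 2022 share a version).
$knownVersions = @{
    56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
    87 = 'Windows Server 2016'
    88 = 'Windows Server 2019 / 2022'
}
$name = if ($knownVersions.ContainsKey($schemaVersion)) { $knownVersions[$schemaVersion] } else { 'newer than this table' }
Write-Host "Forest schema objectVersion = $schemaVersion ($name)"

# adprep /domainprep records its revision on CN=ActiveDirectoryUpdate under the domain's System container.
try {
    $domainUpdate = [ADSI]"LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNC"
    Write-Host "Domain prep revision = $($domainUpdate.revision.Value)"
} catch {
    Write-Warning 'CN=ActiveDirectoryUpdate not found; adprep /domainprep has never run in this domain'
}

# forestprep needs Schema Admins (the Server 2012 article says so); check before you start.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
$groupNames = foreach ($sid in $me.Groups) {
    try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { $null }
}
if ($groupNames -like '*\Schema Admins') {
    Write-Host "Running as $($me.Name), a member of Schema Admins"
} else {
    Write-Warning "$($me.Name) is not a member of Schema Admins; adprep /forestprep will fail"
}
```

Group membership is evaluated from the logon token, so if you were added to Schema Admins after logging on, the check (and adprep) will both say no until you log off and back on.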

Swap back to the upgrade window, and continue the upgrade process. The server will reboot and upgrade, go get a coffee. When you return you will be looking at Windows Server 2019.

What are the chances Exchange survived? Well, surprisingly;

If you give this a test and come across any problems, error messages, or anomalies, please post them below.

In Place Upgrade of Server Running Certificate Services

Can you do this? Yes, even if you have a multi-tier PKI deployment, see here.

Related Articles, References, Credits, or External Links

NA

Migrate From Server 2012 to Server 2019 Domain Controllers

Server 2012 DC to Server 2019 DC KB ID 0001731

Problem

I get asked about this quite a lot. In the past most of the queries were about moving from Server 2008 to Server 2019; if that’s what you are after, then simply go here. This article is purely for the introduction of, and migration to, Windows Server 2019 Domain Controllers, and it assumes your current domain controllers are Windows Server 2012 (or 2012 R2).

Adding a Server 2019 Domain Controller

Once you have a Windows Server 2019 box stood up and fully updated, ensure it is added to the domain as a member server. Then from Server Manager > Manage > Add roles and features.

Next > Next > Next > Next > Select “Active Directory Domain Services” > When prompted select ‘yes‘ to add the required services.

Next > Next > Next > Install > Close.

Click the ‘Warning Triangle‘ > Promote this server to a domain controller.

Next.

Enter the DSRM Password > Next.

That’s fine (if you’re worried see the link below) > Next.

Windows – A Delegation For This DNS Server Cannot Be Created

Next.

I’m accepting the default AD install locations > Next.

Next (forestprep and domainprep are all done for you now).

Next.

Install.

When complete the server will reboot.

View Server 2019 Domain Controller

You should now see the new domain controller listed in Active Directory.

At this point I’m moving all the FSMO roles to the new Windows 2019 server.

Windows Server – Locating, Transferring, and Seizing FSMO Roles

Demoting the 2012 Domain Controller(s)

WARNING: Before proceeding, make sure anything on your network that may be using this server for DNS has been pointed to your new domain controllers. Don’t forget to change the DNS servers that are being distributed via DHCP (update your DHCP scopes), and change your new domain controllers to look at themselves for DNS, not the domain controller(s) you are about to demote!

Over on your 2012 domain controller > Server manager > Manage > Remove roles and features.

Next > Untick ‘Active Directory Domain Services’ > Demote this domain controller > Next.

Tick ‘Proceed with removal‘ > Next.

Untick ‘Remove DNS delegation’ > Next.

Set a new local administrator password for this server to use after it has been demoted (as it will be a member server at that point); you can of course still log into it as the domain admin > Next > Demote.

When complete, the server will reboot.

You can now (if you wish) raise your domain functional level. Note: check that you meet all the prerequisites for doing so; personally, I rarely update them until I have a specific need to.

Once you are confident all your domain controllers in the domain have replicated, you can then update the forest functional level if you wish to do so.
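The whole migration above done from PowerShell instead of Server Manager, as an added example that is not from the original article. Domain name, host names, DHCP scope and IP addresses are placeholders; sections 1 to 3 run on the new 2019 server (section 3’s DHCP line on whichever server holds DHCP), and section 4 runs on the outgoing 2012 DC only after replication checks out.

```powershell
# Added example, not from the original article: the migration above done in
# PowerShell. Domain, host names and DHCP scope values are placeholders.
# Sections 1-3 run on the new Server 2019 member server; section 4 runs on
# the outgoing 2012 DC, only after section 3 shows healthy replication.
$DomainName = 'contoso.local'     # placeholder
$NewDc      = 'DC2019'            # placeholder: the new 2019 server

# 1. Add the role and promote as an additional DC (adprep runs automatically).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$promote = @{
    DomainName                    = $DomainName
    InstallDns                    = $true
    Credential                    = (Get-Credential "$DomainName\Administrator")
    SafeModeAdministratorPassword = (Read-Host 'DSRM password' -AsSecureString)
    Force                         = $true          # no confirmation; reboots when done
}
Install-ADDSDomainController @promote

# 2. After the reboot: move all five FSMO roles to the new DC.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
netdom query fsmo                                   # every role should now show $NewDc

# 3. DNS: the new DC looks at itself, DHCP hands out the new DC, replication is clean.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses '127.0.0.1'
# On the DHCP server: scope option 006, placeholder scope and new DC address.
Set-DhcpServerv4OptionValue -ScopeId '192.168.1.0' -DnsServer '192.168.1.10'
repadmin /replsummary                               # zero fails before going further
Get-ADReplicationFailure -Target $NewDc             # expect no output

# 4. On the outgoing 2012 DC (e.g. DC2012): graceful demotion. The DNS
#    delegation is left alone, matching the unticked box above.
Uninstall-ADDSDomainController -Force `
    -LocalAdministratorPassword (Read-Host 'New local admin password' -AsSecureString)
```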

Related Articles, References, Credits, or External Links

NA

Domain Controller Won’t Boot: Stop Code ‘0x00002e2’

KB ID 0001494

Problem

I had this problem after a VMware host upgrade last night; this domain controller would not boot. I tried ‘Last Known Good Configuration’, I tried ‘Safe Mode’, it would not boot. More out of desperation than procedure, I tried to boot to ‘Directory Services Restore Mode’ and it booted up (hooray!). I tried all the client’s usual passwords and could not log in; I messaged them to ask for the DSRM password, and tried all the ones they sent me. It seems I was defeated!

They had other domain controllers, and their critical systems were up, so I arranged for this server to be restored the following morning from tape.

A lot of you will (I hope) know your DSRM password, so you have fewer problems than I had, and can skip the ‘reset the DSRM password’ part.

Reset DSRM Password (From Boot Disk)

If you Google resetting the DSRM password you get a ton of posts telling you to use ntdsutil, which is great if you can log on, but I could not. I’ll let you into a secret: The DSRM password is actually the LOCAL administrator’s password on the Domain Controller, and resetting the local admin password (using a Linux boot disk, {don’t panic, it’s simple!}), well, we have been able to do this since the days of NT4! (DON’T PAY FOR A UTILITY TO DO THIS).

To download the boot disk and see how this is done follow the instructions I’ve already written in THIS POST. The only difference is, I chose to {blank} the password, rather than reset it, (you can reset it afterwards using ntdsutil if you want to).

Select option 1: Clear (blank) user password;

Boot Into DSRM Mode and Repair Active Directory

You can now boot into DSRM mode, (if you don’t see these options Press F8 as the server boots).

As soon as you enter ‘administrator’ and then click in the password box, the ‘Sign in to‘ option will change from the domain name to the domain controller’s name. This normally only happens on machines that are NOT domain controllers, but in this case it’s expected behaviour (as we will be logging in with a LOCAL password). Remember I blanked the password, so I’m leaving it empty.

First let’s take a backup of AD. Open a command window, and execute the following command;

[box]

xcopy C:\Windows\NTDS\* C:\Backup\NTDS-Backup /E /Y /V /C /I

[/box]

Then execute the following commands;

[box]

cd C:\Windows\NTDS
ren *.log *.log.old
esentutl /p C:\Windows\NTDS\ntds.dit

[/box]

When prompted, click OK.

Now run the following commands;

[box]

ntdsutil
activate instance ntds
files
compact to C:\Windows\NTDS\TEMP
quit
quit

[/box]

As it’s telling us (above), we now need to copy the compacted and repaired database over the top of the live database, and then get rid of the logs. To do that, run the following commands;

[box]

copy "C:\Windows\NTDS\TEMP\ntds.dit" "C:\Windows\NTDS\ntds.dit"
Yes
del *.log
del *.log.old
shutdown -r -f

[/box]

The server will reboot, and boot back into Windows as normal.
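One check worth doing before the esentutl /p step, as an added example that is not from the original post: esentutl /p is a hard repair that discards anything it cannot reconstruct, whereas a database that merely shows ‘Dirty Shutdown’ can often be brought back by replaying its transaction logs. The script reads the header, tries the soft recovery, and only then tells you to fall back to the repair above; it assumes the article’s default NTDS path and runs in DSRM after the xcopy backup but before the logs are renamed.

```powershell
# Added example, not from the original article: read the ntds.dit header and
# try the non-destructive soft recovery (log replay) BEFORE the esentutl /p
# step above, which discards anything it cannot reconstruct. Run from an
# elevated prompt in DSRM, after the xcopy backup and before the logs are
# renamed, because log replay needs the original edb*.log files.
$NtdsDir = 'C:\Windows\NTDS'      # the article's default path
$NtdsDit = Join-Path $NtdsDir 'ntds.dit'

function Get-NtdsState {
    # 'esentutl /mh' dumps the ESE database header; its State line reads
    # 'Clean Shutdown' or 'Dirty Shutdown'.
    $header = esentutl /mh $NtdsDit 2>&1
    foreach ($line in $header) {
        if ("$line" -match '^\s*State:\s*(.+?)\s*$') { return $Matches[1] }
    }
    return 'Unknown'
}

function Invoke-NtdsSoftRecovery {
    # ntdsutil's 'files' > 'recover' replays the transaction logs into the
    # database; it only works while the .log files are still in place.
    ntdsutil 'activate instance ntds' files recover quit quit | Out-Host
    return (Get-NtdsState)
}

$before = Get-NtdsState
"ntds.dit state: $before"
if ($before -eq 'Dirty Shutdown') {
    $after = Invoke-NtdsSoftRecovery
    "ntds.dit state after log replay: $after"
    if ($after -ne 'Clean Shutdown') {
        Write-Warning 'Log replay did not bring the database to Clean Shutdown; fall back to the esentutl /p repair and compaction steps above.'
    }
}
```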

Related Articles, References, Credits, or External Links

A big thank you to Alex at iThinkVirtual.com, for the AD repair procedure, I would not have got over the line without his excellent ‘Fixing a corrupt Domain Controller’ post.

Dcpromo Error: No Other Active Directory Controllers?

KB ID 0001453

Problem

I was trying to demote a domain controller yesterday morning, it was a 2008 R2 Domain controller, (in fact it was SBS 2011). I’d already added a nice new Server 2016 Domain Controller to the domain, and transferred all the FSMO roles, so I was surprised when I tried to gracefully demote the old DC and got this;

You did not indicate that this Active Directory domain controller is the last domain controller for the domain {domain-name}. However, no other Active Directory domain controllers for that domain can be contacted.

Do you want to proceed anyway?

If you click Yes, any Active Directory Domain Services changes that have been made on this domain controller will be lost.

Well, that’s a scary error, and pretty much made me cancel the demotion right away.

Solution

Well, I could ping the other domain controller, by name and by IP address, it was listed in ‘Sites and Services’, and I could replicate Active Directory? (Very strange). It was not until I ran dcdiag that I saw some warnings about ‘sysvol replication‘ that steered me in the right direction.

On the ‘outgoing’ Domain Controller, run regedit, then navigate to the following location;

[box]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters[/box]

Locate the SysvolReady value, (it’s probably set to 0 (Zero)).

Change it to 1 (one), then click OK (this sort of ‘kicks Windows up the backside’, and re-shares SYSVOL with the correct permissions). Then, after you have changed it, change it back to ZERO. You don’t need to restart any services, just change it, then change it back. Repeat the process on your other domain controllers. Have a coffee, then attempt to demote your Domain Controller again.
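The same SysvolReady ‘kick’ scripted, as an added example that is not from the original article, with a look at the SYSVOL and NETLOGON shares before and after so you can see whether it did anything. Run it in an elevated session on each domain controller; the registry path and value name are the ones above.

```powershell
# Added example, not from the original article: the SysvolReady toggle in
# PowerShell, checking the SYSVOL/NETLOGON shares before and after. Run
# elevated on each domain controller. Path and value are the article's.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName = 'SysvolReady'

function Get-SysvolShareState {
    # Netlogon only publishes these two shares once it believes SYSVOL is ready.
    $shares = Get-SmbShare -ErrorAction SilentlyContinue |
              Where-Object Name -in @('SYSVOL', 'NETLOGON')
    [pscustomobject]@{
        SysvolReady   = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        SharesPresent = (@($shares).Name -join ',')
    }
}

function Reset-SysvolReady {
    # 1 makes Netlogon (re)share SYSVOL with the default permissions; it is
    # then set back to 0, exactly as the GUI procedure above does, without
    # restarting any service.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord
    Start-Sleep -Seconds 5
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
}

'Before:'; Get-SysvolShareState
Reset-SysvolReady
'After:';  Get-SysvolShareState
dcdiag /test:SysVolCheck /test:NetLogons   # both tests should pass before you retry the demotion
```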

Related Articles, References, Credits, or External Links

NA

PowerShell: Creating Domains and Domain Controllers

KB ID 0001400

Problem

I needed to spin up some Windows 2016 Servers, and a domain to do some testing. I have promoted hundreds maybe thousands of domain controllers, so I wondered if this time I could do it with PowerShell. It’s actually easier than using the GUI!

Solution

If you were doing this in Server Manager, you would have to add the role first, and PowerShell is no different;

[box]Install-WindowsFeature AD-Domain-Services -IncludeManagementTools[/box]

Then promote the server to a new DC in a new forest;

[box]Install-ADDSForest[/box]

Supply the new domain name and the DSRM (recovery) password. Select ‘Y’ to reboot and go and have a coffee; when finished you will have a new DC in a new domain, ready to log into.
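The same two steps with the prompts answered up front and the built-in dry run added, as an added example that is not from the original article. Domain name and NetBIOS name are placeholders; Test-ADDSForestInstallation validates the same parameters without changing anything, so you see naming or DNS problems before the promotion starts.

```powershell
# Added example, not from the original article: the two steps above with the
# prompts answered up front, plus a dry run. Domain and NetBIOS names are
# placeholders to change.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

$params = @{
    DomainName                    = 'testlab.local'   # placeholder
    DomainNetbiosName             = 'TESTLAB'         # placeholder
    ForestMode                    = 'WinThreshold'    # Server 2016 forest functional level
    DomainMode                    = 'WinThreshold'    # Server 2016 domain functional level
    InstallDns                    = $true
    SafeModeAdministratorPassword = (Read-Host 'DSRM password' -AsSecureString)
    Force                         = $true             # no 'Y' prompt; reboots when done
}

# Dry run: checks prerequisites (names, DNS, functional levels) without promoting.
$check = Test-ADDSForestInstallation @params
$check | Format-List

if ($check.Status -eq 'Success') {
    Install-ADDSForest @params     # promotes the server and reboots it
} else {
    Write-Warning "Prerequisite check failed: $($check.Message)"
}
```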

Related Articles, References, Credits, or External Links

NA

Cisco FirePOWER User Agent – Use With the FirePOWER Management Console

KB ID 0001179 

Problem

FirePOWER Management Center will give you a wealth of information on traffic, threats, etc. Usually it will tell you what IP the offenders are on, but if you want to know what a USER is doing, that means you have to look through logs to see who had what IP, at what time, etc.

So you can install the FirePOWER User Agent on a machine (this can be a client machine, though I usually put it on a member server). You then tell the user agent to monitor your Active Directory server(s) and it keeps a record of which user is where, which it reports back to the FMC for its dashboards and logs.

Note: This is for Version 6.0.0

You will need to create a user in your domain to query AD with (just a member of Domain Users is fine). I typically use svc_firepower as the username.

Solution

Your first challenge is to find the software, you would think it would be with the firewalls or the appliance but no!

In the FMC > System > Integration > Identity Sources > User Agent > New Agent > Supply the IP of the server that you are going to install the agent on > OK > Save.

On the DOMAIN CONTROLLER(S) that you will point the agent at, make sure WMI is allowed through the Windows Firewall (the ‘Windows Management Instrumentation (WMI)’ inbound rule group).

On the DOMAIN CONTROLLER(S) that you will point the agent at, run wmimgmt.msc > WMI Control Local > Properties > Security > Root > cimv2 > Security.

Grant your firepower user Remote Enable > Apply > OK.

On the DOMAIN CONTROLLER(S) that you will point the agent at, run comexp.msc > Console root > Computers > My Computer > Properties > COM Security > ‘Launch and Activation Permissions’ Section > Edit Limits.

Grant your FirePOWER account the Remote Launch and Remote Activation permissions > Apply > OK.

On the Default Domain Controllers Group Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Manage auditing and security log > Add in your FirePOWER user.

Note: Allow time for the policy to apply (or run ‘gpupdate /force‘, or simply force the policy from the GPMC.msc console if your domain is 2012).

On the server/machine that you want to install the agent on, run setup.exe (1); if you run setup.msi (2) only the agent is installed, and it will error if you try to launch it.

Open the agent and add in your domain controllers.

Note: Sometimes, you may have the following problem;

FirePOWER Agent – Real-Time Status ‘Unavailable’

Then add in the FMC Management details, go and have a coffee, and check everything has gone green.

Note: If managing FirePOWER ‘on-board’ (i.e. through the ASDM), enter the IP address of the SFR module instead!

Finally, in the FirePOWER Management Center > Policies > Network Discovery > Users > ensure all the methods are selected.

Then on the ‘Networks’ tab > Ensure that your rule has ‘Users’ selected.
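A way to confirm the domain controller side is right before you install the agent, as an added example that is not from the original article: from the machine that will host the User Agent, it opens a DCOM (not WinRM) WMI session to each DC as the service account, reads a class from root\cimv2, and reads a logon event from the Security log, which is the part that needs the ‘Manage auditing and security log’ right. DC names and the domain prefix are placeholders; svc_firepower is the account name used above.

```powershell
# Added example, not from the original article: run on the machine that will
# host the User Agent, BEFORE installing it, to confirm each DC allows the
# service account the access the steps above configure: WMI through the
# firewall, DCOM remote launch/activation, root\cimv2 Remote Enable, and the
# 'Manage auditing and security log' right needed to read logon events.
$DomainControllers = 'DC01.corp.local', 'DC02.corp.local'   # placeholders
$Credential        = Get-Credential 'CORP\svc_firepower'     # placeholder domain

function Test-UserAgentAccess {
    param([string]$Dc, [pscredential]$Cred)
    $r = [ordered]@{ DC = $Dc; Dcom = $false; Cimv2 = $false; SecurityLog = $false; Error = '' }
    try {
        # The agent talks DCOM/WMI, not WinRM, so test with the DCOM protocol.
        $opt = New-CimSessionOption -Protocol Dcom
        $s   = New-CimSession -ComputerName $Dc -Credential $Cred -SessionOption $opt -ErrorAction Stop
        $r.Dcom = $true

        # Any class in root\cimv2 proves the namespace 'Remote Enable' grant.
        $null = Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem -ErrorAction Stop
        $r.Cimv2 = $true

        # Reading the Security log is what actually needs the user-rights assignment;
        # without it the query returns nothing rather than an error.
        $ev = Get-CimInstance -CimSession $s -ClassName Win32_NTLogEvent `
                  -Filter "Logfile='Security' AND EventCode=4624" -ErrorAction Stop |
              Select-Object -First 1
        $r.SecurityLog = ($null -ne $ev)
        Remove-CimSession $s
    } catch {
        $r.Error = $_.Exception.Message
    }
    [pscustomobject]$r
}

$DomainControllers | ForEach-Object { Test-UserAgentAccess -Dc $_ -Cred $Credential } |
    Format-Table -AutoSize
```

A row with Dcom false points at the firewall or the DCOM limits; Cimv2 false at the namespace security; SecurityLog false at the Group Policy user right not having applied yet.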

Related Articles, References, Credits, or External Links

Original article written 27/04/16