Adding a Windows Server 2019/2016 Domain Controller

KB ID 0001262

Problem

Once upon a time, adding a domain controller that was running a newer version of the Windows Server family involved opening a command line and running the schema prep, GP prep, and so on. Now all of this happens in the background when you add a 2019 domain controller, and the wizard does the heavy lifting for you.

Solution

2008 to 2019 Domain Controller

2008 to 2016 Domain Controller

Obviously the server needs to be a domain member first!

  • For Server 2019, Forest and Domain Functional levels need to be at ‘Windows Server 2008’. (The documentation says 2008 R2, but Server 2008 also works flawlessly.)
  • For Server 2016, Forest and Domain Functional levels need to be at ‘Windows Server 2003’.

Before You Start!

Remember, if your ‘retiring’ domain controller is also a DNS/DHCP server you will need to address that as well, and make sure you don’t have a service or device that queries the old domain controller directly (RADIUS devices, firewalls, RSA appliances, proxy filters, security door software, etc.).

Procedure: Deploy a 2019 Domain Controller

With a vanilla install, Server Manager will open every time you boot (unless you’ve disabled it!). To open it manually, run ‘servermanager.exe’ > Manage > Add Roles and Features.

I usually tick the ‘Skip this page by default’ option > Next.

Role Based… > Next.

Ensure the local server is selected, (if you are managing another server, you can of course do the role install from here as well, but let’s keep things simple) > Next.

Select Active Directory Domain Services > Next.

Next.

Next.

Ensure ‘Restart’ is selected > Next.

Next.

Promote Windows Server To Domain Controller

Back in Server Manager > In the ‘Notifications’ section, click the warning triangle > ‘Promote This Server To Domain Controller’.

Assuming you already have a domain, and this is not a greenfield Install > Add a domain controller to an existing domain > Next.

Type and confirm a Directory Services Restore Mode (DSRM) password. Make it something you will remember in a crisis, or store it securely somewhere > Next.

This is fine. You see this error because it’s trying to create a delegation for this DNS zone, and there isn’t a Windows server above you in the DNS hierarchy. For example, if your domain name is petelnetlive.co.uk, then I do not have access to create a delegation in the .co domain space (so you can safely ignore it) > Next.

If you have a backup of AD you can ‘Install From Media’. This used to be handy on remote sites that had awful bandwidth, as it saved you having to replicate a large Active Directory over a ‘pants’ connection. I’ve not had to do that in a long time > Next.

Unless you want to change the default AD install locations > Next.

Next.

Read any warnings > Install.

Go have a coffee. We ticked ‘reboot’ earlier, so it will complete, then reboot the server, which will come back up as a domain controller.

You will notice (if you’re interested) that your schema version is now 88 (Server 2019), or 87 (Server 2016).
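
The functional level prerequisites and the schema version can both be read from PowerShell, before and after the promotion. This is an added example, not part of the original article: it assumes the RSAT ActiveDirectory module is installed, and the function name Test-DcUpgradeReadiness is hypothetical. The last line lists every existing domain controller with its roles, which helps with the ‘Before You Start’ check on what the retiring server still holds.

```powershell
# Added example, not from the original article. Needs the RSAT
# ActiveDirectory module and a domain account.
Import-Module ActiveDirectory

function Test-DcUpgradeReadiness {   # hypothetical helper name
    param(
        [ValidateSet('2016', '2019')]
        [string]$TargetOs = '2019'
    )

    # Functional levels, oldest first, without the Forest/Domain suffix.
    $levels = 'Windows2000', 'Windows2003Interim', 'Windows2003', 'Windows2008',
              'Windows2008R2', 'Windows2012', 'Windows2012R2', 'Windows2016'

    # Minimum levels and schema versions as stated in this article.
    $minimum     = @{ '2019' = 'Windows2008'; '2016' = 'Windows2003' }
    $schemaNames = @{ 87 = 'Server 2016'; 88 = 'Server 2019' }

    $forestLevel = (Get-ADForest).ForestMode.ToString() -replace 'Forest$', ''
    $domainLevel = (Get-ADDomain).DomainMode.ToString() -replace 'Domain$', ''
    $required    = [array]::IndexOf($levels, $minimum[$TargetOs])

    # The schema version is the objectVersion attribute on the schema partition.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $schema   = [int](Get-ADObject -Identity $schemaNc -Properties objectVersion).objectVersion
    $label    = $schemaNames[$schema]
    if (-not $label) { $label = 'other (not 87 or 88)' }

    # An unrecognised level gives index -1 and so fails the comparison.
    [pscustomobject]@{
        TargetOs      = $TargetOs
        ForestLevel   = $forestLevel
        DomainLevel   = $domainLevel
        LevelsOk      = ([array]::IndexOf($levels, $forestLevel) -ge $required) -and
                        ([array]::IndexOf($levels, $domainLevel) -ge $required)
        SchemaVersion = $schema
        SchemaLabel   = $label
    }
}

Test-DcUpgradeReadiness -TargetOs '2019'

# Which domain controllers exist, and which roles does each one hold?
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, IsGlobalCatalog, OperationMasterRoles
```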

Find out your Domain Schema Version

Related Articles, References, Credits, or External Links

NA

Windows Administrator “Lost Password” / “Password Reset”

KB ID 0000159

Problem

You have forgotten your password, or the administrator’s password for your Windows machine.

Note: You can also ‘blank’ or reset the DSRM (Directory Services Restore Mode) password on a Domain Controller using this method (tested on 2012 R2, by blanking the password).

Lost Password : Fix

Lost Password Software Download Links

Password Reset CD Image (3.5Mb) Note: This is a .iso file – you need to burn it as an image! Simply dropping this file on a CD will NOT work.

WARNING – If your drive has been encrypted with Windows BitLocker this procedure will not work!

Related Articles, References, Credits, or External Links

Windows 8 – Lost / Forgotten Password?

Windows – Lost / Forgotten Password?

KB ID 0000755

Problem

There are many reasons why you might want to do this: someone has managed to change a user password and that person is not available, or you might simply have forgotten it. Or you might have been given a machine, or bought one from eBay, that has come without a password. Also, there have been a few times when a user has looked me in the eye and said “I’m typing my password in, but it’s not working”. I have never seen a password change on its own, so I will just put that down to the evil password gremlins.

The procedure will also work on the Windows local administrator’s password, just bear in mind that this account is disabled by default (after Windows 8). This procedure will not work if the machine in question has had its hard drive encrypted using BitLocker.

You can use this procedure to blank (or reset) a Domain Controller’s DSRM (Directory Services Restore Mode) password.

You can avoid this procedure if you have access to another account on this machine that has administrative access. If you can log on as an administrator, then you can change the password of other local accounts on the affected machine without the need to do this.

Solution

How to Burn the ISO Disc Image

1. Download the Password Reset CD Image.

2. Download ImgBurn and install it. Launch the program; if it does not look like this you need to select View > EX-Mode-Picker. Select the ‘Write image file to disc’ option.

3. The file you downloaded is a zip file that contains the disk image, so you will need to extract the image from the zip file (i.e. drag it to your desktop). From within ImgBurn launch the browse option and navigate to the disk image you have just extracted > Open.

4. Select the burn to disc icon (Note: This will be greyed out until there is a blank CD in the drive). The image is very small, so it will not take long to burn.

Carry Out a Windows 8 Password Reset.

This procedure uses the boot CD you have just created. For it to work you need to make sure the machine will attempt to boot to its CD/DVD drive before it boots to its hard drive (or it will simply boot into Windows again). This change in ‘Boot Order’ is carried out in the machine’s BIOS. How you enter this varies depending on the machine vendor; when you first turn on the machine, watch for a message that looks like Press {key} to enter Setup. Typically the key is Esc, Del, F1, F2, or F9. When in the BIOS, locate the boot order and move the CD/DVD drive to the top of the list.

1. Boot your machine from your freshly burned CD, when you see this screen simply press {Enter} to boot.

2. Depending on how many disks/partitions you have it will discover them and assign a number to each one, here I only have 1 so I will type ‘1 {Enter}’.

Note: You may see a small 300Mb partition, ignore that. You may also see your machine’s recovery partition if it has one; if that’s the case you may have to carry out some trial and error to get the right one.

3. The system is set to look for the default registry location C:\Windows\System32\Config so simply press {Enter}. If it fails at this point you selected the wrong drive/partition.

4. We want password reset so select option 1.

5. We will be editing user data and passwords, so again select option 1.

6. You will be presented with a list of the user objects that it can locate, here I want to reset the password for the ‘PeteLong’ user object so simply type in the username you want to edit.

Note: As mentioned you can see here the administrator account is disabled, if you want to work with that account, you will need to unlock and enable it on the next screen before you blank or change the password.

7. You can choose option 2 and type in a new password, but I’m going to blank the password by selecting option 1, then change it when I get back into the machine.

8. To step back you need to enter an exclamation mark.

9. Enter a ‘q’ to quit.

10. To write the changes you have made enter a ‘y’.

11. As long as you are happy, and have no other accounts that need changing, enter ‘n’.

12. Now remove the boot CD, and press Ctrl+Alt+Delete to reboot the machine.

13. As the user object we are dealing with was the last one that has logged on, it will select that account as soon as the computer boots, and now it has a blank password it will automatically log on.

14. To change the password, press Ctrl+I > Change PC settings.

15. Users > Create a password.

16. Type and confirm your new password, and enter a password hint > Next.

17. Log off the account and test the new password.

Related Articles, References, Credits, or External Links

NA