Forest and Domain functional level
All domains in a forest share these characteristics:
- A single schema. If part of the organization needs a different schema (for example, different languages or regional settings, or applications that require incompatible schema changes), consider creating a separate forest rather than changing the shared schema.
- Forest-wide administrative groups: Schema Admins and Enterprise Admins. Members of Schema Admins can modify the schema. Members of Enterprise Admins can add or remove domains from the forest and have administrative access to every domain in the forest. By default, only the Administrator account of the first domain created in the forest (the forest root domain) is a member of these two groups; keep both groups empty except while a change actually requires them.
- A global catalog.
- Operations masters (the two forest-wide roles are the schema master and the domain naming master).
- Trusts between domains (every domain trusts every other domain in the forest through transitive parent-child and tree-root trusts).
- Replication between domains (the schema and configuration partitions replicate to every DC in the forest).
The forest functional level can only be raised once every domain in the forest is already at that level or higher; in other words, each domain functional level must be equal to or greater than the forest functional level.
Redircmp: sets the default container in which new computer accounts are created when a machine joins the domain. By default this is the Computers container (CN=Computers), which is a container rather than an OU, so no Group Policy can be linked to it; redirecting it to an OU lets you apply a baseline GPO to machines as soon as they join.
Requirements: the target OU must already exist, and the domain functional level must be at least Windows Server 2003.
dsadd ou "ou=NewCompOU,DC=frankfu,DC=com"
redircmp "ou=NewCompOU,DC=frankfu,DC=com"
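The same change done from PowerShell, with the two checks a practitioner wants around it (functional level first, and afterwards the wellKnownObjects entry that redircmp actually rewrites). This is an added example, not code from the original notes; it assumes the RSAT ActiveDirectory module, the OU name NewCompOU from the notes above, and takes the domain from Get-ADDomain instead of hard-coding frankfu.com.

```powershell
# Added example: redirect the default computer container to an OU and verify it.
# Assumes the ActiveDirectory module (RSAT) and Domain Admins rights.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ouDn   = "OU=NewCompOU,$($domain.DistinguishedName)"

# redircmp requires Windows Server 2003 domain functional level or higher.
if ($domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain) {
    throw "Domain functional level $($domain.DomainMode) is below Windows Server 2003; redircmp is not supported."
}

# The target OU must exist before redircmp is run; create it if it is missing.
try {
    $null = Get-ADOrganizationalUnit -Identity $ouDn -ErrorAction Stop
} catch {
    New-ADOrganizationalUnit -Name "NewCompOU" -Path $domain.DistinguishedName `
                             -ProtectedFromAccidentalDeletion $true
}

# redircmp is the supported tool; it rewrites the wellKnownObjects entry on the domain head.
& redircmp.exe $ouDn
if ($LASTEXITCODE -ne 0) { throw "redircmp failed with exit code $LASTEXITCODE" }

# Verify: wellKnownObjects holds "B:32:<GUID>:<DN>" entries; the entry tagged with the
# well-known GUID of the Computers container must now point at the new OU.
$computersGuid = "AA312825768811D1ADED00C04FD8D5CD"
$wko     = (Get-ADObject -Identity $domain.DistinguishedName -Properties wellKnownObjects).wellKnownObjects
$entry   = $wko | Where-Object { $_ -like "B:32:${computersGuid}:*" }
$current = $entry -replace "^B:32:${computersGuid}:", ""
if ($current -ne $ouDn) { throw "Default computer container is '$current', expected '$ouDn'" }
"New computer accounts will now be created in $current"
```

(Get-ADDomain).ComputersContainer exposes the same value without parsing; the raw attribute is read here to show where redircmp stores the setting.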
Adding and removing Domains
For Windows Server 2008
Installation
To install a new Windows Server 2008 DC in an existing Windows 2000 or Windows Server 2003 domain or forest, you must first prepare the existing domain controllers for the schema and other changes the new DC brings. The Adprep command-line program prepares an existing forest and domain for the addition of a Windows Server 2008 DC.
Adprep.exe is on the Windows Server 2008 installation DVD in the \sources\adprep folder.
Copy this folder to the Windows 2000 or Windows Server 2003 domain controllers on which you need to run Adprep; it runs locally on the operations master DCs, not remotely.
1. To prepare the forest, run adprep /forestprep (or adprep32 /forestprep, the 32-bit build shipped on Windows Server 2008 R2 media, on a 32-bit DC) on the Windows 2000 or Windows Server 2003 DC that holds the schema master role.
- To determine which DC holds this role, open the Active Directory Schema snap-in and check Operations Master (the snap-in must first be registered with regsvr32 schmmgmt.dll); netdom query fsmo from a command prompt lists all five role holders.
- You must log on to the schema master DC as a member of all three groups: Enterprise Admins, Schema Admins and Domain Admins of the forest root domain.
- Let the schema changes replicate to every DC in the forest before continuing; adprep /domainprep refuses to run until they have.
2. To prepare each domain, run adprep /domainprep (or adprep32 /domainprep) in every domain where you plan to add a Windows Server 2008 DC.
- Domains that were originally created on Windows 2000 and never had adprep /domainprep /gpprep run for Windows Server 2003 need the extra parameter: adprep /domainprep /gpprep. It adds the inheritable ACEs on Group Policy objects in SYSVOL that Resultant Set of Policy planning mode needs.
- This command must be run on the DC that holds the infrastructure master role for the domain.
- You must log on as a member of Domain Admins for that domain.
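The two things to know before and after running the steps above are which DCs hold the schema master and infrastructure master roles, and whether the preparation actually landed. The following script is an added example (not from the original notes) that answers both. It uses ADSI only, so it runs on the old Windows 2000/2003 DCs where adprep is executed, without the ActiveDirectory module. The expected version numbers are the ones Microsoft documents for Windows Server 2008 adprep (schema objectVersion 44, ForestUpdates revision 2, DomainUpdates revision 3); treat them as assumptions and look up the values for any other OS version.

```powershell
# Added example: locate the adprep role holders and verify forest/domain preparation.
# Expected values below are for Windows Server 2008 adprep (assumed; verify per OS version).
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = $rootDse.schemaNamingContext.Value
$configNC = $rootDse.configurationNamingContext.Value
$domainNC = $rootDse.defaultNamingContext.Value

# fSMORoleOwner on the Schema container (schema master) and on CN=Infrastructure
# (infrastructure master) holds the DN of the role holder's NTDS Settings object,
# whose parent is the server object carrying the DC's DNS host name.
function Get-RoleHolder([string]$containerDn) {
    $ntdsDn   = ([ADSI]"LDAP://$containerDn").fSMORoleOwner.Value
    $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
    ([ADSI]"LDAP://$serverDn").dNSHostName.Value
}

"Run adprep /forestprep on the schema master:         " + (Get-RoleHolder $schemaNC)
"Run adprep /domainprep on the infrastructure master: " + (Get-RoleHolder "CN=Infrastructure,$domainNC")

# After adprep: the schema objectVersion and the 'revision' attribute of the
# ActiveDirectoryUpdate containers record which preparation level was applied.
function Get-Revision([string]$dn) {
    $value = ([ADSI]"LDAP://$dn").revision.Value
    if ($value) { [int]$value } else { 0 }   # missing container means never prepared
}

$expected = @{ Schema = 44; Forest = 2; Domain = 3 }   # Windows Server 2008 (assumed)
$actual   = @{
    Schema = [int]([ADSI]"LDAP://$schemaNC").objectVersion.Value
    Forest = Get-Revision "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC"
    Domain = Get-Revision "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNC"
}
foreach ($k in "Schema", "Forest", "Domain") {
    # Later OS versions set higher numbers, so "at least" is the right test.
    $state = if ($actual[$k] -ge $expected[$k]) { "OK" } else { "NOT PREPARED" }
    "{0,-6} version {1} (need {2}): {3}" -f $k, $actual[$k], $expected[$k], $state
}
```

Run it on the DC where you intend to run adprep, as an account that can read the Configuration partition; the domain check reads the domain the machine is joined to, so run it once per domain.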
Removing a DC
Check before demoting:
- If the DC holds any operations master role, transfer the role to another DC first.
- If the DC is a global catalog server, make sure at least one other DC in the domain (ideally in the same site) is a GC server; otherwise logons that need universal group membership will fail.
- If it is the only DC in the domain, demoting it removes the domain.
Use Dcpromo to remove Active Directory Domain Services from the DC.
Removing a domain
Dcpromo: demoting the last DC with Dcpromo removes all vestiges of the domain from the rest of the forest.
Ntdsutil: if the last DC crashed or was taken offline without being demoted with Dcpromo, you must use Ntdsutil to remove the domain. This is called removing an orphaned domain. The procedure, metadata cleanup, removes the selected DC or domain data from the rest of the forest. You must be a member of Enterprise Admins to perform it.
Caution: using Ntdsutil incorrectly can result in partial or complete loss of Active Directory functionality.
To clean up metadata
- At the command line, type ntdsutil and press Enter.
- At the ntdsutil: prompt, type metadata cleanup and press Enter.
- At the metadata cleanup: prompt, type connections and press Enter.
- At the server connections: prompt, type connect to server <servername>, where <servername> is any functional domain controller in the same domain as the failed DC, and press Enter.
- Type quit and press Enter to return to the metadata cleanup: prompt.
- Type select operation target and press Enter.
- Type list domains and press Enter. This lists all domains in the forest with a number next to each.
- Type select domain <number>, where <number> is the number of the domain in which the failed server was located, and press Enter.
- Type list sites and press Enter.
- Type select site <number>, where <number> is the number of the site the domain controller belonged to, and press Enter.
- Type list servers in site and press Enter. This lists all servers in that site with a number next to each.
- Type select server <number>, where <number> is the number of the domain controller to be removed, and press Enter.
- Type quit and press Enter. The metadata cleanup: prompt is displayed again.
- Type remove selected server and press Enter, and confirm the removal.
- Type quit and press Enter until you return to the command prompt.
To remove the failed server object from the sites
- In Active Directory Sites and Services, expand the appropriate site.
- Delete the server object associated with the failed domain controller.
To remove the failed server object from the Domain Controllers container
- In Active Directory Users and Computers, expand the Domain Controllers container.
- Delete the computer object associated with the failed domain controller.
- Windows Server 2003 displays a dialog asking whether you want to delete the server object without performing a Dcpromo operation (which you cannot run, because the DC no longer exists). Select "This DC is permanently offline..." and click Delete.
- AD displays another confirmation window. If you are sure you want to delete the failed object, click Yes.
- On Windows Server 2008 and later, deleting the computer object in Active Directory Users and Computers, or the NTDS Settings object in Active Directory Sites and Services, performs the metadata cleanup itself; the Ntdsutil steps above are needed on older DCs or when the GUI deletion fails.
To remove the failed server object from DNS
- In the DNS snap-in, expand the zone for the domain from which the server was removed.
- Delete the CNAME record (<NTDS Settings GUID>._msdcs.<forest root domain>) in the _msdcs zone of the forest root domain. Also delete the host (A) record and the SRV records (_ldap, _kerberos, _gc and so on) that still name the failed DC; unless scavenging is enabled these stay behind, and clients that resolve them keep trying to contact a DC that no longer exists.
- If you have reverse lookup zones, remove the server's PTR record from them as well.
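The steps above touch four places (operations master roles and the GC, the Configuration partition, the Domain Controllers container and DNS), and a cleanup that misses one of them is the usual cause of replication errors and stale SRV records later. The following script is an added example (not from the original notes) that reports every remaining reference to a failed DC; run it before the cleanup to see what has to go and afterwards to confirm nothing is left. It assumes the RSAT ActiveDirectory module against a live DC, the DnsServer module on the DNS server for the DNS part, and the host name passed in is a placeholder.

```powershell
# Added example: find leftover references to a failed domain controller.
# Assumes the ActiveDirectory module (RSAT); DNS checks need the DnsServer module.
Import-Module ActiveDirectory

function Find-DcLeftovers {
    param([Parameter(Mandatory)][string]$FailedDc)   # short host name, e.g. DC2 (placeholder)

    $domain   = Get-ADDomain
    $forest   = Get-ADForest
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $fqdn     = "$FailedDc.$($domain.DNSRoot)"
    $found    = New-Object System.Collections.Generic.List[string]

    # 1. Operations master roles must have been transferred or seized away from it.
    $roles = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($r in $roles.GetEnumerator()) {
        if ($r.Value -eq $fqdn) { $found.Add("FSMO role $($r.Key) still points to $($r.Value)") }
    }

    # 2. At least one other global catalog must remain.
    if (-not ($forest.GlobalCatalogs | Where-Object { $_ -ne $fqdn })) {
        $found.Add("No global catalog other than $fqdn exists in the forest")
    }

    # 3. Server object (and under it NTDS Settings) in the Configuration partition.
    $server = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))" -SearchBase $configNC
    foreach ($s in $server) { $found.Add("Server object remains: $($s.DistinguishedName)") }

    # 4. Computer account in the Domain Controllers OU.
    $computer = Get-ADComputer -LDAPFilter "(cn=$FailedDc)" -SearchBase $domain.DomainControllersContainer
    foreach ($c in $computer) { $found.Add("Computer object remains: $($c.DistinguishedName)") }

    # 5. DNS: the GUID CNAME in _msdcs.<forest root> and SRV records that name the host.
    #    Record data from the DnsServer module carries a trailing dot, hence the trim.
    if (Get-Command Get-DnsServerResourceRecord -ErrorAction SilentlyContinue) {
        $cnames = Get-DnsServerResourceRecord -ZoneName "_msdcs.$($forest.RootDomain)" -RRType CName -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordData.HostNameAlias.TrimEnd('.') -eq $fqdn }
        foreach ($c in $cnames) { $found.Add("DNS CNAME remains: $($c.HostName) -> $fqdn") }

        $srvs = Get-DnsServerResourceRecord -ZoneName $domain.DNSRoot -RRType Srv -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordData.DomainName.TrimEnd('.') -eq $fqdn }
        foreach ($s in $srvs) { $found.Add("DNS SRV remains: $($s.HostName) -> $fqdn") }
    }

    if ($found.Count -eq 0) { "No references to $fqdn found." } else { $found }
}

# Usage (placeholder host name):
Find-DcLeftovers -FailedDc "DC2"
```

The checks are read-only, so it is safe to run repeatedly while working through the cleanup; an empty result at the end is what "all vestiges removed" means in practice.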
Migrating domain objects
Simply deleting an object and recreating it in another domain loses the original account's security identifier (SID), and with it every permission and group membership that was granted to that SID. Microsoft therefore provides the Active Directory Migration Tool (ADMT) so that administrators can migrate AD objects without losing their security assignments.
ADMT performs three main types of migration:
- Intraforest migration: moving objects between domains in the same forest. This is often done when a company reorganizes and users change their primary domain. After an intraforest migration the moved objects no longer exist in the source domain.
- Interforest migration: copying objects between domains in different forests, for example when companies merge or a company splits into divisions. Migrated objects are copied and exist in both domains simultaneously, so users can keep working while the migration is in progress.
- Migration of a Windows NT 4.0 domain to an Active Directory domain: you can migrate NT 4.0 domains to Windows 2000 or Windows Server 2003 domains, but not to Windows Server 2008 domains.
ADMT is not included with Windows Server 2008; you must download it, and ADMT 3.1 is the version required for Windows Server 2008.
Some terms used in migration planning and implementation:
- SID history: when an account is migrated to another domain it is assigned a new SID. The SID is what rights and permissions are granted to and what group membership is evaluated against. sIDHistory is a multivalued attribute of the AD object: when an object is migrated, the new SID is assigned and the previous SID(s) are stored in sIDHistory. When the user logs on to the new domain, the SIDs in sIDHistory are placed in the access token alongside the new SID, so the old permissions still apply. Because the token honours those extra SIDs, anything in sIDHistory is effectively an additional identity; only a trusted migration process should populate it, and it should be cleared once security translation is complete.
Because most permissions are assigned through global group membership, global groups must be migrated before user accounts. Group objects also keep SID history. Note: Microsoft recommends managing permissions on a resource with local groups in its DACL and adding global groups to those local groups. The best practice is to use global groups to group users and local groups to protect resources; placing a global group in a local group grants the global group's members access to the resource.
https://technet.microsoft.com/en-us/library/cc779590%28v=ws.10%29.aspx
https://technet.microsoft.com/en-us/library/cc974412%28v=ws.10%29.aspx
- Security translation: in this process ADMT examines every resource's ACL for an occurrence of the migrated account's SID from the source domain and replaces it with (or, in Add mode, adds alongside it) the account's SID in the target domain. Most migrations use SID history to maintain user access to resources during the migration, then perform security translation after the migration is finished.
- Password Export Server (PES): a separate program used to migrate passwords during an interforest migration. It must be installed on a domain controller in the source domain.
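What SID history and security translation actually rely on is visible from the directory and the file system. The following script is an added, read-only example (not ADMT's code and not from the original notes): it maps each migrated object's old source-domain SID to its new SID from sIDHistory, then walks a folder tree and reports explicit ACEs that still carry source-domain SIDs, which are only honoured because of sIDHistory, together with the target SID that security translation in Replace mode would write. An ACE with no target SID belongs to a principal that was never migrated and is simply dead. It assumes the RSAT ActiveDirectory module, PowerShell 3.0 or later, and that the source domain SID and share path are placeholders you replace.

```powershell
# Added example: audit sIDHistory and find ACEs that still depend on it.
# Assumes the ActiveDirectory module (RSAT) and PowerShell 3.0+; inputs are placeholders.
Import-Module ActiveDirectory

function Get-SidHistoryMap {
    # Returns a hashtable: old (source-domain) SID -> new (target-domain) SID.
    param([Parameter(Mandatory)][string]$SourceDomainSid)
    $map = @{}
    $migrated = Get-ADObject -LDAPFilter "(&(|(objectClass=user)(objectClass=group))(sIDHistory=*))" `
                             -Properties sIDHistory, objectSid
    foreach ($obj in $migrated) {
        foreach ($old in $obj.sIDHistory) {
            # Objects migrated more than once carry several entries; keep the source domain's.
            if ($old.Value -like "$SourceDomainSid-*") { $map[$old.Value] = $obj.objectSid.Value }
        }
    }
    $map
}

function Find-StaleSourceAces {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$SourceDomainSid,
        [hashtable]$SidMap = @{}
    )
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        # Explicit ACEs only: inherited ones are corrected once their parent is translated.
        foreach ($ace in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
            $sid = $ace.IdentityReference.Value
            if ($sid -like "$SourceDomainSid-*") {
                [pscustomobject]@{
                    Path       = $item.FullName
                    SourceSid  = $sid
                    Rights     = $ace.FileSystemRights
                    AccessType = $ace.AccessControlType
                    TargetSid  = $SidMap[$sid]   # empty: principal never migrated, ACE is dead
                }
            }
        }
    }
}

# Usage (placeholders): list ACEs on a share that still work only through SID history.
$sourceSid = "S-1-5-21-1111111111-2222222222-3333333333"   # placeholder source domain SID
$map       = Get-SidHistoryMap -SourceDomainSid $sourceSid
Find-StaleSourceAces -Path "D:\Shares\Finance" -SourceDomainSid $sourceSid -SidMap $map |
    Format-Table -AutoSize
```

Run it against the migrated target domain after the ADMT security translation step: any rows that remain are resources where access still depends on sIDHistory and will break when the attribute is cleared or when SID filtering strips those SIDs.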