I built a Windows Server 2008 Server Core DC last week. It’s an interesting exercise because you have to use an unattend.txt file. I found quite a few places online that listed RODC unattend.txt files, but not full read-write DC unattend.txt files. So, attached to this post you’ll find the unattend.txt I used, but also, of more interest, I’m attaching the full help file directly from the server, which I used to create the file.

First, you have to install the server and set an IP address - my previous posts on IP changes on DCs all used netsh commands as well, so if you followed those, you should be somewhat prepared for Server Core. I already had a Windows Server 2003 DC in the environment, so that will be my primary DNS server for the install, until DCPromo edits the settings.
netsh interface ipv4 set address local static 10.1.1.6 255.255.255.0 10.1.1.1 10
netsh interface ipv4 set dns local static 10.1.1.5
netsh interface ipv4 set wins local static 10.1.1.5

Now networking is set up, we can rename the computer: netdom renamecomputer %computername% /NewName:dc02 and join the domain with netdom join dc02 /domain:foo.local /UserD:FOO\Administrator /reboot:5 /PasswordD:*. The “5” after the reboot flag says to reboot 5 seconds after completion, and the “*” at the end says to prompt you for your password. I join the system to the domain manually first, because then I can WSUS patch it (if WSUS is in the network), or open up the firewall for any other patching software I have.

Once the server is back from reboot, activate, update the firewall to allow remote MMC connections (if you’re not doing that through GPO already), and install new roles.
slmgr.vbs -ato
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

The following roles are optional, depending on the service of the server. Mine has DNS and the File Server roles, but not DHCP. None of these are required to install AD Domain Services!
start /w ocsetup DNS-Server-Core-Role
start /w ocsetup DHCPServerCore
start /w ocsetup FRS-Infrastructure
start /w ocsetup DFSN-Server
start /w ocsetup DFSR-Infrastructure-ServerEdition

If this is the first Windows Server 2008 DC in your environment, you’ll need to take the Windows Server 2008 DVD to the DC with the Infrastructure Master role (required for /gpprep only) and run the following (E: assumed as DVD-ROM drive):
e:\sources\adprep\adprep.exe /forestprep
e:\sources\adprep\adprep.exe /domainprep
e:\sources\adprep\adprep.exe /domainprep /gpprep
(Also run adprep /rodcPrep if you plan on building RODCs.)

Now you’re ready to do the DCPromo itself. Create an unattend.txt file. To add a DC to an existing domain, you can use:
[DCInstall]
AutoConfigDNS=Yes
ConfirmGc=Yes
DatabasePath=E:\Windows\NTDS
LogPath=c:\windows\NTDS
RebootOnSuccess=Yes
ReplicaDomainDNSName=foo.local
ReplicaOrNewDomain=Replica
ReplicationSourceDC=dc01.foo.local
SafeModeAdminPassword=passwordhere
SysVolPath=e:\windows\SysVol
UserDomain=foo.local
Password=passwordhere

DCPromo will wipe out the passwords when it starts, or you can fill in “*” instead of the password, to be prompted. When it’s done, the server will reboot and be a new Global Catalog / DC in your domain. DCPromo will install necessary binaries and configure the firewall for DC Services for you. It’s quite slick.
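As an added example (not part of the original post), here is a small Python check to run over an unattend.txt before it is copied to the server or shared. It flags literal passwords, lines that are not key=value, and relative paths, and it never echoes the secret itself. The function name audit_unattend and the sample file are constructed for illustration; only keys that appear on this page are checked.

```python
import re

# Credential-bearing and path-bearing keys, taken from the file on this page.
SECRET_KEYS = {"safemodeadminpassword", "password"}
PATH_KEYS = {"databasepath", "logpath", "sysvolpath"}

def audit_unattend(text):
    """Return (line_no, message) findings for a dcpromo [DCInstall] answer file."""
    findings, section, seen = [], None, set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):  # assumed INI-style comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "dcinstall":
            findings.append((no, "line is outside the [DCInstall] section"))
            continue
        if "=" not in line:
            findings.append((no, "not key=value syntax"))
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        k = key.lower()
        if k in seen:
            findings.append((no, f"duplicate key {key}"))
        seen.add(k)
        # Report the key only; the password value is never copied into output.
        if k in SECRET_KEYS and value != "*":
            findings.append((no, f"{key} holds a literal password; use * to be prompted"))
        if k in PATH_KEYS and not re.match(r"^[A-Za-z]:\\", value):
            findings.append((no, f"{key} is not an absolute drive path"))
    return findings

# Constructed sample: one relative path, one literal password, one
# command-line style line that does not belong in an answer file.
SAMPLE = r"""[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=foo.local
DatabasePath=E:\Windows\NTDS
LogPath=Windows\NTDS
SafeModeAdminPassword=passwordhere
Password=*
/Password:passwordhere
"""

if __name__ == "__main__":
    for line_no, message in audit_unattend(SAMPLE):
        print(f"line {line_no}: {message}")
```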

And as promised, here are the DCPromo Unattend Options for reference for creating your own unattend.txt.


Dean Wells started out Day 3 of DEC 2008 with a recap of the Dean and Joe show. He finished up the demo of “how exactly the FSMO role works” which was amazingly detailed and deep. He also explained more about AdminSDHolder and showed off several of Joe Richards’ tools. They also showed some info about how to read deep into the DIT itself that I found really interesting. Yes, I’ve now dumped my test network’s AD database and read it with their tools.

Don Jones had the next session, but I had to skip out on it to prepare for my session. I did hear some great feedback, but was disappointed, since his was one of the sessions I was most looking forward to prior to the conference start.

I spoke at 11am about how to integrate Linux/Unix systems with Active Directory. Download the deck here. It was a great experience, and the bit of feedback I’ve heard so far has been really positive.  It sounds like several attendees have moved their integration projects forward with information I presented, so I think it was successful.

After lunch, the Microsoft Windows and Active Directory product teams had a chalk talk about what’s next with AD where they solicited a LOT of suggestions from the attendees.  I was surprised by the number of people who are using “Prune and Graft” techniques for domain migrations.  Microsoft was very clear, however: do not EVER prune and graft domains.

And I’ll leave it at that. In all, it was a great experience, and I learned so much. I’m going to go back again!


Tuesday the 4th started with Stuart Kwan’s keynote at 8am - he talked about an eventual plug and play software “identity bus” where you just plug in identity management software, and it just works - the same as PCI or USB hardware does on those busses. It’s a pretty cool concept, and that Microsoft is driving in that direction is great. I just can’t see how quickly they’ll be able to get there. But it’s a well thought out plan they seem to have. I’m excited to watch it grow.

I spent a large portion of this week at DEC 2008. I mentioned previously that I’d be presenting as well. Now that I’ve had a couple of days back to catch up with work and home, I wanted to recap the amazing experience, and share a few bits of info that I learned as well.

Sunday March 2nd was only registration and the reception for me. I just used the brief time downtown to meet with the Centrify and Likewise teams who worked so hard over the previous month to help me prepare my presentation for Wednesday. I met a bunch of great new contacts as well - not a conversation passed that I didn’t learn something new.

Monday the 3rd included Gil Kirkpatrick’s discussion on AD administrators vs. software developers, Jerry Camel and Brad Turner’s overview of proper architecture for ILM “2”, how Microsoft is using Windows Server 2008 (Brian Puhl), an amazingly in-depth look into AD with Dean Wells and Joe Richards, and a discussion about how Centrify DirectControl works (in Centrify’s vendor track).

As of today:

“Akismet has caught 347 spam for you since you first installed it.”

That’s since 11/29/2007. Akismet has YET to miscategorize a comment as spam, and it has missed a single spam comment. All I had to do was click “this is spam” and it’s cleaned up.

The only other anti-spam product I’ve seen to perform this well is the IronPort mail system at a client. 130,000 or so attempts / day, 1 spam / day in the entire company queue, and no users complaining about spam in 5 months.

Akismet, IronPort, my hat is off to you both.

