March 2008


I built a Windows Server 2008 Server Core DC last week. It’s an interesting exercise because you have to use an unattend.txt file. I found quite a few places online that listed RODC unattend.txt files, but not full read-write DC unattend.txt files. So, attached to this post you’ll find the unattend.txt I used, but also, of more interest, I’m attaching the full help file directly from the server, which I used to create the file.

First, you have to install the server and set an IP address. My previous posts on IP changes on DCs all used netsh commands as well, so if you followed those, you should be somewhat prepared for Server Core. I already had a Windows Server 2003 DC in the environment, so that will be my primary DNS server for the install, until DCPromo edits the settings.
netsh interface ipv4 set address local static 10.1.1.6 255.255.255.0 10.1.1.1 10
netsh interface ipv4 set dns local static 10.1.1.5
netsh interface ipv4 set wins local static 10.1.1.5

Now that networking is set up, we can rename the computer with netdom renamecomputer %computername% /NewName:dc02 and join the domain with netdom join dc02 /domain:foo.local /UserD:FOO\Administrator /reboot:5 /PasswordD:*. The "5" after the reboot flag says to reboot 5 seconds after completion, and the "*" at the end says to prompt you for your password. I join the system to the domain manually first, because then I can WSUS patch it (if WSUS is in the network), or open up the firewall for any other patching software I have.

Once the server is back from reboot, activate, update the firewall to allow remote MMC connections (if you’re not doing that through GPO already), and install new roles.
slmgr.vbs -ato
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

The following roles are optional, depending on the service of the server. Mine has DNS and the File Server roles, but not DHCP. None of these are required to install AD Domain Services!
start /w ocsetup DNS-Server-Core-Role
start /w ocsetup DHCPServerCore
start /w ocsetup FRS-Infrastructure
start /w ocsetup DFSN-Server
start /w ocsetup DFSR-Infrastructure-ServerEdition

If this is the first Windows Server 2008 DC in your environment, you’ll need to take the Windows Server 2008 DVD to the DC with the Infrastructure Master role (required for /gpprep only) and run the following (E: assumed as DVD-ROM drive):
e:\sources\adprep\adprep.exe /forestprep
e:\sources\adprep\adprep.exe /domainprep
e:\sources\adprep\adprep.exe /domainprep /gpprep
(Also run adprep /rodcPrep if you plan on building RODCs.)

Now you’re ready to do the DCPromo itself. Create an unattend.txt file. To add a DC to an existing domain, you can use:
[DCInstall]
AutoConfigDNS=Yes
ConfirmGc=Yes
DatabasePath=E:\Windows\NTDS
LogPath=c:\windows\NTDS
RebootOnSuccess=Yes
ReplicaDomainDNSName=foo.local
ReplicaOrNewDomain=Replica
ReplicationSourceDC=dc01.foo.local
SafeModeAdminPassword=passwordhere
SysVolPath=e:\windows\SysVol
UserDomain=foo.local
UserName=Administrator
Password=passwordhere

DCPromo will wipe out the passwords from the file when it starts, or you can fill in "*" instead of the password to be prompted. When it's done, the server will reboot and be a new Global Catalog / DC in your domain. DCPromo will install the necessary binaries and configure the firewall for DC services for you. It's quite slick.
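As an added example (not part of the original post), here is a small Python linter for a [DCInstall] unattend file that catches the mistakes that bite on Server Core, where there is no GUI to fall back on: a command-line switch pasted into the file instead of a KEY=VALUE line, missing credential keys, and passwords left in clear text instead of the "*" prompt. The required-key list is my assumption based on the replica layout above plus the UserName/Password credential keys, and the sample file is constructed.

```python
# Added example: lint a DCPromo [DCInstall] unattend file before copying it
# to the Server Core box. REQUIRED_REPLICA_KEYS is an assumption (the replica
# layout above plus credential keys); dcpromo treats key names case-insensitively.
REQUIRED_REPLICA_KEYS = [
    "ReplicaOrNewDomain", "ReplicaDomainDNSName", "ReplicationSourceDC",
    "UserDomain", "UserName", "Password", "SafeModeAdminPassword",
    "DatabasePath", "LogPath", "SysVolPath",
]
SECRET_KEYS = ["Password", "SafeModeAdminPassword"]


def lint_unattend(text):
    """Return (settings, findings): settings keyed by lower-cased key name,
    findings as human-readable strings (empty list means the file is clean)."""
    settings, findings, in_section = {}, [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[dcinstall]"
            continue
        if line.startswith("/"):  # dcpromo switch syntax pasted into the file
            findings.append(f"line {lineno}: switch syntax, use KEY=VALUE: {line}")
            continue
        if not in_section or "=" not in line:
            findings.append(f"line {lineno}: not a [DCInstall] KEY=VALUE line: {line}")
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    for key in REQUIRED_REPLICA_KEYS:
        if key.lower() not in settings:
            findings.append(f"missing required key: {key}")
    for key in SECRET_KEYS:  # "*" means prompt at run time; anything else is clear text
        if settings.get(key.lower(), "*") != "*":
            findings.append(f"{key} is stored in clear text; use * to be prompted")
    return settings, findings


# Constructed sample in the layout above, with a pasted "/Password:" switch.
SAMPLE_UNATTEND = r"""[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=foo.local
ReplicationSourceDC=dc01.foo.local
SafeModeAdminPassword=passwordhere
DatabasePath=E:\Windows\NTDS
LogPath=C:\Windows\NTDS
SysVolPath=E:\Windows\SysVol
UserDomain=foo.local
/Password:passwordhere
"""
```

Run lint_unattend(SAMPLE_UNATTEND) and it reports the switch-syntax line, the missing UserName and Password keys, and the clear-text SafeModeAdminPassword; a file with "*" for both secrets and all keys present returns no findings.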

And as promised, here are the DCPromo Unattend Options for reference for creating your own unattend.txt.

Dean Wells started out Day 3 of DEC 2008 with a recap of the Dean and Joe show. He finished up the demo of "how exactly the FSMO role works," which was amazingly detailed and deep. He also explained more about AdminSDHolder and showed off several of Joe Richards' tools. They also showed some info about how to read deep into the DIT itself that I found really interesting. Yes, I've now dumped my test network's AD database and read it with their tools.

Don Jones had the next session, but I had to skip out on it to prepare for my session. I did hear some great feedback, but was disappointed, since his was one of the sessions I was most looking forward to prior to the conference start.

I spoke at 11am about how to integrate Linux/Unix systems with Active Directory. Download the deck here. It was a great experience, and the bit of feedback I’ve heard so far has been really positive.  It sounds like several attendees have moved their integration projects forward with information I presented, so I think it was successful.

After lunch, the Microsoft Windows and Active Directory product teams had a chalk talk about what’s next with AD where they solicited a LOT of suggestions from the attendees.  I was surprised by the number of people who are using “Prune and Graft” techniques for domain migrations.  Microsoft was very clear, however: do not EVER prune and graft domains.

And I'll leave it at that. In all, it was a great experience, and I learned so much. I'm going to go back again!

Tuesday the 4th started with Stuart Kwan’s keynote at 8am – he talked about an eventual plug and play software “identity bus” where you just plug in identity management software, and it just works – the same as PCI or USB hardware does on those busses. It’s a pretty cool concept, and that Microsoft is driving in that direction is great. I just can’t see how quickly they’ll be able to get there. But it’s a well thought out plan they seem to have. I’m excited to watch it grow.

Next was 2 sessions by Darren Mar-Elia about Group Policy wrapped around a session by Group Policy Program Manager Kevin Sullivan (I couldn’t find a blog/site of his, so that’s the Group Policy team blog). Darren spoke first about automating GPO, then about performance tuning. The information on automating GPO will be used within the next few weeks at work – the one thing I dislike about my job is getting up in the middle of the night to turn on a script element, or change GPO object linking – it’s VERY simple work, takes only seconds, but has to be timed. Now that I can script and schedule, I’m a VERY happy man! Darren did some great demos, provided info about a few of the cmdlets he used, and sent me away with a ton of new info. His second session on GPO performance was really informative, and greatly influenced a few designs I have building right now. He talked about the differences between running lots of objects with few settings vs. few objects with lots of settings and how the engine parses them. It turns out that for a “gpupdate /force” or a reapply of all objects, the timing is about the same!

Kevin Sullivan talked about the new “GP Preferences” and client side extensions available for WinXP and higher OSes, that will be available with the new Remote Server Administration Tool (RSAT). I’ve been looking for that download every day since they mentioned it. Still waiting…  but with some new security initiatives at one of my smaller clients, I’ll be using these soon as well!

Mark Foust from Microsoft had a great discussion on security audits and the most common problems found – they’re amazingly simple ones to fix, too, like cleaning up members of built-in groups such as “Schema Admins”, that even large enterprises miss.  A great reminder of where to start with security house cleaning.

We then had several "Birds of a Feather" sessions. I attended the Group Policy one, led by Kevin and Darren. We had some great back-and-forth about how other companies are using Group Policy, how to do upgrades to the new Client-Side Extensions, and other GPO subjects. There were some requests for better reporting than RSoP provides, and a request for a way to dump RSoP reports into something that can be audited against, like with System Center 2007. It's not something I had noticed as missing in my environments, but once the idea was mentioned, I realized how great it would be. Hopefully Kevin has taken the idea back to Redmond for further review.

The evening was spent mostly in the Centrify hospitality suite, talking Linux/Windows interoperability with several other attendees, and an early trip home to rest up for the morning!

I spent a large portion of this week at DEC 2008. I mentioned previously that I’d be presenting as well. Now that I’ve had a couple of days back to catch up with work and home, I wanted to recap the amazing experience, and share a few bits of info that I learned as well.

Sunday March 2nd was only registration and the reception for me. I just used the brief time downtown to meet with the Centrify and Likewise teams who worked so hard over the previous month to help me prepare my presentation for Wednesday. I met a bunch of great new contacts as well – not a conversation passed that I didn’t learn something new.

Monday the 3rd included Gil Kirkpatrick's discussion on AD administrators vs. software developers, Jerry Camel and Brad Turner's overview of proper architecture for ILM "2", how Microsoft is using Windows Server 2008 (Brian Puhl), an amazingly in-depth look into AD with Dean Wells and Joe Richards, and a discussion about how Centrify DirectControl works (in Centrify's vendor track).

Gil Kirkpatrick covered things like mistakes that developers often make because they’re taught how to write well-constructed SQL queries, but not well-constructed LDAP queries. He discussed at great length 11 tips to help ensure that directory-integrated software performs as it should, without killing domain controller performance. The most interesting part, however, was his suggestions on how to talk with software developers so that both halves of the IT team can create a well-rounded product.

After lunch, Brian Puhl with Microsoft IT spoke at length about the rollout of Windows Server 2008 within Microsoft. He talked about the problems they encountered running a release candidate OS, and how their rollout process works, from the test domain to the “pre-production” forest of 5000 real users, to the “real” production forest. That they’re able to run in 2008 Forest mode already is impressive to me. The discussion of using RODCs (Read Only Domain Controllers) in DMZs and remote offices was also very cool.

Dean Wells and Joe Richards – if you ever get a chance to see them speak, take it. Not only do they know things about AD that nobody in the audience knew (and the attendees at DEC are *smart*), but they present really well – personality, humor, and great new info. They covered things like exactly what AdminSDHolder does, and how precisely the Infrastructure Master role works (down to the changes inside the DIT itself). They also had a few things to say about the Second City itself.

I spoke in Centrify’s vendor track about their DirectControl product. We had a decent turnout, considering it was a vendor-specific talk. Likewise Software, NetPro software, and OptimalIDM threw some pretty great parties after hours. It was interesting meeting people like Mark Foust, Mike Dube, and Stuart Kwan from Microsoft, Manny Vellon from Likewise Software, David McNeely from Centrify, and John Serban from WaMu, and talking to them about work and other things.

I’ll follow up on Days 2 and 3, including my presentation, in the next few posts.