Monday, September 21, 2015

Install Windows 2012 RODC step by step

If you are looking for step by step instructions to develop plan to install Windows 2012 R2, this article might ease your task.

#Install Windows 2012 RODC

Preparing and Promoting Windows 2012 R2 Server to be Additional Domain Controller into Existing Windows 2008 R2 Forest/Domain

  1. Click start and click on PowerShell
  2. On the PowerShell window type hostname and press enter
  3. Make sure the server Name is in compliance with the serve name standard in your organization
  4. Rename the Server by using PowerShell
  5. Open PowerShell and type the following command

Rename-Computer -NewName ServerName

In the example below we renamed the server to RODC001 by typing

· Rename-Computer –NewName RODC001

· Press enter (Computer will require reboot for changes to take effect)


  1. From PowerShell window type “ncpa.cpl” and configure static IP address for your domain controller


  1. Reboot the server by typing on the PowerShell

· Shutdown –r –f –t 5 and press enter


  1. After server reboots, use remote desktop software (RDP) to log back onto Server and provide administrator credentials.

#Join Server to Domain

Joining server to existing domain is a good practice before promoting it to be a domain controller. When a server joins to domain the host “A record” will be created within the authoritative DNS zone of your domain name space. This ensures your server is able to talk to valid domain controller and your credentials will be cached by the promotion wizard to make things but easier.

1. Click start and open PowerShell, on the PowerShell window type the following command to join the server to existing domain.

Add-Computer – -Restart


2. Provide domain administrator credentials when prompted.


3. Server has been added to Domain successfully. Reboot the server by typing following on the command line or PowerShell window.

Shutdown –r –f –t 5 and press enter

#Preparing Server to be RODC (Add futures and required roles)

1. Log into your domain (not on the local server)


2. Click start open PowerShell and type hostname and press enter

Type Ipconfig /all and press enter


3. Now we have verified correct server name is being used and the static IP address is assigned to server with valid existing DNS server on the TCP IP properties

4. Type “ServerManager” on the PowerShell to Launch Server Manager

5. Click the Manage link at the top-right of the Server Manager console.

6. Select installation type screen, ensure Role-based or feature-based installation and Click “Next”


7. Role-based or feature-based installation is selected, and then click next.


8. Select destination server screen, pick a server and click next.


9. On the Select server roles screen, select Active Directory Domain Services, and then click ok on the add futures prompt window

10. Select DNS Server and click ok on the add futures prompt window

click Next and add “Group Policy Management” click next


11. Select Group Policy Management and click next


12. Click next


13. Click Next


14. Click Install



15. Wait for all the roles and features to be installed and click “close” when finished


16. When the installation completes, click Promote this server to a domain controller.

Promoting Server to be Read Only Domain Controller

After logging back onto server open server manager by typing “ServerManager” on the PowerShell console. Click yellow triangle to open Post-Deployment configuration wizard on top.


1. On the active directory Domain Services Configuration Wizard make sure the domain name and the correct domain administrator account is being used for the domain controller promotion


2. Click next when ready, on the next page we have an option to specify GC and RODC and we can place the new DC into proper AD Site. After providing DSRM password click Next


3. Leave all the default options and click next


4. Select install from media (IMF) options for sites which have slow replication and do the initial install from media (faster) and let the replication take care of the delta.


5. Choose the DC to replicate from


6. Choose the proper directory for. DIT Database, Log files and SYSVOL, we will leave it default


7. Click next in this window you can export the settings to PowerShell script to automate additional installation. If you are satisfied, click next once again


8. Wait for Prerequisites Check to complete and finally Click install to start the installation


Verifying Successful Domain Controller Promotion

1. Log back on to domain controller with proper domain administrator credentials.

2. Click start and open PowerShell, on the PowerShell type “dssite.msc” and press enter


3. Verify the newly promoted server is showing up under proper Active Directory site and replication connection has been created by KCC.

Type “net share” and press enter to verify the SYSVOL is showing up clip_image051

4. Type DCdiag and investigate the output if any issues found.


You can download the word version of this article from following link;

Oz Casey, Dedeal  ( MVP North America)


Security+, Project +, Server + (Blog) (Blog) (Twitter)

Friday, September 18, 2015

Schema Updates Windows 2012 R2

Schema updates are important task and it is necessary for applications Operations systems etc. Active directory Schema updates can be done ahead of time or it can be done with installation of first operating system or the application ( most of the time )

In cases where schema updates needs to be done separate ahead of time , you would need to build step by step upgrading schema implementation plan. After extending schema you would need to make sure , existing applications would continue to work.

Testing Active Directory Schema updates can be trick task as schema updates are “One Way”  meaning the schema updates needs to get done on your domain controller holds the schema master FSMO role from there it gets replicated to all other domain controllers within the Active directory forest environment. Time to time Active directory engineers will recommend stopping inbound and outbound AD replication on the Schema Master Role holder DC and believing this would prevent schema changes getting replicated to rest of the domain controllers within the environment. Which in reality buys you “Nothing or very little” . When you realize your critical legacy application is no longer functioning due to recent schema updates, your only option is to perform Forest Level recovery and this will be a “surgery” in term of getting everything up and running and especially  large environments. The domain controllers you shutdown will only buy you  recovery time “recover from your backup , active directory database” and you will still have to deal with having old .DIT , SysVOL etc. to replicate rest of the domain controllers and deal with FSMO roles.

If you are not familiar with process check out my previous article “ Active Directory From Total Lost Disaster Recovery Basic Steps.” and make sure you have developed restoring Active Directory from total lost white paper for your environment.

in order to perform AD recovery You need to understand the BurFlag keys and what they do and how to  Perform an authoritative  SYSVOL restore Set BurFlags to D4 or none authoritative restore D2 and understand the crucial difference in between. 

Extending Schema

We will extend the schema from windows 2008 R2 to windows 2012 R2. We will document steps and verify the schema version change.

  1. Log onto your existing windows 2008 R2 Server via RDP ( Remote Desktop Services) with your domain administrator privileges and provide your credentials when prompted.
  2. In order to extend the schema you will need to be member of Schema Admins security group.
  3. After successful logon , click start and on the search menu type PowerShell and press enter.
  4. On the PowerShell window type
Import-Module ActiveDirectory


On the PowerShell window type the following one liner PowerShell to find out the current schema version

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectversion


let’s explore the schema version numbers

Schema versions :

  • 69 = Widows 2012 R2
  • 56 = Windows 2012
  • 47 = windows Server 2008 R2
  • 44 = Windows Server 2008

You will need adprep folder to perform the schema updates."adprep" folder is located within windows 2012 R2 install CD , under support folder, copy "adprep" folder onto C drive of the domain controller ( windows 2008 R2)


From C:\Temp\adprep folder we will start executing adarep to perform schema updates.

Adprep /? Will show all available options;



Adprep /ForestPrep and press enter , you will need to type letter "C" to confirm and start the schema upgrade.

Adprep /ForestPrep


Schema changes will get done on the schema master first and from there it will get replicated to your other domain controllers. You can use "netdom" to find out the domain controller holds the schema master role and remember there is only one schema master per active directory forest.



Now run the Domain Prep


Now we need to run the PowerShell to get the Schema object version  69 = Widows 2012 R2

Oz Casey, Dedeal  ( MVP North America)
Security+, Project +, Server + (Blog) (Blog


Sunday, August 9, 2015

Move Ad Computer Accounts from csv File into Target OU.

In this example we will move selected computer accounts from csv file into target OU. You will need to prepare csv file similar the one below and name the first column “CN”  and save it to server where you will be running the script from.This script will be very handy if you need to move computers from different locations into selected target OU.

You will need to change few things within the script to make it work within your environment.

$TargetOU = 'OU=Computers,OU=VA,DC=TekPros,DC=com'  (Change this to make sure it suits your needs)



Here is the script

# This script will help to move bulk ad computer accounts into target OU
# Written 08/08/15 Casey, Dedeal
# Fell free to change use any part of this script

#Importing AD Module
Write-Host " Importing AD Module..... "
import-module ActiveDirectory
Write-Host " Importing Move List..... "
# Reading list of computers from csv and loading into variable
$MoveList = Import-Csv -Path "C:\Temp\PC_Move_List.csv"
# defining Target Path
$TargetOU = 'OU=Computers,OU=VA,DC=TekPros,DC=com'
$countPC    = ($movelist).count
Write-Host " Starting import computers ..."

foreach ($Computer in $MoveList){   
    Write-Host " Moving Computer Accounts..."
    Get-ADComputer $Computer.CN | Move-ADObject -TargetPath $TargetOU

Write-Host " Completed Move List "

Write-Host " $countPC  Computers has been moved "

You can download the script from this link

Oz Casey, Dedeal  ( MVP North America)
Security+, Project +, Server + (Blog) (Blog)

Active Directory Moving Users to Another OU via CSV File.

In this task we will move AD users location from their current OU into different OU.

  • we will need to prepare CSV file contains all AD users ( names ) you wish to move into another OU ( Organizational Unit ) see the sample below. Name the first column as “name” and list all the account underneath.
  • Save this into a location on your server where you will be running the PS script from, for instance  C:\temp\Acc_MoveList.csv



This is the location where we will move all the accounts into


# Import AD Module
import-module ActiveDirectory

# Import CSV
$MoveList = Import-Csv -Path "C:\Temp\Acc_MoveList.csv"
# Specify target OU.This is where users will be moved.
$TargetOU =  "OU=SVC_Users,OU=VA,DC=TekPros,DC=com"
# Import the data from CSV file and assign it to variable
$Imported_csv = Import-Csv -Path "C:\temp\Acc_MoveList.csv"

$Imported_csv | ForEach-Object {
     # Retrieve DN of User.
     $UserDN  = (Get-ADUser -Identity $_.Name).distinguishedName
     Write-Host " Moving Accounts ..... "
     # Move user to target OU.
     Move-ADObject  -Identity $UserDN  -TargetPath $TargetOU
Write-Host " Completed move "
$total = ($MoveList).count
Write-Host "Accounts have been moved succesfully..."

Few things you will need to change to run the PS,

  • $TargetOU =  "OU=SVC_Users,OU=VA,DC=TekPros,DC=com" ( you will need to change this to make sure it fits into your environment
  • $MoveList = Import-Csv -Path "C:\Temp\Acc_MoveList.csv" (you will need to change this to make sure it fits into your environment)

Once you make the changes you should be able to move the users listed on your CSV file with no issues.


Download the script and sample CSV from here

you can also download the script from  here

Oz Casey, Dedeal  ( MVP North America)
Security+, Project +, Server + (Blog) (Blog)