
Tag Archives: Windows Server

Renaming a Domain Controller

Contrary to some people’s beliefs, it is actually possible to rename a domain controller! For this to work you must have at least 2 domain controllers already in your domain. This WILL NOT work if you have a single domain controller.

Before you start, if the domain controller you are renaming holds any FSMO roles, you must transfer them to the other domain controller.

  1. Open Command Prompt and run netdom computername <current computer name> /add:<new computer name>
  2. Then run netdom computername <current computer name> /makeprimary:<new computer name>
  3. Restart the domain controller
  4. Then open Command Prompt again and run netdom computername <new computer name> /remove:<old computer name>

Precreate 2012 R2 RODC computer object in Active Directory

To pre-create a Read Only Domain Controller account in Active Directory using PowerShell, perform the following steps:

  1. Create a domain user account called RODCADMIN and set its password
  2. Create a security group called Allowed Prepopulating and add the users you want to allow to cache credentials on the RODC, e.g. Domain Users and Domain Computers
  3. Run the following PowerShell command:
    Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName <RODC Computer> -DomainName <FQDN> -SiteName <AD Site Name> -AllowPasswordReplicationAccountName "<domain>\Allowed Prepopulating" -DelegatedAdministratorAccountName "<domain>\RODCAdmin" -InstallDNS -NoGlobalCatalog -ReplicationSourceDC <Writeable Domain Controller FQDN>
  4. Once created, do not join the machine you want to be the RODC to the domain; instead install the Active Directory Domain Services role and then promote it to a domain controller. The settings above should automatically be picked up from AD during this process.

To pre-populate user passwords on a RODC, take a look at this script available from the TechNet Gallery: http://gallery.technet.microsoft.com/scriptcenter/Prepopulate-a-batch-of-34e6d0dc

Performing an Authoritative Synchronisation of SYSVOL using DFSR

I came across a scenario the other week where a newly promoted 2012 R2 domain controller would not complete its initial SYSVOL replication and in doing so was failing to advertise properly as an available authentication server. The only way I was able to resolve this issue was to perform an authoritative synchronisation of the SYSVOL folder using the PDC as the master.

To perform this, follow the steps below. You should install the DFS Replication role on each domain controller in order to use the DFSR command-line tools.

  1. Open ADSI Edit on the PDC and connect to the default naming context.
  2. Navigate to CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>,DC=<local>
  3. Modify the attribute msDFSR-Enabled=FALSE
  4. Modify the attribute msDFSR-options=1
  5. Force AD replication throughout the forest. You can do this by running repadmin /replicate <other dc fqdn> <pdc fqdn> "DC=domain,DC=local" /full /force
  6. Next modify the msDFSR-Enabled=FALSE attribute on all other domain controllers and repeat step 5
  7. Start the DFSR service on the PDC and set as authoritative
  8. Look for Event ID 4114 in the DFSR event log
  9. Modify the attribute msDFSR-Enabled=True on the PDC
  10. Repeat Step 5
  11. Run DFSRDIAG POLLAD from the PDC
  12. Look for Event ID 4602 to indicate SYSVOL has been initialised
  13. Start the DFSR service on all other domain controllers and you should see Event ID 4114 in each event log
  14. Modify the attribute msDFSR-Enabled=True on all other domain controllers
  15. Repeat step 5
  16. Run DFSRDIAG POLLAD on all other domain controllers
  17. SYSVOL should now replicate between all domain controllers having this issue

To force a SYSVOL replication you can use the DFSR command-line tool from the PDC:

DFSRDIAG SyncNow /Partner:<other dc fqdn> /RGName:"Domain System Volume" /Time:5
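The following PowerShell helpers are an added example, not part of the original post, covering the attribute edits (steps 3, 4, 6, 9 and 14), the forced replication in step 5, the event checks in steps 8 and 12, and a final verification of the attribute state on every DC. They assume the ActiveDirectory RSAT module and repadmin.exe are present, a Domain Admin session, and the function and parameter names are my own.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module,
# repadmin.exe, and a Domain Admin session. Function names are hypothetical.
Import-Module ActiveDirectory

function Get-SysvolSubscriptionDN {
    # DN of the DFSR SYSVOL subscription object for one DC (the object edited in ADSI Edit above).
    param([string]$DcName, [string]$DomainDN)
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DcName,OU=Domain Controllers,$DomainDN"
}

function Set-SysvolDfsrState {
    # Sets msDFSR-Enabled, and msDFSR-Options=1 when -Authoritative is given (PDC only).
    # Writes against the DC itself so it sees its own change before replication.
    param($Dc, [string]$DomainDN, [bool]$Enabled, [switch]$Authoritative)
    $dn = Get-SysvolSubscriptionDN -DcName $Dc.Name -DomainDN $DomainDN
    $attrs = @{ 'msDFSR-Enabled' = $Enabled }
    if ($Authoritative) { $attrs['msDFSR-Options'] = 1 }
    Set-ADObject -Identity $dn -Server $Dc.HostName -Replace $attrs
}

function Invoke-AdReplicationFromPdc {
    # Step 5: pull the domain partition from the PDC to every other DC.
    param([string]$PdcFqdn, [string]$DomainDN)
    Get-ADDomainController -Filter * | Where-Object { $_.HostName -ne $PdcFqdn } | ForEach-Object {
        & repadmin.exe /replicate $_.HostName $PdcFqdn $DomainDN /full /force
    }
}

function Wait-DfsrEvent {
    # Steps 8 and 12: poll the DFS Replication log for 4114 (SYSVOL stopped) or 4602 (SYSVOL initialised)
    # logged since $Since, so an old event from a previous run is not mistaken for success.
    param([string]$DcFqdn, [int]$EventId, [datetime]$Since, [int]$TimeoutMinutes = 10)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $ev = Get-WinEvent -ComputerName $DcFqdn -MaxEvents 1 -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'DFS Replication'; Id = $EventId; StartTime = $Since }
        if ($ev) { return $ev }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "Event $EventId not seen on $DcFqdn within $TimeoutMinutes minutes"
}

function Show-SysvolDfsrState {
    # Verification: read msDFSR-Enabled / msDFSR-Options from every DC's own copy of its object,
    # so a DC that has not yet received the replicated change stands out.
    param([string]$DomainDN)
    foreach ($dc in Get-ADDomainController -Filter *) {
        $dn = Get-SysvolSubscriptionDN -DcName $dc.Name -DomainDN $DomainDN
        Get-ADObject -Identity $dn -Server $dc.HostName -Properties 'msDFSR-Enabled', 'msDFSR-Options' |
            Select-Object @{ n = 'DC'; e = { $dc.Name } }, 'msDFSR-Enabled', 'msDFSR-Options'
    }
}
```

Typical use follows the numbered steps: Set-SysvolDfsrState on the PDC with -Enabled $false -Authoritative, Invoke-AdReplicationFromPdc, the same without -Authoritative on the other DCs, then start DFSR and call Wait-DfsrEvent for 4114 and 4602 before re-enabling; Show-SysvolDfsrState at the end confirms every DC shows Enabled True.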
