Tag Archives: Active Directory

How to: Join Windows Server 2012 Core to domain

Since Windows Server 2012 allows adding and removing the GUI “on the fly” via Install-WindowsFeature/Uninstall-WindowsFeature and their aliases, the number of “How do I do X in Server Core?” questions has decreased drastically, as there is now a universal lazy man's response: temporarily add the GUI, do thing X, and remove the GUI again. Not always time efficient, but effective 🙂

Anyhow, almost everything can be done without the GUI. Here are your options for performing a domain join on a Server Core box:

1) The old-school crutch, sconfig 🙂 Use menu option (1):

sconfig

You may notice that it actually uses netdom.exe in the background when it asks for the password:

[Screenshot: sconfig domain join]

It even suggests changing the computer name in case you forgot to do it in advance:

[Screenshot: sconfig domain join - computer name change prompt]

Assuming you entered the correct password and your DNS/IP settings allow you to locate and reach a domain controller, you will receive a reboot prompt at the end of this process:

[Screenshot: sconfig domain join - restart prompt]

Once the restart is performed you can verify the results either via WMIC or PowerShell:

[Screenshot: sconfig domain join - verify via WMIC or PS]

2) The Add-Computer cmdlet.

3) The djoin command. This one also allows you to perform an offline domain join.

[Screenshot: djoin]

There is also the related dsadd command, but it can only be used to pre-create a computer account in the domain: it will create the computer account, but will not join the local computer from a workgroup to the domain.
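To show options (2) and (3) in working form, here is an added PowerShell example (it is not from the original post). It does an Add-Computer join with the same rename and reboot steps sconfig walks you through, provides the post-reboot check the post mentions, and lists the djoin offline-join steps in comments. The domain name 'corp.example', the OU path and the computer name 'CORE01' are placeholders you must replace.

```powershell
# Added example, not part of the original post. Placeholders: domain, OU, new name.
$DomainName = 'corp.example'                     # assumed domain
$OUPath     = 'OU=Servers,DC=corp,DC=example'    # assumed target OU for the computer object
$NewName    = 'CORE01'                           # assumed new hostname

function Test-DomainReachability {
    param([string]$Domain)
    # Before joining, confirm DNS resolves the domain's LDAP SRV records; a failing
    # lookup is the usual cause of "a domain controller could not be contacted".
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
        return ($srv | Where-Object { $_.Type -eq 'SRV' } | Measure-Object).Count -gt 0
    } catch {
        return $false
    }
}

function Join-CoreServer {
    param([string]$Domain, [string]$OU, [string]$Name)
    # Prompt for the join account interactively; never hard-code its password in a script.
    $cred = Get-Credential -Message "Account allowed to join computers to $Domain"
    # -NewName renames the machine in the same operation (sconfig prompts for this separately);
    # -Restart reboots immediately, which the join needs in order to take effect.
    Add-Computer -DomainName $Domain -OUPath $OU -NewName $Name -Credential $cred -Restart -Force
}

function Get-DomainJoinStatus {
    # After the reboot: the PowerShell equivalent of 'wmic computersystem get domain,partofdomain'.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName  = $cs.Name
        Domain        = $cs.Domain
        PartOfDomain  = $cs.PartOfDomain
        # Confirms the machine account's secure channel to a DC actually works.
        SecureChannel = Test-ComputerSecureChannel
    }
}

if (Test-DomainReachability -Domain $DomainName) {
    Join-CoreServer -Domain $DomainName -OU $OUPath -Name $NewName
} else {
    Write-Warning "Cannot resolve DC SRV records for $DomainName; fix DNS/IP settings first."
}

# Offline join alternative (djoin): run the provisioning step on an already
# domain-joined machine, copy the resulting blob to the Core box, then request the
# offline join there. The blob contains the machine account password, so treat it
# as a secret and delete it after use.
#   djoin /provision /domain corp.example /machine CORE01 /savefile CORE01.djoin
#   djoin /requestodj /loadfile CORE01.djoin /windowspath $env:SystemRoot /localos
```

Run the script on the Core box, let it reboot, then run Get-DomainJoinStatus in a fresh session: PartOfDomain should be True and SecureChannel True.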


How to verify AD DS FFL/DFL and how to roll back to lower levels

Microsoft Active Directory Domain Services evolves with each edition of Windows Server, and whenever you do an initial install of AD DS or upgrade your DC servers there is an option/decision for you to set/upgrade the Domain and Forest functional levels (I will refer to those as DFL and FFL respectively). Each new level introduces some new features, and starting from 2008 R2 there is an option to roll back to lower levels. This is possible only if you have not enabled certain features which require the current FFL/DFL (think of the AD Recycle Bin etc.).

In short, it means that from Server 2012 R2 DFL/FFL you can roll back as far down as Server 2008 (certain limitations apply here). In the TechNet article “Understanding Active Directory Domain Services (AD DS) Functional Levels” you can find details on the features available at each functional level, as well as a neat table describing the possible rollback options. In this blog post I want to describe how you can check your current FFL/DFL and perform a rollback to a lower level.

Most of the features are tied to the DFL, and some of those have FFL requirements as well. To give you an idea of which features become available with newer DFLs:

Server 2008: DFS replication support for WS 2003 SYSVOL, Domain-based DFS namespaces (includes support for access-based enumeration and increased scalability), AES128/256 for Kerberos, Last Interactive Logon Information, Fine-grained password policies, Personal Virtual Desktops.

Server 2008 R2: Authentication mechanism assurance (packages information about the logon method type into the Kerberos token), automatic SPN management for services running on a specific computer under the context of a Managed Service Account when the name of the machine account changes.

Server 2008 R2 FFL: Active Directory recycle bin

Server 2012: KDC support for claims, compound authentication and Kerberos armoring

Server 2012 R2: DC-side protections for Protected Users, Authentication Policies, Authentication Policy Silos.

Now to the practical part of this blog post. How to check current FFL/DFL:

1) GUI way. Open the “Active Directory Domains and Trusts” snap-in and right-click your domain to access its properties. On the General tab you will see the DFL/FFL:

[Screenshot: AD DS DFL-FFL level 01]

2) PowerShell method 1. This method does not require admin or domain admin rights, and can be used even as a limited user on a domain-joined workstation with PowerShell v2/v3 or newer. It also does not require any third-party tools or PowerShell modules (e.g. the Microsoft PowerShell AD module).

$dse = ([ADSI] "LDAP://RootDSE")

# Domain Controller Functional Level
$dse.domainControllerFunctionality

# Domain Functional Level
$dse.domainFunctionality

# Forest Functional Level
$dse.forestFunctionality

This script returns three numeric values which can be interpreted using the following table:

Value   Forest          Domain                  Domain Controller
0       2000            2000 Mixed/Native       2000
1       2003 Interim    2003 Interim            N/A
2       2003            2003                    2003
3       2008            2008                    2008
4       2008 R2         2008 R2                 2008 R2
5       2012            2012                    2012
6       2012 R2         2012 R2                 2012 R2

3) PowerShell method 2. Requires the Microsoft PowerShell AD module.

# Get the Forest functional level
(Get-ADForest).ForestMode

# Get the Domain functional level
(Get-ADDomain).DomainMode

This script gives easily readable output instead of the numbers you get with method (2).
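To get readable output from method (2) without installing the AD module, here is an added PowerShell example (not from the original post) that reads RootDSE the same way and decodes the three numbers with the table above. It also goes a step beyond the post by reporting every DC in the current domain, since the lowest DC level is what limits how far the DFL can be raised. The function and variable names are my own.

```powershell
# Added example, not part of the original post. No AD module required; runs as a plain domain user.

# Numeric value -> readable level, taken from the table in the post.
$ForestLevels = @{ 0='Windows 2000'; 1='Windows Server 2003 Interim'; 2='Windows Server 2003'
                   3='Windows Server 2008'; 4='Windows Server 2008 R2'; 5='Windows Server 2012'
                   6='Windows Server 2012 R2' }
$DomainLevels = @{ 0='Windows 2000 Mixed/Native'; 1='Windows Server 2003 Interim'; 2='Windows Server 2003'
                   3='Windows Server 2008'; 4='Windows Server 2008 R2'; 5='Windows Server 2012'
                   6='Windows Server 2012 R2' }
$DcLevels     = @{ 0='Windows 2000'; 2='Windows Server 2003'; 3='Windows Server 2008'      # no value 1 for DCs
                   4='Windows Server 2008 R2'; 5='Windows Server 2012'; 6='Windows Server 2012 R2' }

function ConvertTo-LevelName {
    param([hashtable]$Map, $Value)
    $n = [int]$Value
    if ($Map.ContainsKey($n)) { return $Map[$n] }
    # Newer Windows versions return values above 6; report the raw number rather than guess.
    return "Unknown level ($n)"
}

function Get-FunctionalLevelReport {
    param([string]$Server)   # optional: query a specific DC instead of whichever one answers
    $path = if ($Server) { "LDAP://$Server/RootDSE" } else { 'LDAP://RootDSE' }
    $dse  = [ADSI]$path
    # Each RootDSE attribute comes back as a value collection; [0] takes the single string value.
    [pscustomobject]@{
        DomainController = [string]$dse.dnsHostName
        DCLevel          = ConvertTo-LevelName $DcLevels     $dse.domainControllerFunctionality[0]
        DomainLevel      = ConvertTo-LevelName $DomainLevels $dse.domainFunctionality[0]
        ForestLevel      = ConvertTo-LevelName $ForestLevels $dse.forestFunctionality[0]
    }
}

function Get-AllDcLevels {
    # Enumerate every DC in the current domain via .NET (still no AD module) and report each;
    # a DC still at a lower level caps how far the DFL can be raised, so it is worth spotting.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        Get-FunctionalLevelReport -Server $dc.Name
    }
}

Get-FunctionalLevelReport | Format-List
Get-AllDcLevels | Format-Table -AutoSize
```

Domain and forest levels are the same on every DC; only DCLevel should differ between rows, and if it does, that is the DC holding your DFL back.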

How to roll back to a lower FFL/DFL:

While you can raise the FFL/DFL via the GUI using the “Active Directory Domains and Trusts” snap-in, you cannot lower it using the GUI and have to use PowerShell for this. Here are the commands you have to use:

Set-ADForestMode -Identity "yourdomain.com" -ForestMode Windows2008Forest
Set-ADDomainMode -Identity "yourdomain.com" -DomainMode Windows2008Domain

Order is important: first forest, then domain. Depending on your current DFL/FFL, the values for the ForestMode/DomainMode parameters include Windows2012Forest/Windows2012Domain, Windows2008R2Forest/Windows2008R2Domain and Windows2008Forest/Windows2008Domain.

As the possibility to lower the FFL/DFL was introduced in Server 2008 R2, you cannot go lower than Server 2008. So in case you need something like Server 2003 or Windows 2000 FFL/DFL for your tests, you have to install AD DS from scratch.
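Since the rollback fails when a level-dependent feature such as the Recycle Bin is enabled, here is an added PowerShell example (not from the original post) that checks for that blocker first, prints the current levels, and then runs the two Set-AD*Mode commands in the order the post prescribes, with a dry run by default. It needs the AD module; 'corp.example' and the function names are placeholders of my own.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory module and
# Enterprise Admins rights; 'corp.example' below is a placeholder forest root domain.
Import-Module ActiveDirectory

function Test-RollbackBlockers {
    param([string]$Forest)
    # The Recycle Bin is the feature the post names as pinning the FFL at 2008 R2 or higher.
    # Note that it cannot be disabled once enabled, so if it shows up here the rollback is off.
    $blockers = @()
    $rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $Forest
    if ($rb -and $rb.EnabledScopes.Count -gt 0) {
        $blockers += "Active Directory Recycle Bin is enabled (scopes: $($rb.EnabledScopes -join ', '))"
    }
    return $blockers
}

function Invoke-FunctionalLevelRollback {
    param(
        [string]$Forest,
        [ValidateSet('Windows2008Forest','Windows2008R2Forest','Windows2012Forest')][string]$ForestMode,
        [ValidateSet('Windows2008Domain','Windows2008R2Domain','Windows2012Domain')][string]$DomainMode,
        [switch]$WhatIf
    )
    $blockers = Test-RollbackBlockers -Forest $Forest
    if ($blockers.Count -gt 0) {
        $blockers | ForEach-Object { Write-Warning $_ }
        throw 'Rollback blocked by the features listed above.'
    }
    Write-Host ("Current levels: forest={0} domain={1}" -f (Get-ADForest -Identity $Forest).ForestMode,
                                                           (Get-ADDomain -Identity $Forest).DomainMode)
    # Forest first: the forest level may never exceed any domain's level, so the domain
    # cannot be lowered while the forest is still sitting at the higher level.
    Set-ADForestMode -Identity $Forest -ForestMode $ForestMode -Confirm:$false -WhatIf:$WhatIf
    Set-ADDomainMode -Identity $Forest -DomainMode $DomainMode -Confirm:$false -WhatIf:$WhatIf
}

# Dry run first; remove -WhatIf to apply the change.
Invoke-FunctionalLevelRollback -Forest 'corp.example' -ForestMode Windows2008Forest -DomainMode Windows2008Domain -WhatIf
```

Re-run the RootDSE or Get-ADForest/Get-ADDomain check from the previous section afterwards to confirm the new levels have replicated to every DC.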
