
Setting up Additional Domain Controller using IFM (Install From Media)

Adding an additional Domain Controller needs reasonable bandwidth to the existing DCs (by default the promotion expects at least 500 Kbps). Now imagine you are planning to add an additional DC at a remote site where the bandwidth is quite low (below 500 Kbps); as a result you will not be able to add the additional DC.

One solution used before 2008 was to take a System State backup, transfer it to the remote site on some external media, and then use it there. But taking a System State backup takes a long time, and it is neither secure nor preferable to do it this way. Instead we can use the Install from Media option.
From 2008 onwards Microsoft introduced IFM (Install From Media), with which we can add an additional Domain Controller even when the bandwidth is low. In Install from Media we basically copy NTDS.DIT (the physical AD database file) and the registry settings that are required to promote a Domain Controller.

Note - You can join computers to a domain offline, but a Domain Controller can't be promoted in offline mode. There needs to be connectivity with a working writable DC for promoting a new DC.



Steps
1. Login to any writeable Domain Controller and open CMD as an Administrator.
2. Run the commands below:
ntdsutil
activate instance ntds
ifm
create full C:\IFM

Once done, it will automatically copy the AD database and the registry settings into the IFM folder under C:\.
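The same media creation as a script, as an added example that is not from the original post: it runs the ntdsutil steps above non-interactively, checks that the media contains what the promotion needs, and writes a SHA-256 manifest so the copy can be verified after it reaches the remote site. It assumes an elevated PowerShell session on a writable DC and that C:\IFM does not exist yet.

```powershell
# Added example (not the original post's code). Assumes an elevated session on a
# writable DC and that $IfmPath does not exist yet (ntdsutil refuses to overwrite it).
$IfmPath = 'C:\IFM'

if (Test-Path $IfmPath) { throw "$IfmPath already exists; ntdsutil will not overwrite it." }

# The same commands as the interactive ntdsutil session above, passed as arguments.
& ntdsutil.exe 'activate instance ntds' 'ifm' "create full $IfmPath" 'quit' 'quit'
if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed with exit code $LASTEXITCODE" }

# A full IFM set carries the AD database plus the registry export mentioned above.
$Database = Join-Path $IfmPath 'Active Directory\ntds.dit'
$Registry = Join-Path $IfmPath 'registry'
if (-not (Test-Path $Database)) { throw "Missing $Database" }
if (-not (Get-ChildItem -Path $Registry -ErrorAction SilentlyContinue)) {
    throw "Missing registry export in $Registry"
}

# Hash every file. The manifest is written beside the folder, not inside it, so it can
# travel separately and be compared on the remote server before the media is used.
$Manifest = Get-ChildItem -Path $IfmPath -Recurse -File | ForEach-Object {
    [pscustomobject]@{
        RelativePath = $_.FullName.Substring($IfmPath.Length + 1)
        SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        Bytes        = $_.Length
    }
}
$Manifest | Export-Csv -Path "$IfmPath.manifest.csv" -NoTypeInformation
'IFM media ready: {0} files, {1:N0} MB' -f $Manifest.Count,
    (($Manifest | Measure-Object -Property Bytes -Sum).Sum / 1MB)

# ntds.dit holds every account's password hashes, so treat the folder like a domain backup:
# move it only over an encrypted channel or encrypted removable media, and delete both
# copies once the new DC has been promoted.
```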



3. At this point the IFM media is ready. Now we simply need to install the ADDS role on the remote site server which we are planning to promote as a Domain Controller.

Note - Kindly make sure the prerequisites for promoting a Domain Controller are met: things like IP configuration and primary / secondary DNS should be properly configured.
Ex - DC1 is in Site 1; I am adding DC2 as an additional Domain Controller in Site 2.
Installing ADDS using PowerShell (you can also do the installation via the GUI). Below is the command:
Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools

Post installation of the ADDS role, click on the Notification tab and start promoting it to a Domain Controller.

Since we are adding an additional Domain Controller, we select "Add a domain controller to an existing domain". Cross-check the domain name and make sure a user with sufficient access is listed.
(Since I am logged in as Administrator, which is part of Domain Admins, it is auto-populated in the field below.)

Click Next and select Site 2. I will be setting up this DC as a Global Catalog server, hence I check-mark that option, provide the DSRM password and click Next.

DSRM - Directory Services Restore Mode. It is not the Administrator's or any domain ID's credential; it is a local password for this DC only, and you can have a different DSRM password for each DC. This password is primarily useful when we take a DC into restore mode. One such example is booting the DC into safe mode for restoration from the last backup.

Now here you need to make some changes. Instead of selecting the "Replicate from" option, we check-mark the Install from Media option and browse to the IFM folder which we created on the other writable Domain Controller (DC1).
I have copied it to the DC2 Desktop, so I will be selecting it accordingly.

Keep the default paths for the NTDS database, log files and SYSVOL folder and click Next.

Review all the options selected and click Next. It will run a prerequisite check; let it complete. Once done, click Install.

Now the promotion process will start. Once complete, the system will restart automatically.

Post reboot, you will have an additional DC in the remote site. You can cross-check in AD Sites & Services, where under Site 2 you will see DC2 as a new entry, or in AD Users and Computers under the Domain Controllers OU, and in many other places too.
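The wizard pages above (existing domain, Site 2, Global Catalog, DSRM password, Install from Media, default paths, prerequisite check, install) done with the ADDSDeployment cmdlets on DC2, as an added example that is not from the original post. It assumes the IFM folder was copied to C:\IFM on DC2 with a SHA-256 manifest (a CSV of RelativePath,SHA256 rows) beside it, that the current logon is a Domain Admin as in the post, and uses 'contoso.local' as a placeholder domain name.

```powershell
# Added example (not the original post's code). Assumes C:\IFM and C:\IFM.manifest.csv
# were copied to DC2, the current logon is a Domain Admin, and a placeholder domain name.
$IfmPath  = 'C:\IFM'
$Domain   = 'contoso.local'   # placeholder: replace with your domain
$SiteName = 'Site 2'

# 1. Do not use the media until it matches the manifest taken on DC1.
Import-Csv -Path "$IfmPath.manifest.csv" | ForEach-Object {
    $File   = Join-Path $IfmPath $_.RelativePath
    $Actual = (Get-FileHash -Path $File -Algorithm SHA256).Hash
    if ($Actual -ne $_.SHA256) { throw "Hash mismatch for $File; do not promote from this media." }
}

# 2. Role install, as in step 3 above.
Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools

# 3. The DSRM password is local to this DC only; prompt for it instead of hard-coding it.
$Dsrm = Read-Host -AsSecureString -Prompt 'DSRM password for DC2'

# 4. The same settings the wizard collects: existing domain, Site 2, GC, IFM path, default paths.
$Settings = @{
    DomainName                    = $Domain
    SiteName                      = $SiteName
    InstallationMediaPath         = $IfmPath    # the "Install from Media" choice
    SafeModeAdministratorPassword = $Dsrm
    NoGlobalCatalog               = $false      # DC2 will be a Global Catalog
    InstallDns                    = $true
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# 5. Prerequisite check, the same one the wizard runs before enabling Install.
$Check = Test-ADDSDomainControllerInstallation @Settings
if ("$($Check.Status)" -ne 'Success') { $Check.Message; throw 'Prerequisite check failed' }

# 6. Promote. The server reboots on completion, as in the wizard.
Install-ADDSDomainController @Settings -Force:$true

# After the reboot, from any DC, confirm what AD Sites & Services shows under Site 2:
#   Get-ADDomainController -Filter "Site -eq '$SiteName'" | Select-Object HostName, Site, IsGlobalCatalog
```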

Lingering Objects in Active Directory

What are Lingering Objects?

Before we can understand Lingering Objects, we first need to know what a Tombstone Object and the Tombstone Lifetime are.


Tombstone Object

Whenever an object in AD is deleted, it is not permanently removed from AD. The object is first converted to a special object called a "Tombstone Object", and tombstones reside in AD in a special container called Deleted Objects.

Like all objects in AD, Tombstone Objects also replicate; this makes sure the other Domain Controllers in the environment also mark that object as deleted in their copy of the database.

Tombstone Lifetime

Now the question is: how long do these Tombstone objects reside in AD?

A tombstone object is preserved in AD for a certain time, and that time period is called the "Tombstone lifetime". Once the tombstone lifetime expires, the tombstone object is discarded / deleted permanently from AD.


To check the Tombstone Lifetime -

Login to any Domain Controller in the domain --> Run --> ADSIEDIT.MSC --> Connect --> select the Configuration naming context --> navigate to CN=Services --> CN=Windows NT --> CN=Directory Service (right-click) --> Properties to see the Tombstone Lifetime.

From the above snap, it's clear that the Tombstone lifetime is 180 days. If required, we can edit it too; the value is then replicated to all the DCs in the domain.

So if we delete an object today, it will remain in AD for the next 180 days before it is permanently purged from the Active Directory database.


Lingering Object

Now to understand Lingering Objects, consider the example below -

Consider you have a total of 5 Domain Controllers [DC1, DC2 .... DC5] in your environment, and today is 1st Jan. The Tombstone lifetime is set to 10 days in the domain.

Now further assume DC1 goes down due to some operating system issue on 2nd Jan. The other 4 DCs are working fine and you do normal operations on them (creating, deleting, renaming objects etc.). Suppose you have deleted 4 AD groups and 2 user accounts on 3rd Jan. DC1 is still down, and as we know AD is a multi-master database model, so all these deletions are also replicated to the other working DCs.

Since the Tombstone lifetime is set to 10 days, the objects deleted on 3rd Jan are preserved in AD till 13th Jan (a total of 10 days). Now further assume you manage to bring DC1 back after 13th Jan. Now all 5 DCs are operational, but since the tombstone lifetime for the objects deleted on 3rd Jan has already expired, DC2, DC3, DC4 and DC5 no longer have those objects in their database copy, whereas DC1 still has those deleted objects in its database copy (simply because those objects were present before DC1 went down).

These unwanted objects linger in the environment, and hence they are known as "Lingering Objects".
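An added example, not from the original post, that covers both the ADSIEDIT check above and the DC1 scenario: it reads the tombstone lifetime from the same Directory Service object in the Configuration naming context, then flags every replication partner whose last successful inbound replication is older than that lifetime, which is exactly the condition under which a returning DC carries lingering objects. It assumes the ActiveDirectory PowerShell module is installed and the account can read replication metadata on each DC.

```powershell
# Added example (not the original post's code). Assumes the ActiveDirectory module and
# rights to read replication metadata from every DC in the domain.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # Same object the ADSIEDIT path above opens: CN=Directory Service in the Configuration NC.
    $ConfigNC = (Get-ADRootDSE).configurationNamingContext
    $Ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$ConfigNC" `
                       -Properties tombstoneLifetime
    # When the attribute is not set, AD falls back to the legacy default of 60 days.
    if ($null -eq $Ds.tombstoneLifetime) { 60 } else { [int]$Ds.tombstoneLifetime }
}

function Get-LingeringObjectRisk {
    param([int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays))
    # Any partner that last replicated successfully before this date is in the DC1 situation.
    $Cutoff = (Get-Date).AddDays(-$TombstoneLifetimeDays)
    foreach ($Dc in Get-ADDomainController -Filter *) {
        # One record per inbound partner and partition for this DC.
        $Meta = Get-ADReplicationPartnerMetadata -Target $Dc.HostName -Scope Server `
                                                 -ErrorAction SilentlyContinue
        if (-not $Meta) {
            # Unreachable (like DC1 while it was down): cannot be judged from here, so report it.
            [pscustomobject]@{ Server = $Dc.HostName; Partner = '(unreachable)'
                               Partition = $null; LastSuccess = $null; Risk = 'Unknown' }
            continue
        }
        foreach ($M in $Meta) {
            if ($M.LastReplicationSuccess -lt $Cutoff) {
                [pscustomobject]@{
                    Server      = $Dc.HostName
                    Partner     = $M.Partner
                    Partition   = $M.Partition
                    LastSuccess = $M.LastReplicationSuccess
                    Risk        = "Exceeded $TombstoneLifetimeDays-day tombstone lifetime"
                }
            }
        }
    }
}

Get-LingeringObjectRisk | Format-Table -AutoSize
```

A DC that shows up here should not simply be reconnected and left to replicate; repadmin /removelingeringobjects (run with /advisory_mode first) is the supported cleanup, and enabling Strict Replication Consistency on the healthy DCs stops a lingering object from replicating back into them.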