Archive for July, 2011

Fun with FSMO roles and Functional Levels on Server Core Domain Controllers

Sometimes, in an environment with all Server Core Domain Controllers, it is hard to migrate your Active Directory Domain Controllers from Server Core installations of Windows Server 2008 to Server Core installations of Windows Server 2008 R2.

Steps

The steps to migrate Server Core Domain Controllers on Windows Server 2008 to Windows Server 2008 R2 through Transitioning, are:

  1. Perform a system state back-up of the Windows Server 2008 Server Core Domain Controllers
  2. Run adprep.exe or adprep32.exe from the Windows Server 2008 R2 installation media (depending on the processor architecture of the Windows Server 2008 Server Core Domain Controllers, ie. x86 or x64)
  3. Install Windows Server 2008 R2 Server Core on servers and promote them to Domain Controllers for your existing domain, using dcpromo.exe 
  4. Check the dcpromo.log and dcpromoui.log files and the event viewer to search for possible problems
  5. Take care of FSMO roles and Global Catalog placement
  6. Demote your Windows Server 2008 Server Core Domain Controllers
  7. Raise the Domain Functional Level and  Forest Functional Level

For more information on these steps, read this blog post.

While many steps in the process can be performed, like one would on Full installations of these Operating Systems, other steps may be performed using the Remote Server Administration Tools (RSAT). Two steps, in particular, though, proves to be cumbersome when performing through the Remote Server Administration Tools. It turns out, these steps are actually fun to perform on the PowerShell of your Server Core Domain Controllers. These steps would be step 5 and step 7.

    

Manage FSMO roles

On a Windows Server 2008 R2 Server Core Domain Controller to transfer a Flexible Single Master Operations Role, perform one of these PowerShell one-liners:

Tip!
Don’t forget to run Import-Module Active Directory before running any of the below commands…

  • For the Schema Master FSMO role:

    Move-ADDirectoryServerOperationMasterRole -Identity FullyQualifiedDomainNameOfTheDC -OperationMasterRole SchemaMaster 

        

  • For the Domain Naming Master FSMO role:

    Move-ADDirectoryServerOperationMasterRole -Identity FullyQualifiedDomainNameOfTheDC -OperationMasterRole DomainNamingMaster 

        

  • For the Primary Domain Controller (PDC) emulator FSMO role:

    Move-ADDirectoryServerOperationMasterRole -Identity FullyQualifiedDomainNameOfTheDC -OperationMasterRole PDCEmulator 

        

  • For the RID Pool Master FSMO role:

    Move-ADDirectoryServerOperationMasterRole -Identity FullyQualifiedDomainNameOfTheDC -OperationMasterRole RIDMaster 

        

  • For the Infrastructure Master FSMO role:

    Move-ADDirectoryServerOperationMasterRole -Identity FullyQualifiedDomainNameOfTheDC -OperationMasterRole InfrasturctureMaster 

        

    To transfer all FSMO roles, obviously perform all five one-liners.

    Manage Functional Levels

    In Windows Server 2008 R2, with the new Active Directory PowerShell cmdlets, two new exiting Active Directory PowerShell command emerged:

    1. Set-ADDomainMode
    2. Set-ADForestMode

    These two commands can be used to raise the Domain Functional Level and the Forest Functional Level, respectively. Not only are they able to raise the level, they are also able to return to roll back the functional level raise. (unless one of the Optional Features has been enabled)

    To raise the Domain Functional Level to Windows Server 2008 R2, run the following command, after all the Domain Controllers in your domain run Windows Server 2008 R2:

    Set-ADDomainMode –identity domain.tld –DomainMode Windows2008R2Domain

     

    To raise the Forest Functional Level to Windows Server 2008 R2, run the following command, after all the domains in the forest have been raised to Windows Server 2008 R2:

    Set-ADForestMode –identity domain.tld –ForestMode Windows2008RForest