Sunday, December 29, 2013

Windows Server 2012 - Active Directory - NTDSUTIL, part 1

The NTDSUTIL tool can be used for various operations concerning Active Directory and the ntds.dit database. Some of the more familiar uses are transferring - or seizing - FSMO roles and restoring Active Directory objects.
 
Based on experiences with the ESEUTIL tool used on Exchange databases, I wanted to learn more about maintenance of the ntds.dit database with NTDSUTIL.
 
After some research and consultation, it looks like running the commands that follow is usually not part of a scheduled maintenance plan. In general, the Active Directory database is rather robust and errors are not common. When they do occur, it is most often due to hardware errors such as bad blocks on a disk, or perhaps to an improper shutdown.
 
In comparison, I encountered "SLINK" (Event ID 1025) errors in Exchange from time to time and was advised to run the following command:

isinteg -s <ServerName> -test alltests

If there were warnings or errors, we would attempt to resolve them with this command:

isinteg -s <ServerName> -fix -test alltests

I would also test database integrity with eseutil /g

The database would have to be indicated in either case but since that is not the subject of this post, I'm not going to provide all the details. The subject has been discussed more than once in the Exchange TechNet forums:

Error on database - EventID 1025 SLINK::ecupdate

So... how could we verify the health of the Active Directory ntds.dit database?


NTDSUTIL - general observations

If we have not used NTDSUTIL since Windows Server 2003, the syntax (which already changed with Windows Server 2008) may confuse us.
 
What if I want to verify the checksum of the ntds.dit database? I'll present that in just a moment but for now, let's simply attempt to run the command:

PS C:\> ntdsutil
C:\Windows\system32\ntdsutil.exe: files
Active Instance not set. To set an active instance use "Activate Instance ".
C:\Windows\system32\ntdsutil.exe: activate instance ntds
Active instance set to "ntds".
C:\Windows\system32\ntdsutil.exe: files
Service "NTDS" is running. Stop the service before binding to this Active Directory database.
C:\Windows\system32\ntdsutil.exe:

***

Here we encounter two obstacles (the two messages in the output above).

First, since Windows 2008, we have to "activate" an "instance" of ntds before we can execute any commands.

Second, as with Windows 2003 (and 2000), we cannot run NTDSUTIL file operations against a database that is in use (the exception being the Directory Services Restore Mode (DSRM) password, which we'll see later). But, unlike with Windows 2003, at least we no longer need to boot into DSRM: since Windows Server 2008, Active Directory Domain Services, and more precisely the NTDS service, can be stopped and started without restarting the entire server.

For years, I would use the following combination to stop and start services (NTDS in this case):

net stop ntds
net start ntds

These commands still work, but note the dependent services that are stopped along with NTDS (while they are down, this domain controller issues no Kerberos tickets and answers no DNS queries):

PS C:\> net stop ntds

The following services are dependent on the Active Directory Domain Services service.
Stopping the Active Directory Domain Services service will also stop these services.

   Kerberos Key Distribution Center
   Intersite Messaging
   DNS Server
   DFS Replication

Do you want to continue this operation? (Y/N) [N]: Y

The Kerberos Key Distribution Center service was stopped successfully.
The Intersite Messaging service is stopping.
The Intersite Messaging service was stopped successfully.

The DNS Server service is stopping.
The DNS Server service was stopped successfully.

The DFS Replication service was stopped successfully.
The Active Directory Domain Services service is stopping.
The Active Directory Domain Services service was stopped successfully.


After running the NTDSUTIL commands (that we'll see in a second - I promise!), we would have to restart the Active Directory Domain Services:

PS C:\> net start ntds

The Active Directory Domain Services service is starting...
The Active Directory Domain Services service was started successfully.



***

But what about the other services that were stopped?

Apparently, they are restarted when the NTDS service is restarted - which I was not sure would be the case. What follows is a "snip" from the output of the Get-Service cmdlet:

Running  DFSR               DFS Replication
Running  DNS                DNS Server
Running  IsmServ            Intersite Messaging
Running  Kdc                Kerberos Key Distribution Center


But since we are at Windows Server 2012 and the recommendation is to use PowerShell, let's use cmdlets to stop and (re)start the services:

PS C:\> stop-service ntds

stop-service : Cannot stop service 'Active Directory Domain Services (ntds)' because it has dependent services. It can only be stopped if the Force flag is set. [...]

So we have to force the shutdown with the... -Force flag:

PS C:\> stop-service ntds -force

Now - finally - we are ready to try some NTDSUTIL commands.


NTDSUTIL - files

The following command verifies the "checksum" of the database:

PS C:\> ntdsutil
C:\Windows\system32\ntdsutil.exe: activate instance ntds
Active instance set to "ntds".
C:\Windows\system32\ntdsutil.exe: files
file maintenance: checksum
Doing checksum validation for db: C:\Windows\NTDS\ntds.dit.

File: C:\Windows\NTDS\ntds.dit
                     Checksum Status (% complete)
          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

3074 pages seen.
0 bad checksums.
0 correctable checksums
905 uninitialized pages.
0 wrong page numbers.
[...]

As we can see, the database is just fine at this level.

--------

There is another command that checks the "integrity" of the database. But first, Microsoft documentation states that before running the integrity command (below) we should run the "ntdsutil files recover" command. This command "ensures all committed transactions [...] are reflected in the data file."

Since we are still at the "file maintenance" prompt, we can simply enter the command as follows:
 
file maintenance: recover
 
Initiating RECOVERY mode...
          Log files: C:\Windows\NTDS.
         System files: C:\Windows\NTDS.
Performing soft recovery...
Database recovery is successful.
 
It is recommended you run semantic database analysis
to ensure semantic database consistency as well.

 --------

So we have not yet run the integrity check and NTDSUTIL already suggests yet another test. We'll look at that in a moment. For now, let's check database "integrity" - or consistency - with the following command:

file maintenance: integrity
Doing Integrity Check for db: C:\Windows\NTDS\ntds.dit.
Checking database integrity.

                     Scanning  Status (% complete)
          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

Integrity check successful.

It is recommended you run semantic database analysis
to ensure semantic database consistency as well.

----------


Some notes...
  • This test scans the entire ntds.dit file, the database as a whole, so, if it is large, it can take some time, possibly 2 GB / hour.
  • It looks for binary corruption at a "low level".
  • It may be the equivalent of eseutil /g in Exchange (?)
  • Once again, it is recommended to run the "semantic database analysis" command, so with no further ado, we'll do just that:

C:\Windows\system32\ntdsutil.exe: semantic database analysis
semantic checker: go
Fixup mode is turned off
......Done.


Writing summary into log file dsdit.dmp.0
SDs scanned:            123
Records scanned:       3806
Processing records..Done. Elapsed time 0 seconds.
 



--------

Yes, after we enter "semantic database analysis" we have to enter go at the "semantic checker" prompt. The reader may have noted that there is not much data to be analyzed. That is correct. This is a test domain controller with very few objects in the ntds.dit database.
 
If errors are indicated, we can attempt to repair them with the "go fixup" command. And yes, we would enter that exactly where we entered the "go" above.
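The whole sequence above (stopping NTDS, running the checksum, recover, integrity and semantic checks, then restarting NTDS and its dependents) can be run as a script rather than at the interactive prompts, because ntdsutil accepts its prompt commands as arguments, one quoted string per prompt. What follows is an added example and is not part of the original post. It assumes an elevated PowerShell session on a Windows Server 2012 domain controller that is not the only domain controller of the domain, inside a maintenance window (the KDC and DNS stop with NTDS, so clients cannot authenticate against this DC while it is down). The success strings it looks for are the ones visible in the transcripts above.

```powershell
# Added example, not from the original post: the offline ntds.dit checks of
# this post run as a script. Assumptions: elevated PowerShell on a Windows
# Server 2012 DC that is not the domain's only DC, inside a maintenance window.

$ErrorActionPreference = 'Stop'

# Record which dependent services are running now, so we can verify afterwards
# that all of them came back (rather than assuming they do).
$dependents = (Get-Service ntds).DependentServices |
    Where-Object { $_.Status -eq 'Running' } |
    Select-Object -ExpandProperty Name
"Stopping NTDS; this also stops: $($dependents -join ', ')"

Stop-Service ntds -Force   # -Force is required because of those dependents
(Get-Service ntds).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# ntdsutil takes the prompt commands as arguments, one quoted string per prompt,
# with a "quit" for each menu level entered. Same order as in the post.
$checks = @(
    @{ Name = 'checksum';  Args = 'activate instance ntds', 'files', 'checksum',  'quit', 'quit'; Expect = '(?m)^\s*0 bad checksums' }
    @{ Name = 'recover';   Args = 'activate instance ntds', 'files', 'recover',   'quit', 'quit'; Expect = 'recovery is successful' }
    @{ Name = 'integrity'; Args = 'activate instance ntds', 'files', 'integrity', 'quit', 'quit'; Expect = 'Integrity check successful' }
    @{ Name = 'semantic';  Args = 'activate instance ntds', 'semantic database analysis', 'go', 'quit', 'quit'; Expect = 'Done' }
)

$results = foreach ($c in $checks) {
    $ntdsArgs = $c.Args
    $out = & ntdsutil.exe @ntdsArgs 2>&1 | Out-String
    [pscustomobject]@{
        Check  = $c.Name
        Passed = ($out -match $c.Expect)
        Output = $out
    }
}

# Bring NTDS back first, whatever the checks said: a DC that stays down is a
# bigger problem than a DC whose database needs a closer look.
Start-Service ntds
foreach ($name in $dependents) {
    $svc = Get-Service $name
    if ($svc.Status -ne 'Running') { Start-Service $name }
    $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
}
Get-Service -Name (@('ntds') + $dependents) | Format-Table Status, Name, DisplayName -AutoSize

# Report. A failed check is a reason to investigate (event logs, disk health)
# before anything else; "go fixup" is a deliberate, separate decision, not
# something to run automatically.
foreach ($r in $results) {
    "=== $($r.Check): $(if ($r.Passed) { 'OK' } else { 'CHECK OUTPUT' }) ==="
    $r.Output
}
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more ntdsutil checks did not report success.'
}
```

The script deliberately restarts NTDS before reporting: the checks are read-only, so there is no reason to keep the domain controller out of service while someone reads the output, and the repair step ("go fixup") is left for a human to decide on.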

***


Here ends my first blog post about the NTDSUTIL tool. In part 2, I'll look at some other uses of the tool: resetting the DSRM password, checking for duplicate SIDs and offline defragmentation.

Reference:

NTDSUTIL Files commands







Tuesday, December 24, 2013

Windows Server 2012 - Active Directory - FSMO role transfer


Transferring the "Flexible Single Master Operations" (FSMO) roles
 

Note: if you do not know what the "FSMO" roles are, or wish to know more, please see this link:

Operations master roles

This is a well-known subject among Active Directory administrators.

Even before Windows 2012, there was no lack of choice in the methods allowing us to transfer the FSMO roles:

If there were only two domain controllers, we could simply demote one with DCPROMO. If the domain controller to be demoted held the FSMO roles, the demotion process would transfer the roles to the other domain controller.

Otherwise (and in fact in any case with two or more domain controllers), we could transfer the roles with various graphic interfaces...


Transferring roles with the graphic interface

We need to use three different "tools" to transfer all the FSMO roles.
 
  • Active Directory Users and Computers for the PDCe, RID Master and Infrastructure Master roles
  • Active Directory Domains and Trusts for the Domain Naming Master
  • Active Directory Schema - after registering schmmgmt.dll with regsvr32...


We'll first transfer the PDC emulator, the RID Master and Infrastructure Master in Active Directory Users and Computers (ADUC).

1. Connect to ADUC, right-click on the domain and select "Operations Masters" in the menu:




2. Attempt to change the Operations Master and observe the error message:



If we happen to be connected to the current role holder, we must first target the domain controller to which the roles will be transferred.


3. This time, select "Change Domain Controller":




4. Connect to the domain controller to which you intend to transfer the roles:




5. Now go back to the menu (as illustrated above) and select "Operations Masters".


6. We'll use the RID Master as an example below. Note that the other domain controller is now the "target" as opposed to the same domain controller. Click on "Change" and confirm. Repeat the same operations for the PDCe and the Infrastructure Master.




7. For the Domain Naming Master, we need to perform the same type of operation but in the Active Directory Domains and Trusts MMC.




8. For the Schema Master, we need to register the snap-in's .dll file (regsvr32 schmmgmt.dll) and then add "Active Directory Schema" to a Microsoft Management Console (MMC). We would then proceed as we did for the other roles above.




Note: there should be a confirmation message (which can be closed - not shown above) indicating that the registration was successful. I'll assume the reader knows how to add "snap-ins" to a MMC. If not, please search for instructions online.


We can confirm the new owner (or "holder") of the roles in the graphic interfaces themselves or use the concise "netdom query fsmo" command.


BEFORE

PS C:\> netdom query fsmo

Schema master               DC-001.machlinkit.biz
Domain naming master        DC-001.machlinkit.biz
PDC                         DC-001.machlinkit.biz
RID pool manager            DC-001.machlinkit.biz
Infrastructure master       DC-001.machlinkit.biz


AFTER

PS C:\> netdom query fsmo

Schema master               DC-004.machlinkit.biz
Domain naming master        DC-004.machlinkit.biz
PDC                         DC-004.machlinkit.biz
RID pool manager            DC-004.machlinkit.biz
Infrastructure master       DC-004.machlinkit.biz


Of course, this command could also be used to confirm successful transfers after using the command line to move the roles from one domain controller to another.



Transferring roles with NTDSUTIL (command line interface)


We can transfer the roles at the command line using ntdsutil as shown below.

But first some notes:

Since Windows Server 2008, we must activate an "instance" of ntds with the command...

activate instance ntds

This was not necessary with Windows 2003.

Second, the syntax for the Domain Naming master has changed.

With Windows 2003, we would enter:

transfer domain naming master

Since Windows 2008, we must enter

transfer naming master


Having clarified those points, let's enter the sequence of commands that transfers the roles (I will double space for readability; the text following each prompt is the command to enter):

PS C:\> ntdsutil

C:\Windows\system32\ntdsutil.exe: activate instance ntds

Active instance set to "ntds".

C:\Windows\system32\ntdsutil.exe: roles

fsmo maintenance: connections

server connections: connect to server DC-004

Binding to DC-004 ...

Connected to DC-004 using credentials of locally logged on user.

server connections: quit

Note: at this point, depending on the role we want to transfer, we enter all or any of the following:

fsmo maintenance: transfer schema master

fsmo maintenance: transfer naming master

fsmo maintenance: transfer rid master

fsmo maintenance: transfer pdc

fsmo maintenance: transfer infrastructure master



Once the command is entered (and Enter is pressed), ntdsutil produces some rather verbose output indicating which domain controller holds which roles. In the case of the Schema Master we would see something like this:

fsmo maintenance: transfer schema master

Server "DC-004" knows about 5 roles

Schema - CN=NTDS Settings,CN=DC-004,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

Naming Master - CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

PDC - CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

RID - CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

Infrastructure - CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz


In this case, we can see (if we look carefully) that DC-004 is now the Schema Master but DC-001 still holds the other operations roles.



Transferring roles with Powershell

With PowerShell version 3 (part of Windows Server 2012) and version 4 (Windows Server 2012 R2), we can use the "Move-ADDirectoryServerOperationMasterRole" cmdlet of the ActiveDirectory module to transfer or "move" the operations roles. We can either type the entire name of each role...


PS C:\> Move-ADDirectoryServerOperationMasterRole -Identity DC-001 -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster

Or the numbers that represent the roles:

  • PDCEmulator = 0
  • RIDMaster = 1
  • InfrastructureMaster = 2
  • SchemaMaster = 3
  • DomainNamingMaster = 4


So if we wanted to transfer all the roles to domain controller DC-001, we would enter this:

PS C:\>Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole 0,1,2,3,4


Despite the rather long cmdlet (of which we only need to type the first 8 letters or so, and then tab), the rest of the complete command can be rather concise if we use (and know) the numbers.

This cmdlet works quite nicely as we can see here.

At first, DC-004 holds the roles:

PS C:\> netdom query fsmo

Schema master               DC-004.machlinkit.biz
Domain naming master        DC-004.machlinkit.biz
PDC                         DC-004.machlinkit.biz
RID pool manager            DC-004.machlinkit.biz
Infrastructure master       DC-004.machlinkit.biz

We transfer them to DC-001...

PS C:\> Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole 0,1,2,3,4

Move Operation Master Role
Do you want to move role 'PDCEmulator' to server 'DC-001.machlinkit.biz' ?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A

We confirm the transfers with...

PS C:\> netdom query fsmo

Schema master               DC-001.machlinkit.biz
Domain naming master        DC-001.machlinkit.biz
PDC                         DC-001.machlinkit.biz
RID pool manager            DC-001.machlinkit.biz
Infrastructure master       DC-001.machlinkit.biz
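
The transfer shown with NTDSUTIL and with Move-ADDirectoryServerOperationMasterRole above can be wrapped in a few checks that the interactive sessions do not make. What follows is an added example, not code from the original post. It assumes the ActiveDirectory module, an account that is a member of Domain Admins (plus Schema Admins and Enterprise Admins, which the schema master and domain naming master transfers require), and uses the post's lab names DC-004 and machlinkit.biz; it reads the role holders from the directory itself rather than from netdom, and it transfers rather than seizes.

```powershell
# Added example, not from the original post: transfer all five FSMO roles with
# the ActiveDirectory module and verify the result from the directory itself.
# Assumptions: run as Domain Admin (plus Schema Admins / Enterprise Admins for
# the schema and domain naming masters); DC-004 and machlinkit.biz are the
# post's lab names.

Import-Module ActiveDirectory

$target = 'DC-004'

function Get-FsmoHolder {
    # Domain-wide roles come from Get-ADDomain, forest-wide ones from Get-ADForest.
    # -Server lets us ask a specific DC, which matters right after a transfer:
    # the new holder knows immediately, the others only after replication.
    param([string]$Server)
    $d = Get-ADDomain -Server $Server
    $f = Get-ADForest -Server $Server
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

# Refuse to proceed unless the target is a DC we can reach. A transfer needs
# both the old and the new holder online; that is also what separates a
# transfer from a seizure.
$dc = Get-ADDomainController -Identity $target
if (-not (Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet)) {
    throw "$($dc.HostName) is not reachable; not transferring roles."
}

'Before:'; Get-FsmoHolder -Server $dc.HostName | Format-List

# Transfer, not seize: no -Force. -Force seizes the roles and is only for a
# holder that is permanently gone (it must never come back online still
# believing it owns a role).
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

'After:'
$after = Get-FsmoHolder -Server $dc.HostName
$after | Format-List

# Every role must now resolve to the target's FQDN.
$elsewhere = $after.PSObject.Properties | Where-Object { $_.Value -ne $dc.HostName }
if ($elsewhere) { throw "Roles not on $($dc.HostName): $($elsewhere.Name -join ', ')" }
"All five roles are held by $($dc.HostName)."
```

Querying the target with -Server after the move avoids a false alarm from a domain controller that has not yet replicated the change; running "netdom query fsmo" against a random DC right after the transfer can still show the old holder for a short while.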


Move-ADDirectoryServerOperationMasterRole




Transferring the roles by domain controller demotion

Lastly, if we only have two domain controllers or have no preference for the new/future FSMO holder, we can demote the current holder and the roles will be transferred to another domain controller automatically. I will not detail the demotion of a domain controller here but this is what netdom query fsmo shows after the process:

PS C:\> netdom query fsmo

Schema master               DC-004.machlinkit.biz
Domain naming master        DC-004.machlinkit.biz
PDC                         DC-004.machlinkit.biz
RID pool manager            DC-004.machlinkit.biz
Infrastructure master       DC-004.machlinkit.biz

 

So after demoting DC-001, the FSMO roles are automatically transferred to DC-004. No manual intervention was necessary.

Sunday, December 22, 2013

Windows Server 2012 - Active Directory - adding a second domain controller

Best practice, concerning domain controllers, is to have at least two so if one is unavailable, clients can still authenticate to the network. Moreover, both should be global catalog servers since the presence of a global catalog server is a pre-requisite for a successful logon.

Note: if you are interested in the crucial role of the Global Catalog, here is a link with more information on the subject:

Global Catalog information

A second domain controller can be added using Server Manager (Add Roles or Features) or PowerShell cmdlets. In what will be one of my more concise blog posts, I'll demonstrate how a second domain controller can be added at the command line.

Although not strictly necessary, I'll first rename the server (that already happens to be a domain member) so its new name will reflect its status as a domain controller:

We could use the netdom /renamecomputer command but since this is Windows Server 2012, I'll opt for the Powershell cmdlet instead:


PS C:\> Rename-Computer DC-004

WARNING: The changes will take effect after you restart the computer SVR-004.

PS C:\> Restart-Computer



So we indicate the new name of the computer after the Rename-Computer cmdlet and then restart the computer with the aptly named Restart-Computer cmdlet - elementary, obvious and almost self-explanatory.

Once the computer restarts, we'll log on with domain administrator credentials and enter the following PowerShell cmdlet to install the binaries for the domain controller role:

PS C:\> Add-WindowsFeature AD-Domain-Services -IncludeManagementTools


IP address and DNS

We also need to make sure (this may be the case already) that the primary (or secondary) DNS server parameter in the TCP/IP settings designates the first domain controller:

PS C:\> Set-DnsClientServerAddress "Ethernet" -ServerAddresses 10.1.1.10

This is in the context of our single - and soon double - domain controller scenario. If there were other domain controllers, we could designate one of them as well, assuming they are also a DNS server, which is currently the most common domain controller configuration.


Promotion of the server to domain controller

Now we can promote the server to a domain controller with the following command:

Note: we enter the password for Directory Services Restore Mode when prompted.

PS C:\> Install-ADDSDomainController -DomainName machlinkit.biz -SafeModeAdministratorPassword (read-host -prompt "Password:" -AsSecureString)

Password:: **********


In my experience, the above command was enough to create a second domain controller that was also a DNS server and a Global Catalog. It seems that the domain controller promotion default values obtain this result.
 
Here, for example, we can see that the new domain controller is configured as a global catalog server by default:

PS C:\> dsquery server -isgc

"CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz"

"CN=DC-004,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz"


Various parameters can be indicated explicitly if we want. We would see many of these if we used the graphic interface to promote the server to domain controller status.
 
We can indicate the database path (or location) for the Active Directory database (the ntds.dit file and associated files):

-DatabasePath 'C:\Windows\NTDS'

We can indicate if we want the domain controller to be a DNS server also. If for some reason we did not, we could change the value below to $false

-InstallDNS:$true

This parameter will eliminate some of the informational messages displayed during the process:

-force:$true

The server reboots automatically once the promotion is complete. If we do not want it to reboot (to look at the result first, for example), we set this switch to $true:

-NoRebootOnCompletion:$true

Here we can designate the site. In this case, the default site name is used:

-SiteName 'Default-First-Site-Name'

Lastly, the NoGlobalCatalog switch controls whether the newly promoted domain controller is also a global catalog server. The value shown here ($false, which is the default) makes it a global catalog; $true would prevent that:

-NoGlobalCatalog:$false
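
The promotion above, with the parameters just listed made explicit, preceded by the prerequisite check that the wizard runs and followed by a verification of the result, can be written as one script. This is an added example and not code from the original post. It assumes an elevated PowerShell session, as a domain administrator, on the server being promoted (after the rename and the AD-Domain-Services installation shown above); machlinkit.biz is the post's lab domain, and the -Verify switch is an assumption of this example, used to run the post-reboot check.

```powershell
# Added example, not from the original post: promote a domain member to an
# additional DC with the parameters listed above set explicitly, with the
# prerequisite check before and a verification after. Assumptions: elevated
# session as a domain administrator on the server being promoted; the -Verify
# switch is this example's own. Run once to promote, then again with -Verify
# after the reboot.
param([switch]$Verify)

$domain = 'machlinkit.biz'

if ($Verify) {
    # After the reboot: every DC should be listed and this one should be a GC
    # (the PowerShell equivalent of "dsquery server -isgc" above).
    Import-Module ActiveDirectory
    $dcs = Get-ADDomainController -Filter * -Server $domain
    $dcs | Format-Table HostName, Site, IsGlobalCatalog, IPv4Address -AutoSize
    $me = $dcs | Where-Object { $_.Name -eq $env:COMPUTERNAME }
    if (-not $me)                 { throw "$env:COMPUTERNAME is not listed as a DC." }
    if (-not $me.IsGlobalCatalog) { throw "$env:COMPUTERNAME is not a global catalog." }
    "$($me.HostName) is a DC and a GC in site $($me.Site)."
    return
}

Import-Module ADDSDeployment

# The DSRM password is a local Administrator credential for this DC in
# Directory Services Restore Mode: use a strong, per-DC value and keep it in a
# password vault, never in the script.
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

$params = @{
    DomainName                    = $domain
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true                     # also a DNS server
    NoGlobalCatalog               = $false                    # $false = DO make it a GC
    SiteName                      = 'Default-First-Site-Name'
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# Same checks the wizard runs; stop before the server is touched if any fail.
$check = Test-ADDSDomainControllerInstallation @params
$check | Format-List Status, Message
if ($check.Status -ne 'Success') { throw 'Prerequisite check failed; not promoting.' }

# NoRebootOnCompletion $true = do NOT reboot automatically; we reboot ourselves
# once the result has been seen. -Force suppresses the informational prompts.
Install-ADDSDomainController @params -NoRebootOnCompletion:$true -Force:$true
Restart-Computer -Force
```

Splatting the same hashtable into Test-ADDSDomainControllerInstallation and Install-ADDSDomainController guarantees that what was checked is what gets installed; the two switches that only make sense for the installation are passed separately.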



References:

The Install-ADDSDomainController cmdlet


This link provides a complete list of various parameters, most optional, that can be used with the cmdlet.

Thursday, December 19, 2013

Windows Server 2012 - Hyper-V - installation of role, creation of a virtual server

Some time ago, I worked with VMware ESXi 4.1. Although the underlying concepts of virtualization are probably similar, Hyper-V is a new world for me. I thought I'd start by simply installing the role and creating a virtual server.

Warning: this will be very basic for anyone having more experience than I with Hyper-V, so unless you are interested in how to install the role and create a virtual server, you may prefer other sources, be it other blogs or TechNet articles.


 Installation of the Hyper-V Role

First, we go to Server Manager (which may open automatically on logon) and in the upper right-hand corner, select "Manage" and then "Add Roles and Features". We can click "Next" on the "Before you begin" page. This will bring us to the "Select installation type" page which is shown (in part) below.



Select "Role based or Feature based installation".
 
Note: because of the way images are rendered on Blogger, I usually do not capture - and post - entire screenshots. It might be helpful to follow the steps with the interface open in front of you. It should also be understood that after doing whatever is necessary at a given step, we click on "Next" (or whatever the command might be). I will not waste time specifying "Click Next" for every single screenshot.


In this scenario, I have two servers on which I could install the Hyper-V role. Since "Best Practice" mandates that we "let domain controllers be domain controllers" and do not complicate their management with other roles, we'll select the other server (SVR-003) for our Hyper-V host. This will also illustrate how we can manage remote servers via Server Manager. In the following screenshots, we will, in fact, be acting on SVR-003.






Select Hyper-V for the role, note the features that will be added (include Management Tools), and click on "Next", as shown in the three illustrations below:






We can click "Next" on the "Features" page (I made no additional selections and the Hyper-V role was installed all the same):




On virtual server hosts, there is often more than one network interface (or "NIC"). One may be used for the "production" network (the network that provides services to users) and one may be part of a management network. On the following screens, we have the option to select the interfaces we want to use.




Here I select the adapter:





The next option requires some thought about the future role of the Hyper-V host. As this is a strictly practice environment in which I will not configure a cluster (or probably perform migrations) it does not matter, but in a production network we have to take the following into consideration. In summary, if the server will be part of a cluster, we should not enable the "live migration" function at this point; it is configured later, including the networks it will use, when the cluster is created:




On this screen, we configure the location of the virtual machine configuration files and the virtual hard disk files. I have simply created a folder on a separate physical drive of my server. In other environments, the files might be located on a SAN (Storage Area Network):




The following screens summarize the operations to be performed and offer the option to restart the server automatically:








 
Creation of a virtual server

What follows is a simple example of the creation of a virtual server in which I will use a Windows 2008 R2 DVD as the source for the operating system. In reality, it might be more likely that a .iso image file would be used.

First, we open Server Manager, go to "Tools" and select "Hyper-V Manager":



Then (in the Action pane) Actions | New | Virtual Machine:




Note: in fact, there are a couple options here:
  • We can select Action | New | Virtual Machine
  • We can right click on the SVR-003 icon (opposite left-side pane), then "New" | "Virtual Machine"
  • In the Action pane, New | Virtual Machine



The "Before you begin" page informs us that we could create a virtual machine with default values by clicking "Finish", or "Next" to configure custom options. In most cases, we would click "Next" since it is unlikely the default values would suit the various virtual machines we might wish to create. Furthermore, "Next" will allow us to see - and learn - the different options.
 



Now we select a name for the virtual machine. The wizard suggests a name that identifies the role or the operating system. I'll simply name my virtual machine "vSvr-01-W2K8":



Next, we specify the amount of memory to be allocated to the server. 1024 MB should suffice for a practice Windows 2008 (R2) server:



We have to select a virtual switch for the virtual server (the virtual switch connects virtual machines among themselves and also with the physical network):



As for storage, I'll create a virtual disk for the server on the physical E: drive of the host server:



We can install the guest operating system right now or later - I'll opt for "later":



The following screen summarizes the guest server configuration:





Now I'll attempt to boot from a Windows 2008 R2 DVD (we could also use an .iso file).

In the Action Pane, select the virtual server (vSvr-01-W2K8 in our case), and choose "Start" in the options below the icon.


To see the progress of the installation, click "Connect" as shown here (in the Action pane):

 

No luck! We get an error message:

 


So we have to adjust the settings for the CD/DVD drive.

We have two choices: a virtual drive and a physical drive. The virtual drive is selected by default. Most likely, we would have a set of .iso files for the creation of virtual machines. However, the use of physical media (like a DVD) is possible. So I'll select the Physical CD/DVD drive in the settings of the guest:



Now I'll click Start again.

To see the progress of the installation click "Connect" as we already did above.

This time, the installation begins successfully:



From this point on, the installation process of the guest machine is identical to that of a physical server:
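
The role installation and the virtual machine creation walked through above can also be done from PowerShell with the ServerManager and Hyper-V modules, which is the form most practitioners will want once they have seen the wizard once. What follows is an added example, not code from the original post. It assumes a management machine with the Hyper-V management tools, administrative rights on SVR-003, and an external virtual switch created by the role wizard; SVR-003 and the VM name vSvr-01-W2K8 are the post's values, while the folder E:\Hyper-V, the VHD size and the ISO path are assumptions of this example.

```powershell
# Added example, not from the original post: the role installation and VM
# creation of this post done from PowerShell instead of the wizards.
# Assumptions: Hyper-V management tools on this machine, admin rights on
# SVR-003; E:\Hyper-V, the 40 GB disk size and the ISO path are assumed values.

$hyperVHost = 'SVR-003'

# Role installation on the remote host ("Add Roles and Features" targeting
# another server, as in the post). The host restarts when this completes.
Install-WindowsFeature -Name Hyper-V -ComputerName $hyperVHost `
    -IncludeManagementTools -Restart

# --- after the host is back ---
$vmName  = 'vSvr-01-W2K8'
$vmPath  = 'E:\Hyper-V'                      # assumed folder on the host's E: drive
$vhdPath = Join-Path $vmPath "$vmName.vhdx"
$isoPath = 'E:\ISO\W2K8R2.iso'               # assumed location of the install media

# Use the external switch (bound to a physical NIC) created by the role wizard;
# fail clearly if there is none rather than creating an unconnected VM.
$switch = Get-VMSwitch -ComputerName $hyperVHost |
    Where-Object SwitchType -eq 'External' | Select-Object -First 1
if (-not $switch) { throw "No external virtual switch on $hyperVHost" }

New-VM -ComputerName $hyperVHost -Name $vmName -MemoryStartupBytes 1GB `
    -NewVHDPath $vhdPath -NewVHDSizeBytes 40GB -SwitchName $switch.Name -Path $vmPath

# Attach the install media to the VM's DVD drive. This is the step behind the
# post's "No luck!" error: a VM with nothing in its DVD drive has nothing to
# boot from. An ISO is the usual choice; the host's physical drive also works.
Set-VMDvdDrive -ComputerName $hyperVHost -VMName $vmName -Path $isoPath
# Physical drive alternative (the post's choice):
# Set-VMDvdDrive -ComputerName $hyperVHost -VMName $vmName -Path 'D:'

Start-VM -ComputerName $hyperVHost -Name $vmName

# Confirm the VM is running and what is in its drive, then open the console
# (the equivalent of "Connect" in Hyper-V Manager).
Get-VM -ComputerName $hyperVHost -Name $vmName | Select-Object Name, State, MemoryStartup
Get-VMDvdDrive -ComputerName $hyperVHost -VMName $vmName | Select-Object Path
vmconnect.exe $hyperVHost $vmName
```

Checking the DVD drive before starting the VM is what the wizard never does for you; in the walkthrough above the empty drive only showed up as an error after "Start".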



 
***

Hyper-V is a world in itself and there is a multitude of aspects that could be examined. As for me, I may take a look at some of these aspects later. For now, I need to concentrate on Active Directory, Exchange and possibly... vCenter and ESXi (for professional reasons).


Friday, November 29, 2013

Windows Server 2012 - Disk Management

In Windows Server 2012, we can manage disks with three different tools:
  • Server Manager
  • Disk Management (diskmgmt.msc)
  • diskpart.exe (command line)
I'm going to use "Disk Management". When I open the tool, by entering diskmgmt.msc at the command line (or run box in other versions of Windows), this is what I see:



First, we have one physical disk, "Disk 0", divided into two partitions: System Reserved and (C:).

Second, we have a second physical disk that has not yet been configured.

Before configuring this second disk, let's examine the different choices we have for disk configuration in Windows Server 2012. Many of these options will apply to Windows 2008 as well (ReFS is one notable exception).




Disk Configuration options

In Windows Server 2012, physical disks and logical partitions can be configured in a number of different ways:


Partition Style - or Scheme

This can be either the traditional MBR (Master Boot Record) scheme, available since the 1980s, or the more recent GPT (GUID partition table), available as an option since the late 1990s. GPT was first incorporated in Windows Server systems with Windows Server 2003 SP1.

A detailed presentation of these partition schemes is beyond the scope of this post. I'll present below what I believe are the essential points for disk configuration in Windows 2012.

  • MBR supports a maximum of four primary partitions; GPT allows up to 128 partitions. MBR can hold additional logical drives inside an "extended partition", but that is a workaround for the four-partition limit rather than a reason to prefer MBR.
  • MBR supports a maximum partition size of 2 TB (terabytes). For decades, this was more than sufficient. As hard drive sizes now surpass 2 TB, MBR is becoming obsolete. GPT supports a partition size of 9.4 ZB (zettabytes) or... 9.4 billion TB. In reality, the maximum will be much lower because Windows Server 2012 supports a maximum volume size of "only" 18 EB (exabytes), and hard drives on the market are simply not that large anyway.
  • GPT cannot be used for the boot partition unless the server (in this case) is a "UEFI based system" (as opposed to a traditional "BIOS").
  • UEFI is not a requirement if GPT is used on a simple storage partition (a partition from which the operating system does not boot).

If the terminology used above is not clear (UEFI versus BIOS), please refer to online sources for clarification. Here is one source that I consulted:


Microsoft TechNet or Wikipedia articles could also be used to clarify in greater details "MBR", "GPT", "BIOS", "UEFI" and even "boot partition".

In summary, however, if a Windows server system uses "UEFI", GPT can be used for all partitions, including the boot partition. If not, and unless the server in question has an operating system that precedes Windows 2003 SP1, GPT can be used for storage partitions. GPT for the boot partition also assumes a 64 bit operating system which is a "given" for Windows Server 2012 (as for Windows 2008 R2, there is no 32 bit version).



Disk Type (basic versus dynamic)

The "basic" disk is the default. The "dynamic" disk allows the configuration of different types of volumes such as spanned or striped, or two types of "software RAID", RAID 1 (mirroring) or RAID 5 (striping with parity).


Personally, I see limited advantages in dynamic disks:

  • Spanning volumes may resolve disk space issues but also (like striped volumes) increases the risk of data loss. The failure of any disk comprising the volume results in the loss of data. The more disks comprising the volume, the greater the risk of data loss.
  • If the data is worth protecting, it would be preferable, by far, to use hardware RAID with a high quality controller on the server itself.

Volume Types

We can have the following volume types in Windows Server 2012:
  • Simple
  • Spanned
  • Striped
  • RAID 1 (mirrored)
  • RAID 5 (striped with parity)

I've already commented on what I perceive as the limited usefulness of dynamic disks in a production environment where protection of data is paramount.


File Systems

In Windows Server 2012, we have three options:
  • exFAT
  • NTFS
  • ReFS

Only two - NTFS and ReFS - are serious choices.

ReFS means "Resilient File System" and is designed to be even more robust than NTFS. It is an excellent choice for data storage. However, it does (currently) have some limitations.
  • No EFS encryption (it is compatible with Bitlocker however).
  • No compression
  • No quotas
More importantly, it is (currently) incompatible with Active Directory to the extent that the Active Directory database, log files and SYSVOL folder should not be stored on a ReFS volume.

Furthermore, its use with Hyper-V is limited, since in Windows Server 2012 a ReFS volume cannot be used as a Cluster Shared Volume (CSV).

Windows Server 2012: Does ReFS replace NTFS? When should I use it?




Configuration of Disk 1 (the second hard drive)

Now that we are aware of the different options for disk configuration, let's configure the second hard drive of our server.

The second physical disk is offline so the very first step is to bring it online. We can simply right-click on the "Disk 1" icon and select "Online":




Now the disk is "Not Initialized". Moreover, the disk type is unknown and, of course, there is no file system. Let's configure the disk. Right-click and select "Initialize Disk". Here we must choose between two partition styles: MBR and GPT.



I'll select "GPT".

The status of the disk changes to "Online", but its space is still "Unallocated".






We'll right-click and select "New Simple Volume".



Spanned and striped volumes increase the risk of data loss and should be used with caution (or not at all). RAID 1 is an option here, and RAID 5 would be if there were a third disk. Generally, however, hardware RAID is preferred to Microsoft's software RAID, and the latter would typically be used only as a last resort.

The New Simple Volume Wizard opens. Click on next.

We specify the volume size. For this example, I'll use the entire physical disk.





Click on Next. This brings us to the "Format Partition" page.





We'll assign drive letter E:

We have to select a file system. The choice is effectively between NTFS and ReFS; it would be extremely rare to opt for exFAT. I'll select NTFS for this example. We will keep the default "Allocation unit size"; this could be changed if required or recommended for a particular application (for an Exchange 2010 DAG, Database Availability Group, the recommended allocation unit size is 64 KB). A quick format is fine for our practice environment; a full format would also check for bad sectors, which might be recommended if the drive will hold important data.

We can click on next and the following summary displays:




Here is the result in Disk Management...



And in Windows Explorer:
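The same sequence (bring Disk 1 online, initialize it as GPT, create one simple volume using the whole disk, format it NTFS as E:) can be scripted with the Storage module cmdlets. This is an added example, not code from the original post; the disk number, drive letter and volume label are assumptions matching the lab above. Unlike the wizard, it refuses to run against the system disk or against a disk that already carries a partition table, which is the check that prevents an initialize-and-format from wiping the wrong disk.

```powershell
# Added example (not from the original post): the Disk Management steps as
# Storage-module cmdlets, with guards before anything is written to the disk.
# Assumed values: disk number 1, drive letter E, label "Data".

function Initialize-DataDisk {
    param(
        [Parameter(Mandatory)] [int]  $DiskNumber,
        [Parameter(Mandatory)] [char] $DriveLetter,
        [string] $Label = 'Data',
        # 4096 is the NTFS default for this size; 65536 (64 KB) is the Exchange DAG value cited above.
        [int]    $AllocationUnitSize = 4096,
        # Quick format by default; -FullFormat also scans for bad sectors (slow).
        [switch] $FullFormat
    )

    $disk = Get-Disk -Number $DiskNumber -ErrorAction Stop

    # Guard 1: never touch the disk Windows boots from or runs on.
    if ($disk.IsSystem -or $disk.IsBoot) {
        throw "Disk $DiskNumber is the system/boot disk; refusing to initialize it."
    }
    # Guard 2: only a RAW (never initialized) disk is a safe target. Initializing
    # a disk that already has MBR/GPT metadata destroys what is on it.
    if ($disk.PartitionStyle -ne 'RAW') {
        throw "Disk $DiskNumber already has a $($disk.PartitionStyle) partition table; aborting."
    }
    # Guard 3: the requested letter must be free.
    if (Get-Volume -DriveLetter $DriveLetter -ErrorAction SilentlyContinue) {
        throw "Drive letter $DriveLetter is already in use."
    }

    # Step 1: bring the disk online and writable (new disks often arrive offline and read-only).
    if ($disk.IsOffline)  { Set-Disk -Number $DiskNumber -IsOffline $false }
    if ($disk.IsReadOnly) { Set-Disk -Number $DiskNumber -IsReadOnly $false }

    # Step 2: partition style. GPT is fine for a data disk regardless of firmware.
    Initialize-Disk -Number $DiskNumber -PartitionStyle GPT

    # Step 3: one simple volume spanning the whole disk, with the requested letter.
    $partition = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -DriveLetter $DriveLetter

    # Step 4: NTFS with the chosen cluster size. Format-Volume prompts unless -Confirm:$false.
    $fmt = @{
        FileSystem         = 'NTFS'
        NewFileSystemLabel = $Label
        AllocationUnitSize = $AllocationUnitSize
        Confirm            = $false
    }
    if ($FullFormat) { $fmt.Full = $true }
    $partition | Format-Volume @fmt
}

# The post's scenario: second disk, letter E:. Then verify the result.
Initialize-DataDisk -DiskNumber 1 -DriveLetter 'E'
Get-Disk -Number 1 | Select-Object Number, PartitionStyle, OperationalStatus
Get-Volume -DriveLetter E | Select-Object DriveLetter, FileSystem, FileSystemLabel, Size, SizeRemaining
```

Run it in an elevated PowerShell session on the server. The two Get-* lines at the end correspond to what Disk Management and Windows Explorer show in the screenshots: Disk 1 online with a GPT partition table, and an NTFS volume E: using the whole disk.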






Thursday, November 21, 2013

Windows Server 2012 - Print Management: Part 3 - deploying printers with Group Policy Preferences

After deploying printers with what I'll call "simple Group Policy", on a per user or per machine basis, I wanted to see what Group Policy Preferences could offer.
 
Group Policy Preferences (I'll abbreviate with "GPP") were introduced with Windows Server 2008 and still exist in Windows 2012. Compared to "simple Group Policy" they extend the options for configuration of computer and user settings.
 
In theory, GPP can deploy printers.
 
In fact, I found that it simply does not work.
 
First, I'll outline the steps used to configure printer deployment via GPP.
 
Second, I'll present the error messages.
 
 
 
Here are the computers involved:
 
- The domain controller is a Windows 2012 server
 
- The printer server, also Windows 2012
 
- Test machine running Windows 7, SP1


All machines are 64 bit.
 
 
 
Note: please keep in mind that printer deployment worked just fine using "simple Group Policy" (please see my previous posts on this subject).




Configuration of printer deployment via Group Policy Preferences


1. Print Processor settings

Some recommend that the print processor be set to "winprint" and "RAW".

As shown below, these were the default settings on the printer.

Note: yes, we configure this in the properties of the printer itself, not in the Group Policy.



2. Printer preferences

Create a new GPO (I'll name mine GPP-PRINT) and go to Computer Configuration | Preferences | Control Panel Settings | Printers

Note: here we are (back) on the domain controller - or accessing the domain controller remotely.




3. Creating a printer

We need to right-click on the printer icon and select "New" and then "TCP/IP Printer".




4. We then enter the information for the printer.

Sources I found said to enter the IP address of the printer (not the print server). Because of problems encountered later on, I tried both IP addresses, but without success. Here (below) I have the IP address of the printer itself:




5. I disable "Point and Print Restrictions"




6. I link "GPP-PRINT" to the OU containing the test computer (PC1).




7. On PC1, I reboot and I try "gpupdate /force". The RSOP tool shows that the policy does apply. This is the part where "Point and Print Restrictions" are disabled.




However, the HP LaserJet 4200 is not installed. Instead, we have warning and error messages in the Event Viewer logs: EventIDs 600, 601 and 4098.

***

EventID 600
The print spooler failed to import the printer driver that was downloaded from \\SVR-004\print$\x64\PCC\ntprint.inf_amd64_33076fad6e030706.cab into the driver store for driver Microsoft enhanced Point and Print compatibility driver. Error code= 800f0247. This can occur if there is a problem with the driver or the digital signature of the driver.

***


EventID 601

The print spooler failed to download and import the printer driver from \\SVR-004 into the driver store for driver Microsoft enhanced Point and Print compatibility driver. Error code= 800f0247.

***



EventID 4098

The computer '10.0.0.18' preference item in the 'GPP-PRINT {32F99E49-5138-4A32-9956-50E8FDA2E402}' Group Policy object did not apply because it failed with error code '0x800703eb Cannot complete this function.' This error was suppressed.


***
This is puzzling since the same drivers were just fine when we deployed the printers via Group Policy in a previous blog post.

I'm going to look around and ask around...
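To gather the three events quoted above from the client without clicking through Event Viewer, and to confirm what RSOP reports about "Point and Print Restrictions" against the registry the policy actually writes, the following script can be run on PC1. It is an added example, not part of the original post. It assumes that events 600 and 601 are in the Microsoft-Windows-PrintService/Admin log, that the Group Policy Preferences warning 4098 is in the Application log (source "Group Policy Printers"), that the session is elevated, and that the time window covers the last gpupdate.

```powershell
# Added example (not from the original post): collect the spooler and GPP
# events described above and the Point and Print Restrictions registry state.
# Assumptions: log names as noted in the lead-in; run as administrator.

function Get-GppPrinterDiagnostics {
    param([datetime] $StartTime = (Get-Date).AddHours(-1))

    # "Point and Print Restrictions" writes this key: absent = Not Configured,
    # Restricted = 0 when the policy is set to Disabled, 1 when Enabled.
    $pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pnp = Get-ItemProperty -Path $pnpKey -ErrorAction SilentlyContinue
    $pnpState = if ($null -eq $pnp)            { 'Not Configured' }
                elseif ($pnp.Restricted -eq 0) { 'Disabled (Restricted=0)' }
                else                           { "Enabled (Restricted=$($pnp.Restricted))" }

    # Spooler events about Point and Print driver download/import (600, 601).
    $spooler = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PrintService/Admin'
        Id        = 600, 601
        StartTime = $StartTime
    }
    # Group Policy Preferences client-side extension warning for the printer item (4098).
    $gpp = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Application'
        Id        = 4098
        StartTime = $StartTime
    }

    $events = @($spooler) + @($gpp) | Where-Object { $_ } | Sort-Object TimeCreated | ForEach-Object {
        # Decode a 0x8007xxxx HRESULT in the message back to its Win32 text,
        # e.g. 0x800703eb -> 1003 "Cannot complete this function".
        $decoded = ''
        if ($_.Message -match '0x8007([0-9a-fA-F]{4})') {
            $win32   = [Convert]::ToInt32($Matches[1], 16)
            $decoded = ([ComponentModel.Win32Exception]$win32).Message
        } elseif ($_.Message -match '0x800f[0-9a-fA-F]{4}') {
            # Facility 0x0F is SetupAPI, i.e. the driver-store/INF layer.
            $decoded = 'SetupAPI (driver store) facility error'
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Log     = $_.LogName
            Id      = $_.Id
            Source  = $_.ProviderName
            Decoded = $decoded
            Message = ($_.Message -split "`r?`n")[0]
        }
    }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        PointAndPrintPolicy = $pnpState
        Events              = $events
    }
}

$r = Get-GppPrinterDiagnostics
"Point and Print Restrictions on $($r.Computer): $($r.PointAndPrintPolicy)"
$r.Events | Format-Table Time, Id, Decoded, Message -AutoSize -Wrap
```

On the test machine described above, the expected output is "Disabled (Restricted=0)" for the policy (matching RSOP) together with the 600/601 pair from the spooler and the 4098 warning from the preference item, which separates the two questions: whether the GPO reached the client (it did) and whether the spooler accepted the driver from the print server (it did not).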