Archive for March 2014

Adding Excel 2010 Add-ins for all users on an RDS Farm

plus sign

The Requirements

To make 2 x Excel 2010 Add-ins load automatically whenever anyone logged into Excel 2010 on any RDS Server in the farm using their roaming profile

  • 4 x Windows 2008 R2 Remote Desktop Servers in an RDS Farm
  • 1 x Excel 2010 installed on each RDS Server
  • 2 x Excel 2010 Add-ins
  • Roaming Profiles
  • For testing purposes the D Drive was a trusted location in Excel (Via Group Policy)
  • For testing purposes, macros were enabled without prompting (Via Group Policy)

This was actually more complicated than it first looked. We found that on a per user basis when they manually add the add-ins through Excel then it retained the settings through the roaming profile no matter what server in the farm they were on which was great but we wanted to take the user aspect out of it

Adding Excel Add-ins (Unautomated)

  • Open Excel
  • Click File > Options > Add-ins

Excel Add-ins2

  • Click Go and you will see the default add-ins which come with Excel

Excel Add-ins3

  • Browse to your Add-ins and select them
  • They should then show up

Excel Add-ins5

  • If you have a look in the registry then you will see the add-ins under the following paths. Note the first Add-in is called OPEN, the second is called OPEN1 and so on
  • HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\OPEN
  • HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\OPEN1

Excel Add-ins1

What we tested to start with

We thought it might be worth a try putting the RDS Server into Install mode and installing the Add-ins

Excel Add-ins6

  • Open Excel > File > Options > Add-ins > Go Install the Add-ins under an Admin account and then close Excel
  • Come out of Install Mode

Excel Add-ins7

  • But this didn’t work for any new users logging into the server either. The Add-ins did not appear but apparently this did work for someone who posted in a forum
  • Next we had a look to see if we could use Group Policy. Note you have to download and install the relevant Microsoft Office Templates so you can see them in GPME. See below pic

Excel Add-ins8

  • But lo and behold there was not anything relating to Excel Add-ins or exactly what we needed. Apparently you are meant to be able to customise every aspect of Excel through GP but it sometime requires specialist knowledge and programming experience which we didn’t particularly want to get into.
  • Just as a note, we searched the web for a simple resolution to this and although you can find people with the same problem, we couldn’t find anyone who had this working
  • Next we will show you how we got this working via 3 methods. There may be other better solutions but these worked for us!

Working Solution 1 (Write a batch script containing reg syntax)

Bear in mind that this will be a brand new user logging into a server and opening Excel so we need to take into account that some of the necessary Office registry keys will not exist and we are using Office 2010.

The first thing we thought we could would be to write a short batch script which added the keys into the registry as per next 6 lines.

Note: If writing the below into Notepad then DO NOT USE WORD WRAP and note the “\” which enclose any path which has spaces

  • REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\ /f
  • REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ /f
  • REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\ /f
  • REG ADD “HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\ \Options\ /f
  • REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\ /v OPEN /t REG_SZ /d “\”D:\Program Files (x86)\ibm\cognos\tm1\bin\tm1p.xla”\” /f
  • REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\ /v OPEN1 /t REG_SZ /d “\”D:\Program Files (x86)\ibm\cognos\tm1\bin\ManCalcv2.xlam”\” /f
  • Here is what it looks like

regadd script

  • You can the save this as a .bat file and load it into a Group Policy to run at Startup or User Logon

The Second solution (PowerShell Script)

I found this PowerShell Script which adds Excel Addins. Thanks to Jan Egil Ring

http://poshcode.org/1811

  • Copy the script into a notepad file
  • Change the name of your Add-in (Circled below)
  • Change the Path to your Add-in (Circled below)
  • Save script with a .ps1 suffix

PowerShellexcel

  • Next go to Group Policy
  • Create a new User Group Policy
  • Navigate to User Configuration > Windows Settings > Scripts (Logon/Logoff)

powershell02

  • Double click on Logon
  • Click on PowerShell Scripts

powershell03

  • Click Add

powershell04

  • Click Browse
  • From here, I click Add, and click Browse. The Add a Script dialog appears. The Browse button opens a Windows Explorer window that is centered on the SysVol share for the domain. I then dragged and dropped my tm1p.ps1 script into the Logon script folder (SysVol Share)

powershell05

  • You should then see your script as per below screenprint

powershell06

  • Click Apply and OK
  • Go to the scope of the Policy and make sure the users or groups are selected for the policy
  • Open cmd.exe and type gpupdate /force
  • Try logging on as a brand new user to the server and see if the script runs and adds your Excel Add-in

The third Solution (Creating a Macro enabled Excel Template)

Thanks to Nicholas Cohen for providing this information

  • Open Excel 2010 on one of your RDS Servers
  • Press ALT F11 to open Visual Basic for Applications
  • Right click on VBAProject (Book1) and select Insert > Module

Excel Add-ins9

  • You will then need to copy and paste the following code into the module box

Sub InstallAddIn(strFileName As String)
Dim AI As Excel.AddIn
Set AI = Application.AddIns.Add(Filename:=strFileName)
AI.Installed = True
End Sub

Sub Auto_Open()

‘replace stuff in quotes with the network path to the add-in
‘this path obviously must be accessible by the user
InstallAddIn (“D:\Program Files (x86)\ibm\cognos\tm1\bin\tm1p.xla”)
InstallAddIn (“D:\Program Files (x86)\ibm\cognos\tm1\bin\ManCalcv2.xlam”)

‘replace below code with the name of the macro that you want to run when it’s open. You need to know names of what’s inside the Add-in to put here which is why this is commented out as an example but it will run anyway with the below path
‘code/routines in add-in tm1p.xla
‘code/routines in add-in Mancalcv2.xlam
‘repeat ad-infinitum….

End Sub

  • It should look like the below

Excel

  • Now go back to Excel and do File > Save As >
  • Give it a name and save it as an Excel Macro-Enabled Template to the desktop or wherever convenient

Exceladdins21

  • Now the next task will be to put this Excel Template into the users roaming profile path under the XLSTART Folder which in most people’s case will be either of these 2 paths
  • \\server\Profiles\AppData\Roaming\Microsoft\Excel\XLSTART
  • \\server\Home\AppData\Roaming\Microsoft\Excel\XLSTART
  • Note: We redirect our users AppData folder to their home folder
  • This can then be scripted and put in a Group Policy

Exceladdins22

  • Next I’ll look at a script to do this but I haven’t got round to it yet as the PowerShell script seemed neater.

The Fourth Solution

This next solution was an added requirement to adding Excel Add-ins in a Terminal Server environment.

We had developers who logged into 2 different Terminal Server Farms and used different add-ins on each one. What we found is that the above scripts would sometimes overwrite existing add-ins when swapping from one farm to the next so we needed a script which checked if any of the Excel OPEN keys had values to start with, ignore them and add the Excel add-ins to the next available OPEN Key

Thanks very much to oBda of Experts Exchange for this script.

@echo off
setlocal enabledelayedexpansion
set AddinList[1]="D:\Program Files (x86)\ibm\cognos\tm1\bin\tm1p.xlam"
set AddinList[2]="D:\Program Files (x86)\ibm\cognos\tm1\bin\ManCalcv.xlam"
set Key=HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options
set Quiet=0
set LastIndex=10
for /f "tokens=1* delims==" %%a in ('set AddinList[') do (
	if %Quiet%==0 echo Processing '%%b'
	set Value=
	set FoundAt=
	set Data=%%b
	set CompareData=!Data:"=!
	for /l %%i in (0, 1, %LastIndex%) do (
		if %%i==0 (set TestValue=OPEN) else (set TestValue=OPEN%%i)
		reg.exe query "%Key%" /v "!TestValue!" >NUL 2>&1
		if errorlevel 1 (
			if "!Value!"=="" (
				if %Quiet%==0 echo !TestValue! ... free.
				set Value=!TestValue!
			)
		) else (
			if %Quiet%==0 echo !TestValue! ... already used.
			for /f "tokens=2*" %%o in ('reg.exe query "%Key%" /v "!TestValue!"') do set CompareDataExisting=%%p
			set CompareDataExisting=!CompareDataExisting:"=!
			if /i "!CompareData!"=="!CompareDataExisting!" set FoundAt=!TestValue!
		)
	)
	if "!Value!"=="" (
		echo ERROR: Unable to find an empty index in the range of 0..%LastIndex%
		goto :eof
	)
	if "!FoundAt!"=="" (
		reg.exe add "%Key%" /v "!Value!" /t REG_SZ /d "!Data:"=\"!" /f >NUL
		if errorlevel 1 (
			echo ERROR: Could not create value '!Value!' with data '!Data!' at '%Key%'
		) else (
			if %Quiet%==0 echo Value successfully added.
		)
	) else (
		if %Quiet%==0 echo Found data in '!FoundAt!', nothing added.
	)
)

Installing the Microsoft Remote Desktop Gateway Role Service

gw

What is Microsoft Remote Desktop Gateway?

A Remote Desktop Gateway (RD Gateway) server is a type of gateway that enables authorized users to connect to remote computers on a corporate network from any computer with an Internet connection. RD Gateway uses the Remote Desktop Protocol (RDP) along with the HTTPS protocol to help create a more secure, encrypted connection.

In earlier versions of Remote Desktop Connection, people couldn’t connect to remote computers across firewalls and network address translators because port 3389—the port used for Remote Desktop connections—is typically blocked to enhance network security. However, an RD Gateway server uses port 443, which transmits data through a Secure Sockets Layer (SSL) tunnel.

Benefits of an RD Gateway server

  • Enables Remote Desktop connections to a corporate network from the Internet without having to set up virtual private network (VPN) connections.
  • Enables connections to remote computers across firewalls
  • Allows you to share a network connection with other programs running on your computer. This enables you to use your ISP connection instead of your corporate network to send and receive data over the remote connection.

How does RD Gateway work?

When a client makes a connection, RD Gateway first establishes SSL tunnels between itself and the external client. Next, RD Gateway checks the client’s user (and optionally the computer) credentials to make sure that the user / computer are authorized to connect to RD Gateway. Then RD Gateway makes sure the client is allowed to connect to the requested resource. If the request is authorized then RD Gateway sets up an RDP connection between itself and the internal resource. All communication between the external client and the internal endpoint goes through RD Gateway

Connections to RD Gateway use the RDGSP protocol. RDGSP creates two SSL tunnels (one for incoming data and one for outgoing data) from the external client to RD Gateway. Once the tunnels are established the client and RD Gateway establish a main channel over each tunnel. Data between client and the destination machine is sent over the channels and RD Gateway sits in the middle proxying the data back and forth

RD Gateway2

RDGSP uses a transport to create the channels.  In Windows Server 2008 R2, RDGSP used the RPC over HTTP transport. RPC over HTTP is still available for down-level RDP clients, but whenever available, RDP 8.0 clients will use the new and much more efficient HTTP transport. The difference is this: RPC over HTTP makes RPC calls for every data transfer to and from the client. This adds significant CPU overhead. The new HTTP transport does not have this overhead so it’s possible to accommodate up to twice as many RDP sessions on the same hardware.

Important Notes about Certificates

The certificate must meet these requirements:

  • The name in the Subject line of the server certificate (certificate name, or CN) must match the DNS name that the client uses to connect to the TS Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates. If your organization issues certificates from an enterprise CA, a certificate template must be configured so that the appropriate name is supplied in the certificate request. If your organization issues certificates from a stand-alone CA, you do not need to do this.
  • The certificate is a computer certificate.
  • The intended purpose of the certificate is server authentication. The Extended Key Usage (EKU) is Server Authentication (1.3.6.1.5.5.7.3.1).
  • The certificate has a corresponding private key.
  • The certificate has not expired. We recommend that the certificate be valid one year from the date of installation.
  • A certificate object identifier (also known as OID) of 2.5.29.15 is not required. However, if the certificate that you plan to use contains an object identifier of 2.5.29.15, you can only use the certificate if at least one of the following key usage values is also set: CERT_KEY_ENCIPHERMENT_KEY_USAGE, CERT_KEY_AGREEMENT_KEY_USAGE, and CERT_DATA_ENCIPHERMENT_KEY_USAGE.
  • The certificate must be trusted on clients. That is, the public certificate of the CA that signed the TS Gateway server certificate must be located in the Trusted Root Certification Authorities store on the client computer

Checklist to install the Remote Desktop Gateway Role

  1. Install the Remote Desktop Gateway role service.
  2. Obtain a certificate for the RD Gateway server.
  3. Create a Remote Desktop connection authorization policy (RD CAP)
  4. Create a Remote Desktop resource authorization policy (RD RAP)
  5. Configure the Remote Desktop Services client for RD Gateway.

Install the Remote Desktop Gateway Role

  • Open Server Manager and select Add Roles and Features. You will get the Before you begin page. Click Next

rdgateway1

  • Select Installation Type. Choose Role based or Feature based Installation

rdgateway2

  • Select Destination Server

rdgateway3

  • Select Server Roles. Choose Remote Desktop Services

rdgateway4

  • Click Next on Features

rdgateway5

  • Click Next on Remote Desktop Services Page
  • On the Select Role Services, choose Remote Desktop Gateway

rdgateway7

  • Click Add Features

rdgateway8

  • On the Network Policy and Access Screen, click Next

rdgateway9

  • Leave Network Policy Server checked

rdgateway10

  • Confirm Installation Selections and click Install

rdgateway11

  • Next launch Remote Desktop Gateway Manager by going to Server Manager > Tools > Terminal Services > Remote Desktop Gateway Manager

rdgateway12

  • Select the Servername and you will see several messages to further configure this server

rdgateway13

  • Select View or modify certificate properties
  • You do not need a certification authority (CA) infrastructure within your organization if you can use another method to obtain an externally trusted certificate that meets the requirements for TS Gateway. If your company does not maintain a stand-alone CA or an enterprise CA and you do not have a compatible certificate from a trusted public CA, you can create and import a self-signed certificate for your TS Gateway server for technical evaluation and testing purpose
  • I am going to use a Self-Signed Certificate. Select Create and Import Certificate.

rdgateway14

  • The following screen will come up

rdgateway15

  • It will pop up with a confirmation box below

rdgateway16

  • In the Server Farm tab, enter the name of the Remote Desktop Gateway Server and click Add
  • The add the second Remote Desktop Gateway Server etc if you have one

rdgateway17

  • Now have a look at the other settings
  • Look at General

rdgateway20

  • Look at Transport Setttings

rdgateway18

  • Next is RD CAP Store

rdgateway19

  • Look at Messaging

rdgateway21

  • Look at SSL Bridging

rdgateway22

  •  Look at Auditing

rdgateway23

  • Now we need to define Connection Authorization Policy. Select Create connection authorization policy.

rdgateway24

  • Click Requirements and add your User Groups or Computer Groups

rdgateway25

  • Click on Device Redirection

rdgateway26

  • Click on Timeouts

rdgateway27

  • Next go back to the main console and create a resource authorization policy

rdgateway28

  • Click User Groups and add a group or groups

rdgateway29

  • Click Network Resource

rdgateway30

  • Click Allowed Ports

rdgateway31

  •  Complete
  • Now test your mstsc access!

Useful Step by Step Guide from Microsoft

http://technet.microsoft.com/en-us/library/cc771530%28v=ws.10%29.aspx

PDF Guide

TS Gateway Step by Step Guide

Useful Notes about Certificates

http://go.microsoft.com/fwlink/?LinkID=74577

Useful RD Gateway Firewall Blog

http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx

Resolving Issues

  • You must make sure you have the correct certificates. You must use a certificate with a SAN (Subject Alternative Name) and this must match the internal FQDN.

RDWEB4

  • You must make sure you have set up the correct RAPs and CAPs
  • You used password authentication but the TS Gateway server is expecting smart card authentication (or vice versa
  • Make sure you haven’t limited connections
  • Check DNS for individual servers and RDS Farms
  • Check Event Viewer on the Gateway Server > Event Viewer > Applications and Services Logs > Microsoft > Windows > TerminalServices-Gateway > Operational
  • You may have a Port assignment conflict. You can use netstat tool to determine if port 3389 (or the assigned RDP port) is being used by another application on the Remote Desktop server
  • Users must be a member of the Remote Desktop Group on the servers they want to connect to

If using RD Gateway with RD Web Access then it can be useful to check the following

  • If you are using a Terminal Server Farm, you need to make sure the Start > All Programs > Administrative Tools >  Remote Desktop Services > Remote Desktop Session Host Configuration has the following set for Networking

RDWEB1

RDWEB2

  • Sometimes you may need to check NIC Order in Network Connections

RDWEB3

  • In RemoteApp Manager check you have a FQDN in your RemoteApp Deployment Settings and the port is correct
  • Check RD Gateway Settings are correct. Note I have blanked out the FQDN but this should be the case in these fields

RDWEB5

  • Make sure on each individual RDS Server in a farm that you have the Connection Broker Server and the RD Web Access Server.

Using Registry Keys using REG Commands

Cog

Using the REG Commands

There are a lot of options and switches for the REG command. There are options to query, add, and delete keys, subkeys, and value names

reg add 2

The reason I have blogged about this is that we had to set some keys at my work and this works quite nicely if you write a bat script containing your relevant REG commands and add this to a GPO at User Logon

reg add

Writing a quick bat script

This is an example of something quick and easy to use

  • Open Notepad
  • Type Echo Off at the top to stop users seeing the script scrolling through
  • Look at the script below and see some of the switches and where to put quote marks etc

TestApp

  • The various switches you can use are listed in the screeprint above
  • You can then put this script for example on the C:\ of the server
  • Open Group Policy Management and create a new GPO
  • Navigate to User Configuration > Policies > Administrative Templates > System > Logon > Run these programs at user logon

app2

  • Click Show and type in the name of your script

app1

  • Link GPO to the Computer OU you need this applied to
  • Finish

Running a Hyper V VM within VMware vSphere 5.5

Windowsicon

The Issue

I wanted to set up 2 Microsoft Server 2012 Hyper V Hosts within my VMware 5.5 test environment but found that when it came to going through the Add Features > Hyper V component and selecting Hyper V that I received the message below

HypervErrror

The Fix

  • Shutdown the VM
  • Go into the VMware Datastore and locate your Hyper V Folder
  • You need to locate the .vmx file and download it to your desktop

hyperverror2

  • Open the vm.vmx file in Notepad and you will need to add the following 3 strings to the VM.vmx file
  • hypervisor.cpuid.v0 = “FALSE”
  • mce.enable = “TRUE”
  • vhv.enable = “TRUE”
  • See file screeprint below

hyperverror4

  • Power the machine on
  • Open Server Manager
  • Add Roles and Features
  • Select Hyper V

hyperverror5

  • You now should be able to install Hyper V

 

Group Policy and Microsoft Office Templates on Server 2008 R2

Policy

Managing Group Policy ADMX Files

Microsoft Windows Vista® and Windows Server 2008 introduce a new format for displaying registry-based policy settings. Registry-based policy settings (located under the Administrative Templates category in the Group Policy Object Editor) are defined using a standards-based, XML file format known as ADMX files. These new files replace ADM files, which used their own markup language. The Group Policy tools; Group Policy Object Editor and Group Policy Management Console remain largely unchanged. In the majority of situations, you won’t notice the presence of ADMX files during day-to-day Group Policy administration tasks.

ADMX files provide an XML-based structure for defining the display of the Administrative Template policy settings in the Group Policy tools. The Group Policy tools will recognize ADMX files only if you are using a Windows Vista–based or Windows Server 2008–based computer.

Unlike ADM files, ADMX files are not stored in individual GPOs. For domain-based enterprises, administrators can create a central store location of ADMX files that is accessible by anyone with permission to create or edit GPOs. Group Policy tools will continue to recognize custom ADM files you have in your existing environment, but will ignore any ADM file that has been superseded by ADMX files: System.adm, Inetres.adm, Conf.adm, Wmplayer.adm, and Wuau.adm. Therefore, if you have edited any of the these files to modify existing or create new policy settings, the modified or new settings will not be read or displayed by the Windows Vista–based Group Policy tools.

The Group Policy Object Editor automatically reads and displays Administrative Template policy settings from ADMX files that are stored either locally or in the optional ADMX central store. The Group Policy Object Editor will automatically read and display Administrative Template policy settings from custom ADM files stored in the GPO. You can still add or remove custom ADM files with the Add/Remove template menu option. All Group Policy settings currently in ADM files delivered by the Windows Server 2003, Windows XP, and Windows 2000 will also be available in Windows Vista and Windows Server 2008 ADMX files.

Note: I have tested the Co-Existence of the 2007 Microsoft Office Templates and the 2010 Microsoft Office Templates and they seem to work together nicely. See pic below. The same process applies to adding a second lot of templates

Office2007templates

Procedure

officegpo11

  • The central store is a folder structure created in the Sysvol directory on the domain controllers in each domain in your organization. You will need to create the central store only once on a single domain controller for each domain in your organization. The File Replication service then replicates the central store to all domain controllers in a domain. However, it is recommended that you create the central store on the primary domain controller. Group Policy Management Console and Group Policy Object Editor can use ADMX files more quickly because Group Policy tools connect to the primary domain controller by default.
  • Create a subfolder of \\dacmt.local\sysvol\domain\Policies\PolicyDefinitions\en-us for each language your Group Policy administrators will use. Each subfolder is named after the appropriate ISO-style Language/Culture Name. E.g %domain%\sysvol\domain\policies\PolicyDefinitions\en-us

officegpo12

  • Run the Office 2010 Administrative Template exe as per below and save the 3 folders into a temp folder

officegpo1

  • Save into a temp folder for now

officegpo2

  • You should now see the following 3 folders

officegpo3

  • Go to your downloaded Office 2010 files and copy the admx files into the %domain%\sysvol\domain\policies\PolicyDefinitions folder
  • Go to your downloaded files and copy the adml files into the %domain%\sysvol\domain\policies\PolicyDefinitions\EN-US Folder
  • You now need to go to c:\Windows\Policy Definitions and copy what is in here into the \\dacmt.local\sysvol\domain\Policies\PolicyDefinitions\ folder and the \\dacmt.local\sysvol\domain\Policies\PolicyDefinitions\en-us folder as this will allow you to see the existing Administrative Templates along with the new Office ones

officegpo13

  • Open Group Policy Management console and you should now see the following

officegpo14

If you then navigate into each Office Setting. For example, go into Microsoft Office, you can suppress the initial box which pops up saying Welcome to Microsoft Office etc

officegpo10

  • And this is the Group Policy below which will stop the above screen

officegpo9

  • Now you can go through any which you need to apply
  • Voila 🙂

Useful Links

http://technet.microsoft.com/en-us/library/cc748955%28v=ws.10%29.aspx

http://technet.microsoft.com/en-us/library/gg490629%28v=office.14%29.aspx

Understanding Active Directory Domain Services (AD DS) Functional Levels

level

What are Functional Levels?

Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.

When you deploy AD DS, you need to set the domain and forest functional levels to the highest value that your environment can support. This way, you can use as many AD DS features as possible. For example, if you are sure that you will never add domain controllers that run Windows Server 2003 to the domain or forest, select the Windows Server 2008 functional level during the deployment process. However, if you might retain or add domain controllers that run Windows Server 2003, select the Windows Server 2003 functional level.

When you deploy a new forest, you are prompted to set the forest functional level and then set the domain functional level. You cannot set the domain functional level to a value that is lower than the forest functional level. For example, if you set the forest functional level to Windows Server 2008, you can set the domain functional level only to Windows Server 2008. In this case, the Windows 2000 native and Windows Server 2003 domain functional level values are not available. In addition, all domains that you subsequently add to that forest have the Windows Server 2008 domain functional level by default.

You can set the domain functional level to a value that is higher than the forest functional level. For example, if the forest functional level is Windows Server 2003, you can set the domain functional level to Windows Server 2003or higher.

Guidelines for raising domain and forest functional levels

  • You must be a member of the Domain Admins group to raise the domain functional level.
  • You must be a member of the Enterprise Admins group to raise the forest functional level.
  • You can raise the domain functional level on the primary domain controller (PDC) emulator operations master only. The AD DS administrative tools that you use to raise the domain functional level (the Active Directory Domains and Trusts snap-in and the Active Directory Users and Computers snap-in) automatically target the PDC emulator when you raise the domain functional level.
  • You can raise the forest functional level on the schema operations master only. Active Directory Domains and Trusts automatically targets the schema operations master when you raise the forest functional level.
  • You can raise the functional level of a domain only if all domain controllers in the domain run the version or versions of Windows Server that the new functional level supports.
  • You can raise the functional level of a forest only if all domain controllers in the forest run the version or versions of Windows Server that the new functional level supports.
  • You cannot set the domain functional level to a value that is lower than the forest functional level, but you can set it to a value that is equal to or higher than the forest functional level.
  • With versions of Windows Server that are earlier than Windows Server 2008 R2, you cannot roll back or lower a functional level under any circumstances. If you have to revert to a lower functional level with a version of Windows Server that is earlier than Windows Server 2008 R2, you must rebuild the domain or forest or restore it from a backup copy.
  • After you set the domain functional level, you cannot roll back or lower the domain functional level except in the cases listed in the following table. The domain functional level can be lowered only by using Windows PowerShell

Rollback

  • Make sure replication is working properly

Checking Replication

  • repadmin /replsum

replication1

  • repadmin /showrepl

replication2

  • repadmin /bridgeheads

replication3

  • dcdiag /v (checking overall health of the domain)

replication4

Checking what Domain Controllers and FSMO roles you have

fsmo

Features available at Forest Function Levels

Windows 2003

  • Domain rename
  • Linked-value replication. Linked-value replication makes it possible for you to change group membership to store and replicate values for individual members instead of replicating the entire membership as a single unit. Storing and replicating the values of individual members uses less network bandwidth and fewer processor cycles during replication, and prevents you from losing updates when you add or remove multiple members concurrently at different domain controllers.
  • The ability to deploy a read-only domain controller (RODC)
  • Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The intersite topology generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than AD DS can support at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less-intrusive mechanism for choosing the ISTG at the Windows 2000 forest functional level.
  • The ability to create instances of the dynamic auxiliary class named dynamicObject in a domain directory partition
  • The ability to convert an inetOrgPerson object instance into a User object instance, and to complete the conversion in the opposite direction
  • The ability to create instances of new group types to support role-based authorization.
    These types are called application basic groups and LDAP query groups.
  • Deactivation and redefinition of attributes and classes in the schema. The following attributes can be reused: ldapDisplayName, schemaIdGuid, OID, and mapiID.
  • Domain-based DFS namespaces running in Windows Server 2008 Mode, which includes support for access-based enumeration and increased scalability.

Windows 2008

All of the features that are available at the Windows Server 2003 forest functional level, but no additional features are available. All domains that are subsequently added to the forest, however, operate at the Windows Server 2008 domain functional level by default.

Windows 2008 R2

  • All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:
  • Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running.
  • All domains that are subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default.
  • If you plan to include only domain controllers that run Windows Server 2008 R2 in the entire forest, you might choose this forest functional level for administrative convenience. If you do, you will never have to raise the domain functional level for each domain that you create in the forest.

Windows 2012

  • All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.
  • All domains that are subsequently added to the forest will operate at the Windows Server 2012 domain functional level by default

Windows 2012 R2

  • All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.
  • All domains that are subsequently added to the forest will operate at the Windows Server 2012 domain functional level by default

Features available at Domain Function Levels

Windows Server 2003

  • Universal groups for both distribution and security groups.
  • Group nesting
  • Group conversion, which allows conversion between security and distribution groups
  • Security identifier (SID) history
  • The domain management tool, Netdom.exe, which makes it possible for you to rename domain controllers
  • Logon time stamp updates
    The lastLogonTimestamp attribute is updated with the last logon time of the user or computer. This attribute is replicated within the domain.
  • The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects
  • The ability to redirect Users and Computers containers
    By default, two well-known containers are provided for housing computer and user accounts, namely, cn=Computers,<domain root> and cn=Users,<domain root>. This feature allows the definition of a new, well-known location for these accounts.
  • The ability for Authorization Manager to store its authorization policies in AD DS
  • Constrained delegation
    Constrained delegation makes it possible for applications to take advantage of the secure delegation of user credentials by means of Kerberos-based authentication.
    You can restrict delegation to specific destination services only.
  • Selective authentication
    Selective authentication makes it is possible for you to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest

Windows Server 2008

  • All of the default AD DS features, all of the features from the Windows Server 2003 domain functional level, and the following features are available:
  • Distributed File System (DFS) replication support for the Windows Server 2003 System Volume (SYSVOL)
    DFS replication support provides more robust and detailed replication of SYSVOL contents.
  • Beginning with Windows Server 2012 R2, File Replication Service (FRS) is deprecated. A new domain that is created on a domain controller that runs at least Windows Server 2012 R2 must be set to the Windows Server 2008 domain functional level or higher
  • Domain-based DFS namespaces running in Windows Server 2008 Mode, which includes support for access-based enumeration and increased scalability. Domain-based namespaces in Windows Server 2008 mode also require the forest to use the Windows Server 2003 forest functional level.
  • Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol. In order for TGTs to be issued using AES, the domain functional level must be Windows Server 2008 or higher and the domain password needs to be changed.
  • Last Interactive Logon Information
  • Fine-grained password policies make it possible for you to specify password and account lockout policies for users and global security groups in a domain
  • Personal Virtual Desktops

Windows Server 2008 R2

  • All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus the following features:
  • Authentication mechanism assurance, which packages information about the type of logon method (smart card or user name/password) that is used to authenticate domain users inside each user’s Kerberos token. When this feature is enabled in a network environment that has deployed a federated identity management infrastructure, such as Active Directory Federation Services (AD FS), the information in the token can then be extracted whenever a user attempts to access any claims-aware application that has been developed to determine authorization based on a user’s logon method.
  • Automatic SPN management for services running on a particular computer under the context of a Managed Service Account when the name or DNS host name of the machine account changes

Windows Server 2012

  • The KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require Windows Server 2012 domain functional level.

Windows Server 2012 R2

  • DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer: Authenticate with NTLM authentication, Use DES or RC4 cipher suites in Kerberos pre-authentication, Be delegated with unconstrained or constrained delegation, Renew user tickets (TGTs) beyond the initial 4 hour lifetime
  • Authentication Policies: New forest-based Active Directory policies which can be applied to accounts in Windows Server 2012 R2 domains to control which hosts an account can sign-on from and apply access control conditions for authentication to services running as an account.
  • Authentication Policy Silos: New forest-based Active Directory object, which can create a relationship between user, managed service and computer, accounts to be used to classify accounts for authentication policies or for authentication isolation.

NTDSUTIL

This tool can remove old AD DC metadata which can stop the raising of Functional Levels

https://technet.microsoft.com/en-us/library/cc728068%28WS.10%29.aspx

ntdsutil

The GUI Metadata Cleanup Utility

The GUI Metadata Cleanup Utility removes Active Directory domain controller metadata left behind after a domain controller is removed improperly or unsuccessfully

https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3

Forest Recovery Information

https://technet.microsoft.com/en-us/library/8e3e4377-ef54-4a70-9215-a5d2ba4d0eb9%28v=ws.10%29#BKMK_ResetTrustPassword

http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx

Useful Microsoft Link

https://technet.microsoft.com/library/understanding-active-directory-functional-levels%28WS.10%29.aspx

Questions?

  • Once you have upgraded the Domain functional level, how long should you wait before upgrading the forest functional level?

The change should take effect immediately as soon as the operation completes on the server. if you have multiple DC’s or domain, it may take longer. If you have plenty of time and want to play it safe, wait 24 hours but normally 15 minutes is fine. if you have multiple DC’s, you can log into each DC and verify the functional level.

  • By raising the root domain functional level, will this automatically raise any child domains or do we need to raise the level on the PDC of the root domain then raise the level on the PDC in the child domain? Or do we do the child first then the root domain?

Each individual domain PDCe is responsible for maintaining it’s domain functional level.  Because of this, where you raise the domain functional level first, does not matter (parent domain or child domain).  Each domain’s DC’s will operate at the domain functional level of it’s PDCe (so long as it is supported).  The Forest Functional Level affects all domains.  As such all domains must be operating at or above the proposed Forest Functional Level.

  • What is the best way to recover if things don’t go to plan? For e.g With a root domain with 2 DCs and a child domain with 5 DCs?

Before Windows Server 2008 R2, the only ways to recover are rebuild or restore from backup.

As the PDCe is responsible for the Domain Functional Level and the Schema Operations Master is responsible for the Forest Functional Level, first, you would have to restore the server that holds the Schema Operations Master in the Parent domain (if you will be reverting to a Domain Functional Level less than allowed by the Forest Functional Level). Then you would restore the server that holds the PDCe FSMO role for each child domain.

  • If we are running at Windows 2000 native domain level with all Windows 2008 R2 servers, can we raise the domain functional level straight to Windows Server 2008 R2?

If all of your DC’s are running Windows Server 2008 R2 then yes.