To change the password policy we’ll have first to open Group policy management which is located in “Administrative Tools” on your DC
Right click on “Default Domain Policy” in order to change the password policy for all users within a domain.
This will open the Group Policy Management editor as you can see below where you will have to navigate to “Computer configuration -> Security Settings -> Password Policy” and there you can disable the password complexity, adjust it or change any other settings.
Next when the Group policy opens up the configuration I will go to “Account Policies” and disable the “Password must meet complexity requirements” since this is what I simply want do in my case.
After changing the policy you will need to force updating the policy on all the domain joined clients by using the command line GPupdate /force
When this is finished, all clients must be restarted in order for the group policy change to take effect.
While I was doing a cross forest migration in a customer’s environment I had to make sure that of some computers’ logged in users before starting the migration process due to the customer’s policy how Computer hostnames are used.
There was about 500 computers, most of these computers don’t use their users’s names but company’s name and then a number e.g. (PC5123).
Luckily Mark Russinovich has provided the great PSTOOLS for administrators to work remotely and find out everything about user’s computers in domain without having to go physically or interact with the users.
So I had to download the tools from this link and use the following command to get the logged in user.
wmic /node:”smart0498″ ComputerSystem GET UserName
The server where you install ADMT can run any supported version of Windows Server, including Windows Server 2012 R2 and Windows Server 2012.
The source and destination domain controllers must be writeable, but they can run any supported version of Windows Server with a user interface (not Server Core), including Windows Server 2012 R2 and Windows Server 2012.
The source and destination domains must be at Windows Server 2003 domain functional level or higher.
The computers that can be migrated can run any supported version of Windows, including Windows 8.1.
You can use any version of SQL Server for the ADMT database.
The account you run ADMT under will need to have administrative rights in both the source and destination domain. You may decide to create a user specifically for the ADMT Migration, or you may use an existing user e.g. the default administrator account. I will create a user called ADMT and assign this user the correct permissions. This is the account we will use for the entire migration.
It is recommended that you make the user account in the destination domain and make it a member of the domain administrators group.
In the source domain add the same user to the builtin administrators group (you will be unable to add it to the domain administrators group).
You should install ADMT and SQL onto a member server in the destination forest. Use the ADMT service account explained in the previous post to install SQL and ADMT.
ADMT requires a preconfigured instance of SQL Server for its underlying data store, so we’ll go ahead and install SQL 2008 SP1 Express on ADMT.contoso.com
This error is purely within SQL Express 2008 and is not really to do with ADMT 3.2. The issue is fixed in “Cumulative update package 4 for SQL Server 2008”.
Unhelpfully, this error is identified in KB975055 as being only for Windows 7 and that it was fixed by SP1 – both incorrect. The issue does affect Win2008 R2 and is only fixed by the cumulative update.
Before installing SQL Server Express 2008 with SP1 (which will fail), first install:
Set an account for the SQL service to run under (use your ADMT Service Account).
Set a SQL administrator, choose the user account you plan to run ADMT under- be aware that this user account will need to have local administrative rights in the source domain (this will be discussed further in the series).
For this series I will be using ADMT 3.2, which is the supported version for Server 2008 R2. Use ADMT 3.1 for installation on a Server 2008 non-R2 server, or ADMT 3.0 for Server 2003. If you need to migrate a 2000 Domain Server, you will need to use ADMT version 3.1 or earlier.
Update Junes 2014 – ADMT 3.2 now supports Windows Server 2012 / 2012 R2.
Next you can leave the default value be used for the SQL installation.
Since this is a new installation then I won’t need to be importing any data from a previous database and will continue with the normal options.
The Installation of the ADMT tool is finished and next we’ll be preparing Permission in the next series and starting migration of users, Groups, Computers and i’ll talk about the issues that I had during the migration.
In the second part of this series (DC cross forest migration) I will demonstrate some major required steps for the migration from the old DC (lab.com) to the new DC (Contoso.com)
SQL Servers and their applications can’t be migrated due to SQL permissions and Schema mismatch.
Requirements are :
Destination DC Forest Function and domain function level must be set to at least 2008 R2 for ADMT3.2 to work
And a health check must be performed on the FSMO roles to make sure everything is functioning properly on the Source DC.. PDC, SchemaMaster..etc
The checks I will perform are
Check replication (In case there’s more than one DC In the source forest).
DC health (DCDiag tool)
Check the reachability of the PDC.
Netdom query FSMO ( this command will show you which DC in the source forest holds the roles exactly)
1- For Checking replication you can use the repadmin command line which checks replication between sites, DCS and reports any errors in between. in case you have one server in pace the following outcome should be printed for you.
Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllers running Microsoft Windows operating systems.
2- Check DC health using DCDIAG tool
Analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting
as they are multiple types of tests that can be applied with dcdiag depending on the parameter used. I will start with the DNS.
If the DNS is healthy then it should show as following. and we can continue to the next test.
For an extensive test, you can use the parameter /v along with this sign >c:\dcdiag.txt to export the test to a file and look at it line by line.
If everything sounds good and healthy we shall move on to the next step which is DNS configuration
DNS replication between both domains
Installing Windows 2008 R2 for ADMT 3.2
Setting up domain trust between forests.
DNS replication between the source and target domain
In order for the trust to be created between both forests, you either have to create a conditional forwarders that will copy the source zones to the destination DNS server and vice versa or you can create a secondary forwarder zone in destination DC for the source DC and vice versa.
In my case I will go for creating a secondary zone and to do this I will go to each DNS server and allow Zone to be transferred.
You can include only the IPs of the Source and Destination servers in the zone transfer and any additional DNS servers.
Now I a have created a secondary zone DNS and trying to resolve FQDNs from the source server as in the below snapshot.
Same will be done on the destination server.
Checking Name Resolution for both domains:
Once the nslookup works as expected from both servers then we’ll ahead with creating forest trust between both DCs.
Creating Forest trust between Source and Destination Domain.
In order for the trust to be created between both source and destination domains the PDC on the Destination Domain must be available.
1. Open the Active Directory Domains and Trusts, right click on the domain and click properties.
We will have to validate trust after creating it to make sure that trust in both ways are validated.
Now since trust is created and already validated both ways, we’ll have to add a GPO policy to update all clients with the new Domain name in the DNS suffix search list to resolve netbios names.
Updating DNS Suffix Search list:
DNS suffix search list:
In order to add the source and destination domains suffix to the dns suffix search list we will have to open GPO on the destination Domain (Contoso.com)
On the target domain (contoso.com) we’ll have to open GPO .
Right Click on default domain policy / Edit
Go to (Computer Configuration \ Policies \ Administrative Templates \ Network \ DNS client
Double click on the DNS Suffix Search list to open it and enable it.
Click ok and apply the police and see how it should show in the report.
Once this is done and policy is applied among all clients you should have no problem and it should show first on the DC where you applied the policy.
– Enable User Data and Profiles mentioned above is the setting which drives the control of Folder Redirection and Remote User Profiles.
The above configuration by Default is set to NO. Once enabled (set to YES), it passes the control of Folder Redirection, Offline Files, and Remote User Profiles to WMI and stores this configuration under the registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UserState\UserStateTechnologies\ConfigurationControls
TCP/IP crashes and errors: Hotfix released to correct a crash in TCP/IP.
Microsoft Active Directory 2008R2 with Exchange 2010
Requirements for migration
1- New Windows Server 2012 R2 server to be prepared.
2- Join the new Server to the old Dc.
First I will be Installing the new Server windows 2012 R2 which I will migrate all the roles to after preparing it and joining it to the domain as in the following snapshots.
Below I will add the server to the current existing DC.
Here I will leave the default settings but will have to enter the DSRM password as it’s mandatory.
to migrate the AD Operations Master roles. The simplest way to move these roles is via PowerShell. On Server 2012 AD PowerShell modules, this can be done from anywhere. Simply run the following command to view you current configuration, and change them:
PS C:\> netdom query FSMO
In order to Migrate all the roles from the DC (Kibtek.local) to the new Server I will use the following powershell cmdlet.