Sunday, 28 September 2014

How to rename a domain controller in Windows server 2008/R2

Understanding the concept

There are often scenarios in which you need to rename a domain controller, whether it is the primary domain controller or one of the secondary controllers. This can be done either through the GUI or from the command line; the recommended way is the command line, using the netdom command. The netdom command updates the Service Principal Name (SPN) attributes in Active Directory Domain Services (AD DS) for the computer account and registers Domain Name System (DNS) resource records for the new computer name. The SPN value of the computer account must replicate to all domain controllers in the domain, and the DNS resource records for the new name must reach all DNS servers authoritative for the domain, before the old name is removed; otherwise some clients may be unable to locate the computer under either the new name or the old one. The one remaining issue is that the corresponding nTFRSMember or msDFSR-Member object is not renamed automatically. Its reference attributes are set correctly, so SYSVOL replication is not affected, but if another domain controller is later created with the same NetBIOS name as the old one, a conflict can occur. To avoid that conflict, refer to the MS article.

Note: If you are renaming one of the secondary domain controllers, make sure there are no replication issues between the domain controllers; otherwise you may run into various problems during these steps.

Renaming the domain controller

Let us consider that I am renaming my primary domain controller, whose host name is 'server-1', to 'server-001'; my domain is ''. To summarize the actions we are going to perform: first we add a secondary host name to the server we want to rename, then we promote that secondary name to the primary host name of the server, and finally we delete the old host name.
1. Open a Command Prompt as an administrator: on the Start menu, right-click Command Prompt, and then click Run as administrator.
2. Type the following command to add the new domain controller name, and then press ENTER. The syntax is netdom computername CurrentComputerName /add:NewComputerName

netdom computername - Manages the primary and alternate names for a computer.
CurrentComputerName - The current, or primary, fully qualified DNS name of the computer that you are renaming.
/add: - Specifies that a new alternate DNS name should be added.
NewComputerName - The new fully qualified DNS name for the computer that you are renaming.

In my case the command becomes
netdom computername server-1 / and press ENTER. When the command succeeds, the new alternate name is added to your computer.

3. The domain controller now has two names. Make the secondary name the primary name of the domain controller:
netdom computername CurrentComputerName /makeprimary:NewComputerName
i.e. netdom computername server-1 / and press ENTER.
Once the command has executed successfully you need to restart the server for the change to take effect. Restart it and log on again.
4. If you check the domain controller's name you will see that it has changed. Now you need to remove the old name. Once again open a command prompt as administrator and execute the command below.
netdom computername NewComputerName /remove:OldComputerName
Here the command becomes netdom computername /
That's it, the rename of your domain controller is complete.
Note: If any of the commands above returns the error 'Element not found', make sure you specified NewComputerName and OldComputerName as fully qualified domain names.
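The three netdom steps above, wrapped in the checks an administrator would run around them, as an added example that is not part of the original post. The names server-1.example.com and server-001.example.com are constructed placeholders (the post's own domain is elided); netdom, repadmin and setspn are the tools that ship with Windows Server, and the FRS/DFSR member check assumes the Active Directory PowerShell module (Windows Server 2008 R2 RSAT). Run it once before the reboot and once after logging on again.

```powershell
# Added example, not from the post: the post's netdom steps plus the checks around them.
# Names are constructed placeholders; the post's own domain is elided.
param(
    [ValidateSet('Prepare', 'Finish')]
    [string]$Phase = 'Prepare'          # 'Prepare' before the reboot, 'Finish' after logging on again
)

$OldName = 'server-1.example.com'       # placeholder: current FQDN of the domain controller
$NewName = 'server-001.example.com'     # placeholder: FQDN it is being renamed to

function Invoke-Tool {
    # Runs a console tool and stops the script if the tool reports failure.
    param([string]$Tool, [string[]]$ToolArgs)
    Write-Host ">> $Tool $($ToolArgs -join ' ')"
    & $Tool @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Tool failed with exit code $LASTEXITCODE" }
}

function Test-ReplicationHealthy {
    # The post's note: do not rename a DC while replication is failing.
    # Heuristic: repadmin /replsummary prints one "fails / total" pair per DC; a non-zero
    # fails count means the SPN and DNS changes will not reach every DC promptly.
    $lines = repadmin /replsummary 2>&1
    if ($LASTEXITCODE -ne 0) { return $false }
    foreach ($line in $lines) {
        if ("$line" -match '^\s*\S+\s+\S+\s+(\d+)\s*/\s*\d+\s+\d+') {
            if ([int]$Matches[1] -gt 0) { Write-Warning "Replication failures reported: $line"; return $false }
        }
    }
    return $true
}

switch ($Phase) {
    'Prepare' {
        if (-not (Test-ReplicationHealthy)) { throw 'Fix replication before renaming the domain controller.' }
        # Step 2 of the post: add the new name as an alternate name.
        Invoke-Tool netdom @('computername', $OldName, "/add:$NewName")
        # Step 3: promote it to the primary name; a restart is required afterwards.
        Invoke-Tool netdom @('computername', $OldName, "/makeprimary:$NewName")
        Write-Host 'Restart the server, log on again and run this script with -Phase Finish'
    }
    'Finish' {
        $short = ($NewName -split '\.')[0]
        $hostName = [System.Net.Dns]::GetHostName()
        if ($hostName -ne $short) { throw "Host name is $hostName, expected $short. Was the server restarted?" }
        # Step 4: drop the old name, then let netdom confirm the DNS and SPN entries for the new one.
        Invoke-Tool netdom @('computername', $NewName, "/remove:$OldName")
        Invoke-Tool netdom @('computername', $NewName, '/verify')
        # Independent checks: SPNs registered on the account and forward DNS for the new name.
        Invoke-Tool setspn @('-L', $short)
        [System.Net.Dns]::GetHostAddresses($NewName) | ForEach-Object { Write-Host "DNS: $NewName -> $($_.IPAddressToString)" }
        # The post's caveat: the FRS/DFSR member object keeps the old name. List any that still
        # carry it so the conflict described in the MS article can be dealt with (AD module needed).
        Import-Module ActiveDirectory -ErrorAction SilentlyContinue
        if (Get-Command Get-ADObject -ErrorAction SilentlyContinue) {
            Get-ADObject -LDAPFilter '(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))' `
                -SearchBase (Get-ADDomain).SystemsContainer |
                Where-Object { $_.Name -eq ($OldName -split '\.')[0] } |
                ForEach-Object { Write-Warning "Replication member object still named $($_.Name): $($_.DistinguishedName)" }
        }
    }
}
```

The replication check is a heuristic over repadmin's text output, so read the summary yourself if it refuses to proceed. The 'Finish' phase runs netdom's /verify in addition to the /remove step the post describes, because the post's warning about clients failing to find the server applies exactly when the SPN or DNS entries for the new name are missing.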

Renaming the domain controller using GUI

As described earlier, you can do the same thing graphically. Renaming a domain controller this way may introduce Active Directory replication latency, making it harder for clients to locate or authenticate the domain controller under its new name, which is why the recommended method is the netdom command. Let's see how it is done:

1. Right-click My Computer and select Properties. Click Change settings, then the Change button in the System Properties window. You will receive the warning message shown below; click OK to continue with the rename operation.
2. Edit the text box under Computer name and click OK to apply the change. Restart the domain controller for the change to take effect; this completes the process.

How to configure DHCP superscope in Windows server 2008

Understanding the concept

A superscope is an administrative feature of DHCP servers that lets you configure multiple scopes as a single administrative entity; in other words, it lets you place more than one scope (called child scopes, or member scopes) under one umbrella. With this feature a DHCP server can:
  • Support DHCP clients on a single physical network segment (such as a single Ethernet LAN segment) where multiple logical IP networks are used. When more than one logical IP network is used on a physical subnet, the configuration is often called a multinet.
  • Support remote DHCP clients located on the far side of DHCP and BOOTP relay agents (where the network on the far side of the relay agent uses multinets).
  • Add more computers to a physical network segment when the address pool of the currently active scope is nearly depleted.
  • Migrate clients to a new scope.
Feel free to refer to the MS article for more on this; it describes the roles with relevant images and tables.

Let us consider one of the scenarios described above. Your company has grown beyond expectations, which inevitably means a larger network and more networking devices. When the company started a few years ago as a small business with 100 PCs, the 254 IP addresses a Class C subnet offers seemed more than enough for a long time. Now it is a different story: the growth has led to a shortage of IP addresses and you need to resolve it immediately. So what are the options? Building another physical LAN (and thus another subnet) means buying another router or another DHCP server, but is that really required, given the extra administrative work and expense? Another possibility is moving to another address class, maybe Class B or Class A, which gives you more addresses but is not very attractive either: you would have to justify purchasing that address range from your ISP and then face migrating from the existing range (scope) to the new one. This is where creating a superscope lets you overcome the difficulty without much administrative headache or expense.

Configuring superscope

1. Open the DHCP console from Administrative Tools -> DHCP. Expand the server name and right-click IPv4 -> New Superscope.
2. The welcome window appears; click Next to start the configuration.
3. Specify the name you would like to assign to the superscope and click Next.
4. The wizard automatically detects the scopes currently available on your DHCP server; select the scope(s) you want to place under the superscope. Here I have two scopes and I want to put only one of them under the superscope. Select the scope you want and click Next.
5. Click Finish to create the superscope. Once it is created you will notice that the scope is listed under the superscope we defined.
That completes the superscope configuration on the server. You can also create a new scope under the new superscope by selecting it and choosing New Scope. This takes you through the usual creation of a DHCP scope, and on completion the new scope is added under the superscope. One more thing to note: once the superscope is configured as above, the network is a multinet as described earlier.

If you wish to add any of the existing scopes to the superscope, right-click the scope and you will have the option Add To Superscope. Select the superscope name you would like to add it to and click OK. Now you will notice the scope is listed under the superscope you selected.

The same way can be followed to remove a scope from a superscope. Under the superscope, select the scope you would like to remove; you will have the option Remove From Superscope. Confirm by selecting Yes and the scope will be removed from the superscope.
That's it, the configuration of the superscope is complete; feel free to post your queries.
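The multinet scenario above, built from the command line instead of the DHCP console, as an added example that is not part of the original post. It uses netsh dhcp, the command-line interface of the Windows Server 2008 DHCP server; the scope addresses, scope and superscope names and the gateway address are constructed placeholders. The ChangeFlag argument of "set superscope" (1 = assign or change the superscope) follows netsh's own syntax; check it on your server with netsh dhcp server scope 192.168.1.0 set superscope ? before relying on it.

```powershell
# Added example, not from the post: the post's superscope created with netsh dhcp.
# Addresses and names are constructed placeholders.
$ExistingScope = '192.168.1.0'    # the Class C scope that has run out of addresses
$NewScope      = '192.168.2.0'    # second logical network on the same physical segment (multinet)
$Mask          = '255.255.255.0'
$Gateway       = '192.168.2.1'    # router interface that must exist on the new logical subnet
$Superscope    = 'HQ-Multinet'

function Invoke-Netsh {
    # netsh returns a non-zero exit code for most errors but reports some only as text; check both.
    param([string[]]$NetshArgs)
    Write-Host ">> netsh $($NetshArgs -join ' ')"
    $out = & netsh @NetshArgs 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0 -or $out -match 'error|failed|invalid') { throw "netsh failed: $out" }
    $out
}

# 1. Add the second scope, its lease range and the router option (003), then activate it.
#    Addresses below .10 are kept out of the pool for infrastructure with static addresses.
Invoke-Netsh @('dhcp', 'server', 'add', 'scope', $NewScope, $Mask, 'HQ-Subnet2', 'Added when 192.168.1.0/24 filled up')
Invoke-Netsh @('dhcp', 'server', 'scope', $NewScope, 'add', 'iprange', '192.168.2.10', '192.168.2.250')
Invoke-Netsh @('dhcp', 'server', 'scope', $NewScope, 'set', 'optionvalue', '003', 'IPADDRESS', $Gateway)
Invoke-Netsh @('dhcp', 'server', 'scope', $NewScope, 'set', 'state', '1')

# 2. Group both scopes under one superscope; the first call creates it, the second joins it.
#    ChangeFlag 1 = assign (or change) the scope's superscope.
Invoke-Netsh @('dhcp', 'server', 'scope', $ExistingScope, 'set', 'superscope', $Superscope, '1')
Invoke-Netsh @('dhcp', 'server', 'scope', $NewScope,      'set', 'superscope', $Superscope, '1')

# 3. Review the scopes the server now serves.
netsh dhcp server show scope

# To undo the grouping (member scopes stay, only the superscope goes):
#   netsh dhcp server delete superscope HQ-Multinet
```

The router option matters in a multinet: clients leased from 192.168.2.0/24 share the wire with the 192.168.1.0/24 hosts but still need a gateway address on their own logical subnet, which is the router interface (or secondary address) you would add when building the superscope by hand.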

Saturday, 12 July 2014

How to install and configure Windows Deployment Services

Understanding the concept

Windows Deployment Services (WDS) is the newer, more advanced version of Remote Installation Services (RIS), introduced from Windows Server 2008 onwards. It allows PXE-enabled computers to boot from the network and install the various Windows operating systems. The main advantage of WDS is that it reduces complexity and cost compared to manual installation. There are some prerequisites for installing and configuring WDS, listed below:
1. A Windows Deployment Services server must be either a member of an AD DS domain or a domain controller for an AD DS domain OR it can be on a standalone server.
2. You must have a working DHCP server with an active scope on the network because Windows Deployment Services uses PXE, which relies on DHCP for IP addressing.
3. The server running Windows Deployment Services requires an NTFS file system volume for the image store.
4. You must have a working DNS server on the network before you can run Windows Deployment Services.

Consider the scenario where you are setting up a data center or an organization for the first time and need many computers with the required operating system. Doing this manually on each computer is a headache for administrators, and WDS lets you do it automatically.

Installation and configuration

1. WDS is a server role and you install it from Server Manager. Open Server Manager and click Add Roles.
2. Click Next if you are presented with the Before You Begin window. On the Select Server Roles window, tick the check box against Windows Deployment Services.

3. Click Next on the Overview of Windows Deployment Services window.

4. You now have two options: Transport Server and Deployment Server. Deployment Server enables the end-to-end Windows Deployment Services deployment solution. Transport Server is a platform that you can use to create a custom multicast deployment solution. If you would like to know more about these services, look at the MS article. I would suggest selecting both options; click Next to continue.

5. Click Install on the Confirm Installation Selections window and wait for it to complete. Once completed, close the window.

6. This completes the installation of the WDS role. Now you need to configure the server; the steps below will help. From the Start menu, open Administrative Tools -> Windows Deployment Services. Expand Servers and right-click your server -> Configure Server.

7. The next window repeats the WDS prerequisites we already discussed. Simply click Next if you have already met them.

8. Now specify where you want to save the configuration files, that is, the boot images, install images and network drivers; this location is called the remote installation folder. By default it points to the Windows system drive (C:\), but installing the remote installation folder on that drive is not recommended. So I am changing the folder to the H drive: create a new folder named 'Remoteinstall', browse to that location here and click Next.
You can keep the default location as well, but then make sure to click Yes on the system volume warning to continue. The problem you may face in that case is that as the number of boot images, install images and network drivers grows, the free space on the system volume shrinks, which can cause performance issues.

9. Now specify the PXE server initial settings. This defines how the PXE server responds when a client requests an image. The three options are:
Do not respond to any client computers - The WDS server does not respond to any client, so none of the WDS operations are active.
Respond only to known client computers - WDS responds only to clients that are known. Clients are treated as known or unknown based on their entry in Active Directory; you authorize a client computer as known based on its MAC address or GUID, and this process is known as prestaging. I believe this link will help you get it done.
Respond to all client computers (known and unknown) - WDS responds to every client requesting a PXE boot. For additional security you can tick the check box below it. I am going with this option as it is easy to manage. Click Next.

10. The configuration process now starts; wait for it to complete, then click Finish on the Operation Complete window. Untick the default option Add images to the server now and click Finish.
The above steps complete the basic configuration of the WDS server. Now you need to specify the boot image and the install image.
Boot images - Boot images are Windows PE images that you boot a client computer into to perform an operating system installation. A boot image contains the complete contents and structure of a computer's storage media.
Install images - Install images are the operating system images that you deploy to the client computer. From Windows Vista onwards they come pre-packaged on the product CD. For earlier versions of Windows you must create a custom install image; if you need to do this, you can follow the MS link, which is pretty simple.

To add the install image

1. Open Windows Deployment Services and expand your server name. Right-click the install images section and select Add Install Image.

2. Specify the install image group as required. Since I am creating an install image for the first time, Select an existing image group is disabled. Enter a name for the new install image group and click Next.

3. The install image (install.wim) is in the sources folder of the operating system CD. Browse to the file and click Next.

4. My install image contains multiple images. Clear the check boxes for the images that you do not want to add to the server; you should add only the images for which you have licenses. Since I have a license only for the Standard edition, I selected only Standard; your selection depends on the licenses you have. Note that the available images depend on your product CD. Click Next.

5. Review the details on the summary window and click Next to continue, or press Back to change any previous selection.

6. This starts the configuration. When it finishes, click Finish to close the window.

7. After you click Finish you can see the install images added in the WDS console. This completes the steps for adding an install image; the steps below add the boot image.

Adding the boot image

1. In the Windows Deployment Services console, right-click Boot Images and select Add Boot Image.

2. Browse to and locate the boot.wim file on the product CD and click Next.

3. Based on the boot.wim details, the image name and image description are filled in automatically. You can keep them or edit them; click Next.

4. Check the image details on the summary page, click Next, and click Finish when it completes.

5. You can see the boot image added to WDS.
This completes the configuration of the Windows Deployment Services server. Now reboot the client and make sure you press F12 to boot the hardware into PXE.

If you fail to press F12 the operation fails with the error below.
Restart the computer once again and press F12 when required.
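The whole WDS configuration above (remote installation folder, answer policy, boot and install images), done with wdsutil.exe instead of the console, as an added example that is not part of the original post. wdsutil is the command-line tool the Windows Deployment Services role installs on Windows Server 2008; the H:\RemoteInstall path follows the post's choice of a non-system volume, while the DVD drive letter, image group, image name and the prestaged client's name and MAC address are constructed placeholders. It differs from the post in one choice: it answers only known (prestaged) clients, the more restrictive of the three options in step 9, and prestages one client to show what that requires.

```powershell
# Added example, not from the post: the post's WDS configuration done with wdsutil.exe.
# Drive letters, image-group and image names and the prestaged client are placeholders.
$RemInst     = 'H:\RemoteInstall'                    # non-system volume, as the post recommends
$SourceDrive = 'D:'                                  # placeholder: mounted product DVD
$ImageGroup  = 'WindowsServer2008'
$ImageName   = 'Windows Server 2008 SERVERSTANDARD'  # placeholder: must match an image name inside install.wim

function Test-ImageStoreVolume {
    # The post's step 8: the store needs an NTFS volume and should not be the system drive.
    param([string]$Path)
    $drive = Split-Path -Qualifier $Path             # e.g. 'H:'
    $disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if ($null -eq $disk)             { throw "Volume $drive not found" }
    if ($disk.FileSystem -ne 'NTFS') { throw "Volume $drive is $($disk.FileSystem); WDS needs NTFS" }
    if ($drive -eq $env:SystemDrive) { Write-Warning "Store is on the system volume; growing images will eat free space on $drive" }
    $true
}

function Invoke-Wdsutil {
    # Runs wdsutil and stops on the first failure so a half-configured server is noticed.
    param([string[]]$WdsArgs)
    Write-Host ">> wdsutil $($WdsArgs -join ' ')"
    & wdsutil @WdsArgs
    if ($LASTEXITCODE -ne 0) { throw "wdsutil failed with exit code $LASTEXITCODE" }
}

Test-ImageStoreVolume $RemInst | Out-Null

# Steps 6-8: initialize the server with the remote installation folder.
Invoke-Wdsutil @('/Initialize-Server', "/RemInst:$RemInst")

# Step 9: answer policy. 'Known' means only prestaged machines are offered an image;
# a stray or unauthorized machine that PXE-boots on the segment is ignored.
Invoke-Wdsutil @('/Set-Server', '/AnswerClients:Known')
# Prestage one client by MAC address (a GUID is accepted as well). Placeholder values.
Invoke-Wdsutil @('/Add-Device', '/Device:LAB-PC01', '/ID:00-11-22-33-44-55')

# Boot image from the product media (the post's "Adding the boot image" section).
Invoke-Wdsutil @('/Add-Image', "/ImageFile:$SourceDrive\sources\boot.wim", '/ImageType:Boot')

# Install image: only the licensed edition, as in step 4 of "To add the install image".
Invoke-Wdsutil @('/Add-Image', "/ImageFile:$SourceDrive\sources\install.wim", '/ImageType:Install',
                 "/ImageGroup:$ImageGroup", "/SingleImage:$ImageName")

# Review what the server now offers to PXE clients.
Invoke-Wdsutil @('/Get-Server', '/Show:Config')
Invoke-Wdsutil @('/Get-AllImages', '/Show:All')
```

If you prefer the post's choice of answering every client, replace /AnswerClients:Known with /AnswerClients:All and drop the /Add-Device line; the NTFS and system-volume checks apply either way.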

Sunday, 22 June 2014

How to install and configure Remote Desktop Server (Terminal Server) in Windows Server 2008, part 2

I believe part 1 helped you understand the Remote Desktop installation. Now let us look at the detailed configuration of RDS.

1. Remote desktop web access configuration

This is the user interface the client interacts with. To access it for the first time, go to Start -> Administrative Tools -> Remote Desktop Services -> Remote Desktop Web Access Configuration. It opens the web page, and when you log in as an administrator there are three tabs to look at: RemoteApp Programs, Remote Desktop and Configuration.
RemoteApp Programs - This is where users see and access their virtualized applications. These applications are defined by RDS administrators.
Remote Desktop - When you access Remote Desktop Services from outside your network, you may need more than the virtual applications. Here you can remote into other computers that are allowed through RDS; which computers are allowed is governed by the Remote Desktop resource authorization policy (RD RAP).
Configuration - Use these settings to specify the source that provides the RemoteApp programs and desktops displayed to users through RemoteApp and Desktop Connection. Users can access RemoteApp and Desktop Connection through the Start menu on a computer running Windows 7 or through the RD Web Access web site. Note that this can be edited only by administrator users.

2. RemoteApp manager
You can open it from Start -> Administrative Tools -> Remote Desktop Services -> Remote Desktop Web Access Configuration. Initially it shows some warning and error messages, as below, because certain settings have not been defined yet; the steps below will help you resolve them.

2.1. Consider the Digital Signature Settings warning. It appears because no SSL certificate has been defined, and it is fixed by clicking Change -> tick the check box Sign with a digital certificate -> under Digital certificate details click Change. This lists the certificates installed in your server's certificate store; select the desired one and press OK. Once done, click Apply -> OK.

2.2. Distribution with RD Web Access - this warning appears because the TS Web Access Computers list is empty. You add the computers that will access the applications remotely. If you installed Remote Desktop Services on an Active Directory server, add the computers to the group in Active Directory Users and Computers: open Active Directory Users and Computers -> in the Users container double-click TS Web Access Computers -> Members -> click Add and specify the computers that will access Remote Desktop Services. Click Apply -> OK. (If Remote Desktop Services is installed on a member server, add the computers in Local Users and Groups instead.) Now go back to the RemoteApp Manager screen and click Refresh; this warning is resolved as well.
2.3. You will see the error The RemoteApp program list is empty, because you have not yet specified any application for Terminal Server users. In the same RemoteApp Manager window, right-click the empty RemoteApp Programs area at the bottom and select Add RemoteApp Programs. Click Next on the welcome screen.
Select the applications that users are allowed to run remotely and click Next.
Review the list of programs to be shared and click Finish.
This completes the configuration of RemoteApp Manager, and the window will look as below.

How to install and configure Remote Desktop Server (Terminal Server) in Windows Server 2008, part 1

Understanding the concept

Remote Desktop Services (RDS) in Windows Server 2008 R2 is the renamed and enhanced version of the Terminal Services available in Windows Server 2003. This feature lets users access Windows-based programs installed on a terminal server, or the full Windows desktop. Users can reach a Remote Desktop server from within the corporate network or from the Internet. When a user runs a program on a terminal server, the program executes on the server and only keyboard, mouse and display information travel over the network. Each user sees only their individual session; the server operating system manages the session transparently, independent of any other client session. Remote Desktop Services is especially useful when you have programs that are frequently updated, infrequently used, or difficult to manage. Consider, for example, an organization with a private in-house application that must be reached from outside the organization, or the deployment of multiple versions of an application when installing those versions locally would cause conflicts, among many other cases. More details are given in the MS tech center.

When you are planning to implement Remote Desktop Services, there are a few terms you must understand.
1. Remote Desktop Session Host (Terminal Server)
The Remote Desktop Session Host is the server that hosts the applications required by TS clients. Users connect to a terminal server to run programs, save files and use network resources on that server. So the servers with this feature installed act as your Remote Desktop servers.
2. Remote Desktop Licensing (TS Licensing)
RD Licensing manages the Remote Desktop Services client access licenses (RDS CALs) that each device or user needs to connect to a Remote Desktop Session Host or Remote Desktop Virtualization Host server. You use RD Licensing to install, issue and track the availability of RDS CALs on a Remote Desktop license server. The grace period of this service is 120 days, after which a permanent RDS CAL must be purchased. There are several ways to purchase licenses; they are described in the MS article. The license server role can be installed on your Session Host server or on a dedicated server. If you install the Remote Desktop Licensing role on a dedicated server, any RD Session Hosts you add in the future can share it. This role does not need to be configured at the initial stage, however, as we have a 120-day trial license.
3. RD Web Access (TS Web Access)
RD Web Access gives users access to the applications and server desktops that are allowed for them. To do so, users visit, in their web browser (IE, Chrome, Firefox etc.), the web site configured by the Remote Desktop administrators. When a user starts a RemoteApp program, a Terminal Services session is started on the terminal server that hosts the RemoteApp program. When you deploy RD Web Access, you can specify which terminal server to use as the data source that populates the list of RemoteApp programs shown on the web page.
4. Remote Desktop Gateway (TS Gateway)
This role enables authorized remote users to connect to resources on an internal corporate network from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. RD Gateway improves security by establishing an encrypted connection between remote users on the Internet and the internal network resources (hosted on the Remote Desktop server). Note that the RD Gateway role service requires other roles for its functionality (for example Network Policy and Access Services and Web Server (IIS)); these are installed automatically during the role installation.
5. RD Connection Broker (TS Session Broker)
RD Connection Broker plays a vital role in Remote Desktop Services: it keeps track of user sessions in a load-balanced terminal server farm. You can use the Windows failover clustering feature to achieve this. The RD Connection Broker stores the session state, the user associated with each session and the server where each session exists. When a user who already has a session reconnects to the terminal server, the RD Connection Broker recognizes it and redirects the user to the server where the session exists. This prevents the user from being connected to a different server in the farm and starting a new session.
6. Remote Desktop Virtualization Host
RD Virtualization Host integrates with Hyper-V to provide virtual machines that can be used as personal virtual desktops or virtual desktop pools. If a user is assigned a personal virtual desktop and requests it, RD Connection Broker redirects the user to that virtual machine. If the virtual machine is not turned on, RD Virtualization Host turns it on and then connects the user.
I hope the above information is enough to understand the various roles that make up Remote Desktop Services. Now let us see how to install and configure these roles.

Installation and configuration

In my environment I am going to install the roles Remote Desktop Licensing, Remote Desktop Gateway, RD Connection Broker, RD Web Access and Remote Desktop Session Host on the same server. I do not want the Remote Desktop Virtualization Host service, as I do not have Hyper-V installed.
Note: It is not recommended to install and configure RDS on an Active Directory server, as it reduces security and decreases the performance of the server; you can do it if required, however.
It is recommended to install the Remote Desktop Session Host before you install any applications that you want to make available to users; otherwise the applications may not work as expected for clients.

1. Log on to the server where you want to install RDS as a user with administrator and Enterprise Admin rights.
2. Open Server Manager, click Start-> Administrative Tools->Server Manager.
3. Under the Roles Summary heading, click Add Roles.
4. In the Add Roles Wizard, if the Before You Begin page appears, click Next.
5. On the Select Server Roles page, select the Remote Desktop Services check box, and then click Next.

6. On the Remote Desktop Services page, click Next; this page only gives a brief overview of Remote Desktop Services.

7. On the Select Role Services page, select Remote Desktop Licensing, Remote Desktop Gateway, RD Connection Broker, RD Web Access and Remote Desktop Session Host. If you are installing the Remote Desktop Session Host on the Active Directory server you will get a warning that it is not recommended; click Install Remote Desktop Session Host anyway (not recommended) and select the other features. As described earlier, you may need to install additional features to support Remote Desktop Gateway, so select Add Required Role Services when prompted. Click Next to continue.

8. On the Uninstall and Reinstall Applications for Compatibility page, click Next. I hope you have taken note of the message.

9. The next step asks about the level of authentication you require for RDS. Enabling Network Level Authentication is recommended, but choose as required: if you have Windows XP clients that need to access RDS, do not enable Network Level Authentication, as XP does not have the upgraded Remote Desktop Connection client. You can select Network Level Authentication if your clients are at least Windows 7 or later. Click Next.

10. Specify the licensing mode you want to use for RDS. Licenses can be purchased either per user or per device. Alternatively you can install the license later, as we have a 120-day trial period. I am selecting the trial and continuing; you can install the license now or later.

11. Select the user groups that can access the Remote Desktop server and its services. I am selecting all the users of my domain; you do this by clicking the Add button. If only a specific set of users should access the terminal server, you can create a group in Active Directory and add that group to this list later as well.
Note: Administrators are included in this list by default and cannot be removed.

12. Now specify the client experience settings; these are optional, so select as required. Note that enabling more functionality can lead to higher system and bandwidth usage, which may affect the performance of the RD Session Host server, so leave out features that are not really needed.

13. Next, specify the discovery scope for RD Licensing. RD Session Host servers use it to automatically identify and discover the license server. Leave the selection at the default; you can change the RD Licensing database location if required. It is well worth clicking the link More about licensing directory to get a better understanding of this.

14. You must have a certificate for SSL communication. It is recommended to get the certificate from a trusted certificate authority (CA), especially when RD sessions will be accessed from outside the network. In my case I have a self-signed certificate installed on my server and it is listed here automatically. If no certificate is installed on the server, none is listed, and you can import one now by clicking the Import button. If you want to create an SSL certificate now, select the second option, Create a self-signed certificate for SSL encryption, or the third option, Choose a certificate for SSL encryption later. Make sure that the SSL certificate is attached to the HTTPS binding in your IIS.
If you have any doubt about creating an SSL certificate, I believe this link will be useful.
I will continue with my existing SSL certificate. Click Next to continue.

15. Now you need to specify the authorization policies that control how RD clients are allowed to connect. There are two important terms here: the Remote Desktop connection authorization policy (RD CAP) and the Remote Desktop resource authorization policy (RD RAP). In simple words, the RD CAP describes the users that can connect to this RD Gateway server, and the RD RAP specifies which internal computers those users are allowed to reach through the gateway. Until the RD RAP and RD CAP are configured, users cannot connect through the RD Gateway, so I will configure these policies now. Select Now under Create authorization policies and click Next.

16. Under User group membership (required), click the Add button and specify a user group whose members can connect to the RD Gateway server. You must specify at least one user group; I have allowed all my domain users. You might be a little confused here, as we already configured the user groups that can access the RD server in step 11. The difference is that step 11 applies to the RD Session Host server, whereas the RD Gateway is an additional security layer in front of the RD server, and here you specify the users allowed to connect through the gateway. Hence the same user group is specified here as well. Click Next to continue.

17. In the previous step we specified the user group that can connect. Here you must specify a name for the RD CAP and at least one authentication method required of users. A default name is provided and can be edited if required; for example, if you allow a particular group of users to access the RD server, it is worth customizing the RD CAP name so the policy is easy to identify in future. Windows authentication can be either password or smart card, which determines how users are authenticated to get access to the RD server. In my case I keep the default RD CAP name and use only Password as the authentication method. Click Next.

18. Here you specify the details of the RD RAP. The RD RAP can be either the default or a customized one, as you prefer. You must specify the network resources that RD users can connect to through the gateway; if a user connecting through the gateway should be limited to certain computers, you set that limitation here. For example, if the user 'Livin' connects through the RD Gateway and should access only a group of computers, select the second option, Allow users to connect only to computers in the following groups, and set the group. In my scenario I have allowed all my domain users to use the RD service and I am not setting a limitation, so I select Allow users to connect to any computer on the network. Define the settings as required for you and click Next.

19. As discussed above, for the RD Gateway to function properly, certain additional features must be installed: Network Policy and Access Services and Web Server (IIS). You now get the introduction and confirmation pages for installing these features; simply click Next to get through them.

20. Now you get a summary of the configuration done so far. Review it and click Install to start the installation.

21. Once the installation is completed you can close the window; you must restart the server to complete the operation.

22. Once the server has rebooted, log in again; the installation continues and ends with the window below. Click Close.

This completes the installation and basic configuration of the Remote Desktop server. The advanced configuration is described in the linked post.
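A post-installation check of the three wizard choices above that decide how exposed the server is, as an added example that is not part of the original post: whether Network Level Authentication is required (step 9), which certificate is bound to the RDP listener and whether it is self-signed or expired (step 14), and whether IIS has the HTTPS binding the certificate must be attached to. It uses the Win32_TSGeneralSetting WMI class in the root\CIMV2\TerminalServices namespace and the WebAdministration module of Windows Server 2008 R2; the -EnforceNla switch is an assumed convenience that turns NLA on once no Windows XP clients remain, matching the post's caveat.

```powershell
# Added example, not from the post: verifies NLA, the RDP certificate and the IIS HTTPS
# binding after the RDS role installation. Run on the RD Session Host itself.
function Get-RdpListener {
    # The RDP-Tcp listener settings the wizard wrote in step 9 (NLA) and step 14 (certificate).
    Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
}

function Get-RdsSecurityReport {
    param([switch]$EnforceNla)   # use once no Windows XP clients remain (post's caveat on step 9)
    $rdp = Get-RdpListener
    $report = New-Object PSObject -Property @{
        NlaRequired    = ($rdp.UserAuthenticationRequired -eq 1)
        SecurityLayer  = $rdp.SecurityLayer            # 0 = RDP security layer, 1 = negotiate, 2 = TLS/SSL
        CertThumbprint = $rdp.SSLCertificateSHA1Hash
        CertSelfSigned = $null
        CertExpired    = $null
        HttpsBinding   = $false
    }

    if ($EnforceNla -and -not $report.NlaRequired) {
        # Same effect as choosing "Require Network Level Authentication" in the wizard.
        [void]$rdp.SetUserAuthenticationRequired(1)
        $report.NlaRequired = $true
    }

    # Step 14: the post recommends a trusted CA certificate for access from outside the network.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $report.CertThumbprint }
    if ($cert) {
        $report.CertSelfSigned = ($cert.Subject -eq $cert.Issuer)
        $report.CertExpired    = ($cert.NotAfter -lt (Get-Date))
    } else {
        Write-Warning "No certificate with thumbprint '$($report.CertThumbprint)' in LocalMachine\My"
    }

    # The post: the SSL certificate must be attached to the HTTPS binding in IIS (RD Web Access / Gateway).
    Import-Module WebAdministration -ErrorAction SilentlyContinue
    if (Get-Command Get-WebBinding -ErrorAction SilentlyContinue) {
        $report.HttpsBinding = [bool](Get-WebBinding -Protocol https)
    } else {
        Write-Warning 'WebAdministration module not available; HTTPS binding not checked'
    }

    if (-not $report.NlaRequired)  { Write-Warning 'NLA is not required: pre-authentication is skipped for every connection attempt' }
    if ($report.CertSelfSigned)    { Write-Warning 'RDP certificate is self-signed: external clients cannot validate the server' }
    if ($report.CertExpired)       { Write-Warning 'RDP certificate has expired' }
    if (-not $report.HttpsBinding) { Write-Warning 'IIS has no HTTPS binding: RD Web Access and RD Gateway need one' }
    $report
}

Get-RdsSecurityReport | Format-List NlaRequired, SecurityLayer, CertThumbprint, CertSelfSigned, CertExpired, HttpsBinding
```

Run it as an administrator after the reboot in step 21. The report's SecurityLayer value is worth reading together with NlaRequired: the wizard's "Require Network Level Authentication" choice corresponds to UserAuthenticationRequired = 1, and with it the RDP security layer setting (0) is the one to avoid on a server reachable from outside.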