Active Directory

VMware Guest Customization Specification, Configure Domain Joining

I recently worked to correct an outstanding support issue of VMware Guest Customization Specification not joining guests to Active Directory Domains. I thought I’d share my setup so it might help others facing similar issues.

Log into the vSphere console, navigate to the Home page section

From the Home page click the Customization Specification Manager

Once in the Customization Specification Manager Click on “+” symbol to create VMware Guest Customization Specification.

Select the operating system either Windows or Linux from the drop-down on target VM operating system and Specify the name for the Customization Specification. Enter the description of the customization specification. Click on Next.

Provide your registration information and click Next.

I use the computer name of guest OS as same as the virtual machine name. It simplifies the identification of the virtual machine in the vCenter inventory. Select “Use the virtual machine name” to use the computer name as same as virtual machine name and click Next.

Enter the windows licensing information for this copy of the guest operating system; if you are using a KMS server for activation you don’t have to type a key here.

Specify the administrator password and auto-login option for the administrator account of Windows operating system. Click Next.

Select your time zone and continue.

If you need to run some commands on the first log on, put them here and when your done click Next.

On the Configure Network, you can specify the network settings for the guest operating system. Either you can use DHCP or specify the custom network settings.

To specify the custom network settings, Click on Edit “Pencil Icon”… In this section is where I specify the DNS suffix to add to the Windows operating system. Click on OK.

This allows me to communicate to a specific Active Directory Domain Service (ADDS), and include the domain suffix. Once Network settings are specified in customization specification. Click on Next.

Under Set Workgroup or Domain, choose “Windows Server Domain”, specify FQDN and specify the user account and credentials information that has permission to add a computer to the domain.
The user account is in the format of user@domain.tld
Click on Next.

Select the checkbox “Generate New Security ID (SID)” to generate a new security identity for the windows virtual machine. This option is important to generate the new SID from the source machine. Click Next.

Finally, review all the settings specified in VMware customization specification and click on Finish

Now you can Deploy Templates Using VMware Guest Customization Specification, and join the guest to your Active Directory Domain without issue.

Windows Server 2016 Core: Active Directory Domain Services

To lower my memory footprint in my home lab I decided to move from into Windows Server 2016 Core.  That said running Active Directory Domain Service seems to be the perfect candidate to start with my new architectured lab environment.

There are several prerequisites required for enabling ADDS, but I am not going to get into those here as if your reading this, there is a good chance you already know what those are.

We will be installing what is commonly referred to as a new forest/domain.

Step 1: Validate your hostname, IP address, and DNS settings

  1. Log into the console of your Windows Server 2016 Core System
    You need to log in as an administrator and should arrive at a command prompt
  2. Enter the command Sconfig and press enter
    The Server Configuration tool interface should be displayed
  3. Use the setting options to validate your host’s configuration

 

Step 2:  Installing Domain Services 

  1. From the Windows Server 2016 Core command prompt type: powershell then press enter.
    This will change your shell mode to PowerShell allowing you to use additional commands.
  2. Type Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    This will install the ADDS roles on the Windows Server 2016 Core System
  3. When completed type: Install-ADDSForest -DomainName yourdomain.tld
    Here is where you choose the name of your domain to be installed.
  4. You will be required to provide a recovery password, please enter one and take note of it
  5. Next, you will be asked to confirm the pending changes and allow the server host to be restarted
    Click yes to continue
  6. Your server will be restarted and return as a Domain Controller

 

Step 3: Validate DC Services

  1. From the Windows Server 2016 Core command prompt type: powershell then press enter.
    This will change your shell mode to PowerShell allowing you to use additional commands.
  2. Issue the following command line: Get-Service adws,kdc,netlogon,dns
    This will return details on the installed services 
  3. Issue the command Get-SmbShare
    This returns details about available shares, specifically the systvol and netlogon shares
  4. Use the get-eventlog command to review logs
    Example: get-eventlog “Directory Service” | select entrytype, source, eventid, message

 

Which Active Directory Group Policies are being Applied to your Accounts

Playing a bit of detective, I started reviewing Active Directory Group Policies that had been applied to workstations, in an attempt to resolve a few reported concerns regarding polices being applied successfully.

Using the gpresult command I was able to output all of the polices applied. The command requires the specification of scope to be issued correctly.  Example below:

 

Policies applied to your user account:

gpresult /Scope User /v

 

Policies applied to your Computer:

gpresult /Scope Computer /v

Ref: https://technet.microsoft.com/en-us/library/dn265978(v=ws.11).aspx

Only settings that have been applied to your machine and user account will show up.

 

Oh! And yes there is Graphical Interface for this tool.
You can get to it by executing the following steps below:

Type rsop.msc into the run box , then hit enter

A pop-up dialog will show while querying your system.

Once the console opens you will be able to see which settings have been applied to your PC.

 

 

How to demote a Windows Server 2012 Domain Controller

In this short write up I will go over steps to demote a Server 2012 domain controller.

If you have worked in Active Directory and Windows Domain Administration over the years you may recall that in previous version of Windows Server that you would use the command line tool of ‘DCPROMO’ to promote or demote a server. Since Server 2012, the use of DCPROMO has been deprecated. In fact, if you attempt to use it you will be inform of this via the Active Directory Domain Service Installed.

In Server 2012 and later versions the use of Server Manager or PowerShell is required to promote / demote a server to/from a Domain Controller (DC). Below I provide steps on how to demote a server with some illustration along the way. Also, here is a quick YouTube video on the process: https://youtu.be/sBK2_APaDdg

Log into the domain controller you intend on demoting and Launch the Server Manager, select the Manage drop down menu, select Remove roles and features.

On the server selection page, select the desired server from the pool.

On the Remove Roles and Features Wizard, un-tick the Active Directory Domain Services box

The Remove Roles and Features dialog box will open. Click Remove features

On the Remove Roles and Features Wizard dialog box Validation Results box will appear. The domain controller must be demoted before continuing. Click on Demote this domain controller.

On the Active Directory Domain Services Configuration Wizard enter the required credentials to demote this server, click Next.

You will have several removal options. From the forced remove of failed domain member, to removing of the last domain in your forest. Make the selections which is appropriate for your remove task and click Next

Finally you will arrive on the New Administrator Password, enter and confirm the new local administrator account password, click Next.

On the Review Options verify the information is correct and click Demote.

After the server has restarted it will no longer be a domain controller

And that is it.

PowerShell: Unlock Active Directory Users Account

Use:

 

  • Listing account lockouts in Active Directory
  • Unlocking locked out accounts

# Open PowerShell or PowerShell ISE with an account with rights to unlock accounts
# Import the Actice Directory Module to PowerShell
#
Import-Module ActiveDirectory
#
# Run the Search-ADAccount command to search for accounts that are locked out
# Accounts locked out will be displayed
#
Search-ADAccount -LockedOut
#
#
# To unlock multiple {All} accounts the following command can be used
Search-ADAccount -LockedOut | Unlock-ADAccount
#

This could be useful if you wanted to somehow send an email to a ticket system so that you log and create IT tickets of account lockouts. A good way for your IT staff to track those types of activities that they do spend time on.