In order to reorganize an Active Directory forest with multiple child domains into a single domain, I used the ADMT (Active Directory Migration Tool) 3.2 from Microsoft. This is an intraforest migration because all domains are in the same forest.
While ADMT supports intraforest migration, I encountered a specific issue with computers migrated from a child domain to the parent domain: "The security database on the server does not have a computer account for this workstation trust relationship"
Security database trust relationship
Well, I was very perplexed by this error, because the ADMT agent reported a successful operation, and the computer account existed in the new Active Directory domain.
In fact, you will get this error each time you migrate a computer within the forest and the target operating system is Windows Server 2012 R2. Let's see why and how to resolve this issue.
Sometimes, you may need to check the information stored in the Active Directory Global Catalog. This can be useful, for example, to verify that replication between GCs located in separate sites has completed.
We can easily view the information in GC with ADSI Edit:
Let’s see how to connect to a GC using ADSI Edit.
During an Active Directory migration, I needed to do an inventory of the computers to migrate. Because some computers no longer existed but had never been removed from Active Directory, I created a PowerShell script based on the Last Logon Timestamp property.
CSV file from the script
This PowerShell script creates a CSV file with the computer name, the last logon property and the operating system. Because some domains were still based on Windows Server 2003 or 2008, I could not use the Active Directory cmdlets, so I used an LDAP search instead.
When BitLocker is enabled on workstations and laptops in your enterprise, you must have a way to retrieve the recovery key of the hard drive. In some cases, BitLocker prompts the user for the recovery key when it detects a specific change, such as a partition change.
The easiest solution is to use the Active Directory Users and Computers console. This is only possible if the GPO is configured to store the recovery key in Active Directory.
With Active Directory Users And Computers, we can:
- Display the BitLocker recovery key for one computer.
- Search the whole Active Directory for a password ID.
- Delegate the rights to display this confidential information.
Since Windows Server 2008, we can use Group Policy Preferences to set a password for the local Administrator on all workstations in an OU. In May 2014, Microsoft released a patch (KB2962486) to remove this feature.
In fact, the password was stored insecurely: it was encrypted with a key that is now public on MSDN, so anyone who can read the GPO can recover it. This is a security leak: passwords are effectively sent in "clear", several times a day, every time Group Policy is applied. Once KB2928120 is installed on your system, you can no longer use GPO to define passwords for:
- Drive Maps.
- Local Users.
- Scheduled Tasks.
- Data Sources.
Alongside the security patch, Microsoft provided a PowerShell script to change the local password remotely.
A few days ago, Microsoft released a new tool: Local Administrator Password Solution (LAPS). With this tool, computers randomly change the local administrator password themselves and store it in an Active Directory attribute.
Did you know that, since Windows Server 2012, you can force a remote bulk gpupdate?
It is really simple and we can do it using:
- Group Policy Management Console, GPMC
Before Windows Server 2008, there was a limitation in password management: only one password policy and one lockout policy could be applied to all users in the domain. Therefore, some organizations created several domains to manage different sets of user and password policies.
With Windows Server 2008, Microsoft introduced Fine-Grained Password Policy. With this object, you can create multiple password policies in the same domain and assign each one to a specific user group. However, there was no built-in GUI to create a Fine-Grained policy: we had to use ADSI Edit and the Attribute Editor to assign a policy to a user group.
Windows Server 2012 uses the Active Directory Administrative Center to let us create a Fine-Grained policy with a wizard. Let's see how that makes it easier.
Windows Server 2008 R2 introduced a new domain feature: the Active Directory Recycle Bin. A great feature, but in that first version we had to use PowerShell to enable it and to restore deleted items.
With Windows Server 2012 R2, Microsoft released a GUI for the Recycle Bin, integrated in the Active Directory Administrative Center. With ADAC, you can enable the feature and restore deleted items easily. Of course, you can still do it with the PowerShell cmdlets.
Sometimes, you need to create a lot of Organizational Units in your Active Directory.
You can do this with Active Directory Users and Computers, but it quickly becomes time consuming depending on the number of OUs.
Fortunately, Microsoft ships a PowerShell module with Active Directory, so we can write a script to do this for us.