Your basic ITPro blog... What's going on at work, what I'm interested in.

Wednesday, March 20, 2013

DFS Testing In A Lab–Part 2

Here in part two, I am going to add two file servers and a client computer to the lab network. I discovered that I also want to test another feature on my lab.

Our current file server is running Win08. I have a disk on my SAN that is being passed-through to the file server VM and used to store my file shares. I want to test turning up a Win12 file server and moving the disk over. It will be great if this is a fairly simple operation.

Another thing I will want to test is upgrading a Win08 domain to a Win12 domain. This would be a true test of upgrades in our environment. More blog posts to come!

In any case, here are the steps I am taking to add file servers, clients, and DFS into the environment:

  • Add a Win08 file server to domain.
  • Add a Win12 file server to domain.
  • Add a Win8 client computer to domain.

Simple enough.

The Win08 file server had the File Services Role on it. I am basically following the steps outlined on the website (listed below under Resources) to implement DFS.

  • Add the DFS Role Service
  • Using DFS Management tool, create the namespace
    • First decision, which server to make the namespace host. First thought was the file server itself. But, decided to go with my DCs after reading a bit online.
    • Left all namespace host related options at default.
  • Opted for domain-based namespace.
  • Once the namespace was created, I added my other DC as another namespace server.
  • Add two folders to the namespace, my ‘groups’ folder and my ‘users’ folder.
    • Add a folder called ‘groups’
    • Selected the ‘groups’ shared folder on FS01
    • Did the same for my ‘users’ shared folder
  • Enable access-based enumeration on the namespace
    • Right-click on namespace and select ‘Properties’
    • Advanced Tab | checkbox to ‘Enable access-based enumeration for this namespace’
  • From a second file server, I added second folder target to the ‘groups’ DFS folder.
    • I was hoping that DFS would aggregate the available folders from the multiple targets into a single namespace, for example:
      • FS01
        • groups\folder1
        • groups\folder2
      • FS02
        • groups\folder3
        • groups\folder4
      • <domain>\groups\
        • folder1
        • folder2
        • folder3
        • folder4
    • But, it does not seem to work this way.
    • I was able to create a replication group with these two folders in it. Now, both servers have identical data on them.
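
The same namespace build-out scripted with the DFSN cmdlets on Win12, as an added example that is not part of the original lab notes. The namespace name Files, the C:\DFSRoots path, and the server names DC01, DC02 and FS02 are assumptions; FS01 and the 'groups' and 'users' shares come from the steps above.

```powershell
# Added example; names marked "assumed" are for illustration only.
# Requires the DFSN module (Win12 server, or a Win8 client with RSAT).
Import-Module DFSN

$namespace = '\\DFSLab.local\Files'      # assumed namespace name
$rootHosts = 'DC01', 'DC02'              # assumed names of the two DCs

# Unlike the DFS Management wizard, the cmdlets expect the root share to
# exist already, so create it on each namespace server first.
foreach ($h in $rootHosts) {
    Invoke-Command -ComputerName $h -ScriptBlock {
        New-Item -Path 'C:\DFSRoots\Files' -ItemType Directory -Force | Out-Null
        if (-not (Get-SmbShare -Name 'Files' -ErrorAction SilentlyContinue)) {
            New-SmbShare -Name 'Files' -Path 'C:\DFSRoots\Files' -ReadAccess 'Everyone' | Out-Null
        }
    }
}

# Domain-based namespace in Windows Server 2008 mode (DomainV2), the mode
# that supports access-based enumeration on the namespace.
New-DfsnRoot -Path $namespace -TargetPath '\\DC01\Files' -Type DomainV2
New-DfsnRootTarget -Path $namespace -TargetPath '\\DC02\Files'
Set-DfsnRoot -Path $namespace -EnableAccessBasedEnumeration $true

# DFS folders pointing at the existing shares on FS01
New-DfsnFolder -Path "$namespace\groups" -TargetPath '\\FS01\groups'
New-DfsnFolder -Path "$namespace\users"  -TargetPath '\\FS01\users'

# Second target for 'groups'. Folder targets are alternate copies of the same
# content, not a merged view, so the two shares must be kept identical
# (for example with a DFS Replication group, as in the notes above).
New-DfsnFolderTarget -Path "$namespace\groups" -TargetPath '\\FS02\groups'

# Review the result
Get-DfsnRoot -Path $namespace | Format-List *
Get-DfsnFolderTarget -Path "$namespace\groups" | Format-Table TargetPath, State
```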

Some thoughts-

  • There are no DFS-related PowerShell cmdlets for Win08, only Win8/Win12. In my production environment, we are Win08 (at the domain and file server). This could be a compelling reason to upgrade.
  • Moving to DFS won’t be as straightforward as I was initially anticipating. I will have to do some design work to implement DFS, rather than just install it and point it to my current shares.
    • I will likely want just a subset of my shared folder replicated between my sites. This will require that I break things out a bit and design an appropriate DFS namespace/folders.

There is still a lot to learn about DFS. But, this was a good introduction. As always, please add your comments/experiences below.

Resources:

http://technet.microsoft.com/en-us/library/cc732863%28v=ws.10%29.aspx

http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/6a745bf3-78c5-4739-9add-2ed171c8e65b/

Wednesday, March 13, 2013

Upgrading A Fileserver (and domain) from Win08 to Win12–Part 3

In Part 3 here, I am going to look at upgrading my domain from Win08R2 to Win12. I shut all my test VMs off, snapped them, and then started them back up.

Now, there are likely a number of things to consider before doing an upgrade like this. I am sure I could go to <insert preferred search engine> and quickly find countless articles and blogs on this process. But, I figured I would just put the Win12 DVD in one of my DCs and run setup. Let’s see what happens.

So, setup runs, asks for a key, has me pick a version, runs a compatibility report… and STOPS! It looks like I need to run ADPREP before installing. Doing that now; running ADPREP /FORESTPREP

Failure. ADPREP could not verify that schema master has replicated AD to all DCs… or some such error. I used Sites and Services to replicate and tried again. SUCCESS! Running setup.exe again.

Fail! Need to run ADPREP /DOMAINPREP as well. (For some reason, I would have figured that these steps would have been more automated). Command was a success. Third time’s a charm?

Compatibility Check gives me a NEXT button, rather than a CLOSE button. Looking good. Installing. Rebooting. Getting ready. Another reboot.

LOGIN SCREEN!

Logging in, I see that DNS, DHCP, AD all look good. So, to update my functional level to Win12, I need to upgrade my second DC as well. Doing that now. Heh. No need to run ADPREP again…  :/

Upgrade was successful. I tried updating the forest functional level, but it said that there were DCs in my domain that were not on the correct Windows version. Both DCs have been upgraded to Win12. Maybe server reboots will help?

Active Directory Domains and Trusts will not let me raise the forest or domain functional level. But, using the Active Directory Administrative Center lets me do it. Oops. Actually that failed too. It looks like this was a replication issue between the DCs again. Like before, I used AD Sites and Services to manually replicate between DCs. After replication, AD-D&T let me raise the functional level without a problem.

So, from this test, it looks like the basic steps are:

  • From the Win12 disk on first DC
    • run ADPREP /FORESTPREP
    • run ADPREP /DOMAINPREP
    • run setup.exe
  • Check and make sure services are working
  • From the Win12 disk on next DC
    • run setup.exe
    • repeat as necessary
  • Make sure DCs have all replicated with each other and are all up-to-date with domain info
  • Raise the forest/domain level to Win12
  • Double-check everything
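
Both failures above (ADPREP /FORESTPREP and raising the functional level) came down to replication, so a check like the following can gate those steps. This is an added example, not something from the original test; it assumes an elevated PowerShell prompt on a DC with repadmin and the ActiveDirectory module available.

```powershell
# Added example: confirm replication is clean before ADPREP and before
# raising the functional level.

function Get-ReplicationFailure {
    # repadmin /showrepl * /csv emits one row per inbound replication link;
    # rows flagged showrepl_ERROR are DCs that could not be queried at all.
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object {
            $_.showrepl_COLUMNS -eq 'showrepl_ERROR' -or
            [int]$_.'Number of Failures' -gt 0
        }
}

function Test-ReplicationHealthy {
    # Sync all partitions, across sites, pushing changes outward; then re-check.
    repadmin /syncall /AdeP | Out-Null
    $bad = @(Get-ReplicationFailure)
    if ($bad.Count -gt 0) {
        $bad | Format-List 'Source DSA', 'Destination DSA', 'Naming Context',
                           'Number of Failures', 'Last Failure Status'
        return $false
    }
    return $true
}

function Get-DcNotOnWin12 {
    # After the in-place upgrades: list DCs the directory still reports as
    # older than Win12. A stale entry here usually means replication lag.
    Import-Module ActiveDirectory
    Get-ADDomainController -Filter * |
        Where-Object { $_.OperatingSystem -notlike '*2012*' } |
        Select-Object Name, Site, OperatingSystem
}

if (Test-ReplicationHealthy) {
    'Replication is clean. OK to run ADPREP /FORESTPREP, then ADPREP /DOMAINPREP.'
    netdom query fsmo      # shows which DC holds the schema master role
} else {
    'Fix the replication failures listed above before running ADPREP.'
}
```

Before raising the forest/domain level, run Test-ReplicationHealthy again and confirm that Get-DcNotOnWin12 returns nothing.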

Easy!

Of course… you should make sure that you have good, usable backups of your domain/DCs. Also, as noted in the article listed below, you should probably run some checks to make sure there are no problems with your domain.

 

Resources:

http://msmvps.com/blogs/mweber/archive/2012/07/27/upgrading-an-active-directory-domain-from-windows-server-2008-or-windows-server-2008-r2-to-windows-server-2012.aspx

Tuesday, March 12, 2013

Upgrading A Fileserver (and domain) from Win08 to Win12–Part 2

NOTE: This blog post is primarily my notes on this test. While I hope you find it informative (and feel free to ask any questions about it), I am mainly using this to keep my information straight. Thanks.

Here in Part 2 of my little test, I have completed setting up the environment. I have:

  • 2x Win08 domain controllers
  • 1x Win08 file server
  • 1x Win12 file server
  • 1x Win7 client

My next steps are these:

  • Record folder share and security information
  • Shut down both file servers
  • Move the VHD containing my actual data from old file server to new file server
  • Bring up the new file server
  • Make sure the new file server can see the data VHD
  • Re-create the shares on the new file server
  • Test access and connectivity from the client computer

The process to manage shares is a little different in Win12 than in Win08.

  • Computer Management | Storage | Disk Management
    • Bring disk online
    • Assign drive letter (E:)
    • Share folders, using the same settings as on the old file server
    • Enable ABE
      • Server Manager | File and Storage Services | Shares
      • Right-click on share | select Properties
      • Settings | Enable access-based enumeration
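
The "record share and security information" and "re-create the shares" steps can be scripted, shown here as an added example that is not part of the original test. It assumes PowerShell 2.0 on the old Win08 server, the same drive letter (E:) on both servers, and a CSV path chosen for illustration.

```powershell
# Added example. Export-ShareConfig runs on the old Win08 server (WMI only);
# Import-ShareConfig runs on the Win12 server once the data disk is online.
$csv    = 'C:\Temp\shares.csv'     # assumed path; copy the file between servers
$rights = @{ 2032127 = 'Full'; 1245631 = 'Change'; 1179817 = 'Read' }

function Export-ShareConfig {
    # One row per share-level ACE on every disk share (Type 0 skips admin shares)
    Get-WmiObject Win32_Share -Filter 'Type = 0' | ForEach-Object {
        $share = $_
        $sec = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name = '$($share.Name)'"
        if (-not $sec) { return }
        foreach ($ace in $sec.GetSecurityDescriptor().Descriptor.DACL) {
            New-Object PSObject -Property @{
                Name    = $share.Name
                Path    = $share.Path
                Account = (@($ace.Trustee.Domain, $ace.Trustee.Name) | Where-Object { $_ }) -join '\'
                Right   = $rights[[int]$ace.AccessMask]
                Deny    = ($ace.AceType -eq 1)
            }
        }
    } | Export-Csv -Path $csv -NoTypeInformation
}

function Import-ShareConfig {
    Import-Csv $csv | Group-Object Name | ForEach-Object {
        $name = $_.Name
        $path = $_.Group[0].Path
        New-SmbShare -Name $name -Path $path -FolderEnumerationMode AccessBased | Out-Null
        # New-SmbShare grants Everyone:Read by default; clear it so the share
        # ends up with only the ACEs recorded on the old server.
        Revoke-SmbShareAccess -Name $name -AccountName 'Everyone' -Force | Out-Null
        foreach ($ace in $_.Group) {
            if ($ace.Deny -eq 'True') {
                Block-SmbShareAccess -Name $name -AccountName $ace.Account -Force | Out-Null
            } elseif ($ace.Right) {
                Grant-SmbShareAccess -Name $name -AccountName $ace.Account -AccessRight $ace.Right -Force | Out-Null
            } else {
                Write-Warning "Custom access mask for $($ace.Account) on $name; set it by hand."
            }
        }
    }
}
```

NTFS permissions travel with the disk; only the share definitions and share-level permissions need to be carried over this way.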

Things look good from my client. Too easy!

Now, in production, there are other steps of course. Modifying logon scripts, drive mappings, backups (new base in AppAssure, OUCH!). But it looks like I can get our file serving moved onto a Win12 box without too much difficulty.

As I think more about it, the ‘backups’ question may prove to be a tough one… We use AppAssure for backups. Our repository does not have enough room to do ANOTHER base image of our main file server. Moving this data to a new Win12 box would, I think, trigger a new base image to be taken. Looking at AppAssure, I may be able to delete old base images of our old file server and see if that won’t free up enough room to take the new base. Once the new file server is up and running and has some backup history in place, I can then clear out the rest of the old file server images.

Now, to look at Win08-to-Win12 domain upgrade.

Monday, March 11, 2013

Upgrading A Fileserver (and domain) from Win08 to Win12–Part 1

I am setting up another quick lab to test two things out…

  1. Upgrading my fileserver from Win08 to Win12. I will actually be creating a new file server and just moving a disk from the SAN to the new server. At least, I am hoping this will work smoothly.
  2. Upgrading my domain from Win08R2 to Win12.

I should be able to do both tests with a very simple lab environment. The lab will consist of:

  • DC01 (Win08)
  • DC02 (Win08)
  • FS01 (Win08)
  • FS03 (Win12)
  • Client02 (Win7)

I will test the file server upgrade first and the domain upgrade second. The plan is simple… Set up a file server with a few shares, files and folders using security groups for access permissions, ABE, etc. Your standard fare, and a fair representation of what we have in production. I will then turn up the Win12 file server and see about moving the disk from the old to the new. I am guessing that I will need to duplicate the share configuration on the new server. But, the NTFS permissions should ‘just work’. (famous last words). Then, just tell everyone the new server name (hoping that, someday, DFS will alleviate this step).

Once I get this file server migration tested, I am then going to look at the DC upgrade and domain migration. Fun!

Thursday, March 7, 2013

DFS Testing In A Lab–Part 1

I have never used DFS before. This changes now.

As noted in a previous blog post, we have a small lab setup in place. My plan is to build out a Windows 2012 domain and do some DFS testing. My thinking for an initial setup is the following:

  • Networks
    • Lab LAN01
    • Lab LAN02
  • Servers
    • Win12-DC01
      • 192.162.1.10
      • AD, DNS, DHCP for 192.168.1.200+
    • Win12-DC02
      • 192.168.2.10
      • AD, DNS, DHCP for 192.168.2.200+
    • Win12-RRAS
      • 192.168.1.1
      • 192.168.2.1
    • Win12-FS01
      • 192.168.1.20
    • Win12-FS02
      • 192.168.2.20
    • Win7-Client01
      • DHCP Client

The setup will be pretty basic, but I am hoping it will allow me to install, configure, and test the features of DFS. The domain will have two sites on two subnets. DFS will be configured and used on both file servers. In this Part 1 post, I will be setting up the RRAS server and the two domain controllers. Here are the actual configuration steps I am taking:

  • Create VMs (differencing disks from a base Win12 install)
  • Configure RRAS server first
    • Rename server.
    • This server has two NICs. Give each its IP address. Only configure IP address and subnet mask.
    • Installed the ‘Remote Access’ Role (which added other roles and features as needed).
      • Made sure the ‘Routing’ Role service was selected
    • Open RRAS console.
      • Right-click on server and select ‘Configure and Enable Routing and Remote Access’
      • Enable LAN-to-LAN routing
    • Enable ‘Allow PING’ in firewall
  • Configure first DC
    • Configure IP address
    • Rename server
    • Enable ‘Allow PING’ in firewall
    • Install ADDS Role
    • Promote server to DC
      • Create new domain: DFSLab.local
    • Install DHCP Role and configure to hand out IP addresses for clients on the 192.168.1.x network
  • Configure second DC
    • Configure IP address
    • Rename server
    • Enable ‘Allow PING’ in firewall
    • Install ADDS Role
    • Promote server to DC
      • Add to existing domain
        • Had to move the server onto the same subnet as my first DC
        • Had to add a DNS server address in the IP config
    • Put server back on its own subnet
  • Set up two Sites and subnets in Active Directory Sites and Services
  • Test connectivity

In Part 2, I will be adding the two file servers and a client computer.

I would love to hear your thoughts and recommendations regarding this. I am in new waters here and any guidance/thoughts/hints would be wonderful.

Wednesday, March 6, 2013

Name Migration Between IIS Servers

We are migrating our current Arena server’s name to our new Arena server. Our initial thought was to simply remove the old server from the network and modify the DNS record for OLDARENA to point to the IP address of NEWARENA. When we did this, we found our new server would challenge us for AD credentials.

The problem turned out to be with SPNs. Even with the changes listed above, the SPNs for OLDARENA were still associated with the actual OLDARENA server. Deleting these SPNs resolved the auth/credentials/Kerberos issues. For completeness, we added the SPNs to associate them with the NEWARENA server.

We used the “setspn” command line tool to accomplish this. See the following for information:
http://technet.microsoft.com/en-us/library/cc731241%28v=ws.10%29.aspx
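
The SPN move described above, sketched with setspn as an added example rather than the exact commands we ran. OLDARENA and NEWARENA are the names from this post; limiting the move to the HOST and HTTP service classes and registering them on the NEWARENA computer account (app pool running as the machine identity) are assumptions.

```powershell
# Added example: move the SPNs that name the old host from the OLDARENA
# computer account to NEWARENA. Run as a domain admin.
$old   = 'OLDARENA'
$new   = 'NEWARENA'
$Apply = $false     # leave $false for a dry run that only prints the commands

function Get-AccountSpn([string]$Account) {
    # setspn -L prints a header line, then one indented SPN per line
    setspn -L $Account |
        Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim() }
}

# SPNs on the old account that name the old host (short name, FQDN, or with a port)
$pattern = '^(HOST|HTTP)/' + [regex]::Escape($old) + '(\.|:|$)'
$spns = @(Get-AccountSpn $old | Where-Object { $_ -match $pattern })

foreach ($spn in $spns) {
    if ($Apply) {
        setspn -D $spn $old    # remove from the old computer account
        setspn -S $spn $new    # -S checks for an existing duplicate before adding
    } else {
        "setspn -D $spn $old"
        "setspn -S $spn $new"
    }
}

if ($Apply) {
    # Each moved SPN should now resolve to NEWARENA only
    foreach ($spn in $spns) { setspn -Q $spn }
    # Report any duplicate SPNs left in the domain
    setspn -X
}
```

If OLDARENA is ever powered on again while still joined to the domain, it can re-register its own HOST SPNs, so disable or remove its computer account once the move is confirmed. Run klist purge on a test client to drop cached tickets before retesting.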

This blog post put me on the right track: http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/the-biggest-mistake-serviceprincipalname-s.aspx

 

Other item of note:
DNS record replication between DNS servers. When making static changes, records are having a hard time replicating. Looks to be a timing issue. As troubleshooting steps, I deleted the DNS record and then rebooted the server, hoping (correctly) that it would trigger a DNS record add/update. Replication then occurred to my other DNS servers after a short period of time.

UPDATE: A much better account of this:
http://codersforchrist.com/cs/blogs/nick/archive/2013/03/06/Server-Swap-Leads-to-SPN-Discovery.aspx
