
Tuesday 5 July 2016

How to uninstall Active Directory from Windows Server 2008?

Or, How to decommission Active Directory.
Or, How to demote a Domain Controller in Windows Server 2008?

Steps followed on a Windows Server 2008 DC:

Go to Run and type the command “dcpromo”. Then click on “Next”.

Click on “OK” to start the Active Directory uninstall.

Click on “Delete the domain because this server is the last domain controller in the domain” and then click on “Next” to proceed.

Note - If you have the forest domain available on another server, then don’t select this option. Leave it unchecked and click on “Next”.

Click on “Next”.

Select “Delete all application directory partitions on this Active Directory domain controller”. Then click on “Next”.

Enter the password (the Domain Controller authorization password needed to start the uninstallation), then click on “Next”.

Click on “Next”.

The Active Directory uninstall wizard will open.

After clicking on “Finish”, remove Active Directory Domain Services from the server roles to remove the binaries.

Then restart the server.

Sunday 26 June 2016

List of default users and security groups of a Domain Controller.

These details are essential for a system administrator. By knowing these groups, you can manage the server infrastructure to ensure server-level security and rights management.

Administrators - Built-in account for administering the computer/domain Controllers.

RODC Password Replication Group - Members in this group can have their passwords replicated to all read-only domain controllers in the domain.

Cert Publishers - Members of this group are permitted to publish certificates to Active Directory at the forest as well as the domain level.

Denied RODC Password Replication Group - Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain.

DnsAdmins – Members of this group have administrator access to the DNS Server service.

DnsUpdateProxy – Members of this group are DNS clients that are permitted to perform dynamic updates on behalf of some other clients.

Domain Admins – User accounts that are members of this group are domain administrators, but they can’t work at the forest level. They have full administrative control only in their particular domain.

Domain Computers – By default, any server, workstation or computer joined to the domain becomes a member of this group.

Domain Controllers – You can find the list of all domain controllers in this group.

Domain Guests – List of domain guests.

Domain Users – Any user created in the domain becomes a member of this group by default. This group represents all users in the domain.

Enterprise Admins – Members of this group have full access to all domains in the forest. This group is a member of the Administrators group on all domain controllers by default. We can call it the Super Admins group.

Enterprise Read-only Domain Controllers - Members of this group are Read-Only Domain Controllers in the enterprise, or read-only forest-level domain controllers.

Group Policy Creator Owners - Members in this group can modify Group Policy for the domain, so we can add users to it to allow them to modify Group Policy for the domain.

RAS and IAS Servers - Servers in this group can access remote access properties of users.

Read-only Domain Controllers - Members of this group are Read-Only Domain Controllers in the domain. Workstations and servers added to this group become Read-Only Domain Controllers.

Schema Admins - Designated administrators of the schema, so members of this group can modify the Active Directory schema.

Below is the reference screenshot where you can see all the default users created in Active Directory.
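
As an added example (not part of the original post), the PowerShell below audits which user accounts hold membership, directly or through nested groups, in the most powerful of the groups listed above. It assumes the ActiveDirectory module (RSAT) and a single domain; the selection of groups and the output file name are choices made for this example.

```powershell
Import-Module ActiveDirectory

# Groups from the list above whose membership gives domain- or forest-wide control.
# The selection is this example's assumption; extend it for your environment.
$privilegedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'DnsAdmins', 'Group Policy Creator Owners', 'Cert Publishers'
)

$report = foreach ($name in $privilegedGroups) {
    try {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        $group = Get-ADGroup -Identity $name -ErrorAction Stop
    } catch {
        Write-Warning "Group '$name' not found in this domain (skipped)."
        continue
    }

    # -Recursive expands nested groups, so indirect members are reported too.
    foreach ($member in Get-ADGroupMember -Identity $group -Recursive) {
        if ($member.objectClass -ne 'user') { continue }
        $user = Get-ADUser -Identity $member.distinguishedName `
            -Properties Enabled, LastLogonDate, PasswordLastSet
        [pscustomobject]@{
            Group           = $name
            Account         = $user.SamAccountName
            Enabled         = $user.Enabled
            LastLogonDate   = $user.LastLogonDate
            PasswordLastSet = $user.PasswordLastSet
        }
    }
}

# Review on screen and keep a dated copy to compare against the next run.
$report | Sort-Object Group, Account | Format-Table -AutoSize
$report | Export-Csv -Path .\privileged-group-members.csv -NoTypeInformation
```

Comparing the CSV from one run to the next shows accounts that were added to or removed from these groups in between.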

Saturday 25 June 2016

Trusted Zone List Group Policy Update Failed With Error.

Or, Group Policy update error “Windows failed to apply the Internet Explorer Zonemapping settings. Internet Explorer Zonemapping settings might have its own log file. Please click on the “More information” link” while updating Group Policy after applying “Internet Explorer Zonemapping settings” through GPO.


Error Details:
----------------------------------------------------------------------------------------------------------------------------------------------------------
C:\Users\test12>gpupdate
Updating policy…
Computer Policy update has completed successfully.
User Policy update has completed successfully.
The following warnings were encountered during user policy processing:
Windows failed to apply the Internet Explorer Zonemapping settings. Internet Explorer Zonemapping settings might have its own log file. Please click on the “More information” link.
For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
C:\Users\test12>
---------------------------------------------------------------------------------------------------------------------------------------------------------

The solution that worked for me:
After trying lots of KBs here and there, I noticed I was not configuring the URL listing properly. I was giving the URL names correctly but was not filling in the sequence numbers for all the URLs I was entering. So the trick that worked for me is that I just gave the sequence numbers in the Value field of the Site to Zone Assignment List, and that worked for me like a charm…

Below is the screenshot of correctly deploying the Site to Zone Assignment List URLs. In my case, I have used *.thedomainname.com etc… You can use URLs like http://thedomainname.com as well… That’s your choice…

Cheers.. Please write me back if you have any query or feedback..
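
The check below is an added example, not part of the original post. The Value column of the Site to Zone Assignment List takes a zone number (1 = Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites), and the policy is stored under the ZoneMapKey registry key; the script reads that key on a client and flags entries with a missing or invalid value. The function name and the sample entries are constructed for illustration.

```powershell
$zoneNames = @{ '1' = 'Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet'; '4' = 'Restricted Sites' }

function Test-ZoneMapEntry {
    param([string]$Site, [string]$Value, [string]$Source = 'sample')
    $v = "$Value".Trim()
    [pscustomobject]@{
        Source   = $Source
        Site     = $Site
        Value    = $Value
        Zone     = $zoneNames[$v]
        # Valid only when a site name is present and the value is a zone number 1-4.
        Valid    = $zoneNames.ContainsKey($v) -and -not [string]::IsNullOrWhiteSpace($Site)
        # Wildcards in the Intranet or Trusted Sites zone relax IE security for every
        # host under that domain, so they are worth a second look.
        Wildcard = $Site.Contains('*') -and ($v -eq '1' -or $v -eq '2')
    }
}

# Where the "Site to Zone Assignment List" policy lands (user and computer side).
$policyKeys = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

$applied = foreach ($key in $policyKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($site in $item.GetValueNames()) {
        Test-ZoneMapEntry -Site $site -Value $item.GetValue($site) -Source $key
    }
}

# Constructed sample: the second entry has an empty value, the mistake described above.
$sample = [ordered]@{ '*.thedomainname.com' = '2'; 'http://thedomainname.com' = '' }
$sampleResults = $sample.GetEnumerator() |
    ForEach-Object { Test-ZoneMapEntry -Site $_.Key -Value $_.Value }

@($applied) + @($sampleResults) | Format-Table Source, Site, Value, Zone, Valid, Wildcard -AutoSize
```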

Wednesday 15 June 2016

How to enable Active Directory Recycle Bin?

Or, Enabling Recycle Bin in Active Directory Windows Server 2012 R2.
Or, Easiest way to recover accidentally deleted items in Active Directory.

Guys, we all know that Microsoft has introduced a lovely feature of Active Directory which is known as “Active Directory Recycle Bin”. By using this feature, you can recover accidentally deleted items like users, OUs and computers from AD within a few seconds. I am afraid even to imagine recovering these objects now using the traditional method of System State Backup and recovery.

Here are the steps to enable Active Directory Recycle Bin:

Open Server Manager > Go to Tools > Click on Active Directory Administrative Center

Select your domain > In the right-side task area, click on Enable Recycle Bin
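
The same procedure in PowerShell, followed by a restore, as an added example that is not part of the original post. It assumes the ActiveDirectory module and sufficient rights in the forest root; the account name jdoe is hypothetical. Only objects deleted after the feature was enabled can be recovered this way.

```powershell
Import-Module ActiveDirectory

$forest = Get-ADForest

# The Recycle Bin requires forest functional level Windows Server 2008 R2 or higher.
$minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $minimum) {
    throw "Forest functional level is $($forest.ForestMode); raise it before enabling the Recycle Bin."
}

$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    # Enabling cannot be undone, so the cmdlet's confirmation prompt is left in place.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.Name
} else {
    Write-Output 'Recycle Bin is already enabled.'
}

# Restore the most recently deleted copy of one account.
$sam = 'jdoe'   # hypothetical account name
$deleted = Get-ADObject -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$sam'" `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Sort-Object whenChanged -Descending |
    Select-Object -First 1

if ($deleted) {
    # lastKnownParent is the container the object is restored to; it must still exist.
    Write-Output "Restoring $($deleted.DistinguishedName) to $($deleted.lastKnownParent)"
    $deleted | Restore-ADObject -PassThru
} else {
    Write-Warning "No deleted object found for '$sam'."
}
```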


How to check all configured settings in Group Policy Object (Active Directory)?

Or, How to see all defined settings in a Group Policy Object (Active Directory)?

Steps:
Open Group Policy Management Console > Go to Group Policy Objects > Select any of the Group Policy Objects (in my case, it’s “Logon Message Policy”) > Go to the Settings tab > Click on “Show All”.


Now you will be able to see all defined policies of that particular Group Policy Object. Please refer to the below screenshot for a GUI view of the settings explained above:

Saturday 11 June 2016

Group policy to deploy screensaver on domain computers.

Or, How to create screensaver Group Policy in Windows server 2012 R2?

Steps:
Login to your Domain Controller Server > Open Group Policy Management Console > Create a New Group Policy Object > Go to User Configurations > Policies > Administrative Templates > Personalization

Enable the policy options as shown in the below screenshots. You can choose more policy options as per your individual need.

In my case, the screensaver timeout value is 300 seconds (5 minutes).

Here you need to give the complete shared path of the .scr file you have created.

Run gpupdate /force on both the server and the client to update the policy immediately.

Good luck, please write me back for any query or feedback…
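
A .scr file is an executable that this policy starts in every targeted user's session, so the shared copy should be writable only by administrators. The check below is an added example, not part of the original post; the UNC path, the domain name CONTOSO and the list of allowed writers are assumptions. It reads the NTFS permissions only; share-level permissions are configured separately on the file server.

```powershell
# Hypothetical UNC path; use the value entered in the screen saver policy setting.
$scrPath = '\\fileserver\Screensavers\corp.scr'

# Principals allowed to change the file (assumption of this example).
$allowedWriters = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CONTOSO\Domain Admins'

# Rights that let a principal replace, delete or re-permission the file.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-UnexpectedWriter {
    param([string]$Path, [string[]]$Allowed, [int]$Mask)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $canWrite = ([int]$ace.FileSystemRights -band $Mask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $Allowed -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

# Check the file and its folder: write access to the folder is enough to swap the file.
$findings = @($scrPath, (Split-Path -Path $scrPath -Parent)) |
    ForEach-Object { Get-UnexpectedWriter -Path $_ -Allowed $allowedWriters -Mask $writeMask }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'Only the expected principals can modify the screen saver file.'
}

# Record the signature status and hash so a later change to the file is noticeable.
[pscustomobject]@{
    SignatureStatus = (Get-AuthenticodeSignature -FilePath $scrPath).Status
    Sha256          = (Get-FileHash -LiteralPath $scrPath -Algorithm SHA256).Hash
}
```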




How to create a common folder for all users across the domain using Group Policy?

Or, Create a folder in every user’s profile using Group Policy.

Steps:
Login to your Domain Controller Server > Open Group Policy Management Console > Create a New Group Policy Object > Go to User Configurations > Preferences > Windows Settings > Folders > Right Click and Select New Folder > Select the action Create in this case or any action you want (Update/Delete etc.) > Select the path where you want this folder to be created > Run gpupdate /force to update the policy forcefully.

Example: if the path is C:\users\testfolder, a folder with the name “testfolder” will be created under the path C:\Users on every user’s computer.


You may refer to the below screenshot for your reference:

How to Copy files across all domain computers using Group Policy?

Or, Group Policy to delete or copy files across all domain computers.

Note: If you want to copy all files from a specific source, use *.* at the end of the file path, e.g. \\SharedFolder\*.*

Steps:
Login to your Domain Controller Server > Open Group Policy Management Console > Create a New Group Policy Object > Go to User Configurations > Preferences > Windows Settings > Files > Right Click and Select New File > Select the action you want (Update/Create/Delete etc.) > Select Source and Destinations > Run gpupdate /force to update the policy forcefully.

You may refer to the below screenshot for your reference:

Cheers, please write me back if you have any query or feedback on this article…

Tuesday 23 February 2016

What is Group Policy in AD?

Or, What is use of Group Policy in Active Directory?

Group Policy is a GUI interface from which you can change the registry values of one or multiple machines from a central management console.

It is used to push user- or computer-defined policies in a domain environment, whether they are restrictions, privileges or deployments.

What is IFM in Active Directory?

IFM Stands for "Installation From Media".

It is used to reduce the time taken to install new ADCs in a domain. Installation of AD using IFM is much faster than the traditional installation method.

Monday 22 February 2016

How to export Computers List from AD?

Or, How to Export Computers List From Specific OU of AD (Active Directory)?

The simplest way of exporting the computers list from an OU of Active Directory is: Right Click on the OU > Click Export List > Save the .txt file wherever you want.

The reference screenshot is as below:

Wednesday 17 February 2016

How To Integrate vSphere 6.0 With AD?

Or, How To Integrate vSphere 6.0 With Active Directory?

1. Make sure your vCenter Server is joined to your domain; it should not be part of a workgroup.

2. If it is not already joined to the domain, please join it to the domain.

3. Open CMD with administrative privileges:
    Go to Search > Type CMD > Right Click on it and select Run as Administrator

4. Change to the directory “C:\Program Files\VMware\vCenter Server\VMware Identity Services\scripts” by typing in CMD:
cd C:\Program Files\VMware\vCenter Server\VMware Identity Services\scripts

5. Type the below command and hit Enter:
sso-add-native-ad-idp.cmd vmware.com

6. Wait for this command to complete.

You can now verify in the vCenter vSphere console whether the domain name is highlighted in the access rights management section.

It should look like the below reference screenshot (your domain name should appear there):