Active Directory Week: Essential Steps for PowerShell when Upgrading
Summary: Learn three essential steps for Windows PowerShell when upgrading from Windows Server 2003.
Microsoft Scripting Guy, Ed Wilson, is here. Today we have the final post in the series about Active Directory PowerShell by Ashley McGlone. Before you begin, you might enjoy reading these posts from the series:
- Get Started with Active Directory PowerShell
- Explore Group Membership with PowerShell
- Active Directory Week: Stale Object Cleanup Guidance—Part 1
- Active Directory Week: Stale Object Cleanup Guidance—Part 2
Over the years Microsoft has released a number of new features to enhance Active Directory functionality. (For more information, see Active Directory Features in Different Versions of Windows Server.) If you are just now upgrading from Windows Server 2003, you have much to be thankful for. You will get to use new features like the Active Directory Recycle Bin and “Protect from accidental deletion.” But first you must raise the forest functional level to at least Windows Server 2008 R2. Let’s look at how to turn on these features.
Raise the functional level
In the Windows Server 2008 R2 era, many new Active Directory features were dependent on domain or forest functional level. One significant change with Windows Server 2012 R2 and Windows Server 2012 is that the product group tried to reduce the dependency on functional level for new features. At a minimum, you want to move your forest functional level to the Windows Server 2008 R2. You can raise it to Windows Server 2012 R2 if all of your domain controllers are on the current release.
Of course, these steps can be done in the graphical interface, but this post is about Windows PowerShell. It is actually quite easy to do from the Windows PowerShell console. First, let’s check the current functional modes:
PS C:\> (Get-ADDomain).DomainMode
PS C:\> (Get-ADForest).ForestMode
Note If you are running these commands on Windows Server 2008 R2, you must first run this line:
DomainMode and ForestMode are properties of the ADDomain and ADForest, respectively. Lucky for us there is a cmdlet to set each of these. Look at this syntax:
$domain = Get-ADDomain
Set-ADDomainMode -Identity $domain -Server $domain.PDCEmulator -DomainMode Windows2012Domain
$forest = Get-ADForest
Set-ADForestMode -Identity $forest -Server $forest.SchemaMaster -ForestMode Windows2012Forest
Note You must target the PDC Emulator for domain mode changes and the Schema Master for forest mode changes.
The following table shows the available domain and forest mode parameter values:
Here are some points to consider:
- If you raise the forest functional level, it will automatically attempt to raise the level of all the domains first.
- Generally, these commands only raise functional level. You cannot lower the level. (There is a minor exception, which is documented in How to Revert Back or Lower the Active Directory Forest and Domain Functional Levels in Windows Server 2008 R2.)
- All domain controllers must be at the same or higher operating system level as the functional mode.
- Be sure that you have a good backup of the forest for any possible recovery scenario afterward.
For more information about raising functional level, see What is the Impact of Upgrading the Domain or Forest Functional Level?
Enable the Active Directory Recycle Bin
Hopefully, this feature is old news to you by now. The key point is that it is not automatic. You must enable the Active Directory Recycle Bin before you can restore a deleted account. Here is the easiest way to enable the Active Directory Recycle Bin from Windows PowerShell:
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
-Target (Get-ADForest).RootDomain -Server (Get-ADForest).DomainNamingMaster
This command is written so that it will work in any environment. Note that it must target the forest Domain Naming Master role holder.
For more information and potential troubleshooting steps, see:
Now you can use the Restore-ADObject cmdlet or the Active Directory Administrative Center (ADAC) graphical interface to recover deleted objects. This is so much easier than an Active Directory authoritative restore!
Protect from accidental deletion
Have you noticed a theme yet? “Recycle bin” and “accidental deletion”…
We want to help you recover faster. The “Protect from accidental deletion” feature will hopefully keep you from needing the Recycle Bin. The following image shows the check box for the setting in the graphical interface:
With the Active Directory cmdlets, we can find the status by using the ProtectedFromAccidentalDeletion object property like this:
Get-ADuser ProtectMe -Properties ProtectedFromAccidentalDeletion
This value will be True or False, depending on whether the box is selected. To turn on the protection, we can use this syntax:
Get-ADUser -Identity ProtectMe | Set-ADObject -ProtectedFromAccidentalDeletion:$true
It would be inefficient to do this one-at-a-time for all objects, wouldn’t it? Here are some commands you could use to turn it on more broadly across your environment:
Get-ADUser -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true
Get-ADGroup -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true
Get-ADOrganizationalUnit -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true
The next logical question would be, “OK. Then how do I delete something when it is not an accident?”
I am glad you asked. We can turn off the protection and delete an object like this:
Get-ADUser ProtectMe |
Set-ADObject -ProtectedFromAccidentalDeletion:$false -PassThru |
Notice that we use the -PassThru switch to keep the user object moving through the pipeline after the Set command.
This delete protection is not enabled by default. It must be explicitly set on each object that you want to protect. For information about how to make this automatic for new objects, you can read the comments that follow this post on the Ask the Directory Services Team blog: Two lines that can save your AD from a crisis.
Note If you would like to know more about how this feature works, we explain this topic in greater detail in Module 7 of the Microsoft Virtual Academy videos, Active Directory Attribute Recovery With PowerShell.
In this post, we discussed three essentials steps when upgrading from Windows Server 2003:
- Raise the domain and forest functional level
- Enable Recycle Bin
- Protect from accidental deletion
Of course, there are many other new features to leverage. I recommend that you check out the following resources in the Microsoft Virtual Academy videos:
- In Module 7, we discuss a recovery strategy that uses Active Directory snapshots. This is a friendly way to recover corrupted Active Directory properties without the hassle of a full authoritative restoration. I recommend that all customers start taking Active Directory snapshots (not to be confused with virtual machine snapshots) on a regular basis to aid in the recovery process.
- In Module 8, we discuss three tips to help you deploy domain controllers faster during your upgrade. Note that DCPROMO was depreciated in Windows Server 2012 R2.
In addition, you should consider migrating SYSVOL from NTFRS to DFSR replication. This is another benefit after the functional level change, and it requires a manual step to turn it on. This is not addressed in the videos, but these steps are documented on TechNet and in a number of blog posts. For example, see, SYSVOL Replication Migration Guide: FRS to DFS Replication.
Congratulations on your move from Windows Server 2003! You will find that the later operating systems have many more features and tools to help with routine administration, maintenance, and security. With the tips from this post, you have a jumpstart for automating new features to aid in recovery scenarios.
Watch my free training videos for Active Directory PowerShell on Microsoft Virtual Academy to learn more insider tips on topics such as getting started with Active Directory PowerShell, routine administration, stale accounts, managing replication, disaster recovery, domain controller deployment.
And that ends our series about Active Directory PowerShell by Ashley McGlone! Join me tomorrow when I seek a way to find the latitude and longitude for a specific address.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at firstname.lastname@example.org, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy