{"id":273,"date":"2014-11-28T00:01:00","date_gmt":"2014-11-28T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2014\/11\/28\/active-directory-week-essential-steps-for-powershell-when-upgrading\/"},"modified":"2022-06-13T10:21:25","modified_gmt":"2022-06-13T17:21:25","slug":"active-directory-week-essential-steps-for-powershell-when-upgrading","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/active-directory-week-essential-steps-for-powershell-when-upgrading\/","title":{"rendered":"Active Directory Week: Essential Steps for PowerShell when Upgrading"},"content":{"rendered":"<p><b style=\"font-size:12px\">Summary<\/b><span style=\"font-size:12px\">: Learn three essential steps for Windows PowerShell when upgrading from Windows Server 2003.<\/span><\/p>\n<p>Microsoft Scripting Guy, Ed Wilson, is here. Today we have the final post in the series about Active Directory PowerShell by Ashley McGlone. Before you begin, you might enjoy reading these posts from the series:<\/p>\n<ul>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/scripting\/active-directory-week-get-started-with-active-directory-powershell\/\" target=\"_blank\" rel=\"noopener\">Get Started with Active Directory PowerShell<\/a><\/li>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/scripting\/active-directory-week-explore-group-membership-with-powershell\/\" target=\"_blank\" rel=\"noopener\">Explore Group Membership with PowerShell<\/a><\/li>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/scripting\/active-directory-week-stale-object-cleanup-guidancepart-1\/\" target=\"_blank\" rel=\"noopener\">Active Directory Week: Stale Object Cleanup Guidance\u2014Part 1<\/a><\/li>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/scripting\/active-directory-week-stale-object-cleanup-guidancepart-2\/\">Active Directory Week: Stale Object Cleanup Guidance\u2014Part 2<\/a><\/li>\n<\/ul>\n<p>Over the years Microsoft has released a number of new 
features to enhance Active Directory functionality. (For more information, see <a href=\"http:\/\/social.technet.microsoft.com\/wiki\/contents\/articles\/19037.active-directory-features-in-different-versions-of-windows-server.aspx\" target=\"_blank\" rel=\"noopener\">Active Directory Features in Different Versions of Windows Server<\/a>.) If you are just now upgrading from Windows Server 2003, you have much to be thankful for. You will get to use new features like the Active Directory Recycle Bin and \u201cProtect from accidental deletion.\u201d But first you must raise the forest functional level to at least Windows Server 2008 R2. Let\u2019s look at how to turn on these features.<\/p>\n<h2>Raise the functional level<\/h2>\n<p>In the Windows Server 2008 R2 era, many new Active Directory features were dependent on domain or forest functional level. One significant change with Windows Server 2012\u00a0R2 and Windows Server 2012 is that the product group tried to reduce the dependency on functional level for new features. At a minimum, you want to move your forest functional level to the Windows Server 2008 R2 level. You can raise it to Windows Server 2012 R2 if all of your domain controllers are on the current release.<\/p>\n<p>Of course, these steps can be done in the graphical interface, but this post is about Windows PowerShell. It is actually quite easy to do from the Windows PowerShell console. First, let\u2019s check the current functional modes:<\/p>\n<p style=\"margin-left:30px\">\n  PS C:\\> (Get-ADDomain).DomainMode\n<\/p>\n<p style=\"margin-left:30px\">\n  PS C:\\> (Get-ADForest).ForestMode\n<\/p>\n<p><strong>\u00a0 \u00a0Note\u00a0<\/strong> If you are running these commands on Windows Server 2008 R2, you must first run this line:<\/p>\n<p style=\"margin-left:30px\">\n  Import-Module ActiveDirectory\n<\/p>\n<p><strong>DomainMode<\/strong> and <strong>ForestMode<\/strong> are properties of the ADDomain and ADForest objects, respectively. 
Lucky for us there is a cmdlet to set each of these. Look at this syntax:<\/p>\n<p style=\"margin-left:30px\">\n  $domain = Get-ADDomain\n<\/p>\n<p style=\"margin-left:30px\">\n  Set-ADDomainMode -Identity $domain -Server $domain.PDCEmulator -DomainMode Windows2012Domain\n<\/p>\n<p style=\"margin-left:30px\">\n  $forest = Get-ADForest\n<\/p>\n<p style=\"margin-left:30px\">\n  Set-ADForestMode -Identity $forest -Server $forest.SchemaMaster -ForestMode Windows2012Forest\n<\/p>\n<p><strong>\u00a0 \u00a0Note\u00a0<\/strong> You must target the PDC Emulator for domain mode changes and the Schema Master for forest mode changes.<\/p>\n<p>The following table shows the available domain and forest mode parameter values:<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"180\" valign=\"top\">\n<p>\n          <b>Set-ADDomainMode<\/b>\n        <\/p>\n<\/td>\n<td width=\"222\" valign=\"top\">\n<p>\n          <b>Set-ADForestMode<\/b>\n        <\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"180\" valign=\"top\">\n<p>\n          Windows2003Domain\n        <\/p>\n<p>\n          Windows2008Domain\n        <\/p>\n<p>\n          Windows2008R2Domain\n        <\/p>\n<p>\n          Windows2012Domain\n        <\/p>\n<p>\n          Windows2012R2Domain\n        <\/p>\n<\/td>\n<td width=\"222\" valign=\"top\">\n<p>\n          Windows2000Forest\n        <\/p>\n<p>\n          Windows2003InterimForest\n        <\/p>\n<p>\n          Windows2003Forest\n        <\/p>\n<p>\n          Windows2008Forest\n        <\/p>\n<p>\n          Windows2008R2Forest\n        <\/p>\n<p>\n          Windows2012Forest\n        <\/p>\n<p>\n          Windows2012R2Forest\n        <\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Here are some points to consider:<\/p>\n<ul>\n<li>If you raise the <em>forest<\/em> functional level, it will automatically attempt to raise the level of all the <em>domains<\/em> first.<\/li>\n<li>Generally, these commands only <em>raise<\/em> functional level. 
You cannot <em>lower<\/em> the level. (There is a minor exception, which is documented in <a href=\"http:\/\/social.technet.microsoft.com\/wiki\/contents\/articles\/850.how-to-revert-back-or-lower-the-active-directory-forest-and-domain-functional-levels-in-windows-server-2008-r2.aspx\" target=\"_blank\" rel=\"noopener\">How to Revert Back or Lower the Active Directory Forest and Domain Functional Levels in Windows Server 2008 R2<\/a>.)<\/li>\n<li>All domain controllers must be at the same or a higher operating system level than the functional mode.<\/li>\n<li>Be sure that you have a good backup of the forest for any possible recovery scenario afterward.<\/li>\n<\/ul>\n<p>For more information about raising functional level, see <a href=\"\/b\/askds\/archive\/2011\/06\/14\/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx\" target=\"_blank\" rel=\"noopener\">What is the Impact of Upgrading the Domain or Forest Functional Level?<\/a><\/p>\n<h2>Enable the Active Directory Recycle Bin<\/h2>\n<p>Hopefully, this feature is old news to you by now. The key point is that it is not automatic. You must enable the Active Directory Recycle Bin before you can restore a deleted account. Here is the easiest way to enable the Active Directory Recycle Bin from Windows PowerShell:<\/p>\n<p class=\"Code\" style=\"margin-left:30px\">\n  Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `\n<\/p>\n<p class=\"Code\" style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -Target (Get-ADForest).RootDomain -Server (Get-ADForest).DomainNamingMaster\n<\/p>\n<p>This command is written so that it will work in any environment. 
Note that it must target the forest Domain Naming Master role holder.<\/p>\n<p>For more information and potential troubleshooting steps, see:<\/p>\n<ul>\n<li><a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/dd392261(v=WS.10).aspx\" target=\"_blank\" rel=\"noopener\">Active Directory Recycle Bin Step-by-Step Guide<\/a><\/li>\n<li><a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/dd379481(v=ws.10).aspx\" target=\"_blank\" rel=\"noopener\">Step 1: Enable Active Directory Recycle Bin<\/a><\/li>\n<\/ul>\n<p>Now you can use the <a href=\"http:\/\/go.microsoft.com\/fwlink\/p\/?linkid=291104\" target=\"_blank\" rel=\"noopener\">Restore-ADObject<\/a> cmdlet or the Active Directory Administrative Center (ADAC) graphical interface to recover deleted objects. This is so much easier than an Active Directory authoritative restore!<\/p>\n<h2>Protect from accidental deletion<\/h2>\n<p>Have you noticed a theme yet? \u201cRecycle bin\u201d and \u201caccidental deletion\u201d&#8230;<\/p>\n<p>We want to help you recover faster. The \u201cProtect from accidental deletion\u201d feature will hopefully keep you from needing the Recycle Bin. 
The following image shows the check box for the setting in the graphical interface:<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/4555.1.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/4555.1.PNG\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p>With the Active Directory cmdlets, we can find the status by using the <strong>ProtectedFromAccidentalDeletion<\/strong> object property like this:<\/p>\n<p class=\"Code\" style=\"margin-left:30px\">\n  Get-ADUser ProtectMe -Properties ProtectedFromAccidentalDeletion\n<\/p>\n<p>This value will be True or False, depending on whether the box is selected. To turn on the protection, we can use this syntax:<\/p>\n<p class=\"Code\" style=\"margin-left:30px\">\n  Get-ADUser -Identity ProtectMe | Set-ADObject -ProtectedFromAccidentalDeletion:$true\n<\/p>\n<p>It would be inefficient to do this one at a time for all objects, wouldn\u2019t it? Here are some commands you could use to turn it on more broadly across your environment:<\/p>\n<p class=\"Code\" style=\"margin-left:30px\">\n  Get-ADUser -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true\n<\/p>\n<p class=\"Code\" style=\"margin-left:30px\">\n  Get-ADGroup -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true\n<\/p>\n<p class=\"Code\" style=\"margin-left:30px\">\n  Get-ADOrganizationalUnit -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true\n<\/p>\n<p>The next logical question would be, \u201cOK. Then how do I delete something when it is not an accident?\u201d<\/p>\n<p>I am glad you asked. 
We can turn off the protection and delete an object like this:<\/p>\n<p class=\"Code\" style=\"margin-left:30px\">\n  Get-ADUser ProtectMe |\n<\/p>\n<p class=\"Code\" style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 Set-ADObject -ProtectedFromAccidentalDeletion:$false -PassThru |\n<\/p>\n<p class=\"Code\" style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 Remove-ADUser -Confirm:$false\n<\/p>\n<p>Notice that we use the <strong>-PassThru<\/strong> switch to keep the user object moving through the pipeline after the <strong>Set<\/strong> command.<\/p>\n<p>This delete protection is not enabled by default. It must be explicitly set on each object that you want to protect. For information about how to make this automatic for new objects, you can read the comments that follow this post on the Ask the Directory Services Team blog: <a href=\"\/b\/askds\/archive\/2013\/06\/04\/two-lines-that-can-save-your-ad-from-a-crisis.aspx\" target=\"_blank\" rel=\"noopener\">Two lines that can save your AD from a crisis<\/a>.<\/p>\n<p style=\"margin-left:30px\">\n  <b>Note<\/b>\u00a0\u00a0If you would like to know more about how this feature works, we explain this topic in greater detail in Module\u00a07 of the Microsoft Virtual Academy videos, <a href=\"\/b\/ashleymcglone\/archive\/2014\/04\/24\/oh-snap-active-directory-attribute-recovery-with-powershell.aspx\" target=\"_blank\" rel=\"noopener\">Active Directory Attribute Recovery With PowerShell<\/a>.\n<\/p>\n<h2>Bonus tips<\/h2>\n<p>In this post, we discussed three essential steps when upgrading from Windows Server 2003:<\/p>\n<ol>\n<li>Raise the domain and forest functional level<\/li>\n<li>Enable Recycle Bin<\/li>\n<li>Protect from accidental deletion<\/li>\n<\/ol>\n<p>Of course, there are many other new features to leverage. 
I recommend that you check out the following resources in the <a href=\"https:\/\/aka.ms\/MvaPsAdHsg\" target=\"_blank\" rel=\"noopener\">Microsoft Virtual Academy<\/a> videos:<\/p>\n<ul>\n<li>In Module 7, we discuss a recovery strategy that uses Active Directory snapshots. This is a friendly way to recover corrupted Active Directory properties without the hassle of a full authoritative restoration. I recommend that all customers start taking Active Directory snapshots (not to be confused with virtual machine snapshots) on a regular basis to aid in the recovery process.<\/li>\n<li>In Module 8, we discuss three tips to help you deploy domain controllers faster during your upgrade. Note that DCPROMO was deprecated in Windows Server\u00a02012\u00a0R2.<\/li>\n<\/ul>\n<p>In addition, you should consider migrating SYSVOL from NTFRS to DFSR replication. This is another benefit after the functional level change, and it requires a manual step to turn it on. This is not addressed in the videos, but these steps are documented on TechNet and in a number of blog posts. For example, see <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/dd640019(v=WS.10).aspx\" target=\"_blank\" rel=\"noopener\">SYSVOL Replication Migration Guide: FRS to DFS Replication<\/a>.<\/p>\n<p>Congratulations on your move from Windows Server 2003! You will find that the later operating systems have many more features and tools to help with routine administration, maintenance, and security. 
With the tips from this post, you have a jump start for automating new features to aid in recovery scenarios.<\/p>\n<p>Watch my free training videos for Active Directory PowerShell on <a href=\"https:\/\/aka.ms\/MvaPsAdHsg\" target=\"_blank\" rel=\"noopener\">Microsoft Virtual Academy<\/a> to learn more insider tips on topics such as getting started with Active Directory PowerShell, routine administration, stale accounts, managing replication, disaster recovery, and domain controller deployment.<\/p>\n<p>~Ashley<\/p>\n<p>And that ends our series about Active Directory PowerShell by Ashley McGlone! Join me tomorrow when I seek a way to find the latitude and longitude for a specific address.<\/p>\n<p>I invite you to follow me on\u00a0<a href=\"http:\/\/bit.ly\/scriptingguystwitter\" target=\"_blank\" rel=\"noopener\">Twitter<\/a>\u00a0and\u00a0<a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\" rel=\"noopener\">Facebook<\/a>. If you have any questions, send email to me at\u00a0<a href=\"mailto:scripter@microsoft.com\" target=\"_blank\" rel=\"noopener\">scripter@microsoft.com<\/a>, or post your questions on the\u00a0<a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\" rel=\"noopener\">Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n<p><strong>Ed Wilson, Microsoft Scripting Guy\u00a0<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Learn three essential steps for Windows PowerShell when upgrading from Windows Server 2003. Microsoft Scripting Guy, Ed Wilson, is here. Today we have the final post in the series about Active Directory PowerShell by Ashley McGlone. 
Before you begin, you might enjoy reading these posts from the series: Get Started with Active Directory PowerShell [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,313,56,3,45],"class_list":["post-273","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-ashley-mcglone","tag-guest-blogger","tag-scripting-guy","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Learn three essential steps for Windows PowerShell when upgrading from Windows Server 2003. Microsoft Scripting Guy, Ed Wilson, is here. Today we have the final post in the series about Active Directory PowerShell by Ashley McGlone. Before you begin, you might enjoy reading these posts from the series: Get Started with Active Directory PowerShell 
[&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/273","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=273"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/273\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=273"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=273"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}