Import Trusted Root Certification Authorities

Internet Options->Content->Certificates

Open Internet Options, switch to the Content tab and click Certificates. On the Trusted Root Certification Authorities tab click Import… to start the Certificate Import Wizard.

Browse to the certificate location (the exported CA certificate, normally a .cer or .crt file).

Click Place all certificates in the following store and click Browse…

Select Trusted Root Certification Authorities and click OK.

Click Finish.

Windows now shows a Security Warning naming the CA the certificate claims to represent, together with its SHA-1 thumbprint, and asks "Do you want to install this certificate?"  Compare that thumbprint with the value you obtained from the CA operator out of band before clicking Yes: once a root is trusted, every certificate chained to it is accepted without further prompts.

Verify that the imported certificate appears under Trusted Root Certification Authorities.

Note that this route fills the current user's certificate store only. To trust the CA for every account on the machine, import it into the Local Computer store with the Certificates MMC snap-in (run as administrator), or deploy it with Group Policy as described in the next section.
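The same import scripted, as an added example that is not part of the original post. It pins the thumbprint before trusting anything, refuses a certificate that is not self-signed, and verifies the result from the Cert: drive. The file path and the expected thumbprint are placeholders; the X509Store API is used instead of Import-Certificate so it also runs on Windows 7 / PowerShell 2.0.

```powershell
# Added example (not from the original post): import a root CA only after pinning its
# SHA-1 thumbprint, then verify it landed in the intended store.
# Assumptions: $CertPath and $ExpectedThumbprint are placeholders; run elevated for LocalMachine.
param(
    [string]$CertPath = 'C:\certs\corp-root-ca.cer',                           # assumed path
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000',   # assumed value, obtained out of band
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$Scope = 'LocalMachine'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Refuse to trust a root whose fingerprint does not match what the CA operator told you.
if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $ExpectedThumbprint. Not importing."
}

# A root CA is self-signed; an intermediate or leaf does not belong in the Root store.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate is not self-signed (Subject '$($cert.Subject)', Issuer '$($cert.Issuer)'); use the CA store instead."
}

Write-Host "Importing '$($cert.Subject)' (valid until $($cert.NotAfter)) into Cert:\$Scope\Root"
# Adding to the CurrentUser Root store still pops the same Security Warning dialog as the wizard;
# the LocalMachine Root store needs an elevated prompt and shows no dialog.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $Scope)
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Verify by thumbprint, never by friendly name, which anyone can set.
$installed = Get-ChildItem "Cert:\$Scope\Root" | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($installed) { "OK: '$($installed.Subject)' is now trusted for $Scope" }
else            { throw 'Import did not take effect' }
```

Run it with -Scope CurrentUser to reproduce exactly what the Internet Options wizard does; the default LocalMachine scope is the machine-wide trust the wizard cannot give you.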

Group Policy Object

To trust the CA on every domain computer, deploy it with a GPO instead of importing it by hand on each machine. In the Group Policy Management Editor, go to:

Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

Right-click Trusted Root Certification Authorities, choose Import…, and walk through the same wizard. Once the certificate is imported, it appears in the right-hand pane of the editor.

Update Policy

Link the GPO to the OU that contains the computers and run gpupdate /force on a member (or wait for the next background refresh). The certificate then appears under Trusted Root Certification Authorities in the Local Computer store of every computer in scope. Because anyone who can edit this GPO can make all of those computers trust certificates of their choosing, keep edit rights on it limited to the PKI administrators.
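Checking that the root really arrived through policy, as an added example that is not part of the original post. Policy-delivered roots and locally imported roots are merged into one Cert:\LocalMachine\Root view, but they live under different registry keys, so the script tells the two apart. The thumbprint is a placeholder.

```powershell
# Added example (not from the original post): refresh computer policy on a domain member and
# confirm the root CA was delivered by the GPO rather than by a local import.
# Assumption: $Thumbprint is a placeholder for the CA's SHA-1 thumbprint.
$Thumbprint = '0000000000000000000000000000000000000000'

gpupdate /target:computer /force | Out-Null

# Roots pushed by Public Key Policies are written under the Policies hive ...
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
# ... while roots imported by hand into the Local Computer store land here.
$localKey  = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"

$status = [pscustomobject]@{
    Thumbprint  = $Thumbprint
    InStoreView = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint })
    FromGPO     = Test-Path $policyKey
    LocalImport = Test-Path $localKey
}
$status

if (-not $status.FromGPO) {
    Write-Warning 'Root is not present in the policy store: check the GPO link, scope filtering and gpresult /r'
}
if ($status.LocalImport) {
    Write-Warning 'A locally imported copy also exists; remove it so trust is managed by the GPO alone'
}

# certutil shows the same split: -grouppolicy lists only the policy-delivered roots.
certutil -store -grouppolicy Root | Select-String -Pattern 'Subject:|Cert Hash'
```

A root that shows InStoreView but not FromGPO was imported locally on that machine and will survive you removing it from the GPO, which is exactly the kind of stray trust anchor worth hunting for.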


Raise Forest Functional Level

Raise the Forest Functional Level from Windows Server 2003 to Windows Server 2008 R2.

From Active Directory Domains and Trusts, right-click the root node and select Raise Forest Functional Level…

Select an available forest functional level, Windows Server 2008 or Windows Server 2008 R2, and click OK to confirm. Only levels that every domain controller in the forest can support are offered, so a forest that still contains a Windows Server 2003 DC must have that DC demoted or upgraded first. Treat the raise as a one-way operation (a Windows Server 2008 R2 forest can be lowered back to Windows Server 2008 only while the Active Directory Recycle Bin has not been enabled) and take a system-state backup of a DC before proceeding.

The functional level was raised successfully.

Raise Domain Functional Level

Raise the Domain Functional Level from Windows Server 2003 to Windows Server 2008 R2.

From Active Directory Users and Computers, right-click the domain and select Raise domain functional level…

Select an available domain functional level, Windows Server 2008 or Windows Server 2008 R2, and click OK to confirm. The Windows Server 2008 domain level is what enables AES encryption for Kerberos and fine-grained password policies, and Windows Server 2008 R2 adds authentication mechanism assurance; none of these are available until the level is raised.

The functional level was raised successfully.
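Both raises scripted with the pre-flight checks the GUI does not show you, as an added example that is not part of the original post. It covers the domain and forest procedures above, uses the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later) and assumes Windows Server 2008 R2 as the target, as in the post; the version table is mine.

```powershell
# Added example (not from the original post): pre-flight checks, then the raise itself, with the
# ActiveDirectory module as an Enterprise Admin.
# Assumption: target level is Windows Server 2008 R2, as in the post; change $target for 2008.
Import-Module ActiveDirectory

$target = 'Windows2008R2'
# NT kernel version each level needs on every DC (6.0 = Server 2008, 6.1 = Server 2008 R2).
$minOs = @{ Windows2008 = [version]'6.0'; Windows2008R2 = [version]'6.1' }

$forest = Get-ADForest

# 1. Every DC in every domain must run at least the target OS. The GUI just hides levels it
#    cannot offer; this names the DC that blocks the raise.
$dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$dcs | Select-Object Name, Domain, OperatingSystem, OperatingSystemVersion | Format-Table -AutoSize

$blockers = $dcs | Where-Object {
    # OperatingSystemVersion looks like "5.2 (3790)"; keep the leading major.minor.
    [version]($_.OperatingSystemVersion -replace '\s.*$', '') -lt $minOs[$target]
}
if ($blockers) { throw "Cannot raise to $target; demote or upgrade first: $($blockers.Name -join ', ')" }

# 2. Record the current levels; this is the state you would want back if a rollback is possible at all.
"Forest mode before: $($forest.ForestMode)"
foreach ($d in $forest.Domains) { Get-ADDomain -Identity $d | Select-Object DNSRoot, DomainMode }

# 3. Raise each domain against its PDC emulator, then the forest against the domain naming master.
#    -Confirm forces a prompt because the change is effectively one-way.
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    Set-ADDomainMode -Identity $dom -DomainMode "${target}Domain" -Server $dom.PDCEmulator -Confirm
}
Set-ADForestMode -Identity $forest -ForestMode "${target}Forest" -Server $forest.DomainNamingMaster -Confirm

# 4. Verify once replication has had a moment.
"Forest mode after: $((Get-ADForest).ForestMode)"
foreach ($d in $forest.Domains) { Get-ADDomain -Identity $d | Select-Object DNSRoot, DomainMode }
```

The script raises the domains before the forest because a forest level can only be as high as its lowest domain; if the GUI offered you the forest level first, every domain already satisfied it.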

DCPROMO – New Credentials Dialog

When demoting a Domain Controller, dcpromo kept prompting for New Credentials during the demotion. Every Enterprise Admin account was tried, to no avail.

The cause: this Domain Controller's NTDS Settings object is marked Protect object from accidental deletion, so dcpromo cannot delete it and surfaces the failure as a credentials prompt. In Active Directory Sites and Services, open the properties of the server's NTDS Settings object, clear Protect object from accidental deletion, and dcpromo then demotes gracefully.
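The same fix from PowerShell, as an added example that is not part of the original post. It reads the flag on the NTDS Settings object of the DC being demoted, clears it there only, and afterwards lists any surviving DC whose settings object is not protected. The DC name is a placeholder.

```powershell
# Added example (not from the original post): inspect and clear the accidental-deletion
# protection that makes dcpromo stall on the New Credentials prompt.
# Assumption: 'DC-TO-DEMOTE' is a placeholder for the DC being demoted.
Import-Module ActiveDirectory
$dcName = 'DC-TO-DEMOTE'

# Get-ADDomainController exposes the DN of the server's NTDS Settings object directly.
$ntds = (Get-ADDomainController -Identity $dcName).NTDSSettingsObjectDN
Get-ADObject -Identity $ntds -Properties ProtectedFromAccidentalDeletion |
    Select-Object DistinguishedName, ProtectedFromAccidentalDeletion

# Clearing the flag removes the Deny Delete / Delete Subtree ACEs on the object and the
# Deny Delete All Child Objects ACE on its parent server object; -Confirm prompts first.
Set-ADObject -Identity $ntds -ProtectedFromAccidentalDeletion $false -Confirm

# Run dcpromo on the DC now. Afterwards, audit the DCs that stay: each one's NTDS Settings
# object should still be protected, so anything listed here deserves a look.
Get-ADDomainController -Filter * | ForEach-Object {
    Get-ADObject -Identity $_.NTDSSettingsObjectDN -Properties ProtectedFromAccidentalDeletion
} | Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object DistinguishedName
```

Only the object being demoted loses its protection; leaving the flag off on production DCs makes an accidental right-click delete in Sites and Services a full metadata cleanup you did not intend.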

NTDSUTIL: metadata cleanup

Removal of a failed Domain Controller in a Windows Server 2003 environment using NTDSUTIL
– First take the failed DC offline, permanently. If it ever comes back on line its server object is revived and it will try to replicate stale data.
– The steps are: connect to a healthy DC, list and select the domain, site and server, then remove the failed DC.
– Run from a domain-joined computer (Windows 7 Pro) in a cmd prompt; ntdsutil binds with the credentials of the logged-on user.
– Requires a Domain Admin or Enterprise Admin account. Because remove selected server deletes the DC's objects and seizes any FSMO roles it still holds, check the index you select against the list output before confirming.
– With the Windows Server 2008 (or RSAT) versions of Active Directory Users and Computers and Active Directory Sites and Services, deleting the DC's computer object or NTDS Settings object performs this cleanup for you; ntdsutil remains the route in a 2003 environment.
– If the failed DC's disks may have left your control (lost or stolen hardware rather than a dead box), treat every secret in its copy of the directory as exposed: reset the krbtgt password twice, allowing replication between the resets, and rotate the passwords of privileged and service accounts.

Note: related article on New Credentials

ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server healthy-dc1
Binding to healthy-dc1 ...
Connected to healthy-dc1 using credentials of locally logged on user.
server connections: quit
metadata cleanup: select operation target
select operation target: list domain
Found 1 domain(s)
0 - DC=DomanName,DC=com
select operation target: select domain 0
No current site
Domain - DC=DomanName,DC=com
No current server
No current Naming Context
select operation target: list sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomanName,DC=com
select operation target: select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomanName,DC=com
Domain - DC=DomanName,DC=com
No current server
No current Naming Context
select operation target: list servers in site
Found 6 server(s)
0 - CN=FAILED-DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomanName,DC=com
1 - CN=FAILED-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomanName,DC=com
2 - CN=HEALTHY-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomanName,DC=com
3 - CN=HEALTHY-DC5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomanName,DC=com
4 - CN=HEALTHY-DC6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomanName,DC=com
5 - CN=HEALTHY-DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomanName,DC=com
select operation target: select server 0    (index 0 is the failed DC)
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomanName,DC=com
Domain - DC=DomanName,DC=com
Server - CN=FAILED-DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomanName,DC=com
DSA object - CN=NTDS Settings,CN=FAILED-DC3,CN=Servers,CN=Default-First-Site-Name,CN=sites,CN=
DNS host name -
Computer object - CN=FAILED-DC3,OU=Domain Controllers,DC=DomanName,DC=com
No Current Naming Context
select operation target: quit
metadata cleanup: remove selected server
-> server remove confirmation dialog <-
Are you sure you want to remove the server object
"DC=DomanName,DC=com"?  This is not the last server for domain
Warning: The server in question should already be off-line permanently and never return
to service. If it comes back on-line, the server object will be revived.

Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under "CN=FAILED-DC3,OU=Domain Controllers,DC=DomanName,DC=com".

Removing FRS member "CN=FAILED-DC3,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=DomanName,DC=com".
Deleting subtree under "CN=FAILED-DC3,OU=Domain Controllers,DC=DomanName,DC=com".

The attempt to remove the FRS settings on CN=FAILED-DC3,CN=Servers,CN=Default-First-Site-Name,CN=sites,
CN=Configuration,DC=DomanName,DC=com failed because "Element not found.";
metadata cleanup is continuing...
"CN=FAILED-DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomanName,DC=com" removed from server "healthy-dc1"
metadata cleanup: quit

Test replication: show the replication status of each DC's inbound neighbors with repadmin /showrepl (add /errorsonly to list only failures). The removed DC must no longer appear as a replication partner on any surviving DC.
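A post-cleanup check, as an added example that is not part of the original post. It looks for the leftovers ntdsutil is known to leave behind (the transcript above already shows the FRS removal failing) and confirms no FSMO role still points at the dead DC. The DC name and domain are the placeholders from the transcript; the ActiveDirectory module, nslookup and repadmin are assumed to be available.

```powershell
# Added example (not from the original post): confirm nothing still references the removed DC.
# Assumptions: 'FAILED-DC3' and DomanName.com are the placeholders used in the transcript.
Import-Module ActiveDirectory
$dead   = 'FAILED-DC3'
$domain = Get-ADDomain
$forest = Get-ADForest
$config = (Get-ADRootDSE).configurationNamingContext
$findings = @()

# 1. The server object (and with it NTDS Settings) must be gone from the Configuration partition.
$srv = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$dead))" -SearchBase $config
if ($srv) { $findings += "server object still present: $($srv.DistinguishedName)" }

# 2. The computer account must be gone from OU=Domain Controllers.
$ou = "OU=Domain Controllers,$($domain.DistinguishedName)"
if (Get-ADComputer -LDAPFilter "(cn=$dead)" -SearchBase $ou) {
    $findings += "computer object still present in $ou"
}

# 3. ntdsutil seizes roles during removal, but verify none still names the dead DC.
$roles = @{
    SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
    PDCEmulator  = $domain.PDCEmulator;  RIDMaster = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | Where-Object { $_.Value -like "$dead.*" -or $_.Value -eq $dead } |
    ForEach-Object { $findings += "$($_.Key) still held by $($_.Value)" }

# 4. The FRS member object is the leftover the transcript's "Element not found" hints at.
$frs = Get-ADObject -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$dead))" `
                    -SearchBase "CN=System,$($domain.DistinguishedName)"
if ($frs) { $findings += "FRS member still present: $($frs.DistinguishedName)" }

# 5. Stale DNS records keep clients trying to authenticate against the dead DC.
"--- DNS records still naming $dead (delete them in the DNS console) ---"
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$($forest.RootDomain)" 2>$null | Select-String $dead
nslookup -type=NS $domain.DNSRoot 2>$null | Select-String $dead

# 6. Replication must be clean from the surviving DCs' point of view.
repadmin /showrepl /errorsonly
repadmin /replsummary

if ($findings) { "PROBLEMS:`n - " + ($findings -join "`n - ") }
else           { "Metadata cleanup of $dead is complete; now remove it from any firewall rules and monitoring" }
```

Anything this reports under PROBLEMS is safe to delete by hand with ADSI Edit or the DNS console, because the DC is gone for good; if it is not gone for good, go back to the first bullet above.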

netstat /?

C:\>netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -f            Displays Fully Qualified Domain Names (FQDN) for foreign
                addresses.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -t            Displays the current connection offload state.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.
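Putting the switches to work, as an added example that is not part of the original post: a parser for netstat -ano output that turns each row into an object and reports everything listening on all interfaces with its owning process. The sample text is constructed to match the layout netstat prints; pass the live output to the same function on a real host.

```powershell
# Added example (not from the original post): parse 'netstat -ano' (numeric, with PIDs) and
# list what is reachable from the network with the process behind it.
# The $sample block is constructed for offline use; Get-ExposedListeners -Lines (netstat -ano) is the live call.
function ConvertFrom-Netstat {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Columns: Proto  Local Address  Foreign Address  State  PID   (UDP rows carry no State)
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4 -or $f[0] -notmatch '^(TCP|UDP)$') { continue }
        $isTcp = $f[0] -eq 'TCP'
        $state = if ($isTcp) { $f[3] } else { '' }
        $procId = [int]$(if ($isTcp) { $f[4] } else { $f[3] })
        [pscustomobject]@{ Proto = $f[0]; Local = $f[1]; Foreign = $f[2]; State = $state; PID = $procId }
    }
}

function Get-ExposedListeners {
    param([string[]]$Lines)
    ConvertFrom-Netstat $Lines |
        # 0.0.0.0 / [::] means bound on every interface; 127.0.0.1 listeners are local only.
        Where-Object { $_.State -eq 'LISTENING' -and $_.Local -match '^(0\.0\.0\.0|\[::\]):' } |
        ForEach-Object {
            $port = [int]($_.Local -split ':')[-1]
            # -o gives the PID; resolving it here replaces -b without needing elevation.
            $proc = Get-Process -Id $_.PID -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $port
                Proto   = $_.Proto
                PID     = $_.PID
                Process = if ($proc) { $proc.ProcessName } else { '(exited or access denied)' }
                Note    = if ($port -ge 1024) { 'non-system port exposed on all interfaces' } else { '' }
            }
        } | Sort-Object Port
}

# Constructed sample (not real output) in the exact layout netstat -ano prints.
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5120
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       2204
  TCP    192.168.1.20:49712     192.168.1.5:389        ESTABLISHED     624
  TCP    [::]:3389              [::]:0                 LISTENING       1156
  UDP    0.0.0.0:123            *:*                                    1008
'@ -split "`r?`n"

Get-ExposedListeners -Lines $sample | Format-Table -AutoSize
```

Two switches matter for this kind of triage: -n, so netstat does not stall on (and leak) reverse DNS lookups for every foreign address, and -o, which gives the PID that Get-Process resolves. -b gives the executable directly but, as the help text says, needs an elevated prompt and is slow on a busy host; if you run it, do so from a shell whose netstat.exe you trust, since a tampered binary is the first thing that would hide a listener from you.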