Hello World,
As you can imagine, I’m quite busy lately. I do not have much time to post articles or blog about our favorite topics (i.e. IT). However, I managed to get some free time today and we will speak about IFM (Installation From Media) and how you could use PowerShell (and a task scheduler) to automate the IFM creation process.
What’s IFM ?
IFM, or Installation From Media, is an option that allows you to create an “offline” installation media of your Active Directory. By using the IFM approach, you will be able to “dump” the content of the Active Directory (database/SYSVOL contents) and copy this “installation media” to the future domain controller.
IFM was designed to minimize replication traffic while promoting domain controllers. Nowadays, we assume that the network is fast enough to perform such an operation, but in some environments you still have really slow links between the locations where domain controllers are placed. Sometimes the link is so slow that a normal DCPROMO operation simply times out and you are not able to promote your remote server to a domain controller.
I’ve seen in other environments that IFM was used as a disaster recovery solution. The customer was generating a new IFM file every 30 days. If a disaster occurred, this customer would use the IFM files to promote the domain controller, thus minimizing the downtime.
How do you create an IFM ?
To obtain more information about how to use IFM and how to install Domain controller from IFM, please refer to the following location. We will not explain in detail how the IFM works given that this is not the purpose of this post.
You will simply use the ntdsutil.exe command to generate the IFM media. Since Windows 2008, ntdsutil has been improved. You can now decide to create the following types of IFM media :
- IFM of a full writable domain controller
- IFM of a RODC (Read-Only)
- IFM of a full writable domain controller + SYSVOL files (you need Windows 2008 R2)
- IFM of a RODC + SYSVOL files (you need Windows 2008 R2)
To create an IFM of a writable domain controller and have a copy of the SYSVOL files, you would issue the following commands in a command prompt (with elevated privileges) :
ntdsutil
activate instance ntds
ifm
create sysvol full <%DriveLetter%>\<%Folder%>
Note :
You could create the IFM files through a single command line by typing the following :
ntdsutil "activate instance ntds" ifm "create sysvol Full $IFMPath" q q q
Using PowerShell to create an IFM ?
As explained above, one customer specifically had replication traffic issues, and it was not possible to promote domain controllers through the network. This customer also wanted to include the IFM solution as a disaster/recovery solution. Because the replication link was so slow, from time to time the remote domain controller account was not able to authenticate against other domain controllers, which led to replication errors. Resetting the domain controller account through the netdom utility worked sometimes and not at other times. So, there was a need to demote/promote the domain controller.
The IFM files were used to perform the first stage of the promotion process. Then, the final bits of the replication were performed through the network. Actually, I have to say that this approach was not perfect but worked most of the time and helped the organization to minimize the impact of such situations.
As requested by the customer, we created a quick and dirty PowerShell script that performs the following actions :
- The script checks if an IFM folder already exists. If yes, the script deletes the folder.
- The script then performs the IFM operation
IFM Script
And finally, here is the script. Please use it at your own risk ! If you copy/paste the script, ensure that you have no cropped lines.
#-----------------------------------------------------------------------------#
# Script_Name : AutomateIFM.ps1                                               #
# Description : Script used to automate the IFM Creation                      #
# Date        : June 2013                                                     #
# Created By  : Griffon - Version 1.0                                         #
#-----------------------------------------------------------------------------#

#-- MODIFY AS REQUIRED ----- #
$IFMPATH="E:\IFM"

#-- DELETE FOLDER IFM/ This part could be improved ---#
If (Test-Path $IFMPATH) {
    # Collect every sub-folder of the existing media set
    $Folders = Get-ChildItem $IFMPATH -Recurse | Where-Object { $_.PSIsContainer -eq $True }
    $Folders | ForEach-Object {
        $strName = $_.FullName
        $acl = Get-Acl $strName
        # Re-enable inheritance and give Administrators full control so the folder can be deleted
        $acl.SetAccessRuleProtection($false,$false)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl","ContainerInherit,ObjectInherit","NoPropagateInherit","Allow")
        $acl.AddAccessRule($rule)
        Set-Acl $strName $acl
    }
    Remove-Item $IFMPATH -Force -Recurse
}

@"
..................................................................
..................................................................
................. SCRIPT TO CREATE IFM FILES .....................
..................................................................
..................................................................
Process is about to start .......................................
This Process can take about 15 minutes...........................
The IFM Files will be stored on ........... $IFMPATH
"@

# Run ntdsutil non-interactively and capture its output
$IFM = ntdsutil "activate instance ntds" ifm "create sysvol Full $IFMPath" q q q

@"
..................................................................
..................................................................
................ IFM FILES CREATION COMPLETED ...................
..................................................................
..................................................................
Output of IFM Operation ..........................................
"@
$IFM

# ntdsutil prints this sentence when the media set was written successfully
If ($IFM -like "*IFM media created successfully*") {
    Write-Output "The script successfully created the IFM Media Set" `r
    $Success = "True"
}
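The script above decides success from a sentence in the ntdsutil output. As an added example (not part of the original AutomateIFM.ps1), the following checks the media set on disk and then restricts access to the IFM folder, because the set contains a copy of ntds.dit and the registry hives. The function names and the 30-day age limit are assumptions made for this example; the folder layout is the one ntdsutil writes for "create sysvol full".

```powershell
# Added example, not part of AutomateIFM.ps1. Function names are hypothetical.
function Test-IfmMedia {
    param(
        [Parameter(Mandatory = $true)][string]$IFMPath,
        [int]$MaxAgeDays = 30   # assumption: the 30-day refresh cycle mentioned in the post
    )
    # Items that "create sysvol full" places under the target folder.
    $expected = 'Active Directory\ntds.dit', 'registry\SYSTEM', 'registry\SECURITY', 'SYSVOL'
    $missing  = @($expected | Where-Object { -not (Test-Path -LiteralPath (Join-Path $IFMPath $_)) })

    $ageDays = $null
    $sha256  = $null
    $dit = Join-Path $IFMPath 'Active Directory\ntds.dit'
    if (Test-Path -LiteralPath $dit) {
        # Age is taken from the database file's last write time.
        $ageDays = [int][math]::Floor(((Get-Date) - (Get-Item -LiteralPath $dit).LastWriteTime).TotalDays)
        # Hash the database so the copy at the remote site can be compared with the source.
        $sha    = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($dit)
        try     { $sha256 = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
        finally { $stream.Dispose() }
    }
    New-Object PSObject -Property @{
        Path       = $IFMPath
        Missing    = $missing
        AgeDays    = $ageDays
        NtdsSha256 = $sha256
        Usable     = ($missing.Count -eq 0 -and $null -ne $ageDays -and $ageDays -le $MaxAgeDays)
    }
}

function Protect-IfmMedia {
    param([Parameter(Mandatory = $true)][string]$IFMPath)
    # Drop inherited entries on the top folder and grant full control only to
    # BUILTIN\Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18).
    # Items below it that carry their own protected ACL are not changed.
    & icacls.exe $IFMPath /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $IFMPath (exit code $LASTEXITCODE)" }
}

# Usage with the path from the script above: lock the folder down only if the set is complete.
$result = Test-IfmMedia -IFMPath 'E:\IFM'
if ($result.Usable) { Protect-IfmMedia -IFMPath 'E:\IFM' }
$result
```

Run it from an elevated prompt on the domain controller, after the IFM script has finished.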
Final Notes
And Voila ! You have now a script that can be used to automate the IFM creation process. Obviously, you will need to use a mechanism to schedule the operation. In our case, we have used scheduled tasks on our domain controllers because we can have a full control over the IFM Creation process.
Now, it’s up to you to test and see if this can help you
Till next time
See ya