Showing posts with label Active Directory. Show all posts

Monday, February 15, 2010

Monday, November 02, 2009

Windows Server 2008 R2 Service and Virtual Accounts

One of the best reasons for upgrading to R2 is the new account types for managing services. Changing the passwords of user accounts that run services, scheduled tasks and application pools is often a real pain and is consequently often skipped. Wouldn't it be nice if it was handled automatically, like a computer account password? Well, that is exactly what R2 offers.

Two new types of service accounts are available in Windows Server® 2008 R2 and Windows® 7—the managed service account and the virtual account. The managed service account is designed to provide crucial applications such as SQL Server and IIS with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the service principal name (SPN) and credentials for these accounts. Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that can use a computer's credentials to access network resources.

Read the Service Accounts Step-by-Step Guide for more information.
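As an added example (not code from this post or from the Step-by-Step Guide), here is the R2 workflow for a managed service account in PowerShell: create it, bind it to one host, install it there and point a service at it. The domain CONTOSO, the account svc-app, the host APP01 and the service MyAppService are assumed names.

```powershell
# Added example: managed service account (MSA) on Windows Server 2008 R2.
# Assumed names: domain CONTOSO, MSA "svc-app", host APP01, service "MyAppService".
Import-Module ActiveDirectory

# 1. On a DC (or a box with RSAT): create the MSA. The DC sets and rotates
#    the password itself, the same way it does for a computer account.
New-ADServiceAccount -Name svc-app -Enabled $true

# 2. Allow exactly one computer to use it. An MSA is tied to a single host;
#    the later group MSA (2012) is what you need for a farm.
Add-ADComputerServiceAccount -Identity APP01 -ServiceAccount svc-app

# 3. On APP01 itself: install the account so the local LSA can retrieve
#    the password from AD.
Install-ADServiceAccount -Identity svc-app

# 4. Run the service as the MSA. The password argument is left empty on
#    purpose: the host fetches it, nobody ever types or stores it.
sc.exe config MyAppService obj= 'CONTOSO\svc-app$' password= ''

# 5. Verify: PasswordLastSet keeps moving forward on its own, and
#    HostComputers shows the one host allowed to use the account.
Get-ADServiceAccount -Identity svc-app -Properties PasswordLastSet, HostComputers |
    Select-Object Name, SamAccountName, PasswordLastSet, HostComputers
```

If the service needs Kerberos, add its SPNs to the MSA with Set-ADServiceAccount -ServicePrincipalNames rather than to a user account; the MSA's password rotation then never breaks the SPN registration.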

DFS, IPv6 and – sort of – disabling it

Ask the Directory Services Team has a good article on troubleshooting DFS links (DFS Referrals and IPv6: Outta site!) as well as a discussion of how not to disable IPv6 (unbinding it from an adapter) and how to do it correctly (KB929852).

In case you really need to disable IPv6, consider using a Group Policy Preference or automate it with PowerShell -

Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters DisabledComponents 0xffffffff -type dword





Useful information.

Friday, April 10, 2009

Automated Maintenance of Directory Service Restore Mode Password

With Windows Server 2008 SP2, or SP1/RTM with hotfix KB961320, you can make administration of the DSRM password completely automatic. The approach is this: you create an unprivileged account in Active Directory, set its password, and using a scheduled task you execute the new sync from domain account xxxx command.

This nice approach is documented in the Directory Services blog. Read the complete story here.
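An added example of what that scheduled task looks like (not code from this post or from the Directory Services blog). It assumes an unprivileged domain account named dsrm-sync that exists, has a strong password and no group memberships beyond Domain Users, and a script directory C:\Scripts that only administrators can write to.

```powershell
# Added example: schedule the DSRM password sync on a domain controller.
# Assumptions: domain account "dsrm-sync" (unprivileged), script path
# C:\Scripts (admin-writable only), Windows Server 2008 SP2 or SP1/RTM + KB961320.

$account = 'dsrm-sync'
$script  = 'C:\Scripts\Sync-DsrmPassword.cmd'

# ntdsutil copies the domain account's current password into the local
# DSRM administrator account of the DC it runs on. Writing the command to a
# batch file avoids quoting problems when it is passed through schtasks.
@"
@echo off
ntdsutil.exe "set dsrm password" "sync from domain account $account" q q
"@ | Set-Content -Path $script -Encoding ASCII

# Run it once interactively to confirm it succeeds before trusting the schedule:
#   & $script

# Weekly as SYSTEM (ntdsutil needs to run as an administrator on the DC).
# A later password change on the domain account is picked up at the next run,
# so rotating the DSRM password becomes "change one AD account's password".
schtasks.exe /create /tn 'Sync DSRM password' /sc weekly /d SUN /st 03:00 `
    /ru SYSTEM /tr $script /f

# Confirm the task is registered.
schtasks.exe /query /tn 'Sync DSRM password' /v /fo list
```

Two things to keep an eye on: the batch file runs as SYSTEM on a domain controller, so the directory holding it must not be writable by ordinary users, and the domain account's password is now effectively the DSRM password of every DC running the task, so protect it accordingly.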

Thursday, November 06, 2008

ILM "2"

MIIS is a great engine for synchronization, but the lack of a decent interface, for the administrator as well as for the end user, has made it necessary either to write a lot of code yourself or to invest in other systems like Omada.
With ILM "2" (what a nice name...) the game has changed. While not as complete as Omada, ILM "2" seems to have a bunch of very useful features. I just attended an instructor-led lab session here in Barcelona, and the way you can do workflows and dynamic groups, and how easy it is, makes a pure ILM "2" implementation possible, at least as a starting point or for simpler things. I haven't dug into ILM "2" too deeply (yet), but what I have seen seems ok.

Pull down a VHD with the RC code from http://technet.microsoft.com/en-us/evalcenter/cc872861.aspx

Wednesday, June 11, 2008

Creating More Efficient Microsoft Active Directory-Enabled Applications

I just found this MSDN article about optimizing your queries. Besides good advice on how to create optimal queries, you can also instruct Active Directory to log expensive queries and even control the threshold value of when a query is expensive!

Furthermore, the ANR search is explained, e.g. how you can search for 'Sam' when you do not know whether it is a given name, a SAM account name etc. It is the same thing the GUI search in Users and Computers does.

And while you are at it, I can also recommend reading How Active Directory Searches Work.
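An added example (not code from the MSDN article) that shows the two things mentioned above: an ANR query from PowerShell, and turning on the expensive/inefficient query log on a domain controller with the thresholds lowered. The search text "Sam" and the threshold values are assumptions; the registry values and event ID 1644 are the ones the article refers to.

```powershell
# Added example: ANR search plus expensive-query logging (Directory Service event 1644).
# Assumptions: search text "Sam", threshold values 5000 / 1000.

function Search-AnrObject {
    param([string]$Text)
    # (anr=Sam) is expanded by the DC into an OR over the ANR attribute set
    # (displayName, givenName, sn, sAMAccountName, ...) with a prefix match,
    # which is exactly what the Users and Computers search box sends.
    $searcher = [adsisearcher]"(&(objectCategory=person)(anr=$Text))"
    $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'displayName'))
    $searcher.PageSize = 500            # paged results keep large result sets cheap
    $searcher.FindAll() | ForEach-Object {
        New-Object PSObject -Property @{
            SamAccountName = $_.Properties['samaccountname'] -join ''
            DisplayName    = $_.Properties['displayname'] -join ''
        }
    }
}

Search-AnrObject -Text 'Sam' | Format-Table -AutoSize

# On a domain controller: log expensive and inefficient searches.
# Level 5 on "15 Field Engineering" turns on the 1644 events; the thresholds
# define "expensive" (objects visited, default 10000) and "inefficient"
# (objects visited per object returned, default 1000).
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$parm = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Set-ItemProperty -Path $diag -Name '15 Field Engineering'                 -Value 5    -Type DWord
Set-ItemProperty -Path $parm -Name 'Expensive Search Results Threshold'   -Value 5000 -Type DWord
Set-ItemProperty -Path $parm -Name 'Inefficient Search Results Threshold' -Value 1000 -Type DWord

# Read back what got logged: each 1644 event carries the client address,
# the filter, the base and scope, and the visited/returned counts.
Get-EventLog -LogName 'Directory Service' -InstanceId 1644 -Newest 20 |
    Select-Object TimeGenerated, Message

# Level 5 is noisy; set "15 Field Engineering" back to 0 when done.
```

The 1644 events are worth keeping an eye on beyond performance tuning: an application (or a client) that suddenly starts sweeping whole partitions shows up there with its IP address and filter.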

Thursday, February 14, 2008

Get Active Directory object GUID one-liner

[guid]((([directoryservices.directorysearcher] "(samaccountname=theuser)").findall())[0].properties.getenumerator() | ? { $_.name -eq "objectguid"}).value[0]
Comments -

  • Construct a DirectorySearcher with an LDAP search filter
  • Surround the expression with parentheses to use the returned value (this technique is used multiple times)
  • Find all objects
  • Take the first (and only) one by indexing with [0]
  • Get the properties
  • Convert to an enumerator, so they are available as name-value pairs
  • Filter out anything but objectGuid using Where-Object (?)
  • Get the first value, as the value is always a collection
  • Convert the value (it is a byte[]) to a guid by type-casting it with [guid]
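The same lookup as an added example in function form (not the post's one-liner): it escapes the account name before it goes into the filter, returns $null instead of throwing when nothing matches, and adds the reverse direction, objectGUID to object, where the GUID bytes have to be escaped as \hh pairs in the LDAP filter. The account name "theuser" is assumed.

```powershell
# Added example: objectGUID lookups in both directions. Assumed account: "theuser".

function Get-AdObjectGuid {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    # Escape the caller-supplied value (RFC 4515) so it cannot alter the filter;
    # backslash first, so the escapes themselves are not re-escaped.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                               -replace '\(', '\28' -replace '\)', '\29'
    $searcher = [adsisearcher]"(sAMAccountName=$escaped)"
    $searcher.PropertiesToLoad.Add('objectGUID') | Out-Null
    $result = $searcher.FindOne()          # cheaper than FindAll() followed by [0]
    if ($result -eq $null) { return $null }
    # objectGUID comes back as byte[]; [guid] accepts that directly.
    [guid]$result.Properties['objectguid'][0]
}

function Get-AdObjectByGuid {
    param([Parameter(Mandatory = $true)][guid]$Guid)
    # Binary attributes are matched byte by byte, each byte written as \hh.
    $filterBytes = ($Guid.ToByteArray() | ForEach-Object { '\' + $_.ToString('x2') }) -join ''
    $searcher = [adsisearcher]"(objectGUID=$filterBytes)"
    $result = $searcher.FindOne()
    if ($result -ne $null) { $result.GetDirectoryEntry() }
}

# Usage: round-trip the lookup.
$g = Get-AdObjectGuid -SamAccountName 'theuser'
if ($g) { (Get-AdObjectByGuid -Guid $g).distinguishedName }
```

When you already hold the GUID and just want the object, binding with [adsi]"LDAP://<GUID=$g>" does the same as the second function without a search; the search form is what you need when the GUID is a filter criterion among others.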

Wednesday, September 19, 2007

Wake Active Directory from the Dead

So you have this 10-server test setup with multiple domains, multiple domain controllers, member servers and clients. It is running Virtual Server; some months ago you left it, and now it is time to use it again.

You power it back on and everything works - - - Not (if you have seen Borat you know what I mean!)
The object changes I made in the child domain did not appear in the GC on the parent domain!?

Looking into the problem, I found this event -

Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 2042
Date: 19-09-2007
Time: 11:37:04
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SRV02
Description:
It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
The reason that replication is not allowed to continue is that the two machine's views of deleted objects may now be different. The source machine may still have copies of objects that have been deleted (and garbage collected) on this machine. If they were allowed to replicate, the source machine might return objects which have already been deleted.
Time of last successful replication:
2007-04-12 15:57:10
Invocation ID of source:
032bf6c8-f6b8-032b-0100-000000000000
Name of source:
d063611f-7ff1-4445-a7bf-45bd0066dcc6._msdcs.dlt-root.as
Tombstone lifetime (days):
60

The replication operation has failed.

User Action:

Determine which of the two machines was disconnected from the forest and is now out of date. You have three options:

1. Demote or reinstall the machine(s) that were disconnected.
2. Use the "repadmin /removelingeringobjects" tool to remove inconsistent deleted objects and then resume replication.
3. Resume replication. Inconsistent deleted objects may be introduced. You can continue replication by using the following registry key. Once the systems replicate once, it is recommended that you remove the key to reinstate the protection.
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner

Oh no - do I have to rebuild it all? Fortunately not. Doing a series (the message says registry key, but it is a value) of -
reg add \\server\HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Allow Replication With Divergent and Corrupt Partner" /t REG_DWORD /d 1

(one line, but may be wrapped here)

and restarting the domain controllers solved the problem.

Read more in Event ID 2042: It has been too long since this machine replicated
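An added example, not code from this post or from the linked KB article: spotting replication partners that are heading for event 2042 before replication is actually refused. The column names follow the CSV layout of repadmin /showrepl * /csv; the sample rows are constructed (they reuse the dates from the event above and are not real output).

```powershell
# Added example: find replication partners whose last successful replication
# is older than the tombstone lifetime (or getting close to it).

function Get-TombstoneLifetimeDays {
    # Stored on CN=Directory Service in the Configuration partition; when the
    # attribute is absent, the forest default of 60 days applies.
    $root = [adsi]'LDAP://RootDSE'
    $ds   = [adsi]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$($root.configurationNamingContext)"
    $tsl  = $ds.Properties['tombstoneLifetime'].Value
    if ($tsl) { [int]$tsl } else { 60 }
}

function Find-StaleReplicationPartners {
    param(
        [string[]]$CsvLines,                 # lines of: repadmin /showrepl * /csv
        [int]$TombstoneLifetimeDays = 60,
        [datetime]$Now = (Get-Date)
    )
    $CsvLines | ConvertFrom-Csv | Where-Object { $_.'Last Success Time' } | ForEach-Object {
        $last = [datetime]$_.'Last Success Time'
        $age  = ($Now - $last).TotalDays
        # Past the lifetime the partner is refused (status 8614, event 2042);
        # anything past half of it deserves attention already.
        if ($age -gt $TombstoneLifetimeDays)         { $status = 'BLOCKED' }
        elseif ($age -gt $TombstoneLifetimeDays / 2) { $status = 'WARNING' }
        else                                         { $status = 'OK' }
        New-Object PSObject -Property @{
            Destination      = $_.'Destination DSA'
            Source           = $_.'Source DSA'
            NamingContext    = $_.'Naming Context'
            DaysSinceSuccess = [math]::Round($age, 1)
            Status           = $status
        }
    }
}

# Constructed sample in repadmin's CSV layout.
$sample = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
    'showrepl_INFO,Default-First-Site-Name,SRV02,"DC=child,DC=dlt-root,DC=as",Default-First-Site-Name,SRV01,RPC,37,2007-09-19 11:37:04,2007-04-12 15:57:10,8614',
    'showrepl_INFO,Default-First-Site-Name,SRV02,"CN=Configuration,DC=dlt-root,DC=as",Default-First-Site-Name,SRV03,RPC,0,0,2007-09-19 10:05:00,0'
)

# Against a live forest: $lines = repadmin /showrepl * /csv; use Get-TombstoneLifetimeDays.
Find-StaleReplicationPartners -CsvLines $sample -TombstoneLifetimeDays 60 -Now ([datetime]'2007-09-19 11:37:04') |
    Format-Table Destination, Source, NamingContext, DaysSinceSuccess, Status -AutoSize
# The SRV01 row comes out as BLOCKED (about 159.8 days), the SRV03 row as OK.
```

Once replication has run through after setting the value from the event, remove it again (Remove-ItemProperty on the NTDS\Parameters key); as the event text says, it switches off the protection against lingering objects, which is the only thing standing between a long-offline DC and deleted objects coming back to life.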

Monday, July 23, 2007

Finding Virtual Servers in a domain

John Howard wrote an article on how to do it from VBScript. I couldn't resist doing it with PowerShell -

Get-VirtualServerFromAD.ps1 -

param([switch]$nameOnly)

$ds=[system.directoryservices.directorysearcher] "(&(objectCategory=serviceConnectionPoint)(cn=MS Virtual Server))"
$servers=$ds.findall()
if ($nameOnly) {
    $servers | % { $_.path.split("=,")[3] }
}
else {
    $servers
}

Could it be much easier?

Update: the software ate the vertical bars etc.

Tuesday, May 02, 2006

What drink should I serve?

Well, simply look at the drink property in Active Directory. Yes, it really exists!

Came across it from this blog.

BTW: The answer is G&T if you are going to buy me one...

Wednesday, March 08, 2006

DoS'ing ISA by modifying a user object in AD

The other day, one of the contributors to this blog unintentionally made a Denial-of-Service on our ISA server. It went like this –
“I wonder if it is possible to hand out a static route to a user when a VPN is established?”
So this admin found his user object, tabbed to Dial-in, enabled Apply Static Routes and clicked Static Routes. Added the wanted route and saved it all. Next, the user reconnected the VPN – and things started to go wrong…
After getting things back to normal, I – sorry, the admin – began reading the help text –




Hmmm, the answering server – the ISA server in this case – does this. It is not handed to the client. Bad luck!

The worst part of this, and the reason I'm writing it, is to warn you: if you grant your helpdesk, decentral admins etc. permission to change these settings on user objects that have VPN access, you risk that they make your ISA server unavailable!

The GUI settings correspond to these LDAP properties –
1> msRADIUSFramedRoute: 8.8.8.0/24 0.0.0.0 1;
1> msRASSavedFramedRoute: 8.8.8.0/24 0.0.0.0 1;


So if someone has change access to these properties, i.e. they have full permissions on the user, explicit permissions for the properties, or implicit permissions, you are at risk. Beware that the RAS-Information property set, a.k.a. “Remote Access Information”, includes these properties. Note that the default for Active Directory is to give the built-in Account Operators group permission to update them.
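Two defensive checks for this, as an added example that is not code from the post: first, list the users that already carry a framed route; second, list the ACEs on a user object that grant write access to the RAS-Information property set (or to all properties), which is the "who can do this to us" question raised above. The user name "vpnuser" is assumed; the property set's GUID is read from the schema rather than hard-coded.

```powershell
# Added example: audit framed routes and who can write the RAS-Information property set.
# Assumed user: "vpnuser".

# (1) Every user with a static route configured: each of these gets installed
#     on the answering ISA/RRAS server at the user's next VPN connection.
$s = [adsisearcher]'(&(objectCategory=person)(|(msRADIUSFramedRoute=*)(msRASSavedFramedRoute=*)))'
$s.PropertiesToLoad.AddRange(@('sAMAccountName', 'msRADIUSFramedRoute', 'msRASSavedFramedRoute'))
$s.FindAll() | ForEach-Object {
    New-Object PSObject -Property @{
        User   = $_.Properties['samaccountname'] -join ''
        Routes = @($_.Properties['msradiusframedroute']) -join '; '
    }
} | Format-Table -AutoSize

# (2) Resolve the property set's rightsGuid from CN=Extended-Rights, then look
#     for Allow ACEs granting WriteProperty on that GUID or on everything
#     (ObjectType = all-zero GUID, which is what Full Control / Write All look like).
$root    = [adsi]'LDAP://RootDSE'
$right   = [adsi]"LDAP://CN=RAS-Information,CN=Extended-Rights,$($root.configurationNamingContext)"
$rasGuid = [guid]$right.Properties['rightsGuid'].Value

$user = ([adsisearcher]'(sAMAccountName=vpnuser)').FindOne().GetDirectoryEntry()
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$user.ObjectSecurity.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
        ($_.ObjectType -eq $rasGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
```

Run the second part against a typical user in each OU; inherited ACEs (IsInherited = True) point at the OU or domain level where the delegation was made, and the Account Operators default described above will show up there unless it has been removed.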

Friday, June 10, 2005

Wednesday, June 08, 2005

SAP Enterprise Portal 5.0 / AD Schema conflict

SAP Enterprise Portal 5.0 requires schema changes in Active Directory. If you have SAP installed with EP 5.0 SP5 Patch 3 hotfix 2 or higher, or EP 5.0 SP6 Patch 1, it is supported on Windows 2003, but the schema changes made by SAP Portal conflict with the Windows 2003 schema upgrade process. During adprep /forestprep you will get a failure with an error like "cn=uid,cn=schema,cn=configuration windows 2000 schema and extended schema does not match" and a message to contact the supplier/vendor responsible for the schema changes for assistance.

SAP Note Number 640923 addresses this and the solution is basically to change the DN from uid to SAP-UID and add some entries to SAP Portal that tells it where to look for its usergroupmap.

Friday, December 10, 2004

Using a Dedicated AD Site for Exchange

Microsoft just released a new paper on this. When running Microsoft® Exchange Server 2003 or Exchange 2000 Server in larger environments, the frequency of queries to the Active Directory® directory service can be very high. Exchange Server uses its directory access component to communicate with Active Directory domain controllers and global catalog servers to perform tasks such as e-mail address lookups, distribution group expansion, Microsoft Outlook® client proxy, and referral services. With such a heavy load being placed on domain controllers, Microsoft IT optimized the performance of Exchange when communicating with Active Directory by creating a new Active Directory site and isolating domain controllers and global catalog servers just for Exchange. Get it here.


Friday, November 19, 2004

Domain Controllers in a Virtual Environment

My normal strategy for handling failed domain controllers is to rebuild them from scratch. This is a simple and safe strategy; restores are complex. Virtual environments (and imaging) increase the risk of having a domain controller restored in an unsupported fashion. The 875495 hotfix is required by Microsoft if you want support for your virtualized domain controller. If you have plans for virtual DCs, you must read the whitepaper; it also covers other important issues, e.g. remember that your virtual disk must be just as safe as a physical one.

Tuesday, November 02, 2004

Force FRS replication from command line!

Finally – a pre Windows Server 2003 FRS update contains several fixes and an important new command argument to ntfrsutl called forcerepl.

Thursday, October 21, 2004

You Must Rename the SYSVOL Member Object to Rename a Windows Server 2003 Domain Controller

Looking for information about File Replication Service (NTFRS) I found this interesting KB.
In Windows Server 2003, administrators can change the computer name of a Windows Server 2003 domain controller by using My Computer or Netdom.exe, but neither method renames the domain controller's corresponding NTFRSmember object for SYSVOL from the old computer name to the new computer name. The difference between a domain controller's NetBIOS name and the common name for its NTFRSmember object does not break any functionality until a new domain controller is promoted into the forest with the old NetBIOS name of the renamed domain controller. When this behavior occurs, the new domain controller deletes the existing (duplicate) NTFRSmember object and recreates a new NTFRSmember object for itself. The renamed domain controller that originally created the NTFRSMember object ends up without an NTFRSmember object.
Read the rest in this KB

Wednesday, October 06, 2004

ADModify.NET is here!

Cool new tool from Microsoft – spotted at You Had Me At EHLO...

ADModify is a tool that was (and is still) developed and maintained out of our Support Services (aka PSS) team, and was created to make it easier to modify / import / export objects in Active Directory in bulk .... ADModify.NET (v2.0) was written from the ground up using Visual C# .NET 2003. When benchmarked against its predecessor, it made the same modifications in less than half the time. Its new feature set allows administrators to bulk modify any AD attribute from any AD partition with almost limitless flexibility.

Active Directory Data Store Tools and Settings

A quick overview of the tools, registry entries, Group Policy settings, Windows Management Instrumentation (WMI) classes, and network ports that are associated with the data store.