John Policelli's Blog

Covering Identity and Access Solutions, Unified Communications, Collaboration, and Server Infrastructure.

Update for the AD DS Best Practices Analyzer Rules in Windows Server 2008 R2

Posted by John Policelli on 4th August 2010

Microsoft recently released an update for the Active Directory Domain Services Best Practices Analyzer (AD DS BPA) in Windows Server 2008 R2. This update adds the following 8 new rules to the AD DS BPA:

Read the rest of this entry »

Posted in AD DS

Improving your Active Directory skills

Posted by John Policelli on 4th August 2010

I came across a post on the Ask the Directory Services Team Blog which provides some great links for additional reading on Active Directory. The post can be read here, and it has several useful links which are worth a read.

Posted in AD DS

Bridgehead Server Selection Improvements in Windows Server 2008 and Windows Server 2008 R2

Posted by John Policelli on 6th July 2010

Windows Server 2008 and Windows Server 2008 R2 include improvements to bridgehead server selection, which are not very well known. In fact, Microsoft only recently published an article on TechNet to explain the improvements to bridgehead server selection in Windows Server 2008 R2. What follows is an in-depth look at these improvements.

Read the rest of this entry »

Posted in AD DS

ADMT Migration Guide Updated with ADMT 3.1 and 3.2

Posted by John Policelli on 27th June 2010

As I mentioned in a previous post, Microsoft recently released ADMT 3.2, which fully supports Windows Server 2008 R2. The ADMT Migration Guide was also recently updated to include ADMT 3.1 and ADMT 3.2. The ADMT Migration Guide can be downloaded here and read online here.

Posted in AD DS

The Virtualization of Domain Controllers

Posted by John Policelli on 20th June 2010

Virtualization is no longer simply a hot topic; it has become vital in most enterprises today. The virtualization of domain controllers is no exception. I’ve personally had several clients express an interest in virtualizing their production domain controllers, and have first-hand experience in doing so.

Read the rest of this entry »

Posted in AD DS

ADMT 3.2 Released – Windows Server 2008 R2 Supported

Posted by John Policelli on 19th June 2010

Microsoft released the Active Directory Migration Tool (ADMT) 3.2, which fully supports Windows Server 2008 R2. A little late in my opinion, especially since Windows Server 2008 R2 went RTM almost one year ago, but nonetheless it is available now.

Read the rest of this entry »

Posted in AD DS

TechNet Magazine Article “AdminSDHolder, Protected Groups and SDPROP” Finally Updated

Posted by John Policelli on 5th June 2010

As I’ve mentioned on my blog before, a TechNet Magazine article that I wrote had some errors in it. When I was informed of these errors, I fixed them and asked the TechNet Magazine team to revise the online version of this article. This was a few weeks after it was published. After several repeated attempts, and several months, the online version of this TechNet Magazine article has been updated.

The link to the article is http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx.

Some additional information on this subject:

Posted in Publications

Newly Released Windows Time Service Technical Reference

Posted by John Policelli on 2nd June 2010

If you’ve had to get technical information on the Windows Time Service, you probably found yourself digging through several KB articles, which contained conflicting information. Microsoft recently centralized this information into the Windows Time Service Technical Reference, and updated it to include Windows Server 2008 R2 and Windows 7.

The Windows Time Service Technical Reference can be found here: Windows Time Service Technical Reference.

Posted in AD DS

The Next Generation of AD Performance Analysis

Posted by John Policelli on 2nd June 2010

I came across a good blog post which talks about the next generation of AD performance analysis. More specifically, the author covers configuration and management of Active Directory Diagnostics Data Collector Sets. Data Collector Sets are the next generation of a utility called Server Performance Advisor (SPA).

The post can be found here.

Posted in AD DS

TEC 2010 Presentation: In Depth Look at AdminSDHolder, Protected Objects, and SDPROP

Posted by John Policelli on 1st May 2010

For those of you that are interested, the presentation I gave at The Experts Conference 2010 in L.A. last week can be downloaded from http://policelli.com/Files/TEC2010_John_Policelli_AdminSDHolder_ProtectedObjects_SDPROP.pdf.

You can also find more information on this topic on my blog post: http://policelli.com/blog/?p=136

Posted in Publications

Thank you Active Directory Documentation Team Blog

Posted by John Policelli on 1st May 2010

The Active Directory Documentation Team blog has a post on it titled Other places to find good information. The post states:

I want to take the opportunity to thank the people who are out there providing information everyday to people using Active Directory. As I say thank you, I will link to their sites, so our readers can find them easily.

I was pleased to see Kurt Hudson included me on this ‘thank you.’

Thanks Kurt :)

Posted in Publications

Updates for Best Practices Analyzer

Posted by John Policelli on 1st May 2010

During one of Dean Wells’ TEC 2010 presentations, I learned that MS will be releasing updates for Best Practices Analyzer. This is a great thing :)

Dean mentioned that we should see updates every 6 months or so.

At present, there are 7 updates available for BPA, though none yet for AD DS. These updates can be found here.

More information on the Best Practices Analyzer in Windows Server 2008 R2 can be found here:

Posted in AD DS

Is your Exchange environment performing poorly because of Active Directory?

Posted by John Policelli on 9th March 2010

A post on the MS Exchange Team Blog does a great job of providing guidance on triaging Exchange performance issues related to Active Directory performance, networking, and DNS.

The post can be found here: http://msexchangeteam.com/archive/2010/02/03/453931.aspx.

Posted in Exchange Server

DCDiag Takes a Long Time to Run on Windows Server 2008 R2 and Windows 7

Posted by John Policelli on 9th March 2010

DCDiag.exe is an extremely useful built-in troubleshooting tool. I stumbled across a KB from Microsoft that explains that in certain environments, and under certain conditions, DCDiag.exe may take an excessive amount of time to run on computers with Windows Server 2008 R2 or Windows 7 installed. The good news is that MS has released an updated version of DCDiag.exe which fixes this issue. The KB and download can be found here: http://support.microsoft.com/?kbid=979294.

Posted in AD DS

Active Directory Garbage Collection Causes DCs to Run Slow or Stop Responding

Posted by John Policelli on 9th March 2010

Microsoft has acknowledged an issue with the Active Directory garbage collection process, which may cause a domain controller to run slow or stop responding.

Read the rest of this entry »

Posted in AD DS

I’m presenting at The Experts Conference (TEC) 2010 in Los Angeles

Posted by John Policelli on 3rd January 2010

I was very happy to hear that I was selected to present at TEC 2010 in Los Angeles.

TEC was previously known as DEC (Directory Experts Conference). The conference has been expanded to include training on Exchange and SharePoint, and effectively renamed to TEC. Here’s a snippet from the TEC 2010 Website:

For the 9th consecutive year, the TEC team will deliver expert-led, 400-level training on vital Microsoft technologies. In addition to its highly-acclaimed training on Microsoft Directory & Identity technologies, TEC 2010 will bring back a full agenda of Exchange training, staging the world’s leading authorities on Microsoft’s powerful messaging platform. And, this year, for the first time ever, we are pleased to introduce an entirely new TEC for SharePoint training conference!

I will be presenting in the Directory & Identity track. My session is called An In-Depth Look at AdminSDHolder, Protected Groups, and SDPROP.

Here is the abstract for my session:

Active Directory includes a number of built-in controls, which collectively provide an additional level of security for members of privileged groups. Even though these controls have been in place since the inaugural release of Active Directory a decade ago, administrators are still impacted by this functionality regularly. In this session, John Policelli will dive into the AdminSDHolder object, Protected Groups, and the Security Descriptor Propagator. Real-world examples, demos, and theory will be used to provide you with a comprehensive understanding of how these built-in controls interoperate and how you can use them to further secure members of privileged Active Directory groups.

I’ve attended DEC/TEC for several years, and it has proven invaluable each time. I have yet to find any comparable conferences. For more information on TEC 2010, please go to http://www.theexpertsconference.com/. I hope to see you there!

Posted in Publications

Placing Several RODCs in the Same Site

Posted by John Policelli on 16th December 2009

Microsoft recently published an article that addresses a hot topic – whether or not you should place several RODCs in the same Active Directory site. In my opinion, this article does a good job of giving you the information you’ll need to determine RODC placement. The article can be read here: http://technet.microsoft.com/en-us/library/ee522995(WS.10).aspx

Posted in AD DS

Using PowerShell to Protect OUs from Accidental Deletion

Posted by John Policelli on 11th November 2009

I stumbled across a good post on Ulf B. Simon-Weidner’s Blog:

http://msmvps.com/blogs/ulfbsimonweidner/archive/2009/11/11/using-ad-powershell-to-protect-ous-from-accidental-deletion.aspx
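Ulf’s post covers the cmdlet itself. What follows is an added example of my own, not code from his post, that reports every OU that is not yet protected, protects the lot, and verifies the result. It assumes the Active Directory module from Windows Server 2008 R2 (or RSAT for Windows 7) and rights to write the ACLs of the OUs; the function names are mine.

```powershell
# Added example: find, protect and verify OUs (not from the linked post).
Import-Module ActiveDirectory

function Get-UnprotectedOU {
    # ProtectedFromAccidentalDeletion is a computed property: $true when the OU carries an
    # explicit Deny ACE for Delete and Delete Subtree granted to Everyone.
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

function Protect-AllOU {
    # Sets the flag on every unprotected OU; pass -WhatIf to preview the changes.
    param([switch]$WhatIf)
    $unprotected = @(Get-UnprotectedOU)
    "{0} OU(s) are not protected from accidental deletion" -f $unprotected.Count
    foreach ($ou in $unprotected) {
        "Protecting $($ou.DistinguishedName)"
        Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $true -WhatIf:$WhatIf
    }
}

Protect-AllOU -WhatIf                                  # dry run
# Protect-AllOU                                        # apply
Get-UnprotectedOU | Select-Object DistinguishedName    # verify: empty once every OU is protected
```

Two caveats worth keeping in mind: the flag protects the OU object itself, not the users, computers and groups inside it (each object has its own flag), and it is a guard against accidents rather than an attacker, since anyone with write access to the OU’s ACL can clear it again.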

Posted in AD DS

Understanding AdminSDHolder and Protected Groups

Posted by John Policelli on 6th November 2009

NOTE: I revised this article to fix some mistakes and to include new content from Windows Server 2008 R2.

Active Directory has built-in processes that exist to secure users that are members of privileged groups. These processes have been around for quite some time, but Active Directory administrators still get stumped by them regularly. What follows is an updated look at AdminSDHolder, Protected Groups, and SDPROP, with Windows Server 2008 R2 specific content added.

This article will provide you with the following information:

  • Overview
  • How AdminSDHolder Works
  • Default ACL on the AdminSDHolder Object in Windows Server 2008 R2
  • Default Protected Groups and Users
  • Modifying How Often the AdminSDHolder Background Process Runs
  • How to Determine if a User or Group is Protected by AdminSDHolder
  • Orphaned AdminSDHolder Objects
  • Security Descriptor Propagator
  • How to Force AdminSDHolder to Run
  • Additional Resources
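Several of the points in that outline (determining which objects are protected, orphaned adminCount=1 objects, the SDPROP interval, and forcing a run) can be checked from PowerShell. The following is an added example written for this page, not code from the article. It assumes the Active Directory module from Windows Server 2008 R2, a single-domain forest, Domain Admin rights, and WinRM access to the PDC emulator for the registry read; the function names are mine.

```powershell
# Added example: audit AdminSDHolder-protected users, find orphans, read and force SDPROP.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator

# Default protected groups in Windows Server 2008 R2. The four operator groups can be
# excluded from protection via dsHeuristics; trim the list if your forest does that.
$protectedGroupNames = 'Account Operators','Administrators','Backup Operators','Domain Admins',
    'Domain Controllers','Enterprise Admins','Print Operators','Read-only Domain Controllers',
    'Replicator','Schema Admins','Server Operators'

function Get-ExpectedProtectedUsers {
    # Transitive members of every protected group, resolved server-side with the
    # LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) so nesting is followed.
    $expected = @{}
    foreach ($name in $protectedGroupNames) {
        $group = Get-ADGroup -Filter "Name -eq '$name'"    # EA/SA exist only in the forest root
        if (-not $group) { continue }
        Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" |
            ForEach-Object { $expected[$_.DistinguishedName] = $true }
    }
    # The built-in Administrator (RID 500) and krbtgt are protected regardless of membership.
    foreach ($u in @((Get-ADUser -Identity "$($domain.DomainSID)-500"), (Get-ADUser -Identity krbtgt))) {
        $expected[$u.DistinguishedName] = $true
    }
    $expected
}

function Get-OrphanedAdminSDHolderUser {
    # SDPROP stamps adminCount=1 on protected users and never clears it, so users that left
    # every protected group keep the AdminSDHolder ACL and blocked inheritance.
    $expected = Get-ExpectedProtectedUsers
    Get-ADUser -LDAPFilter "(adminCount=1)" -Properties adminCount |
        Where-Object { -not $expected.ContainsKey($_.DistinguishedName) }
}

function Repair-OrphanedAdminSDHolderUser {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    # Clear the marker and re-enable inheritance; the parent OU's ACL then flows down again.
    Set-ADUser -Identity $DistinguishedName -Clear adminCount
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

function Get-SdpropIntervalSeconds {
    # SDPROP runs on the PDC emulator every 60 minutes unless AdminSDProtectFrequency
    # (REG_DWORD, seconds, valid range 60..7200) is set under the NTDS Parameters key.
    $v = Invoke-Command -ComputerName $pdc -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').AdminSDProtectFrequency
    }
    if ($v) { [int]$v } else { 3600 }
}

function Invoke-Sdprop {
    # Force a run: write runProtectAdminGroups=1 to rootDSE on the PDC emulator
    # (Windows Server 2008 and later; Windows 2000/2003 used fixupInheritance=Yes).
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$pdc/RootDSE")
    $rootDse.Put('runProtectAdminGroups', 1)
    $rootDse.SetInfo()
}

"SDPROP interval on ${pdc}: $(Get-SdpropIntervalSeconds) s"
Get-OrphanedAdminSDHolderUser | Select-Object SamAccountName, DistinguishedName
# Get-OrphanedAdminSDHolderUser | ForEach-Object { Repair-OrphanedAdminSDHolderUser $_.DistinguishedName }
# Invoke-Sdprop
```

In a multi-domain forest, run the membership query against a global catalog (for example `-Server "dc01:3268"`) so that membership in universal groups from other domains is visible, and remember that repairing an orphan is only correct once you have confirmed the account really should no longer be privileged.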

Read the rest of this entry »

Posted in AD DS

Group Policy Cmdlets in Windows PowerShell

Posted by John Policelli on 5th November 2009

Microsoft has made Group Policy cmdlets for Windows PowerShell available. These cmdlets, roughly 25 in total, can be used to:

  • Maintain GPOs (create, remove, backup, reporting, and import)
  • Associate GPOs with AD DS containers (link, update, and remove)
  • Set inheritance and permissions on AD DS OUs and domains
  • Configure registry-based settings and Group Policy Preferences Registry settings

Read the rest of this entry »

Posted in AD DS

Active Directory in Hyper-V Environments

Posted by John Policelli on 27th October 2009

There’s no doubt that virtualization is hot these days. The following articles, posted on the Dirteam.com Blog, will answer virtually all (no pun intended) questions that you have when it comes to Active Directory in Hyper-V environments.

Posted in AD DS

Using ADMT 3.1 to Migrate to a Domain that Contains Windows Server 2008 R2 DCs

Posted by John Policelli on 27th October 2009

Update June 19, 2010: Microsoft has released ADMT 3.2, which fully supports Windows Server 2008 R2. Please see the following post for more details: http://policelli.com/blog/?p=550.

As you may have heard, Microsoft is working on ADMT 3.2, which will fully support Windows Server 2008 R2. However, ADMT 3.2 is still under development and there is no official release date as of yet.

In the interim, a KB has been released that discusses the use of ADMT 3.1 with Windows Server 2008 R2 DCs. The KB points out the following supported scenarios for ADMT 3.1 with Windows Server 2008 R2 DCs:

  • ADMT 3.1 must be run from a Windows Server 2008-based computer. The computer must be a member server or a domain controller.
  • ADMT can be installed on any computer that is running Windows Server 2008, unless the computers are Read-Only domain controllers or in a Server Core configuration.
  • The target domain must be based on Windows 2000 Server, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2.
  • The source domain must be based on Windows 2000 Server, Windows Server 2003, or Windows Server 2008.
  • The ADMT agent, which is installed by ADMT on computers in the source domains, can operate on computers that are running Windows 2000 Professional, Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, or Windows Server 2008 R2.

Before you go ahead and use ADMT 3.1 with Windows Server 2008 R2 DCs, you should be aware of the known issues, which can be read by going to http://support.microsoft.com/kb/976659.

Posted in AD DS

Enterprise IT Planet Article Published: Windows Server 2008 R2: Introducing the AD Recycle Bin

Posted by John Policelli on 22nd October 2009

The Active Directory Recycle Bin is a handy new feature in Windows Server 2008 R2. Once enabled, it makes it much easier to recover accidentally deleted Active Directory objects.

Read the rest of this entry »

Posted in Publications

Enterprise IT Planet Article Published: The New AD Domain Services in Windows Server 2008 R2

Posted by John Policelli on 25th September 2009

Windows Server 2008 R2, released to manufacturing in July, introduces a number of new features, including a host of new Active Directory Domain Services features. We look at the seven that pack the most powerful punch.

Read the rest of this entry »

Posted in Publications

Installing Exchange 2007 SP2 with Windows 2008 R2 Domain Controllers Fix Available

Posted by John Policelli on 23rd September 2009

For more details, see post on the Microsoft Exchange Team Blog: The fix for installation of Exchange 2007 SP2 with Windows 2008 R2 Domain Controllers is now available.

Posted in Exchange Server

Exchange 2010 and Resolution of the AdminSDHolder Elevation Issue

Posted by John Policelli on 23rd September 2009

Since the release of Exchange Server 2010 RC1, there’s been a lot of debate over some ACEs that are added to the AdminSDHolder object by /PrepareDomain in Exchange 2010 RC1. For more information on this, see Exchange 2010 Modification of AdminSDHolder ACL Can Result in Elevation of Privilege and Exchange 2010 RC1 and AdminSDHolder.

A post was added to the Microsoft Exchange Team Blog this morning that confirms that this has been resolved in the RTM version of Exchange Server 2010. More specifically:

  • /PrepareDomain no longer applies ACEs granted to Exchange Windows Permissions USG on the AdminSDHolder container.  If /PrepareDomain detects the ACEs granted to Exchange Windows Permissions USG on the AdminSDHolder container, /PrepareDomain will remove them.
  • /PrepareDomain no longer applies the extended right ACE User-Change-Password to the Exchange Servers USG on the AdminSDHolder container.  If /PrepareDomain detects this ACE granted to Exchange Servers USG on the AdminSDHolder container, /PrepareDomain will remove it.
  • /PrepareDomain no longer applies the extended right ACE User-Change-Password to the Exchange Servers USG on the domain partition.  If /PrepareDomain detects this ACE granted to Exchange Servers USG on the domain partition, /PrepareDomain will remove it.
  • /PrepareDomain no longer applies unscoped DeleteTree and WriteDACL ACEs on the domain partition.  Instead, these ACEs are replaced by scoping them specifically to user and inetOrgPerson class objects.

Posted in Exchange Server

Exchange 2007 SP2 Setup fails with Windows Server 2008 R2 Domain Controllers

Posted by John Policelli on 3rd September 2009

A post was added to the Microsoft Exchange Team blog yesterday that identifies an issue where Exchange 2007 SP2 Setup fails if all domain controllers are running Windows Server 2008 R2.

Read the rest of this entry »

Posted in Exchange Server

Exchange 2010 RC1 Modification of AdminSDHolder ACL Can Result in Elevation of Privilege

Posted by John Policelli on 31st August 2009

UPDATE: This has been resolved in the RTM version of Exchange Server 2010. Please see Exchange 2010 and Resolution of the AdminSDHolder Elevation Issue for more details.

The PrepareDomain setup phase of Exchange 2010 RC1 adds several Access Control Entries (ACEs) to the Access Control List (ACL) of the AdminSDHolder object. One of these ACEs, Write Property for member, can be used to elevate privileges from Exchange Organization Administrator to Enterprise Admins: because SDPROP copies the AdminSDHolder ACL onto every protected group, an ACE that grants write access to member on AdminSDHolder becomes the right to change the membership of Enterprise Admins.
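The practical check, for this issue and for any other product that touches AdminSDHolder, is to review its ACL for write or control rights held by principals that do not hold them by default. The following is an added example written for this page (not code from the post or from Exchange setup) that lists such ACEs and, after review, removes one. It assumes the Active Directory module from Windows Server 2008 R2 and read access to the System container; the trusted-principal list is an assumption to tune for your own domain, and the function names are mine.

```powershell
# Added example: flag non-default write/control rights on AdminSDHolder.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$nb     = $domain.NetBIOSName
$path   = "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Schema and extended-right GUIDs the check looks for
$memberAttr         = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # attribute: member
$userChangePwd      = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # right: User-Change-Password
$userForceChangePwd = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # right: User-Force-Change-Password
$allGuid            = [guid]::Empty                                  # ACE covers all properties/rights

# Assumption: principals that legitimately hold control rights on protected objects.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$nb\Domain Admins", "$nb\Enterprise Admins")
# Everyone and SELF hold User-Change-Password by default (changing your own password needs the old one).
$changePwdOk = $trusted + @('Everyone', 'NT AUTHORITY\SELF')

function Test-AdRight($rights, [string]$flag) {
    ([int]$rights -band [int]([System.DirectoryServices.ActiveDirectoryRights]$flag)) -ne 0
}

function Test-SuspiciousAdminSDHolderAce {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return }
    $who = $Ace.IdentityReference.Value
    $r   = $Ace.ActiveDirectoryRights
    $why = @()
    if ($trusted -notcontains $who) {
        foreach ($f in 'GenericAll', 'WriteDacl', 'WriteOwner') { if (Test-AdRight $r $f) { $why += $f } }
        if ((Test-AdRight $r 'WriteProperty') -and ($Ace.ObjectType -eq $memberAttr -or $Ace.ObjectType -eq $allGuid)) {
            $why += 'WriteProperty:member'           # the Exchange 2010 RC1 escalation path
        }
        if ((Test-AdRight $r 'ExtendedRight') -and ($Ace.ObjectType -eq $userForceChangePwd -or $Ace.ObjectType -eq $allGuid)) {
            $why += 'User-Force-Change-Password'
        }
    }
    if (($changePwdOk -notcontains $who) -and (Test-AdRight $r 'ExtendedRight') -and
        ($Ace.ObjectType -eq $userChangePwd -or $Ace.ObjectType -eq $allGuid)) {
        $why += 'User-Change-Password'
    }
    if ($why.Count -gt 0) {
        New-Object PSObject -Property @{ Trustee = $who; Reason = ($why -join ','); Rights = $r; Ace = $Ace }
    }
}

function Get-SuspiciousAdminSDHolderAce {
    (Get-Acl -Path $path).Access | ForEach-Object { Test-SuspiciousAdminSDHolderAce $_ }
}

function Remove-AdminSDHolderAce {
    # Removes one ACE returned above; SDPROP re-stamps protected objects on its next pass.
    param([Parameter(Mandatory=$true)]$Ace)
    $acl = Get-Acl -Path $path
    [void]$acl.RemoveAccessRule($Ace)
    Set-Acl -Path $path -AclObject $acl
}

Get-SuspiciousAdminSDHolderAce | Format-Table Trustee, Reason, Rights -AutoSize
# Get-SuspiciousAdminSDHolderAce | Where-Object { $_.Trustee -like '*Exchange Windows Permissions' } |
#     ForEach-Object { Remove-AdminSDHolderAce $_.Ace }
```

Run the report before and after any /PrepareDomain, schema extension or delegation change; a new trustee showing up here is exactly the kind of change that should go through review rather than be discovered after the next SDPROP pass has copied it to every protected group.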

Read the rest of this entry »

Posted in Exchange Server

The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting

Posted by John Policelli on 30th August 2009

I came across a great post on the Ask the Directory Services Team blog, which covers the new AD Recycle Bin (ADRB) feature that is included with Windows Server 2008 R2. The post covers the following points and is a must read for anyone wanting to learn more about this new feature:

  • Understanding how ADRB works under the covers.
  • What the requirements are and how to turn ADRB on.
  • Using ADRB, along with some best practices.
  • Troubleshooting common issues people run into with ADRB.

The post can be read by going to http://blogs.technet.com/askds/archive/2009/08/27/the-ad-recycle-bin-understanding-implementing-best-practices-and-troubleshooting.aspx

Posted in AD DS

“Introducing the Active Directory Recycle Bin in Windows Server 2008 R2” Article Published on informIT.com

Posted by John Policelli on 21st August 2009

One powerful feature in Windows Server 2008 R2 is its ability to recover objects from Active Directory, which is very handy in those "Uh oh" moments. John Policelli, author of Active Directory Domain Services 2008 How-To, explains what the Active Directory Recycle Bin does and how to use it.

Read the online article by going to: http://www.informit.com/articles/article.aspx?p=1374789

Posted in Publications

Remote Server Administration Tools (RSAT) Released for Windows 7

Posted by John Policelli on 20th August 2009

Remote Server Administration Tools (RSAT) for Windows 7 are RTM. They can be downloaded here: http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en.

Note: This only runs on Windows 7 Enterprise, Professional, and Ultimate.

Ensure you remove any previous admin tools (RSAT for Windows 7 Beta/RC, RSAT for Windows Vista, AdminPack for Windows Server 2003).

Posted in Windows 7

Monitoring and Troubleshooting with Repadmin

Posted by John Policelli on 20th August 2009

Kurt Hudson, from the MS Active Directory Documentation Team, recently reminded us about a great article that describes how to use the Repadmin.exe tool to monitor, diagnose, and troubleshoot common replication problems in your Active Directory environment. All the information in the document applies to computers running the Windows 2000 Server and Windows Server 2003 operating systems.

The document includes the following topics:

Read the rest of this entry »

Posted in AD DS

AdminSDHolder, Protected Groups and SDPROP Article Published in TechNet Magazine

Posted by John Policelli on 20th August 2009

Are you having problems with Access Control Lists and permissions? It may be related to AdminSDHolder. Learn exactly what AdminSDHolder is, how it works—and how you can tweak it to better meet your organization’s needs.

Published in the September 2009 issue of Microsoft TechNet Magazine.

Posted in Publications

Microsoft Publishes Windows Server 2008/2008R2 Automated Metadata Cleanup Documentation

Posted by John Policelli on 13th August 2009

Back in May of 2008, I posted an entry on my blog regarding the built-in automated metadata cleanup in Windows Server 2008. Microsoft added similar content to its Windows Server 2008 TechNet library.

Here are some links:

Posted in AD DS

DCDiag Fails for NCSecDesc Test on Windows 2008 Domain Controllers

Posted by John Policelli on 13th August 2009

I recently prepared an existing Windows Server 2003 forest for Windows Server 2008 and started to see an error reported in DCDiag. When I did some research on the error I was seeing in DCDiag, I found that it was a known issue that I could ignore.

Read the rest of this entry »

Posted in AD DS

How to Prepare an Existing 32-bit Active Directory Domain Services Forest for the 64-bit Windows Server 2008 R2

Posted by John Policelli on 30th July 2009

You’ve probably heard that Windows Server 2008 R2 was released to manufacturing (RTM) on July 22nd. One of the major changes in Windows Server 2008 R2 is that it is the first Windows operating system offered only for 64-bit processors. So what if you need to prepare an existing Active Directory Domain Services forest/domain for Windows Server 2008 R2, and your existing servers run 32-bit versions of Windows Server? You may think that you’re SOL, but Microsoft planned ahead on this one.

Read the rest of this entry »

Posted in AD DS

The Active Directory Management Gateway Service is now Available for Windows Server 2008 and Windows Server 2003

Posted by John Policelli on 14th July 2009

Windows Server 2008 R2 includes a new service, Active Directory Web Services (ADWS), which is installed with the AD DS and AD LDS roles and is a prerequisite for the Active Directory Module for Windows PowerShell and the Active Directory Administrative Center. Until recently, you were unable to use the Active Directory Module for Windows PowerShell and the Active Directory Administrative Center unless the domain controller you were managing ran Windows Server 2008 R2. However, Microsoft released the Active Directory Management Gateway Service (ADMGS) in early June to extend this functionality to Windows Server 2008 SP1 (and later versions) and Windows Server 2003 SP2 (and later versions).

Read the rest of this entry »

Posted in AD DS, AD LDS

Microsoft Releases Free Active Directory Health Scanner

Posted by John Policelli on 14th July 2009

The Essential Business Server (EBS) team released the Microsoft IT Environment Health Scanner earlier this month. Active Directory health is one of those things that you cannot ignore. Let’s face it, Active Directory is the glue that ties virtually all Microsoft, as well as a significant number of third-party, products and technologies together. Having a good handle on your Active Directory health is a necessity.

Read the rest of this entry »

Posted in AD DS

Critical Security Bulletin for Active Directory and ADAM (MS09-018)

Posted by John Policelli on 17th June 2009

In case you haven’t heard, Microsoft released security bulletin MS09-018 to address vulnerabilities in Active Directory and Active Directory Application Mode (ADAM). It is important to note that this vulnerability DOES NOT apply to Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) in Windows Server 2008.

Read the rest of this entry »

Posted in AD DS

How-To Administer Active Directory Domain Services Groups Using Windows PowerShell

Posted by John Policelli on 11th June 2009

I posted an article on the Microsoft Identity and AD blog on Network World’s Microsoft Subnet community.

The blog entry is titled How-To Administer Active Directory Domain Services Groups Using Windows PowerShell and can be read by going to: http://www.networkworld.com/community/node/42601

Posted in Publications

Using Catch-All Subnets in Active Directory Article Published in TechNet Magazine

Posted by John Policelli on 9th June 2009

In an ideal world, users are directed to the appropriate domain controller for Active Directory authentication, but this is not necessarily what happens in most organizations, because IP subnet information is not properly defined in Active Directory. This article presents a solution to ensure users locate the appropriate DC for authentication: a catch-all subnet that catches the authentication from clients on subnets that are not defined in Active Directory.
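Before adding a catch-all subnet it helps to know which clients are currently falling through, and Netlogon already tells you: every lookup from an address that matches no subnet object is written to %SystemRoot%\debug\netlogon.log as a NO_CLIENT_SITE entry (and summarised in System event 5807). The following is an added example written for this page, not code from the article, that parses those entries and then creates the catch-all subnet. The log lines are constructed for the example, the prefix 10.0.0.0/8 and the site name Hub are assumptions, and the Windows Server 2008 R2 module has no subnet cmdlet, so the object is created with New-ADObject.

```powershell
# Added example: find clients with no site, then define a catch-all subnet.
Import-Module ActiveDirectory

# Constructed sample of netlogon.log lines (not real data); point $logLines at the real file instead:
# $logLines = Get-Content "$env:SystemRoot\debug\netlogon.log"
$logLines = @'
05/14 09:12:33 [MISC] NO_CLIENT_SITE: WKS0412 10.99.7.21
05/14 09:12:51 [MISC] NO_CLIENT_SITE: WKS0218 10.99.7.88
05/14 09:13:04 [MISC] NO_CLIENT_SITE: LAP0031 192.168.40.15
05/14 09:13:40 [MISC] DsGetDcName function called: client site 'Toronto'
'@ -split "`r?`n"

function Get-UndefinedClientSubnet {
    # Groups NO_CLIENT_SITE hits by /24 so you can see which real subnets still need defining.
    param([string[]]$Lines)
    $hits = foreach ($line in $Lines) {
        if ($line -match 'NO_CLIENT_SITE:\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})') {
            $o = $matches[2] -split '\.'
            New-Object PSObject -Property @{
                Client = $matches[1]; IP = $matches[2]
                Subnet24 = ('{0}.{1}.{2}.0/24' -f $o[0], $o[1], $o[2])
            }
        }
    }
    $hits | Group-Object Subnet24 | Select-Object Name, Count,
        @{ n = 'Clients'; e = { ($_.Group | ForEach-Object { $_.Client }) -join ',' } }
}

function New-CatchAllSubnet {
    # Creates a subnet object under CN=Subnets and points it at the hub site. The DC locator
    # uses the longest-prefix match, so properly defined subnets still win over this one.
    param([Parameter(Mandatory=$true)][string]$Prefix,     # e.g. '10.0.0.0/8'
          [Parameter(Mandatory=$true)][string]$SiteName)   # a site with DCs sized for the stray load
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $site = Get-ADObject -LDAPFilter "(&(objectClass=site)(name=$SiteName))" -SearchBase "CN=Sites,$configNC"
    if (-not $site) { throw "Site '$SiteName' not found" }
    New-ADObject -Name $Prefix -Type subnet -Path "CN=Subnets,CN=Sites,$configNC" -OtherAttributes @{
        siteObject  = $site.DistinguishedName
        description = 'Catch-all subnet for clients on undefined subnets'
    }
}

Get-UndefinedClientSubnet -Lines $logLines | Format-Table -AutoSize
# New-CatchAllSubnet -Prefix '10.0.0.0/8' -SiteName 'Hub'
```

The report is the part to keep running after the catch-all exists: once clients map to the hub site they stop appearing as NO_CLIENT_SITE, so the remaining way to spot a branch that should have its own subnet is the authentication load on the hub DCs.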

Published in the June 2009 issue of Microsoft TechNet Magazine.

Posted in Publications

Export, Compare, and Synchronize Active Directory Schemas Article Published in TechNet Magazine

Posted by John Policelli on 9th June 2009

If your organization has multiple Active Directory forests, you need to manage multiple Active Directory schemas and ensure consistency between schemas. Check out our step-by-step guide to comparing and synchronizing Active Directory schemas in multi-forest environments.

Published in the April 2009 issue of Microsoft TechNet Magazine.

Posted in Publications

Win a Free Copy of Active Directory Domain Services 2008 How-To Book

Posted by John Policelli on 9th June 2009

In conjunction with Pearson Education, Microsoft Subnet is giving away 15 copies of the hot title "Microsoft Active Directory Domain Services 2008 How-To" by John Policelli and published by Sams (a $39.99 value). Deadline for entries is June 30, 2009.

How to enter to win: 

Read the rest of this entry »

Posted in Publications

Active Directory Domain Services 2008 How-To – Free Chapter Posted on IT Bookworm Blog

Posted by John Policelli on 9th June 2009

The folks over at IT Knowledge Exchange have been kind enough to post a chapter of my Active Directory Domain Services 2008 How-To book on their IT Bookworm Blog.

The free chapter is Chapter 11: Manage Fine-Grained Password and Account Lockout Policies. You can also click here to download the PDF for this chapter.

Posted in Publications

How-To Search Active Directory Domain Services Password and Account Settings Using Windows PowerShell

Posted by John Policelli on 1st June 2009

I posted an article on the Microsoft Identity and AD blog on Network World’s Microsoft Subnet community.

The blog entry is titled How-To Search Active Directory Domain Services Password and Account Settings Using Windows PowerShell and can be read by going to: http://www.networkworld.com/community/node/42303

Posted in Publications

ADMT 3.1 and Windows Server 2008 R2

Posted by John Policelli on 29th May 2009

I ran across a post on the Ask the Directory Services Team blog that mentions a known issue with ADMT 3.1 and Windows Server 2008 R2. The blog entry can be read here: http://blogs.technet.com/askds/archive/2009/05/22/admt-3-1-and-windows-server-2008-r2.aspx.

Read the rest of this entry »

Posted in AD DS

How-To Administer Active Directory Domain Services User Accounts Using Windows PowerShell

Posted by John Policelli on 28th May 2009

I posted an article on the Microsoft Identity and AD blog on Network World’s Microsoft Subnet community.

The blog entry is titled How-To Administer Active Directory Domain Services User Accounts Using Windows PowerShell and can be read by going to: http://www.networkworld.com/community/node/42218

Posted in Publications

Introducing the Active Directory Module for Windows PowerShell

Posted by John Policelli on 26th May 2009

I posted an article on the Microsoft Identity and AD blog on Network World’s Microsoft Subnet community.

The blog entry is titled Introducing the Active Directory Module for Windows PowerShell and can be read by going to: http://www.networkworld.com/community/node/42157

Posted in Publications

SAMS Active Directory Domain Services How-To Chapter Available Online

Posted by John Policelli on 22nd May 2009

Network World’s Microsoft Subnet site has posted Chapter 1: Introduction to Active Directory Domain Services of the SAMS Active Directory Domain Services 2008 How-To on their Website.

Posted in Publications

Introducing the New Active Directory Domain Services in Windows Server 2008 R2

Posted by John Policelli on 21st May 2009

I have been asked to blog for Network World’s Microsoft Subnet community. The Network World blog I will be posting on is called Microsoft Identity and AD, and can be found here.

I added my first post on this blog, which is titled Introducing the New Active Directory Domain Services in Windows Server 2008 R2.

Here’s an excerpt from the post:

Windows Server 2008 introduced the most significant changes to Active Directory Domain Services (AD DS) since its inaugural release in Windows 2000 Server. Microsoft has continued along this path with Windows Server 2008 R2, making it the most noteworthy interim release of Windows Server.

AD DS in Windows Server 2008 R2 includes a number of important new features, including:

  • Active Directory Recycle Bin
  • Active Directory Module for Windows PowerShell
  • Active Directory Administrative Center
  • Active Directory Best Practices Analyzer
  • Active Directory Web Services
  • Authentication Mechanism Assurance
  • Offline Domain Join
  • Managed Service Accounts

Let’s take a closer look at each of these new features.

The rest the post can be read here: http://www.networkworld.com/community/node/42051.

Posted in Publications

A First Look at the Active Directory Module for Windows PowerShell in the Windows Server 2008 R2

Posted by John Policelli on 12th May 2009

Windows Server 2008 R2 includes an Active Directory Module for Windows PowerShell. This new feature enables you to perform Active Directory administrative tasks by using PowerShell.

The following is a first look at the Active Directory Module for Windows PowerShell that is included with the Windows Server 2008 R2 Release Candidate.

Posted in AD DS

Roll Back / Lower Active Directory Functional Levels in Windows Server 2008 R2

Posted by John Policelli on 8th May 2009

In Windows Server 2008 R2, you can now roll back (lower) the domain functional level (DFL) and forest functional level (FFL). There are a couple of conditions and limitations to this new functionality, which I discuss below.

Posted in AD DS

Vulnerability with the Active Directory Account Operators Group (applies to Domain Controllers)

Posted by John Policelli on 1st May 2009

The Active Directory Documentation Team has pointed out what I consider to be a vulnerability with the built-in Active Directory Account Operators group, which applies to domain controllers. Under certain conditions, which are very common, the Account Operators group retains the Full Control permission on the computer object for a domain controller. As you can imagine, this is undesirable in almost every case.

Posted in AD DS

Enterprise IT Planet Article Published: Win Server 2008 Active Directory Interface Improvements

Posted by John Policelli on 30th April 2009

Discover the most recent Active Directory Domain Services user interface improvements.

Posted in Publications

Active Directory Domain Services 2008 How-To

Posted by John Policelli on 28th April 2009

My second book, Active Directory Domain Services 2008 How-To, is nearing publication. Below are some details on this publication:


Specifics:

  • Author: John Policelli
  • Published May 18, 2009 by Sams.
  • Copyright 2009
  • Dimensions 5-3/8 X 8-1/4
  • Pages: 528
  • Edition: 1st.
  • ISBN-10: 0-672-33045-8
  • ISBN-13: 978-0-672-33045-2

Posted in Publications

Active Directory Domain Services in the Perimeter Network (Windows Server 2008)

Posted by John Policelli on 28th April 2009

Microsoft has expanded their Windows Server 2008 Active Directory Domain Services (AD DS) Planning and Architecture collection to include AD DS in the perimeter network. More specifically, the new guide covers the following:

  • Determining whether AD DS is appropriate for your perimeter network
  • The various models for deploying AD DS in perimeter networks
  • Planning and deploying read-only domain controllers (RODCs) in perimeter networks

The guide can be downloaded by going to http://technet.microsoft.com/en-us/library/dd728034.aspx.

Posted in AD DS

How-To Resolve CN to Ldap-Display-Name for Active Directory Attributes and Classes

Posted by John Policelli on 20th April 2009

Have you ever been in a situation where you needed the Ldap-Display-Name of an Active Directory attribute or class, but all you had was the CN? I have found myself in this scenario many times. Virtually every time, I had to use multiple sources to determine the Ldap-Display-Name of the attribute or class, which was inefficient to say the least. I finally got fed up and developed a reusable process so that I can streamline the resolution of CN to Ldap-Display-Name for Active Directory attributes and classes.

Posted in AD DS

Stephen Ibaraki Exclusive Interview with John Policelli

Posted by John Policelli on 17th April 2009

International Authority in Windows Technologies, Widely Acknowledged Networking Expert, Best-selling Author and Certification Exam Contributor, Microsoft Most Valuable Professional.

This interview was subsequently featured on a number of websites, including:

Posted in Publications

Enterprise IT Planet Article Published: Win Server 2008: Restartable Active Directory Domain Services Explained

Posted by John Policelli on 8th April 2009

This new feature in Windows Server 2008 allows you to start, stop, and restart Active Directory Domain Services on a domain controller, thus facilitating more streamlined operations for performing offline tasks on a domain controller.

Posted in Publications

Enterprise IT Planet Article Published: Windows Server 2008 Active Directory Database Mounting Tool

Posted by John Policelli on 25th March 2009

Recovery processes for Active Directory Domain Services and Active Directory Lightweight Directory Services have been revamped in Windows Server 2008. Major new features include point-in-time snapshots and the ability to mount the stored snapshot data as a database.

To read the article, please go to http://www.enterpriseitplanet.com/networking/features/article.php/3812086.

Posted in Publications

Back to the Basics – Securing the Directory Services Restore Mode Account

Posted by John Policelli on 25th March 2009

The Directory Services Restore Mode (DSRM) account is used to log on to a domain controller in Directory Services Restore Mode to perform maintenance and recovery tasks. This account is often forgotten by AD administrators, which results in a significant security risk. If exploited, this risk can have a high impact.

I have run Active Directory security assessments for a number of small, medium, and large sized companies over the years. In almost every case, I have identified the DSRM account as a risk, because it was not being secured adequately. I felt compelled to use this post to emphasize the importance of securing the DSRM account.

This is not a post that describes how to change the password on a DSRM account; there are thousands of such articles on the web. This post aims to give you a thorough understanding of the risks associated with not properly securing DSRM accounts, the impact of exploited DSRM accounts, and my recommendations to secure DSRM accounts.

Posted in AD DS

Free Tool for Managing Fine-Grained Password Policies

Posted by John Policelli on 24th February 2009

I stumbled across a GUI-based tool which provides the ability to manage fine-grained password and account lockout policies. I couldn’t help but install the tool to take a closer look. I have to admit that this simple tool does a much better job than the native tools at managing fine-grained password policies.

The tool is called Specops Password Policy BASIC and is available from Special Operations Software. It can be downloaded here.

For a detailed look at using the native tools for managing fine-grained password policies, see my posts Fine-Grained Password Policies in Windows Server 2008 and Manage Shadow Groups in Windows Server 2008.

Posted in AD DS

A Great Explanation of Size Differences in Active Directory Databases

Posted by John Policelli on 23rd February 2009

Tim Springston, from Microsoft’s Customer Services and Support division (formerly Product Support Services), published a great explanation titled “Gauging Size Differences in AD Databases”. This is a good read for those who have wondered, or have been asked, why the size of the AD database differs between domain controllers.

Tim’s blog entry can be found here.

Posted in AD DS

Synchronize the DSRM Administrator Password with a Domain User Account

Posted by John Policelli on 19th February 2009

Microsoft has released a new feature for Windows Server 2008 that allows you to synchronize the Directory Services Restore Mode (DSRM) password with the password of a domain user account.

Posted in AD DS

Enterprise IT Planet Article Published: Windows Server 2008 Read-Only Domain Controller Benefits

Posted by John Policelli on 18th February 2009

Discover how read-only domain controllers provide improved security, faster logon times and an expanded set of administrative roles.

To read the article, please go to http://www.enterpriseitplanet.com/networking/features/article.php/3803831

Posted in Publications

Enterprise IT Planet Article Published: Active Directory Domain Services Fine-Grained Password and Account Lockout Policies

Posted by John Policelli on 3rd February 2009

With the advent of Windows Server 2008, password management made a substantial leap. Learn how to improve security and craft policies for just about any situation.

To read the article, please go to http://www.enterpriseitplanet.com/networking/features/article.php/3800436.

Posted in Publications

User Interface Enhancements and Changes between Active Directory Administrative Center and Active Directory Users and Computers

Posted by John Policelli on 28th January 2009

The Windows Server 2008 R2 Beta includes a new Active Directory data management tool, called the Active Directory Administrative Center (ADAC). ADAC is a replacement for the Active Directory Users and Computers (ADUC) console. You can find more information on ADAC in my A First Look at the Active Directory Administrative Center in the Windows Server 2008 R2 Beta post.

I’ve been using ADAC as I evaluate the Windows Server 2008 R2 Beta, and what follows is a list of user interface enhancements and changes between ADAC and ADUC.

Posted in AD DS

A First Look at the Active Directory Domain Services Recycling Bin Feature in the Windows Server 2008 R2 Beta

Posted by John Policelli on 23rd January 2009

Windows Server 2008 R2 includes a new Recycling Bin feature for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

The following is a first look at the Active Directory Recycling Bin that is included with the Windows Server 2008 R2 Beta.

NOTE: Updated May 8, 2009 to include information for the RC build of Windows Server 2008 R2.

Posted in AD DS

A First Look at the Active Directory Domain Services Best Practice Analyzer in the Windows Server 2008 R2 Beta

Posted by John Policelli on 22nd January 2009

Windows Server 2008 R2 includes a Best Practice Analyzer (BPA) for a limited number of server roles, including Active Directory Domain Services.

The following is a first look at the Active Directory Domain Services Best Practice Analyzer (AD DS BPA) that is included with the Windows Server 2008 R2 Beta.

Posted in AD DS

Enterprise IT Planet Article Published: Windows Server 2008: Active Directory Domain Services Auditing Capabilities Explained

Posted by John Policelli on 22nd January 2009

Learn how the expanded auditing options offer new levels of insight, granularity and control.

To read the article, please go to http://www.enterpriseitplanet.com/networking/features/article.php/3797931

Posted in Publications

A First Look at the Active Directory Administrative Center in the Windows Server 2008 R2 Beta

Posted by John Policelli on 22nd January 2009

Microsoft has released a new Active Directory data management tool in Windows Server 2008 R2, which is now called the Active Directory Administrative Center.

What follows is an initial look at the new Active Directory Administrative Center (ADAC).

Posted in AD DS

Step-by-Step Guide to Installing Active Directory Domain Services in Windows Server 2008 R2 Beta

Posted by John Policelli on 22nd January 2009

The following is a step-by-step guide to installing Active Directory Domain Services in the Windows Server 2008 R2 Beta.

Posted in AD DS

Enterprise IT Planet Article Published: Windows Server 2008: Discover the New Active Directory Domain Services

Posted by John Policelli on 15th January 2009

There are a number of new Active Directory Domain Services features in Windows Server 2008. These new features improve auditing, security, and the management of Active Directory Domain Services and show Microsoft’s commitment to evolving Active Directory Domain Services. The following is an overview of the new Active Directory Domain Services features that are in Windows Server 2008.

To read the article, please go to http://www.enterpriseitplanet.com/networking/features/article.php/3796561

Posted in Publications

Windows Server 2008 R2 Active Directory Updates – Microsoft Presentation

Posted by John Policelli on 11th January 2009

Microsoft’s Windows Server 2008 R2 Resources site contains a number of useful guides, presentations, and links to newsgroups and forums.

I stumbled across a presentation titled “Windows Server 2008 R2 Active Directory Updates” that gives a good overview on the changes to AD DS in Windows Server 2008 R2.

Posted in AD DS

Replmon.Exe has been Cut from Windows Server 2008

Posted by John Policelli on 9th January 2009

I’ve run across a few newsgroup posts lately where people have pointed out they cannot find Replmon.exe on Windows Server 2008. I finally got around to checking for myself and was surprised to see the tool is really gone.

Posted in AD DS

Windows Server 2008 RODC Compatibility Pack for Windows Server 2003 Clients and for Windows XP Clients

Posted by John Policelli on 5th December 2008

Microsoft previously published a KB article that lists 11 fairly significant known issues for deploying RODCs. The known issues listed in the above-mentioned KB article include the following:

  • Group Policy fails to access Windows Management Instrumentation (WMI) filters on an RODC.
  • Internet Protocol security (IPsec) policies fail to apply from an RODC.
  • The Windows Time service (W32time) in Windows XP and Windows Server 2003 does not recognize an RODC.
  • Unsecure domain join fails.
  • Domain join using RODC in the perimeter network fails.
  • Password changes fail in the perimeter network when only an RODC is available.
  • The RODC fails to retrieve or create a public key certificate.
  • Spooler does not reflect the correct printer publish state.
  • The Find Printer user interface (UI) hangs when a computer that runs Windows XP or Windows Server 2003 can contact an RODC but not a writable domain controller.
  • Active Directory Service Interfaces (ADSI) in Windows XP and Windows Server 2003 requests a remote writable domain controller instead of a local RODC.
  • Domain controllers running Windows Server 2003 perform automatic site coverage for sites with RODCs.

The KB article provides additional details on the scope and impact of each known issue. Additionally, there are workarounds listed for 6 of the 11 known issues.

However, Microsoft does recommend that you install the Windows Server 2008 RODC Compatibility Pack on Windows Server 2003 and Windows XP client computers that interact with RODCs. Additional information on this compatibility pack can be found here. It is important to note that Windows XP Service Pack 3 does not include this compatibility pack.

Posted in AD DS

Active Directory – Gone in 60 Seconds

Posted by John Policelli on 20th November 2008

Let me start by stating that this article is NOT intended to be used to break Active Directory or for any malicious reasons. This article is intended to show that the use of built-in security groups, coupled with failing to follow the Principle of Least Privilege, is a HORRIBLE practice and can cause significant impact to your Active Directory environment.

In 2005 I provided a demonstration for a user group that showed that the use of built-in security groups, coupled with failing to follow the Principle of Least Privilege, could cause a domain-wide outage. In recent months, I have seen individuals posting in newsgroups and forums who have mistakenly exposed themselves to this same issue. Even more recently, I received an email from someone who attended my presentation in 2005 informing me that they too were impacted by this issue.

I decided to extract the relevant information from my 2005 demonstration and post it online. Again, my intent is not to show how you can break Active Directory. Rather, I intend to show you that by using built-in groups and failing to follow the Principle of Least Privilege, you can make it very easy for someone to intentionally or unintentionally cause a domain-wide outage. I have updated my original content to include Windows Server 2008, as this risk also applies to Windows Server 2008.

In this article, I demonstrate how someone with membership in the built-in Account Operators group can (intentionally or unintentionally) exploit a system limitation and prevent all users in your domain from logging on. I start by providing some background information before the demonstration. I then provide some additional information on why the risk exists and what you can and cannot do about it. I conclude with some general recommendations and best practices to avoid such outages.

Posted in AD DS

Microsoft’s Position on High Accuracy Time Requirements

Posted by John Policelli on 18th November 2008

Having worked in the financial sector for a number of years, I have repeatedly seen the need for time to be synchronized down to the second or millisecond. Financial applications, such as trading applications, rely heavily on high accuracy time. The fact of the matter is that the Windows Time Service was not designed for high accuracy time. Microsoft designed the Windows Time Service to 1) make the Kerberos Version 5 authentication protocol work and 2) provide loosely synchronized time for client computers.

I stumbled across a post from Microsoft’s Directory Services Team that outlines Microsoft’s position on high accuracy time requirements and the Windows Time Service. The post can be found here. This article is a good read if you want to understand what the Windows Time Service was and was not designed to do.

Posted in AD DS

Active Directory Domain Service Server Role Improvements in Windows Server 2008 R2

Posted by John Policelli on 18th November 2008

Microsoft has published an article that lists the improvements in Windows Server 2008 R2. The article can be downloaded here.

There are a few key AD DS improvements that are highlighted. Some of the improvements will apply to all Active Directory server roles in Windows Server 2008, while others will apply to the Active Directory Domain Services server role only.

Here is a list of the improvements in Windows Server 2008 R2:

  • New Forest Functional Level
  • PowerShell cmdlets
  • Improvements to automated monitoring and notification
  • Recovery of deleted objects (built-in Recycling Bin feature)
  • Offline domain join support
  • Managed service accounts
  • Active Directory Administrative Center (goodbye ADUC)

Posted in AD DS

Active Directory Database Mounting Tool (AD DS and AD LDS Snapshots)

Posted by John Policelli on 11th November 2008

Windows Server 2008 introduces a new feature that allows you to create and view snapshots of data that is stored in AD DS and AD LDS. The Active Directory database mounting tool (Dsamain.exe) was referred to as Snapshot Viewer and Active Directory data mining tool during the beta releases of Windows Server 2008.

Microsoft states that the Active Directory database mounting tool is useful for simplifying the forest recovery process and for auditing modified and deleted objects. These are two very useful reasons to learn more about the Active Directory database mounting tool. What follows is a step-by-step guide on how to use the Active Directory database mounting tool.

Posted in AD DS, AD LDS

Active Directory Maximum Limits

Posted by John Policelli on 4th November 2008

I ran across a document from Microsoft that lists maximum limits for Active Directory. This document pertains to Windows 2000 Server and Windows Server 2003. There is no reference to Windows Server 2008 in the document. However, the majority of the limits also apply to Windows Server 2008.

Below is a summary of the maximums. The full details, including rationale, can be found here: http://technet.microsoft.com/en-us/library/cc756101.aspx.

Posted in AD DS

Built-In Active Directory Attribute Editor in Windows Server 2008

Posted by John Policelli on 28th August 2008

Microsoft has included a new feature, the Attribute Editor, in Windows Server 2008 which allows you to view and modify attributes through two of the native Active Directory snap-ins (Active Directory Users and Computers and Active Directory Sites and Services). This is especially valuable when you need to view and/or modify attributes that are not part of the base schema, such as custom attributes. In the Windows 2000 Server and Windows Server 2003 versions of Active Directory, these attributes could only be modified programmatically or by using the ADSI Edit console. However, in Windows Server 2008, you can now modify custom attributes by using the native tools.

Posted in AD DS

Structured Active Directory Schema Management at Microsoft

Posted by John Policelli on 21st August 2008

The white paper that discusses schema management at Microsoft was recently updated and has been posted on Microsoft’s IT Showcase website. The technical white paper can be found here. The TechNet Webcast can be found here.

Posted in AD DS

MCITP Self-Paced Training Kit (Exam 70-647): Windows Server® Enterprise Administration Released

Posted by John Policelli on 19th June 2008

The MCITP Self-Paced Training Kit (Exam 70-647): Windows Server® Enterprise Administration was published yesterday. The 70-647 Training Kit should be available through retailers by June 28th. The 70-647 Training Kit will also be included with the MCITP Self-Paced Training Kit (Exams 70-640, 70-642, 70-643, 70-647): Windows Server® 2008 Enterprise Administrator Core Requirements Training Kit. Both can be pre-ordered through retailers.

Posted in AD DS

Protect Active Directory Domain Services Objects from Accidental Deletion

Posted by John Policelli on 18th June 2008

Windows Server 2008 introduces a new option designed to protect Active Directory Domain Services (AD DS) objects from accidental deletion. I know of a number of companies that have experienced an impact on business continuity that could have been avoided by using this option. In my experience, the accidental deletions that have created the most impact were Organizational Unit (OU) deletions. This is likely why Microsoft has decided to enable this option by default when OUs are created through the Active Directory Users and Computers (ADUC) console.

Posted in AD DS

Microsoft Ships First Chapter of the RODC Guide

Posted by John Policelli on 18th June 2008

Microsoft released the Planning and Deploying Read-Only Domain Controllers guide last week. The guide can be found by going to the following link: http://go.microsoft.com/fwlink/?LinkId=120840. According to Brian Puhl’s post, this is the first chapter in the RODC guide.

Posted in AD DS

Refining Scripts that Query Data from Active Directory Domain Services

Posted by John Policelli on 28th May 2008

Working with large enterprise Active Directory environments, I am a frequent user of scripts and command-line tools. I can’t say enough good things about the Microsoft DS tools (Dsadd, Dsget, Dsmod, Dsmove, Dsquery, and Dsrm) along with the infamous AdFind and AdMod tools. I often find myself creating and refining my scripts over and over again, until they work just as I want them to. I also frequently review and refine scripts that others create. I was amazed at how a few tweaks to a specific set of scripts resulted in such a positive impact.

Posted in AD DS

Windows Server 2008 Active Directory Domain Services Metadata Cleanup

Posted by John Policelli on 24th May 2008

Microsoft has added another method to perform Active Directory Domain Services metadata cleanup (the process of removing data in AD DS after an unsuccessful domain controller demotion) in Windows Server 2008. We now have the ability to perform metadata cleanup using the Active Directory Users and Computers console in Windows Server 2008. Moreover, this new functionality significantly reduces the number of steps required to perform this task.

Posted in AD DS

Placing the Infrastructure Master Operations Master Role on a Global Catalog Server

Posted by John Policelli on 15th January 2008

Recommendations regarding the placement of the infrastructure master role have been confusing and contradictory since the introduction of Active Directory in Windows 2000 Server. Most of the confusion stems from ambiguous wording. In some documentation you will read that the infrastructure master can never be placed on a server that hosts the global catalog. In other documentation you will read that the infrastructure master role can be placed on a global catalog server provided that all domain controllers in the domain are global catalog servers.

Posted in AD DS

Automatic Site Coverage in Active Directory Domain Services

Posted by John Policelli on 15th January 2008

There is not necessarily a domain controller in every site, which is when automatic site coverage comes into play. For various reasons, it is possible that no domain controller exists for a particular domain at the local site. Through automatic site coverage, each domain controller checks all sites in the forest and then checks the replication cost matrix. A domain controller advertises itself (registers a site-related SRV record in DNS) in any site that does not have a domain controller for that domain and for which its own site has the lowest-cost connection. This process ensures that every site has a domain controller defined by default for every domain in the forest, even if a site does not contain a domain controller for that domain. The domain controllers that are published in DNS are those from the closest site (as defined by the replication topology).

Posted in AD DS

Manage Shadow Groups in Windows Server 2008

Posted by John Policelli on 15th January 2008

In Windows Server 2008, fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. Fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply fine-grained password policy to users in an OU, you can use a shadow group.

Posted in AD DS

Fine-Grained Password Policies in Windows Server 2008

Posted by John Policelli on 15th January 2008

With the new fine-grained password policies feature in Windows Server 2008, we can finally create multiple password policies and account lockout policies for users in the same domain. The fact that the fine-grained password policies feature in Windows Server 2008 maps password policies to users and/or groups means that we have virtually unlimited flexibility when it comes to password policy and account lockout policy requirements.

Posted in AD DS