Virtualization is no longer simply a hot topic, but rather it has become vital in most enterprises today. The virtualization of domain controllers is no exception. I’ve personally had several clients express an interest in virtualizing their production domain controllers, and have first hand experience in doing so.
Category Archives: AD DS
ADMT 3.2 Released – Windows Server 2008 R2 Supported
Microsoft released the Active Directory Migration Tool (ADMT) 3.2, which fully supports Windows Server 2008 R2. A little late in my opinion, especially since Windows Server 2008 R2 went RTM almost one year ago, but nonetheless it is available now.
Newly Released Windows Time Service Technical Reference
If you’ve had to get technical information on the Windows Time Service, you probably found yourself digging through several KB articles, which contained conflicting information. Microsoft recently centralized this information into the Windows Time Service Technical Reference, and updated it to include Windows Server 2008 R2 and Windows 7.
The Windows Time Service Technical Reference can be found here: Windows Time Service Technical Reference.
The Next Generation of AD Performance Analysis
I came across a good blog post which talks about the next generation of AD performance analysis. More specifically, the author covers configuration and management of Active Directory Diagnostics Data Collector Sets. Data Collector Sets are the next generation of a utility called Server Performance Advisor (SPA).
The post can be found here.
Updates for Best Practices Analyzer
During one of Dean Wells’ TEC 2010 presentations, I learned that MS will be releasing updates for Best Practices Analyzer. This is a great thing. Dean mentioned that we should see updates every 6 months or so.
At present, there are 7 updates available for BPA…none yet for AD DS though. These updates can be found here.
More information on the Best Practices Analyzer in Windows Server 2008 R2 can be found here:
DCDiag Takes a Long Time to Run on Windows Server 2008 R2 and Windows 7
DCDiag.exe is an extremely useful built-in troubleshooting tool. I stumbled across a KB from Microsoft that explains that in certain environments, and under certain conditions, DCDiag.exe may take an excessive amount of time to run on computers with Windows Server 2008 R2 or Windows 7 installed. The good news is that MS has released an updated version of DCDiag.exe which fixes this issue. The KB and download can be found here: http://support.microsoft.com/?kbid=979294.
Active Directory Garbage Collection Causes DCs to Run Slow or Stop Responding
Microsoft has acknowledged an issue with the Active Directory garbage collection process, which may cause a domain controller to run slow or stop responding.
Placing Several RODCs in the Same Site
Microsoft recently published an article that addresses a hot topic – whether or not you should place several RODCs in the same Active Directory site. In my opinion, this article does a good job of giving you the information you’ll need to determine RODC placement. The article can be read here: http://technet.microsoft.com/en-us/library/ee522995(WS.10).aspx
Understanding AdminSDHolder and Protected Groups
NOTE: I revised this article to fix some mistakes and to include new content from Windows Server 2008 R2.
Active Directory has built-in processes that exist to secure users that are members of privileged groups. These processes have been around for quite some time, but Active Directory administrators still get stumped by them regularly. What follows is an updated look at AdminSDHolder, Protected Groups, and SDPROP. Windows Server 2008 R2 specific content has been added.
This article will provide you with the following information:
- Overview
- How AdminSDHolder Works
- Default ACL on the AdminSDHolder Object in Windows Server 2008 R2
- Default Protected Groups and Users
- Modifying How Often the AdminSDHolder Background Process Runs
- How to Determine if a User or Group is Protected by AdminSDHolder
- Orphaned AdminSDHolder Objects
- Security Descriptor Propagator
- How to Force AdminSDHolder to Run
- Additional Resources
Group Policy Cmdlets in Windows PowerShell
Microsoft has made Group Policy cmdlets for Windows PowerShell available. These cmdlets, roughly 25 in total, can be used to:
- Maintain GPOs (create, remove, backup, reporting, and import)
- Associate GPOs with AD DS containers (link, update, and remove)
- Set inheritance and permissions on AD DS OUs and domains
- Configure registry-based settings and Group Policy Preferences Registry settings
Active Directory in Hyper-V Environments
There’s no doubt that virtualization is hot these days. The following articles, posted on the Dirteam.com Blog, will answer virtually all (no pun intended) questions that you have when it comes to Active Directory in Hyper-V environments.
Using ADMT 3.1 to Migrate to a Domain that Contains Windows Server 2008 R2 DCs
Update June 19, 2010: Microsoft has released ADMT 3.2, which fully supports Windows Server 2008 R2. Please see the following post for more details: http://policelli.com/blog/?p=550.
As you may have heard, Microsoft is working on ADMT 3.2, which will be fully supported for Windows Server 2008 R2. However, ADMT 3.2 is still under development and there is no official release date as of yet.
In the interim, a KB has been released that discusses the use of ADMT 3.1 on Windows Server 2008 R2 DCs. The KB points out the following supported scenarios for ADMT 3.1 on Windows Server 2008 R2 DCs:
- ADMT 3.1 must be run from a Windows Server 2008-based computer. The computer must be a member server or a domain controller.
- ADMT can be installed on any computer that is running Windows Server 2008, unless the computers are Read-Only domain controllers or in a Server Core configuration.
- The target domain must be based on Windows 2000 Server, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2.
- The source domain must be based on Windows 2000 Server, Windows Server 2003, or Windows Server 2008.
- The ADMT agent, which is installed by ADMT on computers in the source domains, can operate on computers that are running Windows 2000 Professional, Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, or Windows Server 2008 R2.
Before you go ahead and use ADMT 3.1 with Windows Server 2008 R2 DCs, you should be aware of the known issues, which can be read by going to http://support.microsoft.com/kb/976659.
The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting
I came across a great post on the Ask the Directory Services Team blog, which covers the new AD Recycle Bin (ADRB) feature that is included with Windows Server 2008 R2. The post covers the following points and is a must read for anyone wanting to learn more about this new feature:
- Understanding how ADRB works under the covers.
- What the requirements are and how to turn ADRB on.
- Using ADRB, along with some best practices.
- Troubleshooting common issues people run into with ADRB.
The post can be read by going to http://blogs.technet.com/askds/archive/2009/08/27/the-ad-recycle-bin-understanding-implementing-best-practices-and-troubleshooting.aspx
Monitoring and Troubleshooting with Repadmin
Kurt Hudson, from the MS Active Directory Documentation Team, reminded us recently about a great article that describes how to use the Repadmin.exe tool to monitor, diagnose, and troubleshoot common replication problems in your Active Directory environment. All the information in the document applies to computers running the Windows 2000 Server and Windows Server 2003 operating systems.
The document includes the following topics:
Microsoft Publishes Windows Server 2008/2008R2 Automated Metadata Cleanup Documentation
Back in May of 2008, I posted an entry on my blog regarding the built-in automated metadata cleanup in Windows Server 2008. Microsoft added similar content to its Windows Server 2008 TechNet library.
Here are some links:
DCDiag Fails for NCSecDesc Test on Windows 2008 Domain Controllers
I recently prepared an existing Windows Server 2003 forest for Windows Server 2008 and started to see an error reported in DCDiag. When I did some research on the error I was seeing in DCDiag, I found that it was a known issue that I could ignore.
How to Prepare an Existing 32-bit Active Directory Domain Services Forest for the 64-bit Windows Server 2008 R2
You’ve probably heard that Windows Server 2008 R2 was released to manufacturing (RTM) on July 22nd. One of the major changes in Windows Server 2008 R2 is that it is the first Windows operating system to be offered only for 64-bit processors. So what if you need to prepare an existing Active Directory Domain Services forest/domain for Windows Server 2008 R2, and your existing servers run 32-bit versions of Windows Server? You may think that you’re SOL, but Microsoft planned ahead on this one.
The Active Directory Management Gateway Service is now Available for Windows Server 2008 and Windows Server 2003
Windows Server 2008 R2 includes a new server role, called Active Directory Web Services (ADWS), which is a prerequisite to use the Active Directory Module for Windows PowerShell and the Active Directory Administrative Center. Until recently, you were unable to use the Active Directory Module for Windows PowerShell and the Active Directory Administrative Center unless you were managing a Windows Server 2008 R2 machine. However, Microsoft released the Active Directory Management Gateway Service (ADMGS) in early June to extend this functionality to Windows Server 2008 SP1 (and later versions) and Windows Server 2003 SP2 (and later versions).
Microsoft Releases Free Active Directory Health Scanner
The Essential Business Server (EBS) team released the Microsoft IT Environment Health Scanner earlier this month. Active Directory health is one of those things that you cannot ignore. Let’s face it, Active Directory is the glue that ties virtually all Microsoft, as well as a significant number of third-party, products and technologies together. Having a good handle on your Active Directory health is a necessity.
Critical Security Bulletin for Active Directory and ADAM (MS09-018)
In case you haven’t heard, Microsoft released security bulletin MS09-018 to address vulnerabilities in Active Directory and Active Directory Application Mode (ADAM). It is important to note that this vulnerability DOES NOT apply to Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) in Windows Server 2008.
ADMT 3.1 and Windows Server 2008 R2
I ran across a post on the Ask the Directory Services Team blog that mentions a known issue with ADMT 3.1 and Windows Server 2008 R2. The blog entry can be read here: http://blogs.technet.com/askds/archive/2009/05/22/admt-3-1-and-windows-server-2008-r2.aspx.
A First Look at the Active Directory Module for Windows PowerShell in Windows Server 2008 R2
Windows Server 2008 R2 includes an Active Directory Module for Windows PowerShell. This new feature enables you to perform Active Directory administrative tasks by using PowerShell.
The following is a first look at the Active Directory Module for Windows PowerShell that is included with the Windows Server 2008 R2 Release Candidate.
Roll Back / Lower Active Directory Functional Levels in Windows Server 2008 R2
In Windows Server 2008 R2, you can now roll back (lower) the domain functional level (DFL) and forest functional level (FFL). There are a couple of conditions and limitations to this new functionality, which I discuss below.