Active Directory

76K

Solutions

39K

Contributors

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


While rebooting a Windows Server 2003 server, it shows "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete, and once we logged on not all the services were started, so another reboot was required to start all the services normally.
0
 

Expert Comment by Praveen Patten
Super Jinesh
1
Lab Topology
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
1
 

Expert Comment by PriteshW
Good article, set up in my lab and works well.
0
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
0
 
Expert Comment by Walter Curtis (LVL 22)
Great information. Thanks! Recommended reading for all SharePoint people. This should be submitted as an article.

Have a good one...
1
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
0
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
0
In this article, we will see the basic design considerations for designing a multi-tenant web application in a simple manner. Though many frameworks are available on the market to develop a multi-tenant application, do they provide data and code portability, maintainability and platform agnosti
0
Synchronize a new Active Directory domain with an existing Office 365 tenant
1
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
0
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
1
Resolve DNS query failed errors for Exchange
2
Trying to figure out group policy inheritance and which settings apply where can be a chore.  Here's a very simple summary I've written which might help.  Keep in mind, this is just a high-level conceptual overview where I try to avoid getting bogged down in the details.
6
 
Expert Comment by Jim Horn (LVL 66)
Nice article on a large Active Directory and SQL Server permissions issue that DBAs work with a lot.  Nicely illustrated as well.  Voting Yes.
0
 
Expert Comment by Yashwant Vishwakarma (LVL 8)
Nice article Joseph :)
got some idea about active directory concepts.
Voted YES.
1
Active Directory replication delay is the cause of many problems.  Here is a super easy script to force Active Directory replication to all sites by using an elevated PowerShell command prompt, and a tool to verify your changes.
3
 
Expert Comment by Senior IT System Engineer (LVL 9)
Hi Michael,

Do I need to run the PowerShell that you mention above on the PDC emulator role holder, or does it have to be from the DC where I made the changes?
0
 
Author Comment by Michael Christly (LVL 5)
I run this in PowerShell (as admin) from my desktop. It would be fine to run on any DC; however, I have remote admin tools installed on my machine. If your domain is large, this type of forced replication could cause significant network traffic until replication is complete. My domain has 4 DCs at two physical sites and it takes about 20 to 40 seconds to complete.
1
Domain split
Previously I had a customer who was preparing to be split into two separate businesses. The disruption to the IT infrastructure was going to be huge, and the timeline to complete the work was tight - very tight. With the help of EE I managed to find a way to do this quickly and cleanly.
6
 
Expert Comment by Luciano Patrão (LVL 25)
Good article!
0
 
Expert Comment by Jim Horn (LVL 66)
Nice case study you've written here, and well illustrated.  Voting Yes.
0
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of our experiences, plus the result of our spending a lot of time with Jeremy Moskowitz's GP books.
0
Several part series to implement Internet Explorer 11 Enterprise Mode
1
Not many admins are aware that GPOs can be activated and deactivated time-based. Time to change that :)
6
Ever wondered why Windows 8 and 10 don't seem to accept your GPO-based software deployment while Windows 7 does? Read on.
13
 
Expert Comment by LockDown32 (LVL 15)
Thanks McKnife. I caught the part about the fast boot. It was interesting and clear. What wasn't clear was the fix.
0
 

Expert Comment by IT Guy
Excellent article
0
Hi all.
 
The other day I had to change the passwords for a bunch of users on the fly. Because there were so many, I decided to do it in an automated way, and I would like to share it with you all.
 
If you are not doing it directly in a Domain Controller (DC) you need to install and import the Active Directory (AD) module and you also need the required privileges to change passwords.
 
This script will check the users in a specified Organizational Unit (OU) without specifying any user, so be careful if you decide to use it.
 
Warning: If you decide to use this script test it first in a lab environment. Do it at your own risk.
 
This script will check the users in a specified Organizational Unit (OU) and then generate a random alphanumeric password of 8 characters for each of them.
Of course we can do more stuff but I don't want to complicate and I just want to show you how it can be done. This is just one way of doing it.
 
#This is the file that will be generated with the users' account IDs and the generated passwords.
[String]$path = ".\NewPass.txt"

#Check whether the file already exists and delete it, so a new one can be created from scratch.
#Test-Path returns $false when the file is missing, so Remove-Item is only called on an existing file.
if (Test-Path $path) { Remove-Item $path }

<# Required Assembly to Generate Passwords #>
Add-Type -AssemblyName System.Web
#In my case I created an OU for test purposes; here it is.
#You need to change it to meet your requirements.


2
 
Author Comment by David Paris Vicente (LVL 12)
Hi all,

Thank you all for your comments.
@robert, for you to be able to do that with the code above you will need to use a regexp, but I believe you can achieve it in an easier way; check the example below.

In my code I have:
$NewPassword=[Web.Security.Membership]::GeneratePassword(8,3)

If you change it to:
$NewPassword = -join ((97..122) | Get-Random -Count 10 | % {[char]$_})

This will generate a random string with lowercase characters only.

If you also want capital letters you need to use the ASCII table to check the value of each char; let's see an example.

$NewPassword = -join ((65..90) + (97..122) | Get-Random -Count 10 | % {[char]$_})

The output will be a random string.

Now if you want to add numbers, you can do it by adding the ASCII values related to numbers. Let's check it.

$finalpass=''
# Digits 0-9 are kept as numbers; the letter codes (65-90, 97-122) are turned into chars below
$NewPassword = ((0..9) + (65..90) + (97..122) | Get-Random -Count 10 | % {[int32]$_})
Foreach($pass in $NewPassword){
 if ($pass -le 9){
    $finalpass+= $pass
 }else {
 $finalpass+= [char]$pass
 }
}
Write-Host $finalpass

I believe this can do the trick. I didn't have much time to test it, but I can see that some random passwords could have only letters.

Then you can export it to a CSV file by piping the variable $finalpass:
# Wrap the string in an object so Export-Csv writes a Password column instead of the string's Length property
[PSCustomObject]@{Password=$finalpass} | Export-CSV c:\NewPass.csv -Append -NoTypeInformation


With this little code you already have the tools to start tweaking and accomplish your goal.

I hope it helps.

Cheers.

D.
1
 

Expert Comment by rob ert
Alright, I managed to make it generate lowercase letters + letters using your code and it works perfectly, thanks a lot.
I have another question, I hope I'm not being annoying: the exported CSV looks like Capture.PNG. How can I make it look like Capture2.PNG? If you notice, the users are not consecutive; they should be ige1, ige2, ige3, ige4, ige5 etc. instead of "userID:" and "password:" in every row. Plus, is there a way to select specific users from that OU?
Your help is much appreciated.
0
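The following is an added example for the bulk password reset article above and for the questions raised in the comments (guaranteeing a mix of character classes, and getting a usable CSV out of Export-Csv). It is not the article's or the commenters' code. It assumes the RSAT ActiveDirectory module is installed and the running account holds "Reset password" rights on the target OU; $TargetOU and $OutputCsv are placeholders to replace.

```powershell
# Added example, not the article's or the commenters' code. Assumes the RSAT ActiveDirectory
# module and an account with "Reset password" rights on the target OU.
Import-Module ActiveDirectory

$TargetOU  = 'OU=PasswordResetTest,DC=example,DC=com'   # placeholder: your test OU
$OutputCsv = '.\NewPass.csv'                            # placeholder: output file

function Get-SecureRandomIndex {
    # Index in [0, $Max) drawn from the OS CSPRNG. Get-Random is fine for sampling but is
    # not designed for secrets. With 32 random bits and $Max < 100 the modulo bias is negligible.
    param([int]$Max)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    $rng.GetBytes($bytes)
    return [int]([System.BitConverter]::ToUInt32($bytes, 0) % $Max)
}

function New-RandomPassword {
    param([int]$Length = 12)
    # Character classes; 0/O and 1/l/I are left out because these passwords get typed by hand.
    $classes = @(
        [char[]]'abcdefghijkmnopqrstuvwxyz',
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',
        [char[]]'23456789',
        [char[]]'!@#$%^&*-_=+'
    )
    $all = @()
    foreach ($set in $classes) { $all += $set }

    # One character from every class guarantees the mix the comments worried about
    # (a password made only of letters); the rest comes from the whole alphabet.
    $chars = @(foreach ($set in $classes) { $set[(Get-SecureRandomIndex $set.Length)] })
    while ($chars.Count -lt $Length) { $chars += $all[(Get-SecureRandomIndex $all.Length)] }

    # Fisher-Yates shuffle so the guaranteed characters do not always sit in the first four slots.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-SecureRandomIndex ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    return -join $chars
}

$results = foreach ($user in Get-ADUser -Filter * -SearchBase $TargetOU -SearchScope OneLevel) {
    $plain = New-RandomPassword -Length 12
    # -Reset replaces the password without knowing the old one; forcing a change at next
    # logon limits how long the value written to the CSV stays valid.
    Set-ADAccountPassword -Identity $user -Reset `
        -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force)
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    # Objects with named properties export as proper columns; piping a bare string to
    # Export-Csv would only write its Length property.
    [PSCustomObject]@{ SamAccountName = $user.SamAccountName; NewPassword = $plain }
}

$results | Export-Csv -Path $OutputCsv -NoTypeInformation
```

To pick specific users from the OU instead of all of them, replace `-Filter *` with a filter such as `-Filter "SamAccountName -like 'ige*'"`. Append `-WhatIf` to Set-ADAccountPassword for a dry run, and treat the resulting CSV as a secret: it holds plaintext passwords and should be deleted once they have been handed out.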
We receive many questions about how to disable the Exchange ActiveSync feature by default, so that once an email account is created, ActiveSync is disabled for that account. Since this is not configurable either through Exchange server settings or by any script, I will share with you the best-practice workaround for this issue.

We will do the below configuration:
 
  1. Configure on the Exchange server a policy named DisableMobileAccess to allow a maximum of zero mobile devices to connect through ActiveSync or through OWA for devices per user, and apply it on the organization level. Thus, when we create a user with a mailbox, even if the ActiveSync is enabled for it by default, the user will not be able to connect via ActiveSync since the allowed number of devices for him is zero by default! (He will not be able to connect through OWA for Devices feature either.)
     
  2. Configure on the Exchange server a policy named EnableMobileAccess to allow a maximum of a specified number of mobile devices to connect through ActiveSync per user, and apply it on the users level, so for each user we want to grant him an ActiveSync access, we will add his account to that policy, in my example, the specified number will be 50 which is the default number in the default policy settings on the Exchange Server 2013.

To Create the DisableMobileAccess policy, log on to your Exchange Server 2013, open the Exchange …
1
 
Author Comment by Marwan Osman (LVL 7)
Great, thank you
0
Unless you've been hiding under a rock you know that Microsoft will be releasing a new version of Windows this summer (2015). As administrators of Active Directory and managers of group policy we use WMI filtering to set and apply group policy objects to different versions of Windows, clients / servers, desktops and laptops. For instance, we want the policy to be applied only to laptops and not desktops, or to client operating systems and not server operating systems.

The example below might be familiar, as it is a common way to apply a GPO to all versions of Windows after 7. It also automatically works for Windows 8 and Windows 8.1, but it will fail for Windows 10.
select * from Win32_OperatingSystem where Version >= "6.1"
Unfortunately, WMI does the comparison as a string and not a number. This means that Version "10" is actually lower than "6.0", as 1 is lower than 6. So now we have to change our previously working WMI filter to:
select * from Win32_OperatingSystem where Version like "10.%" or Version >= "6.1"
Note: The same is also true for Windows Server 2016, as it has the same OS version number. This is why I've created this new article.

WMI filtering is another tool to put in your Active Directory toolbox.

Order of execution of Group Policy Objects
1. Policies in the hierarchy are located (L-S-D-OU: Local, Site, Domain, OU).
2. WMI filters are checked.
3. Security settings are checked.
4. Only then, after everything has passed, does the policy …
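As an added example (not the article's code), the script below first shows the string-versus-number comparison the article describes on constructed sample Version values, then runs both WQL filters against the local machine so a candidate filter can be checked before it is attached to a GPO. The version strings are constructed samples; the queries use single quotes only because they sit inside PowerShell strings, the GPMC filter editor accepts the double-quoted form shown in the article.

```powershell
# Added example, not the article's code.
$samples = '6.1.7601', '6.3.9600', '10.0.14393'   # constructed sample OS version strings

function Compare-VersionBothWays {
    param([string[]]$Versions)
    foreach ($v in $Versions) {
        [PSCustomObject]@{
            Version     = $v
            # String comparison, which is what the WQL filter does: '1' sorts before '6'
            StringGe61  = $v -ge '6.1'
            # The numeric comparison the filter's author intended
            NumericGe61 = [version]$v -ge [version]'6.1'
        }
    }
}
Compare-VersionBothWays $samples | Format-Table -AutoSize

$filters = @(
    "select * from Win32_OperatingSystem where Version >= '6.1'",
    "select * from Win32_OperatingSystem where Version like '10.%' or Version >= '6.1'"
)
foreach ($wql in $filters) {
    # A WMI filter "passes" on a host when the query returns at least one instance
    $hit = [bool](Get-CimInstance -Query $wql -ErrorAction SilentlyContinue)
    [PSCustomObject]@{ Filter = $wql; PassesOnThisHost = $hit }
}
```

On a Windows 10 or Server 2016 host the first table shows StringGe61 as False and NumericGe61 as True for 10.0.14393, and the second loop shows only the corrected filter passing; on Windows 7 through 8.1 both filters pass.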
5
The Need
In an Active Directory environment, the PDC emulator provides time synchronization for the domain. This is important since Active Directory uses Kerberos for authentication.  By default, if the time difference between systems is off by more than five minutes, network login and authentication fail. I am not sure if anyone has run into this problem or not. There seem to be various reasons for time sync problems, but I found this an odd problem/solution. Recently, as part of the move off of Windows Server 2003 domain controllers, I had to move the FSMO roles from our 2003 DCs to 2008. The 2003 server was set to sync its time, and therefore the domain's, against a Cisco switch. I made a screen capture of the current settings as shown below:

(Figure NTP1.jpg: the original time service settings)

As per a number of Microsoft Knowledge Base articles, I manually configured the new time servers via the command line with the following commands:
 
W32tm /config /manualpeerlist: /syncfromflags:manual /reliable:yes /update
Net stop w32time
Net start w32time

Open in new window


However, two days later, I received a call about authentication problems. It seems the time on all of the systems was off by 20 minutes, even the time on the new PDC Emulator. When running the command:
 
w32tm /query /status

Open in new window

 the server indicated it was performing its synchronization from the local CMOS clock.

(Figure ntp2.jpg: w32tm /query /status showing Local CMOS Clock as the source)

Since this server was running in a virtual environment, my first thought was to verify it was not syncing against the host, which it was not. Next, I checked the configuration via the command line, which also indicated it was receiving the information from the local CMOS clock.

(Figures ntp3.jpg, ntp4.jpg: the time service configuration as queried from the command line)
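The script below is an added example, not the article's code: it queries every domain controller's time source and offset so the "Local CMOS Clock" condition described above is noticed before Kerberos logons start failing. It assumes the RSAT ActiveDirectory module and that w32tm's remote query (RPC) to the DCs is permitted; the NTP peer in the remediation comment is a placeholder. Run it from a machine whose own clock you trust, because /stripchart measures each DC against the local clock.

```powershell
# Added example, not the article's code. Assumes the RSAT ActiveDirectory module and
# RPC access for w32tm to each DC.
Import-Module ActiveDirectory

function Get-DcTimeHealth {
    param(
        [string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName,
        [double]$MaxOffsetSeconds = 300    # Kerberos default clock skew tolerance (5 minutes)
    )
    foreach ($dc in $ComputerName) {
        # Same information as the article's "w32tm /query /status", but queried remotely
        $source = (& w32tm /query /computer:$dc /source 2>&1 | Out-String).Trim()
        # /dataonly prints lines such as "10:15:32, +00.0031250s"; one sample is enough here
        $chart  = & w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>&1 | Out-String
        $offset = if ($chart -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } else { $null }
        [PSCustomObject]@{
            DomainController = $dc
            TimeSource       = $source
            OffsetSeconds    = $offset
            UsesLocalClock   = [bool]($source -match 'Local CMOS Clock')
            OutsideTolerance = ($null -ne $offset) -and ([math]::Abs($offset) -gt $MaxOffsetSeconds)
        }
    }
}

Get-DcTimeHealth | Format-Table -AutoSize

# Remediation belongs on the PDC emulator only (the peer name is a placeholder), as in the article:
#   w32tm /config /manualpeerlist:"ntp.example.com,0x8" /syncfromflags:manual /reliable:yes /update
#   w32tm /resync
```

A DC that reports "Local CMOS Clock" with a small offset is still worth fixing: the offset only grows once the clock free-runs, and the author's 20-minute drift appeared two days after the change. Scheduling this check and alerting on UsesLocalClock or OutsideTolerance catches the drift before the five-minute Kerberos limit is reached.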
6
 

Expert Comment by Narges Doosthosseini
Thanks for your article.
I've added the 0x8 on the registry configuration. After restarting Windows time in services, the time source changes to "Local CMOS CLOCK" again!
0
 
Author Comment by Rodney Barnhardt (LVL 32)
Is this by chance a virtual machine? If so, it may be configured to sync with the host. The setting depends on the type of hypervisor, but that can cause problems on a PDC emulator running NTP if it is set that way.
0
Recently, I got a chance to renew certificates on Active Directory Federation Services (ADFS) servers. I read a lot of articles, but doing it in production is totally different. Hence, I am sharing all the steps I performed to successfully renew/replace the Service Communications, Token-Signing, and Token-Decrypting certificates.

I had four ADFS servers: Two ADFS Proxy in the DMZ and Two ADFS Main Server in a farm with a SQL back-end database.

Step 1. Request New Certificate.
  • Generate a new certificate request with the same primary key from the Primary ADFS Server in your farm. You can use IIS or the Certificates snap-in to generate the new certificate request.

    Note:  You also need root and intermediate certificate.
Step 2. Import New Certificate in Certificate Store.
  • Import the new certificate into the Certificate Store on the ADFS Primary server with its Private Key.
  • Launch MMC > File > Add/Remove Snap-in > Certificates > Add > Computer Account > Local Computer > Finish.
  • Browse to the Personal store and import the certificate.
  • Right-click the new certificate > All Tasks > Manage Private Keys > Add ADFS Service Account > Give Read permission.
  • Browse to the Intermediate Certification Authorities store and import the intermediate certificate.
  • Browse to Trusted Root and import the root certificate.
  • Now export the certificate with its Private Key and import it on the other ADFS server.
    Note: Make sure to add the Service account permission on all ADFS servers. Not required for ADFS Proxy.
Step 3. Apply new Certificate in ADFS snap-in.
  • Login to the Primary ADFS Server.
4
 

Expert Comment by Dimitar Atanasov
Very useful indeed, thank you very much for your efforts to create this detailed guide.
Appreciated!
0
 
Author Comment by Amit (LVL 45)
Thanks for appreciating my efforts.
0
This is a common requirement where IT administrators face the ultimate challenge. How do you lock down a workstation but open up certain functions to make them practical? For instance, the most common requirement is to give users the right to install Local Printers for a mobile workforce (roaming or "road warriors") without opening up the whole domain PC/laptop to full administrative access for that user.
Let's face it: if it were up to us, we wouldn't even let our users power the darn things on! But since we all have jobs to do, including our users, this guide will enable you to deploy a group policy to an organisational unit that will enable the (selected) domain users within that unit to install local printers. (Say they have a beautiful HP inkjet at home they wish to use, or that LaserJet in the remote office they travel to.)

This guide is also suitable for enabling programs that require the creation of a Printer Driver during operation, such as Adobe Acrobat Standard/Professional and Pegasus Opera II Enterprise client (for example). In fact, this guide was written specifically to solve the problem for the latter!

Pre-requisites:
  • Create a Domain Security Group of the desired Domain Users who will be given rights to install the printers e.g. “Printer Users”; add all desired members to this group.
  • Optionally, create a Domain Security Group "Printer Computers" with desired machines/computers as
4

Summary


This procedure describes the steps necessary to backup & recover an entire Windows 2008 R2 forest from bare metal backup images. The source machines can be either physical or virtual, however the restored machine will be virtual. The VM technology used is VMware ESX. This example uses a forest design of an empty root domain with three child domains. We use this procedure in a Disaster Recovery test scenario where we need to re-create Active Directory at the test site.
 
Backup steps:
Issue the 'wbadmin start backup' command on the source DCs
 
Recovery steps:
Create a VM with no OS
Boot the new VM off the Win 2008 R2 DVD
Enter the 'Repair your computer' environment booted off the Win 2008 DVD
Start the networking service and connect to the network location containing the backup image
Execute the restore via the command line
Perform post-recovery steps
 

Backup Procedure


Establish a share on the local LAN of the DC that will receive the bare-metal backup. The share example used below is \\ADBKP.child1.root.com\ADBKP
 
Perform a backup on at least 1 DC from each domain in the forest, preferably 2, by issuing the following command on each DC:
 
wbadmin start backup -backupTarget:\\ADBKP.child1.root.com\ADBKP -allCritical -user:USERNAME -password:PASSWORD -quiet

Recovery Procedure


Prerequisites


Name of machine you will be
3
 
Expert Comment by Felicia King (LVL 4)
Per this TechNet article https://technet.microsoft.com/en-us/library/cc730683(v=WS.10).aspx FRS burflags is set by the restore operation. It's nice to know what the keys and values are. Thanks for sharing.
0
Let me start with a history of how I came to find this information. This history should provide a good example of why this process may be necessary for you.

My organization is part of a state-wide Active Directory system. As a sysadmin for a single, smallish county among 58 counties, my clout to have the state upgrade its system is non-existent. My powers are limited to being an Organizational Unit administrator for my county's OU.

Our county's web security service (a series of proxies run by Cisco) recently disabled support for all versions of SSL and TLS 1.0. 200 users were suddenly unable to use the web. Active Directory 2003 doesn't have the necessary GPO settings to enable TLS 1.1 and 1.2. I had to be tenacious with Microsoft Support that there MUST be a way to get these GPO settings in my 2003 environment. It took escalation to a Tier III Microsoft support engineer to find this information.

If you're still running a Windows 2003 Domain Controller, then you won't have the proper options in that GPO. Here is the way to get Windows Server 2012 GPO's and GPO options in a Windows 2003 Domain:

1.      Have a Windows Server 2012 member server.*
2.      Use the Server Manager to “Add Roles and Features”
3.      Add the Active Directory Domain Services feature, and restart.
4.      Copy all of the files inside your Windows Server 2012’s C:\WINDOWS\PolicyDefinitions\ folder to a Windows 2003 Domain Controller’s C:\WINDOWS\SYSVOL\domain\Policies\PolicyDefinitions\ …
2
 
Author Comment by R. Toby Richards (LVL 5)
Actually, Steps 6 and 7 are only required if you're going to work in the GPMC immediately (before replication occurs). I'll update the article with that; however, the article is not intended as an in-depth look at the concept of the GPO central store. Perhaps that's an idea for an article that you could write. Meanwhile, I will add your link to the article.
0
 
Expert Comment by Mahesh (LVL 41)
Just wanted to highlight that you have not faced the problem due to the 2003 DC server, but due to a GPO central store already deployed in your domain.
As a result, domain controllers start connecting to the central store, and since the required ADMX files are not copied there, you got the problem.
If the GPO central store were not deployed already, ADMX files would get loaded from the 2012 server's local PolicyDefinitions folder and you would never have noticed this issue, as mentioned in my very first comment.
0
