Active Directory
Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


As network administrators, we know how hard it is to track users' logins and logouts using the security event log (BTW, it is harder now in Windows 2008 because the user name is always "N/A" in the grid), and most of us either get 3rd-party tools or just make our own log.

This simple approach can be used to create a log entry whenever a user logs in or out on any network computer, using GPO logon/logoff scripts and the logging provided by IIS.

This tip focuses on using the IIS log instead of writing your own log file, which involves complications like using shares, locking, user rights, etc.

In brief, what you need to do is the following:
1- Make a simple website and host it on any computer (you can use any DC); only one blank .htm page is needed in that site
2- Enable logging for that site
3- Make a logon/logoff script that makes a request to that site
4- Attach and deploy those scripts in the GPO

I will not discuss in detail (maybe in another article if I get the requests) how to do steps 1, 2 and 4, but I will include the script file used, assuming that the dummy site is on 192.168.0.15 port 8595 and the dummy page name is default.htm.

The parameter passed to the script is "LoggedOn" when the script is used as a logon script and "LoggedOut" when it is used as a logoff script; the query string is built in a way that you can treat the log file as comma-delimited when importing it into Excel, for example.

Sample log output:

2011-02-27 12:36:17
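The post shows neither the script nor the resulting log, so here is an added Python example (my code, not the author's) that reads the W3C extended log IIS writes for such a site and turns it into logon/logoff records. It assumes the IIS 7 default field set and a query string of the form LoggedOn,<user>,<computer> (the post only says the string is comma-built); the log lines are constructed, using the date shown above. The caveat worth checking before relying on this for auditing: an anonymous page lets anyone on the network fabricate a logon event with a single GET, so enable Windows Integrated authentication on the dummy site and compare the query string against the cs-username field that IIS fills in itself. The parser flags that mismatch.

```python
"""Turn IIS W3C extended log lines into logon/logoff events.

Assumptions (not from the original post, whose script is not shown):
  * the logon/logoff script requests /default.htm?<Action>,<user>,<computer>
    where <Action> is LoggedOn or LoggedOut;
  * the site uses Windows Integrated authentication, so IIS fills in
    cs-username itself; that field is trustworthy, the query string is
    whatever the client chose to send.
"""
import csv
import io
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# Constructed sample log in the IIS 7 default W3C field order (not real data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2011-02-27 12:36:17
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-02-27 12:36:17 192.168.0.15 GET /default.htm LoggedOn,jdoe,WS01 8595 CORP\\jdoe 192.168.0.101 - 200 0 0 15
2011-02-27 17:02:44 192.168.0.15 GET /default.htm LoggedOut,jdoe,WS01 8595 CORP\\jdoe 192.168.0.101 - 200 0 0 3
2011-02-27 17:05:10 192.168.0.15 GET /default.htm LoggedOn,administrator,DC01 8595 CORP\\mallory 192.168.0.250 - 200 0 0 4
2011-02-27 17:06:00 192.168.0.15 GET /favicon.ico - 8595 - 192.168.0.101 - 404 0 2 1
"""


@dataclass
class LogonEvent:
    timestamp: str
    action: str                 # LoggedOn / LoggedOut, as claimed by the script
    claimed_user: str           # from the query string (client-controlled)
    claimed_host: str           # from the query string (client-controlled)
    client_ip: str              # c-ip, recorded by IIS
    auth_user: Optional[str]    # cs-username, recorded by IIS ("-" -> None)

    @property
    def spoofed(self) -> bool:
        """True when the authenticated identity contradicts the query string."""
        if self.auth_user is None:
            return False        # anonymous site: nothing to compare against
        sam = self.auth_user.rsplit("\\", 1)[-1]
        return sam.casefold() != self.claimed_user.casefold()


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue            # truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def logon_events(lines: Iterable[str], page: str = "/default.htm") -> list:
    """Keep only successful hits on the dummy page whose query has the expected shape."""
    events = []
    for rec in parse_w3c(lines):
        if rec.get("cs-uri-stem", "").lower() != page or rec.get("sc-status") != "200":
            continue
        parts = rec.get("cs-uri-query", "-").split(",")
        if len(parts) != 3 or parts[0] not in ("LoggedOn", "LoggedOut"):
            continue
        user = rec.get("cs-username", "-")
        events.append(LogonEvent(
            timestamp=f"{rec['date']} {rec['time']}",
            action=parts[0], claimed_user=parts[1], claimed_host=parts[2],
            client_ip=rec.get("c-ip", "-"),
            auth_user=None if user == "-" else user))
    return events


def to_csv(events: list) -> str:
    """Comma-delimited output, the form the post suggests importing into Excel."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["timestamp", "action", "user", "computer", "client_ip", "auth_user", "spoofed"])
    for e in events:
        w.writerow([e.timestamp, e.action, e.claimed_user, e.claimed_host,
                    e.client_ip, e.auth_user or "", e.spoofed])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(logon_events(SAMPLE_LOG.splitlines())))
```

Run it as a script to get the comma-delimited output the post describes; the favicon request and any line whose column count does not match the #Fields header are skipped rather than misaligned, and the third sample entry (query string claims "administrator", IIS authenticated CORP\mallory) comes out with spoofed=True.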
I'm sure that every Windows systems administrator has written, or at least used, a batch or VBS login script at some point in their career, whether it is to map network drives, install printers, or set some user preferences.  No more!

With Windows Server 2008 – or, more specifically, the Group Policy Management Console for Vista / Server 2008 – Microsoft introduced Group Policy Preferences.  The server-side configuration can be done in the GPMC in Windows Vista / Server 2008 and above, meaning you don't need Server 2008 to use GP Preferences.  On the client side, the extensions are included natively in Vista and above, and can be installed as an add-on to Windows XP (available here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e60b5c8f-d7dc-4b27-a261-247ce3f6c4f8&displaylang=en).

There's one big difference between standard Group Policy and Group Policy Preferences.  With standard Group Policy, an administrator defines a set of policies that apply to a user or workstation, and they cannot be modified on the client.  An example would be turning on the Windows Firewall.  If this is set by Policy, the ability to turn this off is disabled for users.  On the other hand, Preferences can be modified by the user.  An example of this would be setting the default IE home page.  We can set it to http://www.company.com for all our users, but if they want to change it, they are not prevented from doing so.

To get started, install the Group Policy Management Console,…
Expert Comment
by:brtl1000s
Wattstek: In order for this to work with XP you have to install the optional client-side extension

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3628

run gpupdate and reboot.
Expert Comment
by:Ricardo Martínez
First of all, your article was really helpful. I have a question: do you know how I can create a file through Active Directory policies in a folder with write permission blocked? I can create folders anywhere, but I can't create a file inside them (for example C:\Windows\Myfolder\myfile.txt). The problem is under Windows XP clients. Thanks.
This is my first article on EE and English is not my mother tongue, so if you have any comments or any corrections you would like to make, please feel free to speak up :)

For those of you working with AD, you are already very familiar with the classic MMC snap-in which makes your everyday tasks possible, ADUC (Active Directory Users & Computers). Unfortunately, ADUC still lacks features, especially prior to 2008. I have noticed recently that few System Administrators are familiar with LDP, despite it being as useful as ADSIEdit. Both offer additional access to data that is difficult to see in ADUC.

As Microsoft describes:  “Ldp.exe is a Windows 2000 Support Tools utility you can use to perform Lightweight Directory Access Protocol (LDAP) searches against the Active Directory for specific information given search criteria. This also allows administrators to query data that would otherwise not be visible through the Administrative tools included in the product. All data that is returned in LDP queries, however, is subject to security permissions.”

So basically you can use this to search for specific attributes and specify search criteria in order to find out what you need regarding certain objects. LDP.exe doesn’t take much time to learn and it will help you analyze AD issues. I use it a lot during migrations to locate AD objects. You can also use LDP.exe to view other LDAP catalogs that are not Active Directory.

As I mentioned, I use this in migrations and in …
The saying goes that a bad carpenter blames his tools. In the Directory Services world a bad system administrator, well, even with the best tools they're probably not going to become an all-star. However, for the system admin who is willing to spend a little bit of time and do some learning, these tools can make your life much easier and ease your stress as an Active Directory admin.

In my everyday work I spend a large amount of time working with Active Directory services. This article is written with the Active Directory admin in mind. This is by no means a definitive list of Active Directory tools, merely the ones that I find myself using on an almost daily basis and recommending to others in solutions on this board. For the most part these tools are available for free download.  If you feel that I missed an important tool please feel free to add a post and let everyone know.

The DS series of tools
These Active Directory tools are probably my favorites. This is a set of 6 command-line executables that allow you to query, modify, and delete Active Directory objects from the command line.

These tools come with many others bundled, available free from Microsoft at the following locations depending on your OS.

Windows XP, 2k3 - http://www.microsoft.com/downloads/en/details.aspx?FamilyId=86B71A4F-4122-44AF-BE79-3F101E533D95&displaylang=en 
Windows Vista - …
Expert Comment
by:mrah
Great resource. Some I've used/been using and a couple of new ones to add to the artillery!
Expert Comment
by:Mike Kline
Nice article. Some additional tools that can also come in handy:

Wireshark (or Netmon works too)
SysProSoft's Policy Reporter - great for reading userenv and other log files
PortQry - great scanner to help troubleshoot port issues; telnet is another nice tool in this space
Active Directory Utilities on CodePlex - ReplDiag being a nice one in that set, written by a Microsoft PFE
PAL Tool - another nice tool written by a Microsoft PFE, helps diagnose performance logs
My last post dealt with using Group Policy Preferences to set file associations, a very handy use for a GPP. Today I am going to share another cool GPP trick. This may be a specific scenario, but I run into these situations frequently in my activities.

Currently I am employed by a construction company; at any given time we can have between 30 and 40 small jobsites running. These are usually small field offices of 4-5 users connected either by a site-to-site VPN or an MPLS T1. For the duration of a construction job they work out of this field office, and they expect to be able to perform their job duties the same as if they were sitting in the main office.

In the past, one of the annoying problems we ran into was how to properly deploy and manage printers at these jobsites. We basically had two choices:

1. Install and share the jobsite printer on our print server at the headquarters. This allowed for easy printer installation by the user, but slow printing over the WAN connection and inability to print if that connection ever went down.
2. Configure the printer locally and have users print via TCP/IP. This method allows much faster printing since all the data remains in the LAN; it is also unaffected by a down WAN link. The downside to this is that installation requires administrator rights and must be completed individually per user and printer. A site with 2 printers and 5 users would require 10 printer installations to be completed by a technician.

Using group policy …
Expert Comment
by:Glen Knight
If you have a room with 30 computers in it and you want to apply the printer to all those computers regardless of who logs in, this is a much more efficient way of doing it.
Expert Comment
by:Tech_Services
So to deploy a printer using its IP address in Group Policy, you first must set up a print server and add the printer.

If this is "only used for the initial printer installation after all print jobs will route directly to the TCP/IP printer" as quoted above, and I then disable the print server or it lost its connection, would the PCs' connection to the printer still work, as it was set up using the IP address and not UNC?

Thanks,

Andy
There are two modes of restricted groups GPOs.

1. Replacing mode

2. Additive mode

How do they work?
Replacing mode: Everything (users, groups, computers) that is a member of the local Administrators group will be cleared out. After that, the policy is evaluated and applied. This means: the accounts or groups that are specified in the GPO ("Members of this group") will be added to the local Administrators group of that particular client. The local Administrator always stays in the local Administrators group, even if you don't specify him. The same applies to domain admins.

Additive mode: Every account that is a member of the local Administrators group will stay a member of the group. The group defined in the policy ("Group Name") will be added to the local Administrators group of this particular client that applies the GPO.

How do they work exactly?
Replacing mode: changes the file
\\<dc>\SYSVOL\gurumeditation.local\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
at the position
*S-1-5-32-522__Members = ...
on the domain controller.

This has the following effect: when the group policy is applied, every account or group that isn't specified will be erased from the local Administrators group.
When you have a multilingual setup, the local administrators group can be …
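To see what a Restricted Groups entry will do to a machine before linking the GPO, here is an added Python example (not the article's code) that reads the [Group Membership] section of a GptTmpl.inf and predicts the local Administrators membership after apply. The INF fragment and the domain SIDs are constructed; the Administrators alias it keys on is S-1-5-32-544. Replacing mode is a `<sid>__Members` line (everything not listed is removed, except the built-in Administrator, RID 500, which Windows keeps); additive mode is a `<sid>__Memberof` line that only adds the named group.

```python
"""Predict local Administrators membership after a Restricted Groups GPO applies.

Added example, not from the original article. The INF text and the domain
SIDs below are constructed. Facts used: the local Administrators alias is
S-1-5-32-544; a "<group>__Members" line replaces that group's membership,
a "<group>__Memberof" line only adds <group> to the groups listed.
"""
import configparser

ADMINISTRATORS = "S-1-5-32-544"

# Constructed GptTmpl.inf fragment. SYSVOL stores the file as UTF-16; decode first.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,CORP\\Workstation Admins
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
"""


def parse_group_membership(inf_text: str) -> dict:
    """Return {group: {"members": [...] or None, "memberof": [...]}}.

    Tokens are kept as written minus the '*' SID prefix; a bare name such as
    CORP\\Workstation Admins is resolved by the client at apply time.
    members is None when no __Members line exists for that group, [] when
    the line exists but is empty (which empties the group on the client).
    """
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str            # keep SID case and the '*' prefix intact
    cp.read_string(inf_text)
    groups = {}
    for key, value in cp.items("Group Membership"):
        name, _, mode = key.partition("__")
        entry = groups.setdefault(name.lstrip("*"), {"members": None, "memberof": []})
        tokens = [t.strip().lstrip("*") for t in (value or "").split(",") if t.strip()]
        if mode.lower() == "members":
            entry["members"] = tokens
        elif mode.lower() == "memberof":
            entry["memberof"] = tokens
    return groups


def administrators_after_apply(groups: dict, current_members: set) -> tuple:
    """Return (resulting_members, removed) for the local Administrators group.

    Replacing mode keeps only the listed principals plus any RID-500 account
    already present (Windows will not drop the built-in Administrator).
    Additive entries (X__Memberof containing Administrators) are merged in.
    """
    result = set(current_members)
    removed = set()
    spec = groups.get(ADMINISTRATORS)
    if spec and spec["members"] is not None:           # replacing mode
        keep = set(spec["members"])
        keep |= {m for m in current_members if m.endswith("-500")}
        removed = result - keep
        result = keep
    for name, entry in groups.items():                  # additive mode
        if ADMINISTRATORS in entry["memberof"]:
            result.add(name)
    return result, removed


if __name__ == "__main__":
    # Constructed current membership of one client: local Administrator,
    # Domain Admins, and a local helpdesk account nobody put in the GPO.
    current = {"S-1-5-21-4444444444-5555555555-6666666666-500",
               "S-1-5-21-1111111111-2222222222-3333333333-512",
               "S-1-5-21-4444444444-5555555555-6666666666-1001"}
    after, gone = administrators_after_apply(parse_group_membership(SAMPLE_INF), current)
    print("Administrators after apply:", sorted(after))
    print("Removed by replacing mode :", sorted(gone))
```

In the sample the helpdesk account (RID 1001) is the one that disappears, which is the lockout surprise this mode produces on machines with locally added admins. A `__Members =` line that is present but empty is the related pitfall: it empties the group rather than leaving it alone, so check the parsed `members` value, not just whether the group appears in the file.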
 
Expert Comment
by:Premkumar Yogeswaran
I haven't seen the concept of an "additive restricted group".

Could you share a link for that?
Expert Comment
by:Glen Knight
Premglitz,

It's a fairly basic concept. You either replace or update.

When you look at the properties of the restricted group, you either specify the members of the group you entered, or specify the groups it is a member of.

The "Members of this group" option specifies the members of the group; anything not listed will be removed.

Specifying that the group listed is a member of "another group" will add the group to a group that already exists without modifying the contents of the group.

Which bit are you not clear with?
At some point in your work you may run into a need to globally assign a specific file type to open using a specific program. I recently was tasked with completing this objective. In my case it was setting the TSV file association to open with Excel. Below are the steps to follow if you need to do a similar file extension modification using GPP.

I had originally been hesitant to use GPPs because I thought they required a 2008 domain controller. This is not the case. GPPs can be easily used assuming you meet the prerequisites below.

1. You will need to create the GPP on a Vista, 7, or Server 2008 machine with the Group Policy Management Console available.
2. Your clients will need to have the Group Policy Preferences client-side extensions installed on them. These come installed by default on Vista and 7. For XP you will need to download them here. This update can also be pushed to your clients via WSUS.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e60b5c8f-d7dc-4b27-a261-247ce3f6c4f8&DisplayLang=en
3. Microsoft recommends installing XMLLite on the machine as well. http://www.microsoft.com/downloads/en/results.aspx?pocId=&freetext=XMLLite&DisplayLang=en
I did not have to install this for the GPP to work on my XP machine.

Once you have the 3 prerequisites above covered, simply open up the GPMC. Right-click the Group Policy Objects container and select New, or open an existing group policy.

In the new policy you created navigate to …
Expert Comment
by:HelpDeskGeiger
This was EPIC! I've been trying to get .tif files associated with MODI on a Server 2008 R2 box and I just couldn't find any good information till I checked here. Your guide was exactly what I needed. THANKS!
Expert Comment
by:Josh Libby
Did you have Office installed on the DC where you edited your policy in order to have the associated class available in your drop down?
At least once a month I see a question in one of the Windows Server related zones asking about best practices for GPO security. I have been in IT for 20 years, and a Sys Ad for over 15. I know this will sound cliché, but this is mostly a preference question. I mean, technically, if you want to be secure, you should lock the machine down to the point it would only be good for a boat anchor. I am sure that some DoD security specialist would still think it needs to be coated in concrete after all the cables into it are severed.

I currently work in a division of the DoD.  I will tell you that we are HIGHLY secure on our standards.  No users have administrative rights on their machines.  Technicians who need admin rights have separate accounts which are audited frequently.   In the past I have worked in the Health Care industry as well as the Financial industry.  Each has specific needs.  So, how do you come up with a Best Practice?

First, decide: What are your business' legal needs?

There are many industries that have specific laws applied to them.  The Healthcare industry has to deal with HIPAA.  Publicly traded companies have to deal with SOX.  Government entities have to deal with DISA.  If you do not work in a field with sensitive, regulated data (financial, health, government, etc), you have more leverage, but as a System Administrator you need to make it your business to know your business.  That means you need to know the applicable laws which regulate it.
 
Expert Comment
by:Awinish
Very good article. I like the way of explanation, because there are no best practices for GPO; it depends how we use it for maximum effect with minimum GPOs. Thumbs up for the article.
Author Comment
by:Justin Owens
Thank you, Awinish.  Your kind words are appreciated.
I came across this issue when setting up a two-way forest-level trust, so here's the scenario:

A company, Wildcards, acquired another company, Bizworks (both fictitious).

Wildcards: Windows 2003 domain & forest functional levels - AD domain name: wildcards.com
Exchange Server 2007 - Mail domain: wildcards.com

Bizworks: Windows 2000 domain & forest functional levels - AD domain: bizworks.local
Linux-based mail server - Mail domain: bizworks.com

Both have MX records on the service provider's DNS. Both domains are connected over VPN / MPLS / PTP or any other form.

Since one of the domains was Windows 2000, we decided to create a two-way forest trust, and for DNS resolution we created secondary zones, although with 2003 we could have used conditional forwarders. When this happened, all the emails from Bizworks to Wildcards started getting queued up.

The reason we found was: since Bizworks has the same AD and mail domains, and since we had enabled secondary zones and enabled zone transfers, the secondary zone for wildcards.com on the Bizworks DNS was acting as an authoritative zone and none of the queries were going to the external MX. Now, Exchange does not need an MX on the internal DNS for its own domain; it relies on host records and Active Directory.

Since we cannot create records in the secondary zones, we created an MX record on the primary. Now this gets interesting: we pointed this MX to the public IP. If we create an MX pointing to the internal IP of the Exchange server, …
Expert Comment
by:Dhaval Pandya
As I understand it, you want to make dual entries pointing to the same server through different IPs for link failover.

In such a case I guess you have to set 2 MX records with different priorities, i.e. for the direct connectivity IP you can set a high priority and for the internet link IP you can set a very low priority.

I hope this will help.
Author Comment
by:Kini pradeep
That would be a good strategy if you have multiple (public) IPs. What happens if your DNS server does not query the public DNS at all, as it finds an authoritative zone on the internal DNS server?
One of the major disadvantages of still running XP in production is its lack of Internet Explorer Favourites directory redirection. If your users frequently roam between computers, the usual workaround is to enable Roaming Profiles to have the favourites roam with them. This usually works, until Windows Vista or 7 is introduced into the environment.

The newer Microsoft operating systems from Vista onwards do not support the old, legacy format of the XP profile. Instead, users logging on to a modern OS for the first time will be given a new roaming profile with ".V2" appended to their username in the roaming profile share. This is the version 2 profile, used by Vista up and totally isolated from the XP profile, including total isolation of the data it contains. In a phased roll-out of the newer Microsoft operating systems, you must follow best practices by using folder redirection to redirect user data on all systems to a common network location. This removes the data from the profiles, maintains consistency and ensures the user experience is the same on all network stations, without concerns over which OS is installed and therefore which profile and data the user will have access to. Plus, roaming profiles are just too slow for storing lots of user data anyway.

Unfortunately, Windows XP does not support redirection of the Favourites directory; this support was added in Windows Vista. One workaround I have seen is the built-in Vista redirection configured to …
Expert Comment
by:Awinish
Very Informative..
Author Comment
by:tigermatt
Thanks, Awinish. I appreciate your feedback.

Matt
If you've spent any time administering Active Directory, you've probably come across the concept of Flexible Single Master Operations (FSMO) roles. Their introduction is arguably one of the most important but misunderstood changes to Active Directory in the last ten years.

Take a trip down memory lane

In the days of Windows NT, one may recall the Primary Domain Controller (PDC) and Backup Domain Controller (BDC) concept. The directory was structured such that every DC, whether a PDC or a BDC, had a copy of the directory database, but only the PDC could make changes to that database. The model was inefficient, negatively impacted growth and desperately needed improving if the product had any chance of surviving.

Enter Windows 2000. The Directory Service went through one of its largest scale rebuilds to date. Replication and management was significantly improved and the concept of having a multi-master directory was introduced. Although this design has been tweaked over the years, fundamentally, it has remained the same through the versions - because it works. Any DC anywhere in the domain can execute virtually any update to the directory. This scales beautifully, even on large, geographically dispersed networks with many thousands of users.

However, notice I said virtually any change. Since a change can take effect at any DC, there is the possibility that a conflicting change will be made in two locations …
Expert Comment
by:MidnightOne
The best discussion I've heard on FSMO seizures:

Him: You're the president, I'm the vice president.
Me: Okay.
Him: You have all the stuff you can do (the FSMO roles) that I can't.
Me: Right.
Him: BANG! You're dead, and I get to take over.
Me: Close - what allows the vice-president to take over?
Him: He gets sworn in
Me: Correct - and that's what seizing the roles does - it swears in another domain controller as the FSMO role holder.
Him: So, Nixon leaving office was a role transfer?
Me: And Kennedy being killed was a role seizure.

I have to hand it to him - it's brilliant.
Expert Comment
by:Life1430
Wow Great article
Have you ever wondered why the Administrator account is allowed to do certain things and other accounts aren't? Probably not, unless you're an insomniac like me, but the reason is actually pretty simple, and mastering the ability to assign User Rights, Windows' method of determining which users can do what, can grant system administrators a great deal of control over their environment.

This article will delve deep into the dark reaches of User Rights to give you a good enough understanding of this simple system of user management that you'll be able to build a more secure, stable, and efficient Active Directory environment with little effort at all.

The Place

To control the rights that any user has, you'll need to find the right place to take control of it. The User Rights Assignment section of Windows Policy is where you get to manage this stuff.

To see for yourself, open the default domain controllers Group Policy Object (GPO) or run gpedit.msc. With the policy management window open, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. This part of Windows Policy is where you determine which accounts can do what and which ones can't. Each right listed grants a specific type of operation to any user that is granted a right. When you first look at this section, you'll notice that "Administrators" is listed in almost every line. This is why Administrators can do everything they can do.

The What

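The settings described above are stored in the [Privilege Rights] section of the same GptTmpl.inf that Restricted Groups uses (and in the output of `secedit /export /cfg file.inf` on a single machine), so here is an added Python example (not the article's code) that audits that section for rights which amount to local admin when held by anyone other than Administrators or the built-in service SIDs, and checks whether a service account has been scoped to service logon only. The INF text and the domain SIDs are constructed; the privilege names and well-known SIDs are Windows' own.

```python
"""Audit the [Privilege Rights] section of a GptTmpl.inf / secedit export.

Added example, not from the original article. The INF text and the
S-1-5-21-... SIDs below are constructed; privilege names and well-known
SIDs (Administrators S-1-5-32-544, Backup Operators S-1-5-32-551,
Users S-1-5-32-545, Service S-1-5-6, LocalService S-1-5-19,
NetworkService S-1-5-20) are Windows' own.
"""
import configparser

ADMINISTRATORS = "S-1-5-32-544"

# Rights that let the holder reach local admin (or read/alter anything) if abused.
SENSITIVE_RIGHTS = {
    "SeDebugPrivilege": "read/write any process memory (e.g. LSASS)",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeBackupPrivilege": "read any file regardless of ACL (SAM, NTDS.dit)",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeImpersonatePrivilege": "impersonate authenticated clients",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
    "SeCreateTokenPrivilege": "forge arbitrary access tokens",
}
# Principals expected to hold some of these by default on a stock system.
WELL_KNOWN_OK = {ADMINISTRATORS, "S-1-5-6", "S-1-5-19", "S-1-5-20"}

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1107
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1107
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1107
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
"""


def parse_privilege_rights(inf_text: str) -> dict:
    """{right_name: [principal, ...]} from [Privilege Rights]; '*' SID prefix stripped."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # right names are case-sensitive identifiers
    cp.read_string(inf_text)
    rights = {}
    for right, value in cp.items("Privilege Rights"):
        rights[right] = [t.strip().lstrip("*") for t in value.split(",") if t.strip()]
    return rights


def find_sensitive_grants(rights: dict, allowed: set = WELL_KNOWN_OK) -> list:
    """(right, principal, why) for every sensitive right held outside `allowed`."""
    findings = []
    for right, principals in rights.items():
        if right not in SENSITIVE_RIGHTS:
            continue
        for p in principals:
            if p not in allowed:
                findings.append((right, p, SENSITIVE_RIGHTS[right]))
    return findings


def service_account_check(rights: dict, sid: str) -> dict:
    """A tightly scoped service account logs on as a service and is denied
    the interactive, remote interactive and network logon rights."""
    def has(right: str) -> bool:
        return sid in rights.get(right, [])
    return {
        "service_logon": has("SeServiceLogonRight"),
        "interactive_denied": has("SeDenyInteractiveLogonRight"),
        "remote_interactive_denied": has("SeDenyRemoteInteractiveLogonRight"),
        "network_denied": has("SeDenyNetworkLogonRight"),
    }


if __name__ == "__main__":
    r = parse_privilege_rights(SAMPLE_INF)
    for finding in find_sensitive_grants(r):
        print("%-30s %-50s %s" % finding)
    print(service_account_check(r, "S-1-5-21-1111111111-2222222222-3333333333-1107"))
```

Two findings come out of the sample on purpose: the service account (RID 1107) has been handed SeDebugPrivilege, and Backup Operators (S-1-5-32-551) holds SeBackupPrivilege, which on a domain controller is enough to copy NTDS.dit. The service-account check also shows the account is denied interactive logon but not network or RDP logon, the gap most often left open.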
 
Expert Comment
by:Joseph Moody
I really enjoyed reading this! Setting up a proper service account is cool!
Managing Your Accounts the Right Way

One of the most important roles a Systems Administrator has is user management. Depending on the size of your network, it can be really simple or horribly daunting.  Luckily, there are strategies for handling permissions to accounts, so you don't have to spend your entire life applying permissions to each user.  This is the purpose of Security groups, and there are some best practices associated with handling them.

The Best Practice

Somewhere along the line, back in the age of NT, Microsoft developed a group and account management strategy called AGDLP.  The underlying purpose for this strategy was to handle account access between domains.

Accounts were added to Global groups, and the global groups were added to Domain Local groups.

The Domain Local groups were given permissions to files, processes, and anything else that needed access.  The whole purpose of this strategy was to prevent administrators from having to assign permissions to individual users in each domain (which can take forever in large environments).  With Windows 2000, Microsoft also added the Universal group and AGDLP became AGUDLP.
 
The strategy continues today, in the world of Windows 2008 (if you've gotten there yet).  So let me explain what each of these group types do.

The Skinny on the Group Types

We'll start from the bottom of the list and work our way up in defining the group types.

Local Groups Local groups …
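The excerpt stops before the group-type definitions, so here is an added Python example (not the article's code) that models the three group scopes, flattens nested membership to the accounts that actually get access, and reports where a resource ACL departs from AGDLP. The directory and the ACL are constructed; the nesting rules encoded in ALLOWED_MEMBER_SCOPES are Active Directory's documented ones for a single-domain forest.

```python
"""Resolve nested AD group membership and flag departures from AGDLP.

Added example, not from the article; the directory and ACL below are constructed.
Scope rules encoded (Active Directory's own, single domain shown):
  Global      may contain users and Global groups from its own domain
  Universal   may contain users, Global and Universal groups from the forest
  DomainLocal may contain users, Global, Universal groups from any trusted
              domain and DomainLocal groups from its own domain
AGDLP: Accounts go in Global groups, Global (optionally via Universal) into
Domain Local groups, and Permissions are granted only to Domain Local groups.
"""
from collections import deque

ALLOWED_MEMBER_SCOPES = {
    "Global": {"User", "Global"},
    "Universal": {"User", "Global", "Universal"},
    "DomainLocal": {"User", "Global", "Universal", "DomainLocal"},
}

# Constructed directory: name -> (scope, [direct members]). "User" = an account.
DIRECTORY = {
    "alice": ("User", []), "bob": ("User", []), "carol": ("User", []),
    "G-Finance-Staff": ("Global", ["alice", "bob"]),
    "G-Finance-Mgrs": ("Global", ["carol"]),
    "U-Finance-All": ("Universal", ["G-Finance-Staff", "G-Finance-Mgrs"]),
    "DL-FinanceShare-RW": ("DomainLocal", ["U-Finance-All"]),
    "DL-FinanceShare-RO": ("DomainLocal", ["bob"]),     # account nested directly
}

# Constructed ACL on a file share: principal -> access granted.
FINANCE_SHARE_ACL = {
    "DL-FinanceShare-RW": "Modify",
    "DL-FinanceShare-RO": "Read",
    "G-Finance-Mgrs": "FullControl",     # Global group straight on the ACL
    "carol": "FullControl",              # user ACE
}


def effective_users(group: str, directory: dict = DIRECTORY) -> set:
    """Flatten nested membership to the set of user accounts (cycle-safe)."""
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        _, members = directory[queue.popleft()]
        for m in members:
            if m in seen:
                continue
            seen.add(m)
            if directory[m][0] == "User":
                users.add(m)
            else:
                queue.append(m)
    return users


def nesting_violations(directory: dict = DIRECTORY) -> list:
    """(container, member) pairs that AD itself would refuse to create."""
    bad = []
    for name, (scope, members) in directory.items():
        if scope == "User":
            continue
        for m in members:
            if directory[m][0] not in ALLOWED_MEMBER_SCOPES[scope]:
                bad.append((name, m))
    return bad


def agdlp_findings(acl: dict, directory: dict = DIRECTORY) -> list:
    """Human-readable departures from AGDLP for one resource ACL."""
    findings = []
    for principal, access in acl.items():
        scope = directory[principal][0]
        if scope == "User":
            findings.append(f"{principal}: user granted {access} directly; put the account in a Global group")
        elif scope in ("Global", "Universal"):
            findings.append(f"{principal}: {scope} group on the ACL; nest it in a Domain Local group instead")
    for name, (scope, members) in directory.items():
        if scope == "DomainLocal":
            for m in members:
                if directory[m][0] == "User":
                    findings.append(f"{name}: account {m} nested directly in a Domain Local group")
    return findings


def who_can(acl: dict, directory: dict = DIRECTORY) -> dict:
    """user -> set of access grants that reach them through any ACE."""
    out = {}
    for principal, access in acl.items():
        users = {principal} if directory[principal][0] == "User" else effective_users(principal, directory)
        for u in users:
            out.setdefault(u, set()).add(access)
    return out


if __name__ == "__main__":
    print("RW share users:", sorted(effective_users("DL-FinanceShare-RW")))
    for line in agdlp_findings(FINANCE_SHARE_ACL):
        print(" -", line)
    print(who_can(FINANCE_SHARE_ACL))
```

The point of `who_can` is the one the article is building towards: once accounts are reached only through Domain Local groups, answering "who has access to this share" is a group walk, whereas the two shortcuts in the sample ACL (carol's direct ACE and the Global group) have to be found ACL by ACL.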
 
Expert Comment
by:FunkyBrown
Spells it out pretty solid - the clarification on universal groups is very useful.  An easy mnemonic or memory trick for AGUDLP is to think of Sgt. Pepper's Lonely Hearts Club Band - that was A GUD (good) LP.
Expert Comment
by:DanRollins
Nice! ... but what about "Houses of the Holy" and "Are you Experienced?"  those were also GUD :-)
Hi guys,
I'm going to talk today about ADMT 3.1 and the complete process of migrating user accounts and passwords, supported with snapshots. Active Directory Migration Tool "ADMT 3.1" is the latest version that can be run on Windows 2008.

This task will demonstrate with snapshots the process of setting up ADMT, configuring user migrations, setting up the Password Export Server on the source domain, and migrating users' passwords and SID history.

First step: installing ADMT 3.1 on a Windows 2008 Domain Controller

(Snapshot 1 - installation: Installing ADMT)

The ADMT installation file can be downloaded from here:
    Active Directory Migration Tool version 3.1

During installation, the installation wizard will ask about the database to be used by ADMT. The wizard can use an existing SQL 2005 instance or it can install a new instance of SQL 2005 Express; in our case we chose to install a new SQL 2005 instance.

(Snapshot 2 - SQL setup)

Then, the wizard will prompt us whether we need to import data from any previous ADMT database; since this is a new installation we choose not to import any data.

(Snapshot 3 - import previous settings: Importing previous ADMT data)

Then the installation wizard completes successfully.

(Snapshot 4 - finish installation)

Second Step: Installing Password Export Server

In order to be able to export the users' passwords, we need to install the …
Expert Comment
by:TechGoddess82
Precise documentation! Thanks!
Expert Comment
by:Paul Wagner
The ADMT manual says that you have to migrate service accounts and global groups first. Does this article infer that those steps were already done?
Here is my process for pre-populating a domain profile on a desktop computer WITHOUT having the user login. This works well for those summer replacements when all the teachers are off.

Change ServerName and DomainName, DC=Domain,DC=Domain to your appropriate values or your appropriate OU.  When the user logs in they will have the same desktop folders and data as well as their bookmarks.  It will go through the initial configuring of Internet Explorer, etc., but the saved data will still be there.

User home directory is on the server, but sometimes folks save stuff to the desktop.  Prior to reimaging the machine, I copy Desktop and favorites from the user's profile.

After the script below is run, the Desktop and Favorites folders are copied into the user's profile folder. To create the profile folders and grant rights to the user's AD account I run the following script:
'* Stage Profile written by Scott D 3-31-10
'* Usage: After a machine has been migrated or imaged,
'* this script creates a local profile to which saved data can be copied
'* without the user having to log in first.
'* The script creates the registry entries under
'* HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileGuid
'* and HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
'* in the form of the user's AD GUID and SID.
'* The script also creates the user folder under Documents and Settings.
'* The script copies SubInAcl.exe to the machine and uses it

Author Comment
by:sgdought
Everything that is preceded by a '* is a comment. I thought the comments at the top explained it very well. Feel free to delete it. I just thought that someone searching for pre-staging a profile might find it useful. I found numerous people looking for an answer, but never actually found one, so I thought I would post it here. With all the code comments, it is assumed a VBScripter would be able to customize it.
Expert Comment
by:NewbieTechi
Hi
I tried your script but did not have any luck. I got a "...no domain available..." message after running your script and when I tried to log on.
I am providing the user's logon name as input to the script. The script finds the user account in AD, creates the profile folder and all the registry values properly except HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-x-xx-yyyyyyyyy-zzzzzzzzzz-xxxxxxxxxx-zzzzz\Guid. The HexToDecStr function is not properly converting the GUID value, so instead of the {xxxxxxxx-zzzzz-yyyy-xxxx-zzzzzzzzzzzz} format I am seeing {xxxxxxxxzzzzzyyyyxxxxzzzzzzzzzzzz}, and the left-hand xx & zz strings are not correct. The reason I am saying that is because I did a GUID comparison for the same domain user on two different PCs, one where I ran this script and the other where I actually logged on using that same domain user account.
Any ideas on how to fix this?
Thanks
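The comment above describes exactly the failure a hand-rolled hex-to-string conversion hits: objectGUID is mixed-endian (the first three groups are stored little-endian) and the registry wants it braced and hyphenated, while the ProfileList subkey needs the binary objectSid rendered as S-1-5-21-.... Here is an added Python example (not the article's VBScript) that does both conversions from the raw bytes an LDAP query returns; the sample GUID and SID values are constructed.

```python
"""Convert binary objectGUID / objectSid values into the string forms Windows
writes under HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileGuid
and ...\\ProfileList.

Added example, not the article's script; the sample bytes are constructed.
Facts used: objectGUID is a 16-byte GUID whose first three fields are
little-endian; objectSid is revision (1 byte), sub-authority count (1 byte),
identifier authority (6 bytes, big-endian), then 32-bit little-endian
sub-authorities.
"""
import struct
import uuid


def guid_to_registry_string(raw: bytes) -> str:
    """16-byte objectGUID -> '{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}' as regedit shows it.

    uuid.UUID(bytes_le=...) applies the mixed-endian layout; a naive
    byte-by-byte hex dump gets the first three groups in the wrong order
    and produces no hyphens or braces.
    """
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    return "{%s}" % uuid.UUID(bytes_le=raw)


def sid_to_string(raw: bytes) -> str:
    """Binary objectSid -> 'S-1-5-21-...' (the ProfileList subkey name)."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string, for comparing against a SID read from LDAP."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# Constructed sample values (not from a real directory).
SAMPLE_GUID = bytes.fromhex("78563412" "3412" "7856" "9abc" "def012345678")
SAMPLE_SID = string_to_sid("S-1-5-21-1111111111-2222222222-3333333333-1105")

if __name__ == "__main__":
    print("ProfileGuid key:", guid_to_registry_string(SAMPLE_GUID))   # {12345678-1234-5678-9abc-def012345678}
    print("ProfileList key:", sid_to_string(SAMPLE_SID))
```

Compare the output with the ProfileGuid entry Windows wrote for a user who has really logged on to another machine; if the two differ only in the order of the first three groups, byte order is the bug in the conversion routine.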
Looking at the Forums, I noticed a significant number of people complaining about slow logon speeds.  This can be irritating at the best of times.  However, I always have the feeling that home time is a more valuable time given our crazy pace of life.

So, if you are struggling with slow logons from home, consider the following:
Is your laptop in a domain?
Does it have wireless?
Does your home network IP addressing scheme overlap with your corporation's IP addressing scheme (e.g. RFC 1918 addresses 10.x.y.z, 172.16.y.z - 172.31.y.z, 192.168.y.z)?

If the above are yes, yes & yes, then try disabling your wireless card on your laptop while you are booting it up and logging on from home.  Only turn on your wireless once you are logged on.

After a successful domain logon, information is cached; this means that later a user can log on to the computer with the domain account even if the domain controller that authenticated the user is not available. Because the user has already been authenticated, Windows uses the cached credentials to log the user on locally. For example, if a mobile user logs on to a portable computer that is a domain member with a domain account and then takes the portable computer to a location where the domain is unavailable, Windows will attempt to use the cached credentials from the last successful logon with a domain account to locally log on the user and allocate access to local computer resources.
Where did all of these domains come from?  Why do we need so many domains?  What is the cost of administering each of our domains?  Is there a way around this?

So, first things first. Forget about everything you have at the moment. What would the ideal architecture look like? The ideal goal is "Single Forest, Single Domain". Any decision to deviate from this ideal goal should be thoroughly questioned, as the costs and technical complexity of a multi-forest or multi-domain environment are significant and generally lead to technical catastrophes without a rock-solid Operations Framework. Another way of stating Single Forest, Single Domain might be the following: "Provide a secure, fault tolerant, high performance IT infrastructure to all geographic areas of the organization for as little cost as possible." Strong statement? It's the truth…

What do you really need?  Here are some ideas which include cognisance of your branch offices:

Base Services
•Directory services
•DHCP services
•Name resolution services
•File services
•Print services
•Base client services
•Base management services
Extended Services
•Application services
•Web caching
•Messaging services
•Collaboration services
•Extended management services
•Extended monitoring services
•Branch network access services
Don’t confuse the Physical Architecture with the Logical Architecture.  The Physical Architecture is merely where you place your servers, while the Logical Architecture is “what will …
Expert Comment by zsaurabh:
Unable to find part 2.
There existed a problem in Windows 2000 and Windows Server 2003 prior to Service Pack 1 where the NTDS Settings container was not removed after successful demotion of a domain controller until after 14 days.  This would prevent a domain controller of the same name being introduced into Active Directory.

This problem can also be seen in newer versions of Active Directory Services if the replTopologyStayOfExecution setting has been set, so all domain administrators may benefit from this article.


Cause

Active Directory objects that are deleted are normally moved to the 'Deleted Objects' container.  Attributes that are not required for replication are removed.

The Active Directory object representing domain controllers (nTDSDSA object), however, is not moved to the 'Deleted Objects' container until after 14 days and retains all attributes fully populated.

As the object in Active Directory that represents the domain controller (the nTDSDSA object) is not moved to the 'Deleted Objects' container, but remains in its default location (Configuration container > Sites > sitename > Servers > {servername}) marked as isDeleted=TRUE (and thereby invisible in the user interface), the name of a demoted or deleted domain controller must not be re-used until the nTDSDSA object has been moved to the 'Deleted Objects' container and replication to all domain controllers has completed.


Resolution

It is possible to change the default value of the time …
Expert Comment by Awinish:
Your article solved the problem of one of the users. I knew the answer, but didn't have a document, so I pointed to your article & it worked.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26614850.html

Brilliant..:)

Author Comment by ms-pro:
Super :)
I recently ran into a question where someone wanted to deploy SCOM in two different domains.  The problem was that the two sites they used were two domains, and while they trusted each other, they were not in the same forest.   The person asking the question wanted to install the remote agent at his other site, but the installation was failing.

The solution to the question was to deploy a gateway server at the remote site as described in this Technet Article:

http://technet.microsoft.com/en-us/library/bb432149.aspx

The procedural overview as laid out in that article is to:

1. Request certificates for every computer in the agent, gateway server, management server chain.
2. Import those certificates into the target computers by using the Operations Manager 2007 MOMCertImport.exe tool.
3. Distribute the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe to the management server.
4. Run the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe tool to initiate communication between the management server and the gateway.
5. Install the gateway server.
The detailed directions for each step are laid out there in a simple to understand fashion.
This is actually a very good solution for conditions which require Cross Forest SCOM deployments.  While my personal preference would be to bring both domains into a single forest, there are many reasons (mostly legal or political) to not do so.  In the…
A Little on Standard Group policy Processing
Before we look at how loopback processing works it may be beneficial to have a quick refresh on how standard group policy processing works.

Group Policy Objects (GPO) are a collection of configurable policy settings that are organised as a single object and contain Computer Configuration policies which are applied to computers during Startup and User Configuration policies which are applied to users during logon.


All about Scope
The term in scope is used to refer to any GPO that applies to an object (computer account or user account).

Group policies can be applied at four separate points within a domain structure (Local, Site, Domain and Organisational Unit (OU)) and are applied one after the other in precedence order for each step.

So the in-scope GPOs for an account consist of all Local policy GPOs, all of the Site GPOs, all of the Domain GPOs and all GPOs linked to each OU in the path of the account object. At each stage where a new GPO applies, it overwrites any conflicting settings with its own; the final set of policies applied is known as the Resultant Set of Policies (RSoP) and can be viewed on a client device via the RSoP.msc console.

Any GPO that has been denied Apply rights or filtered out via WMI Filtering is considered to be out of scope.


Why Loopback
The User Group Policy loopback processing mode option available within the computer configuration node …
Expert Comment by Raheman M. Abdul:
Good article

Expert Comment by yo_bee:
I think I am going to flag this and promote your article.
How to manage Active Directory Partition

This article will show you how to create, delete, set replication for and modify partitions with ease. I will also provide some background to give you a better understanding of Application partitions. Here are some quick facts about Active Directory Application Partitions:

Active Directory Application Partitions have their own namespace. For example, if you have a single domain called iris.internal and you create an application partition named App, the namespace would be app.iris.com

You may also set it at the same level as the root domain, such as app.com

You may create child partitions, and the namespace would follow suit. From the above example, if you create an application partition within app called child1, it would be child1.app.iris.com
Note: Windows 2000 does not support Active Directory application partitions.


Creating an Application partition within Active Directory

There are a few ways of creating an Active Directory partition: you can use LDAP commands, NTDSUTIL or ADSIEDIT. We will be using NTDSUTIL as it's a great and easy tool. Now let's break it down.

On the server, open a command prompt and type
NTDSUTIL

Then type
domain management

Connect to the server on which you wish to create the Active Directory partition by typing
connections
connect to server DC1.domainname.com
q

To create a partition, type:
Create NC Application.domainname.com DC1.domainname.com
It happens to all of us.  Once in a while Active Directory information gets a little "out of date".  People tend to change departments, get married and change their last names, change cell phone numbers or change addresses.  Maintaining this information can be a challenge when you have a lot of users, but it can also be very beneficial to an organization as a whole.

This is my little "trick" to bulk updating user attributes and information in Active Directory, based on data from a Microsoft Excel sheet.  The sheet uses formulas to produce a command line.  The command line employs Dsquery.exe and Dsmod.exe, utility programs which are included in the Windows Server 2003 Administration Tools Pack.

An example of a command line to modify a user with these tools might look like this:

dsquery user -samid "DJohns" | dsmod user -tel "555-555-5555"

...so Dsquery.exe finds the user whose "samid" = djohns, and the "DistinguishedName" result is piped directly into Dsmod.exe, where we use the telephone parameter with the new value.

To produce this command line in MS Excel, I primarily use the "Concatenate" function.
In a cell, you can type the formula =CONCATENATE("foo","bar") and the result would be: foobar
This works on cells that contain information too; for example =CONCATENATE(A1,B1,C1) would join the strings in cells A1, B1 and C1.

Example:

=CONCATENATE("dsquery user -samid """,A2,""" | dsmod user -tel """,B2,"""")

The result would be: dsquery user -samid "DJohns" | dsmod user -tel "555-555-5555"
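The same command lines can be generated from the sheet exported as CSV. The following Python script is an added example, not the article's Excel formula; it validates each sAMAccountName and telephone before emitting the dsquery/dsmod line, so a stray quote or pipe in a spreadsheet cell cannot alter the command. The sample rows are constructed.

```python
import csv
import io
import re

# Constructed sample data standing in for the sheet's columns A (samid)
# and B (telephone). Not from the original article.
SAMPLE_CSV = """samid,telephone
DJohns,555-555-5555
ASmith,555-555-0100
bad"user,555-555-0101
"""

# Characters Active Directory does not allow in a sAMAccountName; the same
# set covers the quote and pipe that would break out of the command line.
_FORBIDDEN_SAMID = re.compile(r'[\"/\\\[\]:;|=,+*?<>]')
# Telephone values are restricted to digits and common punctuation.
_TEL_OK = re.compile(r'^[0-9 ()+\-.x]+$')


def build_command(samid: str, telephone: str) -> str:
    """Return one 'dsquery user ... | dsmod user -tel ...' line for a row.

    Raises ValueError for values that are not a plausible sAMAccountName
    or telephone, so spreadsheet garbage never reaches the shell.
    """
    if not samid or len(samid) > 20 or _FORBIDDEN_SAMID.search(samid):
        raise ValueError(f"invalid sAMAccountName: {samid!r}")
    if not _TEL_OK.match(telephone):
        raise ValueError(f"invalid telephone: {telephone!r}")
    # Both values are wrapped in double quotes, mirroring the article's sample.
    return f'dsquery user -samid "{samid}" | dsmod user -tel "{telephone}"'


def build_batch(csv_text: str):
    """Turn the sheet (as CSV text) into (commands, rejected-row messages)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    commands, rejected = [], []
    for row in reader:
        try:
            commands.append(
                build_command(row["samid"].strip(), row["telephone"].strip()))
        except ValueError as exc:
            rejected.append(str(exc))
    return commands, rejected


if __name__ == "__main__":
    cmds, errs = build_batch(SAMPLE_CSV)
    print("\n".join(cmds))
    print("rejected:", errs)
```

Rejected rows are reported rather than silently skipped, so the sheet can be corrected before the batch is run on a domain controller.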
Author Comment by Ron Malmstead:
The functionality for setting a NEW password (-pwd) was intentionally left out of this sheet, but could be added if needed.

Expert Comment by omzz:
There are some third-party tools available to bulk create users and mailboxes.
One such tool is Synchronize from Imanami.

One of the tasks that every Active Directory administrator has to learn is how to remove a failed or offline Domain Controller (DC) from the environment.  The easiest method is to use DCPROMO, however if the DC is already offline or had a catastrophic failure this is not going to be an option.  You also don't want to leave it to the Garbage Collection process as you will have nagging issues within Active Directory (AD).  What you need to do is remove the DC's metadata info from AD.  This involves using a command called NTDSUTIL.  NTDSUTIL is a command line tool that allows you to perform some of the more advanced Active Directory maintenance tasks.

Below are the steps needed to remove a failed or offline Domain Controller from your environment.  I have included additional steps that are needed to remove the leftover data in Active Directory Sites and Services as well as DNS.  Those two areas are often overlooked.

Step by Step Procedure

1. Open the Command Prompt

2. Type:
ntdsutil

(all the commands will be entered via this command prompt)

3. Type:
metadata cleanup

TIP: NTDSUTIL does not require the full command to be entered; you only have to enter enough of the command to be unique.  For example, instead of typing metadata cleanup you could just type met cle or better yet m c.

4. Type:
connections

5. Type:
connect to server <ServerName>

Replace <ServerName> with the name of a functional DC in your environment, even if you are logged in locally.

6. Type:
quit

7. Type:
select operation target

8. Type:
list sites

9. Type:
 
LVL 14

Expert Comment

by:Hedley Phillips
Comment Utility
Hi,

Shouldn't Step 7:

Type select operations target

read:

Type select operation target

0
Hopefully some of you have been playing with Server 2008 R2 while it has been in Beta.  One of the features I'm looking forward to most is the AD Recycle Bin.  Yes, you heard me correctly.  We now have an easy method for restoring accidentally deleted objects.

In the past our only recovery method out of the box was to perform an authoritative restore of an object. That method had several issues that always rubbed me the wrong way.  First you had to be in Directory Services Restore Mode (DSRM).  And ever since Server 2003 we could use tombstone reanimation, but that removed most of the non-link-valued attributes.  This led to additional work after the restore. The default tombstone lifetime was 180 days with Server 2003 and 2008.

[Figure: AD Recycle Bin Disabled]

You are probably already familiar with tombstones and the garbage collection process.  If not, read Gil's excellent article on that here: http://technet.microsoft.com/en-us/magazine/cc137800.aspx.  With Server 2008 R2 you will now need to become aware of Deleted Objects and Recycled Objects.  The first thing to realize here is that the AD Recycle Bin is not enabled by default with Server 2008 R2.  The following steps/requirements must first be met:

Step 1 - Raise the Forest Functional Level to Server 2008 R2
Step 2 - Enable AD Recycle Bin (my example uses PowerShell; get used to it now)
Step 3 - Enable-ADOptionalFeature -Identity "CN=Recycle Bin …
Expert Comment by WaterStreet:
Nice layout and graphics.  What did you use to generate the graphics?

Author Comment by Brian:
PowerPoint 2007 SmartArt.  It's on the Insert tab of the ribbon.
Hi,

It seems that most people face problems with lingering objects in a domain, and because of incorrect troubleshooting of AD replication, the tombstone lifetime problem gets worse.

I request everybody to read the following information to avoid such issues:

Problem: Event ID 2042
You have AD replication issues. Example: 10 DCs and one of them fails to replicate. The box has exceeded the TSL (Tombstone Lifetime) period.

Behaviour
By design, servers do not replicate beyond the tombstone lifetime period, as doing so can introduce lingering objects.

Checks:
Do we have Strict Replication Consistency enabled?
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Value Name: Strict Replication Consistency
Data type: REG_DWORD
Value data: 1
Note: By default, a W2k3 domain upgraded from W2k will have loose replication consistency.

Enable strict replication consistency on all DCs.
More info on: http://technet2.microsoft.com/WindowsServer/en/library/ea3330c4-1d58-457e-9ad6-97f1573999ff1033.mspx?mfr=true

Find out what caused the replication problem. Was it DNS? If yes, you may want to fix that first.

W2k3 domain with W2k3 DCs:
You have two options:
Set Strict Replication Consistency to 1 on all the boxes, and add the following value, also set to 1:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters
REG_DWORD Value: Allow Replication With Divergent…
Expert Comment by alainbryden:
Your article needs to be greatly expanded. You lack context and elaboration, the grammar used is ambiguous and erroneous in some cases, and you jump right into acronyms like AD replication without ever defining them. What is AD replication, what are tombstones, who has to worry about such problems (why only domain users, what kind of domains, how do they creep up?) What defines a replication problem, and why is it a problem? I could go on and on and on. One would have to be an expert in domains just to figure out how to follow the steps you cite, and if they have that much expertise, they probably don't even need the advice. Meet novice users halfway so that they have a chance of making use of your advice.

Expert Comment by GG VP:
Yes, the article needs more in-depth explanation!