Premkumar Yogeswaran's Blog

Active Directory | PowerShell | DNS | DHCP | Exchange Server | VM Ware

Archive for the ‘Active Directory’ Category

Active Directory 2003 & 2008

Get started with Active Directory

Posted by Premkumar Yogeswaran on April 13, 2015


Active Directory Domain Services Overview
http://technet.microsoft.com/en-us/library/hh831484.aspx

What is Active Directory?
http://www.microsoft.com/en-in/server-cloud/windows-server/active-directory-overview.aspx

Active Directory Services Overview (wiki)
http://social.technet.microsoft.com/wiki/contents/articles/1026.active-directory-services-overview.aspx

Microsoft Active Directory: An Introduction (Microsoft Virtual Academy video series)
http://channel9.msdn.com/Series/IntroToAD

Wiki: Active Directory Domain Services (AD DS) Portal (Fantastic!)
http://social.technet.microsoft.com/wiki/contents/articles/13752.wiki-active-directory-domain-services-ad-ds-portal.aspx

Wiki: Active Directory Features in Different Versions of Windows Server
http://social.technet.microsoft.com/wiki/contents/articles/19037.active-directory-features-in-different-versions-of-windows-server.aspx

AskDS / AskPFEPlat

The AskDS blog remains the most amazing place on the internet to find deep technical answers to all of your AD questions. Here are links to some of their best articles related to learning Active Directory. Each of these posts contains links to key Active Directory information that every admin should know.
http://blogs.technet.com/b/askds/archive/2010/07/27/post-graduate-ad-studies.aspx
http://blogs.technet.com/b/askds/archive/2009/01/30/seeing-the-domains-through-the-forest-what-you-need-to-know-to-build-your-career-in-directory-services-technologies.aspx
http://blogs.technet.com/b/askds/archive/2010/06/25/friday-mail-sack-1970-s-conversion-van-edition.aspx (scroll to bottom)
And here are two bonus posts that I couldn’t pass up.
http://blogs.technet.com/b/askds/archive/2011/12/08/effective-troubleshooting.aspx
http://blogs.technet.com/b/askds/archive/2011/09/02/accelerating-your-it-career.aspx

First, Do No Harm (DCPROMO checklist, highly recommended)
http://blogs.technet.com/b/askpfeplat/archive/2012/08/06/first-do-no-harm.aspx

White Paper Downloads

Active Directory Domain Services Operations Guide
http://www.microsoft.com/download/en/details.aspx?id=16849

Best Practice Guide for Securing Active Directory Installations
http://www.microsoft.com/download/en/details.aspx?id=16755

Best Practices for Delegating Active Directory Administration
http://www.microsoft.com/download/en/details.aspx?id=21678

Windows Server 2008: Planning for Active Directory Forest Recovery
http://www.microsoft.com/download/en/details.aspx?id=16506

Windows Server 2003 Active Directory Branch Office Guide
http://www.microsoft.com/download/en/details.aspx?id=5838

Read-Only Domain Controller (RODC) Branch Office Guide
http://www.microsoft.com/download/en/details.aspx?id=3608

Planning and Deploying Read-Only Domain Controllers
http://www.microsoft.com/download/en/details.aspx?id=11003

Infrastructure Planning and Design: Active Directory Domain Services
http://www.microsoft.com/download/en/details.aspx?id=732

Active Directory Migration Tool (ADMT) Guide: Migrating and Restructuring Active Directory Domains
http://www.microsoft.com/download/en/details.aspx?id=19188

TechNet Library

How Active Directory Replication Topology Works
http://technet.microsoft.com/en-us/library/cc755994(WS.10).aspx

How Operations Masters Work
http://technet.microsoft.com/en-us/library/cc780487(WS.10).aspx

How the Windows Time Service Works
http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx

How the Data Store Works
http://technet.microsoft.com/en-us/library/cc772829(WS.10).aspx

Active Directory Maximum Limits – Scalability
http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(WS.10).aspx

How Domain and Forest Trusts Work
http://technet.microsoft.com/en-us/library/cc773178(v=WS.10).aspx

Capacity Planning for Active Directory Domain Services
http://social.technet.microsoft.com/wiki/contents/articles/14355.capacity-planning-for-active-directory-domain-services.aspx

Understanding FSMOs

Phantoms, tombstones and the infrastructure master
http://support.microsoft.com/kb/248047

FSMO placement and optimization on Active Directory domain controllers
http://support.microsoft.com/kb/223346

Windows 2000 Active Directory FSMO roles
http://support.microsoft.com/kb/197132

Support KBs

Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows
http://support.microsoft.com/kb/822158

Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/kb/832017

Things to consider when you host Active Directory domain controllers in virtual hosting environments
http://support.microsoft.com/kb/888794

DNS

How DNS Works
http://technet.microsoft.com/en-us/library/cc772774(WS.10).aspx

How DNS Support for Active Directory Works
http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx

DNS Technical Reference
http://technet.microsoft.com/en-us/library/dd197461(WS.10).aspx

DNS in Small Networks Step-by-Step Guide
http://www.microsoft.com/download/en/details.aspx?id=11156

DNS Best Practices
http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx
Scroll half way down the article.

DNS Scavenging

Managing the aging and scavenging of server data
http://technet.microsoft.com/en-us/library/cc776907(WS.10).aspx

Optimizing your network to keep your DNS squeaky clean
http://blogs.technet.com/b/networking/archive/2009/02/09/optimizing-your-network-to-keep-your-dns-squeaky-clean.aspx

Don’t be afraid of DNS Scavenging. Just be patient.
http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

A Complicated Scenario Regarding DNS and the DC Locator SRVs
http://blogs.technet.com/b/ad/archive/2008/08/08/a-complicated-scenario-regarding-dns-and-the-dc-locator-srvs.aspx

How DNS Scavenging and the DHCP Lease Duration Relate
http://blogs.technet.com/b/askpfe/archive/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate.aspx

PowerShell

Any administrator worth their salt MUST know PowerShell. Here are some great links to help you get started.

Windows PowerShell: Learn It Now Before It’s an Emergency
http://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx
This five-part video series by Ed Wilson, the Microsoft Scripting Guy, is a fantastic place to start.

Windows PowerShell: Scripting Crash Course
http://technet.microsoft.com/en-us/magazine/hh551144.aspx

List of Free PowerShell eBooks
http://www.hofferle.com/archives/624

GoateePFE – PowerShell for Active Directory
http://blogs.technet.com/b/ashleymcglone
Yes. I am promoting my own blog as your source for learning how to use PowerShell with Active Directory.

Miscellaneous

Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)
http://www.microsoft.com/download/en/details.aspx?displayLang=en&id=7887
This download gives you the admin tools on Windows 7. Enable them from Control Panel – Programs – Turn Windows features on or off – Remote Server Administration Tools.

MCITP Certification & Exams
http://www.microsoft.com/learning/en/us/certification/mcitp.aspx#tab2
Use the exam guides linked here for a great list of topics to measure your knowledge. If you see a term you don’t recognize, then study it.

TechNet Virtual Lab: Windows Server 2008 R2: What’s New in Active Directory
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032437246&culture=en-us
This is a free online lab where you can practice with Windows Server 2008 R2 and Active Directory. It includes a 2008 R2 domain controller, a Server Core member server, and a Windows 7 client.

Windows Command Reference
http://www.microsoft.com/download/en/details.aspx?id=2632
Wow! This CHM (compressed HTML) help file contains syntax and examples of nearly every Windows command line utility, including Active Directory commands. Every administrator needs a copy of this. Note: After downloading the file be sure to unblock it (Right click the file, Properties, click the Unblock button, OK). Then you will be able to view the contents.

Posted in Active Directory

Password protected Excel file – Prompt Twice for password for Copy & Original

Posted by Premkumar Yogeswaran on May 14, 2014


Issue:

I recently noticed that every time I open a password protected file in Excel 2010 it prompts for a password for the original file and a password to open a separate copy of the same file! If I want to open a password protected file called, for example, "Books.xlsx", the dialog box pops up to enter my password, then another dialog box pops up asking me to enter the password for "copy of Books.xlsx" also (the copy of the file is whatever your original file name is with the words "copy of" in front). It happens on all my password protected files. This is rather new for me; I have been password protecting files in Excel for the last four versions of Office and have never seen this before. I think it is related to a new update or something because the same thing happens on my laptop. I am running Windows 7 and Office 2010 Home and Business on both computers. Please help! It’s kind of scary!

Resolution:

The Windows Explorer preview pane essentially opens a second instance of the application in order to ‘show’ the file, which is where the second password prompt comes from.
You can quickly toggle the preview pane ON/OFF with [Alt]+P.
Although you could write a routine that tells whether an Excel file is password-protected or not, it would be difficult to make it work together with the preview pane.

Posted in Active Directory

AD Slow Authentication and prompting for credentials again and again

Posted by Premkumar Yogeswaran on May 11, 2014


This is one of the most common issues in a complex Active Directory environment. Before discussing the authentication issue itself, I would like to cover some Active Directory basics: pass-through authentication, the AD secure channel, NTLM and Kerberos.

Pass through authentication

If you have worked in a multi-domain or multi-forest environment, or in one designed with a user forest and a resource forest, you will know the pattern: an Exchange Server resource forest topology has two forests. One forest contains all the user accounts for your organization; this is called the user forest (account forest). The other forest contains no user accounts, only the Exchange Server and disabled user accounts. In simple terms, you have one Active Directory forest where your user accounts live and another Active Directory forest where your applications live (Exchange Server, file server).

In the above scenario, the domain controller that receives the request from the Exchange or file server to verify the user's access must pass the request to a domain controller in the user forest, so there must be a trust between the domain of the server (called the resource domain/forest) and the domain of the user account (called the account domain/forest).

A user from Domain A tries to access an application on a server in Domain B. The application server in Domain B does not have the user's details, so it checks with its local domain controller in Domain B through the workstation secure channel; the domain controller in Domain B then checks with a domain controller in Domain A through the trusted domain secure channel, and Domain A returns the authentication result to Domain B. This is called pass-through authentication, since the user's authentication request is passed through to the user's own domain.

Secure Channel

I have mentioned the secure channel; what is a secure channel? It is a communication channel that provides a more secure communication path between the domain controller and the workstations or member servers. It is also used to retrieve domain-specific information and to handle NTLM authentication pass-through to the domain controller, or from DC to DC for the same purpose.

When two forests or domains are connected through a forest trust or domain trust, the trust is established with a shared secret (called a trust password) that the domain controllers in the two domains use to compute the session key that protects the secure channel traffic. Using this secure channel, the DC in the resource domain can pass logon requests securely to the DC in the account domain, in the same way that the member server passed the logon request to the former DC. The secure channel between DCs in two domains connected by a trust relationship is called a trusted domain secure channel; in contrast, the secure channel between a member server and the DC in the resource domain is called a workstation secure channel.

When a computer is joined to the domain, a computer account is created in Active Directory and a password is generated for it. The computer account password is changed every 30 days and is stored both on the computer and on the domain controller. When the computer powers on, the Netlogon service on the computer authenticates with the computer account password against the password held by the domain controller and establishes a secure channel with that DC; in the same way, a member server creates a secure channel with the DC that authenticated it.

On a domain controller, the Netlogon service sets up secure channels with all trusted domains (one domain controller in each trusted domain). You can check this using the nltest command.

To check the current secure channel to a particular domain:

nltest /sc_query:<DomainName>

To reset the secure channel to a different domain controller (this selects a domain controller at random):

nltest /sc_reset:<DomainName>

To reset the secure channel to a particular domain controller:

nltest /sc_reset:<DomainName>\<DomainControllerName>

Replace <DomainName> and <DomainControllerName> as required.

To run the query against a remote server, add:

/server:<ServerName>
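The nltest commands above are easiest to use one domain at a time. The following PowerShell function is an added example, not part of the original post: it wraps nltest /sc_query (and the optional /server: switch) so the secure channels to several trusted domains can be checked in one pass and the result used in a script. The parsing assumes the two lines nltest prints for a query ("Trusted DC Name \\..." and "Trusted DC Connection Status Status = 0 0x0 NERR_Success"); the domain names in the usage line are constructed placeholders.

```powershell
# Added example, not part of the original post. Wraps "nltest /sc_query" (and
# the optional "/server:" switch) so the secure channel to one or more trusted
# domains can be checked in a single pass. Parsing assumes the two lines
# nltest prints for a query:
#   Trusted DC Name \\dc1.corp.example.com
#   Trusted DC Connection Status Status = 0 0x0 NERR_Success
# Domain names in the usage line are constructed placeholders.
function Get-SecureChannelStatus {
    param(
        [Parameter(Mandatory = $true)][string[]]$Domain,
        [string]$Server      # optional remote computer, passed as nltest /server:
    )
    foreach ($d in $Domain) {
        $nlArgs = @("/sc_query:$d")
        if ($Server) { $nlArgs += "/server:$Server" }
        $out = & nltest @nlArgs 2>&1 | Out-String

        # Which DC the channel currently points at
        $trustedDc = if ($out -match 'Trusted DC Name\s+\\\\(\S+)') { $Matches[1] } else { $null }
        # Symbolic status from "Status = <dec> <hex> <NAME>"
        $status = if ($out -match 'Connection Status Status = \d+ 0x[0-9A-Fa-f]+ (\S+)') { $Matches[1] } else { 'UNKNOWN' }

        [pscustomobject]@{
            Computer  = if ($Server) { $Server } else { $env:COMPUTERNAME }
            Domain    = $d
            TrustedDC = $trustedDc
            Status    = $status
            Healthy   = ($status -eq 'NERR_Success')
        }
    }
}

# Usage: check this server's channel to its own domain and to a trusted domain
Get-SecureChannelStatus -Domain 'corp.example.com', 'partner.example.com' |
    Format-Table -AutoSize

# Channels reported unhealthy can then be re-established with
# "nltest /sc_reset:<DomainName>" as described above; for the local computer's
# own domain, Test-ComputerSecureChannel -Repair does the same from PowerShell.
```

Run it on the proxy server or member server whose authentication is slow and on the DC it talks to; a channel whose Status is anything other than NERR_Success, or whose TrustedDC is a DC in a remote site, is worth fixing before looking further.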

NTLM and Kerberos

NTLM and Kerberos are the protocols used for authentication. We all know NTLM is the older protocol and Kerberos is the newer one. Kerberos can impersonate a user when trusted, so there is no need to contact a domain controller every time access to a resource is authenticated. If the client is logged on to a domain, the browser never prompts the user for credentials; it simply uses the user’s default logon credentials.

Are we not using NTLM any more? No, there are still areas where we have to use NTLM for the sake of compatibility, such as RPC over HTTP to connect to an Exchange mailbox, or ISA web proxy servers. Let’s go deeper into how it works:

The client opens a URL in the browser.

The client browser sends a request to the proxy server with integrated authentication credentials.

The proxy server needs to verify the user credentials, so it sends an authentication request to the domain controller it has a secure channel with.

That domain controller responds to the proxy server.

The proxy server answers the client with the requested internet page.

This seems simple. However, for each web connection from a client, the proxy server needs to verify the user’s credentials by sending an authentication request to the DC, which produces a high volume of NTLM authentication.

Now think of the same scenario in a multi-domain/forest environment, with the user in one forest and the proxy server in another: this increases the NTLM pass-through authentication traffic.

NTLM authentication is handled by the Netlogon service, which passes NTLM authentication requests to a domain controller that can handle them and receives them on that domain controller to be handled. You can enable debug logging for the Netlogon service to see what happens on the proxy server or domain controller, such as which user is being authenticated against which domain controller.

A number of threads service these authentication requests, that is, the number of concurrent NTLM authentications the server can process. The default is typically 1, meaning there is one thread to hand off, receive and process these requests. This can be reconfigured through MaxConcurrentApi.

Each MaxConcurrentApi thread can only deal with one authentication at a time; in a normal scenario this is very quick. But a high volume of authentication transactions handled by one or two threads (the default) becomes a bottleneck, which results in delays, and the authentication request has to wait longer than a remote client can tolerate.

Because of this delay, the client browser shows a credential prompt rather than the web page the user wants to open. This may be the cause of slow authentication and repeated credential prompts.

We can resolve this by increasing the MaxConcurrentApi value on the proxy server. In a multi-domain/forest environment we may also need to increase the MaxConcurrentApi value on the resource forest domain controllers; it depends on the configuration.

First we have to understand the current issue:

Enable the Netlogon logs on the proxy server and on the domain controller that authenticates the proxy server (the DC the proxy server has its secure channel with).

Analyse the log for authentication failures and delays.

We can monitor the current secure channel traffic through Perfmon by adding the counters Semaphore Waiters, Semaphore Holders, Semaphore Acquires, Semaphore Timeouts and Average Semaphore Hold Time:

Log on to the domain controller that authenticates the proxy server.

Open Perfmon, add counters, and select Netlogon as the performance object.

Then select Average Semaphore Hold Time.

If you do not find these counters, you need to install the hotfix from http://support.microsoft.com/kb/928576, which adds new performance counters for Windows Server 2003.

Average Semaphore Hold Time should normally be very low. Longer hold times mean that a potential bottleneck is occurring: the authentication process is delayed, the authentication request has to wait longer than a remote client can tolerate, authentication slows down, and the user is prompted for credentials to re-initiate the authentication process.

To calculate MaxConcurrentApi for your environment, see:

http://support.microsoft.com/kb/2688798

Depending on the outcome, you should either add more servers to service the legacy authentication load or increase the MaxConcurrentApi registry value.

Warning rules:

Average Semaphore Hold Time > 0.2 should be a yellow warning.

Average Semaphore Hold Time > 0 should be a red warning.

Semaphore Waiters > 1 should be a yellow warning.

Semaphore Waiters > 4 should be a red warning.

Any Semaphore Timeouts is a red warning.
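Watching these counters in the Perfmon GUI works for one DC; the following PowerShell function is an added example, not part of the original post, that samples the same Netlogon counters with Get-Counter and grades each secure channel instance with the warning rules listed above. The counter paths are assumed to be the ones the Netlogon performance object exposes (one instance per secure channel, plus _Total), the threshold defaults are the post's own values (override them to match your baseline), and Semaphore Acquires and Semaphore Timeouts are running totals since the Netlogon service started.

```powershell
# Added example, not part of the original post. Samples the Netlogon
# semaphore counters (Perfmon object "Netlogon", one instance per secure
# channel) and grades each instance with the post's warning rules.
# Threshold defaults are the post's values; override them for your baseline.
function Get-NetlogonSemaphoreGrade {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$SampleInterval = 5,     # seconds between samples
        [int]$MaxSamples = 6,
        [double]$HoldYellow = 0.2,    # Average Semaphore Hold Time (seconds)
        [double]$HoldRed = 0,
        [int]$WaitersYellow = 1,
        [int]$WaitersRed = 4
    )
    $paths = @(
        '\Netlogon(*)\Semaphore Waiters',
        '\Netlogon(*)\Semaphore Holders',
        '\Netlogon(*)\Semaphore Acquires',
        '\Netlogon(*)\Semaphore Timeouts',
        '\Netlogon(*)\Average Semaphore Hold Time'
    )
    $sets = Get-Counter -ComputerName $ComputerName -Counter $paths `
                        -SampleInterval $SampleInterval -MaxSamples $MaxSamples

    foreach ($set in $sets) {
        # Group the five counters of one sample by secure-channel instance
        foreach ($g in ($set.CounterSamples | Group-Object InstanceName)) {
            $v = @{}
            foreach ($s in $g.Group) {
                # Counter name is the last path segment, e.g. "semaphore waiters"
                $name = ($s.Path.ToLower() -split '\\')[-1]
                $v[$name] = $s.CookedValue
            }
            $hold     = [double]$v['average semaphore hold time']
            $waiters  = [int]$v['semaphore waiters']
            $timeouts = [int]$v['semaphore timeouts']   # running total since service start

            # Apply the post's rules: red overrides yellow
            $grade = 'Green'
            if ($waiters -gt $WaitersYellow -or $hold -gt $HoldYellow) { $grade = 'Yellow' }
            if ($waiters -gt $WaitersRed -or $hold -gt $HoldRed -or $timeouts -gt 0) { $grade = 'Red' }

            [pscustomobject]@{
                Timestamp = $set.Timestamp
                Computer  = $ComputerName
                Instance  = $g.Name
                Waiters   = $waiters
                Holders   = [int]$v['semaphore holders']
                Acquires  = [int]$v['semaphore acquires']
                Timeouts  = $timeouts
                HoldTime  = $hold
                Grade     = $grade
            }
        }
    }
}

# Usage: sample the DC that authenticates the proxy for 30 seconds and show
# only the channels that need attention
Get-NetlogonSemaphoreGrade -SampleInterval 5 -MaxSamples 6 |
    Where-Object { $_.Grade -ne 'Green' } |
    Format-Table Timestamp, Instance, Waiters, Timeouts, HoldTime, Grade -AutoSize
```

Run it on the proxy server and on the DC it has its secure channel with; a persistent Yellow or Red on the instance for the account domain is the signature of the MaxConcurrentApi bottleneck described above, while a Red on only one channel usually points at that trust or that partner DC rather than at the thread count.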

Conclusion:

Slow authentication can be due to many things: client-to-DC connectivity, the network, subnet and site configuration, DNS SRV record configuration, profiles, logon scripts and GPOs. So you have to analyse properly to find the root cause. This is one of the scenarios I have faced many times in a complex environment; I hope it helps you understand Active Directory authentication and the troubleshooting procedure. See you soon in another article.

Source:

http://www.windowstricks.in/2013/12/ad-slow-authentication-and-prompting.html

Posted in Active Directory

Active directory Troubleshooting (Part1 – Diagnostics Logging)

Posted by Premkumar Yogeswaran on May 11, 2014


When troubleshooting Active Directory issues such as authentication failures, performance problems and logon problems, we can use different methods to monitor AD. I will discuss enabling diagnostics logging, adding the related counters in Performance Monitor, and enabling debug logging for the Netlogon service.

As an Active Directory administrator, have you ever been asked questions like: how many search operations did Active Directory perform, and who searched from which server? How many secure channel connections are there, and to which domain and domain controller? How many Kerberos authentications per second does the server handle? How many LDAP client sessions are connected?

You may have these questions yourself while troubleshooting, or someone may ask them of you in order to resolve an issue; I am going to discuss how to find the answers.

Active Directory Diagnostics logging

To get more data about the directory service we have to enable Active Directory diagnostics logging on the respective domain controllers in the registry (HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\).

The values below exist under the Diagnostics key. When enabled, each one writes additional events to the DC event log to assist with troubleshooting. You can set these values from zero to five; the default is zero, meaning minimal verbosity, and five will log more than you want. Normally I use four (five if required).

Note: Make sure to reset the value to zero when troubleshooting is completed

The most common values for Active Directory Diagnostics logging:

  • 1 Knowledge Consistency Checker
  • 10 Performance Counters
  • 13 Name Resolution (this is DNS related)
  • 15 Field Engineering
  • 18 Global Catalog
  • 2 Security Events
  • 5 Replication Events
  • 8 Directory Access
  • 9 Internal Processing

I have used the 15 Field Engineering value many times to find inefficient LDAP queries, including the client that was the source of the query, the query string and the search base. This is important because one of the headaches related to AD is the LSASS process (Local Security Authority Subsystem Service) using up enough resources to hang or crash a DC and cause client logon delays. Inefficient LDAP queries from a user, an application or a Linux client logon put a huge load on LSASS. Enabling this diagnostic log quickly identifies the affected system or IP address in your network that is causing the problem, so you know which system is searching AD (querying information from AD) and what it is searching for. This helps you find the root cause of the issue; it has helped me on many occasions.

Example Events:

You will receive Event ID 1643 if the 15 Field Engineering value is set to 4:

Event Type: Information
Event Source: NTDS General
Event Category: Field Engineering
Event ID: 1643
Date: 28/05/2012
Time: 1:35:26 p.m.
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: server1
Description:

Internal event: Active Directory performed the following number of search operations within this time interval.

Time interval (hours):
12

Number of search operations:
30937

During this time interval, the following number of search operations were characterized as either expensive or inefficient.

Expensive search operations:0

Inefficient search operations:0

You will receive Event ID 1644 if the 15 Field Engineering value is set to 5.

With the value set to 5 you will see an event entry for each search against the directory that breaches the expensive and/or inefficient search thresholds:

Event Type: Information
Event Source: NTDS General
Event Category: Field Engineering
Event ID: 1644
Date: 28/05/2012
Time: 10:06:25 a.m.
User: TM\Administrator
Computer: server1
Description:
Internal event: A client issued a search operation with the following options.

Client:
192.168.100.1

Starting node:
DC=test,DC=com

Filter: ( & (objectClass=user) (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=test,DC=com) (sn=z*) )

Search scope:

subtree

Attribute selection:

sAMAccountName

Server controls:

Visited entries:

24579

Returned entries:

25

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
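Reading the 1644 events one by one in Event Viewer does not scale once a chatty client is hammering the DC. The following PowerShell is an added example, not part of the original post: one helper sets the 15 Field Engineering value in the NTDS Diagnostics key (and puts it back to zero afterwards, as the note above asks), and one reads the 1644 events from the Directory Service log and ranks client/filter pairs by the total number of entries visited, which is the load they put on LSASS. It assumes Windows Server 2008 or later (for Get-WinEvent), an elevated session on the DC, and the 1644 message layout shown in the sample event above ("Client:", "Starting node:", "Filter:", "Visited entries:", "Returned entries:").

```powershell
# Added example, not part of the original post.
# Assumes Windows Server 2008 or later (Get-WinEvent), an elevated session on
# the DC, and the 1644 message layout from the sample event above.

$DiagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Set "15 Field Engineering": 0 = off (default), 4 = summary event 1643,
# 5 = one event 1644 per expensive/inefficient search. Returns the new value.
function Set-FieldEngineeringLogging {
    param([Parameter(Mandatory = $true)][ValidateRange(0, 5)][int]$Level)
    Set-ItemProperty -Path $DiagKey -Name '15 Field Engineering' -Value $Level -Type DWord
    (Get-ItemProperty -Path $DiagKey -Name '15 Field Engineering').'15 Field Engineering'
}

# Parse the 1644 events written since $Since and rank (client, filter) pairs
# by the total number of entries visited.
function Get-ExpensiveLdapSearchSummary {
    param(
        [datetime]$Since = (Get-Date).AddHours(-12),
        [int]$Top = 10
    )
    $filter = @{ LogName = 'Directory Service'; Id = 1644; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $m = $e.Message
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Client   = if ($m -match 'Client:\s*(\S+)')           { $Matches[1] } else { '?' }
            Base     = if ($m -match 'Starting node:\s*(\S+)')    { $Matches[1] } else { '?' }
            Filter   = if ($m -match 'Filter:\s*(.+)')            { $Matches[1].Trim() } else { '?' }
            Visited  = if ($m -match 'Visited entries:\s*(\d+)')  { [int]$Matches[1] } else { 0 }
            Returned = if ($m -match 'Returned entries:\s*(\d+)') { [int]$Matches[1] } else { 0 }
        }
    }

    $rows | Group-Object Client, Filter | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Client        = $first.Client
            Base          = $first.Base
            Filter        = $first.Filter
            Searches      = $_.Count
            VisitedTotal  = ($_.Group | Measure-Object Visited -Sum).Sum
            ReturnedTotal = ($_.Group | Measure-Object Returned -Sum).Sum
        }
    } | Sort-Object VisitedTotal -Descending | Select-Object -First $Top
}

# Usage, in the order the post describes (enable, reproduce, analyse, reset):
#   Set-FieldEngineeringLogging -Level 5
#   ... let the problem reproduce ...
#   Get-ExpensiveLdapSearchSummary -Since (Get-Date).AddHours(-1) | Format-Table -AutoSize
#   Set-FieldEngineeringLogging -Level 0
```

A high VisitedTotal with a low ReturnedTotal for one client and filter (for example a subtree search on an unindexed attribute such as the sn=z* filter in the sample event) is exactly the inefficient query the post describes; the Client column tells you which machine to look at.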

Conclusion:

Note that you will not see any of these events in the event log until you have enabled diagnostics logging by modifying the registry.

Similarly, for replication troubleshooting you can enable 1 Knowledge Consistency Checker and 5 Replication Events. The 9 Internal Processing value gives additional details for DS events that indicate an internal error has occurred; this will often produce additional events that aid in diagnosing the problem.

Come back for the next part of the Active Directory troubleshooting article. I hope this helps.

Source:

http://www.windowstricks.in/2013/06/active-directory-troubleshooting-part1.html

Posted in Active Directory

Windows Server 2008 Step-by-Step Guides

Posted by Premkumar Yogeswaran on December 27, 2013


Microsoft has provided guides which can be downloaded from its site.
Below is the link for the Windows Server 2008 Step-by-Step Guides:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=518d870c-fa3e-4f6a-97f5-acaf31de6dce

Posted in Active Directory

Microsoft Webcasts

Posted by Premkumar Yogeswaran on December 27, 2013


Microsoft Webcasts are great resources, freely available to anyone with a thirst for learning. This is an honest attempt to share some webcasts which helped me a lot to understand Active Directory Services. These webcasts can be downloaded using a Windows Live ID.

Active Directory Fundamentals

http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032264002&EventCategory=5&culture=en-US&CountryCode=US

Active Directory Logical Concepts

http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032316691

Active Directory Physical Concepts

http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032316700

Installing and Managing DNS

http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032259127&EventCategory=5&culture=en-US&CountryCode=US

DNS Features and Configuration

http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?culture=en-US&EventID=1032259129&CountryCode=US

Active Directory Replication and the Operations Masters Role

http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?culture=en-US&EventID=1032259125&CountryCode=US

Group Policy Management Console and Software Restriction

http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?culture=en-US&EventID=1032259135&CountryCode=US

Replication Features and Forest to Forest Trusts

http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?culture=en-US&EventID=1032259135&CountryCode=US

Deployment and Interoperability with NT 4.0 and Windows 2000

http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?culture=en-US&EventID=1032259135&CountryCode=US

Posted in Active Directory

Create Delegation using dnscmd command

Posted by Premkumar Yogeswaran on December 19, 2013


The following illustrates creating a new delegation on the command line using the dnscmd command.
1. Assume the DNS zone to which the new delegation record needs to be added is "myrootdns.com", the child domain to be delegated is "subdomain.myrootdns.com", the new authoritative server for the delegated zone "subdomain.myrootdns.com" is "dnsserver", and the FQDN of "dnsserver" is "dnsserver.myrootdns.com".
2. Now run the following command on the DNS server hosting the parent zone "myrootdns.com" (or put that server's name before /RecordAdd) to create the new delegation:

dnscmd /RecordAdd myrootdns.com subdomain NS dnsserver.myrootdns.com

This creates the "subdomain" node in the "myrootdns.com" DNS zone, carrying an NS record that points at dnsserver.myrootdns.com.
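Creating the NS record is only half of a delegation: if the named server does not actually host the child zone, the result is a lame delegation and every lookup below it fails. The following PowerShell is an added example, not part of the original post, that runs the delegation command from step 2 against the local DNS server and then verifies both halves, using the post's own example names.

```powershell
# Added example, not part of the original post. Creates the delegation with
# the dnscmd command above (against the local DNS server, which hosts the
# parent zone) and then checks that the delegation is not lame: the parent
# node must carry the NS record, and the named server must actually answer
# authoritatively for the child zone. Names are the post's example values.
$ParentZone = 'myrootdns.com'
$ChildNode  = 'subdomain'
$ChildZone  = "$ChildNode.$ParentZone"
$ChildNS    = 'dnsserver.myrootdns.com'

# 1. Create the delegation (NS record at the "subdomain" node of the parent zone)
dnscmd /RecordAdd $ParentZone $ChildNode NS $ChildNS
if ($LASTEXITCODE -ne 0) { throw "dnscmd /RecordAdd failed (exit code $LASTEXITCODE)" }

# 2. The parent zone must now list the NS record under that node
$nsRecords = dnscmd /EnumRecords $ParentZone $ChildNode /Type NS | Out-String
if ($nsRecords -notmatch [regex]::Escape($ChildNS)) {
    throw "No NS record for $ChildNS found at $ChildNode in $ParentZone"
}

# 3. The delegated server must answer for the child zone itself; ask it for
#    the zone's SOA. If it does not, the delegation is lame.
$soa = nslookup -type=SOA $ChildZone $ChildNS 2>&1 | Out-String
if ($soa -match 'primary name server') {
    Write-Host "Delegation $ChildZone -> $ChildNS looks good"
}
else {
    Write-Warning ("$ChildNS is not authoritative for $ChildZone; create the zone there first, e.g. " +
                   "dnscmd $ChildNS /ZoneAdd $ChildZone /Primary /File $ChildZone.dns")
}
```

Run it from an elevated prompt on the parent zone's DNS server; the order matters, because a delegation that is published before the child zone exists on the target server will already be lame for any client that caches the NS answer.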

Posted in Active Directory

Repadmin Examples

Posted by Premkumar Yogeswaran on December 19, 2013


Example 1: Display the replication partners of a server

The following example uses the showrepl operation of Repadmin to display the replication partners of Server1. This command is also used to find the objectGUID and InvocationID for a server for use with other operations.

No parameters are required for the showrepl operation. A remote connection is assumed; therefore, the server name (DC in the syntax) is included.

Type the following at the command prompt:

repadmin /showrepl server1.microsoft.com

Press Enter and the following output is displayed:


repadmin /showrepl server1.microsoft.com
Building7a\server1
DC Options : IS_GC
Site Options: (none)
DC object GUID : 405db077-1e28-4825-b225-c5bb9af6f50b
DC invocationID: 405db077-1e28-4825-b225-c5bb9af6f50b
==== INBOUND NEIGHBORS ======================================
CN=Schema,CN=Configuration,DC=microsoft,Dc=com
 Building7b\server2 via RPC
 objectGuid: e55c6c75-75bb-485a-a0d3-020a44c3afe7
 last attempt @ 2002-09-09 12:25.35 was successful.
CN=Configuration,DC=microsoft,Dc=com
 Building7b\server2 via RPC
 objectGuid: e55c6c75-75bb-485a-a0d3-020a44c3afe7
 last attempt @ 2002-09-09 12:25.10 was successful.
DC=microsoft,Dc=com
 Building7b\server2 via RPC
 objectGuid: e55c6c75-75bb-485a-a0d3-020a44c3afe7
 last attempt @ 2001-09-09 12:25.11 was successful.
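The showrepl listing above is easy to read for one DC with two partners, but not for a forest with dozens. The following PowerShell function is an added example, not part of the original post or of the repadmin documentation: it runs repadmin /showrepl with the /csv switch, which emits one row per inbound neighbour and naming context, and lists only the partners whose last attempt failed or whose last success is older than a threshold. The CSV column names used ("Destination DSA", "Source DSA", "Naming Context", "Number of Failures", "Last Failure Status", "Last Success Time") are assumed from repadmin's CSV output; check them against your build if the function returns nothing.

```powershell
# Added example, not part of the original post. Sweeps "repadmin /showrepl
# <DC_LIST> /csv" and reports inbound partners with failures or stale
# replication. Column names are assumed from repadmin's CSV output.
function Get-ReplicationProblems {
    param(
        [string]$DcList = '*',     # any repadmin DC_LIST: a DC name, a site, or '*'
        [int]$MaxAgeHours = 3
    )
    $rows   = repadmin /showrepl $DcList /csv | ConvertFrom-Csv
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)

    foreach ($r in $rows) {
        $failures = [int]$r.'Number of Failures'
        # "-as [datetime]" yields $null instead of throwing on "0" or an odd format
        $lastOk   = $r.'Last Success Time' -as [datetime]
        $stale    = (-not $lastOk) -or ($lastOk -lt $cutoff)

        if ($failures -gt 0 -or $stale) {
            [pscustomobject]@{
                Destination   = $r.'Destination DSA'
                Source        = $r.'Source DSA'
                NamingContext = $r.'Naming Context'
                Failures      = $failures
                LastStatus    = $r.'Last Failure Status'
                LastSuccess   = $lastOk
            }
        }
    }
}

# Usage: every DC in the forest, flag anything not replicated in the last 3 hours
Get-ReplicationProblems -DcList '*' -MaxAgeHours 3 |
    Sort-Object Failures -Descending |
    Format-Table -AutoSize
```

A non-zero Failures count with a LastStatus of 8453 or 5 (access denied) on a single partner usually points at a secure channel or trust problem on that pair, whereas the same status on every partner of one destination points at that DC itself; the Source/Destination pair in each row is the one to feed into repadmin /replicate (Example 2) once the cause is fixed.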

Example 2: Initiate a replication event between two replication partners

The following example uses the replicate operation of Repadmin to make Server2 initiate replication of the domain directory partition for microsoft.com from Server1. In this example, Server1 is the source server and Server2 is the destination server.

The required parameters for the replicate operation are the name of the server that will receive changes (DestDC in the syntax), the name of the directory partition (NamingContext in the syntax), and the name of the server that will send the changes (SrcDC in the syntax).

Type the following at the command prompt:

repadmin /replicate server2.microsoft.com server1.microsoft.com dc=microsoft,dc=com

Press Enter and the following output is displayed:


server2.microsoft.com
Sync from server1.microsoft.com to server2.microsoft.com completed successfully.

Example 3: Initiate a replication event for a specified directory partition with all of its replication partners

The following example uses the syncall operation of Repadmin to make Server1 initiate replication of the domain directory partition for microsoft.com from all of its source replication partners in the same site and to make all of the source replication partners initiate replication for microsoft.com from all of their source replication partners in the same site, and so on.

The required parameter for the syncall operation is the server name (DC in the syntax). The name of the directory partition (NamingContext in the syntax) that will be synchronized is also included in this example. If this name is not included, only the configuration partition is synchronized.

Type the following at the command prompt:

repadmin /syncall server1.microsoft.com dc=microsoft,dc=com

Press Enter and the following output is displayed:


repadmin /syncall server1 dc=microsoft,dc=com
Syncing partition: dc=microsoft,dc=com
CALLBACK MESSAGE: The following replication is in progress:
 From: fea22f1d-a456-4f70-aa06-bedbda29e7eb._msdcs.microsoft.com
 To : 5c02bcaf-86d9-4bed-811e-d17a5cebf8bb._msdcs.microsoft.com
CALLBACK MESSAGE: The following replication completed successfully:
 From: fea22f1d-a456-4f70-aa06-bedbda29e7eb._msdcs.microsoft.com
 To : 5c02bcaf-86d9-4bed-811e-d17a5cebf8bb._msdcs.microsoft.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

Example 4: Display the highest Update Sequence Number on a server

The following example uses the showutdvec operation of Repadmin to show the highest USNs for a specified directory partition on each replication partner. In this example, there are only two replication partners and the directory partition is the domain directory partition for the microsoft.com domain.

The only required parameter for the showutdvec operation is the distinguished name of the directory partition (NamingContext in the syntax). A remote connection is assumed so a server name (DC_LIST in the syntax) is also included.

Type the following at the command prompt:

repadmin /showutdvec . dc=microsoft,dc=com server2.microsoft.com

Press Enter and the following output is displayed:


repadmin running command /showutdvec against server localhost
Caching GUIDs.
..
Building7b\Server1 @ USN 295458 @ Time 2002-09-09 19:33:42
Building7b\Server2 @ USN 338194 @ Time 2002-09-09 19:38:16

Example 5: View unreplicated changes between two servers

The following example uses the showchanges operation of Repadmin to view changes that have not yet replicated between Server1 and Server2. In this example Server1 is the source server and is sending the changes while Server2 is the destination server and is receiving the changes.

This is one implementation of the showchanges operation. For another implementation of this operation see Example 6: Create a file to determine what changes have occurred over a period of time.

The required parameters for this version of the showchanges operation are the objectGuid of the directory partition on the source server (referred to as SourceDCObjectGUID in the syntax line) and the name of the directory partition (referred to in the syntax line as NamingContext). A remote connection is assumed so the destination server name (referred to in the syntax line as DestDC) is also included.

Type the following at the command prompt:

repadmin /showchanges server2.microsoft.com 5c02bcaf-86d9-4bed-811e-d17a5cebf8bb dc=microsoft,dc=com

Press Enter and the following output is displayed:

server2.microsoft.com
Building starting position from destination server rktlabdc2.rktlabdom.com
Source Neighbor:
dc=microsoft,dc=com
==== INBOUND NEIGHBORS ======================================
dc=microsoft,dc=com
 Building7b\Server1 via RPC
 DC object GUID: 5c02bcaf-86d9-4bed-811e-d17a5cebf8bb
 Address: 5c02bcaf-86d9-4bed-811e-d17a5cebf8bb._msdcs.microsoft.com
 DC invocationID: 064152bc-f8e8-404f-bd64-cdd9bb3958cb
 SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
 USNs: 296048/OU, 296048/PU
 Last attempt @ 2002-09-09 20:03:53 was successful.
Destination's up-to-date vector:
064152bc-f8e8-404f-bd64-cdd9bb3958cb @ USN 296163
fea22f1d-a456-4f70-aa06-bedbda29e7eb @ USN 338287
==== SOURCE DC: 5c02bcaf-86d9-4bed-811e-d17a5cebf8bb._msdcs.microsoft.com ====
No Changes

Example 6: Create a file to determine what changes have occurred over a period of time

The following example uses the showchanges operation of Repadmin to create a file that records replication changes. By running the showchanges operation later, you can compare the file created earlier to the current replication state.

This is one implementation of the showchanges operation. For another implementation of this operation see Example 5: View unreplicated changes between two servers.

The only required parameter for this version of the showchanges operation is the name of the directory partition (NamingContext in the syntax) on which the check should be performed. In this example, the check is performed remotely so the server name (SourceDC in the syntax) is included as well as the /cookie: parameter, along with the name of the file to be created.

Type the following at the command prompt:

repadmin /showchanges dc=microsoft,dc=com server2.microsoft.com /cookie:microsoft.txt

Press Enter and the following output is displayed:

pDcList->szSp.. server2
Using cookie from file test.txt (132 bytes)
==== SOURCE DC: server2 ====
Objects returned: 2
(0) modify CN=00000000000000000000000000000000,CN=VolumeTable,CN=FileLinks,CN=Sy
stem,DC=rktlabdom,DC=com
 1> objectGUID: c4955e2f-ab7c-4f96-bdb6-bf29b97ce3df
 1> instanceType: 0x4 = ( IT_WRITE )
 1> seqNotification: 130
(1) modify DC=..SerialNo-server1.microsoft.com,DC=microsoft.com,CN=MicrosoftDN
S,CN=System,DC=microsoft,DC=com
 1> objectGUID: 0422b130-bf39-4549-aeea-64ed264d10c2
 1> instanceType: 0x4 = ( IT_WRITE )
 1> dnsRecord: <32 byte blob>
New cookie written to file microsoft.txt (132 bytes)

Example 7: Display the connection objects for a server

The following example uses the showconn operation of Repadmin to show connection objects for a server.

No parameters are required for the showconn operation. In this example, a remote connection is assumed so the server name (DC_LIST in the syntax) is specified. All connection objects for Server2 are shown.

Type the following at the command prompt:

repadmin /showconn server2.microsoft.com

Press Enter and the following output is displayed:

repadmin running command /showconn against server server2.microsoft.com
Show Connection Objects
Base DN: CN=Building7b,CN=Sites,CN=Configuration,DC=microsoftDc=com
==== KCC CONNECTION OBJECTS ============================================
Connection --
 Connection name : b415ba00-8d8d-429b-8a3d-21fd06a99a6c
 Server DNS name : server2.microsoft.com
 Server DN name : CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Building7b,CN=Sites,CN=Configuration,DC=microsoft,DC=com
 Source: Building7b\Server2
 No Failures.
 TransportType: intrasite RPC
 options: isGenerated
 Reason: RingTopology
 Replica link has been added.
 ReplicatesNC: DC=DomainDnsZones,DC=microsoft,DC=com
 Reason: RingTopology
 Replica link has been added.
 ReplicatesNC: CN=Configuration,DC=microsoft,DC=com
 Reason: RingTopology
 Replica link has been added.
 ReplicatesNC: DC=microsoft,DC=com
 Reason: RingTopology
 Replica link has been added.
 ReplicatesNC: CN=Schema,CN=Configuration,DC=microsoft,DC=com
 Reason: RingTopology
 Replica link has been added.
Connection --
 Connection name : 2357ff7a-4e54-46e2-a387-2e35b0560ab7
 Server DNS name : server2.microsoft.com
 Server DN name : CN=NTDS Settings,CN=RKTLABDC2,CN=Servers,CN=Building7b,CN=Sites,CN=Configuration,DC=microsoft,DC=com
 Source: Building7b\Server2
 No Failures.
 TransportType: intrasite RPC
 options: isGenerated
 ReplicatesNC: DC=DomainDnsZones,DC=microsoft,DC=com
 Reason: RingTopology
 Replica link has been added.
 ReplicatesNC: DC=ForestDnsZones,DC=microsoft,DC=com
 Reason: RingTopology
 Replica link has been added.
 ReplicatesNC: CN=Configuration,DC=microsoft,DC=com
 Reason: RingTopology
 Replica link has been added.
 ReplicatesNC: DC=microsoft,DC=com
 Reason: RingTopology
 Replica link has been added.
 ReplicatesNC: CN=Schema,CN=Configuration,DC=microsoft,DC=com
 Reason: RingTopology
 Replica link has been added.
2 connections found.

Example 8: Display the replication signature for a server

The following example uses the showsig operation of Repadmin to show the replication signature for a server.

No parameters are required for the showsig operation. In this example, a remote connection is assumed so the server name (DC_LIST in the syntax) is specified.

Type the following at the command prompt:

repadmin /showsig server1.microsoft.com

Press Enter and the following output is displayed:

server1.microsoft.com
Building7a\server1
Current DC invocationID: 415db077-1e28-4588-b255-c5bb9af6f50b (current)
No retired signatures.

Example 9: Display the context handles for the replication process

The following example uses the showctx operation of Repadmin to show the open connections to the server that are established by remote servers.

No parameters are required for the showctx operation. This example specifies the server name (DC_LIST in the syntax) on which the check should be performed.

Type the following at the command prompt:

repadmin /showctx server2.microsoft.com

Press Enter and the following output is displayed:

server1.microsoft.com
Caching GUIDs.
..
3 open context handles.
NTDSAPI client @ 10.193.36.209 (PID 1528) (Handle 0x20b8a38)
 bound, refs=1, last used 2002-09-09 14:21:41
Building7a\Server1 @ 10.193.36.210 (PID 460) (Handle 0x20b8c40)
 bound, refs=1, last used 2002-09-09 14:23:22
NTDSAPI client @ 10.193.36.210 (PID 2976) (Handle 0x20bb960)
 bound, refs=2, last used 2002-09-09 14:23:28

Example 10: Showing the replication status of a forest using replsummary and wildcard characters

The following example uses the replsummary operation and a wildcard character to show a summary of the replication status for all the domain controllers in the forest with a name beginning with ‘FOURTH’.

Type the following at the command prompt:

repadmin /replsummary FOURTH*

Press Enter and the following output is displayed:

repadmin /replsummary FOURTH*
Replication Summary Start Time: 2002-09-18 14:54:49
Beginning data collection for replication summary, this may take awhile:
Source DC largest delta fails/total %% error
 FOURTH-CLT-DC-01 54m:57s 0 / 9 0
 FOURTH-DC-05 41m:23s 0 / 175 0
 FOURTH-DC-06 55m:08s 0 / 66 0
 FOURTH-DC-07 09m:29s 0 / 97 0
 FOURTH-DC-08 18h:05m:02s 56 / 56 100 (1722) The RPC server is unavailable.
 FOURTH-DC-09 56m:47s 0 / 12 0
 FOURTH-DC-10 55m:10s 0 / 13 0
 FOURTH-DC-11 56m:48s 0 / 46 0
 FOURTH-DC-12 57m:09s 0 / 34 0
 FOURTH-DC-13 55m:52s 0 / 64 0
 FOURTH-DC-14 55m:52s 0 / 85 0
 FOURTH-DC-15 09m:21s 0 / 50 0
 FOURTH-DC-16 58m:02s 0 / 37 0
 FOURTH-DC-17 57m:00s 0 / 48 0
 FOURTH-DC-18 57m:00s 0 / 22 0
 FOURTH-DC-19 58m:02s 0 / 22 0
 FOURTH-DC-20 08m:05s 0 / 22 0
 FOURTH-DC-21 05m:43s 0 / 22 0
 FOURTH-DC-22 09h:06m:29s 0 / 199 0
 FOURTH-DC-23 09m:29s 0 / 34 0
 FOURTH-DC-24 56m:48s 0 / 184 0
 FOURTH-DC-25 41m:22s 0 / 71 0
 FOURTH-DC-26 08m:16s 0 / 108 0
 FOURTH-DC-30 55m:13s 0 / 47 0
 FOURTH-DC-31 41m:23s 0 / 56 0
 FOURTH-SVC-DC-40 57m:02s 0 / 9 0
 FOURTH-TK-DC-27 07m:02s 0 / 54 0
 FOURTH-TK-DC-28 08m:01s 1 / 161 0 (8461) The replication operation was preempted.
 FOURTH-TK-DC-29 55m:10s 0 / 115 0
 
Experienced the following operational errors trying to retrieve replication information:
 58 - fourth-dc-08.fourthcoffee.com
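The replsummary table above is the single most useful health check in this list, but reading it by eye across dozens of DCs is how a failing DC such as FOURTH-DC-08 gets missed for 18 hours. The following PowerShell is an added example written for this post (not from the article or from Microsoft): it turns the text repadmin prints into objects and flags the sources a defender should look at first. The function names are mine, the parsing assumes the row layout shown above (name, largest delta, fails / total, percent, optional error code and message) plus the "operational errors" list at the end, and the sample text is a constructed subset of the output above.

```powershell
# Added example: parse "repadmin /replsummary" output and flag failing,
# stale or unreachable domain controllers. For live data replace the
# sample with:  $text = repadmin /replsummary FOURTH* | Out-String

function ConvertTo-DeltaTimeSpan {
    param([string]$Delta)
    # repadmin prints the largest delta as e.g. "54m:57s", "18h:05m:02s" or
    # "03d.02h:15m:22s"; anything else (such as ">60 days") comes back as
    # $null so the caller can flag it instead of silently ignoring it.
    if ($Delta -match '^(?:(?<d>\d+)d\.)?(?:(?<h>\d+)h:)?(?:(?<m>\d+)m:)?(?<s>\d+)s$') {
        $d = if ($Matches.d) { [int]$Matches.d } else { 0 }
        $h = if ($Matches.h) { [int]$Matches.h } else { 0 }
        $m = if ($Matches.m) { [int]$Matches.m } else { 0 }
        return New-TimeSpan -Days $d -Hours $h -Minutes $m -Seconds ([int]$Matches.s)
    }
    return $null
}

function ConvertFrom-ReplSummary {
    param([Parameter(Mandatory)][string]$Text)
    # One row per source DC; the trailing "(code) message" part is optional.
    $rowPattern   = '^\s*(?<DC>\S+)\s+(?<Delta>\S+(?:\s+days)?)\s+(?<Fails>\d+)\s+/\s+(?<Total>\d+)\s+(?<Pct>\d+)(?:\s+\((?<Code>\d+)\)\s+(?<Msg>.*\S))?\s*$'
    # Lines under "Experienced the following operational errors": "58 - dc.fqdn"
    $opErrPattern = '^\s*(?<Code>\d+)\s+-\s+(?<DC>\S+)\s*$'
    $rows = @(); $opErrors = @()
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match $rowPattern) {
            $m = $Matches   # keep a copy before calling a helper that also uses -match
            $rows += [pscustomobject]@{
                DC        = $m.DC
                Delta     = ConvertTo-DeltaTimeSpan $m.Delta
                DeltaText = $m.Delta
                Fails     = [int]$m.Fails
                Total     = [int]$m.Total
                Percent   = [int]$m.Pct
                ErrorCode = if ($m.Code) { [int]$m.Code } else { $null }
                Message   = $m.Msg
            }
        } elseif ($line -match $opErrPattern) {
            $opErrors += [pscustomobject]@{ DC = $Matches.DC; Code = [int]$Matches.Code }
        }
    }
    [pscustomobject]@{ Rows = $rows; OperationalErrors = $opErrors }
}

function Get-ReplicationConcerns {
    param(
        [Parameter(Mandatory)]$Summary,
        # Tune to the slowest site-link schedule in the forest.
        [timespan]$MaxDelta = (New-TimeSpan -Hours 3)
    )
    $concerns = @()
    foreach ($r in $Summary.Rows) {
        $why = @()
        if ($r.Fails -gt 0)              { $why += "$($r.Fails)/$($r.Total) attempts failed" }
        if ($null -ne $r.ErrorCode)      { $why += "last error $($r.ErrorCode): $($r.Message)" }
        if ($null -eq $r.Delta)          { $why += "unparseable delta '$($r.DeltaText)'" }
        elseif ($r.Delta -gt $MaxDelta)  { $why += "no successful inbound replication for $($r.DeltaText)" }
        if ($why.Count -gt 0) {
            $concerns += [pscustomobject]@{ DC = $r.DC; Reasons = ($why -join '; ') }
        }
    }
    foreach ($e in $Summary.OperationalErrors) {
        $concerns += [pscustomobject]@{ DC = $e.DC; Reasons = "repadmin could not query this DC (Win32 error $($e.Code))" }
    }
    return $concerns
}

# Constructed sample, a subset of the output shown above.
$SampleSummary = @"
Replication Summary Start Time: 2002-09-18 14:54:49
Beginning data collection for replication summary, this may take awhile:
Source DC largest delta fails/total %% error
 FOURTH-CLT-DC-01 54m:57s 0 / 9 0
 FOURTH-DC-08 18h:05m:02s 56 / 56 100 (1722) The RPC server is unavailable.
 FOURTH-DC-22 09h:06m:29s 0 / 199 0
 FOURTH-TK-DC-28 08m:01s 1 / 161 0 (8461) The replication operation was preempted.
 FOURTH-TK-DC-29 55m:10s 0 / 115 0

Experienced the following operational errors trying to retrieve replication information:
 58 - fourth-dc-08.fourthcoffee.com
"@

$summary = ConvertFrom-ReplSummary $SampleSummary
Get-ReplicationConcerns $summary | Format-Table -AutoSize -Wrap
```

On the sample this reports FOURTH-DC-08 (every attempt failed, RPC unavailable, 18 hours stale), FOURTH-DC-22 (past the 3-hour threshold), FOURTH-TK-DC-28 (one preempted attempt) and the unreachable fourth-dc-08.fourthcoffee.com. A single 8461 preemption is normally transient, so a scheduled run should raise only on DCs that appear in consecutive reports; the RPC-unavailable case is the one to act on immediately, since a DC that cannot be reached is also a DC whose security changes (password resets, group membership changes) are not converging.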

Example 11: Showing the attributes of a specific object

The following example uses the showattr operation to show the attributes of a specific object in Active Directory.

Type the following at the command prompt:

repadmin /showattr fsmo_dnm: ncobj:config: /subtree /filter:(objectClass=crossRef) /atts:nCName,dnsRoot,netbiosname,systemFlags /homeserver:FOURTH-DC-26

Press Enter and the following output is displayed:

repadmin running command /showattr against server aseanl-test2.fourthcoffee.com
DN: CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=fourthcoffee,DC=com
 1> nCName: CN=Configuration,DC=fourthcoffee,DC=com
 1> dnsRoot: fourthcoffee.com
 1> systemFlags: 0x1 = ( FLAG_CR_NTDS_NC )
DN: CN=fourthcoffee,CN=Partitions,CN=Configuration,DC=fourthcoffee,DC=com
 1> nCName: DC=fourthcoffee,DC=com
 1> dnsRoot: fourthcoffee.com
 1> systemFlags: 0x3 = ( FLAG_CR_NTDS_NC | FLAG_CR_NTDS_DOMAIN )
DN: CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=fourthcoffee,DC=com
 1> nCName: CN=Schema,CN=Configuration,DC=fourthcoffee,DC=com
 1> dnsRoot: fourthcoffee.com
 1> systemFlags: 0x1 = ( FLAG_CR_NTDS_NC )
DN: CN=866c366e-7877-49e5-8121-67eefd488551,CN=Partitions,CN=Configuration,DC=fourthcoffee,DC=com
 1> nCName: DC=DomainDnsZones,DC=fourthcoffee,DC=com
 1> dnsRoot: DomainDnsZones.fourthcoffee.com
 1> systemFlags: 0x5 = ( FLAG_CR_NTDS_NC | FLAG_CR_NTDS_NOT_GC_REPLICATED )
DN: CN=a07b7cea-1754-478c-84a5-c7b127ba5024,CN=Partitions,CN=Configuration,DC=fourthcoffee,DC=com
 1> nCName: DC=ForestDnsZones,DC=fourthcoffee,DC=com
 1> dnsRoot: ForestDnsZones.fourthcoffee.com
 1> systemFlags: 0x5 = ( FLAG_CR_NTDS_NC | FLAG_CR_NTDS_NOT_GC_REPLICATED )

Posted in Active Directory | Leave a Comment »

The Case of the Two IT Pros: the Magician and the Fireman

Posted by Premkumar Yogeswaran on December 9, 2013


There are two types of IT professionals: magicians and firemen. When I first started in IT, I was a fireman. I enjoyed the never-ending problems and that Superman-like feeling when I saved the day with just seconds to spare. After a few years, I realized that I wasn’t making any progress. I was still fixing the same problems every day. I felt chained to the helpdesk. I realized that my work style was completely wrong!

Are you a Magician or a Fireman?

The easiest way to define yourself is to look at how you spend the majority of your day. Day in and day out, the fireman will run from one problem to the next, always fixing problems but rarely really solving them. This barrage of issues dictates a reactive work style. If you were to clump most of their daily tasks together, the tasks would be urgent but not important.

The magician will spend most of the day working remotely, automating processes, and introducing efficiency. As problems are automated (and forever fixed), more time is made available to automate. This rather pleasant cycle lends itself to a proactive and flexible work style. If you were to clump most of their daily tasks together, the tasks would be important but not urgent.

Both types have overlap. Unanticipated problems will ruin any magician’s day. And a fireman will have that all too rare day where nothing breaks. If you are a fireman, you might be wondering how to be a magician. The secret is compounding time. The more problems you automate, the more time you will have to automate!

Funny Effects with Sleight of Hand

For a practical example, let’s see the power of compounding time. You help dozens of users every day. On average, it takes you three minutes to get a computer name from a user, and you have to ask six users a day for their computer name. That is 18 minutes a day spent on finding this single piece of information. If you work 260 days a year, you will spend two work weeks on just finding computer names! Imagine how much you could get done if it took only 10 seconds to find a computer name.

By making small changes like this, you slowly start to see your day getting easier. You suddenly start to feel like you are getting ahead of issues and actually making progress! But here is the crucial step in this whole process: any time saved must be used to save more time. If you script a process that saves you an hour a week, that hour must be used to script another process or to learn a new tool. Otherwise, your up-front effort is wasted!

When you compound time for a few months, you will notice a few funny effects. First, your day will be a lot less stressful! Second, you will enjoy your work quite a bit more. Finally, you might start to worry about your job.


Can I Work Myself Out of a Job?

This is a topic often debated within our profession. My firm belief is that it is possible to work yourself out of a job if two conditions exist. First, you continue to automate but never show what you are doing. As with any job, you must show results to remain relevant.

An easy way to show results is to focus your projects on end user problems. Figure out a way to save a department time and show that department what you’ve done. By doing this, you will quickly gain staff members that sing your praises every day!

The second condition is to have idiotic management. It is possible to have a manager that thinks, “Well, no huge problems have popped up lately and our budget has been cut. Guess I will have to let someone go.” If that person was you, consider yourself lucky! You have spent time learning incredibly valuable skills like scripting, Group Policy, deployments, etc. Where your co-workers might have spent the day goofing off, you developed some serious talent! With this toolset, you have the ability to work anywhere (and probably get a raise in the process)!

So Where Do You Fall?

The times, they are a-changing. The world of IT is becoming more and more automated. Because of this, I believe that the magician style of work is the easiest way to stay ahead of changes and trends. So where do you fall on this spectrum? Do you think I am right or wrong about this breakdown? Are there other roles or work styles that I completely missed?

Posted in Active Directory | 2 Comments »

Active Directory – ADUC and LDAP Attributes reference

Posted by Premkumar Yogeswaran on November 13, 2013


ADUC Field | LDAP Attribute Name | ADUC Tab
Account expires | accountExpires | Account
Account is locked out | lockoutTime | Account
Logon Hours | logonHours | Account
User logon name (pre-Windows 2000) | sAMAccountName | Account
Account options | userAccountControl | Account
User logon name | userPrincipalName | Account
Log On To | userWorkstations | Account
Country/region | c | Address
Country/region | co | Address
Country/region | countryCode | Address
City | l | Address
Zip/Postal Code | postalCode | Address
P.O. Box | postOfficeBox | Address
State/province | st | Address
Street | streetAddress | Address
Description | description | General
Display name | displayName | General
First name | givenName | General
Initials | initials | General
E-mail | mail | General
Phone Number (Others) | otherTelephone | General
Office | physicalDeliveryOfficeName | General
Last name | sn | General
Telephone number | telephoneNumber | General
Web Page Address (Others) | url | General
Web page | wWWHomePage | General
Member of | memberOf | Member Of
Primary group | primaryGroupID | Member Of
Canonical name of object | canonicalName | Object
Object class | objectClass | Object
Update Sequence Numbers (USNs)/Current | uSNChanged | Object
Update Sequence Numbers (USNs)/Original USN | uSNCreated | Object
Modified | whenChanged | Object
Created | whenCreated | Object
Company | company | Organization
Department | department | Organization
Direct reports | directReports | Organization
Manager | manager | Organization
Job Title | title | Organization
Home folder: Local path | homeDirectory | Profile
Home folder: Connect | homeDrive | Profile
User profile: Profile path | profilePath | Profile
User profile: Logon script | scriptPath | Profile
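The Account tab attributes in the table are the ones that need decoding before they mean anything: "Account expires" and "Account is locked out" are stored as 64-bit FILETIME values (100-nanosecond intervals since 1601), and "Account options" is a bit mask in userAccountControl. The following PowerShell is an added example written for this post, not from the article or from Microsoft: the function names are mine, the flag values are the well-known ADS_USER_FLAG values, and $sampleUser is a constructed stand-in for what Get-ADUser returns when asked for those properties.

```powershell
# Added example: decode accountExpires, lockoutTime and userAccountControl
# for an account review. Against a real domain, replace $sampleUser with:
#   Get-ADUser -Identity <sam> -Properties accountExpires,lockoutTime,userAccountControl
# (ActiveDirectory module) and pass that object to Get-AccountReview.

# Well-known userAccountControl bits; only the ones that matter in a review.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0002
    LOCKOUT                        = 0x0010     # not maintained reliably; ADUC uses lockoutTime instead
    PASSWD_NOTREQD                 = 0x0020
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    NORMAL_ACCOUNT                 = 0x0200
    DONT_EXPIRE_PASSWORD           = 0x10000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int64]$Value)
    # Returns the name of every listed bit that is set in the value.
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function ConvertFrom-AdFileTime {
    param([AllowNull()][object]$Value)
    # accountExpires, lockoutTime, pwdLastSet are 100-ns ticks since 1601-01-01 UTC.
    # 0 and 0x7FFFFFFFFFFFFFFF both mean "never" / "not set".
    if ($null -eq $Value) { return $null }
    $ticks = [int64]$Value
    if ($ticks -eq 0 -or $ticks -eq [int64]::MaxValue) { return $null }
    return [DateTime]::FromFileTimeUtc($ticks)
}

function Get-AccountReview {
    param([Parameter(Mandatory)]$User)
    $flags    = @(ConvertFrom-UserAccountControl ([int64]$User.userAccountControl))
    $expires  = ConvertFrom-AdFileTime $User.accountExpires
    $lockedAt = ConvertFrom-AdFileTime $User.lockoutTime
    [pscustomobject]@{
        Account              = $User.sAMAccountName
        Flags                = $flags -join ', '
        Disabled             = $flags -contains 'ACCOUNTDISABLE'
        # Weak settings worth a second look during an access review.
        PasswordNotRequired  = $flags -contains 'PASSWD_NOTREQD'
        PasswordNeverExpires = $flags -contains 'DONT_EXPIRE_PASSWORD'
        PreauthNotRequired   = $flags -contains 'DONT_REQ_PREAUTH'
        UnconstrainedDelegation = $flags -contains 'TRUSTED_FOR_DELEGATION'
        Expires              = if ($expires) { $expires.ToString('u') } else { 'never' }
        # lockoutTime is not cleared when the lockout duration elapses, only on
        # the next successful logon; compare it with the domain's lockout
        # duration to know whether the lock is still in effect.
        LastLockout          = if ($lockedAt) { $lockedAt.ToString('u') } else { 'none recorded' }
    }
}

# Constructed sample standing in for a Get-ADUser result.
$sampleUser = @{
    sAMAccountName     = 'jdoe'
    userAccountControl = 0x200 + 0x10000 + 0x20   # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD + PASSWD_NOTREQD
    accountExpires     = [int64]::MaxValue        # "never expires" as stored by ADUC
    lockoutTime        = 132539328000000000       # FILETIME for 2021-01-01 00:00:00 UTC
}

Get-AccountReview $sampleUser | Format-List
```

For the constructed account the review shows PASSWD_NOTREQD and DONT_EXPIRE_PASSWORD set together, which is the combination that deserves a ticket rather than a shrug: the first lets the account keep an empty password regardless of the password policy, the second keeps whatever password it has forever. Run the same function over Get-ADUser -Filter * -Properties ... to find every such account in the domain.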

Posted in Active Directory | Leave a Comment »