New AD Replication Status Tool

Microsoft has released a new Active Directory replication diagnostics tool called ADREPLSTATUS.  Features include:

  • Auto-discovery of the DCs and domains in the Active Directory forest to which the ADREPLSTATUS computer is joined
  • “Errors only” mode allows administrators to focus only on DCs reporting replication failures
  • Upon detection of replication errors, ADREPLSTATUS uses its tight integration with resolution content on Microsoft TechNet to display the resolution steps for the top AD Replication errors
  • Rich sorting and grouping of result output by clicking on any single column header (sort) or by dragging one or more column headers to the filter bar. Use one or both options to arrange output by last replication error, last replication success date, source DC naming context and last replication success date, etc.
  • The ability to export replication status data so that it can be imported and viewed by source domain admins, destination domain admins or support professionals using either Microsoft Excel or ADREPLSTATUS
  • The ability to choose which columns you want displayed and their display order. Both settings are saved as a preference on the ADREPLSTATUS computer
  • Broad OS version support (Windows XP -> Windows Server 2012 Preview)

Check out the original blog post by Microsoft to learn much more.

Broken AD replication has proven to be a bit of a curse in the past. I’m amazed at how many sites (not small ones either) don’t monitor this stuff, relying on cheapware ping-based monitoring rather than the application-layer monitoring of something like System Center 2012 – Operations Manager.  They end up with fragmented AD, all sorts of weird crap happening, etc.  If you’re a consultant in a site and you’re deploying/configuring something with a reliance on AD, then here’s a handy warning sign: the customer “approves” security updates manually, and the last update to their PCs/servers was the most recent Service Pack for the OS (usually for Windows XP).  Take a little time and check the AD replication status before you proceed.

Note that this new tool does not support Windows Server 2000 – that’s long since left extended support.

Virtual Domain Controllers and Windows Server 2012 Improvements

There have been a number of concerns when it comes to virtualising domain controllers.  The biggest of these is KB888794, which is an updated version of an article that I first encountered years previously, maybe in 2004.

USN Rollback

Basically, we had to treat any virtual domain controller like it was a physical installation.  That meant:

  • No snapshots
  • No recovering the DC from VM (host/storage level) backups
  • Don’t do anything to manipulate the virtual DC’s VM storage, such as copy/clone/etc

This was because the VM would “time travel”, effectively screwing up the USNs that are used to track AD object replication and possibly causing the reuse of RID pools – in other words, completely frakking your AD and making you wish that you had paid up for that Microsoft Premier support contract.

Physical DC Required

One of the frustrating things, especially for small-to-medium enterprises (SMEs) or smaller branch offices, was that they needed a local physical domain controller to enable a Hyper-V cluster.  Such a company might only need two hosts, but had to add another physical machine (small as it was) to enable the cluster to function.

That was the scenario up to now.  Enter Windows Server 2012.

Bootstrapping

Windows Server 2012 Failover Clusters have a new feature called bootstrapping.  It’s been mentioned in public but I’ve not seen any documentation on it yet.  In short, this allows a failover cluster to power up and start working without the presence of a physical domain controller.  The premise is that you instead run virtual domain controllers, hosted on the Hyper-V cluster itself.

That means that you don’t need the physical domain controller.  That’s a major saver for the SME or the branch office.

Virtual DCs are OK

If we’re OK with the idea of virtual domain controllers, then how do we deal with them?  How do we back them up easily?  In a true cloud where there might be a one-size-fits-all backup policy, how do admins (with zero knowledge of VM contents/roles) safely back up virtual domain controllers that might be created legitimately by the cloud’s tenants?

VM-GenerationID and Safe DC Virtualisation

Microsoft has come up with a new mechanism called VM-GenerationID (also seen documented on TechNet and blogged as Generation ID, VM Generation ID, VM-Generation ID and GenID).  It is an attribute called msDS-GenerationID of the DC’s computer object in AD.  This is normally kept in sync with the directory information tree (DIT) if everything is OK with the replication of the DC.

If something happens to the DC VM, like a snapshot being applied or a backup of the VM being restored, then the VM effectively travels back in time, potentially causing a USN rollback and enabling RID reuse.  But the DC compares the VM-GenerationID and the DIT version number.  If they are different then the DC is aware there is a problem.  The RID pool is discarded, a new one is created, and a USN rollback is prevented.

Windows Server 2012 Hyper-V is the only hypervisor at this time to support this feature, and the virtual DCs must be running Windows Server 2012.

But There’s More – Rapid Deployment of DCs

Wouldn’t it be nice if you could clone domain controllers?  Normally you cannot.  But this new VM-GenerationID feature, combined with some other work done by Microsoft in WS2012, enables you to export/import virtual DCs to clone new DCs with very little effort.

The process is simple enough:

  1. Have a PDC Emulator that is running WS2012.  This DC will not be cloned.
  2. Create a new virtual DC running WS2012. 
  3. Add the new template DC to a domain security group called Cloneable Domain Controllers.  This allows domain admins to restrict which (if any) DCs can be cloned.
  4. On the template DC, run Get-ADDCCloningExcludedApplicationList to list installed programs/services that may not support cloning (check with vendors).  Uninstall any that cannot support cloning.
  5. Run Get-ADDCCloningExcludedApplicationList -GenerateXml on the template DC.
  6. Back on the template DC, run New-ADDCCloneConfigFile to create an XML answer file to configure the name, IP address, etc. for the new DC VM that you are about to create.
  7. The last step creates a file called DCCloneConfig.xml.  Place this in either the directory where the DIT resides, %windir%\NTDS, or the root of a removable media drive (maybe a SCSI-attached blank VHD?).
  8. Stop and export the template VM.
  9. Import the VM to create a new DC VM.
  10. Start the new VM, and you should now have a new DC.
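The steps above as one PowerShell run-through, added here as an example; it is not from the original post or from Microsoft’s documentation.  The template DC name, clone name, IP settings, site name and export path are placeholders; the cmdlets are the WS2012 ActiveDirectory and Hyper-V module cmdlets the steps name.

```powershell
# Added example: DC cloning steps 1-10 as a script (not from the original post).
# Placeholders: TEMPLATE-DC, CLONE-DC01, the IP settings, the site name, D:\Exports.
Import-Module ActiveDirectory

$templateDc = 'TEMPLATE-DC'      # placeholder: the WS2012 DC that will be cloned
$cloneName  = 'CLONE-DC01'       # placeholder: name for the new DC
$exportPath = 'D:\Exports'       # placeholder: Hyper-V export folder
$cloneIp = @{ IPv4Address = '10.0.0.21'; IPv4SubnetMask = '255.255.255.0'   # placeholder IPs
              IPv4DefaultGateway = '10.0.0.1'; IPv4DNSResolver = '10.0.0.10' }

# Step 1: the PDC Emulator must run WS2012 and must not itself be the template.
$pdc   = (Get-ADDomain).PDCEmulator
$pdcOs = (Get-ADComputer -Identity $pdc.Split('.')[0] -Properties OperatingSystem).OperatingSystem
if ($pdcOs -notlike '*2012*') { throw "PDC Emulator $pdc runs '$pdcOs', not Windows Server 2012" }
if ($pdc -like "$templateDc.*") { throw 'The PDC Emulator cannot be the clone template' }

# Step 3: only members of Cloneable Domain Controllers may be cloned, so this
# group membership is the control point domain admins should watch.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $templateDc)

# Steps 4-5 run on the template DC itself.
Invoke-Command -ComputerName $templateDc -ScriptBlock {
    # Anything listed has not declared cloning support: uninstall it or confirm
    # with the vendor before accepting the list.
    $excluded = Get-ADDCCloningExcludedApplicationList
    if ($excluded) { Write-Warning ("Review before cloning:`n" + ($excluded | Out-String)) }
    # Writes CustomDCCloneAllowList.xml next to the DIT once the list is accepted.
    Get-ADDCCloningExcludedApplicationList -GenerateXml
}

# Step 6-7: the answer file (DCCloneConfig.xml) is written to %windir%\NTDS on the template.
Invoke-Command -ComputerName $templateDc -ArgumentList $cloneName, $cloneIp -ScriptBlock {
    param($name, $ip)
    New-ADDCCloneConfigFile -CloneComputerName $name -Static @ip -SiteName 'Default-First-Site-Name'
}

# Steps 8-10: export the stopped template, import a copy with a new VM ID so the
# hypervisor presents a new VM-GenerationID; that change is what triggers the clone on first boot.
Stop-VM -Name $templateDc
Export-VM -Name $templateDc -Path $exportPath
$config = Get-ChildItem -Path (Join-Path $exportPath "$templateDc\Virtual Machines") -Filter '*.xml' |
    Select-Object -First 1
$clone = Import-VM -Path $config.FullName -Copy -GenerateNewId -VhdDestinationPath (Join-Path $exportPath $cloneName)
Rename-VM -VM $clone -NewName $cloneName    # the imported copy keeps the template's VM name otherwise
Start-VM -VM $clone
```

Start the template again only after the export has finished; the new VM-GenerationID is presented to the imported copy, not to the template.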

I haven’t had a chance to try this out yet.  I’ll try to update this if I find the MSFT TechNet page is lacking.

Summary

What all this means is that with Windows Server 2012 and a hypervisor that is VM-GenerationID aware (WS2012 Hyper-V) then you can safely virtualise your domain controllers, and treat them just like any other VM, something that is of great importance in a true cloud.


Before You Install System Center … Clean Up Those Computer Accounts

First, I hope you’ve done some planning/architecture/proof of concept.  Next, clean up the environment.  Products that deploy agents, such as System Center Essentials (SCE), Configuration Manager (SCCM/ConfigMgr), and Operations Manager (SCOM/OpsMgr), will allow you to track the success of agent deployment.  And if your network is like most others I’ve encountered over the years, nobody has bothered to clean up the inactive/obsolete computer accounts.  Computer discovery will most likely be based on the computer accounts found in Active Directory.  It may find computer accounts that have been there since 2000 and are no longer valid.  It may find 50% more computer accounts than actually exist.

Before you deploy agents you need to do some spring cleaning.

Computer Accounts

My favourite tool for this in the past was oldcmp.  The page doesn’t list Windows 2008 or 2008 R2.  I last used it with Windows Server 2008 in a lab and it worked fine.  It allowed you to work with user and computer accounts:

  • Report only
  • Disable
  • Move and disable (to a “disabled” OU)
  • Delete

The last time I was an admin of a large environment I was very fussy about inactive accounts.  We used to run oldcmp as a scheduled task on a monthly basis.

If you want something that is supported then try this.  Identify & disable computer accounts that were inactive for the last 4 weeks:

dsquery computer -inactive 4 | dsmod computer -disabled yes

Then you can identify and delete computer accounts that have been inactive for the last 8 weeks:

dsquery computer -inactive 8 | dsrm computer

Put that in a script and run it every month and you’ll automate the cleanup nicely.  Inactive machines for the last 4 weeks will be disabled and you can re-enable them if a user complains.  After 8 weeks, they get completely removed.  If you have people away for longer periods then you can extend this, e.g. disable after 26 weeks and delete after 52 weeks.  Or you might bundle that caution about deleting with a secure mindset, e.g. disable after 4 weeks and delete after 52 weeks.

Note: dsquery, dsmod, and dsrm can easily be used for lots more, e.g. user accounts. Check the help (at the command prompt) and test-test-test before putting it into use.  You probably can do all of this with PowerShell and the useful -WhatIf flag.
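The same disable-after-4-weeks, delete-after-8-weeks rotation done with the ActiveDirectory PowerShell module and -WhatIf, added here as an example (not from the original post).  The holding OU is a placeholder; excluding domain controllers, double-checking PasswordLastSet, and only deleting accounts that are already disabled are additions that the dsquery one-liners above do not make.

```powershell
# Added example: stale computer account clean-up with the ActiveDirectory module.
# Mirrors the dsquery/dsmod/dsrm commands above. Every change runs with -WhatIf;
# remove it once the output looks right.
Import-Module ActiveDirectory

$disableAfter = New-TimeSpan -Days 28
$deleteAfter  = New-TimeSpan -Days 56
$disabledOu   = 'OU=Disabled Computers,DC=example,DC=com'   # placeholder holding OU

# Domain controllers are never processed, whatever their timestamps say.
$dcNames = (Get-ADDomainController -Filter *).Name

function Get-StaleComputer {
    param([TimeSpan]$InactiveFor)
    $cutoff = (Get-Date) - $InactiveFor
    # -AccountInactive works from lastLogonTimestamp, which by default only
    # replicates every 9-14 days, so 4 weeks is about the shortest safe window.
    # A machine that rotated its password inside the window is alive even if its
    # lastLogonTimestamp looks old, so PasswordLastSet is checked as well.
    Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan $InactiveFor |
        Where-Object { $dcNames -notcontains $_.Name } |
        ForEach-Object { Get-ADComputer -Identity $_.DistinguishedName -Properties PasswordLastSet, LastLogonDate } |
        Where-Object { $_.PasswordLastSet -lt $cutoff }
}

# Stage 1: disable and park anything quiet for 4+ weeks; re-enable if a user complains.
Get-StaleComputer -InactiveFor $disableAfter |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        Write-Host "Disabling $($_.Name) (last logon $($_.LastLogonDate))"
        Disable-ADAccount -Identity $_ -WhatIf
        Move-ADObject -Identity $_ -TargetPath $disabledOu -WhatIf
    }

# Stage 2: delete only accounts that are both 8+ weeks quiet and already disabled,
# so nothing is removed that did not first sit through the disabled period.
Get-StaleComputer -InactiveFor $deleteAfter |
    Where-Object { -not $_.Enabled } |
    ForEach-Object {
        Write-Host "Deleting $($_.Name) (last logon $($_.LastLogonDate))"
        # -Recursive: computer objects may carry child objects (e.g. BitLocker
        # recovery information) that a plain Remove-ADComputer refuses to delete.
        Remove-ADObject -Identity $_ -Recursive -Confirm:$false -WhatIf
    }
```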

DNS Records

I hate stale DNS records because they can lead to all sorts of false positives when there is IP address re-use, especially when trying to remotely manage/connect to PCs in a DHCP environment.  You can configure DNS scavenging of stale records on a DHCP server (for all zones) or on a per zone basis.


Be careful with this one.  I’ve been especially careful with the intervals since the 2003 days when I had a Premier support call open.  Scavenging didn’t like me using smaller intervals, even if they were correctly configured.
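A cautious way to turn scavenging on, added here as an example (not from the original post): preview which records would be scavenged before enabling anything, use 7-day no-refresh and refresh intervals on the zone, and let only one named server scavenge.  The zone name, server name and scavenger IP are placeholders; the cmdlets are from the Windows Server 2012 DnsServer module.

```powershell
# Added example: conservative DNS aging/scavenging set-up with a dry run first.
# Placeholders: example.com, DNS01 and 10.0.0.10.
Import-Module DnsServer

$zone        = 'example.com'            # placeholder AD-integrated zone
$dnsHost     = 'DNS01'                  # placeholder: the one server allowed to scavenge
$scavengerIp = [IPAddress]'10.0.0.10'   # placeholder: that server's address
$noRefresh   = New-TimeSpan -Days 7
$refresh     = New-TimeSpan -Days 7

function Get-ScavengeCandidate {
    param([string]$ZoneName, [string]$Server, [TimeSpan]$NoRefresh, [TimeSpan]$Refresh)
    # A dynamic record becomes eligible once Timestamp + NoRefresh + Refresh is in
    # the past. Static records have no timestamp and are never scavenged.
    $cutoff = (Get-Date) - $NoRefresh - $Refresh
    Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $ZoneName -RRType A |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName, Timestamp, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }
}

# Dry run: everything listed here disappears once scavenging runs. Check for
# machines that are merely asleep or on long DHCP leases before continuing.
Get-ScavengeCandidate -ZoneName $zone -Server $dnsHost -NoRefresh $noRefresh -Refresh $refresh |
    Format-Table -AutoSize

# Per-zone aging with the intervals above, scavenged by the one named server only.
Set-DnsServerZoneAging -ComputerName $dnsHost -Name $zone -Aging $true `
    -NoRefreshInterval $noRefresh -RefreshInterval $refresh -ScavengeServers $scavengerIp

# Server-side scavenging on the same weekly period; shorter periods are where
# the support calls mentioned above tend to come from.
Set-DnsServerScavenging -ComputerName $dnsHost -ScavengingState $true -ScavengingInterval (New-TimeSpan -Days 7)

# Read the settings back so the change is on record.
Get-DnsServerZoneAging -ComputerName $dnsHost -Name $zone
Get-DnsServerScavenging -ComputerName $dnsHost
```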

Once you have the environment cleaned up, you can start deploying agents.  Now when you see a “failed” message, you know you can take it seriously and schedule a human visit.

Note: I don’t think I’ve ever used ConfigMgr to build collections of users.  Users roam and I don’t want to install software needlessly.  But ConfigMgr 2012 will have a more reliable user-centric approach that detects a user’s primary PC.  Therefore, you’ll want to do a user clean up before deploying it … and that should be standard security practice anyway.

Microsoft IT Environment Health Scanner

Credit to John McCabe for finding this useful looking tool. 

“The Microsoft IT Environment Health Scanner is a diagnostic tool that is designed for administrators of small or medium-sized networks (recommended up to 20 servers and up to 500 client computers) who want to assess the overall health of their network infrastructure. The tool identifies common problems that can prevent your network environment from functioning properly as well as problems that can interfere with infrastructure upgrades, deployments, and migration.
When run from a computer with the proper network access, the tool takes a few minutes to scan your IT environment, perform more than 100 separate checks, and collect and analyze information about the following:

  • Configuration of sites and subnets in Active Directory
  • Replication of Active Directory, the file system, and SYSVOL shared folders
  • Name resolution by the Domain Name System (DNS)
  • Configuration of the network adapters of all domain controllers, DNS servers, and e-mail servers running Microsoft Exchange Server
  • Health of the domain controllers
  • Configuration of the Network Time Protocol (NTP) for all domain controllers

If a problem is found, the tool describes the problem, indicates the severity, and links you to guidance at the Microsoft Web site (such as a Knowledge Base article) to help you resolve the problem. You can save or print a report for later review. The tool does not change anything on your computer or your network”.

Microsoft Active Directory Design Guide

Microsoft has published an Active Directory design guide

“This guidance provides general recommendations for the design, deployment and management of an Active Directory environment in a healthcare organization according to current best practices. The purpose of this guidance is to accelerate Active Directory design and deployment in a healthcare organization, and provide a framework for a more consistent network operating environment”.

Active Directory Management Gateway Service

Microsoft has released the AD Management Gateway Service AKA the Active Directory Web Service for Windows Server 2003 and Windows Server 2008.

Windows Server 2008 R2 includes a new role called the Active Directory Web Service.  This is the interface that MS’s native PowerShell-based tools, i.e. Active Directory Administrative Center (ADAC) and the PowerShell module for Active Directory, use to interact with and manage Active Directory.  Obviously you need to locate installations of this service close to your AD administrators.  What if they are running legacy domain controllers?  That’s where the Active Directory Management Gateway Service comes in.  Here’s what MS says on the download page:

“The Active Directory® Management Gateway Service provides a Web service interface to Active Directory domains and instances of Active Directory Lightweight Directory Services (AD LDS) or Active Directory Application Mode (ADAM) that are running on the same server as the Active Directory Management Gateway Service.

You can download and install the Active Directory Management Gateway Service on servers and domain controllers running the following operating systems:

  1. Windows Server® 2003 R2 with Service Pack 2 (SP2)
  2. Windows Server 2003 SP2
  3. Windows Server 2008
  4. Windows Server 2008 SP2

Note: You can install the Active Directory Management Gateway Service on writable domain controllers as well as Read-only domain controllers that are running Windows Server 2008 or Windows Server 2008 SP2.

After it is installed on any of these operating systems, the Active Directory Management Gateway Service runs as the Windows Server 2008 R2 Active Directory Web Services (ADWS) service and provides the same functionality. For more information about ADWS, see What’s New in AD DS: Active Directory Web Services.

Note: The Active Directory Management Gateway Service does not support instances of the Active Directory Database Mounting Tool running on Windows Server 2008–based servers.

The Active Directory Management Gateway Service enables administrators to use the Active Directory module for Windows PowerShell and the Active Directory Administrative Center running on Windows Server 2008 R2 or Windows 7 to access or manage directory service instances that are running on Windows Server 2008 or Windows Server 2003 operating systems in the previous list.

Note: Installing the Active Directory Management Gateway Service on your Windows Server 2008–based or Windows Server 2003–based servers does not make it possible for you to install the Active Directory module or the Active Directory Administrative Center (which is available only on Windows Server 2008 R2 or Windows 7 operating systems) on these servers.

If the Active Directory Management Gateway Service on your Windows Server 2008 or Windows Server 2003 server is stopped or disabled, client applications, such as the Active Directory module or the Active Directory Administrative Center will not be able to access or manage any directory service instances that are running on this server.”

How To Deploy VPN/RAS Connections Using Scripting and GPO

This download documents how to use PowerShell and Group Policy to configure RAS/VPN connections on Windows clients if you are using the native technologies for RAS/VPN.

“This article describes how to use Group Policy, Powershell and the Remote Access Service (RAS) application programming interfaces (APIs) to configure and deploy VPN connection settings to client computers ready for use by users. The solution also describes how the Task Scheduler service can be used to configure scripts or programs that are run whenever a VPN connection is made to the VPN server. The advantage of this solution is that it is not platform specific, and can be used on all of the currently supported versions of Windows.”

Microsoft IT Environment Health Scanner

I regularly see people asking for “monitoring” solutions.  They often can’t afford an OpsMgr or an SCE solution.  I also regularly see people with AD/authentication issues.  Those can be nasty to isolate.  Microsoft may have just released something to help small-medium businesses.  It’s called the Microsoft IT Environment Health Scanner.

“The Microsoft IT Environment Health Scanner is designed for administrators who want to assess the overall health of their Active Directory and network infrastructure. The tool identifies common problems that can prevent your network environment from functioning properly.

The Microsoft IT Environment Health Scanner is a diagnostic tool that is designed for administrators of small or medium-sized networks (recommended up to 20 servers and up to 500 client computers) who want to assess the overall health of their network infrastructure. The tool identifies common problems that can prevent your network environment from functioning properly as well as problems that can interfere with infrastructure upgrades, deployments, and migration.

When run from a computer with the proper network access, the tool takes a few minutes to scan your IT environment, perform more than 100 separate checks, and collect and analyze information about the following:

  • Configuration of sites and subnets in Active Directory
  • Replication of Active Directory, the file system, and SYSVOL shared folders
  • Name resolution by the Domain Name System (DNS)
  • Configuration of the network adapters of all domain controllers, DNS servers, and e-mail servers running Microsoft Exchange Server
  • Health of the domain controllers
  • Configuration of the Network Time Protocol (NTP) for all domain controllers

If a problem is found, the tool describes the problem, indicates the severity, and links you to guidance at the Microsoft Web site (such as a Knowledge Base article) to help you resolve the problem. You can save or print a report for later review. The tool does not change anything on your computer or your network.

The computer where you run this tool must be joined to your Active Directory domain. You must use an account that is a member of the Domain Admins group (or, when prompted, provide appropriate credentials) to scan the network environment.

This tool uses Windows Management Instrumentation (WMI) to collect information from the servers on your network. Before you scan the environment, make sure that WMI is enabled on the servers and that Windows Firewall is configured to allow traffic on the TCP ports that are required for remote WMI access. In most cases, these are TCP ports 135 and 445 as well as dynamically assigned ports in the range 1024 to 1034”.

Planning Active Directory Forest Recovery

The scouts say something about preparation.  I can’t remember what it was but the idea is that it’s better to have done the work to be prepared for a disaster rather than save some time and then get bit*h-slapped by the disaster.  For example, what do you do when something nasty happens to your Active Directory Forest?  Microsoft posted a guide on this.

I can’t recommend having a lab for your production network enough.  Get yourself a TechNet account for this.  Set up a single server running something like Hyper-V and create an internal network that matches your production network (or networks).  Do a P2V of things like some of your DCs and other critical systems.  This gives you an identical copy of your production system.  You may need to do an AD metadata cleanup to remove the DCs you don’t P2V.  You can easily use it for test and development from then on.

I used to do that in the past.  I spent 80% of my time on the test systems.  For example, when redesigning our AD delegation, I scripted it all using DSACLS.  I tested it over and over.  When we were ready for production I simply ran the scripts on the production network.  Days of work on the test system and minutes of work on the production network with predictable results.  We did the same with GPO work and SMS 2003 software deployment.

I’d definitely recommend you do this with processes such as AD disaster recovery testing and for testing backup/recovery.

Group Policy Reference Sheet For Internet Explorer 8

This spreadsheet lists the policy settings for computer and user configurations included in the administrative template files (admx/adml) delivered with Windows Internet Explorer 8. The policy settings included in this spreadsheet cover Internet Explorer 5, Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8. These files are used to expose policy settings when you edit Group Policy objects (GPOs) using Group Policy Object Editor (also known as GPEdit).