Archive: Posts Tagged ‘General’

NIC2012

1 comment January 16th, 2012

This weekend I attended the NIC2012 conference in Oslo.

Many interesting sessions were on the schedule, like DS MVP Brian Desmond’s “What’s new in Windows Server 8 Active Directory” and “Kerberos uncovered”.

Key notes from WinServer 8 AD:

  • USN rollback prevention when restoring a snapshot (the PDCe needs to be on a Windows Server 8 DC)
  • Support for cloning DCs (handy when you have to deploy dozens of them)
  • GUI for the AD Recycle Bin and Fine-Grained Password Policy
  • Dcpromo.exe is gone (you promote a DC from Server Manager)
  • AD delivers the mechanism for file server access with claims-based authentication
  • A huge number of new PowerShell cmdlets

Unfortunately it looks like the video for this session is missing, though I’d recommend you have a look at some other sessions like:

“Kerberos uncovered” by Brian Desmond:
http://vimeo.com/nicconf/review/35059113/4695c41e86

“How to Not Screw Up Your PKI Environment” by Brian Komar:
http://vimeo.com/nicconf/review/35053082/aaff51b192

“What’s new in Windows 8 Hyper-V” by Ronald Beeklaar:
http://vimeo.com/nicconf/review/35059126/939388d621

All sessions: http://www.nic2012.com/nic2012_agenda

Do I need WINS?

No comments December 15th, 2010

No, you do not!

Unless:

  • You have Exchange 2000/2003 and want to preserve full functionality. Changing a domain password with OWA 2003, export/import with Exmerge, and Outlook clients prior to 2003 all require WINS.
  • You have a large subnetted network, where NetBIOS broadcasts may not work between the subnets.
  • You have a third-party program that requires WINS.

I assume you don’t have any NT servers or Win98 clients 🙂 

If you do have a WINS server in play, you can use Performance Monitor to watch WINS queries (“Successful Queries/sec”).

If you see a lot of queries, consider whether NetBIOS name query broadcasts are acceptable instead. Keep in mind that broadcasts increase the load on your network.

References:

http://technet.microsoft.com/en-us/library/cc784180(WS.10).aspx
http://support.microsoft.com/?kbid=837391

Configure the time

3 comments June 23rd, 2010

Applies to Server 2003/2008. Not for Windows 2000.

Time is crucial in an Active Directory domain. If there is, for example, more than a 5-minute offset between a DC and a client computer, the Kerberos protocol used for authentication will fail.

You may also see problems with AD replication if two DCs are out of time sync, since changed attributes are time-stamped when the change occurs. The time stamp is one of three mechanisms used to prevent replication/attribute conflicts.

When a user logs on to his/her workstation and authenticates, the computer synchronizes its time with the authenticating DC.

This DC, if it’s not the PDCe role holder, synchronizes its time with the domain’s PDCe role holder.

The PDCe holder should synchronize its time with a reliable time source. You can find an NTP server close to you at pool.ntp.org (see the references below).
If the DC holding the PDCe role dies, or the role is transferred or seized, you have to configure the time source on the new PDCe.
Configuring the external time source can be a mess, and maintaining it might be even messier.

The MS DS team made a blog entry about this some time ago and I must say it’s a really elegant approach!!

In short, they create a GPO, set an external time source, configure a WMI filter so the GPO only applies to the domain’s PDCe role holder, and link the GPO to the Domain Controllers container.

Open the GPMC and create a new WMI filter:

[Screenshot b1: new WMI filter in GPMC]

Query: Select * from Win32_ComputerSystem where DomainRole = 5 (DomainRole 5 is “Primary Domain Controller”, i.e. the PDCe role holder)

Create a new GPO and set the external time source:

Computer Configuration/Administrative Templates/System/Windows Time Service/Time Providers/Configure Windows NTP Client

Set the NtpServer you prefer and change the Type to NTP.

[Screenshot b2: Configure Windows NTP Client policy setting]


Activate the WMI filter to this GPO:

[Screenshot b3: WMI filter assigned to the GPO]


and link the GPO to the Domain Controllers container:

[Screenshot b4: linking the GPO to the Domain Controllers container]

[Screenshot b5: the GPO linked to the Domain Controllers container]


To see how the DCs are synchronizing their time, run: w32tm /monitor

[Screenshot b6: w32tm /monitor output before the GPO is applied]


Here dc01test.spurs.local (the PDCe holder) uses its HW clock while dc4test.spurs.local is synchronizing with dc01test.

Restart the time service (net stop w32time && net start w32time) and force a Group Policy update (gpupdate /force, or wait 5 minutes).

Now the newly created GPO is applied and dc01test is synchronizing with the external time source.

[Screenshot b7: w32tm /monitor output after the GPO is applied]


You can also see this in the System Event log:

[Screenshot b8: System Event log entry from the time service]

[Screenshot b9: System Event log entry showing the new time source]


So what happens if I transfer the PDCe role from dc01test to dc4test?

I wait for 5 minutes (and run w32tm /monitor just to check):

[Screenshot b10: w32tm /monitor output after transferring the PDCe role]


As you can see dc4test is now synchronizing with the external time source, while dc01test is synchronizing with dc4test.

You don’t have to think about configuring the time source if your PDCe is transferred.
You don’t even have to clean up the old PDCe holder, as the registry doesn’t get tattooed by this!!!
If you configure the time with a GPO, the registry settings will be located here:

HKLM\Software\Policies\Microsoft\Windows\W32time

If you don’t use a GPO, the settings will be set here:

HKLM\System\CurrentControlSet\Services\W32time

The first one takes precedence over the second one.
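As an added check (my own example, not code from the post or from the AskDS article) you can verify on a DC which of the two registry locations is actually in effect and whether that matches the DC’s role, using the same Win32_ComputerSystem/DomainRole property the WMI filter relies on. It assumes you run it in an elevated PowerShell on the DC, that the policy settings land under HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters, and that w32tm /query is available (Server 2008 or newer).

```powershell
# Added example: report this DC's domain role and the effective W32Time settings.
# Assumptions: run elevated on the DC; the policy key below is where the
# "Configure Windows NTP Client" setting writes Type/NtpServer.

$roleNames = @{ 0 = 'Standalone workstation'; 1 = 'Member workstation';
                2 = 'Standalone server';      3 = 'Member server';
                4 = 'Backup domain controller'; 5 = 'Primary domain controller (PDCe)' }

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-W32TimeParams([string]$Key) {
    # Returns Type/NtpServer from a registry key, or $null if the key is absent
    if (-not (Test-Path $Key)) { return $null }
    $p = Get-ItemProperty -Path $Key
    New-Object PSObject -Property @{ Key = $Key; Type = $p.Type; NtpServer = $p.NtpServer }
}

# Same class and property the GPO's WMI filter queries (DomainRole = 5 is the PDCe)
$role    = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
$policy  = Get-W32TimeParams $policyKey
$service = Get-W32TimeParams $serviceKey

# A Type set by policy wins over the service key, as the post explains
$effective = if ($policy -and $policy.Type) { $policy } else { $service }

"Domain role : $role ($($roleNames[[int]$role]))"
"Effective   : Type=$($effective.Type) NtpServer=$($effective.NtpServer)"
"Source key  : $($effective.Key)"

# Sanity checks against the design in the post
if ($role -eq 5 -and $effective.Type -ne 'NTP') {
    Write-Warning 'This is the PDCe, but it is not configured for an external NTP source.'
}
if ($role -eq 4 -and $effective.Type -ne 'NT5DS') {
    Write-Warning 'This DC is not the PDCe, but it is not using the domain hierarchy (NT5DS).'
}

# Cross-check with the time service itself (the post does this with w32tm /monitor)
w32tm /query /source
```

If the policy key is missing on the PDCe after a role transfer, wait for the next Group Policy refresh (or run gpupdate /force) and run the check again.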

References:

http://www.pool.ntp.org/en/

http://support.microsoft.com/kb/816042

http://blogs.technet.com/b/askds/archive/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering.aspx

Diagnosing

No comments May 5th, 2010

Have you ever felt that sometimes your girlfriend is grumpy but still says everything is fine? You feel a tension in the air.
You: Something wrong?

Her: No (*gosh* she thinks. Why can’t he read my mind, that senseless bastard)

You: Cool!
(but you aren’t 100 percent comfortable with the answer. You feel that there is something in the air, but you can’t tell what it is)

Four days go by. You have just got home from a football game (Tottenham vs Liverpool: 2-1). Happy as you can be, but you notice your girlfriend is on fire!!

Her (shouting): Why did you say no to visiting my parents two weeks ago? You and your brainless soccer.

You (thinking): it’s called “football”, not “soccer”, but wisely you keep your mouth shut.

Her: You spend more time with your Tottenham than with me and bla, bla, bla…

You (thinking): ahhh.. that’s what was in the air a week ago…

Everything in the OSI model below layer 7 is straightforward and well documented. It’s “layer 8” that is the most complex layer and the hardest to understand.
In Active Directory this is not the case, unless you’re dealing with a “slow logon problem” (which can be a layer 8 problem).
If you feel there is something wrong in AD, you’ll get a straightforward answer by asking your domain what the problem is. You just need the tools and the syntax to ask the questions for you.

Here are the tools and syntaxes I use most of the time to get the answers:

The MS Support Tools package. This is a “must have” as long as you have a Domain Controller running Windows 2003 or older, both for maintenance and troubleshooting.

1. Event log
– Look for Warnings and Errors (System, DS, DNS and FRS)

2. dcdiag /v /e /c /f:dcdiag.txt
– My favorite. This diagnoses all DCs and writes the result to a single log file (here: dcdiag.txt). Be aware that it generates some network traffic if you have many DCs in various sites.

3. netdiag /v
– Diagnose network-related issues

4. nltest /dclist:spurs.local
– List all domain controllers in the spurs.local domain and the site they are located in (handy for a quick overview in a new domain)

5. netdom query fsmo
– List the FSMO role holders in the domain/forest

6. netdom query dc
– List all domain controllers in spurs.local. It can’t list RODCs.

7. dsquery server -isgc
– List all the Global Catalogs

8. repadmin /showrepl and repadmin /replsum
– Show the last replication cycle

9. repadmin /showbackup *
– Show when the last backup was taken

10. dcdiag /test:dns /f:dnstest.txt /v
– Test DNS issues. Look at the end of the file for the summary.

11. dnslint /ad /s <ip-address of DNS server> /v
– Verify registration and records and create an HTML file for presentation.

Other useful tools I like:

Account lockout and management tools:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Group Policy Management Console (must have):
http://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

Oldcmp (for cleanup):
http://www.joeware.net/freetools/tools/oldcmp/index.htm

Wireshark (for network troubleshooting):
http://www.wireshark.org/

Policy Reporter (for parsing Userenv logs):
http://www.sysprosoft.com/policyreporter.shtml

How nice would it be to have a toolkit for females where you could easily debug them and get straight forward answers? Maybe someday in the future….

Restore an OU

No comments March 11th, 2010

Assuming you have a Windows 2003 DC (SP1 or newer) and a good System State backup, not older than your domain’s tombstone lifetime.

Start the DC in DSRM (F8 at boot)

fig.1

Start NTBackup

Restore Wizard > Next

Choose the System state backup file > Next > Advanced

Restore files to “Original Location”

Leave existing files > Next

fig.2

If you have only one DC in your domain, tick the last checkbox (fig.2). If you have more than one, don’t tick it.

Press “Finish”

Do not restart the DC at this moment.

Mark the object as authoritative (meaning the restored object(s) will be replicated to the other DCs because they are authoritative):

http://technet.microsoft.com/en-us/library/cc757068(WS.10).aspx

Open cmd >ntdsutil

> authoritative restore

> restore subtree distinguishedName

e.g. an OU called “Reserves”, holding all of Tottenham’s reserve user objects, accidentally got deleted. (What the heck. They aren’t good enough for the first team, but maybe someday they will be, so let’s get them back.)

fig.3

> quit

Restart the DC in normal mode (SP1 or newer). AD replication will take care of getting the OU and the user objects replicated to the other DCs in the domain.

If you have a Windows 2003 SP1 or newer DC, ntdsutil creates two files if the restored user objects have any back-links to group memberships. If they do, you have to restore the back-links as well, but wait until all DCs have received the restored users via replication.

Syntax: ldifde -i -f <ar*.ldf>

ie: ldifde -i -f ar_20100129-081113_links_spurs.local.ldf

If you have a Win2008 R2 domain and restore a user from the Recycle Bin you don’t have to worry about the back-links. The process will do it for you.

Documenting AD

1 comment February 10th, 2010

Documentation is a vital part of the admin’s day. It’s time consuming, and when there are changes to the system, it’s you who has to update the documentation. That can be boring!

Remember that outdated (or may I call it tombstoned?!) documentation can be worse than no documentation!

If you’re a system consultant who got the job of setting up a domain, it’s always nice to hand over some documentation of the domain to the company that hired you.

Don’t worry, the help is out there just waiting for you! Microsoft has a great utility called “Active Directory Topology Diagrammer”. It reads the configuration of your domain/forest and generates/updates a Visio drawing of the whole domain/forest, including all domain controllers, global catalogs, trusts, OU structure, sites, schema version, SP level, user count and so on.

Just tick the checkboxes you want and hit the “Discover” button. After a few seconds the discovery completes. Go get yourself a cup of nice warm coffee, press the “Draw” button and enjoy your coffee while ADTD populates the Visio drawing for you.

This tool can also draw your Exchange organization.

Download a free copy of ADTD here

If you don’t have Visio available you can download a 60 days free trial from MS here.

Backup

No comments February 9th, 2010

When the Tottenham manager (FYI: Harry Redknapp) picks his starting 11 before a match, he also chooses 7 additional players to sit on the bench. As backups. If, for example, a player gets injured during the game, he always has a backup he can use sitting on the bench, just waiting to be substituted in.

What do you do if you got a flat tire in the middle of nowhere, and you find out that there isn’t a spare tire in the trunk? “Sh*t, I thought I had a backup!”

An OU with dozens of user objects can accidentally be deleted. Your single DC in the domain can say goodnight anytime (yeah right, who has the guts to run a single DC in his domain?!). Your SYSVOL with all your fancy GPOs vanished. “Hey! Where did they go?”

So, just like everything else, a good backup is very good to have. Even in the Active Directory world. I quote Instan at Microsoft CSS/PSS:

As my grandfather used to say, “it’s better to have a backup you don’t need than to need a backup you don’t have”

http://blogs.technet.com/instan/default.aspx

If you don’t have a backup routine of your domain controller, then now is a good time to implement it.

A quick way to see when the last backup occurred: open cmd and type:

repadmin /showbackup *

(Repadmin is part of the Windows 2000/2003 support tools)
http://www.microsoft.com/downloads/details.aspx?familyid=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

I have scheduled a System State backup running every night on three of my DCs in the domain using NTBackup (or Windows Backup). (We also have a Tivoli backup running that backs up the entire server… Paranoid, you know 😮)
I store the backup files on a network share for easy access (by the admin *).

The name you give the backup file can be of great help to other admins doing a restore.

Naming of the backup file: http://technet.microsoft.com/en-us/library/cc785766(WS.10).aspx

Schedule System state backup: http://technet.microsoft.com/en-us/library/cc759092(WS.10).aspx

If you at least have a System State backup and a disaster does occur, you’ll probably be able to get your domain back on track. Just be sure that the backup file has not exceeded your domain’s Tombstone Lifetime (60 or 180 days).

* Security around how to protect the backup is out of the scope for this entry.
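As an added example (my own script, not part of the original post) here is a PowerShell check that reads the forest’s actual tombstone lifetime from the Configuration partition instead of guessing 60 or 180 days, and then flags which System State backup files on the share are still young enough to restore. It assumes a domain-joined machine with read access to the configuration container, and $BackupShare is a hypothetical UNC path where the nightly NTBackup .bkf files are kept.

```powershell
# Added example: compare the age of System State backup files against the
# forest tombstone lifetime. $BackupShare is a hypothetical path; adjust it.

$BackupShare = '\\fileserver\adbackups'

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on CN=Directory Service in the Configuration partition.
    # If the attribute is not set, the forest uses the default of 60 days.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $cfgNc   = $rootDse.configurationNamingContext
    $dsObj   = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc"
    $tsl     = $dsObj.Properties['tombstoneLifetime'].Value
    if ($tsl) { return [int]$tsl } else { return 60 }
}

function Test-BackupFiles([string]$Path, [int]$LifetimeDays) {
    # A backup older than the tombstone lifetime cannot be safely restored
    $cutoff = (Get-Date).AddDays(-$LifetimeDays)
    Get-ChildItem -Path $Path -Filter '*.bkf' | ForEach-Object {
        $ageDays = [int]((Get-Date) - $_.LastWriteTime).TotalDays
        New-Object PSObject -Property @{
            File       = $_.Name
            AgeDays    = $ageDays
            Restorable = ($_.LastWriteTime -gt $cutoff)
        }
    }
}

$tsl = Get-TombstoneLifetimeDays
"Tombstone lifetime: $tsl days"

$results = @(Test-BackupFiles -Path $BackupShare -LifetimeDays $tsl)
$results | Sort-Object AgeDays | Format-Table File, AgeDays, Restorable -AutoSize

$usable = @($results | Where-Object { $_.Restorable })
if ($usable.Count -eq 0) {
    Write-Warning "No System State backup younger than $tsl days found on $BackupShare."
} else {
    $newest = $usable | Sort-Object AgeDays | Select-Object -First 1
    "Newest restorable backup: $($newest.File) ($($newest.AgeDays) days old)"
}
```

Run it from a scheduled task and let the warning feed your monitoring, so an expired backup set is noticed before you actually need it.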