Archive: Author Archive

Troubleshooting slow logon

3 comments June 24th, 2010

If a light bulb has stopped glowing, you wouldn’t start with tearing down the wall to check the cables. You’d probably check if pressing the light switch will help you get the light back. If that didn’t work, you’ll move on to replace the light bulb. Still no luck? You’ll move on to check the fuse.

If the fuse is ok, is it just this room that is affected? You might look out the window to see if your neighbours have some lights on.

If you can’t figure it out, you will maybe call en electrician. You’d tell him all the things (steps) you have checked. Maybe the electrician have some additional steps he/she ask you to check…

Why would you follow these steps?

A wise man once said “if you know how a system works, then you’d be able to troubleshoot the system” (at least I think he said it:)

This rule applies to almost all efficient troubleshooting. If you’re going to troubleshoot slow logon issues, then it’s not as easy as the light bulb example. The cause can be hundreds of things. So where should I start looking?

Instead of re-inventing the wheel, here is my four favorite MS team blogs regarding the issue. If you take your time and read them, you will have a very good chance to find the culprit.

1. Ask the Perf team

2. Ask the DS team part#1

3. Ask the DS team part#2

4. Troubleshooting AD by Instan

Configure the time

3 comments June 23rd, 2010

Applies to Server 2003/2008. Not for Windows 2000.

Time is crucial in an Active Directory domain. If there are i.e. more than 5 minutes offset between a DC and a client computer, the Kerberos protocol used for authentication will fail.

You may also see problems with AD replication if two DCs are out of time sync, since attributes that are changed are time stamped when the change occurred. The time stamp is one of three functions to prevent replication/attribute conflicts.

When a user logs on to his/her workstation and authenticates, the computer will synchronize its time with the authenticating DC.

This DC, if it’s not the PDC role holder, synchronizes its time with the domain’s PDCe role holder.

The PDCe holder should synchronize its time with a reliable time source. You could find a NTP server close to you HER.
If the DC holding the PDC dies, the role is transferred or siezed you have to configure the time source on the new PDCe.
Configuring the external time source can be a mess, and maintaining it might be even more messy

The MS DS team made a blog entry about this some time ago and I must say it’s a really elegant approach!!

In short terms they create a GPO, sets an external time source, configures a WMI filter so the GPO only applies to the domains PDCe role holder, and link the GPO to the Domain Controller container.

Open the GPMC and create a new WMI filter:











Query: Select * from Win32_ComputerSystem where DomainRole = 5

Create a new GPO and set the external time source:

Computer Configuration/Administrative Templates/System/Windows Time Service/Time Providers/Configure Windows NTP Client

You set the NtpServer you prefer and change the type to NTP.











Activate the WMI filter to this GPO:












and link the GPO to the Domain Controllers container:





















To see how the DCs is synchronizing their time, run: w32tm / monitor





Here dc01test.spurs.local (the PDCe holder) uses its HW clock while dc4test.spurs.local is synchronizing with dc01test.

Restart the time service (net stop w32time && net start w32time) and force a Group Policy update (gpupdate /force or wait 5 minutes)

Now the newly created GPO is applied and now dc01test is synchronizing with the external time source.






You can also see this in the System Event log:











So what happens if I transfer the PDCe role from dc01test to dc4test?

I wait for 5 minutes (and run w32tm /monitor just to check):






As you can see dc4test is now synchronizing with the external time source, while dc01test is synchronizing with dc4test.

You don’t have to think of configure the time source if your PDCe is transferred.
You even don’t have to clean the old PDCe holder as the registry don’t gets tattooed by this!!!
If you configure the time with a GPO, the registry settings will be located here:


If you don’t use a GPO, the settings will be set here:


The first one takes precedence over the second one.


Journal Wrap

8 comments June 6th, 2010


– Windows 2000/2003/2008 domain controllers using FRS (not DFSR).
– More than one Domain Controller
– Atleast one DC with a healthy SYSVOL

Why do Journal Wraps occur?

Instan at the AD Troubleshooting blog made an excellent blog entry about:

What happens in a Journal Wrap?

You should give it a read to understand what is going on under the hood.

Symptoms that might occur:

  • Event ID 13568 is logged in the NtFrs event log
  • A generic Event ID 1058 may be logged
  • You make changes to a logon script but not all users got the change
  • Changing a GPO or creating a new GPO is not applied to all users or computers
  • Missing SYSVOL share
  • A RSoP or gpresult report that data or policy object is missing or corrupt

If you take a look at the 13568 event you’ll see that there is a “solution” to this problem:

Set the “Enable Journal Wrap Automatic Restore” registry parameter to 1


Restart ntfrs service.

This is not a good solution for post-Server 2000 SP3.
I don’t know why Microsoft still have this “how-to-fix” in event 13568, but they say in KB 290762:

Important: Microsoft does not recommend that you use this registry setting, and it should not be used post-Windows 2000 SP3. Appropriate options to reduce journal wrap errors include…

Update: I had to ask around about this since it was nagging me:

The event was never changed because the product group didn’t want to pay for the localization cost, nor admit that this registry setting caused more problems than it fixed. It actually came down to ego – the developer of FRS was a real piece of work. So instead the public docs were updated to state not to use that autorecovery registry setting.

Instead you should go for the Burflags method. This will kick start your SYSVOL up and running. Most often a “non-authoritative” (D2) approach will fix you up.

The “D2” key can be set two places in registry:

Global re-initialization:

HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup


Replica set specific re-initialization:

HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID

If you’re using DFS replica sets that holds a large amount of data that is healthy, go for the “Replica set specific re-initialization”. If you set the Global Burflags, FRS will re-initialize all replica sets, including the DFS namespace the member holds. If they hold a large amount of data… that might take some time.

To find the GUID of SYSVOL, look for the “Replica Set Name” named “Domain System Volume (SYSVOL SHARE)” under the subkey “HKLM\..\..\Replica Sets”:

This screenshot have only one GUID since I don’t use DFS in my lab.

Change the value of Burflags to D2 (hex).
If you don’t uses DFS you could just set the Global Burflags to D2. It will not make any difference under what subkey you set it. This will re-initialize all replica sets the member holds (in this case the SYSVOL).

After you have set the Burflags key to D2, you have to restart the NTFRS service on the affected DC.

Overview of what happens:

1. The Burflags is set to 0
2. Event ID 13565 is logged. non-authoritative restore has started
3. The content of SYSVOL are moved to the pre-existing folder
4. Event ID 13520 is logged
5. The local FRS database is rebuilt
6. It re-join (vvjoin) the replica set
7.  The “bad DC” will compare all files (file ID and MD5 sum) it has in the Pre-existing folder with the files from an upstream partner.
8. If a match is found, it will copy the file from the Pre-Existing folder to the original location. If they don’t match, it will pull the file from the upstream partner.
9. Event ID 13553 is logged
10. FRS notifies (SysvolReady reg.key = 1) the Netlogon service that SYSVOL is ready and can be shared.
11. The Netlogon service will share SYSVOL and Netlogon.
12. Event ID 13516 is logged (finished)


When you have verified that SYSVOL is shared and in sync, you can delete the content in the Pre-Existing folder to free up space.

Authoritative restore (D4):

If your SYSVOL is all messed up on every DC’s, you might have to do an “authoritative restore” using both the D4 and D2 values.

By the way you should never, ever use the D4 flag on more than one DC as you will have a lot of collisions and morphed folders. The D4 flag should only be set like Microsoft says, as a last resort.

Quick overview:

1. Stop the NtFrs service on every DC
2. Set the D4 flag on one DC that will be authoritative for the replica set(s). The SYSVOL content will not be moved to the pre-existing folder on the authoritative member.
3. Set the D2 flag on the other DC’s (non-authoritative)
4. Start the NtFrs service on the “D4” DC.
5. Check that Event ID 13553 and 13516 is logged.
6. If step 5 is ok, start NtFrs on the “D2” DC’s.

For detailed steps, see “How to rebuild the SYSVOL tree and its content in a domain”


FRS event codes:

What happens in a Journal Wrap?

How to rebuild the SYSVOL tree and its content in a domain

Using the BurFlags registry key to reinitialize File Replication Service replica sets

Backing Up and Restoring an FRS-Replicated SYSVOL Folder

FRS and the A-record and CNAME

No comments May 29th, 2010


‘DC01test’ has a modified object that should be replicated to its partner ‘DC4test’:

1. ‘DC01test’ queries AD for a configured replication partner (default defined by the KCC service)

2. ‘DC01test’ knows the name (‘DC4test’) of his replication partner, but needs to find the GUID of ‘DC4test’.

3. ‘DC01test’ compare all CNAME record in the “_msdcs zone” and finds the GUID that match the name ‘DC4test’

4. Next step ‘DC01test’ needs to find is the IP of ‘DC4test’ so it can connect to ‘DC4test’.

5. ‘DC01test’ sends a recursive DNS query to its primary configured DNS server asking for a CNAME (the alias of the GUID).

Query: guid._msdcs.spurs.local
DNS server respond with: ‘DC4test.spurs.local’

6. ‘DC01test’ ask his DNS for the A-record for ‘DC4test.spurs.local’
DNS server returns the IP:

7. ‘DC01test’ connects to ‘DC4test’ and flags that “I have a change you need to get from me”.

8. Since FRS is based on PULL (not push), ‘DC4test’ will pull the changes on the object from ‘DC01test’.

If the A-record or the CNAME is missing or not correct, this process will fail. As a result, the replication will fail.
A handy tool that will test that all records are registered on all authoritative DNS servers is “dnslint”. It will create a HTM-report and highlight errors/warnings.

ie. dnslint /ad /s /v

If a CNAME is missing:

DNSLint usage:
Troubleshooting with DNSLint:


No comments May 5th, 2010

Have you ever felt that sometimes your girlfried is crumpy but still says everything is fine? You feel a tension in the air.
You: Something wrong?

Her: No (*gosh* she thinks. Why can’t he read my mind that senseless bastard)

You: Cool!
(but you isn’t 100 per cents comfortable with the answer. You feel that there is something in the air, but you can’t tell what it is)

Four days goes by. You have just got home from a football game (Tottenham vs Liverpool: 2-1). Happy as you can be, but you notice your girlfriend is on fire!!

Her (shouting): Why did you say no to visiting my parents two weeks ago? You and your brainless soccer.

You (thinking): it’s called “football” not “soccer”, but wisely you keep your mouth shut.

Her: You spend more time with your Tottenham compared to me and bla,bla,bla…

You (thinking): ahhh.. that’s what was in the air a week ago…

Everything in the OSI model below layer 7 is straight forward and well documented. It’s “layer 8” that is the most complex layer and hardest to understand.
In Active Directory this is not a case, unless you’re not dealing with a “Slow logon problem” (which can be a layer 8 problem).
If you feel there is something wrong in AD, you’ll get a straight forward answer by asking your domain what’s the problem. You just need the tools and syntax to do the questions for you.

Here are the tools and syntaxes I use most of the time to get the answers:

The MS Support Tools package. This is a “must have” package as long as you have a Domain Controller (<= 2003). Both for maintaining and troubleshooting.

1. Event log
– Look for Warnings and Errors (System, DS, DNS and FRS)

2. dcdiag /v /e /c /f:dcdiag.txt
– My favorite. This will diagnose all DC’s and write the result to a single log file (here: dcdiag.txt). Be aware that this will generate some network traffic if you have many DC’s in various sites.

3. netdiag /v
– diagnose network related issues

4. nltest /dclist:spurs.local
– list all domain controllers in the spurs.local domain and what site they are located (handsome to get a quick overview in a new domain)

5. netdom query fsmo
– list the FSMO holders in the domain/forest

6. netdom query dc
list all domain controllers in spurs.local. It can’t list RODCs.

7. dsquery server -isgc
– list all the Global Catalogs

8. repadmin /showrepl and repadmin /replsum
– show the last replication cycle

9. repadmin /showbackup *
– show when the last backup was taken

10. dcdiag /test:dns /f:dnstest.txt /v
– to test DNS issues. Look at the end of the file for the summary.

11. dnslint /ad /s <ip-address of DNS server> /v
Verifies registration and records and create a htm file for presentation.

Other useful tools I like:

Account lockout and management tools:

Group Policy Management Consol (must have):

Oldcmp (for cleanup):

Wireshark (for network troubleshooting):

Policy Reporter (for parsing Userenv logs):

How nice would it be to have a toolkit for females where you could easily debug them and get straight forward answers? Maybe someday in the future….


1 comment April 26th, 2010

1. You discover that the netlogon service is in a pause state
2. Event ID 2095 / 2103 is logged in the directory service event log
3. Inbound and outbound replication is disabled

You’re in a now in an USN-Rollback state!

(This situation will never happen in a single DC forest)

The most common reasons for this state is that an unsupported restore method has occurred.


– You clone a DC with ie. VMWare Converter
– You revert to a snapshot of a DC and start the DC in normal mode without setting the “Database restored from backup” registry key [1][2]

If your HW is set to do buffered disc writes and an unexpected power failure occur, may also put you in an USN-Rollback state

The way to get out of this state is to remove the bad DC out of your domain:

1. on the bad DC: dcpromo /forceremoval
2. on a healthy DC: Run a Metadata cleanup [3]
3. on a healthy DC: seize the FSMO if necessary [4]
4. rebuild the “bad” DC and promote it back

I’m living in a freezing country (bah!) and we use to say “pee in your pants to get warm (for about 5 seconds…)”.

I have seen some recommendation at some other blogs and forums that provides a “quick” solution to recover from a USN-Rollback state.

Here is a “pee in your pants” solution:

– Delete the “DSA Not Writable” registry key
– Enable replication with repadmin
– Reboot
– Fixed? Nah, not really!

Here is what Microsoft says about this in an extention to KB 875495 [5] that for some reason is hidden for the general public:

Deleting or manually changing the Dsa Not Writable registry entry value puts the rollback domain controller in a permanently unsupported state. Therefore, such changes are not supported. Specifically, modifying the value removes the quarantine behavior added by the USN rollback detection code. The Active Directory partitions on the rollback domain controller will be permanently inconsistent with direct and transitive replication partners in the same Active Directory forest.”


[1] DC’s and VM’s – Avoiding the Do-over
[2] Backup and Restore Considerations for Virtualized Domain Controllers
[3] Metadata cleanup
[4] Seizing the FSMO’s
[5] KB 875495 – How to detect and recover from a USN rollback

GPO backup

No comments March 16th, 2010

When you take a System state backup of a DC it includes a backup of your SYSVOL with all your GPO’s. If a GPO get corrupted or is accidentally deleted you have to restore the System state to get the policy back. This operation is time consuming.

With the Group Policy Management Consol (GPMC) you can take backups of your GPO’s directly from the consol (and even restore them) which is less time consuming then a System state restore.

Even better are the scripts that follow with the GPMC. With them you can i.e. schedule a regular backup of all GPO’s.

I made a script that dumps the GPO’s to a file share, using some the scripts that followed with the installation of the GPMC.

Download the GPMC here for Win2003.


‘ Backup all GPO’s in the domain
‘ author: Rune Sørensen
‘ 14.04.2009 , v.1.0

‘ Save the script as a vbs file and run it once or create a scheduled task
‘ runnning the script.
‘ \\server\share should reflect your servername and sharename

Dim fso, strPath, objShell

‘ Filepath to the share
strPath = “\\server\share\GPO_Backup\*”

Set fso = CreateObject(“Scripting.FileSystemObject”)
Set objShell = CreateObject(“Wscript.Shell”)

‘ Delete the last taken backup

strExecuteBackup = “cmd /c ” & “cd %programfiles%\gpmc\scripts\ && cscript BackupAllGPOs.wsf \\server\share\GPO_Backup”‘

strQueryBackups = “cmd /c ” & “cd %programfiles%\gpmc\scripts\ && cscript QueryBackupLocation.wsf \\server\share\GPO_Backup > \\server\share\GPO_Backup\BackupLocations.txt”

strCreateReport = “cmd /c ” & “cd %programfiles%\gpmc\scripts\ && cscript GetReportsForAllGPOs.wsf \\server\share\GPO_Backup”

objShell.Run strExecuteBackup
WScript.Sleep (120000)

objShell.Run strQueryBackups
WScript.Sleep (60000)

objShell.Run strCreateReport
Set objShell = nothing
Set fso = nothing

””””””””””””””””””””” EOF ”””””””””””’

Restore an OU

No comments March 11th, 2010

Assuming you have a 2003 DC SP1< and a good System state backup. Not older than your domains tombstone lifetime.

Start the DC in DSRM (F8 at boot)


Start NTBackup

Restore Wizard > Next

Choose the System state backup file > Next > Advanced

Restore files to “Original Location”

Leave exsisting files > Next


If you have only one DC in your domain. Tick the last checkbox (fig.2). If you have more than one, don’t tick it.

Press “Finish”

Do not restart the DC at this moment.

Mark the object as authoritative (meaning the object(s) will get replicated to other DC’s because it’s authoritative)

Open cmd >ntdsutil

> authoritative restore

> restore subtree destinguishedName

ie. An OU accidentally got deleted called “Reserves” holding all the Tottenhams reserves user objects. (What the heck. They aren’t good enough for the first team, but maybe someday they will so let’s get them back).


> quit

Restart the DC in normal mode (SP1 or newer). The AD Replication will do the job to get the OU and the user objects replicated to the other DC’s in the domain.

If you have a Windows 2003 SP1 or newer DC, the ntdsutil will create two files if the restored user object have any back-links to group membership. If they do you have to restore the back-link aswell. But wait until all DC’s have got the users replicated.

Syntax: ldifde -i -f <ar*.ldf>

ie: ldifde -i -f ar_20100129-081113_links_spurs.local.ldf

If you have a Win2008 R2 domain and restore a user from the Recycle Bin you don’t have to worry about the back-links. The process will do it for you.

Domain rename

13 comments March 8th, 2010

Domain renaming is not a daily task but a task you do if the management forces you to do it! (ie. because of a company restructure, take over etc )

There are many resources on the Internet sharing a “walk through” about this job, but I made my own documentation some years ago when I was told to rename the domain. So I just go with the flow and publish it.

To do this task your domain/forest functional level has to be at least 2003 and all DC’s need at least SP1.

Exchange 2003 SP2. This is the only version that supports a domain rename. Exchange 5.5, 2000 and 2007 is not supported and Exchange can’t be installed on a DC.

Before you proceed you do have to read the official documentation and requirements from Microsoft:

– Download the domain rename tools

– Understanding How Domain Rename Works

Step-by-Step Guide to Implementing Domain Rename

The environment consisted of:

One forest (2003 Functional level) with three domains (2003 FL, transitive trust and a parent-child trust), six DC’s (Win2003 SP1) and four Exchange servers (Win2003 SP1 with Exchange SP1).

The objective was to rename one of the three domains. (The domain without a child).

Before we started banging on the production environment, we made a test environment to test the rename and its impact on all third-part applications like Citrix, MSSQL based applications, HP Data Protector. After a month of testing and three successful renaming, we moved over to the production environment.


To increase your chance of a successful renaming your domain have to be in a good shape.

· Your event logs should be clean on all DC’s and Exchange servers
· “dcdiag /v /e /c” should be clean
· “netdiag /debug /v” should be clean

You need to have a domain member to act as the Control station (CS). Should be at least a Win2003 SP1 server. Log on to the control station with an enterprise admin (I guess you don’t bother the “run as” in this situation) and download the domain rename tools to this server (domainrename.exe and xdr-fixup.exe).

Install by running the domainrename.exe. It will install rendom.exe and gpfixup.exe to “C:\Program files\Microsoft Domain Rename Tools”

Copy both these files to “C:\Rename”

Now it’s time to take some System State backups of your domain controllers and keep them in a safe place.

In this documentation I will use theses domain names:

Old domain name:
New domain name: spurs.local

Create a new DNS zone:

· Open the DNS management consoll (dnsmgmt.msc)
· Right click “Forward Lookup Zones” > “Add new forward lookup zone”
· Call it “spurs.local” (without quotes)
· If you have a trusting domain, create the same zone as a secondary zone in the trusting domain

DNS suffix:

When you rename the domain the DNS suffix in the domain will change. Two conditions must be checked:

· The computers DNS suffix should be configured to change when the domain membership changes (default)
· No Group Policy must configured to set the primary DNS suffix to computers.

Do the renaming procedure:

Open cmd and change the directory to “C:\Rename”.

1. rendom /list

· This will create a list of the directory partitions in the forest
· Copy the “domainlist.xml” file to “domainlist-save.xml”
· Open “domainlist.xml” in Notepad and change it to the new forest description

2. rendom /showforest

· Verify that it reflect the new domain name

3. rendom /upload

· Generates the domain rename instructions
· Pushes the rename instruction to all DC’s
· Force a replication. “repadmin /syncall /APed”

4. rendom /prepare

· Verify that all DC’s are ready
· You should get an answer from all DC’s and they should NOT return an error. If they do, open “dclist.xml” (that was created in step 3). The DC’s that have reported errors will not be tagged with <state>prepared</state>. You have to troubleshoot any errors. DO NOT set the state to “prepared” manually in this file for any DCs!

You should fix any errors and re-run “rendom /prepare” until all DCs are in the “prepared” state.

5. rendom /execute

· If everything goes as planned you should get an answer from all DCs. The DCs will reboot automatically. When the DCs are back online the domain name is changed, but not the DNS suffix on the DCs itself. This has to be done manually on each DC in the renamed domain:

Add the new DNS suffix:

· netdom computername /add:dc01.spurs.local

Change the primary DNS suffix:

· netdom computername /makeprimary dc01.spurs.local

Reboot the server.

Remove the old DNS suffix:

· netdom computername dc01.spurs.local /

Reboot the CS twice!

5.1. Exchange

(still working from the CS):

Before you proceed to the Exchange specific tasks, you got to be sure you are not going back with a domain restore.

· xdr-fixup /s:domainlist-save.xml /e:domainlist.xml /trace:TRACEFILE /changes:CHANGESCRIPT.ldf

This will create two files. changescript.ldf and restorescript.ldf. You run this command only one time (not one time per Exchange server).

· ldifde -i -f changescript.ldf

(to revert, run “ldifde -i -f restorescript.ldf”)

· Restart all Exchange servers twice

6. rendom /end

· this will unfreeze the forest

Side steps:

Reestablish external trusts and validate:

· “nltest /” (from a DC in the renamed domain)

· “nltest /sc-query:spurs.local” (from the trusting domain)
Fix DFS topology (if you use DFS)

Fix GPO links:

gpfixup / /newdns:spurs.local /oldnb:tottenham /newnb:spurs /dc:dc01.spurs.local /user:administrator /pwd:password 2>1 > gpfixup.log

Look for errors in the created log.

Take a new System state of the DC’s.

Restart all other servers twice.

Verify the Exchange rename:

· xdrfixup /verify:restorescript.ldf /changes:verifycorrections.ldf

this should give you:

Verified that the server was renamed to exch01.spurs.local. Verify pass has completed.(it should list all Exchange servers involved in this output)

Verify/update the Recipient Update Services (RUS) which DC it should use.

If applicable, update the Active Directory Connector (ADC)

Reboot every computer in the domain twice. When it’s done. Do the last step **:

7. rendom /clean

Side steps:

· Authorize the DHCP server
· Delete the old Forward Lookup Zone from DNS
· dcdiag /v /e /c
· netdiag /debug /v
· Check Event logs

** If you have many domain member laptops out of the house during the rename, you can wait with step 7 until they have logged on the domain and rebooted twice. I think I waited a week before I ran step 7.

If you run step 7 and there are members that have not been booted twice you have to rejoin them to the domain. I made a script to keep track of computers that have not been updated with the new domain name.

''''''''''''''''''''''''''''''''''''''' Save me as a vbs file '''''''''''''''''''''''''''''''''''''''

On Error Resume Next


Set objFSO = CreateObject(“Scripting.FileSystemObject”)

””” Create a text file with all computers holding the old domain name

Set objResultsFile = objFSO.CreateTextFile(“C:\temp\tottenham.txt”, True)  Set objConnection = CreateObject(“ADODB.Connection”) Set objCommand = CreateObject(“ADODB.Command”) 

objConnection.Provider = “ADsDSOObject” objConnection.Open “Active Directory Provider” 

Set objCommand.ActiveConnection = objConnection objCommand.Properties(“Page Size”) = 1000 objCommand.Properties(“Searchscope”) = ADS_SCOPE_SUBTREE  

””’ Modify the query so that it responds to your domain 

objCommand.CommandText = _ “SELECT dnsHostName, distinguishedName FROM ‘LDAP://dc=spurs,dc=local'” & _ “WHERE objectCategory=’computer’ AND dnsHostName=’*'”

Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF 

objResultsFile.Write objRecordSet.Fields(“dnsHostName”).Value & ” –> OU: ” objResultsFile.Write objRecordSet.Fields(“distinguishedName”).Value objResultsFile.Writeline objRecordSet.MoveNext Loop

Wscript.Echo objRecordSet.RecordCount objResultsFile.Close

'''''' EOF ''

Documenting AD

1 comment February 10th, 2010

The documentation is a vital part of the admin’s day. It’s time consuming and when there are changes to the system, it’s you who got to update the documentation.  That can be boring!

Remember that outdated (or may I call it tombstoned?!) documentation can be worse than no documentation!

If you’re a System consultant that got the job setting up a domain, it’s always nice to hand over some documentation of the domain to the company that hired you.

Don’t worry, the help is out there just waiting for you! Microsoft have a great utility called “Active Directory Topology Diagrammer”. It reads the configuration of your domain/forest and generates/updates a Visio drawing of the hole domain/forest! Including all domain controllers, global catalogs, trusts, OU structure, sites, schema version, SP level, user count and so on.


Just tick the checkboxes you want and hit the “Discover” button. After a few seconds the discovery completes. Go get yourself a cup of nice warm coffee,  press the “Draw” button and enjoy your coffee while ADTD populates the Visio drawing for you

This tool can also draw your Exchange organization.

Download a free copy of ADTD here

If you don’t have Visio available you can download a 60 days free trial from MS here.