Awinish's Technical Blog

Lets continue the journey of learning & Share.!!

Archive for March, 2011

Friday Mail Sack: Directory Services by Ned Pyle (Technical Lead at Microsoft)

Posted by Awinish on March 25, 2011

Many of you probably know this already, but for those who don't: Ned Pyle (Technical Lead at Microsoft) shares his Directory Services knowledge every Friday in what is known as the Friday Mail Sack questions and answers, which is one of the best opportunities to learn about DS in depth and to clear up the doubts and myths around Directory Services. It appears every Friday (unless he is on leave or otherwise unavailable) and covers a plethora of interesting concepts and facts about Directory Services.

If you are eager to learn about the workings, concepts, design, bugs etc. of Directory Services, keep an eye on the Friday Mail Sack as well as Ned Pyle's blog at the link below. I can say firmly that it cleared up a lot of my doubts and sharpened my DS concepts; if you wish to learn, take a look, add it to your favourites or subscribe to the RSS feed. It is worth the reading and your time.

It's a great initiative by Ned and the DS team. Kudos to Ned and his team for the great work.

Take a look at his latest session on Dcdiag.

Friday Mail Sack



Posted in Directory Services, DNS/DHCP, Exchange, OS/Certificates, SCCM/SCOM | Tagged: , | Leave a Comment »

Windows 2008 R2 SP1 and Directory Services: What’s New

Posted by Awinish on March 13, 2011

There are a number of Directory Services fixes released with Windows 2008 R2 SP1.

Overall, 795 public fixes were rolled into SP1, and they are all listed here.

So it's time to roll out Windows 2008 R2 SP1 to all systems running Windows 2008 R2, but not before testing it in your lab environment.


Posted in Directory Services, Exchange | Tagged: , | Leave a Comment »

Joe's tools ADFIND & OLDCMP for AD

Posted by Awinish on March 9, 2011

I must say Joe is simply brilliant: he has developed wonderful tools that not only cut down the effort of writing scripts for searching, modifying or deleting objects in AD but also add lots of extras, and getting the reports in such an easy, readable format made me a fan of his tools. I have been using them in my lab, as I'm not in support, and I thought to myself that if I had known of or tried them earlier, I would have saved a lot of effort and time.

The usage and reports of the OLDCMP and ADFIND tools are better than any other available tool. I said better; this doesn't mean the other tools are not usable.

Download the OLDCMP tool from Joe's site; for the commands and usage, see the link below.

Download the ADFIND tool from Joe's site; for the commands and usage, see the link below.

A few sample commands, such as finding deleted user accounts in AD:

Joe’s Blog

Posted in Directory Services, Exchange, Scripts/Powershell | Tagged: , | 2 Comments »

DNS recommendations from Microsoft

Posted by Awinish on March 8, 2011

On many forums and posts I often see the question: how do I configure DNS on my domain controller? Should the primary DNS point to itself or to a secondary DNS server? Is it OK to configure the loopback IP? And what are the best practices?

I will not cover everything; I leave that to the link below. A few things I would like to mention:

  • NEVER use a public IP configured directly in the NIC, either on the DC or on the clients.
  • Public IPs (ISP DNS) used for external domain name resolution should always be configured in the Forwarders of the DNS servers.
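The two rules above are easy to audit from the DC itself. The script below is an added example, not part of the original post: it flags any NIC whose DNS server list contains a non-private IPv4 address and reports whether the DNS Server role on this box has forwarders at all. It assumes the DnsClient and DnsServer PowerShell modules (Windows Server 2012 or later); on 2008 R2 the same information is read from "ipconfig /all" and the DNS console. The private-range test and the message texts are this example's own choices.

```powershell
# Added example (not from the original post): audit DC DNS client settings and DNS Server
# forwarders against the two rules above. IPv6 is left out for brevity.
# Assumes: DnsClient / DnsServer modules (Windows Server 2012+ or RSAT).

# Returns $true for RFC 1918, loopback and link-local addresses; anything else counts
# as "public" for this check.
function Test-PrivateIPv4 {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b[0] -eq 10)  { return $true }
    if ($b[0] -eq 127) { return $true }
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $true }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $true }
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $true }
    return $false
}

function Get-DnsConfigFindings {
    $findings = @()

    # Rule 1: no public DNS server configured directly on any NIC.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            foreach ($srv in $_.ServerAddresses) {
                if (-not (Test-PrivateIPv4 $srv)) {
                    $findings += "NIC '$($_.InterfaceAlias)' points at public DNS $srv - move it to Forwarders"
                }
            }
        }

    # Rule 2: external resolution goes through forwarders on the DNS Server
    # (skipped when the DNS Server role / module is not present on this machine).
    if (Get-Command Get-DnsServerForwarder -ErrorAction SilentlyContinue) {
        $fwd = (Get-DnsServerForwarder).IPAddress
        if (-not $fwd) {
            $findings += "DNS Server has no forwarders configured - put the ISP DNS here, not on the NIC"
        }
    }
    return $findings
}

$result = Get-DnsConfigFindings
if ($result.Count -eq 0) { Write-Host "DNS client/forwarder settings follow the recommendations." }
else { $result | ForEach-Object { Write-Warning $_ } }
```

Run it on each DC; an empty result means every NIC resolves through a private (normally the DC's own or a partner DC's) address and the ISP resolvers, if any, live only in the Forwarders list.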

Ned Pyle from Microsoft has put together recommendations and best practices for DNS. So next time you are confused or looking for best practices, follow the link below.


Posted in Directory Services, DNS/DHCP, Exchange | Tagged: | 3 Comments »

Repadmin-Expert Cmd

Posted by Awinish on March 6, 2011

Did you know that repadmin is the best tool for Active Directory troubleshooting, editing and modifying? Few know there is something called repadmin /experthelp, which shows you the expert-level commands; they should be used with caution when making any change in AD.

You might have used basic switches with repadmin like /showreps, /showobjmeta, /replsummary etc., but it has more to offer with the expert commands.

You know AD replication works on a per-attribute basis, so if you want to see all the attributes replicated with another DC you can use repadmin /showobjmeta (cn=abc,ou=ouname,dc=corp,dc=contoso,dc=com). It shows all the replicated attributes with the date and USN number, and best of all, in order.

I remember a situation where I wanted to track which DC had performed a password change; I used the repadmin /showobjmeta command and it gave me the complete listing.
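The password-change case above can be scripted from the same replication metadata that repadmin /showobjmeta prints. The function below is an added example, not code from the original post: it reads the per-attribute metadata of a user object and keeps only the password-related attributes, so the originating DSA column tells you which DC wrote the change and when. It assumes the ActiveDirectory module (RSAT / Windows Server 2012 or later); the function name and the attribute list are this example's own choices.

```powershell
# Added example (not from the original post): which DC originated the last password
# change for an account, from replication metadata (the data behind repadmin /showobjmeta).
# Assumes: ActiveDirectory module (RSAT or Windows Server 2012+).
Import-Module ActiveDirectory

function Get-PasswordChangeOrigin {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        # DC to read the metadata from. Any DC works: the originating DSA is stored
        # with each attribute and replicates with it.
        [string]$Server = [string](Get-ADDomainController -Discover).HostName
    )
    $dn = (Get-ADUser -Identity $SamAccountName -Server $Server).DistinguishedName

    # A password set/change touches unicodePwd, pwdLastSet and the history attribute;
    # their originating DSA, USN and timestamp show where and when it was written.
    Get-ADReplicationAttributeMetadata -Object $dn -Server $Server |
        Where-Object { 'unicodePwd','pwdLastSet','ntPwdHistory' -contains $_.AttributeName } |
        Select-Object AttributeName, Version, LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity,
                      LastOriginatingChangeUsn, LocalChangeUsn
}

# Usage (hypothetical account name):
# Get-PasswordChangeOrigin -SamAccountName 'jdoe' | Format-Table -AutoSize
```

LastOriginatingChangeDirectoryServerIdentity is the DC that accepted the change; the Security log on that DC (event 4723 for a user changing their own password, 4724 for an administrative reset) then tells you who performed it. The Version counter is also useful: a jump of several versions between two checks means the password was set more than once in between.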

To know more, take a look at the link below.

Understanding Urgent Replication

Posted in Directory Services | Tagged: | Leave a Comment »

Upgrade from Windows 2000/2003 to 2008/2008 R2 Domain Controllers

Posted by Awinish on March 4, 2011

One question which I often come across is how to upgrade your domain from windows 2003 to windows 2008 or 2008 R2.

Most organizations run their domain controllers on Windows 2003 x86 (32-bit), while Windows 2008 R2 is available only in x64 (64-bit). Initially, when organizations wanted to upgrade their domain from Windows 2000 to 2003, they used ADPREP.EXE, as 99% of organizations had their DCs on 32-bit systems.

Now you too have decided to upgrade your domain controllers to Windows 2008 R2, which is only available in x64, and while looking for ADPREP.EXE you find that both ADPREP32.EXE and ADPREP.EXE are available on the Windows 2008 R2 media. Now you are confused about which one to use on the 32-bit Windows 2003 DC to prepare the schema so you can introduce x64 (2008 or 2008 R2) domain controllers.

Thinking ADPREP32.EXE is meant for 32-bit DCs, and since you are going to use Windows 2008 R2 which is x64, you decide to run ADPREP.EXE on your Windows 2000 or 2003 DC, which is 32-bit, and what's next? You get an error. Scratching your head, you look here and there, checking your Active Directory health using DCDIAG and NETDIAG (NETDIAG is not available in Windows 2008 and above), but everything is fine. Then you verify replication using the REPADMIN and REPLMON (REPLMON is not available in Windows 2008 and above) tools; that is also fine. You re-check the account used for ADPREP, which has to be a member of Schema Admins, Enterprise Admins and Domain Admins; that too is in place. So what is wrong, making ADPREP fail when everything is in place?

Well, nothing is wrong, but you chose the wrong version of ADPREP. MS has released two versions: ADPREP32.EXE, which has to run on a 32-bit DC, and ADPREP.EXE, which has to run on a 64-bit DC. There is no difference between ADPREP32.EXE and ADPREP.EXE; both do the same job, and the two builds exist only for compatibility with 32-bit and 64-bit OS.

This time you go ahead and try ADPREP32.EXE from the 2008 or 2008 R2 media, and you find it working.

I have found that people have a doubt: if I upgrade the schema from Windows 2000/2003 to 2008/2008 R2, will there be any issue? To clear that doubt: ADPREP only adds new attributes and classes; it does not modify or delete already existing attributes or classes.

One more important thing: if you have multiple domains or domain controllers across a large site base, wait for the replication cycle to finish and make sure the changes have replicated to all the DCs; only then proceed.

You need to run the commands below on the following DC servers only, not on a member server or on the new Windows 2008 R2 server that is going to be the additional DC:

Command                           Domain Controller
adprep.exe /forestprep            Schema Master
adprep.exe /domainprep            Infrastructure Master
adprep.exe /domainprep /gpprep    Infrastructure Master
adprep.exe /rodcprep *            Domain Naming Master / IM (can be executed on any DC)

* This command is optional. Run it only if you want to install a read-only domain controller (RODC). There is no harm in running it anyway.

adprep.exe /domainprep /gpprep is not required if you are upgrading your domain from Windows 2003/2003 R2 to Windows 2008/2008 R2; it is only required during an upgrade from Windows 2000 to 2003/R2 or 2008/R2.

The function of gpprep is to add permissions on the policy folders in Sysvol.

Only once you have verified that everything is fine should you proceed; that is the only way to achieve an error-free upgrade.

To know more about adprep /forestprep, adprep /domainprep and adprep /domainprep /gpprep, and why we need to run them, refer below.

AD Schema Version:

OS Version          Schema Version
Windows 2012 R2     69
Windows 2012        56
Windows 2008 R2     47
Windows 2008        44
Windows 2003 R2     31
Windows 2003        30
Windows 2000        13


How to find the current schema version:

dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion

In a multi-domain environment you sometimes don't run domainprep after forestprep; the reason could be that you don't want to upgrade all the domains, or that it has been postponed to a later time due to business requirements. In this case, to find out whether domainprep was run earlier or not, you can check the revision attribute.

AD Revision Version:

OS Version          Revision Version
Windows 2012        11
Windows 2008 R2     5
Windows 2008        3


dsquery * CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,dc=domainname,dc=local -scope base -attr revision

In a multiple-domain forest, use only the forest root domain (domain.local) in the schema query, because the schema is common to the whole forest and the schema master runs on only the one DC holding that role.

To find out which DC holds a DNS application partition, run the commands below. To find the DC holding DomainDnsZones for a particular domain, provide that domain's name; to find the DC holding the ForestDnsZones partition, enter the root domain.

dsquery * CN=Infrastructure,DC=DomainDnsZones,DC=Domain,DC=com -attr fSMORoleOwner

dsquery * CN=Infrastructure,DC=forestDnsZones,DC=Domain,DC=com -attr fSMORoleOwner
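The three dsquery lookups above (schema objectVersion, domainprep revision and the fSMORoleOwner of the DNS partitions), together with the role holders that adprep must be run on, can be collected in one go. The script below is an added example, not code from the original post: it reads the same attributes through the [ADSI] type accelerator, so it works on a 2003/2008 DC without the ActiveDirectory module, and maps the numbers with the two tables from the post (copied verbatim, so an unlisted value prints as "unknown"). The function names and the output layout are this example's own choices.

```powershell
# Added example (not from the original post): schema version, domainprep revision and the
# FSMO / DNS-partition role holders, read with [ADSI] only (no AD module needed).
# The version tables are copied from the post.

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = [string]$rootDse.schemaNamingContext
$domainNC = [string]$rootDse.defaultNamingContext
$configNC = [string]$rootDse.configurationNamingContext
$forestNC = [string]$rootDse.rootDomainNamingContext

# Tables from the post: schema objectVersion and domainprep revision per OS.
$schemaTable   = @{ 13='Windows 2000'; 30='Windows 2003'; 31='Windows 2003 R2'; 44='Windows 2008';
                    47='Windows 2008 R2'; 56='Windows 2012'; 69='Windows 2012 R2' }
$revisionTable = @{ 3='Windows 2008'; 5='Windows 2008 R2'; 11='Windows 2012' }

# "CN=NTDS Settings,CN=DC01,CN=Servers,CN=Site,..." -> "DC01"
function Convert-NtdsDnToServer([string]$NtdsDn) {
    if (-not $NtdsDn) { return '<none>' }
    return (($NtdsDn -split ',')[1] -replace '^CN=', '')
}

# DC name from the fSMORoleOwner attribute of $Dn, or a marker if the object is missing
# (e.g. a DNS application partition that has not been created in this domain).
function Get-RoleOwner([string]$Dn) {
    try   { Convert-NtdsDnToServer ([ADSI]"LDAP://$Dn").fSMORoleOwner.Value }
    catch { '<object not found>' }
}

function Get-AdPrepState {
    # One schema per forest: this is why the post says to query the forest root only.
    $schemaVer = [int]([ADSI]"LDAP://$schemaNC").objectVersion.Value
    $schemaOs  = if ($schemaTable.ContainsKey($schemaVer)) { $schemaTable[$schemaVer] } else { 'unknown' }

    # The revision object exists only once domainprep has run in this domain.
    $revision = $null
    try {
        $revision = [int]([ADSI]"LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNC").revision.Value
    } catch { }
    if (-not $revision)                              { $revisionOs = 'domainprep not run in this domain' }
    elseif ($revisionTable.ContainsKey($revision))   { $revisionOs = $revisionTable[$revision] }
    else                                             { $revisionOs = 'unknown' }

    New-Object PSObject -Property @{
        SchemaVersion        = "$schemaVer ($schemaOs)"
        DomainPrepRevision   = "$revision ($revisionOs)"
        # Where adprep /forestprep and /domainprep have to be run (table in the post).
        SchemaMaster         = Get-RoleOwner $schemaNC
        InfrastructureMaster = Get-RoleOwner "CN=Infrastructure,$domainNC"
        DomainNamingMaster   = Get-RoleOwner "CN=Partitions,$configNC"
        # Infrastructure role of the DNS application partitions (the dsquery lines above).
        DomainDnsZonesOwner  = Get-RoleOwner "CN=Infrastructure,DC=DomainDnsZones,$domainNC"
        ForestDnsZonesOwner  = Get-RoleOwner "CN=Infrastructure,DC=ForestDnsZones,$forestNC"
    }
}

Get-AdPrepState | Format-List
```

Run it once before and once after each adprep step: the schema version should move to the value for the target OS, the revision object should appear (or advance) in every domain where domainprep has run, and the role holders tell you on which DC each command belongs.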

References to the AD upgrade in windows 2008 or 2008 R2

Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains

Upgrade Domain Controllers: Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains

Performing an Active Directory Health Check Before Upgrading

A few steps prior to preparing your environment for Windows 2008 or 2008 R2:

  • Check your domain and domain controller health using the dcdiag and netdiag tools (netdiag is not available in Windows 2008 and above).
  • Check replication using the repadmin tool.
  • Check DNS name resolution and its related errors in the event log.
  • Check for errors related to Sysvol and FRS.
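The four checks above are the ones to run (and keep the output of) before touching adprep. The script below is an added example, not part of the original post: it runs each check from one place and appends the output to a single report file for review. The dcdiag and repadmin switches are the documented ones; netdiag is called only when the executable is present, since it does not exist on 2008 and above. The event log names, the seven-day window, the section titles and the report path are this example's assumptions.

```powershell
# Added example (not from the original post): pre-upgrade health checks gathered into one
# report. Run on a DC with an account that can read the event logs.

$since  = (Get-Date).AddDays(-7)                       # assumption: look back one week
$report = Join-Path $env:TEMP ("ad-prep-health-{0:yyyyMMdd-HHmm}.txt" -f (Get-Date))

# Runs one check and appends its output (or the failure) under a heading.
function Add-Section([string]$Title, [scriptblock]$Body) {
    "`n=== $Title ===" | Out-File -FilePath $report -Append
    try   { & $Body 2>&1 | Out-String | Out-File -FilePath $report -Append }
    catch { "FAILED: $_" | Out-File -FilePath $report -Append }
}

# 1. Domain and DC health (dcdiag everywhere; netdiag only where it exists, i.e. 2003)
Add-Section 'dcdiag (all tests, verbose)' { dcdiag /c /v }
Add-Section 'dcdiag DNS test'             { dcdiag /test:dns /v }
if (Get-Command netdiag.exe -ErrorAction SilentlyContinue) {
    Add-Section 'netdiag (Windows 2003 only)' { netdiag /v }
}

# 2. Replication
Add-Section 'repadmin replication summary' { repadmin /replsummary }
Add-Section 'repadmin replication errors'  { repadmin /showrepl * /errorsonly }

# 3. DNS errors and warnings in the event log
Add-Section 'DNS Server log (errors/warnings)' {
    Get-EventLog -LogName 'DNS Server' -EntryType Error,Warning -After $since -ErrorAction Stop |
        Select-Object TimeGenerated, EventID, Source, Message
}

# 4. Sysvol / FRS errors and warnings
Add-Section 'File Replication Service log (errors/warnings)' {
    Get-EventLog -LogName 'File Replication Service' -EntryType Error,Warning -After $since -ErrorAction Stop |
        Select-Object TimeGenerated, EventID, Source, Message
}

Write-Host "Report written to $report"
```

A report with no repadmin errors, "passed" for every dcdiag test and empty DNS/FRS sections is the state to be in before running adprep; anything else in the file is what to fix first, on the DC it points at.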

Troubleshooting ADPREP errors.

Happy upgrading..

Posted in Directory Services | Tagged: , , | 52 Comments »

Understanding AdminSDHolder and Protected Groups

Posted by Awinish on March 1, 2011

If you have faced an issue where you add a domain user to a protected group like Administrators, Domain Admins, Enterprise Admins, Schema Admins, Account Operators etc. and after an hour or so the membership disappears, you are left scratching your head wondering who did it. You start investigating and come to know it is "AdminSDHolder", which resides in the System container and resets the ACL to preserve the protected groups from misuse; it is a built-in function. You can disable the automatic reset of permissions on protected/built-in groups, but I would say you are inviting security flaws into your environment.
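Before anyone considers switching that protection off, it helps to see what SDProp has actually done in the domain. The script below is an added example, not code from the original post: it lists every user that SDProp has stamped with adminCount=1, whether the user is still a member of a protected group, and whether ACL inheritance is blocked on the object, which is the visible effect of AdminSDHolder. It assumes the ActiveDirectory module (RSAT); the protected-group list is the groups named in the post plus the other default ones, an assumption to compare with your own domain.

```powershell
# Added example (not from the original post): what AdminSDHolder / SDProp has applied in
# this domain. Assumes: ActiveDirectory module (RSAT) and read access to the objects.
Import-Module ActiveDirectory

# Groups named in the post plus the other default protected groups (assumption).
$protectedGroups = 'Administrators','Domain Admins','Enterprise Admins','Schema Admins',
                   'Account Operators','Server Operators','Backup Operators','Print Operators'

function Get-ProtectedMemberDns {
    # DN -> group name for every (recursive) member of the protected groups in this domain.
    $dns = @{}
    foreach ($name in $protectedGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }   # Enterprise/Schema Admins exist only in the forest root
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $dns[$_.DistinguishedName] = $name }
    }
    return $dns
}

function Get-AdminSDHolderState {
    $members = Get-ProtectedMemberDns
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount | ForEach-Object {
        # SDProp copies the AdminSDHolder ACL onto the object and blocks inheritance.
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        $group = if ($members.ContainsKey($_.DistinguishedName)) { $members[$_.DistinguishedName] }
                 else { '<none - orphaned adminCount>' }
        New-Object PSObject -Property @{
            SamAccountName     = $_.SamAccountName
            ProtectedGroup     = $group
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
    }
}

Get-AdminSDHolderState |
    Sort-Object ProtectedGroup |
    Format-Table SamAccountName, ProtectedGroup, InheritanceBlocked -AutoSize
```

Accounts that show "orphaned adminCount" were removed from a protected group but keep the non-inherited ACL; SDProp never clears that on its own, so review them and, per your own policy, clear adminCount and re-enable inheritance rather than turning the protection off for everyone.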

If you want to understand the details of AdminSDHolder and how it works, take a look at the link posted below. MVP John Policelli has explained it in depth on his blog, and I thought of sharing it with the readers of my blog too.

Five common questions about AdminSdHolder and SDProp


Posted in Directory Services | Tagged: | Leave a Comment »