Awinish's Technical Blog

Let's continue the journey of learning & sharing!

Posts Tagged ‘Active Directory’

Active Directory/GPO Guides

Posted by Awinish on July 2, 2011

Post-Graduate AD Studies

Everything you need to get started with Active Directory

Infrastructure Planning and Design

AD DS Design Guide

Active Directory Domain Services Operations Guide

Windows Server 2008 Step-by-Step Guides

Active Directory Design Guide by Microsoft

Remote Desktop Services in Windows Server 2008 R2: Step-by-Step Guides

Microsoft has released a "Group Policy for Beginners" guide. I saw the guide and found it really helpful for beginners who actually want to start from the basics. It can be found at the link below.

To read it online, refer to the links below.

Group policy master site(Videos,Guides etc.)

Group policy webcast series video


Posted in Directory Services, Group Policy | Tagged: , | 3 Comments »

Configuring DNS in child domain

Posted by Awinish on April 9, 2011

I have seen people on various forums and blogs getting confused about how to configure the DNS server in a child domain for resolution of the parent domain's names. The confusion is: should the child DC point to itself as its DNS server, or to the parent's DNS server, so that names in both the parent and the child domain resolve? To make life easier and remove the confusion, I thought of writing this article on my blog.

Firstly, understand that DNS is the backbone of AD, and most of the issues we face in our environments are caused by improper DNS server configuration. In a few posts I saw people using a public IP or their ISP's DNS address directly as the preferred DNS server on the NIC of their servers and domain systems, which is absolutely wrong. The reason: when a lookup for a record in your own domain is performed, the resolver first checks the local hosts file (in the "etc" folder under the system directory) and its cache; if nothing is found there, it sends the query to the preferred DNS server configured on the NIC. If that preferred address is a public or ISP resolver, the query for your internal domain goes straight to that external server, which either answers "no such name" or lets the request time out, because your domain and its records exist only on your local DNS server. How can a DNS server hosted outside your domain know of a private domain for which it holds no records? From a security perspective it is also a leak: every internal host name and service locator (SRV) lookup your machines perform is handed to a resolver outside your control, which maps your infrastructure for an attacker, and a DNS server you do not control is in a position to return whatever answers it likes to your domain members.

Public resolver addresses belong in the Forwarders tab of your local DNS server. If you run multiple DNS servers in your domain, configure the forwarders on every one of them, and obtain the forwarder address from your ISP rather than pointing at an arbitrary public resolver: external name resolution should pass through your ISP's DNS servers. Whatever forwarder you choose, never put a public or ISP address directly on a DC or server's NIC as the preferred or alternate DNS server; that is what exposes the environment, because every internal lookup from that machine is then answered (or not) by a server you do not control.

Question: How do I set up DNS for a child domain?

Answer: To set up DNS for a child domain, create a delegation record on the parent DNS server for the child DNS server. Create a secondary zone on the child DNS server that transfers the parent zone from the parent DNS server.

Note: Windows Server 2003 has additional types of zones, such as Stub Zones and forest-level integrated Active Directory zones, that may be a better fit for your environment.

Set the child domain controller to point to itself first. As soon as an additional domain controller is available, set the child domain controller to point to this domain controller in the child domain as its secondary.

How To Create a Child Domain in Active Directory and Delegate the DNS Namespace to the Child Domain

Note: Ignore the OS version mentioned in the article; it applies to all Windows versions, as the DNS concepts have not changed.
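The delegation, the child-side zone and the client settings described above, as an added PowerShell example (not from the original post or the Microsoft article). It assumes a parent domain contoso.com served by dc1.contoso.com (10.0.0.10), a child domain child.contoso.com whose first DC is dc1.child.contoso.com (10.0.1.10) with a second child DC at 10.0.1.11, a forwarder address 203.0.113.53 standing in for whatever your ISP gave you, and the DnsServer/DnsClient modules that ship with Windows Server 2012 and later (or RSAT). All names and addresses are made up; it uses a stub zone on the child side, which the note above mentions as an alternative to the secondary zone in the KB text.

```powershell
# Added example (not from the original post). Assumed names/addresses:
#   parent zone  contoso.com        parent DNS  dc1.contoso.com        10.0.0.10
#   child zone   child.contoso.com  child DCs   dc1.child.contoso.com  10.0.1.10
#                                               dc2.child.contoso.com  10.0.1.11
# Requires the DnsServer and DnsClient modules (Windows Server 2012+ / RSAT).
Import-Module DnsServer, DnsClient

$ParentZone  = 'contoso.com'
$ChildLabel  = 'child'
$ParentDns   = '10.0.0.10'
$ChildDcName = 'dc1.child.contoso.com'
$ChildDcIp   = '10.0.1.10'
$ChildDc2Ip  = '10.0.1.11'
$IspForwarder = '203.0.113.53'   # placeholder: use the address your ISP gave you

# 1. On the PARENT DNS server: delegate the child namespace to the child DC.
#    This writes the NS record for child.contoso.com plus the glue A record.
Add-DnsServerZoneDelegation -ComputerName $ParentDns -Name $ParentZone `
    -ChildZoneName $ChildLabel -NameServer $ChildDcName -IPAddress $ChildDcIp

# 2. On the CHILD DNS server: make the parent zone resolvable locally.
#    The KB text uses a secondary zone; an AD-integrated stub zone (forest-wide)
#    is the lighter option available since Windows Server 2003, so it is used here.
Add-DnsServerStubZone -Name $ParentZone -MasterServers $ParentDns -ReplicationScope 'Forest'

# 3. Client settings on the child DC: internal DNS only (another child DC first,
#    itself second), never an ISP or public resolver.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $ChildDc2Ip, $ChildDcIp

# 4. Internet resolution goes through forwarders on the DNS SERVER, not the NIC.
Set-DnsServerForwarder -IPAddress $IspForwarder -UseRootHint $false

# --- Checks -------------------------------------------------------------------

# RFC 1918 / loopback test for the addresses found in NIC DNS settings.
function Test-InternalIPv4 {
    param([string]$Ip)
    $b = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($b[0] -eq 10) -or ($b[0] -eq 127) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Flag any interface whose DNS client points outside the private ranges
# (the misconfiguration described above).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        foreach ($srv in $_.ServerAddresses) {
            if (-not (Test-InternalIPv4 $srv)) {
                Write-Warning "$($_.InterfaceAlias): DNS server $srv is not an internal address"
            }
        }
    }

# Both directions must resolve once delegation and stub zone are in place:
Resolve-DnsName -Name $ParentZone -Type NS -Server $ChildDcIp                  # parent, via stub zone
Resolve-DnsName -Name "$ChildLabel.$ParentZone" -Type NS -Server $ParentDns    # child, via delegation
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ParentZone" -Type SRV -Server $ChildDcIp
```

Run steps 1 and 2 on the respective servers (or with -ComputerName from a management host); the three Resolve-DnsName calls at the end are the test that the parent can find the child's name servers and the child can locate the parent's domain controllers. On Windows Server 2008 R2 the same steps are done with dnscmd and netsh, the concepts are identical.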


Posted in Directory Services, DNS/DHCP, Exchange | Tagged: , | 6 Comments »

Friday Mail Sack: Directory Services by Ned Pyle (Technical Lead at Microsoft)

Posted by Awinish on March 25, 2011

Many of you probably know this already, but for those who don't: Ned Pyle (Technical Lead at Microsoft) shares his Directory Services knowledge every Friday in a question-and-answer post known as the Friday Mail Sack, which gives us a great opportunity to learn about DS in depth and clear up doubts and myths related to Directory Services. It appears every Friday (unless he is on leave or otherwise unavailable) and covers a plethora of interesting concepts and facts about Directory Services.

If you are eager to know the workings, concepts, design, bugs etc. related to Directory Services, keep an eye on the Friday Mail Sack as well as Ned Pyle's blog at the link below. I can say firmly that it cleared a lot of my doubts and enhanced my DS concepts; if you wish to learn, take a look, bookmark it or subscribe to its RSS feed. It is worth reading and worth your time.

It's a great initiative by Ned and the DS team. Kudos to Ned and his team for the great work.

Take a look at his latest session on Dcdiag.

Friday Mail Sack


Posted in Directory Services, DNS/DHCP, Exchange, OS/Certificates, SCCM/SCOM | Tagged: , | Leave a Comment »

Windows 2008 R2 SP1 and Directory Services: What’s New

Posted by Awinish on March 13, 2011

There are a number of Directory Services fixes released with Windows 2008 R2 SP1.

Overall, 795 public fixes were rolled into SP1, and they are all listed here.

So it is time to roll out Windows 2008 R2 SP1 to all systems running Windows 2008 R2, but not before testing it in your lab environment.


Posted in Directory Services, Exchange | Tagged: , | Leave a Comment »

Joe's tools ADFIND & OLDCMP for AD

Posted by Awinish on March 9, 2011

I must say Joe is simply brilliant: he has developed a wonderful tool which not only cuts down the effort of writing scripts for searching, modifying or deleting objects in AD but also adds lots of add-ons, and getting the report in such an easily readable format made me a fan of his tool. Using it in my lab (as I'm not in support) made me feel that, had I known of or tried it earlier, I would have saved a lot of effort and time.

The usage and reports of OLDCMP and ADFIND are better than those of any other available tool. I said better; that doesn't mean the other tools are unusable.

Download the OLDCMP tool from Joe's site; for commands and usage, see the link below.

Download the ADFIND tool from Joe's site; for commands and usage, see the link below.

A few sample commands, like finding deleted user accounts in AD:

Joe’s Blog
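The two reports the post mentions, deleted user accounts and stale accounts of the kind OLDCMP hunts for, done with the ActiveDirectory PowerShell module, added here as an example. This is not ADFIND or OLDCMP and does not reproduce their switches; it assumes RSAT with the ActiveDirectory module (Windows Server 2008 R2 or later) and an account that can read deleted objects.

```powershell
# Added example, not ADFIND/OLDCMP: the same two reports done with the
# ActiveDirectory module (Windows Server 2008 R2 RSAT or later).
Import-Module ActiveDirectory

# 1. Deleted user objects: tombstones, or recycled objects if the AD Recycle Bin is on.
#    -IncludeDeletedObjects is required; deleted objects are hidden from normal searches.
function Get-DeletedUsers {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    Get-ADObject -IncludeDeletedObjects `
        -LDAPFilter '(&(objectClass=user)(isDeleted=TRUE))' `
        -Properties lastKnownParent, whenChanged, sAMAccountName, isRecycled |
        Where-Object { $_.whenChanged -ge $since } |
        Select-Object sAMAccountName, lastKnownParent, whenChanged, isRecycled |
        Sort-Object whenChanged -Descending
}

# 2. Stale accounts: users with no logon for N days (lastLogonTimestamp-based, so only
#    accurate to about 14 days), and computers whose machine password has not rotated,
#    which is what OLDCMP's age check keys on.
function Get-StaleAccounts {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)

    $users = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($Days)) -UsersOnly |
        Select-Object Name, SamAccountName, LastLogonDate, Enabled, @{n='Kind'; e={'user'}}

    $computers = Get-ADComputer -Filter { PasswordLastSet -lt $cutoff } -Properties PasswordLastSet, Enabled |
        Select-Object Name, SamAccountName, @{n='LastLogonDate'; e={$_.PasswordLastSet}}, Enabled, @{n='Kind'; e={'computer'}}

    @($users) + @($computers)
}

# Usage: write both reports to CSV for review. Disable first, delete later.
Get-DeletedUsers  -Days 30 | Export-Csv -NoTypeInformation .\deleted-users.csv
Get-StaleAccounts -Days 90 | Export-Csv -NoTypeInformation .\stale-accounts.csv
# Get-StaleAccounts -Days 90 | Where-Object { $_.Enabled } |
#     ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

The deleted-object query only reaches back as far as the tombstone lifetime (60 or 180 days depending on when the forest was created), and service accounts that authenticate with Kerberos only against one DC can show as inactive because lastLogonTimestamp is deliberately coarse; review the CSV before acting on it.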

Posted in Directory Services, Exchange, Scripts/Powershell | Tagged: , | 2 Comments »

Repadmin: Expert Commands

Posted by Awinish on March 6, 2011

Do you know that repadmin is the best tool for troubleshooting Active Directory replication and for inspecting or modifying replication state? Few know that there is a repadmin /experthelp switch which lists the expert-level commands; these can change AD state and should be used with caution.

You might have used basic switches with repadmin like /showreps, /showobjmeta, /replsummary etc., but it has more to offer in the expert commands.

AD replication works on a per-attribute basis, so if you want to see every attribute of an object together with its replication metadata, use repadmin /showobjmeta <DC> <ObjectDN>, for example repadmin /showobjmeta dc1 "cn=abc,ou=ouname,dc=corp,dc=contoso,dc=com". It lists each attribute with the originating DC, the date and time of the change, the version and the USN, in order.

I remember a situation where I wanted to track which DC had performed a password change; I used the repadmin /showobjmeta command and it gave me the complete listing.
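Finding which DC originated the last password change, as an added PowerShell example (not from the post): it runs repadmin /showobjmeta and picks out the originating DSA for the password-related attributes. Because the output is parsed with a regular expression, a constructed sample of repadmin output is embedded to show the shape the parser expects; the DC name and distinguished name in the usage line are placeholders.

```powershell
# Added example, not from the original post.
# Parse "repadmin /showobjmeta <DC> <DN>" and report which DC originated the
# most recent change to each password-related attribute.

$PasswordAttrs = 'unicodePwd', 'dBCSPwd', 'ntPwdHistory', 'lmPwdHistory',
                 'pwdLastSet', 'supplementalCredentials'

# One line per attribute in the /showobjmeta table:
#   Loc.USN   Originating DSA   Org.USN   Org.Time/Date   Ver   Attribute
# Linked-value lines (member, memberOf) have a different shape and are skipped.
$LinePattern = '^\s*(?<locusn>\d+)\s+(?<dsa>\S+)\s+(?<orgusn>\d+)\s+' +
               '(?<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?<ver>\d+)\s+(?<attr>\S+)\s*$'

function ConvertFrom-ShowObjMeta {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $LinePattern) {
            [pscustomobject]@{
                Attribute      = $Matches.attr
                OriginatingDSA = $Matches.dsa            # Site\DC that accepted the write
                OriginatingUSN = [int64]$Matches.orgusn
                LocalUSN       = [int64]$Matches.locusn
                Version        = [int]$Matches.ver       # increments on every change
                # repadmin prints the time in the local time zone of the machine you run it on
                Changed        = [datetime]::ParseExact($Matches.when, 'yyyy-MM-dd HH:mm:ss', $null)
            }
        }
    }
}

function Get-PasswordChangeOrigin {
    param([string]$Dc, [string]$Dn)
    # repadmin wants the DC first, then the DN (no parentheses around the DN).
    $raw = & repadmin /showobjmeta $Dc $Dn
    ConvertFrom-ShowObjMeta $raw |
        Where-Object { $PasswordAttrs -contains $_.Attribute } |
        Sort-Object Changed -Descending
}

# Constructed sample of repadmin output (not captured from a real forest),
# to show the shape the parser expects.
$Sample = @'
12 entries.
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
   8194                        Default-First-Site-Name\DC1       8194 2011-03-01 09:00:12    1 objectClass
  24011                        Default-First-Site-Name\DC2      31877 2011-03-06 11:42:07    3 unicodePwd
  24012                        Default-First-Site-Name\DC2      31878 2011-03-06 11:42:07    3 pwdLastSet
  24013                        Default-First-Site-Name\DC2      31879 2011-03-06 11:42:07    3 ntPwdHistory
'@ -split "`r?`n"

ConvertFrom-ShowObjMeta $Sample |
    Where-Object { $PasswordAttrs -contains $_.Attribute } |
    Format-Table Attribute, OriginatingDSA, Changed, Version -AutoSize
# In the sample, unicodePwd, pwdLastSet and ntPwdHistory all originated on
# Default-First-Site-Name\DC2 at 2011-03-06 11:42:07, i.e. DC2 took the password change.

# Real run (placeholders for DC and DN):
# Get-PasswordChangeOrigin -Dc 'dc1' -Dn 'CN=abc,OU=ouname,DC=corp,DC=contoso,DC=com'
```

A version number that jumps by more than one between two runs means a change you did not see; and because password changes are urgently replicated to the PDC emulator, the originating DSA is still the DC that accepted the write, not the PDC, which is exactly why this is the right way to trace one. On Windows Server 2012 and later the ActiveDirectory module's Get-ADReplicationAttributeMetadata returns the same fields as objects without any parsing.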

To know more, take a look at below link.

Understanding Urgent Replication

Posted in Directory Services | Tagged: | Leave a Comment »

Upgrade from Windows 2000/2003 to 2008/2008 R2 Domain Controllers

Posted by Awinish on March 4, 2011

One question I often come across is how to upgrade your domain from Windows 2003 to Windows 2008 or 2008 R2.

Most organizations run their domain controllers on Windows 2003 x86 (32-bit), while Windows 2008 R2 is available only as x64 (64-bit). When they upgraded from Windows 2000 to 2003 they ran ADPREP.EXE, as 99% of organizations had their DCs on 32-bit systems.

Now you too have decided to upgrade your domain controllers to Windows 2008 R2, which is x64 only. Looking for ADPREP.EXE, you find that both ADPREP32.EXE and ADPREP.EXE are present on the Windows 2008 R2 media (under \support\adprep), and you are confused about which one to run on your 32-bit Windows 2003 DC to prepare the schema so that you can introduce x64 (2008 or 2008 R2) domain controllers.

Thinking ADPREP32.EXE is for 32-bit DCs and that, since you are moving to x64 Windows 2008 R2, ADPREP.EXE is the one to run on your 32-bit Windows 2000 or 2003 DC, you run it and get an error. You scratch your head, check Active Directory health with DCDIAG and NETDIAG (NETDIAG is not available in Windows 2008 and above) and everything is fine. You verify replication with REPADMIN and REPLMON (REPLMON is also not available in Windows 2008 and above) and that is fine too. You re-check that the account used for ADPREP is a member of Schema Admins, Enterprise Admins and Domain Admins (of the forest root domain), and it is. So what is wrong, making ADPREP fail when everything is in place?

Well, nothing is wrong; you chose the wrong build of ADPREP. MS ships two builds: ADPREP32.EXE, which runs on a 32-bit DC, and ADPREP.EXE, which runs on a 64-bit DC. There is no other difference between them; both do the same job, and the two builds exist only for compatibility with 32-bit and 64-bit OS.

This time you run ADPREP32.EXE from the Windows 2008 R2 media, and it works.

People also doubt whether upgrading the schema from Windows 2000/2003 to 2008/2008 R2 will cause issues. To clear the doubt: ADPREP adds new attributes and classes (and extends some existing class definitions); it never deletes existing attributes or classes. A schema extension cannot be rolled back, though, so take a system state backup of the schema master before running /forestprep.

One more important thing: if you have multiple domains, or many domain controllers spread over a large number of sites, wait for the replication cycle to finish and make sure the schema changes have replicated to all DCs (repadmin /replsummary should show no failures) before proceeding to the next step.

Run the commands below on the following FSMO role holders only, not on a member server or on the new Windows 2008 R2 server that is going to become an additional DC:

Command                          Domain controller to run it on
adprep.exe /forestprep           Schema master (in the forest root domain)
adprep.exe /domainprep           Infrastructure master of each domain
adprep.exe /domainprep /gpprep   Infrastructure master of each domain
adprep.exe /rodcprep             Any DC in the forest; it contacts the infrastructure master of each domain and of the DNS application partitions. This command is optional: run it only if you want to install a read-only domain controller (RODC). There is no harm in running it anyway.

adprep.exe /domainprep /gpprep is not required if you are upgrading from Windows 2003/2003 R2 to Windows 2008/2008 R2 and it was already run when the domain was upgraded from Windows 2000; it is required when the domain is coming straight from Windows 2000 (to 2003/R2 or 2008/R2), or if it was skipped back then.

gpprep adds inheritable permissions on the policy folders in SYSVOL (so that RSoP planning mode works) and, as a side effect, makes FRS re-replicate every GPO folder; run it in a maintenance window.

Only proceed once you have verified that everything is healthy; that is the only way to achieve an error-free upgrade.

To know more about adprep /forestprep, adprep /domainprep and adprep /domainprep /gpprep, and why they need to be run, refer to the references listed at the end of this post.

AD Schema Version:

OS Version          Schema Version (objectVersion)
Windows 2012 R2     69
Windows 2012        56
Windows 2008 R2     47
Windows 2008        44
Windows 2003 R2     31
Windows 2003        30
Windows 2000        13


How to find the current Schema Version

dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion

In a multi-domain environment you sometimes don't run domainprep right after forestprep, because you don't want to upgrade all the domains yet or it has been postponed for business reasons. To find out whether domainprep has already been run in a given domain, check the revision attribute on the ActiveDirectoryUpdate object in that domain.

AD Revision Version:

The revision written by adprep /domainprep lives on CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System in each domain partition; adprep /forestprep writes a separate revision on CN=ActiveDirectoryUpdate,CN=ForestUpdates in the Configuration partition. The two are not the same number from Windows 2012 on:

OS Version          DomainUpdates revision    ForestUpdates revision
Windows 2012 R2     10                        15
Windows 2012        9                         11
Windows 2008 R2     5                         5
Windows 2008        3                         2


dsquery * CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,dc=domainname,dc=local -scope base -attr revision

In a multi-domain forest, use the forest root domain's DN (domain.local above) in the schema query: the schema partition is forest-wide, its DN hangs off the forest root, and its version is owned by the single schema master in the forest.

To find out which DC is the infrastructure master of a DNS application partition, run the commands below (adprep /rodcprep contacts that DC and fails if the listed owner no longer exists). For DomainDnsZones, give the specific domain's name; for ForestDnsZones, give the forest root domain.

dsquery * CN=Infrastructure,DC=DomainDnsZones,DC=Domain,DC=com -attr fSMORoleOwner

dsquery * CN=Infrastructure,DC=forestDnsZones,DC=Domain,DC=com -attr fSMORoleOwner
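A pre-adprep inventory in PowerShell, added here as an example (not from the original post): it reads the schema objectVersion, the DomainUpdates and ForestUpdates revisions, and the FSMO role owners the adprep commands depend on, so you can tell whether forestprep/domainprep have already run and on which DC each command must be executed. It uses [ADSI] (System.DirectoryServices) only, so it works on a Windows 2003/2008 DC with PowerShell 2.0 and no ActiveDirectory module; the version tables are the ones given above.

```powershell
# Added example (not from the original post): pre-adprep inventory using
# only [ADSI], so it runs on PowerShell 2.0 without the ActiveDirectory module.
# Run it as a user who can read the Schema and Configuration partitions.

$root      = [ADSI]'LDAP://RootDSE'
$schemaNC  = $root.schemaNamingContext.Value
$configNC  = $root.configurationNamingContext.Value
$domainNC  = $root.defaultNamingContext.Value
$rootDomNC = $root.rootDomainNamingContext.Value

# objectVersion on the schema container (forest-wide), from the table above.
$SchemaVersions  = @{ 13='Windows 2000'; 30='Windows 2003'; 31='Windows 2003 R2'; 44='Windows 2008'
                      47='Windows 2008 R2'; 56='Windows 2012'; 69='Windows 2012 R2' }
# revision on CN=ActiveDirectoryUpdate under DomainUpdates (per domain) / ForestUpdates (forest).
$DomainRevisions = @{ 3='Windows 2008'; 5='Windows 2008 R2'; 9='Windows 2012'; 10='Windows 2012 R2' }
$ForestRevisions = @{ 2='Windows 2008'; 5='Windows 2008 R2'; 11='Windows 2012'; 15='Windows 2012 R2' }

function Get-AttributeValue {
    param([string]$Dn, [string]$Attribute)
    $obj = [ADSI]"LDAP://$Dn"
    try { return $obj.Get($Attribute) } catch { return $null }   # object or attribute absent
}

# fSMORoleOwner is an NTDS Settings DN: CN=NTDS Settings,CN=<DC>,CN=Servers,... -> DC name.
# A value containing "0ADEL" means the owner was deleted, which is what makes /rodcprep fail.
function Get-RoleOwner {
    param([string]$Dn)
    $owner = Get-AttributeValue $Dn 'fSMORoleOwner'
    if ($owner -match '^CN=NTDS Settings,CN=([^,]+),') { return $Matches[1] } else { return $owner }
}

function Get-AdPrepState {
    $schemaVer = [int](Get-AttributeValue $schemaNC 'objectVersion')
    $domRev = Get-AttributeValue "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNC" 'revision'
    $forRev = Get-AttributeValue "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC" 'revision'

    $forLevel = '(forestprep for 2008 or later never run)'
    if ($forRev) { $forLevel = $ForestRevisions[[int]$forRev] }
    $domLevel = '(domainprep for 2008 or later never run in this domain)'
    if ($domRev) { $domLevel = $DomainRevisions[[int]$domRev] }

    New-Object PSObject -Property @{
        SchemaVersion        = $schemaVer
        SchemaLevel          = $SchemaVersions[$schemaVer]
        ForestPrepRevision   = $forRev
        ForestPrepLevel      = $forLevel
        DomainPrepRevision   = $domRev
        DomainPrepLevel      = $domLevel
        # Where each adprep command must run:
        SchemaMaster         = Get-RoleOwner $schemaNC                                    # /forestprep
        InfrastructureMaster = Get-RoleOwner "CN=Infrastructure,$domainNC"                # /domainprep [/gpprep]
        DomainNamingMaster   = Get-RoleOwner "CN=Partitions,$configNC"
        DnsDomainPartitionIM = Get-RoleOwner "CN=Infrastructure,DC=DomainDnsZones,$domainNC"  # /rodcprep contacts these
        DnsForestPartitionIM = Get-RoleOwner "CN=Infrastructure,DC=ForestDnsZones,$rootDomNC"
    } | Select-Object SchemaVersion, SchemaLevel, ForestPrepRevision, ForestPrepLevel,
                      DomainPrepRevision, DomainPrepLevel, SchemaMaster, InfrastructureMaster,
                      DomainNamingMaster, DnsDomainPartitionIM, DnsForestPartitionIM
}

Get-AdPrepState | Format-List
```

Run it from the domain you are about to prepare (it reads defaultNamingContext from the DC it binds to), and again after each adprep step: SchemaVersion should move to the target value after /forestprep, DomainPrepRevision after /domainprep. An empty DomainPrepRevision with a current SchemaVersion is exactly the multi-domain case described above, forestprep done but domainprep not yet run here.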

References to the AD upgrade in windows 2008 or 2008 R2

Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains

Upgrade Domain Controllers: Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains

Performing an Active Directory Health Check Before Upgrading

A few steps to take before preparing your environment for Windows 2008 or 2008 R2:

  • Check your domain and domain controller health using the dcdiag and netdiag tools (netdiag is not available in Windows 2008 and above).
  • Check replication using the repadmin tool.
  • Check DNS name resolution and the related errors in the event log.
  • Check for errors related to SYSVOL and FRS.

Troubleshooting ADPREP errors.

Happy upgrading..

Posted in Directory Services | Tagged: , , | 52 Comments »

Understanding AdminSDHolder and Protected Groups

Posted by Awinish on March 1, 2011

If you have faced the issue where you delegate permissions on, or change the ACL of, a user that is a member of a protected group like Administrators, Domain Admins, Enterprise Admins, Schema Admins or Account Operators, and after an hour or so your change has disappeared and you are scratching your head over who did it: the culprit is "AdminSDHolder", an object in the System container of the domain partition. Every 60 minutes the SDProp process on the PDC emulator stamps members of the protected groups with adminCount=1, disables ACL inheritance on them and overwrites their ACL with a copy of AdminSDHolder's, so delegations and inherited permissions are reverted. It is a built-in safeguard that keeps privileged accounts from being taken over through permissions delegated on an OU. You can exclude some of the operator groups from this protection through the dSHeuristics attribute, but I would say doing so invites security flaws into your environment.

If you want to understand the details of AdminSDHolder and how it works, take a look at the link below. MVP John Policelli has explained it in depth on his blog, and I thought of sharing it with the readers of my blog too.

Five common questions about AdminSdHolder and SDProp
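A check for the symptom described above, as an added PowerShell example (not from the post or from John Policelli's article): it lists the accounts SDProp has stamped with adminCount=1, shows which of them are no longer in any protected group (these keep the locked-down ACL for ever unless you clean them up), restores inheritance on one such orphan, and shows who can currently modify the AdminSDHolder template itself. It assumes the ActiveDirectory module (RSAT) and a default set of protected groups; the distinguished name in the usage line is a placeholder.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Groups protected by AdminSDHolder/SDProp in a default forest (plus the Administrator
# and krbtgt accounts). Enterprise Admins and Schema Admins exist only in the root domain.
$ProtectedGroups = 'Administrators', 'Account Operators', 'Backup Operators', 'Print Operators',
                   'Server Operators', 'Replicator', 'Domain Admins', 'Domain Controllers',
                   'Read-only Domain Controllers', 'Enterprise Admins', 'Schema Admins'

# Every account that is, directly or through nesting, in a protected group.
function Get-ProtectedMembers {
    $members = @{}
    foreach ($g in $ProtectedGroups) {
        $grp = Get-ADGroup -Filter { Name -eq $g } -ErrorAction SilentlyContinue
        if (-not $grp) { continue }   # group absent in this domain (child domain)
        Get-ADGroupMember -Identity $grp -Recursive |
            ForEach-Object { $members[$_.distinguishedName] = $true }
    }
    $members
}

# adminCount=1 objects that are no longer in any protected group: SDProp stopped
# touching them, but the copied ACL and blocked inheritance stay behind.
function Get-OrphanedAdminCount {
    $protected = Get-ProtectedMembers
    Get-ADObject -Filter { adminCount -eq 1 } -Properties adminCount, nTSecurityDescriptor |
        Where-Object {
            -not $protected.ContainsKey($_.DistinguishedName) -and
            $_.Name -notin 'Administrator', 'krbtgt' -and
            $ProtectedGroups -notcontains $_.Name     # the protected groups themselves carry adminCount=1
        } |
        Select-Object Name, ObjectClass, DistinguishedName,
            @{n='InheritanceBlocked'; e={ $_.nTSecurityDescriptor.AreAccessRulesProtected }}
}

# Clean-up for one orphan: clear the stamp and re-enable ACL inheritance.
function Repair-OrphanedAdminCount {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    Set-ADObject -Identity $DistinguishedName -Clear adminCount
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.SetAccessRuleProtection($false, $true)   # inherit again; keep the existing explicit ACEs
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

# Who can modify AdminSDHolder itself: this ACL is copied onto every protected
# account each hour, so a write right here is a write right on Domain Admins.
$domainDn = (Get-ADDomain).DistinguishedName
(Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDn").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'WriteDacl|WriteOwner|GenericAll|GenericWrite' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

Get-OrphanedAdminCount | Format-Table -AutoSize
# Repair-OrphanedAdminCount -DistinguishedName 'CN=Some User,OU=Users,DC=corp,DC=contoso,DC=com'
```

The orphan report is the usual cause of "I removed the user from Domain Admins weeks ago and help-desk still cannot reset the password": SDProp never undoes its work, and the account keeps the protected ACL until adminCount is cleared and inheritance is restored by hand. The last query is the one worth scheduling: any principal other than the built-in administrative groups with write rights on AdminSDHolder is a persistence foothold.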


Posted in Directory Services | Tagged: | Leave a Comment »

Impact of Cloning and Virtualization on Active Directory Domain Services

Posted by Awinish on February 16, 2011

The best AD session from TechEd: fundamental concepts within Active Directory and the impact of cloning and virtualization on domain controllers, domain members and Windows in general. Dean Wells (Program Manager at MS) also discusses how best to leverage virtualization, and how to mitigate problems and avoid them in the first place.

The session below is presented by Dean Wells, Sr. Program Manager at Microsoft.


Posted in Directory Services | Tagged: , | Leave a Comment »

Password Filter

Posted by Awinish on February 14, 2011

Do you know about password filters? If not, take a look.


Posted in Directory Services | Tagged: | Leave a Comment »