Directory Service: Event ID 1480 and 1393, replication halted due to low disk space

The information provided in event logs is often not very clear, but it has definitely gotten better starting with W2K8. I recently encountered an issue where replication delays to a certain DC were reported. I immediately looked at the repadmin replication summary and noticed that my deltas, which usually stayed within an hour, had jumped ...

Auditing Group Membership changes

I often get asked this question: “how do I audit group membership changes?” Whereas a lot of AD change monitoring tools (Quest, Netwrix etc.) have nice reports that can be generated to look up this information, this question comes up when a change auditor product for AD is not in the picture. Let me cover ...

PowerShell : How do I create Trust ?

A question was raised on ActiveDir regarding the ability to create a Trust via a command line utility. It was discussed how netdom is no longer a supported command line utility for creating Trusts. As an alternative, I referenced a snippet from the AD Cookbook that uses PowerShell to create a Trust via the .NET AD namespace (System.DirectoryServices.ActiveDirectory). You can ...

Server Core R2 DC promotion fails due to unavailable ADDS binaries

I encountered an issue promoting a Server Core R2 server to a domain controller. DCPROMO on Server Core is handled via unattended mode with an answer file. The error I received is below. It was due to Server Core’s inability to install/confirm the ADDS binaries. C:\Users\Administrator>dcpromo /unattended:answer.txt Checking if Active Directory Domain Services binaries are installed… Failed ...

PowerShell : How do I clear sIDhistory attribute ?

What is the sIDhistory attribute? The sIDhistory attribute is the key attribute that holds the previous SID(s) of User and Group objects, which is what facilitates Active Directory migrations. It contains the previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a ...

PowerShell : How do I set the delegation sensitive flag on users and computers ?

Kerberos delegation, constrained and unconstrained, is a complex topic, and one that often comes up when the security implications of External/Forest Trusts are discussed. A few days ago, light was shed on a similar topic on ActiveDir. In brief, Brian Arkills sums it up below: The other security implication that most folks seem oblivious to is the ...

PowerShell : How to lookup Schema version of your forest ?

The schema version is revealed via the objectVersion attribute of the schema object under the configuration naming context of the forest, i.e. “cn=schema,cn=configuration,dc=yourdomain,dc=int”. So using the Quest Cmdlets, you can run this query: Get-QADObject "cn=schema,cn=configuration,dc=yourdomain,dc=int" -ip objectversion | select objectversion The -ip is the alias for -IncludedProperties. And, when using the native AD Cmdlets of ...

Reviewing few very useful adds in Quest AD Cmdlets v1.4

Whereas most of the newly added cmdlets in v1.4 focus on PKI and Email Address Management, there are a few cmdlets and a handful of new parameters that ought to come in very handy with your AD tasks. Below I review a few that I think are great additions: When you are enumerating a large ...

Quest AD Cmdlets a.k.a Active Roles Management Shell version 1.4 gets released

From version 1.2 with 49 cmdlets, to version 1.3 with 63 cmdlets, and now on to version 1.4 with 32 new cmdlets, making a total of 95. Here are the new cmdlets in v1.4: • Get-QADLocalCertificateStore • New-QADLocalCertificateStore • Remove-QADLocalCertificateStore • Get-QADCertificate • Where-QADCertificate • Add-QADCertificate • Import-QADCertificate • Show-QADCertificate • Edit-QADCertificate • ...

Create Active Directory Delegations Report with PowerGUI

Oftentimes you need to analyze the existing permissions (delegations) on the AD objects within your domain/forest; perhaps you have just taken over an administrative role over AD and would like to quickly surface which group and user accounts hold certain rights across the board in a given domain. With PowerGUI and Kirk ...

PowerShell : How to rename Groups in bulk ?

Oftentimes there is a need to standardize the groups’ naming convention, such as during migrations, when you don’t have a rich migration tool that can conform the names, or when you don’t have an AD proxy management tool such as ARS in your normal provisioning process. Using the Quest Cmdlets with PowerShell to rename groups is ...

PowerShell : How do I fix displayName attribute for all users in Active Directory ?

Small shops that do not leverage automated provisioning tools face a challenge in keeping the attributes of Users and other objects in AD standardized. In one such situation, I was recently asked by the Access Control team if there is an easy way to fix the displayName attribute for all users, or to fill in the ...

PowerShell : How do I check Active Directory Tombstone Lifetime ?

What is the Active Directory Tombstone Lifetime (TSL)? The tombstone lifetime in an Active Directory forest determines how long a deleted object (called a “tombstone”) is retained in Active Directory Domain Services (AD DS). The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory ...

Time Synchronization for Virtualized DCs

As usual, a good conversation spurred on ActiveDir on a much discussed scenario: virtualizing your DCs while being wary of the known pitfalls. While virtualized DCs are fully supported by Microsoft on either of the competing virtualization solutions, one known subject I would like to highlight here is proper time synchronization. You must make sure ...

PowerShell : How do I find old Trusts ?

As usual, Joe shared a great insight: one way to verify that trusts are healthy is to check the trust accounts for their last password resets. When trusts are created, the accounts for them are by default created under the ‘Users’ container and are named TrustedDomain$, and just like computer accounts, trusts reset their password ...