Archive for the ‘Active Directory’ Category.

Demoting Windows Server 2008 Domain Controller

Windows Server 2008 installs a role-specific snap-in for each role, so if you demote a Windows Server 2008 DC through the normal “dcpromo” command you will notice that the DC-specific roles within Server Manager are not uninstalled. Even though the DC has been fully demoted, Active Directory has been uninstalled and the server has been rebooted, the snap-ins for roles such as AD and DNS are still there (in case your DC was also a DNS server). This is a bit of a nuisance, as these snap-ins will not serve you the way “adminpak” did: you cannot manage AD on other DCs from this member server with them, because for that you need the RSAT tools. See the screenshots below for the problem and the error you get if you try to use the snap-in, and finally the wizards to remove the lingering roles.

Put Powershell and QAD cmdlets together to become a lazier (yet smarter) System Admin

One of the exciting features of Windows Server 2008 is PowerShell (a command-line interactive shell and scripting language). PowerShell lets admins take control of their Active Directory/server environment and accomplish the remote management tasks that used to be done with VB, WMI and ADSI scripts. While WMI and ADSI calls are still part of PowerShell cmdlets (pronounced “command-lets”: commands that trigger the call from the interactive PS shell), the number of lines and the need to know ‘scripting’ have been substantially lowered.

PowerShell v1.0 can be installed as a feature in Windows Server 2008, or installed individually on Windows XP SP2 or Windows Server 2003 SP1 from here as an RTW release. This provides 130 cmdlets that enable easier system administration and accelerated automation. On top of that, Quest Software has released ActiveRoles Management Shell for Active Directory (for free), which provides another set of QAD (Quest Active Directory) cmdlets that extend the AD-specific management tasks. You can get the Quest Management Shell and its cmdlets from here (http://www.quest.com/powershell/activeroles-server.aspx).

While the Quest cmdlets run in their own shell, the Quest snap-in can also be registered in PowerShell by running the following command after installing the Quest Management Shell:

Add-PSSnapin Quest.ActiveRoles.ADManagement

You may run Get-PSSnapin to validate that it is loaded.

Alternatively, you can work directly within the Quest Management Shell, where all the native PS cmdlets are available to you as well. To find all the QAD-related cmdlets, run Get-Command *-qad*.

And lastly, give one of the QAD cmdlets a test drive, for instance to create a new user in AD. To find out how New-QADUser can be used, run Get-Help New-QADUser -Detailed to learn the full syntax and available options.

Here are a couple of great resources to hit the ground running with PowerShell and the Quest Management Shell (a.k.a. QAD cmdlets).

PowershellPro Tutorials
PowerGUI and QAD Wiki
PowerGUI Forums
Windows Powershell Forums

Repadmin indicates Read-Only Domain Controller in Windows Server 2008

We are all aware how helpful the repadmin tool (available through the Windows Support Tools in Windows Server 2003 and earlier) has become for troubleshooting replication issues. In Windows Server 2008 this tool, along with others, comes pre-packaged with the OS. You no longer have to install the Support Tools to reap the benefits of handy command-line tools such as dcdiag, netdiag, rendom and many others.

Here is one repadmin syntax I have become used to, as it gives me a snapshot of the source DCs and destination DCs and their replication status. The command is repadmin /replsum.

In the above scenario there are two DCs (both Windows Server 2008) showing their latest largest delta times. The Source DC is the one changes have gone out from, whereas the Destination DC is the one that adopted changes from the other DC, i.e. replicated them in.

What needs to be noticed here is that under normal circumstances both DCs would show up under both Source and Destination, but since VM08-02 is a read-only domain controller it can only grab changes from the other DC and cannot replicate changes out. It therefore only shows up under Destination DC, showing that it was on the receiving end of Active Directory replication, while the read-write domain controller (RWDC), VM08-01, shows changes replicated out from it.

The fails/total %% and error columns come in very handy when one of your DCs somewhere out there has stopped talking to the others, or has not been talked to, due to an issue such as incorrect firewall settings.

Repadmin is one handy tool that all AD admins should invest a little time in learning. For more information on the repadmin /showrepl command, click here.
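As an added example (not from the original post), here is a PowerShell script that parses the text repadmin /replsum prints, flags any DC with a non-zero fails count, and lists DCs that only appear under Destination DSA, which is how an RODC shows up in this output. The sample output is constructed to match the layout described above; PowerShell 3.0 or later is assumed.

```powershell
# Parse "repadmin /replsum" output into objects: one row per DC per section.
function ConvertFrom-ReplSum {
    param([string[]]$Lines)
    $section = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Source DSA')      { $section = 'Source';      continue }
        if ($line -match '^\s*Destination DSA') { $section = 'Destination'; continue }
        if (-not $section) { continue }
        # Columns: <DSA> <largest delta> <fails> / <total> <percent> [<error code and text>]
        if ($line -match '^\s*(\S+)\s+(.+?)\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*(.*)$') {
            [pscustomobject]@{
                Section = $section
                DSA     = $matches[1]
                Delta   = $matches[2]
                Fails   = [int]$matches[3]
                Total   = [int]$matches[4]
                Percent = [int]$matches[5]
                Error   = $matches[6].Trim()
            }
        }
    }
}

# Report DCs with failures, and DCs that only ever receive changes (never listed as a source).
function Get-ReplSumProblems {
    param([object[]]$Rows)
    $sources = @($Rows | Where-Object { $_.Section -eq 'Source' }      | ForEach-Object { $_.DSA })
    $dests   = @($Rows | Where-Object { $_.Section -eq 'Destination' } | ForEach-Object { $_.DSA })
    [pscustomobject]@{
        Failing     = @($Rows | Where-Object { $_.Fails -gt 0 })
        InboundOnly = @($dests | Where-Object { $sources -notcontains $_ } | Select-Object -Unique)
    }
}

# Constructed sample in the layout the post describes (DC names from the post, figures made up).
$sample = @'
Replication Summary Start Time: 2008-06-01 10:15:02

Source DSA          largest delta    fails/total %%   error
 VM08-01                   12m:04s    0 /   4    0

Destination DSA     largest delta    fails/total %%   error
 VM08-01                   12m:04s    0 /   2    0
 VM08-02                  >60 days    2 /   2  100  (8453) Replication access was denied.
'@
$sampleLines = $sample -split "`r?`n"

$rows     = @(ConvertFrom-ReplSum $sampleLines)
$problems = Get-ReplSumProblems $rows
$problems.Failing | Format-Table Section, DSA, Delta, Fails, Total, Error -AutoSize
"Destination-only DCs (what an RODC looks like here): $($problems.InboundOnly -join ', ')"

# Against a live forest, feed the real output instead:  $rows = @(ConvertFrom-ReplSum (repadmin /replsum))
```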

How to promote Server Core to be a RODC

The Windows Server 2008 Server Core installation does support Read-Only Domain Controllers (RODC). This support makes Server Core ideal for branch office scenarios. To make a Server Core machine part of your domain as an RODC, you use an unattended answer file with the following text, filled in with your settings and passwords:

[DCInstall]
InstallDNS=Yes
ConfirmGC=Yes
RebootOnCompletion=Yes
ReplicaDomainDNSName=2008.lab
ReplicaOrNewDomain=readonlyreplica
ReplicationSourceDC=dc3.2008.lab
SafeModeAdminPassword=
SiteName=Default-First-Site-name
UserDomain=2008.lab
UserName=admin08
Password=
CreateDNSDelegation=No

Place the text file in the root of your C drive on the Server Core machine and run the following command:

dcpromo /unattend:unattend.txt, where unattend.txt is the text file you created above.

Later on we will discuss other embedded command-line structures and built-in programs such as OCSETUP, which allow you to add roles and features to your Server Core. Keep in mind that making the server a domain controller is the only setup you must not use OCSETUP for; you must use DCPROMO for it, otherwise your server may not function properly.

After running the above process, from a Windows Server 2008 full installation you can readily confirm with ADUC that the DC is an RODC.

Find out the available RIDs on your DC

In a previous post we discussed the FSMO roles, and we know that one of the FSMO roles is the RID Master. Let's recap what a RID Master does and what its significance is. RID Master – Each object must have a globally unique number (GUID). The RID master makes sure each domain controller issues unique numbers when you create objects such as users or computers. For example, DC one is given RIDs 1-4999 and DC two is given RIDs 5000-9999.

In this post I will be showing you the command which you can run to check the available Relative Identifiers (RID) pool on one of your DCs.

You should have the Windows Server 2003 Support tools installed and the command to run is as follows:

dcdiag /v /test:ridmanager

/v is for verbose logging and /test:ridmanager defines the specific test, avoiding the other dcdiag test runs. Take a look at the attached screenshot above: it shows the current RID Allocation Pool and the Previous Allocation Pool. 500 RIDs are assigned from the RID Master, and after 50% of the pool has been consumed another request for a pool refill is made to the RID Master.
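An added example, not from the original post: the same figures dcdiag reports can be read straight from the directory. Each DC's RID Set object stores its pools as packed 64-bit values, and this PowerShell (3.0 or later, run on a domain member) decodes them; $DcName is a placeholder and the packed value in the offline check is constructed.

```powershell
# rIDAllocationPool and rIDPreviousAllocationPool pack a RID range into one 64-bit value:
# low 32 bits = first RID of the range, high 32 bits = last RID (inclusive).
function ConvertFrom-RidPool {
    param([Int64]$Packed)
    $low32 = [Int64]4294967295   # 0xFFFFFFFF written out: a 32-bit hex literal parses as -1 in PowerShell
    $start = $Packed -band $low32
    $end   = $Packed -shr 32
    [pscustomobject]@{ Start = $start; End = $end; Size = $end - $start + 1 }
}

# Read the "CN=RID Set" object under a DC's computer object and decode it. The naming is the
# confusing part: rIDPreviousAllocationPool is the pool RIDs are being issued from right now,
# rIDAllocationPool is the pool used next (identical until a refill has been granted by the
# RID Master), and rIDNextRID marks the DC's position in the current pool (assumed here to be
# the last RID issued, so the "left" figure may be off by one).
function Get-DcRidPool {
    param([string]$DcName)   # placeholder for one of your DC names, e.g. 'VM08-01'
    $root = [ADSI]'LDAP://RootDSE'
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]('LDAP://' + $root.defaultNamingContext.Value)
    $s.Filter = "(&(objectClass=computer)(cn=$DcName))"
    $dc = $s.FindOne()
    if (-not $dc) { throw "Computer object for '$DcName' not found" }
    $s.SearchRoot  = [ADSI]$dc.Path
    $s.SearchScope = 'OneLevel'
    $s.Filter      = '(objectClass=rIDSet)'
    $set = $s.FindOne()
    if (-not $set) { throw "'$DcName' has no RID Set object; is it a domain controller?" }
    $current = ConvertFrom-RidPool ([Int64]$set.Properties['ridpreviousallocationpool'][0])
    $next    = ConvertFrom-RidPool ([Int64]$set.Properties['ridallocationpool'][0])
    $pos     = if ($set.Properties.Contains('ridnextrid')) { [Int64]$set.Properties['ridnextrid'][0] } else { $current.Start - 1 }
    [pscustomobject]@{
        DC          = $DcName
        CurrentPool = "$($current.Start)-$($current.End)"
        NextPool    = "$($next.Start)-$($next.End)"
        LastRid     = $pos
        RidsLeft    = $current.End - $pos
        PercentUsed = [math]::Round(100 * ($pos - $current.Start + 1) / $current.Size)
    }
}

# Offline check of the decoder on a constructed value: the range 1600-2099, i.e. 500 RIDs.
$packed = ([Int64]2099 -shl 32) -bor [Int64]1600
ConvertFrom-RidPool $packed        # Start 1600, End 2099, Size 500

# Get-DcRidPool 'VM08-01'          # on a domain member, as a user allowed to read the directory
```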

How to rename a Windows Server 2008 domain

Previously you were able to use the RENDOM utility provided by Microsoft to rename your Windows 2000 and Windows Server 2003 domains. However, in a Windows Server 2008 domain you don't have to install the Rendom utility separately. It gets installed as part of the “Active Directory Domain Services” role when you promote a server to the DC role, and it can be found here: %windir%\system32\rendom.exe.

I used it to rename a Windows Server 2008 domain in my test lab environment. The process was pretty straightforward but it may require more tasks if you have multiple DCs in a multi domain environment.

The Forest and Domain Functional Level should be Windows Server 2008 to proceed with the following task.

From the command prompt, I started out by running rendom /list, which outputs an XML file (Domainlist.xml) to the directory where rendom resides. You edit that file to change your domain configuration to the new domain name, i.e. ForestDNSZones, DomainDNSZones and the NetBIOS name. See the referenced link for details.

After you have modified the file you can run rendom /showforest, which shows you the future configuration; verify it and make changes if necessary.

Upload the changes you have made in the XML file: Run rendom /upload

Verify readiness of Domain Controller(s): Run rendom /prepare

Execute domain rename instructions: Run rendom /execute

After that finishes successfully, you should also run the GPFIXUP tool to fix up GPO references to your old domain name. See Step 12 of this document.

Here is an example:

C:\Users\Administrator>gpfixup /olddns:08r2.lab /newdns:mcts.lab
Group Policy fix up utility Version 1.1 (Microsoft)

Start fixing group policy (GroupPolicyContainer) objects:
……..

Start fixing site group policy links:
.

Start fixing non-site group policy links:
….
gpfixup tool executed with success.

C:\Users\Administrator>gpfixup /oldnb:08r2 /newnb:mcts
Group Policy fix up utility Version 1.1 (Microsoft)

Start fixing group policy (GroupPolicyContainer) objects:
..
gpfixup tool executed with success.

Lastly, run rendom /clean
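An added PowerShell example (not from the original post) for the hand edit of Domainlist.xml described in the rendom /list step above: it replaces the old DNS suffix in every DNSname (the DomainDnsZones/ForestDnsZones partitions and any child domains included) and the NetBIOS name, and returns the before/after pairs to check before rendom /upload. The element names are assumed to match what rendom /list writes (verify against your own file), the sample file is constructed with made-up GUIDs, and PowerShell 3.0 or later is assumed.

```powershell
# Rewrite the names in a loaded Domainlist.xml and return what changed.
function Rename-DomainList {
    param([xml]$Doc, [string]$OldDns, [string]$NewDns, [string]$OldNetBios, [string]$NewNetBios)
    # Match the old name as a whole suffix only: "08r2.lab" and "child.08r2.lab", not "x08r2.lab"
    $suffix  = '(?i)(^|\.)' + [regex]::Escape($OldDns) + '$'
    $changes = @()
    foreach ($d in @($Doc.Forest.Domain)) {
        if ($d.DNSname -match $suffix) {
            $new = $d.DNSname.Substring(0, $d.DNSname.Length - $OldDns.Length) + $NewDns
            $changes += [pscustomobject]@{ Field = 'DNSname'; Old = $d.DNSname; New = $new }
            $d.DNSname = $new
        }
        # Application partitions carry an empty NetBiosName; only the real domain entry is renamed
        if ($d.NetBiosName -and ($d.NetBiosName -ieq $OldNetBios)) {
            $changes += [pscustomobject]@{ Field = 'NetBiosName'; Old = $d.NetBiosName; New = $NewNetBios }
            $d.NetBiosName = $NewNetBios
        }
    }
    $changes
}

# Constructed sample in the shape rendom /list produces (GUIDs are placeholders).
$sample = [xml]@'
<?xml version="1.0"?>
<Forest>
  <Domain>
    <!-- PartitionType:Application -->
    <Guid>00000000-0000-0000-0000-000000000001</Guid>
    <DNSname>DomainDnsZones.08r2.lab</DNSname>
    <NetBiosName></NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <!-- ForestRoot -->
    <Guid>00000000-0000-0000-0000-000000000002</Guid>
    <DNSname>08r2.lab</DNSname>
    <NetBiosName>08R2</NetBiosName>
    <DcName></DcName>
  </Domain>
</Forest>
'@

$changes = Rename-DomainList -Doc $sample -OldDns '08r2.lab' -NewDns 'mcts.lab' -OldNetBios '08R2' -NewNetBios 'MCTS'
$changes | Format-Table Field, Old, New -AutoSize
# Expected rows: DomainDnsZones.08r2.lab -> DomainDnsZones.mcts.lab, 08r2.lab -> mcts.lab, 08R2 -> MCTS

# For the real file: keep a backup, apply, save, and read $changes before "rendom /upload".
# $path = (Resolve-Path .\Domainlist.xml).Path; Copy-Item $path "$path.bak"
# $doc = [xml](Get-Content $path); Rename-DomainList -Doc $doc -OldDns '08r2.lab' -NewDns 'mcts.lab' -OldNetBios '08R2' -NewNetBios 'MCTS'
# $doc.Save($path)
```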

The identity (domain GUID) of the renamed domain does not change during a domain rename operation. Thus a computer’s domain membership does not change as a result of the holding domain being renamed.

However, every member computer joined to the renamed domain needs to be rebooted twice. Please refer to “How Domain Rename works” technical reference for more info.

How Domain Rename Works : Microsoft Technet

Other References:

http://dsg.port.ac.uk/~hx/rename_domain/index.php

http://www.msexchange.org/tutorials/Domain-Rename.html (for domains with Exchange)

Prevent users from joining workstations to domain (at their will)

Every domain has a default ms-DS-MachineAccountQuota value of 10. This means that any user can add up to 10 machines to the domain. You can modify this attribute in the directory with the ADSIedit tool to prevent this behaviour.

Warning: Using ADSIedit can have adverse effects on your Active Directory environment if not handled with proper knowledge.

Launch ADSIedit from the Run command: ADSIedit.msc

Under Domain Configuration, expand and find your domain. Right-click it and go to Properties.

Look for the following property and modify it to ‘0’.

Hit OK, Apply and exit.

How does it keep track of how many machines you have added based on your user ID/account?

For a computer account created by a domain user, the account has the ‘ms-DS-CreatorSID’ attribute to indicate the creating user. When a user adds a computer to the domain, a process enumerates the ‘ms-DS-CreatorSID’ attribute on every computer account in the domain and calculates whether the sum exceeds the current quota for that user.

The ‘ms-DS-CreatorSID’ and ‘ms-DS-MachineAccountQuota’ with default value 10 are also available in Windows Server 2008 AD DS.

Note: The ‘ms-DS-CreatorSID’ attribute will be unset in the computer account that is pre-created in Active Directory Users and Computers MMC or joined by domain administrators.
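An added PowerShell example (not from the original post) that reads the quota and groups every computer account by the mS-DS-CreatorSID the DC enumerates, so you can see who has been joining machines and how close each is to the limit. It assumes PowerShell 3.0 or later on a domain member; the last lines show the same change the ADSIedit steps make.

```powershell
# Read the domain-wide quota from the domain naming context.
function Get-MachineAccountQuota {
    $root   = [ADSI]'LDAP://RootDSE'
    $domain = [ADSI]('LDAP://' + $root.defaultNamingContext.Value)
    [int]$domain.'ms-DS-MachineAccountQuota'.Value
}

# Group every computer account that carries mS-DS-CreatorSID by its creator, resolve the
# SID to an account name, and show how close each creator is to the quota.
# Accounts pre-created by admins have no creator SID and are therefore not listed.
function Get-ComputerCreators {
    $root = [ADSI]'LDAP://RootDSE'
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]('LDAP://' + $root.defaultNamingContext.Value)
    $s.Filter   = '(&(objectClass=computer)(mS-DS-CreatorSID=*))'
    $s.PageSize = 1000                       # paged search so more than 1000 computers come back
    [void]$s.PropertiesToLoad.AddRange([string[]]@('name', 'mS-DS-CreatorSID'))
    $byCreator = @{}
    foreach ($r in $s.FindAll()) {
        # The attribute is stored as a binary SID; result property names come back lower-cased
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($r.Properties['ms-ds-creatorsid'][0], 0)
        $name = $r.Properties['name'][0]
        if (-not $byCreator.ContainsKey($sid.Value)) { $byCreator[$sid.Value] = @() }
        $byCreator[$sid.Value] += $name
    }
    $quota = Get-MachineAccountQuota
    foreach ($entry in $byCreator.GetEnumerator()) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Key)
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = '<unresolved: deleted or foreign account>' }
        [pscustomobject]@{
            Creator   = $account
            SID       = $entry.Key
            Joined    = $entry.Value.Count
            AtQuota   = ($entry.Value.Count -ge $quota)
            Computers = ($entry.Value -join ', ')
        }
    }
}

"ms-DS-MachineAccountQuota is currently $(Get-MachineAccountQuota)"
Get-ComputerCreators | Sort-Object Joined -Descending | Format-Table Creator, Joined, AtQuota, Computers -AutoSize

# To close the door the way the ADSIedit steps above do (run as a domain admin):
#   $domain = [ADSI]('LDAP://' + ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value)
#   $domain.Put('ms-DS-MachineAccountQuota', 0); $domain.SetInfo()
```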

http://support.microsoft.com/kb/243327

Find out where and why an Account Lockout happened

While account lockouts save us from brute-force password attacks and help us standardize password policies across our environment, it can sometimes be painful to troubleshoot and find out why and where a lockout happened. Microsoft does provide us with the ‘Account Lockout Management Tools’ suite, which can be very handy to diagnose the root cause of an account lockout.

· AcctInfo.dll. Helps isolate and troubleshoot account lockouts and to change a user’s password on a domain controller in that user’s site. It works by adding new property pages to user objects in the Active Directory Users and Computers Microsoft Management Console (MMC).

· ALockout.dll. On the client computer, helps determine a process or application that is sending wrong credentials.

· ALoInfo.exe. Displays all user account names and the age of their passwords.

· EnableKerbLog.vbs. Used as a startup script, enables Kerberos logging on all your clients that run Windows 2000 and later.

· EventCombMT.exe. Gathers specific events from event logs of several different machines to one central location.

· LockoutStatus.exe. Determines all the domain controllers that are involved in a lockout of a user in order to assist in gathering the logs. LockoutStatus.exe uses the NLParse.exe tool to parse Netlogon logs for specific Netlogon return status codes. It directs the output to a comma-separated value (.csv) file that you can sort further, if needed. The latest version available is 1.0.0.60.

· NLParse.exe. Used to extract and display desired entries from the Netlogon log files.

Unfortunately, I didn’t find good documentation on how to quickly make good use of these tools when my domain admin account started getting mysteriously locked out after I had changed my password due to the policy in place. From my experience I found Lockout Status and EventCombMT to be the most useful tools in the suite.

I knew the common reasons why my account would get locked out, listed here: See this, but I needed to figure out which machine or service was providing my old credentials to a DC and causing the account to be locked out.

I started out by launching the Lockout Status tool, selecting my domain admin account as ‘target’ from the File menu and running it. It gave me a list of all the DCs with the status of my account and, more importantly, the DC the lockout happened on in the ‘Orig Lock’ tab towards the right of the program screen. I then launched the EventCombMT piece, right-clicked in the white space in the search area and added the DC the lockout originated at. I chose from the ‘Option’ menu whether I wanted to output the file as txt or CSV. I chose ‘Security’ as the log file search option for all event types, put ‘644’ as the event ID and clicked Search.

It output the CSV file in the location I had specified, and I was able to see that it had found event 644 for my ID on 6 different machines across the domain, listed under the ‘Caller Machine Name’ column (I know it’s bad administration on my part to sometimes disconnect my terminal sessions instead of logging off). Sure enough, when I logged on to those machines I immediately saw the following notifications.


I had to log off and log back in to clear out the error. After that, I ran the Lockout Status tool again and noticed the lock status for my domain admin account had been cleared out.

Conclusion: Never leave your account logged on somewhere (or have a service run under your user context) and lock the machine or disconnect the remote session without logging off, and when using tools like Remote Desktops (which can be useful and allow you to keep a list of machines you remote into frequently during the day), make sure you don’t save your passwords in the session configurations.
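As an added example (not from the original post), the same hunt in PowerShell: read lockout events from a DC's Security log and extract the caller machine name, for both the Windows Server 2003 event 644 and its Windows Server 2008 successor 4740. The sample messages are constructed; $DcName is a placeholder and PowerShell 3.0 or later is assumed.

```powershell
# Pull the locked-out account and the caller machine out of one lockout event message.
# Event 644 (Windows Server 2003) says "Target Account Name" / "Caller Machine Name";
# event 4740 (Windows Server 2008) says "Account That Was Locked Out ... Account Name" /
# "Caller Computer Name". One regex per field covers both layouts.
function ConvertFrom-LockoutMessage {
    param([string]$Message, [datetime]$Time = (Get-Date))
    $account = $null; $caller = $null
    if ($Message -match '(?:Target Account Name:|Account That Was Locked Out:[\s\S]*?Account Name:)\s*(\S+)') { $account = $matches[1] }
    if ($Message -match 'Caller (?:Machine|Computer) Name:\s*(\S+)') { $caller = $matches[1] }
    if ($account -and $caller) {
        [pscustomobject]@{ Time = $Time; Account = $account; CallerMachine = $caller }
    }
}

# Query a DC (ideally the PDC emulator, which sees every lockout) for the last N hours.
function Get-LockoutCallers {
    param([string]$DcName, [int]$Hours = 24)   # $DcName is a placeholder for your DC
    Get-EventLog -ComputerName $DcName -LogName Security -EntryType SuccessAudit -After (Get-Date).AddHours(-$Hours) |
        Where-Object { $_.EventID -eq 644 -or $_.EventID -eq 4740 } |
        ForEach-Object { ConvertFrom-LockoutMessage -Message $_.Message -Time $_.TimeGenerated }
}

# Constructed sample messages in both layouts (names made up) to exercise the parser offline.
$sample644 = @'
User Account Locked Out:
    Target Account Name:    jdoe
    Target Account ID:      LAB\jdoe
    Caller Machine Name:    TS-07
    Caller User Name:       VM08-01$
'@
$sample4740 = @'
A user account was locked out.

Subject:
    Account Name:           VM08-01$

Account That Was Locked Out:
    Account Name:           jdoe

Additional Information:
    Caller Computer Name:   TS-12
'@
ConvertFrom-LockoutMessage $sample644     # Account jdoe, CallerMachine TS-07
ConvertFrom-LockoutMessage $sample4740    # Account jdoe (not the Subject VM08-01$), CallerMachine TS-12

# Live use: group by machine to see where the stale credentials are being replayed from.
# Get-LockoutCallers -DcName 'VM08-01' | Group-Object CallerMachine | Sort-Object Count -Descending
```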

More Resources:

Download the Microsoft Account Management Tools

Technet Resource on how to maintain and manage the account lockout

WindowsSecurity.com – Implementing and Troubleshooting Account Lockout

Import AD subnets into Reverse Lookup Zones

Sometimes you have a task on your hands for your Active Directory environment that isn’t an easy one, or let’s just say that not many people have come across a need for it (so there isn’t a whole lot you can google for). I recently had a situation like this. Basically, in our AD environment we failed to realize the importance of keeping our reverse lookup zones updated and fell behind. As we all know, the AD infrastructure does not rely on reverse lookups and you can get away with not having all your defined subnets populated in the reverse zones (in-addr.arpa). We began having random errors of unsuccessful Group Policy application on some machines, and we also started being bugged by the SMS group about failed SMS client installations, since some applications like SMS do rely on looking up machines by their IP addresses.

We are quite a big environment, as we have a little over 1000 AD-defined subnets and only 80-some had been populated in the reverse lookup zones. I was tasked to make sure that all the reverse zones are created in our DNS from the defined subnets. As it could be a very tedious task, I wanted to automate the process. I am not a scripter, but I knew that we could not be the only ones who have had this issue, and I tried digging through the newsgroups/blogs/forums and the internet in general, but I had little or no luck finding any relevant information.

I started off looking into ADSIedit, as I wanted to export the subnet objects and then somehow import them back into DNS. I knew that there was the DNSCMD command-line utility that allows you to do various tasks for zone/record creation, deletion and modification. Unfortunately it did not have a wide enough syntax to pipe in a list from an external source such as a CSV file (that would have the subnets I exported from AD). As expected, the export part went fine and I had the full list of all the AD-defined subnets. Now I was struggling to find a VBScript I could wrap this file into and pipe through a DNSCMD-like utility.

I looked at the Joeware free AD utilities and saw Joe had a tool called ADfind. I decided to query him and got a rapid reply back with some suggestions; he assured me it is doable using his ADfind utility combined with some other script or utility. In the meantime he forwarded my query to Dean Wells of MSEtechnology, who emailed me a rather quick solution using Joe’s ADfind tool (see below). I was extremely pleased how my easy attempt to query seasoned scripters had paid off.

Apart from other great writing and consulting achievements, both Joe Richards and Dean Wells are Microsoft MVPs, and their voluntary efforts to help out the community truly exhibit what the MVP program is all about.

So here is the command you would run at your DNS server to accomplish this task:

for /f "tokens=1,2,3 delims=." %n in ('adfind -config -rb "CN=Subnets,CN=Sites" -f "objectclass=subnet" name -list') do @dnscmd /zoneadd %p.%o.%n.in-addr.arpa /primary

Add ‘ds’ in front of primary (/dsprimary) if you wish to make the zones AD-integrated.

NOTES from Dean:
- If you place the syntax above within a batch file, please note that any occurrence of a ‘%’ symbol must be replaced with ‘%%’ (two of them)
- ADfind and DNSCMD must both exist within the current directory or the system path
- In its current form, the syntax assumes the subnet is comprised of 3 octets
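An added PowerShell example (not Dean's or Joe's code) that does the same job without the 3-octet assumption in the notes above: it reads the subnet objects from the configuration partition and works out the reverse zones for any prefix length, expanding a /22 into its four /24 zones and mapping a /25 onto its enclosing /24. The sample subnets are constructed; PowerShell 3.0 or later and dnscmd on the path are assumed.

```powershell
# Turn one AD subnet name (network/prefix) into the reverse zone name(s) that cover it.
function ConvertTo-ReverseZones {
    param([string]$Subnet)   # e.g. '10.20.0.0/22'
    $ip, $prefixText = $Subnet -split '/'
    $prefix = [int]$prefixText
    $o = @($ip -split '\.' | ForEach-Object { [Int64]$_ })
    $addr  = ($o[0] -shl 24) -bor ($o[1] -shl 16) -bor ($o[2] -shl 8) -bor $o[3]
    $all32 = [Int64]4294967295   # 0xFFFFFFFF written out; a 32-bit hex literal parses as -1 in PowerShell
    $mask  = if ($prefix -eq 0) { [Int64]0 } else { ($all32 -shl (32 - $prefix)) -band $all32 }
    $base  = $addr -band $mask
    # Zone boundary: /1-/8 -> 1 octet, /9-/16 -> 2 octets, /17 and longer -> 3 octets.
    # A subnet shorter than its boundary spans several zones; /25-/32 share their /24 zone.
    $keep     = if ($prefix -le 8) { 1 } elseif ($prefix -le 16) { 2 } else { 3 }
    $zoneBits = 8 * $keep
    $count    = if ($prefix -lt $zoneBits) { [Int64][math]::Pow(2, $zoneBits - $prefix) } else { 1 }
    $step     = [Int64][math]::Pow(2, 32 - $zoneBits)
    for ($i = 0; $i -lt $count; $i++) {
        $a = $base + $i * $step
        $parts = @((($a -shr 24) -band 255), (($a -shr 16) -band 255), (($a -shr 8) -band 255))[0..($keep - 1)]
        [array]::Reverse($parts)
        ($parts -join '.') + '.in-addr.arpa'
    }
}

# Read the IPv4 subnet names from CN=Subnets,CN=Sites in the configuration partition.
function Get-AdSubnetNames {
    $root = [ADSI]'LDAP://RootDSE'
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]('LDAP://CN=Subnets,CN=Sites,' + $root.configurationNamingContext.Value)
    $s.Filter   = '(objectClass=subnet)'
    $s.PageSize = 1000
    [void]$s.PropertiesToLoad.Add('name')
    $s.FindAll() | ForEach-Object { $_.Properties['name'][0] } |
        Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+/\d+$' }   # IPv6 subnets would need ip6.arpa zones
}

# Offline check on constructed subnets: the /22 yields four /24 zones, the /25 its /24, the /16 one zone.
'10.20.0.0/22', '192.168.1.128/25', '172.16.0.0/16' | ForEach-Object { ConvertTo-ReverseZones $_ }

# Live run on a DNS server: list first; flip $Create to create the zones (AD-integrated via /dsprimary).
$Create = $false
$zones  = Get-AdSubnetNames | ForEach-Object { ConvertTo-ReverseZones $_ } | Sort-Object -Unique
foreach ($zone in $zones) {
    if ($Create) { dnscmd /zoneadd $zone /dsprimary }
    else         { "would create $zone" }
}
```

dnscmd /zoneadd reports an error for a zone that already exists, so the zones that were created by hand earlier are simply skipped with a message.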

Reset Active Directory Restore Mode password

Maybe the most forgotten password is the one for Directory Services Restore Mode (DSRM), because it is created only when a DC is built and used only during critical DC recovery operations, which hopefully do not happen very often. Not knowing this password can prevent a successful recovery.

If you don’t know your DSRM password and haven’t stored it in a safe place, use the following commands on each domain controller to reset it to a known value:

ntdsutil
set dsrm password
reset password on server {servername}

Once you do this, write down that password and lock/encrypt it away.

A quick way to tell where your FSMOs are

In my last post I talked about what FSMO roles are and how to retrieve them through the GUI. In this post I am showing you a quick way to tell which DCs are holding which FSMO roles in your forest/domain. It can be done by running the NETDOM QUERY FSMO command on one of your DCs.


Notice that my Schema Master and Domain Naming Master reside in the forest root domain (virtualdomain.com), since they are forest-level FSMOs, and the PDC Emulator, RID Master and Infrastructure Master are all on one DC (virtualdc3), which is in a separate domain tree (Shq.tech).

The NETDOM command-line tool, which enables administrators to manage Windows Server 2003 and Windows 2000 domains and trust relationships from the command line, is available through the Resource Kit. It has a range of syntax you can do various things with, such as:

- Manage computer accounts for domain member workstations and member servers
- Establish one-way or two-way trust relationships between domains

Use NETDOM /? to see the available options, or go here to get the list.
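As an added example (not from the original post), the same answer read directly from the directory in PowerShell (3.0 or later, on a domain member): each role is recorded in the fSMORoleOwner attribute of one well-known object, and the DN stored there is translated back to the holder's server name and site.

```powershell
# Each FSMO role is recorded as the fSMORoleOwner attribute of one well-known object.
function Get-FsmoHolders {
    $root     = [ADSI]'LDAP://RootDSE'
    $domainNC = $root.defaultNamingContext.Value
    $configNC = $root.configurationNamingContext.Value
    $schemaNC = $root.schemaNamingContext.Value
    $roleObjects = [ordered]@{
        'Schema Master'         = $schemaNC                                   # forest level
        'Domain Naming Master'  = 'CN=Partitions,' + $configNC                # forest level
        'PDC Emulator'          = $domainNC                                   # domain level
        'RID Master'            = 'CN=RID Manager$,CN=System,' + $domainNC    # domain level
        'Infrastructure Master' = 'CN=Infrastructure,' + $domainNC            # domain level
    }
    foreach ($role in $roleObjects.Keys) {
        $ntds = ([ADSI]('LDAP://' + $roleObjects[$role])).fSMORoleOwner.Value
        # fSMORoleOwner holds the DN of the holder's "NTDS Settings" object; its parent is the
        # server object under Sites, whose dNSHostName is the DC's name.
        $server = [ADSI]('LDAP://' + ($ntds -replace '^CN=NTDS Settings,', ''))
        [pscustomobject]@{
            Role    = $role
            Holder  = $server.dNSHostName.Value
            Site    = ($ntds -replace '^.*?,CN=([^,]+),CN=Sites,.*$', '$1')
            OwnerDN = $ntds
        }
    }
}

Get-FsmoHolders | Format-Table Role, Holder, Site -AutoSize

# The three domain-level objects are read from the domain you are logged on to. For another
# domain in the forest (the post's Shq.tech tree), bind them through one of its DCs instead,
# e.g. 'LDAP://virtualdc3/' + $otherDomainNC.
```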

So really, what are FSMO roles ?

FSMO (pronounced “fiz-mo”) roles are essentially domain controllers with higher power than their peer DCs, hence the name Flexible Single Master Operation. The word flexible is perhaps in there since you do have the flexibility to move these roles around (the word floating has been used in some places as well). From the name you really have to focus on the Single Master Operation part to understand that these roles are single roles that only one DC can hold.

There are a total of 5 FSMO roles, two at the forest level and three at the domain level. Here is what they are.

Forest Level FSMO roles:

  1. Domain Naming Master – Ensures that each child domain has a unique name.  How often do child domains get added to the forest?  Not very often I suggest, so the fact that this is a FSMO does not impact on normal domain activity.  My point is it’s worth the price to confine joining and leaving the domain operations to one machine, and save the tiny risk of getting duplicate names or orphaned domains.
  2. Schema Master – Operations that involve expanding user properties, e.g. Exchange 2003 / forestprep, which adds mailbox properties to users.  Rather like the Domain Naming Master, changing the schema is a rare event.  However, if you have a team of Schema Administrators all experimenting with object properties, you would not want there to be a mistake which crippled your forest.  So it’s a case of Microsoft knows best: the Schema Master should be a Single Master Operation and thus a FSMO role.

Domain level FSMO roles: 

  1. PDC Emulator – Most famous for backwards compatibility with NT 4.0 BDCs.  However, there are two other jobs of this FSMO role which operate even in Windows 2003 Native Domains: synchronizing the W32Time service and creating group policies.  I admit that it is confusing that these two jobs have little to do with PDCs and BDCs.
  2. RID Master – Each object must have a globally unique number (GUID).  The RID master makes sure each domain controller issues unique numbers when you create objects such as users or computers.  For example DC one is given RIDs 1-4999 and DC two is given RIDs 5000 – 9999.
  3. Infrastructure Master – Responsible for checking objects in other domains.  Universal group membership is the most important example.  To me, it seems as though the operating system is paranoid that, a) you are a member of a Universal Group in another domain and b) that group has been assigned Deny permissions.  So if the Infrastructure Master could not check your Universal Groups there could be a security breach.

You can see your domain-level FSMOs from ADUC (Active Directory Users & Computers): right-click on the domain name and click on Operations Roles; from there you have the ability to transfer these roles as well. Of the forest-level FSMOs, the Domain Naming Master can be looked up from Active Directory Domains and Trusts: right-click on Domains and Trusts at the top of the left pane and click on Operation Roles. For the Schema Master lookup you have to register a DLL and add a snap-in (see here).

As a Windows system admin you should know the importance of the FSMO roles, have a good understanding of what each one does, and know how to transfer and seize them when necessary.

For more detailed reading see this great article, as you may not find a lot of FSMO information in general MS press books targeted towards MS certification (at least for Windows Server 2003 track).

Updating Schema for Windows Server 2008

Updating the schema for your forest is not something you do very often; however, it is a requirement when you introduce a Windows Server 2003 DC into a Windows 2000 domain or when you introduce the first Windows Server 2008 DC into your Windows Server 2003 domain. (There may be other times when you have to do this, such as when adding Exchange to your environment.) Nonetheless, it is a very simple and easy task.

I recently added a Windows Server 2008 domain tree to my existing Windows Server 2003 forest in my lab environment, and here is how you do it. You start out by putting the Windows Server 2008 DVD in your schema master DC (in my case it was mounting the ISO image to the VM), and from the command prompt you go to D:\Sources\adprep\, where you can run the help option “/?” to see the syntax that applies here.


I ran “adprep /forestprep”; you will have to hit C and ENTER to give assurance that all your DCs are at Windows 2000 SP4 level or above. In my case it imported about 14 new “.ldf” schema files and finished successfully.


The next step is to run the “domainprep” syntax from the same location, and that is to be done on your Infrastructure Master FSMO role holder (see FSMO). In my case it was a different DC, so the same steps as above, except this time we only had to run the “domainprep” part.


In my case I also ran “adprep /domainprep /gpprep” to update the permissions on my existing GPOs. In the future I may write a FAQ or memory refresher about FSMO roles, as it is imperative to know the importance of these roles and to understand what we did here and why it could only be done on certain FSMO holders.

Check your DCs replication

Apart from great tools such as the command-line Repadmin and GUI-based Replmon, Dsastat (a Windows Support Tool) is a command-line utility that allows you to check your DCs’ replication: it compares and detects differences between directory partitions on domain controllers. The tool retrieves capacity statistics such as megabytes per server, objects per server and megabytes per object class. Then it compares the attributes of replicated objects. You can use the tool to compare two directory trees across replicas in the same domain or, for a global catalog, across different domains.

Following is the end result of the simple command with the -s syntax for server names, i.e.

dsastat -s:dc1;dc2

For more information, see this

Admin Tools from the command line/ run command

If you are like me and often have to go and look for the command-line shortcuts for launching the administrator tools in Windows Server 2003, apart from the ones you use on a daily basis and are easy to remember (i.e. mstsc, dsa.msc, compmgmt.msc), here is a handy list you can print out and hang behind your computer until you remember them all.

AD Domains and Trusts
domain.msc

Active Directory Management
admgmt.msc

AD Sites and Services
dssite.msc

AD Users and Computers
dsa.msc

ADSI Edit
adsiedit.msc

Authorization manager
azman.msc

Certification Authority Management
certsrv.msc

Certificate Templates
certtmpl.msc

Cluster Administrator
cluadmin.exe

Computer Management
compmgmt.msc

Component Services
comexp.msc

Configure Your Server
cys.exe

Device Manager
devmgmt.msc

DHCP Management
dhcpmgmt.msc

Disk Defragmenter
dfrg.msc

Disk Manager
diskmgmt.msc

Distributed File System
dfsgui.msc

DNS Management
dnsmgmt.msc

Event Viewer
eventvwr.msc

Indexing Service Management
ciadv.msc

IP Address Management
ipaddrmgmt.msc

Licensing Manager
llsmgr.exe

Local Certificates Management
certmgr.msc

Local Group Policy Editor
gpedit.msc

Local Security Settings Manager
secpol.msc

Local Users and Groups Manager
lusrmgr.msc

Network Load balancing
nlbmgr.exe

Performance Monitor
perfmon.msc

PKI Viewer
pkiview.msc

Public Key Management
pkmgmt.msc

QoS Control Management
acssnap.msc

Remote Desktops
tsmmc.msc

Remote Storage Administration
rsadmin.msc

Removable Storage
ntmsmgr.msc

Removable Storage Operator Requests
ntmsoprq.msc

Routing and Remote Access Manager
rrasmgmt.msc

Resultant Set of Policy
rsop.msc

Schema management
schmmgmt.msc

Services Management
services.msc

Shared Folders
fsmgmt.msc

SID Security Migration
sidwalk.msc

Telephony Management
tapimgmt.msc

Terminal Server Configuration
tscc.msc

Terminal Server Licensing
licmgr.exe

Terminal Server Manager
tsadmin.exe

UDDI Services Management
uddi.msc

Windows Management Instrumentation
wmimgmt.msc

WINS Server manager
winsmgmt.msc

Enjoy!

DFSR with Active Directory

Distributed File System Replication was a major improvement over DFS and FRS, and also an intended selling feature of the R2 release of Windows Server 2003. I came across a great article that describes what DFSR does and how easily it can be set up. In a domain environment, prior to installing DFSR the schema must be updated to the R2 version with the ADPREP utility from CD2 of Windows Server 2003 R2.

“DFSR is a multimaster replication engine used to distribute copies of data across multiple servers. It can run with or without DFS Namespaces, but its most popular use is to ensure that every member of a set of servers—a replica set—contains identical data and that replication is fast and bandwidth-efficient. It has many features, including bandwidth management, replication scheduling, and an innovative compression algorithm, that together dramatically decrease the amount of network bandwidth needed to keep data synchronized across your network. Microsoft reports that using DFSR results in up to a 300 percent improvement in the speed of large-file replication and 40 percent less administrative time spent managing the replication set.”

http://www.windowsitpro.com/Article/ArticleID/95223/95223.html

Microsoft Active Directory Topology Diagrammer

A perfect tool for system administrators who often spend too much time in Visio diagramming their Active Directory infrastructure.

“The Microsoft Active Directory Topology Diagrammer reads an Active Directory configuration using ActiveX Data Objects (ADO), and then automatically generates a Visio diagram of your Active Directory and/or your Exchange 200x Server topology. The diagrams include domains, sites, servers, administrative groups, routing groups and connectors and can be changed manually in Visio if needed.”

It is a freebie.

Download it here..

Active Directory Risk Assessment Program

What was previously the Microsoft Active Directory Health Check Program is now the Active Directory Risk Assessment Program (ADRAP).

“Microsoft ADRAP provides critical insight into the health of your directory services. Microsoft’s own experienced internal engineers utilize our own IT department’s tool to take a snapshot of your production Active Directory (AD) environment.”

Under ADRAP the new program/utility is called the Active Directory Snapshot Tool (ver 5.0.1), which you install in your environment to run the analysis prior to having Microsoft’s internal engineer come out to do the assessment and recommendations for cleanups/fixes. Our ADRAP project is due to take place in July this year; I am told we benefited heavily from this program last year and made several improvements in our AD infrastructure.

Note that the ADST is a diagnostic tool, not a monitoring tool. Thus it is not intended as a replacement for an enterprise-class monitoring solution such as MOM or System Center Operations Manager. There are some requirements for this program; for details take a look at the attached white papers.

ADRAP Datasheet v1.0

ADRAP Datasheet v1.5