What is Active Directory Tombstone Lifetime (TSL) ?
The tombstone lifetime in an Active Directory forest determines how long a deleted object (called a “tombstone”) is retained in Active Directory Domain Services (AD DS). The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition.
Directory Services veteran and MVP Joe Richards has published a short blog entry demystifying the confusion a technet article has caused in regards to how to go about figuring a TSL on a particular domain. Note that new forests that are installed with Windows Server 2003 with SP1 and up have a default tombstone lifetime of 180 days.
Joe shares his ADFIND tool to lookup the current value of the TSL attribute (irrespective of what OS was used to build the forest). Note that as Joe pointed out if this attribute is not set (i.e empty value) then the TSL is 60 days. Here I show you how to lookup the TSL with PowerShell.
Also, here is how you can use DSQUERY from the Windows Support Tools to lookup the TSL.
dsquery * “CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=R2,DC=lab” -scope base –attr
tombstonelifetime
Note that I have used my test forest’s DN of R2.lab in above examples, be sure to replace the values with your forest’s DN. Above query should be typed in one line.
Server Core seems to be the perfect candidate for installing KMS. Key Management Service mediates your Volume Licensing with Microsoft Activation Services and acts as the man-in-the-middle for the activation for all your KMS clients that comprise of Vista, Windows 7, Windows Server 2008 and R2. With Windows 7 and Windows Server 2008 R2, what you have in KMS is Volume Activation 2.0. In contrast with KMS, what you have is MAK that stands for multiple activation key. MAK is targeted for clients that stay off the network whereas KMS is designed for your internal clients. Following I have a simple overview design of how it works.
My Windows Server 2008 R2 Server Core has a very small footprint, it is a single processor/20gb hd/512mb ram machine. The first thing you need is the KMS Host key from your Microsoft Volume Licensing site or from your TAM. The command to register the machine as the KMS host is slmgr /ipk <your key>
Once it is registered, you need to activate the host itself. Run slmgr -ato You can check the status and brief description of the KMS host by running slmgr –dli
The verbose information is provided via slmgr –dlv
Once KMS is setup, it will register its SRV record in DNS. You can verify from your workstation if it has done so via,
nslookup -type=srv _vlmcs._tcp
From then on clients will automatically be reverted to your KMS host for activation but as hinted in the drawing above, starting with Windows 7 and 08 R2, the minimum threshold (activation attempts/requests) that are needed to fully activate the KMS host is 25 Vista/Windows 7 clients or 5 Server 2008 (R2). This number can comprise of virtual and physical loads, previously this was limited to physical systems only. The slmgr -dlv will show you the total requests received. Note that the KMS is desgined to let you better manage your internal activation for compliance reason. Micrsoft does not go receive any internal information from between the KMS host and KMS client. KMS has you abide your EA Volume Licenseing, check the VL Product Groups shown in the diagram that are pertinent for your environment. I find the group B to be most commonly required.
Important note : Installing/configuring the KMS does not open up the pertinent firewall port (default port 1688). From running “slmgr -dli” you will notice that it says that the KMS is listening on port 1688 but the rule is not enabled so you may do so like this.
netsh advfirewall>FIREWALL add rule name=”KMS” dir=in action=allow protocol=tcp localport=1688 Ok.
One of the DNS improvements in Windows Server 2008 R2 is DNS Cache Locking in which if configured the cache entries are not allowed to be modified for the percentage of TTL.
Cache locking is a new security feature available with Windows Server® 2008 R2 that allows you to control whether or not information in the DNS cache can be overwritten. When a recursive DNS server responds to a query, it will cache the results obtained so that it can respond quickly if it receives another query requesting the same information. The period of time the DNS server will keep information in its cache is determined by the Time to Live (TTL) value for a resource record. Until the TTL period expires, information in the cache might be overwritten if updated information about that resource record is received. If an attacker successfully overwrites information in the cache, they might be able to redirect traffic on your network to a malicious site.
Cache locking is configured as a percent value. For example, if the cache locking value is set to 50, then the DNS server will not overwrite a cached entry for half of the duration of the TTL. By default, the cache locking percent value is 100. This means that cached entries will not be overwritten for the entire duration of the TTL. The cache locking value is stored in the CacheLockingPercent registry key. If the registry key is not present, then the DNS server will use the default cache locking value of 100.
You can configure the CacheLocking with DNSCMD utility from the command line (launched under elevated rights).
dnscmd /Config /CacheLockingPercent <percent>
You may also check the current percentage set for this setting with the /info switch of DNSCMD.
With above, the pertinent DWORD registry key is created under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters
However, in real world you push down this registry key via Group Policy Preferences to all your DNS servers. Values for the key are shown below.
Here is quick snippet of password set/reset ‘Set-ADaccountPassword’ cmdlet in 08 R2 via ADWS (native AD cmdlets) and a test screencast from me.
I highly recommend to use the built in cmdlet help to learn the syntax and available parameters. Whether you are using the cmdlet as an one-off task or trying to incorporate it into a script.
First we run, Help Set-ADaccountPassword -examples to look at what the options are and then use,
Set-ADaccountPassword -Identity Moyo -reset where the user id is moyo, and provide the new value of the password. Unlike many other functions where you must run the ADWS under elevated ‘administrative’ privileges, if you are running this cmdlet on your DC, you can run this under normal security context.
Previously I had briefly written about ADAC and today we take a look at some of the things you can accomplish by this new interface of Active Directory.
We start out by launching the ADAC, by running DSAC.exe from the run window
ADAC offers two views, the list view
and the tree view
There are several useful queries built-in which you can add from the ‘Add criteria’ button such as find all the users with expired passwords
And add multiple criteria to your query
From the task pane, you can create a new user
Its an ease of use to be able to fill in all the pertinent attributes from a single interface
Now you can raise DFL and FFL from one location, previously you had to raise the FFL from AD Domains and Trusts snap-in
From the Global Search page, you can simply also add your own LDAP query
You can add specific navigation nodes into your list-view such as the Users container and apply different filters (query) to do a comparison side-by-side, from the same ‘add navigation nodes’ window you can also add other trusted domains to manage multi-domain environment all in one place.
I had earlier posted about the Add-Computer cmdlet bug in Windows 7 RC builds which didn’t allow the computer to be added to the domain via PowerShell. With Windows 7 RTM, it is fixed and turns out to be pretty handy should you need to script the domain joins for your new builds. The command to add the machine is pretty simple.
The –passthru switch as chosen in the example shows the results.
Check out help for what you can do with this cmdlet such as when you need to add the computer account to a specific OU. Remember that adding machine via PowerShell to the domain does not require you to create the computer name before hand, but it pre-exists than its not an issue.
For reasons unknown to me the useful Rename-Computer cmdlet (shown in my earlier example) seems to have been removed past CTP3 builds and the RTM. Even though the technet reference for all Windows 7 PowerShell cmdlets still has it listed.
ADMGS aka AD Web Services aka Powershell Native AD cmdlets which is originally a Windows Server 2008 R2 feature is out of beta and can be downloaded from here for DCs running down level OSs.
The Active Directory Management Gateway Service enables administrators to use the Active Directory module for Windows PowerShell and the Active Directory Administrative Center running on Windows Server 2008 R2 or Windows 7 to access or manage directory service instances that are running on Windows Server 2008 or Windows Server 2003 DCs.
“Note: Installing the Active Directory Management Gateway Service on your Windows Server 2008–based or Windows Server 2003–based servers does not make it possible for you to install the Active Directory module or the Active Directory Administrative Center (which is available only on Windows Server 2008 R2 or Windows 7 operating systems) on these servers. “
Ever wonder what controls the native permissions on the security principal such as Domain Admins and Administrators in Active Directory ? What if an owner changes the permission these entities have ? The permissions do come back. They must. John Policelli had a great article on the subject of AdminSDHolder and SDPROP in this month’s technet article. The magic is driven by the AdminSDHolder which is an object that resides under the System container of Domain NC. This object has a unique ACL which is used to control the permissions of security principals that are members of built-in AD groups, also known as “protected groups”. The SDPROP (Security Descriptor Propagator) is the process that runs in the background and complies all the permissions according to the AdminSDHolder.
Every hour, a background process called SDPROP runs on the domain controller that holds the PDC Emulator operations master role. It compares the ACL on all security principals (users, groups and computer accounts) that belong to protected groups against the ACL on the AdminSDHolder object. If the ACL lists aren’t the same, the ACL on the security principal is overwritten with the ACL from the Admin–SDHolder object. In addition, inheritance is disabled on the security principal.
John has done an excellent job on explaining the process and how it can affect you. I would like to show you the one-liners with which you can look-up who is part of that “elite” bunch in your AD with PowerShell (ADWS) on Windows Server 2008 R2 and as well with PowerShell (and Quest) in Windows Server 2003 domain.
For every recipient of this process i.e security principal such as user, group or computer, there is an attribute named “admincount” that gets marked as “1″ indicating that this principal via nesting or explicitly is part of a protected group in AD.
On Windows Server 2008 R2 where can you use (ADWS), the simple command to retrieve the user and group objects with admincount set as 1 is this.
Get-ADgroup -LDAPFilter “(admincount=1)” | select name
Get-ADuser -LDAPFilter “(admincount=1)” | select name
In domains that are pre-Windows Server 2008 R2, you can use similar QAD cmdlets.
Get-QADGroup -LDAPFilter “(admincount=1)”
Get-QADuser -LDAPFilter “(admincount=1)”
If you would just like to get the total number of users, you may count it like this.
(Get-QADuser -Ldap “(admincount=1)”).count
Another great read on AdminCount, AdminSDHolder, and SDPROP is right here from Mike B. Smith.
As named “domain modes” in Windows 2000 time, Domain Functional Level and Forest Functional Level (introduced in Windows Server 2003) list has grown with the inception of two new Windows Server 2008 functional levels. While Domain Functional Level limits the OS of the DCs, a raise to the Forest Functional Level (in a multi-domain environment) can only be achieved after all child domains’ DFL have been met. Both Functional Levels do not dictate the type of OS you can run on your member servers. They dictate which OS can run on a DC and introduce new functionality to AD as you move up the ladder. Such as, to be able to take advantage of AD Recycle Bin functionality all your DCs must be running Windows Server 2008 R2 and the FFL must be at 2008 R2.
There are now 6 different types of Domain Functional Levels;
1. Windows 2000 Mixed (supports NT4/2000/2003 DCs)
2. Windows 2000 Native (supports 2000/2003 DCs)
3. Windows Server 2003 Interim (supports NT4/2003 DCs)
4. Windows Server 2003 (supports only 2003 DCs)
5. Windows Server 2008 (supports only 2008 DCs)
6. Windows Server 2008 R2 (supports only 2008 R2 DCs)
And five forest functional levels:
1. Windows 2000 (supports NT4/2000/2003 DCs)
2. Windows 2003 Interim (supports NT4/2003 DCs)
3. Windows Server 2003 (supports only 2003 DCs)
4. Windows Server 2008 (supports only 2008 DCs)
5. Windows Server 2008 R2 (supports only 2008 R2 DCs)
As Exchange 2010 will only run on Windows Server 2008 (64bit only), there were some known issues with the beta version with the Windows Server 2008 R2 (mainly newer builds than 7000), due to PowerShell and WinRM stacks being incompatible. That issues is well discussed here and hopefully those issues are now resolved with the RC.
Windows Server 2008 R2 provides a web service that is required by ADAC and native AD-Cmdlets of PowerShell, that service in known as ADWS and its part of proverbial ADMGS framework. So ADMGS equals ADWS out-of-box. The service lets Server 2008 R2 AD PowerShell cmdlets and other applications work against the DCs with ADMGS installed. And its final version has been released with Windows Server 2008 R2 which hit RTM earlier this week. That ADMGS framework and comparison of changes from 2008 to 2008 R2 was briefly discussed in a Brian Desmond’s webcast a few months back.
Something not part of the original plan and considered due to high demand is that now you have ADWS add-on service/functionality available to manage your down-level DCs such as Windows Server 2003 and 2008 (non-R2). This means you don’t have to be at 2008 R2 FFL to run this.
Active Directory Management Gateway Service download details and instructions will be available to you on MS Connect site – http://connect.microsoft.com/ADWS/
Once you have it installed, you can take advantage of native AD PowerShell Cmdlets. This certainly adds good competitiveness to the cmdlets world and Quest Active Roles QAD cmdlets finally have something to compete against.
Much has been said about the manageability of AD Recycle Bin in Windows Server 2008 R2 via the Microsoft’s intended way i.e via PoSH cmdlets. Though this option stays to be only enable-able via PowerShell, the ability to restore objects (the process of reanimation of objects in earlier ADs) has been extended to GUI by Overall Solutions Inc. The GUI tool is very simple to use and its available for free. Below I show you how to restore a deleted OU with objects inside via this tool. See previous post on how to enable the AD Recycle Bin feature in your Windows Server 2008 R2 forest.
We delete an OU called Chicago which contains a Global Group.
Launch the ADRecycleBin tool (be sure to launch it under administrator’s context)
Right click on the child object of a deleted tree and select all
Click on Restore Deleted Object on top right corner
And its simple as that. Lesson of the story, there is always a window for someone to step in and fill the void. I had earlier posted how Server Core that was intended to be managed via CLI only had made a U-TURN in R2 release of Windows Server 2008. Personally, I wouldn’t mind having to manage this feature solely from PowerShell, but its nice to have the GUI option available.
Launch the PowerShell under Administrator’s account context, and type this cmdlet.
Enable-ADOptionalFeature -Identity ‘CN=Recylcle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com
Read and understand the warning of this action’s irreversebility, and hit “Y” for yes to continue.
In following screenshot I show you an error not neccesarily applicable to you, the cmdlet complained about not being able to verify the FSMO ownership role. The reason for this was the fact that in my VM Lab environment I had shut down another DC for maintenance and it had not been replicated or talked to.
As I brought that downed DC back online, forced the replication, I was able to proceed. You can then confirm with this cmdlet.
Get-ADOptionalFeature ‘Recycle Bin Feature’
Here is a great post on this hot feaure of Windows Server 2008 R2.
Perhaps, inspired by Guy’s utility ‘Server Core Configurator’. There is now a menu driven utility call SCONFIG.exe in R2 version of Server Core. This allows you to do all the initial configuration tasks, such as rename the computer, join to domain, set an new IP or DNS, or enabled the RDP etc.
Previously you had to rely on netdom, netsh, and WMIC to perform these initial tasks, unless you had the Server Core Configurator (as mentioned above) installed. Note that this SCONFIG menu is very much similar to that of Hyper-V menu.
Here are a few posts that you may find helpful for the pre-R2 Server Core.
As briefly discussed before, a feature to offline domain join machines is available in Windows Server 2008 R2. The utility is called “djoin.exe” which is used to perform this task. Here is an official blurb on what the offline domain join is what it would be used for and then I will show you how to perform this simple task.
“Offline domain join is a new process that computers that run Windows® 7 or Windows Server® 2008 R2 can use to join a domain without contacting a domain controller. This makes it possible to join computers to a domain in locations where there is no connectivity to a corporate network. For example, an organization might need to deploy many virtual machines in a datacenter. Offline domain join makes it possible for the virtual machines to be joined to the domain when they initially start after the installation of the operating system. No additional restart is required to complete the domain join. This can significantly reduce the overall time required for wide-scale virtual machine deployments.
A domain join establishes a trust relationship between a computer running a Windows operating system and an Active Directory® domain. This operation requires state changes to Active Directory Domain Services (AD DS) and state changes on the computer that is joining the domain. To complete a domain join in the past using previous Windows® operating systems, the computer that joined the domain had to be running and it had to have network connectivity to contact a domain controller”
I created the metadata as known as “blob” on one of my DC for a Server named 2008R2RC2 that I wanted to join to domain offline (i.e the target machine not connected to the network) and saved it to a txt file called computer_prov, then as usual I run the help on the utility to learn what syntax it has available. Here is the command syntax I ran to provision the computer account and to create the metadata.
I get an error that I am not running the Shell with elevated privileges, I get out and get back in with the “run as administrator” option, and get the same error.
Perhaps its a bug in RC release, I then tried the same syntax from the conventional CMD line window and was successful.
I then restarted the target computer and machine had been joined to the domain.
A couple years back someone made a recommendation on Microsoft Exchange Forums that equivalent to Exchange BPA, it would be nice for AD Admins to have an AD Best Practices Analyzer, this was passed on to the AD Team. Though I am not if this particular thread was the driver behind it, but starting in Windows Server 2008 R2, AD Admin will have the BPA.
“Active Directory Domain Services (AD DS) Best Practices Analyzer (BPA) is a server management tool that can help you implement best practices in the configuration of your Active Directory environment. AD DS BPA scans the AD DS server role as it is installed on your Windows Server 2008 R2 domain controllers, and it reports best practice violations. You can filter or exclude results from AD DS BPA reports that you do not need to see. You can also perform AD DS BPA tasks by using either the Server Manager graphical user interface (GUI) or cmdlets in the Windows PowerShell command-line interface.”
ADBPA is a great idea, it gives you a quick glance into the new DC you have just stood up. It points you toward setting the NTP settings correctly if the DC is also PDC. It lets you know if your OUs are not set to be protected from accidental deletion. It also reminds you that certain directory partitions (NC) have not been backed up since a certain of period time. You can access the ADBPA from the Server Manager -> ADDS.
You may notice that if you are running the Windows Server 2008 Beta version, there seems to be a bug with ADBPA rule. One of the non-compliant complain is about the DC’s inability to reach a DNS server to retrieve DC specific records even when the DC itself is also the DNS and the pertaining records are existing. This behavior has been corrected in the RC version.
The compliant section also shows where your DC meets the expected configuration, such as when it advertises itself as a DC in its local site. One downside I see with ADBPA is that it cannot be self-launched into its separate MMC. Or unlike the Exchange BPA, it is only accessible in a small window from within the Server Manager. So there if is large number of non-compliant/compliant messages, the browsing ability is not that great.
How does ADBPA gather this data ?
“When you run the AD DS BPA scan on a domain controller, the BPA engine invokes the AD DS BPA Windows PowerShell script that collects configuration data from the AD DS environment that this domain controller belongs to. The AD DS BPA Windows PowerShell script then saves the collected AD DS configuration data to an XML document. The BPA run-time engine validates this XML document against the XML schema.”
It is version 47 in RC and it may very well change when R2 gets RTM. You can check the objectVersion attribute of your current forest on the Schema Naming Context (NC) via ADSIedit.msc.
Here are some older Schema versions.
13=Win2k
30=2003
31=2003R2
44=2008
Here is more detail of schema changes in Windows Server 2008 R2 RC.
@mekline Great, so I assume you are working on implementing recommendations made by the ADRAP engagement with MS at this client ? in reply to mekline1 day ago
