Shariq Sheikh | Port 389

A request came in from the Access Control team requesting that they be provided with the users that have been created in a particular office since last 90 days. As usual, PowerShell (with QAD cmdlets) has very simple one liners you can retrieve this information with.

You may also use this to export this data to a CSV file. Notice that when using the export-csv cmdlet you must choose the ‘select’ and define the attributes that should be exported. Format-Table (aliased above as FT) is used to display the information on the console.

GetQADUser-sizelimit 0 | where{$_.whencreated -gt (get-date).adddays(-90)}| select Name,WhenCreated,DN | Export-csv c:\Users90days.csv

There is always a couple of ways to accomplish the same task with further fine tuning your query. As you can see that above query would grab all the users in the domain, going by their whenCreated attribute and present you the pertinent users.

You can define the OU to search with the –searchroot parameter.

Get-QADUser –Searchroot ‘test.mydomain.int/Users/Chicago/’ | where{$_.whencreated -gt (get-date).adddays(-90)}

Alternatively, if you would to like find users account that have been modified since x number of days, you can try something like this.

$OU = <OU PATH>
Get-QADUser -LastChangedAfter (get-date).adddays(-7) -search $OU -sl 0 | ft name,whenchanged

The Active Directory Groups Nesting restrictions is an often-discussed topic among my peers especially in a multi-domain forest and often a question raised in forums and mailing lists. Although there have been some great blogs written that dive deep into the technical restrictions, I personally needed a simple reference chart that I could refer to and which serves me as a memory refresher. Between the two types of Active Directory Groups, Security and Distributions, there are restrictions in both but this attempted reference chart covers only Security type. There are three scopes of Security Groups. Domain Local, Global, and Universal. A leading practice for each of these scopes for NTFS permissions is as follows. Domain Local Groups are used for permissions (ACLs), Users are populated in Global Groups, and Universal Groups are used to manage Global Groups. But often times there are needs to circumvent this model and cross nesting is required especially in a multi-domain forest or in a large environment with multiple forests. The nesting restrictions of each group that you must know about can be broken into three questions and subsequent charts below :

Please note that these nesting restrictions assume Window 2000 native or Windows Server 2003 DFL.

1. Which particular group will take other scope type (nested) as its member i.e from the same domain and from a trusted domain ?

Chart 1 for Question # 1

Chart 2 for Question # 1

2. Where can a particular group be assigned permissions (ACL) i.e only in the domain where it resides and also cross domains ? (trusted or other child domains within the same forest )

All three scope types can be used to assign permissions in the same domain where the groups reside.

Chart 1 for Question # 2

3. Which group will accept users and computers from same and trusted domain ?

All three scope types will accept Users and Workstation from the same domain where they reside.

Chart 1 for Question # 3

More information on the scope of these groups can be found here:

http://technet.microsoft.com/en-us/library/cc755692.aspx

To learn about a leading access control model known as AGDLP see :

http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1255549,00.html

Microsoft earlier this month released the AD Risk Assessment Program Scoping Tool to public. My look at it tells me that this tool essentially more fancily does what ADRAP Sutiability Scripts did, which came with ADRAP Snapshot Tool, which of course came when you had the official ADRAP engagement and cut a check for it. As beneficial as ADRAP could be for a mid-to-large AD environment, I felt in my experience that it never had enough word of mouth. Very few people seem to have heard of it and there isn’t a lot information publicly available for the program, so until you have it done you have a very little idea on what the program offers. This tool is to do just that, it makes the program more public, it gives you a quick glimpse of what the program is about as well as it readies your environment for the actual ADRAP sweep, hence named Scoping Tool. Below you will see the simple 8 steps process that runs several checks on your AD environment and creates a nice HTML report at the end which you would supposedly send it to your TAM prior to the engagement. Regardless of whether you will have the engagement or not, I think this tool serves as a quick snapshot into your environment. This tool is however intended for premier customers.

Download the tool here

Get white papers regarding Active Directory Risk Assessment Program

What is it ?

Windows Server 2003 includes support for a startup switch that lets you tune the allocation of use of memory and memory address space. Regardless of the amount of physical memory in your system, Windows uses a virtual address space of 4 GB, with 2 GB allocated to user-mode processes (for example, applications) and 2 GB allocated to kernel-mode processes (for example, the operating system and kernel-mode drivers). On systems that have 1 GB or more of physical memory, the startup switche can be used to allocate more memory to applications (3 GB) and less memory to the operating system (1 GB). This additional virtual address space helps reduce the amount of memory fragmentation.

How beneficial is it ?

You may have read many articles on this subject before. This discussion has been going on for many years now and at times has almost reached epic proportions due to the conflicting information available from Microsoft. Long story short is that by and large, you should NOT use the /3GB switch unless you meet specific criteria, please read the following article as it demystifies the whole theory. Or read the excerpt below.

http://blogs.technet.com/askperf/archive/2007/03/23/memory-management-demystifying-3gb.aspx

The /3GB option was intended as a short term solution to allow applications such as database servers to maintain more data in memory than a 2GB address space allowed. However, using the /3GB method to increase the user-mode memory space comes at a cost. If we have to allocate an additional 1GB of this address space to the user-mode space, then the System space is cut in half. Drivers, Heap, Paged & NonPaged Memory all have only half the resources to work with now. However, because of the way memory mapping works, cutting the kernel space in half does a lot more than just reducing the address space. Many of the structures within the kernel virtual memory space are cut back by far more than 50%.

For a process to access the full 3GB address space, the image file (application process) must have the IMAGE_FILE_LARGE_ADDRESS_AWARE flag set in the image header.

If the flag is not set in the image header, then the OS reserves the third gigabyte so that the application won’t see virtual addresses greater than 0x7FFFFFFF. You set this flag by specifying the linker flag /LARGEADDRESSAWARE when building the executable. This flag has no effect when running the application on a system with a 2-GB user address space. Therefore if you enable the /3GB switch, then applications that do not have this flag set can only use the standard 2GB of User mode memory, and the Kernel is still limited to the 1GB space – which means that 1GB of virtual memory is basically wasted !

All that is required to make it happen is a switch in the boot.ini file. The switch, /3GB, is placed
at the end of the line that executes the WinNT loading process.

Example:

[operating systems] multi(0)disk(0)rdisk(0)partition(2)\WINNT="Windows NT
Server Version 4.00" /3GB

Or you may add an additional line in your boot.ini as above to have the option to boot into either environment, with or without the switch.

What to keep in mind ?

This topic deals with the the virtual memory address space and has no relevance with the physical memory, it is however a limitation of a 32bit OS if you are running 64bit OS this not applicable. At the end of the day you must decide if your application is capable of handling this switch as an added benefit. Often times, if you are having to up the threshold of your OS handling of things and or things such as over-clocking your processor to keep up, one might worry about the logic behind it. Perhaps go for 64bit OS to begin with.

Using Uptime utility from Microsoft you can get your server uptime (i.e time since the last reboot) which can come in handy particularly when you are trying to troubleshoot a server’s unexpected reboot and failures.

Uptime.exe can be used to display the current uptime of the local or remote system. Optionally, it can also scan the Event log for key system events such as system restart or computers that are not responding (hanging). Where possible, it also calculates system availability. It is primarily intended for Windows NT Server 4.0 Service Pack 4 or later, though it operates in limited fashion on earlier versions.

You can download it from the link below and drop it on the root of the c:\ or where you wish and the command line to run is simply uptime

http://support.microsoft.com/kb/232243

Previously you have been able to use RENDOM utility provided by Microsoft to rename your Window 2000 and Windows Server 2003 domains. However in Windows Server 2008 domain you don’t have to separately install Rendom utility. It gets installed as part of “Active Directory Domain Services” role when you promote a server to the DC role. And It can be found here : %windir%\system32\rendom.exe.

I used it to rename a Windows Server 2008 domain in my test lab environment. The process was pretty straightforward but it may require more tasks if you have multiple DCs in a multi domain environment.

The Forest and Domain Functional Level should be Windows Server 2008 to proceed with the following task.

From the command prompt, I started out by running rendom /list which outputs an XML file (Domainlist.xml) to the directory where rendom resides. You edit that file to change your domain configuration to the new domain name. i.e ForestDNSZones, DomainDNSZones, Netbios name. See referenced link for details.

After you have modified the file you can run rendom /showforest which shows you the future configuration, verify and make changes if necessary.

Upload the changes you have made in the XML file: Run rendom /upload

Verify readiness of Domain Controller(s): Run rendom /prepare

Execute domain rename instructions: Run rendom /execute

After thats finishes up successfully, you should also run GPFIXUP tool to fix up GPO references to your old domain name. See Step 12 of this document.

Here is an example :

C:\Users\Administrator>gpfixup /olddns:08r2.lab /newdns:mcts.lab
Group Policy fix up utility Version 1.1 (Microsoft)

Start fixing group policy (GroupPolicyContainer) objects:
……..

Start fixing site group policy links:
.

Start fixing non-site group policy links:
….
gpfixup tool executed with success.

C:\Users\Administrator>gpfixup /oldnb:08r2 /newnb:mcts
Group Policy fix up utility Version 1.1 (Microsoft)

Start fixing group policy (GroupPolicyContainer) objects:
..
gpfixup tool executed with success.

Lastly, run rendom /clean

The identity (domain GUID) of the renamed domain does not change during a domain rename operation. Thus a computer’s domain membership does not change as a result of the holding domain being renamed.

However, every member computer joined to the renamed domain needs to be rebooted twice. Please refer to “How Domain Rename works” technical reference for more info.

How Domain Rename Works : Microsoft Technet

Other References:

http://dsg.port.ac.uk/~hx/rename_domain/index.php

http://www.msexchange.org/tutorials/Domain-Rename.html (for domains with Exchange)

Every domain has a default setting for ms-DS-MachineAccountQuota value 10. This means that any user can add up to 10 machines to a domain. You can modify this object in directory by using ADSIedit tool to prevent this behavior.

Warning: Using ADSIedit can have adverse effects on your Active Directoy environment, if not handled with proper knowledge.

Launch ADSIedit from run command, ADSIedit.msc

Under Domain Configuration, expand and find your domain. Right click and go to the Properties

Look for the following property and modify it to ’0′

Hit OK, Apply and exit

How does it keep track of how many machines have you added based on your user ID/account ?

For a computer account created by domain users, the account has ‘ms-DS-CreatorSID’ attribute to indicate the creator user. When a user adds a computer to the domain, a process enumerates the ‘ms-DS-CreatorSID’ attribute on every computer account in the domain and calculates if the sum exceeds the current quota for that user.

The ‘ms-DS-CreatorSID’ and ‘ms-DS-MachineAccountQuota’ with default value 10 are also available in Windows Server 2008 AD DS.

Note: The ‘ms-DS-CreatorSID’ attribute will be unset in the computer account that is pre-created in Active Directory Users and Computers MMC or joined by domain administrators.

http://support.microsoft.com/kb/243327

Where Account Lockouts save us from brute force password attacks and help us standardize our environment for password policies, sometimes it can be painful to troubleshoot and find out why and where it happened. Microsoft does provide us with the ‘Account Lockout Management Tools’ suite which can be very handy to diagnose the root cause of an account lockout.

· AcctInfo.dll. Helps isolate and troubleshoot account lockouts and to change a user’s password on a domain controller in that user’s site. It works by adding new property pages to user objects in the Active Directory Users and Computers Microsoft Management Console (MMC).

· ALockout.dll. On the client computer, helps determine a process or application that is sending wrong credentials.

· ALoInfo.exe. Displays all user account names and the age of their passwords.

· EnableKerbLog.vbs. Used as a startup script, allows Kerberos to log on to all your clients that run Windows 2000 and later.

· EventCombMT.exe. Gathers specific events from event logs of several different machines to one central location.

· LockoutStatus.exe. Determines all the domain controllers that are involved in a lockout of a user in order to assist in gathering the logs. LockoutStatus.exe uses the NLParse.exe tool to parse Netlogon logs for specific Netlogon return status codes. It directs the output to a comma-separated value (.csv) file that you can sort further, if needed. The latest version available is 1.0.0.60.

· NLParse.exe. Used to extract and display desired entries from the Netlogon log files.

Unfortunately, I didn’t find good documentation of how to quickly make good use of these tools when my domain admin account started getting mysteriously locked out after I had changed my password due to the policy in place. From my experience I found Lockout Status and EventComb MT to be most useful from the suite.

I knew the common causes why my account would get locked out due to one of the reasons listed here : See this but I needed to figure out what is the offending machine or service thats providing my old credentials to a DC thats causing the account to be locked out.

I started out launching Lockout Status tool and selected my domain admin account as ‘target’ from the file menu and running it. It gave me list of all the DCs with the status of my account and more importantly the DC the lockout happened on in the ‘Orig Lock’ tab towards the right of the program screen. I then launched the Event CombMT piece and right clicked in the white space in the search area and added the DC the lockout originated at. I choose from ‘Option’ menu where I wanted to output the file as txt or CSV. I chose ‘Security’ as log files search option for all event types and then putting ’644′ as the event id and clicked on search.

It outputted the CSV file in the area I had specified and I was able to see that it found the event 644 for my ID on 6 different machines across the domain, it was listed under ‘Caller Machines Name’ column, (I know its bad administration on my part to sometimes disconnect my terminal sessions instead of logging off). Sure enough when I logged on to those machines I immediately saw the following notifications.

I had to log off and log back in to clear out the error. After that, I ran the Lockout Status tool again and noticed the lock status for my domain admin account had been cleared out.

Conclusion: Never leave your account logged on somewhere (or have a service run under your user context) and lock the machines or disconnect the remote session without logging off, and when using tools like Remote Desktops (which can be useful and allow you to have a list of machines you remote in frequently during the day), make sure you don’t save your passwords in the session configurations.

More Resources:

Download the Microsoft Account Management Tools

Technet Resource on how to maintain and manage the account lockout

WindowsSecuirty.com-Implementing and Troubleshooting Account lockout

Sometimes you have a task on your hand for your Active Directory environment but it isn’t an easy one, or lets just say that not many people have come across having a need for it (so not a whole lot you can google for). I recently had a situation like this. Basically in our AD environment we failed to realized the importance and fell behind in keeping our reverse lookup zones updated. As we all know that AD infrastructre does not rely on reverse lookups and you can get away with not having all your defined subnets populated in the reverse zones (in-addr.arpa). We began having some random errors of unsuccessful Group policy applications on some machines and also we started being bugged by the SMS group of the failure of SMS clients installation since some applications like SMS do rely on having to lookup machines by their IP addresses.

We are quite a big environment as we have little over 1000 AD defined subnets and only 80 some had been populated in the reverse lookup zones. I was tasked to make sure that all the reverse zones are created in our DNS from the defined subnets. As it could be very tedious task, I wanted to automate the process. I am not a scriptor but I knew that we could not be the only who has had this issue and I tried digging the newsgroups/blogs/forums and the internet in general but I had no or little luck finding any relevant information.

I started off looking into ADSIedit, as I wanted the export the subnet objects and then somehow import them back into the DNS. I knew that there was DNSCMD command line utility that allows you to do various tasks for zones/records creations, deletion and modification. Unfortunately it did not have a very wide syntax that allowed to pipe-in a list from an external source such a CSV file (that would have the subnets I export from AD). As expected the export part went fine and I had the full list of all the AD defined subnets. Now I was struggling to find a VBscript I could wrap this file into and pipe-in thru DNSCMD like utility.

I looked at Joeware free AD utilites, and I saw Joe had a tool called ADfind. I decided to query him and I got a rapid reply back from him with some suggestions, he assured me it is doable using his ADfind utility combined with some other script or utility. In mean time he forwarded my query to Dean Wells of MSEtechnology who emailed me a rather quick solution using Joe’s ADfind tool (see below). I was extremely pleased how my easy attempt to query seasoned scriptors had paid off.

Apart from other great writing and consulting achievements both Joe Richards and Dean Wells are Micrsoft MVPs and their voluntary efforts to help out the community truly exhibited what MVP program is all about.

So here is the command you would run at your DNS server to accomplish this task;

for /f "tokens=1,2,3 delims=." %n in ('adfind -config -rb "CN=Subnets,CN=Sites" -f "objectclass=subnet" name -list') do @dnscmd /zoneadd %p.%o.%n.in-addr.arpa /primary

add ‘ds’ in front of the primary (/dsprimary) if you wish to make the zones AD integrated

NOTES from Dean
-If you place the syntax above within a batch file, please note that any occurrence of a ‘%’ symbol must be replaced with ‘%%’ (two of them)
-ADfind and DNSCMD must both exist within the current directory or the system path
-In its current form, the syntax assumes the subnet is comprised of 3 octets

Maybe the most forgotten password is the one for Directory Services Restore Mode (DSRM) because it’s created only when a DC is built, and used only during critical DC recovery operations, which hopefully does not happen very often. Not knowing this password can prevent a successful recovery.

If you don’t know your DSRM password and haven’t stored them in a safe place, use the following commands for each Domain Controller to reset it to a known value:

ntdsutil
set dsrm password
reset password on server {servername}

Once you do this, write down that password and lock/encrypt it away.

FSMO (pronounced – fiz-mo) roles are essentially domain controllers with higher power than their peer DCs hence the name Flexible Single Master Operation, the word flexible is perhaps in there since you do have the flexibility to move these roles around (the word floationg has been referenced at some places as well). From the name you really have to focus on the Single Master Operation part to understand that these roles have a single role attached to them that only one DC can have.

There are total of 5 FSMO roles with two at the Forest level and three at Domain level. And here is what they are.

Forest Level FSMO roles:

1. Domain Naming Master – Ensures that each child domain has a unique name.  How often do child domains get added to the forest?  Not very often I suggest, so the fact that this is a FSMO does not impact on normal domain activity.  My point is it’s worth the price to confine joining and leaving the domain operations to one machine, and save the tiny risk of getting duplicate names or orphaned domains.
2. Schema Master – Operations that involve expanding user properties e.g. Exchange 2003 / forestprep which adds mailbox properties to users.  Rather like the Domain naming master, changing the schema is a rare event.  However if you have a team of Schema Administrators all experimenting with object properties, you would not want there to be a mistake which crippled your forest.  So its a case of Microsoft know best, the Schema Master should be a Single Master Operation and thus a FSMO role.

Domain level FSMO roles: 

1. PDC Emulator - Most famous for backwards compatibility with NT 4.0 BDC’s.  However, there are two other FSMO roles which operate even in Windows 2003 Native Domains, synchronizing the W32Time service and creating group policies.  I admit that it is confusing that these two jobs have little to do with PDCs and BDCs. 
2. RID Master – Each object must have a globally unique number (GUID).  The RID master makes sure each domain controller issues unique numbers when you create objects such as users or computers.  For example DC one is given RIDs 1-4999 and DC two is given RIDs 5000 – 9999.
3. Infrastructure Master – Responsible for checking objects in other other domains.  Universal group membership is the most important example.  To me, it seems as though the operating system is paranoid that, a) You are a member of a Universal Group in another domain and b) that group has been assigned Deny permissions.  So if the Infrastructure master could not check your Universal Groups there could be a security breach.

You can see your Domain level FSMOs from the ADUC (Active Directory Users & Computers) right click on the domain name and click on Operations Roles, from there you have the ability transfer these roles as well. Of Forest level FSMOs, Domain Naming Master can be looked up from the Active Directory Domains and Trusts, you have to right click on the Domains and Trusts at the top in the left pane and click on Operation Roles. And for Schema Master look up you have to register a DLL and add in an snap-in (see here).

As windows system admin you should know the importance of the FSMO roles and have good knowledge of what each one does and how to transfer and sieze them when necessary.

For more detailed reading see this great article, as you may not find a lot of FSMO information in general MS press books targeted towards MS certification (at least for Windows Server 2003 track).

Long after there have been hundreds of free online space givers have emerged, Microsoft has recently jumped in with their own flavor. Windows Live SkyDrive is a free online space that gives away 5gb space for your music, data, pictures, and videos. Along with that there is also a ‘public folder’ feature available similar to that of Microsoft Outlook. Service over all is good however the limit for file size upload is 50mb which in my opinion isn’t very good. But heck you can’t beat free 5gb of ciber space.

You don’t have to sign-up for the service if you already have an hotmail or msn account. Just go here after you log-in to your hotmail/msn account and reserve your space.

I myself have a public folder space now which I intend to use to publish Microsoft related evals/software and documentation.

If you are like me and often have to go and look for the command line shortcuts apart from the ones you use on daily basis and are easy to remember (i.e mstsc, dsa.msc, compmgmt.msc) for launching the administrator tools in Windows Server 2003. Here is an handy list you can print out and hang it in behind your computer until you remember them all.

AD Domains and Trusts
domain.msc

Active Directory Management
admgmt.msc

AD Sites and Serrvices
dssite.msc

AD Users and COmputers
dsa.msc

ADSI Edit
adsiedit.msc

Authorization manager
azman.msc

Certification Authority Management
certsrv.msc

Certificate Templates
certtmpl.msc

Cluster Administrator
cluadmin.exe

Computer Management
compmgmt.msc

Component Services
comexp.msc

Configure Your Server
cys.exe

Device Manager
devmgmt.msc

DHCP Managment
dhcpmgmt.msc

Disk Defragmenter
dfrg.msc

Disk Manager
diskmgmt.msc

Distributed File System
dfsgui.msc

DNS Managment
dnsmgmt.msc

Event Viewer
eventvwr.msc

Indexing Service Management
ciadv.msc

IP Address Manage
ipaddrmgmt.msc

Licensing Manager
llsmgr.exe

Local Certificates Management
certmgr.msc

Local Group Policy Editor
gpedit.msc

Local Security Settings Manager
secpol.msc

Local Users and Groups Manager
lusrmgr.msc

Network Load balancing
nlbmgr.exe

Performance Montior
perfmon.msc

PKI Viewer
pkiview.msc

Public Key Managment
pkmgmt.msc

QoS Control Management
acssnap.msc

Remote Desktops
tsmmc.msc

Remote Storage Administration
rsadmin.msc

Removable Storage
ntmsmgr.msc

Removalbe Storage Operator Requests
ntmsoprq.msc

Routing and Remote Access Manager
rrasmgmt.msc

Resultant Set of Policy
rsop.msc

Schema management
schmmgmt.msc

Services Management
services.msc

Shared Folders
fsmgmt.msc

SID Security Migration
sidwalk.msc

Telephony Management
tapimgmt.msc

Terminal Server Configuration
tscc.msc

Terminal Server Licensing
licmgr.exe

Terminal Server Manager
tsadmin.exe

UDDI Services Managment
uddi.msc

Windows Mangement Instumentation
wmimgmt.msc

WINS Server manager
winsmgmt.msc

Enjoy !

Distributed File System Replication was a major improvement over DFS and FRS, and also an intended seller feature of the R2 of Windows Server 2003. I came across a great article that describes what the DFRS does and how easily it can be setup. In domain environment, prior to installing DFSR the schema must be updated to the R2 version with the ADPREP utility from the CD2 of the Windows Server 2003 R2.

“DFSR is a multimaster replication engine used to distribute copies of data across multiple servers. It can run with or without DFS Namespaces, but its most popular use is to ensure that every member of a set of servers—a replica set—contains identical data and that replication is fast and bandwidth-efficient. It has many features, including bandwidth management, replication scheduling, and an innovative compression algorithm, that together dramatically decrease the amount of network bandwidth needed to keep data synchronized across your network. Microsoft reports that using DFSR results in up to a 300 percent improvement in the speed of large-file replication and 40 percent less administrative time spent managing the replication set.”

http://www.windowsitpro.com/Article/ArticleID/95223/95223.html

WSUS 3.0 SP1 was released yesterday, following are the improvements that have been made from Version 3.0.6

The improvements that SP1 offers include:

• Support for Windows Server 2008.
• New Client Servicing API.
• Support client registration.
• Filter of updates by category and classification.
• Provide applicability rule extension mechanism.
• Obtain package metadata and report update status for each client.

• Improvements for local publishing: supports publishing of drivers within the enterprise by using vendor provided catalogs. API include support for bundles and prerequisites.
• All hotfixes: WSUS 3.0 SP1 includes all the changes and hotfixes that have been issued since the release of WSUS 3.0.
• Support for Microsoft SQL Server 2005: WSUS 3.0 SP1 lets you use SQL Server 2005.

You can get it here..