
Ulf B. Simon-Weidner's Blog
Re-Awarded: Microsoft Most Valuable Professional (MVP) for Directory Services

Woohoo, what a way to start a new year! I just got the message that I’m re-awarded as MVP for Windows Server – Directory Services. This is my 11th consecutive MVP award.


Thanks Microsoft, and I’m looking forward to a great year!



Posted Wed, Jan 1 2014 17:30 by Ulf B. Simon-Weidner | with no comments

A great TechEd so far …

… will get even better. Tomorrow morning Sam Devasahayam and I will present the session “What’s new in Active Directory in Windows Server 2012”. It’s loaded with information from the Active Directory Product Group, and I’ll bring in some real-world scenarios. I’m looking forward to the session. Loads of information and loads of reference slides to take away after the session.

After the success at TechEd US we decided that we are again taking questions via Twitter. If you come to the session and you have a question but don’t feel like walking up to one of the microphones, you can use Twitter to ask the question and we will get to it in the session, or if we are running short on time we will get back to it afterwards.

Questions? Simply use the hashtag #TESIA312 for tomorrow’s session.


Hopefully will see you there!


P.S.: If you like the session, please don’t forget to fill in the session evaluation. I will provide an MS-Tag and QR code right at the end of the session, so have your phones ready.

Posted Wed, Jun 27 2012 16:55 by Ulf B. Simon-Weidner | with no comments

Session “Evolution of AD Recovery” from TechEd US available online

Hi again,

I forgot to mention that the session is available online – for those who couldn’t make it to TechEd US and were asleep when it was streamed online. For everyone who will be at TechEd Europe: don’t watch it now, come by and say hello in Amsterdam.


And … THANKS JIMMY for the pictures!

Posted Mon, Jun 18 2012 1:53 by Ulf B. Simon-Weidner | with no comments

My demo equipment at TechEd

Hi there,

I spoke to multiple people being totally excited about my demo equipment at TechEd, and was asked couple times if I can blog this. So here we go.

The hardware I used is a Lenovo Tablet X220T – thanks Lenovo! It’s great hardware: I love to work with tablet PCs, and I’ve worked with them for years, however the hardware I had before died on me (it was my personal one, but I used it as my main device, reducing my work laptop to demo and test). I always preferred Lenovo’s keyboards and their solid business laptops. And the tablet is great - I like being able to work in a train, plane, wherever, having all input options (mouse+keyboard, touch or stylus) and selecting whether to write a long text using the keyboard, review, sketch out or handwrite annotations using a pen, or simply touch the things I want to open or select. I want to work the way I prefer, not thinking about input but being able just to do it. I POWERED (had to say this in caps) the Lenovo with Windows 8, which rocks!! It’s also able to handle 16GB of RAM, which is great for Hyper-V in Windows 8. There’s a new version out, the X230T, with USB 3, mSATA for broadband or an additional disk (cool, mSATA disk for the OS, traditional and bigger HDD for the data and VMs in a convertible tablet form factor with 16GB), and an optional battery where they claim up to 18 hours uptime. I cannot wait to get my hands on one of these, and if it’s as satisfying as I believe it’s definitely shopping time for me. To get back to my presentation – I’ve done multiple with the same hardware and since I currently have only one internal HDD I’m using an external SATA drive with a PCI-Express adapter to speed up if I need more power for my VMs (did this at The Experts Conference in April).

The new default installation option of Windows Server 2012 is Server Core. You are also able to switch back and forth – or in between. The options are Server Core, Full Server, or in between, Server Core with Management GUI (the Minimal Server Interface). The last option has Server Manager and the management interfaces but still lacks Explorer (Shell, Start Menu, File Browsing), Internet Explorer and many other things. It’s new to Server Core in Windows Server 2012 that you can decide at any time whether to install or uninstall the management or full GUI. Additionally, Server Core now offers the possibility to uninstall binaries which are not needed. Back in the early days of Windows there were no unused binaries on disk, however it was always a struggle when you were installing a new component on an existing server because you were asked for the CD and had to insert the right language version and also the right distribution media (e.g. it depended on whether it was volume licence media, off-the-shelf media, MSDN or TechNet, …). With some version – IIRC it was Vista/2008 – this was changed and the compressed binaries for all components (roles and features) were copied onto the system, even when they were not used, so that if anyone was going to install a component later (s)he wasn’t asked for the media.

Today, virtualization and packing multiple machines on one host is critical, especially when we talk about cloud computing. So in Windows Server 2012 we are not only able to install or uninstall roles and features, we are also able to remove the binaries of an uninstalled feature from the system (Features on Demand), giving the operating system installation a smaller footprint and fewer binaries to patch. You can still install a removed feature later, but then you need to ensure that the machine is able to connect to Windows Update, or you need to provide the install.wim file, the installation media or an installed server to pull the binaries from.

I’ve created a base image (I always do this, then create differencing disks for the individual machines, which gives higher performance with multiple machines, needs less disk space and makes creation of new machines easy).

So since it’s the new installation default, and I think that is a great way to go (reducing systems to what they are supposed to do), I used Server Core as the only operating system option for my demos at TechEd. I decided to strip down the base image as much as possible, and ran a PowerShell command right after the installation to remove all binaries which are not used:

Get-WindowsOptionalFeature -Online | ForEach-Object {
    # Only features still in state 'Disabled' have their payload on disk;
    # -Remove deletes the binaries (state becomes 'DisabledWithPayloadRemoved')
    if ($_.State -eq 'Disabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName -Remove
    }
}
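As an added example (not code from the original post), here is the same clean-up wrapped so that it supports -WhatIf, keeps a record of what it removed, and shows the reinstall path that a removed payload forces on you later. It assumes the DISM cmdlets of Windows 8 / Windows Server 2012, PowerShell 3.0 or later and an elevated session; the log path and the TelnetClient feature in the commented reinstall line are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Removes the payload of every feature
# that is still 'Disabled' (binaries on disk but unused), records what was removed,
# and shows how a stripped feature is put back. Assumes the DISM cmdlets of
# Windows 8 / Windows Server 2012 and PowerShell 3.0+; log path and 'TelnetClient'
# are placeholders.

function Remove-UnusedFeaturePayloads {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$LogPath = "$env:SystemDrive\Temp\removed-features.csv"   # assumption: where the audit trail goes
    )
    $logDir = Split-Path $LogPath
    if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

    # 'Disabled' = unused but payload present; 'DisabledWithPayloadRemoved' = already stripped.
    $candidates = Get-WindowsOptionalFeature -Online | Where-Object { $_.State -eq 'Disabled' }

    $removed = foreach ($f in $candidates) {
        if ($PSCmdlet.ShouldProcess($f.FeatureName, 'remove payload')) {
            Disable-WindowsOptionalFeature -Online -FeatureName $f.FeatureName -Remove -NoRestart | Out-Null
            [pscustomobject]@{ FeatureName = $f.FeatureName; RemovedAt = Get-Date -Format s }
        }
    }
    if ($removed) { $removed | Export-Csv -Path $LogPath -NoTypeInformation -Append }
    $removed
}

function Get-FeaturePayloadState {
    # Before/after view: how many features are enabled, disabled with payload, or stripped.
    Get-WindowsOptionalFeature -Online | Group-Object State | Select-Object Name, Count
}

# Putting a stripped feature back needs a source, because the payload is no longer local
# (Windows Update is the fallback unless -LimitAccess is given). Example, assuming the
# installation media is mounted as D: and image index 2 of install.wim is the right edition:
#   Enable-WindowsOptionalFeature -Online -FeatureName TelnetClient `
#       -Source 'wim:D:\sources\install.wim:2' -LimitAccess
```

Run Remove-UnusedFeaturePayloads -WhatIf first to see the list; Get-FeaturePayloadState afterwards should show the stripped features as DisabledWithPayloadRemoved. Roles and features managed through Server Manager can be stripped the same way with Uninstall-WindowsFeature -Remove.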


I needed the management tools somewhere, so I put the Remote Server Administration Tools (RSAT) for Windows 8 on the host operating system. There is some configuration needed when you want to remotely install a Server Core machine as the first domain controller, since the client and the server are obviously not in the same domain. However, you can do this (enable remote management on the server, configure the client to trust the server using Windows Remote Management and HTTPS, …), though for some things you’ll have to fall back to the command line on Server Core (Server Manager allowed me to install the binaries, however it was unable to promote the DC, I had to do this with dcpromo /promotes …). But I always had to right-click and configure the account used for management. This is not the experience I want for the attendees of my session.

So I decided to join the host to the domain of the virtual machine on the same host. Risky? Not really. The default configuration will start the VM on boot when it was running at power-down. But it’s taking a bit longer than the host, apparently. Also, cached credentials allow me to log on without a running DC. So when I logged on too quickly, I didn’t get a Kerberos ticket and was unable to access the server. But [WIN]+[L] to lock Windows and then logging back on is a workaround in this case, and I made sure before my session that I was able to start Server Manager and work remotely against my machine.

Joining the machine was a bit tricky. I tried to avoid mangling DNS. On the conference net my client gets its IP settings via DHCP, but trying to keep the server on DHCP was a hassle since I needed to reconfigure the trusted hosts. So my DC needed a static IP, and I felt I wanted this different from the conference net. So the client was basically on two different subnets. But it needs full DNS to the DC in order to join the domain and in order to work. LMHOSTS and HOSTS are no option, since you can’t configure SRV records there (which is what the client is looking for in an Active Directory domain). So one option was to configure the client (=host) to use only the DNS services of the DC. But the DC was not able to forward requests, remember, it’s on a separate network. And I didn’t need internet connectivity for the DC, but for the client (since I allowed questions via Twitter in my session).

So I thought it would be cool if I’d be able to use conditional forwarding on the client. Conditional Forwarding is a DNS-Server feature introduced in Windows Server 2003, where you can configure that certain DNS namespaces are not resolved via the standard forwarder but via another specific one. Conditional Forwarding (and Stub Zones) are frequently used within companies when they have multiple DNS namespaces.

Conditional forwarding on the client brought me to DirectAccess. In DA you are able to configure, on the client, which IP addresses and which DNS namespaces should be resolved against a corporate DNS server instead of using internet DNS services. DirectAccess is much more, but I just needed this piece. So I configured the Name Resolution Policy Table (NRPT) to forward requests for the virtual subnet or for my virtual DNS namespace to the virtual DC, and everything worked like a charm.
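The NRPT setup described above, as an added example that is not code from the original post: rules that send only the lab namespaces (forward and reverse) to the DC inside Hyper-V while every other query keeps going to the DHCP-supplied conference DNS, plus a check that the DC locator SRV records actually come back. It assumes Windows 8 (DnsClient module) and PowerShell 3.0 or later; corp.lab, the 10.0.0.0/24 subnet and 10.0.0.10 are made-up lab values.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): NRPT rules that send only the lab
# namespaces to the DC inside Hyper-V, leaving every other query on the DHCP-supplied
# conference DNS. Assumes Windows 8 (DnsClient module), PowerShell 3.0+; corp.lab,
# 10.0.0.0/24 and 10.0.0.10 are made-up lab values.

$LabDomain    = 'corp.lab'
$LabDnsServer = '10.0.0.10'
$LabReverse   = '0.0.10.in-addr.arpa'   # reverse zone of the virtual 10.0.0.0/24 subnet
$Tag          = 'TechEd demo lab'        # kept in the rule comment so the rules can be found and removed again

function Add-LabNrptRules {
    # A namespace with a leading dot covers everything below it, which includes
    # _ldap._tcp.dc._msdcs.corp.lab, the SRV record a domain member asks for first.
    # The bare domain name gets its own rule so that "corp.lab" itself resolves as well.
    foreach ($ns in @($LabDomain, ".$LabDomain", ".$LabReverse")) {
        Add-DnsClientNrptRule -Namespace $ns -NameServers $LabDnsServer -Comment $Tag -DisplayName "Lab $ns"
    }
    Clear-DnsClientCache
}

function Remove-LabNrptRules {
    Get-DnsClientNrptRule | Where-Object { $_.Comment -eq $Tag } | Remove-DnsClientNrptRule -Force
    Clear-DnsClientCache
}

function Test-LabNameResolution {
    # What is actually in effect on this client (local rules plus any Group Policy NRPT).
    $effective = @(Get-DnsClientNrptPolicy -Effective | Where-Object { $_.Namespace -like "*$LabDomain*" })
    # Domain join and Kerberos depend on the DC locator SRV records coming back from the lab DC.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$LabDomain" -Type SRV -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LabRulesInEffect   = $effective.Count
        DcSrvTargets       = @($srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { "$($_.NameTarget):$($_.Port)" })
        DomainNameResolves = [bool](Resolve-DnsName -Name $LabDomain -Type A -ErrorAction SilentlyContinue)
    }
}
```

Call Add-LabNrptRules, then Test-LabNameResolution before attempting the domain join; DcSrvTargets should list the virtual DC on port 389. Get-DnsClientNrptRule lists every local rule, which is also worth checking on any machine you inherit, since a rule silently redirects resolution for a whole namespace.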

I think this setup is really cool. I was able to demo almost everything without logging into the virtual machine, by just using the RSAT tools from the host. The host was able to connect to the internet and to the virtual world and knew where to go with every request. I was able to receive Twitter questions right on stage and answered them in the session (and also online after the session later). And with the Windows 8 tablet, I was able to highlight areas using the pen, using touch to advance slides or to bring in the Twitter application on a split screen – Twitter to the right and presentation to the left – without leaving the current topic but also showing attendees what questions got in and that we are really answering them on stage. Switching to the demo consoles was also easy using touch. And keyboard/mouse for demoing the server and typing in commands in PowerShell or CMD.

It was a great success at TechEd US, and I will repeat the same setup and strategies at TechEd Europe in about a week.


Posted Mon, Jun 18 2012 1:14 by Ulf B. Simon-Weidner | with no comments

“speaking 2.0” at Microsoft TechEd today

I’m speaking today about “The Evolution of Active Directory Recovery” at TechEd 2012 US (SIA319, 1pm in Hall N310). The session will also be streamed.

I had a great idea, and I’m looking forward to seeing how it works. And I haven’t seen this before:

I’ll be taking questions using Twitter.

If you are in the audience (in the hall or online) and you have any questions, just tweet them using the hashtag #TESIA319 – this enables me to follow up with the answers either in the session, or if we are short on time or have too many questions I’m following up afterwards. This also enables attendees who are not sitting close to a microphone, who are watching the streamed version or who feel more comfortable writing than speaking to ask their questions.

Two simple rules: use the #TESIA319 hashtag – I will not monitor anything else during the session – and please ask questions in the areas I’ve covered, so that we can try to avoid questions which are covered in the next slides.

Looking forward to the session and hopefully seeing you there!

Ulf B. Simon-Weidner

Posted Thu, Jun 14 2012 17:48 by Ulf B. Simon-Weidner | 1 comment(s)

TechEd 2012 US

Hi there,

I’m currently at TechEd 2012 in Orlando, and it’s time to get back to blogging again. As you’ve probably seen, the Release Candidate for Windows Server 2012 and the Windows 8 Release Preview have been released.

No wonder that there is a lot of information at TechEd about the new Windows Operating Systems. I’ve been working with both versions for a while now and love the products. Computacenter Germany is in the Windows Server Rapid Deployment Program and we currently deploy WS2012 in production, and we are currently delivering a roadshow about Windows 8 where I have the honor to present Windows Server 2012 features which are supporting a great client infrastructure.

I’m speaking on Thursday at 1pm about the Evolution of Active Directory Recovery. I’m looking forward to the session – I delivered it just a few months back at The Experts Conference in San Diego, but have updated it a lot. There is not a single slide which is the same. Additionally I’m excited to run it from the release previews, but will post more details on my demo infrastructure later.

If you are at TechEd and interested in high-level Active Directory content, I encourage you to come by (or find me at the Active Directory & Dynamic Access to Files booth); if you send your colleagues, let them know. The session will also be live streamed for those who couldn’t make it to TechEd. If you make it to TechEd Europe in Amsterdam later this month, don’t stay up late (in European time zones) to watch the stream but come by to the repeat of the session in Europe.

Let me know how you liked it, and don’t forget to provide official feedback if you want these deep-level content sessions about Active Directory to come back – it’s a small fight every year at TechEd and in some years we had almost no AD sessions. Another reason why I’m so excited about this year’s TechEd.

Details about the session are at

If you want to tweet about it, please use #tesia319 and follow me @DSGeek.

Posted Tue, Jun 12 2012 15:47 by Ulf B. Simon-Weidner | with no comments

Speaking engagements

I’m currently getting ready for some speaking engagements:

Tuesday next week (Sept 21st) I’m proud to moderate the Windows Infrastructure Track of the IIR IT-Admin Tech Talk. In this track we are covering not only the operating system related technologies, but also Cloud, Office 365, Sharepoint and Exchange. I’ll also present two sessions myself there:

13 Years Active Directory
an overview of previous and future scenarios

I will cover various design considerations, misunderstandings of early designs, whether corporate infrastructures have adjusted or should be adjusted. At the end we will take a look into challenges for future designs, on-premises and in the cloud.

Who am I in the cloud?

In this session I will talk about challenges and opportunities of cloud computing in general and Office 365 in special: Does cloud mean sunshine for the CIO and rain for the Admin? Which skills are needed? What is the long-term strategy for cloud computing in your enterprise?

The IT-Admin TechTalk will be in Frankfurt and is in German language.

Also the next international conference is coming up. The Experts Conference Europe will also be in Frankfurt in October this year. It is about half a year after TEC USA in Las Vegas. TEC is known to be the best and high-skilled conference when it comes to Directory Services, and has expanded over the years beyond the AD and FIM tracks to also cover Exchange, Sharepoint and Cloud technologies in different tracks. TEC is attracting the most high-skilled speakers, Microsoft values the conference so much that they send more Program Managers and Developers of the product groups to TEC than to their own IT-Pro Conference TechEd. Additionally TechEd EU will not happen this year, so maybe you are able to convince your boss. Las Vegas has been a great success, lots of interesting sessions, a lot of community interaction, and I’m very much looking forward to Frankfurt. This conference is in English.

At The Experts Conference I will speak three sessions, but will post details later when the agenda is done.


Posted Wed, Sep 14 2011 21:31 by Ulf B. Simon-Weidner | with no comments

First Developer Preview of Windows “8” released

In case you missed it: yesterday was the keynote of the BUILD conference (the Professional Developers Conference got a new name), and Steven Sinofsky (President of the Windows Division at Microsoft) officially introduced the first version of Windows “8” to the broad public. Pretty exciting and a lot of changes. You can see the keynote at, and download the developer preview at If you are an MSDN subscriber there are more versions and information available, including a developer preview of the server version. If you are at BUILD, I highly recommend seeing the server sessions as well; as far as I know there is one today which will present an overview of what’s coming in the next server version. Pretty exciting!

Please remember:

  • Windows “8” is a codename and might change
  • It is a developer preview – not a quite-stable beta – only for testing and for starting to develop for the new user interface (Metro, the same as on Windows Phone)

And BTW, some tips:

  • Since Vista you can install from a USB key, which I find totally cool. You are likely to have to re-format your USB key. You can do this using Diskpart.exe: “List Disk”, “Select Disk #” (make sure you have the key selected, because we will wipe it in the next step). “Clean” will wipe the key, then you have to “Create Partition Primary”, make it “Active”, and format it NTFS: “Format FS=NTFS QUICK”. FAT or FAT32 won’t work, since FAT32 cannot hold a single file larger than 4 GB and the install image of the developer preview is larger than that. Copy all files from the (extracted) ISO image to the USB key. Afterwards you can boot from the key and install.
  • If the installation fails to find the disk drive and prompts you to point to a driver, it might be an issue with the USB key (some are detected as hard drives and cause issues when installing). Try a different key, or burn the ISO. Bad news here – you need to burn it to a dual-layer DVD since it’s too large. And installing from a USB key is usually faster than from DVD.
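The diskpart sequence from the first tip, as an added example that is not code from the original post: the same steps driven from PowerShell, with a guard that refuses to touch any disk that is not on the USB bus, because “select disk #” against the wrong number wipes a data disk without any further question. It assumes Windows 8 / Windows Server 2012 or later (Storage module for Get-Disk and Get-Partition), PowerShell 3.0 or later, an elevated session, and a folder that already holds the extracted ISO contents.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): the post's diskpart sequence, driven
# from PowerShell with a guard that refuses to touch any disk that is not on the USB
# bus. Assumes Windows 8 / Server 2012 or later (Storage module), PowerShell 3.0+,
# an elevated session and an already extracted ISO folder.

function New-BootableUsbKey {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][int]$DiskNumber,          # as shown by Get-Disk / diskpart "list disk"
        [Parameter(Mandatory)][string]$ExtractedIsoPath   # folder holding the extracted ISO contents
    )

    $disk = Get-Disk -Number $DiskNumber
    if ($disk.BusType -ne 'USB') {
        throw "Disk $DiskNumber ($($disk.FriendlyName)) is on bus '$($disk.BusType)', not USB; refusing to clean it."
    }
    if (-not (Test-Path (Join-Path $ExtractedIsoPath 'sources\install.wim'))) {
        throw "No sources\install.wim under $ExtractedIsoPath; extract the ISO there first."
    }

    # Same steps as the diskpart walk-through, fed to diskpart as a script.
    # NTFS rather than FAT32: install.wim is larger than FAT32's 4 GB file limit.
    $dpScript = @"
select disk $DiskNumber
clean
create partition primary
select partition 1
active
format fs=ntfs quick
assign
exit
"@
    $target = "disk $DiskNumber ($($disk.FriendlyName), $([math]::Round($disk.Size / 1GB)) GB)"
    if (-not $PSCmdlet.ShouldProcess($target, 'clean, format NTFS and copy installation files')) { return }

    $tmp = [System.IO.Path]::GetTempFileName()
    Set-Content -Path $tmp -Value $dpScript -Encoding ASCII
    & diskpart.exe /s $tmp | Out-Null
    Remove-Item $tmp
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

    # Pick up the drive letter diskpart assigned and copy the extracted ISO onto the key.
    $letter = (Get-Partition -DiskNumber $DiskNumber |
        Where-Object { $_.DriveLetter -match '^[A-Z]$' }).DriveLetter
    Copy-Item -Path (Join-Path $ExtractedIsoPath '*') -Destination "${letter}:\" -Recurse -Force
    "Bootable key ready on ${letter}:\"
}
```

Run Get-Disk first to find the number of the key, then New-BootableUsbKey -DiskNumber 2 -ExtractedIsoPath C:\iso\win8 -WhatIf to see exactly which disk would be wiped before confirming.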

Enjoy the preview!


Posted Wed, Sep 14 2011 17:21 by Ulf B. Simon-Weidner | with no comments

R2: Forest and Domain Mode can be reverted

I was asked many times “what may break if I update the forest or domain mode?”. Usually … nothing! Actually I’ve never heard of anything breaking when you increased the forest or domain mode. However, with Windows Server 2008 or earlier domain controllers there was no possibility to roll back the forest or domain mode.

No way!

No way?

OK – you were able to do a forest recovery (recovering at least one DC of each domain in the forest and rebuilding the forest), however I doubt that this is usually an option.

What are domain and forest modes for? Actually the only thing they are responsible for is to tell all domain controllers that each domain controller in the domain or forest now has at least a certain operating system level, that there will be no new dcpromos of down-level operating systems (or at least they will not be successful, so no down-level DCs will be added to the domain), and that the domain controllers can enable certain features which are only allowed if all DCs are at the same level. Examples of this are linked value replication at the Windows Server 2003 forest level, fine-grained password policies at the Windows Server 2008 domain level, automatic changes of SPNs, or the possibility to turn on the AD Recycle Bin at the Windows Server 2008 R2 forest level. The domain or forest functional level change only ensures that there are no down-level DCs at that point, and publishes the status so that all DCs know. Each DC will locally make the changes it needs to communicate at the new level, such as changing the database when the Recycle Bin is turned on, or publishing that it is willing to replicate attribute values separately instead of as one big blob.

However, companies were anxious about increasing the forest or domain level. Not because there’s known harm, but because recovery is not easy if anything should happen.

In Windows Server 2008 R2 the Active Directory product group made some changes: you are able to increase the domain and forest mode, and you are also able to roll the mode back to Windows Server 2008, and switch around as you like. The upgrade of the forest or domain mode is reversible …

unless you enable an optional feature which requires this mode!

So this has changed. Forest or domain mode upgrades do not automatically enable features which make the mode non-reversible: you can first upgrade the forest or domain mode, wait for a few hours/days/weeks (as you like or as your company’s working practices require), and after you have ensured that all applications are working turn on the features you like. Each new Active Directory optional feature (right now in Windows Server 2008 R2 there is only the Recycle Bin) states whether it can be turned off again and which forest or domain level it requires. The Recycle Bin cannot be reversed and – as stated – needs the Windows Server 2008 R2 forest level.

So rollback of the forest / domain mode is possible. However, once you have increased the mode to Windows Server 2008 R2, the user interface will not allow you to decrease the mode again. This might lead to some confusion.


But we also got the Powershell Commandlets for Active Directory to help us out.

First we need to load the Powershell Commandlets for AD:

Import-Module ActiveDirectory

Then we need to decrease the forest mode first (the forest mode specifies the minimum version of the domain mode of any domain in the forest, therefore we cannot decrease the domain mode when the forest mode is higher):

Set-ADForestMode -identity (Get-ADForest).name -ForestMode Windows2008Forest

You can also specify the forest name in the “-identity” parameter, however I’m lazy, so I’m just getting the name of the current forest.

Next we are able to decrease the domain mode:

Set-ADDomainMode -identity (Get-ADDomain).name -DomainMode Windows2008Domain

And here is the result, the mode has changed and is changeable again:


Voila, hopefully you don’t have to do this in production, but at least it is possible and should ease your migration efforts.
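The rollback above, as an added example that is not code from the original post, with the check a practitioner wants before running it: refuse if an enabled optional feature that cannot be disabled (the Recycle Bin in 2008 R2) pins the current level, lower the forest first and then every domain in the forest, and read the levels back afterwards because the GUI offers no way to see or do this. It assumes the ActiveDirectory module, PowerShell 3.0 or later and Enterprise Admin rights; the target levels default to Windows Server 2008.

```powershell
# Added example (not from the original post): roll the forest and then every domain
# back to Windows Server 2008 level, refusing to try if an enabled, non-disableable
# optional feature (the Recycle Bin in 2008 R2) pins the current level.
# Assumes the ActiveDirectory module, PowerShell 3.0+ and Enterprise Admin rights.
Import-Module ActiveDirectory

function Get-ADModeRollbackBlockers {
    # Every optional feature that is switched on somewhere and cannot be switched
    # off again; its RequiredForestMode/RequiredDomainMode is the floor you are stuck at.
    Get-ADOptionalFeature -Filter * |
        Where-Object { $_.EnabledScopes.Count -gt 0 -and -not $_.IsDisableable } |
        Select-Object Name, RequiredForestMode, RequiredDomainMode, EnabledScopes
}

function Get-ADModeReport {
    # Read the levels back; the GUI cannot lower them and shows no hint that it is possible.
    $forest = Get-ADForest
    foreach ($d in $forest.Domains) {
        $dom = Get-ADDomain -Identity $d
        [pscustomobject]@{
            Forest     = $forest.Name
            ForestMode = $forest.ForestMode
            Domain     = $dom.DNSRoot
            DomainMode = $dom.DomainMode
        }
    }
}

function Invoke-ADModeRollback {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$ForestMode = 'Windows2008Forest',
        [string]$DomainMode = 'Windows2008Domain'
    )
    $blockers = @(Get-ADModeRollbackBlockers)
    if ($blockers.Count -gt 0) {
        $names = ($blockers | ForEach-Object { $_.Name }) -join ', '
        throw "Rollback blocked by enabled, non-disableable feature(s): $names"
    }

    $forest = Get-ADForest
    # Forest first: the forest mode is the floor for every domain mode in the
    # forest, so no domain can be lowered below it while it is still higher.
    if ($PSCmdlet.ShouldProcess($forest.Name, "set forest mode to $ForestMode")) {
        Set-ADForestMode -Identity $forest.Name -ForestMode $ForestMode -Confirm:$false
    }
    foreach ($d in $forest.Domains) {
        if ($PSCmdlet.ShouldProcess($d, "set domain mode to $DomainMode")) {
            Set-ADDomainMode -Identity $d -DomainMode $DomainMode -Confirm:$false
        }
    }
    Get-ADModeReport
}
```

Invoke-ADModeRollback -WhatIf lists the forest and domain operations without touching anything; Get-ADModeRollbackBlockers on its own is the question to ask before raising a level too, because it tells you which optional features would make the next raise permanent.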


Posted Wed, Sep 14 2011 16:39 by Ulf B. Simon-Weidner | with no comments

“Active Directory” SPECIAL EDITION of the IT-Administrator published

MVP Florian Frommherz and I wrote a Special Edition of the IT-Administrator: almost 180 pages which provide in-depth information about Active Directory. We are discussing the Evolution of AD, Domain and Forest Strategies, Understanding the Domain/Forest Levels, LDAP Backgrounds and Application Performance testing, AD and DNS, AD Backup and Recovery, Background Information about the AD Recycle Bin, Virtualization of DCs, Replication Across Firewalls, RODCs, Delegation and MSAs, Fine Grained Password Policies and many more.
We are very happy with the result: a huge amount of in-depth information for any AD Admin or Consultant.

Sorry – just in German for now. But an interesting read.

If you got it, feel free to provide feedback!



Posted Thu, Nov 4 2010 22:24 by Ulf B. Simon-Weidner | 3 comment(s)

Preparing for TechEd Europe



TechEd Europe will be in Berlin next week, and I’m looking forward delivering three sessions there:

  • SIA301-IS - Under the Hood: What Really Happens During Critical Active Directory Operations
    Wednesday Nov 10, 9:00 – 10:00 AM
    Thursday Nov 11, 4:30 – 5:30 PM

    Come and discuss critical Active Directory-Operations.
    Are you fully aware what “critical” operations in AD really do? In this interactive session we will talk about those operations, understanding what they are doing and how to distinguish whether operations are critical to your environment or not. Ulf has been working in the field for more than 13 years, and has a lot of notes and examples to share. We will talk about how to approach challenges, and study scenarios that show how other companies managed the associated risks and prepared for rollbacks. We have some common scenarios for everyone but please bring your own questions as well, as we want this talk to be as interactive as possible.

    Since this is an interactive session don’t forget that they “live” from discussing opinions in the audience, so the repeat will be different.
  • SIA306 - A Dozen Years AD - Discuss Previous and Future Design Decisions
    Thursday Nov 11, 2:30 – 3:30 PM

    Active Directory has evolved over the years, along with security recommendations and best practices. But has our corporate design changed that much? Is it required? What should we change, and what should we retain? Ulf B. Simon-Weidner is a long standing, internationally recognized expert in Active Directory, and in this session he will discuss Active Directory Designs of the past, present and future.

Posted Thu, Nov 4 2010 17:40 by Ulf B. Simon-Weidner | with no comments

How to get more Infrastructure Masters in your domain?

Usually we have one Infrastructure Master in the domain that is responsible for maintaining references to objects in other domains – such as users which are members of a group in a different domain – to make sure that if the target object (user) is renamed, moved or otherwise has its distinguishedName changed, it can still be found. It does this by creating phantoms (small objects which contain only distinguishedName, SID and GUID).

Actually, making it more complicated but accurate – those group memberships are not maintained by referencing the data directly (a group in the database does not contain the data of its members) but by referencing objects by their database row (an ID called the Distinguished Name Tag, or DNT). So if we add a user to a group, a new entry is created in the link table of the database, with the forward link referencing the DNT of the user and the backward link referencing the DNT of the group. So the phantoms are also needed so that there is a database row for the target object, otherwise there wouldn’t be a DNT to reference as target.

The second role of the infrastructure master is to be a single, well-known machine in the domain: whenever we need to run an operation against the domain and make sure it hits a specific DC – and always the same one if we run it multiple times – the infrastructure master is used (e.g. for domainprep, rodcprep, …).

The second role is the reason why we have one IM per application partition, see my post “How many Infrastructure Masters do you have” about it.

So, talking about reference updates, the primary reason for the IM, this is also the reason why an infrastructure master must not run on a global catalog (unless every DC in the domain is a GC): it validates its local phantoms against the data of the GC (which knows about the objects in other domains anyway), and a GC holds no phantoms for those objects, so it would never notice stale references. For more about GCs vs. IM see “Global Catalog vs. Infrastructure Master”.

But how do we get more Infrastructure Master (for reference update) in the domain?


When you are running all DCs on Windows Server 2008 R2, turn on the Recycle Bin. There you go. This will enable running a reference update task on every DC which is not a GC.

The reason behind this? When the Recycle Bin is enabled, the objects we knew before as tombstones are now deleted objects with all data maintained. We are able to restore these. Therefore we need to maintain reference updates for deleted objects as well, and those changes on deleted objects are not replicated to other DCs. Additionally we need to maintain links – links that point to or from deleted objects need to be “marked” as deactivated, so that it is possible to activate them again when the object is restored.
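As an added example (not code from the original post), here is a report that lists every infrastructure master a domain has (the domain partition plus the application partitions underneath it, as in “How many Infrastructure Masters do you have”), flags the “IM on a GC while not every DC is a GC” misplacement, flags an owner that no longer exists (the classic reason rodcprep fails), and shows whether the Recycle Bin has already spread the reference-update job across all DCs. It assumes the ActiveDirectory module, PowerShell 3.0 or later, and that the PDC emulator hosts the application partitions it is asked about.

```powershell
# Added example (not from the original post): list every infrastructure master a
# domain has (domain partition plus the application partitions under it), flag the
# "IM on a GC while not every DC is a GC" misplacement and stale owners, and show
# whether the Recycle Bin has already spread the reference-update job to every DC.
# Assumes the ActiveDirectory module, PowerShell 3.0+ and that the PDC emulator
# (used as query target) hosts the application partitions.
Import-Module ActiveDirectory

function Get-InfrastructureMasterReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom    = Get-ADDomain -Identity $Domain
    $server = $dom.PDCEmulator
    $dcs    = Get-ADDomainController -Filter * -Server $server
    $gcMap  = @{}
    foreach ($dc in $dcs) { $gcMap[$dc.Name.ToUpper()] = [bool]$dc.IsGlobalCatalog }
    $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

    $rb           = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $server
    $recycleBinOn = $rb.EnabledScopes.Count -gt 0

    # Domain partition: the owner is a property of the domain object.
    $owners = @(@{ Partition = $dom.DistinguishedName; Owner = $dom.InfrastructureMaster })

    # Application partitions (DomainDnsZones, ForestDnsZones, custom ones): the owner is
    # stored in fSMORoleOwner on CN=Infrastructure,<partition DN> as an NTDS Settings DN,
    # e.g. CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site,CN=Sites,CN=Configuration,...
    $appParts = (Get-ADForest -Server $server).ApplicationPartitions |
        Where-Object { $_ -like "*,$($dom.DistinguishedName)" }
    foreach ($p in $appParts) {
        $infra = Get-ADObject -Identity "CN=Infrastructure,$p" -Properties fSMORoleOwner -Server $server
        $dcCn  = ($infra.fSMORoleOwner -split ',')[1] -replace '^CN=', ''
        $owners += @{ Partition = $p; Owner = $dcCn }
    }

    foreach ($o in $owners) {
        $short  = ($o.Owner -split '\.')[0].ToUpper()
        $exists = $gcMap.ContainsKey($short)
        $isGc   = if ($exists) { $gcMap[$short] } else { $false }
        [pscustomobject]@{
            Partition    = $o.Partition
            IMOwner      = $o.Owner
            OwnerExists  = $exists          # False: role points at a DC that is gone (rodcprep fails)
            OwnerIsGC    = $isGc
            RecycleBinOn = $recycleBinOn
            # Misplaced only if the owner is a GC, some DC is not a GC, and the Recycle
            # Bin has not yet made every DC responsible for its own references.
            Misplaced    = ($isGc -and -not $allGc -and -not $recycleBinOn)
        }
    }
}
```

Get-InfrastructureMasterReport | Format-Table gives one row per partition; anything with OwnerExists False needs the role seized or the fSMORoleOwner attribute pointed at a live DC before the next adprep run.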

Actually I will cover the recycle bin among a lot of useful information at TEC – if you are there come to my session:

A DS Geek’s Notes from the Field – Active Directory Recovery Unveiled
Speaker: Ulf Simon-Weidner

You’ve got R2 and enabled the Recycle Bin, so no other actions are necessary to prepare for an AD recovery? Or you haven’t yet deployed R2 (or switched to the forest level)? Are you aware that even with today’s possibilities you are not prepared for every scenario? You have to blend in certain features. You also have to manage them and adjust your processes accordingly! This session will give you insight into experiences and practices from a field perspective about what can go wrong and what you should do to manage and look after AD in a proactive way. In this session you’ll hear experiences from the field about Active Directory disaster prevention and recovery, along with interesting thoughts, scripts and scenarios. Think beyond and get inspired. This session will distinguish you from the admins who keep their CV updated in case anything goes wrong, making you one of those who are prepared instead.

Posted Sat, Feb 13 2010 18:05 by Ulf B. Simon-Weidner | with no comments

Adjusting the Tombstone Lifetime

I just had a pretty interesting discussion via a mailing list with some other Active Directory MVPs and some members of the Active Directory Product Group in Redmond.

As we know, there is a new default for the tombstone lifetime in Active Directory. The discussion initiated because there is an article on Technet which is incorrect: Currently point 8 states that the tombstone lifetime, if it is <not set>, depends on the version of the Operating System of the first DC in the forest. However this is not correct and the article is already being changed.

If you are not familiar with tombstones, I wrote Some details about Tombstones, Garbage Collection and Whitespace in the AD DB a while ago. Basically, a tombstone is an object which is deleted, however a small part of it is maintained in AD for 60 or 180 days (by default) to make sure that all DCs receive the information that the object needs to be deleted. When the 60 or 180 days are over (this is the tombstone lifetime) every DC will delete the object locally (this is not replicated; the DC simply calculates whether “time-of-deletion + tombstone-lifetime < now”, and if so the object is cleaned up). This “cleaning up” is done during garbage collection, which by default runs every 12 hours.

The tombstone lifetime therefore is also the limit of the “shelf life” of a backup – if you used a backup which is older it would reintroduce objects which were already deleted, so the maximum age of a backup is the same as the tombstone lifetime.

In Windows Server 2003 SP1 Microsoft decided to increase the tombstone lifetime to 180 days, as I wrote in Active Directory Backup? Don't rush - you'll get more time. However, in Windows Server 2003 R2 there was a minor slip so this version introduced 60 days again. To clarify, this only changes if you set up a new forest and the value will depend on the level of the operating system of that first DC.

Operating system of first DC        tombstoneLifetime (days)
Windows 2000 Server                 60
Windows Server 2003 w/o SP          60
Windows Server 2003 SP1/SP2         180
Windows Server 2003 R2 (SP1)        60
Windows Server 2003 R2 SP2          180
Windows Server 2008 and higher      180


You can verify what your tombstone lifetime is by looking at the attribute “tombstoneLifetime” of the object cn=Directory Service,cn=Windows NT,cn=Services in the Configuration partition:

dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=<forestDN>" -scope base -attr tombstonelifetime

If the attribute has a value, the tombstone lifetime is that value in days; if it has no value it is 60 days. What changed the default to 180 is the file schema.ini, which creates the default objects in a new AD. The version of schema.ini in Windows Server 2003 SP1 and higher (see table above) simply sets the value 180 in the attribute tombstoneLifetime.

Is it recommended to adjust the Tombstone-Lifetime to the new default?

Over the years there were many infrastructures whose DCs didn’t replicate within 60 days, leading to replication issues and lingering objects. There were many cases within Microsoft PSS, and I’ve also seen a couple of infrastructures where I had to fix this. Therefore Microsoft decided to raise the default tombstone lifetime to 180 days, which also extends the lifetime of your backups. It is up to your company to decide whether to change the tombstone lifetime to the new default.

In the E-Mail-Thread we were also discussing if there are any issues with changing the tombstone lifetime.

If you lower the tombstone lifetime, there is no issue. The garbage collection process will be a bit busier (usually it only needs to clean up changes from a 12 hour timeframe 60 or 180 days ago, but if we go down from 180 to 60, garbage collection needs to clean up the changes of 120 days the next time it runs). However, this shouldn’t lead to a performance issue, and if you think it’ll be an issue you can stage it (e.g. moving from 180 to 150, waiting at least for replication + 12 hours, then going from 150 to 120 and so on).

However, if you want to raise the tombstone lifetime, e.g. from 60 to 180 to match the new default, there’s one scenario which needs to be considered:

Let’s say we have two DCs, DC-Munich and DC-LA (L.A. because that’s where The Experts Conference will be in April). On DC-Munich we change the tombstoneLifetime from <not set> (=60) to 180. When garbage collection runs on DC-Munich it is bored: it already cleaned up all changes from 60 days ago, but we instructed it to keep everything for 180 days now, so for the next 120 days garbage collection does not need to do anything. However, a bit later DC-LA (which hasn’t received the replication with the new tombstoneLifetime yet) runs garbage collection and cleans up everything which happened in the 12h timespan 60 days ago.

In this scenario, DC-Munich has objects (tombstones) which were cleaned up on DC-LA, leading various detection mechanisms to identify them as lingering objects (repadmin will detect them, as well as various update processes which will prevent you from doing operations like schema updates for the next 120 days). This resolves itself after 120 days, but it is pretty inconvenient.

To increase tombstoneLifetime in big infrastructures, there is only one valid solution:

  • Make sure that garbage collection will not run immediately after you change the attribute; after changing the attribute, force replication and make sure it has replicated everywhere.
  • Lower the tombstone lifetime before increasing it, e.g. set it to 55 and make sure it has been replicated everywhere, then wait at least 12 hours or ensure that garbage collection has run on all DCs. This ensures that there are no objects which garbage collection needs to take care of for the next couple of days. Then increase the tombstone lifetime to the value you intended, e.g. 180 days. Make sure that replication works and every DC gets the update in the next few days, and you are on the safe side.
    Thanks to Jesko who discussed this scenario with me – I was wrong – increasing is always causing trouble with lingering objects. Controlling garbage collection is the only way to go.
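The staged procedure above (lower first, let every DC converge and run garbage collection, then raise), written out as an added example; this is not the post's own script. It assumes the RSAT ActiveDirectory module, repadmin.exe, and Enterprise Admin rights (the Configuration partition is forest-wide). The helper function names are mine, and the staging values 55 and 180 are the ones the post uses.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module, repadmin.exe and Enterprise Admin rights. Helper names are my own.
Import-Module ActiveDirectory

# DN of the object that carries tombstoneLifetime (the same object the
# dsquery line in the post reads)
$dsObject = 'CN=Directory Service,CN=Windows NT,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext

function Get-TombstoneLifetime {
    param([string]$Server)
    $o = Get-ADObject -Identity $dsObject -Properties tombstoneLifetime -Server $Server
    # An absent attribute means the old default of 60 days
    if ($null -eq $o.tombstoneLifetime) { return 60 }
    return [int]$o.tombstoneLifetime
}

function Get-AllDomainControllers {
    (Get-ADForest).Domains | ForEach-Object {
        Get-ADDomainController -Filter * -Server $_
    } | Select-Object -ExpandProperty HostName
}

# Every DC whose copy of the Configuration partition still shows a different
# value, i.e. where the change has not replicated yet.
function Get-UnconvergedDCs {
    param([int]$Expected)
    foreach ($dc in Get-AllDomainControllers) {
        try {
            if ((Get-TombstoneLifetime -Server $dc) -ne $Expected) { $dc }
        } catch {
            $dc   # unreachable DC: treat as not converged
        }
    }
}

# One stage: write the value on the forest root PDC emulator, push
# replication with repadmin, then poll until every DC shows it.
function Invoke-TombstoneLifetimeStage {
    param([int]$Days, [int]$TimeoutMinutes = 120)
    $pdc = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
    Set-ADObject -Identity $dsObject -Replace @{ tombstoneLifetime = $Days } -Server $pdc
    # /A all partitions, /e across sites, /P push, /d show DNs in the output
    & repadmin.exe /syncall $pdc /AdeP | Out-Null
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $pending = @(Get-UnconvergedDCs -Expected $Days)
        if ($pending.Count -eq 0) {
            Write-Host "tombstoneLifetime=$Days has replicated to all DCs."
            return $true
        }
        Write-Host ("Waiting for {0} DC(s): {1}" -f $pending.Count, ($pending -join ', '))
        Start-Sleep -Seconds 120
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Not converged within $TimeoutMinutes minutes; do not start the next stage."
    return $false
}

# Stage 1 (run now): lower the value below the current one, so that the next
# garbage collection pass on every DC leaves nothing a later raise could
# disagree on.
Invoke-TombstoneLifetimeStage -Days 55

# Stage 2 (run at least 12 hours later, i.e. one garbageCollPeriod, and only
# after stage 1 converged everywhere): raise to the intended value.
# Invoke-TombstoneLifetimeStage -Days 180
```

The two stages are deliberately two separate runs: the 12 hour gap between them is the point of the procedure, and a script that sleeps through it would hide a DC that stopped replicating in the meantime. Get-UnconvergedDCs reads the value from every DC directly instead of trusting repadmin's exit status, so an RODC or a DC in a site with a long replication schedule shows up by name.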

I think this scenario is very interesting, so I wanted to share it.

Posted Wed, Feb 10 2010 11:00 by Ulf B. Simon-Weidner | 3 comment(s)

Previous Versions in Windows Home Server

Hi there and happy new year!

Last year the server I used at home went dead, and since it was pretty customized it’s also pretty ugly to repair. I’ve used it as virtualization host and file server, with three hard drives – the first for the operating system and stuff I don’t need highly redundant, the other two mirrored with all the data I prefer to keep (photos, projects, personal stuff, music I’ve bought). Even the home drive of my laptops is just a share which is always synchronized for offline usage. Remote access was possible either using SSTP (VPN via SSL, built into Windows Server 2008+ and Vista+) or Remote Desktop Gateway (RDP via SSL, same OS requirements).

So … server dead … no money … but highly important data on it. So I’ve done some research, and also got recommendations from fellow MVPs, and decided to go with Windows Home Server, and got it up the same way (OK, without virtualization and the Windows Server 2008 features, but it works for now until budget allows me a virtualization host again, and even then I’ll keep the home server and run the virtualization separately – WHS is a great product and the base of my home network, data backup and recovery and home media strategy now).

However, to get back to the subject…

Today I’ve consolidated some of the data and made an error and deleted stuff from one share (personal) which was not yet in the project share. However, I’ve implemented Volume Shadow Copies and should be able to get the files back via the Previous Versions client. So I went into Previous Versions, located the files, they were still there, but I was unable to open them / copy them / restore them. I always got the message “Das Gerät ist nicht angeschlossen”, which translates to “The device is not connected”. Weird. After searching in some German Home Server forums, I’ve found the statement that VSS (Volume Shadow Copies, the supporting technology of Previous Versions or Windows Backup or AD snapshots) is not working on Windows Home Server but is on by default because MS might use it in the future. However, WHS is also keeping your data redundant across multiple drives, and in the forums it was mentioned that the data is like tombstones which point to the real data in other locations.

To make the post not overly long, this is how you get previous versions back on a Windows Home Server:

  • Open up \\servername\d$\DE\shares\ (you also need to go via UNC if you do it from the WHS console; Windows Server 2003, which WHS is based on, only supports Previous Versions via UNC or mapped drives, not locally).
  • Navigate to the folders or files and use previous versions there, then copy the files back to \\server\share.

This is because:

  • \\server\share is the location where the tombstones of the data are stored, if you navigate there via previous versions you get the structure but only tombstone files which you can’t access or restore.
  • \\server\d$\DE\shares is one of the locations where the real data is stored; it might vary depending on your setup (I’m not sure if it’s always d$ or if it depends on how the drives are configured) and across which volumes the data is kept redundant (which is automatically decided by WHS).
  • \\server\c$\FS\<driveletter, e.g. F>\DE\shares would work as well, however VSS/Previous Version apparently has issues with the mount point, so you need to create a “Help Share” e.g. at c:\fs\F\DE\shares and then navigate via the new share [1].

Note: There are some things to consider:

  • WHS automatically decides where to keep the data redundant, so you might have to search across the volumes (d:\de\shares, c:\fs\f\de\shares, c:\fs\g\de\shares …)
  • Shadow copies use 12% of the volume’s space by default. If the “changed data” exceeds this limit, the oldest snapshots will be released. Since it is likely that the volumes on your home server have different sizes (which is the default if you have two similar hard drives in your WHS, since the first one has one volume for the OS of 20MB usually), the default storage size for Volume Shadow Copies differs per volume. Therefore it might be that you can access older data on one of the volumes which is not available on the others.
  • Since I don’t know exactly how the “redundancy algorithm” of WHS works (and I don’t need to know, that’s the beauty of WHS) I recommend not to restore the data in the original paths (d:\de, c:\fs\f\de,..) but to copy them to the default shares.

I hope this is valuable information to some WHS-Users out there, it would have been valuable for me earlier today ;)


Happy weekend,



[1] The issue here is apparently that the Previous Versions client gets the information whether Volume Shadow Copies are set up or not from the share it accesses. This is not the case on the C drive by default. However, even if we enable Previous Versions on the C drive, the Previous Versions client will only show the Volume Shadow Copies of the C drive and not from the mount points, so I recommend keeping VSS turned off on the C drive (ehm – volume).

Posted Sat, Jan 9 2010 13:48 by Ulf B. Simon-Weidner | with no comments

My Value of TechEd

The last day of TechEd Europe has started. It’s been great as usual. I was satisfied about my sessions, I’m satisfied about other sessions I’ve seen. However – what’s my value of TechEd?

  1. TechEd is inspiring: always when you are put together with a clever bunch of folks, it’s inspiring to talk about technologies, their possibilities as well as what’s lacking, and get a lot of good ideas.
  2. TechEd is networking: hard to keep up with all the people you know or you should know, but TechEd is one of the major places where you get so many people who work with the same technologies and share the same interests. Great place to keep in contact and meet new people – only bad thing is that it’s too short Wink
  3. TechEd is geeky: A couple of years ago I was complaining that they didn’t have any real 400-Level sessions at TechEd for IT professionals. Then I was able to deliver 400-Level sessions over the years (“A Directory Services Geek’s View on …”), mostly at TechEd EMEA but also at TechEd US. I’m glad to see that especially TechEd Europe is providing in-depth content to IT pros (this was actually one thing we’ve heard complaints about at TechEd US this year, however not at Europe! Hope this still improves). It’s fun to prepare those sessions, it’s fun delivering them, great to get the feedback and great to hear afterwards how happy the attendees are about not getting a marketing session.
  4. TechEd is broadening horizons: Especially when talking with attendees in the Technical Learning Center or after my sessions, or in the evening at parties, it’s broadening my horizons when they are asking questions, tell me about their scenarios and ideas. Even when working as consultant with many companies, I only get to meet a certain amount of customers. However at TechEd I’m meeting so many people every day, so many different scenarios, it’s just great to broaden my horizons and my knowledge!
  5. TechEd is knowledge: Breakout Sessions, Interactive Sessions, Technical Learning Center (Ask the Experts), Hands on Labs, … and about almost all Microsoft technologies – there is only one place where you can learn so much in different ways
  6. TechEd is community: MVPs, MCTs, CLIP, Microsoft employees, colleagues, friends, people who share the same interests, …

… there are lots of more points …

I’m doing multiple conferences a year, and TechEd is boosting knowledge in Microsoft technologies! I love it! Too bad it’s the last day today, however I’m also looking forward to going home and enjoying the weekend.

Posted Fri, Nov 13 2009 12:08 by Ulf B. Simon-Weidner | with no comments


Using AD-Powershell to protect OUs from accidental deletion

If you use Active Directory Users and Computers from Windows Server 2008 or higher (it also ships with the Remote Server Administration Tools in Windows Vista or Windows 7), or the Active Directory Administrative Center in Windows Server 2008 R2 or Win7 RSAT, newly created OUs are protected from accidental deletion. However, this does not apply to OUs which were there before (migrated) or OUs which are created another way.

Therefore, during migrations or when you still run downlevel versions of the administration tools, I recommend protecting OUs from accidental deletion, but you need another way to do it instead of looking into the Object tab of each OU (with Advanced View selected).

Powershell v2 and the new Active Directory Commandlets make this easy for us:

First you need to import the Active Directory Commandlets:

import-module ActiveDirectory

Then you query all OUs and pipe them into the Set-ADOrganizationalUnit command, specifying that the “flag” which protects the OUs from accidental deletion should be set:

Get-ADOrganizationalUnit -filter * | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

Easy, right?

If you want to put this in a scheduled task, simply use the following commandline (in one line):

powershell.exe -command "&{import-module ActiveDirectory; get-ADOrganizationalUnit -filter * | set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true}"
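For a scheduled task it is useful to know what the run actually changed, and to be able to test it first. The following is an added example that builds on the one-liner above; it is not the post's own script. It assumes the same RSAT ActiveDirectory module, and the function names and the log path under %TEMP% are mine.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module; function names and the log location are my own choices.
Import-Module ActiveDirectory

# The OUs whose protection flag is not set (typically migrated or
# script-created OUs). -Properties is required: the flag is not returned by
# default and would read as $null otherwise.
function Get-UnprotectedOU {
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

# Protects only what is unprotected, writes the list it touched to a CSV so
# the run can be reviewed, and re-checks afterwards. SupportsShouldProcess
# gives the function -WhatIf for a dry run.
function Protect-AllOU {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$LogPath = (Join-Path $env:TEMP ("ou-protection-{0}.csv" -f (Get-Date -Format 'yyyyMMdd-HHmm')))
    )
    $targets = @(Get-UnprotectedOU)
    foreach ($ou in $targets) {
        if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Set ProtectedFromAccidentalDeletion')) {
            Set-ADOrganizationalUnit -Identity $ou.DistinguishedName -ProtectedFromAccidentalDeletion $true
        }
    }
    $targets | Select-Object Name, DistinguishedName |
        Export-Csv -NoTypeInformation -Path $LogPath
    # Verify: nothing should be left unprotected after a real run
    $left = @(Get-UnprotectedOU)
    Write-Host ("Candidates: {0}; still unprotected: {1}; log: {2}" -f $targets.Count, $left.Count, $LogPath)
    return $left
}

# Dry run first, then for real (e.g. from the scheduled task):
Protect-AllOU -WhatIf
# Protect-AllOU
```

Behind the flag is a Deny ACE for Everyone on the OU for Delete and Delete Subtree, which is what the Object tab checkbox toggles. The filter step matters for a scheduled task: rewriting the flag on every OU each run would also rewrite the ACL of every OU each run, which shows up as noise in change auditing.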

Posted Wed, Nov 11 2009 15:30 by Ulf B. Simon-Weidner | 1 comment(s)

djoin.exe not a Powershell command

I’ve heard from a speaker I respect the question whether Microsoft’s strategies are consistent, because they are basing everything on Powershell, yet the djoin.exe command is not a Powershell command.

Interesting one, but also very understandable if you think about it. Djoin.exe was created to provide the following possibility in Windows Server 2008 R2 and Windows 7:

  • Create a computer account in the directory and store a file to support an offline join of the computer to the domain
  • Offline join the computer to its account using the file created in the prior step
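The two steps above as they are typed in practice, added here as an example (not from the post). djoin.exe and the switches used are the ones shipped with Windows Server 2008 R2 / Windows 7 and later; the domain, machine and OU names are placeholders.

```powershell
# Added example, not from the original post. Domain, machine and OU names are
# placeholders. Step 1 runs on a domain-joined admin workstation with rights to
# create computer objects; step 2 runs on the target machine while it is still
# offline, before the final reboot.

$domain   = 'corp.example.com'                          # placeholder
$machine  = 'WKS-0042'                                  # placeholder
$ou       = 'OU=Staging,DC=corp,DC=example,DC=com'      # placeholder
$blobFile = Join-Path $env:TEMP "$machine.djoin.txt"

# Step 1: create the computer account in the given OU and write the
# provisioning blob. Add /reuse if the account already exists.
& djoin.exe /provision /domain $domain /machine $machine /machineou $ou /savefile $blobFile
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# The blob contains the machine account password, so treat it as a credential:
# strip inherited ACLs and leave read access to the provisioning user only
# until it has been copied to the target machine.
& icacls.exe $blobFile /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)" | Out-Null

# Step 2 (on the target machine, elevated, with the blob copied to C:\staging):
#   & djoin.exe /requestODJ /loadfile C:\staging\WKS-0042.djoin.txt /windowspath $env:SystemRoot /localos
# Delete the blob there and on the admin workstation once the join is done:
#   Remove-Item C:\staging\WKS-0042.djoin.txt
```

Because the blob is all an attacker needs to join a machine under that account, the ACL and the cleanup are not optional extras: a hardware vendor or distributor doing the preinstallation (the scenario mentioned below) should receive the file over a protected channel and confirm its deletion.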

The Active Directory Domain Services product group has created a lot of Powershell Commandlets to support management of Active Directory on Windows Server 2008 R2; you can actually download the Active Directory Management Gateway Service to support the Powershell commands running against Windows Server 2003 (R2) or Windows Server 2008 (without R2). The Management Gateway provides the Active Directory Web Service, which is used by Powershell and the new Administrative Center. The Web Service is automatically there if you install a Windows Server 2008 R2 Domain Controller, therefore you don’t need the Management Gateway there.

The Active Directory Powershell Commandlets are available on Windows Server 2008 R2, or Windows 7 with the Remote Server Administration Tools for Active Directory installed. If a system has not the Active Directory

As I said before, one of the two main responsibilities is to join computers offline to the domain, either in Scenarios with RODCs (e.g. in the DMZ) or mass-creation / joining e.g. if you have your hardware vendor or distributor preinstalling machines for you.

So – would we want to install the Remote Server Administration Tools for Active Directory on Clients or member servers just to join them to the domain? Nope. Would we want to have multiple powershell-modules for AD (e.g. one for server management, one for joining domains, one for directory data management, …)? Nope.

So I guess an exe for this purpose is OK, and I also guess that this is the reason behind it.

Posted Mon, Nov 9 2009 15:29 by Ulf B. Simon-Weidner | with no comments

How to make your session prominent at TechEd Europe

Funny – I arrived at TechEd Europe and many already talked to me about my session. I figured out it’s now popular because it had been rescheduled from Tuesday morning to Wednesday morning, so everyone at TechEd got a separate paper with the session updates, and mine was one of the few.

I’ve also heard it’s popular looking at the registrations, so if you plan on coming, come a bit early to make sure to get in. We also do a re-run on Thursday morning.

SIA02-IS: Active Directory: What's New in R2

Join this interactive and open discussion about Active Directory updates in Windows Server 2008 R2 or other topics that you bring up. Join product group members and an MVP with undoubted Active Directory experience.

It’s an interactive session, so we will be there (Brjann Brekkan, Technical Product Manager for Identity Management, and I are presenting the session together), listening and talking to you about the questions you have about the new features of Active Directory Domain Services in Windows Server 2008 R2.

The session is scheduled on

  • Wednesday, 9:00, Interactive Theater 4 (green)
  • Thursday, 9:00, Interactive Theatre 6 (pink)


Posted Mon, Nov 9 2009 14:25 by Ulf B. Simon-Weidner | with no comments

Powershell's social responsibility

The world is not as polite anymore as it was years ago. People are forgetting what was called “good behavior / manner”. And Powershell is entering the world and starting to monopolize in the world of scripting languages.

I think Powershell should show some level of social responsibility. And today, I’m taking action to change it:

I, Ulf B. Simon-Weidner, propose hereby that Powershell should be forced to show more social responsibility. Therefore I propose two actions:

  1. Any command executed should, by default, set the -whatif parameter
     (This would prevent the commands from executing, it'll only tell us what it would do)
  2. To really execute a command, the -please parameter must be used, which will revoke the -whatif parameter.

Wouldn’t this be nice?

Posted Tue, Sep 15 2009 15:20 by Ulf B. Simon-Weidner | 12 comment(s)


Clarifications of a stopped Active Directory

In Windows Server 2008 you are able to stop Active Directory-Domain Services using the services snap-in or by typing

net stop ntds

However, this is for servicing only and not a state in which the DC is intended to be kept for a longer period. Stopping AD is intended for servicing NTDS where there is a need for a stopped AD (such as in Directory Services Restore Mode, DSRM) but no need for completely flushed memory and stopped dependencies. So what you can do are things like offline defragmentation of the database, moving the database, and so on.

I think, this is a good feature. Yes, it would be great to do other things. Yes, it would be great to restore AD without going in DRSM. There are things which would be nice. However … it’s better than before, and that’s what is important.

I love to do things using scripts. I love to use a toolbox, some script I’ve used before. Imagine – in the past, doing offline defrags of the Active Directory database required rebooting into Directory Services Restore Mode, logging on as local admin (=DSRM admin), then running ntdsutil with the options to do an offline defrag into new files, then copying the new files over the old ones, and rebooting again into full mode.

However, in Windows Server 2008 and above it is as easy as stopping NTDS, offline defrag, moving, starting NTDS.
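The stop, defrag, swap, start sequence written out, as an added example that is not the post's own script. It assumes an elevated PowerShell on a Windows Server 2008 R2 or later DC with the ActiveDirectory module available (it is, on a DC of that level), and reads the database and log locations from the NTDS\Parameters registry values rather than assuming C:\Windows\NTDS. The target and backup folders are placeholders. Before stopping the service it checks the lockout scenario from item 4 of the list further down: a single DC with the default DSRM logon behavior cannot be logged on to while NTDS is stopped.

```powershell
# Added example, not from the original post. Run elevated, on the DC itself.
# Assumes Windows Server 2008 R2 or later; $work and $backup are placeholders.
Import-Module ActiveDirectory

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = (Get-ItemProperty $ntdsParams).'DSA Database file'         # e.g. C:\Windows\NTDS\ntds.dit
$logPath = (Get-ItemProperty $ntdsParams).'Database log files path'   # e.g. C:\Windows\NTDS
$work    = 'C:\NTDS-Compact'   # placeholder: where ntdsutil writes the compacted copy
$backup  = 'C:\NTDS-Backup'    # placeholder: copy of the original dit and logs

# $true if stopping NTDS cannot lock us out: another DC in the domain can
# authenticate us, or DsrmAdminLogonBehavior (HKLM\...\Control\Lsa) is 1 or 2,
# which allows the DSRM administrator to log on while NTDS is stopped.
function Test-SafeToStopNtds {
    $dcCount  = @(Get-ADDomainController -Filter *).Count
    $lsa      = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $behavior = if ($null -ne $lsa.DsrmAdminLogonBehavior) { [int]$lsa.DsrmAdminLogonBehavior } else { 0 }
    return ($dcCount -gt 1) -or ($behavior -ge 1)
}

function Invoke-OfflineDefrag {
    if (-not (Test-SafeToStopNtds)) {
        throw 'Only DC and DsrmAdminLogonBehavior=0: a locked session could not be unlocked while NTDS is stopped. Set the value to 1 first, or use DSRM.'
    }
    New-Item -ItemType Directory -Force -Path $work, $backup | Out-Null

    # Remember which dependents (KDC, DNS, DFSR/NTFRS, ...) were running so we
    # can bring them back; Start-Service NTDS alone does not restart them.
    $dependents = (Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }

    # 1. Stop AD DS; -Force stops the dependents as "net stop ntds /y" would
    Stop-Service -Name NTDS -Force
    $swapped = $false
    try {
        # 2. Compact into a fresh file in $work
        & ntdsutil.exe 'activate instance ntds' files "compact to $work" quit quit | Out-Null
        $newDit = Join-Path $work 'ntds.dit'
        if (-not (Test-Path $newDit)) { throw 'ntdsutil did not produce a compacted ntds.dit' }

        # 3. Keep the originals, swap in the compacted file, delete the old logs
        #    (the steps ntdsutil itself prints after a successful compaction)
        Copy-Item $dbFile $backup -Force
        Copy-Item (Join-Path $logPath '*.log') $backup -Force
        Copy-Item $newDit $dbFile -Force
        Remove-Item (Join-Path $logPath '*.log') -Force
        $swapped = $true

        # 4. Check the swapped-in file before AD DS reads it again
        $out = & ntdsutil.exe 'activate instance ntds' files integrity quit quit 2>&1 | Out-String
        if ($out -notmatch 'Integrity check successful') { throw "integrity check failed:`n$out" }
    } catch {
        if ($swapped) {
            # Put the original database and logs back before restarting
            Copy-Item (Join-Path $backup 'ntds.dit') $dbFile -Force
            Copy-Item (Join-Path $backup '*.log') $logPath -Force
        }
        throw
    } finally {
        # 5. Start AD DS again: the stopped state is for servicing only
        Start-Service -Name NTDS
        foreach ($svc in $dependents) { Start-Service -Name $svc.Name -ErrorAction Continue }
    }
    Get-Service -Name NTDS | Select-Object Name, Status
}

Invoke-OfflineDefrag
```

The try/catch/finally is the part worth copying even if you do the steps by hand: whatever goes wrong between stop and start, NTDS is started again with either the new file or the original one, never with a half-swapped directory. A stopped AD DS on a DC is also something to alert on in monitoring, for exactly the reason the post gives: it is a servicing state, not a parked one.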

It is important to keep in mind that you can stop NTDS, but it is not meant to stay stopped for a longer period.

However, three things which made me worry if this feature is not well understood:

  1. It’s not a state to keep for a longer period, not a replacement for recovery-DCs (which are turned off in the closet).
  2. Not a replacement for DSRM when it comes to System State Recovery / Authoritative Restore of a restored backup. If you need to restore a system state backup, the only supported way is to do it in DSRM.
  3. Authoritatively marking objects which haven’t been replicated to the DC in question is OK; the same goes for file management operations other than restoring a backup (the content of the dit basically needs to remain the same).
  4. You can’t log on with the DSRM admin when NTDS is stopped. This hit someone – in the beta timeframe – who had a single DC, stopped NTDS, stepped away for some time (screen saver kicked in) and couldn’t log on. DSRM logon is not possible by default with a stopped NTDS when there are no other logon servers available (if there are, e.g. you have a second DC, they authenticate you on the DC with the stopped NTDS).
    DSRM admin (which equals the local admin on a DC) is only available on Small Business Server (by default) or if you modified the following registry key:
    Value 0: DSRM-Logon only when in DSRM (default)
    Value 1: DSRM-Logon only when NTDS stopped (or DSRM) (default in
    Value 2: DSRM-Logon always

HTH, Ulf

Posted Tue, Sep 15 2009 15:18 by Ulf B. Simon-Weidner | 2 comment(s)
