<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msmvps.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Directory Services/Active Directory : Active Directory</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx</link><description>Tags: Active Directory</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Build: 40407.4157)</generator><item><title>“speaking 2.0” at Microsoft TechEd today</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2012/06/14/speaking-2-0-at-microsoft-teched-today.aspx</link><pubDate>Thu, 14 Jun 2012 15:48:44 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1811082</guid><dc:creator>Ulf B. Simon-Weidner</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1811082</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2012/06/14/speaking-2-0-at-microsoft-teched-today.aspx#comments</comments><description>&lt;p&gt;I’m speaking today about &lt;a href="http://northamerica.msteched.com/topic/details/2012/SIA319" target="_blank"&gt;“The Evolution of Active Directory Recovery” at TechEd 2012 US (SIA319, 1pm in Hall N310)&lt;/a&gt;. The session will also be streamed.&lt;/p&gt;  &lt;p&gt;I had a great idea, and I’m looking forward to seeing how it works. 
And I haven’t seen this before &lt;img style="border-bottom-style:none;border-right-style:none;border-top-style:none;border-left-style:none;" class="wlEmoticon wlEmoticon-winkingsmile" alt="Winking smile" src="http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/ulfbsimonweidner.metablogapi/5657.wlEmoticon_2D00_winkingsmile_5F00_1F2A47A8.png" /&gt;: &lt;/p&gt;  &lt;p&gt;&lt;strong&gt;I’ll be taking questions using Twitter. &lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;If you are in the audience (in the hall or online) and you have any questions, just tweet them using the hashtag &lt;a href="https://twitter.com/#!/search/%23tesia319" target="_blank"&gt;#TESIA319&lt;/a&gt; – this enables me to follow up with the answers either in the session or, if we are short on time or have too many questions, afterwards. This also enables attendees who are not sitting close to a microphone, who are watching the streamed version or who feel more comfortable writing than speaking to ask their questions.&lt;/p&gt;  &lt;p&gt;Two simple rules: use the #TESIA319 hashtag – I will not monitor anything else during the session – and please ask questions in the areas I’ve covered, so that we can try to avoid questions which are covered in the next slides.&lt;/p&gt;  &lt;p&gt;Looking forward to the session and hopefully seeing you there!&lt;/p&gt;  &lt;p&gt;Ulf B. 
Simon-Weidner&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1811082" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Technical+Stuff/default.aspx">Technical Stuff</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Personal/default.aspx">Personal</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Communities/default.aspx">Communities</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/TechEd/default.aspx">TechEd</category></item><item><title>Speaking engagements</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2011/09/14/speaking-engagements.aspx</link><pubDate>Wed, 14 Sep 2011 19:31:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1799543</guid><dc:creator>Ulf B. Simon-Weidner</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1799543</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2011/09/14/speaking-engagements.aspx#comments</comments><description>&lt;p&gt;I&amp;rsquo;m currently getting ready for some speaking engagements:&lt;/p&gt;
&lt;p&gt;Tuesday next week (Sept 21st) I&amp;rsquo;m proud to moderate the &lt;a target="_blank" href="http://www.iir.de/produkt.aspx?pnr=P2600327&amp;amp;page=7849"&gt;Windows Infrastructure&lt;/a&gt; Track of the &lt;a target="_blank" href="http://www.iir.de/produkt.aspx?pnr=P2600327&amp;amp;page=7726"&gt;IIR IT-Admin Tech Talk&lt;/a&gt;. In this track we are covering not only the operating system related technologies, but also Cloud, Office 365, Sharepoint and Exchange. I&amp;rsquo;ll also present two sessions myself there:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;13 Years Active Directory &lt;br /&gt;&lt;/strong&gt;an overview of previous and future scenarios&lt;/p&gt;
&lt;p&gt;I will cover various design considerations, misunderstandings of early designs, whether corporate infrastructures have adjusted or should be adjusted. At the end we will take a look into challenges for future designs, on-premises and in the cloud.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Who am I in the cloud?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In this session I will talk about challenges and opportunities of cloud computing in general and Office 365 in particular: Does cloud mean sunshine for the CIO and rain for the Admin? Which skills are needed? What is the long-term strategy for cloud computing in your enterprise?&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The IT-Admin TechTalk will be in Frankfurt and is held in German.&lt;/p&gt;
&lt;p&gt;
&lt;hr /&gt;
Also the next international conference is coming up. &lt;a target="_blank" href="http://www.theexpertsconference.com"&gt;The Experts Conference&lt;/a&gt; Europe will also be in Frankfurt in October this year. It is about half a year after TEC USA in Las Vegas. TEC is known to be the best and most highly skilled conference when it comes to Directory Services, and has expanded over the years beyond the AD and FIM tracks to also cover Exchange, Sharepoint and Cloud technologies in different tracks. TEC attracts the most highly skilled speakers, and Microsoft values the conference so much that they send more Program Managers and Developers of the product groups to TEC than to their own IT-Pro conference, TechEd. Additionally TechEd EU will not happen this year, so maybe you are able to convince your boss. Las Vegas has been a great success, with lots of interesting sessions and a lot of community interaction, and I&amp;rsquo;m very much looking forward to Frankfurt. This conference is in English.&lt;/p&gt;
&lt;p&gt;At The Experts Conference I will deliver three sessions, but I will post details later when the agenda is final.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;span style="font-family:Lucida Handwriting;"&gt;Ulf&lt;/span&gt;&lt;/em&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1799543" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Personal/default.aspx">Personal</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Communities/default.aspx">Communities</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category></item><item><title>“Active Directory” SPECIAL EDITION of the IT-Administrator published</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2010/11/04/active-directory-special-edition-of-the-it-administrator-published.aspx</link><pubDate>Thu, 04 Nov 2010 20:24:01 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1781615</guid><dc:creator>Ulf B. Simon-Weidner</dc:creator><slash:comments>3</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1781615</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2010/11/04/active-directory-special-edition-of-the-it-administrator-published.aspx#comments</comments><description>&lt;table border="0" cellspacing="0" cellpadding="2" width="796"&gt;&lt;tbody&gt;     &lt;tr&gt;       &lt;td valign="top" width="200"&gt;&lt;a href="https://www.it-administrator.de/kiosk/sonderhefte/80569/"&gt;&lt;img style="border-right-width:0px;display:inline;border-top-width:0px;border-bottom-width:0px;margin-left:0px;border-left-width:0px;margin-right:0px;" title="ITA-Sonderheft" border="0" alt="ITA-Sonderheft" align="left" src="http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/ulfbsimonweidner.metablogapi/7851.ITASonderheft_5F00_3505BA3D.jpg" width="186" height="244" 
/&gt;&lt;/a&gt;&lt;/td&gt;        &lt;td valign="top" width="594"&gt;         &lt;p&gt;MVP &lt;a href="http://www.frickelsoft.net/blog/" target="_blank"&gt;Florian Frommherz&lt;/a&gt; and I wrote a Special Edition of the IT-Administrator: almost 180 pages which provide in-depth information about Active Directory. We are discussing the Evolution of AD, Domain and Forest Strategies, Understanding the Domain/Forest Levels, LDAP Backgrounds and Application Performance testing, AD and DNS, AD Backup and Recovery, Background Information about the AD Recycle Bin, Virtualization of DCs, Replication Across Firewalls, RODCs, Delegation and MSAs, Fine Grained Password Policies and many more.             &lt;br /&gt;We are very happy with the result: a huge amount of in-depth information for any AD Admin or Consultant. &lt;/p&gt;          &lt;p&gt;Sorry – just in German for now. But an interesting read. &lt;/p&gt;          &lt;p&gt;If you got it, feel free to provide feedback!&lt;/p&gt;       &lt;/td&gt;     &lt;/tr&gt;   &lt;/tbody&gt;&lt;/table&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;Ulf&lt;/em&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1781615" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Technical+Stuff/default.aspx">Technical Stuff</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Communities/default.aspx">Communities</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Security/default.aspx">Security</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Windows+Server/default.aspx">Windows Server</category></item><item><title>Preparing for TechEd 
Europe</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2010/11/04/preparing-for-teched-europe.aspx</link><pubDate>Thu, 04 Nov 2010 15:40:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1781591</guid><dc:creator>Ulf B. Simon-Weidner</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1781591</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2010/11/04/preparing-for-teched-europe.aspx#comments</comments><description>&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/ulfbsimonweidner.metablogapi/2577.TEE_5F00_681731DE.gif"&gt;&lt;img height="99" width="904" src="http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/ulfbsimonweidner.metablogapi/2654.TEE_5F00_thumb_5F00_3F2C1CD5.gif" alt="TEE" border="0" title="TEE" style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" /&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;TechEd Europe will be in Berlin next week, and I&amp;rsquo;m looking forward to delivering three sessions there:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;SIA301-IS - Under the Hood: What Really Happens During Critical Active Directory Operations&lt;/strong&gt; &lt;br /&gt;&lt;em&gt;Wednesday Nov 10, 9:00 &amp;ndash; 10:00 AM &lt;br /&gt;Thursday Nov 11, 4:30 &amp;ndash; 5:30 PM &lt;br /&gt;&lt;br /&gt;&lt;/em&gt;Come and discuss critical Active Directory operations. &lt;br /&gt;Are you fully aware of what &amp;ldquo;critical&amp;rdquo; operations in AD really do? In this interactive session we will talk about those operations, understanding what they are doing and how to distinguish whether operations are critical to your environment or not. Ulf has been working in the field for more than 13 years, and has a lot of notes and examples to share. We will talk about how to approach challenges, and study scenarios that show how other companies managed the associated risks and prepared for rollbacks. We have some common scenarios for everyone but please bring your own questions as well, as we want this talk to be as interactive as possible. &lt;br /&gt;&lt;br /&gt;Since this is an interactive session, don&amp;rsquo;t forget that it &amp;ldquo;lives&amp;rdquo; from discussing opinions in the audience, so the repeat will be different. &lt;br /&gt;&amp;nbsp;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SIA306 - A Dozen Years AD - Discuss Previous and Future Design Decisions&lt;/strong&gt; &lt;br /&gt;&lt;em&gt;Thursday Nov 11, 2:30 &amp;ndash; 3:30 PM &lt;br /&gt;&lt;/em&gt;&lt;br /&gt;Active Directory has evolved over the years, along with security recommendations and best practices. But has our corporate design changed that much? Is it required? What should we change, and what should we retain? Ulf B. Simon-Weidner is a long-standing, internationally recognized expert in Active Directory, and in this session he will discuss Active Directory designs of the past, present and future. &lt;/li&gt;
&lt;/ul&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1781591" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Communities/default.aspx">Communities</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/TechEd/default.aspx">TechEd</category></item><item><title>How to get more Infrastructure Masters in your domain?</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2010/02/13/how-to-get-more-infrastructure-masters-in-your-domain.aspx</link><pubDate>Sat, 13 Feb 2010 17:05:04 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1757144</guid><dc:creator>Ulf B. Simon-Weidner</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1757144</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2010/02/13/how-to-get-more-infrastructure-masters-in-your-domain.aspx#comments</comments><description>&lt;p&gt;Usually we have one Infrastructure Master in the domain, which is responsible for maintaining references to objects in other domains – such as users which are members of a group in a different domain – to make sure that if the target object (user) is renamed, moved or its distinguishedName has otherwise changed, it can still be found. It does this by creating phantoms (small objects which contain only distinguishedName, SID and GUID). 
&lt;/p&gt;  &lt;p&gt;Actually, making it more complicated but accurate – those group memberships are not maintained by referencing the data directly (a group in the database does not contain the data of its members) but by referencing objects by their database row (like an ID, called the DistinguishedNameTag or DNT). So if we add a user to a group, there is a link table in the database where a new entry is created, with the forward link referencing the DNT of the user and the backward link referencing the DNT of the group. So the phantoms are also needed so that there is a database row for the target object, otherwise there wouldn’t be a DNT to reference as the target.&lt;/p&gt;  &lt;p&gt;The second role of the infrastructure master is to be a single, well-known machine in the domain: whenever we need to run an operation against the domain and make sure to hit a specific DC – and always the same one if we run it multiple times – the infrastructure master is used (e.g. for domainprep, rodcprep, ...).&lt;/p&gt;  &lt;p&gt;The second role is the reason why we have one IM per application partition, see my post &lt;a href="http://msmvps.com/blogs/ulfbsimonweidner/archive/2008/07/31/how-many-infrastructure-masters-do-you-have.aspx" target="_blank"&gt;“How many Infrastructure Masters do you have”&lt;/a&gt; about it.&lt;/p&gt;  &lt;p&gt;So talking about reference update, the primary reason for the IM, this is also the reason why an infrastructure master cannot run on a global catalog – because it is using the GC (which knows about the objects in other domains anyway) to validate its local data against the data of the GC. For more about GCs vs. IM see “&lt;a href="http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx"&gt;Global Catalog vs. 
Infrastructure Master&lt;/a&gt;”&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;But how do we get more Infrastructure Masters (for reference update) in the domain?&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;Easy.&lt;/p&gt;  &lt;p&gt;When you are running all DCs on Windows Server 2008 R2, turn on the recycle bin. There you go. This will enable running a reference update task on every DC which is not a GC.&lt;/p&gt;  &lt;p&gt;The reason behind this? When the recycle bin is enabled, the objects we knew before as tombstones are now deleted objects with all data maintained. We are able to restore these. Therefore we need to maintain reference updates for deleted objects as well, and those changes on deleted objects are not replicated to other DCs. Additionally we need to maintain links – links which point to or from deleted objects need to be “marked” as deactivated, so that it is possible to activate them when the object is restored.&lt;/p&gt;  &lt;p&gt;Actually I will cover the recycle bin among a lot of useful information at &lt;a href="http://www.tec2010.com/" target="_blank"&gt;TEC&lt;/a&gt; – if you are there come to my session:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;&lt;a name="digeeks"&gt;&lt;/a&gt;&lt;strong&gt;A DS Geek’s Notes from the Field – Active Directory Recovery Unveiled&lt;/strong&gt;      &lt;br /&gt;Speaker: &lt;a href="http://tec2010.com/agenda-speakers/directory-identity-training/speaker-bios/#weidner"&gt;Ulf Simon-Weidner&lt;/a&gt;&lt;/p&gt;    &lt;p&gt;You’ve got R2 and enabled Recycle-Bin, so no other actions are necessary to prepare for an AD-Recovery? Or you haven’t yet deployed R2 (or switched to the forest-level)? Are you aware that even with today’s possibilities you are not prepared for every scenario? You have to blend in certain features. You also have to manage them and adjust your processes accordingly! 
This session will give you an insight into experiences and practices from a field perspective about what can go wrong and what you should do to manage and look after AD in a proactive way. In this session, you’ll hear experiences from the field about Active Directory disaster prevention and recovery, along with interesting thoughts, scripts and scenarios. Think beyond and get inspired. This session will distinguish you from the Admins who keep their CV updated in case anything goes wrong, and put you among the ones who are prepared instead.&lt;/p&gt;&lt;/blockquote&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1757144" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Technical+Stuff/default.aspx">Technical Stuff</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Windows+Server/default.aspx">Windows Server</category></item><item><title>Adjusting the Tombstone Lifetime</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2010/02/10/adjusting-the-tombstone-lifetime.aspx</link><pubDate>Wed, 10 Feb 2010 10:00:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1756341</guid><dc:creator>Ulf B. 
Simon-Weidner</dc:creator><slash:comments>3</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1756341</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2010/02/10/adjusting-the-tombstone-lifetime.aspx#comments</comments><description>&lt;p&gt;I just had a pretty interesting discussion via a mailing list with some other Active Directory MVPs and some members of the Active Directory Product Group in Redmond.&lt;/p&gt;  &lt;p&gt;As we know, there is a new default for the tombstone lifetime in Active Directory. The discussion started because there is an article on Technet which is incorrect: &lt;a href="http://technet.microsoft.com/en-us/library/cc784932(WS.10).aspx"&gt;http://technet.microsoft.com/en-us/library/cc784932(WS.10).aspx&lt;/a&gt;. Currently point 8 states that the tombstone lifetime, if it is &amp;lt;not set&amp;gt;, depends on the version of the Operating System of the first DC in the forest. However this is not correct and the article is already being changed.&lt;/p&gt;  &lt;p&gt;If you are not familiar with tombstones, I wrote &lt;a href="http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/10/29/73552.aspx" target="_blank"&gt;Some details about Tombstones, Garbage Collection and Whitespace in the AD DB&lt;/a&gt; a while ago. Basically, a tombstone is an object which is deleted, however a small part of it is maintained in AD for 60 or 180 days (by default) to make sure that all DCs receive the information that the object needs to be deleted. When the 60 or 180 days are over (this is the tombstone lifetime) every DC will delete the object locally (this is not replicated; the DC simply calculates whether “time-of-deletion + tombstone-lifetime &amp;lt; now”, and if so the object is cleaned up). 
This “cleaning up” is done during garbage collection, which runs by default every 12 hours.&lt;/p&gt;  &lt;p&gt;The tombstone lifetime therefore is also the limit of the “shelf life” of a backup – if you used a backup which is older it would reintroduce objects which were already deleted, so the maximum age of a backup is the same as the tombstone lifetime.&lt;/p&gt;  &lt;p&gt;In Windows Server 2003 SP1 Microsoft decided to increase the tombstone lifetime to 180 days, as I wrote in &lt;a href="http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/26/39806.aspx" target="_blank"&gt;Active Directory Backup? Don&amp;#39;t rush - you&amp;#39;ll get more time&lt;/a&gt;. However, in Windows Server 2003 R2 there was a minor slip, so this version introduced 60 days again. To clarify, this only changes if you set up a new forest, and the value will depend on the level of the operating system of that first DC.&lt;/p&gt;  &lt;table border="1" cellspacing="0" cellpadding="2" width="400"&gt;&lt;tbody&gt;     &lt;tr&gt;       &lt;td valign="top" width="265"&gt;Operating System of first DC&lt;/td&gt;        &lt;td valign="top" width="135"&gt;tombstoneLifetime (days)&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top" width="265"&gt;Windows 2000 Server&lt;/td&gt;        &lt;td valign="top" width="135"&gt;60&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top" width="265"&gt;Windows Server 2003 w/o SP&lt;/td&gt;        &lt;td valign="top" width="135"&gt;60&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top" width="265"&gt;Windows Server 2003 SP1/2&lt;/td&gt;        &lt;td valign="top" width="135"&gt;180&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top" width="265"&gt;Windows Server 2003 R2 (SP1)&lt;/td&gt;        &lt;td valign="top" width="135"&gt;60&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top" width="265"&gt;Windows Server 2003 R2 SP2&lt;/td&gt;        &lt;td valign="top" 
width="135"&gt;180&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top" width="265"&gt;Windows Server 2008 and higher&lt;/td&gt;        &lt;td valign="top" width="135"&gt;180&lt;/td&gt;     &lt;/tr&gt;   &lt;/tbody&gt;&lt;/table&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;You can verify what your tombstone lifetime is by looking at the attribute &amp;quot;tombstoneLifetime&amp;quot; of the object cn=directory service,cn=windows nt,cn=services in the Configuration partition.&lt;/p&gt;  &lt;table border="1" cellspacing="0" cellpadding="2" width="768"&gt;&lt;tbody&gt;     &lt;tr&gt;       &lt;td valign="top" width="766"&gt;&lt;strong&gt;&lt;font face="Consolas"&gt;dsquery * &amp;quot;cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=&amp;lt;forestDN&amp;gt;&amp;quot; -scope base -attr tombstonelifetime&lt;/font&gt;&lt;/strong&gt;&lt;/td&gt;     &lt;/tr&gt;   &lt;/tbody&gt;&lt;/table&gt;  &lt;p&gt;If the attribute has a value, the tombstone lifetime is that value in days; if it has no value it is 60 days. What changed the default to 180 is the file schema.ini, which creates the default objects in a new AD. The version of schema.ini from Windows Server 2003 SP1 and higher (see table above) simply sets the value 180 in the attribute tombstoneLifetime. &lt;/p&gt;  &lt;h3&gt;Is it recommended to adjust the Tombstone-Lifetime to the new default?&lt;/h3&gt;  &lt;p&gt;Over the years there were many infrastructures whose DCs didn’t replicate within 60 days, leading to replication issues and lingering objects. There were many cases within Microsoft PSS and I’ve also seen a couple of infrastructures where I had to fix this. Therefore Microsoft decided to raise the default tombstone lifetime to 180 days, which also extends the lifetime of your backup. 
It is up to your company to decide whether to change the tombstone lifetime to the new default.&lt;/p&gt;  &lt;p&gt;In the e-mail thread we were also discussing whether there are any issues with changing the tombstone lifetime.&lt;/p&gt;  &lt;p&gt;If you lower the tombstone lifetime, there is no issue. The garbage collection process will be a bit busier (usually it only needs to clean up changes from a 12 hour timeframe 60 or 180 days ago, but if we go down from 180 to 60, garbage collection needs to clean up the changes of 120 days the next time it runs). However this shouldn’t lead to a performance issue, and if you think it’ll be an issue you can stage it (e.g. moving from 180 to 150, waiting at least for replication + 12 hours, then going from 150 to 120 and so on).&lt;/p&gt;  &lt;p&gt;However, if you want to raise the tombstone lifetime, e.g. from 60 to 180 to match the new default, there’s one scenario which needs to be considered:&lt;/p&gt;  &lt;p&gt;Let’s say we have two DCs, DC-Munich and DC-LA (L.A. because that’s where &lt;a href="http://www.tec2010.com" target="_blank"&gt;The Experts Conference&lt;/a&gt; will be in April). On DC-Munich we change the tombstoneLifetime from &amp;lt;not set&amp;gt; (=60) to 180. When garbage collection runs on DC-Munich it is bored – it already cleaned up all changes from 60 days ago, but we instructed it to keep everything for 180 days now, so for the next 120 days garbage collection does not need to do anything. However a bit later DC-LA (which hasn’t received replication with the new tombstoneLifetime yet) runs garbage collection and cleans up everything which happened in the 12h timespan 60 days ago.&lt;/p&gt;  &lt;p&gt;In this scenario, DC-Munich has objects (tombstones) which were cleaned up on DC-LA, leading various detection mechanisms to identify them as lingering objects (repadmin will detect them, as well as various update processes which will prevent you from doing operations like schema updates for the next 120 days). 
This will resolve after 120 days, however it is pretty inconvenient.&lt;/p&gt;  &lt;p&gt;To increase tombstoneLifetime in big infrastructures, there is only one valid solution:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;make sure that garbage collection will not run instantly after you have changed the attribute; then, after changing the attribute, force replication and make sure it’s replicated everywhere &lt;/li&gt;    &lt;li&gt;&lt;strike&gt;lower the tombstone lifetime before increasing it. e.g. set it to 55 and make sure it has been replicated everywhere, then wait at least 12 hours or ensure that garbage collection was running on all DCs. This ensures that there are no objects which need to be taken care of garbage collection for the next couple days. Then increase the tombstone lifetime to the value you intended, e.g. 180 days. Make sure that replication works and every DC is getting the update in the next few days, and you are on the safe side        &lt;br /&gt;&lt;/strike&gt;&lt;em&gt;&lt;font color="#ff0000"&gt;Thanks to Jesko who discussed this scenario with me – I was wrong – increasing is always causing trouble with lingering objects. 
Controlling garbage collection is the only way to go.&lt;/font&gt;&lt;/em&gt;&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;I think this scenario is very interesting, so I wanted to share it.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1756341" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Technical+Stuff/default.aspx">Technical Stuff</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Windows+Server/default.aspx">Windows Server</category></item><item><title>Using AD-Powershell to protect OUs from accidental deletion</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2009/11/11/using-ad-powershell-to-protect-ous-from-accidental-deletion.aspx</link><pubDate>Wed, 11 Nov 2009 14:30:49 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1738999</guid><dc:creator>Ulf B. Simon-Weidner</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1738999</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2009/11/11/using-ad-powershell-to-protect-ous-from-accidental-deletion.aspx#comments</comments><description>&lt;p&gt;If you use Active Directory-Users and –Computers from Windows Server 2008 or higher (also ships with the Remote Server Administration Tools in Windows Vista or Windows 7), or the Active Directory Administrative Center in Windows Server 2008 R2 or Win7 RSAT &lt;a href="http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/09/25/protect-objects-from-accidential-deletion-in-windows-server-2008.aspx"&gt;newly created OUs are protected from accidental deletion&lt;/a&gt;. 
However, this does not apply to OUs which existed before (e.g. migrated) or OUs which are created another way.&lt;/p&gt;  &lt;p&gt;Therefore, during migrations or when you still run downlevel versions of the administration tools, I recommend protecting OUs from accidental deletion, but you need a way to do it other than opening the Object tab of each OU (with Advanced View selected).&lt;/p&gt;  &lt;p&gt;Powershell v2 and the new Active Directory Commandlets make this easy for us:&lt;/p&gt;  &lt;p&gt;First you need to import the Active Directory Commandlets:&lt;/p&gt;  &lt;pre class="PowerShellColorizedScript"&gt;&lt;span style="color:#0000ff;"&gt;import-module&lt;/span&gt; &lt;span style="color:#8a2be2;"&gt;ActiveDirectory&lt;/span&gt;&lt;/pre&gt;

&lt;p&gt;Then you query all OUs and pipe them into the Set-ADOrganizationalUnit command, setting the “flag” which protects the OUs from accidental deletion:&lt;/p&gt;

&lt;pre class="PowerShellColorizedScript"&gt;&lt;span style="color:#0000ff;"&gt;Get-ADOrganizationalUnit&lt;/span&gt; &lt;span style="color:#000080;"&gt;-filter&lt;/span&gt; &lt;span style="color:#8a2be2;"&gt;*&lt;/span&gt; &lt;span style="color:#a9a9a9;"&gt;|&lt;/span&gt; &lt;span style="color:#0000ff;"&gt;Set-ADOrganizationalUnit&lt;/span&gt; &lt;span style="color:#000080;"&gt;-ProtectedFromAccidentalDeletion&lt;/span&gt; &lt;span style="color:#ff4500;"&gt;$true&lt;/span&gt;&lt;/pre&gt;

&lt;p&gt;Easy, right?&lt;/p&gt;

&lt;p&gt;If you want to put this in a scheduled task, simply use the following commandline (in one line):&lt;/p&gt;

&lt;pre class="PowerShellColorizedScript"&gt;&lt;span style="color:#0000ff;"&gt;powershell.exe&lt;/span&gt; &lt;span style="color:#000080;"&gt;-command&lt;/span&gt; &lt;span style="color:#8b0000;"&gt;&amp;quot;&amp;amp;{import-module ActiveDirectory; get-ADOrganizationalUnit –filter * &lt;br /&gt;| set-ADOrganizationalUnit –ProtectedFromAccidentalDeletion $true}&amp;quot;&lt;/span&gt;&lt;/pre&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1738999" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Technical+Stuff/default.aspx">Technical Stuff</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Windows+Server/default.aspx">Windows Server</category></item><item><title>djoin.exe not a Powershell command</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2009/11/09/djoin-exe-not-a-powershell-command.aspx</link><pubDate>Mon, 09 Nov 2009 14:29:31 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1738592</guid><dc:creator>Ulf B. Simon-Weidner</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1738592</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2009/11/09/djoin-exe-not-a-powershell-command.aspx#comments</comments><description>&lt;p&gt;I’ve heard from a speaker I respect the question whether Microsofts strategies are consequent because they are basing everything on Powershell, however the djoin.exe-command is not a Powershell command.&lt;/p&gt;  &lt;p&gt;Interesting one, but also very understandable if you think about it. 
Djoin.exe was created to provide the following possibility in Windows Server 2008 R2 and Windows 7:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Create a computer account in the directory and store a file to support an offline join of the computer to the domain&lt;/li&gt;    &lt;li&gt;Offline join the computer to its account using the file created in the prior step&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;The Active Directory Domain Services product group has created a lot of Powershell Commandlets to support management of Active Directory on Windows Server 2008 R2; actually you can download the Active Directory Management Gateway Service to support the Powershell commands running against Windows Server 2003 (R2) or Windows Server 2008 (without R2). The Management Gateway provides the Active Directory Web Service, which is used by Powershell and the new Administrative Center. The Web Service is automatically there if you install a Windows Server 2008 R2 Domain Controller, therefore you don’t need the Management Gateway there.&lt;/p&gt;  &lt;p&gt;The Active Directory Powershell Commandlets are available on Windows Server 2008 R2, or Windows 7 with the Remote Server Administration Tools for Active Directory installed. If a system has not the Active Directory&lt;/p&gt;  &lt;p&gt;As I said before, one of the two main responsibilities is to join computers offline to the domain, either in scenarios with RODCs (e.g. in the DMZ) or mass-creation / joining, e.g. if you have your hardware vendor or distributor preinstalling machines for you.&lt;/p&gt;  &lt;p&gt;So – would we want to install the Remote Server Administration Tools for Active Directory on clients or member servers just to join them to the domain? Nope. Would we want to have multiple Powershell modules for AD (e.g. one for server management, one for joining domains, one for directory data management, …)? 
Nope.&lt;/p&gt;  &lt;p&gt;So I guess an exe for this purpose is OK, and I also guess that this is the reason behind it.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1738592" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Technical+Stuff/default.aspx">Technical Stuff</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Windows+Server/default.aspx">Windows Server</category></item><item><title>Clarifications of a stopped Active Directory</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2009/09/15/clarifications-of-a-stopped-active-directory.aspx</link><pubDate>Tue, 15 Sep 2009 13:18:36 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1723507</guid><dc:creator>Ulf B. Simon-Weidner</dc:creator><slash:comments>2</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1723507</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2009/09/15/clarifications-of-a-stopped-active-directory.aspx#comments</comments><description>&lt;p&gt;In Windows Server 2008 you are able to stop Active Directory-Domain Services using the services snap-in or by typing&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;&lt;font face="Consolas"&gt;net stop ntds&lt;/font&gt;&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;However, this is for servicing only and not a state where the DC is intended to be kept for a longer period. Stopping AD is intended for servicing NTDS where there is a need of a stopped AD (such as in Directory Services Restore Mode, DSRM) but where there is no need of a completely flushed memory and stopped dependencies. 
So what you can do are things like offline defragmentation of the database or moving the database a.s.o.&lt;/p&gt;  &lt;p&gt;I think this is a good feature. Yes, it would be great to do other things. Yes, it would be great to restore AD without going into DSRM. There are things which would be nice. However … it’s better than before, and that’s what is important.&lt;/p&gt;  &lt;p&gt;I love to do things using scripts. I love to use a toolbox, some script I’ve used before. Imagine – in the past doing offline defrags of the Active Directory database would require you to reboot into Directory Service Restore Mode, log on as local admin (=DSRM-admin), then run ntdsutil with the options to do an offline defrag into new files, then copy the new files over the old ones, then reboot again into full mode.&lt;/p&gt;  &lt;p&gt;However, in Windows Server 2008 and above it is as easy as stopping NTDS, offline defrag, moving, starting NTDS.&lt;/p&gt;  &lt;p&gt;It is important to keep in mind that you can stop NTDS, however it’s not meant to stay stopped for a longer period.&lt;/p&gt;  &lt;p&gt;However, three things which made me worry if this feature is not well understood:&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;It’s &lt;strong&gt;not a state to keep for a longer period&lt;/strong&gt;, not a replacement for recovery-DCs (which are turned off in the closet). &lt;/li&gt;    &lt;li&gt;&lt;strong&gt;Not a replacement for DSRM when it comes to System State Recovery&lt;/strong&gt; / Authoritative Restore of a restored backup. If you need to restore a system state backup, the only supported way is to do it in DSRM. &lt;/li&gt;    &lt;li&gt;Authoritatively marking objects which haven’t been replicated to the DC in question is OK, same goes for file-management operations other than restoring a backup (the content of the dit basically needs to remain the same)&lt;/li&gt;    &lt;li&gt;You &lt;strong&gt;can’t logon with the DSRM-Admin when NTDS is stopped. 
&lt;/strong&gt;In the beta timeframe this hit someone who had a single DC, stopped NTDS, stepped away for some time (screen saver kicked in) and couldn’t log on. DSRM-logon is not possible by default with a stopped NTDS when there are no other logon-servers available (if there are, e.g. you have a second DC, they authenticate you on the DC with the stopped NTDS).       &lt;br /&gt;DSRM-Admin (which equals local admin on a DC) is only available on Small Business Server (by default) or if you modified the following registry-key:      &lt;br /&gt;HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior      &lt;br /&gt;Value 0: DSRM-Logon only when in DSRM (default)      &lt;br /&gt;Value 1: DSRM-Logon only when NTDS stopped (or DSRM) (default in       &lt;br /&gt;Value 2: DSRM-Logon always&lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;HTH, Ulf&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1723507" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Technical+Stuff/default.aspx">Technical Stuff</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Windows+Server/default.aspx">Windows Server</category></item><item><title>Exchange 2010 RC touches AdminSDHolder</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2009/09/09/exchange-2010-rc-touches-adminsdholder.aspx</link><pubDate>Wed, 09 Sep 2009 07:51:47 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1721817</guid><dc:creator>Ulf B. 
Simon-Weidner</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1721817</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2009/09/09/exchange-2010-rc-touches-adminsdholder.aspx#comments</comments><description>&lt;p&gt;I was just pointed to the blog of &lt;a href="http://dloder.blogspot.com/2009/08/exchange-2010-rc1-and-adminsdholder.html"&gt;David Loder&lt;/a&gt; who’s pointing out that the Release Candidate of Exchange 2010 is changing the &lt;a title="AdminSDHolder - or where did my permissions go?" href="http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx" target="_blank"&gt;permissions enforced by AdminSDHolder to critical groups&lt;/a&gt; to allow Exchange Organizational Admins to change the group memberships of Enterprise Admins, Schema Admins, Domain Admins a.s.o.&lt;/p&gt;  &lt;p&gt;OK, one of Microsoft’s Program Managers already responded, and I do agree that this is not a released product and pre-release versions are there for finding those bugs.&lt;/p&gt;  &lt;p&gt;I’d just like to say:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;@Ross: This is not that hard to fix:&lt;/p&gt;    &lt;ul&gt;     &lt;li&gt;for existing OUs stamp it on their ACE (preferably top-level - if inheritance is blocked on lower levels check and point to a KB &lt;/li&gt;      &lt;li&gt;for new OUs change the defaultNtSecurityDescriptor of the OU-Class in the schema &lt;/li&gt;      &lt;li&gt;don&amp;#39;t touch adminSdHolder ;) &lt;/li&gt;   &lt;/ul&gt; &lt;/blockquote&gt;  &lt;p&gt;The first one will make sure that existing OUs allow Exchange Admins to control group memberships (actually I’d even like to discuss if this is necessary – usually group membership administration is not done in the same instance where groups are mail-enabled – the first one would be a generic help-desk task, the second an Exchange-Admin 
task).&lt;/p&gt;  &lt;p&gt;I’d also prefer – if OUs are touched – that if the organization decided to block security inheritance at one point that a new version of some software shouldn’t go beyond that point but respect the design but warn them about the consequences.&lt;/p&gt;  &lt;p&gt;The second suggestion makes sure that new OUs will get the permissions by default when creating the OU.&lt;/p&gt;  &lt;p&gt;The third suggestion makes me think about two things:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;is there no process for infrastructure critical changes as changing the adminSdHolder (I’d think that the Active Directory Product Group should be involved if something as this is happening, how should they ensure security if other groups are mangling around with their mechanisms)? &lt;/li&gt;    &lt;li&gt;why is this coming up in RC? If a product is at Release Candidate Level, it’s mostly finished and usually there are not this many changes approved afterwards (unless they are critical). I hope that this will be fixed! 
&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Thanks David for finding this one, very interesting, and I hope it’ll be fixed!&lt;/p&gt;  &lt;p&gt;See &lt;a href="http://dloder.blogspot.com/2009/08/exchange-2010-rc1-and-adminsdholder.html"&gt;Davids Blog for his post&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;See &lt;a href="http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx"&gt;my blog-post about AdminSdHolder&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;And since I wanted to mention this: if you are in Europe (or want to come), &lt;a href="http://www.theexpertsconference.com"&gt;The Experts Conference (TEC)&lt;/a&gt; is in Berlin next week and it is THE place for Active Directory and Exchange.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1721817" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Technical+Stuff/default.aspx">Technical Stuff</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Security/default.aspx">Security</category></item><item><title>Windows Server 2008 R2 (and Windows 7) availability</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2009/06/03/windows-server-2008-r2-and-windows-7-availability.aspx</link><pubDate>Wed, 03 Jun 2009 08:59:32 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1693700</guid><dc:creator>Ulf B. 
Simon-Weidner</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1693700</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2009/06/03/windows-server-2008-r2-and-windows-7-availability.aspx#comments</comments><description>&lt;p&gt;Hyper-Excited: Windows Server 2008 R2 and Windows 7 will be finalized in the second half of July, which is when they will become available for Partners and MSDN a.s.o., and broadly available (Stores, on new PCs a.s.o.) at the End of October!!!&lt;/p&gt;  &lt;p&gt;Windows Server Division Weblog:   &lt;br /&gt;&lt;a title="http://blogs.technet.com/windowsserver/archive/2009/06/02/windows-server-2008-r2-rtm-and-general-availability.aspx" href="http://blogs.technet.com/windowsserver/archive/2009/06/02/windows-server-2008-r2-rtm-and-general-availability.aspx"&gt;http://blogs.technet.com/windowsserver/archive/2009/06/02/windows-server-2008-r2-rtm-and-general-availability.aspx&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Windows 7 Teamblog:   &lt;br /&gt;&lt;a title="http://windowsteamblog.com/blogs/windows7/archive/2009/06/02/the-date-for-general-availability-ga-of-windows-7-is.aspx" href="http://windowsteamblog.com/blogs/windows7/archive/2009/06/02/the-date-for-general-availability-ga-of-windows-7-is.aspx"&gt;http://windowsteamblog.com/blogs/windows7/archive/2009/06/02/the-date-for-general-availability-ga-of-windows-7-is.aspx&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Woohooo!!!&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1693700" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Technical+Stuff/default.aspx">Technical Stuff</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category><category 
domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Windows+Server/default.aspx">Windows Server</category></item><item><title>Contacts displayed as containers</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2009/05/17/contacts-displayed-as-containers.aspx</link><pubDate>Sun, 17 May 2009 08:58:01 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1692559</guid><dc:creator>Ulf B. Simon-Weidner</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1692559</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2009/05/17/contacts-displayed-as-containers.aspx#comments</comments><description>&lt;p&gt;At &lt;a href="http://www.msteched.com/" target="_blank"&gt;TechEd&lt;/a&gt; I was staffing the Windows Server 2008 R2 Active Directory booth. We had a lot of interesting questions, scenarios and discussions there.&lt;/p&gt;  &lt;p&gt;One interesting issue was a customer who asked us why his contacts in Active Directory are being displayed as containers and how he can turn that off. Actually this took us some time to look into. He had two forests – when he was targeting Active Directory-Users and –Computers against one forest, his contacts were displayed as containers (meaning there was a plus-symbol right next to them and you were able to see them in the tree, with no objects underneath). On the other forest the contacts weren’t displayed as containers.&lt;/p&gt;  &lt;p&gt;So we had to figure out what’s going on there. And what I’ve actually found is quite interesting, and I believe that more companies are running into this, so I found it worth documenting on the web.&lt;/p&gt;  &lt;p&gt;So what’s going on is that we found out the one forest was extended with the Windows Server 2008 Schema (adprep /forestprep) but the customer is still running Windows Server 2003 DCs. 
In the Schema of Windows Server 2003 by default there are no objects which can be “underneath” a contact [&lt;a&gt;1&lt;/a&gt;]. In the Windows Server 2008 Schema there are two new objects which can be underneath a contact. Those are ms-net-ieee-80211-grouppolicy and ms-net-ieee-8023-grouppolicy. You can check this by querying the attribute allowedChildClassesEffective on a contact – this is a constructed attribute which tells you which object classes may be created underneath the current object, more specifically which classes the currently logged on user can create underneath the current object (taking permissions into account). [&lt;a&gt;2&lt;/a&gt;]&lt;/p&gt;  &lt;p&gt;&lt;font face="Courier New"&gt;&lt;strong&gt;dsquery * &amp;quot;cn=My Contact,ou=…,dc=…&amp;quot; -scope base -attr allowedChildClassesEffective&lt;/strong&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;In Powershell v2 (which ships with Windows Server 2008 R2 and in RSAT for Win7 (needs to be installed, see [&lt;a&gt;3&lt;/a&gt;])) you can use the following command (make sure that the Active Directory module is loaded, either use the shortcut or &lt;font face="Courier New"&gt;import-module ActiveDirectory&lt;/font&gt;):&lt;/p&gt;  &lt;p&gt;&lt;font face="Courier New"&gt;&lt;strong&gt;get-adobject -identity &amp;quot;cn=My Contact,ou=…,dc=…&amp;quot; -properties allowedChildClassesEffective&lt;/strong&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;In Active Directory-Users and –Computers there is an option in the view menu which allows you to specify whether you’d like to see users, computers and groups as containers or not. In the version which ships with Windows Server 2008 (or is in the Remote Server Administration Tools of Vista and above) this setting is extended to apply to contacts as well. 
This setting is local to the computer and overrides any settings in the schema.&lt;/p&gt;  &lt;p&gt;So apparently Active Directory-Users and –Computers is querying the schema, sees that contacts may contain other objects and is displaying them as containers, whether you’ve set the view option or not (in Windows Server 2003 R2 and before) because it doesn’t apply to contacts. This is fixed with the versions which are shipping in Windows Server 2008 or RSAT for Vista and higher.&lt;/p&gt;  &lt;p&gt;So if you extended the schema to Windows Server 2008 (R2), but your management consoles are still running on Windows Server 2003 (R2) / Windows XP and prior, you’ll see contacts as containers.&lt;/p&gt;  &lt;p&gt;There would be a workaround – there is a setting in the display specifiers which modifies this behavior. It’s in cn=contact-display,cn=409,cn=DisplaySpecifiers,cn=configuration,dc… (your forest-root domain DN; you’ll also have to exchange the 409 with your language version, where 409 equals US-English, 407 would be German a.s.o.). So the workaround is to navigate to the contact-display object, then change the value of the “treatAsLeaf” attribute to TRUE (by default it’s &amp;lt;not set&amp;gt;) [&lt;a&gt;4&lt;/a&gt;].&lt;/p&gt;  &lt;p&gt;While this workaround will work, I wouldn’t actually recommend it; in my eyes the “bug” is not annoying enough that you’d change something in the configuration context. On the other hand, this setting is quite unimportant. So it’s up to you, however as soon as you start working with the Windows Server 2008 (R2) management consoles this won’t annoy you anymore. 
So keep migrating ;)&lt;/p&gt;  &lt;p&gt;Ulf&lt;/p&gt;  &lt;p&gt;--- &lt;/p&gt;  &lt;p&gt;[&lt;a name="tag1"&gt;1&lt;/a&gt;] It’s actually not defined on the object what kind of objects can be underneath it, but on the child objects which possible superiors they may have.&lt;/p&gt;  &lt;p&gt;[&lt;a name="tag2"&gt;2&lt;/a&gt;] IMHO scripting or programming best practice would mean to query an object for allowedChildClassesEffective prior to creating a child object, to make sure that the current user has the right to create the object.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/ulfbsimonweidner/image_5F00_19EDB0A9.png"&gt;&lt;img style="border-right-width:0px;display:inline;border-top-width:0px;border-bottom-width:0px;margin-left:0px;border-left-width:0px;margin-right:0px;" title="image" border="0" alt="image" align="right" src="http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/ulfbsimonweidner/image_5F00_thumb_5F00_709668AA.png" width="244" height="214" /&gt;&lt;/a&gt;[&lt;a&gt;3&lt;/a&gt;] The Remote Server Administration Tools for Windows 7 include the Powershell module for Active Directory. If you open the generic Powershell window you’ll have to &lt;font face="Courier New"&gt;import-module ActiveDirectory&lt;/font&gt; first (there’s a shortcut installed in Administrative Tools which starts Powershell with this module loaded instead). Note that the PS provider relies on the Active Directory Web Service (ADWS), so you need one Windows Server 2008 R2 Domain Controller. ADWS is also announced to be available as an out-of-band release/hotfix for Windows Server 2003 and 2008, however this is currently not available. 
Win7 and WS2k8R2 are also just Release Candidates at this point, however I already want to mention how to do things using PSv2 since we have to get used to this in the AD world (and it’s pretty impressive actually what you can do with it easily).&lt;/p&gt;  &lt;p&gt;[&lt;a name="tag4"&gt;4&lt;/a&gt;] Boolean values in Active Directory are kind of weird – there are three states as opposed to two – either TRUE, FALSE or &amp;lt;not set&amp;gt; if the attribute is empty. Also, the reason for a boolean value in general is to save space; usually you only need one bit. However, in AD the string of the word TRUE or FALSE is stored.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1692559" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Technical+Stuff/default.aspx">Technical Stuff</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/TechEd/default.aspx">TechEd</category></item><item><title>Rumors about AD-Snapshots</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2008/08/04/rumors-about-ad-snapshots.aspx</link><pubDate>Mon, 04 Aug 2008 15:17:43 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1643301</guid><dc:creator>Ulf B. 
Simon-Weidner</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1643301</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2008/08/04/rumors-about-ad-snapshots.aspx#comments</comments><description>&lt;p&gt;I&amp;#39;ve recently heard / read some rumors about AD-Snapshots. As I wrote before in &lt;a href="http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/05/09/timetraveling-active-directory.aspx" target="_blank"&gt;Timetraveling Active Directory&lt;/a&gt;, the new feature of Active Directory in Windows Server 2008 - AD-Snapshots or &amp;quot;the Database Mounting Tool&amp;quot; (as Microsoft calls the technology) - lets you look at a snapshot / backup and can help you recovering data from older states of your Active Directory. I&amp;#39;ve also spoken about this and demoed it in my &amp;quot;A Directory Services Geek&amp;#39;s View on Active Directory Recovery in Windows Server 2008&amp;quot; session, which was so far presented at TechEd Europe 2007 in Barcelona, the German &lt;a href="http://www.microsoftlaunch2008.de" target="_blank"&gt;Windows Server 2008 Launch&lt;/a&gt; in Frankfurt, the Directory Experts Conference 2008 in Chicago, TechEd US 2008 in Orlando, and which will be presented at &lt;a href="http://www.ice-linngen.de" target="_blank"&gt;ICE-Lingen&lt;/a&gt; (in Lingen &lt;img src="http://msmvps.com/emoticons/emotion-5.gif" alt="Wink" /&gt;) at the end of August. 
I&amp;#39;ve also written articles about this in the &lt;a title="IT-Administrator" href="http://www.it-administrator.de" target="_blank"&gt;IT-Administrator&lt;/a&gt; in March and April this year.&lt;/p&gt; &lt;p&gt;So some rumors:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;a mounted database will show you all partitions, however Microsoft only supports the domain partition; the other partitions are not supported.&lt;/li&gt; &lt;li&gt;As far as I know it is not supported to recover from snapshots at all; however it works, but you have to script. As I mentioned, the process is:&lt;/li&gt; &lt;ol&gt; &lt;li&gt;Creating a snapshot with NTDSUtil (ntdsutil -&amp;gt; snapshot -&amp;gt; Activate Instance NTDS -&amp;gt; Create)&lt;br /&gt;&lt;em&gt;or&lt;/em&gt;&lt;br /&gt;Backing up the system state (wbadmin start systemstatebackup -backuptarget:s:)&lt;/li&gt; &lt;li&gt;Mounting a snapshot in the filesystem (ntdsutil -&amp;gt; snapshot -&amp;gt; list all -&amp;gt; mount xyz)&lt;br /&gt;&lt;em&gt;or&lt;/em&gt;&lt;br /&gt;Restoring the system state to an alternative location (wbadmin start systemstaterecovery -version:07/07/2008-14:41 -recoveryTarget:e:\recovery\)&lt;/li&gt; &lt;li&gt;Starting the snapshot / restored NTDS.dit as a read-only directory (dsamain -dbpath c:\$snap...\ntds\ntds.dit -ldapport 10000)&lt;/li&gt; &lt;li&gt;Reanimating the tombstone of the user(s) in question&lt;/li&gt; &lt;li&gt;Getting back additional data out of the snapshot and into production using scripts or ldifde.exe, see my post about converting the LDIF: &lt;a href="http://msmvps.com/blogs/ulfbsimonweidner/archive/2008/03/02/converting-ldif-files.aspx" target="_blank"&gt;Converting LDIF-Files&lt;/a&gt;&lt;/li&gt; &lt;li&gt;Fixing backlinks: This is not easily done using LDIFs. Remember that backlinks are not writeable, so you have to retrieve the backlink, then update the forward link in question. Using LDIFDE this would be hard to accomplish. 
Most of the time we care about group memberships, and then we can also use a one-line command (dsget reads the memberships from the mounted snapshot on port 10002, dsmod adds the user back to those groups in production):&lt;/li&gt; &lt;table&gt;  &lt;tr&gt; &lt;td&gt;&lt;pre&gt;dsget user cn=Ulf,ou=Demo,dc=xyz,dc=com -s localhost:10002 -memberof &lt;br /&gt;  | dsmod group -addmbr cn=Ulf,ou=Demo,dc=xyz,dc=com&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/ol&gt;
&lt;li&gt;you could retrieve information from other partitions, but you&amp;#39;ll also have to script it and be aware that it&amp;#39;s not supported from Microsoft&lt;/li&gt;
&lt;li&gt;One rumor I&amp;#39;ve recently read: Using ntdsutil to perform an authoritative restore without rebooting in Directory Service Restore Mode. This is also not supported. The only supported way to perform an authoritative restore is in DSRM. However I&amp;#39;ve talked to some of the developers, and they said it&amp;#39;ll work as long as you are rebooting instantly after performing the authoritative restore (to make sure that caches and everything is cleaned), so you can do it without DSRM (stopping AD, performing the non-authoritative and the authoritative restore, then rebooting the machine without restarting AD prior). However it&amp;#39;s not supported!!!!&lt;/li&gt;
&lt;li&gt;There are tools out there to help you recovering from a snapshot:&lt;/li&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a title="http://www.one-identity.net/tools/snapshot/" href="http://www.one-identity.net/tools/snapshot/"&gt;http://www.one-identity.net/tools/snapshot/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a title="http://lindstrom.nullsession.com/?page_id=11" href="http://lindstrom.nullsession.com/?page_id=11"&gt;http://lindstrom.nullsession.com/?page_id=11&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;
&lt;p&gt;If you speak German and you are unable to attend &lt;a href="http://www.ice-lingen.de" target="_blank"&gt;ICE&lt;/a&gt; you can see my session at the German Launchevent &lt;a href="http://www.microsoft.com/germany/msdn/launch2008/videos/default.mspx?cxt_filter=Ulf%20Simon-Weidner" target="_blank"&gt;Online&lt;/a&gt;. If you attend ICE come there, the session has been updated &lt;img src="http://msmvps.com/emoticons/emotion-5.gif" alt="Wink" /&gt;.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1643301" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Technical+Stuff/default.aspx">Technical Stuff</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/TechEd/default.aspx">TechEd</category></item><item><title>How many Infrastructure Masters do you have?</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2008/07/31/how-many-infrastructure-masters-do-you-have.aspx</link><pubDate>Thu, 31 Jul 2008 12:09:09 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1642803</guid><dc:creator>Ulf B. 
Simon-Weidner</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1642803</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2008/07/31/how-many-infrastructure-masters-do-you-have.aspx#comments</comments><description>&lt;p&gt;There are certain roles in Active Directory - which is a multi-master directory (meaning that every DC can write if he&amp;#39;s a member of the domain) - which need a &amp;quot;single master&amp;quot;, someone who takes care that certain things are only performed once and are unique.&lt;/p&gt; &lt;p&gt;As we should know, there are five of those &amp;quot;Flexible Single Master Operations&amp;quot;-Masters (FSMOs) (however let&amp;#39;s not get into the discussion why they are called &amp;quot;Flexible&amp;quot; - back in the NT5-beta-days (beta of Windows 2000) they were even called &amp;quot;Floating&amp;quot;). Two are unique in the forest, and three are unique in the domain.&lt;/p&gt; &lt;p&gt;FSMOs per forest:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;strong&gt;Schema-Master&lt;/strong&gt;: guess what - someone has to be responsible for updating the schema and making sure that it&amp;#39;s unique. What a surprise!&lt;/li&gt; &lt;li&gt;&lt;strong&gt;Domain Naming Master&lt;/strong&gt;: Same for certain names in the forest, which need to be unique.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;FSMOs per domain:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;strong&gt;PDC-Emulator&lt;/strong&gt;: the most complex and most important role. Not only responsible for replicating AD-content to NT4-BDCs (not in Windows Server 2008 anyways), but the PDC-Emulator is also the last instance for password changes, he&amp;#39;s targeted by the Group Policy Object Editor, takes care of AD-integrated DFS-Namespaces, the PDC-E of the forest-root-domain is responsible for providing the right time to all members of the forest, a.s.o. 
He&amp;#39;s important, and you need him even if you don&amp;#39;t have NT4 in your domain anymore (hopefully - it&amp;#39;s gray-haired by now).&lt;/li&gt; &lt;li&gt;&lt;strong&gt;RID-Master&lt;/strong&gt;: My favorite role, since he reminds me of the account managers at the Octoberfest. Every year we take a lot of customers to the Octobeerfest &lt;img src="http://msmvps.com/emoticons/emotion-5.gif" alt="Wink" /&gt;. Someone is assigned per table to get beer-coupons for everyone. If he&amp;#39;s running out he has to go to the responsible account manager to get another stack. The RID-Master is doing the same. He&amp;#39;s making sure that the RID (the last part of the security identifier) is unique per domain by giving every DC a stack of RIDs to issue, and if a DC is running out of RIDs (meaning that its stack is half-empty / half-full) it&amp;#39;s requesting the next RID-Pool from the RID-Master.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;Infrastructure-Master&lt;/strong&gt;: He&amp;#39;s the one who makes sure that cross-domain memberships are being taken care of (what a sentence). So what he&amp;#39;s really doing is comparing group-memberships and other cross-domain links against other domains (in the GC), and if some link is targeted at another domain in the forest he&amp;#39;s taking care to create a phantom so that all DCs know what the link-target is. Why is that? Let&amp;#39;s get out of the &amp;quot;bullet-points&amp;quot;.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;If we look at the AD-Database (which is not being replicated - AD does take care of replication - the database is the local store per domain controller) there are two major tables in the database: the data-table and the link-table. Every row in the data-table is a single object, which is referenced by the &amp;quot;Distinguished Name Tag (DNT)&amp;quot;. 
This is a unique ID for each object in the database (per domain controller - across domain controllers it is very unlikely that the same object has the same DNT - as I said - replication is on the application layer and not on the Database-Layer). Then there is the link-table. The Link-Table is taking care of all links. So all group-members vs. user-member-ofs a.s.o. are stored there with their DNTs. If the DC needs to enumerate group members, he&amp;#39;s simply searching in the link-table for the &amp;quot;link-source&amp;quot; and enumerates their targets; if he&amp;#39;s looking for the member-of information of a user he&amp;#39;s searching for the link-destination and enumerates their sources. Sounds logical? Hopefully.&lt;/p&gt; &lt;p&gt;But remember that groups (like other links) may contain objects of other domains. How would we be able to reference those? They don&amp;#39;t have a row and don&amp;#39;t have a DNT in the domain database. That&amp;#39;s where the Infrastructure-Master kicks in. He&amp;#39;s taking care to create phantom-objects for objects which are referenced in a domain but which are from a foreign domain. So those objects are being created as &amp;quot;small versions of those objects&amp;quot; in the domain where they are referenced. They are even smaller than the partial attribute set which makes it into the Global Catalog. I&amp;#39;ve already blogged about the &lt;a href="http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx" target="_blank"&gt;Global Catalog vs. Infrastructure Master&lt;/a&gt; dependency, so for this discussion go there. Also you can look at the Knowledgebase-Article &amp;quot;KB 248047: &lt;a href="http://support.microsoft.com/kb/248047" target="_blank"&gt;Phantoms, tombstones and the infrastructure master&lt;/a&gt;&amp;quot; on TechNet. 
The last parts about cross-domain references are the interesting ones in this context.&lt;/p&gt; &lt;p&gt;So how many FSMO-Role owners do we have in our forest?&lt;/p&gt; &lt;ul&gt; &lt;li&gt;There is one Schema-Master.&lt;/li&gt; &lt;li&gt;There is one Domain Naming Master.&lt;/li&gt; &lt;li&gt;The number of PDC-Emulators is the same as the number of domains.&lt;/li&gt; &lt;li&gt;The number of RID-Masters is the same as the number of domains.&lt;/li&gt; &lt;li&gt;The number of Infrastructure Masters is ...&lt;/li&gt;&lt;/ul&gt; &lt;h2&gt;How many infrastructure masters do we have?&lt;/h2&gt; &lt;p&gt;Most would say &amp;quot;as many as we have domains&amp;quot;. Wrong!&lt;/p&gt; &lt;p&gt;And that&amp;#39;s the interesting part - we do have one Infrastructure Master per domain, that&amp;#39;s correct. But - remember that Windows Server 2003 introduced Application Partitions? We would be able to have link-references (they could even be cross-partition, not just cross-domain) in an application partition as well. However, if the &amp;quot;Domain Infrastructure Master&amp;quot; doesn&amp;#39;t hold a copy of the application partition (which has a separate and configurable replication scope - one of our customers has one application partition per site but cross-domain), how would he be able to take care of those cross-partition references? He wouldn&amp;#39;t be able to, there&amp;#39;s no way he could do this.&lt;/p&gt; &lt;p&gt;Therefore we have one infrastructure master per domain, plus one per application partition. 
So by default, if you have a Windows Server 2003 or higher forest with the default application partitions (for DNS, the forestDnsZones and domainDnsZones), let&amp;#39;s assume five domains, then you have:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;1 Schema Master&lt;/li&gt; &lt;li&gt;1 Domain Naming Master&lt;/li&gt; &lt;li&gt;5 PDC-Emulators&lt;/li&gt; &lt;li&gt;5 RID-Masters&lt;/li&gt; &lt;li&gt;11 Infrastructure Masters (5 Domain Infrastructure Masters + 1 for the forestDnsZones + 5 for the domainDnsZones of each domain - however they may reside on the same DC)&lt;/li&gt;&lt;/ul&gt; &lt;h2&gt;Where can I see the application partitions&amp;#39; infrastructure masters?&lt;/h2&gt; &lt;p&gt;To see where the IMs of the application partitions reside, you have to go into Active Directory with any tool like adsiedit.msc, ldp or whatever you prefer. Connect to the application partition, navigate to the &lt;strong&gt;&lt;em&gt;cn=Infrastructure&lt;/em&gt;&lt;/strong&gt;-object underneath the application partition&amp;#39;s root, and look at the &lt;strong&gt;&lt;em&gt;fSMORoleOwner&lt;/em&gt;&lt;/strong&gt;-Attribute. It&amp;#39;s pointing to the NTDS Settings-Object of the server who currently holds the role. You can also use dsquery to do this:&lt;/p&gt; &lt;table&gt;  &lt;tr&gt; &lt;td&gt;&lt;pre&gt;dsquery * cn=Infrastructure,dc=domainDnsZones,dc=example,dc=com -attr fSMORoleOwner&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;
&lt;p&gt;If you want to figure out what partitions you have in the forest, you can use the following command:&lt;/p&gt;
&lt;table&gt;

&lt;tr&gt;
&lt;td&gt;&lt;pre&gt;dsquery * cn=partitions,cn=configuration,dc=example,dc=com -attr nCName&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;
&lt;p&gt;And if we only want application partitions, we add the filter (systemflags=5), which means that we are looking for all partitions which don&amp;#39;t replicate to the global catalog, which is the case for application partitions (Note: that is also why App-IMs may reside on GCs &lt;img src="http://msmvps.com/emoticons/emotion-5.gif" alt="Wink" /&gt; ):&lt;/p&gt;
&lt;table&gt;

&lt;tr&gt;
&lt;td&gt;&lt;pre&gt;dsquery * cn=partitions,cn=configuration,dc=example,dc=com -filter &amp;quot;(systemflags=5)&amp;quot; -attr nCName&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;
&lt;p&gt;And for those of you who like small one-line commands, this one figures out who the infrastructure master is for all application partitions (as said, all in one line): &lt;/p&gt;
&lt;table&gt;

&lt;tr&gt;
&lt;td&gt;&lt;pre&gt;for /f %i in (&amp;#39;dsquery * &amp;quot;cn=partitions,cn=configuration,dc=example,dc=com&amp;quot;&lt;br /&gt;-filter &amp;quot;(systemflags=5)&amp;quot; -attr nCName ^| find /v &amp;quot;nCName&amp;quot;&amp;#39;) do&lt;br /&gt;@echo %i &amp;amp;&amp;amp; dsquery * cn=Infrastructure,%i -attr fSMORoleOwner&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;
&lt;p&gt;Have fun &lt;img src="http://msmvps.com/emoticons/emotion-5.gif" alt="Wink" /&gt;&lt;/p&gt;
&lt;h2&gt;But why do I care about application partitions infrastructure masters?&lt;/h2&gt;
&lt;p&gt;Actually I had a conversation about this in Redmond a couple of years ago, that there&amp;#39;s an infrastructure master for every application partition. I had actually forgotten about this, until a colleague of mine told me about an issue when preparing your forest for Windows Server 2008 Read-Only Domain Controllers (RODCs).&lt;/p&gt;
&lt;p&gt;If you want to prepare your forest for Windows Server 2008 Read-Only Domain Controllers, you have to run &amp;quot;adprep /rodcprep&amp;quot;. This command is setting permissions so that RODCs are able to replicate content. RODCs are not in the Domain Controllers group, so by default they don&amp;#39;t have sufficient permissions. Since RODCs may hold Active Directory-integrated DNS-Zones, they are also required to have those permissions on the application partitions. Since we cannot be sure that a certain DC holds all application partitions - for the domainDnsZones partitions that is certainly the case if you have multiple domains - and since it&amp;#39;s not guaranteed that the domain&amp;#39;s Infrastructure Master holds the application partitions of this domain (e.g. if he&amp;#39;s not a DNS-Server, he doesn&amp;#39;t hold the domainDnsZones of his own domain either), Microsoft decided to target the IMs with this command (we are still at &amp;quot;adprep /rodcprep&amp;quot;).&lt;/p&gt;
&lt;p&gt;Many companies have either reinstalled DCs or taken DCs down. One of the DCs which has often been taken down is the first DC in the forest, either because he&amp;#39;s being upgraded from a previous OS or because of old hardware, hardware failures a.s.o. However, the first DC in the forest also holds the application partition infrastructure master (let&amp;#39;s introduce the acronyms AP-IM and D-IM, the second for the domain&amp;#39;s infrastructure master) for the forestDnsZones and for the domainDnsZones of the forest root domain. When administrators took down those DCs, they moved the FSMOs because they know it&amp;#39;s the right thing to do. However, if you use either the MMCs or ntdsutil to move the FSMOs (KB 324801: &lt;a href="http://support.microsoft.com/kb/324801" target="_blank"&gt;How to view and transfer FSMO roles in Windows Server 2003&lt;/a&gt; and KB 255504: &lt;a href="http://support.microsoft.com/kb/255504" target="_blank"&gt;Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller&lt;/a&gt;) the AP-IM will not be moved automatically.&lt;/p&gt;
&lt;p&gt;So it is very likely that a company has application partitions which do not have an infrastructure master, because the server is offline/removed and the role hasn&amp;#39;t been transferred.&lt;/p&gt;
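&lt;p&gt;To find exactly those orphaned application partition infrastructure masters, here is a PowerShell health check added as an example (it is not code from the original post or from Microsoft): it enumerates the application partitions the same way as the dsquery one-liner above and flags every partition whose fSMORoleOwner still points at a deleted NTDS Settings object. It assumes the ActiveDirectory module from RSAT and that the queried DC hosts the partitions it reports on.&lt;/p&gt;

```powershell
# Added example, not code from the original post: report the Infrastructure Master
# of every application partition and flag partitions whose fSMORoleOwner still points
# at a deleted NTDS Settings object (the orphaned AP-IM situation described above).
# Assumes the ActiveDirectory module (RSAT) and a DC reachable with the current
# credentials; the DC queried must host the application partitions it should report on.
Import-Module ActiveDirectory

function Get-AppPartitionInfrastructureMaster {
    [CmdletBinding()]
    param(
        # Optional domain controller to query. Partitions this DC does not hold
        # cannot be inspected from it and are reported with Status 'NotHostedOnServer'.
        [string]$Server
    )

    $common = @{ ErrorAction = 'Stop' }
    if ($Server) { $common['Server'] = $Server }

    $rootDse      = Get-ADRootDSE @common
    $partitionsDn = "CN=Partitions,$($rootDse.configurationNamingContext)"

    # systemFlags=5 selects the crossRef objects of application partitions (naming
    # contexts not replicated to the GC), the same filter as the dsquery one-liner.
    $crossRefs = Get-ADObject @common -SearchBase $partitionsDn -SearchScope OneLevel -LDAPFilter '(systemFlags=5)' -Properties nCName

    foreach ($crossRef in $crossRefs) {
        $nc      = [string]$crossRef.nCName
        $infraDn = "CN=Infrastructure,$nc"

        try {
            # Base-scope search on the partition itself; fails if this DC does not hold it.
            $infra = Get-ADObject @common -SearchBase $infraDn -SearchScope Base -LDAPFilter '(objectClass=*)' -Properties fSMORoleOwner
        } catch {
            [pscustomobject]@{ Partition = $nc; RoleOwner = $null; Server = $null; Status = 'NotHostedOnServer' }
            continue
        }

        $owner = [string]$infra.fSMORoleOwner
        if (-not $owner) {
            $status = 'NoRoleOwner'
            $dc     = $null
        } else {
            # The owner is an NTDS Settings DN (CN=NTDS Settings,CN=DCNAME,CN=Servers,...),
            # so the second RDN names the server. A deleted owner keeps its DN, but the first
            # RDN carries the "0ADEL:" marker (escaped newline, DEL, object GUID).
            $dc     = (($owner -split ',')[1]) -replace '^CN=', ''
            $status = if ($owner -match '\\0ADEL:') { 'RoleOwnerDeleted' } else { 'OK' }
        }

        [pscustomobject]@{ Partition = $nc; RoleOwner = $owner; Server = $dc; Status = $status }
    }
}

# Example run: show everything, then only the partitions that need fixing.
$report = Get-AppPartitionInfrastructureMaster
$report | Format-Table Partition, Server, Status -AutoSize
$report | Where-Object { $_.Status -ne 'OK' }
```

Any partition listed with Status RoleOwnerDeleted or NoRoleOwner is one where adprep /rodcprep will not find a reachable role owner until fSMORoleOwner is set to the NTDS Settings object of a live DC.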
&lt;h2&gt;Is it critical if the application partition infrastructure master is not available anymore?&lt;/h2&gt;
&lt;p&gt;No, in most cases it&amp;#39;s not. E.g. the default application partitions are used by DNS only, and only store the DNS-Zones and the dnsNode-Objects which reflect the records. They don&amp;#39;t use links, therefore there&amp;#39;s no need for an infrastructure master at those application partitions. However, you need to fix this for sure if you want to introduce Windows Server 2008 Read-Only Domain Controllers, to be able to run &amp;quot;adprep /rodcprep&amp;quot;. You can do this manually by simply changing the attribute &lt;strong&gt;&lt;em&gt;fSMORoleOwner&lt;/em&gt;&lt;/strong&gt; of the &lt;em&gt;&lt;strong&gt;cn=Infrastructure,dc=&lt;/strong&gt;&amp;lt;your-application-partitions-dn&amp;gt;-&lt;/em&gt;Object to the distinguishedName of the NTDS Settings-Object of the server who&amp;#39;s supposed to hold the role. The issue is also described in KB 949257: &lt;a href="http://support.microsoft.com/kb/949257" target="_blank"&gt;Error message when you run the &amp;quot;Adprep /rodcprep&amp;quot; command in Windows Server 2008: &amp;quot;Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com&amp;quot;&lt;/a&gt;, which also provides you with a VBScript to change the role owner.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1642803" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Technical+Stuff/default.aspx">Technical Stuff</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Windows+Server/default.aspx">Windows Server</category></item><item><title>IT-Administrator in Heidelberg</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2008/07/16/it-administrator-in-heidelberg.aspx</link><pubDate>Wed, 16 Jul 2008 16:14:52 GMT</pubDate><guid 
isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1641107</guid><dc:creator>Ulf B. Simon-Weidner</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1641107</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2008/07/16/it-administrator-in-heidelberg.aspx#comments</comments><description>&lt;p&gt;I&amp;#39;m writing for the German magazine &lt;a title="IT-Administrator" href="http://www.it-administrator.de" target="_blank"&gt;IT-Administrator&lt;/a&gt;. Recently they&amp;#39;ve published a series about Windows Server 2008 and another about Active Directory-Recovery (in Windows Server 2008), and in August they&amp;#39;ll publish an article about Hyper-V from me.&lt;/p&gt; &lt;p&gt;Recently they&amp;#39;ve asked me if I could present a half-day Workshop in Heidelberg. Last Thursday we did this, and the day was exciting and interesting. A lot of good questions, a very interested audience, and I really enjoyed being there. 
Here are two pictures (and no - I wasn&amp;#39;t just sitting around - for some reason they took the pictures while I was demoing AD-Snapshots):&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;a href="http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/ulfbsimonweidner/P1000044-_2800_2_2900_.jpg" target="_blank"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px;" border="0" alt="P1000044 (2)" src="http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/ulfbsimonweidner/P1000044-_2800_2_29005F00_thumb.jpg" width="244" height="184" /&gt;&lt;/a&gt; &lt;a href="http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/ulfbsimonweidner/P1000046.jpg" target="_blank"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px;" border="0" alt="P1000046" src="http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/ulfbsimonweidner/P1000046_5F00_thumb.jpg" width="244" height="184" /&gt;&lt;/a&gt; &lt;a href="http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/ulfbsimonweidner/P1000048.jpg" target="_blank"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px;" border="0" alt="P1000048" src="http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/ulfbsimonweidner/P1000048_5F00_thumb.jpg" width="244" height="184" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1641107" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Personal/default.aspx">Personal</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Communities/default.aspx">Communities</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active 
Directory</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Windows+Server/default.aspx">Windows Server</category></item><item><title>Why Clients don't (need to) understand the concept of Read-Only Domain Controllers (RODC)</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2008/06/16/why-clients-don-t-need-to-understand-the-concept-of-read-only-domain-controllers-rodc.aspx</link><pubDate>Mon, 16 Jun 2008 17:08:56 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1635721</guid><dc:creator>Ulf B. Simon-Weidner</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1635721</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2008/06/16/why-clients-don-t-need-to-understand-the-concept-of-read-only-domain-controllers-rodc.aspx#comments</comments><description>&lt;p&gt;Hi There,&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;just back from TechEd, it&amp;#39;s time for some technical posts. So one of the questions I got very often is what you need in your infrastructure to deploy read-only Domain Controllers. Along with that question goes what Client-Version of the Operating System is needed that they are able to authenticate with an RODC.&lt;/p&gt; &lt;p&gt; &lt;hr /&gt; &lt;font size="-1"&gt;&lt;strong&gt;What is a RODC?&lt;/strong&gt;&lt;br /&gt;The Read-Only Domain Controller is a new concept in Windows Server 2008. While a regular Domain Controller allows updates to the domain contents on each DC, an RODC is only receiving updates from Full DCs. He will not take any write requests. He is further not replicating any password or cached secrets. This distinguishes him from a NT4 Backup Domain Controller (BDC), who had all passwords stored locally. Also he is - in every other means - a full domain controller and LDAP-Server, also stores all GPOs in Sysvol. 
To allow offline operations (when the WAN to the RODC-Site is failing) Administrators are able to configure whether certain users&amp;#39; passwords are allowed to be cached, by putting them in a group which is in the allow list. There is also a group whose passwords are denied to be cached, even if they are in the allow list. This group contains by default certain administrative accounts, such as domain administrators, enterprise administrators, the operators groups a.s.o.&lt;br /&gt;The RODC is built for the unsecured Branch-Office or for the DMZ/perimeter network, where you are either unable to ensure the physical security of a DC or where the environment is untrusted.&lt;/font&gt;  &lt;hr /&gt;  &lt;p&gt;&lt;/p&gt; &lt;p&gt;So the first thing you need is to prepare your existing infrastructure. The RODC is a Domain Controller, so you need to update the schema. Further the RODC needs some assistance from a Full-DC, so you need to deploy enough Full-DCs to allow replication to the RODCs. For most environments one Full DC should be sufficient (RODCs only replicate inbound, not outbound, which also increases performance and decreases replication traffic), however I&amp;#39;d always prefer a second one to allow redundancy. To prepare the schema you need to perform the forestprep and domainprep operations (adprep /forestprep and adprep /domainprep); if you want to deploy RODCs you also need to perform an adprep /rodcprep in every domain of the forest to allow a Global Catalog on the RODC. However you do not need a Windows Server 2008 DC in Domains where you don&amp;#39;t want to deploy RODCs. A second however: there are other reasons why you should deploy Windows Server 2008 &lt;img src="http://msmvps.com/emoticons/emotion-5.gif" alt="Wink" /&gt;.&lt;/p&gt; &lt;p&gt;But how do RODCs perform certain functions? They can take the role of a Global Catalog server and of a DNS-Server. 
If a client (member-servers might also be clients to Active Directory, even the domain controller itself - his OS - might be a client to AD) tries to write against an RODC, the RODC is using LDAP write referrals to tell the client that he is supposed to write to a different DC (a full Windows Server 2008 DC). LDAP referrals have been defined e.g. in &lt;a href="http://www.ietf.org/rfc/rfc2251.txt" target="_blank"&gt;RFC 2251&lt;/a&gt; back in 1997, so LDAP-applications should be able to follow them.&lt;/p&gt; &lt;p&gt;And how is a logon performed against the RODC? The user is actually performing the logon against the RODC. The RODC is looking in his local AD to verify whether or not he&amp;#39;s able to verify the user&amp;#39;s password. If he has no cached copy of the password he is forwarding the request to a full DC. Further he is requesting the full DC to replicate the password down to him; the full DC checks the allow- and deny-lists and decides whether or not to replicate the password down. The full DC further issues a Kerberos ticket for the client. The RODC is informed that the client may log on, and the RODC is issuing his own Kerberos ticket for the client. All other things of the logon process, such as compiling the token with group membership information and pulling down group policies, are done against the RODC. If the user logs on another time, and the password is cached on the RODC, the RODC does not need to contact the full DC and is able to process the logon request even if the WAN is offline.&lt;/p&gt; &lt;p&gt;The other thing is DNS updates. Clients in the Branch Office (or Remote Office, as we prefer to call it nowadays) are supposed to use the local DNS-Server. However they might update their DNS-Records, which is totally acceptable. But if the RODC is not writeable, and DNS is stored in AD, and actually the DNS-Zones on a RODC are not writeable either, how are those updates performed? This answer is actually quite simple. 
We Windows Admins got spoiled over time, since our DNS-Servers - when the zone is stored in AD - allow updates on any DNS-Server which is also a DC and holds a copy of the AD-integrated Zone. However think back to the concepts of DNS. We always had a single primary DNS-Server who was able to write updates, and multiple secondaries who were just able to answer queries. Clients who want to write in DNS had to request the SOA (start of authority) record for the zone they want to write into. Full DCs who are DNS-Servers with an AD-integrated replica of the Zone were always answering with themselves as SOA (the SOA-Record only allows one Server, and there is only one SOA per Zone, as opposed to Nameserver (NS) Records, of which there can be multiple per DNS-Zone). RODCs don&amp;#39;t have an SOA for themselves, they hold a SOA which is stating the Name of a Full DC. So that is simple: Clients who want to write into DNS are still (same technology as in the 80s) querying the zone for its SOA, and then they are contacting the Server which is stated in the SOA to write the update. But RODCs provide some intelligence as well - if a client was contacting them for the SOA they wait for a moment to allow the client to update his record, then they are requesting a single-object-replication from the Full DC for the client&amp;#39;s DNS-Record so that the DNS-Information at the client&amp;#39;s site is updated as soon as possible, while any other site will receive it with the regular replication.&lt;/p&gt; &lt;p&gt;So Clients / Memberservers and other machines should be able to run against RODCs. However, there are certain things which might affect this statement:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;The Read-only partial attribute set (RO-PAS): It is possible to define in the schema that certain attributes should not be replicated to RODCs. However the application needs to be aware of this, since those requests are not referred to a full DC.&lt;/li&gt;
&lt;li&gt;Replication latencies: if an application is performing a write request it will be redirected to a full DC. If the application tries to read that data again before replication occurs, the RODC will still return the old data. If you want to make sure that your applications work against RODCs be aware of this issue, and look for a writeable DC when you perform write/readback-operations or make sure that you are not using write/readback (but stick to the RODC if you only perform read operations, otherwise you will slow down your application since it&amp;#39;s always crossing the WAN).&lt;/li&gt; &lt;li&gt;Firewalls: especially in DMZ-Scenarios your clients might not have connectivity to a full DC, so write referrals will fail. Make sure that you don&amp;#39;t need write requests in those scenarios.&lt;/li&gt; &lt;li&gt;WAN-Offline: write operations will also fail in this scenario.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;I hope I was able to shed some light on RODCs; there&amp;#39;s a lot more information available online, e.g. 
look at the following page: &lt;a href="http://technet2.microsoft.com/windowsserver2008/en/library/ff7cb7aa-1964-483f-be8a-0c879d389e331033.mspx?mfr=true" target="_blank"&gt;Application Compatibility with RODCs&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;Ulf&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1635721" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Technical+Stuff/default.aspx">Technical Stuff</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Security/default.aspx">Security</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/TechEd/default.aspx">TechEd</category></item><item><title>Impressions of the Directory Experts Conference</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2008/03/03/impressions-of-the-directory-experts-conference.aspx</link><pubDate>Mon, 03 Mar 2008 20:50:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1532360</guid><dc:creator>Ulf B. Simon-Weidner</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1532360</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2008/03/03/impressions-of-the-directory-experts-conference.aspx#comments</comments><description>&lt;p&gt;Today is day one of the &lt;a href="http://www.dec2008.com/" target="_blank"&gt;Directory Experts Conference&lt;/a&gt; in Chicago. So far the conference has been very good - but that was as expected. 
I had one session today right before lunch, &amp;quot;A Directory Services Geek&amp;#39;s View on Active Directory Recovery in Windows Server 2008&amp;quot;. Went quite well, however the power-plug on stage was switched off so my machine decided to go into sleep-mode during the presentation. For some reason this session is attracting Laptop-issues, during the Launch in Frankfurt the virtual machine decided to &amp;quot;unexpectedly shutdown&amp;quot;. Things happen, that&amp;#39;s part of the fun, isn&amp;#39;t it?&lt;/p&gt;
&lt;p&gt;&lt;a href="http://msmvps.com/blogs/ulfbsimonweidner/WindowsLiveWriter/ImpressionsoftheDirectoryExpertsConferen_1330E/CIMG0031.jpg"&gt;&lt;img style="BORDER-RIGHT:0px;BORDER-TOP:0px;BORDER-LEFT:0px;BORDER-BOTTOM:0px;" height="184" alt="CIMG0031" src="http://msmvps.com/blogs/ulfbsimonweidner/WindowsLiveWriter/ImpressionsoftheDirectoryExpertsConferen_1330E/CIMG0031_thumb.jpg" width="244" border="0" /&gt;&lt;/a&gt;&amp;nbsp; &lt;a href="http://msmvps.com/blogs/ulfbsimonweidner/WindowsLiveWriter/ImpressionsoftheDirectoryExpertsConferen_1330E/CIMG0037.jpg"&gt;&lt;img style="BORDER-RIGHT:0px;BORDER-TOP:0px;BORDER-LEFT:0px;BORDER-BOTTOM:0px;" height="184" alt="CIMG0037" src="http://msmvps.com/blogs/ulfbsimonweidner/WindowsLiveWriter/ImpressionsoftheDirectoryExpertsConferen_1330E/CIMG0037_thumb.jpg" width="244" border="0" /&gt;&lt;/a&gt;&amp;nbsp; &lt;a href="http://msmvps.com/blogs/ulfbsimonweidner/WindowsLiveWriter/ImpressionsoftheDirectoryExpertsConferen_1330E/CIMG0039.jpg"&gt;&lt;img style="BORDER-RIGHT:0px;BORDER-TOP:0px;BORDER-LEFT:0px;BORDER-BOTTOM:0px;" height="184" alt="CIMG0039" src="http://msmvps.com/blogs/ulfbsimonweidner/WindowsLiveWriter/ImpressionsoftheDirectoryExpertsConferen_1330E/CIMG0039_thumb.jpg" width="244" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1532360" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Personal/default.aspx">Personal</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Communities/default.aspx">Communities</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category></item><item><title>HEROS happen {here}</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2008/02/21/heros-happen-here.aspx</link><pubDate>Thu, 21 Feb 2008 14:08:26 GMT</pubDate><guid 
isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1520917</guid><dc:creator>Ulf B. Simon-Weidner</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1520917</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2008/02/21/heros-happen-here.aspx#comments</comments><description>&lt;p&gt;For the past three days I was at the &lt;a href="http://www.microsoftlaunch2008.de/" target="_blank"&gt;Microsoft Launch Event Germany&lt;/a&gt;, the first and, as we were told, biggest (by the number of attendees) Launch for Windows Server 2008, Visual Studio 2008 and SQL Server 2008. I did three presentations:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Active Directory-Domänendienste in Windows Server 2008&lt;br /&gt;&lt;em&gt;(Active Directory-Domainservices in WS2k8)&lt;/em&gt;&lt;/li&gt; &lt;li&gt;Erfahrungen eines Directory Services-Experten mit Sicherheit und Delegation im Active Directory&lt;br /&gt;&lt;em&gt;(A Directory Services-Geek&amp;#39;s View on Access Control Entries)&lt;/em&gt;&lt;/li&gt; &lt;li&gt;Erfahrungen eines Directory Services-Experten mit Active Directory-Recovery mit Windows Server 2008&lt;br /&gt;&lt;em&gt;(A Directory Services Geek&amp;#39;s View on Active Directory-Recovery in Windows Server 2008)&lt;/em&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;The event was very good and very successful as far as I can see. There were minor issues, e.g. on the first day it wasn&amp;#39;t that clear which sessions were in which rooms, and the acoustics were pretty bad in some of the rooms since you were able to hear the speakers in the other rooms as well (luckily two of my presentations were in the good rooms), but over all I was very satisfied. A lot of good and experienced speakers, interested and interesting attendees with good questions and suggestions, a great event. 
Overall there were about 7500 people in Frankfurt attending this event.&lt;/p&gt; &lt;p&gt;I&amp;#39;ve also got a view good ideas for some new blog-posts, so stay tuned.&lt;/p&gt; &lt;p&gt;And now it&amp;#39;s time to get ready for the &lt;a href="http://www.dec2008.com" target="_blank"&gt;Directory Experts Conference 2008 in Chicago&lt;/a&gt; in the first week of March. I&amp;#39;ll also present there the &amp;quot;Directory Services Geek&amp;#39;s View on Active Directory-Recovery in Windows Server 2008&amp;quot; session.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=1520917" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Technical+Stuff/default.aspx">Technical Stuff</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Personal/default.aspx">Personal</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Communities/default.aspx">Communities</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Windows+Server/default.aspx">Windows Server</category></item><item><title>Congrats Microsoft: Windows Server 2008 is RTM</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2008/02/05/congrats-microsoft-windows-server-2008-is-rtm.aspx</link><pubDate>Tue, 05 Feb 2008 07:12:21 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1496737</guid><dc:creator>Ulf B. 
Simon-Weidner</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1496737</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2008/02/05/congrats-microsoft-windows-server-2008-is-rtm.aspx#comments</comments><description>&lt;p&gt;I cannot state it any better: the best Windows Server release ever has been released to manufacturing - Windows Server 2008 is finished.&lt;/p&gt; &lt;p&gt;Windows Server 2008 is very stable and very well done for production use. As I &lt;a href="http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/11/06/done-windows-server-2008-in-production.aspx"&gt;wrote before&lt;/a&gt;, we at &lt;a href="http://www.computacenter.de" target="_blank"&gt;Computacenter&lt;/a&gt; have been using it in production since October 2007, and I have a customer where we have already been running a full shop only on Vista and 2k8 since September (on Beta 3).&lt;/p&gt; &lt;p&gt;And we&amp;#39;ve also done a lot of things; to quickly recap just what we&amp;#39;ve done with customers: a 10-city roadshow in Germany (half-day sessions on WS2k8, the last one will be in Berlin next week), countless presentations at customer or trade shows / events, countless sessions to make sure our staff is ready to sell and deliver WS2k8 solutions, one press release in October, and a couple of references which will be published shortly. We will be at the &lt;a href="http://www.microsoftlaunch2008.de" target="_blank"&gt;German Launch Event&lt;/a&gt; with many people, we are a partner there with a booth, and I&amp;#39;ll deliver 3 sessions plus an interactive one, we have created many flyers and solutions around the product, … just being ready to deliver.&lt;/p&gt; &lt;p&gt;I&amp;#39;m very excited about the new product - let&amp;#39;s start deploying more of it!&lt;/p&gt;
&lt;p&gt;And here are the blogs which will give you a feeling of how it was at Microsoft in the last couple of hours:&lt;/p&gt; &lt;p&gt;&lt;a title="Windows Server 2008 - RTM!!!" href="http://blogs.technet.com/windowsserver/archive/2008/02/04/windows-server-2008-rtm.aspx" target="_blank"&gt;Windows Server 2008 - RTM!!!&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;a title="Windows Server 2008 &amp;ndash; A time to sit back, remember and party!" href="http://blogs.technet.com/windowsserver/archive/2008/02/04/windows-server-2008-a-time-to-sit-back-remember-and-party.aspx" target="_blank"&gt;Windows Server 2008 – A time to sit back, remember and party!&lt;/a&gt;&lt;/p&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Technical+Stuff/default.aspx">Technical Stuff</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Personal/default.aspx">Personal</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Communities/default.aspx">Communities</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Security/default.aspx">Security</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/TechEd/default.aspx">TechEd</category></item><item><title>I'm on the Edge [;)]</title><link>http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/11/22/i-m-on-the-edge.aspx</link><pubDate>Wed, 21 Nov 2007 23:23:05 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1345719</guid><dc:creator>Ulf B. 
Simon-Weidner</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/ulfbsimonweidner/rsscomments.aspx?PostID=1345719</wfw:commentRss><comments>http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/11/22/i-m-on-the-edge.aspx#comments</comments><description>&lt;p&gt;&lt;a href="http://edge.technet.com/"&gt;&lt;img height="64" alt="edge_FULLCOLOR-20" src="http://msmvps.com/blogs/ulfbsimonweidner/WindowsLiveWriter/ImontheEdge_568/clip_image002%5B1%5D.gif" width="132" border="0" /&gt;&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Last week I was at TechEd:IT-Forum in Barcelona. I&amp;#39;ll follow up with more details later. However, the guys from &lt;a href="http://edge.technet.com/" target="_blank"&gt;edge.technet.com&lt;/a&gt; have done an interview with me, which went online last night. I was speaking about my sessions, AD Restore in Windows Server 2008 and Schema Updates.&lt;/p&gt; &lt;p&gt;You can find it currently on the homepage, and here&amp;#39;s the direct link for later:&lt;/p&gt; &lt;p&gt;&lt;a href="http://edge.technet.com/Media/Ulf-on-AD"&gt;Ulf on AD at TechNet Edge&lt;/a&gt;&lt;/p&gt;</description><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Technical+Stuff/default.aspx">Technical Stuff</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Personal/default.aspx">Personal</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Communities/default.aspx">Communities</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/Windows+Server/default.aspx">Windows Server</category><category 
domain="http://msmvps.com/blogs/ulfbsimonweidner/archive/tags/TechEd/default.aspx">TechEd</category></item></channel></rss>