Technical posts about IT

Monthly archives for November, 2011

Powershell Code: Working with a Computer’s Local SAM Accounts & Groups

Nov30
2011 Leave a Comment Written by Sean Metcalf

We know by now how easy it is to work with Active Directory leveraging the many AD commandlets. However, what about when it becomes necessary to get information about a local account or group on a specific computer.

Get a list of administrators on a specific computer:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$Computer = "COMPUTERNAME"
TRY
{ ## OPEN TRY
$ADSIComputer = [ADSI]("WinNT://" + $Computer + ",Computer")
$AdminGroup = $ADSIComputer.PSbase.Children.Find("Administrators")
$AdminGroupMembers= $AdminGroup.PSbase.Invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $Null, $_, $Null)}
} ## CLOSE TRY
CATCH { Write-Warning "Unable to get Administrators Group Membership on $Computer `r " }

Write-Output "$Computer Administrators: `r "
Write-Output "========================= `r "
Write-Output " `r "
ForEach ($Member in $AdminGroupMembers)
{ ## OPEN ForEach Member in AdminGroupMembers
$Member
} ## CLOSE ForEach Member in AdminGroupMembers
Write-Output " `r "


Check for Domain Admins in the local Administrators group on a specific computer:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$Computer = "COMPUTERNAME"
$AdminGroup = [ADSI]"WinNT://$Computer/Administrators,group"
TRY { $AdminGroupMembers = @($AdminGroup.psbase.Invoke("Members")) }
CATCH { ## OPEN Catch
Write-Warning "Could not connect to $Computer. It may be offline. `r "
} ## CLOSE Catch
IF ($AdminGroupMembers)
{ ## OPEN IF AdminGroupMembers contains data
$AdminGroupMembers | ForEach-Object `
{ [array]$AdminGroupMemberList += $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }
ForEach ($Member in $AdminGroupMemberList)
{ ## OPEN ForEach Member in MemberNames
IF ($Member -like "*Domain Admins*")
{ Write-Output "Domain Admins has Administrative rights to $Computer }
} ## CLOSE ForEach Member in MemberNames


Get the name of the default local administrator account

1
2
3
4
 $Computer = "COMPUTERNAME"
$LocalAdminInfo = Get-WmiObject –Query ‘Select * from Win32_UserAccount Where (LocalAccount="True" and SID like "%-500")’ -ComputerName $Computer
$LocalAdmin = $LocalAdminInfo.Name
Write-Output "The local administrator account on $Computer is $LocalAdmin `r "


Set a local admin’s password:

1
2
3
4
5
6
7
$Computer = "COMPUTERNAME"
$LocalAdmin = "Administrator"
$AdminPassword = "NewAdminPassword999!"

$Admin = [adsi]("WinNT://$Computer/$LocalAdmin, user")
Write-Output "Attempting to change password for $computer\$LocalAdmin..." `r
$Admin.psbase.invoke("SetPassword", "$AdminPassword")

Create new user on computer:

1
2
3
4
5
6
7
8
9
10
$Computer = "COMPUTERNAME"
$User = "NewUser"
$Password = "NewPassword999!"

Write-Verbose "Creating $User on $Computer `r "
$ADSIUserCreate = $ADSIComputer.Create("User", $User)
$ADSIUserCreate.setpassword($password)
$ADSIUserCreate.SetInfo()
$ADSIUserCreate.description = ""
$ADSIUserCreate.SetInfo()

Add a user to Administrators Group:

1
2
3
4
5
6
7
8
9
$DomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
$Computer = "COMPUTERNAME"
$User = "NewUser"
Write-Verbose "Adding $User to Administrators group on $Computer `r "
IF ($Computer -like "*$DomainDNS") { $Computer = $Computer -replace(".$DomainDNS") }
Write-Verbose "Adding $User to Administrators group on $Computer `r "
$objUser = [ADSI]("WinNT://$Computer/$User")
$objGroup = [ADSI]("WinNT://$Computer/Administrators")
$objGroup.PSBase.Invoke("Add",$objUser.PSBase.Path)
Google+FacebookEmailPrintShare
Posted in Microsoft Products, Powershell Code, Security, Tech - Tagged , , , , , ,

Active Directory Replication Resources

Nov29
2011 Leave a Comment Written by Sean Metcalf

If you really want a deep dive into Active Directory replication, I highly recommend the following resources:

These two resources will provide more information on AD replication than you probably ever wanted to know.

Some key concepts that are explored:

  • Up-to-dateness vector
  • High watermark
  • USN attributes and their importance in AD
  • Change notification
  • Bridgehead vs. Preferred Bridgehead
  • Site cost, replication interval, and the site link schedule
Google+FacebookEmailPrintShare
Posted in Favorite, Microsoft Products, Tech, Technical Reference - Tagged , , , , , , , ,

Powershell Code: Get AD Domain User Statistics

Nov28
2011 Leave a Comment Written by Sean Metcalf

I have been working on an AD Statistics script for a little while now that provides some basic information about the AD environment.

This Powershell code gathers data from the Active Directory domain for users and displays some user statistics.

Here’s code to get a bunch of information on Users in Active Directory:
NOTE: The LastLogonTimeStamp only replicates about every 14 days by default.

Import-Module ActiveDirectory
Write-Output “Generating AD User Statistics `r “
$DomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name #Get AD Domain (lightweight & fast method)
[int] $UserLogonAge = 180
[int] $UserPasswordAge = 365
$DateTime = Get-Date #Get date/time
$ShortDate = Get-Date -format d
$UserStaleDate = $DateTime.AddDays(-$ComputerPasswordAge)
$NeverLoggedOnDate = $DateTime.AddDays(-365)
$LastLoggedOnDate = $DateTime – (New-TimeSpan -days $UserLogonAge)
$PasswordStaleDate = $DateTime – (New-TimeSpan -days $UserPasswordAge)
$DateTime = Get-Date #Get date/time
$UserStaleDate = $DateTime.AddDays(-$UserPasswordAge)
$NeverLoggedOnDate = $DateTime.AddDays(-365)
$Yesterday = $DateTime.AddDays(-1)
$Yesterday = $Yesterday.ToShortDateString()
[string]$Yesterday = $Yesterday
$Today = $DateTime.ToShortDateString()
[string]$Today = $Today

$1Days = $DateTime.AddDays(-1)
$2Days = $DateTime.AddDays(-2)
$3Days = $DateTime.AddDays(-3)
$4Days = $DateTime.AddDays(-4)
$5Days = $DateTime.AddDays(-5)
$6Days = $DateTime.AddDays(-6)
$7Days = $DateTime.AddDays(-7)
$30Days = $DateTime.AddDays(-30)
$45Days = $DateTime.AddDays(-45)
$60Days = $DateTime.AddDays(-60)
$90Days = $DateTime.AddDays(-90)
$120Days = $DateTime.AddDays(-120)
$180Days = $DateTime.AddDays(-180)

Write-Output “Discovering all users in $ADDomainDNSRoot … `r “
# Gather a list of all users in AD including necessary attributes
[array]$AllUsers = Get-ADUser -filter * -properties Name,DistinguishedName,Enabled,LastLogonDate,LastLogonTimeStamp,LockedOut,msExchHomeServerName,SAMAccountName
$AllUsersCount = $AllUsers.Count
Write-Output “There were $AllUsersCount user objects discovered in $ADDomainDNSRoot … `r “
Write-Output ” `r “

Write-Output “Count Disabled Users `r “
[array] $DisabledUsers = $AllUsers | Where-Object { $_.Enabled -eq $False }
$DisabledUsersCount = $DisabledUsers.Count
[array] $EnabledUsers = $AllUsers | Where-Object { $_.Enabled -eq $True }
$EnabledUsersCount = $EnabledUsers.Count
Write-Output “There are $EnabledUsersCount Enabled users and there are $DisabledUsersCount Disabled users in $DomainDNS `r “

Write-Output “Count Inactive Users that are Enabled `r “
[array] $InactiveUsers = $AllUsers | Where-Object { ($_.PasswordLastSet -lt $UserStaleDate) -and ($_.Enabled -eq $True) }
$InactiveUsersCount = $InactiveUsers.Count
Write-Output “There are $InactiveUsersCount users identified as Inactive (with passwords older than $UserPasswordAge days in $DomainDNS `r “

Write-Output “Count Admin Accounts (accounts with _ad in the name) `r “
[array] $AllAdminAccounts = $AllUsers | Where-Object { ($_.SAMAccountName -like “*_ad”) -or ($_.Name -like “*_ad*”) }
$AllAdminAccountsCount = $AllAdminAccounts.Count
#
[array] $EnabledAdminAccounts = $AllAdminAccounts | Where-Object { $_.Enabled -eq $True }
$EnabledAdminAccountsCount = $EnabledAdminAccounts.Count
Write-Output “There are $EnabledAdminAccountsCount Enabled Admin accounts in $DomainDNS (out of a total of $AllAdminAccountsCount Admin accounts) `r “
#
[array] $ActiveAdminAccounts = $EnabledAdminAccounts | Where-Object { ($_.LastLogonDate -ge $180Days) -and ($_.PasswordLastSet -gt $NeverLoggedOnDate) }
$ActiveAdminAccountsCount = $ActiveAdminAccounts.Count
Write-Output “There are $ActiveAdminAccountsCount Active Admin accounts in $DomainDNS (Active accounts have logged on in the past 6 months and have current passwords) `r “

Write-Output “Count Service Accounts (accounts with SVC in the name) `r “
[array] $AllServiceAccounts = $AllUsers | Where-Object { $_.SAMAccountName -like “*SVC*” }
$AllServiceAccountsCount = $AllServiceAccounts.Count
[array] $EnabledServiceAccounts = $AllServiceAccounts | Where-Object  { $_.Enabled -eq $True }
$EnabledServiceAccountsCount = $EnabledServiceAccounts.Count
Write-Output “There are $EnabledServiceAccountsCount Enabled Service accounts in $DomainDNS (out of a total $AllServiceAccountsCount Service accounts) `r “

Write-Output “Count users with an Exchange Mailbox `r “
[array] $MailboxUsers = $AllUsers | Where-Object { $_.msExchHomeServerName -notlike $NULL }
$MailboxUsersCount = $MailboxUsers.Count
[array] $MailboxEnabledUsers = $MailboxUsers | Where-Object { $_.msExchHomeServerName -notlike $NULL }
$MailboxEnabledUsersCount = $MailboxEnabledUsers.Count
Write-Output “There are $MailboxUsersCount users in $DomainDNS with an Exchange Mailbox. `r “
Write-Output “There are $MailboxEnabledUsersCount Enabled users in $DomainDNS with an Exchange Mailbox. `r “

Write-Output “Count Enabled users who have logged on in the last 30 days `r “
[array] $LastLogon30 = $EnabledUsers | Where-Object { $_.LastLogonDate -ge $30Days }
$LastLogon30Count = $LastLogon30.Count
Write-Output “Out of $EnabledUsersCount Enabled users in $DomainDNS only $LastLogon30Count have logged on in the last 30 days (there may be up to a 14 day margin of error for this count) `r “

Write-Output “Count Enabled users who have logged on in the last 45 days `r “
[array] $LastLogon45 = $EnabledUsers | Where-Object { $_.LastLogonDate -ge $45Days }
$LastLogon45Count = $LastLogon45.Count
Write-Output “Out of $EnabledUsersCount Enabled users in $DomainDNS only $LastLogon45Count have logged on in the last 45 days `r”

Write-Output “Count Enabled users who have logged on in the last 60 days `r “
[array] $LastLogon60 = $EnabledUsers | Where-Object { $_.LastLogonDate -ge $60Days }
$LastLogon60Count = $LastLogon60.Count
Write-Output “Out of $EnabledUsersCount Enabled users in $DomainDNS only $LastLogon60Count have logged on in the last 60 days `r”

Write-Output “Count Enabled users who have logged on in the last 90 days `r”
[array] $LastLogon90 = $EnabledUsers | Where-Object { $_.LastLogonDate -ge $90Days }
$LastLogon90Count = $LastLogon90.Count
Write-Output “Out of $EnabledUsersCount Enabled users in $DomainDNS only $LastLogon90Count have logged on in the last 90 days `r”

Write-Output “Count Enabled users who have logged on in the last 120 days `r”
[array] $LastLogon120 = $EnabledUsers | Where-Object { $_.LastLogonDate -ge $120Days }
$LastLogon120Count = $LastLogon120.Count
Write-Output “Out of $EnabledUsersCount Enabled users in $DomainDNS only $LastLogon120Count have logged on in the last 120 days `r”

Write-Output “Count Enabled users who have logged on in the last 180 days `r”
[array] $LastLogon180 = $EnabledUsers | Where-Object { $_.LastLogonDate -ge $180Days }
$LastLogon180Count = $LastLogon180.Count
Write-Output “Out of $EnabledUsersCount Enabled users in $DomainDNS only $LastLogon180Count have logged on in the last 180 days   `r”

Write-Output “Count All users who have NEVER logged on `r”
[array] $LastLogonNever = $AllUsers | Where-Object { ($_.LastLogonDate -eq $NULL) -and ($_.PasswordLastSet -gt $NeverLoggedOnDate) }
$LastLogonNeverCount = $LastLogonNever.Count
Write-Output “Out of All $AllUsersCount users in $DomainDNS $LastLogonNeverCount have NEVER logged on (no logon date associated with account) `r”

Write-Output “Count users who logged in during the last week `r”
[array] $LastLogon1 = $EnabledUsers | Where-Object { $_.LastLogonDate -le $7days }
$LastLogon1Count = $LastLogon1.Count
Write-Output “$LastLogon1Count Enabled users logged in within the last week  `r”

Write-Output “Count users who logged in yesterday `r”
[array] $LastLogonYesterday = $EnabledUsers | Where-Object { $_.LastLogonDate -like “*$Yesterday*” }
$LastLogonYesterdayCount = $LastLogonYesterday.Count
Write-Output “$LastLogonYesterdayCount Enabled users logged in yesterday  `r”

Write-Output “Count users who logged in today `r”
[array] $LastLogontoday = $EnabledUsers | Where-Object { $_.LastLogonDate -like “*$Today*” }
$LastLogontodayCount = $LastLogontoday.Count
Write-Output “$LastLogontodayCount Enabled users logged in today (so far) `r”

Write-Output “Count enabled users who have accounts locked out `r”
[array] $EnabledLockedUsers = $EnabledUsers | Where-Object { $_.LockedOut -eq $True }
$EnabledLockedUsersCount = $EnabledLockedUsers.Count
Write-Output “$EnabledLockedUsersCount Enabled users are currently locked out `r”

Google+FacebookEmailPrintShare
Posted in Microsoft Products, Powershell Code, Tech - Tagged , , , ,

Powershell Code: Get AD Domain Computer Statistics

Nov27
2011 Leave a Comment Written by Sean Metcalf

I have been working on an AD Statistics script for a little while now that provides some basic information about the AD environment.

This Powershell code gathers data from the Active Directory domain for computers and displays some computer statistics.

Here’s code to get a bunch of information on Computers in Active Directory:
NOTE: The LastLogonTimeStamp only replicates about every 14 days by default. Domain Computers update this attribute at every boot up.

Import-Module ActiveDirectory
Write-Output “Generating AD Computer Statistics  `r “
$DomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name #Get AD Domain (lightweight & fast method)
[int] $ComputerLogonAge = 180
[int] $ComputerPasswordAge = 180
$DateTime = Get-Date #Get date/time
$ShortDate = Get-Date -format d
$LastLoggedOnDate = $DateTime – (New-TimeSpan -days $ComputerLogonAge)
$PasswordStaleDate = $DateTime – (New-TimeSpan -days $ComputerPasswordAge)

Write-Verbose “Getting list of AD Computers `r “
$Time = (Measure-Command `
    {[array] $AllComputers = Get-ADComputer -filter * -properties Name,CanonicalName,Enabled,passwordLastSet,SAMAccountName,LastLogonTimeStamp,DistinguishedName,OperatingSystem }).TotalMinutes  
$AllComputersCount = $AllComputers.Count
Write-Verbose “There were $AllComputersCount Computers discovered in $DomainDNS in $Time minutes…  `r “

Write-Verbose “Count Disabled Computers `r”
[array] $DisabledComputers = $AllComputers | Where-Object { $_.Enabled -eq $False }
$DisabledComputersCount = $DisabledComputers.Count
Write-Verbose “Count Enabled Computers `r”
[array] $EnabledComputers = $AllComputers | Where-Object { $_.Enabled -eq $True }
$EnabledComputersCount = $EnabledComputers.Count
Write-Verbose “There are $EnabledComputersCount Enabled Computers and there are $DisabledComputersCount Disabled Computers in $DomainDNS `r “

Write-Verbose “Count Inactive Computers… `r”
[array] $InactiveComputers = $AllComputers | Where-Object { $_.PasswordLastSet -lt $PasswordStaleDate }
$InactiveComputersCount = $InactiveComputers.Count
Write-Verbose “There are $InactiveComputersCount Computers identified as Inactive (with passwords older than $ComputerPasswordAge days in $DomainDNS  `r “

Write-Verbose “Identifying Workstation computers from the list of Enabled Computers… `r”
$WorkstationComputers = $EnabledComputers |  Where { ($_.OperatingSystem -notlike “*Server*”) -and ($_.OperatingSystem -like “*Windows*”) }
$WorkstationComputersCount = $WorkstationComputers.Count
Write-Verbose “After filtering server objects, There are $WorkstationComputersCount Windows workstations discovered in $ADDomainDNSRoot …  `r ”

Write-Verbose “Identifying Server computers from the list of Enabled Computers…  `r “
$ServerComputers = $EnabledComputers | Where {$_.OperatingSystem -like “*Server*”}
$ServerComputersCount = $ServerComputers.Count
Write-Verbose “After filtering workstation objects, There are $ServerComputersCount Windows Servers discovered in $ADDomainDNSRoot …  `r “

Google+FacebookEmailPrintShare
Posted in Microsoft Products, Powershell Code, Tech - Tagged , , , , , ,

Powershell Code: Get AD Domain Group Statistics

Nov26
2011 Leave a Comment Written by Sean Metcalf

I have been working on an AD Statistics script for a little while now that provides some basic information about the AD environment.

This Powershell code gathers data from the Active Directory domain for groups and displays some group statistics.

Import-Module ActiveDirectory
Write-Output “Getting list of AD Groups `r “

[array]$AllADGroups = Get-ADGroup -Filter * -Properties *
$AllADGroupsCount = $AllADGroups.Count
Write-Output “There are $AllADGroupsCount Total groups in AD `r “

[array]$ADUniversalGroups = $AllADGroups | Where {$_.GroupScope -eq “Universal” }
$ADUniversalGroupsCount = $ADUniversalGroups.Count
$PCTofTotal = $ADUniversalGroupsCount / $AllADGroupsCount
$PCTofTotal = “{0:p2}”                      -f $PCTofTotal
Write-Output “There are $ADUniversalGroupsCount Universal groups in AD ($PCTofTotal of all groups) `r “

[array]$ADGlobalGroups = $AllADGroups | Where {$_.GroupScope -eq “Global” }
$ADGlobalGroupsCount = $ADGlobalGroups.Count
$PCTofTotal = $ADGlobalGroupsCount / $AllADGroupsCount
$PCTofTotal = “{0:p2}”                      -f $PCTofTotal
Write-Output “There are $ADGlobalGroupsCount Global groups in AD ($PCTofTotal of all groups)  `r “

[array]$ADDomainLocalGroups = $AllADGroups | Where {$_.GroupScope -eq “DomainLocal” }
$ADDomainLocalGroupsCount = $ADDomainLocalGroups.Count
$PCTofTotal = $ADDomainLocalGroupsCount / $AllADGroupsCount
$PCTofTotal = “{0:p2}”                      -f $PCTofTotal
Write-Output “There are $ADDomainLocalGroupsCount Domain Local groups in AD ($PCTofTotal of all groups)  `r “

[array]$ADSecurityGroups = $AllADGroups | Where {$_.GroupCategory -eq “Security” }
$ADSecurityGroupsCount = $ADSecurityGroups.Count
$PCTofTotal = $ADSecurityGroupsCount / $AllADGroupsCount
$PCTofTotal = “{0:p2}”                      -f $PCTofTotal
Write-Output “There are $ADSecurityGroupsCount Security groups in AD ($PCTofTotal of all groups)  `r “

[array]$ADMESecurityGroups = $ADSecurityGroups | Where {$_.Mail -ne $Null }
$ADMESecurityGroupsCount = $ADMESecurityGroups.Count
$PCTofTotal = $ADMESecurityGroupsCount / $AllADGroupsCount
$PCTofTotal = “{0:p2}”                      -f $PCTofTotal
Write-Output “There are $ADSecurityGroupsCount Mail-Enabled Security groups in AD ($PCTofTotal of all groups)  `r “

[array]$ADDistributionGroups = $AllADGroups | Where {$_.GroupCategory -eq “Distribution” }
$ADDistributionGroupsCount = $ADDistributionGroups.Count
$PCTofTotal = $ADDistributionGroupsCount / $AllADGroupsCount
$PCTofTotal = “{0:p2}”                      -f $PCTofTotal
Write-Output “There are $ADDistributionGroupsCount Distribution groups in AD ($PCTofTotal of all groups)  `r “

[array]$ADMEnotUniGroups = $AllADGroups | Where { ($_.GroupCategory -eq “Distribution”) -AND ($_.GroupScope -ne “Universal” ) }
$ADMEnotUniGroupsCount = $ADMEnotUniGroups.Count
$PCTofTotal = $ADMEnotUniGroupsCount / $AllADGroupsCount
$PCTofTotal = “{0:p2}”                      -f $PCTofTotal
Write-Output “There are $ADMEnotUniGroupsCount Distribution groups that are not Universal groups in AD ($PCTofTotal of all groups)  `r “

Google+FacebookEmailPrintShare
Posted in Microsoft Products, Powershell Code, Tech - Tagged , , , , , , ,

Troubleshooting: Users Can’t Login (aka Why SYSVOL Replication is Critical for GPO Processing)

Nov25
2011 Leave a Comment Written by Sean Metcalf

I recently assisted a customer with an issue where users where unable to connect to Citrix on the thin clients. The problem seemed to be related to an error on the server stating that group policy could not be processed on the computer. There was an error that pointed to not being able to access the GPT.ini file associated with a GPO and that GPO processing stopped at that point. So I opened up Windows Explorer and pointed it to \\domain.com\SYSVOL\domain.com\Policies and discovered the GPO GUID didn’t exist. I guessed that someone accidentally deleted the GPO folder and suggested they unlink the current one (the one flagged as not processing), create a new GPO with the same settings and then link the new one to the OU. While they were doing that, I dug a little deeper. I opened Windows Explorer and pointed it to \\DomainDC02\SYSVOL\domain.com\Policies and discovered the GPO GUID didn’t exist. However, when I went to \\DomainDC01\SYSVOL\domain.com\Policies the GPO GUID did exist. Aha! I logged onto DomainDC02 and restarted the NTFRS service (Powershell: restart-service ntfrs). I checked the FRS log and sure enough – Journal Wrap.

Microsoft describes FRS as follows:

“FRS is a multi-threaded, multi-master replication engine that Windows Server 2003 and Windows 2000 domain controllers use to replicate system policies and logon scripts for Windows Server 2003, Windows 2000, and earlier-version clients. In Microsoft Windows NT, the LanMan Replication (LMREP) service handled replication. FRS replaced LMREP in Windows 2000. You can also use FRS to replicate content between Windows 2000 servers that host the same fault-tolerant Distributed File System (DFS) roots or child node replicas.”

FRS monitors all changes to the NTFS file system and is interested in any updates to files that is in the SYSVOL folder structure. When a file/folder update occurs in the SYSVOL folder, it is logged in the NTFS Journal. FRS keeps its own log to keep track of what NTFS updates it knows about. So, if the NTFS Journal has performed modification #152, FRS checks its log to see if it has a record of 152 and then if it is contained in the SYSVOL folder structure. If it is, then FRS stages the change and then replicates it to a SYSVOL replica, aka a Domain Controller. The problem comes in where FRS is stopped for a while due to low disk space (the issue I encountered), system failure, the service was stopped and never restarted, or some other reason the FRS service stopped running. Once it starts up again, it checks the NTFS Journal for the last update number. If the last update number is beyond the number range FRS has in its log, a Journal Wrap occurs since FRS can’t be certain that all updates have been properly processed. When FRS is in a Journal Wrap state, it stops replicating since SYSVOL is inconsistent on that server and no longer advertises SYSVOL as Ready.

Journal Wrap means that changes on this DC may be lost since the SYSVOL on this DC needs to be recreated. That process is detailed in Microsoft KB #290762 (the infamous Burflags article). KB 290762 describes how to set a registry key (Burflags) to D2 to resolve a SYSVOL problem on a single DC (typical Journal Wrap scenario) or to set it to D4 to wipe SYSVOL throughout the domain (make sure you have a good backup to restore SYSVOL afterwards).

I freed up space on the server’s drive hosting SYSVOL (the root cause – the drive had only a few MB free) and followed article KB 290762 to set burflags in the registry to D2. This reinitialized SYSVOL on the problem DC (DC02) and fixed the issue.

When I went back to \\DomainDC02\SYSVOL\domain.com\Policies everything was there. I also checked  \\domain.com\SYSVOL\domain.com\Policies and all was right with the world. Running gpupdate on the server showed that GPO processing occurred successfully.

Key takeaways from this:

  1. Monitor your servers.
  2. Monitor your servers and use the monitoring product – at least glance at it once a day.
  3. Check your servers regularly for volumes low on drive space – Monitoring is a great way to do this.
  4. Did I mention monitoring?
  5. Don’t put a lot of junk in SYSVOL. This is not the place to store files you want to access from anywhere. That’s what DFS is for.
Google+FacebookEmailPrintShare
Posted in Microsoft Products, Tech - Tagged , , , , , , , , , , ,

Happy Thanksgiving!

Nov24
2011 Leave a Comment Written by Sean Metcalf

As a Thanksgiving treat, here’s the story of the Squeeky Lobster which is an actual Log value in the Jet Database (Exchange & AD).

Enjoy!

Google+FacebookEmailPrintShare
Posted in Microsoft Products, Tech, Technical Reference - Tagged ,

Reference: Windows & Active Directory DNS

Nov23
2011 Leave a Comment Written by Sean Metcalf

Here are some excellent DNS resources to reference when reading up on how Windows & AD implement DNS:

Google+FacebookEmailPrintShare
Posted in Career, Deployment, Microsoft Products, Tech, Technical Reference - Tagged , , , , , ,

Powershell Commandlet: Get-RootDSE

Nov19
2011 Leave a Comment Written by Sean Metcalf

A tremendously useful Active Directory commandlet is get-RootDSE which gets a bunch of useful information about AD. This command provides the attributes and their values you would see if you opened ADSIEdit.msc and pointed it to RootDSE. The information provided simplifies getting an LDAP directory’s configuration details. The Powershell code and the result (shown below) provide a bunch of useful information. Here are some of my favorites:

Highest Committed USN (on the DC contacted by this operation)
AD Configuration Naming Context (the Configuration partition DN)
AD Current Time (helpful to see if the time is accurate)
AD Default Naming Context (this is the domain’s DN)
AD DNS Host Name (full DNS name of the DC contacted)
AD Domain Controller Functionality (Effectively the OS version of the DC contacted)
AD Domain Functionality
AD Forest Functionality
AD DS Service Name (this is the DC’s SPN)
AD Is Global Catalog Ready? (Is the DC advertising as a GC)
AD Is Synchronized? (Is the DC up-to-date with replication)
AD LDAP Service Name (this is the DC’s SPN)
AD Naming Contexts  (this is a list of all NCs)

The following Powershell code displays much of this useful and interesting info, but more importantly sets each of these values into variables:

#############################################
# Get Extended Active Directory Information ##############################################

Import-Module ActiveDirectory
# Get RootDSE Info
Write-Verbose “Get RootDSE information `r”
$ADRootDSE = Get-ADRootDSE -Properties *
$ADhighestCommittedUSN = $ADRootDSE.highestCommittedUSN
$ADconfigurationNamingContext = $ADRootDSE.configurationNamingContext
$ADcurrentTime = $ADRootDSE.currentTime
$ADdefaultNamingContext = $ADRootDSE.defaultNamingContext
$ADdnsHostName = $ADRootDSE.dnsHostName
$ADdomainControllerFunctionality = $ADRootDSE.domainControllerFunctionality
$ADdomainFunctionality = $ADRootDSE.domainFunctionality
$ADdsServiceName = $ADRootDSE.dsServiceName
$ADforestFunctionality = $ADRootDSE.forestFunctionality
$ADisGlobalCatalogReady = $ADRootDSE.isGlobalCatalogReady
$ADisSynchronized  = $ADRootDSE.isSynchronized
$ADldapServiceName  = $ADRootDSE.ldapServiceName
$ADnamingContexts = $ADRootDSE.namingContexts
$ADrootDomainNamingContext = $ADRootDSE.rootDomainNamingContext
$ADschemaNamingContext = $ADRootDSE.schemaNamingContext
$ADserverName = $ADRootDSE.serverName
$ADsubschemaSubentry  = $ADRootDSE.subschemaSubentry
$ADsupportedCapabilities  = $ADRootDSE.supportedCapabilities
$ADsupportedControl  = $ADRootDSE.supportedControl
$ADsupportedLDAPPolicies = $ADRootDSE.supportedLDAPPolicies
$ADsupportedLDAPVersion  = $ADRootDSE.supportedLDAPVersion
$ADsupportedSASLMechanisms = $ADRootDSE.supportedSASLMechanisms

Write-Output “Highest Committed USN: $ADhighestCommittedUSN `r”
Write-Output “AD Configuration Naming Context: $ADconfigurationNamingContext `r”
Write-Output “AD Current Time: $ADcurrentTime `r”
Write-Output “AD Default Naming Context: $ADdefaultNamingContext `r”
Write-Output “AD DNS Host Name: $ADdnsHostName `r”
Write-Output “AD Domain Controller Functionality: $ADdomainControllerFunctionality `r”
Write-Output “AD Domain Functionality: $ADdomainFunctionality `r”
Write-Output “AD Forest Functionality: $ADforestFunctionality `r”
Write-Output “AD DS Service Name: $ADdsServiceName `r”
Write-Output “AD Is Global Catalog Ready?: $ADisGlobalCatalogReady `r”
Write-Output “AD Is Synchronized?: $ADisSynchronized `r”
Write-Output “AD LDAP Service Name: $ADldapServiceName `r”
Write-Output “AD Naming Contexts: $ADnamingContexts `r”
Write-Output “AD Root Domain Naming Context: $ADrootDomainNamingContext `r”
Write-Output “AD Schema Naming Context: $ADschemaNamingContext `r”
Write-Output “AD Server Name: $ADserverName `r”
Write-Output “AD Subschema Subentry: $ADsubschemaSubentry `r”
Write-Output “AD Supported Capabilities: $ADsupportedCapabilities `r”
# Write-Output “AD Supported Control: $ADsupportedControl `r”
Write-Output “AD Supported LDAP Policies: $ADsupportedLDAPPolicies `r”
Write-Output “AD Supported LDAP Version: $ADsupportedLDAPVersion `r”
Write-Output “AD Supported SASL Mechanisms: $ADsupportedSASLMechanisms `r”
Write-Output ” `r “

Result:

Highest Committed USN: 3929669
AD Configuration Naming Context: CN=Configuration,DC=Domain,DC=net
AD Current Time: 10/11/2011 12:25:33
AD Default Naming Context: DC=Domain,DC=net
AD DNS Host Name: DC1.Domain.net
AD Domain Controller Functionality: Windows2008R2
AD Domain Functionality: Windows2008R2Domain
AD Forest Functionality: Windows2008R2Forest
AD DS Service Name: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=Domain,DC=net
AD Is Global Catalog Ready?: TRUE
AD Is Synchronized?: TRUE
AD LDAP Service Name: Domain.net:dc1$@DOMAIN.NET
AD Naming Contexts: DC=Domain,DC=net CN=Configuration,DC=Domain,DC=net CN=Schema,CN=Configuration,DC=Domain,DC=net DC=DomainDnsZones,DC=Domain,DC=net DC=ForestDnsZones,DC=Domain,DC=net
AD Root Domain Naming Context: DC=Domain,DC=net
AD Schema Naming Context: CN=Schema,CN=Configuration,DC=Domain,DC=net
AD Server Name: CN=DC1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=Domain,DC=net
AD Subschema Subentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=Domain,DC=net
AD Supported Capabilities: 1.2.840.113556.1.4.800 (LDAP_CAP_ACTIVE_DIRECTORY_OID) 1.2.840.113556.1.4.1670 (LDAP_CAP_ACTIVE_DIRECTORY_V51_OID)
1.2.840.113556.1.4.1791 (LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID) 1.2.840.113556.1.4.1935 (LDAP_CAP_ACTIVE_DIRECTORY_V61_OID) 1.2.840.113556.
1.4.2080
AD Supported LDAP Policies: MaxPoolThreads MaxDatagramRecv MaxReceiveBuffer InitRecvTimeout MaxConnections MaxConnIdleTime MaxPageSize MaxQuer
yDuration MaxTempTableSize MaxResultSetSize MinResultSets MaxResultSetsPerConn MaxNotificationPerConn MaxValRange
AD Supported LDAP Version: 3 2
AD Supported SASL Mechanisms: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5

 

 

Highest Committed USN: 3929669
AD Configuration Naming Context: CN=Configuration,DC=Domain,DC=net
AD Current Time: 10/11/2011 12:25:33
AD Default Naming Context: DC=Domain,DC=net
AD DNS Host Name: DC1.Domain.net
AD Domain Controller Functionality: Windows2008R2
AD Domain Functionality: Windows2008R2Domain
AD Forest Functionality: Windows2008R2Forest
AD DS Service Name: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=Domain,DC=net
AD Is Global Catalog Ready?: TRUE
AD Is Synchronized?: TRUE
AD LDAP Service Name: Domain.net:dc1$@DOMAIN.NET
AD Naming Contexts: DC=Domain,DC=net CN=Configuration,DC=Domain,DC=net CN=Schema,CN=Configuration,DC=Domain,DC=net DC=DomainDnsZones,DC=Domain,DC=net DC=ForestDnsZones,DC=Domain,DC=net
AD Root Domain Naming Context: DC=Domain,DC=net
AD Schema Naming Context: CN=Schema,CN=Configuration,DC=Domain,DC=net
AD Server Name: CN=DC1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=Domain,DC=net
AD Subschema Subentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=Domain,DC=net
AD Supported Capabilities: 1.2.840.113556.1.4.800 (LDAP_CAP_ACTIVE_DIRECTORY_OID) 1.2.840.113556.1.4.1670 (LDAP_CAP_ACTIVE_DIRECTORY_V51_OID)
1.2.840.113556.1.4.1791 (LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID) 1.2.840.113556.1.4.1935 (LDAP_CAP_ACTIVE_DIRECTORY_V61_OID) 1.2.840.113556.
1.4.2080
AD Supported LDAP Policies: MaxPoolThreads MaxDatagramRecv MaxReceiveBuffer InitRecvTimeout MaxConnections MaxConnIdleTime MaxPageSize MaxQuer
yDuration MaxTempTableSize MaxResultSetSize MinResultSets MaxResultSetsPerConn MaxNotificationPerConn MaxValRange
AD Supported LDAP Version: 3 2
AD Supported SASL Mechanisms: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5

 

Google+FacebookEmailPrintShare
Posted in Microsoft Products, Powershell Code, Tech - Tagged , , ,

Working with SQL via Powershell

Nov18
2011 Leave a Comment Written by Sean Metcalf

As tricky as it is to get information about SQL databases from a SQL Server, Powershell (leveraging SMO) makes it much easier.

Here’s some great information from the Microsoft Scripting Guys on using Powershell to manage SQL Server 2008.

Google+FacebookEmailPrintShare
Posted in Microsoft Products, Tech, Technical Reference - Tagged , ,
« Older Entries
Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog do not represent the views of Metcorp Consulting, LLC or its partners. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2012