Posts tagged Deployment

Powershell Code: Find Non-Optimal AD Site Configuration

Jun06
2012 1 Comment

Written by Sean Metcalf

There are a lot of ways Active Directory sites can be configured (and mis-configured). Sometimes, one component is deleted without cleaning up the other. This script identifies a number of non-optimal site configurations.

Here’s what it does:

Get AD Site List
Get List of AD Subnets
Discover Subnets without sites
Discover Subnets not configured as Class C
Check each Site for missing subnets
Check each Site for missing site link
Check each Site for missing ISTG
Find AD Sites with no GCs
Find Manual Site Links

NOTE: You have to define the output file variables in order for the script to save each data piece in a log file.

Here’s the Code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136

Import-module ActiveDirectory

Write-Output "Gathering AD configuration data... `r "
$ADRootDSE = Get-ADRootDSE
$ADConfigurationNamingContext = $ADRootDSE.configurationNamingContext
Write-Output "Setting AD configuration variables `r "
$ADSiteDN = "CN=Sites,$ADConfigurationNamingContext"

# Get AD Site List
Write-Output "Get AD Site List `r"
$ADSites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites
[int]$ADSitesCount = $ADSites.Count
Write-Output "There are $ADSitesCount AD Sites in the AD Forest `r"

# Get List of AD Subnets
Write-Output "Discovering Forest-wide subnet data in AD... `r "
[array] $ADSubnets = Get-ADObject -Filter { ObjectClass -eq "subnet" } -SearchBase $ADSiteDN -Properties Name,description,location,siteObject
[int]$ADSubnetsCount = $ADSubnets.Count
Write-Output "There are $ADSubnetsCount AD Subnets in the AD Forest `r"
Write-Output " `r "

# Discover Subnets without sites
Write-Output "Discovering Subnets without sites... `r "
IF ($SubnetsWithNoSites) { Clear-Variable SubnetsWithNoSites }
[array]$SubnetsWithNoSites = $ADSubnets | Where { $_.siteObject -eq $Null }
[int]$SubnetsWithNoSitesCount = $SubnetsWithNoSites.Count
Write-Output "There are $SubnetsWithNoSitesCount AD Subnets with no configured Sites in the AD Forest `r"
Write-Output " `r "

# Discover Subnets not configured as Class C
Write-Output "Discovering Subnets not configured as Class C subnets... `r "
IF ($SubnetsNotClassC) { Clear-Variable SubnetsNotClassC }
[array]$SubnetsNotClassC = $ADSubnets | Where { $_.Name -notlike "*24" }
[int]$SubnetsNotClassCCount = $SubnetsNotClassC.Count
Write-Output "There are $SubnetsNotClassCCount AD Subnets not configured as Class C subnets `r "
Write-Output " `r "

ForEach ($Site in $ADSites)
{ ## OPEN ForEach Site in ADSites
$SiteName = $Site.Name
[array] $SiteSubnets = $Site.Subnets
[array] $SiteServers = $Site.Servers
[array] $SiteAdjacentSites = $Site.AdjacentSites
[array] $SiteLinks = $Site.SiteLinks
$SiteInterSiteTopologyGenerator = $Site.InterSiteTopologyGenerator

# Check for missing subnets
IF (!$SiteSubnets)
{ ## OPEN IF there are no Site Subnets
Write-Output "The site $SiteName does not have a configured subnet. `r "
[array] $SitesWithNoSubnets += $SiteName
[int] $SitesWithNoSubnetsCount = $SitesWithNoSubnets.Count
} ## OPEN IF there are no Site Subnets

# Check for missing site link
IF (!$SiteLinks)
{ ## OPEN IF there are no Site Links for this site
Write-Output "The site $SiteName does not have an associated site link. `r "
[array] $SitesWithNoSiteLinks += $SiteName
[int] $SitesWithNoSiteLinksCount = $SitesWithNoSiteLinks.Count
} ## OPEN IF there are no Site Links for this site

# Check for missing ISTG
IF (!$SiteInterSiteTopologyGenerator)
{ ## OPEN IF there are no ISTG for this site
Write-Output "The site $SiteName does not have a configured InterSite Topology Generator server `r "
[array] $SitesWithNoISTG += $SiteName
[int] $SitesWithNoISTGCount = $SitesWithNoISTG.Count
} ## OPEN IF there are no ISTG for this site

# Find AD Sites with no GCs
$SiteGC = Get-ADDomainController -filter { (Site -eq $Site) -and (IsGlobalCatalog -eq $True) }
IF (!$SiteGC)
{ ## OPEN IF there are no GCs for this site
Write-Output "The site $SiteName does not have a Global Catalog associated with it `r "
[array] $SitesWithNoGC += $SiteName
[int] $SitesWithNoGCCount = $SitesWithNoGC.Count
} ## OPEN IF there are no GCs for this site
} ## CLOSE ForEach Site in ADSites

IF ($SitesWithNoSubnets)
{ ## OPEN IF There are SitesWithNoSubnets
Write-Output "There are $SitesWithNoSubnetsCount Sites without a configured Subnet. `r "
Write-Output "This list is saved to the file: $SitesWithNoSubnetsFile `r "
$SitesWithNoSubnets | out-file $SitesWithNoSubnetsFile
Write-Output " `r "
} ## CLOSE IF There are SitesWithNoSubnets
ELSE { Write-Output "There are no Sites without a configured Subnet. `r " }

IF ($SubnetsWithNoSites)
{ ## OPEN IF There are SubnetsWithNoSites
Write-Output "There are $SubnetsWithNoSitesCount Subnets without a configured Site. `r "
Write-Output "This list is saved to the file: $SubnetsWithNoSitesFile `r "
$SubnetsWithNoSites | out-file $SubnetsWithNoSitesFile
Write-Output " `r "
} ## CLOSE IF There are SubnetsWithNoSites
ELSE { Write-Output "There are no Subnets without a configured Site. `r " }

IF ($SitesWithNoSiteLinks)
{ ## OPEN IF There are SitesWithNoSiteLinks
Write-Output "There are $SitesWithNoSiteLinksCount Sites without a configured Sitelink. `r "
Write-Output "This list is saved to the file: $SitesWithNoSiteLinksFile `r "
$SitesWithNoSiteLinks | out-file $SitesWithNoSiteLinksFile
Write-Output " `r "
} ## CLOSE IF There are SitesWithNoSiteLinks
ELSE { Write-Output "There are no Sites without a configured Sitelink. `r " }

IF ($SitesWithNoGC)
{ ## OPEN IF There are SitesWithNoGC
Write-Output "There are $SitesWithNoGCCount Sites without a Global Catalog server. `r "
Write-Output "This list is saved to the file: $SitesWithNoGCFile `r "
$SitesWithNoGC | out-file $SitesWithNoGCFile
Write-Output " `r "
} ## CLOSE IF There are SitesWithNoGC
ELSE { Write-Output "There are no Sites without a Global Catalog server. `r " }

IF ($SubnetsNotClassC)
{ ## OPEN IF There are SubnetsNotClassC
Write-Output "There are $SubnetsNotClassCCount subnets that are not Class C subnets. `r "
Write-Output "This list is saved to the file: $SubnetsNotClassCFile `r "
$SubnetsNotClassC | out-file $SubnetsNotClassCFile
Write-Output " `r "
} ## CLOSE IF There are SubnetsNotClassC
ELSE { Write-Output "There are no subnets that are not Class C subnets. `r " }

## Find all Sites with manual connections
$ManualConnections = Get-ADObject -LDAPFilter "(&(ObjectClass = NTDSConnection) (!Options:1.2.840.113556.1.4.804:=1))" `
-SearchBase $ADConfigurationNamingContext -Property DistinguishedName,FromServer

IF ($FixManualConnections -eq $True)
{ $ManualConnections | Remove-ADObject -Verbose }
ELSE
{ ## OPEN ELSE FixManualConnections = False
Write-Output "Exporting Manual Site Connections to CSV report file ($ManualSiteConnectionsCSVReportFile)... `r "
$ManualConnections | Export-CSV $ManualSiteConnectionsCSVReportFile -NoType -Force
} ## CLOSE ELSE FixManualConnections = False

Posted in Microsoft Products, Powershell Code, Tech - Tagged Active Directory, AD Site, AD Subnets, Code, Configuration, GC, ISTG, Powershell, Site Configuration

Windows 2008 NSPI Connection Changes

Feb19
2012 Leave a Comment

Written by Sean Metcalf

Windows 2008 changed the NSPI from unlimited to 50 connections. This can affect a number of applications including Symantec , Blackberry , and others.

The real issue involves 3rd party (non-Microsoft) products (again, like Symantec & Blackberry) .
While Symantec may recommend setting this value to 0xffffffff (~4 billion) effectively rolling back this setting (to be fair, they do state it may not be desirable to set the max limit and provide a formula). I would not recommend setting NSPI to such a high value. Set it to 100 or 150 to see if that resolves the issue first. Then gradually increase the number by about 100.
The real issue is the application needs to be tweaked to handle the connection limit.

From Microsoft KB 949469:
To resolve this issue, check all NSPI connections that processes on the client create for connection leaks. For example, a call to the NspiBind function must have a corresponding call to the NspiUnbind function when an NSPI connection is no longer required. This operation may require that you debug any custom scripts or applications that are using NSPI. If this issue affects external applications, contact the software vendors for updates.

Note The Outlook NSPI MAPI provider that is installed with Microsoft Outlook is only intended for use with Microsoft Outlook. External scripts and applications that rely on the Outlook NSPI MAPI provider are not supported.

References:

Posted in Microsoft Products, Tech, Technical Reference, Troubleshooting - Tagged Active Directory, Configuration, Domain Controller, Global Catalog, Windows Server 2008, Windows Server 2008 R2

Active Directory Replication Overview & USN Rollback: What It Is & How It Happens

Jan25
2012 Leave a Comment

Written by Sean Metcalf

If you have experienced event id #2095, then you understand how a USN Rollback can negatively affect AD consistency.

What is a USN?

The USN (Update Sequence Number) is an Active Directory database instance counter that increments every time a single change is committed to the AD database on a Domain Controller. The USN is unique to each DC and has no correlation to a USN on another DC (and that doesn’t matter, as you will see why later on in this article). Active Directory replication keeps track of every Domain Controller’s USN and uses this information to determine when replication is required. Active Directory has two basic types of writes to the AD database, a replicated write (where the change is performed on another DC) and an originating write (where the change is performed on the local DC). AD Replicates and leverages the information about what changes were performed on which DCs and then replicated out.

Every Domain Controller has a server object in the site container stored within the Configuration partition. This object has a child object called “NTDS Settings” which has a GUID (Globally Unique IDentifier) attribute which is replicated as part of replication metadata and used by the KCC to build the replication topology. Each DC has its own copy of the Active Directory database stored in the ntds.dit file and this unique database instance on a DC is identified with its own GUID-type identifier called the “Invocation ID”. The Invocation ID is created when the DC is promoted and only changes when the AD database is restored using a supported method or an application partition is added or removed. The reason for this is so that when an AD database is restored to an earlier point in time, the USN is also restored to that point in time. This means that any change from the restored USN value until the original, pre-restored USN value would be ignored by other DCs pulling replication from the restored DC (since they track other DCs USNs that they replicate with and only pull updates when the destination DC’s USN increments above the last stored update value USN the DC has for it – more on this later). In order to avoid this situation, the DC’s AD database generates a new Invocation ID and stores the old Invocation ID is stored in an attribute on the server’s NTDS Settings object called retiredReplDSASignatures. In this manner, the DCs will treat a new Invocation ID as a new database and ensure it gets updates from it moving forward. You can see a DC’s Invocation ID and Server GUID by running repadmin /showrepl.

Much of the DC information is visible when running the Get-ADDomainController PowerShell commandlet:

PS C:\> import-module activedirectory ;
get-addomaincontroller -identity “MetcorpORGDC01.metcorp.org”

ComputerObjectDN           : CN=METCORPORGDC01,OU=Domain Controllers,DC=metcorp,DC=org
DefaultPartition           : DC=metcorp,DC=org
Domain                     : metcorp.org
Enabled                    : True
Forest                     : metcorp.org
HostName                   : MetcorpORGDC01.metcorp.org
InvocationId               : f2e96b87-bb2a-4572-a911-0c79721e7b4f
IPv4Address                : 10.10.10.11
IPv6Address                :
IsGlobalCatalog            : True
IsReadOnly                 : False
LdapPort                   : 389
Name                       : METCORPORGDC01
NTDSSettingsObjectDN       : CN=NTDS Settings,CN=METCORPORGDC01,CN=Servers,CN=WashingtonDC,CN=Sites,CN=Configuration,DC
                             =metcorp,DC=org
OperatingSystem            : Windows Server 2008 R2 Enterprise
OperatingSystemHotfix      :
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion     : 6.1 (7601)
OperationMasterRoles       : {SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster…}
Partitions                 : {DC=ForestDnsZones,DC=metcorp,DC=org, DC=DomainDnsZones,DC=metcorp,DC=org, CN=Schema,CN=Co
nfiguration,DC=metcorp,DC=org, CN=Configuration,DC=metcorp,DC=org…}
ServerObjectDN             : CN=METCORPORGDC01,CN=Servers,CN=WashingtonDC,CN=Sites,CN=Configuration,DC=metcorp,DC=org
ServerObjectGuid           : 214c2f5d-f9eb-4b0c-b1fa-4829fc8be2fc
Site                       : WashingtonDC
SslPort                    : 636

Notice in the Get-ADDomainController ouput above, there is a Computer Object DN and a Server Object DN?

The Computer Object DN is where the Domain Controller’s computer object is stored in the domain partition (DC=metcorp,DC=org in the example) and represents the DC in the domain.
The Server Object DN is representation of the DC as a replication object and is stored in the configuration partition under the site object (…,CN=Sites,CN=Configuration,DC=metcorp,DC=org in the example).

Every replicated change includes the following pieces of information:

The Replication Source DC’s GUID replicating the change (originating or replicated write)
The Replication Source DC’s USN
The Originating DC’s GUID (the DC where the AD update was first performed)
The Originating DC’s USN

NOTE: If the Originating Source DC’s GUID & the Originating DC’s GUID are the same, then this is an originating write. If they are different, then the change operation is a replicated write and the replication system uses the Up-To-Dateness Vector. The DCs use all of this information inlcuding the Up-To-Dateness Vector & the High Water Mark as part of “Propagation Dampening” to ensure that replication doesn’t get stuck in a loop.

There are two primary mechanism that leverage a DC’s USN to track replication updates:

The Up-to-Dateness-Vector(UTDV) is a method by which DC replication partners can quickly identify when data needs to be replicated. Each DC has a UDV that keeps track of the USN for every DC hosting a replicated partition. Every DC in the AD forest hosts the same base partitions and replicates these partitions separately: Configuration & Schema and frequently the Domain DNS & Forest DNS application partitions. All of the DCs in the same domain host the same domain partition. Each partition has an associated UDV with all DCs hosting the partition and their associated USN.Simply put, the UTDV is a table of all the DCs for a replicated partition and their replicated USNs and date/time when the DC last replicated. The UTDV is sent to the Source DC by the requesting Destination DC (replicating data is always a pull even though the notification may be a push action) to filter out updates the Destination DC already has. At the end of the replication cycle the Source DC sends the Destination DC its UTDV.Here’s an example of what it looks like:Repadmin: running command /showutdvec against full DC METCORPORGDC02.metcorp.org
Caching GUIDs.
..
WashingtonDC\METCORPORGDC02 (retired) @ USN 65593 @ Time 2012-01-21 12:29:38
WashingtonDC\METCORPORGDC02 @ USN 62096 @ Time 2012-01-23 21:47:00
ae7a0f8e-e7bd-4d4f-83df-1c731cdd8e47 @ USN 46734 @ Time 2012-01-21 14:17:26
WashingtonDC\METCORPORGDC01 @ USN 59160 @ Time 2012-01-23 21:46:33Notice how DC02 has 2 different entries, one with a USN of 65593 (marked Retired) and one with a USN of 62096. AD replication ignores the (Retired) Invocation ID’s USN and uses the current one for replication decisions, though it does keep it in the UTDV to ensure the USNs are kept separate.
The High Water Mark (HWM) on a DC tracks the highest USN replicated from each DC and uses that to identify when replication is required.Simply put, the HWM tracks the last USN replicated by one of the local DC’s replication partner. The HWM is used to track the most recent changes (objects and attributes) a Destination DC has received from Source DCs for a specific partition.For example, we have DC01 and DC02:DC01′s USN: 3300
DC02′s USN: 2200DC01 has a HWM of 2000 for DC02 and DC02 has a HWM of 3300 for DC01. When a change is performed on DC01, the USN is incremented to 3301 and when DC02 requests updates, it requests any changes since USN 3300. DC01 sends DC02 change #3301 and DC02 performs a replicated write to its AD database incrementing its local USN to 2201. What’s interesting about this is that at this point, DC01 has a HWM of 200 still and DC02 now has a USN of 2201. Since the DCs have the information about the originating DC and the originating DC’s USN, they know that this change has already been replicated so they update their HWM and wait for the next change.

What is USN Rollback?

Since updates are replicated when the USN on the source DC is larger than the destination DC has for the source DC (according to the UTDV & HWM), a USN Rollback scenario on a DC prevents replication of AD updates on that DC to any other. Typically when a USN goes backwards, it is due to a supported restore from backup. When this process occurs, the invocation ID changes. Since all replica partners track replication based on DC GUID, Invocation ID, and USNs, a supported restore method keeps the previous invocation ID as “retired” and effectively ignores it. The new database Invocation ID & associated USN are used to get AD changes from the DC… except when the USN rolls back with NO change in Invocation ID. This means that when a DC is in a state of USN Rollback, AD updates can be performed on that DC with NONE of the changes replicated to its replication partners. That’s bad news.

Examples help clarify concepts, so I’ll use one here.

DC01, DC02 & DC03 are Domain Controllers for the Active Directory domain metcorp.org.
DC01 is running on physical hardware and DC02 & DC03 are virtual DCs running on VMWare ESX.

The AD admin copies the DC02 virtual files on Monday and on Wednesday, DC02 fails.
The admin uses the DC02 VM files from Monday to get DC02 up and running on Thursday (ASAP, right?).

During the next replication cycle, DC01 & DC03 send DC02 the last update USN they have for DC02 (USN #31,131). DC02 checks its local USN and notes that the local USN (USN #29,000) is less than the ones sent (USN #31,131), so no update is replicated to DC01 or DC03. As changes to Active Directory are performed on DC02, they are not replicated to the other metcorp.org DCs until DC02′s USN increments past the USN the other DCs have for DC02. This means that 2,131 modifications occur on DC02 before the other DCs receive a single update – and then only changes from USN 31,132 on.

Note that in this situation, any change performed on DC02 is NOT replicated to any other DC. This means that modifications to AD on DC02 only exist on DC02 while other DCs may have different versions of the same objects, including passwords and group membership. See, bad news.

Day 01 – Sunday:
DC01′s USN #34,951
DC02′s USN #28,539
DC03′s USN #22,360

Day 02 – Monday:
DC01′s USN #35,123
DC02′s USN #29,000 (VM copied)
DC03′s USN #23,101

Day 03 – Tuesday:
DC01′s USN #36,432
DC02′s USN #31,131 – FAILS
DC03′s USN #24,555

Day 04 – Wednesday:
DC01′s USN #38,012
DC02 OFFLINE
DC03′s USN #25,010

Day 05 – Thursday:
DC01′s USN #39,951
DC02 Back online with USN #29,000
DC03′s USN #27,360

What causes USN Rollback to occur?

There are several scenarios that Microsoft has identified that can cause USN Rollback on a DC (i.e. unsupported configurations). All of these include the same common theme and that is taking an earlier state of a DC (backup or copy) and running it.

Starting an Active Directory domain controller whose Active Directory database file was restored (copied) into place by using an imaging program such as Norton Ghost.

Starting a previously saved virtual hard disk image of a domain controller. The following scenario can cause a USN rollback:

Promote a domain controller in a virtual hosting environment.

Create a snapshot or alternative version of the virtual hosting environment.

Let the domain controller continue to inbound replicate and to outbound replicate.

Start the domain controller image file that you created in step 2.

Starting an Active Directory domain controller that is located on a volume where the disk subsystem loads by using previously saved images of the operating system without requiring a system state restoration of Active Directory.

These scenarios pretty much always involve a virtual environment, so if you have virtual DCs you may want to ensure backups are done on the physical DCs (you can never go wrong with performing backups on the FSMOs to start) and/or ensure that the Windows Backup tool is used to backup the AD database (SUPPORTED backup method is key).

Detecting USN Rollback

Detecting USN Rollback is extremely difficult since DCs running Windows 2000 or Windows 2003 RTM didn’t check for repeating USNs for the same Invocation ID. There are no errors in the NTDS Replication event log or when using the replication utility Repadmin. There is a manual method for detecting a USN Rollback using Repadmin and Microsoft KB 875495 describes this process:

One way to detect a USN rollback is to use the Windows Server version of Repadmin.exe to run the repadmin /showutdvec command. This version of Repadmin.exe displays the up-to-dateness vector USN for all domain controllers that replicate a common naming context. To detect a USN rollback, compare the output of the repadmin /showutdvec command on the domain controller with the output of the same command on the domain controller’s replication partners. If the direct replication partners have a higher USN number for the domain controller than the domain controller has for itself, and the repadmin /showreps command does not report replication errors between direct replication partners, you have compelling evidence of a USN rollback.

C:\>Repadmin /showutdvec dc1 dc=contoso,dc=com
Caching GUIDs…
Site1\DC1 @ USN 10 @ Time 2004-08-04 15:07:15
Site2\DC2 @ USN 24805 @ Time 2004-08-04 15:06:59
C:\>Repadmin /showutdvec dc2 dc=contoso,dc=com
Caching GUIDs…
Site1\DC1 @ USN 50 @ Time 2004-08-04 15:07:15
Site2\DC2 @ USN 24805 @ Time 2004-08-04 15:06:59

Note in the example repadmin output above, DC2 has a USN of 50 for DC1 while DC1 has a USN of 10 for itself.

Starting with Windows 2003 Sp1 or newer (or earlier with the KB 875495 hotfix), DCs track and flag when another DC (source DC) sends a USN that was previously acknowledged with the same invocation id.

When a USN Rollback is identified on a Windows 2003 Sp1 or newer (or earlier with the KB 875495 hotfix), the following actions are performed on that DC:

The DC write event 2095 to the DC’s Directory Services event log.
The DC disables inbound and outbound replication.
The DC recognizes the USN Rollback and pauses its Netlogon service. This prevents any changes from being performed on the DC.

Windows 2003 SP 1 and newer Domain Controllers that detect a USN Rollback state on a replication source DC, log the following event:

Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 2095
Date: 3/10/2005
Time: 4:26:51 PM
User: USN\2B25VB$
Computer: 2B9A
Description: During an Active Directory replication request, the local domain controller (DC) identified a remote DC which has received replication data from the local DC using already-acknowledged USN tracking numbers. Because the remote DC believes it is has a more up-to-date Active Directory database than the local DC, the remote DC will not apply future changes to its copy of the Active Directory database or replicate them to its direct and transitive replication partners that originate from this local DC. If not resolved immediately, this scenario will result in inconsistencies in the Active Directory databases of this source DC and one or more direct and transitive replication partners. Specifically the consistency of users, computers and trust relationships, their passwords, security groups, security group memberships and other Active Directory configuration data may vary, affecting the ability to log on, find objects of interest and perform other critical operations. To determine if this misconfiguration exists, query this event ID using http://support.microsoft.com or contact your Microsoft product support. The most probable cause of this situation is the improper restore of Active Directory on the local domain controller. User Actions: If this situation occurred because of an improper or unintended restore, forcibly demote the DC. Remote DC: b55ee67f-ed73-4970-b2d4-7dc6f571439f Partition: CN=Configuration,DC=usn,DC=loc USN reported by Remote DC: 24707 USN reported by Local DC: 20485 For more information, see Help and Support Center at http://support.microsoft.com.

On the DC with USN Rollback the following events are logged:

Event Type: Warning
Event Source: NTDS General
Event Category: Replication
Event ID: 1113
Date: 3/10/2005
Time: 4:26:51 PM
User: USN\2B25VB$
Computer: 2B9A
Description: Inbound replication has been disabled by the user. For more information, see Help and Support Center at http://support.microsoft.com.

Event Type: Warning
Event Source: NTDS General
Event Category: Replication
Event ID: 1115
Date: 3/10/2005
Time: 4:26:51 PM
User: USN\2B25VB$
Computer: 2B9A
Description: Outbound replication has been disabled by the user. For more information, see Help and Support Center at http://support.microsoft.com

Event Type: Error
Event Source: NTDS General
Event Category: Service Control
Event ID: 2103
Date: 3/10/2005
Time: 4:26:51 PM
User: USN\2B25VB$
Computer: 2B9A
Description: The Active Directory database has been restored using an unsupported restoration procedure. Active Directory will be unable to log on users while this condition persists. As a result, the Net Logon service has paused. User Action See previous event logs for details. For more information, see Help and Support Center at http://support.microsoft.com.

Resolving USN Rollback on a DC

Microsoft recommends two methods to resolve a USN Rollback state:

Demote & re-promote the DC – this resets the Invocation ID & the USN.
Restore the DC from a supported backup (preferably using Microsoft’s Backup utility).

I recommend performing resolution step #1. Since the typical scenarios that bring about a USN Rollback involve imaging or performing an un-supported restoration, having a USN Rollback in the environment typically points to process issues. Often this is related to improper restore procedures.

In this situation, it is best to demote the Domain Controller by running dcpromo /forceremoval and perform a metadata cleanup of that DC. If the demoted DC was hosting any of the FSMO roles, they must be seized to another DC.

Only run DCPromo on the server to re-promote it after the metadata cleanup is successful (and any FSMOs are transferred).

References:

Posted in Favorite, Microsoft Products, Tech, Technical Reference - Tagged Active Directory, AD Replication, Configuration, Domain Controller, High Water Mark Vector, Powershell, up-to-dateness vector, Windows Server

Microsoft Active Directory Design Guidance (IPDs)

Dec18
2011 Leave a Comment

Written by Sean Metcalf

Not many people know that Microsoft provides a wealth of information useful for designing Active Directory structures. The so called Infrastructure Planning and Design (IPD) series is freely available on TechNet.

Here are a few of the Microsoft Products with IPDs:

Or, if you are feeling bold, download ALL of the IPDs!

The best thing about the IPD docs is the numbers used to determine how many servers to deploy.

For example, here is some extremely useful information for determining Active Directory Domain Controller numbers (from the AD IPD v2.1):

Task 1: Determine Number of Domain Controllers

For each domain in each location identified in Step B1, the minimum number of domain controllers required needs to be identified. The table below describes the minimum number of domain controllers required, based on number of users.

Table 4. Minimum Number of Domain Controllers

User per domain in a site Minimum number of domain controllers required per domain in a site

1–499 One – Single Processor

500–999 One – Dual Processors/Cores

1,000–2,999 Two – Dual Processors/Cores

3,000–10,000 Two – Quad Processors/Cores

For workloads greater than 10,000 users in a site, additional testing should be performed with user workloads to determine the need for additional hardware. Previous guidance stated an extra quad processor system for every additional 5,000 users. However, for authentication-only workloads, this will be overkill for most environments.

If only one domain controller per location exists, consideration should be made for the need to span the WAN to communicate with a domain controller for authentication and access to resources in the event of failure of the local domain controller.

All domain controllers within a domain must be fully aware of all information related to the domain. This is handled by replication of the AD DS database between domain controllers. This replication occurs within AD DS sites and across site boundaries. If the number of replication partners in a given site reaches 15 or more, an additional domain controller should be added to the site. Another domain controller should be added for each additional 15 replication partners.

Review all applications that rely on AD DS data. Some applications, such as Exchange Server, require additional domain controllers in order to function correctly. Evaluate the need for additional domain controllers based on the expected loads and requirements of the applications.

The IPD documents are valuable to the person tasked with design work.

Posted in Favorite, Microsoft Products, Tech, Technical Reference - Tagged Active Directory, AD, Architecture Template, Configuration, Design Documents, Design Help, DNS, Domain Controller, Exchange, Exchange Server 2010, FSMO, IPD, Microsoft SQL Server, SCCM, SCOM, Virtualization, Windows Server

How the Active Directory Installation Wizard Works

Dec07
2011 Leave a Comment

Written by Sean Metcalf

I was looking for a reference like this before when posting the information on using PowerShell to dynamically create a DCPROMO answer file.

Here’s a technical explanation on How the Active Directory Installation Wizard Works.

Here are my posts involving DCPromo:

Posted in Microsoft Products, Tech, Technical Reference - Tagged Active Directory, DCPromo, Domain Controller, Windows Server

Powershell Code: Create a DCPromo Unattend File Automatically with a Script

Nov01
2011 4 Comments

Written by Sean Metcalf

I was brought in by a customer to automate Windows Server 2008 R2 Domain Controller deployment. I wrote a massive Powershell script that performs the entire DC configuration – of course this script started as a simple automate DCPromo and grew from there. Here’s some of the script code to demonstrate how to generate the DCPromo unattend file (with some extras).

Detailed DCPromo Unattend Options [Microsoft.com].

The script here does several things:

Gets the server’s site name & domain
Enables Powershell Remoting
Installs server roles (configurable)
Generates a random DSRM (Safe Mode) password
Specify DCPRomo Replication Source DC
Generates DCPromo Unattend Answer File

Download the script file here as a txt.

#################
# Set Variables #
#################
[Reflection.Assembly]::LoadWithPartialName(“System.Web”) ## Used to create random passwords
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')

Import-Module ActiveDirectory

$Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name #Get AD Domain (lightweight & fast method)
$Computer = $env:ComputerName
$CurrentUserName = $env:UserName
$ADSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()

$DCPromoAnswerFile="c:\temp\dcpromo.ini"

## Set AD DB (NTDS) path
$LocationNTDS = "e:\NTDS"
## Set AD DB Transaction Logs path
$LocationNTDSLogs = "f:\NTDS"
## Set AD SYSVOL path
$LocationSYSVOL = "f:\SYSVOL"
## Install DC From Media (requires IFM media set)
$InstallFromMedia = "No"
## Set IFM media set path
$DefaultIFMPath = "c:\temp\IFM"
## Reboot server after DCPromo completes
$DCPromoReboot = "Yes"
## Install Domain Controller as Read-ONly Domain Controller (RODC)
$ISRODC = "No"
## Install Domain Controller as a Global Catalog
$ISGC = "No"
## Install Domain Controller as a DNS Server
$DNSInstallSwitch = "Yes"
## Install Domain Controller as a WINS Server
$InstallWINSServer

##############################
# Enable Powershell Remoting # 
##############################
write-output "Enabling Powershell remoting... `r "
Enable-PSRemoting -force

######################################################
# Configure Windows 2008 R2 Server Roles & Features #
######################################################
Write-Verbose "Server Core needs to use OCSetup to add roles and features `r "
write-output "Configuring the server with the appropriate roles and features... `r "
import-module servermanager

Write-Verbose "Install Common Windows roles and features `r "
add-windowsfeature GPMC, Backup-Features, Backup, Backup-Tools
# add-windowsfeature AD-Domain-Services ##Not necessary to install - will be installed as part of DCPROMO - DO NOT PRE-INSTALL AD DS on Server Core

Write-Verbose "Install Custom windows roles and features `r "
IF ($DNSInstallSwitch -match "Yes") { add-windowsfeature DNS }
IF ($InstallWINSServer -match "Yes") { add-windowsfeature WINS-Server }

##################################
# DSRM SafeMode Password Config #
##################################
Write-output "Configuring DSRM password... `r "
Write-Verbose "Generate a random password 30 characters in length `r "
$RandPassLength = [int] 30
Write-Output "Generating $RandPassLength Character Random Password for AD DSRM Account... `r "
$DSRMPass = [System.Web.Security.Membership]::GeneratePassword($RandPassLength,2)
$SafeModePWD = $DSRMPass 
Write-Output "DSRM is $DSRMPass `r " 

#########################################
# Specify DCPRomo Replication Source DC #
#########################################
Write-Verbose "Specify DCPRomo Replication Source DC `r "
Write-Verbose "This enables override cpaability in the standard DCPromo process of replicating with a local DC `r "
write-output "You can specify the replication source DC for use during DCPromo. `r "
write-output "This DC has to be available during the DCPromo process or DC promotion will fail. `r "
write-output " `r "

Write-Output "Prompt to specify explicit replication source DC `r "
$Response = [Microsoft.VisualBasic.Interaction]::InputBox("Specify the replication source DC for use during DCPromo? <Yes / No>",`
 "Specify DCPromo Replication Source DC?","No") 
Switch ($Response)
 { ## OPEN Switch Response
 "Y" { $ExplicitSourceDC = "Yes" }
 "Yes" { $ExplicitSourceDC = "Yes" }
 DEFAULT { $ExplicitSourceDC = "No" }
 } ## CLOSE Switch Response

IF ($ExplicitSourceDC -eq "Yes")
 { ## OPEN IF ExplicitSourceDC Yes
 write-output "By default, the script will autodiscover a 2008 R2 DC in the site. `r "
 write-output "You can specify a different replication source DC by entering the DC's FQDN. `r "
 Write-Verbose "Discover 2008 DC `r "
 $DiscoveredSourceDC = Get-ADDomainController -discover -forcediscover -nextclosestsite -service ADWS
 $DefaultSourceDC = $DiscoveredSourceDC.HostName
 $SourceDC = Get-ADDomainController -identity "$DefaultSourceDC"
 $SourceDCOS = $SourceDC.OperatingSystem
 $SourceDCRO = $SourceDC.IsReadOnly

 IF ($SourceDCOS -like "*2003*")
 { ## OPEN IF The discovered DC is running Windows Server 2003 *
 write-output "Native autodiscover found a 2003 DC: $DefaultSourceDC `r "
 write-output "Please manually specify a 2008 R2 DC. `r "
 } ## CLOSE IF The discovered DC is running Windows Server 2003 *

 IF ($SourceDCOS -like "*2008 R2*") 
 { ## OPEN IF The discovered DC is running Windows Server 2008 R2
 write-output "Native autodiscover found the 2008 R2 DC: $DefaultSourceDC `r "
 } ## CLOSE IF The discovered DC is running Windows Server 2008 R2

 IF ($SourceDCRO -eq $True)
 { ## OPEN IF The discovered DC is running Windows Server 2003 *
 write-output "Native autodiscover found a Read Only DC: $DefaultSourceDC `r "
 write-output "Please manually specify a 2008 R2 DC. `r "
 } ## CLOSE IF The discovered DC is running Windows Server 2003 * 

 Write-Verbose "Specify explicit replication source DC `r "
 $ReplSourceDC = [Microsoft.VisualBasic.Interaction]::InputBox("Please enter the hostname of the DC you want to use as the DCPromo replication source DC",`
 "Specify DCPromo Replication Source DC?","$DefaultSourceDC") 
 $ReplSourceDC = $ReplSourceDC.Replace(" ", "")
 IF (!$ReplSourceDC ) { $ReplSourceDC = $DefaultSourceDC }

 $ReplSourceDCInfo = Get-ADDomainController -identity "$ReplSourceDC"
 $ReplSourceDCOS = $ReplSourceDCInfo.OperatingSystem

 IF ($ReplSourceDCOS -like "*2003*")
 { ## OPEN IF The discovered DC is running Windows Server 2003 *
 write-output "You have selected the DC $ReplSourceDC which is running Windows Server 2003. `r "
 write-output "This DC is now set as the replication source DC. `r "
 } ## CLOSE IF The discovered DC is running Windows Server 2003 *

 IF ($ReplSourceDCOS -like "*2008 R2*") 
 { ## OPEN IF The discovered DC is running Windows Server 2008 R2
 write-output "$ReplSourceDC is a 2008 R2 DC. This DC is now set as the replication source DC. Continuing.. `r "
 } ## CLOSE IF The discovered DC is running Windows Server 2008 R2
 } ## CLOSE IF ExplicitSourceDC Yes

#######################################
# Final Prompt before running DCPromo #
#######################################
Write-Verbose "Final Prompt before running DCPromo `r "
IF ($DCPromoReboot = "Yes") { write-output "The server will reboot automatically upon DCPromo completion. Please review the $FinalTasksFile file for additional configuration items. `r " }
IF ($DCPromoReboot = "No") { write-output "The server will NOT reboot automatically upon DCPromo completion. Please review the $FinalTasksFile file for additional configuration items. This file will automatically display. `r " }

Write-Output "Once DCPromo starts, all data displayed on screen is logged to the DCPromo log file. `r "
Write-Host "If there are any problems with the DCPromo process, please reference the DCPromo log files located in C:\Windows\Debug" -backgroundcolor DarkGreen `r
Write-Output "If you receive a TCP error please doublecheck to ensure that all unused NICs are disabled (the issue arises when there is a NIC that is unplugged `r" 

##############################
# Build DCPromo Answer File #
##############################
write-output "Building DCPromo answer file for automated DC Promotion... `r "
Write-Verbose "If the DC will be an RODC, set config data here `r "
IF ($ISRODC -match "Yes") 
 { ## OPEN IF Bracket RODC is YES
 $DCInstallType = "ReadOnlyReplica"
 $CriticalReplication = "Yes"
 } ## CLOSE IF Bracket RODC is YES

ELSE 
 { ## OPEN IF Bracket RODC is NO
 $DCInstallType = "Replica"
 $CriticalReplication = "No" 
 } ## CLOSE IF Bracket RODC is NO

Write-Verbose "Build DCPROMO unattend file for Full DC `r "
Write-Output "Building the DCPromo answer file for promotion to Domain Controller... `r "

$DCPromoFile = @"
[DCINSTALL]
UserName=*
UserDomain=$Domain
Password=*
SiteName=$ADSite
ReplicaOrNewDomain=$DCInstallType
ReplicaDomainDNSName=$Domain
DatabasePath=$LocationNTDS
LogPath=$LocationNTDSLogs
SYSVOLPath=$LocationSYSVOL
CriticalReplicationOnly=$CriticalReplication
ConfirmGc=$ISGC
RebootOnCompletion=$DCPromoReboot
SafeModeAdminPassword=$SafeModePWD
"@ 
$DCPromoFile | out-file c:\temp\dcpromo.ini -force

Write-Verbose "Add ReplicationSourceDC to DCPROMO Unattend file `r "
IF ($ExplicitSourceDC -match "Yes")
{ ## OPEN IF ISRODC Yes
Write-output @"
ReplicationSourceDC=$ReplSourceDC
"@ | out-file c:\temp\dcpromo.ini -append
 } ## CLOSE IF ISRODC Yes

Write-Verbose "Build DCPROMO unattend file for RODC `r "
IF ($ISRODC -match "Yes") 
 { ## OPEN IF ISRODC Yes
Write-output @"
PasswordReplicationDenied=Administrators
PasswordReplicationAllowed="Allowed RODC Password Replication Group"
DelegatedAdmin=
"@ | out-file c:\temp\dcpromo.ini -append
 } ## CLOSE IF ISRODC Yes

######################################
# DCPromo Install From Media Option #
######################################
Write-Verbose "Install From Media? `r "
IF ($InstallFromMedia -eq "No")
 { ## OPEN IF Statement for Install from Media (NO)
 Write-Verbose "Prompt to DCpromo `r "
 $title = "Promote Server $Computer to Domain Controller"
 $message = "Do you want to promote $Computer to Domain Controller Now?"
 $yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", "Promotes server to DC."
 $no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", "Exits the script."
 $options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
 $result = $host.ui.PromptForChoice($title, $message, $options, 0) 
 switch ($result)
 { ## OPEN Switch for DCPromo Prompt
 0 { Write-Output "You selected Yes. Running DCPromo now. Review the DCPromo log file in c:\Windows\Debug for results. `r " ; dcpromo /unattend:$DCPromoAnswerFile}
 1 { Write-Output "You selected No. `r " ; break}
 } ## CLOSE Switch for DCPromo Prompt
 } ## CLOSE IF Statement for Install from Media (NO)

ELSE
 { ## OPEN ELSE Statement for Install from Media (YES)
 #Prompt to DCpromo
 $title = "Promote Server $Computer to Domain Controller using Install From Media (IFM) option. $Computer is flagged for IFM install."
 $message = "Do you want to promote $Computer to Domain Controller using Install From Media (IFM) option Now?"
 $yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
 "Promotes server to DC with Install From Media (IFM) option."
 $no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
 "Exits the script."
 $options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
 $result = $host.ui.PromptForChoice($title, $message, $options, 0) 
 SWITCH ($result)
 { ## OPEN Switch for DCPromo Prompt
 0 { Write-Output "You selected Yes. Running DCPromo using IFM Switch `r " ; dcpromo /ADV /ReplicationSourcePath:$IFMPath /unattend:$DCPromoAnswerFile}
 1 { Write-Output "You selected No. `r " ; break}
 } ## CLOSE Switch for DCPromo Prompt
 } ## CLOSE IF Statement for Install from Media (YES)

Posted in Favorite, Microsoft Products, Powershell Code, Tech - Tagged Active Directory, Code, Configuration, DCBuild, Domain Controller, Powershell, Windows Server 2008 R2

Powershell Code: Set a Server’s Time Zone Based on the Time Zone Setting on another Server

Oct31
2011 Leave a Comment

Written by Sean Metcalf

Windows synchronizes and stores time internally in UTC (aka GMT). Configuring a time zone on the server enables the server to display time local to the location of the server. This simplifies identifying when the server may be rebooted (8pm is probably acceptable, though 9am probably is not). Furthermore, scheduled tasks run at the time based on the Time Zone offset configuration.

Time Zone configuration on computers can be tricky. Some would argue that this is probably the only time a site-based Group Policy makes sense (update Time Zone script in a GPO). However, in most situations, it isn’t that difficult to set the server’s time zone when it is installed.

Here’s a neat script that configures a local server’s time zone based on the time zone setting on another server. This saves manual entry errors and the time it takes to configure it through the GUI.

########################
# Configure Time Zone #
########################
Write-Verbose "This component will configure the Time Zone based on the Time Zone of another server `r "
Write-Verbose "Prompt for Time Zone Configuration `r "

$TZServer = [Microsoft.VisualBasic.Interaction]::InputBox("Please enter the servername which has the correct time zone information you wish to use",`
 "Get Time Zone from Server","")
$TimeZone = Get-WMIObject -class Win32_TimeZone -ComputerName $TZServer
$TZDescription = $TimeZone.Description
$TZDaylightTime = $TimeZone.DaylightName
$TZStandardTime = $TimeZone.StandardName
write-output "Timezone is now set to $TZDescription `r " 

write-output "Configuring the Time Zone [$TZStandardTime] on $Computer... `r "
$TZResult = TZUTIL /s $TZStandardTime

Posted in Microsoft Products, Powershell Code, Tech - Tagged Domain Controller, Time Zone Configuration, Windows Server

Powershell: Updating Domain Controller Directory Services Restore Mode (DSRM) Passwords

Oct27
2011 Leave a Comment

Written by Sean Metcalf

Detailed information on updating Directory Services Restore Mode (DSRM) passwords for Windows Server 2008 (R2) Domain Controllers leveraging NTDSUtil synchronize password is posted on the Directory Services Team Blog.

I put together a Powershell script that performs the following:

Discovers all the Windows 2008 & 2008 R2 Domain Controllers in the domain and creates a special DSRM account in AD with a random complex password for each of them (assuming one doesn’t already exist).
Checks the date of the last password update for each account. Each account that is past the defined threshold is added to an update DC list.
Update the password on each od the DCs in the update DC list.
Use Powershell remoting to synchronize each of the DCs on the update DC list with the associated DC DSRM account in AD.

Note that this script creates one AD account per Domain Controller. This provides a simple solution for dealing with RODCs in the environment. Some may consider this overkill, but it also provides a simple method for tracking per DC DSRM password updates. Powershell Remoting must be enabled on all 2008 DCs for this to work.

The script uses Powershell remoting to run the ntdsutil command to synchronize the local DC DSRM password with the associated DC DSRM account the script created in Active Directory:
ntdsutil “set dsrm password” “sync from domain account <DCDSRMAccount>” q q

While I don’t often include a complete script solution, this seems to fit the bill.

Download the Powershell script: Update-DSRMp.txt

<# 
.SYNOPSIS
 NAME: Update-DSRMp.ps1
 This script creates & updates Active Directory with user accounts with which DCs running Windows 2008 
 synchronize their DSRM passwords.

.DESCRIPTION
 This script creates & updates Active Directory with user accounts with which DCs running Windows 2008 
 synchronize their DSRM passwords.

 This process is performed in the following stages:

 1. Enumerate all DCs in the AD forest. Identify Widnows 2008 DCs.
 2. Ensure there are special AD DSRM accounts for every DC (<DCName>DSRM). If a DC does not have a respective account, create it.
 3. Loop through all AD DSRM accounts and generate a random, complex, unique, 30-character password (default) and if the 
 account has not had the password updated in 90 days (default), update the AD DSRM account password.
 4. After checking the AD DSRM accounts exist and have recent passwords, connect to each DC and have the DC synchronize
 its (local) DSRM password with the respective AD DSRM account password.
 5. Log the DSRM password list to a secure location retaining history of older DSRM password lists. 

 NOTE: This script MUST be run on a Domain Controller.

.PARAMETER MaxPasswordAge
 This parameter sets when the DSRM password must be changed.
 DEFAULT: 60 (days)
 Example: Update-DSRMp.ps1 -MaxPasswordAge 90 

.PARAMETER PasswordLength
 This parameter configures how long the DSRM password should be.
 DEFAULT: 30 (characters)
 Example: Update-DSRMp.ps1 -PasswordLength 20 

.PARAMETER ForceUpdate
 By default the script will only perform a password change on the DSRM account if the 
 account password hasn't been updated within a predetermined threshold. 
 Using ForceUpdate forces an update on all account passwords.
 Example: Update-DSRMp.ps1 -ForceUpdate 

.PARAMETER Verbose
 Use this parameter to have the script provide additional detail regarding processing.
 Example: Update-DSRMp.ps1 -Verbose 

.PARAMETER Debug
 Use this parameter to have the script provide additional debug detail regarding processing.
 Example: Update-DSRMp.ps1 -Debug 

.EXAMPLE
 Update-DSRMp.ps1 -example 

.NOTES
 NAME: Update-DSRMp.ps1
 AUTHOR: Sean Metcalf 
 AUTHOR EMAIL: Sean Metcalf @t Metcorp Consulting [dot} com
 CREATION DATE: 10/04/2010
 LAST MODIFIED DATE: 10/26/2011
 LAST MODIFIED BY: Sean Metcalf
 INTERNAL VERSION: 01.11.10.26.19
 RELEASE VERSION: 2.0.1

#>
# This Powershell script leverages some features only available with Powershell version 2.0.
# As such, there is no guarantee it will work with earlier versions of Powershell.
# Requires -Version 2.0

#####################
# Script Parameters #
##################### 

Param 
 (
 [int]$PasswordLength = 30,
 [int]$MaxPasswordAge = 60,
 [switch]$ForceUpdate,
 [switch]$Verbose,
 [switch]$Debug
 )

############################
# Configure Script Options #
############################
Write-Output "" `r
Write-Output "Reading configured script options..." `r
Write-Output "" `r

Switch ($Verbose) 
 { ## OPEN Switch Verbose
 $True { $VerbosePreference = "Continue" ; Write-Output "Script logging is set to verbose." `r }
 $False { $VerbosePreference = "SilentlyContinue" ; Write-Output "Script logging is set to normal logging." `r }
 } ## OPEN Switch Verbose 

Switch ($Debug) 
 { ## OPEN Switch Debug
 $True { $DebugPreference = "Continue" ; Write-Output "Script Debug logging is enabled." `r }
 $False { $DebugPreference = "SilentlyContinue" ; Write-Output "" `r }
 } ## OPEN Switch Debug 

Write-Verbose "Setting default options for script parameters... `r "
Write-Verbose "Setting Password Length to $PasswordLength characters `r "
Write-Verbose "Setting Max Password Age to $MaxPasswordAge days `r "

$DCDSRMPasswordLength = $PasswordLength 
$DateTime = Get-Date #Get date/time
$DCDSRMPassResetThreshold = $DateTime.AddDays(-$MaxPasswordAge) 

Write-Verbose "Check script parameters and based on setting configure proper script options & inform user... `r"

Switch ($ForceUpdate)
 { ## OPEN Switch ComputerType
 $True {Write-Output "Force Update is set to True. DC AD DSRM account passwords will be reset and their local DSRM accounts will be synchronized." `r} 
 $False {Write-Output "Force Update is set to False. Processing will occur normally." `r }
 } ## CLOSE Switch ComputerType

Write-Output "" `r 

###############################
# Set Environmental Variables #
###############################
# COMMON
write-output "Setting environmental variables..." `r
$CurrentComputerName = $env:ComputerName
$Computer = $env:ComputerName
$CurrentUserName = $env:UserName
$CurrentOS = $Env:os
$DomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name #Get AD Domain (lightweight & fast method)
$ADDomain = $DomainDNS 
[Reflection.Assembly]::LoadWithPartialName(“System.Web”)
$TimeVal = get-date -uformat "%Y-%m-%d-%H-%M" 
$LogDir = "C:\temp\Logs\" #Standard location for script logs
$DateTime = Get-Date #Get date/time
$Separator = "#" #Create separation line
$Sepline = $Separator * 75 #Create separation line
[ref]$a = $null # Used for IP Address Validation
IF (!(Test-Path $LogDir)) {new-item -type Directory -path $LogDir} 

# Commonly Used
$HostName = "$Computer.$DomainDNS"

# Script Specific
[int] $2008R2DCCount = 0
[int] $2008DCCount = 0
[int] $2003R2DcCount = 0
[int] $2003DcCount = 0
[int] $2000DcCount = 0
[int] $DomainRODCsCount = 0

# Script Logging
$LogFileName = "UpdateDSRMp-$TimeVal.log"
$ReportName = "DSRMPasswords-$TimeVal.txt" 
$ReportNameCSV = "DSRMPasswordsp-$TimeVal.csv" 
$LogFile = $LogDir + $LogFileName
$ReportFile = $LogDir + $ReportName
$ReportFileCSV = $LogDir + $ReportNameCSV

#Set OU Path Variables
$DSRMOULevel1 = "Accounts"
$DSRMOULevel2 = "Service"
$DSRMOUName = "DCDSRM"
$DSRMOURoot = "OU=$DSRMOULevel2,OU=$DSRMOULevel1"
$DSRMBaseOU = "OU=$DSRMOUName," + $DSRMOURoot

$DSRMAccountOU = $DSRMBaseOU 
$DSRMAccountLDAP = "LDAP://$DSRMAccountOU"
$DSRMAccountADSI = [adsi]"$DSRMAccountLDAP,$ADDomainDistinguishedName"
$DSRMAccountLDAPPath = $DSRMAccountADSI.Path
$DSRMAccountPath1 = "'" + $DSRMAccountPath + "'"

################################################
# Import Active Directory Powershell Elements #
################################################
write-output "Configuring Powershell environment..." `r
Write-Verbose "Importing Active Directory Powershell module `r"
import-module ActiveDirectory

##################
# Start Logging #
##################
# Log all configuration changes shown on the screen during run-time in a transcript file. This
# inforamtion can be used for troubleshooting if necessary
Write-Verbose "Start Logging `r"
write-output "" `r
Start-Transcript $LogFile -force
write-output "" `r

## Process Start Time
$ProcessStartTime = Get-Date
write-output "" `r
write-output "Script initialized by $CurrentUserName and started processing at $ProcessStartTime" `r
write-output "" `r

#############################################
# Get Active Directory Forest & Domain Info #
#############################################

# Get Forest Info
write-output "Gathering Active Directory Forest Information..."
Write-Verbose "Performing Get-ADForest powershell command `r"
$ADForest = Get-ADForest

$ADForestApplicationPartitions = $ADForest.ApplicationPartitions
$ADForestCrossForestReferences = $ADForest.CrossForestReferences
$ADForestDomainNamingMaster = $ADForest.DomainNamingMaster
$ADForestDomains = $ADForest.Domains
$ADForestForestMode = $ADForest.ForestMode
$ADForestGlobalCatalogs = $ADForest.GlobalCatalogs
$ADForestName = $ADForest.Name
$ADForestPartitionsContainer = $ADForest.PartitionsContainer
$ADForestRootDomain = $ADForest.RootDomain
$ADForestSchemaMaster = $ADForest.SchemaMaster
$ADForestSites = $ADForest.Sites
$ADForestSPNSuffixes = $ADForest.SPNSuffixes
$ADForestUPNSuffixes = $ADForest.UPNSuffixes

# Get Domain Info
write-output "Gathering Active Directory Domain Information..." `r
Write-Verbose "Performing Get-ADDomain powershell command `r"
$ADInfo = Get-ADDomain

$ADDomainAllowedDNSSuffixes = $ADInfo.ADDomainAllowedDNSSuffixes
$ADDomainChildDomains = $ADInfo.ChildDomains
$ADDomainUsersContainer = $ADInfo.UsersContainer
$ADDomainDeletedObjectsContainer = $ADInfo.DeletedObjectsContainer
$ADDomainDistinguishedName = $ADInfo.DistinguishedName
$ADDomainDNSRoot = $ADInfo.DNSRoot
$ADDomainDomainControllersContainer = $ADInfo.DomainControllersContainer
$ADDomainDomainMode = $ADInfo.DomainMode
$ADDomainDomainSID = $ADInfo.DomainSID
$ADDomainForeignSecurityPrincipalsContainer = $ADInfo.ForeignSecurityPrincipalsContainer
$ADDomainForest = $ADInfo.Forest
$ADDomainInfrastructureMaster = $ADInfo.InfrastructureMaster
$ADDomainLastLogonReplicationInterval = $ADInfo.LastLogonReplicationInterval
$ADDomainLinkedGroupPolicyObjects = $ADInfo.LinkedGroupPolicyObjects
$ADDomainLostAndFoundContainer = $ADInfo.LostAndFoundContainer
$ADDomainName = $ADInfo.Name
$ADDomainNetBIOSName = $ADInfo.NetBIOSName
$ADDomainObjectClass = $ADInfo.ObjectClass
$ADDomainObjectGUID = $ADInfo.ObjectGUID
$ADDomainParentDomain = $ADInfo.ParentDomain
$ADDomainPDCEmulator = $ADInfo.PDCEmulator
$ADDomainQuotasContainer = $ADInfo.QuotasContainer
$ADDomainReadOnlyReplicaDirectoryServers = $ADInfo.ReadOnlyReplicaDirectoryServers
$ADDomainReplicaDirectoryServers = $ADInfo.ReplicaDirectoryServers
$ADDomainRIDMaster = $ADInfo.RIDMaster
$ADDomainSubordinateReferences = $ADInfo.SubordinateReferences
$ADDomainSystemsContainer = $ADInfo.SystemsContainer
$ADDomainUsersContainer = $ADInfo.UsersContainer

# Display gathered Active Directory Forest & Domain Information 
Write-Verbose "Displaying data gathered from Get-ADForest and Get-ADDomain `r"

write-output "Displaying gathered Active Directory Information..." `r
write-output ""`r
write-output $SepLine `r
write-output "Active Directory Forest Name : $ADForestName" `r
IF (!$ADForestDomains) {write-output "Active Directory Forest Domains : [No Child Domains Found]" `r} 
ELSE {write-output "Active Directory Forest Domains : $ADForestDomains" `r}
write-output "Active Directory Forest Mode : $ADForestForestMode" `r
write-output "------------------------------------------------------" `r
write-output "Active Directory Domain Name : $ADDomainName" `r 
write-output "Active Directory Domain Mode : $ADDomainDomainMode" `r 
write-output "------------------------------------------------------" `r
write-output "FSMO: AD Domain Naming Master : $ADForestDomainNamingMaster" `r 
write-output "FSMO: AD Domain Schema Master : $ADForestSchemaMaster" `r 
write-output "FSMO: AD Domain PDC Master : $ADDomainPDCEmulator" `r 
write-output "FSMO: AD Domain RID Master : $ADDomainRIDMaster" `r 
write-output "FSMO: AD Domain Infrastructure Master : $ADDomainInfrastructureMaster" `r 
write-output $Sepline `r
write-output ""`r

$DomainDNS = $ADDomainDNSRoot

####################################
# Get Active Directory Information #
#################################### 

### DOMAIN DC DISCOVERY ###
# Discover Domain Controllers in AD
[array]$DomainControllers = $ADDomainReadOnlyReplicaDirectoryServers 
[array]$DomainControllers += $ADDomainReplicaDirectoryServers
$DomainControllers = $DomainControllers -Replace(".$DomainDNS","")

$DomainControllers = $DomainControllers | Get-Unique
$DomainControllers = $DomainControllers | Sort-Object

$DomainControllersCount = $DomainControllers.Count

Write-Output "Processing the following $DomainControllersCount Domain Controllers in $DOmainDNS ... `r " 

# Get DC Operating System Versions
Write-Verbose "Discovering all 2008 R2 DCs in the domain $DomainDNS ... `r "
[array] $2008R2Dcs = Get-ADDomainController -Filter { OperatingSystem -like "Windows Server 2008 R2*" }

ForEach ($DC in $2008R2Dcs)
 { ## OPEN ForEach DC in 2008Dcs
 [array] $Domain2008R2DCs += $DC.Name
 } ## CLOSE ForEach DC in 2008Dcs

$2008R2DCCount = $Domain2008R2DCs.Count
$Domain2008R2DCs = $Domain2008R2DCs | sort
Write-Verbose "Found $2008R2DCCount DCs in $DomainDNS." `r

Write-Verbose "Discovering all 2008 DCs in the domain $DomainDNS ... `r "
[array] $2008Dcs = Get-ADDomainController -Filter { (OperatingSystem -like "Windows Server 2008*") -and (OperatingSystem -notlike "Windows Server 2008 R2*") }

ForEach ($DC in $2008Dcs)
 { ## OPEN ForEach DC in 2008Dcs
 [array] $Domain2008DCs += $DC.Name
 } ## CLOSE ForEach DC in 2008Dcs

$2008DCCount = $Domain2008DCs.Count
$Domain2008DCs = $Domain2008DCs | sort
Write-Verbose "Found $2008DCCount 2008 DCs in $DomainDNS. `r "

Write-Verbose "Discovering all 2003 R2 DCs in the domain $DomainDNS ... `r "
[array] $2003R2DCsInSiteArray = Get-ADDomainController -Filter { (OperatingSystem -like "Windows Server 2003 R2*") }
ForEach ($DC in $2003R2DCsInSiteArray)
 { ## OPEN ForEach DC in 2003DCsInSiteArray
 [array] $Domain2003R2DCs += $DC.Name
 } ## CLOSE ForEach DC in 2003DCsInSiteArray

$2003R2DcCount = $Domain2003R2DCs.Count
$Domain2003R2DCs = $Domain2003R2DCs | sort
Write-Verbose "Found $2003DcCount 2003 DCs in $DomainDNS. `r "

Write-Verbose "Discovering all 2003 DCs in the domain $DomainDNS ... `r "
[array] $2003DCsInSiteArray = Get-ADDomainController -Filter { (OperatingSystem -like "Windows Server 2003*") -and (OperatingSystem -notlike "Windows Server 2003 R2*") }
ForEach ($DC in $2003DCsInSiteArray)
 { ## OPEN ForEach DC in 2003DCsInSiteArray
 [array] $Domain2003DCs += $DC.Name
 } ## CLOSE ForEach DC in 2003DCsInSiteArray

$2003DcCount = $Domain2003DCs.Count
$Domain2003DCs = $Domain2003DCs | sort
Write-Verbose "Found $2003DcCount 2003 DCs in $DomainDNS. `r "

Write-Verbose "Discovering all 2000 DCs in the domain $DomainDNS ... `r "
[array] $2000DCsInSiteArray = Get-ADDomainController -Filter { OperatingSystem -like "Windows 2000 Server*"}
ForEach ($DC in $2000DCsInSiteArray)
 { ## OPEN ForEach DC in 2000DCsInSiteArray
 [array] $Domain2000DCs += $DC.Name
 } ## CLOSE ForEach DC in 2000DCsInSiteArray

$2000DcCount = $Domain2000DCs.Count
$Domain2000DCs = $Domain2000DCs | sort
Write-Verbose "Found $2000DcCount 2000 DCs in $DomainDNS. `r "

write-output "Out of the $DomainControllersCount DCs in $DomainDNS: `r "
Write-Output "$DomainRODCsCount are RODCs & $DomainWritableDCsCount are writable DCs `r "
write-output "$2008R2DCCount are running Windows Server 2008 R2 `r "
write-output "$2008DCCount are running Windows Server 2008 `r "
write-output "$2003R2DcCount are running Windows Server 2003 R2 `r "
write-output "$2003DcCount are running Windows Server 2003 `r "
write-output "$2000DcCount are running Windows 2000 Server `r "

Write-Output "Building list of Windows 2008 DCs for updating `r "
$Domain2008DCsName = $Domain2008DCs + $Domain2008R2DCs 

# Set DSRM Account Path
$DSRMAccountPATH = $DSRMBaseOU +","+ $ADDomainDistinguishedName
Write-Verbose "DSRM Account path set to $DSRMAccountPATH `r "

######################
# Build Report Data #
######################

$ADReportData = 
@"

=========================================

ACTIVE DIRECTORY DSRM List
-------------------------------------
Report Generated on $DateTime by $CurrentUserName

Active Directory Forest: $ADForestName
Active Directory Domains: $ADForestDomains
Forest Functional Mode: $ADSchemaVersion

"@

################
# Check OU Path #
################
Write-Host "Checking to see if the target OU structure $DSRMAccountPATH exists..." `r
$ParentOUPath = $DSRMOURoot +","+ $ADDomainDistinguishedName
$DSRMBase1 = "OU=$DSRMOULevel1," + $ADDomainDistinguishedName

$DSRMOUCheck = test-path "AD:$DSRMAccountPATH"

IF ($DSRMOUCheck -eq $False)
 { ## OPEN IF DSRM OU doesn't exist
 Write-Host "OU structure $DSRMAccountPATH does not exist." `r
 Write-Host "Creating the OU structure for $DSRMAccountPATH ..." `r 
 New-ADOrganizationalUnit -Name $DSRMOULevel1 -Path $ADDomainDistinguishedName -ErrorAction SilentlyContinue
 New-ADOrganizationalUnit -Name $DSRMOULevel2 -Path $DSRMBase1 -ErrorAction SilentlyContinue
 New-ADOrganizationalUnit -Name $DSRMOUNAME -Path $ParentOUPath -ErrorAction SilentlyContinue
 } ## CLOSE IF DSRM OU doesn't exist
 ELSE
 { ## OPEN IF DSRM OU exists
 Write-Host "OU structure $DSRMAccountPATH does exist. Continuing..." `r
 } ## OPEN IF DSRM OU exists

$DSRMAccounts = Get-ADUser -Filter * -SearchBase $DSRMAccountPATH -Properties sAMAccountName,lastlogontimestamp -ErrorAction SilentlyContinue

#######################################
# Update AD DSRM Accounts & Passwords #
#######################################

$DSRMDescription = "This is a DC Service Account that is Disabled and is still being used. DO NOT DELETE. DO NOT MODIFY. POC: AD Team"
$DSRMUpdateRequired = $FALSE 
[array]$DCDSRMUpdateList = @()

write-host "Identifying Missing AD DSRM Accounts..." `r
ForEach ($DC in $Domain2008DCsName)
 { ## OPEN ForEACH - Read DC from $DomainControllers
 # Set the AD DSRM User Account naming template 
 $DSRMName = $DC + $DSRMOUName
 # IF there is not an AD DSRM account, create it
 TRY
 { ## OPEN TRY Check for Existing DSRM Account
 $DSRMAccountCheck = Get-ADUser $DSRMName -Properties PasswordLastSet -ErrorAction SilentlyContinue
 } ## CLOSE TRY Check for Existing DSRM Account

 CATCH
 { ## OPEN CATCH there is no Existing DSRM Account
 Write-Verbose "The account $DSRMName was not found in $DomainDNS `r "
 } ## CLOSE CATCH there is no Existing DSRM Account

 IF (!$DSRMAccountCheck)
 { ## OPEN IF - If there is not an existing account, create it 
 # Generate a random password $DCDSRMPasswordLength characters in length
 write-host "Generating $DCDSRMPasswordLength Character Random Password for AD DSRM Account..." `r
 $DSRMPass = [System.Web.Security.Membership]::GeneratePassword($DCDSRMPasswordLength,2)
 $DSRMPassword = ConvertTo-SecureString -AsPlainText $DSRMPass -Force
 # Create the AD DSRM User Accounts 
 write-host "There is no existing account for $DC ..." `r
 write-host "Creating new AD DSRM Account called $DSRMName for $DC ..." `r
 New-ADUser –name "$DSRMName" -SamAccountName "$DSRMName" -Path "$DSRMAccountPath" -DisplayName "$DSRMName" `
 -Description "$DSRMDescription" -Title "AD DC Service Account. DO NOT MODIFY." -Enabled $False -AccountPassword $DSRMPassword `
 -CannotChangePassword $True -PasswordNeverExpires $False
 ## -ChangePasswordAtLogon $False 
 $DSRMUpdateRequired = $TRUE
 write-host "Logging account information for $DC ..." `r
 $ADReportData += 
@"
 DC: $DC, Username: $DSRMName, Password: $DSRMPass

"@
 } ## CLOSE IF - If there is not an existing account, create it 
 ELSE 
 { ## OPEN ELSE IF the account already exists
 write-host "Account $DSRMName for $DC already exists. Checking Password Age to determine if update is required (ForceUpdate over-rides password age check)..." `r 
 # IF the account already exists & the password is older than $MaxPasswordAge days or ForceUpdate is Enabled, update the password 
 $DSRMPasswordLastSet = $DSRMAccountCheck.PasswordLastSet
 IF ( ($DSRMPasswordLastSet -le $DCDSRMPassResetThreshold) -or ($ForceUpdate -eq $True) ) 
 { ## OPEN IF - Only change the account password if it is older than $MaxPasswordAge days 
 # For accounts with passwords older than $MaxPasswordAge days, update the password
 # Generate a random password $DCDSRMPasswordLength characters in length
 write-host "Generating $DCDSRMPasswordLength Character Random Password for AD DSRM Account..." `r
 $DSRMPass = [System.Web.Security.Membership]::GeneratePassword($DCDSRMPasswordLength,2)
 $DSRMPassword = ConvertTo-SecureString -AsPlainText $DSRMPass -Force
 write-host "Password for account $DSRMName for $DC last changed on $DSRMPasswordLastSet which is older than $MaxPasswordAge days. Updating Password now..." `r
 Set-ADAccountPassword -Identity $DSRMName -Reset -NewPassword $DSRMPassword
 $DCDSRMUpdateList += $DC
 $DSRMUpdateRequired = $TRUE
 write-host "Logging account information for $DC ..." `r
 $ADReportData += 
@"
 DC: $DC, Username: $DSRMName, Password: $DSRMPass

"@
 } ## CLOSE IF - Only change the account password if it is older than 60 days 
 write-host "Password for account $DSRMName for $DC last changed on $DSRMPasswordLastSet which is less than $MaxPasswordAge days. Continuing..." `r 
 } ## CLOSE ELSE IF the account already exists

 } ## CLOSE ForEACH - Read DC from $DomainControllers

##################################################
# Connect to each DC to Update the DSRM Password #
##################################################
 write-host "Connecting to each DC to update DSRM passwords..." `r
 write-host ""

# This method only works if Powershell remoting is enabled...
#
# This component will connect to every DC in the $DCs list one by one and get #
# information from each DC. This is the block that does most of the work. #

 IF ($DSRMUpdateRequired -eq $TRUE) 
 { ## OPEN IF - Only have DCs pull DSRM password update if something has changed 
 write-host "Connecting to each DC to initiate synchronization of DSRM passwords..." `r
 write-host #SepLine

 IF ($ForceUpdate -Eq "True") { $DCDSRMUpdateList = $Domain2008DCsName }

 ForEach ($DC in $DCDSRMUpdateList) 
 { ## OPEN ForEach Loop every DC with a recent password update to update DSRMp

 TRY
 { $WinRMServiceCheck = Get-Service -name "WinRM" -ComputerName $DC }
 CATCH
 { Write-Output "WinRM service does not exist on $DC." `r}

 IF ($WinRMServiceCheck.Status -eq "Running")
 { ## OPEN IF - Check if WinRM service is running, if so, continue

 $ADDSRM = $ADDomainName +"\"+$DC + $DSRMOUName 
 $DCHostName = "$DC.$DomainDNS"

 #########################################
 # Update the DC's DSRM Password from AD #
 ######################################### 
 write-host "Connecting via Powershell to Remote Server: $DCHostName ..." `r
 $RemoteCommand = 'invoke-command -computer ' + $DC + ' -scriptblock { NTDSUTIL "SET DSRM PASSWORD" "SYNC FROM DOMAIN ACCOUNT ' + $ADDSRM + '" Q Q } ' 

 # Invoke-expression $RemoteCommand1 
 $NTDSResult = Invoke-expression $RemoteCommand
 write-host "Remote command sent..." `r
 write-host "" `r
 IF ($NTDSResult)
 { ## OPEN IF Command did run
 IF ($NTDSResult[2] -eq "Password has been synchronized successfully.")
 { ## OPEN IF - Command was successful
 Write-host "The DSRM Password for $DCHostName has been synchronized successfully." `r 
 } ## CLOSE IF - Command was successful
 ELSE { Write-host "An error occured and the DSRM Password has not been updated on $DCHostName." `r }
 } ## CLOSE IF Command did run
 write-host "" `r
 write-host "" `r 
 ###################################
 # Close Remote Powershell Session #
 ################################### 

 } ## CLOSE IF - Check if WinRM service is running, if so, continue
 ELSE 
 { ## OPEN ELSE - If WinRM service is not running
 Write-WARNING "$DC does not have the WinRM service enabled and running. Powershell Remoting is not possible. Run 'Enable-PSRemoting -Force' on the server." 
 } ## CLOSE ELSE - If WinRM service is not running 
 } ## CLOSE ForEach Loop every DC to update DSRMp
} ## CLOSE IF - Only have DCs pull DSRM password update if something has changed 

######################################
# Write the Data to the Report File #
######################################
write-host "Writing DSRM Report..." `r
$ADReportData | out-file $ReportFile

#################
# Stop Logging #
#################

#Stop logging the configuration changes in a transript file
Stop-Transcript

Write-output "Review the logfile $LogFile for script operation information." `r

Posted in Favorite, Microsoft Products, Powershell Code, Security, Tech - Tagged Active Directory, Automated DSRM Password Management, Code, Configuration, Directory Services Restore Mode Password, Domain Controller, DSRM, Password Management, Powershell, Read-Only Domain Controller, Windows Server 2008 R2

Microsoft Exchange Schema Update Reference Document

Oct24
2011 Leave a Comment

Written by Sean Metcalf

This is a worthy download for Active Directory support staff as well as Exchange personnel.

Microsoft’s Overview:

This download includes the Exchange Server Active Directory Schema Reference, which provides information about the changes that Microsoft Exchange Server makes to the Active Directory schema when it is installed. The Exchange Server Active Directory Schema Changes Reference includes changes made by Exchange Server 2010 SP2, Exchange Server 2010 SP1, Exchange Server 2010, Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007, and Exchange Server 2003.

http://www.microsoft.com/download/en/details.aspx?id=5401&WT.mc_id=rss_alldownloads_all

Posted in Microsoft Products, Tech - Tagged Active Directory, AD Schema, Configuration, Domain Controller, Exchange, FSMO, Microsoft Exchange Server, Schema Master, Windows Server

Powershell Commandlet: Get-ADDefaultDomainPasswordPolicy

Oct17
2011 2 Comments

Written by Sean Metcalf

I have been writing a Powershell script that gathers a ton of information about the Active Directory environment. I used the following code to get Active Directory Domain Password Policy info.

##############################
# Get Domain Password Policy #
##############################
Import-Module ActiveDirectory
Write-Verbose “Get Domain Password Policy `r”
$DomainPasswordPolicy = Get-ADDefaultDomainPasswordPolicy
Write-Output “Domain Password Policy: `r”
$DomainPasswordPolicy

Result:

ComplexityEnabled           : True
DistinguishedName           : DC=Domain,DC=com
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 7
objectClass                 : {domainDNS}
objectGuid                  : d7c3e480-f9da-6563-a71b-c13cb9f1435f
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False

Posted in Microsoft Products, Powershell Code, Tech - Tagged Active Directory, Configuration, Domain Controller, Windows Server

Posts tagged Deployment

Powershell Code: Find Non-Optimal AD Site Configuration

Windows 2008 NSPI Connection Changes

Active Directory Replication Overview & USN Rollback: What It Is & How It Happens

Microsoft Active Directory Design Guidance (IPDs)

How the Active Directory Installation Wizard Works

Powershell Script: Create Install From Media (IFM) Set for DCPromo /ADV IFM Option

Powershell Code: Create a DCPromo Unattend File Automatically with a Script

Powershell Code: Create a DCPromo Unattend File Automatically with a Script

Powershell Code: Set a Server’s Time Zone Based on the Time Zone Setting on another Server

Powershell: Updating Domain Controller Directory Services Restore Mode (DSRM) Passwords

Microsoft Exchange Schema Update Reference Document

Powershell Commandlet: Get-ADDefaultDomainPasswordPolicy

Recent Posts

Categories

Archives

Active Directory

Exchange

Microsoft Blog

Powershell

Security

SharePoint

Virtualization

VMWare

Windows Server

Posts tagged Deployment

Recent Posts

Categories

Tags

Archives

Active Directory

Exchange

Microsoft Blog

Powershell

Security

SharePoint

Virtualization

VMWare

Windows Server