The Sysadmins

Tips and tricks from the Sysadmins

Category: Active Directory (page 3 of 4)

ADMT Series – 2. Preparing the ADMT Machine

You should install ADMT and SQL onto a member server in the target forest. Use the ADMT service account explained in the previous post to install SQL and ADMT.

ADMT requires a preconfigured instance of SQL Server for its underlying data store, so we’ll go ahead and install SQL 2008 SP1 Express on ADMT.target.local.

Installing SQL Express 2008 SP1

SQL Express download here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=25052

1. Choose New Stand-alone installation.

2. Select Database Engine Service.

3. Accept the default named instance.


ADMT Series – 1. Preparing Active Directory

Introduction to Series

After recently using ADMT for an Active Directory migration I thought I’d write a series to document its use and to share any useful tips I found along the way. This first post will explain how to prepare the Active Directory for the migration process.

If you’ve found this blog post you’re probably already aware of what ADMT is and what it can be used for, and I’d suggest (as always) to read the documentation provided by Microsoft. The user guide for ADMT can be found here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=19188

Series Test bed

In this Series I’m going to be using 3 servers and an XP client.

Server 1 – AD1 (target domain): Server 2008 R2 domain controller in the target.local domain
Server 2 – ADMT (target domain): Server 2008 R2 member server running ADMT in the target.local domain
Server 3 – DC1 (source domain): Server 2003 domain controller in the source.local domain
Client 1 – XP (source domain): Windows XP client in the source.local domain

The goal of this series will be to migrate from the 2003 source.local Domain to the 2008 R2 target.local domain.

Preparing Active Directory

In this post we’ll look at preparing Active Directory for the migration process. There are two main things to prepare, DNS and a domain trust.

Before the domain trust can be created, both domains need to be able to resolve each other via DNS. To achieve this you can use stub zones, secondary zones or forwarders. I’ll show you how to set up forwarders below on Server 2003 and 2008 R2. When using forwarders you need to manually populate the IP(s) of the name servers you’ll be using for resolution; if for whatever reason these change, you will have to go back and change the forwarder manually. This probably isn’t an issue for most scenarios.

Setting up a Server 2008 R2 DNS Forwarder

1. Open the DNS MMC console, expand the server tree and select Conditional Forwarders. Right click and select New Conditional Forwarder.

2. Enter the other DNS domain name (the source domain in this case), then click below where it says “Click here to add” and enter the IP address of one of the DNS servers in the other domain. Press Enter. If you have multiple DNS servers in your Active Directory it’s a good idea to store the conditional forwarder in AD and replicate it accordingly.

Before the forwarder:

After the forwarder:
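The same conditional forwarder created from PowerShell, followed by the check that matters before you run the trust wizard: the DC locator SRV record of the other domain must resolve through it. This is an added example, not code from the original post. It assumes the DnsServer module (Windows Server 2012+ or RSAT; on 2008 R2 use the console steps above), that the source domain is source.local and that its DNS server is 192.168.1.10.

```powershell
# Added example, not part of the original post. Assumed values: source domain
# source.local, its DNS server 192.168.1.10. Requires the DnsServer module.
$SourceDomain = 'source.local'
$SourceDns    = '192.168.1.10'

# Store the forwarder in AD and replicate it forest-wide so every DNS server in
# the target forest learns it, instead of configuring each server by hand.
if (-not (Get-DnsServerZone -Name $SourceDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $SourceDomain `
        -MasterServers $SourceDns -ReplicationScope Forest
}

# The trust wizard finds a DC in the other domain through this SRV record.
# If this lookup fails, fix DNS first; creating the trust will not work.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$SourceDomain" -Type SRV -ErrorAction Stop
$srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object NameTarget, Port, Priority, Weight

# Resolution has to work in both directions: run the same lookup on the source
# DC for the target domain (_ldap._tcp.dc._msdcs.target.local).
```

If the forwarder already exists with a stale master IP, Get-DnsServerZone will find it and the Add call is skipped; correct the master with the console or remove and recreate the zone rather than adding a second one.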


Active Directory Health Check Script

How do I know if Active Directory is healthy?

I’m having some Active directory issues, where do I start?

I see these questions asked a lot, and talking someone through some basic troubleshooting steps without having physical/remote access can be fairly time consuming. For that reason I’ve put together a script to collect basic information about the domain controller the script is run on and about Active Directory itself, which is then written to a log file.

The log file is saved to the current user’s desktop by default. If you want to save the log file to a share you’d use:

set logfile=\\server\share\ADHealth\ADHealth.txt

So, what does it do?

System Boot Time - systeminfo | find "System Boot Time:" – Displays the boot time. Not massively helpful or directly tied to Active Directory, but still worth being aware of the last start-up time.

TCP/IP network configuration - IPCONFIG /all – Displays all current TCP/IP network configuration values. This is normally helpful to highlight any DNS server misconfiguration, for example DCs pointed at external public resolvers.

DCDIAG /a – The meat and potatoes, there’s a great article on what it actually does here: http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx. This is currently set to test all domain controllers (/a), you can get more verbose with /v, but I quite like the initial log to be succinct.

Repadmin /replsummary – Will show you an overview of any failures, and for which DC(s). http://technet.microsoft.com/en-us/library/cc835092%28v=ws.10%29.aspx

Repadmin /showrepl – This will let you know if the last replication attempts were successful. http://technet.microsoft.com/en-us/library/cc742066%28v=ws.10%29.aspx

NETDOM Query FSMO – This will return the FSMO role holders, which can be used to confirm that the role holders are still online and functioning. A good article on FSMO roles and what happens if one of them fails can be found here: https://msmvps.com/blogs/acefekay/archive/2011/01/16/active-directory-fsmo-roles-explained.aspx

Nslookup -querytype=srv _gc._tcp.%domain% – Displays all Global Catalogs.

The batch file

You can copy and paste it into your own batch file or download it from here. If you’re running it on a DC prior to Server 2008 you will need to install the Adminpak: Windows Server 2003 Service Pack 2 Administration Tools Pack (adminpak)

@Echo Off
ECHO Running AD Health Checks - Notepad will open after completion
ECHO You can share this log using http://pastie.org/pastes/new
ECHO This Command Prompt will close after you close Notepad
ECHO https://blog.thesysadmins.co.uk
set logfile=%userprofile%\Desktop\ADHealth.txt
echo You can share this log using http://pastie.org/pastes/new > %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Finds system boot time
echo System Boot Time ------------------------------------------------------------- >> %logfile%
systeminfo | find "System Boot Time:" >> %logfile%
systeminfo | find "System Up Time:" >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Displays all current TCP/IP network configuration values
echo IPCONFIG ------------------------------------------------------------- >> %logfile%
ipconfig /all >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Analyse the state of domain controllers in a forest and reports any problems to assist in troubleshooting
echo DCDIAG ------------------------------------------------------------- >> %logfile%
dcdiag /a >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM The replsummary operation quickly summarizes the replication state and relative health
echo Replsummary ------------------------------------------------------------- >> %logfile%
repadmin /replsummary >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Displays the replication partners for each directory partition on the specified domain controller
echo Showrepl ------------------------------------------------------------- >> %logfile%
repadmin /showrepl >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Query FSMO roles
echo NETDOM Query FSMO ------------------------------------------------------------- >> %logfile%
netdom query fsmo >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Query Global Catalogs
echo List Global Catalogs ------------------------------------------------------------- >> %logfile%
for /f "tokens=2" %%a in ('systeminfo ^| findstr Domain:') do set domain=%%a
nslookup -querytype=srv _gc._tcp.%domain% >> %logfile%
notepad %logfile%

Run the batch file; when it has completed, Notepad will open with the freshly created log. If you need to share this log with someone I suggest using pastie.org and pasting the (redacted) document.


You may just want to run this as a one-off when troubleshooting, or you may want to add it to a scheduled task (if so, I’d remove the notepad %logfile% line from the end). This can be useful for comparisons and to pin down when the error(s) / issues began. If your Active Directory is currently running like a dream, why not take a baseline log…

This script should give you a starting point for diagnosing some of the more common Active Directory issues. I recommend getting familiar with the tools included in the script, learning how to read and make sense of the information and to be aware of other parameters available.
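The same checks as the batch file, written in PowerShell so that a few of the results become explicit pass/fail findings instead of raw tool output to read through: DCs pointed at public resolvers, replication failures, and FSMO holders that do not answer. This is an added example, not the blog’s script. It assumes the ActiveDirectory module (Server 2008 R2 / RSAT; the Get-ADReplicationFailure step needs the Server 2012 version of the module and is skipped otherwise), that it runs on a DC, and the log path and the “DNS servers must be private addresses” rule are my own choices.

```powershell
# Added example, not the blog's batch file. Assumes the ActiveDirectory module
# and a run on a DC; log path and the private-address rule are my choices.
Import-Module ActiveDirectory
$LogFile  = Join-Path $env:USERPROFILE 'Desktop\ADHealth.txt'
$Findings = New-Object System.Collections.Generic.List[string]
$Domain   = Get-ADDomain
$Forest   = Get-ADForest

function Write-Section($Title) {
    ("`n{0} {1}" -f $Title, ('-' * 60)) | Out-File $LogFile -Append
}

"ADHealth generated {0} on {1}" -f (Get-Date), $env:COMPUTERNAME | Out-File $LogFile

# Boot time, as in the batch file's systeminfo line
Write-Section 'System Boot Time'
$os = Get-WmiObject Win32_OperatingSystem
$os.ConvertToDateTime($os.LastBootUpTime) | Out-File $LogFile -Append

# DNS client settings: a DC pointed at a public resolver is the misconfiguration
# the post calls out, so flag any IPv4 DNS server outside RFC 1918 / loopback.
Write-Section 'DNS client servers'
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
foreach ($nic in $nics) {
    foreach ($dns in @($nic.DNSServerSearchOrder)) {
        "{0}: {1}" -f $nic.Description, $dns | Out-File $LogFile -Append
        if ($dns -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)') {
            $Findings.Add("DNS server $dns on '$($nic.Description)' is not a private address")
        }
    }
}

# Raw tool output, captured exactly as the batch file does
Write-Section 'DCDIAG'
dcdiag /a | Out-File $LogFile -Append
Write-Section 'REPADMIN /replsummary'
repadmin /replsummary | Out-File $LogFile -Append

# Replication failures as objects rather than text to search through
# (cmdlet exists in the Server 2012 module; older modules skip this section)
Write-Section 'Replication failures'
if (Get-Command Get-ADReplicationFailure -ErrorAction SilentlyContinue) {
    $fail = Get-ADReplicationFailure -Target $Domain.DNSRoot -Scope Domain
    if ($fail) {
        $fail | Format-Table Server, Partner, FailureCount, LastError, FirstFailureTime -AutoSize |
            Out-File $LogFile -Append
        foreach ($f in $fail) { $Findings.Add("Replication $($f.Server) <- $($f.Partner) failing, error $($f.LastError)") }
    } else { 'None reported' | Out-File $LogFile -Append }
} else { 'Get-ADReplicationFailure not available on this module' | Out-File $LogFile -Append }

# FSMO role holders (what netdom query fsmo prints), plus whether each answers a ping
Write-Section 'FSMO role holders'
$roles = @{
    PDCEmulator          = $Domain.PDCEmulator
    RIDMaster            = $Domain.RIDMaster
    InfrastructureMaster = $Domain.InfrastructureMaster
    SchemaMaster         = $Forest.SchemaMaster
    DomainNamingMaster   = $Forest.DomainNamingMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $up = Test-Connection -ComputerName $r.Value -Count 1 -Quiet
    "{0,-22} {1}  reachable={2}" -f $r.Key, $r.Value, $up | Out-File $LogFile -Append
    if (-not $up) { $Findings.Add("$($r.Key) holder $($r.Value) did not answer a ping") }
}

# Global catalogs, via the same SRV lookup the batch file uses
Write-Section 'Global Catalogs'
nslookup -querytype=srv "_gc._tcp.$($Domain.DNSRoot)" 2>&1 | Out-File $LogFile -Append

Write-Section 'FINDINGS'
if ($Findings.Count -gt 0) { $Findings | Out-File $LogFile -Append }
else { 'No findings' | Out-File $LogFile -Append }
notepad $LogFile
```

Run it elevated on the DC in question; the FINDINGS section at the end of the log is what to read first, and the raw DCDIAG and REPADMIN output above it is there for the detail. Remove the last line for scheduled runs, as with the batch file.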

Active Directory Fine Grained Passwords with ADSI Edit

Updated post for Server 2012 FGPP

Server 2008 introduced ‘Fine Grained Passwords’ (FGPP), which allows multiple password policies in a single domain. Prior to Server 2008 there was a limitation of one per domain.

To achieve this you will need to create a PSO (password settings object) which applies at the user or security group level. There are 3rd party applications out there for this, but personally I find using ADSI Edit straightforward enough.

The domain functional level needs to be 2008 or higher.

Let’s get to it!

  • Administrative Tools – ADSI Edit
  • Actions -> Connect
  • DC=domain,DC=com
  • CN=System
  • CN=Password Settings Container
  • Right click select new -> object

adsieditpso
You’ll be presented with a set of options which are explained below.

Common-Name – Friendly name to identify the policy.
Password Settings Precedence – Think of it as a metric: if a user is covered by two PSOs (for example via two groups), the policy with the lower precedence value wins.
Password reversible encryption status – true/false. Not needed in our example, and generally bad for security.
Password History Length – How many passwords a user has to use before being allowed to return to the first.
Password Complexity Status – Password complexity, true/false.
Minimum Password Length – Minimum password length.
Minimum Password Age – Minimum time before the password can be changed. This is set in Days:Hours:Minutes:Seconds, so for 1 day you would use 1:00:00:00.
Maximum Password Age – Maximum time a password can be used. Same format, so for 90 days you would use 90:00:00:00.
Lockout Threshold – How many times the password can be entered incorrectly before the account is locked out.
Observation Window – The period over which incorrect passwords are counted. For example, with a threshold of 5 above and 00:00:20:00 here, more than 5 incorrect passwords within a 20 minute period will lock the account out.
Lockout Duration – If the account is locked out, how long it stays locked out. Same format, so for 1 hour you would use 00:01:00:00.

  • Select ‘More Attributes’
  • Select a property to view and change to ‘PSO Applies to’

Get the DN (distinguished name) from ADUC (active directory users and computers). You will need to select advanced features in the view menu at the top. Double click on the group or user this PSO will apply to, select the attribute editor tab and find the distinguishedName attribute a small distance down. Copy and paste this into the edit attribute box in ADSI edit.

We can test whether the policy has been applied by resetting a password for a user in ADUC, or by typing dsget user <DN> -effectivepso. If only dsget succeeded is returned with nothing else displayed, you went wrong somewhere, as this means the default domain password policy is still in effect. This is what you want to see:

DSGET PSO
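The same PSO built with the ActiveDirectory module instead of ADSI Edit, applied to a group and then verified, as an added example that is not part of the original post. The settings map one-to-one to the attributes listed above (the module takes the durations as TimeSpans written days.hours:minutes:seconds). It assumes the ActiveDirectory module (Server 2008 R2 / RSAT); the policy name PSO-Admins, the Domain Admins target, the test user jsmith and all values are my own choices.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module; policy name, target group, test user and values are placeholders.
Import-Module ActiveDirectory

$pso = @{
    Name                        = 'PSO-Admins'
    Precedence                  = 10             # lower value wins if two PSOs apply
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    MinPasswordLength           = 15
    MinPasswordAge              = '1.00:00:00'   # 1 day
    MaxPasswordAge              = '90.00:00:00'  # 90 days
    LockoutThreshold            = 5
    LockoutObservationWindow    = '0.00:20:00'   # 20 minutes
    LockoutDuration             = '0.01:00:00'   # 1 hour
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($pso.Name)'")) {
    New-ADFineGrainedPasswordPolicy @pso
}

# Equivalent of pasting the group's distinguishedName into 'PSO Applies to'
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects 'Domain Admins'

# Two PSOs sharing a precedence value are tie-broken by object GUID, which is
# rarely what anyone intended, so report duplicates before trusting the result.
Get-ADFineGrainedPasswordPolicy -Filter * | Group-Object Precedence |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "Precedence $($_.Name) shared by: $(($_.Group | ForEach-Object { $_.Name }) -join ', ')" }

# Verification: the resultant policy for a member of the group, the same
# information dsget user <DN> -effectivepso shows. Nothing back means the
# default domain password policy still applies to that user.
$effective = Get-ADUserResultantPasswordPolicy -Identity 'jsmith'
if ($effective) { $effective | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold }
else { Write-Warning 'No PSO applies; the default domain password policy is in effect' }
```

Group membership is evaluated the same way whether the PSO was created here or in ADSI Edit, so the resultant-policy check at the end is a fair test of either.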

Active Directory OU, User and Computer Accidental Deletion

Server 2008 has a neat feature for preventing accidental deletions. It’s enabled by default when creating a new OU, but has to be enabled manually on users and computers.

New OU

To view the status or to enable/disable this feature, head over to ADUC, view and select advanced features. Right click the OU, User or Computer, select properties and view the object tab.

ADUC Object

If you try and delete a protected item, you will be greeted with the error message “You do not have sufficient privileges to delete %object%, or this object is protected from accidental deletion.”

Error Message

This is a handy feature for those extra important users and computers, or simply to prevent silly mistakes at the OU level.
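Checking the box one object at a time does not tell you what is still unprotected, so here is an added example (not from the original post) that reports every OU, user and computer under a search base that lacks the protection and then protects the OUs in bulk. It assumes the ActiveDirectory module (Server 2008 R2 / RSAT); the search base OU=Corp,DC=target,DC=local is a placeholder.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module; the search base is a placeholder to adjust.
Import-Module ActiveDirectory
$SearchBase = 'OU=Corp,DC=target,DC=local'

# 'user' also matches computers in an LDAP objectClass filter; listing both is
# just for readability. ProtectedFromAccidentalDeletion is an extended property,
# so it has to be requested explicitly.
$objects = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
    -Filter "objectClass -eq 'organizationalUnit' -or objectClass -eq 'user' -or objectClass -eq 'computer'" `
    -Properties ProtectedFromAccidentalDeletion

$unprotected = $objects | Where-Object { -not $_.ProtectedFromAccidentalDeletion }
$unprotected | Select-Object ObjectClass, Name, DistinguishedName | Format-Table -AutoSize

# Protect every unprotected OU; drop -WhatIf once the list above looks right.
# Users and computers are left alone here: protect the important ones
# individually with Set-ADUser / Set-ADComputer and the same switch.
$unprotected | Where-Object { $_.ObjectClass -eq 'organizationalUnit' } |
    Set-ADObject -ProtectedFromAccidentalDeletion $true -WhatIf
```

Because the protection is implemented as a deny ACE on the object (and, for OUs, a deny on deleting child objects on the parent), it shows up in the report immediately after a change; no replication wait is needed when checking the DC you changed it on.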

Bulk Add Users to an AD Security Group from a CSV

Just a short post to demonstrate an easy method to bulk add objects to a security group in Active Directory using only one line of PowerShell.

To do this we’ll just need the following prerequisites:

  • PowerShell (In case you’re using a pre Win7/2008R2 platform), free download from Microsoft here.
  • Quest Powertools Active Directory Plugins, now called ‘Quest ActiveRoles Management Shell’. Also a free download, no Quest products are required for this and they can be found on the Quest site here.

Install the above. This may seem a little laborious to achieve such a simple task, however the above components are an enabler for a whole host of other Active Directory management scripts. Once installed, alter the execution policy of the computer to allow unsigned scripts to be executed* and load the Quest AD cmdlets.

set-executionpolicy unrestricted

add-PSSnapin quest.activeroles.admanagement

Next, prepare a text file (CSV) with a list of sAMAccountName values for the users in your domain you want to add to a security group. In this instance it doesn’t matter if there are any commas in the file since we are only using one column of values; ensure each username entry is on a new line.

Finally, simply import the list of users from the CSV file with the following line of PowerShell in the PowerShell console, swapping out ‘filename.csv’ with the name of your file and ‘GS-GroupName’ with the security group you wish to add users to.

Get-Content filename.csv | Add-QADGroupMember “GS-GroupName”

PowerShell should return a list of the users added to the security group like so:

* For those with a high regard for security, it is generally not advised to allow unsigned scripts to run on your computer or server, however PowerShell security is beyond the scope of this article. You can set the execution policy back to AllSigned once you are done with the following command.

Set-ExecutionPolicy AllSigned

More information for those new to PowerShell can be found on this article on MS TechNet.
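The one-liner stops at the first username that does not exist, and re-running it complains about users who are already members. The following added example (not from the original post, and using the built-in ActiveDirectory module rather than the Quest snap-in) does the same bulk add but reports unknown names instead of aborting, skips existing members, and adds the rest in one call. filename.csv and GS-GroupName are placeholders, as in the post.

```powershell
# Added example, not part of the original post. Uses the ActiveDirectory module
# (Server 2008 R2 / RSAT) instead of the Quest cmdlets; file and group names are
# placeholders.
Import-Module ActiveDirectory
$CsvPath = 'filename.csv'      # one sAMAccountName per line, as in the post
$Group   = 'GS-GroupName'

$existing = Get-ADGroupMember -Identity $Group | ForEach-Object { $_.SamAccountName }
$toAdd  = @()
$report = @()

foreach ($line in Get-Content $CsvPath) {
    $sam = $line.Trim()
    if (-not $sam) { continue }                              # blank line
    $safe = $sam -replace "'", "''"                          # quote for the filter
    $user = Get-ADUser -Filter "SamAccountName -eq '$safe'"
    if (-not $user) { $report += "$sam : not found"; continue }
    if ($existing -contains $user.SamAccountName) { $report += "$sam : already a member"; continue }
    $toAdd += $user
}

if ($toAdd.Count -gt 0) {
    # One directory write for the whole batch rather than one per user
    Add-ADGroupMember -Identity $Group -Members $toAdd -Confirm:$false
    foreach ($u in $toAdd) { $report += "$($u.SamAccountName) : added" }
}
$report
```

Keep the report: it is the only record of which accounts a given run granted membership to, which is exactly what you want to hand over when the group controls access to something sensitive.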

Active Directory User Logon Time and Date

This post explains where to look for user logon events in the event viewer and how we can write out logon events to a text file with a simple script.

Domain Controller
To view AD user logon times, set ‘Audit logon events’ to ‘Success’ in the Default Domain Controllers Policy. When a user logs on you will see Event ID 540 (2003) or Event ID 4624 (2008) in the Security log of the logon server used.

Server 2003
Event ID 540

Server 2008
EventID 4624 DC
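Pulling the 4624 events out of the Security log into a text file, as an added example that is not part of the original post. It assumes Server 2008 or later (Get-WinEvent), that the audit setting above is in place, and it runs on the logon server whose log you want; the 24-hour window and output path are my choices. Fields are read from the event XML by name rather than by position, so the script is not tied to one OS version’s field order.

```powershell
# Added example, not part of the original post. Assumes Server 2008+ and the
# 'Audit logon events: Success' setting described above; window and output
# path are my choices.
$Since   = (Get-Date).AddHours(-24)
$OutFile = Join-Path $env:USERPROFILE 'Desktop\Logons.txt'

# Readable names for the logon types that appear on a domain controller
$LogonType = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'; 7='Unlock';
                8='NetworkCleartext'; 9='NewCredentials'; 10='RemoteInteractive'; 11='CachedInteractive' }

$events = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$Since } `
    -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read EventData fields by name from the XML so the field order does not matter
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Machine accounts (name ends in $) and anonymous logons flood a DC's log;
    # drop them so the file shows people logging on
    if ($d.TargetUserName -like '*$' -or $d.TargetUserName -eq 'ANONYMOUS LOGON') { continue }

    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = $LogonType[[int]$d.LogonType]
        Source    = $d.IpAddress
        Station   = $d.WorkstationName
    }
}

$rows | Sort-Object Time | Select-Object Time, User, LogonType, Source, Station |
    Format-Table -AutoSize | Out-File $OutFile -Width 200
```

Logon type 3 (Network) entries are the bulk of what a DC records, since every share access and LDAP bind authenticates against it; filter on LogonType 2, 10 and 11 when the question is simply when a person sat down at a machine.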

