Tuesday, October 18, 2011

Find Non Replicated Attributes in Active Directory

The quick hitter series is back and this entry was inspired by a colleague (thanks Funk!)

If you are querying AD you may get inaccurate results when the attribute you are querying is not replicated between domain controllers.  Two common attributes I see people having issues with are lastLogon and whenChanged.  Suppose you query one DC for lastLogon and get a value.  That value may not be accurate, because each DC records only the logons it authenticated and never replicates them, so another DC may hold a newer value.  On a side note, lastLogonTimestamp is replicated and is usually good enough for most folks, with the caveat that it is only refreshed when the stored value is roughly 9 to 14 days old, so it is an approximation rather than a precise time...but I digress.

Is there a way to find which attributes are not replicated between DCs?  The answer is yes, and there are various methods to find this information.  I once again go to the great ADFIND tool from MVP Joe Richards.  Joe was recently awarded the MVP for the 10th straight year and that is well deserved.

Adfind has a ton of great shortcuts and one of them is to find non-replicated attributes.

adfind -sc norepl cn -nodn

I only need the cn of each object and not the distinguished name, so I left the DN off with -nodn.

You can see part of the output below.  Notice the whenchanged attribute that was mentioned earlier.

The systemFlags attribute on each attributeSchema object contains the bit that defines whether the attribute is replicated.  As you can see in the link, if bit 1 (FLAG_ATTR_NOT_REPLICATED) is set on an attribute it will not be replicated.  So you could also get fancy with adfind and do a bitwise search of the schema like

adfind -schema -bit -f  "&(objectclass=attributeschema)(systemflags:AND:=1)" cn -nodn

That should give you the exact same result as the previous command; the shortcut just saves you typing the schema query.  I'd personally always go with the shortcuts...they are there to make things easier...thanks Joe :)
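The same two checks done with the ActiveDirectory PowerShell module instead of adfind, as an added example that is not part of the original post: the first function runs the schema query above with the LDAP bitwise-AND matching rule that adfind's ":AND:=" shorthand stands for, and the second shows the practical consequence for lastLogon by asking every DC and keeping the newest value.  It assumes the RSAT ActiveDirectory module and a reachable domain; 'svc-backup' is a hypothetical account name.

```powershell
# Added example (not from the original post): enumerate non-replicated attributes from the
# schema and read a per-DC attribute, lastLogon, from every DC so the newest value wins.
# Assumes the ActiveDirectory module (RSAT) and a reachable domain; 'svc-backup' is a
# hypothetical account used only to show the call.
Import-Module ActiveDirectory

# systemFlags bit 0x1 on an attributeSchema object = FLAG_ATTR_NOT_REPLICATED
$FLAG_ATTR_NOT_REPLICATED = 1

function Get-NonReplicatedAttribute {
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; it is what
    # adfind's ":AND:=" shorthand expands to.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $filter   = "(&(objectClass=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=$FLAG_ATTR_NOT_REPLICATED))"
    Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter -Properties lDAPDisplayName, systemFlags |
        Select-Object @{ n = 'Attribute';   e = { $_.lDAPDisplayName } },
                      @{ n = 'systemFlags'; e = { '0x{0:X}' -f $_.systemFlags } } |
        Sort-Object Attribute
}

function Get-TrueLastLogon {
    # lastLogon is kept independently on each DC, so the only accurate answer is the
    # maximum across all of them. DCs that cannot be reached are reported, not ignored silently.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon -ErrorAction Stop
            [pscustomobject]@{
                DC        = $dc.HostName
                LastLogon = if ($u.lastLogon) { [DateTime]::FromFileTime($u.lastLogon) } else { $null }
            }
        } catch {
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        }
    }
    $newest = $perDc | Where-Object { $_.LastLogon } | Sort-Object LastLogon -Descending | Select-Object -First 1
    [pscustomobject]@{
        SamAccountName  = $SamAccountName
        NewestLastLogon = $newest.LastLogon
        ReportedBy      = $newest.DC
        PerDC           = $perDc
    }
}

Get-NonReplicatedAttribute | Format-Table -AutoSize
$r = Get-TrueLastLogon -SamAccountName 'svc-backup'
$r.PerDC | Format-Table -AutoSize
"Newest lastLogon for $($r.SamAccountName): $($r.NewestLastLogon) (from $($r.ReportedBy))"
```

If a DC is unreachable the warning is the important part of the output: a "newest" value computed from a subset of DCs is exactly the inaccurate answer the post warns about.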

Monday, September 26, 2011

Windows Server 8 - GUI on GUI Off

Before I start I'd love to hear comments on this feature in Windows Server 8.  Do you all think it is a feature that will be widely adopted?

This entry is about a new feature in Windows Server 8.  The ability to turn on and turn off the graphical shell.

Prior to Windows 2008 there was no Windows OS that didn't feature a full GUI.  Linux folks would often criticize Windows admins for not being talented around the command line.  That was true to some extent but there are a lot of Windows admins/engineers who are comfortable around the command line but there were tasks that could only be done via the GUI or were much easier from the GUI.

In Windows 2008 a new feature was introduced called server core

The Server Core installation option is an option that you can use for installing Windows Server 2008.  A Server Core installation provides a minimal environment for running specific server roles, which reduces the maintenance and management requirements and the attack surface for those server roles.

Server core was intimidating to a lot of Windows admins not used to administrating or configuring servers from the command line.

Server Core was also available in 2008 R2, which introduced a tool called sconfig that made configuration much easier.  Other features such as PowerShell support on Server Core were also added in 2008 R2.

There was no way to convert a Server Core installation to a full installation if a feature was needed that core didn't support.  I'm not sure what the Server Core adoption rate was.  I've seen people speculate 10-15% but have not seen official numbers from Microsoft.

There are a lot of benefits to Server Core, including greatly reducing the number of reboots and patches needed.  MVP Brian McCann has an excellent blog entry on Server Core with stats.

“In some cases, customers can see up to a 60% reduction in patch requirements and the number of reboots on a monthly basis”  The stats in that entry are what back up statements such as that one.
Server core is still an option in Windows Server 8.

However for those that still are not comfortable with core there is an option to remove the GUI from a full installation of Windows 8.

As Ned Pyle pointed out in the comments of this AskDS blog, this feature is not quite Server Core, meaning these steps don't turn your server into core, but they do remove many of the GUI features.  You will no longer need to worry about admins surfing the internet from your servers.  This may end up being the preferred method for deploying Windows Server 8....time will tell.

I first noticed the Server Graphical Shell in the Features list in Windows Server 8.  I had not seen this feature in the past.

The feature can be removed by just clearing the check box in the roles and features wizard from server manager.

I've unchecked the box in order to remove the Graphical Shell.

After the server is rebooted and comes back up the GUI shell is gone.  Server manager is still available.  Things like the MetroUI are now gone.

For fun I tried to surf the net using Internet Explorer

Items like the MMC and snap-ins can still be added.  The server can also be managed remotely.

Suppose an admin later decides that they want this feature back.  It is just as easy as removing it, except this time the box is checked to add the feature.

After a reboot the GUI shell is back.

For those that prefer PowerShell this can also be done in a few lines via PowerShell

I imported the Server Manager module and viewed the features (not required)

From there it is as simple as remove-windowsfeature server-gui-shell

Adding it is just as easy...you guessed it

add-windowsfeature Server-Gui-Shell

Again I'd like to hear comments on this feature.  Was it needed since we already have server core or is this a nice middle ground that will be widely adopted?

Thanks for reading.

Wednesday, September 21, 2011

Windows Server 8 - DNS Management Console

I have to begin this post with the normal caveat that this is only the developers preview build that I'm testing with and things may change.

When I promoted my Windows Server 8 to become a domain controller I also installed DNS. As most people know AD has to have DNS in order to work. Most places use Microsoft DNS but you can also use BIND and others but I decided to stick with Microsoft.

After the DC was installed and rebooted I was able to access all the normal AD management consoles such as AD Users & Computers, Sites and Services, Domains and Trusts, AD Administrative Center and others.

I went to look at DNS and could not load the DNS management console.

I verified that the DNS feature had been installed.

I tried to add the DNS console via the MMC snap-in but it was missing.

I tried to run the dnsmgmt.msc command and again no luck

This could not be right and I had to be missing something. I decided to go look into the roles and features. Once again I verified that DNS was installed

I went into the features and looked at the Remote Server Administration Tools(RSAT) settings. I noticed that the DNS Server Tools were not checked/installed.

I checked the box to install the tools and just had to verify and install. This feature did not require a server reboot.

I once again tried to add the DNS tools via the MMC snap-in and this time voila it was there

I verified that dnsmgmt.msc would also work from the command line.

As you can see below the DNS management tools are now accessible and this is what it looks like in Windows Server 8 Developers Preview.
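The two feature changes above, the Server-Gui-Shell removal and re-add from the GUI On/GUI Off entry and the RSAT DNS tools install from this entry, as one added PowerShell example that is not part of either post.  Server-Gui-Shell and RSAT-DNS-Server are the feature names used in the posts and in Windows Server 2008 R2; the other role-to-tool pairs in $RoleTools are assumptions to confirm with Get-WindowsFeature on the build you are running.

```powershell
# Added example (not from the original posts): report and change the GUI shell state and
# find installed roles whose RSAT tools are missing, which is the state the DNS post hit
# (DNS role installed, dnsmgmt.msc absent). The $RoleTools mapping is an assumption.
Import-Module ServerManager

# Installed role name -> RSAT feature that carries its management console (assumed mapping)
$RoleTools = @{
    'DNS'                = 'RSAT-DNS-Server'
    'AD-Domain-Services' = 'RSAT-ADDS'
    'DHCP'               = 'RSAT-DHCP'
}

function Get-MissingRoleTools {
    # Return each role that is installed while its management tools are not.
    foreach ($role in $RoleTools.Keys) {
        $r = Get-WindowsFeature -Name $role            -ErrorAction SilentlyContinue
        $t = Get-WindowsFeature -Name $RoleTools[$role] -ErrorAction SilentlyContinue
        if ($r -and $r.Installed -and $t -and -not $t.Installed) {
            [pscustomobject]@{ Role = $role; Tools = $t.Name }
        }
    }
}

function Set-GuiShell {
    # $Enabled $false removes Server-Gui-Shell, $true adds it back. Either direction needs
    # a reboot; -Restart lets the cmdlet do it immediately.
    param([Parameter(Mandatory)][bool]$Enabled, [switch]$Restart)
    $shell = Get-WindowsFeature -Name Server-Gui-Shell
    if ($shell.Installed -eq $Enabled) {
        Write-Host "Server-Gui-Shell is already $(if ($Enabled) { 'installed' } else { 'removed' })"
        return
    }
    if ($Enabled) { Add-WindowsFeature    -Name Server-Gui-Shell -Restart:$Restart }
    else          { Remove-WindowsFeature -Name Server-Gui-Shell -Restart:$Restart }
}

# Report the current state
Get-WindowsFeature -Name Server-Gui-Shell | Select-Object Name, Installed
$missing = @(Get-MissingRoleTools)
$missing | Format-Table -AutoSize

# Install whatever tools are missing; the RSAT DNS tools did not need a reboot in the post
if ($missing.Count) { Add-WindowsFeature -Name ($missing | ForEach-Object { $_.Tools }) }

# Remove the shell (reboot when convenient), and later restore it with an immediate reboot:
# Set-GuiShell -Enabled $false
# Set-GuiShell -Enabled $true -Restart
```

Run the report first on a freshly promoted DC: the DNS post shows that promoting a DC with DNS installs the role but not necessarily its console, and the same check catches any other role in the mapping.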

Tuesday, September 20, 2011

Windows Server 8 - Schema Version Quick Hitter


After being put on ice the quick hitter series is back.

I downloaded one of my favorite active directory tools called ADFIND from MVP Joe Richards

So far adfind seems to work great with Windows Server 8. I have not tested every switch but so far so good.

I really like the adfind shortcuts and they are a great way to do things like quickly find the schema version: adfind -sc schver

As you can see the schema version in Windows Server 8 Developers Preview is 51

There are other ways to find the schema version if you don't have adfind installed. Santhosh has a good blog entry where he outlines other methods such as adsiedit and dsquery.

If you are keeping track or are asked in a trivia/interview situation, here are the AD schema versions by OS version:

Windows Server 8 Developers Preview 51
Windows 2008 R2 47
Windows 2008 44
Windows 2003 R2 31
Windows 2003 30
Windows 2000 13
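The same lookup done without adfind, as an added PowerShell example that is not part of the original post: it reads objectVersion on the schema naming context from every DC and flags any disagreement, which is what you see while a schema upgrade is still replicating.  It assumes the ActiveDirectory module; the version-to-OS pairs are the ones listed above and anything else is reported as unknown.

```powershell
# Added example (not from the original post): read the schema objectVersion from every DC and
# flag disagreement between DCs. Version-to-OS pairs come from the list in the post.
Import-Module ActiveDirectory

$SchemaVersionMap = @{
    13 = 'Windows 2000'
    30 = 'Windows 2003'
    31 = 'Windows 2003 R2'
    44 = 'Windows 2008'
    47 = 'Windows 2008 R2'
    51 = 'Windows Server 8 Developer Preview'
}

function Get-SchemaVersionPerDC {
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $schemaNC = (Get-ADRootDSE -Server $dc.HostName).schemaNamingContext
            $v = [int](Get-ADObject -Identity $schemaNC -Server $dc.HostName -Properties objectVersion -ErrorAction Stop).objectVersion
            [pscustomobject]@{
                DC            = $dc.HostName
                SchemaVersion = $v
                OS            = if ($SchemaVersionMap.ContainsKey($v)) { $SchemaVersionMap[$v] } else { 'unknown' }
            }
        } catch {
            Write-Warning "Could not read schema version from $($dc.HostName): $($_.Exception.Message)"
        }
    }
}

function Test-SchemaVersionConsistent {
    # One distinct version across all reachable DCs means the schema change has replicated everywhere
    param([object[]]$Rows)
    @($Rows | Select-Object -ExpandProperty SchemaVersion -Unique).Count -eq 1
}

$rows = @(Get-SchemaVersionPerDC)
$rows | Format-Table -AutoSize
if (-not (Test-SchemaVersionConsistent -Rows $rows)) {
    Write-Warning 'Schema version differs between DCs; check replication before relying on new schema features.'
}
```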

Friday, September 16, 2011

Windows Server 8 & VMware Workstation

In a previous post I outlined installing the Windows Server 8 Developer Preview, and all the current testing and screenshots have been done in a VirtualBox environment.

I also run VMware workstation and was running VMware workstation 7.1. I currently don't have a dedicated Hyper-V box at home but that will change in the future when I'm running Windows 8 as my desktop OS.

I tried installing Windows Server 8 on VMware 7.1

Initially it looked like it was going to start installing. Since Windows 8 was not an option I chose Windows 2008 R2 as the OS.

As you can see I also tried Windows 7 with no luck. I also tried other scenarios and they all didn't work. I figured this was a pre-beta release of Windows 8 so no big deal but I was a bit disappointed. If anyone has gotten this to work please comment.

On September 14 VMware released Workstation 8.

I decided to spend the $99 for the upgrade. Once I received the verification email I went to the download site and noticed there was only one executable for the full version and no upgrade version.

I wasn't sure if the full version would work or even let me download it.  The VMware Workstation team on Twitter was really helpful and let me know to install the full version: it would uninstall 7.1 and then install 8.0 without losing any virtual machines.  That worked fine, so now the moment of truth: would VMware Workstation 8 support the Windows Server 8 Developer Preview?

I started off with a typical install

This version still could not detect the OS, but I'm guessing that will change in future releases as Windows 8 gets close to RTM.

I chose Windows Server 2008 R2 as my guest OS.

There is no license key for this version of Windows 8 so that is left blank.

I named my machine and set the location. I just use an external drive attached via USB 3.0. I would like a better storage system but I also don't want to break the bank.

I gave myself 40 GB and finished the process of configuring the virtual machine.

After reboot I was stuck in an endless loop telling me that the product key could not be read from the answer file. This had me worried as there is no product key

The endless loop was no fun so I shut the machine down and looked at the configuration again. I noticed the floppy drive there and I definitely don't need that. I removed the floppy drive

After removal of the floppy drive the installation proceeded with no issues.

There are some features such as cloning that I like in VMware that I don't get in Virtualbox but both are adequate for testing Windows 8 right now.

Thanks to the @vmw_workstation guys for their tips.

The normal caveat applies and that is that this is still a pre-beta release of Windows 8....but have fun.

Not sure if I'll be going to VMware workstation 9 down the road. I may have all Windows 8 boxes with Hyper-V by then :)

Thursday, September 15, 2011

Windows Server 8 - Fine-Grained Password Policies


In the old days (Windows 2000 and Windows 2003) an Active Directory domain could only have one password and account lockout policy per domain for domain accounts.

The group policy with the password settings had to be linked at the domain level(common method people used was to set the policy in the default domain policy).

What options were there if you wanted a different policy for certain users or certain groups?  For example, what if you wanted service accounts to have a stricter policy?  There were not many options.  Organizations could try to create their own password filter (not recommended) or use a third party tool (not native, not cheap, and needs plenty of testing).

In some cases organizations would create a new domain because they wanted different policies. I was never involved in a new domain just for a password policy but I've heard of it happening.


Microsoft introduced a new feature in Windows 2008 called Fine Grained Password Policies (FGPP). The domain functional level has to be at Windows 2008 for this feature to work.

FGPP's allowed organizations to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of groups and users in a domain.

The link above is a step by step guide for configuring FGPP's. There are also some other good FGPP references that I refer to.

As you can see in Florian and Sean's great blog entries setting up fine-grained passwords was not the easiest thing to do. Admins had to use ADSI Edit to configure it and the entire process was not admin/user friendly.

There were some third party tools that could make this process easier but again that involved another tool.


As noted in my previous post there are a lot of improvements in Windows Server 8. Once again a feature is now exposed using the Active Directory Administrative Center (ADAC).

To start, open ADAC and navigate to the System container.  From there navigate to the Password Settings Container, right click and select New > Password Settings.

As you can see I named my Password Settings Object (PSO) and set a precedence level.  Precedence is used when multiple PSOs apply to the same user: the PSO with the lowest precedence value wins.  I'd try to limit the number of PSOs in a domain.

I've set the minimum length at 14 which is more stringent/strict compared to my normal domain policy which is 8 characters. I want the service accounts to have stronger passwords.

Next I'm going to select "Add" in the Directly Applies to box. In this example I am going to apply the PSO to a group named ServiceAccounts. I could have also selected user accounts here.

Once I'm done creating and applying the PSO to the group I can verify that the policy applies.  I navigate to my service account user that is a member of the ServiceAccounts group, right click and select "View resultant password settings".

The resultant password setting box is presented. It returns the Service Accounts PSO that I created.

There is also another option for user accounts. In ADAC you will notice a Password Settings pane.

PSOs can be directly assigned to user accounts.  I'd recommend using groups when possible, but the option is there.  Keep in mind that a PSO linked directly to a user always wins over any PSO the user gets through group membership, regardless of precedence.

So now the PSO is created and applied...but does it work?  Can I still use an 8 character password for this account?  If it worked correctly the 8 character password should no longer be accepted.  I tried a 10 character complex password.

Full success!!  It would be nice if the error message were more verbose, for example telling the user that they need a 14 character password based on the PSO settings.

One other area I think admins will continue to ask for is the ability to have a different password policy per OU (not just users and groups).  PSOs can only be applied to users and global security groups, so the usual workaround is a "shadow group" whose membership is kept in sync with the OU.

They can't get every feature into every release but this is a huge step forward. Nice job Microsoft AD Team! I think this will help organizations and now more folks will use FGPP. (just remember the domain functional level has to be at 2008 or higher)
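The same PSO built, applied and verified with the ActiveDirectory PowerShell module instead of ADAC, as an added example that is not part of the original post.  'ServiceAccounts-PSO', 'ServiceAccounts' and 'svc-test' are hypothetical names; every PSO setting is given explicitly because a Password Settings Object needs all of them populated, and the final function reproduces the 10 character password test from the post against a test account.

```powershell
# Added example (not from the original post): create a 14 character PSO for a service
# account group, read the resultant policy for a member, and prove a short password is
# rejected. Names below are hypothetical.
Import-Module ActiveDirectory

function New-ServiceAccountPso {
    param(
        [string]$Name      = 'ServiceAccounts-PSO',
        [string]$GroupName = 'ServiceAccounts',
        [int]$Precedence   = 10,    # lowest precedence value wins when several PSOs apply
        [int]$MinLength    = 14
    )
    # All settings are supplied: a PSO must carry the full set, not just the ones you care about
    $pso = New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -MinPasswordLength $MinLength -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 24 -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 10 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
        -PassThru
    # Apply to the group rather than to individual users
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $GroupName
    $pso
}

function Get-EffectivePasswordPolicy {
    # Equivalent of ADAC's "View resultant password settings". No PSO means the domain policy applies.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -ErrorAction SilentlyContinue
    if ($pso) {
        $pso | Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, LockoutThreshold
    } else {
        Get-ADDefaultDomainPasswordPolicy |
            Select-Object @{ n = 'Name'; e = { 'Default Domain Policy' } }, MinPasswordLength, ComplexityEnabled, LockoutThreshold
    }
}

function Test-PasswordRejected {
    # Try to set a candidate password on a test account. Length and complexity are enforced
    # even on an administrative reset, so a rejection here shows the PSO is in effect.
    param([Parameter(Mandatory)][string]$SamAccountName, [Parameter(Mandatory)][string]$Candidate)
    try {
        $secure = ConvertTo-SecureString $Candidate -AsPlainText -Force
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure -ErrorAction Stop
        $false
    } catch {
        Write-Host "Rejected: $($_.Exception.Message)"
        $true
    }
}

New-ServiceAccountPso | Select-Object Name, Precedence, MinPasswordLength
Get-EffectivePasswordPolicy -SamAccountName 'svc-test'
Test-PasswordRejected -SamAccountName 'svc-test' -Candidate 'Abcd1234!!'   # 10 characters, expect $true
```

Run the password test only against a throwaway account: a successful call changes the password, and the whole point is to find out whether the call succeeds.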

Also remember this is a pre-Beta release so things can change.  Having said that, Steve Ballmer said over 500,000 copies have already been downloaded....the Windows 8 buzz is on for sure :)

Wednesday, September 14, 2011

Windows Server 8 - Active Directory Recycle Bin

The active directory recycle bin was a welcome addition in 2008 R2. Prior to Windows 2008 R2 there were no easy ways to fully restore an AD object and keep all their attributes intact.

There was the system state/authoritative restore method
There was the tombstone reanimation method, which was fast but didn't restore all the attributes: a tombstone keeps only a handful of attributes, so the rest, group memberships included, had to be repopulated by hand.
There were also some third party tools that could help.

So the options were not great and recovering deleted objects could be a pain. Admins rejoiced when they first heard of the AD recycle bin. The forest functional level had to be at Windows 2008 R2 but it was a major incentive to get there.

The AD Recycle Bin had to be enabled using PowerShell (or Ldp.exe) and, natively, objects could only be restored using PowerShell or Ldp.exe; there was no GUI.  Microsoft released a good AD Recycle Bin step by step guide for 2008 R2.

Ned Pyle from the Microsoft AD team also had a great blog entry on the askds blog

The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting
Notice how to enable the feature and restore objects.

There were third party tools that put a GUI wrapper around the recycle bin but I'm referring to a native build.

So as you can see the AD Recycle Bin in 2008 R2 was a very good step forward, but it could be better.  The Microsoft AD team heard the need for improving the feature and the feature has been improved.

It gets much better in Windows Server 8. The Active Directory Administrative Center (ADAC) has a lot of improvements and one of the big ones is being able to restore objects from the GUI. Powershell still works too but this will be easier for a lot of folks.

The AD Recycle Bin can now be enabled from ADAC

It can also be enabled by right clicking the domain and enabling it there

Warning alerting the user that once the Recycle Bin is enabled it can't be disabled...no turning back.

Note: In a production Windows Server 2008 R2 domain at Microsoft, the Active Directory Recycle Bin feature increased the size of the AD DS database by an additional 15 to 20 percent of the original database size.

I'm guessing those stats are still accurate and will update the blog if I find out anything new.

Once Enable Recycle Bin is chosen and the change has replicated, the feature will work after a refresh of ADAC.

I have a test user with many attributes populated and a member of a group that I'm going to delete.

So now the user is deleted but how do I get it back. In ADAC I navigate to the Deleted Objects Node. As you can see the deleted user is there. I can right click and restore the object, restore to another location, locate parent, or view properties.

The deleted objects node in ADAC is the new hotness :)

As you can see I restored the object back to its original location and it is back with all attributes populated.
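The same workflow from PowerShell, which still works alongside the new ADAC node, as an added example that is not part of the original post: check whether the Recycle Bin is enabled, enable it (one way, as the warning above says), list deleted objects by their original name, and restore one to its original location or to another container.  It assumes the ActiveDirectory module and a forest at the 2008 R2 functional level; 'contoso.com' and 'jdoe' are hypothetical.

```powershell
# Added example (not from the original post): check, enable and use the AD Recycle Bin from
# PowerShell. 'contoso.com' and 'jdoe' are hypothetical names.
Import-Module ActiveDirectory

function Test-ADRecycleBinEnabled {
    # EnabledScopes is empty until the optional feature has been enabled for the forest
    $feature = Get-ADOptionalFeature -Filter { Name -like 'Recycle Bin Feature' }
    [bool]$feature.EnabledScopes
}

function Enable-ADRecycleBin {
    # Forest functional level must be 2008 R2 or higher. This cannot be disabled afterwards.
    param([Parameter(Mandatory)][string]$ForestDnsName)
    if (Test-ADRecycleBinEnabled) { Write-Host 'Recycle Bin already enabled'; return }
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $ForestDnsName -Confirm:$false
}

function Get-ADDeletedObject {
    # A deleted object is renamed to "<name>\0ADEL:<guid>", so "<original name>*" still matches.
    # The Deleted Objects container itself is excluded.
    param([string]$NamePattern = '*')
    $pattern = "$NamePattern*"
    Get-ADObject -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' -and name -like $pattern } `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectClass
}

function Restore-ADDeletedObject {
    # Restores to lastKnownParent by default. If that parent was deleted too, restore it first
    # or pass -TargetPath (ADAC's "restore to") so the object lands in a container that exists.
    param([Parameter(Mandatory)]$Object, [string]$TargetPath)
    if ($TargetPath) {
        return Restore-ADObject -Identity $Object.ObjectGUID -TargetPath $TargetPath -PassThru
    }
    $parentDn = $Object.lastKnownParent
    $parent = try { Get-ADObject -Identity $parentDn -ErrorAction Stop } catch { $null }
    if (-not $parent) {
        throw "Original parent $parentDn no longer exists; restore it first or pass -TargetPath"
    }
    Restore-ADObject -Identity $Object.ObjectGUID -PassThru
}

if (-not (Test-ADRecycleBinEnabled)) { Enable-ADRecycleBin -ForestDnsName 'contoso.com' }

$deleted = @(Get-ADDeletedObject -NamePattern 'jdoe')
$deleted | Format-Table Name, ObjectClass, lastKnownParent, whenChanged -AutoSize

$user = $deleted | Where-Object { $_.ObjectClass -eq 'user' } | Select-Object -First 1
if ($user) {
    $restored = Restore-ADDeletedObject -Object $user
    # Group membership survives a Recycle Bin restore, unlike a tombstone reanimation
    Get-ADUser -Identity $restored.ObjectGUID -Properties memberOf | Select-Object Name, DistinguishedName, memberOf
}
```

The parent check matters in the scenario the post describes (VIP account deleted in a hurry): if an entire OU was removed, restore the OU object before its children, or the child restore fails because lastKnownParent no longer exists.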

Anyone who has been in a pressure filled situation trying to get a user or object back in a hurry (especially if a VIP is involved) will really like this.

There will be follow ups to this post about other new features in ADAC and other test scenarios. Job well done Microsoft AD Team!!