Friday, March 30, 2012

Active Directory Administrative Center Twitter Question

I recently saw a question on Twitter about the Active Directory Administrative Center (ADAC)

Twitter is a site everyone knows but more and more it is a great place for tech information and sharing in the community.  There are a lot of good tweets on Active Directory and links to information.  There is also a fair amount of spam/bad links.  Those are usually easy to spot though (picture is a "sexy" model for example)

Thanks a lot to @SamErde for letting me use his post for this blog.





ADAC was released with Windows 2008 R2.  It has gained some traction but currently it is definitely still not the GUI tool of choice for Active Directory Administration.  AD Users & Computers still wins but that may change in Windows 8 when features like the AD Recycle Bin and Fine-Grained Passwords are brought into ADAC giving both of those features a much needed GUI.

In order to truly test I created three forests in my lab and created a forest trusts between the first forest and the other two forests.  I did see TechNet articles that this could be done but I like to verify.





I'm not just a blogger I also work in this world and I know setting up the trusts can be a pain.  You have to have proper ports open  That is often easier said than done.  Become friends with the firewall admins :)   You also need to ensure that name resolution is working.  I used conditional forwarders to resolve the domain names in DNS.  Stub zones and secondary zones would also work.

There are a lot of posts and resources about setting up trusts.  If you run into issues look at the basics first
  • For potential port blockages tools like telnet, portqry, wireshark, and netmon are really good starting points.
  • For DNS issues nslookup is a good place to start troubleshooting.  (wireshark/netmon are good there too)



At this point the forest trusts have been setup and the two way trusts are functional.   The first thing we need to do is to try and add one of the other domains in ADAC.


Add Navigation Nodes in ADAC - Windows Server 2008 R2



Add Navigation Nodes in ADAC - Windows Server 8 Beta


I added the screenshot from a Windows Server 8 Beta box just to show that the location for adding the Navigation Nodes has changed.

I'm going to use Windows 2008 R2 for the rest of the examples.   I select add navigation nodes from there I can add another domain.  

Adding domain in another forest to ADAC via Navigation Node

Once I add the domain from the trusted forest I can now see it in ADAC

Remote domain from trusted forest now appears in ADAC

That is great but what does that really get me?  I am able to view objects in the remote domain due to the default nature of AD allowing read access to most objects.

I'm not able to make any changes which is a good thing.  The fact that the forest trust exists doesn't give any rights to administer the remote domain.

Notice in the screenshot below, I attempt to update/edit a user in the remote forest/domain.  I'm unable to make any changes but can read his info.

Attempting to update a user 

Without any rights I can't really do much.  In this case I want the same account to be able the objects in both forests.

There are several options here but I added my admin account into the Built-In Administrators group in the remote domain.


My admin account has been added into the Administrators group in the remote domain


After the addition has replicated I then try to update the user account from ADAC again.  This time you will notice that the fields are not grayed out and I can make changes.



Wishlist:  I would like the ability to add another domain in the navigation node but also specify alternate credentials when I do that.  That would be handy if an admin has a separate admin account in the remote forest/domain.   I'm still researching that and will update the blog if I find something.

There is a good article about ADAC on TechNet that is worth reading.  

What are your thoughts on ADAC.  For those at 2008 R2 is it gaining traction in your environments?


Thursday, March 22, 2012

LastLogonTimestamp for Group Members

I was recently working in a secure environment and one of the issues was way too many domain admin accounts.  This is not a problem just in secure environment.  I've yet to encounter a federal organization that does an outstanding job of limiting the number of domain admins.  I've seen Joe Richards write about working at a Fortune 5 company where they ran with less than 5 domain administrators.  More and more organizations are trying to limit domain admins.  I doubt we will ever get to a point where less than five is the norm but things are getting better...slowly but surely.

The first step the security team took was to identify members of the domain admin group and the last time they logged in.  This is a good initial step to remove those that haven't logged on or used their accounts.  If someone hasn't used their domain admin account in 120 days or longer then I would question if they need the account.

Some folks on the security team were manually going and using a box that had the additional account info tab from the acctinfo.dll.  They were then looking at lastlogon box within the tab and manually entering that into a spreadsheet.  I knew there were easier ways to do this so I stepped in to help out.

For this exercise I keyed off the LastLogonTimeStamp (LLTS) The lastlogontimestamp can be off by 9-14 days.  The link to the askds blog entry on LLTS does a great job of explaining it.  If 9-14 days is not acceptable then you would have to query lastlogon on every DC.  Lastlogon does not replicate and that is why every DC would have to be queried.

For the examples I'm in my lab domain which is mkw2k8R2.com and I only have three users in the domain admin group.  I've only logged in with one of those users.

Method 1 - Using ADFIND

Regular blog users will not be surprised to find out that I used adfind from Joe Richards for method 1.  

adfind -default -f "memberof=cn=domain admins,cn=users,dc=mydomain,dc=mysuffix" samaccountname lastlogontimestamp -tdc -nodn -csv 


Method 2 - Using Quest AD Powershell Cmdlets

Many people that started with powershell and AD years ago are probably familiar with the free AD cmdlets from Quest.  

get-qaduser -memberof "domain admins" | select-object samaccountname, lastlogontimestamp


Method 3 - Using Microsoft's AD Powershell v2 Cmdlets

With the introduction of Windows 2008 R2 and Windows 7 Microsoft introduced the AD module for Windows Powershell.  There is already a lot of good information about the AD Module for Powershell so I won't go over that here.   I also admit I'm not a powershell master/guru.

get-aduser -LDAPFilter "(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" -property lastlogondate | ft samaccountname, lastlogondate


If you noticed I used lastlogondate which is not an actual AD attribute.  My friend Richard Mueller had a good writeup on lastlogondate.    See the link and Richard's answer for more info on lastlogondate which is essentially the same as lastlogontimestamp


Method 4 - Using CSVDE

CSVDE is what you call an old school tool.  Those that have been around AD for years have definitely used the tool at some point.  It was around before adfind and powershell. 


csvde -f c:\userslogon.csv -r "(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" -l samaccountname, lastllogontimestamp  


One problem with the CSVDE method is how it handles the output.   LastLogonTimeStamps are Integer8 (64-bit numbers) that CSVDE can't handle.  You will notice in methods 1-3 those tools did a good job of decoding the attribute.

Elizabeth Greene has a really good blog entry that has a formula you can use in excel to convert it into a readable date.

Notice in the screenshot the difference between the native format in cell C2 and what it looks like after I applied the formula




Method 5 - Using Repadmin

This method I first saw used in the blog from the askds team that I linked to earlier and I'll link to again here


repadmin /showattr dc1root dc=mkw2k8r2,dc=com /subtree /filter:"(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" /attrs:lastlogontimestamp



Other Methods


I really like methods 1-3 the best.  There are other methods that I have not included here but I figured five is a good start for anyone.  Some other things you might see out there


  • VBScript - Richard is the king in this category and if you want to use VBScript I recommend testing his scripts out.
  • Powershell v1 without AD cmdlets - remember when I said I was not a powershell guru yet.  I'm guessing that is something that can be done but haven't tried to do it yet.   The AD cmdlets from Microsoft and Quest both work for me so I try to stick to them.

You can use these examples and modify them if you are looking for other groups.  There are other/better ways to identify old/stale accounts in a domain if you want to do it domain wide.  More to come on that.

I'm really looking forward to hearing from readers and the community on other methods for doing this.  If there are better ways to do it in Powershell please leave a comment and I'll definitely update the blog.

Inactive Domain Admins beware....you will be removed :)

Monday, March 19, 2012

Windows Server 8 AD Cloning, Virtualization, and Snapshots Warning

Windows Server 8 Beta has a lot of nice features.  Two features that are getting a lot of buzz in the Active Directory World are the ability to easily clone domain controllers and the support to restore Active Directory using snapshots.

Using snapshots can cause USN Rollback and other problems.  Mark Ramey from the Microsoft AD team has an excellent blog entry that you can read for more info.

I added the word Warning to the title of this blog because I've seen a few blogs, posts, and articles that may lead people to believe that this can all be done with a few mouse clicks.  This is not the case, it is not hard but there are some major prerequisites and steps that people have to be aware of.

A few screenshots from my lab using VMware workstation.  These options exist in most hypervisor  products.

Cloning in VMware Workstation 8


Snapshot in VMWare Workstation 8



***WARNING***  You can't just use the GUI and start cloning and taking snapshots without causing issues in a domain/forest with multiple DCs.  You can't manually copy the virtual machine files.  VMWare workstation 8 and the current VMWare products don't support these features.

To take advantage of these features the virtualization host must support VM Generation ID.   I'm guessing by the time Windows 8 is released all major vendors will support this but that means most folks will have to upgrade their hypervisor.

Microsoft currently has two really good documents that are a must read for anyone interested in these new features

Test Lab Guide:  Demonstrate Virtualized Domain  Controller (VDC) in Windows Server "8" Beta

Understand and Troubleshoot Virtualized Domain Controller (VDC) in Windows Server "8" Beta  - written by Ned Pyle - Outstanding document!!

I won't repeat the documents but some important sections


Steps to deploy a cloned virtualized domain controller


1.       Create the customized DcCloneConfig.xml file on a source domain controller
2.       Detect incompatible programs on the source domain controller
3.       Ensure the PDC emulator runs Windows Server "8" Beta, is not the clone source, and is available
4.       Authorize the source domain controller for cloning
5.       Shutdown the source domain controller and copy its disk
6.       Create a new clone virtual machine using the copied disks
7.       Start the source and cloned domain controller, then allow cloning to occur


For those that are fans of the GUI
There is no task-oriented graphical management program for VDC cloning in Windows Server "8" Beta; the provisioning steps are performed manually or using Windows PowerShell 


 Steps to restore a DC snapshot


1.       Take snapshot of DC
2.       Create a new Group Policy
3.       Validate GP replication (SYSVOL replication)
4.       Restore DC Snapshot



You can read the the documents to get a lot more info.   Ned's document is 162 pages...Ned is the king of documentation and writing :)

As I start using this feature more and eventually use this in production in the future I hope to write more on these features.  I won't try to replicate Ned's excellent document but there is going to be more to come.

Thursday, March 15, 2012

HSPD-12 and Active Directory Domains -Documents Updated

Microsoft has updated their documentation regarding HSPD-12 Logical Access Authentication and Active Directory Domains

These documents are probably going to be more valuable to those that support federal customers in the US but they are a good read for anyone planning to deploy smart cards in their environment.

For those not familiar with HSPD-12 in a nut shell it is a mandate for federal organizations to issue common ID/Smart cards to their users.  This comes into play in the Active Directory arena as the cards are used for login using two-factor authentication/smart card login.  The two-factors in this case are:

  • Something the user has - the smart card
  • Something the user knows - PIN

Everyone has seen this referenced in the Account tab of a user in AD Users & Computers.



Those in the military or who have supported US Military customers will hear the term CAC Card used for their smart cards. Those supporting civilian agencies/.gov will hear the term PIV Card for their smart cards.

You can get the updated Microsoft documentation here:

Kurt Hudson has a good quote about the documents on the Windows PKI Blog

Included within this document are detailed steps to configure Windows Server 2008 R2 Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), Windows® 7, and Microsoft® Office 2010 to perform traditional UPN based smart card logon, explicit smart card logon (client authentication certificate mapped to multiple accounts), explicit cross-forest smart card logon and NIST SP800-78-3 compliant S/MIME email exchanges. 
Smart card/HSPD-12 adoption within agencies varies.  DoD has definitely been the leader in this space.  There are other agencies that I've been at that are also rolling but there are also those that haven't even started issuing smart cards to the majority of their users yet.   I'm not naming names here :)



Tuesday, March 13, 2012

Windows Server 8 Member Server - ADAC Recycle Bin

Windows Server 8 Beta was released a few weeks ago and I understand that many organizations may be hesitant to start deploying domain controllers.

One nice thing is that some of the new features can easily run on a member server or workstation and work fine in your current domains.  You don't need to convince anyone about a schema update or new Windows 8 Domain Controllers right now.  Enjoy the new features with no risk (I'd argue there is not a lot of risk in adding a domain controller but I understand leadership wanting to wait on domain controllers)

One of those features is the AD Recycle Bin GUI. That is a nice addition that system administrators have been asking for since 2008 R2 was released. Your forest does have to be at 2008 R2 Forest Functional Level to enable the recycle bin.

Many people enabled and used the AD Recycle Bin in 2008 R2  There are even some 3rd party tools that can help and put a GUI front end around the Recycle Bin. In my opinion the GUI in Windows Server 8 is much nicer and is definitely a reason to add a Windows Server 8 member server now.

In my lab I have a 2008 R2 (forest functional level 2008 R2) Domain Controller and a Windows Server 8 Beta member server.


Windows 2008 R2 Domain



SIDE NOTE: As you can see my test domain is named USMCThanksForYourService.mil I've heard there might be some Marines stationed in Afghanistan reading this entry so a heartfelt thanks for all you all do. It takes a lot of courage to be in the military right now and you all are on the front lines. THANK YOU!!


SIDE NOTE II:  .  Any other military members reading my blog?  Leave a comment, I'd love to hear from you.

So people don't think I'm cheating I'll first verify that the Recycle Bin is not enabled by using the powershell command Get-ADOptionalFeature -Filter {name -like "*Recycle Bin*"} If EnabledScopes is empty that indicates the Recycle Bin has not been enabled.


AD Recycle Bin not enabled

I also join the Windows Server 8 Beta machine to the domain.


Adding Windows 8 Server to the domain


Once the server is added to the USMCThanksForYourService.mil domain I have to install the Remote Server Administration Tools (RSAT) Feature for Active Directory so I can have access to the necessary AD tools and fetures.


Adding Roles and Features in Server Manager




Adding RSAT Features




Adding RSAT Features Part II


Once the RSAT tools have been installed you are ready to use Active Directory Administrative Center (ADAC) against your 2008 R2 domain.

You can enable the AD Recycle Bin from the GUI now instead of the old way using Powershell 



Selecting ADAC from Server Manager in Windows 8


Enabling the AD Recycle Bin from Windows Server 8 Member Server ADAC

AD Recycle Bin Confirmation 1

AD Recycle Bin Confirmation 2


Just want to confirm that the AD Recycle Bin has been enabled.  Notice this time the same command yielded an entry in "EnabledScopes"...success

AD Recycle Bin Enabled - Confirmation
 A quick tutorial of the new feature now that it is enabled and the member server is up and ready to go.

As you can see there is a user named Dakota Meyer who is in the group "MedalofHonor"





A young contractor was really excited and lost his mind and accidentally deleted the account.   Luckily the USMC leadership had allowed this Windows 8 Member Server and Dakota's account would be restored in a few clicks.


In ADAC Navigate to the Deleted Objects Container




Notice the deleted user is listed.  Right click on the user for Restore Options





In ADAC we confirm that the user has been successfully restored





On the 2008 R2 DC the restore is confirmed using ADUC






Windows Server 8 Beta - Schema Version - Update

I previously posted a "quick-hitter" blog about the Active Directory Schema version in Windows 8 Developers Preview.

Windows Server 8 Beta has been out for over a week now and I have a domain controller in my lab for testing.  The schema version is now 52


I once again used adfind to quickly find the schema version.



I've updated the Active Directory Schema version table below.


Windows Server 8 Beta52
Windows 2008 R247
Windows 200844
Windows 2003 R231
Windows 200330
Windows 200013


Windows Server 8 Beta and VMware Tools

I am running VMware workstation 8.0.2 build-591240 to test Windows Server 8 Beta.  I'm doing this on my Windows 7 machine.  Right now there is no Microsoft hypervisor that runs on top of Windows 7/client OS that will support a 64 bit operating system (that changes with Windows 8)

The installation of Windows Server 8 Beta went fine and I had no issues with that.  I then tried to install VMware Tools

After the installation of VMWare tools the Windows Server 8 Beta box became unresponsive and the screen was black and the VM was unusable.  I had a snapshot so I went back to that and was able to work and test.

I looked around the VMware site and found a blog entry about running Windows 8 CP in Workstation 8

That didn't really help because my issue is with Windows Server 8.  I started reading the comments and noticed that there were others having this exact issue.  Some folks suggested enabling 3D Acceleration on the VM.


I enabled the feature and then installed VMware tools again and this time the VM booted up fine.  No black/unresponsive screen.

I hope this helps others trying to install VMWare tools with Windows Server 8.

Friday, March 9, 2012

Windows Server 8 DCPromo Error - FIXED

In a previous post  I showed that there was an error if trying to set the forest and domain functional levels to Windows 8 during DCPROMO using Windows 8 Developers Preview.

Now that Windows Server 8 Beta/Consumer Release Preview has been released I tested the promotion process again.

I once again selected Windows Sever 8 for my functional levels



I am very pleased to report that I no longer receive the same error that I mentioned with Windows Server 8 Developers Preview.

After the promotion is done the Functional Levels are set to Windows Server 8




Nice job with the fix Microsoft AD Team!  

I don't have a comprehensive list of features that are dependent on Windows Server 8 functional levels (forest & domain).  When I have that list I'll post it.

Enjoy Windows Server 8 Beta!