My blog about Active Directory and everything else...by Mike Kline<br />
<br />
<b>Complete Windows 2012 & 2012 R2 Documentation</b> (published 2013-12-05)<br />
<br />
I generally don't write posts that link to docs but this one is really good and I haven't seen a lot of traffic on it. Microsoft has released the entire contents of the Windows Server 2012 and Windows Server 2012 R2 sections of the TechNet Library.<br />
<br />
You can find it here:<br />
<br />
<div style="text-align: center;">
<a href="http://www.microsoft.com/en-us/download/details.aspx?id=41182"><span style="font-size: large;">Windows Server 2012 R2 and Windows Server 2012 TechNet Library documentation as a PDF</span></a></div>
<br />
<br />
<br />
From the Details:
<br />
<blockquote>
<blockquote class="tr_bq">
<i>This download is an Adobe® PDF of the entire contents of the Windows Server 2012 R2 and Windows Server 2012 section of the Microsoft TechNet Library, for the convenience of Windows Server users who have limited Internet access, or require a portable version of the Windows Server 2012 R2 and Windows Server 2012 documentation. The PDF is 116 MB, and 7,970 pages in length.</i></blockquote>
</blockquote>
<br />
That's right folks that is almost <b>8,000 pages</b>. This is not something you are going to read cover to cover quickly but it is a great reference and ctrl+F always works. I really like that the document also points you to other great sources like the <a href="http://blogs.technet.com/b/askds/">askds blog</a>. The next version will have askpfe entries as they are taking over much of the on-prem blogging these days. There is a lot of Active Directory content but there is a lot more in this document. <br />
<br />
I also posted this to reddit/sysadmin a few days ago and it received a good response. One of the comments said that we also need a similar PDF for Exchange.<br />
<br />
There are not many companies that document and provide anything this thorough so a huge thanks to all the Microsoft teams that have worked to make this happen. Anyone that has been involved in writing documents or tech writing knows that this takes a lot of time and effort.<br />
<br />
<br />
<br />
<br />
<b>Active Directory Demo Fail Club Lessons Learned</b> (published 2013-10-27)<br />
<br />
Earlier this year I was speaking at a Microsoft event in the Washington DC area (Reston, VA to be exact). During this talk I was talking about Windows Server 2012 and Active Directory. I always like to have demos during the talks so people can actually see what the features look like.<br />
<br />
In previous talks I only had a single DC and the demos always work great in that environment. This time I decided to go with multiple DCs and two domains to make it more realistic. As anyone that does live demos knows the picture below says it all. We want our demos to be smooth and to have no issues.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcXUAiWS-G-ONpFJYTGgJNot6M-EjkHR_U6A5V3alU6xEakN-RbqW77SCqzyrsVtgbMb2saQzaWLI8f1hW5N-703DjMY3fjKhIUCoz7gFebrAFwzPZkaKrLoz-C6LosVD2P5XS6NYa_5U/s1600/DemoBlog.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcXUAiWS-G-ONpFJYTGgJNot6M-EjkHR_U6A5V3alU6xEakN-RbqW77SCqzyrsVtgbMb2saQzaWLI8f1hW5N-703DjMY3fjKhIUCoz7gFebrAFwzPZkaKrLoz-C6LosVD2P5XS6NYa_5U/s320/DemoBlog.jpg" height="320" width="308" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">What Every Presenter Thinks<br />
<br /></td></tr>
</tbody></table>
I'll go over what happened and point out lessons learned (good and bad) and hopefully this will help others. I do highly recommend going out and speaking and being involved in the community. I'm not saying try for the national conferences first but there are usually local events that people can get involved with. I'm still at the regional level (DC area). <br />
<br />
My talk started and I was rolling along and had my slides working fine and showed the audience about the changes in the domain controller promotion process and that went well with no hiccups. Then I get to the <a href="http://technet.microsoft.com/en-us/library/hh831477.aspx#BKMK_recycle_bin_ui">Recycle Bin feature in 2012</a> using Active Directory Administrative Center (ADAC). My environment consisted of two 2012 domain controllers in the root domain and one DC in the child.<br />
<br />
I show the slide and then I switch to the demo to show everyone how it works since most have not seen it. The first thing I do is go into ADAC and try to enable the recycle bin. This is where the demo fail club starts.<br />
<br />
I received several errors when I tried to enable the AD recycle bin:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNU7zVcPI8ldr1N_gR7Fy-zZN6f1L6EYKlx24MJgTIMaWC2gYQzCsBkgqTab3F0YvXd_Ap4ElxfulnDcgaZzT7nHyxqOUZiwyneDCRf8iqayTnOlZRBsx8Qlk3i8xiWldNDNeYiD_mIzg/s1600/ADDS+Error1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNU7zVcPI8ldr1N_gR7Fy-zZN6f1L6EYKlx24MJgTIMaWC2gYQzCsBkgqTab3F0YvXd_Ap4ElxfulnDcgaZzT7nHyxqOUZiwyneDCRf8iqayTnOlZRBsx8Qlk3i8xiWldNDNeYiD_mIzg/s400/ADDS+Error1.jpg" height="150" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjMrp6JiG_KH06R3chGgl3LGfU7JGjtb1m97nooGCMWL8v6yYEISfFX9SUWcsG8jTF5qQY4Jtpzn7M1CN3NWcjB6J0eTuSnB050-RtFAtgNw0Ke2Q4CwiIR9OV15i-wDgK5yiC-WjgoZc/s1600/ADWS+error3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjMrp6JiG_KH06R3chGgl3LGfU7JGjtb1m97nooGCMWL8v6yYEISfFX9SUWcsG8jTF5qQY4Jtpzn7M1CN3NWcjB6J0eTuSnB050-RtFAtgNw0Ke2Q4CwiIR9OV15i-wDgK5yiC-WjgoZc/s400/ADWS+error3.jpg" height="152" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #38761d; font-size: large;"><b><u>The Good</u></b></span></div>
<div class="separator" style="clear: both; text-align: left;">
The first thing I did was take a second to look at what the errors were telling me. I calmly typed services.msc to verify the Active Directory Web Services were running. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The next thing I did was a quick netdom query fsmo. All my FSMOs were on my current DCs.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I also verified replication with repadmin.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
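The three checks described above (ADWS running, FSMO role holders, replication) can be scripted and run before a talk. This is an added example, not code from the original post; the function name Test-ADRecycleBinReadiness is hypothetical, and it assumes the ActiveDirectory module on Windows PowerShell 3.0 or later with rights to query services on the domain controllers.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. Read-only: nothing in the directory is changed.
# Assumes Windows PowerShell 3.0 or later (Get-Service -ComputerName is absent in PowerShell 7).

function Test-ADRecycleBinReadiness {
    [CmdletBinding()]
    param(
        # Forest to check; defaults to the forest of the current logon.
        [string]$ForestName = (Get-ADForest).Name
    )

    $forest  = Get-ADForest -Identity $ForestName
    $results = New-Object 'System.Collections.Generic.List[object]'
    # Small helper that appends one row to the report.
    $report  = {
        param($Check, $Target, $Status, $Detail)
        $results.Add([pscustomobject]@{
            Check = $Check; Target = $Target; Status = $Status; Detail = $Detail
        })
    }

    # Every domain controller in every domain of the forest.
    $dcs = foreach ($domainName in $forest.Domains) {
        try   { Get-ADDomainController -Filter * -Server $domainName -ErrorAction Stop }
        catch { & $report 'DC discovery' $domainName 'FAIL' $_.Exception.Message }
    }

    # Check 1 (services.msc in the post): ADWS must be running on each DC.
    $adwsUp = @{}
    foreach ($dc in $dcs) {
        $svc = Get-Service -Name ADWS -ComputerName $dc.HostName -ErrorAction SilentlyContinue
        $adwsUp[$dc.HostName] = [bool]($svc -and $svc.Status -eq 'Running')
        $status = if ($adwsUp[$dc.HostName]) { 'OK' } else { 'FAIL' }
        $detail = if ($svc) { "ADWS is $($svc.Status)" } else { 'could not query the service' }
        & $report 'ADWS service' $dc.HostName $status $detail
    }

    # Check 2 (netdom query fsmo in the post): each role holder is a known DC with ADWS up.
    $roles = [ordered]@{
        'SchemaMaster'       = $forest.SchemaMaster
        'DomainNamingMaster' = $forest.DomainNamingMaster
    }
    foreach ($domainName in $forest.Domains) {
        try {
            $domain = Get-ADDomain -Identity $domainName -Server $domainName -ErrorAction Stop
            foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
                $roles["$role ($domainName)"] = $domain.$role
            }
        } catch {
            & $report 'FSMO lookup' $domainName 'FAIL' $_.Exception.Message
        }
    }
    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        $status = if ($adwsUp[$holder]) { 'OK' } else { 'FAIL' }
        & $report "FSMO $role" $holder $status 'holder must be a reachable DC with ADWS running'
    }

    # Check 3 (repadmin in the post): no failing replication links anywhere in the forest.
    try {
        $failures = @(Get-ADReplicationFailure -Target $forest.Name -Scope Forest -ErrorAction Stop |
            Where-Object { $_.FailureCount -gt 0 })
        $status = if ($failures.Count -eq 0) { 'OK' } else { 'FAIL' }
        & $report 'Replication' $forest.Name $status "$($failures.Count) failing link(s)"
    } catch {
        & $report 'Replication' $forest.Name 'FAIL' $_.Exception.Message
    }

    # Current state of the feature the demo was trying to turn on.
    try {
        $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' `
            -Server $forest.DomainNamingMaster -ErrorAction Stop
        $enabled = (@($feature.EnabledScopes).Count -gt 0)
        $detail  = if ($enabled) { 'already enabled' } else { 'not enabled yet' }
        & $report 'Recycle Bin' $forest.Name 'INFO' $detail
    } catch {
        & $report 'Recycle Bin' $forest.Name 'FAIL' $_.Exception.Message
    }

    $results
}

# Run it and show one row per check.
Test-ADRecycleBinReadiness | Format-Table -AutoSize -Wrap
```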
<div class="separator" style="clear: both; text-align: left;">
<b><u><span style="color: #b45f06; font-size: large;">The So-So</span></u></b></div>
<div class="separator" style="clear: both; text-align: left;">
While this was going on I had a single DC/VM that I turned on. It is much harder for things to go wrong in a single DC demo environment. I've lately been staying away from this as this doesn't simulate any real production environment. I should have turned this machine on the second something went wrong or even better just had this machine on the entire time "just in case."</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><u><span style="color: red; font-size: large;">The Bad</span></u></b></div>
<div class="separator" style="clear: both; text-align: left;">
After checking the services/replication using repadmin I next went into the event logs. As I was typing <i>e..v..e..n..t..v..w..r..m..s..c</i> I knew this was a wrong move but kept doing it anyway. The audience is not there for me to go through an entire troubleshooting course. The Internet connection was spotty so what if I would have found something useful in event viewer then what? Would I have also sat there and looked it up and found a KB and taken the time to read that. You get the point, I only had limited time and this was going to take way too long.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #666666; font-size: large;"><b><u>After Action Report/Lessons Learned</u></b></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I ended up going into my single machine and showing them the features and then continued the rest of my presentation. The entire incident took less than 5 minutes but it feels a lot longer when 100 people are staring at you. Some things I learned and have used in subsequent talks:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ol>
<li>Always have a backup presentation on an external drive and even a backup laptop if possible. At a minimum a backup on a USB flash drive because if the laptop dies someone will most likely let you borrow their laptop.</li>
<li>If you encounter an error remember that these are mostly IT Pros listening to your IT pro talk so they deal with errors and issues all the time. That is the reason they hire us.</li>
<li>Don't expect to fix every issue in a few minutes; time is usually not on your side.</li>
<li>Always have a backup plan. In my case it was a backup VM. I've seen some folks just skip the planned demo.</li>
<li>Remember that you are not the first one to encounter "demo fail". Some very highly visible examples are below. The first is Bill Gates at CES 2005 and the second is Steve Jobs showing off iPhone 4 features. The point I'm making is it doesn't matter who you are; if you speak at enough events and give enough demos you will eventually join the "Demo Fail Club". It's sort of like a comedian...there is no comedian no matter how funny that has not bombed at some point.</li>
<li>The fail is usually not as bad as you think and the audience is usually forgiving and wants to see you succeed and they want to learn.</li>
<li>Microsoft has since asked me to speak at several events and I've taken these lessons learned and have yet to encounter another demo fail club...knock on wood.</li>
</ol>
<div>
<br /></div>
<div style="text-align: center;">
I'm in very good company. Gates & Jobs are also members of this club.</div>
<br />
<br />
<center>
<iframe allowfullscreen="" frameborder="0" height="344" src="//www.youtube.com/embed/K5y_Mu1vVKo" width="459"></iframe>
</center>
<br />
<br />
<center>
<iframe allowfullscreen="" frameborder="0" height="270" src="//www.youtube.com/embed/znxQOPFg2mo" width="480"></iframe>
<div>
</div>
</center>
<br />
<div>
<br /></div>
<div>
<br /></div>
<br />
<span style="color: #20124d; font-size: large;"><b><u>PostScript</u></b></span><br />
<span style="color: #20124d; font-size: large;"><b><u><br /></u></b></span>
When I got back to my desk I left my VMs on but didn't work on them. That is extremely rude in my opinion. Give the next speaker respect and listen if you are going to sit in the room. During the next break an hour later I logged on and enabled the recycle bin and of course it worked then after I gave it a few minutes.<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0xtwRvNqWjlw_ZTxJ3unSo32g-x-5-z5UTlj9LAFjxaWEdBKQw1LCkvjqysKtnZ68WcVSO508xv9iv0cldlS4WQQKiWg0JTpZOod3rGgfxUL_EQ7O-dTdp_X14R532tZWFQFYrrZWE4k/s1600/NowItWorks.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0xtwRvNqWjlw_ZTxJ3unSo32g-x-5-z5UTlj9LAFjxaWEdBKQw1LCkvjqysKtnZ68WcVSO508xv9iv0cldlS4WQQKiWg0JTpZOod3rGgfxUL_EQ7O-dTdp_X14R532tZWFQFYrrZWE4k/s400/NowItWorks.jpg" height="178" width="400" /></a></div>
<br />
<br />
<br />
<b>Active Directory Powershell Cmdlets in 2012 R2</b> (published 2013-10-22)<br />
<br />
<a href="http://blogs.technet.com/b/in_the_cloud/archive/2013/10/18/today-is-the-ga-for-the-cloud-os.aspx">Windows Server 2012 R2 was released on Oct 18, 2013</a>. Last Friday was a big day for everyone in the Microsoft community. In future blog posts I'll be going over some of the new features available for Active Directory in 2012 R2. I first want to get to know the features well before I blog about them :)<br />
<br />
One area that most Active Directory admins are familiar with is PowerShell. Not everyone is a PowerShell Expert but I'm seeing a lot of folks trying to learn PowerShell and this is definitely true in the Active Directory community.<br />
<br />
Windows 2012 R2 and Windows 8.1 introduced PowerShell version 4. This blog goes over the various versions of PowerShell and what is included for Active Directory in each version.<br />
<br />
It is also important to know that you can run various versions of the AD cmdlets against DCs with the <a href="http://technet.microsoft.com/en-us/library/dd391908(v=ws.10).aspx">Active Directory Web Services</a> running. Ashley McGlone aka <a href="https://twitter.com/GoateePFE">GoateePFE</a> has an excellent blog on <a href="http://blogs.technet.com/b/ashleymcglone/archive/2013/06/27/how-to-use-the-2012-active-directory-cmdlets-from-windows-7.aspx">how to use the PowerShell v 3.0 cmdlets from Windows 7.</a> I'd personally use a Windows 8 or 8.1 admin workstation if possible.<br />
<br />
PowerShell was known by the code name "Monad" and first shown off publicly in 2003. It has come a long way since then. In PowerShell version 1.0 there were no native Active Directory cmdlets. <a href="http://www.quest.com/powershell/activeroles-server.aspx">Quest released PowerShell cmdlets</a> that worked in version 1. The Quest cmdlets are still used today and also work in versions 2-4.<br />
<br />
Starting with PowerShell version 2 the Microsoft Active Directory team introduced a native AD module. The initial native AD module contains 76 cmdlets and deals with many common tasks that AD admins deal with including object manipulation (users, groups, computers).<br />
<br />
For this blog I'm focusing on the ActiveDirectory module and not other modules such as ADDSDeployment, DNS, and GroupPolicy that are also heavily used by AD admins.<br />
<br />
Getting the total number of AD cmdlets is a quick one liner:<br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAWvPduPOmk2v5MRHnzwS1C_39G8oyHGxSbep8Sayy2QmIk-HfXFIjH4234SoUY_2ko_n1PkaTnVwtsk0NhyphenhyphenjI7cF8cngTIXofA4GYIp4kE83K_p06JH10uUQIe-fC5g1Pk6QXa9rprK0/s1600/Get+Count.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="56" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAWvPduPOmk2v5MRHnzwS1C_39G8oyHGxSbep8Sayy2QmIk-HfXFIjH4234SoUY_2ko_n1PkaTnVwtsk0NhyphenhyphenjI7cF8cngTIXofA4GYIp4kE83K_p06JH10uUQIe-fC5g1Pk6QXa9rprK0/s640/Get+Count.jpg" width="640" /></a><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
The picture below is a snapshot of the different versions and what is included in each version. If anyone wants the slide please let me know and I'll send you the PowerPoint. <br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9pj0o20SPguIhrQBbNPA_QJRKMlxfk5OTZVNsYLe5qlAJNP_mZYfWelb-SJWKSkLZln8XxWn0yzLhCNTVxvLGe0acw41WH9UL4kOzLus3lyHjfob_f3xmZpL2_sa-pyeLK-mlCbUasuM/s1600/PowerShell+Slide+AD+Modules.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="330" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9pj0o20SPguIhrQBbNPA_QJRKMlxfk5OTZVNsYLe5qlAJNP_mZYfWelb-SJWKSkLZln8XxWn0yzLhCNTVxvLGe0acw41WH9UL4kOzLus3lyHjfob_f3xmZpL2_sa-pyeLK-mlCbUasuM/s640/PowerShell+Slide+AD+Modules.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Active Directory PowerShell Modules through the years</td></tr>
</tbody></table>
<br />
<br />
<br />
The 76 Active Directory cmdlets introduced in version 2.0 are listed below. <a href="https://twitter.com/jsnover">Jeffrey Snover</a> is the inventor of PowerShell (Thanks!). He often says his favorite cmdlet is Get-Help. I agree with that and find it very useful. For Linux types, "man" also works. I use the example switch the most but you can self-discover and learn more about any of these cmdlets. There is also a lot of great material on the web for learning PowerShell. I recommend the <a href="http://www.microsoftvirtualacademy.com/Studies/SearchResult.aspx?q=powershell#fbid=F2YoQv161RK">Microsoft Virtual Academy courses on PowerShell</a>.<br />
<br />
<br />
<br />
<br />
<br />
<center>
<style type="text/css">
table.tableizer-table {
border: 1px solid #CCC; font-family: Arial, Helvetica, sans-serif;
font-size: 14px;
}
.tableizer-table td {
padding: 4px;
margin: 3px;
border: 1px solid #ccc;
}
.tableizer-table th {
background-color: #104E8B;
color: #FFF;
font-weight: bold;
}
</style><table class="tableizer-table">
<tbody>
<tr class="tableizer-firstrow"><th>ACTIVE DIRECTORY POWERSHELL CMDLETS VERSION 2</th><th>76 TOTAL AD CMDLETS IN v2</th></tr>
<tr><td>Add-ADComputerServiceAccount</td><td>New-ADGroup</td></tr>
<tr><td>Add-ADDomainControllerPasswordReplicationPolicy</td><td>New-ADObject</td></tr>
<tr><td>Add-ADFineGrainedPasswordPolicySubject</td><td>New-ADOrganizationalUnit</td></tr>
<tr><td>Add-ADGroupMember</td><td>New-ADServiceAccount</td></tr>
<tr><td>Add-ADPrincipalGroupMembership</td><td>New-ADUser</td></tr>
<tr><td>Clear-ADAccountExpiration</td><td>Remove-ADComputer</td></tr>
<tr><td>Disable-ADAccount</td><td>Remove-ADComputerServiceAccount</td></tr>
<tr><td>Disable-ADOptionalFeature</td><td>Remove-ADDomainControllerPasswordReplicationPolicy</td></tr>
<tr><td>Enable-ADAccount</td><td>Remove-ADFineGrainedPasswordPolicy</td></tr>
<tr><td>Enable-ADOptionalFeature</td><td>Remove-ADFineGrainedPasswordPolicySubject</td></tr>
<tr><td>Get-ADAccountAuthorizationGroup</td><td>Remove-ADGroup</td></tr>
<tr><td>Get-ADAccountResultantPasswordReplicationPolicy</td><td>Remove-ADGroupMember</td></tr>
<tr><td>Get-ADComputer</td><td>Remove-ADObject</td></tr>
<tr><td>Get-ADComputerServiceAccount</td><td>Remove-ADOrganizationalUnit</td></tr>
<tr><td>Get-ADDefaultDomainPasswordPolicy</td><td>Remove-ADPrincipalGroupMembership</td></tr>
<tr><td>Get-ADDomain</td><td>Remove-ADServiceAccount</td></tr>
<tr><td>Get-ADDomainController</td><td>Remove-ADUser</td></tr>
<tr><td>Get-ADDomainControllerPasswordReplicationPolicy</td><td>Rename-ADObject</td></tr>
<tr><td>Get-ADDomainControllerPasswordReplicationPolicyUsage</td><td>Reset-ADServiceAccountPassword</td></tr>
<tr><td>Get-ADFineGrainedPasswordPolicy</td><td>Restore-ADObject</td></tr>
<tr><td>Get-ADFineGrainedPasswordPolicySubject</td><td>Search-ADAccount</td></tr>
<tr><td>Get-ADForest</td><td>Set-ADAccountControl</td></tr>
<tr><td>Get-ADGroup</td><td>Set-ADAccountExpiration</td></tr>
<tr><td>Get-ADGroupMember</td><td>Set-ADAccountPassword</td></tr>
<tr><td>Get-ADObject</td><td>Set-ADComputer</td></tr>
<tr><td>Get-ADOptionalFeature</td><td>Set-ADDefaultDomainPasswordPolicy</td></tr>
<tr><td>Get-ADOrganizationalUnit</td><td>Set-ADDomain</td></tr>
<tr><td>Get-ADPrincipalGroupMembership</td><td>Set-ADDomainMode</td></tr>
<tr><td>Get-ADRootDSE</td><td>Set-ADFineGrainedPasswordPolicy</td></tr>
<tr><td>Get-ADServiceAccount</td><td>Set-ADForest</td></tr>
<tr><td>Get-ADUser</td><td>Set-ADForestMode</td></tr>
<tr><td>Get-ADUserResultantPasswordPolicy</td><td>Set-ADGroup</td></tr>
<tr><td>Install-ADServiceAccount</td><td>Set-ADObject</td></tr>
<tr><td>Move-ADDirectoryServer</td><td>Set-ADOrganizationalUnit</td></tr>
<tr><td>Move-ADDirectoryServerOperationMasterRole</td><td>Set-ADServiceAccount</td></tr>
<tr><td>Move-ADObject</td><td>Set-ADUser</td></tr>
<tr><td>New-ADComputer</td><td>Uninstall-ADServiceAccount</td></tr>
<tr><td>New-ADFineGrainedPasswordPolicy</td><td>Unlock-ADAccount</td></tr>
</tbody></table>
</center>
<br />
<br />
<br />
<br />
An additional 59 Active Directory cmdlets were introduced with version 3.0, bringing the total to 135. As you would expect the new cmdlets in v3 are centered around the new features introduced for Active Directory in Windows Server 2012 such as <a href="http://blogs.technet.com/b/windowsserver/archive/2012/05/22/introduction-to-windows-server-2012-dynamic-access-control.aspx">Dynamic Access Control</a>.<br />
<br />
There are also new cmdlets in v3 that can be used for <a href="http://technet.microsoft.com/en-us/library/jj574216.aspx">Replication and Topology Management</a>. They are not a complete replacement for the powerful repadmin tool but they are another excellent resource for AD admins.<br />
<br />
<br />
<br />
<br />
<center>
<style type="text/css">
table.tableizer-table {
border: 1px solid #CCC; font-family: Arial, Helvetica, sans-serif;
font-size: 14px;
}
.tableizer-table td {
padding: 4px;
margin: 3px;
border: 1px solid #ccc;
}
.tableizer-table th {
background-color: #246E2F;
color: #FFF;
font-weight: bold;
}
</style><table class="tableizer-table">
<tbody>
<tr class="tableizer-firstrow"><th>59 ADDITIONAL AD CMDLETS </th><th>POWERSHELL VERSION 3.0 </th><th>135 TOTAL AD CMDLETS IN v3</th></tr>
<tr><td>Add-ADCentralAccessPolicyMember</td><td>Get-ADResourcePropertyValueType</td><td>Remove-ADReplicationSiteLinkBridge</td></tr>
<tr><td>Add-ADResourcePropertyListMember</td><td>Get-ADTrust</td><td>Remove-ADReplicationSubnet</td></tr>
<tr><td>Clear-ADClaimTransformLink</td><td>New-ADCentralAccessPolicy</td><td>Remove-ADResourceProperty</td></tr>
<tr><td>Get-ADCentralAccessPolicy</td><td>New-ADCentralAccessRule</td><td>Remove-ADResourcePropertyList</td></tr>
<tr><td>Get-ADCentralAccessRule</td><td>New-ADClaimTransformPolicy</td><td>Remove-ADResourcePropertyListMember</td></tr>
<tr><td>Get-ADClaimTransformPolicy</td><td>New-ADClaimType</td><td>Set-ADCentralAccessPolicy</td></tr>
<tr><td>Get-ADClaimType</td><td>New-ADDCCloneConfigFile</td><td>Set-ADCentralAccessRule</td></tr>
<tr><td>Get-ADDCCloningExcludedApplicationList</td><td>New-ADReplicationSite</td><td>Set-ADClaimTransformLink</td></tr>
<tr><td>Get-ADReplicationAttributeMetadata</td><td>New-ADReplicationSiteLink</td><td>Set-ADClaimTransformPolicy</td></tr>
<tr><td>Get-ADReplicationConnection</td><td>New-ADReplicationSiteLinkBridge</td><td>Set-ADClaimType</td></tr>
<tr><td>Get-ADReplicationFailure</td><td>New-ADReplicationSubnet</td><td>Set-ADReplicationConnection</td></tr>
<tr><td>Get-ADReplicationPartnerMetadata</td><td>New-ADResourceProperty</td><td>Set-ADReplicationSite</td></tr>
<tr><td>Get-ADReplicationQueueOperation</td><td>New-ADResourcePropertyList</td><td>Set-ADReplicationSiteLink</td></tr>
<tr><td>Get-ADReplicationSite</td><td>Remove-ADCentralAccessPolicy</td><td>Set-ADReplicationSiteLinkBridge</td></tr>
<tr><td>Get-ADReplicationSiteLink</td><td>Remove-ADCentralAccessPolicyMember</td><td>Set-ADReplicationSubnet</td></tr>
<tr><td>Get-ADReplicationSiteLinkBridge</td><td>Remove-ADCentralAccessRule</td><td>Set-ADResourceProperty</td></tr>
<tr><td>Get-ADReplicationSubnet</td><td>Remove-ADClaimTransformPolicy</td><td>Set-ADResourcePropertyList</td></tr>
<tr><td>Get-ADReplicationUpToDatenessVectorTable</td><td>Remove-ADClaimType</td><td>Sync-ADObject</td></tr>
<tr><td>Get-ADResourceProperty</td><td>Remove-ADReplicationSite</td><td>Test-ADServiceAccount</td></tr>
<tr><td>Get-ADResourcePropertyList</td><td>Remove-ADReplicationSiteLink</td><td></td></tr>
</tbody></table>
</center>
<br />
<br />
Windows Server 2012 R2 introduced an additional 12 AD cmdlets, bringing the total up to 147 AD cmdlets. The 12 new cmdlets are centered around <a href="http://technet.microsoft.com/en-us/library/dn408190.aspx">Authentication Policies and Authentication Policy Silos</a>. If you haven't seen them then open up the AD Admin Center on a 2012 R2 box.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdpY5CmY3fVxbuQcBuKkKY4yp7QvAMfajvn3mZfkDXxDiUxzJ8NMw4xdMBTcOSQPYvCvf8iKTSBlPtsGMO3Xx7OHMyM24TU7f-XPoddnFNFL71Ay0Lzl_VTOLDnV_uqGY5ZCz0UE5zoWY/s1600/AuthPoliciesandSilos.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="370" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdpY5CmY3fVxbuQcBuKkKY4yp7QvAMfajvn3mZfkDXxDiUxzJ8NMw4xdMBTcOSQPYvCvf8iKTSBlPtsGMO3Xx7OHMyM24TU7f-XPoddnFNFL71Ay0Lzl_VTOLDnV_uqGY5ZCz0UE5zoWY/s400/AuthPoliciesandSilos.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
I'm personally still learning about these new features myself. Authentication policies can control which hosts an account can sign into. Windows Server 2012 R2 is also being called the "CloudOS" so many of the new features are based around Azure and the cloud.<br />
<br />
<br />
<center>
<style type="text/css">
table.tableizer-table {
border: 1px solid #CCC; font-family: Arial, Helvetica, sans-serif;
font-size: 12px;
}
.tableizer-table td {
padding: 4px;
margin: 3px;
border: 1px solid #ccc;
}
.tableizer-table th {
background-color: #104E8B;
color: #FFF;
font-weight: bold;
}
</style><table class="tableizer-table">
<tbody>
<tr class="tableizer-firstrow"><th>12 ADDITIONAL AD CMDLETS</th><th>POWERSHELL VERSION 4.0</th><th>147 TOTAL AD CMDLETS IN v4</th></tr>
<tr><td>Get-ADAuthenticationPolicy</td><td>New-ADAuthenticationPolicySilo</td><td>Set-ADAccountAuthenticationPolicySilo</td></tr>
<tr><td>Get-ADAuthenticationPolicySilo</td><td>Remove-ADAuthenticationPolicy</td><td>Set-ADAuthenticationPolicy</td></tr>
<tr><td>Grant-ADAuthenticationPolicySiloAccess</td><td>Remove-ADAuthenticationPolicySilo</td><td>Set-ADAuthenticationPolicySilo</td></tr>
<tr><td>New-ADAuthenticationPolicy</td><td>Revoke-ADAuthenticationPolicySiloAccess</td><td>Show-ADAuthenticationPolicyExpression</td></tr>
</tbody></table>
</center>
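How the cmdlets in the table above fit together to restrict which hosts an account can sign in from, as an added example that is not from the original post: it creates a policy and a silo with enforcement switched off, then adds one admin user and one workstation to the silo. The function name and the silo, policy, user and computer names are hypothetical, and the example assumes the 2012 R2 ActiveDirectory module and a domain at the Windows Server 2012 R2 functional level.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. Every name below is hypothetical.
# Assumes the 2012 R2 ActiveDirectory module and a 2012 R2 domain functional level.

function New-DemoAdminSilo {
    [CmdletBinding()]
    param(
        [string]$SiloName    = 'Demo-Admin-Silo',
        [string]$PolicyName  = 'Demo-Admin-Policy',
        [string]$AdminUser   = 'adm-demo',     # sAMAccountName of the admin account
        [string]$Workstation = 'ADMINWS01'     # computer the admin may sign in from
    )

    # Fail early if either account does not exist.
    $user     = Get-ADUser     -Identity $AdminUser   -ErrorAction Stop
    $computer = Get-ADComputer -Identity $Workstation -ErrorAction Stop

    # Access-control condition in SDDL: the user's sign-in is allowed only
    # when it comes from a device that belongs to the named silo.
    $condition = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "{0}"))' -f $SiloName

    # Enforce = $false leaves the policy unenforced, so nothing is blocked yet.
    # Review the results first, then enable enforcement with the Set-* cmdlets.
    $policy = @{
        Name                          = $PolicyName
        Description                   = 'Demo: admin sign-in only from silo members'
        UserAllowedToAuthenticateFrom = $condition
        UserTGTLifetimeMins           = 240
        Enforce                       = $false
    }
    New-ADAuthenticationPolicy @policy

    # One silo that applies the same policy to users, computers and services.
    $silo = @{
        Name                         = $SiloName
        Description                  = 'Demo: admin accounts and their workstations'
        UserAuthenticationPolicy     = $PolicyName
        ComputerAuthenticationPolicy = $PolicyName
        ServiceAuthenticationPolicy  = $PolicyName
        Enforce                      = $false
    }
    New-ADAuthenticationPolicySilo @silo

    # Membership is two-sided: the silo must permit the account (Grant-...)
    # and the account must be assigned to the silo (Set-...).
    foreach ($account in $user, $computer) {
        Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $account
        Set-ADAccountAuthenticationPolicySilo  -Identity $account -AuthenticationPolicySilo $SiloName
    }

    # Read the configuration back from the directory instead of trusting the calls above.
    $attr = 'msDS-AssignedAuthNPolicySilo'
    [pscustomobject]@{
        Policy         = $PolicyName
        PolicyEnforced = (Get-ADAuthenticationPolicy     -Identity $PolicyName).Enforce
        Silo           = $SiloName
        SiloEnforced   = (Get-ADAuthenticationPolicySilo -Identity $SiloName).Enforce
        UserSilo       = (Get-ADUser     -Identity $user     -Properties $attr).$attr
        ComputerSilo   = (Get-ADComputer -Identity $computer -Properties $attr).$attr
    }
}

# Create the demo policy and silo, then list what was written.
New-DemoAdminSilo | Format-List
```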
<br />
<b>20 Years Ago - Army Boot Camp</b> (published 2013-07-08)<br />
<br />
It was 20 years ago this week that I left my home in Virginia and headed to <a href="http://www.jackson.army.mil/sites/bct/">Ft. Jackson, SC for Army boot camp</a>. I didn't know what to expect because I didn't know anyone in the Army at the time. I had a good friend in the Marines and another who had gone to the Navy around the same time but this was a new adventure.<br />
<br />
I was a very naive 19 year old leaving for boot camp. I thought I should be in college and that was the only road to success. I couldn't have been more wrong. The problem with college is that it cost money and I didn't have enough. In 1993 things were also much different. I did join after the <a href="https://en.wikipedia.org/wiki/1993_World_Trade_Center_bombing">first World Trade Center bombing</a> but we didn't have war to truly worry about. I was also involved in <a href="https://en.wikipedia.org/wiki/Implementation_Force">Operation Joint Endeavor </a> but again not the same fear of war that exists for a young person joining today. I truly admire the post 9/11 military generation. Joining during two major wars takes a lot of courage.<br />
<br />
By the way, I'm not saying school is not important; I also went to George Mason after I got out, but I would not be where I am today without my service.<br />
<br />
Looking back 20 years later it was one of the best decisions I ever made. I met some great people and the entire experience expanded my view of everything. You will often hear guys in the military talk about fighting/serving with their brothers. I can attest to that being true. In my case Daryl Penn, Todd Hurley, and Will "Big Perm" Forbes are my brothers. Todd ended up going back in and fighting post 9/11. In addition to those three guys there were countless other people. The list is way too long for this blog but a heartfelt thank you to those I served with.<br />
<br />
Everyone joins for different reasons but the military fraternity and camaraderie is something that will stay with you forever. I'm now in IT and a few years ago I got to go back to <a href="http://huachuca-www.army.mil/">Ft. Huachuca</a> for work with the Army. I had gone to MOS (job) training there and all those years later I still carry many of the lessons with me. <br />
<br />
<b>Hooah! and thanks to all that are serving or have served!</b><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSM5ZvBn-SnNZvNTDkZgSGEUKf5TyGwHGel2N-1-qyWpXhrh5iZ4DKSACSfPmbgs-JQB7gkp7P-a5GO0AVTn4DX4D7ixL794vZzaVe6lFGwBLZ7qet_Gp3KPT76uDPP9C89DhlOmKvY9E/s1600/Army1.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSM5ZvBn-SnNZvNTDkZgSGEUKf5TyGwHGel2N-1-qyWpXhrh5iZ4DKSACSfPmbgs-JQB7gkp7P-a5GO0AVTn4DX4D7ixL794vZzaVe6lFGwBLZ7qet_Gp3KPT76uDPP9C89DhlOmKvY9E/s400/Army1.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Laid back off-duty look...I wish I was that thin and in-shape now<br />
<br />
<br /></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKmBOuPLu0DfFdyOQw7OvOoJgjymUmbHv8M32_fmSlou5Of5D9ze7ohBnhmDIVl25Wz-x4PfYN5X9UVrP7_HANfM-_5ddn0n9YixDH8d0JIjU5QFWTKUnBahqzaUYmgYmzONK2L_kFXvc/s1600/MKArmy2.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKmBOuPLu0DfFdyOQw7OvOoJgjymUmbHv8M32_fmSlou5Of5D9ze7ohBnhmDIVl25Wz-x4PfYN5X9UVrP7_HANfM-_5ddn0n9YixDH8d0JIjU5QFWTKUnBahqzaUYmgYmzONK2L_kFXvc/s400/MKArmy2.jpg" width="371" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Post Gas Chamber...old school BDU </td></tr>
</tbody></table>
<br />mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com1tag:blogger.com,1999:blog-7365513794075231499.post-39448708302883518752013-07-01T07:00:00.000-07:002013-10-22T18:29:38.256-07:00Microsoft MVP Year 5 I received an email this morning letting me know that I have been renewed as a Microsoft MVP in Directory Services for the fifth year.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixRBo4efaybucf206CFxE3HS9_WavJ-41wVSLhEnobNMcmRUknVySJtkqLTEBWw4B3_NIfdoHUewkvJaRWA8XG6CF4VDKkCKmWKyokG5e0nFP2jO9-eRrS2-7bZpSU7bmgyZrQeO5VR04/s1311/MVP5.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="169" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixRBo4efaybucf206CFxE3HS9_WavJ-41wVSLhEnobNMcmRUknVySJtkqLTEBWw4B3_NIfdoHUewkvJaRWA8XG6CF4VDKkCKmWKyokG5e0nFP2jO9-eRrS2-7bZpSU7bmgyZrQeO5VR04/s640/MVP5.jpg" width="640" /></a></div>
<br />
<br />
I get excited every time I receive the award and I'm so humbled to be in such great company. The five year mark is an important mark. I'm glad that I have been able to make a contribution to the community which has helped me much more than I've helped it.<br />
<br />
I <a href="http://adisfun.blogspot.com/2009/07/im-microsoft-mvp-now-thank-you.html">previously thanked</a> a lot of <a href="http://adisfun.blogspot.com/2010/07/thank-you-again-mvp-award.html">people</a>. I won't go through the list again but the same things I said before still apply.<br />
<br />
I would like to thank a few new folks this year: DeLise and everyone at the Microsoft Reston and Chevy Chase Offices. This is the first year that I started speaking and it is something that I've come to enjoy. I'm glad to be part of the events. Shameless plug for <a href="http://techgate.azurewebsites.net/speakers.html">TechGate 2013</a>.<br />
<br />
I've also been a part of several book projects and want to thank the folks at Packt Publishing and O'Reilly Publishing for letting me be a part of them.<br />
<br />
Lastly, all the people on Twitter working with Active Directory. I really like the interaction on Twitter and I've met some great and passionate people over there.<br />
<br />
Active Directory is starting to make a shift to the cloud (slow shift; it won't happen tomorrow). I'm hoping to turn and pivot as the product evolves (hint: everyone learn ADFS). There are some very smart people in Redmond working on AD and lots of great PFEs in the field. Active Directory is not going anywhere, so stay tuned for more ADISFUN.<br />
<br />
<br />
<br />
<br />mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com13tag:blogger.com,1999:blog-7365513794075231499.post-85705150177780186872013-06-25T05:30:00.000-07:002013-06-25T09:19:40.957-07:00Windows Server 2012 R2 Preview - Schema Version<span style="background-color: #efefef; font-family: Arial, Helvetica, sans-serif; line-height: 16.883333206176758px;">I previously posted a "quick-hitter" blog about the schema version in <a href="http://adisfun.blogspot.com/2012/09/windows-2012-ad-schema-version.html">Windows Server 2012</a>. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br style="background-color: #efefef; line-height: 16.883333206176758px;" /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://blogs.technet.com/b/askds/archive/2013/06/25/windows-server-2012-r2-preview-available-for-download.aspx">Windows Server 2012</a><span style="background-color: #efefef; line-height: 16.883333206176758px;"><a href="http://blogs.technet.com/b/askds/archive/2013/06/25/windows-server-2012-r2-preview-available-for-download.aspx"> R2 preview</a> was released today! The current version is <b><span style="color: red; font-size: large;">69</span></b></span><span style="background-color: #efefef; color: red; font-size: large; line-height: 16.883333206176758px;"><b> </b></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="background-color: #efefef; color: red; line-height: 16.883333206176758px;"><b><br /></b></span><span style="background-color: #efefef; line-height: 16.883333206176758px;">I once again used </span><a href="http://www.joeware.net/freetools/tools/adfind/index.htm" style="background-color: #efefef; color: #336699; line-height: 16.883333206176758px;">adfind</a><span style="background-color: #efefef; line-height: 16.883333206176758px;"> to quickly find the schema version.</span></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRPmctc3PzxIWB3O7viJ_tkxoEyjG1nyCi18Xb8kBYK2TDqMU3OedgX_FRHwS0Yp8Rd1TLZwyxqSRDWuXLIeCf54uWDZ4RNGP_zIhfThBR1GxwvI0krNRN2OcCMcJZlCOIDJW1oA0mX6g/s1600/2012R2SchemaAdfind.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRPmctc3PzxIWB3O7viJ_tkxoEyjG1nyCi18Xb8kBYK2TDqMU3OedgX_FRHwS0Yp8Rd1TLZwyxqSRDWuXLIeCf54uWDZ4RNGP_zIhfThBR1GxwvI0krNRN2OcCMcJZlCOIDJW1oA0mX6g/s640/2012R2SchemaAdfind.jpg" width="640" /></a></div>
<br style="background-color: #efefef; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px;" />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">For those who prefer to use PowerShell, you can also find the object version that way. </span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzTy6QbGfiOePUCjLCU3O9XMpZp7dCHqpNg6jxIBSuoXiqugxZLUhtpt_O8f6crEBb5n7HILiCRYw5oA61RhPZwVENM7LXUbxZNTI7_f2d4sYiHXsKuNV6Wb_9gC0TO2eoFxnRBjzHUOo/s1600/Windows2012R2+Schema+Powershell.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzTy6QbGfiOePUCjLCU3O9XMpZp7dCHqpNg6jxIBSuoXiqugxZLUhtpt_O8f6crEBb5n7HILiCRYw5oA61RhPZwVENM7LXUbxZNTI7_f2d4sYiHXsKuNV6Wb_9gC0TO2eoFxnRBjzHUOo/s640/Windows2012R2+Schema+Powershell.jpg" width="640" /></a></div>
<br />
<div class="separator" style="background-color: #efefef; clear: both; font-size: 13px; line-height: 16.883333206176758px; margin-bottom: 0.75em;">
<span style="font-family: Arial, Helvetica, sans-serif;">The current (as of 25 June 2013) Active Directory Schema version table is listed below.</span></div>
<div class="separator" style="background-color: #efefef; clear: both; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px; margin-bottom: 0.75em;">
<br /></div>
<table border="1" cellpadding="0" cellspacing="3" class="MsoNormalTable" style="background-color: #33ff99; text-align: left; width: 400px;">
<tbody>
<tr>
<th style="padding: 2.25pt;">Operating system</th>
<th style="padding: 2.25pt;">Schema version</th>
</tr>
<tr>
<td style="padding: 2.25pt;"><b><span style="color: #cc0000;">Windows Server 2012 R2 Preview</span></b></td>
<td style="padding: 2.25pt;"><b><span style="color: #cc0000;">69</span></b></td>
</tr>
<tr>
<td style="padding: 2.25pt;">Windows Server 2012</td>
<td style="padding: 2.25pt;">56</td>
</tr>
<tr>
<td style="padding: 2.25pt;">Windows 2008 R2</td>
<td style="padding: 2.25pt;">47</td>
</tr>
<tr>
<td style="padding: 2.25pt;">Windows 2008</td>
<td style="padding: 2.25pt;">44</td>
</tr>
<tr>
<td style="padding: 2.25pt;">Windows 2003 R2</td>
<td style="padding: 2.25pt;">31</td>
</tr>
<tr>
<td style="padding: 2.25pt;">Windows 2003</td>
<td style="padding: 2.25pt;">30</td>
</tr>
<tr>
<td style="padding: 2.25pt;">Windows 2000</td>
<td style="padding: 2.25pt;">13</td>
</tr>
</tbody></table>
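<br />
The PowerShell check mentioned above, extended to every domain controller in the forest so you can confirm a schema update has replicated everywhere. This is an added example, not the command from the original screenshot; it assumes the ActiveDirectory module is available, and the function names are hypothetical.<br />

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post): report the schema objectVersion
# that each domain controller in the forest currently holds.

# Version-to-release mapping copied from the table in this post (25 June 2013).
$SchemaReleases = @{
    69 = 'Windows Server 2012 R2 Preview'
    56 = 'Windows Server 2012'
    47 = 'Windows 2008 R2'
    44 = 'Windows 2008'
    31 = 'Windows 2003 R2'
    30 = 'Windows 2003'
    13 = 'Windows 2000'
}

function Get-SchemaVersionFromDC {
    # Reads objectVersion from the head of the schema partition on one specific DC.
    param([Parameter(Mandatory = $true)][string]$Server)

    $rootDse = Get-ADRootDSE -Server $Server -ErrorAction Stop
    $schemaHead = Get-ADObject -Identity $rootDse.schemaNamingContext `
        -Properties objectVersion -Server $Server -ErrorAction Stop
    return [int]$schemaHead.objectVersion
}

function Get-ForestSchemaVersionReport {
    $forest = Get-ADForest

    # Schema changes are made on the schema master, so its value is the reference.
    $reference = Get-SchemaVersionFromDC -Server $forest.SchemaMaster

    foreach ($domain in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            $version = $null
            $problem = $null
            try {
                $version = Get-SchemaVersionFromDC -Server $dc.HostName
            } catch {
                # Unreachable DCs are reported instead of silently skipped.
                $problem = $_.Exception.Message
            }

            $release = 'unknown'
            if ($null -ne $version) {
                if ($SchemaReleases.ContainsKey($version)) {
                    $release = $SchemaReleases[$version]
                } else {
                    $release = 'not in the table above'
                }
            }

            [pscustomobject]@{
                Domain        = $domain
                DC            = $dc.HostName
                SchemaVersion = $version
                Release       = $release
                # False means this DC has not yet replicated the schema master's version.
                InSync        = ($null -ne $version -and $version -eq $reference)
                Error         = $problem
            }
        }
    }
}

Get-ForestSchemaVersionReport |
    Sort-Object InSync, Domain, DC |
    Format-Table -AutoSize
```

Rows with InSync set to False sort first; those DCs either could not be queried or still hold an older schema version than the schema master.<br />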
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="background-color: #efefef; line-height: 16.883333206176758px;">You can download an </span><span style="background-color: #efefef; line-height: 16.883333206176758px;">evaluation copy of </span><a href="http://technet.microsoft.com/en-US/evalcenter/dn205292?WT.mc_id=Blog_SC_TEE_WS12R2" style="background-color: #efefef; line-height: 16.883333206176758px;">Windows Server 2012 R2</a><span style="background-color: #efefef; line-height: 16.883333206176758px;"> </span><span style="background-color: #efefef; line-height: 16.883333206176758px;"> and go start to learn and have fun. Thanks to all the hard work put in by the many people at Microsoft that made today happen.</span></span>mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com0tag:blogger.com,1999:blog-7365513794075231499.post-56653095602710598152013-05-02T03:00:00.000-07:002013-05-03T04:23:35.939-07:00Software and Security on Domain ControllersThis post was inspired by someone who I consider a friend and a mentor in the Active Directory world...11 time <a href="http://mvp.microsoft.com/en-us/mvp/Joe%20Richards-7590">AD MVP Joe Richards</a><br />
<br />
Microsoft recently published an excellent Active Directory Security document. Laura Robinson is the lead author of the document and there are serious heavy hitters in the acknowledgements section including Laura Hunter, Dean Wells, and others. You can download the document using the link below:<br />
<br />
<span style="font-size: large;"><a href="http://www.microsoft.com/en-us/download/details.aspx?id=38785">Best Practices for Securing Active Directory</a></span><br />
<br />
Joe brought up an excellent point on the DS-MVP list: we all know that best practice is to not run additional and unnecessary software on domain controllers, but was this documented anywhere? The document above addresses this.<br />
<br />
From page 27 of the document:<br />
<br />
<br />
<blockquote class="tr_bq">
<i>Protecting Domain Controllers</i><br />
<span style="font-family: 'Segoe UI', sans-serif; font-style: italic;">Domain
controllers should be treated as critical infrastructure components, secured
more stringently and configured more rigidly than file, print, and application
servers. <b>Domain controllers should not run any software that is not required
for the domain controller to function or doesn’t protect the domain controller against
attacks. </b>Domain controllers should not be permitted to access the Internet, and
security settings should be configured and enforced by Group Policy Objects
(GPOs). Detailed recommendations for the secure installation, configuration,
and management of domain controllers are provided in the Securing Domain Controllers Against Attack</span><span style="font-family: "Segoe UI","sans-serif";"><i> section of this document.</i></span></blockquote>
<br />
Microsoft also recently released a shorter document that is worth downloading and reading.<br />
<br />
<span style="font-size: large;"><a href="http://www.microsoft.com/en-us/download/details.aspx?id=38815">Securing Active Directory: An Overview of Best Practices</a> </span><br />
<br />
I appreciate Microsoft and everyone who took time to write, edit, and review this important document. Many times we can tell our customers best practices but they often don't believe it unless they see it come from a Microsoft site or document.<br />
<br />
If you have worked around Active Directory long enough, you know this is a common problem: domain controllers used as file servers, app servers, etc. The fix is simple: reduce your attack vectors and don't install unnecessary software on your DCs. Also look into RODCs and Server Core as other easy ways to help secure DCs. <br />
<br />
You may also see similar posts on other MVP blogs. <a href="https://twitter.com/joewaredotnet">Joe</a> has asked us to get the word out about this. <br />
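<br />
One way to audit the guidance above: list every role and feature installed on each DC in the current domain, flag anything outside a baseline, and note whether the DC is an RODC or Server Core. This is an added example, not code from the Microsoft document or the original post; the allow-list is a constructed starting point to tune for your environment, the function names are hypothetical, and the Server-Gui-Shell test for Server Core assumes Windows Server 2012 or 2012 R2.<br />

```powershell
#Requires -Modules ActiveDirectory, ServerManager
# Added example (not from the original post or the Microsoft document).

# Assumed baseline, constructed for this example: features a DC plausibly needs.
# Wildcards are matched with -like. Review and adjust before relying on it.
$AllowedFeaturePatterns = @(
    'AD-Domain-Services', 'DNS', 'GPMC', 'RSAT*',
    'FileAndStorage-Services', 'File-Services', 'FS-FileServer', 'Storage-Services',
    'NET-Framework-45*', 'NET-WCF-*', 'PowerShell*', 'WoW64-Support',
    'Server-Gui-*', 'User-Interfaces-Infra'
)

function Test-FeatureAllowed {
    # True when the feature name matches at least one baseline pattern.
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string[]]$Patterns
    )
    foreach ($pattern in $Patterns) {
        if ($Name -like $pattern) { return $true }
    }
    return $false
}

function Get-DCSoftwareReport {
    param([string[]]$Patterns = $AllowedFeaturePatterns)

    foreach ($dc in Get-ADDomainController -Filter *) {
        $installed = @()
        $problem = $null
        try {
            # Remote feature inventory; requires Windows Server 2012 or later targets.
            $installed = @(Get-WindowsFeature -ComputerName $dc.HostName -ErrorAction Stop |
                Where-Object { $_.Installed })
        } catch {
            $problem = $_.Exception.Message
        }

        # Anything installed that the baseline does not cover.
        $unexpected = @($installed |
            Where-Object { -not (Test-FeatureAllowed -Name $_.Name -Patterns $Patterns) } |
            ForEach-Object { $_.Name })

        # Server Core on 2012 / 2012 R2 has no Server-Gui-Shell feature installed.
        $hasGui = @($installed | Where-Object { $_.Name -eq 'Server-Gui-Shell' }).Count -gt 0

        [pscustomobject]@{
            DC                 = $dc.HostName
            IsReadOnly         = $dc.IsReadOnly
            ServerCore         = if ($problem) { $null } else { -not $hasGui }
            UnexpectedFeatures = ($unexpected -join ', ')
            Error              = $problem
        }
    }
}

Get-DCSoftwareReport | Format-Table -AutoSize -Wrap
```

This covers Windows roles and features only; third-party software installed on a DC needs a separate inventory.<br />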
<br />
<br />mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com0tag:blogger.com,1999:blog-7365513794075231499.post-19474535514696046512013-03-14T05:00:00.000-07:002013-03-14T19:25:33.377-07:00Active Directory MVPs on TwitterI've become a big fan of twitter over the last few years; it is one of the best sources for information and news in my opinion. I still like RSS feeds for checking blogs and new entries but I'm using twitter more these days. It is also much easier to interact using twitter. With the <a href="http://googleblog.blogspot.com/2013/03/a-second-spring-of-cleaning.html">impending closure of Google Reader</a> I'll probably be a bigger twitter user. <br />
<br />
I've started compiling a list of Active Directory/Directory Services MVPs on twitter. Tweet frequency ranges from multiple daily tweets to rarely. I will try and keep this list up to date. I'm sure there are folks that I missed. Please send me an email or leave a comment if any entry needs updating. I don't want to leave anyone out.<br />
<br />
I'll try to update and go through this list every quarter (MVPs are selected every quarter Jan/April/July/October)<br />
<br />
<br />
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse; width: 522px;">
<colgroup><col style="mso-width-alt: 11264; mso-width-source: userset; width: 231pt;" width="308"></col>
<col style="mso-width-alt: 7826; mso-width-source: userset; width: 161pt;" width="214"></col>
</colgroup><tbody>
<tr height="25" style="height: 18.75pt;">
<td class="xl66" height="25" style="height: 18.75pt; width: 231pt;" width="308"><b><a href="http://mvp.microsoft.com/en-US/findanmvp/Pages/profile-results.aspx?tx=Directory%20Services&ty=a&so=n&pa=1">Microsoft MVPs - Directory Services </a></b></td>
<td class="xl67" style="width: 161pt;" width="214"><b>Twitter Name and Profile</b></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Mesut Aladag</td><td class="xl65"><a href="https://twitter.com/mesutaladag">@mesutaladag</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Zubair Alexander</td>
<td class="xl65"><a href="https://twitter.com/ZubairAlexander">@ZubairAlexander</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Jimmy Andersson</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Brian Arkills</td>
<td class="xl65"><a href="https://twitter.com/barkills">@barkills</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Hank Arnold</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Alexandre
Augagneur</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Edoardo Benussi</td>
<td class="xl65"><a href="https://twitter.com/ebenussi">@ebenussi</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Paul
Bergson</td>
<td class="xl65"><a href="https://twitter.com/pbbergs">@pbbergs</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Sander Berkouwer</td>
<td class="xl65" height="20" style="height: 15.0pt; width: 161pt;" width="214"><a href="https://twitter.com/SanderBerkouwer">@SanderBerkouwer</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Xiaolong Cai</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Paul
Clement</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Ragael Correa</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Eugene Delprato</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Brian Desmond</td>
<td class="xl65"><a href="https://twitter.com/brdesmond">@brdesmond</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Olivier Detilleux</td>
<td class="xl65"><a href="https://twitter.com/olivierdx">@olivierdx</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Sean Deuby</td>
<td class="xl65"><a href="https://twitter.com/shorinsean">@shorinsean</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Freddy Elmaleh</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Marius Ene</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Salman Farizy</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Ace Fekay</td>
<td class="xl65"><a href="https://twitter.com/AceFekay">@AceFekay</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Liang Feng</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Lee Flight</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Tamas Gai</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Ermanno Goletto</td>
<td class="xl65"><a href="https://twitter.com/ermannog">@ermannog</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Guido Grillenmeier</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Chunlong Han</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">LiGang Han</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Junxian Huang</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Nils Kaczenski</td>
<td class="xl65"><a href="https://twitter.com/Kaczenski">@Kaczenski</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Joe
Kaplan</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Sainath KEV</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Gil
Kirkpatrick</td>
<td class="xl65"><a href="https://twitter.com/gkirkpatrick">@gkirkpatrick</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Jyrki Kivimaki</td>
<td class="xl65"><a href="https://twitter.com/jykivima">@jykivima</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Mike Kline</td>
<td class="xl65"><a href="https://twitter.com/mekline">@mekline</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Michinari Kobuna</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Suguru Kunii</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Roberto Di Lello</td>
<td class="xl65"><a href="https://twitter.com/RaDiansBlog">@RaDiansBlog</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Guangji Liang</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Qiang Liu</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Fernando Lopez</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Thiago Cardosa Luiz</td>
<td class="xl65"><a href="https://twitter.com/t_cardoso">@t_cardoso</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Ahmed
Malek</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Tadayoshi Manabe</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Mark
Minasi</td>
<td class="xl65"><a href="https://twitter.com/mminasi">@mminasi</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Richard Mueller</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Tony Murray</td>
<td class="xl65"><a href="https://twitter.com/MrTweetTastic">@MrTweetTastic</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Gary
Olsen</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Niyi Omotoyinbo</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Mark
Parris</td>
<td class="xl65"><a href="https://twitter.com/markparris">@markparris</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Suttipan Passorn</td>
<td class="xl65"><a href="https://twitter.com/passorn">@passorn</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Jorge de Almeida Pinto</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Pawel Plawiak</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">John Policelli</td>
<td class="xl65"><a href="https://twitter.com/JohnPolicelli">@JohnPolicelli</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Marcin Policht</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Leonardo
Ponti</td>
<td class="xl65"><a href="https://twitter.com/pontileo">@PontiLeo</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Bobby
Primasta</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Yuwei Qi</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Shengrong Qu</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Slamet Raharjo</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Leone Randazzo</td>
<td class="xl65"><a href="https://twitter.com/LeoneRandazzo">@LeoneRandazzo</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Joe
Richards</td>
<td class="xl65"><a href="https://twitter.com/joewaredotnet">@joewaredotnet</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Llya Rud</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Marc Salvador</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Mario Serra</td>
<td class="xl65"><a href="https://twitter.com/Marioserra72">@Marioserra72</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Morgan Simonsen</td>
<td class="xl65"><a href="https://twitter.com/msimonsen">@msimonsen</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Ulf Simon-Weidner</td>
<td class="xl65"><a href="https://twitter.com/DSGeek">@DSGeek</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Santhosh Sivarajan</td>
<td class="xl65"><a href="https://twitter.com/Santhosh_Sivara">@Santhosh_Sivara</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Chris Spanougakis</td>
<td class="xl65"><a href="https://twitter.com/spanougakis">@spanougakis</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Jacek Swiatowiak</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Yanyang Tian</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Hakan Uzuner</td>
<td class="xl65"><a href="https://twitter.com/hakanuzuner">@hakanuzuner</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Awinish Vishwakarma</td>
<td class="xl65"><a href="https://twitter.com/Awinishv">@Awinish</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Fabrizio Volpe</td>
<td class="xl65"><a href="https://twitter.com/fabriziovlp">@fabriziovlp</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Meinolf
Weber</td>
<td class="xl65"><a href="https://twitter.com/mei_web">@mei_web</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Ralf Wigand</td>
<td class="xl65"><a href="https://twitter.com/ralfwigand">@ralfwigand</a></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Haidong Wu</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Chenggang Xiang</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Haji Yakub</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Shuyong Yan</td>
<td class="xl64"></td>
</tr>
<tr height="20" style="height: 15.0pt;">
<td height="20" style="height: 15.0pt;">Bobby
Zulkarnain</td>
<td class="xl65"><a href="https://twitter.com/bobbyiz">@bobbyiz</a></td>
</tr>
</tbody></table>
<br />
<br />
<br />
Honorary MVP<br />
<br />
Laura Hunter <a href="https://twitter.com/adfskitteh">@adfskitteh</a><br />
**Laura was a long time MVP and now a blue badger. Microsoft employees can't be MVPs.<br />
<br />
<br />
<br />
<br />
mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com3tag:blogger.com,1999:blog-7365513794075231499.post-67315502258580989052013-03-07T08:00:00.000-08:002013-03-09T15:29:41.965-08:00My Friend Wrote a Book - Part 2<br />
<span style="font-family: inherit;">In 2009 I wrote a blog about <a href="http://adisfun.blogspot.com/2009/10/my-friend-wrote-book.html">my friend Kevin writing a book.</a> Friend is really not a good word here. Kevin and I have been like brothers for 30 years now. I've always said that I have two brothers, my biological brother <a href="http://www.andykline.com/">Andy</a>, and Kevin.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">In 2009 Kevin's book was mentioned in the local county paper. Since that book was released Kevin has been working on his second book that tells the important story of blacks in Loudoun County, VA during the Civil War.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">The book is called <a href="http://www.lulu.com/shop/kevin-grigsby/from-loudoun-to-glory/hardcover/product-20726443.html;jsessionid=504C199FFB7BE0FBB805B056C2193B17">From Loudoun To Glory</a></span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<blockquote class="tr_bq">
<span style="background-color: #fcfcfc; font-family: inherit; font-size: 12px; white-space: pre-wrap;">This is Kevin Grigsby's second book, which highlights Loudoun County's African-American heritage. From Loudoun To Glory is about the important role that African-Americans from Loudoun County, Virginia played in the Civil War. They would serve as soldiers, sailors, nurses, spies, and scouts. Over two hundred and fifty African-American soldiers and a dozen sailors from Loudoun served in the Union military during the Civil War.</span></blockquote>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">The same things I said in my first blog about Kevin's book go for this one. This book has made a bigger initial splash. When I woke up on Sunday morning and saw the Washington Post I saw that Kevin's book was featured on the front page of the paper on <b>A1, above the fold.</b> WOW!!!</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">The full Washington Post article can be found in the link below. I've also included some screenshots from the paper.</span><br />
<br />
<div style="text-align: center;">
<a href="http://www.washingtonpost.com/local/ghosts-of-the-unions-black-soldiers-rise-from-loudoun-countys-past/2013/03/02/2273e41e-7f7c-11e2-8074-b26a871b165a_story.html"><b>Ghosts of the Union's black soldiers rise from Loudoun County's past</b></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0bWGjG6-RMdXujtQZeIGa7t4i5N0BPUmMj6a4Mk9J-RHIkWqB-k_rEXTe7_uOVHRfUdoQ7j0YLY2cAT1AgnuF-PNmIaEuCs6YKMq2-r36h_Zazl0cExGBOpNPwApkONfJRyP8vAmz-FM/s1600/Image1.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0bWGjG6-RMdXujtQZeIGa7t4i5N0BPUmMj6a4Mk9J-RHIkWqB-k_rEXTe7_uOVHRfUdoQ7j0YLY2cAT1AgnuF-PNmIaEuCs6YKMq2-r36h_Zazl0cExGBOpNPwApkONfJRyP8vAmz-FM/s640/Image1.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b><span style="font-size: small;">Sunday, March 3, 2013 Washington Post front page, I put the red box around the book mention</span></b><br />
<span style="font-family: inherit;"><br /></span>
<br />
<div style="text-align: left;">
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<span style="font-size: small;"><span style="font-family: inherit;">A mention on the front page of one of the biggest papers on the planet. It doesn't get much bigger than that. It is cool to be on the same page with President Obama. I thought that I'd see the book story in the Loudoun weekly section (small weekly insert). I was wrong on that! The book was </span>prominently<span style="font-family: inherit;"> featured on </span></span><span style="font-size: small;">the</span><span style="font-family: inherit; font-size: small;"> front page of the Washington Post Metro section. </span><br />
<div>
<span style="font-family: inherit;"><br /></span></div>
<br />
<br />
<br /></div>
<div style="text-align: left;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglyaMD-4pavW8QAR6enKMmgykCCuvE4z6eEofbZDWjbvg7U_GrQXddbl-Pvi-8xZMQMK8mJq5MDR52tSRGSZBCKQ2EL3i3yFS1ZioNA5MafKhQDvI7ggViXAPRueyqWiqe-WLhCDmFDFY/s1600/Image2.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglyaMD-4pavW8QAR6enKMmgykCCuvE4z6eEofbZDWjbvg7U_GrQXddbl-Pvi-8xZMQMK8mJq5MDR52tSRGSZBCKQ2EL3i3yFS1ZioNA5MafKhQDvI7ggViXAPRueyqWiqe-WLhCDmFDFY/s640/Image2.jpg" width="494" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b><span style="font-size: small;">Sunday, March 3, 2013 Washington Post Metro Section </span></b></td></tr>
</tbody></table>
<br />
<br />
<br /></td></tr>
</tbody></table>
<div style="text-align: left;">
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">This is one of the proudest moments in Kevin's life (his kids are #1 and #2 by a long shot). I couldn't imagine being happier for someone. Years of hard work and dedication will keep this important story alive for many generations to come. </span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Today - mentioned on the same page with President Obama...tomorrow a picture and meeting with President Obama where you present him with a signed copy...sky is the limit :)</span></div>
<div style="text-align: left;">
<br />
<br />
<br /></div>
<div style="text-align: left;">
<br /></div>
<br />
<br />mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com0tag:blogger.com,1999:blog-7365513794075231499.post-7099737471920479572013-02-03T12:15:00.000-08:002013-02-04T12:18:38.248-08:00Microsoft IT Camp - Speaking Event<br />
I am honored to once again be working at a Microsoft event at the Microsoft office in Reston, VA on March 9, 2013 from 8 AM - 4 PM. The District of Columbia Maryland Virginia Management User Group is holding an event that includes an IT camp focused on Windows Server 2012. I'll be working with <a href="https://twitter.com/yungchou">Microsoft Senior Evangelist Yung Chou</a> during the IT camp. We will be going over many topics including Active Directory, Hyper-V, Installation, Storage Spaces and more. <br />
<br />
There are also System Center and Windows Deployment sessions for those interested in those subjects. The Windows deployment sessions will be led by <a href="http://mvp.microsoft.com/profiles/Rhonda">Microsoft MVP Rhonda Layfield</a>.<br />
<br />
The Microsoft Reston location is easy to get to with plenty of parking and they have a great setup there for events like this. It is also a great chance to meet other enthusiastic IT Pros. I know that may sound cliche but the type of people that come out to events on Saturdays and put in the extra time are my type of people :)<br />
<br />
You can register for the event and find more information about the session and speaker bios by going to<br />
<br />
<br />
<div style="text-align: center;">
<span style="font-size: x-large;"><a href="http://dmvmug.eventbrite.com/">http://dmvmug.eventbrite.com/</a></span></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<span style="color: red;"><b>DATE: Saturday, March 9, 2013</b></span></div>
<div style="text-align: center;">
<span style="color: red;"><b>Time: 8:00 AM to 4:00 PM</b></span></div>
<div style="text-align: center;">
<span style="color: red;"><b>Location: Microsoft Reston, 12012 Sunset Hills Rd, Reston, VA 20190</b></span></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
You can see the flyer for the event below.</div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRtNDUL-ic9BEoaBriB0ZtiMjcp3-cbPQAygi4EFZhX1wky4VIwF9EoqkULJSfPnFTAy7gcPHhD7XlPziilTYJP1ne8jgUWwQ9NEWafDbo86PZOvOHqj5erhrEvGK-wcD_9QMVZlKB3B4/s1600/dmvmug+flyer.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRtNDUL-ic9BEoaBriB0ZtiMjcp3-cbPQAygi4EFZhX1wky4VIwF9EoqkULJSfPnFTAy7gcPHhD7XlPziilTYJP1ne8jgUWwQ9NEWafDbo86PZOvOHqj5erhrEvGK-wcD_9QMVZlKB3B4/s640/dmvmug+flyer.jpg" width="494" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I'm looking forward to the event and hope to have a full house. I'm sure everyone is going to learn something as we move forward with Windows Server 2012.</div>
<div style="text-align: left;">
<br /></div>
mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com1United States34.597041516144166 -84.023437531.278926016144165 -89.1870115 37.915157016144164 -78.8598635tag:blogger.com,1999:blog-7365513794075231499.post-8464199378858460232012-10-02T06:00:00.000-07:002012-10-02T13:36:23.747-07:00Future Server Service Packs<br />
As an MVP we have MVP leads that share information and are our main connection to the MVP program. Recently my MVP lead sent out a great Q&A that I wanted to share. I checked with her to make sure this is not NDA information and it was not. (thanks Michelle!)<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRjIUa324hALwDUXxsiozV1cYB8qUgvtLfhZylJpfz1OmupAI4outnZUtg-6NL-yBxTYcTWEBlv-ZXA1aTfa-2TYPUtvgZJl_-MiWbKvBQC-cRv7gIu-o4km5ZOugufagU-5xfb55SFDc/s1600/service+packs.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="352" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRjIUa324hALwDUXxsiozV1cYB8qUgvtLfhZylJpfz1OmupAI4outnZUtg-6NL-yBxTYcTWEBlv-ZXA1aTfa-2TYPUtvgZJl_-MiWbKvBQC-cRv7gIu-o4km5ZOugufagU-5xfb55SFDc/s640/service+packs.jpg" width="640" /></a></div>
<br />
<br />
A lot of organizations still believe that they should wait for a service pack before deploying a new Server OS. If you were around 10 years ago or more you might remember that Windows NT had <a href="http://en.wikipedia.org/wiki/Windows_NT_4.0#Service_Packs">seven service packs</a> (1-6a). Windows 2000 had <a href="http://en.wikipedia.org/wiki/Windows_2000#Service_packs">four service packs</a>. With that many service packs you can see why some old timers still think waiting for service packs is the way to go.<br />
<br />
The days of four, six, or more service packs are probably gone forever. I can't speak for the future of the Microsoft development life-cycle; but with major releases being released every four years and R2 releases every two years there is not much room for service packs. In addition Microsoft does a really great job with patch Tuesday patches and zero-day patches when applicable.<br />
<br />
The point here is you can tell your manager that there is no reason to wait for a service pack. <b>Windows 2012 is ready now</b>. It is ready to be tested and deployed now. I'm in the field just like the rest of you. Looking forward to this journey.<br />
<br />
<br />mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com0tag:blogger.com,1999:blog-7365513794075231499.post-13921535226261687082012-09-17T06:00:00.000-07:002012-09-17T09:57:35.027-07:00TechGate Conference - Speaking Review<br />
I spoke at the <a href="http://techgateconference.com/index.html">TechGate conference</a> sponsored by Microsoft this weekend. My topic was new Active Directory features in Windows Server 2012.<br />
<br />
I first want to thank Andy and DeLise from Microsoft. The Microsoft facilities were outstanding and we were treated well. This was my first speaking engagement at a conference like this and I'm honored that they allowed me to speak. I know they had a lot of people that wanted slots and I'm glad I was selected for one of the featured slots.<br />
<br />
The room was packed and some people had to stand. There were some lessons learned on my part that I want to share for others that may be starting out on their speaker journey. I would also love to hear tips from others that have been doing this for a while.<br />
<br />
<b><u><span style="font-size: large;">Lessons Learned</span></u></b><br />
<br />
<div>
<br /></div>
<div>
<ul>
<li>50 minutes is not enough time to give a talk with demos about Active Directory features in Windows 2012. I should have either cut out sections or not attempted demos. I definitely rushed a bit at the end.</li>
<li>The crowd was about 80 percent developers/those not familiar with AD and 20 percent were IT pros that knew AD. I let that fluster me for the first few slides. When I asked how many people are familiar with dcpromo and only 4 people raised their hands I was thinking "oh shit" in my head....once I got over that I was fine.</li>
<li>I tried to switch between the PowerPoint presentation view (slides with notes on my laptop monitor and slide show on projector) and the duplicate screens (for the demos). Next time I will just use duplicate screens at all times and have my notes on the side.</li>
<li>Dynamic Access Control is a great feature but I can tell that it's going to take a lot of time for IT Pros to understand and "get it". I might try and present 50 minutes just on that feature next time...but that might not be enough time either.</li>
<li>Thanks to the lady in the back, the MCS engineer and a few others that did have a good working knowledge of AD...the questions and back and forths with you all were great. </li>
<li>I have seen speakers at other conferences having conversations after their talks in the hallways. That happened to me too. That was great, met some really great and enthusiastic people. </li>
<li>Thanks to my co-workers Shumbey, Nate, and Kurt for coming.</li>
<li>Thanks to my AD buddies (Mark especially) who sat through some dry runs.</li>
</ul>
<div>
<br /></div>
</div>
<div>
Overall I give myself a <span style="color: #38761d; font-size: x-large; font-weight: bold;">B- </span><b> </b>I learned a lot and hope to go back in the spring. Someday I want to be as good as Dean Wells (he had the #1 talk at TechEd North America 2012)....I know that won't happen but it is a good goal to strive for :)</div>
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_bvd_A0o62k4KQ9_QmmEpGdHYgWRdC9OA1E1Bb2OAFxNv1yLFaO3Zi9pQSVPU09yPVG8WIFP2M2nuwq16Z8kerxfuiFZXIlUov6dfqg0iJlZyDHLUH_qY3ZOVjIzVz3dLFYx6_1faDME/s1600/techgate.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_bvd_A0o62k4KQ9_QmmEpGdHYgWRdC9OA1E1Bb2OAFxNv1yLFaO3Zi9pQSVPU09yPVG8WIFP2M2nuwq16Z8kerxfuiFZXIlUov6dfqg0iJlZyDHLUH_qY3ZOVjIzVz3dLFYx6_1faDME/s320/techgate.JPG" width="238" /></a></div>
<br />mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com5tag:blogger.com,1999:blog-7365513794075231499.post-62177746753321417352012-09-04T15:13:00.001-07:002012-09-04T15:13:56.540-07:00Windows 2012 AD Schema Version<br />
<span style="background-color: #efefef; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px;">I previously posted "quick-hitter" blogs about the schema versions in </span><a href="http://adisfun.blogspot.com/2011/09/windows-server-8-schema-version-quick.html" style="background-color: #efefef; color: #336699; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px;">Windows 8 Developers Preview</a><span style="background-color: #efefef; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px;"> and </span><a href="http://adisfun.blogspot.com/2012/03/windows-server-8-beta-schema-version.html" style="background-color: #efefef; color: #336699; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px;">Windows Server 8 Beta</a><br />
<br style="background-color: #efefef; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px;" />
<a href="http://www.microsoft.com/en-us/server-cloud/windows-server/default.aspx" style="background-color: #efefef; color: #336699; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px;">Windows Server 2012</a><span style="background-color: #efefef; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px;"> was released today!! The schema version did not change from the RC version. The final version is </span><span style="background-color: #efefef; color: red; font-family: Verdana, Arial, sans-serif; font-size: medium; line-height: 16.883333206176758px;"><b>56 </b></span><br />
<span style="background-color: #efefef; color: red; font-family: Verdana, Arial, sans-serif; font-size: medium; line-height: 16.883333206176758px;"><b><br /></b></span>
<span style="background-color: #efefef; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px;">I once again used </span><a href="http://www.joeware.net/freetools/tools/adfind/index.htm" style="background-color: #efefef; color: #336699; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px;">adfind</a><span style="background-color: #efefef; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px;"> to quickly find the schema version.</span><br />
<br />
<div class="separator" style="background-color: #efefef; clear: both; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px; margin: 0px 0px 0.75em; text-align: center;">
</div>
<div class="separator" style="background-color: #efefef; clear: both; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px; margin: 0px 0px 0.75em; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfIpJ32K029_m2b1AsY5wGDhDvf9QYunNPlGFshQNshsvbeiSakI5QArA3JcedELHBH1GR3SGEGnrPQ9ABVTAzwO2pB7a9wxnpLjTORQjINbY-KYP1ol6mkfuzo8esuRd-wIjdTta2oC0/s1600/adfind+windows+2012+schema.png" imageanchor="1" style="color: #336699; margin-left: 1em; margin-right: 1em;"><img border="0" height="257" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfIpJ32K029_m2b1AsY5wGDhDvf9QYunNPlGFshQNshsvbeiSakI5QArA3JcedELHBH1GR3SGEGnrPQ9ABVTAzwO2pB7a9wxnpLjTORQjINbY-KYP1ol6mkfuzo8esuRd-wIjdTta2oC0/s640/adfind+windows+2012+schema.png" style="border: 1px solid rgb(0, 0, 0); padding: 4px;" width="640" /></a></div>
<br style="background-color: #efefef; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px;" />
<div class="separator" style="background-color: #efefef; clear: both; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px; margin: 0px 0px 0.75em; text-align: center;">
</div>
<div class="separator" style="background-color: #efefef; clear: both; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px; margin: 0px 0px 0.75em; text-align: center;">
<br /></div>
<div class="separator" style="background-color: #efefef; clear: both; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px; margin: 0px 0px 0.75em;">
The final Active Directory Schema version table is listed below.</div>
<div class="separator" style="background-color: #efefef; clear: both; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px; margin: 0px 0px 0.75em; text-align: center;">
<br /></div>
<div class="separator" style="background-color: #efefef; clear: both; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px; margin: 0px 0px 0.75em; text-align: center;">
<br /></div>
<div class="separator" style="background-color: #efefef; clear: both; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px; margin: 0px 0px 0.75em; text-align: center;">
</div>
<table border="1" bordercolor="#990000" cellpadding="3" cellspacing="3" style="background-color: #33ff99; color: black; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16px; text-align: left; width: 400px;"><tbody>
<tr><td><b><span style="color: #cc0000;">Windows Server 2012 </span></b></td><td><b><span style="color: #cc0000;">56</span></b></td></tr>
<tr><td>Windows 2008 R2</td><td>47</td></tr>
<tr><td>Windows 2008</td><td>44</td></tr>
<tr><td>Windows 2003 R2</td><td>31</td></tr>
<tr><td>Windows 2003</td><td>30</td></tr>
<tr><td>Windows 2000</td><td>13</td></tr>
</tbody></table>
<br style="background-color: #efefef; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px;" />
<div style="background-color: #efefef; font-family: Verdana, Arial, sans-serif; font-size: 13px; line-height: 16.883333206176758px; margin: 0px 0px 0.75em;">
<br />
<a href="https://mvp.support.microsoft.com/profile=BEFD6E37-0E3F-4CF6-B500-7184D0CE23A7" style="color: #336699;">MVP Brian Arkills</a> posted a link to the changes made in adprep in Windows 2012 from version 48 to 56. You can find that here<br />
<br />
<a href="http://technet.microsoft.com/en-us/library/hh994609" style="color: #336699;">Windows Server 2012: Changes made by adprep.exe</a><br />
<br />
You can download an <a href="http://technet.microsoft.com/en-US/evalcenter/hh670538.aspx?ocid=&wt.mc_id=TEC_108_1_33" style="color: #336699;">evaluation copy of Windows Server 2012</a> and go start to learn and have fun. This will be an OS that most of us will be using for the next 10+ years and it is an exciting day for those of us in the Windows Server world. Thanks to all the hard work put in by the many people at Microsoft that made today happen.</div>
mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com5tag:blogger.com,1999:blog-7365513794075231499.post-32029204669933312812012-08-23T07:00:00.000-07:002012-08-23T11:35:58.322-07:00Find Inactive Users using PowerShell<br />
This is a quick hitter that came about when I was chatting with a few friends online. We were talking about finding inactive users using PowerShell. We also wanted to output their userid (samaccountname) and their last logon time.<br />
<br />
In this case the LastLogonTimeStamp attribute was good enough for this query. Note that this attribute is replicated, but its value can be <a href="http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx">9-14 days behind the current date</a>.<br />
<br />
For full disclosure this is something I'd usually use <a href="http://www.joeware.net/freetools/tools/oldcmp/">oldcmp</a> for but in this case the customer wasn't allowing third-party tools.<br />
<br />
The main problem I was having was the output of LastLogonTimeStamp via PowerShell. The date doesn't get automatically converted from its native 64-bit format. Luckily the Microsoft team has included LastLogonDate, which is the conversion of LastLogonTimestamp. MVP Richard Mueller has a great explanation of the <a href="http://social.technet.microsoft.com/Forums/en/winserverDS/thread/838b1e09-7fcb-4ea2-95f4-b21c5bb2c37e">LastLogonDate attribute in PowerShell</a>. It is important to emphasize that LastLogonDate is not an actual Active Directory attribute. LastLogonDate was key; without it the query would have been more complex because we would have had to include a conversion in the command. <br />
<br />
For the query I went with the <a href="http://technet.microsoft.com/en-us/library/ee617247.aspx">search-adaccount cmdlet.</a> We were looking for accounts that had not been active within 90 days.<br />
<br />
<b>search-adaccount -usersonly -accountinactive -timespan "76" | select-object samaccountname, lastlogondate</b><br />
<b><br /></b>
If you want to export that to a CSV then that command can be piped into export-csv.<br />
<br />
<b>search-adaccount -usersonly -accountinactive -timespan "76" | select-object samaccountname, lastlogondate | export-csv Users.csv</b><br />
<b><br /></b>
Why did I choose 76 instead of 90? That goes back to the DS blog about lastlogontimestamp being up to 14 days behind.<br />
<br />
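The conversion that LastLogonDate spares you, written out by hand as an added example that is not code from the original post. It applies the same 90 minus 14 = 76 day window to the raw 64-bit lastLogonTimestamp; the function name Get-StaleAccount, its parameters, the sample accounts, and the rule that a never-logged-on account counts as stale once it is older than the window are assumptions made for illustration.

```powershell
# Added example (not from the original post). Get-StaleAccount, its parameters
# and the sample accounts below are illustrative assumptions.
function Get-StaleAccount {
    [CmdletBinding()]
    param(
        # Objects exposing SamAccountName, lastLogonTimestamp and whenCreated,
        # such as Get-ADUser output requested with those properties.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account,

        # Policy threshold from the post: inactive for 90 days.
        [int]$InactiveDays = 90,

        # lastLogonTimestamp can be up to 14 days behind, so the post
        # shortens the window by that margin (90 - 14 = 76).
        [int]$ReplicationLagDays = 14,

        # Injectable reference time so a run can be reproduced.
        [datetime]$Now = [datetime]::UtcNow
    )
    begin {
        $windowDays = $InactiveDays - $ReplicationLagDays
        $cutoff     = $Now.AddDays(-$windowDays)
    }
    process {
        $raw = $Account.lastLogonTimestamp

        if ($null -eq $raw -or [int64]$raw -le 0) {
            # Attribute never set: the account has no recorded logon.
            # Assumption: report it only if it was created before the cutoff,
            # so freshly provisioned accounts are not flagged.
            $lastLogon = $null
            $stale     = $Account.whenCreated.ToUniversalTime() -lt $cutoff
        }
        else {
            # The raw value is a FILETIME: 100-nanosecond ticks since
            # 1601-01-01 UTC. This is the conversion LastLogonDate performs.
            $lastLogon = [datetime]::FromFileTimeUtc([int64]$raw)
            $stale     = $lastLogon -lt $cutoff
        }

        if ($stale) {
            [pscustomobject]@{
                SamAccountName = $Account.SamAccountName
                LastLogonUtc   = $lastLogon
                NeverLoggedOn  = ($null -eq $lastLogon)
            }
        }
    }
}

# Constructed sample input, so the function can be exercised without a domain.
$asOf = [datetime]::SpecifyKind([datetime]'2012-08-23', 'Utc')
$sample = @(
    # Logged on 10 days ago: active.
    [pscustomobject]@{ SamAccountName = 'alice'; whenCreated = $asOf.AddDays(-400)
                       lastLogonTimestamp = $asOf.AddDays(-10).ToFileTimeUtc() }
    # Timestamp 80 days old: inside a 90-day window, outside the 76-day one.
    [pscustomobject]@{ SamAccountName = 'bob'; whenCreated = $asOf.AddDays(-400)
                       lastLogonTimestamp = $asOf.AddDays(-80).ToFileTimeUtc() }
    # Timestamp 120 days old.
    [pscustomobject]@{ SamAccountName = 'carol'; whenCreated = $asOf.AddDays(-400)
                       lastLogonTimestamp = $asOf.AddDays(-120).ToFileTimeUtc() }
    # Never logged on, created 5 days ago.
    [pscustomobject]@{ SamAccountName = 'newhire'; whenCreated = $asOf.AddDays(-5)
                       lastLogonTimestamp = $null }
    # Never logged on, created 200 days ago.
    [pscustomobject]@{ SamAccountName = 'dave'; whenCreated = $asOf.AddDays(-200)
                       lastLogonTimestamp = $null }
)

$sample | Get-StaleAccount -Now $asOf | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated |
#     Get-StaleAccount
```

Accounts that have never logged on carry no lastLogonTimestamp at all, which is why the function reports them separately instead of converting an empty value.
<br />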
Active Directory Administrative Center also has some handy built-in searches that can help if you prefer a GUI.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhntmuZJjSNOABHv4904axNuTN8GAyOYzo8aEsQ4TFK6ZO9pBycpUv5ygguKhyOxcVE7sZegM7xUdlWtHSo04QHlsHsGtkBPWFh0nKFTLVHof7AmcAqKpM7TokNDAa8WbYG9QcNstJuLik/s1600/ADAC1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="311" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhntmuZJjSNOABHv4904axNuTN8GAyOYzo8aEsQ4TFK6ZO9pBycpUv5ygguKhyOxcVE7sZegM7xUdlWtHSo04QHlsHsGtkBPWFh0nKFTLVHof7AmcAqKpM7TokNDAa8WbYG9QcNstJuLik/s400/ADAC1.jpg" width="400" /></a></div>
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7kPNwRozIn6U0AHZC9agyostFeWf6gSWDeKrnNGrW2GynaQ104cd4f2yHGQR2aAG091g-Oh0u9owwYrgscV7mGFy0HiF6YY-PNsXDfe2161PCcqTs8uxhcbZxeCwiDw4lmwCYmzqXnWY/s1600/ADAC2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7kPNwRozIn6U0AHZC9agyostFeWf6gSWDeKrnNGrW2GynaQ104cd4f2yHGQR2aAG091g-Oh0u9owwYrgscV7mGFy0HiF6YY-PNsXDfe2161PCcqTs8uxhcbZxeCwiDw4lmwCYmzqXnWY/s400/ADAC2.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<b>Update </b>Good friend and Microsoft PFE Eric J suggested that I add a screenshot with the Windows 2012 version of ADAC and the <a href="http://technet.microsoft.com/en-us/library/hh831702.aspx#windows_powershell_history_viewer">PowerShell history viewer</a> output. Great suggestion Eric!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOB9J7-On9bXpmVD1ok1M-yjDGUx0OOPaR1PNCb-fLRZz4A2xihA9ogUottMIuQMz9Huj7TzQJRc31XOCxbYGewpqe1uSIrdQ_SO7djLRxMitKDLSkY1aFqRlY9OK85YusipiG4a74q8g/s1600/ADAC2PSViewer.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="273" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOB9J7-On9bXpmVD1ok1M-yjDGUx0OOPaR1PNCb-fLRZz4A2xihA9ogUottMIuQMz9Huj7TzQJRc31XOCxbYGewpqe1uSIrdQ_SO7djLRxMitKDLSkY1aFqRlY9OK85YusipiG4a74q8g/s400/ADAC2PSViewer.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<br />
The powershell command in the history viewer is interesting. I like the version above a lot better :)<br />
<br />
<quote> Get-ADObject -LDAPFilter:"(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(|(lastLogonTimestamp<=129888720000000000)(!lastLogonTimestamp=*)))" -Properties:allowedChildClassesEffective,allowedChildClasses,lastKnownParent,sAMAccountType,systemFlags,userAccountControl,displayName,description,whenChanged,location,managedBy,memberOf,primaryGroupID,objectSid,msDS-User-Account-Control-Computed,sAMAccountName,lastLogonTimestamp,lastLogoff,mail,accountExpires,msDS-PhoneticCompanyName,msDS-PhoneticDepartment,msDS-PhoneticDisplayName,msDS-PhoneticFirstName,msDS-PhoneticLastName,pwdLastSet,operatingSystem,operatingSystemServicePack,operatingSystemVersion,telephoneNumber,physicalDeliveryOfficeName,department,company,manager,dNSHostName,groupType,c,l,employeeID,givenName,sn,title,st,postalCode,managedBy,userPrincipalName,isDeleted,msDS-PasswordSettingsPrecedence -ResultPageSize:"100" -ResultSetSize:"20201" -SearchBase:"DC=MK2012,DC=com" -SearchScope:"Subtree" -Server:"w2012DC1.MK2012.com" </quote> <br />
<br />
<br />
The issue I have with the ADAC method is that it doesn't allow the user to export the findings and include the LastLogonTimeStamp date in a converted form.<br />
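The ADAC-generated filter above can be rebuilt by hand with the date conversion and the CSV export included. The following is an added example, not part of the original post or ADAC's own output; the 76-day window follows the post, and the output file name InactiveUsers.csv is an assumption.<br />

```powershell
# Added example: rebuild the inactive-user filter that ADAC generated,
# but with the lastLogonTimestamp conversion and a CSV export included.
Import-Module ActiveDirectory

# 90 days of inactivity minus the up-to-14-day lag of lastLogonTimestamp.
$windowDays = 90 - 14
$cutoff     = (Get-Date).AddDays(-$windowDays)

# lastLogonTimestamp is a 64-bit FILETIME: 100-nanosecond ticks since
# 1601-01-01 UTC. ToFileTimeUtc() yields the integer LDAP compares against.
$cutoffTicks = $cutoff.ToFileTimeUtc()

# The same conversion in reverse decodes the constant in the ADAC filter.
$adacCutoff = [DateTime]::FromFileTimeUtc(129888720000000000)
Write-Host "ADAC filter cutoff was $adacCutoff (UTC)"

# Same clauses as the ADAC filter:
#   1.2.840.113556.1.4.803 is the bitwise-AND matching rule; with value 2
#   (ACCOUNTDISABLE) and the leading "!" it skips disabled accounts.
#   The final OR also returns accounts that have never logged on.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(!userAccountControl:1.2.840.113556.1.4.803:=2)' +
          "(|(lastLogonTimestamp<=$cutoffTicks)(!lastLogonTimestamp=*)))"

# InactiveUsers.csv is an assumed file name for this example.
Get-ADUser -LDAPFilter $filter -Properties lastLogonTimestamp |
    Select-Object SamAccountName,
        @{ Name = 'LastLogonUtc'
           Expression = {
               if ($_.lastLogonTimestamp) {
                   [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp)
               } else {
                   'never'
               }
           } } |
    Sort-Object SamAccountName |
    Export-Csv -Path .\InactiveUsers.csv -NoTypeInformation
```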
<br />
<br />
I'm looking forward to other suggestions and comments on how to improve this PowerShell command. Remember we are talking quick-hitter one-liner here.
mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com1tag:blogger.com,1999:blog-7365513794075231499.post-88986350108793895072012-07-20T07:00:00.000-07:002012-07-24T08:13:08.493-07:00Is It a Domain ControllerI recently went into our test lab and there was a guy working in there and he asked me. <br />
<br />
<blockquote class="tr_bq">
<i>If I'm on a machine how do I know if it is a Domain Controller</i></blockquote>
These are often my favorite types of questions. No time to check Bing/Google, no time to check a book. Just a quick question that is answered in seconds. By the way in those situations it is also ok to say "I don't know" or "I'll get back to you". A lot of times you will see people blowing smoke and making stuff up.<br />
<br />
The guy wasn't trying to be an ass but trying to learn AD and the lab is a perfect place for it. We have a lot of VMs in our lab and I didn't know what box he was on when I walked in.<br />
<br />
My initial thought was to tell him to look for admin tools etc but then after a second I realized not every box has the admin tools installed. Then I thought look for the AD Domain Services and see if they are started. That thought lasted for a half second. We still have 2003 DCs too so if he was on one of those then no services.<br />
<br />
The answer I gave him was to run:<br />
<br />
<div style="text-align: left;">
<b>net share<span style="font-size: large;"> </span></b></div>
<b><span style="font-size: large;"><br /></span></b><br />
If the sysvol share is present then it is a domain controller.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi29PyZAeS7zGCqU6z3an669nDJm8jpZN8alGbsjGF91YLYzcF3ugjqiTWIpoMbg6_tAHOqRpCOT9QoB1ScJYpyiX_XG2SJHoWjSsWXy0bpIVRLsu4ip0Af5WV99bx2qvtY64kgzayqGuA/s1600/netshare.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="131" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi29PyZAeS7zGCqU6z3an669nDJm8jpZN8alGbsjGF91YLYzcF3ugjqiTWIpoMbg6_tAHOqRpCOT9QoB1ScJYpyiX_XG2SJHoWjSsWXy0bpIVRLsu4ip0Af5WV99bx2qvtY64kgzayqGuA/s400/netshare.jpg" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
I started thinking of other ways and reached out to some friends and asked what they would have suggested for this quick question.<br />
<br />
<br />
One suggestion by my friend Troy was to run<br />
<br />
<br />
<b>netdom query dc</b><br />
<span style="font-size: large;"><b><br /></b></span><br />
I thought that was a good one, and teaming it with hostname, so that the person knows the name of the machine, works great.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0abDCZovraznPbr-fnx27MnuTuSHa-AR7Vmj5f4FflzxcZe_4emjIsK9j2aHApbECm_ikOzEKzcdER9e-5FeXzLQkk0-TAailpghLayfwXMSwbIrDM7GI6B2aE4W9frDBF1T8k04tUHA/s1600/netdom.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0abDCZovraznPbr-fnx27MnuTuSHa-AR7Vmj5f4FflzxcZe_4emjIsK9j2aHApbECm_ikOzEKzcdER9e-5FeXzLQkk0-TAailpghLayfwXMSwbIrDM7GI6B2aE4W9frDBF1T8k04tUHA/s400/netdom.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
My buddy Eric had a good one, it is a bit more involved because it would require the person to know about AD ports...but if they are learning they should know some of these. Use netstat -ano and look for AD ports (88, 389, 3268, and others)<br />
<br />
<span style="font-weight: bold;">netstat -ano </span> or <b>netstat -ano | findstr /i listening</b><br />
<b><span style="font-size: large;"><br /></span></b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2OffFBftaKbFsMDxXmMUW4KZwXiHUIrVy5nCFQoeYh9s0mUMgqSgZjief3osKga7iJUYu8jKNyqvoL0hJMciKap_6hF8h7mva-RPvxLRHMZUBD2wCZj6lVJFPTI8zfZLglDY8P-sWkAs/s1600/netstat.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="370" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2OffFBftaKbFsMDxXmMUW4KZwXiHUIrVy5nCFQoeYh9s0mUMgqSgZjief3osKga7iJUYu8jKNyqvoL0hJMciKap_6hF8h7mva-RPvxLRHMZUBD2wCZj6lVJFPTI8zfZLglDY8P-sWkAs/s400/netstat.jpg" width="400" /></a></div>
<b><span style="font-size: large;"><br /></span></b><br />
There are a lot of ways to do this. You could look for SRV records. If ADUC was installed you could have them check there for the DC.<br />
<br />
If you also look at the drop down when you login and it has no local server name then that is another good indication. In this case he was already logged in.<br />
<br />
So what answers would you have given? Are there quicker easier ways that you would have told someone just starting out with AD to check if they are at a domain controller?<br />
<br />
<b>Update from Kurt</b> (thanks for your service in the Army...in war zones). I posed this question to a mid-level AD admin. His response was "run dcpromo, it will tell you if it is a DC". That is true and something I didn't think of in the 5 second response. This is why I love AD...so many ways to do something and a lot of great solutions.<br />
<br />
My only caveat about this method is that if someone was being careless, didn't read, and clicked next, next and finished the wizard, then they could also be demoting a DC....I'm hoping people using AD can read :)<br />
<br />
In the example below the computer is obviously a DC.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil7XODRl6wQj-NQUOVMCyAoL8wKoDB0vHqg-Fsl2NKWLZq1NyGpL3X3N63i6-u0Z6MK793hqAa7eMcTUAXapuXkdFc6NfttJ-HFwrbTJFBjv4gHww3n03HCCwn98Mi4E0QCWBlqtKHWV4/s1600/dcpromo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="375" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil7XODRl6wQj-NQUOVMCyAoL8wKoDB0vHqg-Fsl2NKWLZq1NyGpL3X3N63i6-u0Z6MK793hqAa7eMcTUAXapuXkdFc6NfttJ-HFwrbTJFBjv4gHww3n03HCCwn98Mi4E0QCWBlqtKHWV4/s400/dcpromo.jpg" width="400" /></a></div>
<br />
<br />
<br />
Note: The dcpromo method won't work in Windows 2012...because they killed that off...more on that in future posts. I'm guessing very few folks are currently running Windows 2012 in production. Example of start > run > dcpromo on a Windows 2012 DC below.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjRG_KdG8ycrm7ulOcJ4Bde6kQAyvj-yIPpb9aNkwddsdAEIQj-OHk7pYFpXjSB9m-D8S9NuNNxGTS0PVff7C85sfXwJ58b3rsxUeuiVRbekZgNDFnPmnY6Moel72CAJJUNnrkpm6qV7A/s1600/dcpromo2012.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjRG_KdG8ycrm7ulOcJ4Bde6kQAyvj-yIPpb9aNkwddsdAEIQj-OHk7pYFpXjSB9m-D8S9NuNNxGTS0PVff7C85sfXwJ58b3rsxUeuiVRbekZgNDFnPmnY6Moel72CAJJUNnrkpm6qV7A/s400/dcpromo2012.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Update 2</b>: <a href="http://kpytko.wordpress.com/">Krzysztof</a> had a great suggestion in the comments and that was to use systeminfo: </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
systeminfo | findstr /i /c:"os configuration"</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmDY66XlvHREFbv0cG5e2VXKpL45Ss0FCK3uHrgXeL00mDRR_k_nKXM3U0GiTIZcSW4KtgfBDFLbbrqxeBvDT2K-v0Q6LQUm9GBVbo4kRos3ewI_NLS9iESNfR1TTpclDc8OmKj4Ylclw/s1600/systeminfo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="33" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmDY66XlvHREFbv0cG5e2VXKpL45Ss0FCK3uHrgXeL00mDRR_k_nKXM3U0GiTIZcSW4KtgfBDFLbbrqxeBvDT2K-v0Q6LQUm9GBVbo4kRos3ewI_NLS9iESNfR1TTpclDc8OmKj4Ylclw/s400/systeminfo.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
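The checks from this post can be combined into one read-only function; this is an added example, not code from the original post. The function name Test-IsDomainController and the WMI DomainRole and ProductType lookups are additions here, the share and port checks mirror net share and netstat above, and the port parsing assumes English netstat output.<br />

```powershell
# Added example: read-only "is this box a DC?" check. Nothing here changes
# the machine, unlike stepping through the dcpromo wizard.
function Test-IsDomainController {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    # Win32_OperatingSystem.ProductType: 2 = domain controller.
    $roleSaysDc    = $cs.DomainRole -ge 4
    $productSaysDc = $os.ProductType -eq 2

    # Same evidence as "net share": a DC publishes the SYSVOL share.
    $shareNames = @(Get-WmiObject -Class Win32_Share |
                    ForEach-Object { $_.Name })
    $hasSysvol  = $shareNames -contains 'SYSVOL'

    # Same evidence as "netstat -ano | findstr /i listening": collect the
    # local TCP ports in LISTENING state (handles IPv4 and [::] lines).
    $listening = @(netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') {
            [int]$Matches[1]
        }
    } | Sort-Object -Unique)

    # Kerberos, LDAP and global catalog. 3268 is only open on DCs that
    # are global catalogs, so its absence alone does not rule out a DC.
    $adPorts   = 88, 389, 3268
    $portsOpen = @($adPorts | Where-Object { $listening -contains $_ })

    # DomainRole is the verdict; the other fields are corroborating
    # evidence a learner can compare against the manual commands.
    New-Object PSObject -Property @{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $roleSaysDc
        DomainRole         = $cs.DomainRole
        ProductTypeIsDc    = $productSaysDc
        SysvolShared       = $hasSysvol
        AdPortsListening   = ($portsOpen -join ', ')
    } | Select-Object ComputerName, IsDomainController, DomainRole,
                      ProductTypeIsDc, SysvolShared, AdPortsListening
}

Test-IsDomainController | Format-List
```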
<br />mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com8tag:blogger.com,1999:blog-7365513794075231499.post-4495851127300095252012-07-13T07:46:00.000-07:002012-07-13T11:24:24.340-07:00Speaking at Microsoft TechGate Conference on 9/15This mainly applies to readers that are in the DC, Virginia, and Maryland region as I don't think anyone is going to fly in for this :)<br />
<br />
Microsoft is sponsoring TechGate 2012 on September 15, 2012 at their Reston, VA office. There are 15 sessions and five workshops so it should be a good day. It will also not be 100 degrees every day by that time so come out if you can. <br />
<br />
You can find more information and register for the conference here:<br />
<br />
<br />
<div style="text-align: center;">
<a href="http://techgateconference.com/index.html"><span style="font-size: x-large;">http://techgateconference.com/</span></a></div>
<br />
As you can see I will be speaking about new Active Directory features in Windows Server 2012. I'm really looking forward to it. I'm also hoping to devote 10 minutes at the end to discuss what features folks would like to see in R2 or future versions. That is feedback I'll take back to the AD team during the MVP summit in early 2013.<br />
<br />
I'm really looking forward to meeting other members of the DC IT community in a few months.mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com0tag:blogger.com,1999:blog-7365513794075231499.post-38043173041056030582012-07-02T07:00:00.000-07:002012-07-02T12:18:31.281-07:00MVP Award - Year FourI woke up yesterday to great news that I've been awarded the <a href="http://mvp.microsoft.com/profiles/Kline">MVP award in Directory Services</a> for the fourth year. I have previously <a href="http://adisfun.blogspot.com/2010/07/thank-you-again-mvp-award.html">written blog</a>s with <a href="http://adisfun.blogspot.com/2009/07/im-microsoft-mvp-now-thank-you.html">long thank you lists</a> so I won't do that again. Just a continued huge thanks to everyone I mentioned in those two blog entries. I've learned from a lot of people and glad to help others.<br />
<br />
My favorite part about being an MVP is the MVP summit and I'm really looking forward to going to Seattle again in the late winter.<br />
<br />
This is an exciting time for Active Directory. Windows 2012 is being released later this year. Windows Azure Active Directory is coming online. We will have a lot to learn but that is the fun part for me.<br />
<br />
<br />mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com3tag:blogger.com,1999:blog-7365513794075231499.post-65085514913888459902012-05-24T06:42:00.000-07:002012-05-24T11:06:25.046-07:00Outstanding Cloud & Identity TalkI generally don't post videos or presentations as blog entries but this is one I haven't seen posted by a lot of folks and is a must watch for anyone in the Identity, Active Directory, Directory Services field.<br />
<br />
The main reason I love this talk is the presenter, Microsoft's <a href="http://www.identityblog.com/?p=360">Kim Cameron</a>. Kim is the Chief Architect of Identity in the Identity and Access Division at Microsoft. In other words, when it comes to anything Active Directory/DS, Kim is "the man".<br />
<br />
Vittorio had an <a href="http://blogs.msdn.com/b/vbertocci/archive/2011/05/08/thank-you-kim.aspx">excellent blog about Kim</a> (Kim was retiring when that blog was written but has come back and he talked about that in this presentation)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/6qbwTFyJa7k?feature=player_embedded' frameborder='0'></iframe></div>
<br />
This is Kim's twenty-minute keynote from the <a href="http://www.id-conf.com/">European Identity & Cloud Conference 2012</a>.<br />
<br />
Some things I liked<br />
<br />
<br />
<ul>
<li>Use the efficiencies of the cloud to enable efficiencies in identity</li>
<li>The Cloud Motor Runs on Identity</li>
<li>Identity Management as a service is an inevitability</li>
<li>There are other vendors who have similar directories...not as good of course :)</li>
</ul>
<div>
There are a lot of people that talk about the cloud and give talks. This is one from a guy who truly knows his stuff. Kim also has an <a href="http://www.identityblog.com/?p=1205">excellent blog entry</a> that goes with this video.</div>
<div>
<br /></div>
<div>
I'm personally excited that AD and Directory Services types can evolve our skills and have work for years to come.</div>
<div>
<br /></div>
<div>
<br /></div>
<br />
<br />
<br />mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com0tag:blogger.com,1999:blog-7365513794075231499.post-8597224710456240932012-04-16T05:34:00.000-07:002012-04-17T16:57:07.238-07:00New MCSE - Personal FAQsAs most blog readers know Microsoft has brought back the MCSE & MCSA certifications and titles. For those newer to the field the MCSE was one of Microsoft's most popular certifications and tracks. I'm on the AD/Server side of the house so for me this goes back to an MCSE in Windows NT, 2000, & 2003.<br />
<br />
With the 2008 tracks Microsoft did away with the MCSE & MCSA and introduced the MCITP and MCTS tracks and certifications.<br />
<br />
The MCSE and MCSA are back again but this time they stand for<br />
<br />
<b>Microsoft Certified Solutions Expert</b><br />
<b>Microsoft Certified Solutions Associate</b><br />
<br />
The Microsoft Learning team has put together a nice page with a lot of information.<br />
<br />
<div style="text-align: center;">
<a href="http://www.microsoft.com/learning/en/us/certification/mcse.aspx"><span style="font-size: large;">MCSE: Reinvented for the Cloud</span></a></div>
<br />
There are also some good videos on the site and the <a href="http://www.youtube.com/user/microsoftlearning">Microsoft Learning YouTube Channel</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://0.gvt0.com/vi/b3dbPx2_85Q/0.jpg" height="266" width="320"><param name="movie" value="http://www.youtube.com/v/b3dbPx2_85Q&fs=1&source=uds" />
<param name="bgcolor" value="#FFFFFF" />
<embed width="320" height="266" src="http://www.youtube.com/v/b3dbPx2_85Q&fs=1&source=uds" type="application/x-shockwave-flash"></embed></object></div>
<br />
<br />
<br />
There was a lot of great information on the site, but I still had questions and after asking around I noticed others had the same questions. <a href="https://twitter.com/#!/MSLearning">MSLearning has a Twitter Account</a> and that is where I learned a lot more about the new certs and the future. I compiled some of my FAQs here:<br />
<br />
<br />
<br />
<br />
<div style="text-align: left;">
<span style="color: red; font-size: large;"><u>MK FAQ 1 : What happens if I have the MCITP:SA do I need to start from scratch?</u></span></div>
<div style="text-align: left;">
<span style="color: red; font-size: large;"><b><u><br /></u></b></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPu6wbTyubyK16o3jPrWpaJ0MLkHcLngqBQBlMX8lgpygFZPmmcyaaHW4gJngFJju5EuEBE75u2ayhjFAMEWymL6YW0b2teGd8L96DTptFdwQiUK7Hn1ROfXuAgkiCVhYfmW8p-qdsZLs/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPu6wbTyubyK16o3jPrWpaJ0MLkHcLngqBQBlMX8lgpygFZPmmcyaaHW4gJngFJju5EuEBE75u2ayhjFAMEWymL6YW0b2teGd8L96DTptFdwQiUK7Hn1ROfXuAgkiCVhYfmW8p-qdsZLs/s400/1.png" width="390" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: -webkit-auto;">
<br /></div>
<div class="separator" style="clear: both; text-align: -webkit-auto;">
So that was good news, as you can see the MCITP:SA will automatically receive the new <a href="http://www.microsoft.com/learning/en/us/certification/cert-windows-server-MCSA.aspx">MCSA: Windows Server 2008 Certification.</a></div>
<div class="separator" style="clear: both; text-align: -webkit-auto;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: red; font-size: large;"><u>MK FAQ 2 : What happens if I have the MCITP:EA?</u></span>
</div>
<div class="separator" style="clear: both; text-align: -webkit-auto;">
<b style="color: red; font-size: x-large;"><u><br /></u></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5E-pC6dM2fCJ4VlLtN-PZSdKQERht9JSBKGBZ4BFs1i0KCV_AcM0zENHGv2u4FDJsA0stgiqbL7i7NeW-l5E42n8AR8cAXbLQSeel_7GRvefGoA0PadsMfEU5T1Rhzx0iZXmICgI9aow/s1600/EA+Role.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5E-pC6dM2fCJ4VlLtN-PZSdKQERht9JSBKGBZ4BFs1i0KCV_AcM0zENHGv2u4FDJsA0stgiqbL7i7NeW-l5E42n8AR8cAXbLQSeel_7GRvefGoA0PadsMfEU5T1Rhzx0iZXmICgI9aow/s640/EA+Role.png" width="393" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This was interesting because the MCITP: EA and MCITP: SA will both have the same MCSA: WS2008 title. I was hoping for two certs as I have both :) </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Note: It was common for people to get both the MCITP:EA and MCITP:SA certifications.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: red; text-align: -webkit-auto;"><u><span style="font-size: large;">MK FAQ 3 : When will our transcripts be updated?</span></u></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
According to the twitter conversation above transcripts should change on April 24, 2012.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="color: #274e13;">UPDATE: Blog reader let me know in the comments that his transcript was updated on 4/17/2012. Nice job by Microsoft getting ahead of schedule.</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: red; text-align: -webkit-auto;"><u><span style="font-size: large;">MK FAQ 4 : What happens to our old certifications?</span></u></span></div>
<div class="separator" style="clear: both; text-align: left;">
<b style="color: red; text-align: -webkit-auto;"><u><br /></u></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLGC0Ts84Cq0DmzdgKpA7hjQIh8QNEAGCEo1hmKfSVU1LtDw5EJ6hRKCOzUcAesFIovnUKwwau9u6WPb6oiwOdqcE7gYhDIASwWJIrAJP8vjBBFrIrIXKho6FWsw_EH6QUgsURFHSu4eQ/s1600/Legacy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="66" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLGC0Ts84Cq0DmzdgKpA7hjQIh8QNEAGCEo1hmKfSVU1LtDw5EJ6hRKCOzUcAesFIovnUKwwau9u6WPb6oiwOdqcE7gYhDIASwWJIrAJP8vjBBFrIrIXKho6FWsw_EH6QUgsURFHSu4eQ/s640/Legacy.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<b style="color: red; font-size: x-large; text-align: -webkit-auto;"><u><br /></u></b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpUIEUzX21xi0qbW796zVbScaeazKdqMD_b7o5tP3r6-7i3Gkj-bwkOofiAWz1pPqRs3etwJZVGWuMltj9NRIw-Vy3-w1ADDSecWPH3t2bC0YEkbWDVsz9V-aS8KJyI6FS6NuxXjo49l0/s1600/retire.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpUIEUzX21xi0qbW796zVbScaeazKdqMD_b7o5tP3r6-7i3Gkj-bwkOofiAWz1pPqRs3etwJZVGWuMltj9NRIw-Vy3-w1ADDSecWPH3t2bC0YEkbWDVsz9V-aS8KJyI6FS6NuxXjo49l0/s400/retire.png" width="385" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This one I really like a lot! I like that old certs will enter a legacy state and be stated that way on the official Microsoft transcript.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I also like that new exams and certifications will also retire. It makes people need to stay somewhat current and re-certify. Other companies already use this model, the most famous probably being Cisco. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I know there are going to be cynics out there that remember MCSE's being referred to as "paper tigers" or MCSEs that got their certs through brain dumps and that made us all look bad but Microsoft is definitely moving in the right direction in my opinion.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I'll take an analogy from the Army. Every Army soldier goes through bootcamp and has "basic" skills but there is a lot more training and experience needed to become a Ranger or Special forces and deal with the advanced issues/topics. That is how I look at a lot of these certs (from any company). They are a good step but getting an MCSA or MCSE doesn't mean someone knows everything....it is an ongoing process.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
One of my AD Heroes is Joe Richards and he once <a href="http://blog.joeware.net/2008/08/11/1420/">rated himself a 6 out of 10</a> in AD. Again it is a lifelong learning process...no one knows it all not even a guy like Joe (love how humble and cool he is)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I'd like to hear from the community. What do you think about the new changes and updates?</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com2tag:blogger.com,1999:blog-7365513794075231499.post-27251485767928049462012-04-04T05:00:00.000-07:002012-04-04T08:00:21.656-07:00Security Compliance Manager 2.5 Released<div class="tr_bq">
Ned Pyle wrote a blog entry in January on the <a href="http://blogs.technet.com/b/askds/">Microsoft askds blog </a> about <a href="http://blogs.technet.com/b/askds/archive/2012/01/25/security-compliance-manager-2-5-beta-is-out.aspx">Security Compliance Manager 2.5 Beta</a></div>
<br />
The tool has been <a href="http://www.microsoft.com/download/en/details.aspx?id=16776">officially released</a> and is no longer in beta.<br />
<br />
From the download center<br />
<br />
<blockquote>
<b><i><span style="background-color: rgba(255, 255, 255, 0.917969); color: #222222; font-family: arial, sans-serif; font-size: 13px;">We are pleased to announce that version 2.5 is released and now available for download from the Microsoft Download Center!</span></i></b></blockquote>
<i> <a href="http://www.microsoft.com/download/en/details.aspx?id=16776"> <b><span style="background-color: rgba(255, 255, 255, 0.917969); color: #222222; font-family: arial, sans-serif; font-size: 13px;">Download SCM 2.5 now</span></b></a></i><br />
<br />
<br />
I've been testing 2.5 Beta and I'm really glad that it is now out of beta as it will be much easier to get the tool approved for use where I work.<br />
<br />
You can read about the key features & benefits on the Microsoft site so I won't copy and paste them again here.<br />
<br />
There will be follow up blog posts with more info and screen shots from the tool.<br />
<br />
<br />mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com0tag:blogger.com,1999:blog-7365513794075231499.post-15618740407119922562012-03-30T08:00:00.000-07:002012-03-30T10:03:31.000-07:00Active Directory Administrative Center Twitter QuestionI recently saw a question on Twitter about the <a href="http://blogs.technet.com/b/activedirectoryua/archive/2009/01/30/introducing-active-directory-administrative-center.aspx">Active Directory Administrative Center</a> (ADAC)<br />
<br />
Twitter is a site everyone knows but more and more it is a great place for tech information and sharing in the community. There are a lot of good tweets on Active Directory and links to information. There is also a fair amount of spam/bad links. Those are usually easy to spot though (picture is a "sexy" model for example)<br />
<br />
Thanks a lot to<a href="https://twitter.com/#!/samerde"> @SamErde</a> for letting me use his post for this blog. <br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFC0_NfY3tEARTyDdmx9KR_urtahfnEzo-GF-C21FDy1gKcAvkUaF8LRLC5Ig-sQQVVgSGO11T6LgcWWENtxU-GmBQZ8qvKitvrKRXkg2N2JXe0_0hzPcqlj4VN0HLuYSBHQ27FZqt_Qs/s1600/sam+AD+twitter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFC0_NfY3tEARTyDdmx9KR_urtahfnEzo-GF-C21FDy1gKcAvkUaF8LRLC5Ig-sQQVVgSGO11T6LgcWWENtxU-GmBQZ8qvKitvrKRXkg2N2JXe0_0hzPcqlj4VN0HLuYSBHQ27FZqt_Qs/s640/sam+AD+twitter.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://technet.microsoft.com/en-us/library/dd560651(v=ws.10).aspx">ADAC</a> was released with Windows 2008 R2. It has gained some traction but currently it is definitely still not the GUI tool of choice for Active Directory Administration. AD Users & Computers still wins but that may change in Windows 8 when features like the AD Recycle Bin and Fine-Grained Passwords are brought into ADAC giving both of those features a much needed GUI.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In order to truly test I created three forests in my lab and created forest trusts between the first forest and the other two forests. I did see TechNet articles that this could be done but I like to verify.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgopsfXP5hJcfRip2a9ZV1KFMDy3yIMCYgh5sIrzeg6y6GPRMJxZy3cpg2M2CsuqFfRYulIGoeKaLHz9saTI7oRn8gcOTQ8ZuchdFgCOyIlICS_wh9NHEjuKnUPsG07Xc_bfr780pZXtng/s1600/Blog+Forest+Trusts.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgopsfXP5hJcfRip2a9ZV1KFMDy3yIMCYgh5sIrzeg6y6GPRMJxZy3cpg2M2CsuqFfRYulIGoeKaLHz9saTI7oRn8gcOTQ8ZuchdFgCOyIlICS_wh9NHEjuKnUPsG07Xc_bfr780pZXtng/s400/Blog+Forest+Trusts.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeDZHr5lDPSgBeQ-KqspjXbFn7R3jqlCGFrq7LhMQXUSnGwf7sjg97VZQ10nJhLM5tIGAiv3HE0JPByVQYmPF-oEA0o2eHi39uHWxI2dzVsSpbLb81ZgNlHpwdKj0UP3QqJjv8q2Myitg/s1600/trusts.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeDZHr5lDPSgBeQ-KqspjXbFn7R3jqlCGFrq7LhMQXUSnGwf7sjg97VZQ10nJhLM5tIGAiv3HE0JPByVQYmPF-oEA0o2eHi39uHWxI2dzVsSpbLb81ZgNlHpwdKj0UP3QqJjv8q2Myitg/s320/trusts.png" width="288" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I'm not just a blogger; I also work in this world and I know setting up the trusts can be a pain. You have to have the <a href="http://support.microsoft.com/kb/179442">proper ports open</a>, which is often easier said than done. Become friends with the firewall admins :) You also need to ensure that name resolution is working. I used conditional forwarders to resolve the domain names in DNS. Stub zones and secondary zones would also work.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
There are a lot of posts and resources about setting up trusts. If you run into issues, look at the basics first:</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li>For potential port blockages tools like telnet, portqry, wireshark, and netmon are really good starting points.</li>
<li>For DNS issues nslookup is a good place to start troubleshooting. (wireshark/netmon are good there too)</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
At this point the forest trusts have been set up and the two-way trusts are functional. The first thing we need to do is try to add one of the other domains in ADAC.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVSSFWKyzIrP2WhvTEZ0BmZggKMtXD9cG_LzjWvvIbUxw2ZXO_sWtSYFcQuhF8glwiBi5ZX3gEodJGJXGeTllyeDbO43bqs5XmjfLfVHab-VSUQJ4nPqVZF93GLjnCFjlreoBvX0O0PYg/s1600/1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVSSFWKyzIrP2WhvTEZ0BmZggKMtXD9cG_LzjWvvIbUxw2ZXO_sWtSYFcQuhF8glwiBi5ZX3gEodJGJXGeTllyeDbO43bqs5XmjfLfVHab-VSUQJ4nPqVZF93GLjnCFjlreoBvX0O0PYg/s400/1.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Add Navigation Nodes in ADAC - Windows Server 2008 R2<br />
<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjf42QUb4iFIIo9NkpEa1dxNmoK7YmRC19hXwsF-WylxdF4cJZIukqN7M4FhY5X7Gn4xOCX940-VHSgWhv2h9MthP00PYThgwunMxyXm4iQP0yD6mtgfYDN-14be2FxUcMlXAuIQ63MBiU/s1600/windows8+Navigation+Nodes.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjf42QUb4iFIIo9NkpEa1dxNmoK7YmRC19hXwsF-WylxdF4cJZIukqN7M4FhY5X7Gn4xOCX940-VHSgWhv2h9MthP00PYThgwunMxyXm4iQP0yD6mtgfYDN-14be2FxUcMlXAuIQ63MBiU/s400/windows8+Navigation+Nodes.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Add Navigation Nodes in ADAC - Windows Server 8 Beta<br />
<br />
<br /></td></tr>
</tbody></table>
</td></tr>
</tbody></table>
I added the screenshot from a Windows Server 8 Beta box just to show that the location for adding the Navigation Nodes has changed.<br />
<div>
<div>
<br /></div>
<div>
I'm going to use Windows 2008 R2 for the rest of the examples. I select Add Navigation Nodes, and from there I can add another domain. </div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgybSgRYdzGj2_psZSh_bW3b_T390dV64QPdpOTo1BVSQwR5rrC7tkVFzcFO2BHdip39GT5AjSahlok9Tdi3BpnNSNvq7zmKoigB4ptHmcrdwTMRq9HJtvLjwzb7T7vkuaerGKzZAx2ZKo/s1600/connect+to+other+domain.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-size: x-small;"><img border="0" height="155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgybSgRYdzGj2_psZSh_bW3b_T390dV64QPdpOTo1BVSQwR5rrC7tkVFzcFO2BHdip39GT5AjSahlok9Tdi3BpnNSNvq7zmKoigB4ptHmcrdwTMRq9HJtvLjwzb7T7vkuaerGKzZAx2ZKo/s400/connect+to+other+domain.png" width="400" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Adding domain in another forest to ADAC via Navigation Node</td></tr>
</tbody></table>
<div style="text-align: left;">
<span style="font-size: x-small;"><br />
</span></div>
<div style="text-align: -webkit-auto;">
Once I add the domain from the trusted forest I can see it in ADAC.</div>
<div style="text-align: -webkit-auto;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6UXcPdpjeyXlEh0U14x2pqkJLxvwP_cP_qLwXodj8PMwaEr5u_HZJ03wEX4R8Tk50cOLSAIReS9qw8DNqqReM4PrJwbJ8GVHlZwIv9ru85Odo68EbRItlvBnVWFxT2HkOrCkBKj8gsuE/s1600/forest3+appears.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-size: x-small;"><img border="0" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6UXcPdpjeyXlEh0U14x2pqkJLxvwP_cP_qLwXodj8PMwaEr5u_HZJ03wEX4R8Tk50cOLSAIReS9qw8DNqqReM4PrJwbJ8GVHlZwIv9ru85Odo68EbRItlvBnVWFxT2HkOrCkBKj8gsuE/s400/forest3+appears.png" width="400" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Remote domain from trusted forest now appears in ADAC<br />
<br /></td></tr>
</tbody></table>
That is great but what does that really get me? I am able to view objects in the remote domain due to the default nature of AD allowing read access to most objects.</div>
<div>
<br /></div>
<div>
I'm not able to make any changes which is a good thing. The fact that the forest trust exists doesn't give any rights to administer the remote domain.</div>
<div>
<br /></div>
<div>
Notice in the screenshot below, I attempt to update/edit a user in the remote forest/domain. I'm unable to make any changes but can read his info.</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_Ku7NNjMa82ujuqF6wKwcdQ8WFXmIMkcfsaq7FbskfGBMNuSCHOxkXqwUYTJ7YJTtxSmyU3-NL1xrXDvOnarG4uC3T72vayJK-C1RpePOBK-u5mIHq5Qm5qSMp5j_LHNhS_7Td2h2yM4/s1600/change+user.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="327" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_Ku7NNjMa82ujuqF6wKwcdQ8WFXmIMkcfsaq7FbskfGBMNuSCHOxkXqwUYTJ7YJTtxSmyU3-NL1xrXDvOnarG4uC3T72vayJK-C1RpePOBK-u5mIHq5Qm5qSMp5j_LHNhS_7Td2h2yM4/s400/change+user.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Attempting to update a user </td></tr>
</tbody></table>
<div>
<br /></div>
<div>
Without any rights I can't really do much. In this case I want the same account to be able to administer the objects in both forests.</div>
<div>
<br /></div>
<div>
There are several options here but I added my admin account into the Built-In Administrators group in the remote domain.</div>
<div>
<br /></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD2yqxmxHr50j4q9tHLfir4ZuoXoh2Osdny71XIO2TZFaxTbQe14MsFAgN0TYoUYm_OL_2jqq7CAGowVzB4czlBS8FcujJe_3_zVfU_ukiQxxXHSg20kXycifx_tJrKJeJySPGFibJlk4/s1600/adding+into+admin+group.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD2yqxmxHr50j4q9tHLfir4ZuoXoh2Osdny71XIO2TZFaxTbQe14MsFAgN0TYoUYm_OL_2jqq7CAGowVzB4czlBS8FcujJe_3_zVfU_ukiQxxXHSg20kXycifx_tJrKJeJySPGFibJlk4/s400/adding+into+admin+group.png" width="346" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">My admin account has been added into the Administrators group in the remote domain<br />
<br />
<br /></td></tr>
</tbody></table>
After the addition has replicated I then try to update the user account from ADAC again. This time you will notice that the fields are not grayed out and I can make changes.<br />
<div>
<div class="separator" style="clear: both; text-align: center;">
</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_nnJdCweljFYVGdEUvDJMyu0x-PE5EsjopXX8yBZTrf7n6WFYc9reGzlLL6Ix9epuEvyrJurCsBZK7C4RBynI3KKtH_KBz5HHHRjV2vutBzF-IH0xUkR2C73ardX8n9gDgZSQZduMV1A/s1600/updated+after+added+to+admin.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="328" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_nnJdCweljFYVGdEUvDJMyu0x-PE5EsjopXX8yBZTrf7n6WFYc9reGzlLL6Ix9epuEvyrJurCsBZK7C4RBynI3KKtH_KBz5HHHRjV2vutBzF-IH0xUkR2C73ardX8n9gDgZSQZduMV1A/s400/updated+after+added+to+admin.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b style="color: red;">Wishlist: </b>I would like the ability to add another domain in the navigation node but also specify alternate credentials when I do that. That would be handy if an admin has a separate admin account in the remote forest/domain. I'm still researching that and will update the blog if I find something.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
There is a good article about <a href="http://technet.microsoft.com/en-us/library/dd560632(v=ws.10).aspx">ADAC on TechNet</a> that is worth reading. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
What are your thoughts on ADAC? For those at 2008 R2, is it gaining traction in your environments?</div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<br />
<b>LastLogonTimestamp for Group Members</b> (posted by mkline, 2012-03-22; updated 2012-03-27)<br />
<br />
I was recently working in a secure environment and one of the issues was way too many domain admin accounts. This is not just a problem in secure environments. I've yet to encounter a federal organization that does an outstanding job of limiting the number of domain admins. I've seen <a href="http://blog.joeware.net/">Joe Richards</a> write about working at a Fortune 5 company where they ran with fewer than 5 domain administrators. More and more organizations are trying to limit domain admins. I doubt we will ever get to a point where fewer than five is the norm but things are getting better...slowly but surely.<br />
<br />
The first step the security team took was to identify members of the domain admin group and the last time they logged in. This is a good initial step to remove those that haven't logged on or used their accounts. If someone hasn't used their domain admin account in 120 days or longer then I would question if they need the account.<br />
<br />
Some folks on the security team were manually going to a box that had the <a href="http://blogs.technet.com/b/askds/archive/2011/04/12/you-probably-don-t-need-acctinfo2-dll.aspx">additional account info tab from the acctinfo.dll</a>. They were then looking at the lastlogon box within the tab and manually entering that into a spreadsheet. I knew there were easier ways to do this so I stepped in to help out.<br />
<br />
For this exercise I keyed off the <a href="http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx">LastLogonTimeStamp</a> (LLTS). The lastlogontimestamp can be off by 9-14 days. The link to the askds blog entry on LLTS does a great job of explaining it. If 9-14 days is not acceptable then you would have to query lastlogon on every DC. Lastlogon does not replicate and that is why every DC would have to be queried.<br />
<br />
For the examples I'm in my lab domain which is mkw2k8R2.com and I only have three users in the domain admin group. I've only logged in with one of those users.<br />
<br />
<div style="text-align: center;">
<span style="color: #134f5c; font-size: large;"><b><u>Method 1 - Using ADFIND</u></b></span></div>
<div style="text-align: center;">
<span style="color: red; font-size: large;"><b><u><br />
</u></b></span></div>
<div style="text-align: left;">
Regular blog users will not be surprised to find out that I used <a href="http://www.joeware.net/freetools/tools/adfind/index.htm">adfind</a> from Joe Richards for method 1. </div>
<div style="text-align: left;">
<br /></div>
<blockquote class="tr_bq">
<i>adfind -default -f "memberof=cn=domain admins,cn=users,dc=mydomain,dc=mysuffix" samaccountname lastlogontimestamp -tdc -nodn -csv </i></blockquote>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyF_lFC9xsOTgSTbu-mzeP_cBG8IJZeyLGp6_DBEhlMXYBYp00dN-jT2pFQrhY5_P2X6GukV4H7wKhwsweZf3Mtkr3Lenihib0FVYWEhLBx9chukquSSp4CKATrJ3iqDiddr7k-8p1Zos/s1600/adfind.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="33" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyF_lFC9xsOTgSTbu-mzeP_cBG8IJZeyLGp6_DBEhlMXYBYp00dN-jT2pFQrhY5_P2X6GukV4H7wKhwsweZf3Mtkr3Lenihib0FVYWEhLBx9chukquSSp4CKATrJ3iqDiddr7k-8p1Zos/s320/adfind.png" width="320" /></a></div>
<br />
<div style="text-align: center;">
<span style="color: #134f5c; font-size: large;"><b><u>Method 2 - Using Quest AD Powershell Cmdlets</u></b></span></div>
<div style="text-align: center;">
<span style="color: #134f5c; font-size: large;"><b><u><br />
</u></b></span></div>
<div style="text-align: left;">
Many people that started with powershell and AD years ago are probably familiar with the <a href="http://www.quest.com/powershell/activeroles-server.aspx">free AD cmdlets from Quest. </a></div>
<div style="text-align: center;">
<span style="color: red; font-size: large;"><b><u><br />
</u></b></span></div>
<blockquote class="tr_bq">
<i>get-qaduser -memberof "domain admins" | select-object samaccountname, lastlogontimestamp</i></blockquote>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKMy9YTCCPd6Pl0UZwJ_13p9JtvAiKM4SSzsfiGqDmFSktZEHF8OwspokiIWgF-kGFEEaaXVuYJox6cEVGwM_UpotcH5uNQZK_b1w6YvGJdNUOg4zZSF50r4rMenRmVLbLOeRqgo60Tks/s1600/quest+cmdlets.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="47" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKMy9YTCCPd6Pl0UZwJ_13p9JtvAiKM4SSzsfiGqDmFSktZEHF8OwspokiIWgF-kGFEEaaXVuYJox6cEVGwM_UpotcH5uNQZK_b1w6YvGJdNUOg4zZSF50r4rMenRmVLbLOeRqgo60Tks/s320/quest+cmdlets.png" width="320" /></a></div>
<br />
<div style="text-align: center;">
<span style="color: #134f5c; font-size: large;"><b><u>Method 3 - Using Microsoft's AD Powershell v2 Cmdlets</u></b></span></div>
<div style="text-align: center;">
<span style="color: #134f5c; font-size: large;"><b><u><br />
</u></b></span></div>
<div style="text-align: left;">
With the introduction of Windows 2008 R2 and Windows 7 Microsoft <a href="http://technet.microsoft.com/en-us/library/dd378937(v=ws.10).aspx">introduced the AD module for Windows Powershell.</a> There is already a lot of good information about the <a href="http://blogs.msdn.com/b/adpowershell/archive/2009/02/25/ad-powershell-quick-start-guide.aspx">AD Module for Powershell</a> so I won't go over that here. I also admit I'm not a powershell master/guru.</div>
<div style="text-align: left;">
<br /></div>
<blockquote class="tr_bq">
<i>get-aduser -LDAPFilter "(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" -property lastlogondate | ft samaccountname, lastlogondate</i></blockquote>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkrjU0GHvzhyphenhyphenXBwSl_2Th78BC_PK6MAtwndBeymxfM385ziDTZJXJUWAiArq5_BpQ0ueZKrQc4Nj2UlvtuLJZzBu5VhGHIft_wjs-Duj_aDhvwOv0ZTXaLzvHx34gMZgQ0_5EKbx5AW2M/s1600/adcmdlets.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="43" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkrjU0GHvzhyphenhyphenXBwSl_2Th78BC_PK6MAtwndBeymxfM385ziDTZJXJUWAiArq5_BpQ0ueZKrQc4Nj2UlvtuLJZzBu5VhGHIft_wjs-Duj_aDhvwOv0ZTXaLzvHx34gMZgQ0_5EKbx5AW2M/s320/adcmdlets.png" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
You may have noticed that I used lastlogondate, which is not an actual AD attribute. My friend <a href="https://mvp.support.microsoft.com/profile=947B5A4C-AD73-461F-A133-A5B9923DAC2E">Richard Mueller</a> had a <a href="http://social.technet.microsoft.com/Forums/en/winserverDS/thread/838b1e09-7fcb-4ea2-95f4-b21c5bb2c37e">good writeup on lastlogondate.</a> See the link and Richard's answer for more info on lastlogondate, which is essentially the same as lastlogontimestamp.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: center;">
<span style="color: #134f5c; font-size: large;"><b><u>Method 4 - Using CSVDE</u></b></span></div>
<div style="text-align: left;">
<span style="color: red; font-size: large;"><b><u><br />
</u></b></span></div>
<div style="text-align: left;">
<a href="http://technet.microsoft.com/en-us/library/cc732101(v=ws.10).aspx">CSVDE </a>is what you call an old school tool. Those that have been around AD for years have definitely used the tool at some point. It was around before adfind and powershell. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<blockquote class="tr_bq">
<i>csvde -f c:\userslogon.csv -r "(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" -l "samaccountname,lastlogontimestamp"</i></blockquote>
<br />
<br />
One problem with the CSVDE method is how it handles the output. LastLogonTimestamp values are Integer8 (64-bit numbers), and CSVDE exports them as raw numbers instead of decoding them. You will notice that the tools in methods 1-3 did a good job of decoding the attribute.<br />
<br />
<a href="http://myserverstuff.blogspot.com/2009/03/csvde-to-excel-human-readable-lastlogon.html">Elizabeth Greene has a really good blog entry</a> that has a formula you can use in excel to convert it into a readable date.<br />
<br />
Notice in the screenshot the difference between the native format in cell C2 and what it looks like after I applied the formula.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgelZGmK2faneDi_2JQVcTzXfstIi8nPkbxdf6KZGVLWztsUFunbIIkGHj0D6_oPoXqS9eAh386v-bQgaQQnwM2YAO0_Cupck22-Ei3TD0lJcBVBONeAx2wFMPaRTck0u9rtyXnNZgO_xs/s1600/csvde.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="48" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgelZGmK2faneDi_2JQVcTzXfstIi8nPkbxdf6KZGVLWztsUFunbIIkGHj0D6_oPoXqS9eAh386v-bQgaQQnwM2YAO0_Cupck22-Ei3TD0lJcBVBONeAx2wFMPaRTck0u9rtyXnNZgO_xs/s320/csvde.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
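An added example (not the author's code) for the CSVDE export and the LLTS caveat described above: it decodes the Integer8 values in PowerShell and applies the 120-day cutoff with the 14-day LLTS lag as a margin. The sample rows, the function names and the Active/Borderline/Stale/NeverLoggedOn labels are constructed for illustration.

```powershell
# Constructed sample of a CSVDE export; these are not real accounts.
# The FILETIME values correspond to 2012-03-20, 2011-11-18 and 2011-09-29 (UTC).
# admin4 has an empty field, as for an account whose lastLogonTimestamp is not set.
$SampleCsv = @'
DN,sAMAccountName,lastLogonTimestamp
"CN=Admin One,CN=Users,DC=mkw2k8r2,DC=com",admin1,129766752000000000
"CN=Admin Two,CN=Users,DC=mkw2k8r2,DC=com",admin2,129660480000000000
"CN=Admin Three,CN=Users,DC=mkw2k8r2,DC=com",admin3,129617280000000000
"CN=Admin Four,CN=Users,DC=mkw2k8r2,DC=com",admin4,
'@

function ConvertFrom-Integer8 {
    # Integer8 = 100-nanosecond intervals since 1601-01-01 UTC (Windows FILETIME).
    # Returns $null when the value is empty, zero or not a number.
    param([string]$Value)
    [Int64]$ticks = 0
    if (-not ([Int64]::TryParse($Value, [ref]$ticks))) { return $null }
    if ($ticks -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($ticks)
}

function Get-StaleAdminReport {
    param(
        [Parameter(Mandatory = $true)] [object[]]$Rows,
        [int]$MaxIdleDays = 120,              # cutoff used in this post
        [int]$LagDays = 14,                   # LLTS can trail the real logon by up to 14 days
        [DateTime]$AsOf = [DateTime]::UtcNow
    )
    foreach ($row in $Rows) {
        $llts = ConvertFrom-Integer8 $row.lastLogonTimestamp
        if ($null -eq $llts) {
            $idle = $null
            $status = 'NeverLoggedOn'
        }
        else {
            $idle = [int][Math]::Floor(($AsOf - $llts).TotalDays)
            if ($idle -gt ($MaxIdleDays + $LagDays)) {
                # Even if LLTS is a full 14 days behind, the account is past the cutoff.
                $status = 'Stale'
            }
            elseif ($idle -gt $MaxIdleDays) {
                # LLTS alone cannot decide this one; lastlogon on each DC can.
                $status = 'Borderline'
            }
            else {
                # The real last logon is never older than LLTS.
                $status = 'Active'
            }
        }
        [pscustomobject]@{
            sAMAccountName = $row.sAMAccountName
            LastLogonUtc   = $llts
            IdleDays       = $idle
            Status         = $status
        }
    }
}

# A fixed reference date keeps the sample output stable; omit -AsOf to use the current time.
$rows = $SampleCsv | ConvertFrom-Csv
$report = Get-StaleAdminReport -Rows $rows -AsOf ([DateTime]'2012-03-22')
$report | Sort-Object Status, sAMAccountName | Format-Table -AutoSize
```

For a real export, replace the sample with Import-Csv c:\userslogon.csv. Borderline accounts are the ones to confirm against lastlogon on every DC before removing anyone.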
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: center;">
<span style="color: #134f5c; font-size: large;"><b><u>Method 5 - Using Repadmin</u></b></span></div>
<div style="text-align: center;">
<span style="color: #134f5c; font-size: large;"><b><u><br />
</u></b></span></div>
<div style="text-align: left;">
I first saw this method used in the askds team blog entry that I linked to earlier, and I'll link to it again <a href="http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx">here</a>.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<i>repadmin /showattr dc1root dc=mkw2k8r2,dc=com /subtree /filter:"(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" /attrs:lastlogontimestamp</i><br />
<i><br />
</i><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHKlYTCV3C_q4HSaUvUBs1j4ecbiJQrYmPIjQ-OrIzzxBgEw9LBNdzmKkYUPQ40asKs6NednxK0k54qu1zVDQFlU2iTv41xFK0Ggogaom5pE0kewkBTQBDCwNogg8wWdWk85Pw78AHMT8/s1600/repadmin.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="32" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHKlYTCV3C_q4HSaUvUBs1j4ecbiJQrYmPIjQ-OrIzzxBgEw9LBNdzmKkYUPQ40asKs6NednxK0k54qu1zVDQFlU2iTv41xFK0Ggogaom5pE0kewkBTQBDCwNogg8wWdWk85Pw78AHMT8/s320/repadmin.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #134f5c; font-size: large;"><b><u>Other Methods</u></b></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #134f5c; font-size: large;"><b><u><br />
</u></b></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #134f5c;"><br />
</span></div>
I really like methods 1-3 the best. There are other methods that I have not included here but I figured five is a good start for anyone. Some other things you might see out there:<br />
<br />
<br />
<ul>
<li>VBScript - <a href="http://www.rlmueller.net/Last%20Logon.htm">Richard is the king</a> in this category and if you want to use VBScript I recommend testing his scripts out.</li>
<li>Powershell v1 without AD cmdlets - remember when I said I was not a powershell guru yet? I'm guessing that is something that can be done but I haven't tried to do it yet. The AD cmdlets from Microsoft and Quest both work for me so I try to stick to them.</li>
</ul>
<div>
<br /></div>
<div>
You can use these examples and modify them if you are looking for other groups. There are other/better ways to identify old/stale accounts in a domain if you want to do it domain wide. More to come on that.</div>
<div>
<br /></div>
<div>
I'm really looking forward to hearing from readers and the community on other methods for doing this. If there are better ways to do it in Powershell please leave a comment and I'll definitely update the blog.</div>
<div>
<br /></div>
<div>
Inactive Domain Admins beware....you will be removed :)</div>
<div>
<br /></div>
<br />
<b>Windows Server 8 AD Cloning, Virtualization, and Snapshots Warning</b> (posted by mkline, 2012-03-19)<br />
<br />
Windows Server 8 Beta has a lot of nice features. Two features that are getting a lot of buzz in the Active Directory World are the ability to easily clone domain controllers and the support to restore Active Directory using snapshots.<br />
<br />
Using snapshots can cause USN Rollback and <a href="http://support.microsoft.com/kb/2028495">other problems</a>. <a href="http://blogs.technet.com/b/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx">Mark Ramey from the Microsoft AD team has an excellent blog entry that you can read for more info.</a><br />
<br />
I added the word Warning to the title of this blog because I've seen a few blogs, posts, and articles that may lead people to believe that this can all be done with a few mouse clicks. This is not the case. It is not hard, but there are some major prerequisites and steps that people have to be aware of.<br />
<br />
Here are a few screenshots from my lab using VMware Workstation. These options exist in most hypervisor products.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU44dnERPPkc5EqJbs9YeGvBGTKxV_ejeDu55o40mO8a1M3npAuphSrsYp9hKiewdPkyvfgeQSUnMWPvKKKFzbLohp787lOgLfrk4c81tE-Zs-K_MkPJhiiRuCeqAXH-x8whFC9L5wZe8/s1600/clone.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU44dnERPPkc5EqJbs9YeGvBGTKxV_ejeDu55o40mO8a1M3npAuphSrsYp9hKiewdPkyvfgeQSUnMWPvKKKFzbLohp787lOgLfrk4c81tE-Zs-K_MkPJhiiRuCeqAXH-x8whFC9L5wZe8/s320/clone.png" width="301" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Cloning in VMware Workstation 8</td></tr>
</tbody></table><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKkPuQWD00clkcu962mbzERdwEy0-Uk4jCe9k0BGzS5DtOqMzuNhNG15UCsEBGxRF-GkRH_5UVInBB16dpd23cBIqns82xad7j6Wg_z43jcLe4ywwdQMYK-CAudgVbuVQ2TRqkP_aDw3Y/s1600/SnapShots.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="301" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKkPuQWD00clkcu962mbzERdwEy0-Uk4jCe9k0BGzS5DtOqMzuNhNG15UCsEBGxRF-GkRH_5UVInBB16dpd23cBIqns82xad7j6Wg_z43jcLe4ywwdQMYK-CAudgVbuVQ2TRqkP_aDw3Y/s320/SnapShots.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Snapshot in VMWare Workstation 8<br />
<br />
<br />
</td></tr>
</tbody></table><br />
<span style="color: red;"><b>***WARNING***</b> </span>You can't just use the GUI and start cloning and taking snapshots without causing issues in a domain/forest with multiple DCs. You can't manually copy the virtual machine files. VMWare workstation 8 and the current VMWare products don't support these features. <br />
<br />
To take advantage of these features the virtualization host must support VM Generation ID. I'm guessing by the time Windows 8 is released all major vendors will support this but that means most folks will have to upgrade their hypervisor.<br />
<br />
Microsoft currently has two really good documents that are a must read for anyone interested in these new features:<br />
<br />
<span style="font-size: large;"><a href="http://www.microsoft.com/download/en/details.aspx?id=29027">Test Lab Guide: Demonstrate Virtualized Domain Controller (VDC) in Windows Server "8" Beta</a></span><br />
<br />
<span style="font-size: large;"><a href="http://www.microsoft.com/download/en/details.aspx?id=29001">Understand and Troubleshoot Virtualized Domain Controller (VDC) in Windows Server "8" Beta</a> - written by Ned Pyle - Outstanding document!!</span><br />
<br />
I won't repeat the documents, but here are some important sections:<br />
<br />
<br />
<b>Steps to deploy a cloned virtualized domain controller</b><br />
<br />
<br />
<ol>
<li>Create the customized DcCloneConfig.xml file on a source domain controller</li>
<li>Detect incompatible programs on the source domain controller</li>
<li>Ensure the PDC emulator runs Windows Server "8" Beta, is not the clone source, and is available</li>
<li>Authorize the source domain controller for cloning</li>
<li>Shutdown the source domain controller and copy its disk</li>
<li>Create a new clone virtual machine using the copied disks</li>
<li>Start the source and cloned domain controller, then allow cloning to occur</li>
</ol>
<br />
For those that are fans of the GUI:<br />
<blockquote class="tr_bq"><i>There is no task-oriented graphical management program for VDC cloning in Windows Server "8" Beta; the provisioning steps are performed manually or using Windows PowerShell</i></blockquote>
<br />
<b> Steps to restore a DC snapshot</b><br />
<br />
<br />
<div class="NumberedList1" style="margin-left: 0.5in;">1.<span style="font-size: 7pt;"> </span>Take snapshot of DC<o:p></o:p></div><div class="NumberedList1" style="margin-left: 0.5in;">2.<span style="font-size: 7pt;"> </span>Create a new Group Policy<o:p></o:p></div><div class="NumberedList1" style="margin-left: 0.5in;">3.<span style="font-size: 7pt;"> </span>Validate GP replication (SYSVOL replication)<o:p></o:p></div><div class="NumberedList1" style="margin-left: 0.5in;">4.<span style="font-size: 7pt;"> </span>Restore DC Snapshot</div><br />
<br />
<br />
You can read the documents to get a lot more info. Ned's document is 162 pages...Ned is the king of documentation and writing :)<br />
<br />
As I start using this feature more and eventually use this in production in the future I hope to write more on these features. I won't try to replicate Ned's excellent document but there is going to be more to come.mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com4tag:blogger.com,1999:blog-7365513794075231499.post-14603723022904415602012-03-15T08:15:00.008-07:002012-03-15T11:39:16.796-07:00HSPD-12 and Active Directory Domains -Documents UpdatedMicrosoft has updated their documentation regarding <a href="http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=9427">HSPD-12 Logical Access Authentication and Active Directory Domains</a><br />
<br />
These documents are probably going to be more valuable to those that support federal customers in the US but they are a good read for anyone planning to deploy smart cards in their environment.<br />
<br />
For those not familiar with <a href="http://www.microsoft.com/industry/government/solutions/HSPD12/default.aspx">HSPD-12</a>, in a nutshell it is a mandate for federal organizations to issue common ID/Smart cards to their users. This comes into play in the Active Directory arena as the cards are used for login using two-factor authentication/smart card login. The two factors in this case are:<br />
<br />
<ul><li>Something the user has - the smart card</li>
<li>Something the user knows - PIN</li>
</ul><div><br />
</div><div>Everyone has seen this referenced in the Account tab of a user in AD Users & Computers.</div><div><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgS0ajCxrah6uqofZcoHlEOMbfb90Fbo9YieVajEs2Q9eWhnj6azxMJVVwhUPDpsZCg29xM6K3BboMUbwAsSTx1ZXZ_DVoy54u3yPNVsNe6xkN5xY9v3lXQgWMe-NNTmyLZlB-tVVaOcg/s1600/smartcards.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgS0ajCxrah6uqofZcoHlEOMbfb90Fbo9YieVajEs2Q9eWhnj6azxMJVVwhUPDpsZCg29xM6K3BboMUbwAsSTx1ZXZ_DVoy54u3yPNVsNe6xkN5xY9v3lXQgWMe-NNTmyLZlB-tVVaOcg/s320/smartcards.png" width="235" /></a></div><div><br />
</div><div><br />
</div><div>Those in the military or who have supported US Military customers will hear the term <a href="http://www.cac.mil/">CAC Card</a> used for their smart cards. Those supporting civilian agencies/.gov will hear the term <a href="http://www.va.gov/pivproject/faq.asp">PIV Card</a> for their smart cards.</div><div><br />
</div><div>You can get the updated Microsoft documentation here:</div><div><br />
</div><div><h3 class="post-name" style="background-color: white; clear: both; font-family: 'Segoe UI Semibold', 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; line-height: 25px; margin-bottom: 12px; margin-left: 0px; margin-right: 0px; margin-top: 7px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-align: center;"><span style="color: red; font-size: large;"><a href="http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=9427">HSPD-12 Logical Access Authentication and 2008 Active Directory Domains </a></span></h3></div><div><a href="http://social.technet.microsoft.com/profile/kurt%20l%20hudson/">Kurt Hudson</a> has a good quote about the documents on the <a href="http://blogs.technet.com/b/pki/archive/2012/03/14/hspd-12-logical-access-authentication-and-2008-active-directory-domains-on-download-center.aspx">Windows PKI Blog</a></div><div><br />
</div><blockquote class="tr_bq"><i><span style="background-color: white; color: #333333; font-family: 'Segoe UI', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; line-height: 18px; text-align: left;">Included within this document are detailed steps to configure Windows Server 2008 R2 Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), Windows® 7, and Microsoft® Office 2010 to perform traditional UPN based smart card logon, explicit smart card logon (client authentication certificate mapped to multiple accounts), explicit cross-forest smart card logon and NIST SP800-78-3 compliant S/MIME email exchanges.</span> </i></blockquote>Smart card/HSPD-12 adoption within agencies varies. DoD has definitely been the leader in this space. There are other agencies that I've been at that are also rolling but there are also those that haven't even started issuing smart cards to the majority of their users yet. I'm not naming names here :)<br />
<br />
<br />
<div><br />
</div>mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com1tag:blogger.com,1999:blog-7365513794075231499.post-31517186951072984132012-03-13T18:27:00.007-07:002015-02-24T09:20:08.686-08:00Windows Server 8 Member Server - ADAC Recycle Bin<a href="http://technet.microsoft.com/en-us/evalcenter/hh670538">Windows Server 8 Beta</a> was released a few weeks ago and I understand that many organizations may be hesitant to start deploying domain controllers.<br />
<br />
One nice thing is that some of the new features can easily run on a member server or workstation and work fine in your current domains. You don't need to convince anyone about a schema update or new Windows 8 Domain Controllers right now. Enjoy the new features with no risk (I'd argue there is not a lot of risk in adding a domain controller but I understand leadership wanting to wait on domain controllers).<br />
<br />
One of those features is the <a href="http://adisfun.blogspot.com/2011/09/windows-server-8-active-directory_14.html">AD Recycle Bin GUI</a>. That is a nice addition that system administrators have been asking for since 2008 R2 was released. Your forest does have to be at 2008 R2 Forest Functional Level to enable the recycle bin.<br />
<br />
Many people enabled and used the <a href="http://blogs.technet.com/b/askds/archive/2009/08/27/the-ad-recycle-bin-understanding-implementing-best-practices-and-troubleshooting.aspx">AD Recycle Bin in 2008 R2</a>. There are even some <a href="http://www.overall.ca/index.php?option=com_content&view=article&id=40:adrecyclebin&catid=15:adrecyclebinexe&Itemid=64">3rd party tools</a> that can help and put a <a href="http://www.powergui.org/entry.jspa?externalID=2461">GUI front end</a> around the Recycle Bin. In my opinion the GUI in Windows Server 8 is much nicer and is definitely a reason to add a Windows Server 8 member server now.<br />
<br />
In my lab I have a 2008 R2 (forest functional level 2008 R2) Domain Controller and a Windows Server 8 Beta member server.<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTpYKpzgnaz1i9x_aM_hkg0CU9nIIgDZsJpa4L8MCcFoEyP2fBCbapg7H3RqD4i7HLJmSuzrnvVGgR6NO3pBsYjnEC0f9Ch1FWQCRAbheXlQyqDuYXy9F6qxzcmXHwHcv53J-A5l0eHP0/s1600/1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTpYKpzgnaz1i9x_aM_hkg0CU9nIIgDZsJpa4L8MCcFoEyP2fBCbapg7H3RqD4i7HLJmSuzrnvVGgR6NO3pBsYjnEC0f9Ch1FWQCRAbheXlQyqDuYXy9F6qxzcmXHwHcv53J-A5l0eHP0/s320/1.png" height="294" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Windows 2008 R2 Domain<br />
<br />
<br /></td></tr>
</tbody></table>
<br />
<b style="color: red;">SIDE NOTE: </b>As you can see my test domain is named <b>USMCThanksForYourService.mil </b>I've heard there might be some Marines stationed in Afghanistan reading this entry so a heartfelt thanks for all you all do. It takes a lot of courage to be in the military right now and you all are on the front lines. THANK YOU!!<br />
<b style="color: red;"><br />
</b><br />
<b style="color: red;">SIDE NOTE II: </b>Any other military members reading my blog? Leave a comment, I'd love to hear from you.<br />
<br />
So people don't think I'm cheating I'll first verify that the Recycle Bin is not enabled by using the PowerShell command <i>Get-ADOptionalFeature -Filter {name -like "*Recycle Bin*"}</i>. If EnabledScopes is empty that indicates the Recycle Bin has not been enabled.<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjV85znn6hbRQHC7T9bVuPflEIHTpFhOiYx2pEBURtJgM4nqX0SJWIh5HJy79hjlMkDLQCcexayyU9Q5CrAJrC9TMa389SGfIxVJx2Jhz89YHPSUt-AkToQu7aJOr7Qf3o5laBgTZXmf5k/s1600/4.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjV85znn6hbRQHC7T9bVuPflEIHTpFhOiYx2pEBURtJgM4nqX0SJWIh5HJy79hjlMkDLQCcexayyU9Q5CrAJrC9TMa389SGfIxVJx2Jhz89YHPSUt-AkToQu7aJOr7Qf3o5laBgTZXmf5k/s320/4.png" height="163" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">AD Recycle Bin not enabled</td></tr>
</tbody></table>
<br />
I also join the Windows Server 8 Beta machine to the domain.<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV0lNHL_LI2od7VawgMdyJP6RUV6uJkwxJhfTFpEcZ9jbylUhdhSXdwyKwfSzpiYwEp5WDSJaI-tGJqPiATYVQGmv7qq1YFHcJg2pUSG5uijoL6YZjQqa2yqNz87WZwUez46nyN94uTA4/s1600/2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV0lNHL_LI2od7VawgMdyJP6RUV6uJkwxJhfTFpEcZ9jbylUhdhSXdwyKwfSzpiYwEp5WDSJaI-tGJqPiATYVQGmv7qq1YFHcJg2pUSG5uijoL6YZjQqa2yqNz87WZwUez46nyN94uTA4/s320/2.png" height="225" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Adding Windows 8 Server to the domain<br />
<br /></td></tr>
</tbody></table>
<br />
Once the server is added to the USMCThanksForYourService.mil domain I have to install the Remote Server Administration Tools (RSAT) Feature for Active Directory so I can have access to the necessary AD tools and features.<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgdL7fm0wYsjhHg_HBLSwCY5_fCuvyAF_e20fr0IZr5zKdohN4GjcEQbatwH1bPCDeTMUESOw8aPjGbjeEU41yrvXrztog5R8vXROsavIf-9luEisl87unSJ8Fpb-emabF4hvAr4iu_5Y/s1600/3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgdL7fm0wYsjhHg_HBLSwCY5_fCuvyAF_e20fr0IZr5zKdohN4GjcEQbatwH1bPCDeTMUESOw8aPjGbjeEU41yrvXrztog5R8vXROsavIf-9luEisl87unSJ8Fpb-emabF4hvAr4iu_5Y/s320/3.png" height="129" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Adding Roles and Features in Server Manager<br />
<br />
<br />
<br /></td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQB0eAND7X07iaka-6b5ZOhBTz5Fq4J27ErkH100_T8Kk3BwLv50pYfPMH-oABsoEMuGQFVF_9qEziNuPZDggV0CiJVtnxtOoVopZ4eeAnGaP8q1pBuzBzbHqs8I6c0jKAKn0VC21iQUQ/s1600/5.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQB0eAND7X07iaka-6b5ZOhBTz5Fq4J27ErkH100_T8Kk3BwLv50pYfPMH-oABsoEMuGQFVF_9qEziNuPZDggV0CiJVtnxtOoVopZ4eeAnGaP8q1pBuzBzbHqs8I6c0jKAKn0VC21iQUQ/s320/5.png" height="233" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Adding RSAT Features</td></tr>
</tbody></table>
<span style="font-size: x-small;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsu7Q4mQ8u9y5baPC1syK7epAuhhLK_v9v-cVBKk3hLcbBrsTu1svYlGn7U3gE4duCVMMsj-1Cd8Y9DkKehnlyyF-CJdltM8VJvoJGcRTfpd1t0YufwmCgJG6ql1zl-D17DMzKFxO8kT0/s1600/6.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsu7Q4mQ8u9y5baPC1syK7epAuhhLK_v9v-cVBKk3hLcbBrsTu1svYlGn7U3gE4duCVMMsj-1Cd8Y9DkKehnlyyF-CJdltM8VJvoJGcRTfpd1t0YufwmCgJG6ql1zl-D17DMzKFxO8kT0/s320/6.png" height="234" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Adding RSAT Features Part II<br />
<br />
<br /></td></tr>
</tbody></table>
Once the RSAT tools have been installed you are ready to use Active Directory Administrative Center (ADAC) against your 2008 R2 domain.<br />
<div>
<br /></div>
<div>
You can enable the AD Recycle Bin from the GUI now instead of the old way<a href="http://technet.microsoft.com/en-us/library/dd379481(v=ws.10).aspx"> using PowerShell</a>.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9HGahtndbwCXo4f0oqtTRaIyp6nNi0U_pOTqFWMPtsR6MV4I08pNiDO1soEdLHi7ryMtwYCz5Z2NewjofPyzaGxfqTS_kIdDAs0K9hUiJU51HzPoFzfqofebNoxBVIFwn9B33UhSqgwQ/s1600/7.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9HGahtndbwCXo4f0oqtTRaIyp6nNi0U_pOTqFWMPtsR6MV4I08pNiDO1soEdLHi7ryMtwYCz5Z2NewjofPyzaGxfqTS_kIdDAs0K9hUiJU51HzPoFzfqofebNoxBVIFwn9B33UhSqgwQ/s320/7.png" height="148" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Selecting ADAC from Server Manager in Windows 8</td></tr>
</tbody></table>
<div>
<br /></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7vYLO7ZlPpXq8S2JAcNsN7tKi33Z0skvnZsyqi6uA5OcHRUzKpt3vU5a7n75K5xUrr1HyVaGoM9DhNiMrj7eMms0oC6u4sIz6X0zX5BCzBGoHJeACvMpuHbztv3tpDw3uWgdeYaMVcF0/s1600/8.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7vYLO7ZlPpXq8S2JAcNsN7tKi33Z0skvnZsyqi6uA5OcHRUzKpt3vU5a7n75K5xUrr1HyVaGoM9DhNiMrj7eMms0oC6u4sIz6X0zX5BCzBGoHJeACvMpuHbztv3tpDw3uWgdeYaMVcF0/s320/8.png" height="170" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Enabling the AD Recycle Bin from Windows Server 8 Member Server ADAC<br />
<br /></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzMYkiUMf2YYTF6XzdS4rtae7pq4vSUMXFWPxa4U4TcLvR4dN63ij-zuWJnHGA_0oT1uzX1Kde03x51VTqVCy8kMg33vWSJwO7X3o86f7WhhjrBX_3o2EqU8wUsncN5AOrnyv0gRHlQzo/s1600/9.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzMYkiUMf2YYTF6XzdS4rtae7pq4vSUMXFWPxa4U4TcLvR4dN63ij-zuWJnHGA_0oT1uzX1Kde03x51VTqVCy8kMg33vWSJwO7X3o86f7WhhjrBX_3o2EqU8wUsncN5AOrnyv0gRHlQzo/s320/9.png" height="117" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">AD Recycle Bin Confirmation 1<br />
<br />
<div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi782MRpp5z_5xsbtL36AUReMA7iNpHXab5iFAouDchlD0qt_vCQe6OTsKlT1Iju-45zk-lUTEqsFMmzoSBoSwaq9nY4zap6PHYwHUnSYTPpI90n6hJK8q6e3DmMtiQoDKizPb5lYtQVl8/s1600/10.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi782MRpp5z_5xsbtL36AUReMA7iNpHXab5iFAouDchlD0qt_vCQe6OTsKlT1Iju-45zk-lUTEqsFMmzoSBoSwaq9nY4zap6PHYwHUnSYTPpI90n6hJK8q6e3DmMtiQoDKizPb5lYtQVl8/s320/10.png" height="140" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: 13px;">AD Recycle Bin Confirmation 2</span><br />
<br />
<br /></td></tr>
</tbody></table>
</div>
</td></tr>
</tbody></table>
Just want to confirm that the AD Recycle Bin has been enabled. Notice this time the same command yielded an entry in "EnabledScopes"...success<br />
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyD3Kyo3I0Goz5HBtSfm364QyQ__1fzvgTwC0OgbfIZv1HTZViZz5lunGvFw8OYeGnHkqDNcMMZcnvRlGrS55s-o5B83C_FYtkgealH1DDALjvtTVFNAJvkWkS42EuL7YN54X9evyE2Cc/s1600/11.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyD3Kyo3I0Goz5HBtSfm364QyQ__1fzvgTwC0OgbfIZv1HTZViZz5lunGvFw8OYeGnHkqDNcMMZcnvRlGrS55s-o5B83C_FYtkgealH1DDALjvtTVFNAJvkWkS42EuL7YN54X9evyE2Cc/s320/11.png" height="151" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">AD Recycle Bin Enabled - Confirmation</td></tr>
</tbody></table>
<div>
A quick tutorial of the new feature now that it is enabled and the member server is up and ready to go.<span style="font-size: xx-small;"><br />
</span></div>
<div>
<br /></div>
<div>
As you can see there is a user named <a href="http://en.wikipedia.org/wiki/Dakota_Meyer">Dakota Meyer</a> who is in the group "MedalofHonor"</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6HDxOQvuMMAMjVWVME8gcywV4Ipqjl3YvaUNI1bmMT2fhg6X9N0DN-3DqRSkOYON7RQ9Xra-dF85RhAKnluEPwc5uFCPDmJONmazlzfXDnUdi8Ri9QH1KcWewcaNaEXYxKV6F0Ga19qo/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6HDxOQvuMMAMjVWVME8gcywV4Ipqjl3YvaUNI1bmMT2fhg6X9N0DN-3DqRSkOYON7RQ9Xra-dF85RhAKnluEPwc5uFCPDmJONmazlzfXDnUdi8Ri9QH1KcWewcaNaEXYxKV6F0Ga19qo/s320/12.png" height="285" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
A young contractor was really excited and lost his mind and accidentally deleted the account. Luckily the USMC leadership had allowed this Windows 8 Member Server and Dakota's account would be restored in a few clicks.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDEXumIaDIgYBg6WwDn-s8sAddkAiMYsVXXtb39k1rK_plk6X_kMpQd5sX96U4z2w-4zNTcZfJw9E0fKFlhc2EIfgDzx8_xFWjGbzZhKH6ZwOVhgNk3k_87eY1P1UZYoXlI7ie39B5VRs/s1600/13.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDEXumIaDIgYBg6WwDn-s8sAddkAiMYsVXXtb39k1rK_plk6X_kMpQd5sX96U4z2w-4zNTcZfJw9E0fKFlhc2EIfgDzx8_xFWjGbzZhKH6ZwOVhgNk3k_87eY1P1UZYoXlI7ie39B5VRs/s320/13.png" height="203" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">In ADAC Navigate to the Deleted Objects Container</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz_kkw-wqWzijuqLe9OpmgPYEmluQbqInGeMxhDrQEN9LXZKyf_xKOrIIUX1bOd-5T6AfUWi3nkcC7KFJb5EHIT5uSzMbA_JHpRkinCXoZT2gMcL-51aqPHI2dE3FS1uWMYuSObgMIfi0/s1600/14.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz_kkw-wqWzijuqLe9OpmgPYEmluQbqInGeMxhDrQEN9LXZKyf_xKOrIIUX1bOd-5T6AfUWi3nkcC7KFJb5EHIT5uSzMbA_JHpRkinCXoZT2gMcL-51aqPHI2dE3FS1uWMYuSObgMIfi0/s320/14.png" height="133" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Notice the deleted user is listed. Right click on the user for Restore Options<br />
<br /></td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikPeif3nC_VO0tKMYSykoJy0WWDL6mZm7DTCvA_4f9p6YQXhvQ2ZKBd2JhSKx-SWbrxMfXCaBf0OEgxzDP09vEFMcmT83QDICkpDxvlSePOu64UbAXzy8v3l6L3r20mlGAIwj-Ypmj0lY/s1600/15.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikPeif3nC_VO0tKMYSykoJy0WWDL6mZm7DTCvA_4f9p6YQXhvQ2ZKBd2JhSKx-SWbrxMfXCaBf0OEgxzDP09vEFMcmT83QDICkpDxvlSePOu64UbAXzy8v3l6L3r20mlGAIwj-Ypmj0lY/s320/15.png" height="175" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">In ADAC we confirm that the user has been successfully restored<br />
<br />
<br />
<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNmnFddpkrMeZt6p230NLacg8g92yRPTJtuz23PBxd0CTF8TEp9qCmihtbDJHOvKxyaC_sRua8JwpVMT-g9x1RoTDHgS8sUKN-N-3KwTIbMgO_PTfQOUYZykhLoFr7dswkbiP4mpI96vY/s1600/16.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNmnFddpkrMeZt6p230NLacg8g92yRPTJtuz23PBxd0CTF8TEp9qCmihtbDJHOvKxyaC_sRua8JwpVMT-g9x1RoTDHgS8sUKN-N-3KwTIbMgO_PTfQOUYZykhLoFr7dswkbiP4mpI96vY/s320/16.png" height="161" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: x-small;">On the 2008 R2 DC the restore is confirmed using ADUC</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
<br /></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
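For anyone who wants the same walkthrough without the GUI, here is a PowerShell version of the check, enable and restore steps. It is an added example, not part of the original post or Microsoft's documentation; it assumes the ActiveDirectory module from RSAT is installed, and <i>dmeyer</i> is a hypothetical sAMAccountName for the deleted user.

```powershell
#Requires -Modules ActiveDirectory
# Added example: scripted equivalent of the ADAC Recycle Bin walkthrough.
# Assumptions: RSAT ActiveDirectory module is installed, and the enable step
# is run by an account with forest-level rights (for example Enterprise Admins).

Import-Module ActiveDirectory

function Test-RecycleBinEnabled {
    # Same query the post uses; an empty EnabledScopes means "not enabled".
    $feature = Get-ADOptionalFeature -Filter {name -like "*Recycle Bin*"}
    return [bool]($feature -and $feature.EnabledScopes.Count -gt 0)
}

function Enable-RecycleBinIfReady {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    $forest  = Get-ADForest
    $minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

    # The Recycle Bin needs forest functional level 2008 R2 or higher.
    if ($forest.ForestMode -lt $minimum) {
        throw "Forest mode is $($forest.ForestMode); raise it to 2008 R2 first."
    }
    if (Test-RecycleBinEnabled) {
        Write-Verbose 'Recycle Bin is already enabled.'
        return
    }
    # Enabling cannot be undone, and objects deleted BEFORE this point
    # cannot be restored with their attributes afterwards, so prompt first.
    if ($PSCmdlet.ShouldProcess($forest.Name, 'Enable AD Recycle Bin (irreversible)')) {
        Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
            -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
    }
}

function Restore-DeletedUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Restrict the characters so the value is safe to place in the filter string.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9._\-]{1,20}$')]
        [string]$SamAccountName
    )

    if (-not (Test-RecycleBinEnabled)) {
        throw 'Recycle Bin is not enabled; nothing can be restored this way.'
    }

    $filter  = "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'"
    $deleted = @(Get-ADObject -Filter $filter -IncludeDeletedObjects `
                    -Properties lastKnownParent, whenChanged, sAMAccountName)

    if ($deleted.Count -eq 0) {
        throw "No deleted object with sAMAccountName '$SamAccountName' was found."
    }
    if ($deleted.Count -gt 1) {
        # The account was deleted more than once; make the operator choose.
        $deleted | Select-Object ObjectGUID, lastKnownParent, whenChanged | Format-Table | Out-Host
        throw 'More than one match; restore the right one by ObjectGUID.'
    }

    if ($PSCmdlet.ShouldProcess($deleted[0].DistinguishedName, 'Restore-ADObject')) {
        Restore-ADObject -Identity $deleted[0].ObjectGUID
        # Group memberships come back with the object; list them to confirm.
        Get-ADUser -Identity $SamAccountName -Properties MemberOf |
            Select-Object SamAccountName, Enabled, DistinguishedName, MemberOf
    }
}

# Usage, in the same order as the walkthrough:
#   Test-RecycleBinEnabled
#   Enable-RecycleBinIfReady -Verbose
#   Restore-DeletedUser -SamAccountName 'dmeyer'
```

Run <i>Restore-DeletedUser</i> with <i>-WhatIf</i> first to see which object would be restored before committing the change.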
mklinehttp://www.blogger.com/profile/03770498033295580147noreply@blogger.com1