
Thursday, December 5, 2013

Complete Windows 2012 & 2012 R2 Documentation

I generally don't write posts that link to docs but this one is really good and I haven't seen a lot of traffic on it. Microsoft has released the entire contents of the Windows Server 2012 and Windows Server 2012 R2 sections of the TechNet Library.

You can find it here:




From the Details:
This download is an Adobe® PDF of the entire contents of the Windows Server 2012 R2 and Windows Server 2012 section of the Microsoft TechNet Library, for the convenience of Windows Server users who have limited Internet access, or require a portable version of the Windows Server 2012 R2 and Windows Server 2012 documentation. The PDF is 116 MB, and 7,970 pages in length.

That's right, folks, that is almost 8,000 pages.   This is not something you are going to read cover to cover quickly but it is a great reference and Ctrl+F always works.   I really like that the document also points you to other great sources like the askds blog.   The next version will have askpfe entries as they are taking over much of the on-prem blogging these days.  There is a lot of Active Directory content but there is a lot more in this document.

I also posted this to reddit/sysadmin a few days ago and it received a good response.  One of the comments said that we also need a similar PDF for exchange.

There are not many companies that document and provide anything this thorough so a huge thanks to all the Microsoft teams that have worked to make this happen.  Anyone that has been involved in writing documents or tech writing knows that this takes a lot of time and effort.



Sunday, October 27, 2013

Active Directory Demo Fail Club Lessons Learned

Earlier this year I was speaking at a Microsoft event in the Washington DC area (Reston, VA to be exact).   During this talk I was talking about Windows Server 2012 and Active Directory.   I always like to have demos during the talks so people can actually see what the features look like.

In previous talks I only had a single DC and the demos always work great in that environment.   This time I decided to go with multiple DCs and two domains to make it more realistic.  As anyone that does live demos knows the picture below says it all.  We want our demos to be smooth and to have no issues.

What Every Presenter Thinks

I'll go over what happened and point out lessons learned (good and bad) and hopefully this will help others. I do highly recommend going out and speaking and being involved in the community.  I'm not saying try for the national conferences first but there are usually local events that people can get involved with.  I'm still at the regional level (DC area).

My talk started and I was rolling along and had my slides working fine and showed the audience about the changes in the domain controller promotion process and that went well with no hiccups.   Then I get to the Recycle Bin feature in 2012 using Active Directory Administrative Center (ADAC).  My environment consisted of two 2012 domain controllers in the root domain and one DC in the child.

I show the slide and then I switch to the demo to show everyone how it works since most have not seen it. The first thing I do is go into ADAC and try to enable the recycle bin.  This is where the demo fail club starts.

I received several errors when I tried to enable the AD recycle bin.




The Good
The first thing I did was take a second to look at what the errors were telling me. I calmly typed services.msc to verify the Active Directory Web Services were running.

The next thing I did was a quick netdom query fsmo.  All my FSMOs were on my current DCs.

I also verified replication with repadmin.
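As an added example (my own script, not from the post): the three checks above (AD Web Services, FSMO roles, replication) plus the Recycle Bin state, scripted so they can run before a demo instead of during one. It assumes the ActiveDirectory module that ships with Windows Server 2012 or its RSAT (Get-ADReplicationFailure is a v3 cmdlet) and enterprise admin rights in the lab forest; the function name is mine.

```powershell
# Added example (not from the post): pre-demo health check for a multi-DC, multi-domain lab.
# Assumes the ActiveDirectory module (2012 / PowerShell v3 or later) and enterprise admin rights.
Import-Module ActiveDirectory

function Test-AdDemoReadiness {
    $forest = Get-ADForest
    $report = @()

    foreach ($domainName in $forest.Domains) {
        foreach ($dc in (Get-ADDomainController -Filter * -Server $domainName)) {
            # ADAC and the AD cmdlets talk to a DC over AD Web Services (TCP 9389);
            # a stopped ADWS gives exactly the kind of errors described in the post.
            $adws = Get-Service -Name ADWS -ComputerName $dc.HostName -ErrorAction SilentlyContinue

            # repadmin /showrepl equivalent: inbound replication failures recorded on this DC
            $failures = @(Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue)

            $report += [pscustomobject]@{
                Domain       = $domainName
                DC           = $dc.HostName
                AdwsRunning  = [bool]($adws -and $adws.Status -eq 'Running')
                ReplFailures = $failures.Count
                FsmoRoles    = ($dc.OperationMasterRoles -join ', ')
            }
        }
    }

    # netdom query fsmo equivalent: every role holder should be a DC that is actually up
    $fsmo = [pscustomobject]@{
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
        PdcEmulators       = ($forest.Domains | ForEach-Object { (Get-ADDomain $_).PDCEmulator }) -join ', '
    }

    # Recycle Bin is enabled once per forest; EnabledScopes stays empty until it is turned on
    $rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'

    [pscustomobject]@{
        DomainControllers = $report
        Fsmo              = $fsmo
        RecycleBinEnabled = [bool]($rb -and $rb.EnabledScopes.Count -gt 0)
        Ready             = (@($report | Where-Object { -not $_.AdwsRunning -or $_.ReplFailures -gt 0 }).Count -eq 0)
    }
}

$status = Test-AdDemoReadiness
$status.DomainControllers | Format-Table -AutoSize
$status.Fsmo
"Recycle Bin enabled: $($status.RecycleBinEnabled)   Ready for demo: $($status.Ready)"

# Once the checks pass, enabling the Recycle Bin (a one-way change) is:
# Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
```

Run it a few minutes before the talk and again right before the Recycle Bin demo; a freshly booted DC often reports replication failures that clear on their own, which matches the PostScript at the end of this post.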

The So-So
While this was going on I had a single DC/VM that I turned on.  It is much harder for things to go wrong in a single DC demo environment.  I've lately been staying away from this as it doesn't simulate any real production environment.   I should have turned this machine on the second something went wrong, or even better just had this machine on the entire time "just in case".

The Bad
After checking the services/replication using repadmin I next went into the event logs.   As I was typing e..v..e..n..t..v..w..r..m..s..c I knew this was a wrong move but kept doing it anyway.  The audience is not there for me to go through an entire troubleshooting course.  The Internet connection was spotty so what if I would have found something useful in event viewer then what?  Would I have also sat there and looked it up and found a KB and taken the time to read that.   You get the point, I only had limited time and this was going to take way too long.

After Action Report/Lessons Learned

I ended up going into my single machine and showing them the features and then continued the rest of my presentation.  The entire incident took less than 5 minutes but it feels a lot longer when 100 people are staring at you.   Some things I learned and have used in subsequent talks:

  1. Always have a backup presentation on an external drive and even a backup laptop if possible.  At a minimum have a backup on a USB flash drive, because if the laptop dies someone will most likely let you borrow their laptop.
  2. If you encounter an error, remember that these are mostly IT Pros listening to your IT Pro talk, so they deal with errors and issues all the time.  That is the reason they hire us.
  3. Don't expect to fix every issue in a few minutes; time is usually not on your side.
  4. Always have a backup plan.  In my case it was a backup VM.  I've seen some folks just skip the planned demo.
  5. Remember that you are not the first one to encounter "demo fail".  Some very visible examples are below.  The first is Bill Gates at CES 2005 and the second is Steve Jobs showing off iPhone 4 features.   The point I'm making is it doesn't matter who you are; if you speak at enough events and give enough demos you will eventually join the "Demo Fail Club".   It's sort of like a comedian...there is no comedian, no matter how funny, that has not bombed at some point.
  6. The fail is usually not as bad as you think, and the audience is usually forgiving; they want to see you succeed and they want to learn.
  7. Microsoft has since asked me to speak at several events and I've taken these lessons learned and have yet to encounter another demo fail club...knock on wood.

I'm in very good company.  Gates & Jobs are also members of this club.








PostScript

When I got back to my desk I left my VM's on but didn't work on them.  That is extremely rude in my opinion.  Give the next speaker respect and listen if you are going to sit in the room.  During the next break an hour later I logged on and enabled the recycle bin and of course it worked then after I gave it a few minutes.











Tuesday, October 22, 2013

Active Directory Powershell Cmdlets in 2012 R2

Windows Server 2012 R2 was released on Oct 18, 2013.   Last Friday was a big day for everyone in the Microsoft community.   In future blog posts I'll be going over some of the new features available for Active Directory in 2012 R2.   I first want to get to know the features well before I blog about them :)

One area that most Active Directory admins are familiar with is PowerShell.   Not everyone is a PowerShell Expert but I'm seeing a lot of folks trying to learn PowerShell and this is definitely true in the Active Directory community.

Windows 2012 R2 and Windows 8.1 introduced PowerShell version 4.   This blog goes over the various versions of PowerShell and what is included for Active Directory in each version.

It is also important to know that you can run various versions of the AD cmdlets against DCs with the Active Directory Web Services running.  Ashley McGlone aka GoateePFE has an excellent blog on how to use the PowerShell v3.0 cmdlets from Windows 7.   I'd personally use a Windows 8 or 8.1 admin workstation if possible.

PowerShell was known by the code name "Monad" and first shown off publicly in 2003.  It has come a long way since then.   In PowerShell version 1.0 there were no native Active Directory cmdlets.   Quest released PowerShell cmdlets that worked in version 1.  The Quest cmdlets are still used today and also work in versions 2-4.

Starting with PowerShell version 2 the Microsoft Active Directory team introduced a native AD module. The initial native AD module contains 76 cmdlets and deals with many common tasks that AD admins deal with including object manipulation (users, groups, computers).

For this blog I'm focusing on the ActiveDirectory module and not other modules such as ADDSDeployment, DNS, and GroupPolicy that are also heavily used by AD admins.

Getting the total number of AD cmdlets is a quick one liner:
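The post's own one-liner was a screenshot; as an added example (my code, not the post's), here is the count plus a slightly longer version that groups the cmdlets by verb and works out which generation of the module you have by probing for cmdlets that only exist from a given version. It assumes the RSAT/ActiveDirectory module is installed; the function names are mine.

```powershell
# Added example (not from the post): count and classify the ActiveDirectory module cmdlets.
# Assumes the ActiveDirectory module (RSAT) is installed on the machine running this.
Import-Module ActiveDirectory

# The quick one-liner: total number of cmdlets exported by the module
(Get-Command -Module ActiveDirectory -CommandType Cmdlet).Count

# Which generation is this module? Probe for cmdlets introduced in each version
# (the v3 and v4 tables in this post are the source for the marker cmdlets).
function Get-AdModuleGeneration {
    if (Get-Command Get-ADAuthenticationPolicy -ErrorAction SilentlyContinue) {
        return 'v4 (Windows Server 2012 R2 / Windows 8.1)'
    }
    if (Get-Command Get-ADReplicationFailure -ErrorAction SilentlyContinue) {
        return 'v3 (Windows Server 2012 / Windows 8)'
    }
    return 'v2 (Windows Server 2008 R2 / Windows 7)'
}

# Summary object: versions, total, and a Get/Set/New/Remove... breakdown
function Get-AdCmdletSummary {
    $cmds = Get-Command -Module ActiveDirectory -CommandType Cmdlet
    [pscustomobject]@{
        PSVersion    = $PSVersionTable.PSVersion.ToString()
        OSVersion    = [Environment]::OSVersion.Version.ToString()
        Generation   = Get-AdModuleGeneration
        TotalCmdlets = $cmds.Count
        ByVerb       = ($cmds | Group-Object -Property Verb |
                        Sort-Object -Property Count -Descending |
                        ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }) -join ' '
    }
}

Get-AdCmdletSummary | Format-List
```

On a 2012 R2 box the total should line up with the 147 quoted later in this post; on 2008 R2 expect the 76 from the v2 table.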





The picture below is a snapshot of the different versions and what is included in each version.  If anyone wants the slide please let me know and I'll send you the PowerPoint.


Active Directory PowerShell Modules through the years



The 76 Active Directory cmdlets introduced in version 2.0 are listed below.  Jeffrey Snover is the inventor of PowerShell (Thanks!).  He often says his favorite cmdlet is Get-Help.  I agree with that and find it very useful.  For Linux types, "man" also works.  I use the -Examples switch the most, but you can self-discover and learn more about any of these cmdlets.  There is also a lot of great material on the web for learning PowerShell.  I recommend the Microsoft Virtual Academy courses on PowerShell.





Active Directory PowerShell cmdlets, version 2 (76 total AD cmdlets in v2)

Add-ADComputerServiceAccount
Add-ADDomainControllerPasswordReplicationPolicy
Add-ADFineGrainedPasswordPolicySubject
Add-ADGroupMember
Add-ADPrincipalGroupMembership
Clear-ADAccountExpiration
Disable-ADAccount
Disable-ADOptionalFeature
Enable-ADAccount
Enable-ADOptionalFeature
Get-ADAccountAuthorizationGroup
Get-ADAccountResultantPasswordReplicationPolicy
Get-ADComputer
Get-ADComputerServiceAccount
Get-ADDefaultDomainPasswordPolicy
Get-ADDomain
Get-ADDomainController
Get-ADDomainControllerPasswordReplicationPolicy
Get-ADDomainControllerPasswordReplicationPolicyUsage
Get-ADFineGrainedPasswordPolicy
Get-ADFineGrainedPasswordPolicySubject
Get-ADForest
Get-ADGroup
Get-ADGroupMember
Get-ADObject
Get-ADOptionalFeature
Get-ADOrganizationalUnit
Get-ADPrincipalGroupMembership
Get-ADRootDSE
Get-ADServiceAccount
Get-ADUser
Get-ADUserResultantPasswordPolicy
Install-ADServiceAccount
Move-ADDirectoryServer
Move-ADDirectoryServerOperationMasterRole
Move-ADObject
New-ADComputer
New-ADFineGrainedPasswordPolicy
New-ADGroup
New-ADObject
New-ADOrganizationalUnit
New-ADServiceAccount
New-ADUser
Remove-ADComputer
Remove-ADComputerServiceAccount
Remove-ADDomainControllerPasswordReplicationPolicy
Remove-ADFineGrainedPasswordPolicy
Remove-ADFineGrainedPasswordPolicySubject
Remove-ADGroup
Remove-ADGroupMember
Remove-ADObject
Remove-ADOrganizationalUnit
Remove-ADPrincipalGroupMembership
Remove-ADServiceAccount
Remove-ADUser
Rename-ADObject
Reset-ADServiceAccountPassword
Restore-ADObject
Search-ADAccount
Set-ADAccountControl
Set-ADAccountExpiration
Set-ADAccountPassword
Set-ADComputer
Set-ADDefaultDomainPasswordPolicy
Set-ADDomain
Set-ADDomainMode
Set-ADFineGrainedPasswordPolicy
Set-ADForest
Set-ADForestMode
Set-ADGroup
Set-ADObject
Set-ADOrganizationalUnit
Set-ADServiceAccount
Set-ADUser
Uninstall-ADServiceAccount
Unlock-ADAccount




An additional 59 Active Directory cmdlets were introduced with version 3.0, bringing the total to 135.  As you would expect, the new cmdlets in v3 are centered around the new features introduced for Active Directory in Windows Server 2012 such as Dynamic Access Control.

There are also new cmdlets in v3 that can be used for replication and topology management.  They are not a complete replacement for the powerful repadmin tool but they are another excellent resource for AD admins.




59 additional AD cmdlets, PowerShell version 3.0 (135 total AD cmdlets in v3)

Add-ADCentralAccessPolicyMember
Add-ADResourcePropertyListMember
Clear-ADClaimTransformLink
Get-ADCentralAccessPolicy
Get-ADCentralAccessRule
Get-ADClaimTransformPolicy
Get-ADClaimType
Get-ADDCCloningExcludedApplicationList
Get-ADReplicationAttributeMetadata
Get-ADReplicationConnection
Get-ADReplicationFailure
Get-ADReplicationPartnerMetadata
Get-ADReplicationQueueOperation
Get-ADReplicationSite
Get-ADReplicationSiteLink
Get-ADReplicationSiteLinkBridge
Get-ADReplicationSubnet
Get-ADReplicationUpToDatenessVectorTable
Get-ADResourceProperty
Get-ADResourcePropertyList
Get-ADResourcePropertyValueType
Get-ADTrust
New-ADCentralAccessPolicy
New-ADCentralAccessRule
New-ADClaimTransformPolicy
New-ADClaimType
New-ADDCCloneConfigFile
New-ADReplicationSite
New-ADReplicationSiteLink
New-ADReplicationSiteLinkBridge
New-ADReplicationSubnet
New-ADResourceProperty
New-ADResourcePropertyList
Remove-ADCentralAccessPolicy
Remove-ADCentralAccessPolicyMember
Remove-ADCentralAccessRule
Remove-ADClaimTransformPolicy
Remove-ADClaimType
Remove-ADReplicationSite
Remove-ADReplicationSiteLink
Remove-ADReplicationSiteLinkBridge
Remove-ADReplicationSubnet
Remove-ADResourceProperty
Remove-ADResourcePropertyList
Remove-ADResourcePropertyListMember
Set-ADCentralAccessPolicy
Set-ADCentralAccessRule
Set-ADClaimTransformLink
Set-ADClaimTransformPolicy
Set-ADClaimType
Set-ADReplicationConnection
Set-ADReplicationSite
Set-ADReplicationSiteLink
Set-ADReplicationSiteLinkBridge
Set-ADReplicationSubnet
Set-ADResourceProperty
Set-ADResourcePropertyList
Sync-ADObject
Test-ADServiceAccount


Windows Server 2012 R2 introduced an additional 12 AD cmdlets, bringing the total up to 147 AD cmdlets. The 12 new cmdlets are centered around Authentication Policies and Authentication Policy Silos.   If you haven't seen them, open up the AD Admin Center on a 2012 R2 box.




I'm personally still learning about these new features myself.   Authentication policies can control which hosts an account can sign into. Windows Server 2012 R2 is also being called the "CloudOS" so many of the new features are based around Azure and the cloud.


12 additional AD cmdlets, PowerShell version 4.0 (147 total AD cmdlets in v4)

Get-ADAuthenticationPolicy
Get-ADAuthenticationPolicySilo
Grant-ADAuthenticationPolicySiloAccess
New-ADAuthenticationPolicy
New-ADAuthenticationPolicySilo
Remove-ADAuthenticationPolicy
Remove-ADAuthenticationPolicySilo
Revoke-ADAuthenticationPolicySiloAccess
Set-ADAccountAuthenticationPolicySilo
Set-ADAuthenticationPolicy
Set-ADAuthenticationPolicySilo
Show-ADAuthenticationPolicyExpression

Thursday, May 2, 2013

Software and Security on Domain Controllers

This post was inspired by someone who I consider a friend and a mentor in the Active Directory world...11-time AD MVP Joe Richards.

Microsoft recently published an excellent Active Directory Security document.   Laura Robinson is the lead author of the document and there are serious heavy hitters in the acknowledgements section including Laura Hunter, Dean Wells, and others.   You can download the document using the link below:

Best Practices for Securing Active Directory

Joe brought up an excellent point on the DS-MVP list: we all know that best practice is to not run additional and unnecessary software on domain controllers, but was this documented?   The document above addresses this.

From page 27 of the document:


Protecting Domain Controllers

Domain controllers should be treated as critical infrastructure components, secured more stringently and configured more rigidly than file, print, and application servers. Domain controllers should not run any software that is not required for the domain controller to function or doesn’t protect the domain controller against attacks. Domain controllers should not be permitted to access the Internet, and security settings should be configured and enforced by Group Policy Objects (GPOs). Detailed recommendations for the secure installation, configuration, and management of domain controllers are provided in the Securing Domain Controllers Against Attack section of this document.

Microsoft also recently released a shorter document that is worth downloading and reading.

Securing Active Directory: An Overview of Best Practices 

I appreciate Microsoft and everyone who took time to write, edit, and review this important document.  Many times we can tell our customers best practices but they often don't believe it unless they see it come from a Microsoft site or document.

If you have worked around Active Directory long enough this is a common problem: Domain Controllers used as file servers/app servers/etc.  This is simple: reduce your attack vectors and don't install unnecessary software on your DCs.  Also look into RODCs and Server Core as other easy ways to help secure DCs.
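As an added example (my own script, not from the post or the Microsoft document): an inventory of services and installed programs on every DC that are not part of Windows, so the "nothing unnecessary on a DC" guidance can be checked rather than assumed. It assumes the ActiveDirectory module, PowerShell remoting enabled on the DCs and an account that is an administrator on them; the function name is mine.

```powershell
# Added example (not from the post): what non-Windows software is running on the DCs?
# Assumes the ActiveDirectory module, PowerShell remoting to each DC, and admin rights there.
Import-Module ActiveDirectory

function Get-DcThirdPartySoftware {
    param([string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $winDir = $env:SystemRoot

        # Services whose binary lives outside the Windows directory: AV and backup agents,
        # monitoring, or something that simply should not be on a DC at all.
        # (Services hosted in svchost.exe with a DLL elsewhere will not show up here.)
        $services = Get-WmiObject -Class Win32_Service |
            Where-Object { $_.PathName -and ($_.PathName.Trim('"') -notlike "$winDir\*") } |
            Select-Object Name, State, StartMode, PathName

        # Installed programs from the Uninstall keys (fast and side-effect free, unlike Win32_Product)
        $uninstallKeys = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )
        $programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -and $_.Publisher -notlike 'Microsoft*' } |
            Select-Object DisplayName, Publisher, DisplayVersion, InstallDate

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Services     = $services
            Programs     = $programs
        }
    }
}

$inventory = Get-DcThirdPartySoftware
foreach ($dc in $inventory) {
    "=== $($dc.ComputerName): $(@($dc.Services).Count) non-Windows services, $(@($dc.Programs).Count) non-Microsoft programs"
    $dc.Services | Format-Table -AutoSize
    $dc.Programs | Format-Table -AutoSize
}
```

Everything in the output should have a reason to be there (AV, backup, monitoring agents); anything else is a candidate for removal or for a separate member server. Run it periodically and diff the results, since the problem is usually software that creeps on after the build.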

You may also see similar posts on other MVP blogs. Joe has asked us to get the word out about this.







Thursday, March 14, 2013

Active Directory MVPs on Twitter

I've become a big fan of twitter over the last few years; it is one of the best sources for information and news in my opinion.  I still like RSS feeds for checking blogs and new entries but I'm using twitter more these days.  It is also much easier to interact using twitter.   With the impending closure of Google Reader I'll probably be a bigger twitter user.  

I've started compiling a list of Active Directory/Directory Services MVPs on twitter.   Tweet frequency ranges from multiple daily tweets to rarely.  I will try and keep this list up to date.  I'm sure there are folks that I missed.  Please send me an email or leave a comment if any entry needs updating.   I don't want to leave anyone out.

I'll try to update and go through this list every quarter (MVPs are selected every quarter: Jan/April/July/October).


Microsoft MVPs - Directory Services (Twitter name and profile)

Mesut Aladag @mesutaladag
Zubair Alexander @ZubairAlexander
Jimmy Andersson
Brian Arkills @barkills
Hank Arnold
Alexandre Augagneur
Edoardo Benussi @ebenussi
Paul Bergson @pbbergs
Sander Berkouwer @SanderBerkouwer
Xiaolong Cai
Paul Clement
Ragael Correa
Eugene Delprato
Brian Desmond @brdesmond
Olivier Detilleux @olivierdx
Sean Deuby @shorinsean
Freddy Elmaleh
Marius Ene
Salman Farizy
Ace Fekay @AceFekay
Liang Feng
Lee Flight
Tamas Gai
Ermanno Goletto @ermannog
Guido Grillenmeier
Chunlong Han
LiGang Han
Junxian Huang
Nils Kaczenski @Kaczenski
Joe Kaplan
Sainath KEV
Gil Kirkpatrick @gkirkpatrick
Jyrki Kivimaki @jykivima
Mike Kline @mekline
Michinari Kobuna
Suguru Kunii
Roberto Di Lello @RaDiansBlog
Guangji Liang
Qiang Liu
Fernando Lopez
Thiago Cardosa Luiz @t_cardoso
Ahmed Malek
Tadayoshi Manabe
Mark Minasi @mminasi
Richard Mueller
Tony Murray @MrTweetTastic
Gary Olsen
Niyi Omotoyinbo
Mark Parris @markparris
Suttipan Passorn @passorn
Jorge de Almeida Pinto
Pawel Plawiak
John Policelli @JohnPolicelli
Marcin Policht
Leonardo Ponti @PontiLeo
Bobby Primasta
Yuwei Qi
Shengrong Qu
Slamet Raharjo
Leone Randazzo @LeoneRandazzo
Joe Richards @joewaredotnet
Llya Rud
Marc Salvador
Mario Serra @Marioserra72
Morgan Simonsen @msimonsen
Ulf Simon-Weidner @DSGeek
Santhosh Sivarajan @Santhosh_Sivara
Chris Spanougakis @spanougakis
Jacek Swiatowiak
Yanyang Tian
Hakan Uzuner @hakanuzuner
Awinish Vishwakarma @Awinish
Gabrizio Volpe @fabriziovlp
Meinolf Weber @mei_web
Ralf Wigand @ralfwigand
Haidong Wu
Chenggang Xiang
Haji Yakub
Shuyong Yan
Bobby Zulkarnain @bobbyiz



Honorary MVP

Laura Hunter @adfskitteh
** Laura was a long-time MVP and is now a blue badger.  Microsoft employees can't be MVPs.





Sunday, February 3, 2013

Microsoft IT Camp - Speaking Event

I am honored to once again be working at a Microsoft event at the Microsoft office in Reston, VA on March 9, 2013 from 8 AM - 4 PM.   The District of Columbia Maryland Virginia Management User Group is holding an event that includes an IT camp focused on Windows Server 2012.   I'll be working with Microsoft Senior Evangelist Yung Chou during the IT camp.  We will be going over many topics including Active Directory, Hyper-V, installation, Storage Spaces and more.

There are also System Center and Windows Deployment sessions for those interested in those subjects.  The Windows deployment sessions will be led by Microsoft MVP Rhonda Layfield.

The Microsoft Reston location is easy to get to with plenty of parking and they have a great setup there for events like this.  It is also a great chance to meet other enthusiastic IT Pros.   I know that may sound cliché but the type of people that come out to events on Saturdays and put in the extra time are my type of people :)

You can register for the event and find more information about the session and speaker bios by going to



DATE: Saturday, March 9, 2013
Time: 8:00 AM to 4:00 PM
Location: Microsoft Reston, 12012 Sunset Hills Rd, Reston, VA 20190


You can see the flyer for the event below.


I'm looking forward to the event and hope to have a full house.  I'm sure everyone is going to learn something as we move forward with Windows Server 2012.

Tuesday, September 4, 2012

Windows 2012 AD Schema Version

I previously posted "quick-hitter" blogs about the schema versions in Windows 8 Developer Preview and Windows Server 8 Beta.

Windows Server 2012 was released today!!   The schema version did not change from the RC version.  The final version is 56.

I once again used adfind to quickly find the schema version.



The final Active Directory Schema version table is listed below.


Operating system        Schema version (objectVersion)
Windows Server 2012     56
Windows 2008 R2         47
Windows 2008            44
Windows 2003 R2         31
Windows 2003            30
Windows 2000            13
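The post used adfind for this; as an added example (my own code, not the post's) here is the same lookup with the AD cmdlets, run against every DC so you can tell whether a schema update from adprep has replicated everywhere. It assumes the ActiveDirectory module; the table of versions is the one above and the function name is mine.

```powershell
# Added example (not from the post): read the schema objectVersion from each DC and
# map it with the table above. Assumes the ActiveDirectory module (2008 R2 or later).
Import-Module ActiveDirectory

# objectVersion -> operating system, copied from the table in this post
$SchemaVersions = @{
    13 = 'Windows 2000'
    30 = 'Windows 2003'
    31 = 'Windows 2003 R2'
    44 = 'Windows 2008'
    47 = 'Windows 2008 R2'
    56 = 'Windows Server 2012'
}

function Get-AdSchemaVersion {
    param([string]$Server)   # a specific DC to ask; defaults to whichever DC the module picks
    $params = @{}
    if ($Server) { $params['Server'] = $Server }

    # RootDSE tells us where the schema partition is; objectVersion lives on its head object
    $rootDse = Get-ADRootDSE @params
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion @params
    $version = [int]$schema.objectVersion

    [pscustomobject]@{
        Server        = if ($Server) { $Server } else { $rootDse.dnsHostName }
        ObjectVersion = $version
        Baseline      = if ($SchemaVersions.ContainsKey($version)) { $SchemaVersions[$version] }
                        else { 'not in table (newer OS or custom extension)' }
    }
}

# Forest-wide view: after adprep /forestprep every DC should report the same number.
# A DC still showing the old value has not replicated the schema partition yet.
Get-ADDomainController -Filter * |
    ForEach-Object { Get-AdSchemaVersion -Server $_.HostName } |
    Format-Table -AutoSize
```

Get-ADDomainController -Filter * only lists the current domain's DCs; add -Server for each domain in a multi-domain forest to cover them all.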


MVP Brian Arkills posted a link to the changes made in adprep in Windows 2012 from version 48 to 56.  You can find that here.

Windows Server 2012: Changes made by adprep.exe

You can download an evaluation copy of Windows Server 2012 and go start to learn and have fun.  This will be an OS that most of us will be using for the next 10+ years and it is an exciting day for those of us in the Windows Server world.   Thanks to all the hard work put in by the many people at Microsoft that made today happen.

Thursday, August 23, 2012

Find Inactive Users using Powershell

This is a quick hitter that came about when I was chatting with a few friends online.   We were talking about finding inactive users using PowerShell.   We also wanted to output their user ID (sAMAccountName) and their last logon time.

In this case the LastLogonTimeStamp attribute was good enough for this query.  Note that this attribute is replicated but it is 9-14 days behind the current date.

For full disclosure this is something I'd usually use oldcmp for but in this case the customer wasn't allowing third party tools.

The main problem I was having was the output of LastLogonTimeStamp via PowerShell.  The date doesn't get automatically converted from its native 64-bit format.  Luckily the Microsoft team has included LastLogonDate, which is the conversion of LastLogonTimestamp.  MVP Richard Mueller has a great explanation of the LastLogonDate attribute in PowerShell.   It is important to emphasize that LastLogonDate is not an actual Active Directory attribute.  LastLogonDate was key; otherwise this query would be more complex because we would have had to include a conversion in the command.

For the query I went with the Search-ADAccount cmdlet.  We were looking for accounts that had not been active within 90 days.

search-adaccount -usersonly -accountinactive -timespan "76" | select-object samaccountname, lastlogondate

If you want to export that to a CSV then that command can be piped into export-csv

search-adaccount -usersonly -accountinactive -timespan "76" | select-object samaccountname, lastlogondate | export-csv Users.csv

Why did I choose 76 instead of 90?  That goes back to the DS blog about lastlogontimestamp being up to 14 days behind.
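As an added example (my own script, not the post's one-liner): the same search written out so the 90-minus-14 reasoning is explicit, followed by a second query that reads the raw lastLogonTimestamp and does the FILETIME conversion itself (the thing LastLogonDate does for you), which also lets you keep accounts that have never logged on. It assumes the ActiveDirectory module; the 90-day rule and 14-day lag are the post's numbers and the function names are mine.

```powershell
# Added example (not from the post): inactive-user search with the replication lag made explicit,
# plus a raw lastLogonTimestamp version. Assumes the ActiveDirectory module (2008 R2 or later).
Import-Module ActiveDirectory

$InactiveDays   = 90   # business rule: "not active within 90 days"
$ReplicationLag = 14   # lastLogonTimestamp is only refreshed when it is 9-14 days stale
$Threshold      = $InactiveDays - $ReplicationLag   # 76, as in the post

# Query 1: Search-ADAccount does the date math and the conversion for you.
# Enabled accounts only, so already-disabled accounts do not clutter the list.
function Get-InactiveUsers {
    param([int]$Days = $Threshold)
    Search-ADAccount -UsersOnly -AccountInactive -TimeSpan ([TimeSpan]::FromDays($Days)) |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate, Enabled
}

# Query 2: read the raw 64-bit FILETIME and convert it yourself. Accounts that have
# never logged on have no lastLogonTimestamp at all; they are flagged rather than dropped.
function Get-InactiveUsersRaw {
    param([int]$Days = $Threshold)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADUser -Filter { Enabled -eq $true } -Properties lastLogonTimestamp |
        ForEach-Object {
            $raw  = $_.lastLogonTimestamp
            $last = if ($raw) { [DateTime]::FromFileTime($raw) } else { $null }
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                LastLogonRaw   = $raw        # 100ns intervals since 1601-01-01 (what ADAC's LDAP filter compares)
                LastLogon      = $last       # same value as LastLogonDate
                NeverLoggedOn  = (-not $raw)
            }
        } |
        Where-Object { $_.NeverLoggedOn -or $_.LastLogon -lt $cutoff }
}

Get-InactiveUsers | Export-Csv -Path .\InactiveUsers.csv -NoTypeInformation
Get-InactiveUsersRaw | Sort-Object LastLogon | Format-Table -AutoSize
```

The raw version is the one to reach for when a report must show the exact replicated value, or when the threshold needs to be something other than "days since now"; Search-ADAccount stays the quicker answer for the everyday case.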

Active Directory Administrative Center also has some handy built-in searches that can help if you prefer a GUI









Update: Good friend and Microsoft PFE Eric J suggested that I add a screenshot with the Windows 2012 version of ADAC and the PowerShell history viewer output.  Great suggestion Eric!





The powershell command in the history viewer is interesting. I like the version above a lot better :)

Get-ADObject -LDAPFilter:"(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(|(lastLogonTimestamp<=129888720000000000)(!lastLogonTimestamp=*)))" -Properties:allowedChildClassesEffective,allowedChildClasses,lastKnownParent,sAMAccountType,systemFlags,userAccountControl,displayName,description,whenChanged,location,managedBy,memberOf,primaryGroupID,objectSid,msDS-User-Account-Control-Computed,sAMAccountName,lastLogonTimestamp,lastLogoff,mail,accountExpires,msDS-PhoneticCompanyName,msDS-PhoneticDepartment,msDS-PhoneticDisplayName,msDS-PhoneticFirstName,msDS-PhoneticLastName,pwdLastSet,operatingSystem,operatingSystemServicePack,operatingSystemVersion,telephoneNumber,physicalDeliveryOfficeName,department,company,manager,dNSHostName,groupType,c,l,employeeID,givenName,sn,title,st,postalCode,managedBy,userPrincipalName,isDeleted,msDS-PasswordSettingsPrecedence -ResultPageSize:"100" -ResultSetSize:"20201" -SearchBase:"DC=MK2012,DC=com" -SearchScope:"Subtree" -Server:"w2012DC1.MK2012.com"


The issue I have with the ADAC method is that it doesn't allow the user to export the findings and include the LastLogonTimeStamp date in a converted form.


I'm looking forward to other suggestions and comments on how to improve this PowerShell command.   Remember we are talking about a quick-hitter one-liner here.

Friday, July 20, 2012

Is It a Domain Controller

I recently went into our test lab and there was a guy working in there and he asked me:

"If I'm on a machine, how do I know if it is a Domain Controller?"
These are often my favorite types of questions.  No time to check Bing/Google, no time to check a book.  Just a quick question that is answered in seconds.   By the way in those situations it is also ok to say "I don't know" or "I'll get back to you".  A lot of times you will see people blowing smoke and making stuff up.

The guy wasn't trying to be an ass but trying to learn AD and the lab is a perfect place for it.  We have a lot of VMs in our lab and I didn't know what box he was on when I walked in.

My initial thought was to tell him to look for admin tools etc but then after a second I realized not every box has the admin tools installed.  Then I thought look for the AD Domain Services and see if they are started.  That thought lasted for a half second.  We still have 2003 DCs too so if he was on one of those then no services.

The answer I gave him was to run:

net share 


If the sysvol share is present then it is a domain controller.








I started thinking of other ways and reached out to some friends and asked what they would have suggested for this quick question.


One suggestion by my friend Troy was to run


netdom query dc


I thought that was a good one; teaming that with hostname so that the person knows the name of the machine works great.



My buddy Eric had a good one; it is a bit more involved because it would require the person to know about AD ports...but if they are learning they should know some of these. Use netstat -ano and look for AD ports (88, 389, 3268, and others).

netstat -ano

or

netstat -ano | findstr /i listening




There are a lot of ways to do this.  You could look for SRV records.  If ADUC was installed you could have them check there for the DC.

If you also look at the drop down when you login and it has no local server name then that is another good indication.  In this case he was already logged in.

So what answers would you have given?  Are there quicker easier ways that you would have told someone just starting out with AD to check if they are at a domain controller?

Update from Kurt (thanks for your service in the Army...in war zones).    I posed this question to a mid-level AD admin.  His response was "run dcpromo, it will tell you if it is a DC".   That is true and something I didn't think of in the 5 second response.  This is why I love AD...so many ways to do something and a lot of great solutions.

My only caveat about this method is that if someone was being careless didn't read and clicked next next and finished the wizard then they could also be demoting a DC....I'm hoping people using AD can read :)

In the example below the computer is obviously a DC.




Note: The dcpromo method won't work in Windows 2012...because they killed that off...more on that in future posts.   I'm guessing very few folks are currently running Windows 2012 in production.  Example of start > run > dcpromo on a Windows 2012 DC below.




Update 2: Krzystof had a great suggestion in the comments and that was to use systeminfo.

systeminfo | findstr /i "OS Configuration"
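As an added example (my own function, not from the post or its comments): the checks above combined into one PowerShell function that also reads the Win32_ComputerSystem DomainRole value, which is what systeminfo's "OS Configuration" line is based on and which works back to 2003 where the NTDS service does not exist. It needs only WMI access to the target (no AD module); the function name is mine.

```powershell
# Added example (not from the post): "is this box a DC?" with the evidence behind the answer.
# Uses WMI only, so it works on 2003-era DCs as well as 2008+; run as a local administrator.
function Test-IsDomainController {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC (the PDC emulator holder).
    # This is the same information systeminfo shows as "OS Configuration".
    $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName
    $roleNames = @{
        0 = 'Standalone Workstation'
        1 = 'Member Workstation'
        2 = 'Standalone Server'
        3 = 'Member Server'
        4 = 'Backup Domain Controller'
        5 = 'Primary Domain Controller'
    }

    # The post's "net share" test: every DC shares SYSVOL (and NETLOGON)
    $shares    = Get-WmiObject -Class Win32_Share -ComputerName $ComputerName |
                 Select-Object -ExpandProperty Name
    $hasSysvol = $shares -contains 'SYSVOL'

    # NTDS is listed as a service on 2008+ DCs only, so it is supporting evidence, not the verdict
    $ntds = Get-Service -Name NTDS -ComputerName $ComputerName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $cs.Name
        Domain             = $cs.Domain
        DomainRole         = $roleNames[[int]$cs.DomainRole]
        SysvolShared       = $hasSysvol
        NtdsService        = if ($ntds) { $ntds.Status.ToString() } else { 'not present' }
        IsDomainController = ([int]$cs.DomainRole -ge 4)
    }
}

Test-IsDomainController
```

Unlike the dcpromo approach, nothing here can change the machine's state if someone clicks through too quickly, which makes it the safer one to hand to a newcomer.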




Wednesday, April 4, 2012

Security Compliance Manager 2.5 Released

Ned Pyle wrote a blog entry in January on the Microsoft askds blog about Security Compliance Manager 2.5 Beta.

The tool has been officially released and is no longer in beta.

From the download center:

We are pleased to announce that version 2.5 is released and now available for download from the Microsoft Download Center!
Download SCM 2.5 now


I've been testing 2.5 Beta and really glad that it is now out of beta as it will be much easier to get the tool approved for use where I work.

You can read about the key features & benefits on the Microsoft site so I won't copy and paste them again here.

There will be follow up blog posts with more info and screen shots from the tool.


Friday, March 30, 2012

Active Directory Administrative Center Twitter Question

I recently saw a question on Twitter about the Active Directory Administrative Center (ADAC)

Twitter is a site everyone knows but more and more it is a great place for tech information and sharing in the community.  There are a lot of good tweets on Active Directory and links to information.  There is also a fair amount of spam/bad links.  Those are usually easy to spot though (the picture is a "sexy" model, for example).

Thanks a lot to @SamErde for letting me use his post for this blog.





ADAC was released with Windows 2008 R2.  It has gained some traction but currently it is definitely still not the GUI tool of choice for Active Directory Administration.  AD Users & Computers still wins but that may change in Windows 8 when features like the AD Recycle Bin and Fine-Grained Passwords are brought into ADAC giving both of those features a much needed GUI.

In order to truly test I created three forests in my lab and created forest trusts between the first forest and the other two forests.  I did see TechNet articles that this could be done but I like to verify.





I'm not just a blogger; I also work in this world and I know setting up the trusts can be a pain.  You have to have the proper ports open.  That is often easier said than done.  Become friends with the firewall admins :)   You also need to ensure that name resolution is working.  I used conditional forwarders to resolve the domain names in DNS.  Stub zones and secondary zones would also work.

There are a lot of posts and resources about setting up trusts.  If you run into issues look at the basics first:
  • For potential port blockages tools like telnet, portqry, wireshark, and netmon are really good starting points.
  • For DNS issues nslookup is a good place to start troubleshooting.  (wireshark/netmon are good there too)



At this point the forest trusts have been set up and the two-way trusts are functional.   The first thing we need to do is to try and add one of the other domains in ADAC.


Add Navigation Nodes in ADAC - Windows Server 2008 R2



Add Navigation Nodes in ADAC - Windows Server 8 Beta


I added the screenshot from a Windows Server 8 Beta box just to show that the location for adding the Navigation Nodes has changed.

I'm going to use Windows 2008 R2 for the rest of the examples.   I select Add Navigation Nodes; from there I can add another domain.  

Adding domain in another forest to ADAC via Navigation Node

Once I add the domain from the trusted forest I can now see it in ADAC

Remote domain from trusted forest now appears in ADAC

That is great, but what does that really get me?  I am able to view objects in the remote domain because AD by default allows read access to most objects.

I'm not able to make any changes, which is a good thing.  The fact that the forest trust exists doesn't give any rights to administer the remote domain.

Notice in the screenshot below that I attempt to update/edit a user in the remote forest/domain.  I'm unable to make any changes but can read his info.

Attempting to update a user 

Without any rights I can't really do much.  In this case I want the same account to be able to administer the objects in both forests.

There are several options here, but I added my admin account to the built-in Administrators group in the remote domain.


My admin account has been added into the Administrators group in the remote domain


After the addition has replicated I try to update the user account from ADAC again.  This time you will notice that the fields are not grayed out and I can make changes.



Wishlist:  I would like the ability to add another domain in the navigation node but also specify alternate credentials when I do that.  That would be handy if an admin has a separate admin account in the remote forest/domain.   I'm still researching that and will update the blog if I find something.
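Putting an account from one forest into the Administrators group of another, as done above, is exactly the kind of membership that should be reviewed regularly, because the trust itself grants nothing and every cross-forest privilege is an explicit addition. The following is an added example (not code from the original post) that lists members of a domain's privileged groups that come from another forest, and it takes the alternate credentials the wishlist asks for via -Credential. It assumes the Microsoft AD module, and the server name and credential prompt are placeholders.

```powershell
# Added example: find cross-forest (foreign security principal) members of privileged groups.
# Assumptions: AD module present; $Server is a DC in the domain being audited (placeholder).
Import-Module ActiveDirectory

function Get-ForeignPrivilegedMembers {
    param(
        [Parameter(Mandatory=$true)][string]$Server,            # e.g. 'dc1.remote.forest.example'
        [string[]]$Groups = @('Administrators', 'Domain Admins', 'Enterprise Admins'),
        [System.Management.Automation.PSCredential]$Credential   # optional separate admin account
    )
    $common = @{ Server = $Server }
    if ($Credential) { $common.Credential = $Credential }

    foreach ($g in $Groups) {
        # Read the member attribute directly: Get-ADGroupMember -Recursive is known to fail
        # on groups that contain foreign security principals.
        $group = Get-ADGroup -Identity $g @common -Properties member -ErrorAction SilentlyContinue
        if (-not $group) { continue }   # Enterprise Admins only exists in the forest root domain
        foreach ($dn in $group.member) {
            # Cross-forest members are stored as foreignSecurityPrincipal objects whose
            # objectSid is the SID of the account in the other forest.
            if ($dn -notmatch 'CN=ForeignSecurityPrincipals') { continue }
            $fsp = Get-ADObject -Identity $dn @common -Properties objectSid
            $sid = $fsp.objectSid
            try {
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = '(unresolvable: orphaned SID, or trust/DNS problem)'
            }
            [PSCustomObject]@{ Group = $g; Sid = $sid.Value; Account = $name }
        }
    }
}

# Usage: audit the remote domain with a separate admin account for that forest.
$cred = Get-Credential 'REMOTE\admin-account'
Get-ForeignPrivilegedMembers -Server 'dc1.remote.forest.example' -Credential $cred |
    Format-Table -AutoSize
```

Nested groups are not expanded here; if a domain local group from the audited domain is itself a member, run the function again with that group name. An entry that will not translate to a name is worth a look on its own: it is either an orphaned SID from a deleted account in the other forest or a sign that the trust or name resolution is broken.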

There is a good article about ADAC on TechNet that is worth reading.  

What are your thoughts on ADAC?  For those at 2008 R2, is it gaining traction in your environments?


Thursday, March 22, 2012

LastLogonTimestamp for Group Members

I was recently working in a secure environment and one of the issues was way too many domain admin accounts.  This is not a problem just in secure environments.  I've yet to encounter a federal organization that does an outstanding job of limiting the number of domain admins.  I've seen Joe Richards write about working at a Fortune 5 company where they ran with fewer than 5 domain administrators.  More and more organizations are trying to limit domain admins.  I doubt we will ever get to a point where fewer than five is the norm, but things are getting better...slowly but surely.

The first step the security team took was to identify members of the Domain Admins group and the last time they logged in.  This is a good initial step to remove those that haven't logged on or used their accounts.  If someone hasn't used their domain admin account in 120 days or longer, then I would question whether they need the account.

Some folks on the security team were manually going to a box that had the Additional Account Info tab from acctinfo.dll.  They were then looking at the Last Logon box within the tab and manually entering that into a spreadsheet.  I knew there were easier ways to do this, so I stepped in to help out.

For this exercise I keyed off the LastLogonTimeStamp (LLTS).  The lastLogonTimestamp can be off by 9-14 days.  The link to the askds blog entry on LLTS does a great job of explaining it.  If 9-14 days is not acceptable, then you would have to query lastLogon on every DC.  lastLogon does not replicate, and that is why every DC would have to be queried.

For the examples I'm in my lab domain, which is mkw2k8R2.com, and I only have three users in the Domain Admins group.  I've only logged in with one of those users.

Method 1 - Using ADFIND

Regular blog users will not be surprised to find out that I used adfind from Joe Richards for method 1.  

adfind -default -f "memberof=cn=domain admins,cn=users,dc=mydomain,dc=mysuffix" samaccountname lastlogontimestamp -tdc -nodn -csv 


Method 2 - Using Quest AD Powershell Cmdlets

Many people that started with powershell and AD years ago are probably familiar with the free AD cmdlets from Quest.  

get-qaduser -memberof "domain admins" | select-object samaccountname, lastlogontimestamp


Method 3 - Using Microsoft's AD Powershell v2 Cmdlets

With the introduction of Windows 2008 R2 and Windows 7, Microsoft introduced the AD module for Windows PowerShell.  There is already a lot of good information about the AD module for PowerShell, so I won't go over that here.   I also admit I'm not a PowerShell master/guru.

get-aduser -LDAPFilter "(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" -property lastlogondate | ft samaccountname, lastlogondate


If you noticed, I used lastlogondate, which is not an actual AD attribute.  My friend Richard Mueller had a good writeup on lastlogondate.    See the link and Richard's answer for more info on lastlogondate, which is essentially the same as lastlogontimestamp.


Method 4 - Using CSVDE

CSVDE is what you would call an old school tool.  Those that have been around AD for years have definitely used the tool at some point.  It was around before adfind and PowerShell. 


csvde -f c:\userslogon.csv -r "(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" -l "samaccountname,lastlogontimestamp"


One problem with the CSVDE method is how it handles the output.   lastLogonTimestamp is an Integer8 (64-bit number) that CSVDE does not decode, so you get the raw value.  You will notice in methods 1-3 that those tools did a good job of decoding the attribute.

Elizabeth Greene has a really good blog entry that has a formula you can use in excel to convert it into a readable date.

Notice in the screenshot the difference between the native format in cell C2 and what it looks like after I applied the formula.




Method 5 - Using Repadmin

This method I first saw used in the blog from the askds team that I linked to earlier and will link to again here.


repadmin /showattr dc1root dc=mkw2k8r2,dc=com /subtree /filter:"(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" /attrs:lastlogontimestamp



Other Methods


I really like methods 1-3 the best.  There are other methods that I have not included here, but I figured five is a good start for anyone.  Some other things you might see out there:


  • VBScript - Richard is the king in this category, and if you want to use VBScript I recommend testing his scripts out.
  • PowerShell v1 without AD cmdlets - remember when I said I was not a PowerShell guru yet?  I'm guessing that is something that can be done, but I haven't tried to do it yet.   The AD cmdlets from Microsoft and Quest both work for me, so I try to stick to them.

You can use these examples and modify them if you are looking for other groups.  There are other/better ways to identify old/stale accounts in a domain if you want to do it domain wide.  More to come on that.
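To tie the pieces above together (method 3 with the AD module, the Integer8 conversion that CSVDE leaves to an Excel formula, the 120-day question from the top of the post, and reusing the query for other groups), here is an added example written for this post rather than the author's own script. It assumes the Microsoft AD module and rights to read the group and its members. It decodes lastLogonTimestamp with [DateTime]::FromFileTime, expands nested group membership (which the one-line memberOf filters above do not), flags accounts that have never logged on, and with -QueryEveryDC switches to the non-replicated lastLogon attribute on every DC for the cases where a 9-14 day lag is not acceptable.

```powershell
# Added example: last-logon report for members of a privileged group, with a stale flag.
# Assumptions: Microsoft AD module (2008 R2 / Windows 7 RSAT or later); caller can read the
# group, its members and, for -QueryEveryDC, every DC in the domain.
Import-Module ActiveDirectory

function Get-PrivilegedGroupLogonReport {
    param(
        [string]$GroupName = 'Domain Admins',   # any group works, e.g. 'Enterprise Admins'
        [int]$StaleDays = 120,                  # threshold used in the post: 120 days or longer
        [switch]$QueryEveryDC                   # use lastLogon from every DC instead of LLTS
    )

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # -Recursive expands nested groups so an admin hidden one level down is not missed.
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
               Where-Object { $_.objectClass -eq 'user' }

    # Only needed for precise mode: lastLogon never replicates, so every DC is asked.
    $dcs = @()
    if ($QueryEveryDC) { $dcs = (Get-ADDomainController -Filter *).HostName }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties lastLogonTimestamp
        # lastLogonTimestamp is Integer8 (FILETIME); 0 or empty means no recorded logon.
        $raw = $u.lastLogonTimestamp
        $last = $null
        if ($raw) { $last = [DateTime]::FromFileTime($raw) }
        $source = 'lastLogonTimestamp (may lag 9-14 days)'

        if ($QueryEveryDC) {
            $newest = [Int64]0
            foreach ($dc in $dcs) {
                try {
                    $ll = (Get-ADUser -Identity $u.DistinguishedName -Server $dc -Properties lastLogon).lastLogon
                    if ($ll -gt $newest) { $newest = $ll }
                } catch {
                    Write-Warning "Could not query $dc for $($u.SamAccountName): $($_.Exception.Message)"
                }
            }
            $last = $null
            if ($newest) { $last = [DateTime]::FromFileTime($newest) }
            $source = 'lastLogon (newest value across all DCs)'
        }

        [PSCustomObject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            LastLogon      = $last
            Source         = $source
            Stale          = ($null -eq $last -or $last -lt $cutoff)
        }
    }
}

# Usage: list only the candidates for removal, most recent logon first.
Get-PrivilegedGroupLogonReport -GroupName 'Domain Admins' -StaleDays 120 |
    Where-Object { $_.Stale } | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

An account with no value at all shows up as stale rather than being skipped, since an admin account that has never been used is the easiest one to justify removing. If a DC is unreachable in -QueryEveryDC mode the warning matters: a logon recorded only on that DC would be missed, so treat the result as a lower bound until every DC has answered.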

I'm really looking forward to hearing from readers and the community on other methods for doing this.  If there are better ways to do it in Powershell please leave a comment and I'll definitely update the blog.

Inactive Domain Admins beware....you will be removed :)