Something I’ve noticed in the on-line forums is that people are still advising others to use NTDSUTIL to perform a metadata cleanup to remove references to Domain Controllers that have been removed from AD without using DCPROMO (e.g. following a DC failure where demotion was not possible). Since Windows Server 2008 it has been possible… Read More »
You probably know this, but for some reason I only found out about it when someone showed it to me the other day. Anyway, in the interests of sharing…. A really quick way to find the domain password and account lockout policy is to run the following from a CMD prompt: net accounts The output… Read More »
For those of you planning to extend your AD DS or AD LDS schema, you will need to find a unique object identifier (OID) for each new schema class and attribute. The process by which you can acquire the OIDs is described by Microsoft here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms677619(v=vs.85).aspx In summary, Microsoft suggests two methods for obtaining an… Read More »
I’ve been having a look at the free ADManager Plus software from the team at ManageEngine. The product is designed to simplify AD management and provide useful reports. It falls under the category of “freemium” software whereby the basic offering is free, but premium features incur a licence cost. There are three variants available: Standard… Read More »
I recently came across an old blog post by fellow MVP Joe Richards. In the post Joe points out that whenChanged is not a replicated attribute, which makes it a poor candidate for accurately determining when an object was last modified. He does however indicate that the whenChanged attribute provides a handy way to report… Read More »
If you’re familiar with LDAP searches you will probably at some point have been frustrated at the inability to exclude objects in a specific Organisational Unit, i.e “Give me all User objects in the domain, except those in the Sales OU”. To workaround the problem you typically need to do some scripting. There are several… Read More »
Something you may have noticed in your journey on the road to AD enlightenment is that if you deploy a new Microsoft Enterprise Certificate Authority (CA) and publish the default templates, your Domain Controllers will automatically enroll for a certificate. The template used is the DomainController V1 certificate, which has been around since Windows 2000… Read More »
If you come across this error when using Powershell to delete an object, it is most likely because the object has child objects associated with it. The most obvious example is computer objects that have print queue, service connection point, RRAS or various other types of child objects. The workaround is to determine the child… Read More »
It is sometimes helpful to be able to search for objects in AD by their creation date. The whenCreated attribute is useful for this as it is a replicated attribute (i.e. is consistent across all DCs). The challenge for using whenCreated in LDAP filters is the syntax. The attribute uses the GeneralizedTime syntax to represent… Read More »
After an absence of a couple of years, the Wellington Windows Infrastructure User Group has been brought back to life! If you’re in Wellington on Wednesday 4th July, come along and watch me and Daniel Bowbyes presenting on some Windows Server 2012 goodness. http://www.mscommunities.co.nz/Events/Wellington-Windows-Infrastructure-User-Group—Win.aspx