22 Jul 2015

List FSMO Roles via Command Line

To list the FSMO role holders from the command line, run:

netdom query fsmo

It's much easier than using the MMC GUI.
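The same information from PowerShell, with a reachability check on each role holder, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed and that the caller is a member of the domain; Test-NetConnection is used only to confirm the LDAP port answers.

```powershell
# Added example: list FSMO role holders with the ActiveDirectory module and
# confirm each holder answers on the directory (LDAP, TCP 389) port.
# Assumes RSAT ActiveDirectory module and a domain-joined caller.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Forest-wide roles are exposed by Get-ADForest, domain-wide roles by Get-ADDomain.
    $roles = [ordered]@{
        'SchemaMaster'         = $forest.SchemaMaster
        'DomainNamingMaster'   = $forest.DomainNamingMaster
        'PDCEmulator'          = $domain.PDCEmulator
        'RIDMaster'            = $domain.RIDMaster
        'InfrastructureMaster' = $domain.InfrastructureMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        # A cheap liveness check: does the role holder accept LDAP connections?
        $up = Test-NetConnection -ComputerName $holder -Port 389 `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role      = $role
            Holder    = $holder
            Reachable = $up
        }
    }
}

Get-FsmoRoleHolder | Format-Table -AutoSize
```

A role holder that is not reachable is worth chasing before any operation that needs it (schema changes, RID pool requests, password changes routed to the PDC emulator).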

7 Jun 2015

Security Accounts Manager Failed



This morning we received errors from a remote-site, Windows Server 2003-based Domain Controller which was sharing its hardware with a File Server. The following message was being logged in the Directory Service log:

NTDS (460) NTDSA: Corruption was detected during soft recovery in logfile C:\WINDOWS\NTDS\edb.log. The failing checksum record is located at position END. Data not matching the log-file fill pattern first appeared in sector 14418 (0x00003852). This logfile has been damaged and is unusable.

When restarting the server, the following message appeared, and when clicking 'OK' the DC would reboot.

After booting into Directory Services Restore Mode, several checks were performed using NTDSUTIL from the Command Prompt.

NTDSUTIL > FILES > INFO showed that all files were present and the correct size.

NTDSUTIL > FILES > INTEGRITY showed that the Database was corrupt.

NTDSUTIL > FILES > RECOVER would not recover the database.

Finally I tried:

esentutl /p "C:\Windows\NTDS\ntds.dit" /!10240 /8 /o

I then deleted all log files present in the NTDS folder, in this case C:\Windows\NTDS.

Then I ran a semantic database analysis, which completed successfully:

NTDSUTIL > Semantic Database Analysis > Go

Upon rebooting the server there were no more error messages, and I was now at a point where I could gracefully demote the server and replace it with a dedicated Domain Controller.
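One check I would add on top of this, as an example that is not part of the original post: a PowerShell scan of the Directory Service event log for the same ESE corruption text, so a DC logging these messages is spotted before it reaches the reboot loop. It assumes local administrator rights on the DC (or WinRM/event log access when a remote name is passed); the match strings are taken from the message quoted above and can be extended.

```powershell
# Added example: find ESE/NTDS corruption messages in the Directory Service
# log. Matches on message text taken from the post rather than on an event
# ID, so it does not depend on a guessed ID. Run as an administrator.
function Find-NtdsCorruptionEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    $since = (Get-Date).AddDays(-$Days)
    # Phrases from the message quoted in the post; add more as needed.
    $patterns = 'Corruption was detected', 'logfile has been damaged'

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Directory Service'
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object {
        $msg = $_.Message
        # Keep the event if any pattern appears in the message body
        ($patterns | Where-Object { $msg -like "*$_*" }).Count -gt 0
    } |
    Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Find-NtdsCorruptionEvent -Days 30 | Format-Table -AutoSize
```

As a usage note: esentutl /p is a hard repair that can discard damaged pages, so demoting the repaired DC afterwards and replacing it, as done here, is the right end state rather than leaving the repaired database in service.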

30 Mar 2015

Troubleshooting AD Replication & Lingering Objects


Some handy links for better understanding the troubleshooting of AD replication, Lingering objects and their removal, with a guide coming soon.

Removing Lingering Objects

Information about Lingering Objects in an AD Forest
https://support.microsoft.com/en-us/kb/910205

Removing Lingering Objects
http://blogs.technet.com/b/askds/archive/2014/09/15/remove-lingering-objects-that-cause-ad-replication-error-8606-and-friends.aspx

Fixing Lingering Object Problems
https://technet.microsoft.com/en-us/library/cc738018%28v=ws.10%29.aspx



Strict Replication Consistency 

Contrary to popular belief, Strict Replication Consistency isn't enabled by default on DCs that reside in forests upgraded from 2000 functional levels
http://blogs.technet.com/b/askds/archive/2010/02/15/strict-replication-consistency-myth-versus-reality.aspx



Troubleshooting Replication

AD Replication Status Tool
A very useful tool for troubleshooting replication; think of repadmin but in a GUI, and more.
http://blogs.technet.com/b/askds/archive/2012/08/23/ad-replication-status-tool-is-live.aspx

ReplDiag
http://activedirectoryutils.codeplex.com/releases/view/13664
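While the guide is pending, a first pass over replication health from PowerShell, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module and WinRM access to each DC, and it also reads the Strict Replication Consistency registry value that the askds article above covers (the value lives under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters; 1 means strict, 0 or absent means loose).

```powershell
# Added example: inbound replication summary per DC plus the Strict
# Replication Consistency setting. Assumes RSAT ActiveDirectory module and
# WinRM access to the DCs.
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    $dcs = Get-ADDomainController -Filter *
    foreach ($dc in $dcs) {
        # Inbound partner metadata (last success per partner) and recorded failures
        $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue
        $failures = Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue

        # Registry value controlling whether lingering objects are rejected (1) or accepted (0/absent)
        $strict = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                -Name 'Strict Replication Consistency' -ErrorAction SilentlyContinue).'Strict Replication Consistency'
        }
        $strictState = switch ($strict) {
            1       { 'Enabled' }
            $null   { 'NotSet' }
            default { 'Disabled' }
        }

        # The oldest successful inbound replication is the one that will hit tombstone lifetime first
        $oldest = ($partners | Sort-Object LastReplicationSuccess | Select-Object -First 1).LastReplicationSuccess

        [pscustomobject]@{
            DC                = $dc.HostName
            Site              = $dc.Site
            Partners          = @($partners).Count
            OldestSuccess     = $oldest
            Failures          = @($failures).Count
            StrictConsistency = $strictState
        }
    }
}

Get-ReplicationHealth | Sort-Object Failures -Descending | Format-Table -AutoSize
```

A DC whose OldestSuccess is approaching the forest tombstone lifetime, combined with StrictConsistency reporting NotSet or Disabled, is exactly the combination that lets lingering objects re-enter the directory.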

24 Mar 2015

Scheduling PowerShell Scripts

I have a requirement to run a PowerShell .ps1 file each evening to perform a backup in an AWS environment. Having written the .ps1 script and placed it on the server, I created the task with the following parameters using the Task Scheduler GUI.

Program/script C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Add arguments -File ".\EC2_Backup.ps1"

Start in D:\Scripts

To load the AWS connection details (region and access keys), I also added the following to the top of the script:

Initialize-AWSDefaults
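The same task built with the ScheduledTasks module rather than the GUI, as an added example that is not part of the original post. The task name, run time and service account name are assumptions; the script path and file name are the ones from the post. The 64-bit powershell.exe under System32 is used here instead of the SysWOW64 (32-bit) host from the post, so whichever you choose, the AWS Tools module must be installed for that bitness.

```powershell
# Added example: register the nightly backup task from PowerShell.
# Assumptions: task name, 22:00 run time, service account CONTOSO\svc-ec2backup.
# Run from an elevated prompt on the server that performs the backup.
$scriptDir  = 'D:\Scripts'
$scriptName = 'EC2_Backup.ps1'
# 64-bit host; the post's SysWOW64 path is the 32-bit host.
$psExe = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"

# -NoProfile avoids profile scripts altering the run; -NonInteractive stops
# any prompt from hanging an unattended task.
$action = New-ScheduledTaskAction -Execute $psExe `
    -Argument "-NoProfile -NonInteractive -File `".\$scriptName`"" `
    -WorkingDirectory $scriptDir

$trigger  = New-ScheduledTaskTrigger -Daily -At '22:00'
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) -StartWhenAvailable

# Dedicated, least-privilege service account (assumed name). Prompt for its
# password instead of embedding it in the script. The saved AWS profile that
# Initialize-AWSDefaults loads is stored per user, so it must be saved while
# running as this same account.
$cred = Get-Credential -UserName 'CONTOSO\svc-ec2backup' -Message 'Backup task account'

Register-ScheduledTask -TaskName 'EC2 Nightly Backup' -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName -Password $cred.GetNetworkCredential().Password -Force

# Confirm what was registered
Get-ScheduledTask -TaskName 'EC2 Nightly Backup' | Select-Object TaskName, State
```

Registering with an explicit user and password makes the task run whether or not anyone is logged on, and a dedicated account keeps the backup's AWS keys away from interactive admin sessions.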

My take on Stub Zones vs Conditional Forwarders

I'm lucky/unfortunate enough (delete depending on the day) to architect and manage a geographically distributed Active Directory environment consisting of multiple domains and forests. The forests are connected using a variety of AD trusts and they all hinge on our DNS infrastructure.

I've typically been a big advocate for AD-integrated stub zones rather than Conditional Forwarders, because they can be centrally managed through their AD integration (whether at Domain or Forest-wide scope) and because they keep the list of name servers belonging to the DNS zone up to date themselves.

To be clear, stub zones contain three record types (SOA, NS and A) which reference the name servers responsible for the source DNS zone. Periodically the SOA, NS and A records are refreshed from the Master Server list for that zone. When a query arrives at the server hosting a matching Stub Zone, the server uses the NS and then A records in the zone to direct the query to a suitable name server for an answer. This is perfectly acceptable when the source zone is hosted on a number of Domain Controllers in a central location such as a data centre, but it may add complications when the Domain Controllers are geographically distributed, such as in Hub/Spoke topologies where the spokes are DCs in remote offices connected over small/slow links. While answers to name queries are cached by the server hosting the stub zone, name lookups sent across such links may introduce delays or add to the traffic on them. Microsoft indirectly acknowledges this in the TechNet article "Contrasting stub zones and conditional forwarders", although in the context of security and of not being able to directly control server-to-server connections, compared with the static configuration of Conditional Forwarders:

Stub zones do not provide the same server-to-server benefit because a DNS server hosting a stub zone in one network will reply to queries for names in the other network with a list of all authoritative DNS servers for the zone with that name, instead of the specific DNS servers you have designated to handle this traffic.

Based on the above statements, my interpretation and my experience, my recommendations are as follows:

Conditional Forwarders - Great for server-to-server name resolution, such as specifically defining that server A will always forward to servers X, Y and Z for contoso.com, when contoso.com is hosted on a heavily geographically distributed AD infrastructure or where not all sites are routable from server A. The obvious downside of Conditional Forwarders is maintaining the list of forwarders on a per-server basis.

Stub Zones - Ideal when referencing DNS zones hosted on resource forests/infrastructures which are hosted centrally and fully routable/reachable from the server hosting the stub zone. The obvious benefits are that the name server list is maintained as part of the stub, and the zone can be AD-integrated to ensure that it is available throughout the Domain or Forest. Be careful when creating a stub zone which references a zone hosted on geographically distributed infrastructure.
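To make the difference concrete, here is each zone type created from the DnsServer module and then inspected, as an added example that is not part of the original post. The zone names and master server addresses are assumptions; run it on a DNS server (or add -ComputerName) as a DNS administrator. One point the example shows that the post does not state: a conditional forwarder can also be stored in AD with -ReplicationScope, which removes the per-server maintenance the post describes; the per-server behaviour applies to forwarders created without it.

```powershell
# Added example: stub zone versus conditional forwarder with the DnsServer
# module. Zone names and addresses are assumed values.
Import-Module DnsServer

$stubZone   = 'contoso.com'                 # zone hosted in the other forest (assumed)
$stubMaster = '10.1.0.10', '10.1.0.11'      # its authoritative servers, centrally hosted (assumed)

# Stub zone replicated to every DNS server in the forest. It holds only
# SOA/NS/A glue learned from the masters, and queries may be referred to ANY
# server in that NS list, including ones at the far end of a slow link.
Add-DnsServerStubZone -Name $stubZone -MasterServers $stubMaster -ReplicationScope 'Forest'

# Conditional forwarder: queries for the zone go only to the servers listed here.
# -ReplicationScope stores it in AD; omit it for a per-server forwarder.
$fwdZone   = 'partner.example'              # assumed
$fwdMaster = '10.9.0.10'                    # the one server you want used (assumed)
Add-DnsServerConditionalForwarderZone -Name $fwdZone -MasterServers $fwdMaster -ReplicationScope 'Forest'

# Inspect: what the stub zone learned (the full NS list of the remote zone)...
Get-DnsServerResourceRecord -ZoneName $stubZone |
    Where-Object { $_.RecordType -in 'SOA', 'NS', 'A' } |
    Format-Table HostName, RecordType, RecordData -AutoSize

# ...versus the fixed target list of the forwarder
Get-DnsServerZone -Name $fwdZone |
    Select-Object ZoneName, ZoneType, MasterServers, ReplicationScope
```

Comparing the NS records the stub zone pulled in against your site topology is the quickest way to tell whether some of those servers sit behind the slow links the post warns about.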

18 Mar 2015

Pause and Resume Bitlocker Encryption Operation

Maybe a bit of a useless one, but you can control the encryption process of a drive, if you find that it is hindering your progress on a machine, using the commands below.

manage-bde -pause driveletter:

When you are ready to start encrypting the drive again, type the following command:

manage-bde -resume driveletter:

I'm not sure how much value this offers, as with MDT 2012 you can now pre-encrypt drives to negate the need to perform the encryption step post Windows deployment.
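The risk with pausing is forgetting to resume, leaving a drive partially encrypted. As an added example that is not part of the original post, this reports any volume whose encryption is paused or still running, and can resume the paused ones with the same manage-bde command the post uses. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later) and an elevated session.

```powershell
# Added example: find volumes with paused or in-progress BitLocker encryption.
# Assumes the BitLocker module; run elevated. -Resume is optional.
function Get-UnfinishedBitLockerVolume {
    param([switch]$Resume)

    $pending = Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -in 'EncryptionInProgress', 'EncryptionPaused' } |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus

    if ($Resume) {
        # Use the same command as the post; MountPoint is the drive letter (e.g. C:)
        $pending | Where-Object { $_.VolumeStatus -eq 'EncryptionPaused' } |
            ForEach-Object { manage-bde -resume $_.MountPoint }
    }
    $pending
}

$unfinished = Get-UnfinishedBitLockerVolume
if ($unfinished) {
    $unfinished | Format-Table -AutoSize
} else {
    'No volumes with paused or in-progress encryption.'
}
```

Run it with -Resume at the end of the day, or from a logon script, so a paused drive does not stay in that state longer than intended.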

Lack of Updates - sorry.. but more soon!

I thought it best to apologise for the lack of updates which have been posted for almost the last two years. Since my last post, I've had a promotion and moved to the other side of the world and found that my workload has greatly increased.

I checked my analytics figures today for the first time since 2013 and can see that the blog is as popular as ever, so that's spurred me on to start putting more effort into posting.

Hopefully I'll have something up soon.