Active Directory Troubleshooting Help

A friend and former co-worker of mine (Sean Deuby) has some excellent Active Directory Troubleshooting guides available online for free.  These aren’t going to solve every problem for you, but they are great for making sure you have covered your bases when troubleshooting Active Directory.  Take a look at the link to see all the great help he has.

You know…isn’t the Internet great?  I mean really think about all the great things that are available at our fingertips, things like these great troubleshooting guides.  The Internet hasn’t always been great but I’d say over the last 5 years it has really blossomed.  I know there are bad and harmful things out there but I really do believe that there is more good than bad…OK, time for me to stop thinking out loud again.

Windows Server 2008 Server Core R2 Reboot Avoidance

I’ve been a fan of Server Core since I heard about it and you can see by the 20+ posts I have on the product.  Server Core has been out since Windows 2008 which is just under 40 months.  Server Core R2 has been out for about 20 months.  One of the selling points that Microsoft made on server core was that it would have a reduced attack surface and thus you would have fewer reboots due to patches.  While preparing for a talk on Server Core I wanted to investigate this a bit more.  I reached out for some help to Andrew Mason (if you don’t know that name you aren’t a Server Core hard core freak like me).  Andrew runs the official Server Core blog over on TechNet.  Andrew sent me some wonderful information on the subject that I’d like to share with you.

Take a look at these numbers.  I’ll explain in more detail below.


We are comparing both Server Core 2008 and R2.  The Reduction column is % reduced based off the hotfixes Microsoft released during their existing lifespan.  Critical Only is just that, the reduction of patches Microsoft rated Critical for both versions of Server Core.

Now let’s look at the rows starting with All applicable patches.
  • All roles are all available roles for those versions of Server Core.
  • Months without a reboot is really cool.  It shows how many months went by with no reboots required on Server Core.  Although it is not consecutive months it is still pretty impressive that Server Core R2 has not needed a reboot during half its existence!
  • Next we see the reduction of patches with the basic OS installed and none of the major features and roles installed.

Now we see the area called Necessary patches only.  What does that mean?  That is referencing the patches that are really needed for Server Core.  There are some vulnerabilities that show Server Core as vulnerable but it’s not exploitable.  That is what is called out on the bottom of the graphic.  Microsoft does this because it has changed the file and would probably prefer you to update the file eventually too.  IMHO I’d patch these but would bundle them with the necessary patches.

I remember reading an article from David Cross on TechNet stating the following: “In some cases, customers can see up to a 60% reduction in patch requirements and the number of reboots on a monthly basis.”  These are the numbers that back up statements such as that.

Those are some pretty impressive numbers. Great job to the whole Server Core team.  I really hope Microsoft continues with this product and from recent announcements on the next version of SQL it looks like they are sticking with it.

*Numbers updated through the May 2011 patch Tuesday

Tech Immersion 2011

Last week I was a speaker at Tech Immersion 2011 here in Phoenix Arizona.  I gave four talks on a range of topics that covered Active Directory, PowerShell and Server Core.  Hopefully I have some new followers since the conference and if so make sure to say hi in the comments.

The highlight for myself was meeting Jeffrey Snover.  If you don’t know who he is then you better Bing or Google him now.  This is the father of PowerShell and now the Lead Architect for the Windows Server Division.  He was really great to talk to; in fact there were a lot of great presenters there, including PowerShell gurus Don Jones & James Brundage, Microsoft Certified Masters Miguel Wood & Mike Pfeiffer, MVPs and MCTs such as Simon Allardice, Scott Cate, Jeff Jones, Spike Xavier as well as Microsoft employees Michael Palermo, Harold Wong, Tony Harris & Kathrine Lord and ITIL/COBIT Master Mark Thomas.  I left one person out and that was on purpose.  Jason Helmick…what can I say.  He along with the rest of Interface Technical Training put on an excellent conference that will only grow more and more as time goes on.  Great job Jason and Lynn from Interface as well as everyone else that supported this event.


Here is a pic of Jeffrey and me after the event hanging out at Dick’s Hideaway.

I can’t wait for Interface to host another great event like this.

Acctinfo2.dll to get Additional Account info

Some of you may have used Acctinfo.dll to get the additional Account Info tab when managing Active Directory from 2003 or Windows XP.  It was a great add-on that showed you additional info about Users such as their GUID and SID amongst many other things.

I’ve heard rumors that some people have seen Acctinfo2.dll out in the wild…aka the Internet, and that it works on Server 2008 R2.  Please don’t download anything called Acctinfo2.dll from the Internet unless it is officially from Microsoft.  I’m not saying that Acctinfo2.dll doesn’t exist…to be honest I have no idea because I’ve never tried to install it.  But like you I’m not a fan of downloading something that could potentially do harm to my environment.

For those looking to get those “Additional Account” attributes you can still do it.  The first way is to just use the Attributes tab in Active Directory Users and Computers, but there is an even better way.  All you really need to do is use the Active Directory Administrative Center.  Let me show you.

Once you open the Active Directory Administrative Center you can do a search for the user you want additional info on:


Now either double-click on that account or click the Properties from the Tasks on the right side.


These are the standard account properties…but…did you notice the area called Modified on the bottom?  That is where the magic really happens.


Here you can see all sorts of goodies including an account’s SID.  Just take a look at all that goodness.


Good stuff indeed.  Now stop trying to download something that doesn’t exist except in Area 51.
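The same account details the old Acctinfo.dll tab showed (SID, GUID, password last set, lockout status, last logon) are available from the built-in AD cmdlets, so there is no need to download an unofficial DLL.  This is an added example, not something from the original post; it assumes the ActiveDirectory module is loaded and that the hypothetical function name Get-AccountInfo is fine with you.

```powershell
# Added example (not from the original post): "Additional Account Info" from the
# native AD cmdlets instead of an unofficial Acctinfo2.dll download.
Import-Module ActiveDirectory

function Get-AccountInfo {
    param([Parameter(Mandatory=$true)][string]$Identity)

    $props = 'objectSid','objectGUID','pwdLastSet','lastLogonTimestamp',
             'lockoutTime','badPwdCount','whenCreated','whenChanged'
    $u = Get-ADUser -Identity $Identity -Properties $props

    # FILETIME attributes are stored as 64-bit ticks; 0 means "never".
    $toDate = { param($ticks) if ($ticks -gt 0) { [DateTime]::FromFileTime($ticks) } else { $null } }

    # lastLogon is NOT replicated, so ask every DC and keep the newest value
    # (this is what the per-DC tab in Acctinfo.dll used to do for you).
    $lastLogon = Get-ADDomainController -Filter * | ForEach-Object {
        (Get-ADUser -Identity $Identity -Server $_.HostName -Properties lastLogon).lastLogon
    } | Sort-Object -Descending | Select-Object -First 1

    New-Object PSObject -Property @{
        SamAccountName     = $u.SamAccountName
        SID                = $u.objectSid.Value
        GUID               = $u.objectGUID.ToString()
        PasswordLastSet    = & $toDate $u.pwdLastSet
        LastLogon          = & $toDate $lastLogon              # newest across all DCs
        LastLogonTimestamp = & $toDate $u.lastLogonTimestamp   # replicated, but only accurate to ~14 days
        LockedOut          = ($u.lockoutTime -gt 0)
        BadPwdCount        = $u.badPwdCount                    # not replicated; the PDCe holds the authoritative count
        Enabled            = $u.Enabled
        Created            = $u.whenCreated
        Modified           = $u.whenChanged
    }
}

Get-AccountInfo -Identity 'administrator' | Format-List
```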

Using PowerShell to Verify Your Schema Version

I love PowerShell.  The more I learn the better it becomes.

There are several versions of the Active Directory Schema available.  You must know what version you are running to fully understand the capabilities it allows for.  Below shows the different versions of the Active Directory Schema.

Windows 2000 RTM with all Service packs = Schema version 13
Windows Server 2003 RTM with all Service packs = Schema version 30
Windows Server 2003 R2 RTM with all Service packs = Schema version 31
Windows Server 2008 RTM with all Service packs = Schema version 44
Windows Server 2008 R2 RTM with all Service packs = Schema version 47

Now to see what version you are running just open up PowerShell (make sure you’ve loaded the native AD Cmdlets) and type the following:

Get-ADObject "cn=schema,cn=configuration,dc=domain_name,dc=local" -properties objectversion

Just check the objectversion results for the corresponding number above to check your schema version.
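Rather than hand-editing the domain DN in that command, the schema naming context can be read from RootDSE and the objectVersion translated with the table above.  This is an added example, not from the original post; it assumes the ActiveDirectory module is loaded, and Get-SchemaVersion is a name I made up.

```powershell
# Added example (not from the original post): read the schema version without
# hard-coding the domain DN and translate it using the table from the post.
Import-Module ActiveDirectory

function Get-SchemaVersion {
    param([string]$Server)   # optional DC to query; defaults to the module's current DC

    $rootDse  = if ($Server) { Get-ADRootDSE -Server $Server } else { Get-ADRootDSE }
    $schemaNC = $rootDse.schemaNamingContext          # CN=Schema,CN=Configuration,DC=...
    $schema   = Get-ADObject -Identity $schemaNC -Properties objectVersion, fSMORoleOwner

    # Versions listed in the post; anything newer is reported as unknown rather than guessed.
    $knownVersions = @{
        13 = 'Windows 2000'
        30 = 'Windows Server 2003'
        31 = 'Windows Server 2003 R2'
        44 = 'Windows Server 2008'
        47 = 'Windows Server 2008 R2'
    }
    $version = [int]$schema.objectVersion
    $level = if ($knownVersions.ContainsKey($version)) { $knownVersions[$version] }
             else { 'unknown (newer than the table in this post)' }

    New-Object PSObject -Property @{
        SchemaNC      = $schemaNC
        ObjectVersion = $version
        Level         = $level
        SchemaMaster  = $schema.fSMORoleOwner   # NTDS Settings DN of the DC holding the Schema Master role
    }
}

Get-SchemaVersion | Format-List
```

Schema changes originate on the Schema Master, so pass that DC with -Server if you want the value before replication has caught up elsewhere.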

The Move to Word Press

I’ve moved my blog over to use Word Press instead of the previous Community Server that it was hosted on.  Hopefully all the redirects are set up and the migration worked.  The URL has changed slightly and is now http://blog.msmvps.com/ad.  I’m still playing with the theme and picture (the current one is from last summer in Hawaii).

Hopefully this will motivate me to post more. I’ve actually got a few projects that I’m working on that should lead to more content.  Please feel free to give me feedback on the new site and requests for content wouldn’t be bad either.

In the meantime I also need to test a post with a picture so here is one of Santa and me on the couch at work!


While I’ve got Santa up here I just want to say thanks to him for personally visiting my house the last two Christmas Eve nights and making my girls wide eyed and extremely happy to see him.


rsAccessDenied Error When Accessing Ops Mgr Reports

While setting up some performance reports in Ops Mgr 2007 I’ve been getting an rsAccessDenied message when I try to dig down into the report.

I set up and scheduled several performance reports to run every day and save them as a Web Archive.  I did so using an Admin account through the Ops Mgr console.  I’m able to view the report that is generated but when I click on it to get further details I get the following error:
The permissions granted to user ”DOMAIN\username” are insufficient for performing this operation. (rsAccessDenied) Get Online Help

If I run this as the admin user that created it I am able to view it.  I tried searching online to find the answer (thus the reason for this post) and there are thousands of possible solutions but none worked for me.  It seems I’ve found out the issue and wanted to share with you…and me when I forget in the future.

From the SQL Reporting server I opened the following page with an admin account – http://localhost/reports
I clicked Home in the top right corner
Select the second tab Properties
Click New Role Assignment
Add the user you want to have access to browse the report
Check the Role you want (I selected Browser)
Click Ok

That was it for me.  Now that user had access to browse the report.
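The same role assignment can be scripted against the Reporting Services web service, which is handy when you have more than one user to add.  This is an added example and not part of the original post; it assumes SSRS 2008 R2 or later (the ReportService2010 endpoint) on localhost, that you run it as a report server Content Manager, and DOMAIN\username is a placeholder taken from the error message above.

```powershell
# Added example (not from the original post): grant the Browser role on an SSRS
# folder through the ReportService2010 SOAP endpoint instead of Report Manager.
$Uri  = 'http://localhost/ReportServer/ReportService2010.asmx?wsdl'  # assumed report server URL
$Item = '/'                     # Home folder, as in the post; use the report's folder for a narrower grant
$User = 'DOMAIN\username'       # placeholder principal from the error message

# -Namespace gives the generated proxy types stable names (SSRS.Policy, SSRS.Role).
$rs = New-WebServiceProxy -Uri $Uri -UseDefaultCredential -Namespace 'SSRS'

# Read what is there already; $inherit reports whether the item inherits its parent's policies.
$inherit  = $false
$policies = @($rs.GetPolicies($Item, [ref]$inherit))

$existing = $policies | Where-Object { $_.GroupUserName -eq $User }
if ($existing) {
    # Never silently change an existing grant; just report it.
    "$User already has: " + (($existing.Roles | ForEach-Object { $_.Name }) -join ', ')
} else {
    $role = New-Object SSRS.Role
    $role.Name = 'Browser'              # least privilege for viewing reports and their details
    $policy = New-Object SSRS.Policy
    $policy.GroupUserName = $User
    $policy.Roles = @($role)

    # SetPolicies replaces the whole list (and stops inheritance on sub-folders),
    # so always pass the existing policies plus the new one.
    [SSRS.Policy[]]$updated = $policies + $policy
    $rs.SetPolicies($Item, $updated)
    "Granted Browser on $Item to $User"
}
```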

A Couple Quick Active Directory One-Liners

Here are a few one-liner commands to help get info on your Active Directory environment.  I don’t think there are any mind-blowing commands here but they’ve helped me out.  There are literally hundreds of these around the web as well as PowerShell ones but these are the ones that I’ve been using lately.

How to view the Domains you trust and see what those Domain SIDs are:

nltest /domain_trusts /v

A quick listing of your AD Sites:

dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn description location -filter (objectClass=site)

A quick listing of your AD sites and their Site Links and Costs (sure would be nice if you could spit this out to Visio or something):

dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn cost description replInterval siteList -filter (objectClass=siteLink)

Compare time against your forest root PDCe:

w32tm /monitor /computers:ForestRootPDC

Find out which DC for a site is the ISTG:

dsquery * "CN=NTDS Site Settings,CN=siteName,CN=Sites,CN=Configuration,DC=forestRootDomain" -attr interSiteTopologyGenerator
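The site-link listing above comes out of dsquery as raw attribute columns; with the AD cmdlets it can be turned into objects you can sort, filter or export to CSV (one step closer to the Visio diagram).  This is an added example, not from the original post; it assumes the ActiveDirectory module is loaded and Get-SiteLinkReport is a name I chose.

```powershell
# Added example (not from the original post): the site-link/cost listing from the
# dsquery one-liner, rebuilt with the AD cmdlets so it can be sorted or exported.
Import-Module ActiveDirectory

function Get-SiteLinkReport {
    # Same starting point as the dsquery command, but the DN comes from RootDSE.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $sitesDN  = "CN=Sites,$configNC"

    Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=siteLink)' `
                 -Properties cost, replInterval, siteList, description |
      ForEach-Object {
        $link = $_
        # Site links live under CN=IP or CN=SMTP (Inter-Site Transports); that RDN is the transport.
        $transport = ($link.DistinguishedName -split ',')[1] -replace '^CN=', ''
        # siteList holds full site DNs; keep just the site names.
        $sites = $link.siteList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }

        New-Object PSObject -Property @{
            SiteLink     = $link.Name
            Transport    = $transport
            Cost         = $link.cost
            ReplInterval = $link.replInterval       # minutes between replications
            Sites        = ($sites -join ', ')
            Description  = $link.description
        }
      }
}

Get-SiteLinkReport | Sort-Object Cost |
    Format-Table SiteLink, Transport, Cost, ReplInterval, Sites -AutoSize
# For a spreadsheet or diagramming tool:  Get-SiteLinkReport | Export-Csv sitelinks.csv -NoTypeInformation
```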

Using PowerShell to Resolve SIDs to Friendly Names

Time and time again I run into an issue that presents me with a SID which I need to resolve.  I’ve used a number of tools and scripts over the years to address this issue.  I think I have the best and easiest method for me to solve this issue that always seems to pop up.

If you’re new to PowerShell you will want to make sure you have it installed if you want to use this script…and yes it is a script not a command.  I do this by opening a text file and renaming it from a .txt file to a .ps1 file.  When you try to open a .ps1 file it may open in your text editor but for this you will want to Right Click it and select Edit which will open up whatever you have as your PowerShell editor.  Copy the following code into the Script Pane:

# The SID you want to resolve (replace this with your own)
$objSID = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList "S-1-5-21-768745588-123456789-987654321-500"
# Ask Windows to translate the SID into a DOMAIN\name account
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
$objUser.Value

Now just save this file and you can run it to return the results of the SID that you place in there.  The one thing that will change is the actual SID.  In this example I’m using S-1-5-21-768745588-123456789-987654321-500 which is the Well Known SID for the domain Administrator.  My results should show me the friendly name.  Anytime you change the SID you will have to resave the file but then just Run the script and it will show you the results.

I’m sure there is a way I could make this into an application but I’ll leave that fun for those looking to take this to the next step.
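Taking that “next step” without resaving the file each time: the lookup as a function that takes SIDs from the pipeline, handles the ones that no longer map to an account (the usual reason you are staring at a raw SID in an ACL), and also goes the other way from name to SID.  This is an added example, not from the original post; Resolve-Sid and Resolve-Name are names I chose, and the sample SIDs are constructed input.

```powershell
# Added example (not from the original post): the SID lookup as reusable functions.
function Resolve-Sid {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string]$Sid)
    process {
        try {
            $objSid  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Sid
            $account = $objSid.Translate([System.Security.Principal.NTAccount])
            New-Object PSObject -Property @{ SID = $Sid; Name = $account.Value; Resolved = $true }
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Orphaned SID: the account was deleted, or it belongs to a domain you cannot reach.
            New-Object PSObject -Property @{ SID = $Sid; Name = '<unresolved>'; Resolved = $false }
        } catch [System.ArgumentException] {
            # Not a well-formed SID string at all.
            New-Object PSObject -Property @{ SID = $Sid; Name = '<invalid SID>'; Resolved = $false }
        }
    }
}

function Resolve-Name {
    param([Parameter(Mandatory=$true)][string]$Name)   # e.g. 'DOMAIN\user' or 'BUILTIN\Administrators'
    $acct = New-Object System.Security.Principal.NTAccount -ArgumentList $Name
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Constructed sample input: a well-known SID that resolves on any Windows machine,
# the post's example SID (only resolves if that really is your domain), and junk.
'S-1-5-32-544',
'S-1-5-21-768745588-123456789-987654321-500',
'not-a-sid' | Resolve-Sid | Format-Table SID, Name, Resolved -AutoSize

Resolve-Name 'BUILTIN\Administrators'   # S-1-5-32-544
```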

Everything you wanted to know about Active Directory Replication but were afraid to ask

I was thinking about writing a post about Active Directory replication but thankfully soon realized that by doing so I could be severely depriving my kids and wife of a happy life.  It’s not that Active Directory replication is bad or harmful, it’s just that there is so much about it.  I don’t care who you are, you probably don’t know it all…I certainly don’t and have never claimed to.

While I was doing my research for this post I found what I’d like to call the bible of Active Directory replication.  I’m also thankful this was one of the first resources I picked up on and didn’t have too much time invested.  Without further ado – How the Active Directory Replication Model Works.  I think if you printed this out it would be about 100 pages or so (not confirmed but it is long).

This article goes over every little detail needed to fully understand the Active Directory replication model.  I’d love to know the person/team that wrote this and give them my gratitude.  I wish stuff like this existed for new products.  I still remember trying to learn Active Directory when it was in beta back in 1999 and not fully understanding USNs, Up-to-Dateness Vectors and Watermarks.

If you have any good resources on Active Directory replication please feel free to share so others can learn as well.