I know it's been a long time since my last public blog post…keyword being public. I've been active with some more private things at work but thought I'd get back on the saddle and start blogging again. Where have I been you ask??? Well I'm still at Intel but recently my job has changed. In fact as I look at my last post back in mid 2011 that was about the time I moved into a position managing an IT team supporting Intel's factories. It was a great experience that taught me a lot about our business. I've now moved back to my roots and am involved with Active Directory.
I hope to share some more best practices with you as well as give you updates on my crazy life…and it has gotten a lot more crazy with more animals than ever. In fact I think I live in a zoo sometimes.
How are you all doing? I hope people still see this and if so I’d love to hear from you. Hit me up in the comments and let me know what is going on in your world. What keeps you up at night? Are you going to the cloud for AD? What would you like to see up here? Who are the power players in this space now?
I hope to start integrating myself back into the community. In the meantime make sure you follow me on Twitter too @mvpbrian
A friend and former co-worker of mine (Sean Deuby) has some excellent Active Directory Troubleshooting guides available online for free. These aren't going to solve every problem for you but are great to ensure you have covered your bases when trying to troubleshoot Active Directory. Take a look at the link to see all the great help he has.
You know…is the Internet great? I mean really think about all the great things that are available at our fingertips, things like these great troubleshooting guides. The Internet hasn't always been great but I'd say over the last 5 years it has really blossomed well. I know there are bad and harmful things out there but I really do believe that there is more good than bad…OK, time for me to stop thinking out loud again.
I’ve been a fan of Server Core since I heard about it and you can see by the 20+ posts I have on the product. Server Core has been out since Windows 2008 which is just under 40 months. Server Core R2 has been out for about 20 months. One of the selling points that Microsoft made on server core was that it would have a reduced attack surface and thus you would have fewer reboots due to patches. While preparing for a talk on Server Core I wanted to investigate this a bit more. I reached out for some help to Andrew Mason (if you don’t know that name you aren’t a Server Core hard core freak like me). Andrew runs the official Server Core blog over on TechNet. Andrew sent me some wonderful information on the subject that I’d like to share with you.
Take a look at these numbers. I’ll explain in more detail below.
We are comparing both Server Core 2008 and R2. The Reduction column is % reduced based off the hotfixes Microsoft released during their existing lifespan. Critical Only is just that, the reduction of patches Microsoft rated Critical for both versions of Server Core.
Now let's look at the rows starting with All applicable patches.
Now we see the area called Necessary patches only. What does that mean? That is referencing the patches that are really needed for Server Core. There are some vulnerabilities that show Server Core as vulnerable but it's not exploitable. That is what is called out on the bottom of the graphic. Microsoft does this because it has changed the file and would probably prefer you to update the file eventually too. IMHO I'd patch these but would bundle them with the necessary patches.
I remember reading an article from David Cross on TechNet stating the following “In some cases, customers can see up to a 60% reduction in patch requirements and the number of reboots on a monthly basis” These are the numbers that back up statements such as that.
Those are some pretty impressive numbers. Great job to the whole Server Core team. I really hope Microsoft continues with this product and from recent announcements on the next version of SQL it looks like they are sticking with it.
*Numbers updated through the May 2011 patch Tuesday
Last week I was a speaker at Tech Immersion 2011 here in Phoenix Arizona. I gave four talks on a range of topics that covered Active Directory, PowerShell and Server Core. Hopefully I have some new followers since the conference and if so make sure to say hi in the comments.
The highlight for myself was meeting Jeffrey Snover. If you don't know who he is then you better Bing or Google him now. This is the father of PowerShell and now the Lead Architect for the Windows Server Division. He was really great to talk to; in fact there were a lot of great presenters there including PowerShell gurus Don Jones & James Brundage, Microsoft Certified Masters Miguel Wood & Mike Pfeiffer, MVPs and MCTs such as Simon Allardice, Scott Cate, Jeff Jones, Spike Xavier as well as Microsoft employees Michael Palermo, Harold Wong, Tony Harris & Kathrine Lord and ITIL/COBIT Master Mark Thomas. I left one person out and that was on purpose. Jason Helmick…what can I say. He along with the rest of Interface Technical Training put on an excellent conference that will only grow more and more as time goes on. Great job Jason and Lynn from Interface as well as everyone else that supported this event.
Here is a pic of Jeffrey and I after the event hanging out at Dick’s Hideaway.
I can’t wait for Interface to host another great event like this.
Some of you may have used Acctinfo.dll to get the additional Account Info tab when managing Active Directory from 2003 or Windows XP. It was a great add-on that showed you additional info about Users such as their GUID and SID amongst many other things.
I've heard rumors that some people have seen Acctinfo2.dll out in the wild…aka the Internet and that it works on Server 2008 R2. Please don't download anything called Acctinfo2.dll from the Internet unless it is officially from Microsoft. I'm not saying that Acctinfo2.dll doesn't exist…to be honest I have no idea because I've never tried to install it. But like you I'm not a fan of downloading something that could potentially do harm to my environment.
For those looking to get those "Additional Account" attributes you can still do it. The first way is to just use the Attributes tab in Active Directory Users and Computers, but there is an even better way. All you really need to do is use the Active Directory Administration Center. Let me show you.
Once you open the Active Directory Administration Center up you can do a search for the user you want additional info on:
Now either double-click on that account or click the Properties from the Tasks on the right side.
These are the standard account properties…but…did you notice the area called Modified on the bottom? That is where the magic really happens.
Here you can see all sorts of goodies including an account’s SID. Just take a look at all that goodness.
Good stuff indeed. Now stop trying to download something that doesn’t exist except in Area 51.
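If you would rather pull the same Account Info details from a prompt than click through the Administration Center, here is an added example (my own illustration, not code from the original post) that reads them with the native AD cmdlets. It assumes the ActiveDirectory module is available and that you can read the user object; the account name 'jdoe' is a constructed placeholder.

```powershell
# Added example, not from the original post: the attributes the old Account Info
# tab showed (SID, GUID, password dates, last logon, lockout), read with Get-ADUser.
# Assumes the ActiveDirectory module; 'jdoe' below is a constructed placeholder.
Import-Module ActiveDirectory

function Get-AccountInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Identity
    )
    process {
        $props = 'pwdLastSet', 'lastLogonTimestamp',
                 'msDS-UserPasswordExpiryTimeComputed', 'LockedOut',
                 'AccountExpirationDate', 'whenCreated', 'whenChanged'
        $u = Get-ADUser -Identity $Identity -Properties $props

        # FILETIME attributes (100 ns ticks since 1601). 0 means "never set" or
        # "must change at next logon"; the expiry field is Int64.MaxValue when
        # the password is set to never expire.
        $toDate = {
            param($ft)
            if (-not $ft -or $ft -eq [long]::MaxValue) { $null }
            else { [datetime]::FromFileTime([long]$ft) }
        }

        [pscustomobject]@{
            Name            = $u.SamAccountName
            SID             = $u.SID.Value          # SecurityIdentifier -> string
            GUID            = $u.ObjectGUID
            PasswordLastSet = & $toDate $u.pwdLastSet
            PasswordExpires = & $toDate $u.'msDS-UserPasswordExpiryTimeComputed'
            LastLogon       = & $toDate $u.lastLogonTimestamp   # replicated value, can lag up to 14 days
            LockedOut       = $u.LockedOut
            AccountExpires  = $u.AccountExpirationDate
            Created         = $u.whenCreated
            Modified        = $u.whenChanged
        }
    }
}

Get-AccountInfo -Identity 'jdoe' | Format-List
```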
I love PowerShell. The more I learn the better it becomes.
There are several versions of the Active Directory Schema available. You must know what version you are running to fully understand the capabilities it allows for. Below shows the different versions of the Active Directory Schema. The following link from MSDN should also update later versions.
Windows 2000 RTM = Schema version 13
Windows Server 2003 RTM = Schema version 30
Windows Server 2003 R2 RTM = Schema version 31
Windows Server 2008 RTM = Schema version 44
Windows Server 2008 R2 RTM = Schema version 47
Windows Server 2012 RTM = Schema version 56
Windows Server 2012 R2 RTM = Schema version 69
Windows Server 2016 RTM = Schema version 87
Now to see what version you are running just open up PowerShell (make sure you’ve loaded the native AD Cmdlets) and type the following:
Get-ADObject "cn=schema,cn=configuration,dc=domain_name,dc=local" -Properties objectVersion
Just check the objectversion results for the corresponding number above to check your schema version.
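As an added example (mine, not from the original post), here is the same check with the schema path read from RootDSE instead of typed by hand, and the number mapped against the table above; versions the table does not list are reported as such rather than guessed. It assumes the ActiveDirectory module is loaded.

```powershell
# Added example, not from the original post: read objectVersion from the forest's
# schema naming context (via RootDSE, so no dc=domain_name,dc=local to edit) and
# map it to the release using the table from the post above.
Import-Module ActiveDirectory

$SchemaVersions = @{
    13 = 'Windows 2000 RTM'
    30 = 'Windows Server 2003 RTM'
    31 = 'Windows Server 2003 R2 RTM'
    44 = 'Windows Server 2008 RTM'
    47 = 'Windows Server 2008 R2 RTM'
    56 = 'Windows Server 2012 RTM'
    69 = 'Windows Server 2012 R2 RTM'
    87 = 'Windows Server 2016 RTM'
}

function Get-ADSchemaVersion {
    [CmdletBinding()]
    param([string]$Server)   # optional DC or forest name; default is the current forest

    $dseArgs = @{}
    if ($Server) { $dseArgs.Server = $Server }

    # RootDSE publishes the schema NC distinguished name for us
    $rootDse = Get-ADRootDSE @dseArgs
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion @dseArgs
    $ver     = [int]$schema.objectVersion

    [pscustomobject]@{
        SchemaNC      = $rootDse.schemaNamingContext
        ObjectVersion = $ver
        Release       = if ($SchemaVersions.ContainsKey($ver)) { $SchemaVersions[$ver] }
                        else { 'Not in the table above (newer release or non-standard schema)' }
    }
}

Get-ADSchemaVersion
```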
I've moved my blog over to use WordPress instead of the previous Community Server that it was hosted on. Hopefully all the redirects are set up and the migration worked. The URL has changed slightly and is now http://blog.msmvps.com/ad. I'm still playing with the theme and picture (the current one is from last summer in Hawaii).
Hopefully this will motivate me to post more. I’ve actually got a few projects that I’m working on that should lead to more content. Please feel free to give me feedback on the new site and requests for content wouldn’t be bad either.
In the meantime I also need to test a post with a picture so here is one of Santa and I on the couch at work!
While I’ve got Santa up here I just want to say thanks to him for personally visiting my house the last two Christmas Eve nights and making my girls wide eyed and extremely happy to see him.
While setting up some performance reports in Ops Mgr 2007 I’ve been getting an rsAccessDenied message when I try to dig down into the report.
I setup and scheduled several performance reports to run every day and save them as a Web Archive. I did so using an Admin account through the Ops Mgr console. I’m able to view the report that is generated but when I click on it to get further details I get the following error:
The permissions granted to user "DOMAIN\username" are insufficient for performing this operation. (rsAccessDenied) Get Online Help
If I run this as the admin user that created it I am able to view it. I tried searching online to find the answer (thus the reason for this post) and there are thousands of possible solutions but none worked for me. It seems I've found out the issue and wanted to share it with you…and me when I forget in the future.
From the SQL Reporting server I opened the following page with an admin account – http://localhost/reports
I clicked Home in the top right corner
Select the second tab Properties
Click New Role Assignment
Add the user you want to have access to browse the report
Check the Role you want (I selected Browser)
That was it for me. Now that user had access to browse the report.
Here are a few one-liner commands to help get info on your Active Directory environment. I don't think there are any mind-blowing commands here but they've helped me out. There are literally hundreds of these around the web as well as PowerShell ones but these are the ones that I've been using lately.
How to view the Domains you trust and see what those Domain SIDs are:
nltest /domain_trusts /v
A quick listing of your AD Sites:
dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn description location -filter (objectClass=site)
A quick listing of your AD sites and their Site Links and Costs (sure would be nice if you could spit this out to Visio or something):
dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn cost description replInterval siteList -filter (objectClass=siteLink)
Compare time against your forest root PDCe:
w32tm /monitor /computers:ForestRootPDC
Find out which DC for a site is the ISTG:
dsquery * "CN=NTDS Site Settings,CN=siteName,CN=Sites,CN=Configuration,DC=forestRootDomain" -attr interSiteTopologyGenerator
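The site, site-link and ISTG lookups above done with the AD module, as an added example (mine, not from the original post): the configuration container comes from RootDSE so no forest root DN is typed in, and the site-link table goes to CSV, which is an easy way to get it into Visio or a spreadsheet. It assumes the ActiveDirectory module is loaded.

```powershell
# Added example, not from the original post: PowerShell versions of the dsquery
# one-liners above, driven off RootDSE. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"

# AD sites (same as -filter (objectClass=site))
function Get-SiteSummary {
    Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=site)' `
        -Properties description, location |
        Select-Object Name, description, location
}

# Site links with cost and interval; siteList holds DNs, so keep only the site CN
function Get-SiteLinkSummary {
    Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=siteLink)' `
        -Properties cost, description, replInterval, siteList |
        ForEach-Object {
            [pscustomobject]@{
                Link         = $_.Name
                Cost         = $_.cost
                IntervalMins = $_.replInterval
                Sites        = ($_.siteList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
                Description  = ($_.description -join ' ')
            }
        }
}

# ISTG per site: the attribute is the DN of the DC's NTDS Settings object and is
# empty when the KCC has not (yet) elected a generator for that site.
function Get-IstgSummary {
    Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=nTDSSiteSettings)' `
        -Properties interSiteTopologyGenerator |
        ForEach-Object {
            $istg = $_.interSiteTopologyGenerator
            [pscustomobject]@{
                Site = ($_.DistinguishedName -split ',')[1] -replace '^CN='   # CN=NTDS Site Settings,CN=<site>,...
                ISTG = if ($istg) { ($istg -split ',')[1] -replace '^CN=' } else { '(none elected)' }
            }
        }
}

Get-SiteSummary     | Format-Table -AutoSize
Get-SiteLinkSummary | Export-Csv -Path .\sitelinks.csv -NoTypeInformation
Get-IstgSummary     | Format-Table -AutoSize
```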
Time and time again I run into an issue that presents me with a SID which I need to resolve. I’ve used a number of tools and scripts over the years to address this issue. I think I have the best and easiest method for me to solve this issue that always seems to pop up.
If you’re new to PowerShell you will want to make sure you have it installed if you want to use this script…and yes it is a script not a command. I do this by opening a text file and renaming it from a .txt file to a .ps1 file. When you try to open a .ps1 file it may open in your text editor but for this you will want to Right Click it and select Edit which will open up whatever you have as your PowerShell editor. Copy the following code into the Script Pane:
# Build a SecurityIdentifier from the SID string you want to resolve
$objSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-768745588-123456789-987654321-500")
# Ask Windows to translate it to a DOMAIN\account name
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
# Write the friendly name out; without this line the script resolves the SID but shows nothing
$objUser.Value
Now just save this file and you can run it to return the results of the SID that you place in there. The one thing that will change is the actual SID. In this example I'm using S-1-5-21-768745588-123456789-987654321-500 which is the Well Known SID for the domain Administrator. My results should show me the friendly name. Anytime you change the SID you will have to resave the file but then just Run the script and it will show you the results.
I'm sure there is a way I could make this into an application but I'll leave that fun for those looking to take this to the next step.
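One step in that direction, as an added example (mine, not code from the original post): the same Translate() call wrapped in a function that takes the SID as a parameter, so the file never needs editing, accepts a list of SIDs from the pipeline, and reports malformed or unmapped SIDs (deleted accounts, foreign-domain SIDs, orphaned ACL entries) instead of stopping on the first error. The sample SIDs at the bottom are constructed inputs.

```powershell
# Added example, not from the original post: parameterised SID resolver built on
# the same .NET SecurityIdentifier/NTAccount calls as the two-line script above.
function Resolve-Sid {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Sid
    )
    process {
        foreach ($s in $Sid) {
            try {
                $objSID = New-Object System.Security.Principal.SecurityIdentifier($s)
            } catch {
                # Not even a syntactically valid SID (typo, truncated copy/paste)
                [pscustomobject]@{ SID = $s; Account = $null; Status = 'Invalid SID format' }
                continue
            }
            try {
                $objUser = $objSID.Translate([System.Security.Principal.NTAccount])
                [pscustomobject]@{ SID = $s; Account = $objUser.Value; Status = 'Resolved' }
            } catch [System.Security.Principal.IdentityNotMappedException] {
                # Well-formed, but no account with this SID in any reachable domain
                [pscustomobject]@{ SID = $s; Account = $null; Status = 'Not mapped' }
            } catch {
                [pscustomobject]@{ SID = $s; Account = $null; Status = "Error: $($_.Exception.Message)" }
            }
        }
    }
}

# Constructed inputs: the built-in Administrators alias (resolves on any Windows box),
# the RID-500 example from the post (the domain part is a placeholder, so it will
# show as 'Not mapped' outside that domain), and a deliberately malformed value.
'S-1-5-32-544',
'S-1-5-21-768745588-123456789-987654321-500',
'S-1-5-21-not-a-sid' | Resolve-Sid | Format-Table -AutoSize
```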