Archive for Active Directory

There are a ton of methods to backup Active Directory.  I’m not going to get into each method with this post.  What I am going to do is share another little command that can be run to check to see if your Active Directory was backed up and when.

Before I discuss that command one point I would like to make is to be very careful about who you let backup and restore your Active Directory DB.  From a security standpoint this could be a major violation of your company’s security policy.  Think it about for a minute.  Let’s say I work in a support group in your company that provides backup and restore services for all systems, including Domain Controllers.  I could take that backup of Active Directory and restore it to a private system that I have.  Now I could use a number of tools to help try to crack into it.  Sure it may take a bit of time but I”ve got plenty of time.

If you have a group that is responsible for backups and restores on Domain Controllers then I believe you need to put some really good policies and guidelines in place to protect your most important asset…Active Directory.  I actually don’t like anyone backing up Active Directory that isn’t an Administrator and I always select the option that only and Administrator can restore the backup.  I understand that a rouge admin could do harm but at least there was some mitigation put in place.

Now, finally to the point.  Is my Active Directory backed up?  For this one we are going to run another Repadmin command.

repadmin /showbackup

This will show you when your last backup of Active Directory ran.  You don’t need to run it against a specific DC because Active Directory doesn’t care.  If you have child domains in your environment and want to run this against them all just put a  * at the end of the command and it will check all the domains.

Now go out there and make sure your Active Directory is backed up!!!

It seems I”m always trying to remember this little command and its about time I put here where I can always access it in the future.  This isn’t a new command but it is a nifty little one that will initiate replication across your environment. 

Repadmin /syncall  /APed

I prefer to run it from the DC (thus the reason DC_name is taken out after /syncall) and from the  command line to pipe it out to a text file.

There are quite a few ways to view what your FSMO roles are.  You can use the GUI tools or even the following netdom command that I”ve shared in the past – netdom query fsmo

However if you are working in a trusted multi-domain environment the following command can help you view the FSMO role holders remotely.

netdom query /domain:%domainname% fsmo

This is just a huge time saver and hopefully you can add it to your tool belt of commands.

If you’ve got time on such short notice try to check out the webcast O’Reilly is hosting on What’s New in Active Directory for Server 2008 R2.  It is going to be hosted by two other Directory Services MVPs Brian Desmond and Laura Hunter.

This is a free event and is scheduled for 90 mins.
Date: Friday, April 24, 2009

Time: 10am San Francisco | 6pm  London | 1pm – New York | Sat, Apr 25th at 3am – Sydney | Sat, Apr 25th at 2am – Tokyo | Sat, Apr 25th at 1am – Beijing | 10:30pm – Mumbai

Registration Link –

Hopefully some of you have been playing with Server 2008 R2 while it has been in Beta.  One of the features I’m looking forward to most is the AD Recycle Bin.  Yes you heard me correct.  We now have an easy method for restoring accidently deleted objects. 

In the past our only recovery method out of the box was to perform an authoritative restore of an object. That method had several issues that always rubbed me the wrong way.  First you had to be in Directory Services Restore Mode (DRSM).  And ever since Server 2003 we could use tombstone reanimation but that removed most of the non-link-valued attributes.  This lead to additional work after the restore. The default tombstone lifetime was 180 days with Server 2003 and 2008.

You are probably already familiar with tombstones and the garbage collection process.  If not read Gil’s excellent article on that here.  With Server 2008 R2 you will need to now become aware of Deleted Object and Recycled Object.  The first thing to realize here is that the AD Recycle Bin is not enabled by default with Server 2008 R2.  The following steps/requirements must first be met:

  1. Raise the Forest Functional Level to Server 2008 R2
  2. Enable AD Recycle Bin (my example uses PowerShell…get use to it now)
    1. Enable-ADOptionalFeature –Identity “CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration, DC=AdminPrep,DC=com” –Scope ForestOrConfigurationSet –Target “”
    2. Just make sure to replace AdminPrep with your domain

Now when an object is deleted it is not marked for tombstone it is marked as deleted.  It places the object in the Deleted Objects container which is hidden but can be located here – CN=Deleted Objects.  When you want to restore an object there are two methods that I”m aware of, one using PowerShell and the other using LDP.

Using LDP:

  1. Using elevated credentials, open LDP by typing ldp.exe from the Run Dialog box
  2. Click Connections and select Connect and then go back and select Bind
  3. Navigate to the CN=Deleted Objects
  4. Find the object you wish to restore and right-click it and select Modify
  5. In the Modify dialog box:
    1. In Edit Entry Attribute, type isDeleted
    2. Leave the Values box empty
    3. Under Operation, click Delete,and then click Enter
    4. In Edit Entry Attribute,type distinguishedName
    5. In Values, type the original distinguished name (also known as DN) of this Active Directory object
    6. Under Operation, click Replace
    7. Make sure that the Extended check box is selected, click Enter, and then click Run

To restore an object using PowerShell you must use the Get-ADObject and Restore-ADObject cmdlets.  Using PowerShell:

  1. Open the Active Directory PowerShell command Prompt and use the following syntax:
    1. Get-ADObject-Filter {String} -IncludeDeletedObjects | Restore-ADObject
  2. Here is an example of restoring a deleted user account named Brian:
    1. Get-ADObject -Filter {displayName -eq “Brian”} -IncludeDeletedObjects | Restore-ADObject

When restoring multiple items that may be linked (OU or Group that contains Users) you will want to start at the highest level.

An object can only be restored using those methods if it is still within the Deleted Object Lifetime.  The attribute is msDS-deletedObjectLifetime and if you look it up it will have a null value which the default time is 180 days.

Here is a look at what AD Recycle Bin looks like visually

I just found out that there is an Active Directory PowerShell Blog run by Microsoft’s AD PowerShell team.  I gathered that info from reading up on Jason’s post.  Its amazing how much info you can get from reading other people’s blogs…now on to the regularly scheduled post…

After writing my article on the AD Recycle Bin I thought I would include a few PowerShell scripts here that can be used to modify the tombstone lifetime along with the deleted object lifetime.  Remember that the default for both of these is going to be 180 days and will show up as Null if you use LDP to view the attributes.

PowerShell Script to change the tombstone lifetime of my domain (AdminPrep.Local) to 250 days:

Set-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=AdminPrep,DC=Local” –Partition “CN=Configuration,DC=AdminPrep,DC=Local” –Replace:@{“tombstoneLifetime” = 250}

PowerShell Script to change the deleted object lifetime:

Set-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=AdminPrep,DC=Local” –Partition “CN=Configuration,DC=AdminPrep,DC=Local” –Replace:@{“msDS-DeletedObjectLifetime” = 250}

I’ve removed plenty of DCs and Domains in my years.  In fact I recently blogged about how remove a failed DC here.  It seems sometimes after removing a domain from your environment doesn’t remove it entirely. 

You may see a message that says the following:
The trusts between this domain (abc.local) and the following domain(s) are in an error state: (inbound), the error is:
The specified domain either does not exist or could not be contacted. (0x54B)

Normally this message is pretty self explanatory.  However if you removed the domain and it still shows up then it can cause some unrest.

To remove those messages and to completely remove those messages you will want to open ADSIEdit.msc from a DC and expand out the Domain partition.  From there select CN=System.  Now you should see in the results pane a listing of objects.  In there you should find the domain in question as a trustedDomain class.  If indeed the domain has been removed go ahead and right click it and delete it.


I was working an issue where I couldn’t import Group Policy’s settings to a new policy from one environment to another using GPMC.  The error message I got was the following:

GPO: Test GPO V1.0…Failed

The overall error was: The system cannot find the file specified.
Additional details follow.

[Error] The task cannot be completed. There was an error with extension [Registry]. The file [domain_namesysvoldomain_namePolicies{AAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}Admadmfiles.ini] cannot be accessed.
The following error occurred:
The system cannot find the file specified.

I got the policy from in a zipped format and all seemed well when I unzipped it.  The first thing I did was try to copy the admfiles.ini from another policy into the new policy I was trying to import the settings to.  That didn’t work.  I then took a closer look into the policy that was unzipped.  I noticed after digging further into the guts of this policy that it was in fact missing not only this file but also GptTmpl.inf and install.ins.  The culprit was Outlook blocking certain types of files due to a security configuration.

To resolve this I had to password protect the zip file to ensure those three files came through.  Once I tried to import the settings with all the files there…it worked!  Imagine that.

I pulled together a few links to help point people in the right direction on resources for AD in Windows Server 2008.  You’ll find all kinds of goodies, from virtual labs to videos by some of your favorite public speakers and of course what I think are the must have…the Guides!

Links and Documents:
AD DS Operations Guide

AD DS Design Guide

AD DS Deployment Guide

Server 2008 Auditing AD DS Changes Step-by-Step Guide

Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration

Step-by-Step Guide for Read-Only Domain Controllers

Free Virtual Labs:
Managing Active Directory – Directory Services

Fine Grained Password Settings in Windows Server 2008 (Beta 3)

AD in Server 2008

Fine Grained Password Policies

Prepare for RODCs

Install a RODC from IFM

Group Policy in 2008

I’ve seen this issue come up time and time again.  Some administrator decided to remove an old DC from the network but forgot to remove it from Active Directory or the DC has entered a failed state and cannot be recovered from.  In a perfect world DCPROMO is all you have to do to remove a DC from the environment.  However, if that DC was already shutdown or DCPROMO is giving you problems you will have to remove it the manual way.  That method involves using a command called NTDSUTIL.  NTDSUTIL is a command line tool that allows you to perform some of the more advanced Active Directory maintenance tasks.

Below are the steps needed to remove a failed or offline Domain Controller from your environment.
TIP: NTDSUTIL does not require the full command to be entered…you only have to enter enough of the command that is unique.  For Example, instead of typing metadata cleanup you could just type met cle…or better yet m c

  1. Open the Command Prompt
  2. Type ntdsutil (all the commands will be entered via this command prompt)
  3. Type metadata cleanup
  4. Type connections
  5. Type connect to server <ServerName> and replace <ServerName> with the name of a functional DC in your environment…even if you are logged in locally.  This step is not needed post W2K3 SP1.
  6. Type quit
  7. Type select operations target
  8. Type lists sites
  9. Type select site <#> where <#> is the site where the failed or offline DC resided
  10. Type list servers in site
  11. Type select server <#>  where <#> is the DC that is failed or offline
  12. Type list domains
  13. Type select domain <#>  where <#> is the domain where the failed or offline DC resided (at this point you should verify that the site, server and domain are all selected)
  14. Type quit (this should set you back to the metadata cleanup menu)
  15. Type remove selected server ( a warning message will pop up…verify that this is the correct DC…in fact get a peer to verify it for you too)
  16. Click Yes
  17. Open Active Directory Sites and Services
  18. Expand out the site that the failed or offline DC resided in
  19. Verify the DC cannot be expanded out (no connection objects and such)
  20. Right Click the DC and select Delete
  21. Close Active Directory Sites and Services
  22. Open Active Directory Users and Computers
  23. Expand the Domain Controllers OU
  24. Delete the failed or offline DC from the OU (if it even exists)
  25. Close Active Directory Users and Computers
  26. Open DNS Manager
  27. Expand the zones where this DC was also a DNS server and perform the following steps
  28. Right click the zone and select Properties
  29. Click the Name Servers tab
  30. Remove the failed or offline DC from the Name Servers tab
  31. Click OK to also remove the HOST (A) or Pointer (PTR) record if asked
  32. Verify the zone no longer has a DNS record for the failed or offline DC

You can also find more info located on Microsoft site here and here for removing orphaned domains.