Archive for Windows Server 2008

There are a ton of methods to backup Active Directory.  I’m not going to get into each method with this post.  What I am going to do is share another little command that can be run to check to see if your Active Directory was backed up and when.

Before I discuss that command one point I would like to make is to be very careful about who you let backup and restore your Active Directory DB.  From a security standpoint this could be a major violation of your company’s security policy.  Think it about for a minute.  Let’s say I work in a support group in your company that provides backup and restore services for all systems, including Domain Controllers.  I could take that backup of Active Directory and restore it to a private system that I have.  Now I could use a number of tools to help try to crack into it.  Sure it may take a bit of time but I”ve got plenty of time.

If you have a group that is responsible for backups and restores on Domain Controllers then I believe you need to put some really good policies and guidelines in place to protect your most important asset…Active Directory.  I actually don’t like anyone backing up Active Directory that isn’t an Administrator and I always select the option that only and Administrator can restore the backup.  I understand that a rouge admin could do harm but at least there was some mitigation put in place.

Now, finally to the point.  Is my Active Directory backed up?  For this one we are going to run another Repadmin command.

repadmin /showbackup

This will show you when your last backup of Active Directory ran.  You don’t need to run it against a specific DC because Active Directory doesn’t care.  If you have child domains in your environment and want to run this against them all just put a  * at the end of the command and it will check all the domains.

Now go out there and make sure your Active Directory is backed up!!!

It seems I”m always trying to remember this little command and its about time I put here where I can always access it in the future.  This isn’t a new command but it is a nifty little one that will initiate replication across your environment. 

Repadmin /syncall  /APed

I prefer to run it from the DC (thus the reason DC_name is taken out after /syncall) and from the  command line to pipe it out to a text file.

Not sure how many people modify the size of the Windows Event Logs but it is something that I like to do simply because the default sizes of most them is just not enough.  For example you may remember the default for your System and Application log files was a measly 512kb.  That logged all of about a day of a really busy application server. 

The problem with Server 2003 was the recommended maximum size for a log file was only around 300mb and the maximum total size for all Event Log files was around 400mb.  You do the math and you can see that realistically you aren’t going be able to realize the benefits of having larger Event Log file sizes.

This has to do with Windows storing the logs in memory.  As you can tell a 32bit system would run into some serious memory issues if you wanted to expand the size of several of these.  Thankfully in Server 2008 this has changed.  Microsoft has increased the recommended maximum size of a log file up to 4gb and all of them up to 16gb.  Of course you will want to make sure you’re running the x64 flavor of Server 2008 to really see this advantage.

Take a look at the following knowledgebase from Microsoft for more info.

Just saw over on the Server Core blog that Andrew posted some links to a couple excellent resources.  The first one is what I consider to be the Server Core Bible.  It has just about everything you can think of when it comes to configuring Server Core.  The next link is to a couple job aids that give you a quick look at some common commands. 

These job aids actually gives me some ideas on some things I’d like to create…now if I only had more time. 

There are quite a few ways to view what your FSMO roles are.  You can use the GUI tools or even the following netdom command that I”ve shared in the past – netdom query fsmo

However if you are working in a trusted multi-domain environment the following command can help you view the FSMO role holders remotely.

netdom query /domain:%domainname% fsmo

This is just a huge time saver and hopefully you can add it to your tool belt of commands.

As I’ve done with Active Directory and Failover Clustering I”m going to share with you some links and resources for Server 2008’s Terminal Services.  I for one really like some of the new features of Terminal Services.  I also seen some really cool customizations that people have been doing with these components.  Although I’m not completely sold on renaming the service to Remote Desktop Services when R2 comes out for Server 2008.

The links are bucketed in three categories but not placed in any specific order.

General Resources


Terminal Server Performance Posts

I pulled together a few links to help point people in the right direction on resources for AD in Windows Server 2008.  You’ll find all kinds of goodies, from virtual labs to videos by some of your favorite public speakers and of course what I think are the must have…the Guides!

Links and Documents:
AD DS Operations Guide

AD DS Design Guide

AD DS Deployment Guide

Server 2008 Auditing AD DS Changes Step-by-Step Guide

Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration

Step-by-Step Guide for Read-Only Domain Controllers

Free Virtual Labs:
Managing Active Directory – Directory Services

Fine Grained Password Settings in Windows Server 2008 (Beta 3)

AD in Server 2008

Fine Grained Password Policies

Prepare for RODCs

Install a RODC from IFM

Group Policy in 2008

I’ve seen this issue come up time and time again.  Some administrator decided to remove an old DC from the network but forgot to remove it from Active Directory or the DC has entered a failed state and cannot be recovered from.  In a perfect world DCPROMO is all you have to do to remove a DC from the environment.  However, if that DC was already shutdown or DCPROMO is giving you problems you will have to remove it the manual way.  That method involves using a command called NTDSUTIL.  NTDSUTIL is a command line tool that allows you to perform some of the more advanced Active Directory maintenance tasks.

Below are the steps needed to remove a failed or offline Domain Controller from your environment.
TIP: NTDSUTIL does not require the full command to be entered…you only have to enter enough of the command that is unique.  For Example, instead of typing metadata cleanup you could just type met cle…or better yet m c

  1. Open the Command Prompt
  2. Type ntdsutil (all the commands will be entered via this command prompt)
  3. Type metadata cleanup
  4. Type connections
  5. Type connect to server <ServerName> and replace <ServerName> with the name of a functional DC in your environment…even if you are logged in locally.  This step is not needed post W2K3 SP1.
  6. Type quit
  7. Type select operations target
  8. Type lists sites
  9. Type select site <#> where <#> is the site where the failed or offline DC resided
  10. Type list servers in site
  11. Type select server <#>  where <#> is the DC that is failed or offline
  12. Type list domains
  13. Type select domain <#>  where <#> is the domain where the failed or offline DC resided (at this point you should verify that the site, server and domain are all selected)
  14. Type quit (this should set you back to the metadata cleanup menu)
  15. Type remove selected server ( a warning message will pop up…verify that this is the correct DC…in fact get a peer to verify it for you too)
  16. Click Yes
  17. Open Active Directory Sites and Services
  18. Expand out the site that the failed or offline DC resided in
  19. Verify the DC cannot be expanded out (no connection objects and such)
  20. Right Click the DC and select Delete
  21. Close Active Directory Sites and Services
  22. Open Active Directory Users and Computers
  23. Expand the Domain Controllers OU
  24. Delete the failed or offline DC from the OU (if it even exists)
  25. Close Active Directory Users and Computers
  26. Open DNS Manager
  27. Expand the zones where this DC was also a DNS server and perform the following steps
  28. Right click the zone and select Properties
  29. Click the Name Servers tab
  30. Remove the failed or offline DC from the Name Servers tab
  31. Click OK to also remove the HOST (A) or Pointer (PTR) record if asked
  32. Verify the zone no longer has a DNS record for the failed or offline DC

You can also find more info located on Microsoft site here and here for removing orphaned domains.

This has to be the mother of all resource collections on Microsoft clustering and high availability.  I’ve copied over the links directly from the MS Cluster blog so that I have quick access to them in the future.

General Resources


Exchange Server

File Server


Multi-Site Clustering

Network Load Balancing

SQL Server

From time to time I’ve had to figure out which user account has a specific email address.  Actually its more like finding who has the “” so another “more senior” person can get it.  Well if you work in a smaller company this can be kind of easy…but if your directory has thousands of accounts it becomes more difficult and time consuming.

What you will want to do is open up Active Directory Users and Computers and right-click the domain and select Search.  Select the drop-down arrow in the Find field to select Custom Search.  If you have multiple domains make sure to select Entire Directory on the In field.  Now just click on the Advanced tab and put the following text in the LDAP Query – proxyaddresses=smtp:<whatever the email is you’re looking for>.  Now all you have to do is click on Find Now and if the email is in use it will show the user account that is using it.