November 2022


Archive for Directory Services

Windows 8 Developer Preview…Dcpromo

January 20th, 2012 by and tagged

After reading various articles, I decided to try my hands on the Windows 8 Developer Preview too. I downloaded the VHD file available on MSDN and created a VM using VMware Workstation 8 to configure a domain controller on Windows 8. To promote the server to a DC, I thought of the old way of running dcpromo from the Run box, but I could not locate it and could not see anywhere to get it on the home screen. So I first tried to disable the Metro interface, since it is more suited to mobile devices than to a server desktop.

I then tried to find the Run/cmd window again to disable the Metro UI, but could not. I was finally able to open Windows Explorer and typed cmd in it, and it popped up; in the same Explorer window, typing regedit opened it too, and I was finally able to disable the Metro UI at the registry path below.

Locate HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer

Change the RPEnabled value from “1” to “0” as shown in the image below; to revert the setting, set the value back to its original value.

Now I got the classic Start menu interface that I'm used to. Then I tried to configure AD using DCPROMO and received the error below. From the error it is clear that you can't run dcpromo directly from Run or cmd; you first need to install the AD DS role from Server Manager.

Open Server Manager > click Add Roles > check Active Directory Domain Services, click Next accepting all the defaults, and click Finish. DO NOT check the option to install the DNS Server at this time, as this gives an error during the prerequisite check and ultimately fails the dcpromo on the server. We will install the DNS Server service at a later stage.

Go to the dashboard; under Roles and Server Groups you will see the roles listed. Click More in front of the configuration requirement under Active Directory Domain Services.


If you look at the image below, you will find faded text reading “Promote this server to a domain controller”. It took me more than 10 minutes to locate this option; I had to scroll to the right, and it was almost hidden.



Once I clicked “Promote this server to a domain controller”, I got the screen below and started my configuration.



I clicked Next to proceed, but when I reached the window to confirm the installation, I found it had not offered me the option to configure the NetBIOS name. So the fact is that you can't choose the NetBIOS name in the GUI; you need to use a PowerShell script for that.

In the screenshot below the prerequisite check completed without any error; now click the Install button.




Close the console and the server will reboot. The server is now a domain controller. Enjoy playing with AD!
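The same role install and promotion done from PowerShell, as an added example that is not from the original post: it assumes the ADDSDeployment cmdlets that shipped in Windows Server 2012 (the released form of this preview) and uses placeholder domain names. It sets the NetBIOS name that the wizard did not offer.

```powershell
# Added example, not from the original post. Assumes the ADDSDeployment and ServerManager
# cmdlets of Windows Server 2012; domain names below are placeholders. Run elevated.
$DomainName  = "corp.example.local"   # placeholder forest root DNS name
$NetbiosName = "CORP"                 # NetBIOS name: the setting the GUI did not offer

# 1. Install the AD DS role only. As in the post, DNS is NOT added as a separate role;
#    the promotion step installs and configures it once the forest exists.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. DSRM password: prompt for it rather than hard-coding it in a script.
$DsrmPassword = Read-Host -Prompt "DSRM (Safe Mode) administrator password" -AsSecureString

# 3. Prerequisite check, the equivalent of the "prerequisites complete" screen.
$check = Test-ADDSForestInstallation -DomainName $DomainName `
            -DomainNetbiosName $NetbiosName `
            -SafeModeAdministratorPassword $DsrmPassword `
            -InstallDns:$true
if ($check.Status -ne 'Success') {
    $check.Message
    throw "Prerequisite check failed; fix the errors above before promoting."
}

# 4. Promote. -DomainNetbiosName supplies the NetBIOS name the wizard never asks for;
#    the server reboots automatically when promotion completes.
Install-ADDSForest -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -ForestMode Win2012 -DomainMode Win2012 `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $DsrmPassword `
    -Force
```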
Windows 8 promises to offer a lot more than the previous version of the OS, and it is going to be a revolution for PowerShell users. A few features related to AD in Windows 8 are:

  • Remote DCPROMO capability.
  • Running adprep on a particular FSMO role holder will not be required in Windows 8.
  • GUI interface for the AD Recycle Bin and fine-grained password policy.
  • Virtualization-aware domain controllers, meaning virtualizing a domain controller using an image or snapshot will no longer be an issue.
  • The GUI can be turned on and off.
  • Replication troubleshooting cmdlets will be available in PowerShell.
  • Forcing a Group Policy update on single or multiple clients.
  • Support for the new ReFS (Resilient File System) file format in Windows 8.
  • AD DS integration with the Server Manager console.
  • Adprep is provided as built-in functionality.


Posted in Directory Services | No Comments »

Wish You A Great 2012 Year Ahead..!!

December 31st, 2011 by

Wishing all my blog readers a very happy New Year 2012 full of learning. I'll try to come up with more articles in the coming year, so my blog can help more and more people to learn and shape up their career path.
Awinish & Family

Posted in Directory Services | No Comments »

Active Directory Users and Groups Restore

October 8th, 2011 by and tagged

With Windows 2008 R2, you can use the AD Recycle Bin feature to restore an object and its group memberships without needing a system state backup or booting the DC into DSRM mode. This saves a lot of time as well as the hard work required to restore the object and group membership, but an organization with a large number of domain controllers running Windows 2003 will take time to upgrade the DC OS to Windows 2008 R2. Windows 2008 R2 is only available in x64, so the hardware has to support it before you can install a 64-bit OS. Due to this constraint it is difficult to upgrade all the DCs to 2008 R2 to benefit from the Windows 2008 R2 AD Recycle Bin feature.

The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting

Active Directory Recycle Bin Step-by-Step Guide

Restoring a group and its membership in Windows 2003 is complex and requires a deeper understanding of AD concepts, so it is difficult to say whether an authoritative restore will be successful on the first attempt in production. The viable approach is to first try it in a lab and then in the production environment, to achieve the desired results without hiccups.

The approach and best practices for performing an authoritative restore of AD objects and their memberships are outlined in the articles below.

Disaster Recovery: Active Directory Users and Groups

Best practices around Active Directory Authoritative Restores in Windows Server 2003 and 2008


Posted in Directory Services | No Comments »

Windows Time Server Role In Active Directory Forest/Domain

October 7th, 2011 by and tagged

I have seen various queries related to Windows Time service configuration in an Active Directory forest and domain architecture, so I decided to pen an article which might help answer them. Foremost, let's try to understand what the time server role is, how it works, why it is important to configure it correctly in the Active Directory forest/domain, and the issues faced if it is not configured or assigned to the right DC.

The time server role is assigned to the DC holding the PDC role in the domain. Considering a different scenario where multiple domains exist in the same forest, how would you assign the time server role, and which domain's DC should be synchronizing its time from the external or reliable source?

To answer the above: by default there is only one PDC Emulator in each and every domain. The reason to assign the time server role only to the DC holding the PDC role is that the DC with this FSMO role acts like the king of the kingdom, with the ability to authorize changes for resolving or avoiding conflicts. When new objects are created or existing objects are modified in AD (Active Directory), they are first validated by the PDC FSMO role holder DC, and after authorization they are allowed to replicate to all other DCs in the forest/domain. User logon to the domain, Kerberos ticket assignment, AD/DNS replication, creation/change/modification in AD, etc. are all dependent on time sync with the PDC. If there is any time mismatch between the DCs in the domain, then authentication will fail, changes will not be replicated to other DCs, resource access will fail, and you could face several other issues. By default, the domain allows a time skew of 5 minutes, which means systems in the domain, including DCs, can have a time difference of at most 5 minutes. Beyond that, users will not be able to log on to domain-joined systems and will get authentication failure error messages.

If there is a single domain in the forest, then it is easy: configure the time server role on the PDC Emulator. Considering the different scenarios where multiple domains are involved, like Parent-Child or Tree-Root domain architectures, configure the DC with the PDC FSMO role in the Parent/Root domain to be the time server, syncing its time from the external or reliable source, and let all other domains follow the Parent/Root DC time hierarchy. By default, the DC holding the PDC role syncs its time from the reliable/external source, and all other domain-joined clients follow the PDC FSMO role holder DC to sync their time. The protocol used by the time server is NTP/SNTP.

In some cases you might have to completely reset the time service because of messed-up time service registry settings, which can be on a DC or a member machine. The simplest fix is to unregister the time service on the problem domain-joined machine (DC or member) and re-register it using the commands below. It worked for me most of the time, and it might work for you too.

– Type cmd in the Run window

– Type net stop w32time to stop the time service

– Type w32tm /unregister to unregister the time service registry settings

– Type w32tm /register to register the time service registry settings back

– Type net start w32time to start the time service again

Port Assignments for the Windows Time Service

Service name: NTP, UDP port: 123, TCP port: N/A

August 2011 cumulative time zone update for Windows operating systems


Configure the Windows Time service on the PDC emulator in the Forest Root Domain

Run the command given below on the DC holding the PDC Emulator role in the forest to sync its time from the external or reliable source. In a Tree-Root or Parent-Child domain structure, allow only the Root/Parent PDC to sync its time from the external or reliable source; the other domains (tree or child domains) should follow the time hierarchy from the Root/Parent PDC. An external source can be the internet, and a reliable source can be a router or a hardware clock.

w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update

(where peers is the list of your time sources)

Change the Windows Time service configuration on the previous PDC emulator or the domain client machines

After moving the PDC role to a new DC, run the command below to reconfigure the DC that previously held the PDC role so that it syncs its time from the new PDC Emulator. The same command can be used on any domain member client/server to reconfigure the time service to follow the domain hierarchy.

w32tm /config /syncfromflags:domhier /reliable:no /update

You then need to stop and start the time service using the services.msc console, or simply run net stop w32time && net start w32time at the cmd prompt.
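An added example (not from the original post) that applies the two w32tm configurations above depending on whether the machine holds the forest-root PDC Emulator role, then measures its offset against the PDC to check it is inside the 5-minute Kerberos skew. It assumes the ActiveDirectory PowerShell module and an elevated session; the peer list is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module is
# installed and the script runs elevated on a domain-joined machine or DC. The peer
# list is a placeholder for your own reliable/external sources (space-separated).
Import-Module ActiveDirectory

$ExternalPeers = "time.example.net ntp.example.net"   # placeholder peers

function Test-IsForestRootPdc {
    # Only the PDC Emulator of the forest root domain syncs from outside; PDCs of
    # child or tree domains follow the hierarchy like everyone else.
    $rootPdc = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
    $me      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    return ($rootPdc -ieq $me)
}

function Set-DomainTimeRole {
    if (Test-IsForestRootPdc) {
        # Forest-root PDC Emulator: sync from the external peers and advertise as reliable.
        & w32tm /config "/manualpeerlist:$ExternalPeers" /syncfromflags:manual /reliable:yes /update
    } else {
        # Every other DC or member (including a former PDC after a role move):
        # follow the domain hierarchy and never advertise as a reliable source.
        & w32tm /config /syncfromflags:domhier /reliable:no /update
    }
    Restart-Service -Name w32time          # same effect as net stop / net start
    & w32tm /resync /rediscover
}

function Get-TimeSkewSeconds {
    param([string]$Reference)
    # Sample the offset against a reference clock. In /dataonly mode w32tm prints
    # one line per sample such as "12:00:01, +00.0123456s".
    $lines   = & w32tm /stripchart "/computer:$Reference" /samples:3 /dataonly
    $offsets = foreach ($l in $lines) {
        if ($l -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No samples from $Reference; is UDP 123 reachable?" }
    return ($offsets | Measure-Object -Average).Average
}

Set-DomainTimeRole
$pdcHost = (Get-ADDomain).PDCEmulator
$skew    = Get-TimeSkewSeconds -Reference $pdcHost
# Kerberos rejects tickets once clocks differ by more than the default 5-minute skew.
if ([math]::Abs($skew) -gt 300) {
    Write-Warning ("Clock is {0:N1}s from {1}: over the 5-minute Kerberos skew" -f $skew, $pdcHost)
} else {
    "Clock is {0:N3}s from {1}: within tolerance" -f $skew, $pdcHost
}
```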

How to configure authoritative time server

Configuring a time source for the forest

Keeping the Domain On Time

Windows Time Service Tools and Settings

How to turn on debug logging in the Windows Time Service

A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet

Windows Time Service Technical Reference

Windows Time and the W32TM service

High Accuracy W32time Requirements

NET TIME and w32time

Windows Time Service


Posted in Directory Services | 16 Comments »

Quest and ADMT comparison

October 4th, 2011 by and tagged , ,

There are various tools used for migration, such as ADMT (Active Directory Migration Tool) from Microsoft, DMM (Domain Migration Manager) from Quest, NetIQ, etc.

ADMT is a free tool from MS, and there is no licensing cost involved: any number of AD objects/servers/computers can be migrated to another domain without paying a single penny, whereas the Quest tool is paid, and licensing is based on the number of enabled users migrated, or on mailbox migration for Exchange.

Each tool has its own pros and cons, but features and support should be considered first when opting for any migration tool. ADMT has its own advantages, like support through the MS forums, its handling and working being known to most, and references being easy to find on the internet, whereas handling/using the Quest tool requires some skill and learning, Quest documents are not easily available, and support might burn a hole in your pocket. So both tools have their own benefits and demerits.

The table below shows the features available with the Quest DMM tool and the ADMT tool.

Continuous synchronization



Since migration can last for a long time, migrated data might become obsolete and need to be updated. To address this, ADMT performs remigrations throughout the process with different options. This means that it is necessary to repeat the same actions every day, requiring more time and manual effort. Migration Manager greatly simplifies this task, providing real-time directory synchronization and ensuring that critical data is kept up to date. Additionally, Migration Manager also provides two-way synchronization, making it possible to manage both directories simultaneously. This is especially critical for keeping passwords and group memberships up to date between the two environments.




Migration Manager Statistics Portal gives you detailed information about the migration project.




Migration Manager allows you to revert any performed changes at any time without restoring data from backup.

Inter-forest migration



ADMT cannot roll back resource updating tasks. Directory migration undo is restricted to the last session only; account merging cannot be undone.

Intra-forest migration



In case of intra-forest migration, ADMT deletes a source account and its tombstone immediately after moving it to the target domain. Functionality to roll back this operation is not provided – it is necessary to re-migrate the account and workstation from the target back to the source.

Migration without trusts



In some organizations, trusts between source and target domains cannot be established due to security reasons. Unlike ADMT, Migration Manager allows migration in this case.

Advanced object selection capabilities



ADMT uses a standard “select users and groups” dialog for object selection. It shows objects in flat list and doesn’t allow filtering of disabled, expired, or system accounts.

Property population rules



Migration Manager lets you modify any object properties before the migration data is actually applied to the target domain, using import file technology. It allows you to populate values from  an HR database or according to some other rules. ADMT does not allow you to modify all object properties, only the Container Name (CN), Relative Distinguished Name (RDN), sAMAccountName and userPrincipalName.

Security descriptor migration



If administrative rights are delegated on the OU level and you plan to preserve the existing delegation model after migration, security descriptors of OUs and accounts should be migrated. ADMT does not migrate security descriptors, and all permissions must be granted manually.

Consolidated resource updating



If you migrate multiple domains, resources should be updated for users from all domains. With ADMT, you have to update the same resources multiple times, separately for each source-target domain pair.

Workstation update



Migration Manager provides complete user workstation update. Whereas ADMT requires a reboot of the workstation in order to complete migration, only a logoff/logon is needed with Migration Manager. When migrating the workstation with Migration Manager, you can automatically change the default domain name on the workstations’ logon prompt, making the switch invisible to users. In contrast to ADMT, it also includes update of scheduled tasks and migration of certificates for encrypted files and mail.

Laptop update



Usually laptops are disconnected from the corporate network and cannot be updated as ordinary workstations. Migration Manager allows you to update laptops via user logon scripts and without additional interaction with users.

Server infrastructure update

Migration Manager:

• Active Directory

• Exchange 5.5/2000/2003/2007

• SharePoint Services 2.0/3.0, SharePoint Portal Server 2003/2007

• Internet Information Services 5.0/6.0

• SQL Server 7.0/2000/2005

• Systems Management Server 2003/System Center Configuration Manager 2007

• NAS/SAN devices

ADMT:

• Exchange 5.5

ADMT has incomplete server resource updating. It requires a great deal of administrator effort because all permissions must be updated manually.

Clean-up SIDHistory



To preserve network security, the SIDHistory attribute of objects should be cleaned up after migration. ADMT does not provide this functionality.

Note: I'm neither a Quest agent nor an MS agent; the above is posted for reference and informational purposes only, to help with migration tool selection when performing a forest/domain migration based on cost and complexity.

The table posted above is taken from the Quest site.


Posted in Directory Services, Exchange, SCCM/SCOM | 8 Comments »

All About (RODC)Read Only Domain Controllers

October 4th, 2011 by and tagged

RODC is a new feature introduced with Windows 2008: a domain controller with read-only partitions, which include the AD database and the Sysvol/Netlogon folders. To introduce an RODC into an existing Windows 2003 environment you need to prepare the environment with Adprep /rodcprep (Adprep32.exe or Adprep.exe depending on the OS: Adprep32.exe must be run on a 32-bit OS and Adprep.exe on a 64-bit OS). Adprep /rodcprep should be run on the DC holding the Domain Naming Master FSMO role, not on just any DC. It is not mandatory to run Adprep /rodcprep in an existing Windows 2000 or 2003 AD environment unless you plan to deploy an RODC, now or in the future. There is one more prerequisite: you need at least one writable Windows 2008 DC before you can deploy an RODC in an existing Windows 2003 AD environment, since an RODC does not consider a Windows 2003 DC.

An RODC is basically meant to be deployed in sites/locations where you can't afford, or don't want to keep, an AD expert to manage or modify changes in AD. An RODC holds a read-only database, which means that at the location where the RODC is deployed you can't make any changes, and changes made on the RODC are not replicated to any other DC, since replication is unidirectional from RWDC to RODC only, not vice versa.

An RODC enhances authentication locally where it is placed, but again it should not be considered a replacement for a writable DC. You can configure the RODC as a GC and DNS server too, to enhance authentication locally.

An RODC can safely be hosted on a virtual machine, whereas a RWDC should not be, because of performance issues. I'm not a big fan of RODCs; the reason is that an RODC alone doesn't work like a domain controller but relies on a RWDC (writable domain controller) for each and everything, causing heavy replication traffic.

Replication to an RODC is unidirectional, meaning changes made on the RODC are not replicated to the RWDC, but you can still connect to the RWDC console from the RODC and make modifications on the RWDC, which is still a vulnerability. An RODC can't substitute for a DC when the WAN link is down, because an RODC can't issue Kerberos tickets to domain clients. An RODC can't navigate trusts; it only utilizes the RWDC in other domains.

One of the biggest drawbacks of an RODC is that it doesn't work with any version of Exchange Server (2000 through 2010 SP1), so if you have deployed, or want to deploy, an Exchange server in a site, you can't utilize an RODC in that site; you need RWDCs only. There are a few other applications too which don't work with an RODC.

An RODC can actually enhance local authentication, but you need to cache the local computers' passwords to form a secure channel with the RODC; otherwise it will query the RWDC.

RODCs don't register the generic DC locator records by default; they only register the site-specific locator records in DNS. An RODC doesn't point to itself in SOA records like a RWDC does, and it doesn't register Name Server (NS) records in DNS. When a client wants to update or modify its records in DNS, it contacts the RODC; using the SOA record the RODC finds the best/suitable RWDC, the update takes place on the RWDC, and it replicates back to the RODC.

MSAs (managed service accounts) are not supported on RODCs, only on writable domain controllers, but there is a hotfix to resolve the issue.
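An added example (not from the original post) showing how to audit what an RODC is actually caching, since the post notes that accounts without a cached secret fall back to the RWDC, and how to allow caching for the branch's computers only. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later) and uses placeholder RODC and OU names.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module and a
# caller allowed to read the RODC's Password Replication Policy; names are placeholders.
Import-Module ActiveDirectory

$Rodc = "RODC01"   # placeholder hostname of the branch RODC

function Get-RodcCachingReport {
    param([string]$RodcName)

    $dc = Get-ADDomainController -Identity $RodcName
    if (-not $dc.IsReadOnly) { throw "$RodcName is not a read-only domain controller" }

    # What the policy permits, versus what has actually happened: secrets revealed
    # (cached) on this RODC, and accounts that have authenticated through it.
    $allowed  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts
    $authed   = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -AuthenticatedAccounts

    # Accounts that authenticated via the RODC but have no cached secret: every logon
    # and computer secure channel for these goes over the WAN to a writable DC.
    $revealedDns = @($revealed | ForEach-Object { $_.DistinguishedName })
    $notCached   = @($authed | Where-Object { $revealedDns -notcontains $_.DistinguishedName })

    # Privileged accounts should never be cached on a DC in a less secure site:
    # flag any revealed account that is a (nested) member of Domain Admins.
    $domainAdmins = @(Get-ADGroupMember -Identity "Domain Admins" -Recursive |
                      ForEach-Object { $_.DistinguishedName })
    $privCached = @($revealed | Where-Object { $domainAdmins -contains $_.DistinguishedName })

    [pscustomobject]@{
        RODC                 = $dc.HostName
        AllowedEntries       = @($allowed).Count
        CachedAccounts       = @($revealed).Count
        AuthenticatedNoCache = @($notCached | ForEach-Object { $_.SamAccountName })
        PrivilegedCached     = @($privCached | ForEach-Object { $_.SamAccountName })
    }
}

function Add-BranchComputersToRodcAllowList {
    # Let the RODC cache the secrets of the branch computers (and only those), so their
    # secure channel forms locally instead of going back to the RWDC.
    param([string]$RodcName, [string]$ComputerSearchBase)
    $computers = @(Get-ADComputer -Filter * -SearchBase $ComputerSearchBase)
    if ($computers.Count -gt 0) {
        Add-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -AllowedList $computers
    }
    return $computers.Count
}

$report = Get-RodcCachingReport -RodcName $Rodc
$report
if ($report.PrivilegedCached.Count -gt 0) {
    Write-Warning "Privileged accounts cached on $($report.RODC): $($report.PrivilegedCached -join ', ')"
}
# Example call; the OU below is a placeholder for the branch's computer OU.
# Add-BranchComputersToRodcAllowList -RodcName $Rodc -ComputerSearchBase "OU=Branch Computers,DC=corp,DC=example,DC=local"
```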

RODC References

Read-Only Domain Controllers Step-by-Step Guide

Chris has a nice write-up on RODC integration with DNS.

Windows Server 2008 RODC Interview Questions !

Read-Only Domain Controller Planning and Deployment Guide

Windows 2008 RODC Tick List for Deployment

Steps for Deploying an RODC

Read-Only Domain Controller (RODC) Branch Office Guide

RODC Post-Installation Configuration

Designing RODCs in the Perimeter Network

Deploying RODCs in the Perimeter Network

AD DS/RODC in the Perimeter Network (Windows Server 2008)

Understanding “Read Only Domain Controller” authentication

RODC Frequently Asked Questions

Read-Only Domain Controllers Application Compatibility Guide

Performing a Staged RODC Installation

Testing Application Compatibility with RODCs

Known Issues for Deploying RODCs

Troubleshooting RODC’s: Troubleshooting RODC location in the DMZ

Microsoft KB’s and Hotfixes

You cannot create or delete managed service accounts in a perimeter network in Windows 7 or in Windows Server 2008 R2

Description of the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients and for Windows Vista

Authentication fails when an external client tries to log on to a Windows Server 2008 server by using a read-only domain controller in a perimeter network


Posted in Directory Services | No Comments »

Improvements in windows 2008/2008 R2(AD/DNS)

July 11th, 2011 by and tagged

There are a few good enhancements in Windows 2008/2008 R2, and they are not known to all. I thought of putting them in a single place, which will help me as well as others for reference.

What’s New in AD DS in Windows Server 2008

What’s New in AD DS in Windows Server 2008 R2

What’s New in DNS

Windows Server 2008 – DNS enhancement nuggets

Review Bridgehead Server Load-Balancing Improvements with Windows Server 2008 RODCs

Changes in Functionality from Windows Server 2008 to Windows Server 2008 R2

Bridgehead Server Selection

Windows Server 2008 resolve Domain Controller Load Balancing problems


Posted in Directory Services | No Comments »

Active Directory/GPO Guides

July 2nd, 2011 by and tagged , ,

Post-Graduate AD Studies

Infrastructure Planning and Design

Active Directory Domain Services Operations Guide

Windows Server 2008 Step-by-Step Guides

Active Directory Design Guide by Microsoft

Remote Desktop Services in Windows Server 2008 R2: Step-by-Step Guides

Microsoft has released Group Policy for Beginners. I read the guide and found it really helpful for beginners who actually want to start from the basics. It can be found at the link below.

To read it online, refer to the links below.

Group policy master site(Videos,Guides etc.)

Group policy webcast series video


Posted in Directory Services, Group Policy | 3 Comments »

Received MVP award for Directory Services 2011-2012

July 1st, 2011 by

Yippee... Today I received an email that I have been awarded the MVP for Directory Services for the year 2011-2012.

Dear Awinish Vishwakarma,

Congratulations! We are pleased to present you with the 2011 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Directory Services technical communities during the past year.

Thank you all for your support & wishes.


Posted in Directory Services | 24 Comments »

Remove References of a Failed DC/Domain Or Perform Metadata Cleanup

May 8th, 2011 by and tagged

I have found misconceptions regarding metadata cleanup while reading various forums and questions, so I decided to write something useful to help people understand what metadata cleanup is and when it is required to be run.

Consider that one of the DCs, which was serving as the PDC, crashed. What did you do? You seized the FSMO roles on a healthy DC and then transferred all other AD services like DNS/GC/DHCP, etc., onto it. You thought you were done, but here you skipped an important step: removing/cleaning the crashed DC's objects and its references from AD, to inform AD that this DC is no more.

There are two types of demotion of a DC: one is normal demotion using DCPROMO, the other is forceful removal using DCPROMO /FORCEREMOVAL, which requires the additional step of metadata cleanup. But keep in mind, your first option should always be to try graceful demotion; only if that doesn't work, use forced removal. If the server has crashed there is no question of graceful demotion, because graceful demotion can only be used when you can run dcpromo on the DC to remove AD; if the DC has already crashed, metadata cleanup is the only option.

Metadata cleanup is the process required to remove a failed DC from the domain when it can't be demoted gracefully. Does metadata cleanup remove all the entries from AD? The answer is NO: it doesn't remove all the records from AD, and in a few places manual cleaning of those objects is required, one being the DNS server. But why doesn't it remove all the records when I performed metadata cleanup following the steps? The reason is that DNS has its own aging/scavenging configuration for removing entries from DNS when they become stale. When a system/DC is removed, the computer object is deleted from AD, but not from the AD database, where it is kept for later deletion after the TSL (tombstone lifetime). In DNS, each record has an attribute called dnsTombstoned, whose value can be either True or False. When a host record is removed it is actually not removed; its dnsTombstoned attribute is set to True for later deletion at the configured aging/scavenging interval, so the record still exists in AD.

The places to check after either a normal demotion or a forced demotion of a DC are below.

- Each and every subfolder inside the _msdcs folder in DNS

- The Name Servers tab in DNS

- Host records in DNS

- The server object under NTDS Settings in AD Sites and Services

- Open ADSIEDIT.MSC, connect to the configuration partition:

CN=Configuration, DC=domain, DC=com > CN=Sites > locate the DC to be removed from the sites.

Note: ADSIEDIT is a powerful tool to edit AD database objects, and modifications made there are permanent, so if you are unsure what you are doing, take a system state backup first and then modify from there, as anything deleted there will require a system state backup to restore the deleted objects.
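An added example (not from the original post) that checks the places listed above for leftover references to a removed DC. It assumes the ActiveDirectory and DnsServer PowerShell modules (Windows Server 2012 RSAT or later, run from a surviving DC or management host) and uses placeholder DC and server names.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory and DnsServer
# modules (Windows Server 2012 RSAT or later); the DC and DNS server names are placeholders.
Import-Module ActiveDirectory, DnsServer

$FailedDc  = "DC02"                      # placeholder: short name of the removed DC
$DnsServer = "DC01.corp.example.local"   # placeholder: surviving DNS server to query

function Find-StaleDcReferences {
    param([string]$DcName, [string]$DnsHost)
    $domain = Get-ADDomain
    $zone   = $domain.DNSRoot
    $msdcs  = "_msdcs." + (Get-ADForest).RootDomain   # separate _msdcs zone (2003+ default)
    $fqdn   = "$DcName.$zone"
    $hits   = @()

    foreach ($z in @($zone, $msdcs)) {
        # 1. SRV records under _msdcs (and the domain zone) still pointing at the DC.
        Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $z -RRType Srv -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordData.DomainName.TrimEnd('.') -ieq $fqdn } |
            ForEach-Object { $hits += "SRV    $z  $($_.HostName) -> $($_.RecordData.DomainName)" }
        # 2. The DSA GUID CNAME alias in _msdcs that replication partners resolve.
        Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $z -RRType CName -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordData.HostNameAlias.TrimEnd('.') -ieq $fqdn } |
            ForEach-Object { $hits += "CNAME  $z  $($_.HostName) -> $($_.RecordData.HostNameAlias)" }
        # 3. Name Servers tab: NS records naming the DC.
        Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $z -RRType Ns -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordData.NameServer.TrimEnd('.') -ieq $fqdn } |
            ForEach-Object { $hits += "NS     $z  $($_.HostName) -> $($_.RecordData.NameServer)" }
    }
    # 4. Host (A) records for the DC itself.
    Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $zone -RRType A -Name $DcName -ErrorAction SilentlyContinue |
        ForEach-Object { $hits += "A      $zone  $($_.HostName) -> $($_.RecordData.IPv4Address)" }

    # 5. Server object and its NTDS Settings under CN=Sites in the configuration partition
    #    (what ADSIEDIT shows under CN=Configuration > CN=Sites).
    $config = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Sites,$config" -LDAPFilter "(&(objectClass=server)(cn=$DcName))" |
        ForEach-Object {
            $hits += "AD     server object   $($_.DistinguishedName)"
            Get-ADObject -SearchBase $_.DistinguishedName -LDAPFilter "(objectClass=nTDSDSA)" |
                ForEach-Object { $hits += "AD     NTDS Settings   $($_.DistinguishedName)" }
        }
    # 6. A computer account still sitting in the Domain Controllers OU.
    Get-ADComputer -Filter "Name -eq '$DcName'" -ErrorAction SilentlyContinue |
        ForEach-Object { $hits += "AD     computer object $($_.DistinguishedName)" }

    return $hits
}

$stale = Find-StaleDcReferences -DcName $FailedDc -DnsHost $DnsServer
if ($stale.Count -gt 0) { "Leftover references to ${FailedDc}:"; $stale }
else { "No references to $FailedDc remain in DNS or the configuration partition" }
```

Run it before reusing the failed DC's name or address, and again after one replication cycle, since entries removed on one DC take a cycle to disappear from the others.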

Metadata cleanup is made simple in Windows 2008, which provides a GUI interface, so if you have any DC running Windows 2008 you can perform metadata cleanup from that DC; it doesn't matter which DC you choose to clean up the failed DC's records.

Note: Once you perform the metadata cleanup of a DC, don't immediately reuse the same hostname/IP of the failed DC to configure it back as a new DC, because you have to allow the changes to replicate to all other domain controllers in the forest by waiting for at least one replication cycle to complete. But if you have few DCs and good bandwidth, you can force the replication using repadmin /syncall /Aped. The /e switch forces replication between all the DCs in the forest, and there might be extra traffic generated during business hours, so use it at COB (close of business) hours.

Few Questions:

-Is metadata cleanup required on all the DCs, or from a particular DC?

The answer is no and no.

-Does metadata cleanup remove all the records from AD?

The answer is no, never. There is no tool from Microsoft which removes all the records of a failed DC.

-Is metadata cleanup also required after a normal demotion of a DC?

The answer is no, as it is only used for removing a failed domain controller which can't be removed gracefully.

-Is metadata cleanup required for removing a member server?

The answer is no; it is only required for domain controllers.

Related link: metadata cleanup in Windows 2003

Metadata cleanup in Windows 2008

I have posted this article on the TechNet Wiki too; the link is below.


Posted in Directory Services, DNS/DHCP | 14 Comments »
