October 2021


Performance Tuning Guidelines for Windows Server 2008/2008 R2

October 12th, 2011

I was looking for the performance tuning guidelines and was surprised that they already existed without my noticing. I thought of sharing them with others, so they can benefit too.

Performance Tuning Guidelines for Windows Server 2008 R2

Choosing and Tuning Server Hardware
Performance Tuning for the Networking Subsystem
Performance Tuning for the Storage Subsystem
Performance Tuning for Web Servers
Performance Tuning for File Servers
Performance Tuning for Active Directory Servers
Performance Tuning for Remote Desktop Session Host (formerly Terminal Server)
Performance Tuning for Remote Desktop Gateway
Performance Tuning for Virtualization Servers
Performance Tuning for File Server Workload (NetBench)
Performance Tuning for File Server Workload (SPECsfs2008)
Performance Tuning for Network Workload (NTttcp)
Performance Tuning for Remote Desktop Services Knowledge Worker Workload
Performance Tuning for SAP Sales and Distribution Two-Tier Workload
Performance Tuning for TPC-E Workload

Updated later

“Performance Tuning for Web Servers” – Updated guidance to reflect that Http.sys manages connections automatically.
“Performance Tuning for File Servers” – Fixed typos in NFS Server tuning parameter registry keys.
“Performance Tuning for Virtualization Servers” – Added information about Dynamic Memory tuning.
“Performance Tuning for TPC-E Workload” – Clarified tuning guidance.

Performance Tuning Guidelines for Windows Server 2008 (Updated for SP2)

Performance Tuning for Server Hardware
Performance Tuning for Networking Subsystem
Performance Tuning for Storage Subsystem
Performance Tuning for Web Servers
Performance Tuning for File Servers
Performance Tuning for Active Directory Servers
Performance Tuning for Terminal Server
Performance Tuning for Terminal Server Gateway
Performance Tuning for Virtualization Servers
Performance Tuning for File Server Workload (NetBench)
Performance Tuning for Network Workload (NTttcp)
Performance Tuning for Terminal Server Knowledge Worker Workload
Performance Tuning for SAP Sales and Distribution Two-Tier Workload

One of the tools from CodePlex that will help you analyze the logs.


Posted in OS/Certificates, Performance

Active Directory Users and Groups Restore

October 8th, 2011

With Windows 2008 R2, you can use the AD Recycle Bin feature to restore an object and its group membership without needing a system state backup or booting the DC into DSRM mode. This saves a lot of time as well as the hard work required to restore the object and its group membership, but organizations with a large number of domain controllers running Windows 2003 will take time to upgrade the DC OS to Windows 2008 R2. Windows 2008 R2 is available only in x64, so the hardware has to support a 64-bit OS before you can install it. Due to this constraint it is difficult to upgrade all DCs to 2008 R2 to take advantage of the Windows 2008 R2 AD Recycle Bin feature.

The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting

Active Directory Recycle Bin Step-by-Step Guide

Restoring a group and its membership in Windows 2003 is complex and requires a deeper understanding of AD concepts, so it is difficult to say whether an authoritative restore will succeed on the first attempt in production. The viable approach is to try it first in a lab and then in the production environment, to achieve the desired results without hiccups.

The approach and best practices for performing an authoritative restore of AD objects and their membership are outlined in the articles below.

Disaster Recovery: Active Directory Users and Groups

Best practices around Active Directory Authoritative Restores in Windows Server 2003 and 2008


Posted in Directory Services

Windows Time Server Role In Active Directory Forest/Domain

October 7th, 2011

I have seen various queries related to the Windows Time service configuration in Active Directory forest and domain architectures, so I decided to pen down an article which might help answer them. Foremost, let’s try to understand what the time server role is, how it works, why it is important to configure it correctly in the Active Directory forest/domain, and what issues are faced if it is not configured or assigned to the right DC.

The time server role is assigned to the DC holding the PDC role in the domain. Considering a different scenario where multiple domains exist in the same forest, how would you assign the time server role, and which domain’s DC should be synchronizing its time from the external or reliable source?

To answer the above: by default, there is only one PDC Emulator in each domain. The reason to assign the time server role only to the DC holding the PDC role is that the DC with this FSMO role acts like the king of the kingdom, with the ability to authorize changes for resolving or avoiding conflicts. When new objects are created or existing objects are modified in AD (Active Directory), they are first validated by the PDC FSMO role holder DC, and after authorization they are allowed to replicate to all other DCs in the forest/domain. User logon to the domain, Kerberos ticket assignment, AD/DNS replication, creation/change/modification in AD, etc. all depend on time synchronization with the PDC. If there is any time mismatch between the DCs in the domain, authentication will fail, changes will not replicate to other DCs, resource access will fail, and you could face several other issues. By default, the domain allows a time skew of 5 minutes, which means systems in the domain, including DCs, can differ in time by up to 5 minutes but no more. Beyond that, users will not be able to log on to domain-joined systems and will get authentication failure error messages.

If there is a single domain in the forest, then it is easy to configure the time server role on the PDC Emulator. In the different scenarios where multiple domains are involved, such as Parent-Child or Tree-Root domain architectures, configure the DC with the PDC FSMO role in the Parent/Root domain to hold the time server role, syncing its time from the external or reliable source, and let all other domains follow the Parent/Root DC time hierarchy. By default, the DC holding the PDC role syncs its time from the reliable/external source, and all other domain-joined clients follow the PDC FSMO role holder DC to sync their time. The protocol used by the time server is NTP/SNTP.

In some cases, you might have to completely reset the time service due to messed-up time service registry key settings, which can be on a DC or a member machine. The simplest fix is to unregister the time service on the problem domain-joined machine (DC or member machine) and re-register it using the commands below. It worked for me most of the time and it might work for you too.

– Type CMD in the Run window

– Type net stop w32time to stop the time service

– Type w32tm /unregister to unregister the time service registry settings

– Type w32tm /register to register the time service registry settings back

– Type net start w32time to start the time service

Port Assignments for the Windows Time Service

Service name    UDP    TCP
NTP             123    N/A

August 2011 cumulative time zone update for Windows operating systems


Configure the Windows Time service on the PDC emulator in the Forest Root Domain

You are required to run the command below on the DC holding the PDC Emulator role in the forest to sync its time from the external or reliable source. If it is a Tree-Root or Parent-Child domain, allow only the Root/Parent DC to sync its time from the external or reliable source; the other domains (tree or child domains) should follow the time from the Root/Parent PDC hierarchy. The external source can be the internet, and a reliable source can be a router or hardware clock.

w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update

(Replace peers with the NTP server name or address; if you list more than one, separate them with spaces and enclose the whole list in double quotes.)

Change the Windows Time service configuration on the previous PDC emulator or the domain client machines

Run the command below to reconfigure the DC that previously held the PDC role to sync its time from the new DC holding the PDC Emulator role, after moving the PDC role to the new DC. The same command can be used on any domain member client/server machine to reconfigure the time service to follow the domain hierarchy.

w32tm /config /syncfromflags:domhier /reliable:no /update

You then need to stop and start the time service, either from the services.msc console or by running net stop w32time && net start w32time at the command prompt.
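The checks described above, as an added PowerShell example that is not part of the original post: it reads the PDC Emulator from AD, asks every DC which peer it follows with w32tm, samples each DC's offset, and flags anything outside the 5-minute Kerberos skew tolerance. It assumes the RSAT ActiveDirectory module, reachability of every DC, default English w32tm output, and the function names and 300-second threshold are this script's own.

```powershell
# Added example, not from the original post. Assumes RSAT's ActiveDirectory
# module, that the caller can reach every DC over RPC and UDP 123, and that
# w32tm prints its default English output. Function names are this script's own.
Import-Module ActiveDirectory

$MaxSkewSeconds = 300   # default Kerberos clock-skew tolerance (5 minutes)

function Get-DcTimeSource {
    param([string]$Computer)
    # "w32tm /query /source" prints one line naming the peer the machine follows,
    # e.g. "DC1.corp.example" for domhier, or "Local CMOS Clock" when unsynced.
    $out = & w32tm.exe /query "/computer:$Computer" /source 2>&1
    return (($out | Select-Object -First 1) -as [string]).Trim()
}

function Get-DcOffsetSeconds {
    param([string]$Computer)
    # "/stripchart /dataonly" prints lines such as "14:02:03, +00.0012345s";
    # the offset is relative to the machine running this script.
    $lines = & w32tm.exe /stripchart "/computer:$Computer" /samples:3 /dataonly 2>&1
    $last  = @($lines | Where-Object { "$_" -match ',\s*[+-]\d+\.\d+s' })[-1]
    if ($last -and ("$last" -match ',\s*([+-]\d+\.\d+)s')) {
        return [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)
    }
    return $null
}

function Test-DomainTimeHierarchy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $pdc     = (Get-ADDomain -Identity $Domain).PDCEmulator
    $dcs     = Get-ADDomainController -Filter * -Server $Domain
    $dcNames = $dcs | ForEach-Object { $_.HostName }

    foreach ($dc in $dcs) {
        $source = Get-DcTimeSource -Computer $dc.HostName
        $peer   = ($source -split ',')[0].Trim()     # drop flags such as ",0x9"
        $offset = Get-DcOffsetSeconds -Computer $dc.HostName
        $isPdc  = $dc.HostName -ieq $pdc
        $issues = @()

        # The PDC emulator must follow an external or reliable source, never its
        # own clock; every other DC must follow a DC in the domain hierarchy.
        if ($isPdc -and $peer -match 'Local CMOS Clock|Free-running') {
            $issues += 'PDC emulator is not syncing from an external/reliable source'
        }
        if (-not $isPdc -and ($dcNames -notcontains $peer)) {
            $issues += 'DC is not following the domain hierarchy (expected a DC as source)'
        }
        if ($null -eq $offset) {
            $issues += 'could not sample offset (w32tm or NTP UDP 123 unreachable?)'
        } elseif ([math]::Abs($offset) -gt $MaxSkewSeconds) {
            $issues += "offset ${offset}s exceeds the $MaxSkewSeconds s Kerberos skew limit"
        }

        [pscustomobject]@{
            DC            = $dc.HostName
            IsPdcEmulator = $isPdc
            TimeSource    = $source
            OffsetSeconds = $offset
            Issues        = ($issues -join '; ')
        }
    }
}

function Reset-W32Time {
    # The reset procedure from the post (stop, unregister, register, start),
    # applied to the local machine only; requires an elevated prompt.
    & net.exe stop w32time   | Out-Null
    & w32tm.exe /unregister  | Out-Null
    & w32tm.exe /register    | Out-Null
    & net.exe start w32time  | Out-Null
}

Test-DomainTimeHierarchy | Format-Table -AutoSize
```

Reset-W32Time is defined but not called; run it by hand on the one machine whose time service you are rebuilding, then re-run the report.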

How to configure authoritative time server

Configuring a time source for the forest

Keeping the Domain On Time

Windows Time Service Tools and Settings

How to turn on debug logging in the Windows Time Service

A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet

Windows Time Service Technical Reference

Windows Time and the W32TM service

High Accuracy W32time Requirements

NET TIME and w32time

Windows Time Service


Posted in Directory Services

Quest and ADMT comparison

October 4th, 2011

There are various tools used for migration, such as ADMT (Active Directory Migration Tool) from Microsoft, DMM (Domain Migration Manager) from Quest, NetIQ, etc.

ADMT is a free tool from MS with no licensing cost involved: any number of AD objects/servers/computers can be migrated to another domain without paying a single penny, whereas the Quest tool is paid, and licensing is based on the number of enabled users migrated, or on mailbox migration for Exchange.

Each tool has its own pros and cons, but features and support should be considered first when opting for any migration tool. ADMT has its own advantages: support through the MS forums, it is easy to handle, its workings are known to most, and references on the internet are easy to find. Handling/using the Quest tool, on the other hand, requires some skill and learning, Quest documents are not easily available, and support might burn a hole in your pocket. So both tools have their own benefits and demerits.

The table below shows the features available with the Quest DMM tool and the ADMT tool.

Continuous synchronization
Since migration can last for a long time, migrated data might become obsolete and need to be updated. To address this, ADMT performs remigrations throughout the process with different options. This means that it is necessary to repeat the same actions every day, requiring more time and manual effort. Migration Manager greatly simplifies this task, providing real-time directory synchronization and ensuring that critical data is kept up to date. Additionally, Migration Manager also provides two-way synchronization, making it possible to manage both directories simultaneously. This is especially critical for keeping passwords and group memberships up to date between the two environments.

Migration Manager Statistics Portal gives you detailed information about the migration project.

Migration Manager allows you to revert any performed changes at any time without restoring data from backup.

Inter-forest migration
ADMT cannot roll back resource updating tasks. Directory migration undo is restricted to the last session only; account merging cannot be undone.

Intra-forest migration
In case of intra-forest migration, ADMT deletes a source account and its tombstone immediately after moving it to the target domain. Functionality to roll back this operation is not provided – it is necessary to re-migrate the account and workstation from the target back to the source.

Migration without trusts
In some organizations, trusts between source and target domains cannot be established due to security reasons. Unlike ADMT, Migration Manager allows migration in this case.

Advanced object selection capabilities
ADMT uses a standard “select users and groups” dialog for object selection. It shows objects in a flat list and doesn’t allow filtering of disabled, expired, or system accounts.

Property population rules
Migration Manager lets you modify any object properties before the migration data is actually applied to the target domain, using import file technology. It allows you to populate values from an HR database or according to some other rules. ADMT does not allow you to modify all object properties, only the Container Name (CN), Relative Distinguished Name (RDN), sAMAccountName and userPrincipalName.

Security descriptor migration
If administrative rights are delegated on the OU level and you plan to preserve the existing delegation model after migration, security descriptors of OUs and accounts should be migrated. ADMT does not migrate security descriptors, and all permissions must be granted manually.

Consolidated resource updating
If you migrate multiple domains, resources should be updated for users from all domains. With ADMT, you have to update the same resources multiple times, separately for each source-target domain pair.

Workstation update
Migration Manager provides complete user workstation update. Whereas ADMT requires a reboot of the workstation in order to complete migration, only a logoff/logon is needed with Migration Manager. When migrating the workstation with Migration Manager, you can automatically change the default domain name on the workstations’ logon prompt, making the switch invisible to users. In contrast to ADMT, it also includes update of scheduled tasks and migration of certificates for encrypted files and mail.

Laptop update
Usually laptops are disconnected from the corporate network and cannot be updated as ordinary workstations. Migration Manager allows you to update laptops via user logon scripts and without additional interaction with users.

Server infrastructure update
Migration Manager:
• Active Directory
• Exchange 5.5/2000/2003/2007
• SharePoint Services 2.0/3.0, SharePoint Portal Server 2003/2007
• Internet Information Services 5.0/6.0
• SQL Server 7.0/2000/2005
• Systems Management Server 2003/System Center Configuration Manager 2007
• NAS/SAN devices
ADMT:
• Exchange 5.5
ADMT has incomplete server resource updating. It requires a great deal of administrator effort because all permissions must be updated manually.

Clean-up SIDHistory
To preserve network security, the SIDHistory attribute of objects should be cleaned up after migration. ADMT does not provide this functionality.

Note: I’m neither a Quest agent nor an MS agent; the above is posted for reference and informational purposes only, to help with migration tool selection when performing forest/domain migration based on cost and complexity.

The table posted above is taken from the Quest site.


Posted in Directory Services, Exchange, SCCM/SCOM

All About (RODC)Read Only Domain Controllers

October 4th, 2011

RODC is a new feature introduced in Windows 2008: a domain controller with read-only partitions, which include the AD database and the Sysvol/Netlogon folder. In order to introduce an RODC into an existing Windows 2003 environment you need to prepare the environment with Adprep /rodcprep (whether Adprep32.exe or Adprep.exe is used depends on the OS: Adprep32.exe is executed on a 32-bit OS and Adprep.exe on a 64-bit OS). Adprep /rodcprep should be executed on the DC holding the Domain Naming Master FSMO role, not on just any DC. It is not mandatory to run Adprep /rodcprep in an existing Windows 2000 or 2003 AD environment unless you plan to deploy an RODC, now or in the future. There is one more prerequisite: you need at least one writable Windows 2008 DC before you can deploy an RODC in an existing Windows 2003 AD environment, since an RODC does not work with Windows 2003 DCs.

An RODC is basically suited to be deployed in sites/locations where you can’t afford or don’t want to keep AD experts to manage/modify changes in AD. An RODC holds a read-only database, meaning that at the location where the RODC is deployed you can’t make any changes, and changes made on the RODC are not replicated to any other DC, since replication is unidirectional, from RWDC to RODC only and not vice versa.

An RODC enhances authentication locally where it is placed, but again it should not be considered a replacement for a writable DC. You can configure the RODC as a GC and DNS server too, to enhance authentication locally.

An RODC can safely be hosted on a virtual machine, whereas an RWDC should not be, because of performance issues. I’m not a big fan of RODCs; the reason is that an RODC alone doesn’t work like a domain controller but relies on an RWDC (writable domain controller) for each and everything, causing heavy replication traffic.

Replication to an RODC is unidirectional, meaning changes made on the RODC are not replicated to the RWDC, but you can still connect to an RWDC console from the RODC and make modifications on the RWDC, which is still a vulnerability. An RODC can’t substitute for a DC when the WAN link is down, because the RODC can’t issue Kerberos tickets to the domain clients. An RODC can’t navigate trusts; it only utilizes RWDCs in other domains.

One of the biggest drawbacks of an RODC is that it doesn’t work with any version of Exchange Server (2000 to 2010 SP1), so if you have deployed an Exchange server in a site, or want to deploy one, you can’t utilize an RODC in that site; you need RWDCs only. There are a few other applications too which don’t work with RODCs.

An RODC can actually enhance local authentication, but you need to cache the local computers’ passwords to form a secure channel with the RODC; otherwise it will query the RWDC.

RODCs don’t register the generic DC locator records by default; they only register the site-specific locator records in DNS. An RODC doesn’t point to itself in SOA records like an RWDC does, and it doesn’t register Name Server (NS) records in DNS. When a client wants to update/modify its records in DNS, it contacts the RODC; using the SOA record the RODC finds the best/suitable RWDC, the update takes place on the RWDC, and it is replicated back to the RODC.

MSAs (Managed Service Accounts) don’t support RODCs, only writable domain controllers, but there is a hotfix to resolve the issue.
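The two RODC behaviours above, password caching and site-only DNS registration, as an added PowerShell example that is not part of the original post: for each RODC it lists the Password Replication Policy, the accounts whose secrets have actually been revealed to that RODC, any protected (adminCount=1) account among them, and whether the RODC appears in the site-specific and the generic DC locator SRV records. It assumes the ActiveDirectory and DnsClient modules (Windows 8 / Server 2012 RSAT or later); the function name and output fields are this script's own.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory and
# DnsClient modules and a domain account that can read RODC objects and DNS.
Import-Module ActiveDirectory
Import-Module DnsClient

function Get-RodcExposure {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dnsRoot = (Get-ADDomain -Identity $Domain).DNSRoot

    # Protected principals (adminCount=1); their secrets should never be cached
    # on a branch or perimeter RODC.
    $protected = Get-ADObject -LDAPFilter '(adminCount=1)' -Server $Domain |
                 ForEach-Object { $_.DistinguishedName }

    foreach ($rodc in (Get-ADDomainController -Filter 'IsReadOnly -eq $true' -Server $Domain)) {
        $id = $rodc.HostName

        # Password Replication Policy: who MAY be cached, who is explicitly denied.
        $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $id -Allowed)
        $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $id -Denied)

        # Accounts whose secrets HAVE been revealed to (cached on) this RODC.
        $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $id -RevealedAccounts)
        $revealedProtected = $revealed |
            Where-Object { $protected -contains $_.DistinguishedName } |
            ForEach-Object { $_.SamAccountName }

        # DNS: an RODC should be in the site-specific locator record for its own
        # site, and absent from the generic (site-less) record.
        $generic = "_ldap._tcp.dc._msdcs.$dnsRoot"
        $site    = "_ldap._tcp.$($rodc.Site)._sites.dc._msdcs.$dnsRoot"
        $inSrv = {
            param([string]$Name)
            try {
                $srv = Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop
                [bool]($srv | Where-Object { $_.NameTarget -ieq $id })
            } catch { $null }   # record unresolvable: report as unknown
        }

        [pscustomobject]@{
            RODC                = $id
            Site                = $rodc.Site
            AllowedCount        = $allowed.Count
            DeniedCount         = $denied.Count
            RevealedCount       = $revealed.Count
            RevealedProtected   = ($revealedProtected -join ', ')   # expected: empty
            InSiteLocatorSRV    = & $inSrv $site                    # expected: True
            InGenericLocatorSRV = & $inSrv $generic                 # expected: False
        }
    }
}

Get-RodcExposure | Format-Table -AutoSize
```

A non-empty RevealedProtected column or InGenericLocatorSRV = True is what to investigate: the first means a privileged secret is cached on a DC you cannot fully trust, the second means clients outside the RODC's site may be directed to it.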

RODC References

Read-Only Domain Controllers Step-by-Step Guide

Chris has a nice write-up on RODC integration with DNS.

Windows Server 2008 RODC Interview Questions !

Read-Only Domain Controller Planning and Deployment Guide

Windows 2008 RODC Tick List for Deployment

Steps for Deploying an RODC

Read-Only Domain Controller (RODC) Branch Office Guide

RODC Post-Installation Configuration

Designing RODCs in the Perimeter Network

Deploying RODCs in the Perimeter Network

AD DS/RODC in the Perimeter Network (Windows Server 2008)

Understanding “Read Only Domain Controller” authentication

RODC Frequently Asked Questions

Read-Only Domain Controllers Application Compatibility Guide

Performing a Staged RODC Installation

Testing Application Compatibility with RODCs

Known Issues for Deploying RODCs

Troubleshooting RODC’s: Troubleshooting RODC location in the DMZ

Microsoft KB’s and Hotfixes

You cannot create or delete managed service accounts in a perimeter network in Windows 7 or in Windows Server 2008 R2

Description of the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients and for Windows Vista

Authentication fails when an external client tries to log on to a Windows Server 2008 server by using a read-only domain controller in a perimeter network


Posted in Directory Services

Windows 8 developer edition is out

September 15th, 2011

Windows 8 developer edition is out and can be downloaded from here, but the features provided may or may not work, depending on future releases. Windows 8 offers lots of new features compared to Windows 2008 R2. It promises less memory utilization, better throughput, and much faster performance than the previous version of the OS.

Mark has a great listing of Windows 8 features in detail.

Windows 8 offers image-based login compared to the old model of entering passwords. The normal desktop has been changed to the Metro UI, with constant dynamic updating of favorite links like Facebook, weather stats, news, etc. right on the desktop. Windows 8 promises a lot more to be added and improved, and promises value for money.

The major enhancement is the inclusion of NIC teaming software with the OS, so no third-party software is required for teaming in Windows 8. Windows 8 offers GUI features in the Core edition which can be turned on and off based on requirements, such as patch installations.

For Active Directory a load of new features has been added, such as remote DCPROMO, virtualization-aware domain controllers, and AD Recycle Bin/Fine-Grained Password management included in the ADAC GUI.

In Hyper-V some improvements are replicating a VM from one Hyper-V host to another Hyper-V host without the need for any additional software, VMs on a file server, and the new VHDX format, which is faster and allows sizes greater than 1 TB, etc.

Windows 8 promises a lot more with the final release. I have not tested it, being busy with a client project; I will add more material on Windows 8 once I test it in a lab.

Till then, enjoy the Windows 8 developer edition.


Posted in OS/Certificates

How Microsoft Monitors More Efficiently with System Center Operations Manager 2007 R2

August 22nd, 2011

I was browsing stuff on SCOM (System Center Operations Manager) 2007 and found the article below useful, and thought of sharing it with others.

How Microsoft Monitors More Efficiently with System Center Operations Manager 2007 R2 (Video Link)

Repository for SCOM

Repository for SCCM(2007, 2007 R2, 2007 R3 & 2012)

Posted in SCCM/SCOM

Internet Explorer 9 blocks 99% malware attacks: NSS Lab study!

August 19th, 2011


IE9 continues to protect consumers

With one third of internet users in Asia-Pacific alone becoming victims of threats like malware, the need for online security is more relevant than ever. To address these online concerns, Microsoft created its latest browser, Internet Explorer 9, which provides a safe, secure, yet beautiful and speedy browsing experience. Today, NSS Labs released two reports which show that the SmartScreen feature in Internet Explorer continues to offer industry-leading protection against socially engineered malware. As per the report, “Internet Explorer 9 blocks an exceptional 99% of malware. 96% of the live threats were caught with SmartScreen URL reputation in IE9, and an additional 3.2% with Application Reputation.”

What’s more, since the October 2010 NSS report, the average time taken by the SmartScreen filter to block a threat has gotten 28% faster; if Application Reputation is considered, the average time has improved by 85%. The graph below compares the test results from various browsers and shows that Internet Explorer blocks 5X more malware than competitive browsers.

The other reports looked at socially engineered malware targeted towards people living in the Asia Pacific region and in Europe. As you can see below, in each region the results remained consistent – Internet Explorer 9 maintains a lead in protecting users from live threats.

* You can check out the entire web browser security report by NSS Labs by clicking here.

It is no surprise that a browser is the first line of defense against attacks from the web, and it plays an important role in helping keep you safe online. Internet Explorer is designed with your security and privacy in mind. The new browser has a robust set of built-in security, privacy, and reliability technologies that help keep consumers safe and their browsing experience virtually uninterrupted. With IE9, we have introduced new functionalities like Tracking Protection, Tracking Protection Lists, and ActiveX Filtering, to name a few. IE9 makes browsing the web an even safer and more protected experience from here on.

IE9 has received positive feedback from consumers globally. As of today, Internet Explorer 9 has over 18% usage share worldwide on Windows 7. You can download Internet Explorer 9 to see how you can enjoy a more beautiful and trusted web!

Posted in OS/Certificates

New release queued for Exchange 2010 later this year

July 17th, 2011

The much-awaited PST Capture tool, to search for and destroy PST files on domain systems (because of data theft and misuse), is going to be available by year end. It will also be used for importing PSTs into Exchange Server as well as Exchange Online. You can read more at the links below.

Exchange Server 2010 SP2 has been marked for release at year end with some nice enhancements; more at the link below.


Posted in Exchange

Improvements in windows 2008/2008 R2(AD/DNS)

July 11th, 2011

There are a few good enhancements in Windows 2008/2008 R2 that are not known to all. I thought of putting them in a single place, which will help me as well as others for reference.

What’s New in AD DS in Windows Server 2008

What’s New in AD DS in Windows Server 2008 R2

What’s New in DNS

Windows Server 2008 – DNS enhancement nuggets

Review Bridgehead Server Load-Balancing Improvements with Windows Server 2008 RODCs

Changes in Functionality from Windows Server 2008 to Windows Server 2008 R2

Bridgehead Server Selection

Windows Server 2008 resolve Domain Controller Load Balancing problems


Posted in Directory Services
