Dedicated Exchange Sites in Active Directory

A comment I received on a previous post on sites and subnets in Active Directory was “what benefit(s) does a dedicated Exchange site provide?”. There are a couple of things to consider here with the advent of Exchange 2007. The first is the great degree of dependency Exchange has on Active Directory data for everything it does. The second, applicable to Exchange 2007 deployments, is that Exchange now uses the Active Directory site topology to route email. I’m not familiar enough with this scenario yet to speak to it, but I will speak to the need for fast and reliable global catalog … Continue reading Dedicated Exchange Sites in Active Directory

Subnet Definitions in Active Directory

One of the common misunderstandings I see working with organizations and their Active Directory deployments is with regard to subnet definitions in Active Directory. This discussion came up recently on the mailing list so I thought I would write up a quick summary of how this works. Subnets are defined in Active Directory solely for defining what sites in Active Directory a set of machines belong to. The subnet definitions do not correspond to the actual layer 3 routing within the organization. This is a key misunderstanding – the layer 3 routing design does not have to correspond to … Continue reading Subnet Definitions in Active Directory

How to get the Windows 2003 Admin Tools Working on Vista

Out of the box, the Windows 2003 Adminpak tools do not run on Windows Vista. When they are loaded, MMC claims that “MMC could not create the snap-in.” This is due to some DLLs not being registered properly. To fix this, paste the following commands into a command prompt or batch file running with elevated privileges (right click and “Run as Administrator”):

    regsvr32 /s adprop.dll
    regsvr32 /s azroles.dll
    regsvr32 /s azroleui.dll
    regsvr32 /s ccfg95.dll
    regsvr32 /s certadm.dll
    regsvr32 /s certmmc.dll
    regsvr32 /s certpdef.dll
    regsvr32 /s certtmpl.dll
    regsvr32 /s certxds.dll
    regsvr32 /s cladmwiz.dll
    regsvr32 /s clcfgsrv.dll
    regsvr32 /s clnetrex.dll
    regsvr32 /s … Continue reading How to get the Windows 2003 Admin Tools Working on Vista

How to Authenticate against Active Directory from a Cisco PIX

A few months ago I posted an article with steps to configure Windows IAS and Cisco IOS for authentication to Active Directory via RADIUS. I wanted to follow up on that with a quick overview of how to set up a PIX for management access authentication via Windows IAS and Active Directory. All of the steps for configuring IAS are identical, so I’m not going to cover that again. Remember, if you have a failover pair, to add the standby partner to IAS as well. This example was built on a PIX 7.1 box; it will work on 7.X and … Continue reading How to Authenticate against Active Directory from a Cisco PIX

Manually Removing a Domain Controller from Active Directory

Another one from the questions I answer all the time on the newsgroups – what do I do when a domain controller is permanently failed and needs to be removed from Active Directory? The first thing to do is to make sure the DC is really gone – wipe it. You don’t want it coming back up after all this for whatever reason. The second thing is don’t just delete the DC from AD Users & Computers or AD Sites & Services. There are a bunch of things under the hood that have to take place first. Microsoft has several … Continue reading Manually Removing a Domain Controller from Active Directory

How to Determine What Domain Controller Authenticated the User

A frequent question on the newsgroups is how do I know what domain controller logged me in? To find this out, open a command prompt and type "set logonserver". echo %logonserver% has the same functionality. This is an environment variable so you could use it from a script if you wanted.

Delegating Enable/Disable Account Rights in Active Directory

I answer this question a lot on the newsgroups – "How do I delegate enabling and disabling Active Directory accounts?". The long and short of it is you can't. More precisely you can't without delegating access to set a whole bunch of other stuff. The enabled/disabled flag is set as part of a larger bitmask which controls various other properties of a user account. The attribute that this is stored in is the userAccountControl bitmask which is on every user account. The vast majority of options in this bitmask are the checkboxes that you see on the account tab of … Continue reading Delegating Enable/Disable Account Rights in Active Directory

Active Directory GUI Tools on a Member Server

A useful tip I've found people tend not to know about is that the Active Directory GUI tools (AD Users and Computers, Sites and Services, etc) are installed on every Windows 2000 and 2003 server regardless of whether or not the server is a domain controller. When the server is promoted to domain controller status, the shortcuts are just added to the Start Menu. To launch the tools without the shortcuts (e.g. from Start>Run) you just need to know the filenames of the tools:

    Active Directory Users and Computers – dsa.msc
    Active Directory Sites and Services – dssite.msc
    Active Directory … Continue reading Active Directory GUI Tools on a Member Server

New Look for the Site

After a couple hours of customization, I activated a new theme for the site. The old look was the same theme I had when I started a blog on in 2003. I felt like it was kind of depressing to look at the old colors – there was a lot of gray in there. With that in mind I settled on a new theme which is far brighter and certainly less visually depressing. I also recently added a little "Share this post" bar at the bottom of each post – it has links for emailing the post, as well … Continue reading New Look for the Site

How to implement Windows Forms Based Authentication in ASP.Net

This is an updated version of an article I wrote in March 2003 for ASPAlliance. I corrected some minor errors and updated the code samples a bit. C# and VB.Net samples are both attached at the bottom of the page.

Introduction

The Windows authentication prompt can often be an intimidating dialog for users. It asks for two or three things: username, password, and sometimes domain. Users may (and should) know their network username and password combination, but how many of them know the name of the domain their account is kept on? To make matters more complex, depending on the … Continue reading How to implement Windows Forms Based Authentication in ASP.Net