
Posts

Showing posts with the label MOC 6425

Enable the Windows Server 2008 R2 Active Directory Recycle Bin Graphically

Traditionally, the Active Directory Recycle Bin is enabled by typing a command similar to the one below in PowerShell. Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'   It is no secret that I am a big PowerShell fan, but let's not forget to work smarter, not harder.  If you have a Windows 8 client available to you, you can manage the AD Recycle Bin graphically even with only Windows Server 2008 R2 domain controllers, because the Active Directory Administrative Center in Windows 8 can manage the AD Recycle Bin. Once you install RSAT for Windows 8 on your client, open Administrative Tools. Next, open the Active Directory Administrative Center. Select your domain. The AD Recycle Bin requires that both your domain and forest functional levels are...

Disable local policies

For those of you who have taken classes with me that involve Group Policy, you know the warnings I have given about not using local policy.  Here is a link to an article at Microsoft that shows you how to disable it: the Turn off Local Group Policy Objects processing setting under Computer Configuration\Administrative Templates\System\Group Policy, which makes the machine ignore its local GPOs so that only domain policy applies.  I would look at doing this in your deployment image, since it is a per-machine (one-to-one) operation. http://technet.microsoft.com/en-us/library/cc730760.aspx

How to delegate out permissions to rename user accounts

This question came from one of my Active Directory classes. To find the solution, I installed RSAT on a Windows 8 client.  I also created a user named JYoder who is not a member of any special group, and I had to do a little detective work to figure out a small piece of this puzzle. The first big problem is that the Last Name field is missing from the Delegate Control Wizard: the SN attribute, which is the last name, is not offered.  Here is where the fun starts.  On the client that you are using to delegate rights, open dssec.dat.  You will find it in %Systemroot%\System32.  Make a copy of this first and then open it in Notepad. Now scroll close to the bottom.  You will notice that the file is divided into object types.  Close to the bottom, you will find the User object.  Look for the SN field in the user object (make sure you are in the user object, not another one). Now look for SN=7 and change it to SN=0.  Keep in mind that dssec.dat only controls which attributes the wizard displays on this client; it is not a security setting, and the ACEs the wizard writes to the OU are what the domain controller actually enforces. Save the ...
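The Delegate Control Wizard is only one way to write those permissions. As an added example that is not part of the post, the script below grants the same attribute-level rights with the AD security API from PowerShell, so nothing depends on what dssec.dat lets the wizard display and the resulting ACEs can be read back and checked. The delegate name JYoder comes from the post; the OU distinguished name OU=Staff,DC=contoso,DC=com and the function names are placeholders of mine.

```powershell
# Added example, not the post's own steps. Assumes the RSAT ActiveDirectory
# module (which provides the AD: drive) and an account allowed to change the
# OU's security descriptor. Delegate and OU names below are placeholders.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # schemaIDGUID is stored as a byte array; the GUID is what object-specific ACEs reference
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "No schema object named $LdapDisplayName" }
    [guid]$obj.schemaIDGUID
}

function Grant-UserRenameDelegation {
    param(
        [Parameter(Mandatory)][string]$Delegate,            # sAMAccountName of the delegate
        [Parameter(Mandatory)][string]$OrganizationalUnit,  # DN of the OU to delegate on
        [string[]]$Attributes = @('givenName', 'sn', 'displayName')
    )
    $sid       = (Get-ADUser -Identity $Delegate).SID
    $userClass = Get-SchemaGuid -LdapDisplayName 'user'
    $path      = "AD:\$OrganizationalUnit"
    $acl       = Get-Acl -Path $path

    foreach ($attr in $Attributes) {
        # One ACE per attribute: WriteProperty on this attribute only (ObjectType =
        # attribute GUID), inherited by user objects below the OU and nothing else
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            (Get-SchemaGuid -LdapDisplayName $attr),
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userClass)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
}

function Test-UserRenameDelegation {
    param([Parameter(Mandatory)][string]$Delegate, [Parameter(Mandatory)][string]$OrganizationalUnit)
    $sid = (Get-ADUser -Identity $Delegate).SID
    # Read the ACL back and list only the ACEs naming the delegate: an ACE whose
    # ObjectType is the empty GUID would mean write access to every attribute
    (Get-Acl -Path "AD:\$OrganizationalUnit").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
}

Grant-UserRenameDelegation -Delegate 'JYoder' -OrganizationalUnit 'OU=Staff,DC=contoso,DC=com'
Test-UserRenameDelegation  -Delegate 'JYoder' -OrganizationalUnit 'OU=Staff,DC=contoso,DC=com'
```

If "rename" in your environment means changing the object's own CN rather than the name fields, the delegate additionally needs WriteProperty on cn and name; pass those through -Attributes. Either way, verify with the read-back function rather than the wizard's summary page, since the GUID-scoped ACEs are what the DC enforces.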

Get the name of a Server using the SID

In class we received audit logs that contained only a SID.  Since we were interested in getting the name of the client associated with that SID, we turned to PowerShell for the answer. The SID has two parts: an identifier that is unique to the domain, and then the Relative Identifier (RID) for the account. The RID is the last portion of the SID and is unique within that domain; the same RID can exist in another domain, which is why the domain part also matters when you search.  Below is an example. S-1-5-21-3400766600-4132462866-2336755051-1149 The RID is 1149.  This is what we need to search for in Active Directory.  For a client, use this PowerShell command. Get-ADComputer -Filter * | Where-Object {$_.SID -like "*-1149"} | Select-Object -Property Name, SID The Get-ADComputer cmdlet retrieves all computer objects in Active Directory; SID is one of the attributes it returns by default, so no -Properties parameter is needed. Note the hyphen in the pattern: "*1149" alone would also match RIDs such as 11149. The Where-Object cmdlet will filter all the computer objects for ...
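As an added example that is not part of the post, the function below does the same lookup without a wildcard: it pulls the SID out of a log line, checks that the domain part of the SID matches the domain you are querying (falling back to a Global Catalog search when it does not), and matches objectSid exactly, so a user, computer or group is found regardless of class. The sample log line is constructed around the SID shown in the post; the function names are mine, and the ActiveDirectory RSAT module is assumed.

```powershell
# Added example, not the post's own command. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SidFromText {
    # Pull every domain SID (S-1-5-21-<3 sub-authorities>-<RID>) out of a text line
    param([Parameter(Mandatory)][string]$Text)
    [regex]::Matches($Text, 'S-1-5-21(?:-\d+){4}') | ForEach-Object { $_.Value } | Select-Object -Unique
}

function Resolve-AuditSid {
    param([Parameter(Mandatory)][string]$Sid)

    if ($Sid -notmatch '^S-1-5-21-\d+-\d+-\d+-(\d+)$') { throw "Not a domain account SID: $Sid" }
    $rid       = [int]$Matches[1]
    $domainSid = $Sid.Substring(0, $Sid.LastIndexOf('-'))

    $domain = Get-ADDomain
    if ($domain.DomainSID.Value -ne $domainSid) {
        # The RID is only unique inside its own domain. If the domain part differs,
        # ask a Global Catalog with an empty search base so the whole forest is searched.
        $gc  = "$((Get-ADForest).RootDomain):3268"
        $obj = Get-ADObject -Server $gc -SearchBase '' -LDAPFilter "(objectSid=$Sid)" -Properties sAMAccountName
    } else {
        # Exact match on objectSid instead of a trailing wildcard on the digits
        $obj = Get-ADObject -LDAPFilter "(objectSid=$Sid)" -Properties sAMAccountName
    }

    if ($obj) {
        return [pscustomobject]@{ SID = $Sid; RID = $rid; Name = $obj.sAMAccountName; ObjectClass = $obj.ObjectClass; Source = 'directory' }
    }

    # Not in the directory (deleted object, or a SID from a trusted domain):
    # try the local SID-to-name translation before reporting it as unresolved
    try { $name = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $null }
    [pscustomobject]@{ SID = $Sid; RID = $rid; Name = $name; ObjectClass = $null; Source = 'lsa-lookup' }
}

# Constructed sample line; the SID is the one used in the post
$sampleLogLine = '4624 An account was successfully logged on. Security ID: S-1-5-21-3400766600-4132462866-2336755051-1149'
Get-SidFromText -Text $sampleLogLine | ForEach-Object { Resolve-AuditSid -Sid $_ }
```

Because the search is an exact objectSid match, the ObjectClass field tells you whether the SID in the log was a computer, a user or a group, which the Get-ADComputer-only query above cannot.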

Phonetic attributes in Active Directory

Sometimes you come across a user account or resource that is named in a way that is not common to your native language, and users may have difficulty searching for it.  Active Directory now has several phonetic attributes to help your users out. ms-DS-Phonetic-First-Name contains the phonetic given name or first name of the person. ms-DS-Phonetic-Last-Name contains the phonetic last name of the person. ms-DS-Phonetic-Department contains the phonetic department name where the person works. ms-DS-Phonetic-Company-Name contains the phonetic company name where the person works. ms-DS-Phonetic-Display-Name is the phonetic display name of an object; in the absence of a phonetic display name, the existing display name is used. (Their LDAP display names, which you use in scripts and filters, are msDS-PhoneticFirstName, msDS-PhoneticLastName, msDS-PhoneticDepartment, msDS-PhoneticCompanyName and msDS-PhoneticDisplayName.)   To test this I manually populated the ms-DS-Phonetic-First-Name attribute with Bbrraadd for the user named Brad.  In Active Directory Users and Computers, I did a search for the name Bbrr.  It returned th...
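As an added example (not code from the post), the script below populates the phonetic attributes from PowerShell and then searches on them with an LDAP prefix filter, which is the same test the post performed by hand in Active Directory Users and Computers. The search term is escaped before it goes into the filter so that a value typed by a user cannot alter the query. The user Brad and the value Bbrraadd are taken from the post; the function names are mine, and the ActiveDirectory RSAT module is assumed.

```powershell
# Added example, not the post's own steps. Assumes the RSAT ActiveDirectory module
# and write access to the target user's phonetic attributes.
Import-Module ActiveDirectory

function ConvertTo-LdapLiteral {
    # Escape the characters that have meaning in an LDAP filter (RFC 4515) so a
    # search term never changes the shape of the query. Backslash goes first.
    param([Parameter(Mandatory)][string]$Text)
    $Text -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Set-PhoneticName {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$PhoneticFirstName,
        [string]$PhoneticLastName,
        [string]$PhoneticDisplayName
    )
    $values = @{}
    if ($PhoneticFirstName)   { $values['msDS-PhoneticFirstName']   = $PhoneticFirstName }
    if ($PhoneticLastName)    { $values['msDS-PhoneticLastName']    = $PhoneticLastName }
    if ($PhoneticDisplayName) { $values['msDS-PhoneticDisplayName'] = $PhoneticDisplayName }
    if ($values.Count -eq 0)  { throw 'No phonetic value supplied' }
    # -Replace writes the attribute whether or not it already has a value
    Set-ADUser -Identity $Identity -Replace $values
}

function Find-UserByPhonetic {
    # Prefix match across the three name-like phonetic attributes
    param([Parameter(Mandatory)][string]$Prefix)
    $p = ConvertTo-LdapLiteral -Text $Prefix
    $filter = "(|(msDS-PhoneticFirstName=$p*)(msDS-PhoneticLastName=$p*)(msDS-PhoneticDisplayName=$p*))"
    Get-ADUser -LDAPFilter $filter -Properties 'msDS-PhoneticFirstName', 'msDS-PhoneticLastName', 'msDS-PhoneticDisplayName' |
        Select-Object SamAccountName, 'msDS-PhoneticFirstName', 'msDS-PhoneticLastName', 'msDS-PhoneticDisplayName'
}

Set-PhoneticName -Identity 'Brad' -PhoneticFirstName 'Bbrraadd'
Find-UserByPhonetic -Prefix 'Bbrr'
```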

Reliability Monitor is Empty in Server 2008

On some installations of Server 2008, the Reliability Monitor does not record data.  The instructions below are from Microsoft and I have tested them; they do work.

1. Click Start, type Task Scheduler in the Search box, and then click Task Scheduler.
2. Enable the trigger that regularly starts the RacTask task.
   a. In Task Scheduler, expand Task Scheduler Library, expand Microsoft, and then expand Windows.
   b. Right-click RAC, click View, and then click to select the Show Hidden Tasks command. Note: if the Show Hidden Tasks command is already selected, go to step 2c.
   c. Double-click RacTask.
   d. In the RacTask Properties dialog box, click the Triggers tab.
   e. On the Triggers tab, double-click the One time trigger.
   f. In the Edit Trigger dialog box, click to select the Enabled option, and then click OK.
   g. In the RacTask Properties dialog box, click OK.
   h. Close Task Scheduler.
3. Update a registry setting.
   a. Click Start, type Regedit in the Search box, and then clic...

Use GPO Preferences to populate built–in groups on your clients.

If you need to add users or domain groups to the built-in groups on your clients, you have two choices.  You can use Restricted Groups.  The problem with Restricted Groups (when you define the Members list) is that it removes any existing members of that group and prevents you from adding more except through Group Policy.  The other option is Group Policy Preferences.

1. Create a GPO to hold this preference item.
2. Edit the policy and expand Computer Configuration / Preferences / Control Panel Settings.
3. Right-click Local Users and Groups and select New -> Local Group.
4. In the Action drop-down list, ensure Update is selected.  The Update action will not remove the group if it already exists; if it does not exist, the group will be created.
5. In the Group Name field, type the name of the group that you want to add members to.
6. Under Members, click Add, and click OK when completed.
7. Apply this policy to the appropriate portion of Active Directory.
8. Refresh ...

DFSR Migration for RODC is stuck

During a DFSR SYSVOL migration on Windows Server 2008, problems can occur with the migration of Read-Only Domain Controllers. See the image below. The RODC is stuck trying to move to the Prepared state.  First, go to the RODC and run Repadmin /SyncAll /AeD.   On the PDC Emulator, run dfsrmig /GetMigrationState. If the migration completed, continue on.  If not, run dfsrmig /CreateGlobalObjects, which manually creates the global objects for DFS Replication. On the PDC Emulator, run dfsrmig /GetMigrationState again. You should now be ready to move on to the next step in the migration process.

What happens to the FSMO roles on a DC if it is demoted to a member server?

To test this out, I used NETDOM QUERY FSMO to make sure that all the FSMO roles were on the server I was about to demote to a member server. When DCPromo was executed, the FSMO roles were transferred to another DC.
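Relying on the demotion to pick a new holder means you do not choose where the roles land. As an added example that is not part of the post, the script below records the current holders, transfers (not seizes) any role held by the DC you are about to demote to a DC you name, and returns the holders afterwards so the result can be checked before DCPromo runs. Server names are placeholders; the ActiveDirectory RSAT module is assumed.

```powershell
# Added example, not the post's own procedure. Assumes the RSAT ActiveDirectory
# module and an account allowed to transfer the roles (Enterprise Admins for the
# two forest roles, Domain Admins for the three domain roles).
Import-Module ActiveDirectory

function Get-FsmoHolder {
    # Same information as NETDOM QUERY FSMO, as one object with FQDN values
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Move-FsmoOffServer {
    param(
        [Parameter(Mandatory)][string]$Leaving,   # DC about to be demoted (short name or FQDN)
        [Parameter(Mandatory)][string]$Target     # DC that should hold the roles afterwards
    )
    $before = Get-FsmoHolder
    # Property names match the OperationMasterRole enum, so they can be passed straight through
    $roles = $before.PSObject.Properties |
        Where-Object { $_.Value -eq $Leaving -or $_.Value -like "$Leaving.*" } |
        ForEach-Object { $_.Name }

    if ($roles) {
        # A transfer needs the current holder online; -Force would seize instead,
        # which is only for a holder that is permanently gone.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $roles -Confirm:$false
    }
    $after = Get-FsmoHolder
    $still = $after.PSObject.Properties | Where-Object { $_.Value -eq $Leaving -or $_.Value -like "$Leaving.*" }
    if ($still) { throw "Roles still on $Leaving after transfer: $($still.Name -join ', ')" }
    $after
}

Get-FsmoHolder
Move-FsmoOffServer -Leaving 'DC1' -Target 'DC2'
```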

Determine what is stored in the Global Catalog with DSQuery

It is rare these days that I use a DS command, but in this case it worked out well.  Use the command below to return the attributes that are currently stored in the Global Catalog.  The schema, and therefore the partial attribute set, is forest-wide, so the list applies to every GC in the forest.  This command was executed with administrative-level permissions on a domain controller.  Replace YourDomain with the LDAP name of your forest root domain. dsquery * "cn=Schema,cn=Configuration,dc=YourDomain,dc=com" -filter "(&(objectCategory=AttributeSchema)(IsMemberOfPartialAttributeSet=TRUE))" -attr LDAPDisplayName -limit 0   The resulting list is the attributes in Active Directory that are also in the Global Catalog.
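As an added example (not the post's own command), the same query in the ActiveDirectory PowerShell module, extended with two bits of schema metadata a reviewer of the GC contents wants: whether the attribute shipped with the base schema (systemFlags bit 0x10) or was added to the partial attribute set later, and whether it is marked confidential (searchFlags bit 0x80). The function name is mine; the RSAT module is assumed.

```powershell
# Added example, not the post's own command. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-GlobalCatalogAttribute {
    # Attributes whose isMemberOfPartialAttributeSet flag is TRUE are replicated
    # to every Global Catalog in the forest.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
        -Properties lDAPDisplayName, systemFlags, searchFlags |
    ForEach-Object {
        [pscustomobject]@{
            Attribute    = $_.lDAPDisplayName
            BaseSchema   = (($_.systemFlags -band 0x10) -ne 0)   # FLAG_SCHEMA_BASE_OBJECT
            Confidential = (($_.searchFlags -band 0x80) -ne 0)   # confidential attribute bit
        }
    } | Sort-Object Attribute
}

# Full list, equivalent to the dsquery output
Get-GlobalCatalogAttribute

# Attributes someone added to the GC after the base schema: each one is now
# replicated to every GC in the forest and, unless marked confidential,
# readable by any authenticated user who can query a GC.
Get-GlobalCatalogAttribute | Where-Object { -not $_.BaseSchema }
```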

List the PSO associated with a user account with PowerShell

    PSOs (Password Settings Objects) are the objects behind Fine-Grained Password Policy.  A PSO allows an organization to apply different password policies to different global security groups (or to individual users).  Unlike a Windows 2003 domain, where all passwords must meet the same rules, a 2008 domain can have multiple sets of rules for passwords.   The code below obtains a list of all user accounts that have a PSO assigned and which PSO it is.  It is designed to be used as a function or dot-sourced into PowerShell.   <# .SYNOPSIS Returns a list of user names and their PSO. .DESCRIPTION Returns a list of user names and the resultant PSO that is currently in effect on that user. .EXAMPLE Get-PSOUsers Returns a list to the pipeline of the username and the PSO currently in effect on the user account. .EXAMPLE Get-PSOUsers | Sort-Object PSO Returns a list...
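The post's own function is cut off above, so here is an added example of my own (not the author's code) that does what the synopsis describes: it queries the resultant PSO for every enabled user, since a user in several PSO-bearing groups gets only the one with the lowest precedence, and then flags any user whose resultant policy is weaker than the default domain policy, which is the case an auditor cares about. The function names are mine; the ActiveDirectory RSAT module is assumed.

```powershell
# Added example, not the post's own function. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PSOUsers {
    # One object per enabled user that has a resultant PSO. Users governed only by
    # the default domain policy return $null from the resultant query and are skipped.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase | ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_
        if ($pso) {
            [pscustomobject]@{
                User              = $_.SamAccountName
                PSO               = $pso.Name
                Precedence        = $pso.Precedence        # lowest number wins when several apply
                MinPasswordLength = $pso.MinPasswordLength
                ComplexityEnabled = $pso.ComplexityEnabled
                LockoutThreshold  = $pso.LockoutThreshold
            }
        }
    }
}

function Get-WeakPSOAssignment {
    # Users whose resultant PSO relaxes a setting below the default domain policy
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $default = Get-ADDefaultDomainPasswordPolicy
    Get-PSOUsers -SearchBase $SearchBase | Where-Object {
        $_.MinPasswordLength -lt $default.MinPasswordLength -or
        (-not $_.ComplexityEnabled -and $default.ComplexityEnabled) -or
        ($_.LockoutThreshold -eq 0 -and $default.LockoutThreshold -gt 0)   # 0 = never locks out
    }
}

Get-PSOUsers | Sort-Object PSO, User
Get-WeakPSOAssignment
```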

Minimum Forest Functional Level for AD Recycle Bin

In class, I discovered the hard way that we not only need our domain functional level at Windows Server 2008 R2, but also the forest functional level, to use the AD Recycle Bin.  Raising our 2003 forest functional level to 2008 gains us no new functionality.  We do, however, gain the AD Recycle Bin when raising our forest from 2008 to 2008 R2.  Below is a list from Microsoft of the features that are enabled with each domain and forest level. Domain Functional Levels Windows 2000 native All default Active Directory features and the following features: Universal groups are enabled for both distribution groups and security groups. Group nesting. Group conversion is enabled, which makes conversion between security groups and distribution groups possible. Security identifier (SID) history. Windows Server 2003 All default Active Directory features, all features from the Windows 2000 native domain functional level, and the following features: The availability of the domain manage...

Error when enabling Active Directory Recycle Bin

While attempting to enable the Active Directory Recycle Bin, I received the following error:   Enable-ADOptionalFeature: The specified method is not supported. At line:1 char:25 +Enable-ADOptionalFeature <<<<  -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'   +CategoryInfo          : NotSpecified: (CN=Recycle Bin ..=contoso,DC=com:ADOptionalFeature) [Enable-ADOptionalFeature], ADException   + FullyQualifiedErrorId : The specified method is not supported,Microsoft.ActiveDirectory.Management.Commands.EnableADOptionalFeature This is caused by the forest functional level not being at Windows2008R2Forest or higher (which in turn requires every domain in the forest to be at Windows2008R2Domain or higher).   To determine your current levels, type the following commands in PowerShell. Import-Modu...

Can a local RODC administrator add another user as a local administrator?

For this test I created an RODC.  I added a user named Adam.Carter to the local administrators group using this procedure.
1. Log on with an administrator account.
2. Open a command prompt.
3. Type Dsmgmt and press Enter.
4. Type Local Roles and press Enter.
5. Type Add <UserName> Administrators, where <UserName> is the name of the domain account that you want to assign as a local administrator on the RODC.
Once Adam was logged in, I repeated the process by trying to add a user named Aaron.Lee.  Aaron was added to the local administrators group.  I was also still able to log on locally with both accounts and use AD Users and Computers with both.  This is in contrast to Microsoft's documentation on the topic. Remember, an RODC local administrator cannot manage other DCs or Active Directory.  They can: install hardware devices, such as network adapters and disk drives; manage disk drives and other devices; install software updates and drivers; stop ...

Set forest and domain modes with PowerShell

Both the domain and forest functional levels in a Windows domain determine what functionality you get.  Each new Windows Server release comes with more advanced functionality than the previous version, and some of that functionality is not compatible with previous versions of the server OS.  In order to raise the functional level to, say, Windows Server 2008, all of your domain controllers must run at least Windows Server 2008.  You can still have Windows 2000 and 2003 member servers, just not as domain controllers. You can use PowerShell to raise both functional levels.  Here is an example of how to raise both levels to Windows Server 2008 R2; the forest level can only be raised once every domain in the forest is at Windows2008R2Domain, and the forest cmdlet takes the forest object and a -ForestMode parameter, not the domain ones. Open PowerShell Import-Module ActiveDirectory Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2008R2Domain Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2008R2Forest The valid values are: ID Domain Forest ...
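The three Recycle Bin posts above (the graphical method, the "specified method is not supported" error, and raising the functional levels) are steps of one procedure, so here is one added example that is not the posts' own code and ties them together: it reports both functional levels and whether the feature is already on, refuses to call Enable-ADOptionalFeature while the forest level is too low (the condition behind that error), raises the levels only when asked, and only enables the feature when explicitly committed, since that step cannot be undone. The function names and switches are mine; it assumes the RSAT ActiveDirectory module and an Enterprise Admins account.

```powershell
# Added example, not code from the posts. Assumes the RSAT ActiveDirectory module
# and membership in Enterprise Admins (needed to raise the forest level and to
# enable a forest-scoped optional feature).
Import-Module ActiveDirectory

function Get-RecycleBinReadiness {
    $forest  = Get-ADForest
    $domain  = Get-ADDomain
    $feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }

    # The mode enums are ordered by OS release, so an [int] comparison gives a
    # reliable "at least 2008 R2" test that also accepts later levels.
    $minForest = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    $minDomain = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain

    [pscustomobject]@{
        Forest         = $forest.Name
        ForestMode     = $forest.ForestMode
        DomainMode     = $domain.DomainMode
        ForestModeOK   = ([int]$forest.ForestMode -ge $minForest)
        DomainModeOK   = ([int]$domain.DomainMode -ge $minDomain)
        AlreadyEnabled = (($feature.EnabledScopes | Measure-Object).Count -gt 0)
    }
}

function Enable-RecycleBinChecked {
    param(
        [switch]$RaiseLevels,   # raise domain, then forest, level to 2008 R2 if needed
        [switch]$Commit         # actually enable the feature (irreversible)
    )
    $state = Get-RecycleBinReadiness
    if ($state.AlreadyEnabled) {
        Write-Host "Recycle Bin is already enabled in forest $($state.Forest)"
        return $state
    }

    if (-not $state.ForestModeOK) {
        if (-not $RaiseLevels) {
            # Calling Enable-ADOptionalFeature now fails with "The specified method is not supported"
            throw "Forest $($state.Forest) is at $($state.ForestMode); rerun with -RaiseLevels once every DC runs 2008 R2 or later."
        }
        # Domain level first, then forest. In a multi-domain forest every domain
        # must be raised before the forest step succeeds. Treat both as one-way.
        if (-not $state.DomainModeOK) {
            Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2008R2Domain -Confirm:$false
        }
        Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2008R2Forest -Confirm:$false
    }

    if (-not $Commit) {
        Write-Host 'Prerequisites met. Rerun with -Commit to enable the Recycle Bin; this cannot be undone.'
        return Get-RecycleBinReadiness
    }

    # -Identity accepts the feature's name as well as its DN; -Target is the forest FQDN
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $state.Forest -Confirm:$false
    Get-RecycleBinReadiness
}

Enable-RecycleBinChecked
```

Run it once with no switches to see the readiness report; the levels and the feature change only when you pass -RaiseLevels and -Commit respectively.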

Change the description on a multi-boot server.

For those of us who need a server that can boot into multiple operating systems, we may have an issue on the boot menu where different bootable operating systems have the same name.  Take a look below.   I got to this by clicking Start, right-clicking Computer and selecting Properties. In the upper left, I clicked Advanced System Properties. On the System Properties window, I clicked the Advanced tab. In the Startup and Recovery box, I clicked Settings... You can see in the Default Operating System drop-down that I have two Windows Server 2008 R2 configurations listed. Which one do I want to use?  Here is how to fix that. Open a command prompt with administrative-level permissions. Type bcdedit /enum and press Enter. We are interested in the Description and the Identifier.  Since the OS whose description I want to change is the current default boot, I simply need to look for an ID of {current}. Now type bcd...
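As an added example that is not part of the post, the functions below turn the text of bcdedit /enum into objects, so you can see every entry's identifier and description side by side, and then change only the description of the entry you pick, checking first that the identifier really exists. The function names are mine; the parser relies on the English field names bcdedit prints and needs an elevated PowerShell session.

```powershell
# Added example, not the post's own commands. Run from an elevated PowerShell
# prompt; the field names are the English ones printed by bcdedit.

function Get-BcdEntry {
    # Parse 'bcdedit /enum' into one object per boot entry. Entries are separated
    # by blank lines and each field line is "<name><spaces><value>".
    $entries = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in (bcdedit /enum)) {
        if ([string]::IsNullOrWhiteSpace($line)) {
            if ($current) { $entries.Add([pscustomobject]$current); $current = $null }
            continue
        }
        if ($line -match '^(\S+)\s+(.+)$') {
            $key, $value = $Matches[1], $Matches[2].Trim()
            if ($key -eq 'identifier') { $current = [ordered]@{ identifier = $value } }
            elseif ($current)          { $current[$key] = $value }
            # Section headers such as "Windows Boot Loader" arrive before any
            # identifier, so $current is $null and they are ignored.
        }
    }
    if ($current) { $entries.Add([pscustomobject]$current) }
    $entries
}

function Rename-BcdEntry {
    param(
        [Parameter(Mandatory)][string]$Identifier,   # e.g. {current} or a {GUID}
        [Parameter(Mandatory)][string]$Description
    )
    if (-not (Get-BcdEntry | Where-Object { $_.identifier -eq $Identifier })) {
        throw "No boot entry with identifier $Identifier"
    }
    # Only the menu text changes; device, path and osdevice stay as they are
    bcdedit /set $Identifier description $Description | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
    Get-BcdEntry | Where-Object { $_.identifier -eq $Identifier } | Select-Object identifier, description
}

# OS entries only (they carry an osdevice field), with what the boot menu shows
Get-BcdEntry | Where-Object { $_.PSObject.Properties.Name -contains 'osdevice' } |
    Select-Object identifier, description, device

# Give the currently booted entry a name that distinguishes it from its twin
Rename-BcdEntry -Identifier '{current}' -Description 'Windows Server 2008 R2 (lab build)'
```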

What versions of Windows 2008 R2 is the Active Directory Recycle Bin available on?

The Active Directory Recycle Bin is available for: Windows Server 2008 R2 Standard Windows Server 2008 R2 Enterprise Windows Server 2008 R2 Datacenter The AD Recycle Bin is not available on: Windows Server 2008 R2 for Itanium-Based Systems Windows Web Server 2008 R2 Just remember that you must be at Windows Server 2008 R2 Forest functional level before AD Recycle Bin is available.

What are the attributes in a User object in Active Directory

I believe I have found most of them thanks to these MSDN pages: http://msdn.microsoft.com/en-us/library/ms677605(v=vs.85).aspx http://msdn.microsoft.com/en-us/library/ms677943(v=vs.85).aspx http://msdn.microsoft.com/en-us/library/ms674997(v=vs.85).aspx Be forewarned, it is a long list. userPrincipalName The userPrincipalName is a single-valued and indexed attribute that is a string that specifies the user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, this should map to the user's e-mail name. The point of the UPN is to consolidate the e-mail and logon namespaces so that the user need only remember a single name. The UPN is the preferred logon name for Windows 2000 users. Users should be using their UPNs to log on to the domain. At logon time, a UPN is validated first by searching the local domai...