Category: Active Directory

  • Windows 2008R2 features part I: Offline domain join

    Since Windows NT4, clients who wanted to join a domain always needed a direct connection to the domain, either via VPN, dial-in or direct connection. New in Windows 2008R2 is the option for an offline domain join.. how does this work.. ? read on! A new program is introduced called djoin.exe. We can use this…

  • Delegate the right to start/stop replication

    Let’s say you want to isolate a domain controller for a certain time, you would issue the command: repadmin /options +DISABLE_INBOUND_REPL or/and +DISABLE_OUTBOUND_REPL normally this command requires Domain Admin/Enterprise Admin privileges. Why and how to change that below.. first the usual warnings: Playing with ADSIEDIT could damage your domain, please test everything in a lab…

  • Repadmin /expert

    Repadmin is the tool used to troubleshoot replication in an Active Directory forest.. commands like repadmin /replsum (to view replication summary) or repadmin /showutdvec (to view USN per domain controller).. are common commands.. it get’s tougher when we want to create or modify links during troubleshooting.. then we use /add to add replication links between…

  • Deleted DN's in attribute fields

    Let’s say an object in AD has an attribute that is a reference to another object based on DN The targeted object is deleted.. and the attribute field changes to the deleted objects CN like: CN=nameADEL:ff920d6f-d823-4fff-9448-b645bd40d5e2,CN=Deleted Objects,DC=child,DC=ROOTDOMAIN,DC=LOCAL Now when we try to clone that object to create a new object (for example user copy) the AD U&C…

  • Microsoft Certified Master: Windows 2008 – Directory

    !PASSED! As one of the first (now 27 worldwide), I can now call myself an MCM:Windows 2008-Directory!.. Congrats to all others!The Microsoft Certified Master: Windows Server 2008, Active Directory program provides the most in-depth and comprehensive training that is available today for the latest version of Windows Server 2008 with a focus on Active Directory.…

  • Next RID number

    So let’s say you want to know how many objects are created on a domain controller, you want to see shen it’s receiving a new RID pool? checkout the RID-SET Set ObjRid= GetObject (“LDAP://CN=RID Set,CN=DC01,OU=Domain Controllers,DC=fabrikam,DC=com”) it lists all the properties that the LOCAL! DC uses to handout RID numbers.. if the rIDPreviousAllocationPool and rIDAllocationPool…

  • Cross forest authentication

    Anyone installed a forest trust before.. probably else you would not be reading this post.. how does authentication work in a forest trust? Well there are two authentication mechanisms in Windows NTLM and Kerberos, both can be used in a forest trust, and both work differently. Setting it up brought me the following authentication schema..

  • Cross-forest Authenticate in VBS

    So the problem: All mailboxes of the users are migrated to a central Exchange server, comming from various Exchange 5.5/2003/2003 mailservers (contact me if you want to know how 🙂 ) . and mailboxes where cloned.. now the client needs to be pointed to the new exchange server else Outlook will not work. The challenge,…