Page 19 – blog.azureinfra.com

Windows 2008R2 features part II: Recycle Bin

By rzomerman | January 29, 2009 | No Comments | Active Directory, Windows 2008 R2

Windows 2008 R2 Active Directory introduces the Recycle Bin option. If you deployed Windows 2008 R2 or upgraded your domain to the Windows 2008 R2 schema and you think the recycle bin is active, you are wrong. You have to specifically enable the recycle bin feature.

So upgrade your forestlevel and run the following command within a poweshell console:

Enable-ADOptionalFeature -Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=DirectoryService,CN=Windows NT,CN=Services,CN=Configuration,DC=rootdomain,dc=local’

-Scope Forest -Target ‘rootdomain.local’

Windows 2008R2 features part I: Offline domain join

By rzomerman | January 29, 2009 | No Comments | Active Directory, Windows 2008 R2

Since Windows NT4, clients who wanted to join a domain always needed a direct connection to the domain, either via VPN, dial-in or direct connection. New in Windows 2008R2 is the option for an offline domain join.. how does this work.. ? read on!

A new program is introduced called djoin.exe. We can use this to join a computer to the domain which is not directly connected. What does it do? It creates a text file that can be used by a Windows 7 or Windows 2008R2 client to join the domain.

Delegate the right to start/stop replication

Let’s say you want to isolate a domain controller for a certain time, you would issue the command:

repadmin /options +DISABLE_INBOUND_REPL or/and +DISABLE_OUTBOUND_REPL

normally this command requires Domain Admin/Enterprise Admin privileges.
Why and how to change that below.. first the usual warnings:
Playing with ADSIEDIT could damage your domain, please test everything in a lab environment first blabla.

Read more

Repadmin /expert

By rzomerman | January 27, 2009 | No Comments | Active Directory

Repadmin is the tool used to troubleshoot replication in an Active Directory forest.. commands like repadmin /replsum (to view replication summary) or repadmin /showutdvec (to view USN per domain controller).. are common commands.. it get’s tougher when we want to create or modify links during troubleshooting.. then we use /add to add replication links between two servers..

But aren’t replication links the what we see in Sites & Services?
Actually no.. the links are the actual replication agreements between the two servers, each partition of the AD has it’s own replication link per server.. to view them we can use repadmin:

Deleted DN's in attribute fields

By rzomerman | December 29, 2008 | No Comments | Active Directory

Let’s say an object in AD has an attribute that is a reference to another object based on DN The targeted object is deleted.. and the attribute field changes to the deleted objects CN like: CN=nameADEL:ff920d6f-d823-4fff-9448-b645bd40d5e2,CN=Deleted Objects,DC=child,DC=ROOTDOMAIN,DC=LOCAL Now when we try to clone that object to create a new object (for example user copy) the AD U&C […]

Microsoft Certified Master: Windows 2008 – Directory

By rzomerman | August 21, 2008 | No Comments | Active Directory, Events

!PASSED! As one of the first (now 27 worldwide), I can now call myself an MCM:Windows 2008-Directory!.. Congrats to all others!The Microsoft Certified Master: Windows Server 2008, Active Directory program provides the most in-depth and comprehensive training that is available today for the latest version of Windows Server 2008 with a focus on Active Directory. […]

Next RID number

By rzomerman | July 29, 2008 | No Comments | Active Directory

So let’s say you want to know how many objects are created on a domain controller, you want to see shen it’s receiving a new RID pool? checkout the RID-SET Set ObjRid= GetObject (“LDAP://CN=RID Set,CN=DC01,OU=Domain Controllers,DC=fabrikam,DC=com”) it lists all the properties that the LOCAL! DC uses to handout RID numbers.. if the rIDPreviousAllocationPool and rIDAllocationPool […]

Kerberos multiple hops

By rzomerman | July 29, 2008 | No Comments | Kerberos

You all remember the maximum 2 hops for Kerberos right.. well in Microsoft land it works a little different and it is possible to create a multiple tier Kerberos delegation structure.

Basically we want the following to happen:

Client->IIS1->IIS2->IIS3->IIS4 where all hops require Kerberos authentication

In this case, IIS1, IIS2 and IIS3 need to be trusted for delegation. In my test lab I’ve used (http://support.microsoft.com/kb/314404) for the setup..

Cross forest authentication

By rzomerman | July 28, 2008 | No Comments | Active Directory

Anyone installed a forest trust before.. probably else you would not be reading this post.. how does authentication work in a forest trust?

Well there are two authentication mechanisms in Windows NTLM and Kerberos, both can be used in a forest trust, and both work differently. Setting it up brought me the following authentication schema..

Kerberos PAC validation

By rzomerman | July 20, 2008 | No Comments | Kerberos

http://support.microsoft.com/kb/906736

basically, all Kerberos tickets in windows have a PAC (that holds all the groups of the identity). If the resource that is accessed is NOT running under system account (but user/service), the resource will issue a verification of the PAC at the nearest domain controller. That DC will verify the PAC load and will give the green light.