We finally published the procedures for allowing a user or group to log on locally (at the console) to a domain controller. All the administrative groups, such as Server Operators, Backup Operators, Account Operators, and Administrators, have this right by default. However, when an application is installed on a domain controller and you want to log on to that domain controller using a management account for the application, you might need to grant that account the right to log on locally. The procedure for doing so is published as Grant a Member the Right to Logon Locally.
This posting is provided "AS IS" with no warranties, and confers no rights.
The Event ID 2042 update is now posted on the Windows Server 2008 library: Event ID 2042: It has been too long since this machine replicated
Now we have included some potential causes and some text to warn you not to initialize replication again until all the lingering objects are cleaned up from Active Directory. There are some additional explanations there as well. The Windows Server 2003 version has not yet been updated. However, if this new version does well in the ratings and feedback, then that might happen. I hope the expanded explanations turn out to be useful.
Though this is not a direct Active Directory post, I think many of you will find this video I ran across, Hypervisor is not running error: How to fix (http://www.microsoft.com/video/en/us/details/25d07f2e-b2e0-4c0c-b456-79b08bfe58be), interesting. Since a lot of us do our testing in a virtual environment, when I run across posts, videos, content, etc. that detail how to fix a problem in the virtual space, I like to share them.
If you have a comment, please don’t hesitate to leave it on this page or the page where the video is posted.
Microsoft has released a new technology (maybe not so new to many of you) that is designed to automate fixes in KB articles. Instead of performing the manual steps to fix a problem (i.e. sound issues), you can click the Fix it button or link, and a script will run that automatically fixes your issue.
Previously, this technology was targeted toward consumer KB articles. Now we have added this solution to the following AD TechNet articles:
When you click the Fix this problem link (located under the Fix it icon) from the client computer, a script dialog is displayed that lets you run the fix immediately or save it to run later.
Please give this technology a try and let us know what you think.
Lately, there have been lots of questions around placing more than one RODC in the same site for load balancing and disaster recovery purposes. We, the AD UA team, recently published an article, Placing Several RODCs in the Same Site (http://technet.microsoft.com/en-us/library/ee522995(WS.10).aspx).
Hopefully, this document should clear up the confusion that some of our customers have around this issue. We look forward to your feedback. Please use the comment tool (on the TechNet page) to rate and provide feedback for this topic.
Some people call it prune and graft, others call it breaking off a domain from the forest. These operations are not supported by Microsoft in Windows Server 2008 R2 or earlier. You cannot move domains between forests, but you can migrate them. For more information on this, please check out Restructuring Limitations.
The Active Directory Management Gateway Service could be referred to as the Active Directory Web Service (ADWS) for Windows Server 2008 and Windows Server 2003. Why? Well, Windows Server 2008 R2 domain controllers have a built-in service called the Active Directory Web Service and the Active Directory Management Gateway Service is the implementation of that service that can be installed on Windows Server 2003 and Windows Server 2008. You can read more about these services and their purpose in the article What’s New in AD DS: Active Directory Web Services.
You can find the RTM version of the Windows 7 RSAT tools at the following location:
The download page gives instructions on how to install and configure the RSAT tools on Windows 7. The RSAT tools can be installed on computers running Enterprise, Professional, or Ultimate editions of Windows 7.
DMZ, which actually stands for demilitarized zone, is a very popular term to refer to the concept of a screened subnet, perimeter network, or essentially a network that is divided from your internal network by a firewall. The problem with the term DMZ is that it is actually a military and political term that is not allowed for use in official documentation on TechNet. So, when you are looking for guidance on TechNet related to firewalls, you should search on both screened subnet and perimeter network. That said, we are using social bookmarking, tagging, and blog entries (like this one) to try to surface our content when people search on DMZ using it as a network security term. So, the guidance on Active Directory in the DMZ is titled Active Directory Domain Services in the Perimeter Network. If you are looking for the network ports for Active Directory communications, you will want to review Active Directory and Active Directory Domain Services Port Requirements.
Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS). You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed. Metadata cleanup removes data from AD DS that identifies a domain controller to the replication system. Metadata cleanup also removes File Replication Service (FRS) and Distributed File System (DFS) Replication connections and attempts to transfer or seize any operations master (also known as flexible single master operations or FSMO) roles that the retired domain controller holds. These additional processes are performed automatically. You can use this procedure to clean up server metadata for a domain controller from which you have forcibly removed AD DS.
If you use the Active Directory Users and Computers console provided with Windows Server 2008 or Windows Server 2008 R2, or the Remote Server Administration Tools (RSAT) for Windows Vista or Windows 7, the metadata is automatically cleaned up when a domain controller account is removed from the Domain Controllers organizational unit (OU). You can also remove a computer account and its metadata using the Active Directory Sites and Services (dsa.msc) console, but you must first remove the NTDS Settings object below the domain controller account in order to have the metadata automatically removed. The standard methods for removing metadata, such as using a script or NTDSUTIL, still work. For more information, see Clean Up Server Metadata.
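The NTDSUTIL method mentioned above, as an added example that is not part of the original post: one non-interactive ntdsutil invocation removes the retired domain controller's server metadata, and the ActiveDirectory module checks afterwards that the server object and operations master roles no longer reference it. The names DC02, Default-First-Site-Name and contoso.com are assumed placeholders.

```powershell
# Added example, not from the original post. Run on a surviving domain controller
# in the same domain as the forcibly removed one, as a Domain Admin.
Import-Module ActiveDirectory

$RetiredDc = 'DC02'                    # assumed: name of the forcibly removed DC
$Site      = 'Default-First-Site-Name' # assumed: site the retired DC lived in
$ConfigNc  = (Get-ADRootDSE).configurationNamingContext
$ServerDn  = "CN=$RetiredDc,CN=Servers,CN=$Site,CN=Sites,$ConfigNc"

# Each quoted argument is one line of the interactive ntdsutil menu. In
# Windows Server 2008 "remove selected server" accepts the server DN directly
# and also handles the FRS/DFSR connections and FSMO transfer/seizure.
ntdsutil.exe 'metadata cleanup' "remove selected server $ServerDn" quit quit
if ($LASTEXITCODE -ne 0) { throw "ntdsutil exited with code $LASTEXITCODE" }

# Verification 1: the server object (and its NTDS Settings child) is gone.
try {
    Get-ADObject -Identity $ServerDn | Out-Null
    Write-Warning "Server object $ServerDn still exists; cleanup did not complete."
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    Write-Host "Server object removed: $ServerDn"
}

# Verification 2: no operations master role still points at the retired DC.
$roles = @()
$roles += (Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster).PSObject.Properties.Value
$roles += (Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster).PSObject.Properties.Value
$stale = $roles | Where-Object { $_ -like "$RetiredDc.*" }
if ($stale) { Write-Warning "Roles still held by $RetiredDc : $($stale -join ', ')" }

# Verification 3: the computer account is no longer in the Domain Controllers OU.
$dcOu = (Get-ADDomain).DomainControllersContainer
if (Get-ADComputer -Filter "Name -eq '$RetiredDc'" -SearchBase $dcOu) {
    Write-Warning "Computer account $RetiredDc still present in $dcOu"
}
```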
If you are looking to sysprep your computers to remove the unique information, you can find sysprep in its new location under the %windir%\system32\sysprep folder. There isn’t much to the interface, but if you are just trying to remove the unique information, you can select the Generalize checkbox.

A few days ago we posted a document to TechNet that outlines some of the various port requirements for Active Directory. We gathered the port information from various KB articles and consolidated them into one document. I think it should serve as a great reference guide for those of you configuring Active Directory communication through internal and external firewalls. It details ports used by trusts, replication, global catalog, DNS, DHCP, etc. It also outlines the new default dynamic port range, 49152-65535, for Windows Server 2008 and Windows Vista and pointers to why the range was increased from previous versions of our operating systems.
Active Directory and Active Directory Domain Services Port Requirements (http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx)
As always, if you have any suggestions for improvement please leave us feedback.
Windows Server 2008 R2 domain controllers include a new feature named Offline Domain Join. A new utility named Djoin.exe lets you join a computer to a domain, without contacting a domain controller while completing the domain join operation, by obtaining a blob from a Windows Server 2008 R2 domain controller at an earlier point in time. The computer is domain-joined when it first starts, so no restart is needed as with a normal domain join. The general steps for using Djoin.exe are:
- Run djoin /provision to create the computer account metadata. The output of this command is a .txt file that includes a base-64 encoded blob.
- Run djoin /requestODJ to insert the computer account metadata from the .txt file into the Windows directory of the destination computer.
- Start the destination computer, and the computer will be joined to the domain.
The computer where you run djoin /provision and the destination computer both need to run Windows Server 2008 R2 or Windows 7. We have a step-by-step guide published at http://technet.microsoft.com/en-us/library/dd392267(WS.10).aspx and appreciate any feedback you have.
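The provisioning and request steps above, as an added example that is not part of the original guide: step 1 runs on a domain-joined Windows Server 2008 R2 or Windows 7 computer whose user can create computer accounts, step 2 runs on the destination computer. The domain name, computer name, OU and file path are assumed placeholders; the blob file holds the new account's credentials, so the example also restricts and then deletes it.

```powershell
# Added example, not from the original post.
$Domain   = 'contoso.com'                          # assumed
$Computer = 'CLIENT01'                             # assumed: new computer name
$Ou       = 'OU=Workstations,DC=contoso,DC=com'    # assumed: target OU
$BlobFile = 'C:\odj\CLIENT01.txt'                  # assumed: base-64 blob output

# --- Step 1: provision the computer account against a 2008 R2 DC ---
New-Item -ItemType Directory -Path (Split-Path $BlobFile) -Force | Out-Null
djoin.exe /provision /domain $Domain /machine $Computer /machineou $Ou /savefile $BlobFile
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed (exit code $LASTEXITCODE)" }

# The .txt file is a domain credential for the new computer: restrict it to
# administrators until it is transferred to the destination computer.
icacls.exe $BlobFile /inheritance:r /grant:r 'BUILTIN\Administrators:(R)' | Out-Null

# --- Step 2: on the destination computer, insert the metadata into the ---
# --- installed OS (/localos). The join takes effect at the next start.   ---
djoin.exe /requestODJ /loadfile $BlobFile /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed (exit code $LASTEXITCODE)" }

# The blob is single-use; remove it once it has been consumed.
Remove-Item -Path $BlobFile -Force

# --- Step 3: (re)start the destination computer; it comes up domain-joined ---
Restart-Computer
```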
Account Operators is a default group located in the Builtin container. Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Therefore, the Account Operators group has significant power in the domain and we recommend that you add members to it with caution.
On computers running Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2, by default, a newly created computer account is assigned an "Account Ops-FC" access control entry (ACE) that gives members of the Account Operators group full control over the computer account. If a server that is represented by this computer account is promoted to a domain controller, the computer account retains this "Account Ops-FC" ACE and therefore, members of the Account Operators group will have full control on this domain controller, which is not a recommended configuration.
The "Account Ops-FC" ACE is also assigned by default to domain controllers that you promote by running dcpromo.exe on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 machines and joining them to an existing Active Directory domain.
To modify permissions for Account Operators on such computer accounts and domain controller accounts, you can use the Active Directory Administrative Center (in Windows Server 2008 R2) or Active Directory Users and Computers (in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2) and complete the following steps:
- Right-click the computer account that represents the server that you want to promote to a domain controller status (or the affected domain controller account), and then click Properties.
- On the Security tab, (in the Active Directory Administrative Center, locate the Security tab in the Extensions section of the Properties window), select Account Operators in the Group or user names list, and then modify permissions according to the specifications of your environment.
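An audit of the configuration described above, as an added example that is not part of the original post: it lists every computer account in the Domain Controllers OU that still carries an Allow ACE granting BUILTIN\Account Operators full control (the "Account Ops-FC" entry), and optionally removes those entries. It assumes the ActiveDirectory module and its AD: drive, and that the caller has rights to read and, for remediation, write the security descriptors.

```powershell
# Added example, not from the original post.
Import-Module ActiveDirectory

$Remediate        = $false   # set to $true to remove the matching ACEs
$AccountOperators = 'BUILTIN\Account Operators'
$FullControl      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$DcOu             = (Get-ADDomain).DomainControllersContainer

foreach ($dc in Get-ADComputer -Filter * -SearchBase $DcOu) {
    $path = "AD:\$($dc.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # The default "Account Ops-FC" entry is an explicit Allow ACE with
    # GenericAll (full control) for Account Operators on the computer object.
    $hits = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $AccountOperators -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -eq $FullControl
    })

    foreach ($ace in $hits) {
        [pscustomobject]@{
            DomainController = $dc.Name
            Identity         = $ace.IdentityReference.Value
            Rights           = $ace.ActiveDirectoryRights
            Inherited        = $ace.IsInherited   # inherited ACEs must be fixed at their source
        }
        if ($Remediate -and -not $ace.IsInherited) {
            $null = $acl.RemoveAccessRule($ace)
            Set-Acl -Path $path -AclObject $acl
            Write-Host "Removed Account Operators full control from $($dc.Name)"
        }
    }
}
```

Review the output before setting $Remediate; a domain controller with an empty result set has no explicit full-control grant to Account Operators.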
When you delete or recover an Active Directory object with link-valued attributes, AD DS must process the object’s link value table to maintain referential integrity on the linked attribute’s values. Because deleting or recovering an Active Directory object results in modifications to the object’s link value table, if you attempt to delete or recover an object during its ongoing link-value-table processing time, the operation will be blocked. For example, if you use the Active Directory Recycle Bin to recover a deleted object with a large number of link-valued attributes (for example, a group object with 10 million users) immediately after it was deleted (or anytime throughout the duration of its link-value-table processing), the object recovery will be blocked. (If you are using Ldp.exe to perform the recovery, you might see the following error message: "Error 0x2093 The operation cannot continue because the object is in the process of being removed.") For more information about Active Directory Recycle Bin, see Active Directory Recycle Bin Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=133971).