New Active Directory Documents for IT Pros

Active Directory Documentation Team

Information for IT Professionals who work with Active Directory. All blog posts are provided "AS IS" with no warranties, and confer no rights.

News

  • Ask your Active Directory general and troubleshooting questions in the Directory Services Forum http://social.technet.microsoft.com/Forums/en-US/winserverDS/threads
Hypervisor is not running error: How to fix

Though this is not a direct Active Directory post, I think many of you will find this video I ran across, Hypervisor is not running error: How to fix (http://www.microsoft.com/video/en/us/details/25d07f2e-b2e0-4c0c-b456-79b08bfe58be), interesting.  Since a lot of us do our testing in a virtual environment, when I run across posts, videos, content, etc. that detail how to fix a problem in the virtual space, I like to share them. 

If you have a comment, please don’t hesitate to leave it on this page or the page where the video is posted.

New Fix it technology included in TechNet articles

Microsoft has released a new technology (maybe not so new to many of you) that is designed to automate the fixes described in KB articles.  Instead of performing the manual steps to fix a problem (for example, sound issues), you can click the Fix it button or link, and a script runs that applies the fix for you.

Previously, this technology was targeted toward consumer KB articles.  Now we have added this solution to the following AD TechNet articles:

When you click the Fix this problem link (located under the Fix it icon) on the client computer, a script dialog lets you run the fix immediately or save it to run later.

Please give this technology a try and let us know what you think.

Guidance for placing several RODCs in the same site

Lately, there have been lots of questions around placing more than one RODC in the same site for load balancing and disaster recovery purposes.  We, the AD UA team, recently published an article, Placing Several RODCs in the Same Site (http://technet.microsoft.com/en-us/library/ee522995(WS.10).aspx). 

Hopefully, this document will clear up the confusion that some of our customers have around this issue.  We look forward to your feedback.  Please use the comment tool on the TechNet page to rate this topic and provide feedback.

Mergers, acquisitions, or reorganizations may have you considering Active Directory restructuring

Some people call it prune and graft; others call it breaking a domain off from the forest. Neither is supported by Microsoft in Windows Server 2008 R2 or earlier: you cannot move domains between forests, but you can migrate the objects. For more information, please check out Restructuring Limitations.


What is the Active Directory Management Gateway Service?

The Active Directory Management Gateway Service could be referred to as the Active Directory Web Service (ADWS) for Windows Server 2008 and Windows Server 2003. Why? Well, Windows Server 2008 R2 domain controllers have a built-in service called the Active Directory Web Service and the Active Directory Management Gateway Service is the implementation of that service that can be installed on Windows Server 2003 and Windows Server 2008. You can read more about these services and their purpose in the article What’s New in AD DS: Active Directory Web Services.


Announcing the availability of the RTM Version of Windows 7 RSAT Tools

You can find the RTM version of the Windows 7 RSAT tools at the following location:

The download page gives instructions on how to install and configure the RSAT tools on Windows 7.  The RSAT tools can be installed on computers running Enterprise, Professional, or Ultimate editions of Windows 7.


Where is the guidance for Active Directory in the DMZ?

DMZ, which actually stands for demilitarized zone, is a very popular term to refer to the concept of a screened subnet, perimeter network, or essentially a network that is divided from your internal network by a firewall. The problem with the term DMZ is that it is actually a military and political term that is not allowed for use in official documentation on TechNet. So, when you are looking for guidance on TechNet related to firewalls, you should search on both screened subnet and perimeter network. That said, we are using social bookmarking, tagging, and blog entries (like this one) to try to surface our content when people search on DMZ using it as a network security term. So, the guidance on Active Directory in the DMZ is titled Active Directory Domain Services in the Perimeter Network. If you are looking for the network ports for Active Directory communications, you will want to review Active Directory and Active Directory Domain Services Port Requirements.


Active Directory Users and Computers in Windows Server 2008, Windows Server 2008 R2, and RSAT automates metadata cleanup

Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS). You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed. Metadata cleanup removes data from AD DS that identifies a domain controller to the replication system. Metadata cleanup also removes File Replication Service (FRS) and Distributed File System (DFS) Replication connections and attempts to transfer or seize any operations master (also known as flexible single master operations or FSMO) roles that the retired domain controller holds. These additional processes are performed automatically. You can use this procedure to clean up server metadata for a domain controller from which you have forcibly removed AD DS.

If you use the Active Directory Users and Computers console provided with Windows Server 2008 or Windows Server 2008 R2, or with the Remote Server Administration Tools (RSAT) for Windows Vista or Windows 7, the metadata is cleaned up automatically when you delete a domain controller's computer account from the Domain Controllers organizational unit (OU). You can also remove the server object and its metadata from the Active Directory Sites and Services console (dssite.msc), but there you must first delete the NTDS Settings object below the server object for the metadata to be removed automatically. The standard methods for removing metadata, such as a script or NTDSUTIL, still work. For more information, see Clean Up Server Metadata.
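
The automatic cleanup above only fires when you delete the account from one of those consoles. If you want to see what stale replication metadata is actually left in the forest before you touch anything, the following PowerShell is an added example (it is not from the original post or from the TechNet article) that enumerates the NTDS Settings objects in the Configuration partition and flags those whose server object no longer points at an existing computer account. It assumes the Active Directory module from RSAT and PowerShell 3.0 or later; it changes nothing itself and only prints the NTDSUTIL command you would then run on a healthy domain controller.

```powershell
# Added example (not from the original post): find NTDS Settings objects whose server
# object no longer resolves to a computer account, which is what a forcibly removed
# domain controller leaves behind, and print the ntdsutil command that removes them.
# Assumes the Active Directory module (RSAT) and read access to the Configuration partition.
Import-Module ActiveDirectory

function Get-DCMetadataStatus {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $sitesDN  = "CN=Sites,$configNC"

    # Every domain controller is represented by an nTDSDSA ("NTDS Settings") object under
    # CN=<server>,CN=Servers,CN=<site>,CN=Sites in the Configuration partition. RODCs use
    # the nTDSDSARO subclass, which this objectClass filter also matches.
    Get-ADObject -Filter 'objectClass -eq "nTDSDSA"' -SearchBase $sitesDN -SearchScope Subtree |
        ForEach-Object {
            # Drop the leading "CN=NTDS Settings," to get the parent server object's DN.
            $serverDN = ($_.DistinguishedName -split ',', 2)[1]
            $server   = Get-ADObject -Identity $serverDN -Properties serverReference

            # serverReference points at the DC's computer account. If that account is gone,
            # the NTDS Settings object is orphaned replication metadata.
            $computerExists = $false
            if ($server.serverReference) {
                try {
                    $null = Get-ADObject -Identity $server.serverReference -ErrorAction Stop
                    $computerExists = $true
                } catch {
                    $computerExists = $false
                }
            }

            [pscustomobject]@{
                Server          = $server.Name
                ServerDN        = $serverDN
                ServerReference = $server.serverReference
                ComputerExists  = $computerExists
            }
        }
}

# Report only; nothing is removed by this script.
$status = Get-DCMetadataStatus
$status | Format-Table Server, ServerReference, ComputerExists -AutoSize

# For each orphaned entry, print the documented ntdsutil form for Windows Server 2008 and
# later. "remove selected server" takes the server object's DN; metadata cleanup then removes
# the NTDS Settings object and replication connections and attempts to transfer or seize any
# FSMO roles the retired DC still holds.
foreach ($s in ($status | Where-Object { -not $_.ComputerExists })) {
    $cmd = 'ntdsutil "metadata cleanup" "remove selected server {0}" quit quit' -f $s.ServerDN
    Write-Host "Review, then run on a healthy DC: $cmd"
}
```

Treat a "ComputerExists = False" row as a candidate, not a verdict: confirm the server really is gone (and that nobody is mid-way through promoting a replacement with the same name) before running the printed command.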


Where is SYSPREP in Windows Server 2008 and Windows Server 2008 R2?

If you want to sysprep your computers to remove the unique information, sysprep now lives under the %windir%\system32\sysprep folder. There isn’t much to the interface: if you are just trying to remove the unique information, select the Generalize check box. The equivalent from a command line or script is sysprep.exe /generalize /oobe /shutdown.


Active Directory Port Requirements

A few days ago we posted a document to TechNet that outlines the various port requirements for Active Directory.  We gathered the port information from various KB articles and consolidated it into one document.  I think it should serve as a great reference guide for those of you configuring Active Directory communication through internal and external firewalls.  It details the ports used by trusts, replication, global catalog, DNS, DHCP, etc.  It also outlines the new default dynamic port range, 49152-65535, for Windows Server 2008 and Windows Vista, and points to why the range was changed from the one used by previous versions of our operating systems.

Active Directory and Active Directory Domain Services Port Requirements (http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx)

As always, if you have any suggestions for improvement please leave us feedback. 
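
To go with the port list, here is an added PowerShell example (not from the original post or from the TechNet document) that probes the well-known AD TCP ports on every domain controller from the machine you run it on and then prints the local dynamic port range. It also probes TCP 9389, the port that the Active Directory Web Services and Active Directory Management Gateway Service described earlier on this page listen on, because the Active Directory PowerShell module depends on it. It assumes the Active Directory module, PowerShell 3.0 or later, and that the host can resolve the domain controller names; UDP-only traffic such as NTP and Kerberos over UDP is not checked.

```powershell
# Added example (not from the original post): check which well-known Active Directory TCP
# ports are reachable on each domain controller from this host, then show the dynamic port
# range that RPC-based services (replication, FRS, DFSR, netlogon) use above the fixed ports.
# Uses only .NET sockets so it does not depend on cmdlets newer than Windows 7 / 2008 R2.
Import-Module ActiveDirectory

# TCP ports listed in the port-requirements document, plus 9389 for ADWS / ADMGS.
$AdTcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL, netlogon)'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global catalog'
    3269 = 'Global catalog over SSL'
    9389 = 'AD Web Services / AD Management Gateway Service'
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A filtered (dropped) port shows up as a timeout; a refused one throws in EndConnect.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-DCPorts {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                        Select-Object -ExpandProperty HostName)
    )
    foreach ($dc in $DomainController) {
        foreach ($port in $AdTcpPorts.Keys) {
            [pscustomobject]@{
                DomainController = $dc
                Port             = $port
                Service          = $AdTcpPorts[$port]
                Open             = Test-TcpPort -ComputerName $dc -Port $port
            }
        }
    }
}

Test-DCPorts | Format-Table -AutoSize

# The fixed ports are not the whole story: RPC services pick a listener from the dynamic
# range (49152-65535 on Windows Server 2008 / Vista and later, 1025-5000 before that).
# Confirm what this host actually uses before writing firewall rules for it.
netsh int ipv4 show dynamicport tcp
```

A port that reports Open = False from a member server but True from another domain controller usually means a firewall between the two, not a service problem; run the script from each side of the firewall you are configuring.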


New Djoin.exe utility in Windows Server 2008 R2

Windows Server 2008 R2 domain controllers support a new feature named Offline Domain Join. A new utility, Djoin.exe, lets you join a computer to a domain without that computer contacting a domain controller while the join completes: you obtain a blob from a Windows Server 2008 R2 domain controller ahead of time and apply it to the destination computer. The join completes when the destination computer next starts, so it does not need the extra restart that a normal domain join requires. The blob contains the new computer account's password, so treat the .txt file as a credential and delete it once it has been applied. The general steps for using Djoin.exe are:

  1. Run djoin /provision to create the computer account metadata. The output of this command is a .txt file that includes a base-64 encoded blob.
  2. Run djoin /requestODJ to insert the computer account metadata from the .txt file into the Windows directory of the destination computer.
  3. Start the destination computer, and the computer will be joined to the domain.

The computer where you run djoin /provision and the destination computer both need to run Windows Server 2008 R2 or Windows 7. We have a step-by-step guide published at http://technet.microsoft.com/en-us/library/dd392267(WS.10).aspx and appreciate any feedback you have.
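
The three steps above written out as an added example (not from the original post or from the step-by-step guide). The domain name, computer name, OU and file paths are placeholders; the first half runs on a domain-joined provisioning machine, the second on the destination computer.

```powershell
# Added example (not from the original post): the two halves of an offline domain join
# with Djoin.exe. Domain, machine, OU and file names are placeholders.

# --- Step 1, on a Windows 7 / Server 2008 R2 machine that can reach a 2008 R2 DC, running as
#     an account allowed to create computer objects in the target OU.
$domain  = 'corp.example.com'
$machine = 'WKS-0042'
$blob    = Join-Path $PWD "$machine-odj.txt"

djoin.exe /provision /domain $domain /machine $machine `
          /machineou 'OU=Workstations,DC=corp,DC=example,DC=com' `
          /savefile $blob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }
# Add /reuse to overwrite an existing account of the same name, /dcname <DC> to pin the DC.

# The .txt file is base-64 text, but it carries the computer account's password. Move it to
# the destination machine over a trusted channel and delete it afterwards.

# --- Step 2, on the destination computer (Windows 7 / Server 2008 R2), from an elevated
#     prompt, before it has ever talked to a DC. /localos targets the running OS; point
#     /windowspath at a mounted image instead to provision an offline install.
$blob = 'C:\odj\WKS-0042-odj.txt'
djoin.exe /requestODJ /loadfile $blob /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
Remove-Item $blob -Force

# --- Step 3: restart the destination computer; the join completes during startup.
Restart-Computer
```

If /provision is run by a delegated account rather than a Domain Admin, that account needs Create Computer Objects on the target OU; the account that runs /requestODJ needs only local administrator rights on the destination computer, since no domain credential is used at that point.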


"Account Ops-FC" access control entry (ACE)

Account Operators is a default group located in the Builtin container. Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and in organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts of members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. The Account Operators group therefore has significant power in the domain, and we recommend that you add members to it with caution.

 

On computers running Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2, a newly created computer account is by default assigned an "Account Ops-FC" access control entry (ACE) that gives members of the Account Operators group full control over the computer account. If the server that this computer account represents is promoted to a domain controller, the computer account keeps the "Account Ops-FC" ACE, so members of the Account Operators group end up with full control over that domain controller's account. This is not a recommended configuration: a group intended for day-to-day account administration should not be able to modify a domain controller's own account.

 

The "Account Ops-FC" ACE is also assigned by default to domain controllers that you promote by running dcpromo.exe on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 machines and joining them to an existing Active Directory domain.

 

To modify permissions for Account Operators on such computer accounts and domain controller accounts, you can use the Active Directory Administrative Center (in Windows Server 2008 R2) or Active Directory Users and Computers (in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2) and complete the following steps:

  1. Right-click the computer account that represents the server that you want to promote to a domain controller status (or the affected domain controller account), and then click Properties.
  2. On the Security tab, (in the Active Directory Administrative Center, locate the Security tab in the Extensions section of the Properties window), select Account Operators in the Group or user names list, and then modify permissions according to the specifications of your environment.
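
The GUI steps above work for one object at a time. As an added example (not from the original post), the following PowerShell uses the AD: drive from the Active Directory module to report every ACE granted to Account Operators on each domain controller's computer object, and includes a function that removes the explicit ones if you decide that is the right change for your environment. It assumes the Active Directory module, PowerShell 3.0 or later, and an account allowed to read and write those security descriptors.

```powershell
# Added example (not from the original post): audit, and optionally remove, the access
# control entries granted to Account Operators on domain controller computer objects.
# Uses the AD: PowerShell drive provided by the Active Directory module.
Import-Module ActiveDirectory

function Get-AccountOperatorsAce {
    param([string]$ObjectDN)
    $acl = Get-Acl -Path "AD:\$ObjectDN"
    # IdentityReference renders as "BUILTIN\Account Operators" (well-known SID S-1-5-32-548).
    $acl.Access | Where-Object { $_.IdentityReference.Value -match '\\Account Operators$' }
}

function Remove-AccountOperatorsAce {
    param([string]$ObjectDN)
    $acl   = Get-Acl -Path "AD:\$ObjectDN"
    # Only explicit ACEs can be removed here; an inherited one has to be fixed at its source.
    $rules = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -match '\\Account Operators$' -and -not $_.IsInherited
    })
    foreach ($rule in $rules) { $null = $acl.RemoveAccessRule($rule) }
    if ($rules.Count -gt 0) { Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl }
    return $rules.Count
}

# Report. The "Account Ops-FC" entry shows up with ActiveDirectoryRights = GenericAll.
foreach ($dc in Get-ADDomainController -Filter *) {
    Get-AccountOperatorsAce -ObjectDN $dc.ComputerObjectDN |
        Select-Object @{n = 'DC'; e = { $dc.HostName }},
                      IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}

# Remove the explicit ACEs only after reviewing the report, for example:
# foreach ($dc in Get-ADDomainController -Filter *) {
#     "$($dc.HostName): removed $(Remove-AccountOperatorsAce -ObjectDN $dc.ComputerObjectDN) ACE(s)"
# }
```

Because the ACE comes from the default security descriptor of the computer class, the same check is worth running against the computer account of any server you are about to promote, before dcpromo rather than after.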


When using Active Directory Recycle Bin to recover objects with a large number of link-valued attributes

When you delete or recover an Active Directory object with link-valued attributes, AD DS must process the object’s link value table to maintain referential integrity on the linked attribute’s values. Because deleting or recovering an Active Directory object results in modifications to the object’s link value table, if you attempt to delete or recover an object during its ongoing link-value-table processing time, the operation will be blocked. For example, if you use the Active Directory Recycle Bin to recover a deleted object with a large number of link-valued attributes (for example, a group object with 10 million users) immediately after it was deleted (or anytime throughout the duration of its link-value-table processing), the object recovery will be blocked. (If you are using Ldp.exe to perform the recovery, you might see the following error message: "Error 0x2093 The operation cannot continue because the object is in the process of being removed.")  For more information about Active Directory Recycle Bin, see Active Directory Recycle Bin Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=133971).  
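
As an added example (not from the original post) of handling that blocked recovery, the PowerShell below restores a deleted object from the Recycle Bin and retries while the deletion is still being processed. It assumes the Active Directory module, that the Recycle Bin feature is enabled in the forest, and that the object name is a placeholder; matching on the message text "in the process of being removed" is my assumption about how that error surfaces through Restore-ADObject, so adjust the pattern if your build reports it differently.

```powershell
# Added example (not from the original post): restore a deleted object from the Active
# Directory Recycle Bin, retrying while AD DS is still processing its link value table.
# The name is a placeholder. The error-text match is an assumption about how DS error
# 0x2093 ("object is in the process of being removed") is surfaced by Restore-ADObject.
Import-Module ActiveDirectory

function Restore-DeletedObjectWithRetry {
    param(
        [Parameter(Mandatory = $true)][string]$Name,   # leading part of the deleted object's name
        [int]$MaxAttempts  = 12,
        [int]$DelaySeconds = 30
    )
    # Deleted objects are renamed "<name>\0ADEL:<guid>", so match on the prefix.
    $pattern = "$Name*"
    $deleted = @(Get-ADObject -Filter { (Name -like $pattern) -and (isDeleted -eq $true) } `
                             -IncludeDeletedObjects -Properties lastKnownParent)
    if ($deleted.Count -eq 0) { throw "No deleted object matching '$Name' in the Recycle Bin." }
    if ($deleted.Count -gt 1) { throw "More than one deleted object matches '$Name'; use a longer name." }
    $target = $deleted[0]

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            Restore-ADObject -Identity $target.ObjectGUID -ErrorAction Stop
            # Return the live object so the caller can verify linked attributes came back.
            return (Get-ADObject -Identity $target.ObjectGUID -Properties memberOf)
        } catch {
            # A large linked-attribute object (e.g. a big group) is still being torn down;
            # the recovery is blocked until its link values have been processed.
            if ($_.Exception.Message -match 'in the process of being removed') {
                Write-Warning "Attempt $attempt of $MaxAttempts blocked by link-value processing; retrying in $DelaySeconds s."
                Start-Sleep -Seconds $DelaySeconds
                continue
            }
            throw   # anything else is a real failure, do not retry
        }
    }
    throw "Gave up after $MaxAttempts attempts; link-value processing is still in progress."
}

Restore-DeletedObjectWithRetry -Name 'All-Employees'
```

For a group with millions of members, the processing window can be long, so set MaxAttempts and DelaySeconds for the size of the object rather than the defaults above.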


Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser)


Windows Server 2008 includes new tools that let you create a snapshot of your Active Directory database at a point in time (ntdsutil snapshot) and then view the contents of that snapshot by using dsamain.exe.  This is a great tool for data recovery and for comparing the database as it was when the snapshot was taken with how it looks today.

In cases where you need to perform forest recovery, these tools let you compare backups taken at different points in time without taking a domain controller offline to restore a backup, only to find out later that it was not the backup you wanted.

If you accidentally delete an object in Active Directory Users and Computers, you can view a snapshot from before the deletion and recover the back-link information (group memberships and the like) that is stripped from a deleted object and that you need in order to fully restore it.  For a deleted user object, use the snapshot to determine the user’s group membership before the deletion, reanimate the tombstone (deleted) object with LDP or the Active Directory Module for Windows PowerShell, and then restore that membership.

To take full advantage of snapshots, schedule a task that takes them regularly; that gives you a detailed record of how your AD DS database changed over time.  A snapshot is a complete copy of the database, password hashes included, so protect the snapshot volumes as carefully as the live ntds.dit.
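
To show the whole cycle, here is an added PowerShell example (not from the original post) that schedules a daily snapshot, mounts one, exposes it through dsamain.exe on an alternate LDAP port, reads a deleted user's former group membership from it, and unmounts it again. The snapshot index, mount path, LDAP port, user name and script folder are placeholders; run it on a domain controller with Domain Admins rights. It is how I would string the documented commands together, not a procedure taken from the page.

```powershell
# Added example (not from the original post): schedule AD DS snapshots, then mount one and
# browse it with dsamain.exe. Paths, the snapshot index, the LDAP port and the user name
# are placeholders. Run on a domain controller as a Domain Admin.

# 1. A batch file for the scheduler to run as SYSTEM; ntdsutil takes its commands as arguments.
$scriptDir = 'C:\Scripts'
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null
Set-Content -Path "$scriptDir\ad-snapshot.cmd" `
            -Value 'ntdsutil snapshot "activate instance ntds" create quit quit'
schtasks /create /f /sc daily /st 02:00 /ru SYSTEM /tn "AD DS Snapshot" /tr "$scriptDir\ad-snapshot.cmd"

# 2. List the snapshots; each line shows an index, a timestamp and a GUID.
ntdsutil snapshot "list all" quit quit

# 3. Mount one by index. ntdsutil prints the mount point, e.g. C:\$SNAP_201001150200_VOLUMEC$\.
ntdsutil snapshot "list all" "mount 1" quit quit

# 4. Expose the mounted copy of ntds.dit on an alternate LDAP port; the DC's own LDAP on 389
#    is untouched. Adjust the path to what step 3 printed.
$snapDit = 'C:\$SNAP_201001150200_VOLUMEC$\Windows\NTDS\ntds.dit'
Start-Process dsamain.exe -ArgumentList "/dbpath `"$snapDit`" /ldapport 10389"

# 5. Query the snapshot like any other directory instance. memberOf here is the membership
#    as it was at snapshot time, which is the back-link data a tombstone reanimation loses.
Import-Module ActiveDirectory
$then = Get-ADUser -Identity 'jdoe' -Server 'localhost:10389' -Properties memberOf
$then.memberOf

# 6. After reanimating the live object, add it back to the groups it was in.
foreach ($groupDN in $then.memberOf) { Add-ADGroupMember -Identity $groupDN -Members 'jdoe' }

# 7. Stop dsamain and unmount. The snapshot is a full copy of ntds.dit, password hashes
#    included, so keep it on the DC and do not copy it elsewhere.
Get-Process dsamain | Stop-Process
ntdsutil snapshot "list all" "unmount 1" quit quit
```

Step 6 assumes the reanimated object has the same sAMAccountName as before; if you restored it under a new name, pass the restored object's distinguished name to Add-ADGroupMember instead.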

For more information about the AD DS Mounting tool including information about snapshots see:

 

 
Windows 7 User Account Control (UAC)

UPDATE: A faster way to open the UAC settings in Windows 7 was just brought to my attention by Dean Wells. Click Start, type UAC and press ENTER. Thanks, Dean!

If that doesn’t work for some reason, you can do the following:

  1. Run wscui.cpl from the Start Search or Run dialog box, or launch it from the command prompt.
  2. Select the User Account Control settings option on the left side of the window.
  3. The UAC settings for Windows 7 are displayed.
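
As an added example (not from the original post), the PowerShell below reads the registry values that the Windows 7 UAC slider sets, so the level can be checked from a script or against a remote computer instead of through wscui.cpl. The value-to-slider mapping follows the Windows 7 slider positions; a remote read assumes the Remote Registry service is running on the target and that you have administrative rights there.

```powershell
# Added example (not from the original post): report the UAC level a Windows 7 machine is
# running at, from the registry values behind the UAC slider. Works locally or, with the
# Remote Registry service running on the target, against a remote computer.
function Get-UacLevel {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $keyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hklm.OpenSubKey($keyPath)
    try {
        # Defaults are the out-of-box Windows 7 values when a value is absent.
        $enableLua = [int]$key.GetValue('EnableLUA', 1)
        $admin     = [int]$key.GetValue('ConsentPromptBehaviorAdmin', 5)
        $secure    = [int]$key.GetValue('PromptOnSecureDesktop', 1)
    } finally {
        $key.Close()
        $hklm.Close()
    }

    # Slider positions, top to bottom. "Never notify" turns UAC off entirely (EnableLUA = 0),
    # which is what breaks Protected Mode IE and virtualization for legacy applications.
    $level = switch ($true) {
        ($enableLua -eq 0)                { 'Never notify (UAC off)'; break }
        ($admin -eq 2 -and $secure -eq 1) { 'Always notify'; break }
        ($admin -eq 5 -and $secure -eq 1) { 'Notify when programs try to make changes (default)'; break }
        ($admin -eq 5 -and $secure -eq 0) { 'Notify when programs try to make changes, no secure desktop'; break }
        default                           { 'Custom / policy-managed' }
    }

    [pscustomobject]@{
        ComputerName               = $ComputerName
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $admin
        PromptOnSecureDesktop      = $secure
        Level                      = $level
    }
}

Get-UacLevel
# Get-UacLevel -ComputerName 'WKS-0042'   # same check against another machine
```

Anything other than "Always notify" means an elevation prompt can be produced without the secure desktop or can be bypassed by auto-elevating Windows binaries, so for administrative workstations the top slider position is the one to enforce, and Group Policy rather than the slider is the place to set it.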

