Friday Mail Sack – First Attempt Edition

Hi all, Ned here again. Today I will share some recent questions we’ve gotten offline that never ended up as full blown blog posts. Naturally any names have been changed to protect the innocent and things are often paraphrased. This post starts a new series that will appear every Friday, barring some kind of disaster such as me being out sick, me taking the day off, or me just not feeling like it (so nyyyaaahhh).

Onward.

Question:

Is there any risk running Windows disk defrag on a DC? I need to defrag my drives and I’m worried about NTDS.DIT corruption.

Answer:

Nothing to worry about. In fact, starting in Windows Server 2008 and continuing in R2, you have been running a disk defrag every Wednesday at 1 AM whether you knew it or not. This is default behavior, even on domain controllers.

Note that the task is designed to run in idle state though, so if things stay really busy on a DC all night long, the automatic defrag may be preempted. The Task Scheduler Help has more info on what “Idle” means.

Question:

When I search AD for old computer accounts using the whenChanged attribute, the computers all seem to be constantly “new”. How can I find old, unused computer accounts using PowerShell?

Answer:

The attribute you want to use in this scenario is lastLogonTimeStamp; Warren wrote up a pretty comprehensive treatise in this older post. You can search for these inactive accounts with the Active Directory PowerShell cmdlet Search-ADAccount. For example, this finds all computers in the domain that have not logged on to AD in a year:

Search-ADAccount -AccountInactive -TimeSpan 365.00:00:00 -ComputersOnly

Avoid looking at stale passwords, as machine password changes can be disabled. And before acting upon inactive accounts, make triple sure each one is really inactive. Cluster virtual computer objects don’t necessarily “log on”, but if you arbitrarily get rid of them there will be heck to pay. Automating the removal is generally a bad idea.
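As an added example (not code from the original post), the script below turns the advice above into a two-step procedure: report computers whose lastLogonTimeStamp is older than a cutoff, skip cluster name and virtual computer objects, and then disable rather than delete, with a dry run and per-account confirmation. It assumes the ActiveDirectory module, a Windows Server 2003 or higher domain functional level, and that cluster objects can be recognised by an MSClusterVirtualServer SPN (an assumption, not something the post states).

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) and a domain functional level of Windows Server 2003 or higher; below
# that, lastLogonTimeStamp is never populated and every computer looks stale.
Import-Module ActiveDirectory

function Get-StaleComputer {
    param(
        [int]$InactiveDays = 365,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # lastLogonTimeStamp is a FILETIME that is refreshed only about every
    # 14 days by default, so the cutoff is good to roughly two weeks, not a day.
    [long]$cutoff = (Get-Date).AddDays(-$InactiveDays).ToFileTimeUtc()

    # Server-side filter: objects with no lastLogonTimeStamp at all (never logged
    # on since the DFL was raised) are not matched and need a separate review.
    Get-ADComputer -SearchBase $SearchBase -Filter { lastLogonTimeStamp -lt $cutoff } `
        -Properties lastLogonTimeStamp, servicePrincipalName, whenCreated |
    Where-Object {
        # Cluster name objects and virtual computer objects rarely "log on".
        # Assumption: they are recognisable by their MSClusterVirtualServer SPN.
        -not ($_.servicePrincipalName -like 'MSClusterVirtualServer/*')
    } |
    Select-Object Name, DistinguishedName, Enabled, whenCreated,
        @{ n = 'LastLogon'; e = { [DateTime]::FromFileTimeUtc($_.lastLogonTimeStamp) } }
}

function Disable-StaleComputer {
    # Disable, never delete: a disabled account is re-enabled in seconds if a
    # rarely used machine or a cluster object turns out to be live after all.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Computer)
    process {
        if (-not $Computer.Enabled) { return }
        if ($PSCmdlet.ShouldProcess($Computer.DistinguishedName, 'Disable computer account')) {
            Disable-ADAccount -Identity $Computer.DistinguishedName
        }
    }
}

# Step 1: report, and have a human read the list before anything changes.
Get-StaleComputer -InactiveDays 365 | Sort-Object LastLogon | Format-Table -AutoSize

# Step 2, only after review: dry run first, then the real run prompts per account.
# Get-StaleComputer -InactiveDays 365 | Disable-StaleComputer -WhatIf
# Get-StaleComputer -InactiveDays 365 | Disable-StaleComputer
```

Keep the disabled accounts around for a while before any deletion, since the one that was needed will announce itself quickly.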

Question:

I am trying to use the Delegate Control wizard within DSA.MSC. When I use a custom task delegation for User Objects I can’t specify certain attributes like Office, E-Mail, City, State, or Country. How can I get these?

Answer:

Choose the inetOrgPerson object class instead of User – this will get you the granularity you need with the delegation wizard. Chalk this up to the vagaries of the snap-in, schema, class, and inheritance.

Question:

Application X doesn’t seem to work correctly with Read-Only Domain Controllers, and I am not finding anything online that says it is compatible. What should I do?

Answer:

Find out who created that application and talk to their support staff. If it’s a Microsoft application or Windows component, open a support case and ask to speak to that particular specialty. If not MS, call that vendor. If it’s internal to your company, find that developer! There’s no way for the AD developers to test everything against RODCs – not even within the MS-developed gamut of applications, which is huge. They have to rely on application developers to add RODCs to their test harnesses. If the conversation with the vendor starts with “What’s an RODC?”, they probably don’t test it. :)

No matter who you talk to, once it’s established that an RODC is or isn’t supported, make them document it publicly; even if it’s just a blog post, you are helping out your fellow IT humans.

Question:

Hey, I think I found an error in KB article Y. Can you fix it?

Answer:

You betcha. Just tell us exactly what you think is wrong, making sure to give us repro steps. If we confirm it as a factual error, the KB should be corrected within a few weeks. If it comes down to semantics or a difference of opinion…well, as my wife says, “we’ll just have to agree to disagree” (i.e. Ned is wrong, Lisa is right, and there’s nothing Ned can do about it).

Question:

I need some deeper support than this blog is set up for and time is not an issue, but I am a bit strapped for cash. Is there anywhere reputable I can go?

Answer:

Our community forums are an excellent place to ask deeper, specific questions. These are moderated by MS support engineers and MVPs. Many questions can be answered quickly and reliably by trustworthy folks.

If time and live support are critical though, open a support case. Time is money.

I reckon that’s enough for today. Have a nice weekend folks.

- Ned ‘going postal’ Pyle

  • Are there any internal numbers that show that the disk defrag helps with performance?

    For old computers I still like Joe Richards’ old computer tool.  Joe has a lot of built-in safety valves and we always disable first before deleting just in case there are cases like you mentioned (have run into the cluster issue).

    The activedir.org mailing list is another great place for DS questions.

    Be glad you all are a few hundred miles south of DC in Charlotte.  The blizzard of 2010 really sucks

    Thanks

    Mike

  • Helps with performance on DC's? Not that I have ever seen. I'd imagine it would mainly be helpful on file server workloads - so unless your DC does extra duty there, doubtful.

    Stay warm Mike!

    - Ned

  • Was playing with that find-old-computer-accounts sample.

    Was looking at the cmdlet help and under AccountInactive it says something about it will only work in Server 2003 Domain Functional Level. Is it AccountInactive that only works in the level, or is it the DateTime that only works in that domain level :) ?

    I tried the sample you posted in this blog. But for some reason computers with LastLogonDate at 2010-01-19 were listed as well. What did I miss?

    // Erik

  • See Warren's link above (http://blogs.technet.com/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx) - it talks about the functional levels and how the lastLogonTimeStamp attribute doesn't turn on until domain functional level 2003. What's your DFL?

  • you made up that last question, didn't you? :)

  • I paraphrased... nicely...

    :-D