• Lingering Objects cleanup

    Recently I have been working with a Premier customer in South Africa to clean their forest of lingering objects.

    It is a complex environment with 15 domains, 30+ sites and 130+ DCs, where power failures and network-related issues frequently disrupt AD operations.

    So I wanted to share with you the method I used to remove lingering objects; hopefully you find it useful.

    First download repldiag from http://activedirectoryutils.codeplex.com/releases/view/13664 as it will save you a lot of typing.

    Then create a .bat file similar to the following (lines starting with REM are comments):

    REM Enable Strict Replication Consistency across the forest
    repadmin /regkey * +strict

    REM Dump all repldiag commands to a .txt file (repldiag enumerates all domains, finds all DCs and creates all necessary repadmin commands for removing lingering objects)
    repldiag /removelingeringobjects /outputrepadmincommandlinesyntax >output.txt

    REM Dump the domain-specific repldiag commands to a .bat file per domain (this way you may clean up one domain at a time)
    findstr "domain_a" output.txt >domain_a.bat
    (...)
    findstr "domain_n" output.txt >domain_n.bat

    REM Call all .bat files in order to remove lingering objects
    call domain_a.bat
    (...)
    call domain_n.bat

    REM Run repadmin /showrepl against all DCs in each domain and pipe it to a .txt file
    repadmin /showrepl *.domain_a /errorsonly > domain_a.txt
    (...)
    repadmin /showrepl *.domain_n /errorsonly > domain_n.txt

    Then, in each .txt file, look for "failed, result 8606 (0x219e): Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected."

    Identify the destination DC (the DC logging the event), the source DC (the DC that contains lingering objects) and the affected naming context (the NC that contains lingering objects).

    With the information above, force replication to resume on the affected DCs/NCs:

    repadmin /replicate destination sourceGUID NC /force

    As an example, here is the output from showrepl:

    Repadmin: running command /SHOWREPL against full DC DC1.domain_a.fqdn

    site1\DC1

    DSA Options: IS_GC

    Site Options: (none)

    DSA object GUID: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa

    DSA invocationID: zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz

    ==== INBOUND NEIGHBORS ======================================

    DC=domain_n,DC=fqdn

        Site30\DC via RPC

            DSA object GUID: nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn

            Last attempt @ 2014-10-16 10:55:42 failed, result 8606 (0x219e):

                Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.

            529 consecutive failure(s).

            Last success @ 2014-09-30 07:00:33.

    In this example the command to force replication to resume would be:

    repadmin /replicate DC1.domain_a.fqdn nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn DC=domain_n,DC=fqdn /force
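    The manual steps above (look for result 8606, identify the destination DC, the source DSA GUID and the naming context, then build the /replicate command) can be scripted. The following is an added example, not part of the original post: it parses the text saved by the repadmin /showrepl ... /errorsonly commands and prints one /replicate command per lingering-object failure. The sample lines and GUIDs embedded below are constructed, modelled on the output shown above.

```powershell
# Added example, not from the original post. Parses "repadmin /showrepl <DC_LIST> /errorsonly"
# output and builds "repadmin /replicate <dest> <sourceGUID> <NC> /force" for every 8606 failure.
function Get-LingeringObjectReplicateCommands {
    param([Parameter(Mandatory)][string[]]$ShowReplLines)

    $commands    = New-Object System.Collections.Generic.List[string]
    $destination = $null    # DC that logged the error (from the "running command" header)
    $inInbound   = $false   # true between the INBOUND NEIGHBORS banner and the next banner
    $nc          = $null    # naming context currently being listed
    $sourceGuid  = $null    # DSA object GUID of the source neighbour under that NC

    foreach ($raw in $ShowReplLines) {
        $line = $raw.Trim()
        if ($line -match '^Repadmin: running command /SHOWREPL against .*?DC (\S+)$') {
            $destination = $Matches[1]; $inInbound = $false; $nc = $null; $sourceGuid = $null
            continue
        }
        if ($line -match '^====') { $inInbound = ($line -match 'INBOUND NEIGHBORS'); continue }
        if (-not $inInbound) { continue }   # skips the destination's own "DSA object GUID" header line
        if ($line -match '^(DC|CN)=')                { $nc = $line; $sourceGuid = $null; continue }
        if ($line -match '^DSA object GUID:\s*(\S+)') { $sourceGuid = $Matches[1]; continue }
        if ($line -match 'failed, result 8606 \(0x219e\)' -and $destination -and $nc -and $sourceGuid) {
            $commands.Add("repadmin /replicate $destination $sourceGuid $nc /force")
        }
    }
    # Same source/NC pair can show up more than once when several destinations fail against it
    $commands | Sort-Object -Unique
}

# Constructed sample: one 8606 failure and one unrelated RPC failure that must be ignored.
$sample = @'
Repadmin: running command /SHOWREPL against full DC DC1.domain_a.fqdn
site1\DC1
DSA Options: IS_GC
DSA object GUID: 11111111-1111-1111-1111-111111111111
==== INBOUND NEIGHBORS ======================================
DC=domain_n,DC=fqdn
    Site30\DC via RPC
        DSA object GUID: 22222222-2222-2222-2222-222222222222
        Last attempt @ 2014-10-16 10:55:42 failed, result 8606 (0x219e):
            Insufficient attributes were given to create an object.
        529 consecutive failure(s).
CN=Configuration,DC=fqdn
    Site30\DC via RPC
        DSA object GUID: 22222222-2222-2222-2222-222222222222
        Last attempt @ 2014-10-16 10:55:50 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
'@ -split "`r?`n"

Get-LingeringObjectReplicateCommands -ShowReplLines $sample
# Real run: Get-LingeringObjectReplicateCommands -ShowReplLines (Get-Content .\domain_a.txt)
```

    Review the generated commands before running them: /replicate /force only resumes replication, the lingering objects themselves are removed by the repldiag-generated removelingeringobjects commands called earlier.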

    Hope it helps!

    Paulo

  • How to prevent the creation of GPOs from outside AGPM (Advanced Group Policy Management)

    During my interactions with Premier Microsoft customers I have found that the main reason for not using AGPM (Advanced Group Policy Management) to enforce change control procedures on Group Policy management is the lack of information on how to prevent GPOs from being created or edited outside of AGPM.
    Basically, their experience tells them that any Domain/GPO admin will be able to use the normal GPMC (Group Policy Management Console) to create/edit GPOs, thus bypassing the change control enforcement supposedly provided by AGPM. I am writing these lines to address that problem.

    This post explains how to install and configure AGPM in order to prevent the creation of GPOs from outside AGPM.

    AGPM is a plug-in for GPMC that provides the following features:

    Offline editing
    Change control
    Role-based delegation
    Search and filter capabilities
    Cross-forest management
     
    AGPM can be found on the MDOP (Microsoft Desktop Optimization Pack) for Software Assurance.

    To install AGPM, follow the steps below:

    1. Create an AGPM Service Account.
    2. Add the AGPM Service Account to the following groups:
    2.1. Group Policy Creator Owners
    2.2. Backup Operators
    2.3. Local Administrators (on the client(s) and server selected to install the AGPM Client and Server components respectively)
    3. Install the AGPM Server component on the selected server:
    3.1. Run the AGPM server installer.
    3.2. Select the Archive Path (can be a local folder or network share).
    3.3. Select the AGPM Service Account under which the AGPM service will run.
    3.4. Assign the Archive Owner/AGPM Administrator (Full Control) role to the group (or individual user) that will have Full Control over AGPM and will therefore be able to assign AGPM roles and permissions to other Group Policy administrators.
    3.5. Select the listening port for the AGPM service (default: 4600).

    NOTE: The AGPM Service Account requires (at least) the following permissions:
    - Full Control on the AGPM Archive
    - Full Control on the %systemroot%\temp folder
    - Full Control on existing GPOs

    4. Install the AGPM Client component on the selected workstation:
    4.1. Run the AGPM client installer.
    4.2. Enter the AGPM Server name and port for connecting to the AGPM server service.

    To prevent the creation of GPOs from outside AGPM, do the following:

    1. Remove all members (except the AGPM Service Account and the Archive Owner/AGPM Administrator) from the "Group Policy Creator Owners" group.

    To prevent changes to existing GPOs from outside AGPM, do the following:

    1. Remove the Domain Admins and Enterprise Admins permissions from every GPO in the domain.

    NOTE: Domain Admins can re-grant themselves permissions on all GPOs. Depending on your environment, additional groups may have to be removed from all GPOs. Ensure that Authenticated Users keep Allow Read and that the target groups keep Allow Apply Group Policy, and make sure you don't remove the AGPM Administrator account assigned in step 3.4.

    To ease this task, consider using GrantPermissionOnAllGPOs.wsf, included in GPMCSampleScripts.msi, which can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=14536
    You may also find many other useful scripts there.
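    The same permission clean-up, plus the re-check the NOTE above calls for, with the GroupPolicy PowerShell module (an added example, not part of the original post or of the GPMC sample scripts). It assumes the GroupPolicy module (RSAT) is installed; the account and group names passed in are placeholders for your AGPM service account and Archive Owner group.

```powershell
Import-Module GroupPolicy

# Strips the given trustees from every GPO in the domain while keeping what must stay:
# the AGPM service account and the Archive Owner group with full control, and
# Authenticated Users with at least Read (existing Apply rights are left untouched,
# because Set-GPPermission never lowers a higher level unless -Replace is used).
function Protect-GposFromGpmcEdits {
    param(
        [Parameter(Mandatory)][string]$AgpmServiceAccount,   # assumed name, e.g. 'svc-agpm'
        [Parameter(Mandatory)][string]$AgpmAdminGroup,       # assumed name, e.g. 'AGPM Archive Owners'
        [string[]]$RemoveTrustees = @('Domain Admins', 'Enterprise Admins'),
        [switch]$ReportOnly                                   # only list what would change
    )
    foreach ($gpo in Get-GPO -All) {
        foreach ($trustee in $RemoveTrustees) {
            if ($trustee -eq $AgpmAdminGroup) { continue }    # never strip the Archive Owner
            $perm = Get-GPPermission -Guid $gpo.Id -TargetName $trustee -TargetType Group -ErrorAction SilentlyContinue
            if (-not $perm) { continue }
            Write-Host "[$($gpo.DisplayName)] $trustee currently has $($perm.Permission); removing"
            if (-not $ReportOnly) {
                Set-GPPermission -Guid $gpo.Id -TargetName $trustee -TargetType Group -PermissionLevel None | Out-Null
            }
        }
        if ($ReportOnly) { continue }
        Set-GPPermission -Guid $gpo.Id -TargetName $AgpmServiceAccount -TargetType User  -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
        Set-GPPermission -Guid $gpo.Id -TargetName $AgpmAdminGroup     -TargetType Group -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead | Out-Null
    }
}

# The post warns that Domain Admins can re-grant themselves rights. This returns every GPO
# where a stripped trustee holds edit rights again; run it on a schedule and alert on output.
function Get-GpoUnexpectedEditors {
    param([string[]]$Trustees = @('Domain Admins', 'Enterprise Admins'))
    $editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $Trustees -contains $_.Trustee.Name -and $editLevels -contains $_.Permission.ToString() } |
            ForEach-Object { [pscustomobject]@{ Gpo = $gpo.DisplayName; Trustee = $_.Trustee.Name; Permission = $_.Permission } }
    }
}

# Protect-GposFromGpmcEdits -AgpmServiceAccount 'svc-agpm' -AgpmAdminGroup 'AGPM Archive Owners' -ReportOnly
# Get-GpoUnexpectedEditors | Format-Table -AutoSize
```

    Run it with -ReportOnly first; the account performing the change must itself still hold Edit settings, delete, modify security on the GPOs, so run it before your own group is among the stripped trustees.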

    From now on the AGPM Administrator can configure e-mail notifications, control policies, manage roles and delegated permissions, and approve requests via the AGPM client, without GPO admins being able to circumvent change control with GPMC.

    Hope it helps!

  • Fine Grained Password Policies GUI in Windows Server 2012 ADAC

    Hello my name is Paulo Viralhadas and I'm a Premier Field Engineer at Microsoft.

    Have you ever used Fine Grained Password Policies?

    This feature, introduced in Windows Server 2008, allows you to override the password policy set at the domain level.

    It applies password settings to subsets of users that you may like to differentiate from the domain policy.

    In Windows Server 2012 we added a GUI (Graphical User Interface), so now you don't have to use ADSIedit, LDP or PowerShell to create PSOs (Password Settings Objects).

    Note that PSOs are not like GPOs:

    1. They're not managed via GPMC.

    2. They're not linked to OUs, Sites or Domains.

    PSOs apply to User and Group objects (i.e. ultimately they apply to user accounts).

    As an example, with FGPP you can have a domain password policy that defines a minimum password length of 8 characters, which is applied to all users in the domain.

    Then have a PSO that sets 24 characters for all user accounts that are members of the "All Service Accounts" group.

    I added the following video that walks you through the steps needed to implement this (once again I've kept it short and simple, with no sound).

    Anyway, here are the high-level steps you have to follow:

    1. Using ADAC (Windows 8 or Server 2012) open the Password Settings container (under System container).

    2. Add a New PSO (Password Settings Object).

    3. Configure the desired PSO properties (Max password Age, Min Password Length, etc).

    4. Assign the PSO to a user or group.
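    The same scenario (a 24-character minimum for members of "All Service Accounts") done with the ActiveDirectory module instead of ADAC, with a check of which policy actually wins per user. This is an added example, not part of the original post; the PSO name, precedence, age and lockout values are assumed, and "All Service Accounts" is taken to be the group's sAMAccountName.

```powershell
Import-Module ActiveDirectory

# Creates (once) the PSO from the post's scenario and binds it to the service-account group.
# Every setting is given explicitly because all of them are mandatory on a PSO; the name,
# precedence, ages and lockout values here are assumed, not from the post.
function Set-ServiceAccountPso {
    param(
        [string]$PsoName   = 'PSO-ServiceAccounts',   # assumed
        [string]$GroupName = 'All Service Accounts',  # sAMAccountName of the group from the post
        [int]$MinLength    = 24,
        [int]$Precedence   = 10                       # lowest precedence wins if several PSOs apply
    )
    $group = Get-ADGroup -Identity $GroupName
    $pso   = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'"
    if (-not $pso) {
        $pso = New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence $Precedence -PassThru `
            -MinPasswordLength $MinLength -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
            -PasswordHistoryCount 24 -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 365) `
            -LockoutThreshold 10 -LockoutObservationWindow (New-TimeSpan -Minutes 30) -LockoutDuration (New-TimeSpan -Minutes 30) `
            -ProtectedFromAccidentalDeletion $true
    }
    if ($pso.AppliesTo -notcontains $group.DistinguishedName) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group
    }
    return $pso
}

# Shows which policy really applies to each user in the group: the resultant PSO (the lowest
# precedence among all PSOs linked to the user or its groups) or the domain default policy.
function Get-ResultantPolicyReport {
    param([string]$GroupName = 'All Service Accounts')
    $default = Get-ADDefaultDomainPasswordPolicy
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $res = Get-ADUserResultantPasswordPolicy -Identity $_.DistinguishedName
            [pscustomobject]@{
                User      = $_.SamAccountName
                Policy    = $(if ($res) { $res.Name } else { '(domain default)' })
                MinLength = $(if ($res) { $res.MinPasswordLength } else { $default.MinPasswordLength })
            }
        }
}

# Set-ServiceAccountPso | Out-Null
# Get-ResultantPolicyReport | Format-Table -AutoSize
```

    A user that still shows "(domain default)" or a different PSO name in the report is the usual sign of a precedence clash or of a membership that is not yet replicated.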

    Hope it helps!

    Enjoy!

  • AD recycle bin feature and Windows Server 2012 GUI

    Hello my name is Paulo Viralhadas and I'm a Premier Field Engineer at Microsoft.

     

    The AD Recycle Bin feature was released in Windows Server 2008 R2 without a graphical user interface, which made its deployment and use (I mean recovering deleted objects from AD) somewhat difficult for system admins.

    In this post I will write about how to enable the ADRB feature on both WS2008 R2 and WS2012.

    This will provide you with the skills necessary to perform object recovery regardless of the operating system you are using currently.

    Be amazed at how easy it is to recover deleted objects in WS2012.

    This feature can be enabled if your forest is running at WIN2008R2 functional level.

    If you already have all DCs in the forest running Windows Server 2008 R2 or higher, you may use the following PowerShell command to raise the FFL:

    Set-ADForestMode 4 -Identity <forestname>

    which requires that all domains in the forest run at WIN2008R2 domain functional level, so if needed run:

    Set-ADDomainMode 4 -Identity <domainname>

    Before running the PowerShell commands above, if you are using WS2008 R2 you have to import the Active Directory module for PowerShell (WS2012 does it automatically).

    Important: Enabling Active Directory Recycle Bin is an irreversible procedure.

    To enable the AD Recycle Bin feature using PowerShell, run:

    Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target '<forestname>'

    To check whether the Recycle Bin is enabled:

    Get-ADOptionalFeature -filter *

    To restore a deleted object do the following:

    Get-ADObject -Filter {displayName -eq "name"} -IncludeDeletedObjects | Restore-ADObject

    Watch the video - Enable AD Recycle Bin and restore a single object using PowerShell on WS2008 R2

    Although restoring a single object is fairly simple, the restoration procedures get more complex when restoring multiple nested objects.

    For example, when you need to restore an OU with hundreds or thousands of objects in it (users, groups, computers or even sub-OUs, which in turn may contain more objects).

    You will have to work out how deep the OU nesting goes by querying the deleted users' lastKnownParent attribute, in order to understand the deleted OU structure.

    Then you must restore from top to bottom, one hierarchy level at a time.

    The reason is that when an object is deleted and moved to the Deleted Objects container, its distinguished name (DN) gets mangled and the Deleted Objects container does not keep any hierarchy.

    The only way to recover the object hierarchy is by searching on the lastKnownParent attribute.

    For example consider the following scenario:

    [picture 1]

    In this scenario we need to start by searching for known objects that have been deleted, in this case by finding the lastKnownParent of a user named Peter:

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -LDAPFilter "(msDS-LastKnownRDN=Peter)" -IncludeDeletedObjects -Properties lastKnownParent

    Then by finding all objects that have HumanResources as lastKnownParent (note: the backslash before 0ADEL: in the DN has to be doubled inside the filter):

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq 'OU=HumanResources\\0ADEL:c876daac-da9b-57ce-bded-978aed9c0e2b,CN=Deleted Objects,DC=contoso,DC=com'} -IncludeDeletedObjects -Properties lastKnownParent | ft

    At this stage we go through the output looking for other OUs contained within the HumanResources OU; for each OU we find, we search for deleted objects inside it as well (in this case we explore the Users OU within HumanResources):

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq 'OU=Users\\0ADEL:6b507c43-172b-8145-93bf-61e00302bb4a,CN=Deleted Objects,DC=contoso,DC=com'} -IncludeDeletedObjects -Properties lastKnownParent | ft

    So far we have found that the HumanResources OU has been deleted (we noticed its mangled DN). With the following command we can check whether there is another OU above it and whether that one was deleted too (if so, we have to perform the same steps as above to find the other objects within it):

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -LDAPFilter "(msDS-LastKnownRDN=HumanResources)" -IncludeDeletedObjects -Properties lastKnownParent

    Once the investigation is complete, we can start restoring the objects from top to bottom.

    To restore the HumanResources OU:

    Get-ADObject -LDAPFilter "(msDS-LastKnownRDN=HumanResources)" -IncludeDeletedObjects | Restore-ADObject

    To restore all deleted objects under it (including the Users OU):

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq "OU=HumanResources,DC=contoso,DC=com"} -IncludeDeletedObjects | Restore-ADObject

    To restore all deleted objects under the Users OU:

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq "OU=Users,OU=HumanResources,DC=contoso,DC=com"} -IncludeDeletedObjects | Restore-ADObject

    Note: Depending on your infrastructure you may have to go deeper into OU hierarchy, but then you just have to repeat the steps above accordingly.
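    The investigate-then-restore procedure above, automated for a whole deleted OU subtree of any depth. This is an added example, not part of the original post; it assumes the ActiveDirectory module, a caller allowed to restore objects, and relies on the behaviour the post shows: once a parent is restored, its deleted children's lastKnownParent equals the live parent DN. The OU name HumanResources comes from the post's scenario.

```powershell
Import-Module ActiveDirectory

# Walk up from a deleted object to the highest ancestor that is itself still deleted,
# because restores must start at the top (a child cannot be restored under a deleted parent).
function Get-TopmostDeletedAncestor {
    param([Parameter(Mandatory)]$DeletedObject)
    $current = $DeletedObject
    while ($current.lastKnownParent) {
        $parent = Get-ADObject -Identity $current.lastKnownParent -IncludeDeletedObjects -Properties isDeleted, lastKnownParent -ErrorAction SilentlyContinue
        if (-not $parent -or -not $parent.isDeleted) { break }   # parent is live (or not found): stop here
        $current = $parent
    }
    return $current
}

# Restore one object, then every deleted object whose lastKnownParent now equals its live DN,
# recursing depth-first so each level is live before the level below is touched.
function Restore-ADObjectTree {
    param([Parameter(Mandatory)]$Object, [Parameter(Mandatory)][string]$DeletedObjectsDN)
    $live = Restore-ADObject -Identity $Object.ObjectGUID -PassThru -ErrorAction Stop
    Write-Host "Restored $($live.DistinguishedName)"
    # Leaf objects simply return no children here, which ends the recursion.
    $children = Get-ADObject -SearchBase $DeletedObjectsDN -IncludeDeletedObjects -Properties lastKnownParent -Filter "lastKnownParent -eq '$($live.DistinguishedName)'"
    foreach ($child in @($children)) {
        Restore-ADObjectTree -Object $child -DeletedObjectsDN $DeletedObjectsDN
    }
}

# Entry point: locate the deleted object by its last known RDN (e.g. HumanResources), climb to
# the top of the deleted hierarchy, then restore everything below it top-down.
function Restore-DeletedSubtree {
    param([Parameter(Mandatory)][string]$LastKnownRDN)
    $deletedObjectsDN = (Get-ADDomain).DeletedObjectsContainer
    $hits = @(Get-ADObject -SearchBase $deletedObjectsDN -IncludeDeletedObjects -Properties isDeleted, lastKnownParent -LDAPFilter "(msDS-LastKnownRDN=$LastKnownRDN)")
    if ($hits.Count -ne 1) {
        throw "Expected exactly one deleted object named '$LastKnownRDN', found $($hits.Count); narrow the search (e.g. by whenChanged)."
    }
    $top = Get-TopmostDeletedAncestor -DeletedObject $hits[0]
    if ($top.ObjectGUID -ne $hits[0].ObjectGUID) {
        Write-Host "Parent '$($top.Name)' was deleted too; starting the restore there."
    }
    Restore-ADObjectTree -Object $top -DeletedObjectsDN $deletedObjectsDN
}

# Restore-DeletedSubtree -LastKnownRDN 'HumanResources'
```

    Objects whose tombstone has passed the deleted object lifetime are recycled and no longer restorable, so the function reports only what Get-ADObject -IncludeDeletedObjects can still see.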

    Watch the video - Restore multiple objects using PowerShell on WS2008 R2

    Now that we have covered how to restore deleted objects with the Recycle Bin in WS2008 R2, let's see how easy it is to do the same in WS2012 with the new Recycle Bin GUI.

    Open the Deleted Objects container in ADAC and perform the same searches there, just by using the UI, working out the hierarchy by looking at the Last Known Parent attribute.

    If you are looking for specific objects you can click Add criteria; if you don't know exactly what to search for (this is one of the reasons why having AD properly documented is so important), one idea is to add the "Last modified between these dates" criterion.

    Watch the video - Restore multiple objects using the NEW Recycle Bin GUI in WS2012

    Hope it helps!

    Enjoy!

    PS: I will add the videos throughout the week.

    In my next post I will share more information on how actually the AD recycle bin works.

  • How to clone a virtual Domain Controller

    Hello my name is Paulo Viralhadas and I'm a Premier Field Engineer at Microsoft.

    In one of my previous posts I wrote about vDC cloning, which is my preferred feature in Windows Server 2012: http://blogs.technet.com/b/reference_point/archive/2012/12/11/so-you-wanted-to-deploy-domain-controllers-faster-now-you-can.aspx

    vDC cloning gives you the ability to scale up your production forest and to recover from disasters faster, or simply to build a lab in the blink of an eye.

    In this post you can watch a number of videos that show how to clone a vDC.

    Note: I tried to keep the videos as simple as possible for quick reference.

     

    HOW TO CLONE A vDC

    The requirements are:
    Hypervisor must support VM-Generation ID (VMGID).
    AD DS schema version 56.
    Windows Server 2003 Forest Functional Level.
    Source DC must be running Windows Server 2012.
    PDCe must be running on a Windows Server 2012 DC.
    PDCe and RID master online and available.

    The video contents are:

    Video 1 - Prerequisite check.

    Step 1 - Verify that the source vDC is running on a supported hypervisor.
    Step 2 - Verify the schema version.
    Step 3 - Verify the Forest Functional Level.
    Step 4 - Check the vDC source Operating System.
    Step 5 - Verify that the PDCe FSMO role is running on a Windows Server 2012 DC.
    Step 6 - Ensure that the PDC and RID master are available during the cloning process.

     

     

    Video 2 - Getting the Clone ready.

    Step 7 - Create DCCloneConfig.xml file.
    Step 8 - Add the source VDC to the "Cloneable Domain Controllers" security group.
    Step 9 - Shut down the source vDC.

     

     

    Video 3 - Cloning...

    Step 10 - Export the source VM (Virtual Machine).
    Step 11 - Import the VM with the option "Copy the virtual machine (create a new unique ID)".
    Step 12 - Start the new VM.

     

     

    Detailed steps:


    Step 1 - Verify that the source vDC is running on a supported hypervisor.

    On the source vDC:
    open [Device Manager]
    expand [System Devices]
    open properties of [Microsoft Hyper-V Generation Counter]
    select the "Driver" tab
    click "Driver details"
    verify that the driver is "vmgencounter.sys"
    This is the driver that makes vDC cloning and snapshot restore possible in Windows Server 2012.

    Step 2 - Verify Schema version.

    On any DC in the forest:
    run [regedit]
    browse to HKLM\System\CCS\Services\NTDS\Parameters
    verify that "Schema Version" REG_DWORD value is 56.
    This is the Windows Server 2012 version of the schema.

    Step 3 - Verify Forest Functional Level.

    On any DC in the forest:
    open [Powershell]
    run [Get-ADForest]
    verify that "ForestMode" value is "Windows2003Forest" or higher.

    Step 4 - Check the vDC source Operating System.

    On the source vDC:
    run [winver]
    verify that source vDC is a Windows Server 2012.

    Step 5 - Verify that the PDCe FSMO role is running on a Windows Server 2012 DC

    On any DC in the domain:
    open [cmd]
    run [netdom query fsmo]
    copy the PDC FQDN
    open [Powershell]
    run [Get-ADDomainController -Server <paste the PDC FQDN here>]
    verify that OperatingSystemVersion value is 6.2 (9200) or higher

    Step 6 - Ensure that PDC and RID master are available during cloning process.

    Step 7 - Create DCCloneConfig.xml file.

    open [Powershell]
    run [New-ADDCCloneconfigFile]
    (this creates an empty configuration file; you might want to have a look at the table below before you add
     configuration information to it)

    Step 8 - Add the source VDC to the "Cloneable Domain Controllers" security group.

    open [ADAC]
    browse your domain to the "Users" container
    double-click "Cloneable Domain Controllers" security group
    Select "Members" tab and click "Add" button to add the source domain controller account

    Step 9 - Shut down the source vDC.

    Step 10 - Export the source VM (Virtual Machine).

    open [Hyper-V Manager]
    Right-click the source vDC VM
    Select Export
    Specify where you want to save the files

    Step 11 - Import the VM with the option "Copy the virtual machine (create a new unique ID)".

    open [Hyper-V Manager]
    click on "Import Virtual Machine"
    Locate Folder
    Select Virtual Machine
    Choose import type:  "Copy the virtual machine (create a new unique ID)"

    Step 12 - Start the new VM.

    (Refer to the diagram below in order to understand the cloning/snapshot restore decision process)
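    Steps 1 to 6 and 8 above are all checks that can be scripted before you export the VM. The following is an added example, not part of the original post: run it in an elevated PowerShell on the source vDC. It assumes the ActiveDirectory module is installed there; the device check only confirms the Hyper-V Generation Counter device is present, not the driver file name shown in Step 1.

```powershell
Import-Module ActiveDirectory

function New-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    [pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# "6.2 (9200)" as reported by Get-ADDomainController -> [version]6.2.9200
function ConvertTo-OsVersion([string]$Text) {
    [version]($Text -replace '\s*\((\d+)\)\s*$', '.$1')
}

function Test-VdcCloneReadiness {
    param([string]$SourceDc = $env:COMPUTERNAME)
    $ws2012 = [version]'6.2.9200'
    $domain = Get-ADDomain
    $forest = Get-ADForest

    # Step 1: the hypervisor must expose the VM-Generation ID device to the guest.
    $gen = Get-WmiObject -Class Win32_PnPEntity -Filter "Name='Microsoft Hyper-V Generation Counter'"
    New-Check 'Step 1: VM-Generation ID device present' ($null -ne $gen) $(if ($gen) { $gen.Status } else { 'device not found' })

    # Step 2: schema objectVersion 56 is the Windows Server 2012 schema.
    $schema = Get-ADObject -Identity (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
    New-Check 'Step 2: Schema version >= 56' ($schema.objectVersion -ge 56) "objectVersion = $($schema.objectVersion)"

    # Step 3: forest functional level Windows Server 2003 (enum value 2) or higher.
    New-Check 'Step 3: FFL >= Windows2003Forest' ([int]$forest.ForestMode -ge 2) "ForestMode = $($forest.ForestMode)"

    # Step 4: the source vDC itself must run Windows Server 2012.
    $src = Get-ADDomainController -Identity $SourceDc
    New-Check 'Step 4: Source vDC runs WS2012+' ((ConvertTo-OsVersion $src.OperatingSystemVersion) -ge $ws2012) $src.OperatingSystemVersion

    # Steps 5 and 6: PDCe must be a WS2012 DC, and PDCe plus RID master must answer right now.
    foreach ($role in 'PDCEmulator', 'RIDMaster') {
        $fqdn = $domain.$role
        try {
            $dc = Get-ADDomainController -Server $fqdn -ErrorAction Stop
            New-Check "Step 6: $role reachable" $true $fqdn
            if ($role -eq 'PDCEmulator') {
                New-Check 'Step 5: PDCe runs WS2012+' ((ConvertTo-OsVersion $dc.OperatingSystemVersion) -ge $ws2012) $dc.OperatingSystemVersion
            }
        } catch {
            New-Check "Step 6: $role reachable" $false "$fqdn : $($_.Exception.Message)"
        }
    }

    # Step 8: the source computer account must be in Cloneable Domain Controllers.
    $members = Get-ADGroupMember -Identity 'Cloneable Domain Controllers' | Select-Object -ExpandProperty DistinguishedName
    New-Check 'Step 8: Source in Cloneable Domain Controllers' ($members -contains $src.ComputerObjectDN) $src.ComputerObjectDN
}

# Test-VdcCloneReadiness | Format-Table -AutoSize
```

    Any row with Passed = False means the clone will fall back to the safeguards below or fail to promote, so fix it before Step 9.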

     

     

    The Cloning/Snapshot safeguards are:

    • DC resets the Invocation ID
    • Discards the RID pool
    • Updates the Up-to-Dateness vector table
    • Replicates AD object differences
    • Replicates SYSVOL differences
    • Updates msDS-GenerationID

     

     The following table puts together the outcomes of the diagram above:

     

     

    By the way you may find a playlist of all 3 videos above at: 

    http://www.youtube.com/playlist?list=PLRiiq9ROPBOtJhPx2SciZcMfhJ4PN4K7y 

     

    Hope it helps!

     Best regards

    Paulo