Active Directory & Identity

Remove an Offline Domain Controller

Sometimes domain controllers encounter catastrophic failures that take them off the network permanently – perhaps a hardware failure or an extended network outage that exceeds the tombstone lifetime. In these cases, the traditional process of demoting the domain controller won’t work and you’ll be forced to manually clean up Active Directory instead. This manual process is known as metadata cleanup. Metadata cleanup removes all of the references to the domain controller from Active Directory so that things like replication continue to work without error. Depending on what version of Windows you’re working with, this can be as simple as deleting the domain controller’s computer account with AD Users and Computers, or it might require a trip to the command line to put ntdsutil to work.

Windows Server 2008 and Newer (Active Directory Users and Computers)

The Windows Server 2008 version of Active Directory Users and Computers (ADUC) introduced a convenient one click approach to performing metadata cleanup. To t…
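The command-line path the paragraph refers to, as an added example that is not code from the original post: seize any FSMO roles the dead DC held, locate its server object in the Configuration partition, and remove it with ntdsutil from a surviving DC. The names DC02 (the failed DC), DC01 (the survivor) and contoso.com are assumptions.

```powershell
# Added example, not from the original post. Run elevated on a surviving DC
# with the RSAT ActiveDirectory module installed.
# Assumptions: DC02 is the dead DC, DC01 is healthy, domain is contoso.com.
Import-Module ActiveDirectory

$deadDc   = 'DC02'   # assumed name of the failed DC
$survivor = 'DC01'   # assumed name of a healthy DC that will take any FSMO roles

# 1. If the dead DC held FSMO roles, seize them first (-Force turns a transfer
#    into a seizure, which is what you need when the holder is gone).
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = @()
if ($domain.PDCEmulator          -like "$deadDc.*") { $roles += 'PDCEmulator' }
if ($domain.RIDMaster            -like "$deadDc.*") { $roles += 'RIDMaster' }
if ($domain.InfrastructureMaster -like "$deadDc.*") { $roles += 'InfrastructureMaster' }
if ($forest.SchemaMaster         -like "$deadDc.*") { $roles += 'SchemaMaster' }
if ($forest.DomainNamingMaster   -like "$deadDc.*") { $roles += 'DomainNamingMaster' }
if ($roles) {
    Move-ADDirectoryServerOperationMasterRole -Identity $survivor -OperationMasterRole $roles -Force
}

# 2. Find the dead DC's server object. NTDSSettingsObjectDN looks like
#    CN=NTDS Settings,CN=DC02,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,DC=contoso,DC=com
#    and the server object is its parent.
$dc = Get-ADDomainController -Filter "Name -eq '$deadDc'"
if (-not $dc) { throw "No DC named $deadDc is registered in the directory" }
$serverDn = $dc.NTDSSettingsObjectDN -replace '^CN=NTDS Settings,', ''

# 3. Remove it. Each quoted argument is one ntdsutil command; this is the
#    same cleanup the 2008+ ADUC delete-DC dialog performs for you.
ntdsutil 'metadata cleanup' "remove selected server $serverDn" quit quit

# 4. Verify: the DC is gone and no surviving partner still reports it.
Get-ADDomainController -Filter * | Select-Object Name, Site
repadmin /showrepl /errorsonly
```

ntdsutil does not touch DNS: the dead DC's A, NS and SRV records stay behind and should be deleted by hand in DNS Manager, otherwise clients and replication partners keep trying to reach it.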

How to Configure Time Synchronization on the PDC Emulator

Active Directory provides a time synchronization hierarchy that ensures that time-dependent protocols such as Kerberos will work correctly. The PDC emulator in the forest root domain must be configured to synchronize with an authoritative external source – either a hardware clock, a government time source, or another NTP server. As a matter of best practice, consider configuring a domain controller that has been identified as an alternate PDC emulator role holder to also synchronize with an external source. This way, if you transfer the PDCe FSMO role, you won’t need to reconfigure the time service on the new domain controller. This post teaches you how to properly configure the forest root domain PDC emulator for time synchronization.
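The configuration the paragraph describes, as an added example rather than the post's own steps: find the forest-root PDCe, point it at external NTP peers, mark it reliable, and check that it actually took. The peer names 0.pool.ntp.org and 1.pool.ntp.org are assumptions; substitute your own source.

```powershell
# Added example, not from the original post. Assumed external peers are the
# pool.ntp.org names below; replace them with your hardware clock or NTP server.

# Identify the forest-root PDC emulator (works from any box with the AD module).
$rootDomain = (Get-ADForest).RootDomain
$pdce = (Get-ADDomain -Identity $rootDomain).PDCEmulator
"Forest root PDC emulator: $pdce"

# --- Run the rest elevated on that PDCe ---
# Peers are "host,0x8" (0x8 = client mode). /syncfromflags:manual ignores the
# domain hierarchy, /reliable:yes advertises this DC as a good time source,
# /update writes the change to the running service.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" `
              /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# Verify. The source must be one of the peers, not "Local CMOS Clock" or
# "Free-running System Clock"; status shows stratum and last sync time.
w32tm /query /source
w32tm /query /status
w32tm /query /peers

# Repeat the /config above on the DC you keep as the alternate PDCe holder.
# Every other DC should follow the domain hierarchy instead:
#   w32tm /config /syncfromflags:domhier /update ; w32tm /resync
```

Two things that silently undo this: outbound UDP/123 blocked at the firewall (the source falls back to the local clock), and a virtualized PDCe whose hypervisor time-sync integration keeps resetting the guest clock. Re-run `w32tm /query /source` after a reboot to confirm the external source is still in use.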

How to Promote a Domain Controller

The process to convert a member server to a domain controller (DC) – known as promotion – requires a number of inputs to complete the wizard. As Active Directory has evolved, additional steps/inputs have been added to the wizard, but the process itself has undergone very little change. If you are coming to Windows Server 2012 or newer from a previous version of Active Directory, the most noticeable change is that the dcpromo tool dating to Windows 2000 is gone. In fact, if you try to run dcpromo on a Windows Server 2012 or newer server, you’ll receive an error. This article walks you through the process and inputs necessary to promote a domain controller.
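The same inputs the wizard asks for, supplied from PowerShell, as an added example that is not the post's own walkthrough. The domain contoso.com, the site name and the default NTDS/SYSVOL paths are assumptions.

```powershell
# Added example, not from the original post: promote a member server to an
# additional DC on Windows Server 2012 or newer (the dcpromo replacement).
# Assumptions: domain contoso.com, site Default-First-Site-Name, default paths.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

$cred = Get-Credential 'CONTOSO\Administrator'             # a Domain Admins member
$dsrm = Read-Host -AsSecureString 'DSRM (Safe Mode) password'

$params = @{
    DomainName                    = 'contoso.com'
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    SiteName                      = 'Default-First-Site-Name'
    InstallDns                    = $true
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# Dry run with the same inputs: validates prerequisites (credentials, DNS,
# site, paths) without changing the server.
Test-ADDSDomainControllerInstallation @params

# Real promotion. -Force suppresses the confirmation prompt; the server reboots
# when it finishes unless you add -NoRebootOnCompletion.
Install-ADDSDomainController @params -Force

# After the reboot, confirm the new DC advertises itself correctly.
# dcdiag /test:advertising
# Get-ADDomainController -Identity $env:COMPUTERNAME
```

For the first DC of a brand-new forest the equivalent cmdlet is `Install-ADDSForest`; for the first DC of a new child domain it is `Install-ADDSDomain`. Both come from the same ADDSDeployment module and take a DSRM password the same way.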

Forcefully Demote a Domain Controller

If you have a domain controller that is no longer on the network, hasn’t replicated during the forest’s tombstone lifetime, or has been cleaned up in Active Directory via metadata cleanup, you’ll need to do a forced demotion in order to get the server back to a normal state. The procedure to do this varies depending on whether the server in question is running Windows Server 2012 or newer, or if it’s running a prior version of Windows Server. In this post, we'll look at the process for both the legacy and modern approaches to this problem.
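Both paths, as an added example rather than the post's own procedure: the ADDSDeployment cmdlet on Windows Server 2012 and newer, and the legacy dcpromo switch for earlier releases. Run it on the DC being demoted.

```powershell
# Added example, not from the original post. Run elevated on the DC that can
# no longer replicate.

# --- Windows Server 2012 or newer ---
Import-Module ADDSDeployment
$localAdminPw = Read-Host -AsSecureString 'Local Administrator password after demotion'

$params = @{
    ForceRemoval               = $true           # do not try to contact other DCs
    DemoteOperationMasterRole  = $true           # proceed even if FSMO roles are still here
    LocalAdministratorPassword = $localAdminPw   # this box becomes a standalone server
    Force                      = $true           # no confirmation prompt; the server reboots
}
Uninstall-ADDSDomainController @params

# --- Windows Server 2008 R2 and earlier ---
# The legacy equivalent of the above is:
#   dcpromo /forceremoval

# Either way the demoted server removes nothing from the directory. Finish on
# a surviving DC: metadata cleanup (ntdsutil or the 2008+ ADUC delete dialog),
# seize any FSMO roles it held, and delete its stale DNS records. Then check:
#   repadmin /replsummary
#   dcdiag /test:knowsofroleholders
```

If the demotion is forced because the DC simply fell out of the tombstone lifetime, do not try to "fix" it by reconnecting it first: a lingering-object DC that replicates again is a bigger problem than one that is cleanly demoted and rebuilt.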

Installing the Web Application Proxy to Publish AD FS

The final step to publish AD FS on the Internet is to install and configure the Web Application Proxy (WAP). Installing and configuring WAP is a simple process that requires an SSL certificate and a few details about the AD FS environment. Once WAP is installed, it can be used for much more than simply publishing AD FS. WAP can be used to publish claims aware applications as well as enable claims based authentication to applications that use Windows Integrated Authentication.

Install the First Active Directory Federation Services Farm Member

Active Directory Federation Services (AD FS) is a critical component of your identity infrastructure as you begin to examine and move services to the cloud. AD FS securely extends your existing Active Directory beyond the boundaries of the firewall in a standardized and interoperable manner that is accepted across the industry. In this article, we will explore the steps to install the first AD FS server on Windows Server 2012 R2 as well as the prerequisite tasks that you will need to complete prior to installing AD FS.
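One script covering both of the AD FS entries above (the first farm member, then the Web Application Proxy that publishes it), as an added example that is not the posts' own steps. The federation service name sts.contoso.com, the service account CONTOSO\svc_adfs and the published application app.contoso.com are assumptions, and the script assumes a certificate for the service name, with its private key, is already in the machine store on both boxes.

```powershell
# Added example, not from the original posts. Assumptions: federation service
# sts.contoso.com, service account CONTOSO\svc_adfs, published app
# https://app.contoso.com/, certificate already imported on each machine.

$fsName = 'sts.contoso.com'

# Pick the newest cert in LocalMachine\My whose subject matches and that has a
# private key. Used on both the AD FS server and the WAP.
function Get-ServiceCert([string]$Name) {
    $c = Get-ChildItem Cert:\LocalMachine\My |
         Where-Object { $_.Subject -like "*CN=$Name*" -and $_.HasPrivateKey } |
         Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $c) { throw "No certificate with a private key for $Name in LocalMachine\My" }
    $c
}

# --- On the first AD FS farm member (Windows Server 2012 R2, domain-joined) ---
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
$cert = Get-ServiceCert $fsName
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $fsName `
                 -FederationServiceDisplayName 'Contoso Corp' `
                 -ServiceAccountCredential (Get-Credential 'CONTOSO\svc_adfs')
# With a group managed service account, replace -ServiceAccountCredential by
#   -GroupServiceAccountIdentifier 'CONTOSO\gmsa_adfs$'

# --- On the Web Application Proxy in the DMZ (not domain-joined) ---
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$cert = Get-ServiceCert $fsName
# FederationServiceTrustCredential: an account that is a local admin on the AD FS server.
Install-WebApplicationProxy -FederationServiceName $fsName `
                            -CertificateThumbprint $cert.Thumbprint `
                            -FederationServiceTrustCredential (Get-Credential 'CONTOSO\Administrator')

# Publish a claims-aware application behind AD FS pre-authentication.
Add-WebApplicationProxyApplication -Name 'Claims app' `
    -ExternalUrl 'https://app.contoso.com/' `
    -BackendServerUrl 'https://app.contoso.com/' `
    -ExternalCertificateThumbprint $cert.Thumbprint `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Claims app'
# For an app that uses Windows Integrated Authentication instead of claims,
# add -BackendServerAuthenticationSPN 'HTTP/app.contoso.com' (Kerberos
# constrained delegation from the WAP).
```

The WAP needs external DNS for sts.contoso.com pointing at itself and must itself resolve the same name to the internal AD FS server, typically via a hosts-file entry, or the trust setup fails. Keep the WAP out of the domain: its only credentials to the inside are the trust established at install time.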

Exchange

Cisco ACE Sample Configuration for Exchange 2010

Cisco ACE appliances and modules are a common fixture in enterprise datacenters. This post documents a sample configuration for the Cisco ACE that enables reliable publishing of Exchange Server 2010. At the end of this post, you will have a complete sample configuration for a one-arm load balancer configuration with Source NAT (SNAT). We also will configure the load balancer to redirect clients to the secure (HTTPS) URL.

Setting Static Ports for Exchange Client Access

If you are deploying Exchange Server 2010 in an environment with load balancers or firewalls which aren’t able to handle dynamic RPC port ranges, you’ll need to define static ports for the RPC Client Access Service and the Address Book Service on each CAS server. If you are using Public Folders, you’ll also need a third static port on the Mailbox servers hosting Public Folders.

This post includes a script that configures the RPC Client Access service and Address Book service to use static ports. Run this script on each CAS server to configure the services. Finally, on each mailbox server, configure the registry value listed at the bottom of the post.
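A version of that configuration, written here as an added example rather than the post's own script: it sets the two registry values on a CAS server, shows the third for Public Folder Mailbox servers, restarts the services and checks the listeners. The port numbers are assumptions; pick any free ports above 1024 and use the same ones on every CAS server so the load balancer rules stay uniform.

```powershell
# Added example, not the post's script. Port numbers below are assumptions.
$rpcPort = 59531   # RPC Client Access (MSExchangeRPC) on CAS servers
$abPort  = 59532   # Address Book service (MSExchangeAB), Exchange 2010 SP1 or later
$pfPort  = 59533   # Public Folder connections on Mailbox servers

function Set-StaticPort {
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
}

# --- On each Client Access server ---
# RPC Client Access: DWORD "TCP/IP Port"
Set-StaticPort 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem' `
               'TCP/IP Port' $rpcPort 'DWord'
# Address Book service: REG_SZ "RpcTcpPort" (SP1+; RTM used the service's exe.config instead)
Set-StaticPort 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters' `
               'RpcTcpPort' "$abPort" 'String'
# Restarting these drops active Outlook MAPI sessions; do it in a maintenance window.
Restart-Service MSExchangeRPC, MSExchangeAB

# --- On each Mailbox server hosting Public Folders (same value name, different port) ---
# Set-StaticPort 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem' `
#                'TCP/IP Port' $pfPort 'DWord'
# Restart-Service MSExchangeRPC

# Verify the services now listen on the fixed ports (and nothing else grabbed them).
netstat -ano -p tcp | Select-String 'LISTENING' | Select-String ":$rpcPort |:$abPort "
```

Open the chosen ports on the firewall between the load balancer and the CAS array in addition to TCP/135 for the endpoint mapper; Outlook still asks the mapper first and only then connects to the static port.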

Add Office 365 Exchange Online to your PowerShell Profile

The Exchange Online service in Office 365 exposes a variant of the Exchange Management Shell (EMS) that you would normally use if you were managing an on-premises Exchange organization. Connecting to the Exchange Online EMS requires a few tedious but well documented steps.

Rather than manually running these steps each time you need to connect, the samples in this post show how you can add a quick shortcut to your Windows PowerShell profile to connect to the Exchange Online EMS.
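A profile shortcut of that kind, as an added example that is not the post's own sample: two functions for the file named by $PROFILE. The legacy path is the remote-PowerShell session the post describes. Microsoft has since retired Basic-auth remote PowerShell to ps.outlook.com, so the function prefers the ExchangeOnlineManagement module's Connect-ExchangeOnline when it is installed. The UPN admin@contoso.onmicrosoft.com is an assumption.

```powershell
# Added example, not from the original post. Paste into the file at $PROFILE.
# Assumption: the admin UPN below.
function Connect-EXO {
    param([string]$UserPrincipalName = 'admin@contoso.onmicrosoft.com')

    # Preferred on current tenants: the ExchangeOnlineManagement module
    # (Install-Module ExchangeOnlineManagement) handles modern auth and MFA.
    if (Get-Command Connect-ExchangeOnline -ErrorAction SilentlyContinue) {
        Connect-ExchangeOnline -UserPrincipalName $UserPrincipalName -ShowBanner:$false
        return
    }

    # Legacy path as originally documented for Office 365: Basic-auth remote
    # PowerShell. Retired by Microsoft; kept for tenants that still allow it.
    $cred = Get-Credential -UserName $UserPrincipalName -Message 'Exchange Online credentials'
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
                             -ConnectionUri 'https://ps.outlook.com/powershell/' `
                             -Credential $cred -Authentication Basic -AllowRedirection
    Import-PSSession $session -DisableNameChecking | Out-Null
    $global:ExoSession = $session
}

function Disconnect-EXO {
    if ($global:ExoSession) {
        # Always tear the legacy session down; the tenant caps concurrent sessions.
        Remove-PSSession $global:ExoSession
        Remove-Variable ExoSession -Scope Global
    }
    elseif (Get-Command Disconnect-ExchangeOnline -ErrorAction SilentlyContinue) {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}
```

Do not store the credential in the profile. If you want a one-keystroke connection, keep the password in Windows Credential Manager or rely on the modern module's token cache rather than a plaintext `$cred` in a file every process on the box can read.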

Configuring the Dell/Quest Free/Busy Connector for Lotus Notes and Exchange - Part 1

This is part one of a three part series on configuring the Dell/Quest Free/Busy Connector for Lotus Notes. The Connector is part of Coexistence Manager for Notes (CMN). In this post, we'll discuss how the connector works and examine the interface with Exchange. Next, we'll configure the Dell/Quest Web Services and the Domino Free Busy Connector Service. Future posts in this series will discuss configuring the remaining components of the connector.

Configuring the Dell/Quest Free/Busy Connector for Lotus Notes and Exchange - Part 2

This is part two of a three part series on configuring the Dell/Quest Free/Busy Connector for Lotus Notes. In Part 1 we took a look at the architecture of the Quest Free/Busy (F/B) Connector in Coexistence Manager for Notes (CMN) as well as how Exchange interfaces with it. We also configured the F/B Connector web services and the Domino Free Busy Connector Service. In this post, we’ll configure the Exchange Free Busy Connector Service, the Domino QCALCON task, and the Exchange organization.

Configuring the Dell/Quest Free/Busy Connector for Lotus Notes and Exchange - Part 3

This is part three of a three part series on configuring the Dell/Quest Free/Busy Connector for Lotus Notes. In Part 1 we took a look at the architecture of the Quest Free/Busy (F/B) Connector in Coexistence Manager for Notes (CMN) as well as how Exchange interfaces with it. We also configured the F/B Connector web services and the Domino Free Busy Connector Service. In Part 2, we configured the Exchange Free Busy Connector Service, the Domino QCALCON task, and the Exchange organization. In this post, we’ll complete the configuration by configuring Lotus Notes as well as building a test user in Exchange and Lotus Notes to validate the configuration.

Windows Server

Using Device Manager Remotely

The Server Core variant of Windows Server offers a variety of benefits, especially with respect to security. The downside is that familiar GUI management tools are not always accessible. While Windows PowerShell and the command line offer alternatives, the learning curve can be steep. Device Manager is one example of a common GUI management tool that cannot be used on Server Core. Fortunately, Device Manager can be used remotely. This post explains how to enable remote access with Device Manager on Server Core.

Thoughts on Building a Server Image

Repeatable, consistent, and predictable are three things that add an incredible amount of value in IT, and building servers from a base image is one way to deliver on this. I was just replying to a thread on a discussion alias where the person who started the thread had reviewed a blog post on how to build such an image for VMware. I and a number of people disputed the recommendations made in the referenced blog post in addition to the various other things the individual who started the thread was planning to install in his image/template.

At a high level, the most important thing from my reply, I think, is that you should not be customizing a server for it to be convenient to your work style. The server is there for a purpose driven task.

Script to Collect Hardware Inventory Data

This post includes a sample VBScript that will collect key hardware details from a list of hosts and output the results to a CSV file. The attributes collected are:

  • Host Name
  • Serial Number
  • Make
  • Model
  • BIOS Version
  • Operating System
  • CPU
  • Memory (MB)
  • Disk Drives

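The same collection done from PowerShell with CIM, as an added example that is not the post's VBScript: one function that takes host names from the pipeline, queries the usual Win32_* classes, and emits objects ready for Export-Csv. It uses a DCOM session so it reaches older hosts the way the VBScript's WMI calls would; the hosts.txt input file is an assumption.

```powershell
# Added example, not the post's VBScript. Assumes a hosts.txt with one name per
# line and that you hold local admin on each target.
function Get-HardwareInventory {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$ComputerName)
    process {
        $s = $null
        try {
            # DCOM works against hosts without WinRM; switch to -Protocol Wsman
            # for modern hosts where only TCP/5985 is open.
            $opt = New-CimSessionOption -Protocol Dcom
            $s   = New-CimSession -ComputerName $ComputerName -SessionOption $opt -ErrorAction Stop

            $cs   = Get-CimInstance -CimSession $s -ClassName Win32_ComputerSystem
            $bios = Get-CimInstance -CimSession $s -ClassName Win32_BIOS
            $os   = Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem
            $cpu  = Get-CimInstance -CimSession $s -ClassName Win32_Processor
            $dsk  = Get-CimInstance -CimSession $s -ClassName Win32_DiskDrive

            [pscustomobject]@{
                HostName        = $cs.Name
                SerialNumber    = $bios.SerialNumber
                Make            = $cs.Manufacturer
                Model           = $cs.Model
                BIOSVersion     = $bios.SMBIOSBIOSVersion
                OperatingSystem = "$($os.Caption) $($os.Version)"
                CPU             = (@($cpu) | ForEach-Object Name) -join '; '
                MemoryMB        = [math]::Round($cs.TotalPhysicalMemory / 1MB)
                DiskDrives      = (@($dsk) | ForEach-Object {
                                      '{0} ({1} GB)' -f $_.Model, [math]::Round($_.Size / 1GB)
                                  }) -join '; '
            }
        }
        catch {
            # Unreachable or access-denied hosts are reported, not fatal, so one
            # dead box does not abort the whole run.
            Write-Warning "${ComputerName}: $($_.Exception.Message)"
        }
        finally {
            if ($s) { Remove-CimSession $s }
        }
    }
}

# Usage: hosts.txt in, inventory.csv out.
Get-Content .\hosts.txt | Get-HardwareInventory | Export-Csv .\inventory.csv -NoTypeInformation
```

The serial number and SMBIOS version are the fields worth reconciling against your asset register: a host whose reported serial changes, or whose BIOS is older than the fleet baseline, is the kind of outlier an inventory run should surface.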
Date and Time Math with PowerShell

How many times have you had to figure out what date was X days, months, or years ago, or perhaps what time was Y minutes, hours, or seconds ago? In this post, you'll learn how easy it is to calculate date and time math with Windows PowerShell.

Installing WinPcap Silently

When silently installing Wireshark, its critical dependency, WinPcap, is not installed automatically. This post shows you how to use a tool called AutoIt to develop a script that can silently automate a point-and-click process like installing WinPcap.
