Active Directory & Identity

 

What Is The Global Catalog?

The Global Catalog (GC) is a critical component of Active Directory, particularly in multi-domain forests. In a multi-domain forest, objects (users, groups, computers, etc.) are spread across each domain. If an application needs to locate a user, for example, and the application does not know what domain the user is located in, then the application would need to contact a domain controller in each domain until the user is located. This approach is highly inefficient, and the Global Catalog is the solution. Domain Controllers that host a copy of the Global Catalog store a partial read-only copy of every object in the forest in the local database. When LDAP queries are submitted on TCP port 3268 (or TCP port 3269 for SSL), a single search can be conducted across all of the objects in the forest.

To conserve space and ensure efficient replication, objects in the Global Catalog are referred to as partial objects because only a subset of the attributes of the object are replicated to the Global Catalog. This su…

Full Article » Share »
Sponsored Content
 

What Are the Five FSMO Roles

Since the first days of Active Directory, the concept of FSMO (Flexible Single Master Operator, pronounced “fizmo”) roles has been a topic of endless discussion amongst IT Professionals. Furthermore, the five roles make for a quick and easy first question in an interview. As Active Directory has evolved over more than a decade, the duties of the FSMO role holders have changed very little, but broad understanding of the duties and optimal placement has not consistently matured.

The five FSMO roles are divided in to two categories: forest-wide and domain-wide. The two forest-wide roles, the Schema Master and the Domain Naming Master exist on a per-forest basis. Meanwhile, the three remaining domain-wide roles - the PDC (Primary Domain Controller) Emulator (PDCe), RID (Relative Identifier) Master, and Infrastructure Master - exist for each domain in the forest. So, for example, in a single domain forest, there are a maximum of five possible FSMO role holders. Meanwhile, in a three domain forest, there are a m…

Full Article » Share »
 

Seize a FSMO Role with NTDSUtil

If a domain controller that holds one or more of the five FSMO roles becomes permanently unavailable, you’ll ultimately need to seize the roles to another domain controller. Seizing FSMO roles is not a graceful process and is intended only to be performed when the unexpected occurs.

In normal day-to-day operations, if you need to change what domain controller a FSMO role is held by, you should instead transfer the role. In order to seize the RID Master, PDC Emulator, or Infrastructure Master, you’ll need to be logged in as a Domain Admin. To seize the Schema Master or Domain Naming Master, you must be logged in with Schema Admin or Enterprise Admin permissions, respectively.

Full Article » Share »
 

Promote a Domain Controller with Windows PowerShell

Learn how to quickly promote a domain controller with Windows PowerShell. Whether you're promoting a single DC, building a lab environment, or planning a large upgrade, automating this common task will make you more efficient and accurate. Starting with Windows Server 2012, servers can be promoted to be a domain controller using Windows PowerShell. Whether you’re running your domain controllers on the Server Core variant of Windows Server, or you simply need to automate the promotion of domain controllers, PowerShell is a great way to quickly complete this task. In this guide, we’ll look at promoting an additional domain controller in to an existing domain.

Full Article » Share »
Sponsored Content
 

Active Directory, 5th Edition

I’ve been remiss in posting anything here the past six months as my weekends have been consumed with an update to my book, . The writing and technical reviews  of the fifth edition are complete, thanks to , , and . We’ve now moved in to the production cycle and a copy editor is busy fixing up my writing to make the book a polished all-around easy-to-read product. Meanwhile,  the illustrators will soon be busy with the artwork – figures, diagrams, etc. The final book is now available!

So, to summarize, is now available:

  • The eBook is available from O’Reilly .
  • The printed book is available from O’Reilly .
  • The eBook is available via Safari Books Online at .
  • The printed book is available for from Amazon.com at
Full Article » Share »
 

Signing Active Directory, 5th Edition Books at TechEd North America

I’ll be at TechEd North America in New Orleans this week. On Monday, June 3rd from 6:00 to 6:30 PM, I’ll be at the O’Reilly/Microsoft Press booth, booth #511 signing copies of my new book – . If you can’t stop by then, I’ll be at the Access and Information Protection in the Microsoft Solutions Experience Monday from 12PM to 2PM and Tuesday from 12PM to 2:30PM. I’ll also be at the Ask The Experts evening event on Tuesday evening.



Full Article » Share »

Exchange

 

Cisco ACE Sample Configuration for Exchange 2010

Cisco ACE appliances and modules are a common fixture in enterprise datacenters. This post documents a sample configuration for the Cisco ACE that enables reliable publishing of Exchange Server 2010. At the end of this post, you will have a complete sample configuration for a one-arm load balancer configuration with Source NAT (SNAT). We also will configure the load balancer to redirect clients to the secure (HTTPS) URL.
Full Article » Share »
 

Setting Static Ports for Exchange Client Access

If you are deploying Exchange Server 2010 in an environment with load balancers or firewalls which aren’t able to handle dynamic RPC port ranges, you’ll need to define static ports for the RPC Client Access Service and the Address Book Service on each CAS server. If you are using Public Folders, you’ll also need a third static port on the Mailbox servers hosting Public Folders.

This post includes a script that configures the RPC Client Access service and Address Book service to use static ports. Run this script on each CAS server to configure the services. Finally, on each mailbox server, configure the registry value listed at the bottom of the post.

Full Article » Share »
 

Add Office 365 Exchange Online to your PowerShell Profile

The Exchange Online service in Office 365 as exposes a variant of the Exchange Management Shell (EMS) that you would normally use if you were managing an on-premises Exchange organization. Connecting to the Exchange Online EMS requires a few tedious but well documented steps.

Rather than manually running these steps each time you need to connect, the samples in this post show how you can add a quick shortcut to your Windows PowerShell profile to connect to the Exchange Online EMS.

Full Article » Share »
 

Configuring the Dell/Quest Free/Busy Connector for Lotus Notes and Exchange - Part 1

This is part one of a three part series on configuring the Dell/Quest Free/Busy Connector for Lotus Notes. The Connector is part of Coexistence Manager for Exchange (CMN). In this post, we'll discuss how the connector works and examine the interface with Exchange. Next, we'll configure the Dell/Quest Web Services and the Domino Free Busy Connector Service. Future posts in this series will discuss configuring the remaining components of the connector.

Full Article » Share »
 

Configuring the Dell/Quest Free/Busy Connector for Lotus Notes and Exchange - Part 2

This is part two of a three part series on configuring the Dell/Quest Free/Busy Connector for Lotus Notes. In Part 1 we took at look at the architecture of the Quest Free/Busy (F/B) Connector in Coexistence Manager for Notes (CMN) as well as how Exchange interfaces with it. We also configured the F/B Connector web services and the Domino Free Busy Connector Service. In this post, we’ll configure the Exchange Free Busy Connector Service, the Domino QCALCON task, and the Exchange organization.

Full Article » Share »
 

Configuring the Dell/Quest Free/Busy Connector for Lotus Notes and Exchange - Part 3

This is part three of a three part series on configuring the Dell/Quest Free/Busy Connector for Lotus Notes. In Part 1 we took at look at the architecture of the Quest Free/Busy (F/B) Connector in Coexistence Manager for Notes (CMN) as well as how Exchange interfaces with it. We also configured the F/B Connector web services and the Domino Free Busy Connector Service. In Part 2, we configured the Exchange Free Busy Connector Service, the Domino QCALCON task, and the Exchange organization. In this post, we’ll complete the configuration by configuring Lotus Notes as well as building a test user in Exchange and Lotus Notes to validate the configuration.

Full Article » Share »

Windows Server

 

Using Device Manager Remotely

The Server Core variant of Windows Server offers a variety of benefits, especially with respect to security. The downside is that familiar GUI management tools are not always accessible. While Windows PowerShell and the command line offer alternatives, the learning curve can be steep. Device Manager is one example of a common GUI management tool that cannot be used on Server Core. Fortunately, Device Manager can be used remotely. This post explains how to enable remote access with Device Manager on Server Core.

Full Article » Share »
Sponsored Content
 

Thoughts on Building a Server Image

Repeatable, consistent, and predictable are three things that add an incredible amount of value in IT, and building servers from a base image is one way to deliver on this. I was just replying to a thread on a discussion alias where the person who started the thread had reviewed a blog post on how to build such an image for VMWare. I and a number of people disputed the recommendations made in the referenced blog post in addition to the various other things the individual who started the thread was planning to install in his image/template.

At a high level, the most important thing from my reply, I think, is that you should not be customizing a server for it to be convenient to your work style. The server is there for a purpose driven task.

Full Article » Share »
 

Script to Collect Hardware Inventory Data

This post includes a sample VBScript that will collect key hardware demographics from a list of hosts and output the results to a CSV file. The demographics collected are:

  • Host Name
  • Serial Number
  • Make
  • Model
  • BIOS Version
  • Operating System
  • CPU
  • Memory (MB)
  • Disk Drives

 

Full Article » Share »
 

Date and Time Math with PowerShell

How many times have you had to figure out what date was X days, months, or years ago, or perhaps what time was Y minutes, hours, or seconds ago? In this post, you'll learn how easy it is to calculate date and time math with Windows PowerShell.

Full Article » Share »
 

Installing WinPcap Silently

When silently installing WireShark, WireShark's critical dependency, WinPcap, is not installed automatically. This post shows you how to use a tool called AutoIt to develop a script that can silently automate a point and click process like installing WinPcap.

 

Full Article » Share »