Active Directory


Editing Group Policies without ADUC or GPMC

Under Windows Server 2003 (and 2000), Active Directory Users and Computers was always available by just launching dsa.msc. From there you could use the legacy Group Policy management interface if you didn't have the GPMC loaded. Windows Server 2008 machines no longer have ADUC loaded by default unless you either are on a domain controller or install the management tools. This makes the scenario where you need to edit a Group Policy locally a bit more complicated.

The good news is that the Group Policy Editor itself is present on Windows Server 2008 machines; you just can't graphically browse to a GPO (so far as I know). If you launch gpedit.msc, the local machine policy is pulled up. Adding the snap-in manually to an MMC lets you target another machine and edit its local policy.

The gpedit.msc console will however accept an argument at startup pointing it to a GPO in the domain. To do this you'll need the GUID of the policy you're looking to edit. If you go to the Details tab after selecting the GPO …


Script for Bulk Import of Active Directory Subnets

I’ve been using this script for years now and was reminded of it by a post on the DL the other day. The script does exactly what the name implies – it takes a tab separated input file (supplied as the first argument) and generates Active Directory subnet objects for each line. If the subnet already exists, the associated site and description will be updated. The script targets the forest the user is currently logged in to.

The code is pasted in below; note the format for the input file (TSV). One field I noticed is missing is the canonical location field. You should be able to add this to the script pretty easily if you need it, or if there's sufficient demand leave a comment and I can do it.

Note: You can export tab separated files from Excel via the File>Save As menu.
' NAME: Import Subnets from Tab Separated File
' AUTHOR: Brian Desmond,

Script for Bulk Import of Active Directory Site Links

I wrote this script when I was frequently deploying replication topologies for large geographies. Rather than manually creating them one at a time, I would set everything up in a spreadsheet and then import the spreadsheet. There are a few assumptions made in this script. You may need to modify it a bit if the assumptions don’t work for you.

  • Site links only contain two sites
  • The replication schedule will be copied from another site link

The input file is expected to be in tab separated format which you can export from Excel (it’s one of the options under File>Save As). The order of the fields is documented at the top of the script. The Hub Site and Spoke Site fields should contain the common name (CN) of the relevant site objects. The Schedule field should contain the common name (CN) of the site link to duplicate the schedule from.

Note: I typically recommend creating template site links for each unique schedule which are only used for scripting. When you create the site link with Active Directory…

Enlisting in DNS Application Partitions

This evening, for the first time, I had to enroll a DNS server in some custom application partitions at a customer site. I'd never actually done this before, though I knew it was a simple dnscmd command. I ran what I felt was the obviously correct command a couple of times and got this error: DNS_ERROR_DP_DOES_NOT_EXIST. The name of the switch is "EnlistDirectoryPartition", which I mentally translated to mean I needed to supply the DN of the directory partition I wanted to enlist. This is in fact wrong if you take the time to read the help: you need to supply the FQDN of the directory partition. Totally unintuitive if you ask me, but whatever works.

So, if your NC is DC=CampusDnsZones,DC=BrianDesmond,DC=Com, the command to run is dnscmd MyDnsServer /EnlistDirectoryPartition "CampusDnsZones.BrianDesmond.Com".

Note: You can substitute a "." for the server name to perform the operation on the local host. Also note that you'll need to be running in the context of an enterprise admin.


More on Enlisting in DNS Application Partitions

Here's another error you might run into if you're setting up a DNS server to use some existing application partitions. I got it because I was being impatient and restarting the service constantly after enlisting in a couple of app partitions. By default DNS will only check AD once every five minutes for new data (though ACLs are special, those are checked every thirty seconds).

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4521
Date: 12/8/2008
Time: 1:23:48 AM
User: N/A
Computer: MyDnsServer


The DNS server encountered error 9605 attempting to load zone from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition.

If you look up error 9605, the error in question is DNS_ERROR_ZONE_HAS_NO_SOA_RECORD.

What's happening here is AD has not completely replicated a zone (namely the SOA record isn't there yet). DNS can't load …


NEW BOOK - Active Directory, 4th Edition

If you’re serious about Active Directory, you should pick up a copy of my new book, Active Directory, 4th Edition. Even if Active Directory is just something you run into from time to time as part of your job, you should still pick up a copy.

I spent about eight months total from start to finish working on this project, and personally, I think it turned out pretty well. If you’re wondering what’s new and improved in this edition, here’s a quick list:

  • Windows Server 2008 coverage:
    • Read Only Domain Controllers (RODCs) - Chapter 7
    • Fine Grained Password Policies (FGPPs) - Chapter 9
    • Auditing and security improvements - Chapter 13
    • Windows Server 2008 upgrade procedures - Chapter 18
    • DNS enhancements (such as GlobalName zones) - Chapter 6
  • Exchange 2007 integration & scripting - Chapter 19 & Chapter 33
  • Windows PowerShell & Active Directory - Chapter 30 & Chapter 31
  • .NET Active Directory programming - Chapter 29
  • New user interface features
  • Lots of new diagrams and figures
  • Sc…

Active Directory Redundancy

One of the questions I frequently answer on the MS newsgroups is with regard to making a redundant Active Directory setup. Frankly, this is pretty easy to do in a small (one location) setup, and much harder as the number of remote sites grows.

For one site, the simple solution is additional domain controllers and DNS servers. In fact, I wouldn't recommend fewer than two if you're a single site. With one, you're completely out of luck if you don't have backups (note, this should never happen)! Mark both DCs as global catalogs, install DNS, make sure AD Integrated zones are set up, and you're good to go. Remember, nothing beats good backups, though!

Planning DC/GC placement in a large environment with multiple geographically dispersed sites is a completely different issue, and is very situation specific. With this in mind, I can't really give the end-all solution to this.


Ultrasound "Controller Offline" Error

If you have an Active Directory, and/or a Domain Based DFS setup, you're probably familiar with Ultrasound. It's Microsoft's graphical FRS monitoring tool. It provides a wealth of information, and logging capabilities.

Anyway, I went ahead and set it up on my workstation yesterday, which also happened to be hosting the SQL instance Ultrasound required. During setup, I specified the SQL Server using (local) notation. Setup created the database fine. Ultrasound, for whatever reason, refused to contact the database though. I started poking through the help file today and, lo and behold, there's a topic about how you have to specify the FQDN or NetBIOS name of the SQL box, not localhost or something like that. I uninstalled and reinstalled with this in mind, and, guess what? Ultrasound works like a charm!

Why in the world does the setup program even accept (local) or localhost if the program won't work? Beats me.


Forest Functional Level & Member Servers

I'm writing this up here mostly because I answer this at least once a week on the msnews newsgroups. Hopefully Google will pick it up, and now, I can link to it:

The question goes something like this: “If I upgrade my forest or domain functional level to Windows 2003, can I still have NT4 or Windows 2000 member servers?”

The answer goes like this: “Yes!” Forest and domain functional levels only control which operating systems the domain controllers in your domain can run. If you have a 2000 functional level, you can have 2000 and 2003 DCs. If you have a 2003 functional level, you can have 2003 DCs only.

If you have an Exchange 2000 organization in your AD setup, which many places do, here's the member server caveat. Microsoft added something called linked-value replication (LVR) to Windows 2003 AD. Basically, rather than replicating the entire member attribute on a group every time someone is added or removed, just that single entry is replicated. This saves a ton of bandwidth when you think a…


Subnet Definitions in Active Directory

One of the common misunderstandings I see working with organizations and their Active Directory deployments is with regard to subnet definitions in Active Directory. This discussion came up recently on the mailing list so I thought I would write up a quick summary of how this works.

Subnets are defined in Active Directory solely for defining what sites in Active Directory a set of machines belong to. The subnet definitions do not correspond to the actual layer 3 routing within the organization. This is a key misunderstanding – the layer 3 routing design does not have to correspond to the subnet/site definitions in Active Directory at all. Second, Active Directory will match the most specific subnet. This means that if you have defined two subnet objects in Active Directory – and and a client with an IP of, it will match the second subnet object.

One of the common events that fills up the event log on domain controllers in large organizations is NetLogon warning…


Active Directory GUI Tools on a Member Server

A useful tip I've found people tend not to know about is that the Active Directory GUI tools (AD Users and Computers, Sites and Services, etc.) are installed on every Windows 2000 and 2003 server regardless of whether or not the server is a domain controller. When the server is promoted to domain controller status, the shortcuts are just added to the Start Menu. To launch the tools without the shortcuts (e.g. from Start>Run) you just need to know the filenames of the tools:

  • Active Directory Users and Computers - dsa.msc
  • Active Directory Sites and Services - dssite.msc
  • Active Directory Domains and Trusts - domain.msc
  • ADSI Edit - adsiedit.msc
  • Schema Management - schmmgmt.msc
    • By default the DLL that supports this MMC is unregistered. To register it run "regsvr32 schmmgmt.dll"