Active Directory


What Are the Five FSMO Roles

Since the first days of Active Directory, the concept of FSMO (Flexible Single Master Operation, pronounced "fizmo") roles has been a topic of endless discussion amongst IT professionals. Furthermore, the five roles make for a quick and easy first question in an interview. As Active Directory has evolved over more than a decade, the duties of the FSMO role holders have changed very little, but broad understanding of those duties and of optimal placement has not consistently matured. Learn what the FSMO roles do and best practices for placing them.


How to Seize a FSMO Role with NTDSUtil

If a domain controller that holds one or more of the five FSMO roles becomes permanently unavailable, you’ll ultimately need to seize the roles to another domain controller. Seizing FSMO roles is not a graceful process and is intended only to be performed when the unexpected occurs.

In normal day-to-day operations, if you need to change which domain controller holds a FSMO role, you should instead transfer the role. In order to seize the RID Master, PDC Emulator, or Infrastructure Master, you'll need to be logged in as a Domain Admin. To seize the Schema Master or Domain Naming Master, you must be logged in with Schema Admin or Enterprise Admin permissions, respectively.
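As an added example that is not part of the original post, the following PowerShell session shows the full sequence a practitioner wants around a seizure: confirm who holds which role, prefer a transfer when the holder is still online, seize only when it is gone, and verify from a second DC. The DC names (DC02, DC03) are assumed. One caveat the post's warning implies but does not spell out: once a role has been seized, the old holder must never be brought back onto the network; clean up its metadata and rebuild it, because two DCs each believing they own the RID or Schema master is far worse than the outage you were fixing.

```powershell
# Added example (not from the original post). DC names are assumed.
# Run from an elevated PowerShell session with the RSAT AD module installed.
Import-Module ActiveDirectory

# 1. Who holds what today? Forest-wide roles live on the forest object,
#    domain-wide roles on the domain object.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 2. Preferred path for day-to-day moves: a graceful transfer. The current
#    holder must be online, and it is told that it no longer owns the role.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster

# 3. Seize only when the holder is gone for good. Same cmdlet, plus -Force,
#    which seizes the role when the current holder cannot be reached.
#    Schema Master needs Schema Admins; Domain Naming Master needs
#    Enterprise Admins; the other three need Domain Admins.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force

# 3b. The classic ntdsutil equivalent, run on a DC. Each quoted token is one
#     ntdsutil command; this line seizes the PDC Emulator onto DC02. The other
#     role commands are "seize naming master", "seize schema master",
#     "seize RID master" and "seize infrastructure master".
ntdsutil "roles" "connections" "connect to server DC02" "quit" "seize PDC" "quit" "quit"

# 4. Verify from a DC other than the one you seized to, so that you are
#    looking at the replicated result rather than only DC02's local copy.
Get-ADForest -Server 'DC03' | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain -Server 'DC03' | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```

The seizure itself is one command; the value of the session above is the bracketing: knowing the starting state, and reading the result back from a different DC so a replication failure does not hide a seizure that never took effect.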


Promote a Domain Controller with Windows PowerShell

Learn how to quickly promote a domain controller with Windows PowerShell. Whether you're promoting a single DC, building a lab environment, or planning a large upgrade, automating this common task will make you more efficient and accurate. Starting with Windows Server 2012, servers can be promoted to domain controllers using Windows PowerShell. If you're running your domain controllers on the Server Core variant of Windows Server, or you simply need to automate the promotion of domain controllers, PowerShell is a great way to complete this task quickly. In this guide, we'll look at promoting an additional domain controller into an existing domain.
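The promotion the post describes, as an added example that is not the post's own walkthrough. The domain name (corp.example.com), site name, replication source DC and NTDS/SYSVOL paths are all assumptions; replace them with your own. The dry run with Test-ADDSDomainControllerInstallation is the step worth keeping in any automation, because it surfaces credential, DNS and functional-level problems before anything is changed on the server.

```powershell
# Added example (not from the original post). Domain, site, paths and DC
# names are assumed. Run elevated on the member server being promoted.

# 1. Install the AD DS binaries and management tools. On Server Core the
#    "tools" are the PowerShell module plus dcdiag/repadmin/ntdsutil.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 2. Collect secrets interactively rather than embedding them in the script.
$cred = Get-Credential -UserName 'CORP\Administrator' -Message 'Account with rights to add a DC'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode) password'

# 3. Dry run: validates prerequisites without making any change.
Test-ADDSDomainControllerInstallation -DomainName 'corp.example.com' `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrm `
    -SiteName 'Default-First-Site-Name' `
    -InstallDns

# 4. Promote as an additional DC in the existing domain. A global catalog is
#    installed by default (use -NoGlobalCatalog to opt out). Pinning the
#    replication source avoids pulling the initial copy over a slow WAN link.
Install-ADDSDomainController -DomainName 'corp.example.com' `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrm `
    -SiteName 'Default-First-Site-Name' `
    -ReplicationSourceDC 'DC01.corp.example.com' `
    -InstallDns -CreateDnsDelegation:$false `
    -DatabasePath 'D:\NTDS' -LogPath 'D:\NTDS' -SysvolPath 'D:\SYSVOL' `
    -Force

# The server reboots on completion. Afterwards, confirm it advertises as a
# DC and that replication is healthy before pointing clients at it.
dcdiag /test:Advertising /test:Replications
repadmin /showrepl
```

For a lab or a bulk build, wrap the two ADDS cmdlets in a function that takes the DC name and site as parameters; the prompts for credentials and the DSRM password stay interactive so that neither secret ends up in a script on disk.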


Active Directory, 5th Edition

I’ve been remiss in posting anything here the past six months as my weekends have been consumed with an update to my book, Active Directory, 4th Edition. The writing and technical reviews of the fifth edition are complete, thanks to Joe Richards, Mark Parris, and Mark Morowczynski. We’ve now moved into the production cycle and a copy editor is busy fixing up my writing to make the book a polished, all-around easy-to-read product. Meanwhile, the illustrators will soon be busy with the artwork – figures, diagrams, etc. The final book is now available!

So, to summarize, Active Directory, 5th Edition is now available:


Signing Active Directory, 5th Edition Books at TechEd North America

I’ll be at TechEd North America in New Orleans this week. On Monday, June 3rd from 6:00 to 6:30 PM, I’ll be at the O’Reilly/Microsoft Press booth, booth #511 signing copies of my new book – Active Directory, 5th Edition. If you can’t stop by then, I’ll be at the Access and Information Protection in the Microsoft Solutions Experience Monday from 12PM to 2PM and Tuesday from 12PM to 2:30PM. I’ll also be at the Ask The Experts evening event on Tuesday evening.


Active Directory, 4th Edition Updates

Over the past couple of years, readers have identified a number of mistakes that unfortunately made it through the edit cycles for Active Directory, 4th Ed. O’Reilly recently launched a process by which authors can make updates to the source files that they use to produce eBooks and to print conventional paper books on demand. I took advantage of this a few weeks ago and resolved all of the errata which were reported, as well as a couple I found myself. Here’s the quick summary on where the updated text can be found:

Print Copies - If you’ve bought a print copy, you’ll need to look at the notes I made on the errata page. However, as O’Reilly is now doing print on demand for this title, the updates will trickle out into the supply chain over time and newly purchased books will be updated. Obviously this timeline is highly dependent on how much inventory is sitting in warehouses.

eBooks - If you bought any of the various eBook formats O’Reilly offers in their web store – P…


Active Directory Group Scopes and Group Nesting

Settle the debate of whether or not you should be using domain local, global, or universal groups on your network with a few simple facts about group scopes - how they work and when they matter. Chances are you're spending valuable time on a purely academic debate, so come find out if this is a topic that really matters, or if there are bigger problems to tackle.


Managing Local Backups with Windows Server Backup

One of the strategies I often employ when deploying Active Directory is to use the local Windows Server Backup (WSB, the successor to NTBackup) tool to make system state backups on the local machine. I’ll also often place backups on neighboring domain controllers to provide redundancy if there is a failure. This strategy ensures that a backup is available in the same site and removes the dependency on an external backup team. Many third-party backup applications can also back up a file share without needing to install an agent on the server, which is a better all-around situation for domain controller backup at many organizations.

The script in this post implements this backup strategy as well as retention and aging of older backups.
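The following is an added example of the strategy described above; it is not the script from the original post. The backup volume (E:), the number of versions to keep, the peer DC and its share name are assumptions. One constraint worth knowing before you schedule this: WSB refuses to write a system state backup to a volume that itself holds critical system files, so E: here must be a separate volume dedicated to backups. Because the copy to the neighboring DC is a mirror of the local backup tree, retention is enforced once, on the local side, and the peer simply follows.

```powershell
# Added example (not the original post's script). Volume, retention, peer
# DC and share are assumed. Schedule it as a task running as SYSTEM, and grant
# the DC's computer account write access to the peer share.
$BackupVolume = 'E:'                                   # dedicated local volume for WSB
$KeepLocal    = 7                                      # system state versions to retain
$PeerShare    = '\\DC02.corp.example.com\DCBackups$'   # neighbouring DC in the same site
$LogDir       = 'C:\BackupLogs'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$log   = Join-Path $LogDir "wsb-$stamp.log"

# 1. Take a system state backup (NTDS database and logs, SYSVOL, registry,
#    boot files). WSB writes it under <volume>\WindowsImageBackup\<hostname>\.
wbadmin start systemstatebackup -backupTarget:$BackupVolume -quiet | Out-File $log
if ($LASTEXITCODE -ne 0) {
    "Backup FAILED with exit code $LASTEXITCODE" | Out-File $log -Append
    exit $LASTEXITCODE
}

# 2. Retention and aging: let WSB prune its own catalog so that whatever
#    remains is still restorable from the WSB console or wbadmin.
wbadmin delete systemstatebackup -keepVersions:$KeepLocal -quiet | Out-File $log -Append

# 3. Redundancy: mirror the backup tree to a neighbouring DC in the site.
#    /MIR makes the peer copy track local retention; /R and /W keep a flaky
#    share from stalling the task for hours.
$src = Join-Path $BackupVolume 'WindowsImageBackup'
$dst = Join-Path $PeerShare   $env:COMPUTERNAME
robocopy $src $dst /MIR /R:2 /W:10 /NP /LOG+:"$(Join-Path $LogDir "robocopy-$stamp.log")" | Out-Null
# robocopy exit codes below 8 are success variants (copied, extras, mismatches)
if ($LASTEXITCODE -ge 8) {
    "Mirror to $PeerShare reported errors (robocopy exit code $LASTEXITCODE)" | Out-File $log -Append
    exit 1
}

"Backup, prune to $KeepLocal versions and mirror to $PeerShare completed" | Out-File $log -Append
```

A restore from the peer copy works the same way as a local one, because the WindowsImageBackup tree is copied intact: point wbadmin get versions at the share and WSB reads the catalog from there. Test that on a throwaway DC before you rely on it.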


Property Sets and Default Security Descriptors

Every object class definition in the Active Directory schema has the option to define a “defaultSecurityDescriptor” value which holds the initial ACL that will apply to any new instances of that object type. This rule doesn’t hold true if you specify a security descriptor explicitly when creating an object, however, because in that case the defaultSecurityDescriptor will be ignored.

The default value for the defaultSecurityDescriptor for the user class has a couple of entries in it which most administrators don’t know about, and fortunately neither do many end users. Out of the box, the user which an object in AD represents has permissions to modify quite a few attributes on their own account. Anyone who can figure out how to make an LDAP call against their object in the directory can take advantage of this. The easiest way to edit or view the value for this attribute is using the Active Directory Schema MMC. Browse to the Classes folder and then open the properties of the user class. Switch to the Default Security tab and click Advanced.
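The MMC route above works for a one-off look; the added example below, which is not part of the original post, does the same thing from PowerShell so that the result can be reviewed or diffed against a baseline. It reads the user class definition from the schema partition, parses the SDDL string, keeps only the entries granted to SELF (the S-1-5-10 principal the post is talking about), and resolves each ObjectType GUID to the property set, extended right or attribute it refers to. Nothing here is assumed beyond the ActiveDirectory module being present; the lookups use the forest's own schema and Extended-Rights container. Note the caveat the post implies: editing this value changes only the ACL stamped on users created afterwards, so tightening it does nothing for existing accounts.

```powershell
# Added example (not from the original post). Lists what the user class's
# defaultSecurityDescriptor grants to SELF, with GUIDs resolved to names.
Import-Module ActiveDirectory
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# The class definition in the schema, not a user object.
$userClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties defaultSecurityDescriptor

# Parse the SDDL into an ACL object we can walk.
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.SetSecurityDescriptorSddlForm($userClass.defaultSecurityDescriptor)

function Resolve-AceGuid {
    # An ACE's ObjectType GUID is either a property set / extended right
    # (CN=Extended-Rights, matched on rightsGuid) or a single attribute
    # (schema, matched on the binary schemaIDGUID).
    param([Guid]$Guid)
    if ($Guid -eq [Guid]::Empty) { return '<all properties>' }
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(rightsGuid=$Guid)" -Properties displayName, validAccesses
    if ($right) {
        # validAccesses 48 (RP|WP) marks a property set; others are control
        # rights or validated writes.
        $kind = if ($right.validAccesses -eq 48) { 'property set' } else { 'extended right' }
        return "$($right.displayName) [$kind]"
    }
    $hex  = ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(schemaIDGUID=$hex)" -Properties lDAPDisplayName
    if ($attr) { return "$($attr.lDAPDisplayName) [attribute]" }
    return $Guid.ToString()
}

# SELF is S-1-5-10 ("PS" in SDDL). These are the rights every user gets over
# their own object unless the creator supplied an explicit descriptor.
$sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-5-10' } |
    ForEach-Object {
        [pscustomobject]@{
            Type      = $_.AccessControlType
            Rights    = $_.ActiveDirectoryRights
            AppliesTo = Resolve-AceGuid $_.ObjectType
        }
    } | Format-Table -AutoSize
```

On a default schema the output includes ReadProperty/WriteProperty for SELF over the Personal Information, Phone and Mail Options and Web Information property sets, which is exactly the self-service write access the post refers to. Run the same script with the SID of Authenticated Users (S-1-5-11) in the filter to see what every domain user can read on every other user.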


Active Directory SPN Mappings and Kerberos

I had an interesting customer problem today where Kerberos was being attempted for a service principal name (SPN) which simply didn’t exist in Active Directory. This was causing the applications (Exchange) involved to fail as they couldn’t authenticate to one another. The client machine involved was logging numerous errors similar to the following indicating that it was presenting a service ticket encrypted by another machine to the server in question.

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          12/6/2010 2:03:11 PM
Event ID:      4
Level:         Error
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server01$. The target name used was HTTP/ This indicates that the target server failed to decrypt the ticket provided by the clien…
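As an added example that is not part of the original post, the function below answers the question this event raises: whose key did the KDC use to encrypt the ticket? Given the SPN from the "target name used" line, it looks for an exact match, warns if more than one account holds it (the classic cause of KRB_AP_ERR_MODIFIED), and if nothing holds it, checks the sPNMappings attribute on the Directory Service object in the configuration partition, which tells the KDC to fall back from service classes such as HTTP to HOST/<name>. That fallback is how a ticket for a name that does not exist as an SPN can still be issued, encrypted with the key of whichever computer account owns HOST/<name>, not the machine actually running the application. The SPN and host names in the usage line are assumptions.

```powershell
# Added example (not from the original post). Finds the account whose key
# the KDC will use for a given SPN, including the HOST/ fallback.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext

function Find-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)   # e.g. HTTP/web01.corp.example.com
    $service, $target = $Spn -split '/', 2
    $props = 'servicePrincipalName', 'objectClass', 'dNSHostName'

    # 1. Exact match. More than one hit means the KDC picks one account's key
    #    while the service validates with another's: AP_ERR_MODIFIED.
    $exact = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties $props)
    if ($exact.Count -gt 1) {
        Write-Warning "Duplicate SPN ${Spn}: $($exact.DistinguishedName -join '; ')"
    }
    if ($exact.Count -ge 1) { return $exact }

    # 2. No exact SPN. If the service class appears in sPNMappings, the KDC
    #    falls back to HOST/<target>, normally the computer account of the
    #    machine with that name, which is not necessarily the machine running
    #    the application (CNAMEs and load-balanced names are the usual trap).
    $ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties sPNMappings
    $mapped = foreach ($m in $ds.sPNMappings) {
        $k, $v = $m -split '=', 2
        if (($v -split ',') -contains $service) { $k }
    }
    if ($mapped) {
        Write-Host "No object holds $Spn; '$service' maps to '$mapped', so the KDC looks for $mapped/$target"
        return @(Get-ADObject -LDAPFilter "(servicePrincipalName=$mapped/$target)" -Properties $props)
    }

    # 3. Not mapped at all: the KDC returns KDC_ERR_S_PRINCIPAL_UNKNOWN, so an
    #    AP_ERR_MODIFIED for this SPN points at something other than AD.
    Write-Host "No object holds $Spn and '$service' is not in sPNMappings"
    return @()
}

# Usage (assumed names): paste the 'target name used' from the event, then
# compare the result with the account the service actually runs as.
Find-SpnOwner -Spn 'HTTP/web01.corp.example.com' |
    Select-Object Name, ObjectClass, DistinguishedName
```

When the account returned is a computer account and the web application runs as a service account on a different box, the fix is to register the HTTP/ SPN on the service account (setspn -S), after which the HOST/ fallback no longer applies. setspn -X across the forest is still worth running afterwards, since duplicates are the other half of this error.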

View the History of an Active Directory Object

I answered a question via Twitter the other day as to whether or not it was possible to see when someone was added to a group without relying on audit information. The good news is that the answer is “Yes!” – assuming your forest is running in the Windows Server 2003 Forest Functional Level (FFL2) or better, and that the user was added after you upgraded your forest to this level. You can also see when a user was removed, however once they’ve been removed you won’t be able to see when they were added.

Starting with FFL2, linked values such as group membership replicate individually via linked value replication (LVR). In Windows 2000, linked attributes replicated as a single block of data, which led to issues around groups with large memberships. Active Directory also stores some additional data called replication metadata. Inside the metadata is information about the versions of attributes, when they were last changed, and where the change originated. Since links replicate individually, each link value has meta…
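The lookup the post describes, as an added example that is not part of the original post. It reads the link-value metadata for a group's member attribute with Get-ADReplicationAttributeMetadata (the same data repadmin /showobjmeta prints) and reports, per member, whether the link is currently present or has been removed, when that last change happened, and which DC originated it. The group DN and the DC name are assumptions. Two caveats a practitioner should keep in mind: the metadata records the originating DC and time but not who made the change, so it complements rather than replaces auditing; and you should query a DC that has been in the domain since the change, because metadata is only as complete as that DC's replication history.

```powershell
# Added example (not from the original post). Group and DC are assumed.
Import-Module ActiveDirectory
$Group = 'CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com'
$Dc    = 'DC01.corp.example.com'

function Get-GroupMembershipHistory {
    param([string]$GroupDn, [string]$Server)
    # -ShowAllLinkedValues returns one metadata entry per link value, including
    # links that have been removed but whose metadata is still retained.
    Get-ADReplicationAttributeMetadata -Object $GroupDn -Server $Server -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' } |
        ForEach-Object {
            # A removed link keeps its entry with LastOriginatingDeleteTime set
            # (present links carry no delete time, or the 1601 epoch). That is
            # why a removal is visible but an earlier add is not.
            $removed = $_.LastOriginatingDeleteTime -and
                       $_.LastOriginatingDeleteTime -gt [datetime]'1601-01-02'
            [pscustomobject]@{
                Member    = $_.AttributeValue
                State     = if ($removed) { 'removed' } else { 'present' }
                When      = if ($removed) { $_.LastOriginatingDeleteTime } else { $_.LastOriginatingChangeTime }
                Version   = $_.Version
                OriginDC  = $_.LastOriginatingChangeDirectoryServerIdentity
                OriginUsn = $_.LastOriginatingChangeUsn
            }
        } | Sort-Object When -Descending
}

Get-GroupMembershipHistory -GroupDn $Group -Server $Dc | Format-Table -AutoSize
```

For a present link that has only ever been added once, the When column is the time the member was added; a higher Version on a present link tells you the member has been removed and re-added, and the original add time is no longer recoverable from the metadata, which is the limitation the post calls out.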
