Active Directory

 

Active Directory, 5th Edition

I’ve been remiss in posting anything here the past six months as my weekends have been consumed with an update to my book, . The writing and technical reviews of the fifth edition are complete, thanks to , , and . We’ve now moved into the production cycle and a copy editor is busy fixing up my writing to make the book a polished, all-around easy-to-read product. Meanwhile, the illustrators will soon be busy with the artwork – figures, diagrams, etc. The final book is now available!

So, to summarize, is now available:

  • The eBook is available from O’Reilly .
  • The printed book is available from O’Reilly .
  • The eBook is available via Safari Books Online at .
  • The printed book is available for from Amazon.com at

Signing Active Directory, 5th Edition Books at TechEd North America

I’ll be at TechEd North America in New Orleans this week. On Monday, June 3rd from 6:00 to 6:30 PM, I’ll be at the O’Reilly/Microsoft Press booth (booth #511) signing copies of my new book – . If you can’t stop by then, I’ll be at the Access and Information Protection area in the Microsoft Solutions Experience Monday from 12 PM to 2 PM and Tuesday from 12 PM to 2:30 PM. I’ll also be at the Ask The Experts event on Tuesday evening.




Active Directory, 4th Edition Updates

Over the past couple of years, readers have identified a number of mistakes that unfortunately made it through the edit cycles for . O’Reilly recently launched a process by which authors can make updates to the source files they use to produce eBooks and to print conventional paper books on demand. I took advantage of this a few weeks ago and resolved all of the which were reported, as well as a couple I found myself. Here’s a quick summary of where the updated text can be found:

Print Copies - If you’ve bought a print copy, you’ll need to look at the notes I made on the page. However, as O’Reilly is now doing print on demand for this title, the updates will trickle out into the supply chain over time and newly purchased books will be updated. Obviously this timeline is highly dependent on how much inventory is sitting in warehouses.

eBooks - If you bought any of the various eBook formats O’Reilly offers in their we…


Active Directory Group Scopes and Group Nesting

Settle the debate of whether or not you should be using domain local, global, or universal groups on your network with a few simple facts about group scopes - how they work and when they matter. Chances are you're spending valuable time on a purely academic debate, so come find out if this is a topic that really matters, or if there are bigger problems to tackle.

Managing Local Backups with Windows Server Backup

One of the strategies I often employ when deploying Active Directory is to use the local Windows Server Backup (WSB, previously NTBackup) tool to make system state backups on the local machine. I’ll also often place backups on neighboring domain controllers to provide redundancy if there is a failure. This strategy ensures that a backup is available in the same site, and it also removes the dependency on an external backup team. Many third-party backup applications can back up a file share without needing to install an agent on the server as well, which is a better all-around situation for domain controller backup at many organizations.

The script in this post implements this backup strategy as well as retention and aging of older backups.

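The following PowerShell is an added illustration of the strategy described above; it is not the script from the post. It assumes a dedicated local backup volume E:, a neighboring domain controller named DC02 exposing a share \\DC02\DCBackups, and a retention window of the seven newest system state backups; all three are placeholders.

```powershell
# Added example of the WSB system state backup strategy; not the post's own script.
# Assumptions (adjust to taste): local backup volume E:, peer DC share \\DC02\DCBackups,
# keep the 7 newest backups. Run as a scheduled task under SYSTEM on the DC.
$BackupTarget = 'E:'
$PeerShare    = '\\DC02\DCBackups'
$KeepVersions = 7

# 1. Take a system state backup with Windows Server Backup. On a DC this captures NTDS.DIT,
#    SYSVOL, the registry and the boot files; WSB writes it under
#    <target>\WindowsImageBackup\<hostname>\SystemStateBackup\.
& wbadmin start systemstatebackup "-backupTarget:$BackupTarget" -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin start systemstatebackup failed (exit code $LASTEXITCODE)" }

# 2. Age out older local versions, keeping only the newest $KeepVersions.
& wbadmin delete systemstatebackup "-backupTarget:$BackupTarget" "-keepVersions:$KeepVersions" -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin delete systemstatebackup failed (exit code $LASTEXITCODE)" }

# 3. Mirror the local backup folder to the neighboring DC for in-site redundancy.
#    /MIR also removes copies on the peer that step 2 aged out locally, so the
#    retention window is enforced in both places.
$src = Join-Path $BackupTarget "WindowsImageBackup\$env:COMPUTERNAME"
$dst = Join-Path $PeerShare $env:COMPUTERNAME
& robocopy $src $dst /MIR /R:2 /W:10 /NP "/LOG+:$BackupTarget\DCBackup.log"
# robocopy exit codes 0-7 are success variants (0 = nothing to copy, 1 = files copied, ...);
# 8 and above indicate that something was not copied.
if ($LASTEXITCODE -ge 8) { throw "robocopy reported errors (exit code $LASTEXITCODE)" }
```

Two caveats a practitioner will want: WSB needs the Windows Server Backup feature installed and a target volume that does not itself hold system state components, and a system state backup contains NTDS.DIT, i.e. every password hash in the domain, so the local volume and the peer share should be readable only by Administrators and the DC computer accounts, with access audited like the DC itself.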

Property Sets and Default Security Descriptors

Every object class definition in the Active Directory schema can carry a “defaultSecurityDescriptor” value, an SDDL string holding the initial ACL that is applied to any new instance of that class. It is only a default: if you supply a security descriptor explicitly when creating an object, the defaultSecurityDescriptor is ignored. When it is used, its entries are merged with the inheritable ACEs flowing down from the parent container, so the effective ACL on a new object is the combination of the two. Changing the attribute affects only objects created afterwards; existing objects keep the ACL they were created with.

The default value of defaultSecurityDescriptor for the user class contains a couple of entries that most administrators don’t know about, and fortunately neither do many end users. Out of the box, the person a user object represents (the Principal Self trustee, “PS” in SDDL) has permission to modify quite a few attributes on their own account, granted through property sets rather than individual attributes. Anyone who can figure out how to make an LDAP call against their own object in the directory can take advantage of this, with or without an admin tool. The easiest way to view or edit the value is the Active Directory Schema MMC snap-in (register it first with regsvr32 schmmgmt.dll if it isn’t listed). Browse to the Classes folder, open the properties of the user class, switch to the Default Security tab and click Advanced.

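To see exactly what a user may change on their own object without clicking through the snap-in, the following PowerShell (an added example, not code from the post) reads the user class’s defaultSecurityDescriptor from the schema, parses the SDDL, and resolves every ACE granted to Principal Self (S-1-5-10) to the property set, extended right or attribute it applies to. It assumes the RSAT ActiveDirectory module and read access to the schema and configuration partitions; the class name parameter defaults to user.

```powershell
# Added example; not the post's own code. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# schemaIDGUID is a binary attribute, so an LDAP filter needs the GUID as escaped bytes.
function Format-LdapGuid([guid]$Guid) {
    ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
}

function Get-SelfAcesForClass {
    param([string]$ClassName = 'user')

    $rootDse = Get-ADRootDSE
    $class = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ClassName)" -Properties defaultSecurityDescriptor

    # Parse the SDDL string; the PS alias is resolved to S-1-5-10 (Principal Self).
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($class.defaultSecurityDescriptor)

    $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq 'S-1-5-10' } |
        ForEach-Object {
            # ObjectType is empty (whole object), a rightsGuid (property set / extended right)
            # or a schemaIDGUID (single attribute); look it up so the output is readable.
            $appliesTo = '(whole object)'
            if ($_.ObjectType -ne [guid]::Empty) {
                $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                    -LDAPFilter "(rightsGuid=$($_.ObjectType))" -Properties displayName
                if ($right) {
                    $appliesTo = "$($right.displayName) [property set / extended right]"
                } else {
                    $attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                        -LDAPFilter "(schemaIDGUID=$(Format-LdapGuid $_.ObjectType))" -Properties lDAPDisplayName
                    if ($attr) { $appliesTo = "$($attr.lDAPDisplayName) [attribute]" }
                }
            }
            [pscustomobject]@{
                Access    = $_.AccessControlType
                Rights    = $_.ActiveDirectoryRights
                AppliesTo = $appliesTo
            }
        }
}

Get-SelfAcesForClass -ClassName 'user' | Format-Table -AutoSize
```

On a stock forest the output typically shows Principal Self with ReadProperty/WriteProperty on the Personal Information, Phone and Mail Options and Web Information property sets, plus the Change Password control access right. Because these come from property sets, adding an attribute to one of those sets silently makes it self-writable for every new user, which is the practical reason to review both the default descriptor and the property set membership when the schema is extended.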

Active Directory SPN Mappings and Kerberos

I had an interesting customer problem today where Kerberos was being attempted for a service principal name (SPN) which simply didn’t exist in Active Directory. This was causing the applications involved (Exchange) to fail, as they couldn’t authenticate to one another. The client machine involved was logging numerous errors similar to the following, indicating that it was presenting the server in question a service ticket encrypted by another machine.

Log Name:      System





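When an SPN does not exist as written, the KDC does not give up immediately: it consults the sPNMappings attribute on CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition, whose values have the form "<target>=<class>,<class>,…" and, out of the box, map service classes such as cifs and http onto host. The PowerShell below is an added example (not code from the post) that reproduces that resolution so you can see which account will actually end up issuing the key for a ticket. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the SPN in the usage line is a placeholder.

```powershell
# Added example; not from the post. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Search a global catalog so SPNs registered in any domain of the forest are found.
function Find-SpnHolders([string]$Name, [string]$Server) {
    @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Name)" -Server $Server)
}

function Resolve-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)

    $gc = "$((Get-ADForest).RootDomain):3268"

    # 1. Exact match: some account in the forest has the SPN registered.
    $holders = Find-SpnHolders -Name $Spn -Server $gc
    if ($holders.Count -gt 0) {
        return [pscustomobject]@{
            Spn = $Spn; ResolvedAs = $Spn
            Owners = $holders.DistinguishedName
            Duplicate = ($holders.Count -gt 1)   # two holders = KRB_AP_ERR_MODIFIED waiting to happen
        }
    }

    # 2. No exact match: apply sPNMappings. "cifs/fs01.contoso.com" with the stock mapping
    #    "host=...,cifs,..." is served by whoever owns "host/fs01.contoso.com".
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties sPNMappings
    $class, $rest = $Spn -split '/', 2
    foreach ($mapping in $dsObject.sPNMappings) {
        $target, $aliases = $mapping -split '=', 2
        if (($aliases -split ',') -contains $class) {
            $mapped  = "$target/$rest"
            $holders = Find-SpnHolders -Name $mapped -Server $gc
            return [pscustomobject]@{
                Spn = $Spn; ResolvedAs = $mapped
                Owners = $holders.DistinguishedName
                Duplicate = ($holders.Count -gt 1)
            }
        }
    }

    # 3. Neither registered nor mappable: the KDC answers KDC_ERR_S_PRINCIPAL_UNKNOWN.
    [pscustomobject]@{ Spn = $Spn; ResolvedAs = $null; Owners = @(); Duplicate = $false }
}

Resolve-SpnOwner -Spn 'cifs/fs01.contoso.com'   # placeholder SPN
```

From a plain command prompt, setspn -Q <spn> answers the exact-match question and setspn -X lists duplicate SPNs forest-wide. The symptom in the post, a client presenting a ticket the server cannot decrypt, is what you get when the SPN (or the host/ SPN it maps to) resolves to an account other than the one the service is actually running as, so checking for duplicates and for an unexpected mapping target is the first thing to do.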

Viewing the History of an Active Directory Object with Replication Metadata

I answered a question via Twitter the other day as to whether it is possible to see when someone was added to a group without relying on audit information. The good news is that the answer is “Yes!”, assuming your forest is running at the Windows Server 2003 forest functional level (FFL2) or better, and that the user was added after the forest reached this level. You can also see when a user was removed; however, once they’ve been removed you won’t be able to see when they were added.

Starting with FFL2, linked values such as group membership replicate individually via linked value replication (LVR). In Windows 2000, a linked attribute replicated as a single block of data, which led to issues with groups that had large memberships. Active Directory also stores some additional data called replication metadata. The metadata records the version of each attribute, when it was last changed, and where the change originated. Since links replicate ind…

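The per-link metadata described above can be read directly. The PowerShell below is an added example, not the post’s own, and uses the Get-ADReplicationAttributeMetadata cmdlet from the ActiveDirectory module shipped with Windows Server 2012 and later; the DC name DC01 and the group DN are placeholders.

```powershell
# Added example; not the post's own code. Assumes the Windows Server 2012+ ActiveDirectory
# module. DC01 and the Domain Admins DN are placeholders.
Import-Module ActiveDirectory

function Get-GroupMemberLinkHistory {
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [Parameter(Mandatory)][string]$Server
    )
    # -ShowAllLinkedValues returns one row per link value (one per member, present or
    # absent) rather than one row for the whole "member" attribute. Members added before
    # the forest reached FFL2 are legacy (non-LVR) values with no per-value metadata and
    # therefore do not appear, which is the caveat in the post.
    Get-ADReplicationAttributeMetadata -Object $GroupDn -Server $Server -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' } |
        ForEach-Object {
            # An absent (removed) link carries a delete timestamp; a present link has none
            # (rendered either as $null or as the 1601 epoch, hence the year check).
            $removed = $_.LastOriginatingDeleteTime -and $_.LastOriginatingDeleteTime.Year -gt 1601
            [pscustomobject]@{
                Member     = $_.AttributeValue
                State      = $(if ($removed) { 'Removed' } else { 'Present' })
                Created    = $_.FirstOriginatingCreateTime
                LastChange = $_.LastOriginatingChangeTime
                Deleted    = $(if ($removed) { $_.LastOriginatingDeleteTime } else { $null })
                Version    = $_.Version
                OriginDC   = $_.LastOriginatingChangeDirectoryServerIdentity
            }
        }
}

Get-GroupMemberLinkHistory -GroupDn 'CN=Domain Admins,CN=Users,DC=contoso,DC=com' -Server 'DC01' |
    Sort-Object LastChange -Descending | Format-Table -AutoSize
```

The same data is available on any supported version with repadmin /showobjmeta DC01 "<group DN>", which prints each link as PRESENT or ABSENT with its originating DSA, USN and timestamp. Absent links are garbage-collected once they are older than the tombstone lifetime, so this is not a substitute for audit logging if you need history beyond that window.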

Baseline Registry Settings for new Domain Controllers

I have a list of baseline registry settings which I put on any new domain controller. I thought I'd share the VBScript below, which sets all of these as well as enabling some performance counters. Many of the settings are applicable outside of a domain controller.

Note: These settings have been tested countless times with Windows Server 2003 domain controllers. I indicated where possible which settings do not apply to a Windows Server 2008 (or better) domain controller. I've used these on Windows Server 2008 domain controllers; however, not nearly as many times as on prior versions.

Feel free to use this and leave a comment if you have any suggestions for additions, etc.


Windows 2008 Schema Update - INSUFF_ACCESS_RIGHTS

If you're trying to import an LDIF file with some schema changes on a Windows Server 2008 (or Vista) machine and it fails with an access denied error and an INSUFF_ACCESS_RIGHTS message, first make sure your account is in the Schema Admins group. Keep in mind that group membership is only evaluated at logon, so if you were just added you need to log off and back on before the new token contains Schema Admins. Second, make sure User Account Control isn't getting in the way: right-click the command prompt shortcut, choose Run as Administrator, and then try the LDIF import again from the elevated prompt. Finally, point the import at the schema master, since that is the only domain controller that accepts schema writes.

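The three checks above can be scripted so that a failed import is diagnosed before ldifde ever binds. The PowerShell below is an added example (not from the post); it assumes the RSAT ActiveDirectory module and an LDIF file named .\schema.ldf written against the placeholder root DC=X that Microsoft's schema extension files use. The file name and placeholder are assumptions; adjust them for your file.

```powershell
# Added example; not from the post. Assumes RSAT's ActiveDirectory module and an LDIF file
# .\schema.ldf that uses the placeholder forest root "DC=X" (both are assumptions).
Import-Module ActiveDirectory

function Test-SchemaUpdatePrereqs {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()

    # 1. Elevated? Under UAC a non-elevated prompt carries a filtered token, ldifde binds
    #    with that token, and the Schema Admins membership is effectively stripped.
    $elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. Is Schema Admins (RID 518 in the forest root domain) in the *current* token?
    #    Membership granted after logon is not in the token until you log on again.
    $inSchemaAdmins = [bool]($identity.Groups | Where-Object { $_.Value -like 'S-1-5-21-*-518' })

    # 3. Schema writes are only accepted by the schema master FSMO holder.
    $forest = Get-ADForest
    [pscustomobject]@{
        Elevated       = $elevated
        InSchemaAdmins = $inSchemaAdmins
        SchemaMaster   = $forest.SchemaMaster
        ForestRootDn   = 'DC=' + ($forest.RootDomain -replace '\.', ',DC=')
    }
}

$check = Test-SchemaUpdatePrereqs
$check | Format-List
if (-not ($check.Elevated -and $check.InSchemaAdmins)) {
    throw 'Re-run from an elevated prompt with a logon token that contains Schema Admins.'
}

# -s targets the schema master, -c rewrites DC=X to the real forest root, -k continues past
# "object already exists" / constraint-violation errors so a partially applied file can be
# re-run, and -j . writes ldif.log and ldif.err to the current directory.
ldifde -i -f .\schema.ldf -s $check.SchemaMaster -c 'DC=X' $check.ForestRootDn -k -j .
if ($LASTEXITCODE -ne 0) { throw "ldifde failed (exit code $LASTEXITCODE); see .\ldif.err" }
```

Schema changes replicate forest-wide and cannot be undone (only deactivated), so the usual practice is to run the same command against a lab forest restored from a backup of production first and to keep ldif.log from that run alongside the change record.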