Active Directory

I wrote this script when I was frequently deploying replication topologies for large geographies. Rather than manually creating them one at a time, I would set everything up in a spreadsheet and then import the spreadsheet. There are a few assumptions made in this script. You may need to modify it a bit if the assumptions don’t work for you.

• Site links only contain two sites
• The replication schedule will be copied from another site link

The input file is expected to be in tab separated format which you can export from Excel (it’s one of the options under File>Save As). The order of the fields is documented at the top of the script. The Hub Site and Spoke Site fields should contain the common name (CN) of the relevant site objects. The Schedule field should contain the common name (CN) of the site link to duplicate the schedule from.

I for the first time this evening had to enroll a DNS server in some custom app partitions at a customer site. I've never actually done this before, though I knew it was a simple dnscmd command. I ran what I felt was the obviously correct command a couple times and got this error, DNS_ERROR_DP_DOES_NOT_EXIST. The name of the switch is "EnlistDirectoryPartition" which I mentally translated to mean I needed to supply the DN of the direction partition I wanted to enlist. This is in fact wrong if you take the time to read the help. You need to supply the FQDN of the directory partition. Totally unintuitive if you ask me, but whatever works.

So, if your NC is DC=CampusDnsZones,DC=BrianDesmond,DC=Com, the command to run is dnscmd MyDnsServer /EnlistDirectoryPartition "CampusDnsZones.BrianDesmond.Com".

Here's another error you might run into if you're setting up a DNS server to use some existing application partitions. I got it because I was being impatient and restarting the service constantly after enlisting in a couple of app partitions. By default DNS will only check AD once every five minutes for new data (though ACLs are special, those are checked every thirty seconds).

Event Type: Warning

Description:

The DNS server encountered error 9605 attempting to load zone somedomain.briandesmond.com from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition.

If you look up error 9605, the error in question is DNS_ERROR_ZONE_HAS_NO_SOA_RECORD.

What's happening here is AD has not completely replicated a zone (namely the SOA record isn't there y…

One of the questions I frequently answer on the MS newsgroups is with regards to making a redundant active directory setup. Frankly, this is pretty easy to do in a small (one location) setup, and much harder as the number of remote sites grows.

For one site, the simple solution is additional domain controllers and DNS servers. In fact, I wouldn't recommend less than two if you're a single site. With one, you're completely out of luck if you don't have backups (note, this should never happen)! Mark both the DCs global catalogs, install DNS and make sure AD Integrated zones are setup, and you're good to go. Remember, nothing beats good backups, though!

Planning DC/GC placement in a large environment with multiple geographically dispersed sites is a completely different issue, and is very situation specific. With this in mind, I can't really give the end-all solution to this.

If you have an Active Directory, and/or a Domain Based DFS setup, you're probably familiar with . It's Microsoft's graphical FRS monitoring tool. It provides a wealth of information, and logging capabilities.

Anyway, I went ahead and set it up on my workstation yesterday, which also happened to be hosting the SQL instance Ultrasound required. During setup, I specified the SQL Server using (local) notation. Setup created the database fine. Ultrasound, for whatever reason refused to contact the database though. I started poking through the help file today, and low and behold, here's a topic about how you have to specify the FQDN or NetBIOS name of the SQL box, not localhost, or something like that. I uninstalled & reinstalled with this in mind, and, guess what? Ultrasound works like a charm!

Why in the world does the setup program even accept (local) or localhost if the program won't work? Beats me.

I'm writing this up here mostly because I answer this at least once a week on the msnews newsgroups. Hopefully Google will pick it up, and now, I can link to it:

The question goes something like this: “If I upgrade my forest or domain functional level to Windows 2003, can I still have NT4 or Windows 2000 member servers?”

The answer goes like this “Yes!”. Forest & domain functional levels control the OS of the domain controllers you can have in your domain only. If you have a 2000 Functional level , you can have 2000 and 2003 DCs. If you have a 2003 functional level, you can have 2003 DCs only.

If you have an Exchange 2000 organization in your AD setup, which many places do, here's the member server caveat. Microsoft added something called linked-value-replication (LVR) to Windows 2003 AD. Basically, rather than replicating the entire member attribute on agroup everytime someone is added/removed, just that single entry is replicated. This saves a ton of bandwidth when yo…

One of the common misunderstandings I see working with organizations and their Active Directory deployments is with regard to subnet definitions in Active Directory. This discussion came up recently on the mailing list so I thought I would write up a quick summary of how this works.

Subnets are defined in Active Directory solely for defining what sites in Active Directory a set of machines belong to. The subnet definitions do not correspond to the actual layer 3 routing within the organization. This is a key misunderstanding – the layer 3 routing design does not have to correspond to the subnet/site definitions in Active Directory at all. Second, Active Directory will match the most specific subnet. This means that if you have defined two subnet objects in Active Directory – 10.1.0.0/16 and 10.1.2.0/24 and a client with an IP of 10.1.2.5, it will match the second subnet object.

One of the common events that fills up the event log on domain controllers in large organizations …

A useful tip I've found people tend not to know about is that the Active Directory GUI tools (AD Users and Computers, Sites and Services, etc) are installed on every Windows 2000 and 2003 server regardless of whether or not the server is a domain controller. When the server is promoted to domain controller status, the shortcuts are just added to the Start Menu. To launch the tools without the shortcuts (e.g. from Start>Run) you just need to know the filenames of the tools:

• Active Directory Users and Computers - dsa.msc
• Active Directory Sites and Services - dssite.msc
• Active Directory Domains and Trusts - domain.msc
• ADSI Edit - adsiedit.msc
• Schema Management - schmmgmt.msc
• By default the DLL that supports this MMC is unregistered. To register it run "regsvr32 schmmgmt.msc"

A frequent question is how do I know what domain controller logged me in? To find this out, open a command prompt and type "set logonserver".

echo %logonserver% has the same functionality. Incidentally, this is an environment variable so you could use it from a script if you wanted to.

Looking for more useful Active Directory tips and tricks? Check out my book,

The focus of this discussion as the  title implies is how to handle authentication and authorization (the latter to a certain degree) on Cisco IOS devices with Active Directory. On an IP Base IOS image we basically have two choices for this task – RADIUS and TACACS (and of course the local database). The latter is capable of connecting to Active Directory, although certainly not easily. There are situations where a TACACS system is necessary (such as command level authorization). Microsoft includes a RADIUS server in Windows 2003 (and 2000) called Internet Authentication Service (“IAS”). The interface for IAS isn’t the simplest GUI, so it may take some tinkering to get everything right. The rest of this discusion outlines the steps I took to get IOS logging in to AD.          

that IAS be loaded on domain controllers (and ideally global catalogs) for performance reasons. In a low load environment this is less …