Sometimes people write really excellent articles on the web. This is one of those occassions where an article needs nothing adding to it. If you set up labs to learn new technologies, study for exams or just to pre-flight technologies before you put them live and struggle to have certificates working “inside” and “outside” of your lab based environment, the article at http://www.windowsnetworking.com/articles_tutorials/Certificate-Revocation-Checking-Test-Labs.html walks you through publishing CRL’s (to an “external” server for example) or even turning off revocation checking so that its no longer an issue (only advisable in lab environments).
How to format GPResult
Apr 6
You probably know how to run GPResult to see which policies etc are being applied to an end user workstation or server but did you know for Windows 2008 / R2 and Windows 7 there is now an easy way to format those results ? Just run the command below:
GPResult /H GPResult.html
and the results will be held in a html formatted page. Run the command below and it will display the page automatically for you.
GPResult /H GPResult.html & GPResult.html
The head on over to the joint Microsoft and Citrix site and see how you can save a whopping 70% on the cost of implementing your first solution.
Read all about it at http://www.citrixandmicrosoft.com/. There’s even a training lab at https://cmg.vlabcenter.com/default.aspx?moduleid=281742e3-2613-42da-bd58-2c3578f039b4 that walks you through installing the whole solution.
Take the guesswork out of your deployments by making use of Microsoft sizing guide to SCOM 2007 R2 – simple to use as its leverages Excel to deliver the answer, download the workbook here.
Great news. Microsoft have started to release news about SP 1 for Windows 2008 R2. Still slated for release in Q4, there are two major announcements for anyone interested in virtualisation – RemoteFX which essentially supercharges the vide experience for end users of Remote Desktop Services. So powerfullis this that for once Citrix will be licensing the Microsoft solution on graphics acceleration ratehr than the other way round. Read more about it here.
The other big announcement is dynamic memory allocation in Hyper-V. You can read about that here. VMWares “killer” feature has always been memory over commit. Essentially it just pages non used memory to the hard drive so in highly virtualised environments where VM’s need to use their RAM this can lead to excessive paging and poorly performing infrastructures. However, it is still the number 1 reason why people choose VMWare over other virtualisation vendors so even though, in my opinion, its not as great as its cracked up to be, if you ant to do virtualisation then you have to offer this functionality. The good news its, that’s one less reason to spend a fortune on VMWare if you are on a budget.
The HP Sizing and Configuration Tool for Microsoft Hyper-V is a downloadable, automated tool that provides a quick and consistent methodology to determine a “best-fit” server configuration for your virtualized Hyper-V environment. This tool enables you to quickly compare different solution configurations and obtain a highly detailed, customizable server and storage solution complete with a detailed bill of materials.
This sizer allows users to create new Hyper-V solutions, open already saved solutions, and use data compiled from other tools like Microsoft’s Assessment and Planning (MAP) toolkit to build rich Hyper-V configurations built on HP ProLiant server and storage technologies.
The sizer allows rapid comparisons of various Hyper-V characterizations and server platform choices. You can select and customize configurations for your particular environment by adding or substituting server types, number of servers, and server components.
The sizer was developed from knowledge gained during performance characterization testing of Microsoft Hyper-V in the HP Solutions Engineering lab in Houston, Texas
New in Windows 2008 R2 active directory is the concept of Active Directory Optional Features and the first of these which have been made available is the Recycle Bin feature. Ever since Active Directory was launched you have been able to recover individual deleted items by undertaking an authoritative restore of sections of the database, even down to an individual object. From 2003 onwards deleted objects have been tombstoned and you have been able to use the ADRestore tool (available to download from http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx). However, the issue with these methods has always been with back links or, to put it another way, restoring these items with any group membership they had and, yes, it has been possible to do that with multiple authoritative restores of the database but that is at best tiresome and at worse can be dangerous. What the Recycle Bin feature does for you is restore with these back links / group memberships in place.
However, to use this feature the first thing you need to do is have your Forest at the Windows 2008 R2 level. Whilst your schema may be at the R2 level (meaning your forest can play host to 2008 R2 Domain Controllers) your domains and forest may still be running Domain Controllers with previous operating systems such as 2008 RTM or 2003 R2. The easy way to check your domain level in Windows 2008 R2 is to start the new Active Directory Administrative Centre. If you select the domain node on the left hand side (the netbios name of my domain is philipflint) then you will be able to check and raise the domain / forest functional levels in the action pane on the right hand side.
Click to Enlarge
If your forest level is not at Windows 2008 R2 you can raise it.
Click to Enlarge
We can now install the Recycle Bin feature. Care should be taken before undertaking the next procedure. Enabling the Recycle Bin feature for a domain / forest is a one way process with no way back. In a typical environment the recycle bin feature will grow the Active Directory database by 10 – 20% which may have an affect on performance especially in larger environments which many thousands of users where servers have been sized to run the complete database in RAM.
You should also note that, even though the Recycle Bin is an optional feature, it cannot be added as a Role Service nor as a Feature.
Click to Enlarge
Instead the role is enabled by running a command in PowerShell. PowerShell is installed by default Windows 2008 R2 servers. However, PowerShell itself has no knowledge of Active Directory. Instead we need to load up the scripts and Verbs that PowerShell needs to be aware of to connect and control Active Directory. There are two ways to do this. The first, and simplest, is to click on Start | All Programs | Administrative Tools | Active Directory Module for Windows PowerShell.
Click to Enlarge
The other alternative is to start PowerShell by clicking on the below icon on the taskbar and then running the command below to import the Active Directory modules.
Import-Module ActiveDirectory
Click to Enlarge
We can now enable the Recycle Bin Feature. Below is a piece of code that you can change to use in your environment.
Enable-ADOptionalFeature –Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration, DC=YourDomain,DC=ComOrNetOrLocal‘ –Scope ForestOrConfigurationSet –Target ‘YourDomain.ComOrNetOrLocal‘ –confirm:$false
I’ve highlighted in Red the three pieces of information you have to change. If you have a two tier domain name (such as .co.uk) then you will have to add another DC= section. An example is given below for a domain called philipflint.co.uk.
Enable-ADOptionalFeature –Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration, DC=philipflint,DC=co,DC=uk‘ –Scope ForestOrConfigurationSet –Target ‘philipflint.co.uk‘ –confirm:$false
After amendment for the appropriate domain name variables this command is simply cut and paste into the PowerShell window.
Click to Enlarge
I was not given a chance to back out of the addition of the feature as I used the PowerShell switch –confirm:$false which provides any confirmation when asked. If you do not include this switch then you will be asked to confirm the action.
NOTE: This command needs to be run for each domain in your forest for which the Recycle Bin should be installed.
After synchronising the domain the Recycle Bin will be active on all Domain Controllers and you can now test it out by creating test OU’s and test users and deleting them and restoring them. I have created two users called ‘William Shakespeare‘ and ‘Enid Blyton’ in an OU called ‘Authors‘.
They are both members of the Global Group ‘Famous‘ and the Domain Local group ‘Published‘.
Click to Enlarge
We can now delete the William Shakespeare account.
Click to Enlarge
To restore a user that has been deleted I have provided a script for you below.
Get-ADObject -Filter {samAccountName -eq “UserLogonName“} -IncludeDeletedObjects | Restore-ADObject
As before, simply change the section in Red with the display name of the user you want to restore. I use the logon name as its something that you can ask the user that they are likely to know but if they don’t know this (‘Its always there, I just enter my password’) then you can use another field which uniquely identifies them, their email address for example.
Get-ADObject -Filter {mail -eq “UsersEmailAddress“} -IncludeDeletedObjects | Restore-ADObject
To restore Williams account we can just enter the following in the PowerShell window.
Get-ADObject -Filter {samAccountName -eq “william.shakespeare“} -IncludeDeletedObjects | Restore-ADObject
Click to Enlarge
The user account is now restored along with all group memberships.
Click to Enlarge
Memberships below.
Click to Enlarge
Now, of course, its possible that a user may be deleted who is in an OU that has also been deleted. It is not possible to restore the user without first restoring the OU of which they were a member or, in extreme cases, the whole OU tree if multiple OU’s have been deleted.
Unless your records are up-to-date there is a chance that you may not know what your exact OU structure was and so you need a method of finding out what was the parent object of a deleted user. The code to do this is below.
Get-ADObject -SearchBase “CN=Deleted Objects, DC=YourDomain,DC=ComOrNetOrLocal‘ ” -ldapFilter:”(msDs-lastKnownRDN=ObjectName)” –IncludeDeletedObjects –Properties lastKnownParent
For example, if we run the above for our deleted William Shakespeare account we would run the following.
Get-ADObject -SearchBase “CN=Deleted Objects, DC=philipflint,DC=com” -ldapFilter:”(msDs-lastKnownRDN=William Shakespeare)” –IncludeDeletedObjects –Properties lastKnownParent
Click to Enlarge
As can be seen from the output, we can see that the last know parent (i.e. the containing OU for this user) was the Authors OU directly under the domain node. Note that the Authors OU has not been deleted and so the user object may be directly restored. Below is a screenshot with the same command but where the Authors OU has been deleted.
Click to Enlarge
In this case we can query the Authors OU to find its last known good parent until we find a containing object which has not been deleted.
Once we know which is the first object to be restored we can begin the restoration process. Previously I have given you the code to restore a user. The command to restore an OU is slightly different and I show it below.
Get-ADObject -ldapFilter:”(msDs-lastknownRDN=NameOfYourOU)” -IncludeDeletedObjects | Restore-ADObject
In our case we would therefore run the following three commands to restore the OU and the 2 deleted accounts (William Shakespeare and Enid Blyton).
Get-ADObject -ldapFilter:”(msDs-lastknownRDN=Authors)” -IncludeDeletedObjects | Restore-ADObject
Get-ADObject -Filter {samAccountName -eq “william.shakespeare“} -IncludeDeletedObjects | Restore-ADObject
Get-ADObject -Filter {samAccountName -eq “enid.blyton“} -IncludeDeletedObjects | Restore-ADObject
Click to Enlarge
Note that all objects are restored with the appropriate backlinks in place
Click to Enlarge
I hope you have found this useful, can see why this is such a powerful feature of the R2 and gives you one more good reason to go for the upgrade.
Audit Active Directory
Nov 18
Want some free advice on what to audit in Active Directory ?
You could do worse than go to http://www.activedirsec.com/index.html - try out their free Gold Finger tool too.
What level is my Schema at ?
Nov 18
Sometimes you need to have your Schema at a certain level of Windows or may even want to check that a Schema upgrade is successful. One way to do this is to use ADSI Edit and connect to the Schema contect. Looking at the properties of the Schema node we can see the objectVersion attribute of the Schema. For Windows 2008 R2 this is 47.
Click to Enlarge
The objectVersion attribute has the values below for different levels of Schema upgrades.
| Schema Version | Release of Windows |
| 13 | Windows 2000 |
| 30 | Windows 2003 |
| 31 | Windows 2003 R2 |
| 44 | Windows 2008 |
| 47 | Windows 2008 R2 |
Of course, there may be a level of risk in accessing objects with ADSI Edit so you want to query the schema version from a command prompt. To do so you can download the free AdFind tool from http://www.joeware.net/freetools/tools/adfind/index.htm and open up an administrative level command prompt (right click cmd.exe ad select “Run As Administrator”), change your path to where you have saved AdFind.exe to and then run the command
Adfind –schema –s base objectVersion
Click to Enlarge
Office 2010 Beta
Nov 17
Office 2010 Beta is now available for download if you have an MSDN / Technet subscription – expect a public Beta real soon !
