However, to use this feature the first thing you need to do is have your Forest at the Windows 2008 R2 level. Whilst your schema may be at the R2 level (meaning your forest can play host to 2008 R2 Domain Controllers) your domains and forest may still be running Domain Controllers with previous operating systems such as 2008 RTM or 2003 R2. The easy way to check your domain level in Windows 2008 R2 is to start the new Active Directory Administrative Centre. If you select the domain node on the left hand side (the netbios name of my domain is philipflint) then you will be able to check and raise the domain / forest functional levels in the action pane on the right hand side.

Click to Enlarge

If your forest level is not at Windows 2008 R2 you can raise it.

Click to Enlarge

We can now install the Recycle Bin feature. Care should be taken before undertaking the next procedure. Enabling the Recycle Bin feature for a domain / forest is a one way process with no way back. In a typical environment the recycle bin feature will grow the Active Directory database by 10 – 20% which may have an affect on performance especially in larger environments which many thousands of users where servers have been sized to run the complete database in RAM.

You should also note that, even though the Recycle Bin is an optional feature, it cannot be added as a Role Service nor as a Feature.

Click to Enlarge

Instead the role is enabled by running a command in PowerShell. PowerShell is installed by default Windows 2008 R2 servers. However, PowerShell itself has no knowledge of Active Directory. Instead we need to load up the scripts and Verbs that PowerShell needs to be aware of to connect and control Active Directory. There are two ways to do this. The first, and simplest, is to click on Start | All Programs | Administrative Tools | Active Directory Module for Windows PowerShell.

Click to Enlarge

The other alternative is to start PowerShell by clicking on the below icon on the taskbar and then running the command below to import the Active Directory modules.

Import-Module ActiveDirectory

Click to Enlarge

We can now enable the Recycle Bin Feature. Below is a piece of code that you can change to use in your environment.

Enable-ADOptionalFeature –Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration, DC=YourDomain,DC=ComOrNetOrLocal‘ –Scope ForestOrConfigurationSet –Target ‘YourDomain.ComOrNetOrLocal‘ –confirm:$false

I’ve highlighted in Red the three pieces of information you have to change. If you have a two tier domain name (such as .co.uk) then you will have to add another DC= section. An example is given below for a domain called philipflint.co.uk.

Enable-ADOptionalFeature –Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration, DC=philipflint,DC=co,DC=uk‘ –Scope ForestOrConfigurationSet –Target ‘philipflint.co.uk‘ –confirm:$false

After amendment for the appropriate domain name variables this command is simply cut and paste into the PowerShell window.

Click to Enlarge

I was not given a chance to back out of the addition of the feature as I used the PowerShell switch –confirm:$false which provides any confirmation when asked. If you do not include this switch then you will be asked to confirm the action.

NOTE: This command needs to be run for each domain in your forest for which the Recycle Bin should be installed.

After synchronising the domain the Recycle Bin will be active on all Domain Controllers and you can now test it out by creating test OU’s and test users and deleting them and restoring them. I have created two users called ‘William Shakespeare‘ and ‘Enid Blyton’ in an OU called ‘Authors‘.

They are both members of the Global Group ‘Famous‘ and the Domain Local group ‘Published‘.

Click to Enlarge

We can now delete the William Shakespeare account.

Click to Enlarge

To restore a user that has been deleted I have provided a script for you below.

Get-ADObject -Filter {samAccountName -eq “UserLogonName“} -IncludeDeletedObjects | Restore-ADObject

As before, simply change the section in Red with the display name of the user you want to restore. I use the logon name as its something that you can ask the user that they are likely to know but if they don’t know this (‘Its always there, I just enter my password’) then you can use another field which uniquely identifies them, their email address for example.

Get-ADObject -Filter {mail -eq “UsersEmailAddress“} -IncludeDeletedObjects | Restore-ADObject

To restore Williams account we can just enter the following in the PowerShell window.

Get-ADObject -Filter {samAccountName -eq “william.shakespeare“} -IncludeDeletedObjects | Restore-ADObject

Click to Enlarge

The user account is now restored along with all group memberships.

Click to Enlarge

Memberships below.

Click to Enlarge

Now, of course, its possible that a user may be deleted who is in an OU that has also been deleted. It is not possible to restore the user without first restoring the OU of which they were a member or, in extreme cases, the whole OU tree if multiple OU’s have been deleted.

Unless your records are up-to-date there is a chance that you may not know what your exact OU structure was and so you need a method of finding out what was the parent object of a deleted user. The code to do this is below.

Get-ADObject -SearchBase “CN=Deleted Objects, DC=YourDomain,DC=ComOrNetOrLocal‘ ” -ldapFilter:”(msDs-lastKnownRDN=ObjectName)” –IncludeDeletedObjects –Properties lastKnownParent

For example, if we run the above for our deleted William Shakespeare account we would run the following.

Get-ADObject -SearchBase “CN=Deleted Objects, DC=philipflint,DC=com” -ldapFilter:”(msDs-lastKnownRDN=William Shakespeare)” –IncludeDeletedObjects –Properties lastKnownParent

Click to Enlarge

As can be seen from the output, we can see that the last know parent (i.e. the containing OU for this user) was the Authors OU directly under the domain node. Note that the Authors OU has not been deleted and so the user object may be directly restored. Below is a screenshot with the same command but where the Authors OU has been deleted.

Click to Enlarge

In this case we can query the Authors OU to find its last known good parent until we find a containing object which has not been deleted.

Once we know which is the first object to be restored we can begin the restoration process. Previously I have given you the code to restore a user. The command to restore an OU is slightly different and I show it below.

Get-ADObject -ldapFilter:”(msDs-lastknownRDN=NameOfYourOU)” -IncludeDeletedObjects | Restore-ADObject

In our case we would therefore run the following three commands to restore the OU and the 2 deleted accounts (William Shakespeare and Enid Blyton).

Get-ADObject -ldapFilter:”(msDs-lastknownRDN=Authors)” -IncludeDeletedObjects | Restore-ADObject

Get-ADObject -Filter {samAccountName -eq “william.shakespeare“} -IncludeDeletedObjects | Restore-ADObject

Get-ADObject -Filter {samAccountName -eq “enid.blyton“} -IncludeDeletedObjects | Restore-ADObject

Click to Enlarge

Note that all objects are restored with the appropriate backlinks in place

Click to Enlarge

I hope you have found this useful, can see why this is such a powerful feature of the R2 and gives you one more good reason to go for the upgrade.

You could do worse than go to http://www.activedirsec.com/index.html - try out their free Gold Finger tool too.

Click to Enlarge

The objectVersion attribute has the values below for different levels of Schema upgrades.

Of course, there may be a level of risk in accessing objects with ADSI Edit so you want to query the schema version from a command prompt. To do so you can download the free AdFind tool from http://www.joeware.net/freetools/tools/adfind/index.htm and open up an administrative level command prompt (right click cmd.exe ad select “Run As Administrator”), change your path to where you have saved AdFind.exe to and then run the command

Adfind –schema –s base objectVersion

Click to Enlarge

Well, a home drive, or more correctly a home directory, is a special type of mapped drive that contains a users folders and can contain application data. It allows programmatic access to the home drive by assigning values to the variables:

• HOMEDRIVE
• HOMEPATH
• HOMESHARE

For example, these three environment variables could contain the following:

HOMEDRIVE=<drive letter>:
HOMEPATH=\<path>
HOMESHARE=\\<server name>\<share name>

The home drive can then be accessed in a standard logon script. Below are some parameters that can be used and their meanings.

So, we can assign a home drive rather than a standard “mapped” drive to enable us to reference the drive in scripts. But, is that all that using a home drive gives us ? The answer is “no”. If you have not assigned a home drive to a user in their Active Directory object then Windows (on clients) uses a default location, the users profile in Documents and Settings / Users directory for files and for user-specific application files such as .ini files it uses the users Windows directory which, be default, is the Windows directory on the client. Therefore one thing extra that using a home drive gives us (over a standard mapped drive) is a place to store user-specific application settings which will follow the user from machine to machine – note that this is distinct from roaming user profiles as these files are not stored in the users profile by default. Also, as the default home location is the users My Documents folder in their profile if we map a home directory we change the home location. This doesn’t mean that the users My Documents location is changed but it does mean that the default location for Open, Save As and command prompt start points is the users Home Directory.

From the above you can see that if we set a users home directory (Home Drive) to be H: then when they try to save a file in Microsoft Word, for example, it will offer to save the file to H: by default. It is for this reason that you often see My Documents redirected to the home drive location….. so that users will save to their My Documents location by default.

As you can see from the above a Home Drive is not just another mapped drive but has a real affect on the end user experience and where files are saved.

The first is around synchronisation of system clocks. As mentioned in a previous article windows Servers use time synchronisation to ensure against replay attacks and thus increase the security of Kerberos authentication within an Active Directory environment. However, virtual platforms such as VMWare or Hyper-V also allow you to synchronise a virtual machines clock with the physical host. What this means though is that, if the server host is showing a different time from the root PDC Emulator then any virtualised domain member server or domain controller will set its clock against the domain and then set its clock against the physical host and then against the domain and then against the physical host and so on ad nauseum. This can cause five issues:

1. If there is more than the amount of “difference” between the DC clock and other domain controller clocks then the server will not be able to synchronise
2. Similarly, as the DC clock will different from those of clients, clients will fail authentication against this domain controller.
3. This constant re-synchronisation will cause clock “flapping” so that any events or logs written will have events recorded in an incorrect order. This is an issue not only for domain controllers but also for other servers such as SQL or Exchange where they record the time of records being changed or messages arriving.
4. If you run an environment where accurate times are important then this will into be possible with “flapping” clocks. For example, if you require staff to “clock in” and penalise them for late arrival then your solution will be at risk if your clock cannot keep accurate time.

So, by all means virtualise your domain controllers but don’t allow them to synchronise their clocks with the physical host. In Hyper-V this behaviour can be disabled by opening the Hyper-V Manager Console. selecting the virtual machine and clicking on Settings in the Actions pane for that virtual machine. Under the Management node select Integration Services and clear the Time Synchronization check box.

Click to enlarge

Click on Apply and that virtual machine will now synchronise its clock solely based on the settings within its operating system.

The second item to consider before virtualising your domain controllers concerns “snapshotting”. Snapshots allow you to take a point in time view of a server and then record differences to the virtual disk of that server over time. In this way you can “roll back” a virtual machine to the point the snap shot was taken by removing the changes made. However, this gives an issue when we consider domain controllers.

When a change is made on a Domain Controller it updates its own Update Sequence Number (USN) and, when a synchronisation is due with other domain controllers, issue the update to them. These USN’s are maintained per Domain Controller and a certain change may register on DC1 as 12345 and hold the USN of 7657622 on the far older DC2. You can see the USN on a particular Domain Controller by looking at the highestCommittedUSN value using ADSIEdit to connect to the RootDSE default naming context.

Click to enlarge

DC1 would look like above and DC2 would have the USN below, for example.

Click to enlarge

Now, it’s a basic premise that the USN on a domain controller should only ever get bigger, and not smaller. After all, transactions can’t just disappear. Indeed, domain controllers use this USN to keep track of the updates they have received from each other. The last USN received from each replicating partner is stored in a High Watermark Vector Table on each DC. In this way, the receiving domain controller knows which was the last change it received form a replicating partner. When it next wants to replicate it sends its high watermark value to the DC it wants to replicate from (the source domain controller). The source DC then uses the information in the high watermark value to determine which objects to replicate back to the target Domain Controller. This can be represented by the following table:

So far so good. So, what’s the issue. The issue is that if we had taken a snapshot of DC1 at, say, step 3 and rolled back then the following would happen.

So, by restoring Active Directory from a snapshot we would run the risk of losing updates IF Active Directory allowed us to do this. Fortunately the clever guys at Microsoft have worked this out and from Windows 2003 SP1 this is not likely to happen because AD will recognise that the USN’s have become out of sequence and will refuse to allow DC1 to synchronise. You will know if this has happened to you not only because your domain will not synchronise properly but you will see an event similar to the below logged in the event viewer on the “restored” Domain Controller.

Click to enlarge

 As you can see, the only solution for this is to forcibly demote the domain controller and start again. Of course, the situation is even worse if ALL domain controllers are snapshotted and then restored. It’s perfectly possible that you can end up without an operating Active Directory environment ! So, the original question was “Should I virtualise my Domain Controllers ?” and I say that this is a decision that you have to make yourself and the risk you want to assume. However, I would suggest that a best practice is to:

• Never synchronise Domain Controller clocks with the virtualisation host
• Never snapshot domain controllers
• Always have at least one (and preferably two) physical domain controllers in case you have to force demote all virtualised domain controllers

If you follow the above advice I believe the risks in virutalising DC’s are relatively low.

• All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
• All member servers also nominate the authenticating domain controller as their in-bound time partner.
• All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
• All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner and synchronise with the server holding the PDC operations master role in the forest root domain.
• In this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization and should be set to synchronise with an external atomic time source or will use its own CMOS clock to set its internal time.

When deploying domain controllers, the server holding the PDC operations master role must then be granted access to the internet to synchronise its time with an atomic clock using the NTP protocol (UDP port 123). This is fine when a data centre is first deployed but what happens when the PDC emulator operations master role is moved to another server ? Synchronisation will still occur within the forest with the new server holding this role other than for the original server hosting the role which will still synchronise with its external source.

This can raise two issues.

1. One of the servers, over time, could drift in terms of its clock and so the original PDC emulator may not be in sync with the rest of the forest and therefore reject authentication attempts.
2. If an application is Active Directory integrated and using the AD servers for its time source then that application or service may not be accurately recording its time in the application or any logs. This can be an issue, for example, for systems “clocking in” staff where staff are fined for late arrival or, perhaps, when accurate recording of access times for network assets is important for security reasons. If the time recorded is out by a few minutes then this may be an issue.

This raises the question then “how do I set my clocks accurately for all machines if I move my PDC Emulator role”. There are three solutions.

1. Set all domain controllers to synchronise to the same external atomic clock. Whilst this should certainly keep all clocks within a reasonable skew time the same issue can occur as described above if one server should, for some reason, not have external access. It is likely to eventually drift from the other server clocks and create issues.
2. Set two domain controllers to synchronise externally and only move the PDC emulator role between those two servers. This is a standard answer to this conundrum and can work well. It has the advantage that administrators are likely to know where the FSMO roles are for the domain and reduces the amount of setup time. However, there is still a small risk of drift if one server loses its external access for any reason. There is also the possibility that the PDC Emulator role will be moved to a server other than those nominated.
3. Use a GPO to set domain controllers to follow the hierarchy above and be compliant with RFC 1305 unless they are the PDC Emulator in which case they go to an external source. While all domain controllers still need to be provided access to the internet over UDP port 123, should a mistake be made then all servers will at least have the same clock time and so, using this method, the likelihood of failed authentication attempts are very much minimised.

The preferred method then is option C above. To configure this is relatively simplistic. A GPO is created and applied at the “Domain Controllers” OU level. The GPO itself is scoped by way of a WMI script to affect just the server holding the PDC Emulator operations master role. This GPO configures the W32Time service on that server with the external clocks to synchronise to.

To create the GPO, open Group Policy Management Console and create a new GOP linked to the Domain Controllers OU (I have called mine PDC Time Sync). Access the Scope tab of the GPO.

Note that WMI Filtering is net to <none>. You can only apply a WMI filter if one exists and so, next, we right click the WMI Filters node above and select “New…“. We give the WMI filter a name and description as below.

We then click Add to add a query to the filter. The WMI query will be as below:

Select * from Win32_ComputerSystem where DomainRole = 5

We then click on OK and “Save“.

The WMI script selects computers whose DomainRole method of the Win32_ComputerSystem class (i.e. DomainRole value) is set to 5. The allowed values for this method are as below.

Active Directory follows the multi-master method of replication whereby each domain controller “owns” a copy of the Active Directory database and can update values in that database and replicate changes to all other domain controllers. This is as opposed to the NT4 methodology where a primary domain controller existed and all other domain controllers were backup domain controllers. However, Active Directory maintains the PDC Emulator role for those times when a PDC is still required for down level clients, password replication and time synchronisation. The server hosting this role has DomainRole 5 and all other domain controllers hold domain role 4, even though they are not backup domain controllers in the traditional meaning of that term.

As the WMI filter now exists it can be assigned to the GPO as a filter. Access the scope tab of the GPO created earlier and set the WMI filter to the one just created.

The GPO can now be edited and values set to control the W32Time service on the server holding the PDC Emulator role. If the role is moved between servers then the GPO ceases to apply and the W32Time settings are reverted to their original values forcing the server to sync to the new server holding the PDC Emulator role. The appropriate policy to set is the “Configure Windows NTP Client” policy found at “Computer Configuration | Policies | Administrative Templates | System | Windows Time Service | Time Providers” in Windows Server 2008 R2. The default values for these settings are shown below.

The meaning of each value is as follows:

A list of NTP Time servers can be obtained from http://support.microsoft.com/?id=262680. The values I tend to set for the GPO are as below.

I use the flag 0×1 on the NtpServer setting to make the time service take note of the SpecialPollInterval setting (which is a value in seconds) which sets how often the server should poll for a new time. In this way we can, if desired, poll for a time update more or less often. The NTP type setting tells the service to go direct for its time updates to the NtpServer specified.

One the GPO is configured you can wait for it to be applied to the PDC Emulator or force its application using GPUpdate. To check that the policy is working simply note the difference between the server clock and your wristwatch or other clock and, around an hour later, check again and you should see that the difference between the two time sources has changed as the server is drawing its time from an accurate time source.

The final thing to do is to change the GPO status to disable user configuration settings within the GPO as this will lead to a slightly faster GPO processing time.

I hope this post will help remove some of the mystery surrounding how to configure time synchronisation settings within an Active Directory domain.

As you know, Active Directory “knows” which Domain Controller to direct a logon request to by using the clients IP address and directing the request to a domain controller in the same site as the user (or another site assigned to the users IP subnet). But requests are directed to the “most likely” subnet or, to put it another way “best match” subnet. Where this leads us to is that you can use subnets in Active Directory Sites and Services to direct logon requests.

For example, your data centre may have the subnet 10.1.1.0/24 (10.1.1.0, 255.255.255.0) and you may have the following servers.

 So, what we don’t want to do is just assign the subnet 10.1.1.0/248 to a site as this will not include Exchange2 and, indeed, will remove all DC’s from our server site. Similarly, we can’t just use 10.1.1.0/240 as a subnet as this will also include our backup server and, once again, all DC’s. That is, we could assign a more specific subnet to the Exchange “site” but, if needs be and for the purposes of this article, we can also assign individual servers. Below is an example of our site setup before we start with all servers assigned to the subnet OU.

The first thing we would do is create a new Site called, for example “Exchange” and, in this case, assign it to our default site link.

We then create a new Site Link to link the Exchange servers back to the Server site. We do this so that we can change the replication schedule as we will want “fast” replication between the DC’s in the Server site and in the Exchange Site (If required the sites can then be removed from the Default Site Link).

We can then create a series of new subnets, one for each server, and assign them to the “Exchange” Site.

In this way, individual servers can be added to the site until all servers that should be treated as one unit exist in the same site.

The Domain Controllers can then be moved to the Active directory site by right clicking the server in Sites and Services and selecting “Move”

This means that all the servers should perform lookups and any authentication against the domain controllers in their own local site. This technique can also be used in any other situation where particular AD servers have to be used by particular servers (for example when a certain level of domain controller must be used in a still mixed environment). All that remains is to change the site link to replicate rapidly.

By default, changes are not replicated between sites when the change is made (with the exception of urgent replication items such as password changes). Instead changes are replicated according to a schedule as defined on the site link. By default the replication interval is set to 180 minutes.

However, as these servers all sit on the same high speed network we can configure change notifications to traverse the site link in near real time as though the servers are in the same site. This is done by setting a value in Active Directory by using the ADSI Edit tool (installed by default in Windows 2008 R2 and part of the support tools pack in Windows 2003.

To enable change notification between sites

1. In ADSI Edit, expand the Configuration container.

   

2. Navigate to the Inter-Site Transports container, and select CN=IP . (You cannot enable change notification for SMTP links.)

   

3. Right-click the site link object for the sites for which you want to enable change notification (CN=Exchange Servers in our case), and then click Properties .
4. In the Select a property to view box, select options .

   

5. In the Edit Attribute box, if the Value(s) box shows <not set> , type 1 in the Edit Attribute box. If the Value(s) box contains a value, you must derive the new value by using a Boolean BITWISE-OR calculation on the old value, as follows: old_value  BITWISE-OR 1. For example, if the value in the Value(s) box is 2, calculate 0010 OR 0001 to equal 0011. Type the integer value of the result in the Edit Attribute box; for this example, the value is 3. In this case, as this is a new site link that we have set up then the value should be set to <not set> and so we can enter 1.

   

6. Click OK and the OK again and exit ADSI Edit.

Changes should now be notified across the site link with the same frequency as they would if the servers were in a single site (around 15 seconds for 2003 / 2008).