Windows Tricks: AD

1 of 26

http://www.windowstricks.in/search/label/AD?updated-max=2010-03-0...

Gpresult failed with ERROR Access Denied

4 FEBRUARY 2010

Unable to get the result from gpresult on a Windows 2003 server: gpresult returns with an access denied error, although you are able to update the group policy without issue.

Run the following commands to re-register userenv.dll and recompile the RSoP MOF file.

To resolve the access denied error while running gpresult:

1. Open a cmd
2. Re-register userenv.dll:
Regsvr32 /n /I c:\winnt\system32\userenv.dll
3. CD c:\windows\system32\wbem
4. Mofcomp scersop.mof
5. Gpupdate /force
6. Gpresult

Now you are able to run gpresult without error, and a server reboot is not required for this procedure.

Posted by Ganesamoorthy S at 15:12 , Links to this post , 0 comments
Labels: AD, GPO

Active Directory 2008 features

30 JANUARY 2010

What's new in Windows 2008 Active Directory

As an Active Directory administrator you are very curious about the Windows 2008 features compared to earlier versions like Windows 2003. Windows 2008 comes with a whole bunch of features, and I am going to discuss specifically the features of the Active Directory server roles in Windows 2008.

First I will list the features of Windows 2008 Active Directory and will discuss each of them in detail in my upcoming article.

Continue Reading...

Posted by Ganesamoorthy S at 20:21 , Links to this post
Labels: AD, Windows Server 2008

12/24/2013 1:53 AM


Roaming profile issues

8 JANUARY 2010

You may be aware of the known roaming profile issue: a roaming profile will not work from a remote site (especially a low bandwidth site such as a VPN site). When a user tries to log on to a system in one site while the configured roaming profile server is in another site, the system will not load the roaming profile; it loads the local profile instead and you get an error message like "unable to load roaming profile".

Most system admins have faced this roaming profile issue. If you have an Active Directory environment with multiple sites, a user with a roaming profile who travels between sites always complains that the roaming profile does not work when he logs on to a system in a site other than the one he belongs to.

If you have roaming profile issues, check the below.

The system you are trying to log on to and your roaming profile server should be in the same site; otherwise the roaming profile will not work. To check that, you can use the below commands from your system.

Command to get the site name of the system you log on to:

Nltest /dsgetsite

Command to get the site name of the roaming profile server:

Nltest /dsgetsite /server:<roaming profile server name>

Both commands should return the same site name. If the profile server and the user are in different sites, then you need to check the site and subnet configuration.

To resolve this issue

You can configure a group policy to override this Windows behaviour. Configure the group policy so that the system waits for the remote copy of the roaming user profile to load.

Group policy setting:
Computer Configuration\Administrative Templates\System\Logon

If you configure this group policy, the system will wait for the roaming profile to load; it will load even if there is a slow link between the profile server and the user's system. This will be very slow, depending on the network latency and bandwidth between the roaming profile server and the user's system.

Note: Do not use this setting if you have low bandwidth sites, because it will use more bandwidth while loading the roaming profile. Say the user has 2GB of data in the profile folder: the 2GB of data will be copied over the WAN link at the time of user login, so it is not recommended to change the default Windows behaviour.

Related Articles
group policy
event 1000
Windows cannot obtain the domain controller name for your computer
Group Policy Processing

Posted by Ganesamoorthy S at 14:59 , Links to this post , 1 comments
Labels: AD, GPO

To get the members status from the active directory group

6 JANUARY 2010

In any environment, when an employee leaves the company you have to disable the user account in Active Directory. All the disabled users are still there in the distribution lists and security groups, and you have to remove the disabled user accounts manually.

If you want to know all the disabled users in an Active Directory group, use the below command. This command lists the members of the Active Directory group with their status (account disabled or not).

Group name: sales_executes

Syntax:
dsquery group -samid <Group Pre-Win2k Name> | dsget group -members | dsget user -disabled -display

Example:
dsquery group -samid sales_executes | dsget group -members | dsget user -disabled -display

Related Articles
how to find the ldap path
List active directory group members
find distinguished name

Posted by Ganesamoorthy S at 01:03 , Links to this post , 0 comments
Labels: AD, command, dsget, dsquery

Force sysvol replication

28 NOVEMBER 2009

How do I force the Sysvol replication in an Active Directory?

You can restart the FRS service to force FRS replication. To restart the FRS service, launch services.msc from the Run option on the Start Menu and restart the FRS service. You will get Event ID 13516 in the FRS event log; this confirms that the FRS status is fine.

Forcing Sysvol replication through NTFRSUTL

If you want to force sysvol replication between two domain controllers in an Active Directory, use the below procedure.

NTFRSUTL FORCEREPL Command-Line Option to Force Replication

You can use the new ntfrsutl forcerepl command to force replication regardless of the predefined replication schedule. This is only implemented for the domain controller Sysvol replica set.

ntfrsutl forcerepl [Computer] /r [SetName] /p [DnsName]

This command forces FRS to start a replication cycle. You must specify the Computer, SetName and DnsName.

Note: In this command, the following placeholders are used:
[Computer] = Connect to the NtFrs service on this machine.
[SetName] = The name of the replica set.
[DnsName] = The DNS name of the inbound partner to force replication from.

For example:
ntfrsutl.exe forcerepl DestinationDC /r "Domain System Volume (SYSVOL share)" /p SourceDC.domain.com

The quotation marks in this example are required when you use the /r option. If the quotation marks are not present, the command will not work.

Related Articles
Force active directory replication
troubleshoot active directory replication
active directory replication
active directory replication time
check Active Directory replication

Posted by Ganesamoorthy S at 03:00 , Links to this post , 0 comments
Labels: AD, AD Replication

Force active directory replication

How do I synchronize Active Directory between two domain controllers in a domain? Normal AD replication is scheduled; however, sometimes we need to synchronize manually. There are many ways to do this; we will see them one by one.

Force Active Directory replication through the Microsoft Management Console (MMC), or forcing replication through the Active Directory Sites and Services snap-in

1. Go to Start --> Programs --> Administrative Tools --> and open the Active Directory Sites and Services MMC.
2. Expand the Sites container in the left pane by clicking the plus (+) to the left of it.
3. Expand the container that represents the name of the site containing the server that needs to be synchronized.
4. Expand the Servers container and then expand the target server to display the NTDS Settings object.
5. Click the NTDS Settings option. In the right pane should now be a list of the target server's replication partners.
6. Right click a connection object in the right pane and click Replicate Now.

Force Active Directory replication through the Replmon tool

1. Go to Start --> Run --> type replmon --> and this will open the Replmon console.
2. Click on Edit and select --> Add monitored server.
3. Select --> Add the server explicitly by name --> Next.
4. Enter the server name that needs to be synchronized --> Finish.
5. Expand the partition that needs to be synchronized (e.g. Domain partition).
6. Select the connection object that needs to be synchronized.
7. Right click the connection object and click Synchronize with this replication partner.
8. Wait for the replication.
9. You will get a status message once the replication is completed.
10. If any error occurs during replication, you will get a meaningful error message.

Force Active Directory replication through the Repadmin command

Open the command prompt (CMD).

Syntax:
repadmin /replicate destination_dsa source_dsa Naming Context

Example:
repadmin /replicate server2.Domain.com server1.Domain.com dc=Domain,dc=com

Destination server name: server2.Domain.com
Source server name: server1.Domain.com
Naming context: dc=Domain,dc=com (Domain partition)

Additional switches

/force
This parameter is used to override the Disable Replication option on a directory server. Do not use this parameter unless you are certain that replication has been disabled and that you want to override this setting.

/async
Specifies that the operation will be asynchronous. This means that repadmin starts the replication event, but it does not expect an immediate response from the destination directory server. Use this parameter when there are slow links between directory servers.

/full
Forces a full replication of all objects from the destination directory server.

/allsources
A given destination can have multiple sources for the same naming context. Directs the destination to sync with all sources instead of just one. This parameter cannot be used with source_dsa.

Force replication with all of its replication partners

I would strongly recommend using the Replmon tool or the repadmin command to force Active Directory replication, since you will get a meaningful error message and a status message once the replication is completed.

Related Articles
Force sysvol replication
troubleshoot active directory replication
active directory replication
active directory replication time
check Active Directory replication
Health check active directory
Force the Active Directory replication between two domain controllers in low bandwidth sites
Force replication with all of its replication partners
How to check Active directory replication for multiple Domain Controllers
application directory partition

Posted by Ganesamoorthy S at 02:41 , Links to this post , 1 comments
Labels: AD, AD Replication, command

Configure active directory replication schedule

27 NOVEMBER 2009

Configure connection object schedule across time zones

Domain controllers store time in Coordinated Universal Time (UTC). When viewed through the Active Directory Sites and Services snap-in, time settings in connection object schedules are displayed according to the local time of the computer on which the snap-in is being run. However, replication occurs according to UTC (UTC is equal to GMT).

For example:

Chennai-site to Frankfurt-site: Chennai is in Indian Standard Time (IST) and Frankfurt is in Central European Time (CET), which differs from IST by 4:30 hours. Say you want to schedule 6-6, 2 times/hr for both connection objects (symmetric connection objects).

Say you log in to the domain controller Chennai0000 and configure the Frankfur0008-Chennai0000 connection object schedule on the Chennai0000 domain controller, and you log in to the domain controller Frankfur0008 and configure the Chennai0000-Frankfur0008 connection object schedule on the Frankfur0008 domain controller, both to 6-6, 2 times/hr.

However, the actual time of replication will not be the same for these two connection objects, since the two servers are in different time zones. As per the Microsoft standard, both connection objects (symmetric connection objects) should replicate at the same time, that is the same UTC time.

We need to configure the schedule for both connection objects on the Frankfur0008 domain controller (or on any one domain controller), so that the actual time of replication is the same although the time zones may be different.

Chennai0000 is a domain controller in Chennai-site.
Frankfur0008 is a domain controller in Frankfurt-site.
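The time-zone mismatch described above, carried through in numbers as an added example (not code from the original post). It assumes fixed offsets of UTC+5:30 for IST and UTC+1:00 for CET with DST ignored, which gives the 4:30 hour gap mentioned, and that the snap-in simply shifts the stored UTC window by the local offset of the DC it runs on.

```python
"""Added example: a '6-6' window typed locally on each side of a Chennai <-> Frankfurt
connection object lands on different UTC windows; configuring both from one DC does not."""

MINUTES_PER_DAY = 24 * 60

# Assumed fixed offsets (DST ignored): IST = UTC+5:30, CET = UTC+1:00, the 4:30 gap.
SITE_OFFSET_MIN = {
    "Chennai-site": 5 * 60 + 30,
    "Frankfurt-site": 1 * 60,
}


def hhmm(minutes: int) -> str:
    """Format minutes-since-midnight as HH:MM (wraps around midnight)."""
    minutes %= MINUTES_PER_DAY
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def local_to_utc(site: str, local_minutes: int) -> int:
    """Wall-clock minutes in `site` -> minutes since 00:00 UTC (what the DC stores)."""
    return (local_minutes - SITE_OFFSET_MIN[site]) % MINUTES_PER_DAY


def utc_to_local(site: str, utc_minutes: int) -> int:
    """Minutes since 00:00 UTC -> wall clock of `site` (what the snap-in displays)."""
    return (utc_minutes + SITE_OFFSET_MIN[site]) % MINUTES_PER_DAY


def schedule_set_locally(start_hour: int = 6, end_hour: int = 18) -> dict:
    """Each admin types the same local window on his own DC; return the UTC
    window (start, end) in minutes that each DC actually stores."""
    return {
        site: (local_to_utc(site, start_hour * 60), local_to_utc(site, end_hour * 60))
        for site in SITE_OFFSET_MIN
    }


def overlap_minutes(a: tuple, b: tuple) -> int:
    """Minutes during which two same-day UTC windows are both open."""
    return max(0, min(a[1], b[1]) - max(a[0], b[0]))


def as_displayed_in(site: str, utc_window: tuple) -> tuple:
    """What Sites and Services on a DC in `site` shows for a stored UTC window."""
    return hhmm(utc_to_local(site, utc_window[0])), hhmm(utc_to_local(site, utc_window[1]))


def worked_example() -> dict:
    """The page's scenario: local '6-6' on each side, then the fix of setting
    both connection objects from Frankfur0008 so they share one UTC window."""
    stored = schedule_set_locally()
    fixed_utc = stored["Frankfurt-site"]  # both objects now carry Frankfurt's UTC window
    return {
        "chennai_utc": tuple(hhmm(m) for m in stored["Chennai-site"]),
        "frankfurt_utc": tuple(hhmm(m) for m in stored["Frankfurt-site"]),
        "common_minutes": overlap_minutes(stored["Chennai-site"], stored["Frankfurt-site"]),
        "fixed_seen_from_chennai": as_displayed_in("Chennai-site", fixed_utc),
        "fixed_seen_from_frankfurt": as_displayed_in("Frankfurt-site", fixed_utc),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

Only 450 of the 720 scheduled minutes coincide when each side is configured locally; once both objects are set from Frankfur0008 the Chennai snap-in shows the same window as 10:30-22:30 IST.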
Related Articles
Force active directory replication
troubleshoot active directory replication
active directory replication
check Active Directory replication
Force sysvol replication
application directory partition
force ad replication
Health check active directory
Force the Active Directory replication between two domain controllers in low bandwidth sites
Force replication with all of its replication partners
How to check Active directory replication for multiple Domain Controllers

Posted by Ganesamoorthy S at 06:35 , Links to this post , 0 comments
Labels: AD, AD Replication

Troubleshoot Active Directory Server Replication

25 NOVEMBER 2009

In an Active Directory environment, monitoring the replication between the domain controllers and keeping the domain controllers up to date is an important aspect, so monitor replication health daily, or use Repadmin.exe to retrieve the replication status daily, and attempt to resolve any reported failure in a timely manner. If the problem that is causing replication to fail cannot be resolved by any known method, remove AD DS from the server and then reinstall AD DS.

Use the repadmin /showreps command to identify Active Directory replication problems. Find the error messages that the repadmin command generates:

1. Not enough server storage is available to process this command
2. Active Directory could not allocate enough memory to process replication tasks
3. Active Directory replication has been preempted.
4. Replication posted, waiting.
5. RPC Server Not Available
6. Target account name is incorrect
7. The DSA operation is unable to proceed because of a DNS lookup failure.
8. The remote system is not available. For information about network troubleshooting, see Windows Help.

1. Not enough server storage is available to process this command

Replication failed for TEST0001-TESTB0000 (connection object)

Example:


DC=test,DC=com
Default-First-Site-Name\TEST0001 via RPC
DC object GUID: **-**-**-***
Last attempt @ 2006-12-02 10:03:21 failed, result 1130 (0x46a):
Not enough server storage is available to process this command.
33 consecutive failure(s).
Last success @ 2006-12-01 22:36:20.

While doing a sync on the TESTB0000 server for TEST0001-TESTB0000, getting event log errors 1699 and 1079 on TEST0001:

Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1699
Date: 12/2/2008
Time: 10:03:21 AM
User: TEST\TEST0000$
Computer: TEST0001
Description:
The local domain controller failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send the change requests to the domain controller at the following network address.
Directory partition:
DC=test,DC=com
Network address:
***._msdcs.test.com
Extended request code:
0
Additional Data
Error value:
8446 The replication operation failed to allocate memory.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: NTDS General
Event Category: Replication
Event ID: 1079
Date: 12/2/2008
Time: 10:03:21 AM
User: TEST\TEST0000$
Computer: TEST0001
Description:
Internal event: Active Directory could not allocate enough memory to process replication tasks. Replication might be affected until more memory is available.
User Action
Increase the amount of physical memory or virtual memory and restart this domain controller.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Solution:
Problem with the TEST0001 server.


Need to clear the replication queue on TEST0001; there is no way to resolve this issue without restarting the server. Restart the server TEST0001 to resolve the problem.
http://support.microsoft.com/kb/832851
Note: This is a workaround only; for a permanent solution you need to raise the forest functional level to Windows 2003 and the domain functional level to Windows 2003 native.

2. Active Directory could not allocate enough memory to process replication tasks

Replication failed for TEST0001-TESTB0000

While doing a sync on the TESTB0000 server for TEST0001-TESTB0000, getting event log error 1079 on TESTB0000:

Event Type: Warning
Event Source: NTDS General
Event Category: Replication
Event ID: 1079
Date: 12/8/2008
Time: 11:15:59 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: TESTB0000
Description:
Internal event: Active Directory could not allocate enough memory to process replication tasks. Replication might be affected until more memory is available.
User Action
Increase the amount of physical memory or virtual memory and restart this domain controller.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Solution:
Need to restart TESTB0000 to resolve the issue.
Unlike the previous case, where the replication partner (TEST0001) was restarted, in this case the affected server itself (TESTB0000) needs to be restarted.
Note: This is a workaround only; for a permanent solution you need to raise the forest functional level to Windows 2003 and the domain functional level to Windows 2003 native.

3. Active Directory replication has been preempted.

The progress of inbound replication was interrupted by a higher priority replication request, such as a request generated manually


with the repadmin /sync command.
Wait for replication to complete. This informational message indicates normal operation.

4. Replication posted, waiting.

The domain controller posted a replication request and is waiting for an answer. Replication is in progress from this source.
Wait for replication to complete. This informational message indicates normal operation.

5. RPC Server Not Available

DC=Test,DC=com
Default-First-Site-Name\TEST0001 via RPC
DC object GUID: **-**-**-***
Last attempt @ 2006-04-18 01:45:51 failed, result 1722 (0x6ba):
The RPC server is unavailable.
7 consecutive failure(s).
Last success @ 2006-04-13 18:55:37.

This error can occur because of connectivity issues: the destination is unable to connect to the source server using the RPC protocol. The "RPC server unavailable" error can occur for the following reasons:
1. Source domain controller down
2. Network connectivity down between source and destination domain controller
3. Network latency
4. Intermittent network issue
5. Not enough network bandwidth to establish the connection
6. All bandwidth used by some other traffic (the link is currently over-utilized)

6. Target account name is incorrect

This problem can be related to connectivity, DNS, or authentication issues. If it is a DNS error, the local domain controller could not resolve the GUID-based DNS name of its replication partner.

For the below example:
Replication from TEST0000 to TEST0001 (TEST0000-TEST0001)
Repadmin result from TEST0000:
DC=test,DC=com
BR-SaoPaulo-SiteBH\TEST0001 via RPC
DC object GUID: 009cb97b-074b-4ac0-adc8-525566c02433
Last attempt @ 2009-04-23 22:53:53 failed, result 8524 (0x214c):
Target account name is incorrect.
494 consecutive failure(s).
Last success @ 2006-04-13 15:29:15.

Use the nslookup tool from TEST0000 to resolve the TEST0001 DNS GUID name (GUID._msdcs.<domain name>):
009cb97b-074b-4ac0-adc8-525566c02433._msdcs.test.com
Check whether DNS resolves the affected server (source server) from the target server:
> 009cb97b-074b-4ac0-adc8-525566c02433._msdcs.test.com


Server: TEST0001.test.com
Address: 192.168.1.100
Name: TEST0001.test.com
Address: 192.168.1.100
Aliases: 009cb97b-074b-4ec0-adc8-525533c02433._msdcs.test.com

If it is not able to resolve the GUID-based DNS name of its replication partner TEST0001.test.com, then fix the DNS issue to resolve the replication issue. Also check the normal DNS entry for its replication partner, whether the server name points to the correct IP address; in this example TEST0001.test.com points to 192.168.1.100.

7. The DSA operation is unable to proceed because of a DNS lookup failure.

The DNS entry for its replication partner should point to the correct IP address. Check the replication partner's IP address from the affected domain controller (TEST0000).

For the below example:
Replication from TEST0000 to TEST0001 (TEST0000-TEST0001)
Repadmin result from TEST0000:
DC=test,DC=com
BR-SaoPaulo-SiteBH\TEST0001 via RPC
DC object GUID: 009cb97b-074b-4ac0-adc8-525566c02433
Last attempt @ 2009-04-23 22:53:53 failed, result 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
494 consecutive failure(s).
Last success @ 2006-04-13 15:29:15.

Use the nslookup tool from TEST0000 to resolve TEST0001. In this example TEST0001.test.com points to 192.168.1.100:
> TEST0001.test.com
Server: TEST0000.test.com
Address: 192.168.1.200
Name: TEST0001.test.com
Address: 192.168.1.100

If it points to another, wrong IP address, then you will get the "DSA operation is unable to proceed because of a DNS lookup failure" error message in the repadmin result. Correct the DNS issue to resolve the replication issue.

Related Articles
Force active directory replication
troubleshoot active directory replication
active directory replication
check Active Directory replication
Force sysvol replication
application directory partition


force ad replication
Health check active directory
Force the Active Directory replication between two domain controllers
in low bandwidth sites
Force replication with all of its replication partners
How to check Active directory replication for multiple Domain
Controllers
Posted by Ganesamoorthy S at 05:38 , Links to this post , 0 comments
Labels: AD, AD Replication

How to check the DNS zone status from the list of servers

8 NOVEMBER 2009

Check the DNS zone status from the list of servers

If you are using the Windows DNS server and it is not AD integrated, then it is a primary/secondary setup: zones will not be replicated automatically and you have to create them manually on each server. If you want to check the zone status on all the servers, you have to log in to each server and check the zone status, or you can use the below command to simplify the work:

For /f %a in (list.txt) do dnscmd %a /zoneinfo zonename >> output.txt

This command will check all the servers in the input file (list.txt) for the zone name and store the output in the output.txt file.
Note: run this command from the folder where the input file (list.txt) is.
Example: if you have the list in c:\temp, then you have to run this command from there; this will create and store the output in the output.txt file.

Related Articles
how to troubleshoot dns issues
clearing dns cache
view dns cache
register dns record
dns server role
Unable to access the server share through DNS alias name

Posted by Ganesamoorthy S at 18:08 , Links to this post , 0 comments
Labels: AD, command, DNS, oneline script

To check the list of Users Group Membership

Check the list of users' group membership

I have used the "for" command to read the input file (list.txt) and execute the "net user" command for each user, and store the result in the output.txt file:

For /f %a in (list.txt) do net user %a /dom >> output.txt

Note: run this command from the folder where the input file (list.txt) is.
Example: if you have the user list in c:\temp, then you have to run this command from there; this will create and store the output in the output.txt file.

Related Articles
ldap path
Force active directory replication
Force sysvol replication
application directory partition

You can also use the below link, which uses the dsget command.
Related Articles
To display the list of members with nested groups
how to find the ldap path
List active directory group members
find distinguished name

Posted by Ganesamoorthy S at 17:19 , Links to this post , 0 comments
Labels: AD, command, oneline script

How to check Active Directory replication

31 OCTOBER 2009

One of the questions asked most frequently by system administrators is how to check Active Directory replication, or how to monitor AD replication. Most AD administrators know about the repadmin /showreps command; however, this command only provides the last attempt status, like "Last attempt @ 2008-10-31 13:51:13 was successful". If there was an error during the last attempt, it will show the error, like the below one for a communication issue:

Last attempt @ 2009-04-18 01:45:51 failed, result 1722 (0x6ba):
The RPC server is unavailable.

Sometimes you will get the below status from the repadmin command:
1. Active Directory replication has been preempted.
2. Replication posted, waiting.
3. Server busy

All the above statuses mean replication is progressing without any major issue, but we do not know the exact status. To find out whether replication is progressing or not, use the below procedure.

Say I am checking the test0000-test0005 connection object; check the Active Directory replication on test0005:


1. Run repadmin /showreps /v on test0005.
a. Check for the respective connection object and partition (domain partition).
b. Check the USN values after /OU and /PU.
c. Find the below result:
USNs: 215044188/OU, 0/PU
Last attempt @ 2008-10-31 15:05:20 was successful.
2. Check again after some time: if the value has increased, then replication is happening. In the below output, replication is happening because the USN /OU value is changing:
USNs: 221237525/OU, 0/PU
Last attempt @ 2008-10-31 15:05:20 was successful.
Now you see the change (USNs: 215044188/OU to USNs: 221237525/OU).
3. Also check the other partitions for the same server for an up-to-date USN; below is the output for the configuration partition:
USNs: 262820263/OU, 262820263/PU
Last attempt @ 2008-10-31 15:05:20 was successful.
4. In order to complete the replication, this USN /OU value should reach USNs: 262820263/OU.
5. If this USN /OU value has not changed for a long time, then replication has failed (replication is not progressing); please check the event log for more info.

This procedure is mainly used to check the high-watermark value, which can help you deduce the state of progress on that replication link (USNs:). The high-watermark USN is the number that is followed by /OU.
The object update (OU) USN saves the position when in the middle of a replication cycle. It stays the same as the property update (PU) when replication is not occurring, and increases during a replication cycle. At the end of the cycle, the final USN replicated becomes the PU value and the OU is left to match. Thus, the OU indicates progress within a cycle, and the PU indicates the last update seen at the conclusion of a successful cycle. A PU of zero means that the link has never completed a successful cycle, as is the case when performing its first synchronization on a new domain controller connection. If the OU and PU are not equal, it means a replication cycle is in progress.
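An added example (not the author's code) that parses the repadmin /showreps /v excerpts this post and the troubleshooting post above rely on, applies the /OU and /PU rules just described to two snapshots taken some minutes apart, and reports links whose last attempt failed with their result code. It assumes only the line layout visible in those excerpts, and the two snapshots below are constructed samples.

```python
"""Added example: parse 'repadmin /showreps /v' text and judge each link from its USNs."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Link:
    partition: str                     # naming context, e.g. DC=test,DC=com
    partner: str                       # inbound partner as site\server
    ou: Optional[int] = None           # object-update USN (the high-watermark)
    pu: Optional[int] = None           # property-update USN
    succeeded: Optional[bool] = None   # outcome of the last attempt
    result_code: Optional[int] = None  # Win32 error of the last failed attempt
    error_text: str = ""
    consecutive_failures: int = 0
    last_success: str = ""

# Line shapes assumed from the excerpts on the page, not a full grammar of showreps.
TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
NC_RE = re.compile(r"^(?:DC|CN)=", re.IGNORECASE)
PARTNER_RE = re.compile(r"^(\S+\\\S+) via \w+$")
USN_RE = re.compile(r"USNs:\s*(\d+)/OU,\s*(\d+)/PU")
FAIL_RE = re.compile(r"Last attempt @ " + TS + r" failed, result (\d+) \(0x[0-9a-fA-F]+\):")
OK_RE = re.compile(r"Last attempt @ " + TS + r" was successful")
CONSEC_RE = re.compile(r"(\d+) consecutive failure")
SUCCESS_RE = re.compile(r"Last success @ " + TS)

def parse_showreps(text: str) -> List[Link]:
    """Turn the inbound-neighbour section of showreps output into Link records."""
    links: List[Link] = []
    partition, cur, pending_error = "", None, False
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if NC_RE.match(line):          # a naming context header starts a new group
            partition, cur = line, None
            continue
        m = PARTNER_RE.match(line)
        if m:                          # 'site\server via RPC' starts a new link
            cur = Link(partition=partition, partner=m.group(1))
            links.append(cur)
            pending_error = False
            continue
        if cur is None:
            continue
        if pending_error:              # the line after 'failed, result N (0x..):' is the message
            cur.error_text, pending_error = line, False
        elif (m := USN_RE.search(line)):
            cur.ou, cur.pu = int(m.group(1)), int(m.group(2))
        elif (m := FAIL_RE.search(line)):
            cur.succeeded, cur.result_code, pending_error = False, int(m.group(2)), True
        elif OK_RE.search(line):
            cur.succeeded = True
        elif (m := CONSEC_RE.search(line)):
            cur.consecutive_failures = int(m.group(1))
        elif (m := SUCCESS_RE.search(line)):
            cur.last_success = m.group(1)
    return links

def usn_state(before: Link, after: Link) -> str:
    """The page's rules: /OU advancing = cycle in progress (completed if it now equals
    /PU); /OU == /PU = idle; /OU stuck with /PU 0 = never completed; otherwise stalled."""
    if after.ou > before.ou:
        return "completed" if after.ou == after.pu else "in progress"
    if after.ou == after.pu:
        return "idle"
    return "stalled, never completed" if after.pu == 0 else "stalled"

def replication_report(text_before: str, text_after: str) -> Dict[Tuple[str, str], str]:
    """Per link: failure details from the later snapshot, else the USN-derived state."""
    before = {(lk.partition, lk.partner): lk for lk in parse_showreps(text_before)}
    report: Dict[Tuple[str, str], str] = {}
    for link in parse_showreps(text_after):
        key = (link.partition, link.partner)
        if link.succeeded is False:
            report[key] = (f"failed: result {link.result_code} {link.error_text} "
                           f"({link.consecutive_failures} consecutive, last success {link.last_success})")
        elif key in before:
            report[key] = usn_state(before[key], link)
    return report

# Constructed sample in the page's layout: two healthy links on test0005 plus one link
# that keeps failing with the page's 1722 (RPC server unavailable) error.
SNAPSHOT_1 = r"""
DC=test,DC=com
    Default-First-Site-Name\TEST0000 via RPC
        USNs: 215044188/OU, 0/PU
        Last attempt @ 2008-10-31 15:05:20 was successful.
    Default-First-Site-Name\TEST0001 via RPC
        USNs: 100/OU, 100/PU
        Last attempt @ 2006-04-18 01:45:51 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        7 consecutive failure(s).
        Last success @ 2006-04-13 18:55:37.
CN=Configuration,DC=test,DC=com
    Default-First-Site-Name\TEST0000 via RPC
        USNs: 262820263/OU, 262820263/PU
        Last attempt @ 2008-10-31 15:05:20 was successful.
"""
# Second run some minutes later: only the domain partition's /OU has moved on.
SNAPSHOT_2 = SNAPSHOT_1.replace("215044188/OU", "221237525/OU")
```

Calling replication_report(SNAPSHOT_1, SNAPSHOT_2) classifies the domain link as "in progress", the configuration link as "idle", and carries the 1722 failure through with its consecutive-failure count and last-success time.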
Related Articles
Force active directory replication
troubleshoot active directory replication
active directory replication
check Active Directory replication
Force sysvol replication
application directory partition


force ad replication
Health check active directory
Force the Active Directory replication between two domain controllers
in low bandwidth sites
Force replication with all of its replication partners
How to check Active directory replication for multiple Domain
Controllers
Posted by Ganesamoorthy S at 20:03 , Links to this post , 0 comments
Labels: AD, AD Replication

Script to find the subnet conflict in AD

28 OCTOBER 2009

In a small environment with few sites and subnets, it is very easy to find a subnet conflict, especially when you have a request to create a new subnet and associate it with a site. In a large environment with a greater number of sites and subnets, it is very difficult to find subnet conflicts manually, and more so if you have frequent requests to create subnets. You can use the below script to find subnet conflicts in Active Directory; this script is also used to find the subnet with its corresponding site in Active Directory.

Use the below link to download the script.
If you have any issue downloading the above file, please feel free to mail me to get the script (s.ganesamoorthy@gmail.com).

Posted by Ganesamoorthy S at 12:46
Labels: AD, Scripts, VBscripts
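The overlap check such a script has to perform, as an added example in Python (not the author's VBScript, which is only available by e-mail). It runs offline on a constructed list shaped like the subnet objects under CN=Subnets,CN=Sites,CN=Configuration (the cn prefix and the siteObject DN); the prefixes and site names are made up.

```python
"""Subnet conflict check for Active Directory Sites and Services.

Added example, not the VBScript from the post. It works offline on a
constructed list shaped like the subnet objects under
CN=Subnets,CN=Sites,CN=Configuration,...: the cn (CIDR prefix) and the
siteObject DN each subnet is associated with (None when unassigned).
"""
import ipaddress

# Constructed sample data: (cn, siteObject) pairs. Site names are made up.
SAMPLE_SUBNETS = [
    ("10.1.0.0/16", "CN=Chennai,CN=Sites,CN=Configuration,DC=test,DC=com"),
    ("10.1.5.0/24", "CN=Bangalore,CN=Sites,CN=Configuration,DC=test,DC=com"),
    ("10.2.0.0/16", "CN=Mumbai,CN=Sites,CN=Configuration,DC=test,DC=com"),
    ("192.168.10.0/24", "CN=Delhi,CN=Sites,CN=Configuration,DC=test,DC=com"),
    ("192.168.10.128/25", "CN=Delhi,CN=Sites,CN=Configuration,DC=test,DC=com"),
    ("172.16.0.0/12", None),  # subnet not associated with any site
]


def site_name(site_dn):
    """Return the site's CN from its siteObject DN, or '(no site)' if unset."""
    if not site_dn:
        return "(no site)"
    first_rdn = site_dn.split(",", 1)[0]          # "CN=Chennai"
    return first_rdn.split("=", 1)[1]


def load_subnets(records):
    """Parse (cn, siteObject) pairs into (ip_network, site) tuples.

    strict=False tolerates host bits in the prefix so a mistyped cn is still
    compared instead of aborting the whole run.
    """
    parsed = []
    for cn, site_dn in records:
        network = ipaddress.ip_network(cn, strict=False)
        parsed.append((network, site_name(site_dn)))
    return parsed


def describe_overlap(a, b):
    """How prefix a relates to prefix b, given that they overlap."""
    if a == b:
        return "duplicates"
    return "contains" if a.prefixlen < b.prefixlen else "is contained in"


def find_overlaps(subnets, cross_site_only=True):
    """Return overlapping pairs as (cidr_a, site_a, relation, cidr_b, site_b).

    A nested prefix inside the same site is usually deliberate, so by
    default only overlaps that span two different sites are reported.
    """
    conflicts = []
    for i, (net_a, site_a) in enumerate(subnets):
        for net_b, site_b in subnets[i + 1:]:
            if net_a.version != net_b.version or not net_a.overlaps(net_b):
                continue
            if cross_site_only and site_a == site_b:
                continue
            conflicts.append((str(net_a), site_a, describe_overlap(net_a, net_b),
                              str(net_b), site_b))
    return conflicts


def check_new_subnet(cidr, site_dn, subnets):
    """Conflicts that creating `cidr` in site `site_dn` would introduce.

    Every existing prefix that overlaps the new one is reported, whatever its
    site, because the most specific prefix decides which site a client maps to.
    """
    new_net = ipaddress.ip_network(cidr, strict=False)
    new_site = site_name(site_dn)
    hits = []
    for net, site in subnets:
        if net.version == new_net.version and new_net.overlaps(net):
            hits.append((str(new_net), new_site, describe_overlap(new_net, net),
                         str(net), site))
    return hits


def site_listing(subnets):
    """Each subnet with its site, the second report the post's script produced."""
    return sorted((str(net), site) for net, site in subnets)


if __name__ == "__main__":
    existing = load_subnets(SAMPLE_SUBNETS)
    for cidr, site in site_listing(existing):
        print(f"{cidr:<20} {site}")
    for a, sa, rel, b, sb in find_overlaps(existing):
        print(f"CONFLICT: {a} ({sa}) {rel} {b} ({sb})")
    proposed = "10.2.10.0/24"
    for a, sa, rel, b, sb in check_new_subnet(proposed, SAMPLE_SUBNETS[0][1], existing):
        print(f"NEW {a} for {sa} {rel} existing {b} ({sb})")
```

In a live run the (cn, siteObject) pairs would come from an LDAP query of the Subnets container instead of SAMPLE_SUBNETS.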

Single object replication


22 OCTOBER 2009

Sometimes we need to create or modify an AD object (for example a DNS
change) and the change has to reach specific DCs in a different site
immediately; normally we would wait for the scheduled replication.
Sometimes this is a scheduled change that a site needs immediately on
a list of DCs, so we sync replication from the site where the change
was made to the site where it is needed.
We can use the single object replication command to reduce the
replication time.
Run the command below.
Syntax:
repadmin /replsingleobj DC_LIST dsa-source-guid ObjectDN
Example:
repadmin /replsingleobj test02 dd565bre-738f-4f35-9831-f0fgfa6505f "CN=Jean, OU=user,DC=microsoft,DC=com"

Posted by Ganesamoorthy S at 03:05
Labels: AD, AD Replication

Application Directory Partition

3 SEPTEMBER 2009

In Windows Server 2003, Active Directory Domain Services support
application directory partitions.
Applications and services can use application directory partitions to
store application-specific data. Application directory partitions can
contain any type of object, except security principals, and can be
configured to replicate to any set of domain controllers in the forest.
Unlike a domain partition, an application directory partition is not
required to replicate to all domain controllers in a domain, and the
partition can replicate to domain controllers in different domains of the
forest.
Application directory partitions are usually created by the applications
that will use them to store and replicate data. For testing and
troubleshooting purposes, members of the Enterprise Admins group
can manually create or manage application directory partitions using
the Ntdsutil command-line tool.
Creating an Application Directory Partition
You can use the NTDSUTIL command-line tool to create and manage
application directory partitions; some application vendors also include
code in their applications to create the application directory partition.
Open a command prompt window and enter the NTDSUTIL command,
followed by the DOMAIN MANAGEMENT command and then
CONNECT TO SERVER servername.
Commands


CREATE NC application_directory_partition domain_controller
CREATE NC application.test.com Taz0000.test.com
Replicating the Application Directory Partition
ADD NC REPLICA application_directory_partition domain_controller
ADD NC REPLICA application.test.com Taz0001.brienposey.com
The process for removing a replica is almost identical to creating it:
REMOVE NC REPLICA application_directory_partition domain_controller
The command for deleting an application directory partition is:
DELETE NC application_directory_partition
DELETE NC application.test.com
Application Directory Partitions for DNS
DNS can use application directory partitions to store DNS data on
Windows Server 2003-based domain controllers. DNS-specific
application directory partitions are automatically created in the forest
and in each domain when the DNS service is installed on new or
upgraded Windows Server 2003-based domain controllers.
The creation and deletion of application directory partitions, including
the default DNS application directory partitions, requires that the
domain naming master role holder reside on a Windows Server
2003-based domain controller.
The following DNS-specific application directory partitions are created
during Active Directory installation:
ForestDnsZones: a forest-wide application directory partition shared
by all DNS servers in the same forest.
DomainDnsZones: a domain-wide application directory partition for
each domain, shared by all DNS servers in the same domain.
Replication Scope
Domain partition
The Active Directory domain partition for each domain in the forest. DNS
zones stored in this partition are replicated to all domain controllers in
the domain. This is the only Active Directory storage option for DNS
zones that are replicated to domain controllers running Windows 2000
Server.
Forest-wide DNS application directory partition
The DNS application directory partition for the entire forest. DNS zones
stored in this application directory partition are replicated to all DNS
servers running on domain controllers in the forest. This DNS
application directory partition is created when you install the DNS
Server service on the first Windows Server 2003 domain controller in
the forest.
Domain-wide DNS application directory partition
The DNS application directory partition for each domain in the forest. DNS
zones stored in this application directory partition are replicated to all
DNS servers running on domain controllers in the domain. For the
forest root domain, this DNS application directory partition is created
when you first install the DNS Server service on a Windows Server
2003 domain controller in the forest.
Custom DNS application directory partition
A DNS application directory partition for any domain controllers that are
enlisted in its replication scope. This type of DNS application directory
partition does not exist by default and must be created. DNS zones
stored in this application directory partition are replicated to all DNS
servers running on domain controllers that enlist in the partition.


Use DNS Application Directory Partitions


Use application directory partitions for Active Directory-integrated
DNS zones to reduce replication traffic and the amount of data stored
in the global catalog.
After completing the upgrade of all Windows 2000-based domain
controllers in the forest to Windows Server 2003, move the Active
Directory-integrated DNS data on all DNS servers from the domain
partition into the newly created DNS application directory partitions.
This is done by changing the replication scope of the DNS zones.
Move the DNS zones that you want to replicate to all DNS servers in
the forest to the forest-wide DNS application directory partition,
ForestDnsZones. For each domain in the forest, move the DNS zones
that you want to replicate to all DNS servers in the domain to the
domain-wide DNS application directory partition, DomainDnsZones.
Domain-wide replication can be targeted to minimize replication traffic
because administrators can specify which of the domain controllers
running the DNS service receive the DNS zone data.
Forest-wide replication can be targeted to minimize replication traffic
because DNS data is no longer replicated to the global catalog.
NS records located on global catalog servers in the forest are
removed, minimizing the amount of information replicated with the
global catalog.
To view the records for the various DNS partitions
The DNS application directory partitions are not displayed by all Active
Directory administrative tools. To see these directory partitions, you
can use dnscmd (command-line tool) or ADSI Edit (adsiedit.msc) in
Support Tools.
To view the records for the various DNS partitions or to delete the
Test.com zone in the desired directory partition(s), follow these steps.
Click Start, click Run, type adsiedit.msc, and then click OK.
In the console tree, right-click ADSI Edit, and then click Connect to.
Click Select or type a Distinguished Name or Naming Context, type
the following text in the list, and then click OK:
DC=ForestDNSZones, DC=Test, DC=com
In the console tree, double-click DC=ForestDNSZones, DC=Test,
DC=com.
Double-click CN=MicrosoftDNS, and click the zone (Test.com). You
should now be able to view the DNS records that exist in this DNS
partition.

Posted by Ganesamoorthy S at 21:26
Labels: AD, Application Directory Partition

Loopback policy
28 JULY 2009

Loopback policy can be used in special computer scenarios, such as
schools, reception areas, or other zones where it is important that, no
matter who logs on, the computer settings always remain in the same
secured state. Since user settings are applied after computer settings
in the application order, GPOs allow you to enable the Loopback policy
setting to ensure that computer settings are reapplied instead of, or
along with, user settings.
By default, user settings override computer settings in case of any
conflict in policy settings. By configuring the Loopback policy setting, an
administrator can reverse this order of policy application.
When the Loopback policy option is configured, the computer settings
take precedence over the user settings. The Loopback policy option can
be set to Not Configured, Enabled, or Disabled. When enabled, Loopback
can run in one of the following two modes:
Replace mode: In this mode, the computer policy settings override
the user policy settings.
Merge mode: In this mode, the computer policy settings are
appended to the user policy settings.
Configure Loopback policy
Use the GPMC to create a new policy or use an existing policy to
configure the setting below for Loopback policy:
Computer Configuration -> Administrative Templates -> System/Group Policy
User Group Policy loopback processing: Enabled
Mode: Replace / Merge

Posted by Ganesamoorthy S at 04:43
Labels: AD, GPO

Configure Strict Replication Consistency

27 JULY 2009

How to enable Strict Replication Consistency


If you enable Strict Replication Consistency, lingering objects will not
replicate to other domain controllers. It is used to isolate the issue
to a site, and with Strict Replication Consistency enabled it is very
easy to find the affected domain controller that contains the lingering
object.
Registry Setting That Determines Whether Lingering Objects Are
Replicated
If a writable lingering object exists in your environment and an
attempt is made to update the object, the value in the strict
replication consistency registry entry (type REG_DWORD) in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
determines whether replication proceeds or is stopped, as follows:
1 (enabled): Inbound replication of the specified directory partition
from the source is stopped on the destination.
0 (disabled): The destination requests the full object from the source
domain controller, and the lingering object is revived in the directory
as a new object.
Default Settings for Strict Replication Consistency
The default value for the strict replication consistency registry entry is
determined by the conditions under which the domain controller was
installed into the forest.


Posted by Ganesamoorthy S at 05:46
Labels: AD, lingering objects

Removing Lingering Objects

Tool for Removing Lingering Objects
On domain controllers running Windows Server 2003 or Windows
Server 2003 with SP1, use Repadmin.exe (in Windows Support Tools)
to remove the lingering object or objects. Windows Support Tools are
available on the operating system CD in the Support\Tools folder. The
version of Repadmin that ships with Windows Server 2003 provides
the option /removelingeringobjects, which safely removes instances of
lingering objects from both writable directory partitions and read-only
directory partitions.
Posted by Ganesamoorthy S at 05:44
Labels: AD, lingering objects

How to find the domain controller that contains the lingering object
If we enable Strict Replication Consistency:
Lingering objects are not present on domain controllers that log Event
ID 1988. The source domain controller named in the event contains the
lingering object.
If we do not enable Strict Replication Consistency:
Lingering objects are not present on domain controllers that log Event
ID 1388. The domain controller that does not log Event ID 1388 is the
one that contains the lingering object.
If you have 100 domain controllers without Strict Replication
Consistency enabled, you will get Event ID 1388 on 99 of them, all
except the one that contains the lingering object.
You then need to remove the lingering objects from the affected domain
controller or decommission that domain controller.
You can use the Event Comb tool (Eventcombmt.exe), a multi-threaded
tool that gathers specific events from the Event Viewer logs of
different computers at the same time.
You can download these tools from the following location:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en
Posted by Ganesamoorthy S at 05:41
Labels: AD, lingering objects

Lingering objects
When an object is deleted, Active Directory replicates the deletion as
a tombstone object, which consists of a small subset of the attributes
of the deleted object. By inbound-replicating this object, other domain
controllers in the domain and forest become aware of the deletion.
The tombstone is retained in Active Directory for a specified period
called the tombstone lifetime. At the end of the tombstone lifetime,
the tombstone is deleted from the directory permanently.
After the tombstone is removed permanently, the object deletion can
no longer be replicated. Therefore, the tombstone lifetime defines
how long domain controllers in the forest retain knowledge of a
deleted object and thus the time during which a unique deletion must
be received by all direct and transitive replication partners of the
originating domain controller.
The default value of the tombstone lifetime depends on the version of
the operating system that is running on the first domain controller that
is installed in a forest, as follows:
Windows 2000 Server or Windows Server 2003: The default value is
60 days.
Windows Server 2003 with Service Pack 1 (SP1): The default value is
180 days
How Lingering Objects Occur
When conditions beyond your control cause a domain controller to be
disconnected for a period that is longer than the tombstone lifetime,
one or more objects that are deleted from Active Directory on all
other domain controllers might remain on the disconnected domain
controller. Such objects are called lingering objects. Because the
domain controller is offline during the entire time that the tombstone
is alive, the domain controller never receives replication of the
tombstone.
When it is reconnected to the replication topology, this domain
controller acts as a source replication partner that has an object that
its destination partner does not have.
Replication problems occur when the object on the source domain
controller is updated. In this case, when the destination attempts to
inbound-replicate the update, the destination domain controller
responds in one of two ways:
If the destination domain controller has strict replication consistency
enabled, it recognizes that it cannot update the object and locally halts
inbound replication of the directory partition from that source domain
controller.
If the destination domain controller does not have strict replication
consistency enabled, it requests the full object from the source domain
controller, and the lingering object is reanimated in the directory as a
new object.
Lingering objects can reside in writable or read-only partitions that are
potentially replicated between domain controllers in the same or
different domains in the same forest.
Causes of Long Disconnections
A domain controller is left in a storage room and forgotten, or
shipment of a prestaged domain controller to its remote location takes
longer than a tombstone lifetime.
Replication fails and monitoring is not in place. Failures can occur as
follows:
A domain controller is started and connected to the corporate
intranet but experiences inbound replication failure as a result of an
underlying network connectivity failure, name resolution failure, or
authentication failure that prevents replication from occurring.
A bridgehead server is overloaded, and replication becomes
backlogged. Excessively high replication load on a global catalog
server, in combination with a short intersite replication interval, can
result in updates not being replicated.
Global catalog servers replicate read-only replicas of all domain
directory partitions in the forest. The replication of read-only replicas
has a lower priority than the replication of writable replicas. In
addition, global catalog servers are often bridgehead servers, which
adds to the replication load. If the replication load on global catalog
servers acting as bridgehead servers is too high as a result of an
extremely short replication interval, excessive numbers of concurrent
outbound replication partners, or a combination of both, the
replication queue can become backlogged. If the condition persists,
read-only replicas can remain in the queue indefinitely. These
conditions can result in lingering objects on a global catalog server.
Wide area network (WAN) connections are unavailable for long
periods. For example, a domain controller onboard a cruise ship might
be unable to replicate because the ship is at sea for longer than the
tombstone lifetime.
The reported event is a false positive because an administrator
shortened the tombstone lifetime to force tombstone deletion (garbage
collection).
The reported event is a false positive because the system clock on
the source or destination domain controller is improperly rolled
forward or back in time. Clock skews are most common following a
system reboot and can have the following causes:
System clock battery or motherboard problems.
The time source for a computer is improperly configured, including a
time source server configured with Windows Time service (W32time),
third-party time servers, and network routers.
The system clock is advanced or rolled back by an administrator
attempting to extend the useful life of a system state backup or
accelerate the garbage collection of deleted objects. Make sure that
the system clock reflects the actual time and that event logs do not
contain events from the future or invalid past.

Indications That a Domain Controller Has Lingering Objects


An outdated domain controller can store lingering objects with no
noticeable effect as long as an administrator, application, or service
does not update the lingering object or attempt to create an object
with the same name in the domain or with the same user principal
name (UPN) in the forest. However, the existence of lingering objects
can cause problems, especially if the object is a security principal.
Symptoms Associated with Lingering Objects
The following symptoms indicate that a domain controller has
lingering objects:

A deleted user or group account remains in the global address list
(GAL) on Exchange servers. Therefore, although the account name
appears in the GAL, attempts to send e-mail messages result in
errors.
Multiple copies of an object appear in the object picker or GAL for an
object that should be unique in the forest. Duplicate objects
sometimes appear with altered names, causing confusion on directory
searches. For example, if the relative distinguished name of two
objects cannot be resolved, conflict resolution appends "*CNF:GUID"
to the name, where * represents a reserved character, CNF is a
constant that indicates a conflict resolution, and GUID represents the
objectGUID attribute value.
E-mail messages are not delivered to a user whose Active Directory
account appears to be current. After an outdated domain controller or
global catalog server becomes reconnected, both instances of the user
object appear in the global catalog. Because both objects have the
same e-mail address, e-mail messages cannot be delivered.
A universal group that no longer exists continues to appear in a
user's access token. Although the group no longer exists, if a user
account still has the group in its security token, the user might have
access to a resource that you intended to be unavailable to that user.
A new object or Exchange mailbox cannot be created, but you do not
see the object in Active Directory. An error message reports that the
object already exists.
Searches that use attributes of an existing object incorrectly find
multiple copies of an object of the same name. One object has been
deleted from the domain, but it remains in an isolated global catalog
server.

If an attempt is made to update a lingering object that resides in a
writable directory partition, events are logged on the destination
domain controller. However, if the only version of a lingering object
exists in a read-only directory partition on a global catalog server, the
object cannot be updated and this type of event will never be
triggered.
Events that indicate that lingering objects are present in the
forest
If a destination domain controller logs event ID 1388 or event ID
1988, a lingering object has been detected and one of two conditions
exists on the destination domain controller:
Event ID 1388: Inbound replication of the lingering object has
occurred on the destination domain controller.
Event ID 1988: Inbound replication of the directory partition of the
lingering object has been blocked on the destination domain
controller.
Event ID 1388
This event indicates that a destination domain controller that does not
have strict replication consistency enabled has received a request to
update an object that does not reside in the local copy of the Active
Directory database. In response, the destination domain controller
has requested the full object from the source replication partner. In
this way, a lingering object has been replicated ("reanimated") to the
destination domain controller.
Event ID 1988
This event indicates that a destination domain controller that has strict
replication consistency enabled has received a request to update an
object that does not exist in its local copy of the Active Directory
database. In response, the destination domain controller has blocked
replication of the directory partition containing that object from that
source domain controller. The event text identifies the source domain
controller and the outdated (lingering) object. An example version of
the event text is as follows:


Event ID 2042
If a domain controller has not replicated with its partner for longer
than a tombstone lifetime, it is possible that a lingering object
problem exists on one or both domain controllers. When this condition
occurs, inbound replication with the source partner is stopped on the
destination domain controller and event ID 2042 is logged in the
Directory Services event log. The event identifies the source domain
controller and the appropriate steps to take to either remove the
outdated domain controller or remove lingering objects and restore
replication from the source domain controller.
For more information, see http://support.microsoft.com/kb/910205

Posted by Ganesamoorthy S at 05:33
Labels: AD, lingering objects
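The two rules from the "How to find the domain controller that contains the lingering object" post (Event ID 1988 names the source; without strict consistency the one DC that logs no 1388 is the holder) and the 1388/1988 descriptions above, as an added Python example that is not the author's. The DC names, their strict settings and the one-line event format are constructed; a real Event Comb export looks different and would need its own parser.

```python
"""Locate the domain controller that holds a lingering object from the
Directory Service events the other DCs log (1988 on strict destinations,
1388 on non-strict ones).

Added example, not from the post. The input is a constructed export of
events in this example's own one-line format (real Event Comb output
differs): collecting DC, event ID, then key=value details, where the
1988 detail "source=" stands for the source DC the event text names.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed forest: which DCs have strict replication consistency enabled.
DC_STRICT = {
    "DC01": True, "DC02": True, "DC03": True,
    "DC04": False, "DC05": False, "DC06": False, "DC07": False, "DC08": False,
}

# Constructed events collected from all DCs.
SAMPLE_EVENTS = """\
DC01 1988 source=DC04 partition=DC=test,DC=com
DC02 1988 source=DC04 partition=DC=test,DC=com
DC03 1988 source=DC04 partition=DC=test,DC=com
DC05 1388 partition=DC=test,DC=com
DC06 1388 partition=DC=test,DC=com
DC07 1388 partition=DC=test,DC=com
DC06 1000 unrelated application event
"""

LINE_RE = re.compile(r"^(?P<dc>\S+)\s+(?P<id>\d+)\s*(?P<rest>.*)$")
SOURCE_RE = re.compile(r"\bsource=(?P<src>[^\s,]+)")


@dataclass
class Event:
    logged_on: str          # DC whose Directory Service log holds the event
    event_id: int
    source: Optional[str]   # source DC named in the text (1988 only)


def parse_events(text):
    """Parse the constructed export into Event records, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src = SOURCE_RE.search(m.group("rest"))
        events.append(Event(m.group("dc"), int(m.group("id")),
                            src.group("src") if src else None))
    return events


def confirmed_sources(events):
    """Event 1988: a strict destination blocked the partition and named the source."""
    return {e.source for e in events if e.event_id == 1988 and e.source}


def suspects_by_silence(events, non_strict_dcs):
    """Event 1388 means the DC received the object from someone else, so it was
    not the original holder; a non-strict DC that stays silent is a suspect.
    """
    reported = {e.logged_on for e in events if e.event_id == 1388}
    return set(non_strict_dcs) - reported


def locate_lingering_objects(text, dc_strict):
    """Return confirmed holders (from 1988) and silent non-strict suspects (from 1388)."""
    events = parse_events(text)
    non_strict = [dc for dc, strict in dc_strict.items() if not strict]
    confirmed = confirmed_sources(events)
    # Silence alone is weaker evidence: a DC that simply has not replicated the
    # partition yet is silent too, so it stays a suspect until a 1988 names it.
    suspected = suspects_by_silence(events, non_strict) - confirmed
    return {"confirmed": sorted(confirmed), "suspected": sorted(suspected)}


if __name__ == "__main__":
    result = locate_lingering_objects(SAMPLE_EVENTS, DC_STRICT)
    print("Confirmed lingering object source(s):", ", ".join(result["confirmed"]) or "none")
    print("Silent non-strict DCs to inspect next:", ", ".join(result["suspected"]) or "none")
```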

Backup and Recovery


19 JULY 2009

Data in Windows 2000 is divided into two primary types: 1) User Data
and 2) System State data.
User data includes application files and folders, operating system files
and folders, and user-created files and folders.
For all Windows 2000 computers, System State Data includes
operating system boot files, the registry and the COM+ class
registration database. On DC, System state data includes the AD data
store and the contents of the SYSVOL folder. When Certificate services
is installed in Windows 2000 server, System State Data includes
Certificate Services database.
Backup Types
Normal : Backs up all selected files and folders. It removes the
archive attribute from the backed up files and folders. It is a full,
complete backup.
Copy : Backs up all selected files and folders. It does not remove or
otherwise affect the archive attribute. Mainly used to create an extra
backup to store off-site.
Incremental : Backs up all selected files and folders that have
changed since the last normal or incremental backup. It removes the
archive attribute from the backed up files and folders.
Differential : Backs up all selected files and folders that changed
since the last normal backup. It does not remove the archive attribute
from any files and folders.
Daily : Backs up all selected files and folders that changed during the
day the backup is made. It does not remove or otherwise affect the
archive attribute.


Backup Strategies
Perform a normal backup every day.
Perform a weekly normal backup and daily differential backups.
Perform a weekly normal backup and daily incremental backups.
The Emergency Repair Disk is primarily used to repair and restart a
Windows 2000 computer that won't boot. It is used to repair Windows
2000 system files that have become corrupted or erased accidentally,
due to viruses or other causes. Windows NT copies the registry to the
Emergency Repair Disk.
There are two types of System State Data restore on Domain
Controllers:
Nonauthoritative restore of Active Directory : This is a full
restore of System State data, including Active Directory, on a
Windows 2000 DC. When this type of restore is performed, AD entries
on other DCs will replace the restored entries when replication of AD
occurs. We should use this type of restore when you only have one DC
in the network, or when you are primarily concerned with restoring
the other components of System State data, such as the registry and
system boot files, and we do not want to overwrite the more recent
copy of AD located on other DCs on the network.
Authoritative restore of Active Directory : Like a non-authoritative
restore, this is also a full restore of System State data, including AD,
on a Windows 2000 Domain Controller. After the restore is complete,
however, an additional step is required. Some or all of the restored AD
objects are marked as being authoritative. When this type of restore is
performed, the restored AD entries that are marked as authoritative
will replace the corresponding AD entries on other DCs on the network
when replication of AD occurs. We should use this type of restore when
the AD data store on the network's domain controllers is damaged, or
when a portion of AD has been accidentally deleted.
When we perform an authoritative restore of AD, we need to follow one
more step:
In the command prompt, type ntdsutil and press Enter.
At the ntdsutil: prompt, type authoritative restore and press Enter.
To restore the entire AD data store, at the authoritative restore:
prompt, type restore database and press Enter. Or, to restore a portion
of the AD data store, at the authoritative restore: prompt, type
Restore subtree OU=OU_name,DC=domain_name,DC=root_domain
and press Enter.
For example, to restore only an OU named Marketing in a domain named
Domain2.com, we should type
Restore subtree OU=Marketing,DC=domain2,DC=com
In the Authoritative Restore Confirmation dialog box, click Yes.
At the authoritative restore: prompt, type quit and press Enter.
At the ntdsutil: prompt, type quit and press Enter.
At the command prompt, type exit and press Enter.
The Recovery Console is a limited version of the Windows 2000
operating system that has only a command-line interface. Use the
Recovery Console when we aren't able to resolve a computer's problem
by using Safe Mode or the Emergency Repair Disk. The Recovery Console
is used to manually start or stop a service, repair the master boot
record, or manually copy files from a floppy disk or compact disc to the
computer's hard disk to restore a system.
Posted by Ganesamoorthy S at 16:16
Labels: AD, Backup
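The five backup types and the three strategies above, as an added Python simulation that is not from the post: it applies the archive-attribute rule stated for each type over a constructed week of changes and derives which backup sets a restore would need under the differential and incremental strategies. The file names and the change schedule are constructed.

```python
"""Simulation of the Windows 2000 backup types and restore chains.

Added example, not from the post. The archive-attribute rule for each type
is the one the post states; the files and the week of changes are constructed.
"""
from dataclasses import dataclass


@dataclass
class File:
    name: str
    archive: bool = True    # set when a file is created or changed
    modified_on: int = 0    # day number of the last change (0 = before day 1)


@dataclass
class BackupSet:
    kind: str
    day: int
    files: list


CLEARS_ARCHIVE = {"normal", "incremental"}


def run_backup(kind, day, files):
    """Select files by the rule for `kind` and clear the archive bit if it does."""
    if kind in ("normal", "copy"):
        chosen = list(files)                                   # everything
    elif kind in ("incremental", "differential"):
        chosen = [f for f in files if f.archive]               # changed since last clear
    elif kind == "daily":
        chosen = [f for f in files if f.modified_on == day]    # changed today only
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind in CLEARS_ARCHIVE:
        for f in chosen:
            f.archive = False
    return BackupSet(kind, day, [f.name for f in chosen])


def modify(files, name, day):
    """Record a change to `name` on `day`, creating the file if it is new."""
    for f in files:
        if f.name == name:
            f.archive, f.modified_on = True, day
            return
    files.append(File(name, True, day))


def restore_chain(history):
    """Sets needed to rebuild the latest state, oldest first.

    Only normal, incremental and differential sets take part: copy and daily
    backups never reset the archive bit, so nothing later depends on them.
    """
    normals = [i for i, b in enumerate(history) if b.kind == "normal"]
    if not normals:
        raise ValueError("no normal backup to start a restore from")
    start = normals[-1]
    chain = [history[start]]
    later = history[start + 1:]
    incrementals = [b for b in later if b.kind == "incremental"]
    differentials = [b for b in later if b.kind == "differential"]
    if incrementals:
        chain.extend(incrementals)        # every incremental since the normal
    elif differentials:
        chain.append(differentials[-1])   # only the newest differential
    return chain


def simulate(strategy):
    """Normal backup on day 1, then `strategy` on days 2-4 with constructed changes."""
    files = [File("a.txt"), File("b.txt"), File("c.txt")]
    history = [run_backup("normal", 1, files)]
    changes = {2: ["a.txt"], 3: ["b.txt"], 4: ["a.txt"]}
    for day in (2, 3, 4):
        for name in changes[day]:
            modify(files, name, day)
        history.append(run_backup(strategy, day, files))
    return history


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        history = simulate(strategy)
        for b in history:
            print(f"day {b.day} {b.kind:<12} backs up {b.files}")
        chain = restore_chain(history)
        print(f"restore needs {len(chain)} set(s): days {[b.day for b in chain]}\n")
```

The run shows the trade-off the strategies imply: the differential set grows each day but a restore needs only two sets, while incremental sets stay small and a restore needs the whole chain.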
