
<rss xmlns:a10="http://www.w3.org/2005/Atom" version="2.0">
	<channel>
		<title>Brian Desmond - Active Directory</title>
		<description />
		<language>en-us</language>
		<copyright>&amp;copy; 2004 - 2015 Brian Desmond. All Rights Reserved.</copyright>
		<managingEditor>brian@briandesmond.com (Brian Desmond)</managingEditor>
		<lastBuildDate>Thu, 28 Jan 2016 23:09:54 Z</lastBuildDate>
		<a10:link href="http://www.briandesmond.com/" />
		<item>
			<guid isPermaLink="false">briandesmond-1864</guid>
			<link>https://www.briandesmond.com/active-directory/transfer-domain-fsmo-roles/</link>
			<title>Transfer Domain FSMO Roles</title>
<description>&lt;p&gt;You can transfer the three &lt;a href="http://www.briandesmond.com/active-directory/what-are-the-five-fsmo-roles/"&gt;domain-wide FSMO roles&lt;/a&gt; (PDC Emulator, RID Master, and Infrastructure Master) with the GUI or via the command line. To transfer the roles via the GUI, follow the steps below. If the server currently hosting the role you want to transfer is unavailable, you must instead &lt;a href="http://www.briandesmond.com/active-directory/how-to-seize-a-fsmo-role-with-ntdsutil/"&gt;seize the roles&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Prior to attempting to transfer any of these roles, you must be a Domain Admin in the domain in which you will be performing the transfer. Once you have the appropriate access, perform the steps below for any of the roles you wish to transfer. In this example, we will transfer the PDC Emulator from a domain controller called COHO-CHI-ADC02.cohovines.com to a domain controller called COHO-CHI-SFO01.cohovines.com.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Launch the Active Directory Users and Computers (ADUC) MMC snap-in (Start&amp;gt;Run&amp;gt;dsa.msc).&lt;/li&gt;
&lt;li&gt;Right click the Active Directory Users and Computers node and click Change Domain Controller.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/open-live-writer-c73c904b36e4_e91c-image_9.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/open-live-writer-c73c904b36e4_e91c-image_thumb_3.png" border="0" alt="Change Domain Controller" title="image" width="478" height="324" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="3"&gt;
&lt;li&gt;Select the target domain controller (COHO-SFO-ADC01.cohovines.com in this example).&lt;/li&gt;
&lt;li&gt;Right click the domain and click Operations Masters….&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/open-live-writer-c73c904b36e4_e91c-image_11.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/open-live-writer-c73c904b36e4_e91c-image_thumb_4.png" border="0" alt="Operations Masters" title="image" width="244" height="221" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="5"&gt;
&lt;li&gt;On the PDC tab, confirm the target domain controller is correct and then click Change….&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/open-live-writer-c73c904b36e4_e91c-image_13.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/open-live-writer-c73c904b36e4_e91c-image_thumb_5.png" border="0" alt="Change the PDC Operations Master" title="image" width="345" height="381" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="6"&gt;
&lt;li&gt;Click Yes on the ensuing confirmation dialog.&lt;/li&gt;
&lt;li&gt;If the operation succeeds, you will receive the message below:&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/open-live-writer-c73c904b36e4_e91c-image_15.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/open-live-writer-c73c904b36e4_e91c-image_thumb_6.png" border="0" alt="The operations master role was successfully transferred." title="image" width="320" height="128" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;You can repeat these steps for each of the other FSMO roles as necessary. If you want to transfer all of the roles to the same domain controller, you only need to repeat steps 5 – 7. Otherwise, you must repeat steps 2 – 7.&lt;/p&gt;</description>
			<a10:updated>2016-01-28T23:09:02Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1863</guid>
			<link>https://www.briandesmond.com/active-directory/transfer-forest-fsmo-roles/</link>
			<title>Transfer Forest FSMO Roles</title>
<description>&lt;p&gt;You can transfer the two &lt;a href="http://www.briandesmond.com/active-directory/what-are-the-five-fsmo-roles/"&gt;forest-wide FSMO roles&lt;/a&gt; (Schema Master and Domain Naming Master) with the GUI or via the command line. To transfer the roles via the GUI, follow the steps below. If the server currently hosting the role you want to transfer is unavailable, you must instead &lt;a href="http://www.briandesmond.com/active-directory/how-to-seize-a-fsmo-role-with-ntdsutil/"&gt;seize the roles&lt;/a&gt;.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#schema"&gt;Schema Master&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#DNM"&gt;Domain Naming Master&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;&lt;a name="Schema"&gt;&lt;/a&gt;Transferring the Schema Master with the GUI&lt;/h2&gt;
&lt;p&gt;In this example, we will transfer the Schema Master FSMO role from a domain controller called COHO-CHI-ADC02.cohovines.com to a domain controller called COHO-SFO-ADC01.cohovines.com. You must first verify two prerequisites:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Ensure that you are using an account that is a member of the Schema Admins group.&lt;/li&gt;
&lt;li&gt;Ensure you have registered the Active Directory Schema MMC snap-in by &lt;a href="http://www.briandesmond.com/active-directory/how-to-register-active-directory-schema-mmc-snap-in/"&gt;following these directions&lt;/a&gt;.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Once you have verified the prerequisites, follow the steps below to transfer the Schema Master.&lt;/p&gt;
&lt;ol start="3"&gt;
&lt;li&gt;Open a new MMC (Start&amp;gt;Run&amp;gt;mmc) and add the Active Directory Schema snap-in.&lt;/li&gt;
&lt;li&gt;Right click the Active Directory Schema node under Console Root and click Change Active Directory Domain Controller… as shown below:&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/open-live-writer-transfer-forest-fsmo-roles_e0be-image_4.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" src="http://cdn.briandesmond.com/media2/open-live-writer-transfer-forest-fsmo-roles_e0be-image_thumb_1.png" border="0" alt="Change Active Directory Domain Controller" title="image" width="244" height="157" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="5"&gt;
&lt;li&gt;Select the domain controller you want to transfer the Schema Master role to. In this example, I selected COHO-SFO-ADC01:&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/open-live-writer-transfer-forest-fsmo-roles_e0be-image_6.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" src="http://cdn.briandesmond.com/media2/open-live-writer-transfer-forest-fsmo-roles_e0be-image_thumb_2.png" border="0" alt="Change Directory Server" title="image" width="508" height="344" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="6"&gt;
&lt;li&gt;You will receive a warning that the Active Directory Schema snap-in is not connected to the Schema operations master. This is normal and can be ignored.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/open-live-writer-transfer-forest-fsmo-roles_e0be-image_8.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" src="http://cdn.briandesmond.com/media2/open-live-writer-transfer-forest-fsmo-roles_e0be-image_thumb_3.png" border="0" alt="Active Directory Schema snap-in is not connected to the schema operations master. You will not be able to perform any changes. Schema modifications can only be made on the schema FSMO holder." title="image" width="338" height="139" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="7"&gt;
&lt;li&gt;Right click the Active Directory Schema node under Console Root and click Operations Master….&lt;/li&gt;
&lt;li&gt;The Change Schema Master dialog will show the current role holder (COHO-CHI-ADC02.cohovines.com in our example) and the target domain controller (COHO-SFO-ADC01.cohovines.com in our example). Confirm that the target server is the right server and then click Change.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/open-live-writer-transfer-forest-fsmo-roles_e0be-image_10.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" src="http://cdn.briandesmond.com/media2/open-live-writer-transfer-forest-fsmo-roles_e0be-image_thumb_4.png" border="0" alt="Change Schema Master" title="image" width="274" height="201" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="9"&gt;
&lt;li&gt;Click Yes on the ensuing confirmation dialog.&lt;/li&gt;
&lt;li&gt;If the operation succeeds, you will receive the message below:&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/open-live-writer-transfer-forest-fsmo-roles_e0be-image_12.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" src="http://cdn.briandesmond.com/media2/open-live-writer-transfer-forest-fsmo-roles_e0be-image_thumb_5.png" border="0" alt="Operations Master successfully transferred." title="image" width="244" height="117" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;&lt;a name="DNM"&gt;&lt;/a&gt;Transferring the Domain Naming Master with the GUI&lt;/h2&gt;
&lt;p&gt;In this example, we will transfer the Domain Naming Master FSMO role from a domain controller called COHO-CHI-ADC02.cohovines.com to a domain controller called COHO-SFO-ADC01.cohovines.com. Prior to beginning this procedure, you must be using an account that is a member of the Enterprise Admins group. Once you have verified that you have sufficient access, follow the steps below:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Launch the Active Directory Domains and Trusts MMC snap-in (Start&amp;gt;Run&amp;gt;domain.msc).&lt;/li&gt;
&lt;li&gt;Right click Active Directory Domains and Trusts and click Change Active Directory Domain Controller….&lt;/li&gt;
&lt;li&gt;Select the domain controller you want to transfer the Domain Naming Master role to. In this example, I selected COHO-SFO-ADC01:&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/open-live-writer-transfer-forest-fsmo-roles_e0be-image_14.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" src="http://cdn.briandesmond.com/media2/open-live-writer-transfer-forest-fsmo-roles_e0be-image_thumb_6.png" border="0" alt="Change Directory Server" title="image" width="508" height="344" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="4"&gt;
&lt;li&gt;Right click Active Directory Domains and Trusts and click Operations Master….&lt;/li&gt;
&lt;li&gt;The Operations Master dialog will show the current role holder (COHO-CHI-ADC02.cohovines.com in our example) and the target domain controller (COHO-SFO-ADC01.cohovines.com in our example). Confirm that the target server is the right server and then click Change.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/open-live-writer-transfer-forest-fsmo-roles_e0be-image_16.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" src="http://cdn.briandesmond.com/media2/open-live-writer-transfer-forest-fsmo-roles_e0be-image_thumb_7.png" border="0" alt="Operations Master" title="image" width="274" height="194" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="6"&gt;
&lt;li&gt;Click Yes on the ensuing confirmation dialog.&lt;/li&gt;
&lt;li&gt;If the operation succeeds, you will receive the message below:&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/open-live-writer-transfer-forest-fsmo-roles_e0be-image_18.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" src="http://cdn.briandesmond.com/media2/open-live-writer-transfer-forest-fsmo-roles_e0be-image_thumb_8.png" border="0" alt="The operations master was succesfully transferred." title="image" width="244" height="103" /&gt;&lt;/a&gt;&lt;/p&gt;</description>
			<a10:updated>2016-01-28T22:33:01Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1862</guid>
			<link>https://www.briandesmond.com/active-directory/how-to-register-active-directory-schema-mmc-snap-in/</link>
			<title>How to Register Active Directory Schema MMC Snap-In</title>
			<description>&lt;p&gt;By default, the Active Directory Schema MMC snap-in is not registered on domain controllers or machines with the Remote Server Administration Tools (RSAT) installed. To use the snap-in for the first time on a new machine, you’ll need to register the DLL. To do this, follow the steps below:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Open an elevated command prompt&lt;/li&gt;
&lt;li&gt;Run the following command: regsvr32 schmmgmt.dll&lt;/li&gt;
&lt;li&gt;You should receive a success message:&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/open-live-writer-how-to-transfer-schema-master-fsmo-role_df5a-image_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" src="http://cdn.briandesmond.com/media2/open-live-writer-how-to-transfer-schema-master-fsmo-role_df5a-image_thumb.png" border="0" alt="DllRegisterServer in schmmgmt.dll succeeded." title="DllRegisterServer in schmmgmt.dll succeeded." width="244" height="82" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Once you have registered the snap-in, you can add it to an MMC by following these steps:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Open a new MMC Console (Start&amp;gt;Run&amp;gt;mmc)&lt;/li&gt;
&lt;li&gt;In the MMC Console, go to File&amp;gt;Add/Remove Snap-in&lt;/li&gt;
&lt;li&gt;Add the Active Directory Schema snap-in as shown below:&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/open-live-writer-how-to-transfer-schema-master-fsmo-role_df5a-image_4.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" src="http://cdn.briandesmond.com/media2/open-live-writer-how-to-transfer-schema-master-fsmo-role_df5a-image_thumb_1.png" border="0" alt="Active Directory Schema Snap-In" title="Add or Remove Snap-ins" width="438" height="304" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Once you click OK, you’ll be able to access the snap-in through the MMC Console.&lt;/p&gt;</description>
			<a10:updated>2016-01-28T22:08:05Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1778</guid>
			<link>https://www.briandesmond.com/active-directory/remove-an-offline-domain-controller/</link>
			<title>Remove an Offline Domain Controller</title>
			<description>&lt;p&gt;Sometimes domain controllers encounter catastrophic failures that take them off the network permanently – perhaps a hardware failure or an extended network outage that exceeds the tombstone lifetime. In these cases, the traditional process of demoting the domain controller won’t work and you’ll be forced to manually clean up Active Directory instead. This manual process is known as metadata cleanup. Metadata cleanup removes all of the references to the domain controller from Active Directory so that things like replication continue to work without error. Depending on what version of Windows you’re working with, this can be as simple as deleting the domain controller’s computer account with AD Users and Computers, or it might require a trip to the command line to put ntdsutil to work.&lt;/p&gt;
&lt;h2&gt;Windows Server 2008 and Newer (Active Directory Users and Computers)&lt;/h2&gt;
&lt;p&gt;The Windows Server 2008 version of Active Directory Users and Computers (ADUC) introduced a convenient one-click approach to performing metadata cleanup. To take advantage of this feature, follow these steps:&lt;/p&gt;
&lt;div class="warning"&gt;If you are using the Windows Server 2003 version of ADUC, &lt;a href="#ntdsutil"&gt;skip down&lt;/a&gt; to the NTDSUtil version of these steps. The Windows Server 2003 version of ADUC will not perform a metadata cleanup for you!&lt;/div&gt;
&lt;ol&gt;
&lt;li&gt;Launch ADUC (Start&amp;gt;Run&amp;gt;dsa.msc) and browse to the Domain Controllers OU.&lt;/li&gt;
&lt;li&gt;Select the domain controller you want to delete. You will first receive the traditional prompt shown below:&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;img style="border-width: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/b697ece574f7_D736/image_9.png" border="0" alt="image" title="image" width="406" height="172" /&gt;&lt;/p&gt;
&lt;ol start="3"&gt;
&lt;li&gt;Once you click Yes, you will subsequently receive a confirmation prompt similar to the one shown below:&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;img style="border-width: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/b697ece574f7_D736/image_10.png" border="0" alt="image" title="image" width="562" height="252" /&gt;&lt;/p&gt;
&lt;ol start="4"&gt;
&lt;li&gt;If you’re certain that you want to proceed, check the box and click Delete. ADUC may prompt you for further confirmation if the domain controller is a Global Catalog or a FSMO role holder.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;That’s all there is to it. If the domain controller ever comes back online, you must either erase the server and reinstall Windows or perform a forced demotion of the domain controller.&lt;/p&gt;
&lt;h2&gt;&lt;a name="ntdsutil"&gt;&lt;/a&gt;Windows Server 2003 (NTDSUtil)&lt;/h2&gt;
&lt;p&gt;If you’re running Windows Server 2003 or you would rather do a metadata cleanup using the command line, the NTDSUtil command line utility is what you’ll need.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Open an elevated command prompt&lt;/li&gt;
&lt;li&gt;Type &lt;em&gt;ntdsutil&lt;/em&gt; and press Enter.&lt;/li&gt;
&lt;li&gt;Type &lt;em&gt;metadata cleanup&lt;/em&gt; and press Enter.&lt;/li&gt;
&lt;li&gt;Type &lt;em&gt;connections&lt;/em&gt; and press Enter.&lt;/li&gt;
&lt;li&gt;Type &lt;em&gt;connect to server coho-chi-adc02&lt;/em&gt; and press Enter.&lt;/li&gt;
&lt;li&gt;Type &lt;em&gt;quit&lt;/em&gt; and press Enter. After this step, your screen should look similar to the image below:&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;img style="border-width: 0px; margin: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/b697ece574f7_D736/image_48153083-1bc6-4330-b4ef-435094ee9956.png" border="0" alt="image" title="image" width="677" height="343" /&gt;&lt;/p&gt;
&lt;ol start="7"&gt;
&lt;li&gt;Type &lt;em&gt;select operation target&lt;/em&gt; and press Enter.&lt;/li&gt;
&lt;li&gt;Type &lt;em&gt;list domains&lt;/em&gt; and press Enter.&lt;/li&gt;
&lt;li&gt;Type &lt;em&gt;select domain 0&lt;/em&gt;, where 0 is the number of the listed domain that contains the domain controller you want to clean up.&lt;/li&gt;
&lt;li&gt;Type &lt;em&gt;list sites&lt;/em&gt; and press Enter.&lt;/li&gt;
&lt;li&gt;Type &lt;em&gt;select site 0&lt;/em&gt;, where 0 is the number of the listed site that contains the domain controller you want to clean up. After this step, your screen should look similar to the image below:&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;img style="margin: 0px; border: 0px currentColor; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/b697ece574f7_D736/image_f41349d1-79ec-4310-9f33-a1dbea5d9fbe.png" border="0" alt="image" title="image" width="675" height="340" /&gt;&lt;/p&gt;
&lt;ol start="12"&gt;
&lt;li&gt;Type &lt;em&gt;list servers in site&lt;/em&gt; and press Enter.&lt;/li&gt;
&lt;li&gt;Type &lt;em&gt;select server 0&lt;/em&gt;, where 0 is the number of the listed server that you want to clean up. After this step, your screen should look similar to the image below:&lt;/li&gt;
&lt;/ol&gt;
&lt;div class="note"&gt;If you discover that you selected the wrong domain or site, you can return to steps eight or ten.&lt;/div&gt;
&lt;p&gt;&lt;img style="margin: 0px; border: 0px currentColor; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/b697ece574f7_D736/image_bd496571-298f-49db-8c9e-03c04adb956a.png" border="0" alt="image" title="image" width="675" height="341" /&gt;&lt;/p&gt;
&lt;ol start="14"&gt;
&lt;li&gt;Type &lt;em&gt;quit&lt;/em&gt; and press Enter.&lt;/li&gt;
&lt;li&gt;Type &lt;em&gt;remove selected server&lt;/em&gt; and press Enter. You will be prompted to confirm your selection before continuing:&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;img style="border: 0px currentColor; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/b697ece574f7_D736/image_c3d6a8de-5b32-426d-a0c2-87a00b397f23.png" border="0" alt="image" title="image" width="494" height="243" /&gt;&lt;/p&gt;
&lt;p&gt;Once the process completes, you will see output similar to the following:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Transferring / Seizing FSMO roles off the selected server.&lt;br /&gt; Removing FRS metadata for the selected server.&lt;br /&gt; Searching for FRS members under "CN=COHO-CHI-ADC01,OU=Domain Controllers,DC=cohovines,DC=com".&lt;/p&gt;
&lt;p&gt;Removing FRS member "CN=COHO-CHI-ADC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cohovines,DC=com".&lt;br /&gt; Deleting subtree under "CN=COHO-CHI-ADC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cohovines,DC=com".&lt;br /&gt; Deleting subtree under "CN=COHO-CHI-ADC01,OU=Domain Controllers,DC=cohovines,DC=com".&lt;br /&gt; The attempt to remove the FRS settings on CN=COHO-CHI-ADC01,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com failed because "Element not found.";&lt;br /&gt; metadata cleanup is continuing.&lt;br /&gt; "CN=COHO-CHI-ADC01,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com" removed from server "coho-chi-adc02"&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;This completes the process to manually remove a domain controller from Active Directory by performing a metadata cleanup with NTDSUtil.&lt;/p&gt;</description>
			<a10:updated>2015-06-14T16:29:05Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1848</guid>
			<link>https://www.briandesmond.com/active-directory/how-to-configure-time-synchronization-on-the-pdc-emulator/</link>
			<title>How to Configure Time Synchronization on the PDC Emulator</title>
			<description>&lt;p&gt;Active Directory provides a time synchronization hierarchy that ensures that time dependent protocols such as Kerberos will work correctly. The PDC emulator in the forest root domain must be configured to synchronize with an authoritative external source – either a hardware clock, government time source, or another NTP server. As a matter of best practice, consider configuring a domain controller that has been identified as an alternate PDC emulator role holder to also synchronize with an external source. This way, if you transfer the PDCe FSMO role, you won’t need to reconfigure the time service on the new domain controller. Figure 2-5 from my book, &lt;em&gt;&lt;a href="http://www.amazon.com/gp/product/1449320023/ref=as_li_tl?ie=UTF8&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=1449320023&amp;amp;linkCode=as2&amp;amp;tag=briandesmocom-20&amp;amp;linkId=ZBMDWKVBHGXKBWKQ" target="_blank"&gt;Active Directory, 5th Edition&lt;/a&gt;&lt;/em&gt; shows how the time synchronization hierarchy works in a multi-domain forest:&lt;/p&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-27594d6c2c9c_a513-image_5.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-27594d6c2c9c_a513-image_thumb_1.png" border="0" alt="image" title="image" width="556" height="635" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;To configure the forest root PDCe role holder to synchronize with the NTP Pool Project’s NTP servers, execute the following commands from an elevated command prompt:&lt;/p&gt;
&lt;pre class="brush: bash;"&gt;w32tm /config /update /manualpeerlist:"0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org" /syncfromflags:manual /reliable:YES
w32tm /resync /rediscover /nowait&lt;/pre&gt;</description>
			<a10:updated>2015-06-13T22:08:41Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1844</guid>
			<link>https://www.briandesmond.com/active-directory/how-to-promote-a-domain-controller/</link>
			<title>How to Promote a Domain Controller</title>
<description>&lt;p&gt;The process to convert a member server to a domain controller (DC) – known as promotion – requires a number of inputs to complete the wizard. As Active Directory has evolved, additional steps and inputs have been added to the wizard, but the process itself has undergone very little change. If you are coming to Windows Server 2012 or newer from a previous version of Active Directory, the most noticeable change is that the dcpromo tool dating to Windows 2000 is gone. In fact, if you try to run dcpromo on a Windows Server 2012 or newer server, you’ll receive a message similar to this:&lt;/p&gt;
&lt;blockquote&gt;--------------------------- &lt;br /&gt;Active Directory Domain Services Installer &lt;br /&gt;--------------------------- &lt;br /&gt;The Active Directory Domain Services Installation Wizard is relocated in Server Manager. For more information, see &lt;a href="http://go.microsoft.com/fwlink/?LinkId=220921"&gt;http://go.microsoft.com/fwlink/?LinkId=220921&lt;/a&gt; &lt;br /&gt;--------------------------- &lt;br /&gt;OK &lt;br /&gt;---------------------------&lt;/blockquote&gt;
&lt;p&gt;Instead of dcpromo, you’ll need to use the new Active Directory Domain Services Configuration Wizard that is accessible from Server Manager. Alternately, you can use Windows PowerShell to promote a domain controller as &lt;a href="/active-directory/promote-a-domain-controller-with-windows-powershell/" target="_blank"&gt;described here&lt;/a&gt;. To begin, you’ll need to install the Active Directory Domain Services (AD DS) server role.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Open Server Manager and click Add roles and features.&lt;/li&gt;
&lt;li&gt;During the Installation Type step, choose Role-based or feature-based installation.&lt;/li&gt;
&lt;li&gt;In the Server Selection step, ensure the local server is selected.&lt;/li&gt;
&lt;li&gt;Select the Active Directory Domain Services role as shown below.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-59f4942ed9f5_fee3-snag-0002_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-59f4942ed9f5_fee3-snag-0002_thumb.png" border="0" alt="SNAG-0002" title="SNAG-0002" width="510" height="362" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="5"&gt;
&lt;li&gt;In the Features step, accept the defaults. Windows will automatically add additional features that are necessary to support AD DS.&lt;/li&gt;
&lt;li&gt;Continue through the wizard to the Results step. Once the AD DS role installation completes, click the Promote this server to a domain controller link as highlighted below.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-59f4942ed9f5_fee3-snag-0006_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-59f4942ed9f5_fee3-snag-0006_thumb.png" border="0" alt="SNAG-0006" title="SNAG-0006" width="510" height="362" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;At this point in the process, you have installed the AD DS server role and launched the AD DS Configuration Wizard that will be used to promote the server to be a domain controller. The remaining steps will illustrate the process to add an additional Windows Server 2012 R2 domain controller to an existing domain. The member server that will be promoted has the following attributes:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Domain – cohovines.com&lt;/li&gt;
&lt;li&gt;Site – Tokyo&lt;/li&gt;
&lt;li&gt;Read Only Domain Controller – No&lt;/li&gt;
&lt;li&gt;Global Catalog – Yes&lt;/li&gt;
&lt;li&gt;DNS Server – Yes&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;While the screenshots may vary slightly, the process is largely identical to prior versions of Windows Server.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;In the Deployment Configuration screen, specify the domain that the member server will become a domain controller for. You must also provide a set of Domain Admin credentials to complete the promotion process, as shown below.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-59f4942ed9f5_fee3-snag-0007_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-59f4942ed9f5_fee3-snag-0007_thumb.png" border="0" alt="SNAG-0007" title="SNAG-0007" width="510" height="375" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="2"&gt;
&lt;li&gt;In the Domain Controller Options step, you should:&lt;/li&gt;
&lt;ol class="auto-style1"&gt;
&lt;li&gt;Specify if the DC will run the DNS Server service, act as a Global Catalog, or function as a Read Only Domain Controller.&lt;/li&gt;
&lt;li&gt;Select the correct AD Site that the DC will be a member of.&lt;/li&gt;
&lt;li&gt;Provide a Directory Services Restore Mode (DSRM) password.&lt;/li&gt;
&lt;/ol&gt;&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-59f4942ed9f5_fee3-snag-0008_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-59f4942ed9f5_fee3-snag-0008_thumb.png" border="0" alt="SNAG-0008" title="SNAG-0008" width="510" height="375" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="3"&gt;
&lt;li&gt;Ignore the DNS Options step shown below and any warnings displayed. It is not relevant to adding a domain controller to an existing domain since it is assumed that you have a functional AD forest with working DNS prior to beginning this process.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-59f4942ed9f5_fee3-snag-0009_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-59f4942ed9f5_fee3-snag-0009_thumb.png" border="0" alt="SNAG-0009" title="SNAG-0009" width="510" height="373" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="4"&gt;
&lt;li&gt;On the Additional Options step, you can specify the source domain controller to perform initial replication to this server if necessary.&lt;/li&gt;
&lt;li&gt;On the Paths step, you may need to modify where the AD DS database (ntds.dit file), transaction logs, or SYSVOL share are stored if your standards dictate. In many cases, accepting the defaults is OK.&lt;/li&gt;
&lt;li&gt;Take a moment to review your selections on the Review Options step prior to continuing. You can save a copy of the Windows PowerShell command to promote a domain controller with the options you selected by clicking View script, as shown below.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-59f4942ed9f5_fee3-snag-0013_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-59f4942ed9f5_fee3-snag-0013_thumb.png" border="0" alt="SNAG-0013" title="SNAG-0013" width="510" height="375" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="7"&gt;
&lt;li&gt;The Prerequisites Checker will run and attempt to guarantee that the domain controller promotion will succeed. If there are any blocking issues, you will not be able to proceed until the issues are corrected. You may also receive warnings, for example about DNS zones as shown below, that can typically be ignored.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-59f4942ed9f5_fee3-snag-0014_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-59f4942ed9f5_fee3-snag-0014_thumb.png" border="0" alt="SNAG-0014" title="SNAG-0014" width="510" height="375" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="8"&gt;
&lt;li&gt;Click Install and then monitor the progress on the Results screen. The progress is subtly updated at the top of the screen as highlighted below.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-59f4942ed9f5_fee3-snag-0015_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-59f4942ed9f5_fee3-snag-0015_thumb.png" border="0" alt="SNAG-0015" title="SNAG-0015" width="510" height="375" /&gt;&lt;/a&gt;&lt;/p&gt;
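&lt;p&gt;The View script button in step 6 produces an ADDSDeployment script like the one below. This is an added example rather than the page's own output: it runs the same prerequisites check the wizard runs in step 7 and then promotes the server with the step 2 through 5 choices. The domain, site name, source DC and paths are constructed placeholders.&lt;/p&gt;

```powershell
# Added example (not the page's own script): PowerShell equivalent of the
# Add Domain Controller wizard choices. Values below are constructed placeholders.
Import-Module ADDSDeployment

$domainName = 'cohovines.com'
$siteName   = 'Chicago'
$sourceDc   = 'COHO-CHI-ADC02.cohovines.com'   # existing DC to replicate from (step 4)

# Step 1: Domain Admin credentials; step 2c: DSRM password. Both are prompted
# rather than hard-coded so they never end up in scripts or transcripts.
$domainCred = Get-Credential -Message "Domain Admin account in $domainName"
$dsrmPwd    = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Shared options: DNS server and Global Catalog (step 2a), site (2b),
# replication source (4), default paths (5). Add ReadOnlyReplica = $true for an RODC.
$options = @{
    DomainName                    = $domainName
    Credential                    = $domainCred
    SafeModeAdministratorPassword = $dsrmPwd
    InstallDns                    = $true
    NoGlobalCatalog               = $false
    SiteName                      = $siteName
    ReplicationSourceDC           = $sourceDc
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# Step 7: the same prerequisites checker the wizard runs. Nothing is changed yet;
# the result object carries the checker messages and a Status of Success or Error.
$check = Test-ADDSDomainControllerInstallation @options
$check.Message
if ($check.Status -ne 'Success') {
    throw 'Prerequisite check failed; fix the blocking issues before promoting.'
}

# Step 8: promote. -Force suppresses the confirmation prompt; the server reboots
# automatically when the promotion completes unless -NoRebootOnCompletion is added.
Install-ADDSDomainController @options -Force
```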
&lt;p&gt;Whether you leave the AD DS Configuration Wizard open or close it, the server will automatically reboot when the promotion process is complete. Once the server reboots, it will be a member of the domain chosen at the beginning of the wizard and ready to begin functioning as a domain controller.&lt;/p&gt;</description>
			<a10:updated>2015-06-13T22:08:23Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1776</guid>
			<link>https://www.briandesmond.com/active-directory/forcefully-demote-a-domain-controller/</link>
			<title>Forcefully Demote a Domain Controller</title>
			<description>&lt;p&gt;If you have a domain controller that is no longer on the network, hasn’t replicated during the forest’s tombstone lifetime, or has been cleaned up in Active Directory via metadata cleanup, you’ll need to do a forced demotion in order to get the server back to a normal state. The procedure to do this varies depending on whether the server in question is running Windows Server 2012 or newer, or if it’s running a prior version of Windows Server.&lt;/p&gt;
&lt;h2&gt;Windows Server 2012 and Newer (PowerShell)&lt;/h2&gt;
&lt;p&gt;The easiest way to forcefully demote a Windows Server 2012 (or newer) domain controller is with the Uninstall-ADDSDomainController PowerShell cmdlet.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Launch an elevated PowerShell prompt. You can do this by right clicking the PowerShell icon pinned to the taskbar:&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;img style="border-width: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Forcefully-Demote-a-Domain-Controller_DE1D/image_7ee60f5d-bf68-4017-97d5-3333c3164f62.png" border="0" alt="image" title="image" width="263" height="206" /&gt;&lt;/p&gt;
&lt;ol start="2"&gt;
&lt;li&gt;Next, run the following PowerShell command. You will be prompted to provide a local administrator password to be used after the server reboots. The cmdlet will provide some progress information prior to rebooting the server.&lt;/li&gt;
&lt;/ol&gt;
&lt;pre class="brush: ps;"&gt;Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole&lt;/pre&gt;
&lt;ol start="3"&gt;
&lt;li&gt;Once the server reboots, log in with the local administrator password you provided in the previous step. The server is now in a workgroup. If desired, you can safely promote the server back into service as a domain controller.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Windows Server 2008 R2 and Older (DCPromo)&lt;/h2&gt;
&lt;p&gt;Versions of Windows prior to Windows Server 2012 do not have a convenient PowerShell cmdlet for forceful demotion of a domain controller. Instead, you must run the DCPromo wizard with a secret parameter.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;From the Run dialog, enter “dcpromo /forceremoval”.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;img style="border-width: 0px; margin: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Forcefully-Demote-a-Domain-Controller_DE1D/image_4707fe58-0c0c-42ea-a8f8-6b044a430c1c.png" border="0" alt="image" title="image" width="404" height="199" /&gt;&lt;/p&gt;
&lt;ol start="2"&gt;
&lt;li&gt;If the domain controller holds any FSMO roles, you will receive a warning for each role. Following the completion of this process, you must seize these FSMO roles on new domain controller(s) to ensure that your forest continues to function correctly.&lt;/li&gt;
&lt;/ol&gt;
&lt;table border="0" cellspacing="2" cellpadding="2" width="600"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td width="200" valign="top"&gt;&lt;img style="border-width: 0px; margin: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Forcefully-Demote-a-Domain-Controller_DE1D/image_032e77d8-d4cb-42c3-9826-6e86deab1c90.png" border="0" alt="image" title="image" width="417" height="334" /&gt;&lt;/td&gt;
&lt;td width="200" valign="top"&gt;&lt;img style="border-width: 0px; margin: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Forcefully-Demote-a-Domain-Controller_DE1D/image_fb01d62f-f2d3-4459-a585-758dd0686616.png" border="0" alt="image" title="image" width="417" height="451" /&gt;&lt;/td&gt;
&lt;td width="200" valign="top"&gt;&lt;img style="border-width: 0px; margin: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Forcefully-Demote-a-Domain-Controller_DE1D/image_922707cc-0e7d-4e57-a490-017bd0309312.png" border="0" alt="image" title="image" width="418" height="334" /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td width="200" valign="top"&gt;&lt;strong&gt;RID Master Warning&lt;/strong&gt;&lt;/td&gt;
&lt;td width="200" valign="top"&gt;&lt;strong&gt;PDC Emulator Warning&lt;/strong&gt;&lt;/td&gt;
&lt;td width="200" valign="top"&gt;&lt;strong&gt;Infrastructure Master Warning&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td width="200" valign="top"&gt;&lt;img style="border-width: 0px; margin: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Forcefully-Demote-a-Domain-Controller_DE1D/image_9858a841-69b4-44b6-94cf-aa3dc814ffc2.png" border="0" alt="image" title="image" width="417" height="347" /&gt;&lt;/td&gt;
&lt;td width="200" valign="top"&gt;&lt;img style="border-width: 0px; margin: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Forcefully-Demote-a-Domain-Controller_DE1D/image_03c293a5-6d11-496d-a398-dcd62350c6f9.png" border="0" alt="image" title="image" width="416" height="321" /&gt;&lt;/td&gt;
&lt;td width="200" valign="top"&gt; &lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td width="200" valign="top"&gt;&lt;strong&gt;Domain Naming Master Warning&lt;/strong&gt;&lt;/td&gt;
&lt;td width="200" valign="top"&gt;&lt;strong&gt;Schema Master Warning&lt;/strong&gt;&lt;/td&gt;
&lt;td width="200" valign="top"&gt; &lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;ol start="3"&gt;
&lt;li&gt;If the domain controller is a global catalog or a DNS server, you will also be warned. In the case of DNS, ensure that clients aren’t looking to this server for their DNS needs.&lt;/li&gt;
&lt;/ol&gt;
&lt;table border="0" cellspacing="2" cellpadding="2" width="600"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td width="300" valign="top"&gt;&lt;img style="border-width: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Forcefully-Demote-a-Domain-Controller_DE1D/image_420deeff-883f-40ee-a972-e1223fe0c63b.png" border="0" alt="image" title="image" width="416" height="269" /&gt;&lt;/td&gt;
&lt;td width="300" valign="top"&gt;&lt;img style="border-width: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Forcefully-Demote-a-Domain-Controller_DE1D/image_49bedc72-102d-4aa2-bd43-741df2336af8.png" border="0" alt="image" title="image" width="416" height="230" /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td width="300" valign="top"&gt;&lt;strong&gt;DNS Server Warning&lt;/strong&gt;&lt;/td&gt;
&lt;td width="300" valign="top"&gt;&lt;strong&gt;Global Catalog Warning&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;ol start="4"&gt;
&lt;li&gt;Once any necessary warnings have been displayed, the wizard will start.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;img style="border-width: 0px; margin: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Forcefully-Demote-a-Domain-Controller_DE1D/image_5a7c88dd-5982-4ca6-8652-8f068b19b805.png" border="0" alt="image" title="image" width="503" height="476" /&gt;&lt;/p&gt;
&lt;p&gt;&lt;img style="border-width: 0px; margin: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Forcefully-Demote-a-Domain-Controller_DE1D/image_e94c87cc-f1fe-49ea-959e-22f8cea28f9e.png" border="0" alt="image" title="image" width="503" height="476" /&gt;&lt;/p&gt;
&lt;ol start="5"&gt;
&lt;li&gt;You must supply a new local administrator password. This password will be used to log in to the server following the completion of the forced demotion process. This password must comply with the domain password policy that applies to the domain controller.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;img style="border-width: 0px; margin: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Forcefully-Demote-a-Domain-Controller_DE1D/image_e87e1868-6a87-4b1d-a8e9-32b4d415d767.png" border="0" alt="image" title="image" width="503" height="476" /&gt;&lt;/p&gt;
&lt;ol start="6"&gt;
&lt;li&gt;Once you’re sure you want to proceed, click Next to begin the process.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;img style="border-width: 0px; margin: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Forcefully-Demote-a-Domain-Controller_DE1D/image_3c2a21cd-adc4-49a4-95d2-e3548eb3c94c.png" border="0" alt="image" title="image" width="503" height="476" /&gt;&lt;/p&gt;
&lt;ol start="7"&gt;
&lt;li&gt;The demotion process will take some time to complete. The progress dialog provides information about what task is currently being performed, but no indication of overall progress.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;img style="border-width: 0px; margin: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Forcefully-Demote-a-Domain-Controller_DE1D/image_5002edd2-5e1a-4970-a3db-e0652bdbc23d.png" border="0" alt="image" title="image" width="436" height="305" /&gt;&lt;/p&gt;
&lt;ol start="8"&gt;
&lt;li&gt;If you didn’t check Reboot on completion, the wizard will let you know when it’s done.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;img style="border-width: 0px; margin: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Forcefully-Demote-a-Domain-Controller_DE1D/image_74faacb1-aeb3-4b83-8cc1-90e8f78b0924.png" border="0" alt="image" title="image" width="503" height="476" /&gt;&lt;/p&gt;
&lt;p&gt;Once the server reboots, you should immediately seize any FSMO roles that were previously held and perform a metadata cleanup. You can then safely promote the server back to domain controller status if desired.&lt;/p&gt;
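&lt;p&gt;The seizure and metadata cleanup that must follow either of the forced demotions above, written as an added example that is not part of the original post. It is run on a healthy domain controller with the ActiveDirectory module; the two server names are constructed placeholders, and the demoted DC is checked to be unreachable before any role is seized, since seizing a role whose holder is still alive leaves two holders of that role.&lt;/p&gt;

```powershell
# Added example (not the page's own script). Run on a healthy DC. Server names
# are constructed placeholders: the DC that was forcibly demoted and the DC that
# should take over its roles.
Import-Module ActiveDirectory

$deadDc    = 'COHO-CHI-ADC03'
$healthyDc = 'COHO-CHI-ADC02.cohovines.com'

# Safety check: only seize when the old holder really is gone.
if (Test-Connection -ComputerName $deadDc -Count 1 -Quiet) {
    throw "$deadDc still answers on the network; transfer the roles instead of seizing them."
}

# 1. Which operations master roles still point at the dead DC?
$domain  = Get-ADDomain -Server $healthyDc
$forest  = Get-ADForest -Server $healthyDc
$holders = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$rolesToSeize = @($holders.GetEnumerator() |
    Where-Object { $_.Value -like "${deadDc}.*" } |
    ForEach-Object { $_.Key })
"Roles held by ${deadDc}: $($rolesToSeize -join ', ')"

# 2. Seize them. -Force turns the transfer into a seizure (no handshake with the old holder).
if ($rolesToSeize.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $healthyDc `
        -OperationMasterRole $rolesToSeize -Force -Confirm:$false
}

# 3. Metadata cleanup: remove the dead DC's server object from the configuration
#    partition. ntdsutil removes the NTDS Settings object and computer account with it.
$configNc  = (Get-ADRootDSE -Server $healthyDc).configurationNamingContext
$serverObj = Get-ADObject -Server $healthyDc -SearchBase "CN=Sites,$configNc" `
    -Filter "objectClass -eq 'server' -and Name -eq '$deadDc'"
if ($serverObj) {
    ntdsutil "metadata cleanup" "remove selected server $($serverObj.DistinguishedName)" quit quit
}

# 4. Verify: the dead DC no longer appears and every role has a live holder.
Get-ADDomainController -Filter * -Server $healthyDc | Select-Object Name, OperationMasterRoles
```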
</description>
			<a10:updated>2015-02-25T11:00:13Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1847</guid>
			<link>https://www.briandesmond.com/active-directory/installing-the-web-application-proxy-to-publish-ad-fs/</link>
			<title>Installing the Web Application Proxy to Publish AD FS</title>
			<description>&lt;p&gt;One of the new additions with Windows Server 2012 R2 was the Web Application Proxy (WAP) feature. If you have deployed AD FS on Windows Server 2008 R2, the WAP replaces the AD FS proxy. WAP is not a direct replacement for AD FS – it is much more.&lt;/p&gt;
&lt;p&gt;Once you have &lt;a href="/active-directory/install-the-first-active-directory-federation-services-farm-member/" target="_blank"&gt;installed AD FS&lt;/a&gt;, you can install the first WAP server to publish AD FS. You’ll need to have a number of prerequisites in order prior to beginning the installation process:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Server or virtual machine&lt;/strong&gt; – ensure that the host meets the minimum requirements for Windows Server 2012 R2&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Firewall&lt;/strong&gt; – the WAP will need SSL (TCP 443) access to the AD FS federation server. If you are domain joining the WAP server, it must also have access to domain controllers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SSL Certificate &lt;/strong&gt;– install a certificate that matches the AD FS host name (e.g. fs.cohovines.com) or a wildcard certificate in the machine certificate store. You should plan to use a commercially issued certificate from a public certification authority such as &lt;a href="https://www.digicert.com/099718/" target="_blank"&gt;DigiCert&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;div&gt;If you will be using the Device Registration Service for Workplace Join, you will need to add subject alternate names (SANs) to your SSL certificate. For each User Principal Name (UPN) suffix that will be supported, you must add a SAN in the format of enterpriseregistration.&amp;lt;UPN Suffix&amp;gt;. For example, in my environment, users have a UPN suffix of cohovines.com. To support Workplace Join, my service communications certificate will need a SAN of enterpriseregistration.cohovines.com.&lt;/div&gt;
&lt;p&gt;Once you have all the prerequisite items in place, you can begin installing the first WAP server.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Open Server Manager and click ‘Add roles and features’.&lt;/li&gt;
&lt;li&gt;During the Server Selection step of the Add Roles and Features Wizard, shown below, you can elect to install WAP on multiple servers if you have added them to a pool in Server Manager. If you will be installing a server farm, this is a handy time-saving feature.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-installing-the-web-application-proxy-to-_109af-snag-0002_4.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-installing-the-web-application-proxy-to-_109af-snag-0002_thumb_1.png" border="0" alt="SNAG-0002" title="SNAG-0002" width="510" height="362" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="3"&gt;
&lt;li&gt;On the next screen, Server Roles, select Remote Access as shown below.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-installing-the-web-application-proxy-to-_109af-snag-0003_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-installing-the-web-application-proxy-to-_109af-snag-0003_thumb.png" border="0" alt="SNAG-0003" title="SNAG-0003" width="510" height="362" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="4"&gt;
&lt;li&gt;On the Remote Access Role Services screen, select Web Application proxy as shown below.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-installing-the-web-application-proxy-to-_109af-snag-0004_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-installing-the-web-application-proxy-to-_109af-snag-0004_thumb.png" border="0" alt="SNAG-0004" title="SNAG-0004" width="510" height="362" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="5"&gt;
&lt;li&gt;Complete the wizard to install the WAP service of the Remote Access role.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Once WAP is installed, you can use the Remote Access Management Console to configure WAP to publish AD FS.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Launch the Remote Access Management Console. This Console is accessible from the Tools menu in Server Manager.&lt;/li&gt;
&lt;li&gt;Select Web Application Proxy on the left side of the window and then click Run the Web Application Proxy Configuration Wizard.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-installing-the-web-application-proxy-to-_109af-snag-0017_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-installing-the-web-application-proxy-to-_109af-snag-0017_thumb.png" border="0" alt="SNAG-0017" title="SNAG-0017" width="692" height="227" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="3"&gt;
&lt;li&gt;Enter the FQDN of your AD FS farm as well as a local administrator account on the AD FS servers. This account is only used to set up trust during the configuration process.&lt;/li&gt;
&lt;/ol&gt;
&lt;div&gt;If the FQDN of your AD FS farm does not resolve to the correct IP address, you must add the AD FS farm FQDN to the HOSTS file on your WAP server. The HOSTS file is located in c:\windows\system32\drivers\etc.&lt;/div&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-installing-the-web-application-proxy-to-_109af-snag-0016_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-installing-the-web-application-proxy-to-_109af-snag-0016_thumb.png" border="0" alt="SNAG-0016" title="SNAG-0016" width="510" height="415" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="4"&gt;
&lt;li&gt;Select a certificate from the machine’s store for WAP to listen with when proxying to AD FS.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-installing-the-web-application-proxy-to-_109af-snag-0014_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-installing-the-web-application-proxy-to-_109af-snag-0014_thumb.png" border="0" alt="SNAG-0014" title="SNAG-0014" width="510" height="415" /&gt;&lt;/a&gt;&lt;/p&gt;
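&lt;p&gt;An added example, not part of the original post, that checks the firewall and certificate prerequisites listed earlier from the WAP host and then runs the PowerShell equivalent of the configuration wizard (steps 3 and 4). The federation service name, UPN suffix list and the Test-NameCovered helper are constructed for the example; the certificate check covers the enterpriseregistration SAN requirement for Workplace Join.&lt;/p&gt;

```powershell
# Added example (not the page's own script). Run on the WAP server.
# $fsName and $upnSuffixes are constructed placeholders.
$fsName      = 'fs.cohovines.com'
$upnSuffixes = @('cohovines.com')   # one enterpriseregistration SAN is needed per suffix

# Helper (constructed for this example): does a certificate DNS name cover a host name?
# Exact match, or a wildcard covering exactly one extra label
# (*.cohovines.com covers fs.cohovines.com but not a.b.cohovines.com).
function Test-NameCovered {
    param([string]$CertName, [string]$HostName)
    if ($CertName -eq $HostName) { return $true }
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)                 # '.cohovines.com'
        if (-not $HostName.EndsWith($suffix)) { return $false }
        $prefix = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($prefix.Length -gt 0) -and ($prefix -notmatch '\.')
    }
    return $false
}

$required = @($fsName) + @($upnSuffixes | ForEach-Object { "enterpriseregistration.$_" })

# 1. Firewall prerequisite: the federation name must resolve and TCP 443 must be open.
#    If the name resolves to the wrong address, add it to the HOSTS file as noted above.
$probe = Test-NetConnection -ComputerName $fsName -Port 443
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach $fsName on TCP 443 from this host (resolved to $($probe.RemoteAddress))."
}

# 2. Certificate prerequisite: a machine-store certificate with a private key, not
#    expired, whose DNS names cover the federation name and every DRS SAN.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $c = $_
    $c.HasPrivateKey -and $c.NotAfter -gt (Get-Date) -and
    -not ($required | Where-Object {
        $name = $_
        -not ($c.DnsNameList.Unicode | Where-Object { Test-NameCovered $_ $name })
    })
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate in LocalMachine\My covers: $($required -join ', ')" }
"Using certificate $($cert.Subject) with thumbprint $($cert.Thumbprint)"

# 3. Install the role service, then the equivalent of the configuration wizard.
#    The trust credential is a local administrator on the AD FS server and is used
#    only to establish the proxy trust, as the article notes.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$trustCred = Get-Credential -Message 'Local administrator on the AD FS servers (trust setup only)'
Install-WebApplicationProxy -FederationServiceName $fsName `
    -FederationServiceTrustCredential $trustCred `
    -CertificateThumbprint $cert.Thumbprint
```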
&lt;p&gt;Once the wizard completes, you can publish the WAP server through your firewall on TCP port 443. This completes the tasks necessary to publish AD FS externally with WAP.&lt;/p&gt;</description>
			<a10:updated>2015-02-23T11:00:34Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1840</guid>
			<link>https://www.briandesmond.com/active-directory/install-the-first-active-directory-federation-services-farm-member/</link>
			<title>Install the First Active Directory Federation Services Farm Member</title>
			<description>&lt;p&gt;In this article, we’ll walk through the steps necessary to install the first Windows Server 2012 R2 federation server in an Active Directory Federation Services (AD FS) farm. Subsequent articles will walk through the steps necessary to add additional farm members, install the Web Application Proxy role, and customize AD FS for your organization.&lt;/p&gt;
&lt;p&gt;Prior to installing the first server, you’ll need to organize a number of prerequisites for the installation:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Server or Virtual Machine &lt;/strong&gt;– Ensure that the machine meets the &lt;a href="http://technet.microsoft.com/en-us/library/dn554247.aspx#BKMK_2" target="_blank"&gt;minimum system requirements&lt;/a&gt; and is domain joined&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Service Account or Group Managed Service Account&lt;/strong&gt; – AD FS requires a service account that will be used for Kerberos authentication as well as managing access to security keys across farm members. If you install the service in a domain with at least one Windows Server 2012 domain controller, you can use a Group Managed Service Account (gMSA). Using a gMSA is the recommended approach, and the installation wizard can create and configure a gMSA for you if you have enough access to the directory. If not, create a gMSA in advance for use with AD FS.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Federation Service Name&lt;/strong&gt; – You will need to choose a DNS name for the federation service. This name will be referenced by clients and relying parties when accessing AD FS. Common hostnames for the federation service include ‘FS’, ‘STS’, and ‘IDP’ (federation service, security token service, and identity provider, respectively). In this example we will use the FS hostname with a fully qualified domain name of fs.cohovines.com.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SSL Certificates&lt;/strong&gt; – The AD FS service uses three SSL certificates – the service communications certificate, the token signing certificate, and the token decryption certificate. The setup wizard requires that you provide a certificate for service communications, while by default, self-signed token signing and token decryption certificates will be generated by AD FS. The service communications certificate is used to secure the HTTPS traffic between clients and AD FS and should be trusted by internal and external clients that will access the service. You should plan to use a commercially issued certificate to ensure trust from a public certification authority such as &lt;a href="https://www.digicert.com/099718/" target="_blank"&gt;DigiCert&lt;/a&gt;. The common name of the certificate should match the federation service name, e.g. fs.cohovines.com. You can choose whether or not to buy a commercial certificate for token signing and token decryption. Generally speaking, interoperability with third parties is much easier if you choose to buy a commercial certificate for this task. Be sure to get the maximum lifetime possible for the certificate (e.g. 3 years). Changing the certificate later will be an involved process, so it is best to make this design decision up front.&lt;/li&gt;
&lt;/ul&gt;
&lt;div&gt;If you will be using the Device Registration Service for Workplace Join, you will need to add subject alternate names (SANs) to your service communications certificate. For each User Principal Name (UPN) suffix that will be supported, you must add a SAN in the format of enterpriseregistration.&amp;lt;UPN Suffix&amp;gt;. For example, in my environment, users have a UPN suffix of cohovines.com. To support Workplace Join, my service communications certificate will need a SAN of enterpriseregistration.cohovines.com. You may also use a wildcard certificate for the service communications certificate.&lt;/div&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;SQL Server or Windows Internal Database &lt;/strong&gt;– AD FS uses SQL Server to store server configuration and for two optional features. In lieu of using a full SQL Server installation, AD FS can install the Windows Internal Database (WID), a stripped down version of SQL Server, on each federation server. Prior to installing the first AD FS server, decide whether to use WID or SQL Server for the AD FS farm. If you expect to need to support more than 100 relying parties, or more than five federation servers, Microsoft recommends that you use the full version of SQL Server. Likewise, if you have a need for SAML Artifact Resolution or Token Replay Detection for external claims providers, you must use SQL Server. Review this &lt;a href="http://technet.microsoft.com/en-us/library/dn554241.aspx" target="_blank"&gt;TechNet Library document&lt;/a&gt; for more information on this decision. If you elect to use SQL Server, don’t forget to factor in high availability for SQL Server (e.g. clustering or mirroring).&lt;/li&gt;
&lt;/ul&gt;
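&lt;p&gt;Creating the gMSA in advance, for the case the Service Account prerequisite mentions where the account running the wizard cannot create one itself. This is an added example and not the article's own script; it assumes the ActiveDirectory module, at least one Windows Server 2012 domain controller, and uses constructed placeholder names for the account, the group and the farm members.&lt;/p&gt;

```powershell
# Added example (not the page's own script). Run as a domain administrator.
# Account, group, federation name and host names are constructed placeholders.
Import-Module ActiveDirectory

$gmsaName  = 'svc-adfs'
$fsName    = 'fs.cohovines.com'
$adfsHosts = @('COHO-CHI-FS01', 'COHO-CHI-FS02')   # current and planned farm members
$groupName = 'ADFS-Farm-Servers'

# gMSA passwords are derived from a KDS root key, so the forest needs one before the
# first gMSA can be created. A key becomes usable 10 hours after its effective time,
# which gives every DC time to replicate it. Backdating is for labs only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)   # production: -EffectiveImmediately, then wait
}

# Grant password retrieval to a group rather than to individual hosts, so that adding
# a farm member later is a group membership change and the gMSA itself stays untouched.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -PassThru
}
foreach ($h in $adfsHosts) {
    Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $h)
}

# The SPN is the one AD FS uses for Kerberos: HOST/ followed by the federation service name.
New-ADServiceAccount -Name $gmsaName -DNSHostName $fsName `
    -ServicePrincipalNames "host/$fsName" `
    -PrincipalsAllowedToRetrieveManagedPassword $group

# Each farm member must reboot to pick up its new group membership. Afterwards, on the
# member, Test-ADServiceAccount -Identity $gmsaName returns True when the host can
# retrieve the password, which is the check to run before pointing the wizard at the gMSA.
```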
&lt;p&gt;Once you have completed all of the prerequisite tasks, you can begin installing the first AD FS server.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Open Server Manager and click ‘Add roles and features’.&lt;/li&gt;
&lt;li&gt;During the Server Selection step of the Add Roles and Features Wizard, shown below, you can elect to install AD FS on multiple servers if you have added them to a pool in Server Manager. If you will be installing a server farm, this is a handy time-saving feature.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-ede329f512b4_bea8-snag-0003_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-ede329f512b4_bea8-snag-0003_thumb.png" border="0" alt="SNAG-0003" title="SNAG-0003" width="506" height="360" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="3"&gt;
&lt;li&gt;On the next screen, Server Roles, select Active Directory Federation Services as shown below. This will automatically add any missing features that AD FS requires to the wizard’s task list.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-ede329f512b4_bea8-snag-0004_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-ede329f512b4_bea8-snag-0004_thumb.png" border="0" alt="SNAG-0004" title="SNAG-0004" width="506" height="360" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="4"&gt;
&lt;li&gt;Proceed through the remainder of the wizard. Once you reach the Results page, shown below, click the ‘Configure the federation service on this server’ hyperlink to begin the AD FS installation process.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-ede329f512b4_bea8-snag-0008_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-ede329f512b4_bea8-snag-0008_thumb.png" border="0" alt="SNAG-0008" title="SNAG-0008" width="506" height="360" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The AD FS Configuration Wizard will complete the process of installing AD FS on the server. Since this is the first server in the farm, you will need to provide inputs based on the prerequisite decisions discussed earlier in the article.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;On the Welcome page, shown below, ensure that Create the first federation server in the federation server farm is selected at the bottom of the screen.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-ede329f512b4_bea8-image_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-ede329f512b4_bea8-image_thumb.png" border="0" alt="image" title="image" width="506" height="372" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="2"&gt;
&lt;li&gt;On the Connect to AD DS page, provide a domain administrator account for installing the federation service. Elevated credentials are required to create a distributed key management object for AD FS in the Domain’s Program Data container. These credentials are only required during the installation process.&lt;/li&gt;
&lt;li&gt;On the Specify Service Properties page, shown below, use the decisions made during the prerequisites section of this article to populate the inputs. The SSL Certificate is the Service Communications Certificate. The dropdown list will show any valid certificates that are already imported. You can use the Import button to import a PFX file containing the certificate that AD FS should use. The federation service name must match the certificate selected. Finally, the Federation Service Display Name is displayed on the default login pages and can be easily changed later.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-ede329f512b4_bea8-snag-0013_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-ede329f512b4_bea8-snag-0013_thumb.png" border="0" alt="SNAG-0013" title="SNAG-0013" width="506" height="370" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="4"&gt;
&lt;li&gt;On the Specify Service Account page, shown below, provide details for the service account that the AD FS farm should use. As discussed earlier, a gMSA is the preferred option when possible. If you are running the wizard with sufficient permissions, the wizard can automatically create a gMSA for you. Otherwise, select the second option to specify an existing gMSA or standard domain user account.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-ede329f512b4_bea8-snag-0014_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-ede329f512b4_bea8-snag-0014_thumb.png" border="0" alt="SNAG-0014" title="SNAG-0014" width="506" height="370" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="5"&gt;
&lt;li&gt;On the Specify Database page, provide the details for an external SQL Server if you will be using SQL Server. If you will be using WID, accept the defaults and continue.&lt;/li&gt;
&lt;li&gt;A useful option on the Review Options page is the View script button. If you click this button, the AD FS Configuration Wizard will provide the PowerShell script equivalent to the options you chose in the wizard.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-ede329f512b4_bea8-image_4.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-ede329f512b4_bea8-image_thumb_1.png" border="0" alt="image" title="image" width="506" height="370" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The script below shows the equivalent PowerShell syntax for the options selected in the wizard.&lt;/p&gt;
&lt;pre class="brush: ps;"&gt;Import-Module ADFS

Install-AdfsFarm `
-CertificateThumbprint:"794CAF64196F53F71DF39BE16E4BADDF4FD277C8" `
-FederationServiceDisplayName:"Coho Vineyard" `
-FederationServiceName:"fs.cohovines.com" `
-GroupServiceAccountIdentifier:"COHOVINES\svc_ADFS`$"&lt;/pre&gt;
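&lt;p&gt;The wizard only complains about the certificate once you reach the Specify Service Properties page. The check below is an added example, not part of the original post or of the AD FS tooling: it confirms ahead of time that the certificate in the machine store covers the federation service name, has its private key, carries the Server Authentication EKU, and that the service name is not this server’s own FQDN (AD FS rejects that because the computer account’s HOST SPN would satisfy the HTTP SPN the service account needs). The thumbprint and name are the ones from the script above; the function name is my own.&lt;/p&gt;

```powershell
$thumbprint            = "794CAF64196F53F71DF39BE16E4BADDF4FD277C8"   # from the wizard script above
$federationServiceName = "fs.cohovines.com"                           # from the wizard script above

function Test-FederationServiceCertificate([string]$Thumbprint, [string]$ServiceName) {
    # Install-AdfsFarm looks the certificate up by thumbprint in LocalMachine\My.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $problems = @()

    # The private key has to be in the machine store; a public-only import is not enough.
    if (-not $cert.HasPrivateKey) { $problems += "no private key present in LocalMachine\My" }

    # If the certificate restricts EKUs, Server Authentication (1.3.6.1.5.5.7.3.1) must be among them.
    if ($cert.EnhancedKeyUsageList.Count -gt 0 -and
        -not ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })) {
        $problems += "certificate lacks the Server Authentication EKU"
    }

    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "certificate expires on $($cert.NotAfter)" }

    # DnsNameList is PowerShell's view of the SAN dNSName entries (or the CN when there is no SAN).
    # A wildcard entry covers exactly one label, so *.cohovines.com matches fs.cohovines.com only.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $covered = $false
    foreach ($name in $names) {
        if ($name -ieq $ServiceName) { $covered = $true; break }
        if ($name.StartsWith('*.') -and $ServiceName -match '^[^.]+\.(.+)$' -and $Matches[1] -ieq $name.Substring(2)) {
            $covered = $true; break
        }
    }
    if (-not $covered) { $problems += "none of [$($names -join ', ')] matches $ServiceName" }

    # The federation service name must differ from the server's own FQDN: HOST/fqdn on the computer
    # account would otherwise claim the HTTP/fqdn SPN that the AD FS service account has to own.
    $hostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if ($ServiceName -ieq $hostFqdn) { $problems += "service name equals this server's FQDN ($hostFqdn)" }

    return $problems
}

$issues = @(Test-FederationServiceCertificate -Thumbprint $thumbprint -ServiceName $federationServiceName)
if ($issues.Count -eq 0) {
    "OK: $thumbprint covers $federationServiceName; safe to pass to Install-AdfsFarm"
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

&lt;p&gt;Run it on the server that will become the first farm member, after importing the PFX and before launching the wizard or Install-AdfsFarm. If you plan to use Workplace Join on Windows Server 2012 R2, add a second name check for enterpriseregistration followed by each UPN suffix, since the Device Registration Service expects that name on the same certificate.&lt;/p&gt;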
&lt;ol start="7"&gt;
&lt;li&gt;Complete the wizard. Once the Results page is shown, you will be able to begin managing the AD FS farm configuration.&lt;/li&gt;
&lt;li&gt;To open the AD FS MMC, open the Start screen and search for ‘AD FS’ as shown below. For convenience, you may want to pin the MMC to the Taskbar so it is easily accessible in the future.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-ede329f512b4_bea8-snag-0009_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-ede329f512b4_bea8-snag-0009_thumb.png" border="0" alt="SNAG-0009" title="SNAG-0009" width="348" height="236" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;In summary, the first AD FS federation server is now installed and ready for configuration, the addition of additional farm members, and publication with the Web Application Proxy. In future articles, we will walk through the steps to perform all three of these tasks.&lt;/p&gt;</description>
			<a10:updated>2015-02-02T15:30:15Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1841</guid>
			<link>https://www.briandesmond.com/active-directory/how-to-make-a-domain-controller-a-global-catalog/</link>
			<title>How to Make a Domain Controller a Global Catalog</title>
			<description>&lt;p&gt;Promoting a domain controller to be a global catalog is a simple change that initiates replication of the partial attribute set for each domain in the forest (other than the domain controller’s domain).&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;To make a domain controller a global catalog, start by launching the Active Directory Sites and Services MMC snap-in. A quick way to launch the snap-in is to run “dssite.msc” from the Run dialog.&lt;/li&gt;
&lt;li&gt;Browse to the Site containing the domain controller, and expand the Servers container as shown below.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-how-to-make-a-domain-controller-a-global_10a91-image_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-how-to-make-a-domain-controller-a-global_10a91-image_thumb.png" border="0" alt="image" title="image" width="526" height="243" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="3"&gt;
&lt;li&gt;Double click the domain controller that you will be promoting to a global catalog as shown below.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-how-to-make-a-domain-controller-a-global_10a91-image_4.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-how-to-make-a-domain-controller-a-global_10a91-image_thumb_1.png" border="0" alt="image" title="image" width="526" height="241" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="4"&gt;
&lt;li&gt;Open the Properties of the NTDS Settings object.&lt;/li&gt;
&lt;li&gt;Check the Global Catalog box shown below.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-how-to-make-a-domain-controller-a-global_10a91-image_6.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-how-to-make-a-domain-controller-a-global_10a91-image_thumb_2.png" border="0" alt="image" title="image" width="369" height="410" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;div&gt;Starting with the Windows Server 2008 R2 Remote Server Administration Tools (RSAT), you can also promote a domain controller to be a global catalog from AD Users and Computers. Find the Domain Controller's computer account, open the Properties of the object, and click the NTDS Settings button to open the dialog shown above.&lt;/div&gt;
&lt;p&gt;You can use LDP to check when the domain controller has completed the initial replication of the partial attribute set. Once this replication completes, it will advertise itself as a global catalog and be accessible to clients.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Run “LDP” from the Run dialog.&lt;/li&gt;
&lt;li&gt;Click Connection&amp;gt;Connect… and enter the name of the domain controller you are promoting.&lt;/li&gt;
&lt;li&gt;Check the isGlobalCatalogReady attribute of RootDSE as shown below.&lt;/li&gt;
&lt;li&gt;If the isGlobalCatalogReady attribute is FALSE, click Connection&amp;gt;Disconnect and then repeat steps two and three until the isGlobalCatalogReady attribute is TRUE.&lt;/li&gt;
&lt;/ol&gt;
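&lt;p&gt;The same promotion and readiness check from PowerShell, as an added example that is not part of the original post. It sets the NTDSDSA_OPT_IS_GC bit (value 1) in the options attribute of the NTDS Settings object, which is exactly what the Global Catalog checkbox does, writes it directly to the target domain controller so it takes effect without waiting for replication, and then polls isGlobalCatalogReady on that domain controller’s RootDSE the way the LDP steps do. The domain controller name and the function names are assumptions.&lt;/p&gt;

```powershell
Import-Module ActiveDirectory

$dcName = "COHO-CHI-ADC02"   # assumed: the domain controller being promoted to a global catalog

function Enable-GlobalCatalog([string]$DomainController) {
    $dc   = Get-ADDomainController -Identity $DomainController
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $dc.HostName -Properties options
    $options  = [int]$ntds.options      # an unset attribute reads as 0
    $isGcFlag = 1                       # NTDSDSA_OPT_IS_GC, the bit the checkbox sets
    if (($options -band $isGcFlag) -eq 0) {
        # Write to the DC itself so it begins replicating the partial attribute set immediately.
        Set-ADObject -Identity $ntds -Server $dc.HostName -Replace @{ options = ($options -bor $isGcFlag) }
    }
    return $dc.HostName
}

function Test-GlobalCatalogReady([string]$Server) {
    # The same RootDSE attribute the LDP steps inspect; it becomes TRUE only after the
    # partial attribute set of every other domain in the forest has replicated in.
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    return ([string]$rootDse.isGlobalCatalogReady) -eq 'TRUE'
}

$hostName = Enable-GlobalCatalog -DomainController $dcName
$deadline = (Get-Date).AddHours(2)      # initial PAS replication across a WAN can take a while
while (-not (Test-GlobalCatalogReady -Server $hostName)) {
    if ((Get-Date) -gt $deadline) {
        throw "$hostName is still not advertising as a GC; check replication with repadmin /showrepl $hostName"
    }
    Start-Sleep -Seconds 60
}
"$hostName is now advertising as a global catalog"
(Get-ADDomainController -Identity $dcName -Server $hostName).IsGlobalCatalog   # the module's view of the same flag
```

&lt;p&gt;Until the loop exits, clients and DC locator will not hand out this server for GC lookups, so there is no need to hold off promotion during business hours; the only cost is the replication traffic of the partial attribute set.&lt;/p&gt;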
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-how-to-make-a-domain-controller-a-global_10a91-image_8.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-how-to-make-a-domain-controller-a-global_10a91-image_thumb_3.png" border="0" alt="image" title="image" width="526" height="228" /&gt;&lt;/a&gt;&lt;/p&gt;</description>
			<a10:updated>2014-12-10T14:00:08Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1845</guid>
			<link>https://www.briandesmond.com/active-directory/change-default-location-for-domain-joined-computers/</link>
			<title>Change Default Location for Domain Joined Computers</title>
			<description>&lt;p&gt;When you join a machine to the domain, by default it will be placed in the Computers container under the root of the domain. This can be undesirable, particularly if you want to apply distinct Group Policy to machines when they are initially joined to the domain. Fortunately, Active Directory lets you change the default location for new Computer accounts. The best way to make this change is with the redircmp tool that is included with Windows Server. For example, to redirect new computers in the cohovines.com domain to an Organizational Unit called NewComputers, run this command:&lt;/p&gt;
&lt;pre&gt;redircmp "OU=NewComputers,DC=cohovines,DC=com"&lt;/pre&gt;
&lt;p&gt;Under the covers, the redircmp tool updates an attribute of the domain NC head object called wellKnownObjects. The wellKnownObjects attribute contains a list of well known GUIDs and a distinguished name for each GUID. By using GUIDs, the path to an object can be dynamic without the client needing to be aware of anything other than the GUID for the object it is searching for. In this case, the aa312825-7688-11d1-aded-00c04fd8d5cd GUID is how Active Directory keeps track of the default location for new computer objects. You can use a tool like LDP to look at the wellKnownObjects attribute of the domain as shown below:&lt;/p&gt;
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-change-default-location-for-domain-joine_f2a3-image_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-change-default-location-for-domain-joine_f2a3-image_thumb.png" border="0" alt="image" title="image" width="798" height="444" /&gt;&lt;/a&gt;&lt;/p&gt;</description>
			<a10:updated>2014-12-04T10:00:56Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1846</guid>
			<link>https://www.briandesmond.com/active-directory/change-default-location-for-new-user-objects/</link>
			<title>Change Default Location for New User Objects</title>
			<description>&lt;p&gt;When you create a user account in Active Directory using certain tools, by default the user will be placed in the Users container under the root of the domain. This can be undesirable, particularly if you want to apply distinct Group Policy to these users. Fortunately, Active Directory lets you change the default location for new User accounts. The best way to make this change is with the redirusr tool that is included with Windows Server. For example, to redirect new users in the cohovines.com domain to an Organizational Unit called New Hires, run this command:&lt;/p&gt;
&lt;pre&gt;redirusr "OU=New Hires,DC=cohovines,DC=com"&lt;/pre&gt;
&lt;p&gt;Under the covers, the redirusr tool updates an attribute of the domain NC head object called wellKnownObjects. The wellKnownObjects attribute contains a list of well known GUIDs and a distinguished name for each GUID. By using GUIDs, the path to an object can be dynamic without the client needing to be aware of anything other than the GUID for the object it is searching for. In this case, the a9d1ca15-7688-11d1-aded-00c04fd8d5cd GUID is how Active Directory keeps track of the default location for new user objects. You can use a tool like LDP to look at the wellKnownObjects attribute of the domain as shown below:&lt;/p&gt;
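&lt;p&gt;Both redircmp and redirusr rewrite a single value of wellKnownObjects. The example below is added here and is not part of either post: it reads the whole attribute back with the Active Directory module, decodes every DN-Binary value rather than only the two these posts discuss, and labels the Users and Computers GUIDs. The domain name and the function name are assumptions; the GUID table holds only the two values from these posts.&lt;/p&gt;

```powershell
Import-Module ActiveDirectory

$domain = "cohovines.com"   # assumed

# The two GUIDs the redircmp and redirusr posts cover. Other well-known entries (Domain
# Controllers, Deleted Objects, System, ...) still appear in the output, just without a label.
$knownGuids = @{
    'aa312825-7688-11d1-aded-00c04fd8d5cd' = 'Default computers container (redircmp)'
    'a9d1ca15-7688-11d1-aded-00c04fd8d5cd' = 'Default users container (redirusr)'
}

function Get-WellKnownObjectMap([string]$DomainName) {
    $domainDN = (Get-ADDomain -Identity $DomainName).DistinguishedName
    $ncHead   = Get-ADObject -Identity $domainDN -Server $DomainName -Properties wellKnownObjects
    foreach ($value in $ncHead.wellKnownObjects) {
        # DN-Binary syntax, e.g. B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=cohovines,DC=com
        # The middle field is the GUID's 32 hex digits in string order, so no byte swapping is needed.
        if ($value -notmatch '^B:(\d+):([0-9A-Fa-f]+):(.+)$') { continue }
        $guid = [guid]$Matches[2]
        $dn   = $Matches[3]
        $purpose = if ($knownGuids.ContainsKey($guid.ToString())) { $knownGuids[$guid.ToString()] } else { '' }
        [pscustomobject]@{ Guid = $guid; Purpose = $purpose; DistinguishedName = $dn }
    }
}

Get-WellKnownObjectMap -DomainName $domain | Format-Table -AutoSize

# Get-ADDomain decodes the same two entries for you; after a redirect both should show the new OU.
$d = Get-ADDomain -Identity $domain
"Computers container: $($d.ComputersContainer)"
"Users container:     $($d.UsersContainer)"
```

&lt;p&gt;Because domain join and the older user-creation APIs resolve the GUID rather than a hard-coded path, the redirect takes effect for every client as soon as the change replicates; nothing on the joining machine needs to know about the new OU. Keep the write itself to the redir tools: they validate that the target is a container in the same naming context before touching the attribute.&lt;/p&gt;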
&lt;p&gt;&lt;a href="http://cdn.briandesmond.com/media2/windows-live-writer-482c61f76353_f79b-image_2.png"&gt;&lt;img style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;" src="http://cdn.briandesmond.com/media2/windows-live-writer-482c61f76353_f79b-image_thumb.png" border="0" alt="image" title="image" width="802" height="446" /&gt;&lt;/a&gt;&lt;/p&gt;</description>
			<a10:updated>2014-12-01T09:00:57Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1780</guid>
			<link>https://www.briandesmond.com/active-directory/what-is-the-global-catalog/</link>
			<title>What Is The Global Catalog?</title>
			<description>&lt;p&gt;The Global Catalog (GC) is a critical component of Active Directory, particularly in multi-domain forests. In a multi-domain forest, objects (users, groups, computers, etc.) are spread across each domain. If an application needs to locate a user, for example, and the application does not know what domain the user is located in, then the application would need to contact a domain controller in each domain until the user is located. This approach is highly inefficient, and the Global Catalog is the solution. Domain Controllers that host a copy of the Global Catalog store a partial read-only copy of every object in the forest in the local database. When LDAP queries are submitted on TCP port 3268 (or TCP port 3269 for SSL), a single search can be conducted across all of the objects in the forest.&lt;/p&gt;
&lt;p&gt;To conserve space and ensure efficient replication, objects in the Global Catalog are referred to as partial objects because only a subset of the attributes of the object are replicated to the Global Catalog. This subset of attributes is known as the Partial Attribute Set (PAS). Administrators can configure the set of attributes that comprise the PAS by modifying the definition for a given attribute in the Active Directory schema. Many applications that extend the Active Directory schema add their custom attributes to the PAS. Microsoft Exchange Server is a common example of this approach. Exchange adds dozens of attributes to the PAS and subsequently conducts nearly all of its LDAP searches via the Global Catalog.&lt;/p&gt;
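&lt;p&gt;To see the partial attribute set in action, the example below (added here, not from the original post) asks the schema which of a handful of attributes carry isMemberOfPartialAttributeSet, then reads the same user once over LDAP (port 389, the full replica of the domain) and once over the GC (port 3268, the partial replica) and reports which attributes each returned. The domain, the sample user and the attribute list are assumptions.&lt;/p&gt;

```powershell
$domain = "cohovines.com"                                   # assumed
$sam    = "bdesmond"                                        # assumed sample user
$attrs  = @('displayName', 'mail', 'employeeID', 'info')    # assumed attributes to compare

# 1. Ask the schema which of these attributes are replicated to the Global Catalog.
$rootDse  = [ADSI]"LDAP://$domain/RootDSE"
$schemaNC = [string]$rootDse.schemaNamingContext
$schema   = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domain/$schemaNC")
# lDAPDisplayName only exists on schema objects, so an OR over the names is filter enough.
$schema.Filter = "(|" + (($attrs | ForEach-Object { "(lDAPDisplayName=$_)" }) -join '') + ")"
[void]$schema.PropertiesToLoad.AddRange([string[]]@('lDAPDisplayName', 'isMemberOfPartialAttributeSet'))
$inPas = @{}
foreach ($r in $schema.FindAll()) {
    $name = [string]$r.Properties['ldapdisplayname'][0]
    # isMemberOfPartialAttributeSet is simply absent when it has never been set; treat that as FALSE.
    $inPas[$name] = $r.Properties.Contains('ismemberofpartialattributeset') -and [bool]$r.Properties['ismemberofpartialattributeset'][0]
}

# 2. Read the same user over LDAP (full replica) and over the GC (partial replica).
function Get-ReturnedAttributes([string]$Root) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$Root)
    $searcher.Filter = "(sAMAccountName=$sam)"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]$attrs)
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "$sam not found via $Root" }
    return @($result.Properties.PropertyNames)
}
$viaLdap = Get-ReturnedAttributes -Root "LDAP://$domain"   # port 389, this domain only
$viaGc   = Get-ReturnedAttributes -Root "GC://$domain"     # port 3268, partial replica of every domain

foreach ($a in $attrs) {
    [pscustomobject]@{
        Attribute    = $a
        InPAS        = [bool]$inPas[$a]
        ReturnedLDAP = $viaLdap -contains $a
        ReturnedGC   = $viaGc -contains $a
    }
}
```

&lt;p&gt;A row reading InPAS False, ReturnedLDAP True, ReturnedGC False is an attribute the Global Catalog simply does not hold: a search on port 3268 that filters on it matches nothing, with no error to tell you why. That is the usual cause of applications that “cannot find” users they can find on port 389, and the fix is to add the attribute to the PAS in the schema, not to point the application at a single domain.&lt;/p&gt;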
&lt;p&gt;Special logic in Active Directory ensures that the Global Catalog has a copy of the membership of every universal group. Consequently, the domain controller that authenticates a user must contact a Global Catalog at logon time to construct a complete token for the user. If the user is located at a site that does not have a Global Catalog, that request must traverse the wide area network (WAN), and if no GC is available (e.g. due to a network outage), the logon attempt will fail. This behavior can be disabled by following the steps in Microsoft Knowledge Base Article &lt;a href="http://support.microsoft.com/kb/241789" target="_blank"&gt;241789&lt;/a&gt;. It is important to note, however, that if this behavior is disabled and a GC cannot be contacted, the user will receive an incomplete security token. Resources secured via universal groups will not be accessible to the user. Worse, if your access model uses deny entries in Access Control Lists (ACLs), and a deny entry is specified for a universal group, that deny entry will not be effective because the universal group membership is not reflected in the user’s token; disabling the GC requirement can therefore silently widen access rather than only narrow it.&lt;/p&gt;
&lt;p&gt;Historically, the question of which domain controllers should host the Global Catalog was a topic of significant interest during Active Directory design discussions. As WANs have evolved and forest topologies have shrunk to fewer and fewer domains, the need for this discussion has subsided. First and foremost, GC placement is not a concern in a single domain forest: every domain controller already holds every object, so simply make all of your domain controllers GCs. In a multi-domain forest, make as many of your domain controllers GCs as possible, ideally all of them. If you have sites with poor connectivity, where the replication overhead of the GC would place a significant burden on the WAN, then you must decide whether placing a GC in the site is necessary. If the site hosts applications that depend on the GC (e.g. Exchange Server), then placing a GC locally is critical. Likewise, if universal group membership is a key component of the access model for applications and services hosted at the site, then placing a GC is likely necessary.&lt;/p&gt;
			<a10:updated>2014-10-27T20:58:48Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1779</guid>
			<link>https://www.briandesmond.com/active-directory/what-are-the-five-fsmo-roles/</link>
			<title>What Are the Five FSMO Roles</title>
			<description>&lt;p&gt;Since the first days of Active Directory, the concept of FSMO (Flexible Single Master Operator, pronounced “fizmo”) roles has been a topic of endless discussion amongst IT Professionals. Furthermore, the five roles make for a quick and easy first question in an interview. As Active Directory has evolved over more than a decade, the duties of the FSMO role holders have changed very little, but broad understanding of the duties and optimal placement has not consistently matured.&lt;/p&gt;
&lt;p&gt;The five FSMO roles are divided in to two categories: forest-wide and domain-wide. The two forest-wide roles, the Schema Master and the Domain Naming Master exist on a per-forest basis. Meanwhile, the three remaining domain-wide roles - the PDC (Primary Domain Controller) Emulator (PDCe), RID (Relative Identifier) Master, and Infrastructure Master - exist for each domain in the forest. So, for example, in a single domain forest, there are a maximum of five possible FSMO role holders. Meanwhile, in a three domain forest, there are a maximum of eleven FSMO role holders (two forest-wide roles, plus three domain-wide roles multiplied by three domains).&lt;/p&gt;
&lt;p&gt;Forest-Wide FSMO Roles&lt;/p&gt;
&lt;p&gt;Let’s first examine the forest-wide roles, beginning with the Schema Master. The duties of the Schema Master are well defined and very clear, especially in comparison to some of the other roles. Simply put, any change to the forest’s schema must be made directly on the Schema Master. These changes include adding new classes and attributes as well as modifications to existing classes and attributes (e.g. adding an additional attribute to an existing class or indexing an attribute). It’s important to note a common misconception, however. While any changes to the forest’s schema must be written on the Schema Master, a read-only copy of the schema is stored on every domain controller in the forest.&lt;/p&gt;
&lt;p&gt;The second forest-wide role is the Domain Naming Master. The duties of the Domain Naming Master are brief and will not be invoked frequently in most organizations. Any time an administrator adds a new domain to the forest, or removes an existing domain, the Domain Naming Master is called upon. Similarly, adding or removing an application partition is also dependent on the Domain Naming Master.&lt;/p&gt;
&lt;p&gt;Application Partitions were added to Active Directory in Windows Server 2003. You can use an application partition to replicate a set of objects to a defined group of domain controllers across the forest. Given the name “application partition”, you can infer that Microsoft was anticipating that many people and software companies would take advantage of the feature. Unfortunately, the only common real-world use of application partitions is Active Directory integrated DNS. Even then so, few organizations customize DNS’ use of application partitions beyond the defaults.&lt;/p&gt;
&lt;p&gt;Domain-Wide FSMO Roles&lt;/p&gt;
&lt;p&gt;The domain-wide FSMO roles are called upon to perform work much more often than the two forest-wide roles we have discussed so far. Let’s begin with the Infrastructure Master – perhaps the most misunderstood and often debated FSMO role. The duties of the Infrastructure Master are narrow and only called upon in a very specific set of circumstances. Simply put, the Infrastructure Master is only relevant when you have a domain with the following characteristics:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;More than one domain in the forest&lt;/li&gt;
&lt;li&gt;Not all of the domain controllers in the domain are global catalogs&lt;/li&gt;
&lt;li&gt;Active Directory Recycle Bin is not enabled&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If your forest has only one domain, all of the domain controllers in a given domain are global catalogs, or the AD Recycle Bin is enabled, then the Infrastructure Master has no day-to-day duties.&lt;/p&gt;
&lt;p&gt;If your domain does not meet the criteria listed above, then the Infrastructure Master has an important task. The Infrastructure Master is responsible for maintaining hidden objects in the directory known as phantoms. Phantoms are used by the Active Directory database to track group members that are not from the local domain and are not present in the local database. If the domain controller is a global catalog, then every object in the forest is present in the database and a phantom is not necessary to track cross-domain group memberships.&lt;/p&gt;
&lt;p&gt;Phantoms have a small number of attributes – the objectGUID value of the actual group member in the foreign domain, the group member’s objectSID (security identifier), and the distinguished name (DN) of the group member. Any time an object in another domain is moved or deleted, the phantom must be updated with the correct value or deleted. The Infrastructure Master is responsible for periodically processing each phantom object in the domain and ensuring that it is up-to-date and necessary.&lt;/p&gt;
&lt;p&gt;The Infrastructure Master validates phantoms by connecting to a global catalog and finding the corresponding object via its objectGUID. This is why, in a multi-domain forest where some domain controllers in the domain are not global catalogs, the Infrastructure Master must not be hosted on a global catalog: a global catalog holds the real cross-domain objects rather than phantoms, so an Infrastructure Master running on one never sees a stale phantom and never pushes corrections to the phantoms held by the non-GC domain controllers. When the Active Directory Recycle Bin is enabled in a multi-domain forest, the duties of the Infrastructure Master are performed locally on each domain controller and the placement of the Infrastructure Master is no longer relevant.&lt;/p&gt;
&lt;p&gt;Continuing our discussion, the RID Master has a much more straightforward set of duties. The RID Master distributes pools of RIDs – Relative Identifiers – to each writeable domain controller in the domain. Any time a security principal (user, computer, group, etc.) is created on a domain controller, the domain controller uses a RID to construct the security principal’s unique SID (security identifier). Placing the RID Master is not especially complicated – generally a central point in the network that domain controllers can easily contact is ideal.&lt;/p&gt;
&lt;p&gt;The final FSMO role in our discussion is the PDC Emulator. The original need for PDC Emulator dates to Windows 2000 and the need to maintain backwards compatibility with Windows NT by way of having a domain controller that acts as the Windows NT Primary Domain Controller. While the fundamental need for this function has long passed, the PDC Emulator has a number of additional tasks that are still critical. The two most common and important tasks that the PDC Emulator continues to perform are time synchronization and password chaining.&lt;/p&gt;
&lt;p&gt;In a given domain, the PDC Emulator is the root of the time synchronization hierarchy. All of the other domain controllers in the domain synchronize their clocks with the PDC Emulator (and in turn client computers and member servers synchronize their clocks with their local domain controllers). In a multi-domain forest, the PDC Emulator in the forest root domain serves as the reference for the PDC Emulators in each of the child domains. Ultimately, the PDC Emulator in the forest root domain should be configured to synchronize its clock with an authoritative external time source.&lt;/p&gt;
&lt;p&gt;Password chaining is the second duty of interest for the PDC Emulator. Password chaining is important in environments where domain controllers are spread across multiple sites in a Wide Area Network (WAN). In this case, domain controllers attempt to immediately forward password changes and resets to the PDC Emulator. If a user attempts to authenticate, and the authenticating domain controller rejects the user’s password, the domain controller will first attempt to check with the PDC Emulator to see if the PDC Emulator’s copy of the user’s password matches the password the user is attempting to authenticate with.&lt;/p&gt;
&lt;p&gt;In addition to these two tasks, the PDC Emulator is also responsible for a number of less frequent tasks such as executing the AdminSDHolder process, processing account lockouts forwarded from other domain controllers, serving as the default domain controller for Group Policy editing, and authorizing domain controller cloning operations.&lt;/p&gt;
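&lt;p&gt;The placement rules above can be checked mechanically. The example below is added here and is not part of the original article: it lists the five role holders with the Active Directory module and, for each domain, applies the three Infrastructure Master criteria from the article (more than one domain in the forest, not every domain controller in the domain a global catalog, Recycle Bin not enabled) to decide whether the Infrastructure Master has work to do and, if so, whether it is wrongly sitting on a global catalog. The function name is my own; everything else is standard module output.&lt;/p&gt;

```powershell
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    $forest = Get-ADForest
    # The Recycle Bin is a forest-wide optional feature; EnabledScopes stays empty until it is switched on.
    $rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -ErrorAction SilentlyContinue
    $recycleBinOn = ($null -ne $rb) -and ($rb.EnabledScopes.Count -gt 0)
    $multiDomain  = $forest.Domains.Count -gt 1

    [pscustomobject]@{ Scope = 'Forest'; Role = 'Schema Master';        Holder = $forest.SchemaMaster;       Note = '' }
    [pscustomobject]@{ Scope = 'Forest'; Role = 'Domain Naming Master'; Holder = $forest.DomainNamingMaster; Note = '' }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = Get-ADDomainController -Filter * -Server $domainName
        $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        $imHost = $dcs | Where-Object { $_.HostName -ieq $domain.InfrastructureMaster }

        if ($multiDomain -and -not $allGc -and -not $recycleBinOn) {
            # The only configuration in which the Infrastructure Master has phantoms to maintain.
            # On a GC it never sees a stale phantom, so it would never correct one.
            if ($imHost.IsGlobalCatalog) {
                $imNote = 'WARNING: Infrastructure Master is a GC while other DCs in this domain are not'
            } else {
                $imNote = 'Active: non-GC DCs present and Recycle Bin off; keep it off a GC'
            }
        } else {
            $imNote = 'Idle: single domain, every DC is a GC, or Recycle Bin enabled'
        }

        [pscustomobject]@{ Scope = $domainName; Role = 'PDC Emulator';          Holder = $domain.PDCEmulator;          Note = '' }
        [pscustomobject]@{ Scope = $domainName; Role = 'RID Master';            Holder = $domain.RIDMaster;            Note = '' }
        [pscustomobject]@{ Scope = $domainName; Role = 'Infrastructure Master'; Holder = $domain.InfrastructureMaster; Note = $imNote }
    }
}

Get-FsmoPlacementReport | Format-Table -AutoSize
```

&lt;p&gt;Run it from any machine with RSAT as a user that can read every domain. The warning row is the one worth acting on: either move the Infrastructure Master with Move-ADDirectoryServerOperationMasterRole to a domain controller that is not a global catalog, or make every domain controller in that domain a global catalog, at which point the role becomes idle and its placement stops mattering.&lt;/p&gt;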
&lt;p&gt;Summary&lt;/p&gt;
&lt;p&gt;The five FSMO roles are divided in to two categories. The two forest-wide roles, the Schema Master and the Domain Naming Master, exist once per forest; the three domain-wide roles, the PDC Emulator, RID Master, and Infrastructure Master, exist once per domain, so a forest with three domains has eleven role holders at most. The Schema Master holds the only writable copy of the schema. The Domain Naming Master is consulted whenever a domain or application partition is added or removed. The Infrastructure Master maintains phantoms for cross-domain group members and only has day-to-day work in a multi-domain forest where not every domain controller in the domain is a global catalog and the Recycle Bin is not enabled; in that case it must not sit on a global catalog. The RID Master hands out RID pools to the writeable domain controllers in the domain. The PDC Emulator is the root of the domain’s time hierarchy, receives forwarded password changes and lockouts, runs the AdminSDHolder process, and authorizes domain controller cloning, which makes it the one role whose loss is noticed quickly.&lt;/p&gt;
			<a10:updated>2014-10-21T15:37:56Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1777</guid>
			<link>https://www.briandesmond.com/active-directory/how-to-seize-a-fsmo-role-with-ntdsutil/</link>
			<title>How to Seize a FSMO Role with NTDSUtil</title>
			<description>&lt;p&gt;If a domain controller that holds one or more of the five FSMO roles becomes permanently unavailable, you’ll ultimately need to seize the roles to another domain controller. Seizing FSMO roles is not a graceful process and is intended only to be performed when the unexpected occurs. In normal day-to-day operations, if you need to change what domain controller a FSMO role is held by, you should instead &lt;em&gt;transfer &lt;/em&gt;the role. In order to seize the RID Master, PDC Emulator, or Infrastructure Master, you’ll need to be logged in as a Domain Admin. To seize the Schema Master or Domain Naming Master, you must be logged in with Schema Admin or Enterprise Admin permissions, respectively.&lt;/p&gt;
&lt;div class="warning"&gt;If you are seizing the RID Master or Schema Master, you must ensure that the domain controller holding either of those roles is &lt;span style="text-decoration: underline;"&gt;never&lt;/span&gt; brought back on the network without being forcefully demoted or erased! I recommend that you immediately perform a metadata cleanup of the domain controller in question once the role is transferred.&lt;/div&gt;
&lt;p&gt;In this example, we’ll seize the PDC Emulator to a domain controller called coho-chi-adc02. I have provided the commands to seize each of the four other FSMO roles at the conclusion of these steps.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Open an elevated command prompt&lt;/li&gt;
&lt;li&gt;Type &lt;em&gt;ntdsutil&lt;/em&gt; and press Enter.&lt;/li&gt;
&lt;li&gt;Type &lt;em&gt;roles&lt;/em&gt; and press Enter.&lt;/li&gt;
&lt;li&gt;Type &lt;em&gt;connections&lt;/em&gt; and press Enter.&lt;/li&gt;
&lt;li&gt;Type &lt;em&gt;connect to server coho-chi-adc02&lt;/em&gt; and press Enter.&lt;/li&gt;
&lt;/ol&gt;
&lt;div class="note"&gt;Replace coho-chi-adc02 in the previous step with the name of the domain controller you want to seize the FSMO role to.&lt;/div&gt;
&lt;ol start="6"&gt;
&lt;li&gt;Type &lt;em&gt;quit&lt;/em&gt; and press Enter. Your screen should look similar to the following after this step:&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;img style="margin: 0px; border: 0px currentColor; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Seize-a-FSMO-Role-with-NTDSUtil_EFB6/image_b8363556-099d-4c73-af8f-ae63bf1fc57b.png" border="0" alt="image" title="image" width="674" height="341" /&gt;&lt;/p&gt;
&lt;ol start="7"&gt;
&lt;li&gt;Type &lt;em&gt;Seize PDC&lt;/em&gt; and press Enter. You will be prompted to confirm the seizure as shown below. Once you click Yes, the seizure process will begin; this takes some time to complete. As a safety mechanism, NTDSUtil first tries to transfer the role gracefully. Because the current holder is unreachable, that attempt times out and fails, and only then does the actual seizure occur.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;img style="border: 0px currentColor; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Seize-a-FSMO-Role-with-NTDSUtil_EFB6/image_fb167c26-6c5b-4c6f-8c68-4f9a0a28e862.png" border="0" alt="image" title="image" width="487" height="228" /&gt;&lt;/p&gt;
&lt;p&gt;Once the seizure occurs, you will see output similar to the following written to the console. The output includes an error from the failed transfer attempt, which is expected. The line that matters is the PDC entry in the role list at the end, which now points at COHO-CHI-ADC02 while the other four roles still show their original holder.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Attempting safe transfer of PDC FSMO before seizure.&lt;br /&gt; ldap_modify_sW error 0x34(52 (Unavailable).&lt;br /&gt; Ldap extended error message is 000020AF: SvcErr: DSID-032105B1, problem 5002 (UNAVAILABLE), data 1722&lt;/p&gt;
&lt;p&gt;Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)&lt;br /&gt; )&lt;br /&gt; Depending on the error code this may indicate a connection,&lt;br /&gt; ldap, or role transfer error.&lt;br /&gt; Transfer of PDC FSMO failed, proceeding with seizure ...&lt;/p&gt;
&lt;p&gt;Server "coho-chi-adc02" knows about 5 roles&lt;br /&gt; Schema - CN=NTDS Settings,CN=COHO-CHI-ADC01,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com&lt;br /&gt; Naming Master - CN=NTDS Settings,CN=COHO-CHI-ADC01,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com&lt;br /&gt; PDC - CN=NTDS Settings,CN=COHO-CHI-ADC02,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com&lt;br /&gt; RID - CN=NTDS Settings,CN=COHO-CHI-ADC01,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com&lt;br /&gt; Infrastructure - CN=NTDS Settings,CN=COHO-CHI-ADC01,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;To seize the other roles, run the following commands in lieu of “Seize PDC”. If you are seizing multiple roles, you can seize them sequentially without repeating steps one through six:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Domain Naming Master – “Seize naming master”&lt;/li&gt;
&lt;li&gt;Infrastructure Master – “Seize infrastructure master”&lt;/li&gt;
&lt;li&gt;RID Master – “Seize RID master”&lt;/li&gt;
&lt;li&gt;Schema Master – “Seize schema master”&lt;/li&gt;
&lt;/ul&gt;
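&lt;p&gt;The same seizure from the Active Directory module instead of NTDSUtil, as an added example that is not part of the original post. Move-ADDirectoryServerOperationMasterRole without -Force performs a graceful transfer; with -Force it seizes. The script mirrors what NTDSUtil does on your behalf: try the transfer first, seize only if the current holder cannot be contacted, and then read the role holders back from the new holder. The target name is the one used in the post; the roles list and the function name are assumptions you should edit.&lt;/p&gt;

```powershell
Import-Module ActiveDirectory

$target = "coho-chi-adc02"   # the domain controller that will take over the role(s)
$roles  = @('PDCEmulator')   # assumed; any of SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

function Invoke-FsmoSeizure([string]$Target, [string[]]$Roles) {
    try {
        # Graceful transfer first: this needs the current holder online and is the normal path.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles -Confirm:$false -ErrorAction Stop
        return 'transferred'
    } catch {
        Write-Warning "Transfer failed ($($_.Exception.Message)); seizing $($Roles -join ', ') to $Target"
    }
    # -Force is the seizure. After seizing the RID, Schema or Domain Naming Master the old holder must
    # never return to the network unclean; clean up its metadata and rebuild it instead.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles -Force -Confirm:$false -ErrorAction Stop
    return 'seized'
}

$outcome = Invoke-FsmoSeizure -Target $target -Roles $roles
"$outcome $($roles -join ', ') to $target"

# Read the holders back from the new holder itself; replication carries the change to the rest of the forest.
Get-ADDomain -Server $target | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest -Server $target | Select-Object SchemaMaster, DomainNamingMaster
```

&lt;p&gt;Run it as a Domain Admin for the domain-wide roles, and as a Schema Admin or Enterprise Admin for the Schema Master or Domain Naming Master respectively, exactly as with NTDSUtil. Querying the holders with -Server pointed at the new holder avoids being misled by a domain controller that has not replicated the change yet.&lt;/p&gt;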
&lt;p&gt;Once you have completed seizing the roles you need, you can close the command prompt. The changes will replicate throughout your forest via normal channels.&lt;/p&gt;
</description>
			<a10:updated>2014-10-05T23:15:01Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1775</guid>
			<link>https://www.briandesmond.com/active-directory/promote-a-domain-controller-with-windows-powershell/</link>
			<title>Promote a Domain Controller with Windows PowerShell</title>
			<description>&lt;p&gt;Windows Server 2012 and newer servers can be promoted to be a domain controller using Windows PowerShell. If you’re running your domain controllers on the Server Core variant of Windows Server, or you simply need to automate the promotion of domain controllers, PowerShell is a great way to quickly complete this task. In this guide, we’ll look at promoting an additional domain controller in to an existing domain. If you need to script the creation of a new forest or child domain, take a look at the Microsoft documentation for &lt;a href="http://technet.microsoft.com/en-us/library/hh974723.aspx"&gt;Install-ADDSDomainController&lt;/a&gt; and &lt;a href="http://technet.microsoft.com/en-us/library/hh974720.aspx"&gt;Install-ADDSForest&lt;/a&gt;.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Launch an elevated Windows PowerShell prompt. On a server with the GUI installed, you can right click the PowerShell shortcut in the taskbar as shown below. On a Server Core server, type “powershell” into the prompt.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Promote-a-Domain-Controller-with-PowerSh_E2D5/image%5B2%5D_2.png"&gt;&lt;img style="border-width: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;" src="http://cdn-dev.briandesmond.com/media/files/media/image/Windows-Live-Writer/Promote-a-Domain-Controller-with-PowerSh_E2D5/image%5B2%5D_thumb.png" border="0" alt="image[2]" title="image[2]" width="263" height="206" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;ol start="2"&gt;
&lt;li&gt;Customize the following PowerShell script to reflect the name of the domain the server will be promoted into as well as your Directory Services Restore Mode (DSRM) password. This script will promote the server as a global catalog in a domain called “cohovines.com” and install the Windows DNS Server service on the server.&lt;/li&gt;
&lt;/ol&gt;
&lt;pre class="brush: ps;"&gt;$domainName = "cohovines.com"
$domainAdminCredential = Get-Credential
$dsrmPassword = (ConvertTo-SecureString -AsPlainText -Force -String "YourDSRMPassword!!")
Install-ADDSDomainController -DomainName $domainName -InstallDns -Credential $domainAdminCredential -SafeModeAdministratorPassword $dsrmPassword&lt;/pre&gt;
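&lt;p&gt;As an added variant of the script above, not part of the original post: the DSRM password is read from the console rather than embedded in the script file, and Test-ADDSDomainControllerInstallation runs the same parameters as a dry run before the real promotion. It assumes the AD DS role binaries are not yet installed and that the server may be rebooted once the result has been recorded.&lt;/p&gt;

```powershell
# Added example (not from the original post): promotion with a prerequisite
# check first and no plaintext DSRM password left behind in a script file.
$domainName = "cohovines.com"

# The ADDSDeployment module ships with the AD DS role binaries
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module ADDSDeployment

$domainAdminCredential = Get-Credential -Message "Domain Admin account for $domainName"
$dsrmPassword = Read-Host -Prompt "DSRM password" -AsSecureString

$params = @{
    DomainName                    = $domainName
    InstallDns                    = $true
    Credential                    = $domainAdminCredential
    SafeModeAdministratorPassword = $dsrmPassword
}

# Dry run with the same parameters: reports problems, changes nothing
$check = Test-ADDSDomainControllerInstallation @params
if ($check.Status -ne 'Success') {
    $check.Message
    throw "Prerequisite check failed; promotion was not attempted."
}

# Hold the automatic reboot so the result can be logged, then reboot explicitly
$result = Install-ADDSDomainController @params -NoRebootOnCompletion -Force
$result | Format-List
if ($result.Status -eq 'Success') {
    Restart-Computer -Force
}
```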
&lt;ol start="3"&gt;
&lt;li&gt;The server will automatically reboot once prerequisites are installed and promotion has completed.&lt;/li&gt;
&lt;/ol&gt;</description>
			<a10:updated>2014-09-28T15:42:06Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1773</guid>
			<link>https://www.briandesmond.com/active-directory/active-directory-5th-edition/</link>
			<title>Active Directory, 5th Edition</title>
			<description>&lt;p&gt;I&amp;rsquo;ve been remiss in posting anything here the past six months as my weekends have been consumed with an update to my book, &lt;a href="http://www.amazon.com/dp/059652059X?tag=briandesmonsb-20&amp;amp;camp=14573&amp;amp;creative=327641&amp;amp;linkCode=as1&amp;amp;creativeASIN=059652059X&amp;amp;adid=14DDX6D42GNBHRYYJA4A&amp;amp;&amp;amp;ref-refURL=http%3A%2F%2Fbriandesmond.com%2F" target="_blank"&gt;Active Directory, 4th Edition&lt;/a&gt;. The writing and technical reviews&amp;nbsp; of the fifth edition are complete, thanks to &lt;a href="http://blog.joeware.net/" target="_blank"&gt;Joe Richards&lt;/a&gt;, &lt;a href="http://markparris.co.uk/" target="_blank"&gt;Mark Parris&lt;/a&gt;, and &lt;a href="http://blogs.technet.com/b/askpfeplat/" target="_blank"&gt;Mark Morowczynski&lt;/a&gt;. We&amp;rsquo;ve now moved in to the production cycle and a copy editor is busy fixing up my writing to make the book a polished all-around easy-to-read product. Meanwhile,&amp;nbsp; the illustrators will soon be busy with the artwork &amp;ndash; figures, diagrams, etc. The final book is now available!&lt;/p&gt;
&lt;p&gt;So, to summarize, &lt;span style="text-decoration: underline;"&gt;Active Directory, 5th Edition&lt;/span&gt; is now available:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The eBook is available from O&amp;rsquo;Reilly &lt;a href="http://www.anrdoezrs.net/click-7037240-11260198?url=http%3A%2F%2Fshop.oreilly.com%2Fproduct%2F0636920023913.do%3Fcmp%3Daf-prog-book-product_cj_9781449320027_%25zp&amp;amp;cjsku=0636920023913" target="_blank"&gt;here&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;The printed book is available from O&amp;rsquo;Reilly &lt;a href="http://www.anrdoezrs.net/click-7037240-11260198?url=http%3A%2F%2Fshop.oreilly.com%2Fproduct%2F0636920023913.do%3Fcmp%3Daf-prog-book-product_cj_9781449320027_%25zp&amp;amp;cjsku=0636920023913" target="_blank"&gt;here&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;The eBook is available via Safari Books Online at &lt;a href="http://my.safaribooksonline.com/9781449361211?portal=oreilly&amp;amp;cid=orm-cat-readnow-9781449361211" title="http://my.safaribooksonline.com/9781449361211?portal=oreilly&amp;amp;cid=orm-cat-readnow-9781449361211"&gt;http://my.safaribooksonline.com/9781449361211?portal=oreilly&amp;amp;cid=orm-cat-readnow-9781449361211&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;The printed book is available from Amazon.com at &lt;a href="http://www.amazon.com/gp/product/1449320023/ref=as_li_ss_tl?ie=UTF8&amp;amp;tag=briandesmonsb-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=390957&amp;amp;creativeASIN=1449320023" title="http://www.amazon.com/gp/product/1449320023/ref=as_li_ss_tl?ie=UTF8&amp;amp;tag=briandesmonsb-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=390957&amp;amp;creativeASIN=1449320023"&gt;http://www.amazon.com/gp/product/1449320023/ref=as_li_ss_tl?ie=UTF8&amp;amp;tag=briandesmonsb-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=390957&amp;amp;creativeASIN=1449320023&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;
</description>
			<a10:updated>2014-03-02T18:03:08Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1774</guid>
			<link>https://www.briandesmond.com/active-directory/signing-active-directory-5th-edition-books-at-teched-north-america/</link>
			<title>Signing Active Directory, 5th Edition Books at TechEd North America</title>
			<description>&lt;p&gt;I&amp;rsquo;ll be at TechEd North America in New Orleans this week. On Monday, June 3rd from 6:00 to 6:30 PM, I&amp;rsquo;ll be at the O&amp;rsquo;Reilly/Microsoft Press booth, booth #511 signing copies of my new book &amp;ndash; &lt;a href="http://www.briandesmond.com/ad5/" target="_blank"&gt;Active Directory, 5th Edition&lt;/a&gt;. If you can&amp;rsquo;t stop by then, I&amp;rsquo;ll be at the Access and Information Protection in the Microsoft Solutions Experience Monday from 12PM to 2PM and Tuesday from 12PM to 2:30PM. I&amp;rsquo;ll also be at the Ask The Experts evening event on Tuesday evening.&lt;/p&gt;
</description>
			<a10:updated>2013-06-02T00:00:00Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1765</guid>
			<link>https://www.briandesmond.com/active-directory/active-directory-4th-edition-updates/</link>
			<title>Active Directory, 4th Edition Updates</title>
			<description>&lt;p&gt;Over the past couple years, readers have identified a number of mistakes that unfortunately made it through the edit cycles for &lt;em&gt;&lt;a href="http://www.briandesmond.com/ad4/" target="_blank"&gt;Active Directory, 4th Ed&lt;/a&gt;&lt;/em&gt;. O&amp;rsquo;Reilly recently launched a process by which authors can make updates to the source files that they use to produce eBooks and print conventional paper books on demand. I took advantage of this a few weeks ago and I resolved all of the &lt;a href="http://oreilly.com/catalog/errata.csp?isbn=9780596520601" target="_blank"&gt;errata&lt;/a&gt; which were reported as well as a couple I found myself. Here&amp;rsquo;s the quick summary on where the updated text can be found:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Print Copies - &lt;/strong&gt;If you&amp;rsquo;ve bought a print copy, you&amp;rsquo;ll need to look at the notes I made on the &lt;a href="http://oreilly.com/catalog/errata.csp?isbn=9780596520601" target="_blank"&gt;errata&lt;/a&gt; page. However, as O&amp;rsquo;Reilly is now doing print on demand for this title, the updates will trickle out into the supply chain over time and newly purchased books will be updated. Obviously this timeline is highly dependent on how much inventory is sitting in warehouses.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;eBooks - &lt;/strong&gt;If you bought any of the various eBook formats O&amp;rsquo;Reilly offers in their web store &amp;ndash; PDF, mobi, and ePub &amp;ndash; then you&amp;rsquo;ll be able to login to your account and pull an updated copy down. I&amp;rsquo;m told you will also be getting an email sometime soon (if it hasn&amp;rsquo;t gone out already) notifying you of this as well. If you purchased the book for Kindle from Amazon, Amazon doesn&amp;rsquo;t have a mechanism to push updated content to your Kindle, so you won&amp;rsquo;t get an update. This also applies if you bought the book for iPhone/iPad from the Apple bookstore. The iPhone/iPad &amp;ldquo;app&amp;rdquo; version of the book is also not going to get updated due to the shift to the native Apple Bookstore.&lt;/p&gt;
</description>
			<a10:updated>2011-12-09T00:00:00Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1764</guid>
			<link>https://www.briandesmond.com/active-directory/active-directory-group-scopes-and-group-nesting/</link>
			<title>Active Directory Group Scopes and Group Nesting</title>
			<description>&lt;p&gt;Dating to the early days of Windows NT is a discussion of what group scope to choose when creating a new group in Active Directory. There are a plethora of acronyms and time tested practices that administrators sometimes turn to, but, I usually recommend a simple approach. In many organizations, I suggest that the time spent debating this topic could be better focused somewhere more important.&lt;/p&gt;
&lt;p&gt;There are three group scopes available:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;Domain Local&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Global&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Universal&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The scope primarily affects four things:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;The exposure of the group across trusts, and the ability to add group members from other domains or forests.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;The number of bytes the group consumes in the user’s logon token. This is important in large organizations that have token bloat problems.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Replication traffic: universal group membership changes are replicated to every global catalog, which matters in large, highly distributed multi-domain forests that have domain controllers dispersed around the world and where replication traffic is a network concern.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Logon availability: in multi-domain forests where not every domain controller is a global catalog, logon will fail (by default) if a global catalog cannot be contacted during the logon attempt.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;In order to understand how the scope of a group affects your ability to nest groups (that is, make one group a member of another group), first study the rules for whether or not a group from one domain can be used in another domain:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Domain local&lt;/strong&gt; – only useable within the domain that the group was created in. Cannot be accessed via a trust.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Global&lt;/strong&gt; – useable in the domain the group was created in, or in any domain that trusts the domain the group is in.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Universal&lt;/strong&gt; – useable in the domain the group was created in, or in any domain or forest that trusts the domain the group is in.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;As you consider the rules above, you can see why you cannot nest a Domain Local group in a Global or Universal group. Simply put, Global and Universal group membership is accessible across trusts, but domain local group membership is not. So, if you were to nest a Domain Local group in a Global or Universal group, the full group membership would not be accessible across the trust. Fortunately, Active Directory enforces these rules for us. You can keep track of these rules by referencing the table below:&lt;/p&gt;
&lt;table border="0"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td rowspan="2"&gt;
&lt;p&gt;&lt;strong&gt;Group scope&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td colspan="2"&gt;
&lt;p&gt;&lt;strong&gt;Can contain users and computers from&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td colspan="2"&gt;
&lt;p&gt;&lt;strong&gt;Can contain domain local groups from&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;strong&gt;Same domain&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;&lt;strong&gt;Different domain&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;&lt;strong&gt;Same domain&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;&lt;strong&gt;Different domain&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;strong&gt;Domain local groups&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Yes&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Yes&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Yes&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;No&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;strong&gt;Domain global groups&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Yes&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;No&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;No&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;No&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;strong&gt;Universal groups&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Yes&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Yes&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;No&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;No&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The next table highlights the rules that apply to global and universal groups.&lt;/p&gt;
&lt;table border="0"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td rowspan="2"&gt;
&lt;p&gt;&lt;strong&gt;Group scope&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td colspan="2"&gt;
&lt;p&gt;&lt;strong&gt;Can contain domain global groups from&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td colspan="2"&gt;
&lt;p&gt;&lt;strong&gt;Can contain universal groups from&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;strong&gt;Same domain&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;&lt;strong&gt;Different domain&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;&lt;strong&gt;Same domain&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;&lt;strong&gt;Different domain&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;strong&gt;Domain local groups&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Yes&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Yes&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Yes&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Yes&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;strong&gt;Domain global groups&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Yes&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;No&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;No&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;No&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;strong&gt;Universal groups&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Yes&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Yes&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Yes&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Yes&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
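&lt;p&gt;As an added example that is not part of the original post, the following PowerShell puts a number on point 2 above (how much of the user’s logon token the groups account for) using the estimate documented in Microsoft KB 327825, TokenSize = 1200 + 40d + 8s, where the scope of each group and whether it comes from the user’s own domain decide which term it falls into. It runs on constructed sample groups; the commented query at the end shows how to feed it transitive membership from a live domain. The function names are not from the post.&lt;/p&gt;

```powershell
# Added example (not from the original post). Estimate of the logon token size from
# group scopes, per Microsoft KB 327825: TokenSize = 1200 + 40d + 8s, where
#   d = domain local groups + universal groups from other domains + sIDHistory entries
#   s = global groups + universal groups from the user's own domain
function Get-EstimatedTokenSize {
    param(
        # Each object needs GroupScope (DomainLocal, Global, Universal) and DomainDN
        [Parameter(Mandatory)][object[]]$Groups,
        [Parameter(Mandatory)][string]$UserDomainDN,
        [int]$SidHistoryCount = 0,
        # 12000 bytes was the default MaxTokenSize before Windows 8 / Server 2012
        [int]$MaxTokenSize = 12000
    )
    $d = $SidHistoryCount
    $s = 0
    foreach ($group in $Groups) {
        switch ($group.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($group.DomainDN -eq $UserDomainDN) { $s++ } else { $d++ } }
            default       { throw "Unknown group scope '$($group.GroupScope)'" }
        }
    }
    $bytes = 1200 + 40 * $d + 8 * $s
    [pscustomobject]@{
        FortyByteEntries = $d
        EightByteEntries = $s
        EstimatedBytes   = $bytes
        ExceedsMaxToken  = ($bytes -gt $MaxTokenSize)
    }
}

# Helper for live ADGroup objects: the group's domain is the DC= tail of its DN
function ConvertTo-ScopedGroup {
    param([Parameter(Mandatory, ValueFromPipeline)]$AdGroup)
    process {
        $dn = $AdGroup.DistinguishedName
        [pscustomobject]@{
            Name       = $AdGroup.Name
            GroupScope = [string]$AdGroup.GroupScope
            DomainDN   = $dn.Substring($dn.IndexOf('DC='))
        }
    }
}

# Constructed sample (not real directory data): a cohovines.com user in five groups
$userDomain = 'DC=cohovines,DC=com'
$sampleGroups = @(
    [pscustomobject]@{ Name = 'Domain Users';  GroupScope = 'Global';      DomainDN = $userDomain }
    [pscustomobject]@{ Name = 'Sales';         GroupScope = 'Global';      DomainDN = $userDomain }
    [pscustomobject]@{ Name = 'FS01-Sales-RW'; GroupScope = 'DomainLocal'; DomainDN = $userDomain }
    [pscustomobject]@{ Name = 'All-Employees'; GroupScope = 'Universal';   DomainDN = $userDomain }
    [pscustomobject]@{ Name = 'EMEA-Staff';    GroupScope = 'Universal';   DomainDN = 'DC=emea,DC=cohovines,DC=com' }
)
# d = 1 domain local + 1 universal from another domain = 2
# s = 2 global + 1 universal from the user's domain = 3
# EstimatedBytes = 1200 + 40*2 + 8*3 = 1304
Get-EstimatedTokenSize -Groups $sampleGroups -UserDomainDN $userDomain

# Against a live domain (ActiveDirectory module): transitive membership through the
# LDAP_MATCHING_RULE_IN_CHAIN operator. This searches only the user's own domain, and
# the primary group (Domain Users) is not in member, so add it to the list yourself.
# $user = Get-ADUser -Identity jdoe
# $live = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" | ConvertTo-ScopedGroup
# Get-EstimatedTokenSize -Groups $live -UserDomainDN $userDomain
```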
</description>
			<a10:updated>2011-11-19T00:00:00Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1753</guid>
			<link>https://www.briandesmond.com/active-directory/managing-local-backups-with-windows-server-backup/</link>
			<title>Managing Local Backups with Windows Server Backup</title>
			<description>&lt;p&gt;One of the strategies I often employ when deploying Active Directory (AD) for customers is to use the local Windows Server Backup (WSB, previously NTBackup) tool to make system state backups on the local machine. I’ll also often place backups on neighboring Domain Controllers (DCs) to provide for redundancy if there is a failure. This strategy ensures that a backup is available in the same site and it also removes the dependency on an external backup team. Many third party backup applications can backup a file share without needing to install an agent on the server as well which is a better all around situation for DC backup at many customers. Note that you’ll want to tightly secure the shares that backups are placed on given they include full copies of your AD database (ntds.dit) which has all of the password hashes in it.&lt;/p&gt;
&lt;p&gt;The script below implements this strategy of backing up DCs to neighboring DCs and it also will implement retention and aging of backups. You’ll need to configure the age, log location, and backup table at the top. Note that the DC names in the table are case sensitive. In the example, DC01 backs up to a share on DC02 and vice versa. I simply schedule the script to run on the appropriate interval (e.g. nightly) using the Task Scheduler. The script runs well under Local System.&lt;/p&gt;
&lt;pre class="brush: vb;"&gt;'==========================================================================
' NAME: WS08 DC Backup
'
' AUTHOR: Brian Desmond, brian@briandesmond.com
' DATE  : 7/10/2009
'
' COMMENT: 
'    Version        Date        Author            Note
'    -----------------------------------------------------------------
'    1.0            10Jul09        Brian Desmond    Initial VERSION
'    1.1            05Feb11        Brian Desmond    Bug fixes, documentation
'==========================================================================

Option Explicit

Const VERSION = "1.0"

' How many days to keep the backup for
Const MAX_BACKUP_AGE = 7

' Where to store the log file
Const LOG_FILE = "C:\Scripts\Backups\DCBackupLog.txt"

Dim backupLocation
Set backupLocation = WScript.CreateObject("Scripting.Dictionary")

' List of DCs and the shares to store their backups in
backupLocation.Add "DC01", "\\DC02.green.briandesmond.net\adbackup$\dc01" 
backupLocation.Add "DC02", "\\DC01.green.briandesmond.net\adbackup$\dc02" 

'==========================================================================

Dim fso
Set fso = WScript.CreateObject("Scripting.FileSystemObject")

Dim shl
Set shl = WScript.CreateObject("Wscript.Shell")

Dim net
Set net = WScript.CreateObject("WScript.Network")

Dim logFile
Set logFile = fso.OpenTextFile(LOG_FILE, 8, True) ' 8 = ForAppending

If Not backupLocation.Exists(net.ComputerName) Then 
    WriteLogLine "Server not found in backup location table."
    WScript.Echo "Server not found in backup location table."
    
    WScript.Quit 1
End If 

Dim backupRoot
backupRoot = backupLocation(net.ComputerName)

CleanOldBackups MAX_BACKUP_AGE, backupRoot

Dim wbAdminCmd
wbAdminCmd = "wbadmin start backup -AllCritical -Quiet -BackupTarget:"

' Wrap the target path in quotes on both sides (the original only appended a
' closing quote) so the command survives spaces in the share path
wbAdminCmd = wbAdminCmd &amp;amp; """" &amp;amp; GetBackupPath(backupRoot) &amp;amp; """"

WScript.Echo wbAdminCmd
WriteLogLine "Launching " &amp;amp; wbAdminCmd

Dim execObj
Set execObj = shl.Exec(wbAdminCmd)

While execObj.Status = 0
    WScript.Sleep(1000)
Wend 

Dim wbAdminOutput
wbAdminOutput = execObj.StdOut.ReadAll

WScript.Echo wbAdminOutput
WriteLogLine wbAdminOutput

Sub CleanOldBackups(MaxAge, SearchLocation)
    WriteLogLine "Beginning CleanOldBackups; MaxAge=" &amp;amp; MaxAge
    
    ' Start with an empty dynamic array and grow it one slot per folder to delete
    Dim foldersToDelete()
    ReDim foldersToDelete(-1)
    
    If fso.FolderExists(SearchLocation) Then 
        Dim folder
        For Each folder In fso.GetFolder(SearchLocation).SubFolders
            ' Backup folders are named by date (see GetBackupPath); skip anything else
            If IsDate(folder.Name) Then 
                Dim age
                ' DateDiff returns date2 minus date1, so the backup date goes first
                ' to get a positive age in days
                age = DateDiff("d", CDate(folder.Name), Now(), vbSunday, vbFirstJan1)
                
                If age &amp;gt; MaxAge Then 
                    ReDim Preserve foldersToDelete(UBound(foldersToDelete) + 1)
                    foldersToDelete(UBound(foldersToDelete)) = folder.Path
                End If 
            Else
                WScript.Echo "Skipping " &amp;amp; folder.Name &amp;amp; ", invalid name"
            End If 
        Next
    End If 
    
    ' UBound is -1 when nothing was flagged, so the loop body simply never runs
    Dim i
    For i = 0 To UBound(foldersToDelete)
        WScript.Echo "Deleting " &amp;amp; foldersToDelete(i)
        WriteLogLine "Deleting " &amp;amp; foldersToDelete(i)
        
        fso.DeleteFolder foldersToDelete(i), True    
    Next 
    
    WriteLogLine "Ending CleanOldBackups"
End Sub 

Sub WriteLogLine(line)
    logFile.WriteLine Date &amp;amp; " " &amp;amp; Time &amp;amp; ": " &amp;amp; line 
End Sub 

Sub SafeCreateFolder(path)
    If Not fso.FolderExists(path) Then 
        fso.CreateFolder(path)
    End If 
End Sub 

Function GetBackupPath(RootPath)
    Dim cleanDate
    cleanDate = Replace(FormatDateTime(Date, vbShortDate), "/", "-")
    
    Dim cleanHour
    cleanHour = CStr(DatePart("h", Now, vbSunday, vbFirstJan1))
    
    Dim backupPath
    
    backupPath = RootPath
    SafeCreateFolder backupPath 
    
    backupPath = fso.BuildPath(backupPath, cleanDate)
    SafeCreateFolder backupPath
    
    backupPath = fso.BuildPath(backupPath, cleanHour)
    SafeCreateFolder backupPath

    GetBackupPath = backupPath
End Function &lt;/pre&gt;</description>
			<a10:updated>2011-03-28T00:00:00Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1751</guid>
			<link>https://www.briandesmond.com/active-directory/property-sets-and-default-security-descriptors/</link>
			<title>Property Sets and Default Security Descriptors</title>
			<description>&lt;p&gt;I made a brief mention of some of the default security permissions that apply to users in my article on &lt;a href="http://www.windowsitpro.com/article/active-directory/Delegating-Privileges-in-Active-Directory.aspx" target="_blank"&gt;Delegating Privileges in Active Directory&lt;/a&gt; for Windows IT Pro. I’ve gotten a couple of e-mail questions so I thought I’d elaborate here since I don’t have to worry about how many words I have to work with in this space. Every object class definition in the Active Directory schema has the option to define a “defaultSecurityDescriptor” value which holds the initial ACL that will apply to any new instances of that object when they are created. This rule doesn’t hold true if you specify a security descriptor explicitly when creating an object, however, as in this case the defaultSecurityDescriptor will be ignored.&lt;/p&gt;
&lt;p&gt;The default value for the defaultSecurityDescriptor for the user class has a couple of entries in it which most administrators don’t know about, and fortunately neither do many end users. Out of the box, the user which an object in AD represents has permissions to modify quite a few attributes on their own account. Anyone who can figure out how to make an LDAP call against their object in the directory can take advantage of this. The easiest way to edit or view the value for this attribute is using the Active Directory Schema MMC. Browse to the Classes folder and then open the properties of the user class. Switch to the Default Security tab and click Advanced.&lt;/p&gt;
&lt;div class="note"&gt;&lt;strong&gt;Note: &lt;/strong&gt;By default the Active Directory Schema MMC snap-in is not available. To use it you must first register the COM DLL it depends on by running “regsvr32 schmmgmt.dll” from an elevated command prompt. Once you do this, you will be able to open a new MMC and go to File&amp;gt;Add/Remove Snap-ins and add the Active Directory Schema snap-in to your console.&lt;/div&gt;
&lt;p&gt;If you sort on the Name column and scroll down to SELF, you’ll see three entries (highlighted in yellow below) which are interesting:&lt;/p&gt;
&lt;p&gt;&lt;a href="http://briandesmond.com/files/media/image/Windows-Live-Writer/Property-Sets-and-Default-Security-Descr_C22B/image_2.png"&gt;&lt;img style="background-image: none; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border-width: 0px;" src="http://briandesmond.com/files/media/image/Windows-Live-Writer/Property-Sets-and-Default-Security-Descr_C22B/image_thumb.png" border="0" alt="image" title="image" width="589" height="501" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;These three ACEs grant the user permissions to write to the attributes in those three property sets for their account. If you’re not familiar with Property Sets, they’re a construct that allows you to group attributes and apply security for all the attributes in a single ACE which applies to the property set. An easy way to get a nice list of the attributes in these property sets is with &lt;a href="http://www.joeware.net/freetools/tools/adfind/index.htm" target="_blank"&gt;adfind&lt;/a&gt;. The first thing you’ll need to do is convert the friendly display name (e.g. Personal Information) into the GUID of the property set:&lt;/p&gt;
&lt;pre&gt;adfind -sc findpropsetrg:"Personal Information"&lt;/pre&gt;
&lt;p&gt;You should get a result similar to this:&lt;/p&gt;
&lt;blockquote&gt;AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007 &lt;br /&gt; &lt;br /&gt;Using server: BRIAN-RTDC01.brianlab.local:389 &lt;br /&gt;Directory: Windows Server 2003 &lt;br /&gt;Base DN: cn=extended-rights,CN=Configuration,DC=brianlab,DC=local &lt;br /&gt; &lt;br /&gt;dn:CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=brianlab,DC=local &lt;br /&gt;&amp;gt;rightsGuid: 77B5B886-944A-11d1-AEBD-0000F80367C1&lt;/blockquote&gt;
&lt;p&gt;You can paste that GUID into a second adfind command to list all of the attributes in the property set:&lt;/p&gt;
&lt;pre&gt;adfind -sc propsetmembersl:"77b5b886-944a-11d1-aebd-0000f80367c1"&lt;/pre&gt;
&lt;p&gt;Depending on the schema your directory has, your results might vary a bit, but in my test forest this is the result:&lt;/p&gt;
&lt;blockquote&gt;assistant &lt;br /&gt;c &lt;br /&gt;facsimileTelephoneNumber &lt;br /&gt;homePhone &lt;br /&gt;homePostalAddress &lt;br /&gt;info &lt;br /&gt;internationalISDNNumber &lt;br /&gt;ipPhone &lt;br /&gt;l &lt;br /&gt;mobile &lt;br /&gt;mSMQDigests &lt;br /&gt;mSMQSignCertificates &lt;br /&gt;otherFacsimileTelephoneNumber &lt;br /&gt;otherHomePhone &lt;br /&gt;otherIpPhone &lt;br /&gt;otherMobile &lt;br /&gt;otherPager &lt;br /&gt;otherTelephone &lt;br /&gt;pager &lt;br /&gt;personalTitle &lt;br /&gt;physicalDeliveryOfficeName &lt;br /&gt;postalAddress &lt;br /&gt;postalCode &lt;br /&gt;postOfficeBox &lt;br /&gt;preferredDeliveryMethod &lt;br /&gt;primaryInternationalISDNNumber &lt;br /&gt;primaryTelexNumber &lt;br /&gt;publicDelegates &lt;br /&gt;registeredAddress &lt;br /&gt;st &lt;br /&gt;street &lt;br /&gt;streetAddress &lt;br /&gt;telephoneNumber &lt;br /&gt;teletexTerminalIdentifier &lt;br /&gt;telexNumber &lt;br /&gt;thumbnailPhoto &lt;br /&gt;userCert &lt;br /&gt;userCertificate &lt;br /&gt;userSharedFolder &lt;br /&gt;userSharedFolderOther &lt;br /&gt;userSMIMECertificate &lt;br /&gt;x121Address&lt;/blockquote&gt;
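&lt;p&gt;As an added example that is not part of the original post, the following PowerShell does the two adfind steps above (display name to rightsGuid, then the attributes whose attributeSecurityGUID carries that GUID) and then audits which existing user objects still carry an explicit SELF write ACE for the property set, which is the per-user inventory you would need before deciding whether to clean up an existing forest. It assumes the ActiveDirectory module and the AD: drive it provides; the function names are not from the post.&lt;/p&gt;

```powershell
# Added example (not from the original post). Resolves a property set to its member
# attributes, then audits which users carry an explicit SELF write-property ACE for it.
Import-Module ActiveDirectory

function Get-PropertySetGuid {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Property sets are controlAccessRight objects under Extended-Rights
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $right) { throw "No property set named '$DisplayName' under Extended-Rights" }
    return [guid]$right.rightsGuid
}

function Get-PropertySetMember {
    param([Parameter(Mandatory)][guid]$PropertySetGuid)
    # An attributeSchema object that belongs to a property set stores the set's
    # rightsGuid in attributeSecurityGUID as bytes, so compare client-side as a Guid
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -LDAPFilter "(attributeSecurityGUID=*)" -Properties lDAPDisplayName, attributeSecurityGUID |
        Where-Object { (New-Object -TypeName System.Guid -ArgumentList (,[byte[]]$_.attributeSecurityGUID)) -eq $PropertySetGuid } |
        Select-Object -ExpandProperty lDAPDisplayName |
        Sort-Object
}

function Find-SelfWritePropertyAce {
    param(
        [Parameter(Mandatory)][guid]$PropertySetGuid,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
        # Explicit (non-inherited) ACEs only: that is how defaultSecurityDescriptor
        # stamps them onto each new user
        $hits = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
            $_.ObjectType -eq $PropertySetGuid -and
            -not $_.IsInherited -and
            $_.ActiveDirectoryRights.HasFlag($writeProperty)
        })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName    = $user.SamAccountName
                DistinguishedName = $user.DistinguishedName
            }
        }
    }
}

$guid = Get-PropertySetGuid -DisplayName 'Personal Information'
"Property set 'Personal Information' has rightsGuid $guid"
Get-PropertySetMember -PropertySetGuid $guid
# Read-only audit; nothing is modified
Find-SelfWritePropertyAce -PropertySetGuid $guid | Format-Table -AutoSize
```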
&lt;p&gt;If you’ve got an automated system that populates any of these attributes, hypothetically an end user could put other data in them and start breaking things. I’ve only ever heard once or twice of this happening, and I’m not fully aware of all the implications of removing these ACEs if you wanted to prevent the possibility. Keep in mind that this is applied as an individual ACE to each user as it’s created, so, in order to clean this up in an existing forest you’d need a script to go through and remove the ACEs from each user individually. New users would get the updated defaults based on modifying the defaultSecurityDescriptor of the user class, though.&lt;/p&gt;</description>
			<a10:updated>2011-02-24T00:00:00Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1749</guid>
			<link>https://www.briandesmond.com/active-directory/active-directory-spn-mappings-and-kerberos/</link>
			<title>Active Directory SPN Mappings and Kerberos</title>
			<description>&lt;p&gt;I had an interesting customer problem today where Kerberos was being attempted for a service principal name (SPN) which simply didn&amp;rsquo;t exist in Active Directory. This was causing the applications (Exchange) involved to fail as they couldn&amp;rsquo;t authenticate to one another. The client machine involved was logging numerous errors similar to the following indicating that it was presenting a service ticket encrypted by another machine to the server in question.&lt;/p&gt;
&lt;blockquote&gt;Log Name:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; System &lt;br /&gt;Source:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Microsoft-Windows-Security-Kerberos &lt;br /&gt;Date:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 12/6/2010 2:03:11 PM &lt;br /&gt;Event ID:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 4 &lt;br /&gt;Level:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Error &lt;br /&gt;Description: &lt;br /&gt;The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server01$. The target name used was HTTP/webmail.customer.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (CUSTOMER.COM) is different from the client domain (CUSTOMER.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.&lt;/blockquote&gt;
&lt;p&gt;The tricky part about this was that Kerberos shouldn&amp;rsquo;t have been in use at all; NTLM should have been. With SPNEGO enabled on the IIS virtual directory, once Kerberos is deemed possible, we can&amp;rsquo;t fall back to NTLM. My first step was to search Active Directory with &lt;a href="http://www.joeware.net/freetools/tools/adfind/index.htm" target="_blank"&gt;adfind&lt;/a&gt; for an object which had the http/webmail.customer.com SPN:&lt;/p&gt;
&lt;pre class="brush: bash;"&gt;adfind -f "servicePrincipalName=http/webmail.customer.com" -gcb&lt;/pre&gt;
&lt;p&gt;I came up empty, though. This makes things even more interesting since there&amp;rsquo;s no way Kerberos could be attempted if there&amp;rsquo;s no user or machine account in the directory with a matching SPN. My next step was to do a search for any accounts which had the HOST/webmail.customer.com SPN registered:&lt;/p&gt;
&lt;pre class="brush: bash;"&gt;adfind -f "servicePrincipalName=HOST/webmail.customer.com" -gcb&lt;/pre&gt;
&lt;p&gt;This time I found a computer account called WEBMAIL. The server had long since been retired, but the orphaned computer account was still in AD. The root cause is a feature of Active Directory that maps the HOST service class onto several dozen other service classes. There are numerous services (RPC or Netlogon, for example) that every Windows machine runs, and it would be a huge waste of space to register an SPN for each of them on every computer account in the directory. Instead, Active Directory has an attribute called sPNMappings on the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=&amp;hellip; object in the Configuration NC, listing the service classes that HOST stands in for. One of the classes in that list is &amp;ldquo;http&amp;rdquo;, which is why the KDC issued a ticket for http/webmail.customer.com encrypted with the retired machine account&amp;rsquo;s secret. The live web server runs under a different account, so it could not decrypt that ticket, which is exactly the KRB_AP_ERR_MODIFIED in the event above.&lt;/p&gt;
&lt;p&gt;Each time the KDC receives a service ticket request, it first searches the directory for an account that explicitly holds the requested SPN. If there is no match, it checks whether the service class (HTTP in this case) is listed in sPNMappings. If it is, the KDC searches again for a user or computer holding HOST/some-name.domain.com, and if that finds a match a service ticket is issued, encrypted to that account&amp;rsquo;s key. The practical consequence is that any stale computer account whose name matches a host name still in use will answer for every mapped service class on that name, so retired machine accounts should be removed from the directory rather than left behind. Below is a copy of a slide from a presentation I gave at &lt;a href="http://www.tec2010.com" target="_blank"&gt;TEC&lt;/a&gt; this year which summarizes this functionality.&lt;/p&gt;
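&lt;p&gt;The lookup order described above, as an added example that is not part of the original post: the PowerShell below walks the same three steps the KDC does (explicit SPN, sPNMappings alias check, HOST/ search) and reports which account a ticket for a given SPN would be encrypted to. It assumes a domain-joined machine, Windows PowerShell 5 or later and any domain user (all searches are read-only); the function and parameter names are mine, no RSAT module is required, and the SPN in the final call is the one from the event in the post.&lt;/p&gt;

```powershell
# Added example, not code from the original post: walk the same lookup order the KDC
# uses for a service ticket request, so you can see which account a ticket for a given
# SPN would be encrypted to, including the sPNMappings fallback that let a stale
# HOST/ account answer for HTTP/ in the post.
# Assumptions: domain-joined machine, any domain user (the searches are read-only),
# Windows PowerShell 5 or later; no RSAT module is required.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so the value cannot change the shape of the filter
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Find-SpnHolder {
    # Every account in the forest whose servicePrincipalName holds exactly this SPN
    # (a GC search, which is what "adfind -gcb" did in the post).
    param([string]$Spn)
    $forestRootDn = ([adsi]'LDAP://RootDSE').Properties['rootDomainNamingContext'][0]
    $filter   = "(servicePrincipalName=$(ConvertTo-LdapFilterValue $Spn))"
    $searcher = [adsisearcher]::new([adsi]"GC://$forestRootDn", $filter)
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Account = $r.Properties['samaccountname'][0]
            Dn      = $r.Properties['distinguishedname'][0]
        }
    }
}

function Resolve-KerberosSpn {
    param([Parameter(Mandatory)][string]$Spn)

    $serviceClass, $instance = $Spn -split '/', 2
    if (-not $instance) { throw "'$Spn' is not of the form class/host" }

    # Step 1: an account holding the SPN explicitly always wins
    $holders = @(Find-SpnHolder $Spn)
    if ($holders.Count -gt 1) {
        Write-Warning "$Spn is registered on $($holders.Count) accounts (duplicate SPN); Kerberos to it is broken regardless"
    }
    $matchedBy = 'explicit SPN'

    # Step 2: no explicit holder, so check whether the class is an alias listed in sPNMappings
    if ($holders.Count -eq 0) {
        $configNc = ([adsi]'LDAP://RootDSE').Properties['configurationNamingContext'][0]
        $dsObject = [adsi]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
        $mappedClass = $null
        foreach ($mapping in $dsObject.Properties['sPNMappings']) {
            # each value looks like "host=alerter,appmgmt,...,http,w3svc,..."
            $target, $aliases = $mapping -split '=', 2
            if (($aliases -split ',') -contains $serviceClass) { $mappedClass = $target; break }
        }
        # Step 3: repeat the search with the mapped class, e.g. HOST/webmail.customer.com
        if ($mappedClass) {
            $holders   = @(Find-SpnHolder "$mappedClass/$instance")
            $matchedBy = "sPNMappings ($serviceClass is an alias of $mappedClass)"
        }
    }

    if ($holders.Count -eq 0) {
        $matchedBy = 'no match: KDC returns KDC_ERR_S_PRINCIPAL_UNKNOWN and the client can fall back to NTLM'
        $holders   = @([pscustomobject]@{ Account = $null; Dn = $null })
    }
    foreach ($h in $holders) {
        [pscustomobject]@{ Spn = $Spn; MatchedBy = $matchedBy; Account = $h.Account; Dn = $h.Dn }
    }
}

# The SPN from the event in the post; in that scenario the result is the retired WEBMAIL$
# computer account, matched through sPNMappings rather than an explicit SPN.
Resolve-KerberosSpn 'HTTP/webmail.customer.com' | Format-List
```

&lt;p&gt;Neither the adfind search in the post nor setspn -Q applies sPNMappings; both report only accounts holding the literal SPN, which is why the first search came back empty. Once the stale holder is identified, the remedy is to delete the orphaned computer account, or to register the SPN explicitly on the account the web application actually runs as, since an explicit holder wins at step 1.&lt;/p&gt;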
&lt;p&gt;&lt;a href="http://briandesmond.com/files/media/image/Windows-Live-Writer/98ceea8b8679_DA7C/image_2.png"&gt;&lt;img style="background-image: none; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border-width: 0px;" src="http://briandesmond.com/files/media/image/Windows-Live-Writer/98ceea8b8679_DA7C/image_thumb.png" border="0" alt="image" title="image" width="698" height="522" /&gt;&lt;/a&gt;&lt;/p&gt;</description>
			<a10:updated>2010-12-06T00:00:00Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1745</guid>
			<link>https://www.briandesmond.com/active-directory/view-the-history-of-an-active-directory-object/</link>
			<title>View the History of an Active Directory Object</title>
<description>&lt;p&gt;I answered a &lt;a href="http://twitter.com/slecluyse/statuses/464115998916609" target="_blank"&gt;question&lt;/a&gt; via Twitter the other day as to whether it is possible to see when someone was added to a group without relying on audit information. The good news is that the answer is “Yes!”, assuming your forest is running at the Windows Server 2003 Forest Functional Level (FFL2) or better, and that the user was added after you raised your forest to this level. You can also see when a user was removed; however, once they have been removed you can no longer see when they were added.&lt;/p&gt;
&lt;p&gt;Starting with FFL2, linked values such as group membership replicate individually via linked value replication (LVR). In Windows 2000, a linked attribute replicated as a single block of data, which led to problems with groups that had large memberships. Active Directory also stores additional data called replication metadata: the version of each attribute, when it was last changed, and where the change originated. Since links replicate individually, each link value has its own metadata, which you can use to determine when the user was added to the group. To look at the replication metadata for an object, you need the object’s distinguished name. In this case I’m going to look at the group “Test Group” in my domain:&lt;/p&gt;
&lt;pre class="brush: plain;"&gt;repadmin /showobjmeta test-dc01 "CN=Test Group,OU=Groups,DC=brianlab,DC=local"&lt;/pre&gt;
&lt;p&gt;The output of this command will vary, but, in my environment it looks like this:&lt;/p&gt;
&lt;blockquote&gt;13 entries. &lt;br /&gt;Loc.USN                      Originating DSA       Org.USN   Org.Time/Date         Ver Attribute &lt;br /&gt;=======                      ===============       ========= =============         === ========= &lt;br /&gt;685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  objectClass &lt;br /&gt;685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  cn &lt;br /&gt;686100                       TestSite\TEST-DC01    686100    2010-10-27 14:06:19    2  description &lt;br /&gt;685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  instanceType &lt;br /&gt;685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  whenCreated &lt;br /&gt;685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  nTSecurityDescriptor &lt;br /&gt;685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  name &lt;br /&gt;685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  objectSid &lt;br /&gt;685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  sAMAccountName &lt;br /&gt;685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  sAMAccountType &lt;br /&gt;685899                       TestSite\TEST-DC01    685899    2010-10-25 12:56:19    1  sIDHistory &lt;br /&gt;685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  groupType &lt;br /&gt;685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  objectCategory &lt;br /&gt;3 entries. 
&lt;br /&gt;Type     Attribute     Last Mod Time       Originating DSA     Loc.USN Org.USN Ver Distinguished Name &lt;br /&gt;=======  ============  =============       =================   ======= ======= === ============================= &lt;br /&gt;ABSENT   member        2010-11-05 16:55:28 TestSite\TEST-DC01  749327  749327   2  CN=Brian Desmond,OU=Users,DC=brianlab,DC=local &lt;br /&gt;PRESENT  member        2010-11-05 16:55:02 TestSite\TEST-DC01  749320  749320   1  CN=Test User 01,OU=Users,DC=brianlab,DC=local &lt;br /&gt;PRESENT  member        2010-11-02 12:48:34 TestSite\TEST-DC01  730720  730720   1  CN=Doe\, John,OU=Users,DC=brianlab,DC=local&lt;/blockquote&gt;
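&lt;p&gt;As an added example that is not part of the original post, the PowerShell below parses the linked-value section of repadmin /showobjmeta output (the PRESENT/ABSENT rows above) into objects and orders them by originating USN into a membership timeline. The three member rows from the output above are embedded as constructed sample input so it runs offline; in practice you pipe the live repadmin command into it. Function names are mine. Keep in mind that an ABSENT row is a deactivated link that only survives for the tombstone lifetime, after which the removal disappears from the metadata too.&lt;/p&gt;

```powershell
# Added example, not code from the original post: parse the linked-value table that
# "repadmin /showobjmeta" prints and turn it into a membership timeline.
# Live usage (pipe the command output in):
#   repadmin /showobjmeta test-dc01 "CN=Test Group,OU=Groups,DC=brianlab,DC=local" |
#       ConvertFrom-LinkedValueMetadata | Get-MembershipTimeline

function ConvertFrom-LinkedValueMetadata {
    param(
        [Parameter(ValueFromPipeline)][string]$Line,
        [string]$Attribute = 'member'   # which linked attribute to keep
    )
    begin {
        # Columns: Type, Attribute, Last Mod Time, Originating DSA, Loc.USN, Org.USN, Ver, DN
        $rowPattern = '^(PRESENT|ABSENT)\s+(\S+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$'
    }
    process {
        # a pasted here-string carries many rows in one string; live output is one row per string
        foreach ($row in ($Line -split '\r?\n')) {
            $m = [regex]::Match($row, $rowPattern)
            if (-not $m.Success) { continue }                  # header, separator and attribute rows
            if ($m.Groups[2].Value -ne $Attribute) { continue }
            [pscustomobject]@{
                State          = $m.Groups[1].Value
                Attribute      = $m.Groups[2].Value
                LastChanged    = [datetime]::ParseExact($m.Groups[3].Value, 'yyyy-MM-dd HH:mm:ss', $null)
                OriginatingDsa = $m.Groups[4].Value
                LocalUsn       = [int64]$m.Groups[5].Value
                OriginatingUsn = [int64]$m.Groups[6].Value
                Version        = [int]$m.Groups[7].Value
                TargetDn       = $m.Groups[8].Value
            }
        }
    }
}

function Get-MembershipTimeline {
    param([Parameter(ValueFromPipeline)][pscustomobject]$Link)
    begin { $links = @() }
    process { $links += $Link }
    end {
        # The originating USN orders changes made on the same DSA even when clocks disagree,
        # so sort on it and keep the timestamp for display.
        foreach ($l in ($links | Sort-Object OriginatingUsn)) {
            # Version counts every add/remove of this link value; only the latest change keeps
            # metadata, so an ABSENT row tells you when the member was removed but not when it
            # was added, and a PRESENT row with Version 3 was added, removed and re-added.
            $change = if ($l.State -eq 'PRESENT') { 'added' } else { 'removed (add time not recoverable)' }
            [pscustomobject]@{
                When    = $l.LastChanged
                OrgUsn  = $l.OriginatingUsn
                Version = $l.Version
                Change  = $change
                Member  = $l.TargetDn
            }
        }
    }
}

# Constructed sample: the three member rows from the output in the post
$sample = @'
ABSENT   member        2010-11-05 16:55:28 TestSite\TEST-DC01  749327  749327   2  CN=Brian Desmond,OU=Users,DC=brianlab,DC=local
PRESENT  member        2010-11-05 16:55:02 TestSite\TEST-DC01  749320  749320   1  CN=Test User 01,OU=Users,DC=brianlab,DC=local
PRESENT  member        2010-11-02 12:48:34 TestSite\TEST-DC01  730720  730720   1  CN=Doe\, John,OU=Users,DC=brianlab,DC=local
'@

$sample | ConvertFrom-LinkedValueMetadata | Get-MembershipTimeline | Format-Table -AutoSize
```

&lt;p&gt;On the sample the timeline comes out as John Doe added (USN 730720), Test User 01 added (749320), then Brian Desmond removed (749327), which is the ordering the takeaways below draw from the raw output.&lt;/p&gt;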
&lt;p&gt;There are a couple of key takeaways here. The first is that you can see the version number of each attribute. In this case none of the attributes have been modified since the group was created, except description, which was updated once a couple of days later. At the bottom of the output is the listing for each linked attribute value. Here only the member attribute is populated, but if another linked attribute such as managedBy were populated it would be listed as well. On 11/5 my user was removed from the group, and shortly before that Test User 01 was added. On 11/2 John Doe was added. You can tell that Test User 01 was added before I was removed because the originating USN for Test User 01’s link is slightly lower.&lt;/p&gt;</description>
			<a10:updated>2010-11-06T00:00:00Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1709</guid>
			<link>https://www.briandesmond.com/active-directory/baseline-registry-settings-for-new-domain-controllers/</link>
			<title>Baseline Registry Settings for new Domain Controllers</title>
<description>&lt;p&gt;I have a list of baseline registry settings that I put on any new domain controller. I thought I'd share the VBScript below, which sets all of them and also enables some performance counters. Many of the settings are applicable outside a domain controller.&lt;/p&gt;
&lt;div class="note"&gt;&lt;strong&gt;Note: &lt;/strong&gt;These settings have been tested countless times on Windows Server 2003 domain controllers. Where possible, I indicated which settings do not apply to a Windows Server 2008 (or later) domain controller. I've used these on Windows Server 2008 domain controllers, though not nearly as many times as on prior versions.&lt;/div&gt;
&lt;p&gt;Feel free to use this and leave a comment if you have any suggestions for additions, etc.&lt;/p&gt;
&lt;pre class="vb"&gt;'==========================================================================
' NAME: Baseline Registry Settings for new Domain Controllers
'
' AUTHOR: Brian Desmond, brian@briandesmond.com
' DATE  : 8/1/2009
'
'=========================================================================
'	Version		Date		Author			Note
'	-----------------------------------------------------------------
'	1.0			01Aug09		Brian Desmond	Initial Release	
'==========================================================================

Option Explicit

Dim shl
Set shl = WScript.CreateObject("WScript.Shell")

' Enable Remote Desktop
' (on a DC, pair this with a restricted "Allow log on through Remote Desktop Services" right)
WriteRegistry "HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections", 0, "REG_DWORD"

' Set crash config settings
WriteRegistry "HKLM\SYSTEM\CurrentControlSet\CrashControl\NMICrashDump", 1, "REG_DWORD"
WriteRegistry "HKLM\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters\CrashOnCtrlScroll", 1, "REG_DWORD"
' WS03 pre SP2 requires KB244139 for the following to be effective
' WS08 pre SP2 requires KB971284 for the following to be effective
WriteRegistry "HKLM\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters\CrashOnCtrlScroll", 1, "REG_DWORD"

' log DIT whitespace info
WriteRegistry "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\6 Garbage Collection", 1, "REG_DWORD"
' Expensive/inefficient queries (level 5 logs each one as Directory Service event 1644)
WriteRegistry "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering", 5, "REG_DWORD"

' JET Perf counters
WriteRegistry "HKLM\system\currentcontrolset\Services\ESENT\Performance\Open", "OpenPerformanceData", "REG_SZ"
WriteRegistry "HKLM\system\currentcontrolset\Services\ESENT\Performance\Collect", "CollectPerformanceData", "REG_SZ"
WriteRegistry "HKLM\system\currentcontrolset\Services\ESENT\Performance\Close", "ClosePerformanceData", "REG_SZ"
WriteRegistry "HKLM\system\currentcontrolset\Services\ESENT\Performance\Library", "%systemroot%\system32\esentprf.dll", "REG_SZ"
WriteRegistry "HKLM\system\currentcontrolset\Services\ESENT\Performance\Squeaky Lobster", 1, "REG_DWORD"

' === Shouldn't be necessary on WS08
' set the path to the install binaries
WriteRegistry "HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\SourcePath", "C:\", "REG_SZ"
WriteRegistry "HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath", "C:\", "REG_SZ"

' Import JET perf counters
' === Path under WS08 is %windir%\inf\ESENT\0000\esentprf.ini
shl.Run(shl.ExpandEnvironmentStrings("%SystemRoot%\System32\lodctr.exe %SystemRoot%\System32\esentprf.ini"))

' === Shouldn't be necessary on WS08
' Disable manage server wizard
WriteRegistry "HKEY_USERS\.Default\Software\Microsoft\Windows NT\CurrentVersion\Setup\Welcome\srvwiz", 0, "REG_DWORD"
WriteRegistry "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Setup\Welcome\srvwiz", 0, "REG_DWORD"

' === Shouldn't be necessary on WS08
' Disable SP2 SNP stuff
WriteRegistry "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPChimney", 0, "REG_DWORD"
WriteRegistry "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPA", 0, "REG_DWORD"
WriteRegistry "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableRSS", 0, "REG_DWORD"

' writes a given value to a given registry path
' RegWrite raises a runtime error on failure; there is no On Error handling
' here, so that error propagates up the stack and stops the script.
' Use RegRead afterwards if you want to validate the result.
Sub WriteRegistry(path, value, regType)
	Dim sbShl
	Set sbShl = WScript.CreateObject("WScript.Shell")

	sbShl.RegWrite path, value, regType

	Set sbShl = Nothing 
End Sub 
&lt;/pre&gt;</description>
			<a10:updated>2009-08-01T00:00:00Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1704</guid>
			<link>https://www.briandesmond.com/active-directory/windows-2008-schema-update-insuff_access_rights/</link>
			<title>Windows 2008 Schema Update - INSUFF_ACCESS_RIGHTS</title>
<description>&lt;p&gt;If you're trying to import an LDIF file with some schema changes on a Windows Server 2008 (or Vista) machine and it fails with an access denied error and an INSUFF_ACCESS_RIGHTS message, first make sure your account is in the Schema Admins group. Second, make sure User Account Control isn't getting in the way: right-click the Command Prompt shortcut, choose Run as Administrator, and then retry the LDIF import.&lt;/p&gt;</description>
			<a10:updated>2009-06-12T00:00:00Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1702</guid>
			<link>https://www.briandesmond.com/active-directory/editing-group-policies-without-aduc-or-gpmc/</link>
			<title>Editing Group Policies without ADUC or GPMC</title>
<description>&lt;p&gt;Under Windows Server 2003 (and 2000), Active Directory Users and Computers was always available by launching dsa.msc. From there you could use the legacy Group Policy management interface if you didn't have the GPMC installed. Windows Server 2008 machines no longer have ADUC by default unless they are domain controllers or you install the management tools. This makes the scenario where you need to edit a Group Policy locally a bit more complicated.&lt;/p&gt;
&lt;p&gt;The good news is that the Group Policy Editor itself is present on Windows Server 2008 machines; you just can't graphically browse to a GPO (so far as I know). If you launch gpedit.msc, the local machine policy is loaded. Adding the snap-in manually to an MMC lets you target another machine and edit its local policy.&lt;/p&gt;
&lt;p&gt;The gpedit.msc console will, however, accept an argument at startup pointing it at a GPO in the domain. To do this you need the GUID of the policy you want to edit. In the GPMC on another machine, select the GPO, go to the Details tab, and copy the GUID shown next to the Unique ID label.&lt;/p&gt;
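&lt;p&gt;If there is no GPMC anywhere handy to copy the GUID from, the GPO container can be found directly in the directory, since every GPO lives under CN=Policies,CN=System as an object whose CN is the GUID and whose displayName is the friendly name. The script below is an added example, not part of the original post: it resolves a display name to the GUID-named container via LDAP and launches gpedit.msc with the /gpobject argument described here. It assumes a domain-joined machine, Windows PowerShell 5 or later and read access to CN=Policies; the script name and the sample argument are mine.&lt;/p&gt;

```powershell
# Added example, not code from the original post. Save as Open-Gpo.ps1 (name is mine) and run:
#   .\Open-Gpo.ps1 'Default Domain Policy'
# Resolves a GPO display name to its GUID-named container in CN=Policies,CN=System and opens
# it in gpedit.msc with /gpobject, so no GPMC or ADUC is needed to find the GUID.
param(
    [Parameter(Mandatory)][string]$DisplayName
)

# RootDSE gives the current domain's naming context, so nothing is hard-coded
$domainDn = ([adsi]'LDAP://RootDSE').Properties['defaultNamingContext'][0]
$policies = [adsi]"LDAP://CN=Policies,CN=System,$domainDn"

# RFC 4515 escaping so an unusual display name cannot change the shape of the filter
$escaped  = $DisplayName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
$searcher = [adsisearcher]::new($policies, "(displayName=$escaped)")
$searcher.SearchScope = 'OneLevel'   # GPO containers sit directly under CN=Policies
$null = $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'distinguishedName', 'gPCFileSysPath'))

$found = @($searcher.FindAll())
switch ($found.Count) {
    0 { throw "No GPO named '$DisplayName' found under CN=Policies,CN=System,$domainDn" }
    1 {
        $gpo = $found[0]
        $dn  = $gpo.Properties['distinguishedname'][0]
        Write-Host "GUID:   $($gpo.Properties['cn'][0])"
        Write-Host "SYSVOL: $($gpo.Properties['gpcfilesyspath'][0])"
        # Same argument the post describes; mmc.exe is invoked directly rather than relying on
        # the .msc file association to pass arguments through.
        Start-Process -FilePath "$env:SystemRoot\System32\mmc.exe" -ArgumentList @(
            "`"$env:SystemRoot\System32\gpedit.msc`"",
            "/gpobject:`"LDAP://$dn`""
        )
    }
    default {
        # GPO display names are not unique; list the candidates rather than guessing
        $found | ForEach-Object { Write-Host ($_.Properties['cn'][0] + '  ' + $_.Properties['distinguishedname'][0]) }
        throw "More than one GPO is named '$DisplayName'; pass the GUID you want to gpedit.msc /gpobject directly"
    }
}
```

&lt;p&gt;The gPCFileSysPath printed alongside the GUID is the SYSVOL folder for the same GPO, which is handy when you need to inspect or back up the policy files as well.&lt;/p&gt;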
&lt;p&gt;If, for example, you wanted to edit the GPO with GUID {0F0AB6A5-A700-4493-9D0E-DCCA40D2E27B} in the domain briandesmond.net, you would run:&lt;/p&gt;
&lt;pre class="brush: plain;"&gt;gpedit.msc /gpobject:"LDAP://CN={0F0AB6A5-A700-4493-9D0E-DCCA40D2E27B},CN=Policies,CN=System,DC=briandesmond,DC=net"&lt;/pre&gt;</description>
			<a10:updated>2009-06-07T00:00:00Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1688</guid>
			<link>https://www.briandesmond.com/active-directory/script-for-bulk-import-of-active-directory-subnets/</link>
			<title>Script for Bulk Import of Active Directory Subnets</title>
<description>&lt;p&gt;I&amp;rsquo;ve been using this script for years now and was reminded of it by a post on the &lt;a href="http://www.activedir.org" target="_blank"&gt;activedir.org&lt;/a&gt; DL the other day. The script does exactly what the name implies: it takes a tab-separated input file (supplied as the first argument) and generates an Active Directory subnet object for each line. If the subnet already exists, its associated site and description are updated. The script targets the forest the user is currently logged in to.&lt;/p&gt;
&lt;p&gt;The code is pasted in below; note the format for the input file (TSV) in the header comment. One field I noticed is missing is the canonical location field. You should be able to add this to the script pretty easily if you need it, or if there&amp;rsquo;s sufficient demand leave a comment and I can do it.&lt;/p&gt;
&lt;div class="note"&gt;&lt;strong&gt;Note: &lt;/strong&gt;You can export tab separated files from Excel via the File&amp;gt;Save As menu.&lt;/div&gt;
&lt;pre class="vb"&gt;'==========================================================================
' NAME: Import Subnets from Tab Separated File
'
' AUTHOR: Brian Desmond, brian@briandesmond.com
'
' COMMENT: 
'
' TEMPLATE FILE FORMAT (tab delimited):
' Subnet Address	Prefix Length	Site Name	Description
'==========================================================================

Option Explicit

If WScript.Arguments.Count &amp;lt; 1 Then
	WScript.Echo "Specify an input file name as an argument to this script."
	WScript.Quit(1)
End If 

Dim fso
Set fso = WScript.CreateObject("Scripting.FileSystemObject")

Dim importFile
importFile = Trim(WScript.Arguments(0))

If Not fso.FileExists(importFile) Then
	WScript.Echo "Input file not found"
	WScript.Quit(1)
End If 

Dim configNcDn
configNcDn = GetConfigNc()

Dim inputReader
Set inputReader = fso.OpenTextFile(importFile)

Dim line
While Not inputReader.AtEndOfStream
	line = inputReader.ReadLine
	Dim tokens
	tokens = Split(line, vbtab)
	
	Dim subnetAddress
	subnetAddress = ""
	Dim prefixLength
	prefixLength = ""
	Dim siteName
	siteName = ""
	Dim description
	description = ""	
	
	On Error Resume Next
	
	subnetAddress = tokens(0)
	prefixLength = tokens(1)
	siteName = tokens(2)
	description = tokens(3)
	
	On Error GoTo 0 
	
	If subnetAddress = "" Or prefixLength = "" Or siteName = "" Then
		WScript.Echo "FAIL: " &amp;amp; line
	Else
		Dim siteDn
		siteDn = GetSiteDn(configNcDn, siteName)
		
		If siteDn = "" Then 
			WScript.Echo "SITE NOT FOUND: " &amp;amp; line 
		Else
			Dim subnetCn
			subnetCn = subnetAddress &amp;amp; "/" &amp;amp; prefixLength
		
			Dim subnetDn
			subnetDn = GetSubnetDn(configNcDn, subnetCn)

			' GetSubnetDn returns "" (Empty) when no matching subnet object exists
			Dim subnetExists
			subnetExists = Not (subnetDn = "")

			Dim subnetObj
			If subnetExists Then
				' bind to the existing subnet; the "/" in its CN must be escaped in the ADsPath
				Set subnetObj = GetObject("LDAP://" &amp;amp; Replace(subnetDn, "/", "\/"))
			Else 
				Dim configObj
				Set configObj = GetObject("LDAP://CN=Subnets,CN=Sites," &amp;amp; configNcDn)
				
				Set subnetObj = configObj.Create("subnet", "cn=" &amp;amp; subnetCn)
			End If 			

			subnetObj.Put "siteObject", siteDn
			If Not Trim(description) = "" Then 
				subnetObj.Put "description", description
			End If 
			subnetObj.SetInfo 
				
			WScript.Echo "SUCCEED: " &amp;amp; line 
			Set subnetObj = Nothing 
		End If 
	End If 
Wend

inputReader.Close
WScript.Echo "Complete"

Function GetConfigNc()
	Dim rootDse
	Set rootDse = GetObject("LDAP://RootDSE")
	
	Dim configNc
	configNc = rootDse.get("configurationNamingContext")
	
	Set rootDse = Nothing
	
	GetConfigNc = configNc
End Function

Function GetSiteDn(configNc, siteName)
	Dim cnxn
	Set cnxn = WScript.CreateObject("ADODB.Connection")
	cnxn.Provider = "ADsDSOObject"
	cnxn.Open "Active Directory Provider"
	
	Dim cmd
	Set cmd = WScript.CreateObject("ADODB.Command")
	cmd.ActiveConnection = cnxn
	
	cmd.CommandText = "&amp;lt;LDAP://" &amp;amp; configNc &amp;amp; "&amp;gt;;(&amp;amp;(objectcategory=site)(cn=" &amp;amp; siteName &amp;amp; "));distinguishedName;subtree"
	cmd.Properties("Page Size") = 100
	cmd.Properties("Timeout") = 30
	cmd.Properties("Cache Results") = False
	
	Dim rs
	Set rs = cmd.Execute
	
	While Not rs.eof 
		GetSiteDn = rs.fields("distinguishedName").Value
		
		rs.MoveNext
	Wend 
	
	rs.close
	cnxn.Close
	
	Set rs = Nothing
	Set cmd = Nothing
	Set cnxn = Nothing 
End Function 

Function GetSubnetDn(configNc, subnetName)
	Dim cnxn
	Set cnxn = WScript.CreateObject("ADODB.Connection")
	cnxn.Provider = "ADsDSOObject"
	cnxn.Open "Active Directory Provider"
	
	Dim cmd
	Set cmd = WScript.CreateObject("ADODB.Command")
	cmd.ActiveConnection = cnxn
	
	cmd.CommandText = "&amp;lt;LDAP://" &amp;amp; configNc &amp;amp; "&amp;gt;;(&amp;amp;(objectcategory=subnet)(cn=" &amp;amp; subnetName &amp;amp; "));distinguishedName;subtree"
	cmd.Properties("Page Size") = 100
	cmd.Properties("Timeout") = 30
	cmd.Properties("Cache Results") = False
	
	Dim rs
	Set rs = cmd.Execute
	
	While Not rs.eof 
		GetSubnetDn = rs.fields("distinguishedName").Value
		
		rs.MoveNext
	Wend 
	
	rs.close
	cnxn.Close
	
	Set rs = Nothing
	Set cmd = Nothing
	Set cnxn = Nothing 
End Function
&lt;/pre&gt;</description>
			<a10:updated>2009-02-21T00:00:00Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1689</guid>
			<link>https://www.briandesmond.com/active-directory/script-for-bulk-import-of-active-directory-site-links/</link>
			<title>Script for Bulk Import of Active Directory Site Links</title>
			<description>&lt;p&gt;I wrote this script when I was frequently deploying replication topologies for large geographies. Rather than manually creating them one at a time, I would set everything up in a spreadsheet and then import the spreadsheet. There are a few assumptions made in this script. You may need to modify it a bit if the assumptions don’t work for you.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Site links only contain two sites&lt;/li&gt;
&lt;li&gt;The replication schedule will be copied from another site link&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The input file is expected to be in tab separated format which you can export from Excel (it’s one of the options under File&amp;gt;Save As). The order of the fields is documented at the top of the script. The Hub Site and Spoke Site fields should contain the common name (CN) of the relevant site objects. The Schedule field should contain the common name (CN) of the site link to duplicate the schedule from.&lt;/p&gt;
&lt;div class="note"&gt;&lt;strong&gt;Note: &lt;/strong&gt;I typically recommend creating template site links for each unique schedule which are only used for scripting. When you create the site link with Active Directory Sites &amp;amp; Services, the tool will require you to pick sites to include in that site link. Once you’re done configuring the template, use a tool like ADSI Edit to remove the sites from the siteList attribute of the template site link. It is fine to have site links with no sites in Active Directory – they simply won’t do anything.&lt;/div&gt;
&lt;pre class="vb"&gt;'==========================================================================
' NAME: Import Site Links from TSV
'
' AUTHOR: Brian Desmond, brian@briandesmond.com
' DATE  : 3/13/2008
'
' COMMENT: 
'
' TEMPLATE FILE FORMAT (tab delimited):
' Hub Site	Spoke Site	Cost	Frequency	Schedule
'==========================================================================

Option Explicit

If WScript.Arguments.Count &amp;lt; 1 Then
	WScript.Echo "Specify an input file name as an argument to this script."
	WScript.Quit(1)
End If 

Dim fso
Set fso = WScript.CreateObject("Scripting.FileSystemObject")

Dim importFile
importFile = Trim(WScript.Arguments(0))

If Not fso.FileExists(importFile) Then
	WScript.Echo "Input file not found"
	WScript.Quit(1)
End If 

Dim configNcDn
configNcDn = GetConfigNc()

Dim inputReader
Set inputReader = fso.OpenTextFile(importFile)

Dim line
While Not inputReader.AtEndOfStream
	line = inputReader.ReadLine
	
	Dim tokens
	tokens = Split(line, vbtab)
	
	Dim hubSite
	Dim spokeSite
	Dim cost
	cost = -1
	Dim frequency
	frequency = -1
	Dim templateSchedule
		
	' a short line would otherwise stop the script with a subscript error;
	' missing fields are caught by the validation below instead
	On Error Resume Next
	hubSite = tokens(0)
	spokeSite = tokens(1)
	cost = tokens(2)
	frequency = tokens(3)
	templateSchedule = tokens(4)
	On Error GoTo 0
	
	Dim hubSiteDn
	Dim spokeSiteDn
	
	hubSiteDn = GetSiteDn(configNcDn, hubSite)
	spokeSiteDn = GetSiteDn(configNcDn, spokeSite)
	
	' cost and frequency arrive as strings, so test them with IsNumeric rather than comparing to -1
	If hubSiteDn = "" Or spokeSiteDn = "" Or templateSchedule = "" Or Not IsNumeric(cost) Or Not IsNumeric(frequency) Then
		WScript.Echo "FAIL: " &amp;amp; line
	Else
		Dim siteLinkName
		siteLinkName = hubSite &amp;amp; " - " &amp;amp; spokeSite

		On Error Resume Next 		
		Dim siteLinkObj
		Set siteLinkObj = GetObject("LDAP://" &amp;amp; GetSiteLinkDn(configNcDn, siteLinkName))
		
		Dim siteLinkExists 
		
		If Err.Number &amp;lt;&amp;gt; 0 Then 
			siteLinkExists = False 
			Err.Clear
		Else
			siteLinkExists = True 	
		End If 
		On Error GoTo 0 

		On Error Resume Next 
		Dim templateLinkObj
		Set templateLinkObj = GetObject("LDAP://" &amp;amp; GetSiteLinkDn(configNcDn, templateSchedule))
		Dim schedule
		
		If Err.Number &amp;lt;&amp;gt; 0 Then
			WScript.Echo "Template " &amp;amp; templateSchedule &amp;amp; " not found"
			Err.Clear
			On Error GoTo 0 
		Else
			On Error GoTo 0 
			schedule = templateLinkObj.get("schedule")
		End If
	
		If siteLinkExists = False Then ' we are making a new one not updating an existing one
			Dim transports
			Set transports = GetObject("LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites," &amp;amp; configNcDn)
			
			Dim newObj
			Set newObj = transports.Create("siteLink", "cn=" &amp;amp; siteLinkName)
			
			newObj.Put "cost", cost
			newObj.Put "replInterval", frequency
			
			newObj.PutEx 2, "siteList", Array(hubSiteDn, spokeSiteDn)
			newObj.put "schedule", schedule
			
			newObj.SetInfo
			
			WScript.Echo "SUCCEED: " &amp;amp; siteLinkName
		Else
			siteLinkObj.Put "cost", cost
			siteLinkObj.Put "replInterval", frequency
			
			siteLinkObj.PutEx 2, "siteList", Array(hubSiteDn, spokeSiteDn)
			siteLinkObj.put "schedule", schedule
			
			siteLinkObj.SetInfo
			
			WScript.Echo "SUCCEED: " &amp;amp; siteLinkName
		End If 
	End If 
Wend

inputReader.Close
WScript.Echo "Complete"

Function GetConfigNc()
	Dim rootDse
	Set rootDse = GetObject("LDAP://RootDSE")
	
	Dim configNc
	configNc = rootDse.get("configurationNamingContext")
	
	Set rootDse = Nothing
	
	GetConfigNc = configNc
End Function

Function GetSiteDn(configNc, siteName)
	Dim cnxn
	Set cnxn = WScript.CreateObject("ADODB.Connection")
	cnxn.Provider = "ADsDSOObject"
	cnxn.Open "Active Directory Provider"
	
	Dim cmd
	Set cmd = WScript.CreateObject("ADODB.Command")
	cmd.ActiveConnection = cnxn
	
	cmd.CommandText = "&amp;lt;LDAP://" &amp;amp; configNc &amp;amp; "&amp;gt;;(&amp;amp;(objectcategory=site)(cn=" &amp;amp; siteName &amp;amp; "));distinguishedName;subtree"
	cmd.Properties("Page Size") = 100
	cmd.Properties("Timeout") = 30
	cmd.Properties("Cache Results") = False
	
	Dim rs
	Set rs = cmd.Execute
	
	While Not rs.eof 
		GetSiteDn = rs.fields("distinguishedName").Value
		
		rs.MoveNext
	Wend 
	
	rs.close
	cnxn.Close
	
	Set rs = Nothing
	Set cmd = Nothing
	Set cnxn = Nothing 
End Function 

Function GetSiteLinkDn(configNc, siteLinkName)
	Dim cnxn
	Set cnxn = WScript.CreateObject("ADODB.Connection")
	cnxn.Provider = "ADsDSOObject"
	cnxn.Open "Active Directory Provider"
	
	Dim cmd
	Set cmd = WScript.CreateObject("ADODB.Command")
	cmd.ActiveConnection = cnxn
	
	cmd.CommandText = "&amp;lt;LDAP://" &amp;amp; configNc &amp;amp; "&amp;gt;;(&amp;amp;(objectcategory=siteLink)(cn=" &amp;amp; siteLinkName &amp;amp; "));distinguishedName;subtree"
	cmd.Properties("Page Size") = 100
	cmd.Properties("Timeout") = 30
	cmd.Properties("Cache Results") = False
	
	Dim rs
	Set rs = cmd.Execute
	
	While Not rs.eof 
		GetSiteLinkDn = rs.fields("distinguishedName").Value
		
		rs.MoveNext
	Wend 
	
	rs.close
	cnxn.Close
	
	Set rs = Nothing
	Set cmd = Nothing
	Set cnxn = Nothing 
End Function
&lt;/pre&gt;</description>
			<a10:updated>2009-02-21T00:00:00Z</a10:updated>
		</item>
		<item>
			<guid isPermaLink="false">briandesmond-1680</guid>
			<link>https://www.briandesmond.com/active-directory/enlisting-in-dns-application-partitions/</link>
			<title>Enlisting in DNS Application Partitions</title>
<description>&lt;p&gt;For the first time this evening I had to enlist a DNS server in some custom application partitions at a customer site. I had never actually done this before, though I knew it was a simple &lt;em&gt;dnscmd&lt;/em&gt; command. I ran what I felt was the obviously correct command a couple of times and got this error: &lt;em&gt;DNS_ERROR_DP_DOES_NOT_EXIST&lt;/em&gt;. The switch is named "EnlistDirectoryPartition", which I mentally translated to mean I needed to supply the DN of the directory partition I wanted to enlist in. That is in fact wrong if you take the time to read the help: you need to supply the FQDN of the directory partition. Totally unintuitive if you ask me, but whatever works.&lt;/p&gt;
&lt;p&gt;So, if your NC is DC=CampusDnsZones,DC=BrianDesmond,DC=Com, the command to run is:&lt;/p&gt;
&lt;pre class="brush: plain;"&gt;dnscmd MyDnsServer /EnlistDirectoryPartition "CampusDnsZones.BrianDesmond.Com"&lt;/pre&gt;
&lt;div class="note"&gt;&lt;strong&gt;Note: &lt;/strong&gt;You can substitute "." for the server name to perform the operation on the local host. Also note that you need to be running in the context of an Enterprise Admin.&lt;/div&gt;</description>
			<a10:updated>2008-12-08T00:00:00Z</a10:updated>
		</item>
	</channel>
</rss>