Category Archives: Active Directory

AD related stuff

Active Directory Azure Technical Fiction

Azure VM, Active Directory and a Dedicated Disk

Installing the AD DS role onto an Azure virtual machine? Creating a Domain Controller in the cloud? Are you sure you want to do this?

For all Domain Controllers you create on an Azure virtual machine, in addition to the system OS disk (C:\) you MUST add a dedicated disk and ensure that your AD DS install wizard or script uses this dedicated disk as the location for both the Active Directory database (NTDS) and the replicated system volume (SYSVOL) during the Role installation.

IMPORTANT: For this dedicated disk ensure that the ‘Azure Disk Host Cache’ is set to NONE

Failure to do this risks the corruption of your Active Directory database.

The relevant Microsoft documentation can be found here

I’ve extracted the exact section below, saves you going through the whole web page above:

“Data disk drives do not cache writes by default. Data disk drives that are attached to a VM use write-through caching. Write-through caching makes sure the write is committed to durable Azure storage before the transaction is complete from the perspective of the VM’s operating system. It provides durability, at the expense of slightly slower writes.

This is important for Windows Server AD DS because write-behind disk-caching invalidates assumptions made by the DC. Windows Server AD DS attempts to disable write caching but it is up to the disk IO system to honor it. Failure to disable write caching may, under certain circumstances, introduce USN rollback resulting in lingering objects and other problems.

As a best practice for virtual DCs, do the following:

  • Set the Host Cache Preference setting on the Azure data disk for NONE. This prevents issues with write caching for AD DS operations.
  • Store the database, logs, and SYSVOL on either the same data disk or separate data disks. Typically, this is a separate disk from the disk used for the operating system itself. The key takeaway is that the Windows Server AD DS database and SYSVOL must not be stored on an Azure Operating System disk type. By default, the AD DS installation process installs these components in %systemroot% folder, which is NOT recommended for Azure.”

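The three things the post insists on (NTDS and SYSVOL off the OS disk, host cache set to None, and an install that actually targets the dedicated disk) can all be checked or driven from PowerShell. The following is an added example written for this page, not code from the original post or from Microsoft's documentation. It assumes the dedicated disk is mounted as F: and the domain is contoso.local (both placeholders); Test-AzDataDiskCache needs the Az.Compute module and a prior Connect-AzAccount.

```powershell
# Added example (not from the original post). Verifies an existing DC keeps the NTDS
# database, its logs and SYSVOL off the OS disk, checks the host-cache setting of an
# Azure VM's data disks, and promotes a new DC with all three paths on the dedicated disk.
# Assumptions: data disk = F:, domain = contoso.local (placeholders); Az.Compute installed.

function Get-DcStoragePaths {
    # The paths AD DS really uses are in the registry, whatever the wizard was told.
    $ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    [pscustomobject]@{
        Database = $ntds.'DSA Database file'        # e.g. F:\NTDS\ntds.dit
        Logs     = $ntds.'Database log files path'  # e.g. F:\NTDS
        Sysvol   = $netlogon.SysVol                 # e.g. F:\SYSVOL\sysvol
    }
}

function Test-DcOffSystemDisk {
    $paths = Get-DcStoragePaths
    $onOsDisk = $paths.PSObject.Properties |
        Where-Object { $_.Value -like "$env:SystemDrive*" } |
        ForEach-Object { "$($_.Name) -> $($_.Value)" }
    if ($onOsDisk) {
        Write-Warning ("AD DS components on the OS disk (not recommended on Azure):`n" + ($onOsDisk -join "`n"))
        return $false
    }
    return $true
}

function Test-AzDataDiskCache {
    param([Parameter(Mandatory)][string]$ResourceGroup,
          [Parameter(Mandatory)][string]$VmName)
    $vm  = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
    $bad = @($vm.StorageProfile.DataDisks | Where-Object { $_.Caching -ne 'None' })
    foreach ($d in $bad) {
        Write-Warning "Data disk '$($d.Name)' has host caching '$($d.Caching)'; it must be None for NTDS/SYSVOL."
        # To correct it: Set-AzVMDataDisk -VM $vm -Name $d.Name -Caching None
        #                Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm
    }
    return ($bad.Count -eq 0)
}

function Install-DcOnDedicatedDisk {
    param([string]$DomainName = 'contoso.local', [string]$DataDrive = 'F:')
    if (-not (Test-Path "$DataDrive\")) { throw "Dedicated disk $DataDrive is not mounted; do not promote onto C:." }
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
    # All three paths on the data disk; the wizard's defaults would put them under %systemroot%.
    # Prompts for the DSRM password; -Force only suppresses the confirmation prompt.
    Install-ADDSDomainController -DomainName $DomainName `
        -DatabasePath "$DataDrive\NTDS" -LogPath "$DataDrive\NTDS" -SysvolPath "$DataDrive\SYSVOL" `
        -InstallDns -Credential (Get-Credential "$DomainName\Administrator") -Force
}

# On an existing Azure DC:     Test-DcOffSystemDisk
# From an admin workstation:   Test-AzDataDiskCache -ResourceGroup 'rg-ad' -VmName 'dc01'
```

Run Test-DcOffSystemDisk on every Azure-hosted DC you already have; a DC promoted with the wizard defaults will report all three paths under C:\Windows, which is exactly the case the quoted guidance warns about.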
Active Directory

DirSync, Azure AD Sync – Support Ends April 13, 2017

Official Microsoft support for DirSync (x64, single forest) and Azure AD sync (multiple forests) ends within a year on April 13th 2017.

The information was only sent by email last week and not everyone will be aware and the only official Microsoft statement I can find is linked below:

Of course end of support does not mean your sync tool of choice will stop functioning – it will happily continue to function, but an upgrade will be needed to ensure it remains in support from next year onward.

So get your upgrade boots on and get Azure AD Connect working which is the replacement for any of the previous sync tools and was released in 2015, the link above has further links for an in-place or swing upgrade – whatever floats your boat (in reality choose the method that suits your organisation, also test it first in non-Production!!!)

Azure AD Connect

Azure AD Connect essentially replaces any of the following you might still be running:

  • Dirsync
  • Azure AD Sync
  • Azure AD Connector
  • FIM 2012 R2


So seriously consider upgrading this side of Christmas, and not next Easter. You have been informed!

End of Support for legacy Azure sync products
Active Directory

Activate the AD Recycle Bin

You’ve finally got rid of those Windows Server 2003 DCs and you’re ready to upgrade your AD DS Functional Levels to either 2008 or 2012. Now you finally can, and want to, activate the recycle bin feature in AD (it wasn’t possible while you still had 2003 R2 DCs running). The recycle bin feature is stored in the Configuration Partition of your Forest:

CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=tld

This is presumably a location for storing any new features to come. Ok, first it’s nice to check to see if the AD Recycle Bin is already enabled or not, type in:

Get-ADOptionalFeature -filter *

Return the AD Optional Features





Note how there is nothing between the {} for ‘Enabled Scopes’ – this means it is NOT enabled. If it were, you would have an entry in here just as it shows in the 2nd screenshot below. To enable it, it is simply this command:

Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=tld" -Scope ForestOrConfigurationSet -Target domain.tld

Enable AD Recycle Bin




Press Y to confirm and the change is made. Now check the Optional Features setting again, type in:

Get-ADOptionalFeature -filter *

AD Recycle Bin enabled





Test it out. Go on, you know you want to. Delete some objects & recover them (not in Production of course, cause that would be plain silly!). See what attributes are recovered and report back if you wish.
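The check, the enable and the test-restore the post walks through, as an added example written for this page rather than code from the original post. It assumes the ActiveDirectory module, Enterprise Admin rights and a lab forest; the object name in the usage line is a placeholder. The functional-level check uses the actual prerequisite for the Recycle Bin, which is Windows Server 2008 R2 forest mode or higher.

```powershell
# Added example (not from the original post). Reports the Recycle Bin state from
# EnabledScopes, enables it when the forest mode permits, and restores a deleted object
# by name so you can see which attributes come back. Assumes ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RecycleBinState {
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    # EnabledScopes is the empty {} from the screenshot until the feature is enabled for the forest.
    [pscustomobject]@{
        Enabled = (@($feature.EnabledScopes).Count -gt 0)
        Scopes  = $feature.EnabledScopes
        DN      = $feature.DistinguishedName
    }
}

function Enable-RecycleBin {
    $forest  = Get-ADForest
    $minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$minMode) {
        throw "Forest mode is $($forest.ForestMode); raise it to at least $minMode first."
    }
    if ((Get-RecycleBinState).Enabled) { Write-Host 'Recycle Bin is already enabled.'; return }
    # Irreversible: once enabled the feature cannot be switched off again.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

function Restore-DeletedObjectByName {
    param([Parameter(Mandatory)][string]$Name)
    # Tombstoned/deleted objects sit under CN=Deleted Objects and are only returned
    # with -IncludeDeletedObjects; their name becomes '<name><LF>DEL:<guid>', hence the wildcard.
    $deleted = Get-ADObject -Filter "isDeleted -eq `$true -and name -like '$Name*'" `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectClass
    if (-not $deleted) { Write-Warning "No deleted object matching '$Name'."; return $null }
    foreach ($obj in $deleted) {
        Write-Host "Restoring $($obj.objectClass) '$Name' to $($obj.lastKnownParent)"
        # The original parent OU must still exist; otherwise pass -TargetPath to Restore-ADObject.
        Restore-ADObject -Identity $obj.ObjectGUID
    }
    return $deleted
}

# Lab usage:  Get-RecycleBinState
#             Enable-RecycleBin
#             Remove-ADUser TestUser1 ; Restore-DeletedObjectByName -Name 'TestUser1'
#             Get-ADUser TestUser1 -Properties *     # compare attributes with the pre-delete export
```

Export the test object's attributes (Get-ADUser -Properties *) before deleting it so the comparison after Restore-ADObject is meaningful; with the Recycle Bin enabled the object keeps its link-valued attributes such as group membership, which a plain tombstone reanimation loses.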

Active Directory Islam SharePoint stash Technical Fiction Trading Windows 10

It’s 2015, coming soon to my blog…

Right, another year gone. Another already started.

thank you

First I’d like to thank all those who have visited my blog, and especially those who have commented or provided feedback. I really do appreciate it, my stats have been steadily trending upwards which encourages me to share more.

Here I quickly outline my blogging plans for the new year:

More car stuff – by far the most popular post on my blog (by hits/month) is my post on the engine pump failure on my Vauxhall back in 2008. The blog post is here and was posted back in late 2010. I still have said Vauxhall and also have a Zafira, I’ve done bits of work on both and will post updates soon.

More technical stuff – this is both my job and passion, so expect lots more. Hopefully I’m aiming to restart my beginners Server 2008 courses, for Server 2012 of course – both online and classroom based. I’ll be covering AD, Exchange, SharePoint, SQL and PowerShell in lots more detail. Oh and lots on Windows 10 as I march on with my Technical Preview.

Birmingham – the city I live in. There is a tonne of stuff I wish to share, from activities through to infographics. What’s good, what could be better and, in the words of Oliver Queen, I must do what I can to “save my city” in these years of budgetary crises.

Personal Computing – the prevalence of the internet, gadgets, storage and phones means everyone is creating and using data. This is critical data (photos, tax information, licensing, bills, banking, passwords) and I’d like to share how I both store it (with resilience) and secure it (with confidence). This is domestic technology, not corporate.

Trading & Economics – another passion of mine. I will start to share my trading strategy, my actual trades and advice & tips on how to get started and crucially how to create the correct mindset for this. Mental toughness required. Although I concentrate on Forex I’ll be dipping into wider issues such as banking and personal finance where relevant.

CVs/Resumes, Job Hunting, Scam Hunting – as per usual I’ll continue along this path, the 2nd most popular blog post on my site is the CV site one found here. Exposing scams and helping people in their efforts to better their future prospects is something I love doing.

Islam – as my faith is currently under constant attack I believe it a responsibility to add my input as and when I feel it may improve someone’s knowledge on an issue. I often find the basis of prejudice is lack of knowledge; educating people and doing it the right way counters bigotry.

There you go, some simple plans for 2015. The good Lord willing I hope to accomplish all of these.

[7 is my lucky number!]

Active Directory Technical Fiction Virtualization

Free MS Books for Kindle or Kindle App

Whether you have a Kindle, or a smartphone/tablet with the Kindle App installed you can download the following Microsoft related technical books for free. Right now from Amazon. They are:

Introducing Windows 8.1 for IT Professionals – Ed Bott DOWNLOAD

Introducing Windows Server 2012 R2 – Mitch Tulloch DOWNLOAD

Introducing Microsoft System Center 2012 R2 – Mitch Tulloch, Symon Perriman, Microsoft System Center Team DOWNLOAD

Office 365: Migrating and Managing Your Business in the Cloud – Matt Katzer, Don Crawford DOWNLOAD

Introducing Windows Azure for IT Professionals – Mitch Tulloch DOWNLOAD

Microsoft System Center Troubleshooting Configuration Manager – Rushi Faldu, Manoj Pal, Andre Monica, Kaushal Pandey, Mitch Tulloch DOWNLOAD

Microsoft System Center Building a Virtualized Network Solution – Nigel Cain, Alvin Morales, Michel Luescher, Damian Flynn DOWNLOAD

Microsoft System Center Integrated Cloud Platform (Introducing) – David Ziembicki, Mitch Tulloch DOWNLOAD

Remember, you DO NOT need a Kindle to access these books. Use the App. Enjoy!

Active Directory Technical Fiction

Migration Guide: FRS to DFS Replication

In an effort to reduce SYSVOL bloat and replication across Domain Controllers (DCs) consider using DFS Replication (DFSR). A bigger reason however is that FRS is no longer supported in Server 2012, so if you plan to upgrade DCs to Server 2012 then you must do this first. Want a third reason? If you are using Read Only DCs (RODCs) and are still on FRS it is easy for the SYSVOL on the RODC to become out of sync with other DCs; better still, in Server 2008 R2 and above DFS-R ensures that the RODC SYSVOL can never be modified.

DFS-R simply provides better and more efficient synchronisation than the old world File Replication Service (FRS). Prior to proceeding you may want to check and make sure that you are not already using DFS-R. Jump into a command prompt and type in this command:

Dfsrmig /GetGlobalState

If the output is shown as “Current DFSR global state: ‘Eliminated’” then you are already using DFS-R and there is no need to go any further. Stop right here.

dfsrmig command
Did You Know: the DFS-R migration process actually uses Robocopy (yes! Robocopy) to copy the SYSVOL data at various stages.


  • All Domain Controllers need to be online and available. If you have any redundant DCs listed and they have not been cleaned up (metadata an’ all!) then do so before starting this task.
  • Depending on which Server OS and Service Pack level you are on, ALL DCs may need to be located in the default Domain Controllers OU. If they are located in a sub OU or elsewhere (for policy reasons usually) then consider moving them into the default location temporarily during the migration.
  • The PDC Emulator MUST be online during the whole process – that’s the dude with the most up to date Policy and it is the DC that this whole process talks to the most.
  • You need at least a Windows 2008 Functional Level for your Domain, so get rid of those soon-to-be end-of-life Server 2003 R2 DCs first.

4 Steps to DFS-R

There are 4 steps to migrate from FRS to DFS-R using the Dfsrmig command:

  1. Health Check: Run through the following checks on the health of current replication
    1. Ensure there is enough free disk space on each Domain Controller for the migration
    2. Run repadmin /replsummary to ensure current replication is healthy, resolve any issues
    3. Run repadmin /showrepl * /csv > replication.txt to ensure current replication is healthy, resolve any issues in the output file
  2. Migrate to Prepared State: Use the command Dfsrmig /SetGlobalState 1 to begin the migration, use Dfsrmig /GetMigrationState to check the current status of this step. Do NOT proceed until this step is complete
  3. Migrate to Redirected State: Use the command Dfsrmig /SetGlobalState 2 for this second step, use Dfsrmig /GetMigrationState to check the current status of this step. Do NOT proceed until this step is complete. If you wish to stay with FRS for SYSVOL replication then stop here.
  4. Migrate to Eliminated State: [NOTE: There is no going back after this step! You have been warned] Use the command Dfsrmig /SetGlobalState 3 for this final step, use Dfsrmig /GetMigrationState to check the current status of this step. Once this step is complete so is the migration.

That’s all there is to it. Honest.

If you did execute Step 4 in error, then as I said there is no going back. Ever. Unless, of course, you rebuild the whole domain (a whole lot of fun for you then!).
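The four steps above are easy to get wrong by running the next Dfsrmig /SetGlobalState before the previous state has settled on every DC, or by requesting a lower state than the current one (which rolls the migration back). The script below is an added example written for this page, not part of the original guide or of the dfsrmig tool. It assumes it runs on a DC (ideally the PDC Emulator) as a Domain Admin, that the "Succeeded" wording of Dfsrmig /GetMigrationState is stable, and that the timeout and polling values are arbitrary choices.

```powershell
# Added example (not from the original guide). Drives the FRS -> DFSR migration one global
# state at a time, refusing to move on until dfsrmig reports all DCs consistent, and never
# requesting a lower state than the current one. Assumes: run on a DC as Domain Admin;
# dfsrmig prints 'Succeeded' when a state is reached on every DC (assumption); timeouts arbitrary.

$StateNames  = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }
$StateNumber = @{ 'Start' = 0; 'Prepared' = 1; 'Redirected' = 2; 'Eliminated' = 3 }

function Get-DfsrGlobalState {
    # Output contains a line of the form: Current DFSR global state: 'Eliminated'
    $text = (dfsrmig /GetGlobalState) -join "`n"
    if ($text -match "global state: '(\w+)'") { return $Matches[1] }
    throw "Could not parse dfsrmig output:`n$text"
}

function Test-ReplicationHealthy {
    # repadmin /replsummary prints a 'fails/total' column per DC; any non-zero fails count
    # means AD replication must be fixed before SYSVOL migration is attempted.
    $summary = repadmin /replsummary
    $summary | Out-File .\replsummary.txt             # keep the evidence next to the migration
    $failing = @($summary | Where-Object { $_ -match '\s[1-9]\d*\s*/\s*\d+\s' })
    return ($failing.Count -eq 0)
}

function Wait-DfsrMigrationState {
    param([int]$TargetState, [int]$TimeoutMinutes = 60, [int]$PollSeconds = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $status = (dfsrmig /GetMigrationState) -join "`n"
        if ($status -match 'Succeeded') { return $true }   # all DCs at the requested state
        Write-Host "Waiting for '$($StateNames[$TargetState])' on all DCs...`n$status"
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Invoke-DfsrMigrationStep {
    param([Parameter(Mandatory)][ValidateRange(1, 3)][int]$State)
    $currentNum = $StateNumber[(Get-DfsrGlobalState)]
    if ($currentNum -ge $State) {
        # Setting a LOWER state than the current one is a rollback, never what a forward migration wants.
        Write-Host "Already at or beyond '$($StateNames[$State])'; skipping."
        return $true
    }
    if ($State -eq 3) {
        # Eliminated is irreversible: FRS is removed and there is no way back short of a domain rebuild.
        $answer = Read-Host "Move to Eliminated? There is no going back. Type ELIMINATE to confirm"
        if ($answer -ne 'ELIMINATE') { return $false }
    }
    dfsrmig /SetGlobalState $State | Out-Null
    return (Wait-DfsrMigrationState -TargetState $State)
}

function Invoke-FrsToDfsrMigration {
    # Health check first, then Prepared -> Redirected -> Eliminated, stopping at the first failure.
    if (-not (Test-ReplicationHealthy)) { throw 'AD replication reports failures; resolve them first.' }
    foreach ($s in 1..3) {
        if (-not (Invoke-DfsrMigrationStep -State $s)) {
            throw "Migration did not reach '$($StateNames[$s])'; check dfsrmig /GetMigrationState and the DFSR event log."
        }
    }
    Write-Host "DFSR global state is now '$(Get-DfsrGlobalState)'."
}

# Usage: Invoke-DfsrMigrationStep -State 1   (one step at a time), or Invoke-FrsToDfsrMigration
```

Step 2 (Redirected) is the last point at which you can still fall back to FRS; if you want that safety net for a while, call Invoke-DfsrMigrationStep -State 2 and leave Eliminated for a later change window.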

Clean Up Tasks – get rid of FRS!

Now that you have successfully migrated to DFS-R you need to:

  • Delete the old SYSVOL directory
  • Disable and then Remove the NTFRS Service

You really should download and read the full Microsoft guide found here:

As usual, get in touch if you have any questions.

Active Directory

Uplifting Active Directory to 2012/2012 R2


Following on from my earlier post about the death knell for Server 2003, which is due to retire in July 2015, I provide some guidance on uplifting your Domain Controllers to either 2008 or, more relevant to this post, to 2012 R2. It has been a year since 2012 R2 was released in October 2013 so you better be ready for it…are you ready, are you sure? …go on be honest, does it scare you? Change usually does. This guide will serve as a calming oasis in a sea of chaos.

To clarify at the outset, we are not bothered about upgrading member servers here; that’s a big task for even smaller organisations as any legacy services and applications running on these will need some level of remediation to work on 2012 or 2012 R2 member servers. Heck, just migrate to the latest version straight into the ‘cloud’ as a hosted solution and let the 3rd party vendor do all the hard work (then all you need is a Trust or Federation! Easy!). Just remember that member servers on an OS of 2003 Server or above will function completely fine in a pure 100% 2012 R2 AD environment (but don’t forget about July 2015!).

Out with the old…

NOTE: Also we are not talking about an AD migration here, this is a DIY guide to replacing all your flavour of the month Domain Controllers (Windows 2003, 2003R2, 2008 or 2008 R2) with all new shiny 2012 R2 Domain Controllers (DCs) – and then optionally uplifting your Domain &/or Forest Functional levels.


Please Please Please Please Please do some housekeeping. Clean up those stale objects (users, groups, computers, GPOs, forward and reverse DNS entries, SIDs, OUs, Sites, Trusts), clean down those global groups and lock down the number of people with privileged access. Your Security Chief (mean scary person) will thank you and your attack surface will be reduced accordingly. Honest.

Service and Application accounts in your AD often have more privileges than they actually need, they are usually classified as ‘stale objects’ as they probably haven’t been interacted with for quite a while. Identify the owners of these accounts, this is quite important as more often than not an application failure can be traced to the service account…but if you don’t know who owns/manages it the TTF is lengthened significantly.

Also use this time to document your AD structure and settings; seriously, a lot of organisations either 1) have no such document or even a Visio diagram or 2) have the original one created as a vanilla ‘design’ back in the day but it was never updated since! Wuh? You mean you’ve actually got 30 DCs and not just 3 like it says here?!!!

Audit: The servers themselves and the Environment

Here’s your simple checklist of questions to ask yourself or information to find out:

  • Are your existing physical servers fit for purpose and can they support Windows Server 2012 R2? For your server hardware do the associated 2012 version drivers exist? Consider using virtualisation as DCs in virtual environments are fully supported (Hyper-V and VMware);
  • Will your AD be upgraded 1) in place, from Server 2003/2008 to Server 2012 R2, 2) rebuilt from scratch on the existing hardware, or 3) built from scratch on new hardware?
  • Cross architecture (32 bit to 64 bit) and cross language (change in server language) in-place upgrades are not possible, these servers will need to be rebuilt;
      • If servers are running a 64 bit edition of Server 2008 or 2008 R2 they can be upgraded to 2012 R2
      • If servers are running ANY edition of Server 2003 they will have to be rebuilt or replaced
  • Windows Standard editions will be upgraded to Windows Standard and Windows Enterprise editions will be upgraded to Windows Enterprise;
  • What is the size of your existing NTDS.DIT? This is important as your upgraded or newly built server MUST have sufficient memory to hold the entire NTDS.DIT file in active memory, in RAM. If your NTDS.DIT is 500MB, then your available RAM after all other considerations must be a minimum of 500MB – ideally more;
  • Note down your AD Schema version, go to a Domain Controller, run regedit and navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NTDS\Parameters;
  • Non Windows clients, identify them and understand how they interact with and access domain resources, sometimes they have IPs or even Hostnames hard coded somewhere within their settings. Identify and either rectify or have a plan of action;
  • Network equipment that may need DNS information, check your switches, routers and firewalls and liaise with the network operators to understand the dependencies;
  • 3rd Party applications, find out what if any dependency they have on AD DS and what may happen to functionality and service in the event of an upgrade. This means engaging with the 3rd party and having a plan just in case;
  • Services, applications or hardware (Printers, Multifunction Devices, Logging services, Proxy/RAS/VPN Servers, IP Cameras, NAS servers, SAN storage) that relies upon Active Directory and in particular Kerberos for authentication should be logged and if needed a remedial plan of action formulated;
  • Upgrades and rebuilds of DCs should be completed out of hours where possible;
  • Identify your current FSMO role holders > netdom query FSMO;
  • Note down your Domain and Forest Functional levels;

To be honest a lot of you will need new server hardware or new VMs, so you will be introducing 2012 R2 side by side with the existing servers. Makes it a lot easier than attempting to in-place upgrade the OS, which isn’t possible in some cases e.g. x32 and x64 2003/2003 R2 Servers CANNOT be OS upgraded to x64 2012 R2 directly.
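Most of the checklist above is read-only information you can gather in one pass rather than by hand. The script below is an added example written for this page, not code from the original post. It assumes the ActiveDirectory module, that it runs on a DC (the registry and NTDS.DIT checks are local), and that every DC answers WMI over DCOM from where you run it.

```powershell
# Added example (not from the original post). One read-only pass over the audit checklist:
# schema version, functional levels, FSMO holders, NTDS.DIT size versus RAM, FRS/DFSR state,
# and OS/architecture per DC. Assumes ActiveDirectory module; run on a DC as a Domain Admin.
Import-Module ActiveDirectory

function Get-AdUpliftAudit {
    # Schema version and the NTDS.DIT path both live under the NTDS\Parameters key the post points at.
    $ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ditMB  = [math]::Round((Get-Item $ntdsParams.'DSA Database file').Length / 1MB)
    $ramMB  = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $sysvolState = (dfsrmig /GetGlobalState) -join ' '

    # One row per DC. Get-WmiObject (DCOM) rather than CIM/WinRM so 2003 DCs still answer;
    # OSArchitecture does not exist before 2008, which is fine: any 2003 box must be rebuilt anyway.
    $dcs = Get-ADDomainController -Filter * | ForEach-Object {
        $os   = Get-WmiObject Win32_OperatingSystem -ComputerName $_.HostName -ErrorAction SilentlyContinue
        $arch = if ($os.OSArchitecture) { $os.OSArchitecture } else { 'unknown (pre-2008)' }
        [pscustomobject]@{
            Name   = $_.HostName
            Site   = $_.Site
            OS     = $_.OperatingSystem
            Arch   = $arch
            IsGC   = $_.IsGlobalCatalog
            IsRODC = $_.IsReadOnly
            # Per the checklist: only 64-bit 2008/2008 R2 can be upgraded in place.
            CanInPlaceUpgrade = ($_.OperatingSystem -match 'Server 2008' -and $arch -eq '64-bit')
        }
    }

    [pscustomobject]@{
        SchemaVersion        = $ntdsParams.'Schema Version'   # 69 is the Windows Server 2012 R2 schema
        ForestMode           = $forest.ForestMode
        DomainMode           = $domain.DomainMode
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        NtdsDitMB            = $ditMB
        PhysicalRamMB        = $ramMB
        RamCanHoldDit        = ($ramMB -gt $ditMB)   # the post's minimum; plan for more than this
        SysvolReplication    = $(if ($sysvolState -match "'Eliminated'") { 'DFSR' } else { 'FRS (migrate before uplifting)' })
        DomainControllers    = $dcs
    }
}

# Usage:  $audit = Get-AdUpliftAudit
#         $audit | Format-List
#         $audit.DomainControllers | Format-Table -AutoSize
```

Keep the output with your AD documentation; re-running it after the uplift gives you the before/after comparison of schema version, functional levels and role holders that a change record usually asks for.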

Testing – you do have a Non Production environment, right?

Most of you won’t. Tough ask then, to make changes in Live. Well, try to mock up some kind of non-prod environment and make it as life like as possible – then try some testing. However such a vanilla environment won’t reflect reality so prepare for the worst and have a clear roll back plan.


Updates to locally installed application services for monitoring or optimisation – make sure the product you use for monitoring/optimisation has a 2012 compatible version/pack available, for example SCOM, Nagios, Foglight.

Security products locally installed – e.g. Anti-Virus, Software Firewall products – make sure your security vendor(s) have a 2012 compatible version/upgrade available and ideally available to push out via your software deployment service.

Applications will fail to authenticate and will require remediation – some services running elsewhere in your organisation may fail to authenticate or work once you introduce 2012 R2 Domain Controllers or when you switch off all the legacy 2003 or 2008 ones. Plan for this.

Check for hardcoded host name usage – I’ve seen many organisations throughout the transitions and migrations I have completed where 3rd party services/applications are provided the hostname or IP address of specific DCs in order to function. When these DCs are no longer DCs the application or service simply fails to function as before.

Domain-joined clients cover several versions of the Windows OS (NT 4.0, 2000 Server, Server 2003, Server 2008, Server 2008 R2, Windows 7, Windows XP, Windows 8, Windows 8.1), all of which should continue to function as is EXCEPT NT 4.0 and 2000 Server – these two simply cannot communicate securely within a pure 100% 2012 R2 Active Directory service.

When you come to demote the old DCs do not accidentally tick the box “This is the last Domain Controller in the Domain” cos if you do then you’re in a whole heap of doo-dah. If that happens, please don’t call me. Pretty please.

File Replication Service (FRS) is fully deprecated in Server 2012 R2 so you better be rid of it prior to uplifting. The replacement is DFS Replication, see my brief guide HERE on how to do this.

What Will or Might break…

This list is by no means comprehensive but should give you some idea of what you need to watch out for:

  • DNS – no internal or external DNS resolution. In other words you won’t be able to check if Murray is losing (again!)
  • DHCP – clients drop of like lemmings of a cliff (oh how i loved that game!)
  • Printers – users love to print. They get angry when they cannot. I’m a user too, I get ANGRY when i cannot print my Marvel superhero pics
  • Network Devices – network stuff, that dark art of magicy wizardly stuff. Make sure a wizard is at hand to fix stuff
  • Clients cannot authenticate – uh-oh, the big chiefs PA cannot log in this morning. BIG PANIC. IT staff hide out next door in Krispy Kreme (yum!)

The actual Process…how to Uplift to 2012 R2

Finally, what you actually came here to read. Phew, after all that nonsense upstairs. This is HOW and WHAT you need to do:

1. Get Change Approval and engage with all key stakeholders (CTO, CIO, IT Consultants/Architects, Senior Management, Application owners, Service Line Managers etc.). As stated before, finding out who application and service owners are is critical, both to engage them and keep them informed of the process.

2. Have a Roll Back plan, a method that states the steps to get back to before the next step i.e. as if you never started this.

3. Ensure good and verified backups of existing DCs have been taken, verify any offsite backups and ensure they can be restored without errors if needed

4. Replace/Upgrade/Uplift any existing Server Hardware and older OS (2008, 2008 R2 only) with 2012 R2

5. Add in all new servers with 2012 R2 installed that you may need. Join to your existing Domain as Domain members. Let them just chill out, before battle commences for takeover

6. Jump onto one of the new 2012 R2 servers. Add the AD DS Server Role, this will run AD Prep > SCHEMA Update (the bit that scares you all) > Domain Prep and part of that process is adding this as a new DC. After the update check your AD Schema version, go to a Domain Controller, run regedit and navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NTDS\Parameters

2012 R2 Server Manager

7. Add in some DNS Role servers and allow DNS to replicate (your network has DNS as AD integrated right?! IF using BIND or other DNS Service then you have more work to do in your planning and testing stages)

8. Check that your newly introduced 2012 DCs are fully replicating, use REPLMON and check the event log for errors. In fact check both the System and Application event logs and filter for Warning, Critical, Error events.

9. Test your Apps and Services while 2012 R2 Domain Controllers are running at same time as your old ones

10. If you built new servers then transfer FSMO roles > Move-ADDirectoryServerOperationMasterRole -Identity "MyNewServer" -OperationMasterRole 0,1,2,3,4 (where -Identity is the new DC that will hold the roles and 0 to 4 are SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster and InfrastructureMaster)

11. Migrate any other roles and services running on existing DCs e.g. DNS, DHCP, CS, AD RMS to new DCs

12. Close down all ‘legacy’ Domain Controllers in a phased approach, always watching for service failures anywhere across your environments. It’s useful to make your Helpdesk aware and to relay any unusual incidents through to you on the Day After the Night Before

13. Pat yourself on the back, it all works nicely. Good job.
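Steps 6, 8 and 10 are the ones worth scripting, so that a new 2012 R2 DC is checked the same way every time before the old ones are switched off. The script below is an added example written for this page, not code from the original post; DC names are placeholders and the ActiveDirectory module is assumed. It uses repadmin rather than REPLMON because replmon.exe shipped with the Server 2003 Support Tools and is not available on 2008 and later.

```powershell
# Added example (not from the original post). Post-promotion checks for a new 2012 R2 DC:
# schema level as seen by that DC, Critical/Error/Warning events from System, Application and
# Directory Service, replication status via repadmin, and a clean FSMO transfer.
# Assumes ActiveDirectory module; DC names are placeholders.
Import-Module ActiveDirectory

function Get-NewDcProblemEvents {
    param([Parameter(Mandatory)][string]$DcName, [int]$Hours = 24)
    # Level 1 = Critical, 2 = Error, 3 = Warning: the same filter the post applies in Event Viewer,
    # plus the Directory Service log, which is where replication and NTDS errors land.
    Get-WinEvent -ComputerName $DcName -FilterHashtable @{
        LogName   = 'System', 'Application', 'Directory Service'
        Level     = 1, 2, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, Message
}

function Test-NewDc {
    param([Parameter(Mandatory)][string]$DcName)
    # objectVersion on the schema head is the same number as the 'Schema Version' registry value.
    $rootDse = Get-ADRootDSE -Server $DcName
    $schema  = Get-ADObject $rootDse.schemaNamingContext -Server $DcName -Properties objectVersion
    $summary = repadmin /replsummary $DcName
    # Any non-zero value in repadmin's 'fails/total' column is a replication failure to chase.
    $failures = @($summary | Where-Object { $_ -match '\s[1-9]\d*\s*/\s*\d+\s' })
    $events   = @(Get-NewDcProblemEvents -DcName $DcName)
    [pscustomobject]@{
        DC            = $DcName
        SchemaVersion = $schema.objectVersion    # 69 = Windows Server 2012 R2
        ReplicationOk = ($failures.Count -eq 0)
        ProblemEvents = $events.Count
        ReplSummary   = $summary
    }
}

function Move-AllFsmoRoles {
    param([Parameter(Mandatory)][string]$NewDc)
    # -Identity is the DC that will HOLD the roles; 0..4 = SchemaMaster, DomainNamingMaster,
    # PDCEmulator, RIDMaster, InfrastructureMaster. Without -Force this is a transfer, not a seize.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole 0,1,2,3,4 -Confirm:$false
    netdom query fsmo   # confirm from the directory rather than trusting the cmdlet's silence
}

# Usage:  Test-NewDc -DcName 'DC2012R2-01' | Format-List
#         Get-NewDcProblemEvents -DcName 'DC2012R2-01' | Format-Table -Wrap
#         Move-AllFsmoRoles -NewDc 'DC2012R2-01'
```

Run Test-NewDc against every new DC and only move the roles once ReplicationOk is true on all of them; a role transfer to a DC that is not yet replicating cleanly is the quickest route to the "clients cannot authenticate" entry in the list above.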

Server 2012 – Hurrah!

All these steps can either take an evening or many months to complete. That depends on the size and complexity of your infrastructure.


No good using 2012 R2 if your nice support engineers don’t know PowerShell. Teach them, send them to a course or call me for some quick-fire lessons!

If you spot any errors, have any suggestions, tips or improvements please comment to let me know.

Active Directory Exchange Quest Software SharePoint stash

Migrations – been there, done this…

Always in a state of transition, IT departments around the world are continually deploying new systems, applications and hardware. However one of the biggest changes, and challenges, is the successful migration from an existing infrastructure to a whole shiny new one with all the bells and whistles it comes with.

Let me quickly introduce myself, I’m Zulf and I currently work for Fujitsu as a Solution/Technical Architect mostly on migrations with a particular focus on Active Directory, Exchange and SharePoint.

Preparation, preparation, preparation! That there is my mantra, the first word that comes out of me when looking at any migration. It really doesn’t matter whether the migration is large or small, preparation is key and I’ll tell you why.

Without it you will undoubtedly fail, or if you do manage to somehow struggle through, the stress and strains upon the shoulders of those tasked with the migration will lead them to breaking point. I can truly say I have “been there, done that”, I worked on one of the biggest migrations in the UK – 125,000 seats over a 30 month period – yet the migration of the data (filestore and email) was treated as a minor irritation by the project planners as it was deemed straightforward – copy and paste anyone?

The result? An inefficient, trouble strewn, terrible state of affairs that ended up using more resources than it needed, took twice as long as it should and resulted in levels of stress and anger never before seen in the user environment. The ‘planning’ time set aside for this momentous migration task (which spanned the whole UK) was a truly dismal 6 weeks.

The fix? Prepare! It is actually quite simple, follow my easily digestible non-technical guide to running a technical migration. Here goes:

Understand what you want to do: What are you trying to achieve? What are your outcomes, timeframe and budget. Your timeframe? Double it now!

Understand how you are going to do it: Identify the tools, resources, expertise and finances needed to effect your change.

Prepare: Lay the groundwork, communicate with the affected parties and create a plan of action in your chosen project methodology. Be realistic with your timelines.

Prepare again: Purchase the products and tools you need, book in the resources and ensure the right equipment and tools are available and accessible.

Prepare once more: Prepare for the unknown. Yes, that’s right – prepare for something you’re not even aware of yet. How? Purposely set aside delays in your project (catch-up days, firebreaks) for the infamous Rumsfeld ‘unknown unknowns’ – use them if you need them, finish up early if you don’t.

Pilot: Once you’ve got what you need find a sample (whether it is users, computers, servers etc. etc.) and run through a mini version of your end to end migration. Yup, the whole thing from start to finish – in some cases you may not be able to go the whole way, but if that means you have to pilot a further change at a later time DO SO!

Deploy & Migrate: Finally that point when you can approach a migration with confidence

If you are indeed planning or going through a migration and need assistance get in touch with me here at my Blog and you can be assured that a friendly and experienced consultant (me!) will respond.

Too often an organisation changes only when forced to, either by policy, necessity (end of life, end of support) or organisational change. It is always best to change when you have the control, so be proactive, look at what’s coming over the horizon and act quickly.

Active Directory Technical Fiction

Bye bye to Server 2003 (and R2)

Take a long hard look…

2003 R2 Server Logon

Depending on when you are reading this Windows 2003 is either still in your environment or it’s already gone.

However you look at it, this has been the reliable & trusted workhorse of the Data Centre (Comms room or Broom cupboard aka ‘it’s under Matt’s desk!’) for the last many years and incidentally mostly in x32. From Exchange to SharePoint to SCOM/SCCM and a whole plethora of business apps and services, Windows 2003 Server has been the main man for such a long time we take it for granted.

It is now time to say goodbye 😐 , mainstream support ends July 14th, 2015. That’s LESS than a year. No more patches, updates. Nothing. Only those who are desperate or really stupid will keep any live services running on them beyond 2015. The security risk is just too great.

‘What to do?’ I hear you cry, well consider this:

  • Migrate upwards and onwards to 2008R2, 2012 or even 2012R2, does your app/service vendor support this, your hardware/virtual platform?
  • Migrate to a service based model where your solution is now cloud based, again is there a viable solution for your app/service?
  • Migrate to a whole new app/service with all the pain that comes along with that, but at least you can hop straight to 2012/2012 R2 (hopefully)

There is a LOT of work to do, and currently I do not see many organisations doing that work. Perhaps after budgets are being signed off in the 2nd Quarter 2015 the panic might start.

The Great Server 2003 rundown brings an end to an era, it really was the NetWare killer (although the ball got rolling with AD in 2000 Server) providing the knockout blow. It came with a fully blown Mail service (free!), a free Web Server (IIS 6), the awesome GPMC and even WSS to host SharePoint sites (free!). It was resilient. It was brilliant. Its time has come.

Close the door on the way out please.

Active Directory Quest Software Technical Fiction

Using SubInACL to dump permissions and re-apply

As usual during a data centre migration at some point you need to move a huge chunk of data. I’ve come across several of these challenges in my years of migration and I usually end up with using the two most reliable yet simplest tools in my ‘migration toolkit’. Robocopy and SubInACL. Of course you have icacls within PowerShell and some of the more recent Windows Server versions, but the oldies are still goodies even in 2014.

The raw copy is the easy bit, just robocopy files from Old Device to New Device using the LAN, WAN or whatever you have at your disposal. If you wish or need to use an interim device for quicker transfer then do so, whether a NAS device or Eclypt drives – just make sure they are encrypted in case of loss during transfer.

Oh just a polite notice, for me Folder=Directory, Directory=Folder – same thing, different word.

So you’ve got the raw data across. Now those pesky NTFS permissions are still needed. 2 ways this can go down, the New Device is either:

  • In the same domain as the Old Device
  • Or in a different domain to the Old Device

If in the same domain, full steam ahead and rush along to the next paragraph. However if it is a different domain between the Old and New devices then you need a Trust in place. Minimum one-way from Old < New (Old Trusts New domain). If you cannot use the trust, then you better hope you have somehow migrated SIDHistory across to your domain user objects OR you are using the same group/user names in the New Domain as you were in the Old domain OR you are able to create a mapping file between the two(!). Did I not tell you it can get quite complex?

Record the Permissions

Full steam ahead here, go to the Old Device. Identify a Folder whose NTFS permissions you would just love to capture and need to re-apply. Type in the following command at a command prompt (ensure you have the subinacl.exe file handy):

subinacl /output=C:\DumpMyOutputFileHerePlease.txt /subdirectories H:\ThisIsTheOldDeviceFolder

The /output switch lets you specify where the NTFS dump file listing all the ACLs will be errrr….dumped(!) This can be anywhere, I’ve just put it in the root of C: in my simple example. I also gave mine an apt and descriptive filename. Just in case I have cause to come back to this file in a few weeks, calling it commandfile.txt just doesn’t help.

/subdirectories is an interesting beast, if you leave it as is, it will capture all NTFS permissions for both FOLDERS and FILES (largest output file size) but changing it to one of the magically delightful options below does something very different:

  • /subdirectories=directoriesonly will only collect FOLDER/DIRECTORY permissions into the /output file (often smallest output file size)
  • /subdirectories=filesonly will only collect FILE permissions into the /output file (often large output file size)

The last bit H:\ThisIsTheOldDeviceFolder has to be the directory/folder whose permissions you need to record.

Once you let the command loose, it creates a file called DumpMyOutputFileHerePlease.txt and this file could be huuuuuuge! Zip it for transport. If it’s too big to Zip then split it using a nifty tool like GSplit.

Replay the Permissions

Now copy that file onto the New Device, anywhere you can easily find it alongside the copied raw data; for example, I used C:\Temp.

Run the following SubInACL command to replay the permissions:

subinacl /playfile C:\Temp\DumpMyOutputFileHerePlease.txt

Now, remember this tidbit of highly useful information. Running this command to replay the NTFS permissions makes one HUGE ASSUMPTION. It assumes that on the New Device you are using the SAME DRIVE LETTER and top level FOLDER as you had on the Old Device.

Heck, what if you have done a bit of transformation on your New Device and re-organised the data and top level folder structure? Hopefully you’re just using a different drive letter and maybe just a different top level folder. If that is the case then you need to do 2 things before replaying the permissions.

Open the file DumpMyOutputFileHerePlease.txt

Change every line containing “H:\ThisIsTheOldDeviceFolder” to whatever it needs to be to match your different drive letter or path, e.g. “S:\WeNowUseThisNewFolder”; use Find/Replace to speed that up. SAVE the file. You must SAVE it. Replace or Save As new, as long as you SAVE it please.

Once saved just run the exact same command (except now your .txt file has been modified):

subinacl /playfile C:\Temp\DumpMyOutputFileHerePlease.txt
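If you do this often enough, the record / rewrite / replay steps above are worth scripting. The PowerShell below is an added example written for this page, not code from the original post: it wraps the same three subinacl commands, does the drive-letter/top-level-folder Find/Replace safely (whole path prefix only, original encoding kept, untouched copy saved), and adds the two checks I would want around a replay: a pre-flight check that every DOMAIN\name account in the dump actually resolves on the New Device (the trust / SIDHistory / same-names problem from earlier), and a post-replay comparison of folder ACLs between old and new. It assumes subinacl.exe is on the PATH and that accounts appear in the dump as DOMAIN\name tokens (an assumption about the dump format); every path is one of the placeholders from the post.

```powershell
# Added example (not from the original post): the record / rewrite / replay steps above as PowerShell
# functions, plus a pre-flight account check and a post-replay ACL comparison. Assumes subinacl.exe is
# on the PATH and that accounts appear in the dump as DOMAIN\name tokens (an assumption about the
# dump format). All paths are the post's placeholders.

function Export-NtfsPermissions {
    param(
        [Parameter(Mandatory)] [string] $Root,       # folder on the Old Device whose ACLs to record
        [Parameter(Mandatory)] [string] $DumpFile,   # where the ACL listing is written
        [ValidateSet('all', 'directoriesonly', 'filesonly')] [string] $Scope = 'all'
    )
    # /subdirectories alone captures folders and files; the two suffixes narrow the scope.
    $scopeSwitch = if ($Scope -eq 'all') { '/subdirectories' } else { "/subdirectories=$Scope" }
    & subinacl.exe "/output=$DumpFile" $scopeSwitch $Root
    if (-not (Test-Path -LiteralPath $DumpFile) -or (Get-Item -LiteralPath $DumpFile).Length -eq 0) {
        throw "subinacl wrote no dump for '$Root'; check the path and that you ran it elevated"
    }
}

function Convert-DumpPath {
    # The "2 things" step: rewrite the old drive letter / top-level folder inside the dump and save it.
    param(
        [Parameter(Mandatory)] [string] $DumpFile,
        [Parameter(Mandatory)] [string] $OldRoot,    # e.g. H:\ThisIsTheOldDeviceFolder
        [Parameter(Mandatory)] [string] $NewRoot     # e.g. S:\WeNowUseThisNewFolder
    )
    Copy-Item -LiteralPath $DumpFile -Destination "$DumpFile.orig" -Force   # untouched copy to fall back on
    # Detect the BOM so the file is written back in whatever encoding subinacl used.
    $reader = New-Object System.IO.StreamReader($DumpFile, [System.Text.Encoding]::Default, $true)
    $text = $reader.ReadToEnd(); $encoding = $reader.CurrentEncoding; $reader.Dispose()
    # Match the old root only as a whole prefix (next char is '\', whitespace, a quote or end of line)
    # so H:\Old never rewrites H:\OldArchive; case-insensitive because NTFS paths are.
    $pattern = '(?im)' + [regex]::Escape($OldRoot.TrimEnd('\')) + '(?=[\\"\s]|$)'
    $count = [regex]::Matches($text, $pattern).Count
    # A MatchEvaluator inserts the new root literally, so a '$' in the path is never read as a group reference.
    $new = $NewRoot.TrimEnd('\')
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]({ param($m) $new }.GetNewClosure())
    [System.IO.File]::WriteAllText($DumpFile, [regex]::Replace($text, $pattern, $evaluator), $encoding)
    return $count    # occurrences rewritten; zero means the old root was not in the file
}

function Test-DumpAccounts {
    # Pre-flight for the trust / SIDHistory / same-names problem: every DOMAIN\name in the dump must
    # resolve on the New Device before /playfile, or those entries will not apply. Heuristic: a path
    # segment that happens to look like DOMAIN\name is reported too, so review the list by eye.
    param([Parameter(Mandatory)] [string] $DumpFile)
    $text = [System.IO.File]::ReadAllText($DumpFile)
    # Not preceded by '\', ':' or a word character, so H:\Top\Sub and \\server\share are skipped.
    $tokens = [regex]::Matches($text, '(?<![\\:\w])([A-Za-z0-9._ -]+\\[^\\=\s"]+)') |
              ForEach-Object { $_.Groups[1].Value.Trim() } | Sort-Object -Unique
    foreach ($token in $tokens) {
        try {
            $null = ([System.Security.Principal.NTAccount]$token).Translate(
                        [System.Security.Principal.SecurityIdentifier])
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $token    # emitted only when the account cannot be resolved from this machine
        }
    }
}

function Import-NtfsPermissions {
    param([Parameter(Mandatory)] [string] $DumpFile)
    & subinacl.exe /playfile $DumpFile    # subinacl prints its own Done / Failed summary
}

function Compare-FolderAcl {
    # Post-replay check: each folder under the old root must exist under the new root with the same
    # access entries. Resolved names (AccessToString) are compared rather than SDDL, because after a
    # cross-domain migration the SIDs differ even when the names match.
    param(
        [Parameter(Mandatory)] [string] $OldRoot,   # reachable from the New Device, e.g. a UNC path
        [Parameter(Mandatory)] [string] $NewRoot
    )
    $old = $OldRoot.TrimEnd('\'); $new = $NewRoot.TrimEnd('\')
    $folders = @(Get-Item -LiteralPath $old) + @(Get-ChildItem -LiteralPath $old -Directory -Recurse)
    foreach ($folder in $folders) {
        $relative = $folder.FullName.Substring($old.Length)
        $target = $new + $relative
        if (-not (Test-Path -LiteralPath $target -PathType Container)) {
            [pscustomobject]@{ Path = $relative; Status = 'MissingOnNewDevice' }; continue
        }
        if ((Get-Acl -LiteralPath $folder.FullName).AccessToString -ne (Get-Acl -LiteralPath $target).AccessToString) {
            [pscustomobject]@{ Path = $relative; Status = 'AclDiffers' }
        }
    }
}

# Usage (placeholders from the post). On the Old Device:
#   Export-NtfsPermissions -Root 'H:\ThisIsTheOldDeviceFolder' -DumpFile 'C:\DumpMyOutputFileHerePlease.txt' -Scope directoriesonly
# On the New Device, after copying the dump to C:\Temp:
#   Convert-DumpPath -DumpFile 'C:\Temp\DumpMyOutputFileHerePlease.txt' -OldRoot 'H:\ThisIsTheOldDeviceFolder' -NewRoot 'S:\WeNowUseThisNewFolder'
#   Test-DumpAccounts -DumpFile 'C:\Temp\DumpMyOutputFileHerePlease.txt'      # fix any names listed before replaying
#   Import-NtfsPermissions -DumpFile 'C:\Temp\DumpMyOutputFileHerePlease.txt'
#   Compare-FolderAcl -OldRoot '\\OldDevice\OldShare' -NewRoot 'S:\WeNowUseThisNewFolder'   # share name is a placeholder
```

Two design points: Convert-DumpPath returns how many occurrences it rewrote, so a result of 0 tells you the old root never appeared in the file (wrong path, or the dump was taken with a different drive letter) before you replay anything; and Test-DumpAccounts is run on the New Device, because that is where the names must resolve, and an empty result is what you want to see before /playfile.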

Good Luck & Good Night.

Coming soon: speeding up ACL application, icacls and 3rd party permissions tooling/reporting.

Active Directory Technical Fiction

Microsoft Products (non-mainstream)

There are a number of Microsoft Products that provide plenty of value add but most people have never heard of them or do not know what they are useful for. I provide a sample below, some more useful than others. I’ll try to keep the links and versions updated as things change (of course, they always do!)

Download the PDF version HERE

List and Description of Microsoft Products for Business Support

1. Microsoft Deployment Toolkit (MDT) 2010

Brief Description

MDT provides OS and Application Deployment for Windows 7, Vista, 2008, XP SP3 and 2003 R2.


MDT 2010 provides a common console with comprehensive tools and guidance for every organizational role – making it the recommended process and toolset to automate large-scale desktop and server deployments.


2. Active Directory Migration Toolkit (ADMT) 3.1

Brief Description

ADMT provides an integrated toolset to facilitate migration and restructuring tasks in an Active Directory infrastructure.


The ADMT version 3.1 toolkit simplifies the process of restructuring your operating environment to meet the needs of your organization. You can use ADMT v3.1 to migrate users, groups, and computers from Microsoft® Windows NT 4.0, 2000 or 2003 domains to same/newer Active Directory domains; between Active Directory domains in different forests (an interforest migration); and between Active Directory domains in the same forest (an intraforest migration). ADMT v3.1 also performs security translation from Windows NT 4.0, 2000 or 2003 domains to same/newer Active Directory domains and between Active Directory domains in different forests to allow the migration of user profiles.


3. Password Export Server (PES) 3.1

Brief Description

PES enables password migrations during account migrations in an Active Directory Domain Services infrastructure.


The Password Export Server version 3.1 (PES v3.1) is a part of the ADMT v3.1 toolset. You can use PES v3.1 to migrate passwords when performing account migrations between different Active Directory Domain Services (AD DS) environments using ADMT v3.1.


4. Windows Automated Installation Kit (AIK) 1.0

Brief Description

Windows AIK for Windows® 7 helps you to install, customize, and deploy the Microsoft Windows® 7 and Windows Server® 2008 R2 family of operating systems.


The Windows AIK is a set of tools and documentation that supports the configuration and deployment of Windows operating systems. By using Windows AIK, you can automate Windows installations, capture Windows images with ImageX, configure and modify images using Deployment Imaging Servicing and Management (DISM), create Windows PE images, and migrate user profiles and data with the User State Migration Tool (USMT). Windows AIK also includes the Volume Activation Management Tool (VAMT), which enables IT professionals to automate and centrally manage the volume activation process using a Multiple Activation Key (MAK).



5. User State Migration Tool (USMT) 4.0

Brief Description

Use USMT to migrate user files and settings during large deployments of Microsoft OS.


USMT captures desktop and application settings, as well as user accounts and users’ files, and then migrates them to a new Windows installation. Using USMT can help you improve and simplify your migration process. You can use USMT for both side-by-side and wipe-and-load migrations. If you are only upgrading your operating system, USMT is not needed. You can use USMT to preserve user accounts, favourites, files & application settings but it does NOT preserve applications themselves (those you need to manually re-install).


6. Microsoft Application Compatibility Toolkit (MACT) 5.6

Brief Description

The Microsoft Application Compatibility Toolkit (ACT) version 5.6 contains the necessary tools and documentation to evaluate and mitigate application compatibility issues before deploying Windows 7, Windows Vista®, a Windows Update, or a new version of Windows® Internet Explorer® in your environment.


The Microsoft Application Compatibility Toolkit (ACT) 5.6 helps customers understand their application compatibility situation by identifying which applications are compatible with the Windows 7 operating system and which require further testing. ACT helps customers lower their costs for application compatibility testing, prioritize their applications, and deploy Windows more quickly.

You can use the ACT features to:

  • Verify an application’s compatibility with a new version of the Windows operating system, or a Windows Update, including determining your risk assessment.
  • Become involved in the ACT Community, including sharing your risk assessment with other ACT users.
  • Test your Web applications and Web sites for compatibility with new releases and security updates to the Windows Internet Explorer® Internet browser.



7. Windows 7 Upgrade Advisor v2

Brief Description

Download and run the Windows 7 Upgrade Advisor to see if your PC is ready for Windows 7. It scans your hardware, devices, and installed programs for known compatibility issues, gives you guidance on how to resolve potential issues found, and recommends what to do before you upgrade.


As above!



8. Microsoft Assessment and Planning Toolkit (APT) 4.0

Brief Description

APT makes it easy to assess your current IT infrastructure for a variety of technology migration projects. This Solution Accelerator provides a powerful inventory, assessment, and reporting tool to simplify the migration planning process.


APT is an agentless toolkit that finds computers on a network and performs a detailed inventory of the computers using Windows Management Instrumentation (WMI) and the Remote Registry Service. The data and analysis provided by this toolkit can significantly simplify the planning process for migrating to Windows® 7, Windows Vista®, Microsoft Office 2007, Windows Server® 2008 R2, Windows Server 2008, Hyper-V, Microsoft Application Virtualization, Microsoft SQL Server 2008, and Forefront® Client Security and Network Access Protection. Assessments for Windows Server 2008 R2, Windows Server 2008, Windows 7, and Windows Vista include device driver availability as well as recommendations for hardware upgrades.


9. Microsoft IT Environment Health Scanner

Brief Description

The Microsoft IT Environment Health Scanner is designed for administrators who want to assess the overall health of their Active Directory and network infrastructure. The tool identifies common problems that can prevent your network environment from functioning properly.


The Microsoft IT Environment Health Scanner is a diagnostic tool that is designed for administrators of small or medium-sized networks (recommended up to 20 servers and up to 500 client computers) who want to assess the overall health of their network infrastructure. The tool identifies common problems that can prevent your network environment from functioning properly as well as problems that can interfere with infrastructure upgrades, deployments, and migration.

When run from a computer with the proper network access, the tool takes a few minutes to scan your IT environment, perform more than 100 separate checks, and collect and analyze information about the following:

  • Configuration of sites and subnets in Active Directory
  • Replication of Active Directory, the file system, and SYSVOL shared folders
  • Name resolution by the Domain Name System (DNS)
  • Configuration of the network adapters of all domain controllers, DNS servers, and e-mail servers running Microsoft Exchange Server
  • Health of the domain controllers
  • Configuration of the Network Time Protocol (NTP) for all domain controllers

If a problem is found, the tool describes the problem, indicates the severity, and links you to guidance at the Microsoft Web site (such as a Knowledge Base article) to help you resolve the problem. You can save or print a report for later review. The tool does not change anything on your computer or your network.


10. Microsoft File Server Migration Toolkit (FSMT) 1.2

Brief Description

The wizards in the File Server Migration Toolkit use Distributed File System (DFS) to maintain Universal Naming Convention (UNC) paths and to simplify the consolidation and migration process.


Many organizations today are consolidating older file servers to reduce the cost of managing multiple file servers and to increase the efficiency of storage allocation and backup tasks. When organizations migrate data to file servers running Windows Server 2003 and Windows Server 2008, they can take advantage of new features, such as Shadow Copies for Shared Folders and the Volume Shadow Copy service, and enhancements to other technologies, such as Distributed File System (DFS).



11. AD Performance Testing Tool (ADTest.exe)

Brief Description

ADTest.exe is an Active Directory load-generation tool that simulates client transactions on a host server to assess the performance of the Microsoft® Active Directory™ within Microsoft® Windows® Server 2003 and Microsoft® Active Directory Application Mode™.


ADTest is an Active Directory load-generation tool. It allows you to simulate client transactions on the host server. By varying client load, you can relate the transaction rate to resource utilization on the server and get some idea about the requirements for your environment. Because ADTest can perform generic Active Directory requests, it can also create an organizational unit structure inside Active Directory. You can add many organizational units and user objects in those ADTest-created organizational units. You can also add attributes to the user objects. Once you have created the Active Directory structure you require, you can use ADTest to perform various Active Directory requests, including Modify and Search. Several pre-built tests have been written to reproduce some typical activities you might want to evaluate. Examples of these pre-built tests are: an interactive logon, a batch logon, a search for a random user, and a modification of an attribute of a random user. By varying your hardware environment or other test parameters, you can gain insight into the performance sensitivities of your particular setup.

Remember that benchmarking and performance exercises are useful for comparing platforms or for getting a general understanding of the hardware requirements for common implementation scenarios. However, because these tests are run in constrained environments, such as an isolated lab, they do not necessarily translate directly to deployable scenarios. Therefore, it is important to understand that while this tool is meant to help you prepare for a fairly comprehensive server-sizing and capacity-planning effort, any data generated is only meant for general sizing, benchmarking, or deployment recommendations.


Active Directory

Windows Server 2008 training (free)

Yup, I’ve restarted, in Server 2008 flavour, similar courses to those I delivered in the year 2007 (at that time it was on Windows Server 2003!).

Again it is completely FREE; this time around I have 9 keen students, 2 of whom are completely new to Windows Server of any flavour. Previously I delivered a classroom-based course with 4 students, using the generosity of office space in the studios of, however this time around I’m using a combination of 2 completely free technologies to deliver these online and with minimal (well, almost 0) cost. They are:

Skype – for audio conferencing for up to 20 people, free, and the quality is amazing – the alternative to WebEx (or even the awful Live Meeting), again free, works brilliantly in sharing apps, whiteboards or my desktop. The guys can easily follow my actions in my VMs as I demonstrate! Max 20 participants for the free version.

I started the once per week sessions 4 weeks ago, 12 sessions in total which should give each student enough knowledge to approach the MCP Exam 70-640 with confidence! I wish them luck!
