Tag Archives: Active Directory

Categories: Active Directory, Azure, Technical Fiction

Azure VM, Active Directory and a Dedicated Disk

Installing the AD DS role onto a Azure virtual machine? Creating a Domain Controller in the cloud? Are you sure you want to do this?

For every Domain Controller you build on an Azure virtual machine, add a dedicated data disk alongside the OS disk (C:\) and make sure your AD DS install wizard or script uses that disk for both the Active Directory database and logs (NTDS) and the replicated system volume (SYSVOL) when the role is installed. It must be a data disk: neither the OS disk nor the temporary disk (D:), which Azure wipes whenever the VM is redeployed.

IMPORTANT: set the ‘Host Cache Preference’ (host caching) of this data disk to NONE. The OS disk defaults to Read/Write host caching, which is exactly the write-behind behaviour AD DS cannot tolerate; do not rely on the data disk default either. Set it explicitly and verify it after provisioning.

Failure to do this risks corruption of your Active Directory database (USN rollback and lingering objects, as the extract below explains).

The relevant Microsoft documentation can be found here https://msdn.microsoft.com/en-us/library/azure/jj156090.aspx?f=255&MSPPError=-2147217396

I’ve extracted the exact section below, saves you going through the whole web page above:

“Data disk drives do not cache writes by default. Data disk drives that are attached to a VM use write-through caching. Write-through caching makes sure the write is committed to durable Azure storage before the transaction is complete from the perspective of the VM’s operating system. It provides durability, at the expense of slightly slower writes.

This is important for Windows Server AD DS because write-behind disk-caching invalidates assumptions made by the DC. Windows Server AD DS attempts to disable write caching but it is up to the disk IO system to honor it. Failure to disable write caching may, under certain circumstances, introduce USN rollback resulting in lingering objects and other problems.

As a best practice for virtual DCs, do the following:

  • Set the Host Cache Preference setting on the Azure data disk for NONE. This prevents issues with write caching for AD DS operations.
  • Store the database, logs, and SYSVOL on either the same data disk or separate data disks. Typically, this is a separate disk from the disk used for the operating system itself. The key takeaway is that the Windows Server AD DS database and SYSVOL must not be stored on an Azure Operating System disk type. By default, the AD DS installation process installs these components in %systemroot% folder, which is NOT recommended for Azure.”
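The whole procedure above, as an added PowerShell example that is not part of the original post or of Microsoft's documentation: attach a data disk with host caching set to None, verify that setting, point the AD DS install at the disk, and afterwards confirm from the registry that nothing landed on the OS disk. It uses the current Az PowerShell module (the post predates it) and the ADDSDeployment module that ships with the role. The resource group, VM name, drive letter F:, domain name and credential names are assumed placeholders; the three parts run in different places (a management workstation, then inside the VM, then inside the new DC after its reboot).

```powershell
# Added example, not from the original post: a data disk with host caching off, the
# AD DS install pointed at it, and a check that nothing landed on the OS disk.
# Assumed placeholders: resource group, VM name, drive letter F:, domain corp.example.

# --- 1. From a workstation with the Az PowerShell module: attach the disk ---
$rg = 'rg-identity'; $vmName = 'dc01'                               # assumed
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
# -Caching None is the 'Host Cache Preference = NONE' setting the post requires.
$vm = Add-AzVMDataDisk -VM $vm -Name "$vmName-ntds" -Lun 0 -Caching None `
        -DiskSizeInGB 64 -CreateOption Empty -StorageAccountType Premium_LRS
Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null

# Check: a DC must have no data disk with host caching enabled.
$cached = (Get-AzVM -ResourceGroupName $rg -Name $vmName).StorageProfile.DataDisks |
          Where-Object { $_.Caching -ne 'None' }
if ($cached) { throw "Host caching enabled on: $($cached.Name -join ', ')" }

# --- 2. Inside the VM, elevated: format the disk and install AD DS onto it ---
# D: is the Azure temporary disk and is wiped on redeploy; never use it for NTDS or SYSVOL.
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter F -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'NTDS' -Confirm:$false | Out-Null

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null

# Database, logs and SYSVOL go to the dedicated disk instead of the %systemroot% default.
Install-ADDSDomainController -DomainName 'corp.example' `
    -DatabasePath 'F:\NTDS' -LogPath 'F:\NTDS' -SysvolPath 'F:\SYSVOL' `
    -InstallDns -Credential (Get-Credential 'CORP\Administrator') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# --- 3. After the reboot: verify from the registry where AD DS actually put things ---
function Get-AddsDataPaths {
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $nl   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    [pscustomobject]@{
        Database = $ntds.'DSA Database file'
        Logs     = $ntds.'Database log files path'
        Sysvol   = $nl.SysVol
    }
}
$paths    = Get-AddsDataPaths
$onOsDisk = $paths.PSObject.Properties.Value | Where-Object { $_ -like "$env:SystemDrive\*" }
if ($onOsDisk) { throw "AD DS data on the OS disk: $($onOsDisk -join ', ')" }
$paths
```

Part 3 is the check worth keeping around: the registry values it reads are what the NTDS and Netlogon services actually use, so it catches a wizard run where someone clicked through the default paths regardless of what the build document says.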
Categories: Active Directory, Technical Fiction

Migration Guide: FRS to DFS Replication

If you want leaner SYSVOL replication between Domain Controllers (DCs), move it to DFS Replication (DFS-R). The bigger reason is that the File Replication Service (FRS) has been deprecated since Windows Server 2008 R2 and newer releases drop it altogether: Windows Server 2019 and later will not promote a DC into a domain whose SYSVOL still replicates with FRS, so if you plan to bring in new DCs you must do this first. Want a third reason? If you use Read Only DCs (RODCs) and are still on FRS it is easy for the SYSVOL on an RODC to drift out of sync with the other DCs; on Server 2008 R2 and above DFS-R makes the RODC’s SYSVOL genuinely read-only, so it can never be modified locally.

DFS-R simply replicates SYSVOL more efficiently and reliably than the old-world File Replication Service (FRS). Before you start, check that you are not already using DFS-R. Open an elevated command prompt on a DC and run:

Dfsrmig /GetGlobalState

If the output reads “Current DFSR global state: ‘Eliminated’” you are already on DFS-R and there is nothing to do. Stop right here. ‘Start’ means FRS is still doing the job; ‘Prepared’ or ‘Redirected’ means someone began a migration and never finished it, so pick it up from that state in the steps below.

Did you know: the DFS-R migration process actually uses Robocopy (yes! Robocopy) to copy the SYSVOL data into SYSVOL_DFSR at various stages.


All Domain Controllers need to be online and reachable. If any decommissioned DCs are still listed in Active Directory and their metadata has not been cleaned up (ntdsutil metadata cleanup an’ all!), do that before you start: dfsrmig waits for every DC it can see.

Depending on the Server OS and service pack level, all DCs may need to sit in the default Domain Controllers OU. If any are in a sub-OU or elsewhere (usually for policy reasons), consider moving them back into the default location for the duration of the migration.

The PDC Emulator MUST be online for the whole process: it holds the most up-to-date policy and is the DC the migration talks to most, so run dfsrmig on it.

You need a domain functional level of at least Windows Server 2008, so retire those end-of-life Server 2003 R2 DCs first.

4 Steps to DFS-R

There are 4 steps to migrate from FRS to DFS-R using the Dfsrmig command (the global state numbers are 0 Start, 1 Prepared, 2 Redirected, 3 Eliminated):

  1. Health Check: run the following to check the health of current replication
    1. Ensure there is enough free disk space on each DC for a second copy of SYSVOL (the migration builds SYSVOL_DFSR next to the existing folder)
    2. Run repadmin /replsummary and resolve any replication failures it reports
    3. Run repadmin /showrepl * /csv > replication.txt and resolve any failures listed in the output file
  2. Migrate to the Prepared state: Dfsrmig /SetGlobalState 1 begins the migration. Poll Dfsrmig /GetMigrationState until it reports that all Domain Controllers have migrated successfully to the Prepared state. Do NOT proceed until it does.
  3. Migrate to the Redirected state: Dfsrmig /SetGlobalState 2, again polling Dfsrmig /GetMigrationState until every DC reports Redirected. The SYSVOL share now points at SYSVOL_DFSR, but FRS is still replicating the old folder, so this is the last state you can roll back from (Dfsrmig /SetGlobalState 1 or 0). If you wish to keep FRS as a fallback for a while, stop here.
  4. Migrate to the Eliminated state: [NOTE: there is no going back after this step! You have been warned] Dfsrmig /SetGlobalState 3, then poll Dfsrmig /GetMigrationState until every DC reports Eliminated. Once that completes, so is the migration.

That’s all there is to it. Honest.

If you did execute Step 4 in error then, as I said, there is no going back. Ever. Unless of course you rebuild the whole domain (a whole lot of fun for you then!).

Clean Up Tasks – get rid of FRS!

Now that you have successfully migrated to DFS-R you need to:

  • Confirm the SYSVOL share is served from SYSVOL_DFSR and delete whatever is left of the old SYSVOL directory
  • Stop and disable the NTFRS service, then remove it
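The four steps and the clean-up list above, as an added PowerShell example that is not part of the original post: it evaluates the pre-flight checks instead of eyeballing them, advances the dfsrmig global state one step at a time and blocks until every DC reports the new state, insists on a typed confirmation before the irreversible Eliminated step, and finishes with the clean-up check. Run it elevated on the PDC Emulator as a Domain Admin with the ActiveDirectory module (RSAT) present. Assumptions: dfsrmig’s English-language output strings, and that every DC answers RPC (for repadmin) and WMI.

```powershell
# Added example (not from the original post): drives the four dfsrmig steps with the
# gating the post insists on, plus its pre-flight and clean-up checks.
# Run elevated on the PDC Emulator as a Domain Admin; needs the ActiveDirectory module.
# Assumptions: dfsrmig's English output strings; every DC answers RPC (repadmin) and WMI.

Import-Module ActiveDirectory

$StateName = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }

function Get-SysvolGlobalState {
    # Parses "Current DFSR global state: 'Eliminated'" into the bare state name.
    $text = (dfsrmig /GetGlobalState) -join ' '
    if ($text -match "global state: '(\w+)'") { return $Matches[1] }
    throw "Unexpected dfsrmig output: $text"
}

function Test-ReplicationHealthy {
    # The post's step 1.3 (repadmin /showrepl * /csv), evaluated rather than eyeballed.
    $failing = @(repadmin /showrepl * /csv | ConvertFrom-Csv |
                 Where-Object { [int]$_.'Number of Failures' -gt 0 })
    foreach ($f in $failing) {
        Write-Warning ('{0} <- {1} [{2}]: {3}' -f $f.'Destination DSA', $f.'Source DSA',
                       $f.'Naming Context', $f.'Last Failure Status')
    }
    return ($failing.Count -eq 0)
}

function Test-DcDiskSpace {
    # Step 1.1: each DC needs room for a second copy of SYSVOL (SYSVOL_DFSR) on its system drive.
    $sysvolBytes = (Get-ChildItem "$env:SystemRoot\SYSVOL" -Recurse -Force -ErrorAction SilentlyContinue |
                    Measure-Object -Property Length -Sum).Sum
    $ok = $true
    foreach ($dc in Get-ADDomainController -Filter *) {
        $drive = (Get-WmiObject Win32_OperatingSystem -ComputerName $dc.HostName).SystemDrive
        $free  = (Get-WmiObject Win32_LogicalDisk -ComputerName $dc.HostName -Filter "DeviceID='$drive'").FreeSpace
        if ($free -lt 2 * $sysvolBytes) {
            Write-Warning "$($dc.HostName): $free bytes free, SYSVOL is $sysvolBytes bytes"
            $ok = $false
        }
    }
    return $ok
}

function Set-SysvolGlobalState {
    # Advances the global state, then blocks until every DC reports it ("Do NOT proceed until...").
    param([ValidateRange(1, 3)][int]$State, [int]$TimeoutMinutes = 120)
    if ($State -eq 3 -and (Read-Host 'Eliminated cannot be rolled back. Type ELIMINATE to confirm') -ne 'ELIMINATE') {
        throw 'Stopped before the Eliminated state.'
    }
    dfsrmig /SetGlobalState $State | Out-Null
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 60
        $text = (dfsrmig /GetMigrationState) -join ' '
        if ($text -match 'migrated successfully') { return $StateName[$State] }
        Write-Host $text
    } while ((Get-Date) -lt $deadline)
    throw "Not all DCs reached $($StateName[$State]) within $TimeoutMinutes minutes; check AD replication and the DFS Replication event log"
}

function Test-FrsRetired {
    # Clean-up check: SYSVOL must now be shared from SYSVOL_DFSR and NTFRS must not be running.
    $share = Get-WmiObject Win32_Share -Filter "Name='SYSVOL'"
    $frs   = Get-Service NTFRS -ErrorAction SilentlyContinue
    if ($share.Path -notlike '*SYSVOL_DFSR*') { Write-Warning "SYSVOL still shared from $($share.Path)" }
    if ($frs -and $frs.Status -eq 'Running')  { Write-Warning 'NTFRS service still running; stop and disable it' }
    return ($share.Path -like '*SYSVOL_DFSR*') -and (-not $frs -or $frs.Status -ne 'Running')
}

# Usage: the post's four steps in order, resuming from wherever the domain already is.
$current = [int]($StateName.Keys | Where-Object { $StateName[$_] -eq (Get-SysvolGlobalState) })
if ($current -eq 3) { 'Already on DFS-R (Eliminated); nothing to do.'; return }
if (-not (Test-ReplicationHealthy)) { throw 'Fix AD replication before migrating.' }
if (-not (Test-DcDiskSpace))        { throw 'Free disk space on the DCs before migrating.' }
foreach ($s in ($current + 1)..3) { 'Reached global state: ' + (Set-SysvolGlobalState -State $s) }
Test-FrsRetired
```

The wait loop is the point: dfsrmig returns immediately after /SetGlobalState and the actual work happens as each DC picks up the new state through AD replication, so anything that chains the three SetGlobalState calls without polling /GetMigrationState in between is exactly the mistake the post warns against.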

You really should download and read the full Microsoft guide found here: http://technet.microsoft.com/en-us/library/dd640019(WS.10).aspx

As usual, get in touch if you have any questions.

Categories: Active Directory, Exchange, Quest Software, SharePoint, stash

Migrations – been there, done this…

Always in a state of transition, IT departments around the world are continually deploying new systems, applications and hardware. However one of the biggest changes, and challenges, is the successful migration from an existing infrastructure to a whole shiny new one with all the bells and whistles it comes with.

Let me quickly introduce myself, I’m Zulf and I currently work for Fujitsu as a Solution/Technical Architect mostly on migrations with a particular focus on Active Directory, Exchange and SharePoint.

Preparation, preparation, preparation! That there is my mantra, the first word that comes out of me when looking at any migration. It really doesn’t matter whether the migration is large or small, preparation is key and I’ll tell you why.

Without it you will undoubtedly fail, or if you do manage to somehow struggle through, the stress and strain on the shoulders of those tasked with the migration will push them to breaking point. I can truly say I have “been there, done that”: I worked on one of the biggest migrations in the UK – 125,000 seats over a 30 month period – yet the migration of the data (filestore and email) was treated as a minor irritation by the project planners as it was deemed straightforward – copy and paste anyone?

The result? An inefficient, trouble-strewn, terrible state of affairs that used more resources than it needed, took twice as long as it should have and produced levels of stress and anger never before seen in the user environment. The ‘planning’ time set aside for this monumental migration task (which spanned the whole UK) was a truly dismal 6 weeks.

The fix? Prepare! It is actually quite simple: follow my easily digestible non-technical guide to running a technical migration. Here goes:

Understand what you want to do: What are you trying to achieve? What are your outcomes, timeframe and budget? Your timeframe? Double it now!

Understand how you are going to do it: Identify the tools, resources, expertise and finances needed to effect your change.

Prepare: Lay the groundwork, communicate with the affected parties and create a plan of action in your chosen project methodology. Be realistic with your timelines.

Prepare again: Purchase the products and tools you need, book in the resources and ensure the right equipment and tools are available and accessible.

Prepare once more: Prepare for the unknown. Yes, that’s right – prepare for something you’re not even aware of yet. How? Purposely set aside delays in your project (catch-up days, firebreaks) for the infamous Rumsfeld ‘unknown unknowns’ – use them if you need them, finish up early if you don’t.

Pilot: Once you’ve got what you need find a sample (whether it is users, computers, servers etc. etc.) and run through a mini version of your end to end migration. Yup, the whole thing from start to finish – in some cases you may not be able to go the whole way, but if that means you have to pilot a further change at a later time DO SO!

Deploy & Migrate: Finally, the point at which you can approach a migration with confidence.

If you are indeed planning or going through a migration and need assistance get in touch with me here at my Blog and you can be assured that a friendly and experienced consultant (me!) will respond.

Too often an organisation changes only when forced to, either by policy, necessity (end of life, end of support) or organisational change. It is always best to change when you have the control, so be proactive, look at what’s coming over the horizon and act quickly.

Categories: Active Directory, Technical Fiction

Microsoft Products (non-mainstream)

There are a number of Microsoft Products that provide plenty of value add but most people have never heard of them or do not know what they are useful for. I provide a sample below, some more useful than others. I’ll try to keep the links and versions updated as things change (of course, they always do!)


List and Description of Microsoft Products for Business Support

1. Microsoft Deployment Toolkit (MDT) 2010

Brief Description

MDT provides OS and Application Deployment for Windows 7, Vista, 2008, XP SP3 and 2003 R2.


MDT 2010 provides a common console with comprehensive tools and guidance for every organizational role – making it the recommended process and toolset to automate large-scale desktop and server deployments



2. Active Directory Migration Tool (ADMT) 3.1

Brief Description

ADMT provides an integrated toolset to facilitate migration and restructuring tasks in an Active Directory infrastructure.


The ADMT version 3.1 toolkit simplifies the process of restructuring your operating environment to meet the needs of your organization. You can use ADMT v3.1 to migrate users, groups, and computers from Microsoft® Windows NT 4.0, 2000 or 2003 domains to same/newer Active Directory domains; between Active Directory domains in different forests (an interforest migration); and between Active Directory domains in the same forest (an intraforest migration). ADMT v3.1 also performs security translation from Windows NT 4.0, 2000 or 2003 domains to same/newer Active Directory domains and between Active Directory domains in different forests to allow the migration of user profiles.



3. Password Export Server (PES) 3.1

Brief Description

PES enables password migrations during account migrations in an Active Directory Domain Services infrastructure.


The Password Export Server version 3.1 (PES v3.1) is a part of the ADMT v3.1 toolset. You can use PES v3.1 to migrate passwords, when performing account migrations between different Active Directory Domain Service (AD DS) environments using ADMT v3.1.



4. Windows Automated Installation Kit (AIK) 1.0

Brief Description

Windows AIK for Windows® 7 helps you to install, customize, and deploy the Microsoft Windows® 7 and Windows Server® 2008 R2 family of operating systems.


The Windows AIK is a set of tools and documentation that supports the configuration and deployment of Windows operating systems. By using Windows AIK, you can automate Windows installations, capture Windows images with ImageX, configure and modify images using Deployment Imaging Servicing and Management (DISM), create Windows PE images, and migrate user profiles and data with the User State Migration Tool (USMT). Windows AIK also includes the Volume Activation Management Tool (VAMT), which enables IT professionals to automate and centrally manage the volume activation process using a Multiple Activation Key (MAK).




5. User State Migration Tool (USMT) 4.0

Brief Description

Use USMT to migrate user files and settings during large deployments of Microsoft OS.


USMT captures desktop, and application settings, as well as user accounts and users’ files, and then migrates them to a new Windows installation. Using USMT can help you improve and simplify your migration process. You can use USMT for both side-by-side and wipe-and-load migrations. If you are only upgrading your operating system, USMT is not needed. You can use USMT to preserve user accounts, favourites, files & application settings but it does NOT preserve applications themselves (those you need to manually re-install).



6. Microsoft Application Compatibility Toolkit (ACT) 5.6

Brief Description

The Microsoft Application Compatibility Toolkit (ACT) version 5.6 contains the necessary tools and documentation to evaluate and mitigate application compatibility issues before deploying Windows 7, Windows Vista®, a Windows Update, or a new version of Windows® Internet Explorer® in your environment.


The Microsoft Application Compatibility Toolkit (ACT) 5.6 helps customers understand their application compatibility situation by identifying which applications are compatible with the Windows 7 operating system and which require further testing. ACT helps customers lower their costs for application compatibility testing, prioritize their applications, and deploy Windows more quickly.

You can use the ACT features to:

  • Verify an application’s compatibility with a new version of the Windows operating system, or a Windows Update, including determining your risk assessment.
  • Become involved in the ACT Community, including sharing your risk assessment with other ACT users.
  • Test your Web applications and Web sites for compatibility with new releases and security updates to the Windows Internet Explorer® Internet browser.




7. Windows 7 Upgrade Advisor v2

Brief Description

Download and run the Windows 7 Upgrade Advisor to see if your PC is ready for Windows 7. It scans your hardware, devices, and installed programs for known compatibility issues, gives you guidance on how to resolve potential issues found, and recommends what to do before you upgrade.


As above!




8. Microsoft Assessment and Planning Toolkit (APT) 4.0

Brief Description

APT makes it easy to assess your current IT infrastructure for a variety of technology migration projects. This Solution Accelerator provides a powerful inventory, assessment, and reporting tool to simplify the migration planning process.


APT is an agentless toolkit that finds computers on a network and performs a detailed inventory of the computers using Windows Management Instrumentation (WMI) and the Remote Registry Service. The data and analysis provided by this toolkit can significantly simplify the planning process for migrating to Windows® 7, Windows Vista®, Microsoft Office 2007, Windows Server® 2008 R2, Windows Server 2008, Hyper-V, Microsoft Application Virtualization, Microsoft SQL Server 2008, and Forefront® Client Security and Network Access Protection. Assessments for Windows Server 2008 R2, Windows Server 2008, Windows 7, and Windows Vista include device driver availability as well as recommendations for hardware upgrades.


9. Microsoft IT Environment Health Scanner

Brief Description

The Microsoft IT Environment Health Scanner is designed for administrators who want to assess the overall health of their Active Directory and network infrastructure. The tool identifies common problems that can prevent your network environment from functioning properly.


The Microsoft IT Environment Health Scanner is a diagnostic tool that is designed for administrators of small or medium-sized networks (recommended up to 20 servers and up to 500 client computers) who want to assess the overall health of their network infrastructure. The tool identifies common problems that can prevent your network environment from functioning properly as well as problems that can interfere with infrastructure upgrades, deployments, and migration.

When run from a computer with the proper network access, the tool takes a few minutes to scan your IT environment, perform more than 100 separate checks, and collect and analyze information about the following:

* Configuration of sites and subnets in Active Directory

* Replication of Active Directory, the file system, and SYSVOL shared folders

* Name resolution by the Domain Name System (DNS)

* Configuration of the network adapters of all domain controllers, DNS servers, and e-mail servers running Microsoft Exchange Server

* Health of the domain controllers

* Configuration of the Network Time Protocol (NTP) for all domain controllers

If a problem is found, the tool describes the problem, indicates the severity, and links you to guidance at the Microsoft Web site (such as a Knowledge Base article) to help you resolve the problem. You can save or print a report for later review. The tool does not change anything on your computer or your network.


10. Microsoft File Server Migration Toolkit (FSMT) 1.2

Brief Description

The wizards in the File Server Migration Toolkit use Distributed File System (DFS) to maintain Universal Naming Convention (UNC) paths and to simplify the consolidation and migration process


Many organizations today are consolidating older file servers to reduce the cost of managing multiple file servers and to increase the efficiency of storage allocation and backup tasks. When organizations migrate data to file servers running Windows Server 2003 and Windows Server 2008, they can take advantage of new features, such as Shadow Copies for Shared Folders and the Volume Shadow Copy service, and enhancements to other technologies, such as Distributed File System (DFS).




11. AD Performance Testing Tool (ADTest.exe)

Brief Description

ADTest.exe is an Active Directory load-generation tool that simulates client transactions on a host server to assess the performance of the Microsoft® Active Directory™ within Microsoft® Windows® Server 2003 and Microsoft® Active Directory Application Mode™.


ADTest is an Active Directory load-generation tool. It allows you to simulate client transactions on the host server. By varying client load, you can relate the transaction rate to resource utilization on the server and get some idea about the requirements for your environment. Because ADTest can perform generic Active Directory requests, it can also create an organizational unit structure inside Active Directory. You can add many organizational units and user objects in those ADTest-created organizational units. You can also add attributes to the user objects. Once you have created the Active Directory structure you require, you can use ADTest to perform various Active Directory requests, including Modify and Search. Several pre-built tests have been written to reproduce some typical activities you might want to evaluate. Examples of these pre-built tests are: an interactive logon, a batch logon, a search for a random user, and a modification of an attribute of a random user. By varying your hardware environment or other test parameters, you can gain insight into the performance sensitivities of your particular setup.

Remember that benchmarking and performance exercises are useful for comparing platforms or for getting a general understanding of the hardware requirements for common implementation scenarios. However, because these tests are run in constrained environments, such as an isolated lab, they do not necessarily translate directly to deployable scenarios. Therefore, it is important to understand that while this tool is meant to help you prepare for a fairly comprehensive server-sizing and capacity-planning effort, any data generated is only meant for general sizing, benchmarking, or deployment recommendations.



Categories: Active Directory, Quest Software

Upgrading to InTrust 10.2

If upgrading to InTrust 10.2 from any version prior to 10.0 (e.g. from 9.6) then you have to ensure an interim step of upgrading to 10.0 or 10.1 FIRST before upgrading to 10.2! Annoying yes, but impossible otherwise. Oh and it normally takes a day to update just a handful of servers.

InTrust is a heterogeneous auditing, monitoring and compliance tool from Quest Software.

Categories: Active Directory

Upgrading to Windows Server 2008 R2

Just to cover quickly the upgrade of Windows 2008 Server SP2 to the R2 version in 13 steps.

REMEMBER > Plan > Prepare > Update,

This is a GUIDE only and not a recommendation of how you should upgrade, so test it first and don’t blame me if it goes horribly wrong, blame the gerbil – if in doubt consult an expert (i.e. not me!)

Using an account that is a member of Schema Admins, Enterprise Admins and Domain Admins (talk about overkill eh… but that is what Microsoft documents: /forestprep needs Schema Admins and Enterprise Admins, /domainprep needs Domain Admins, and trust me it wasn’t working without them), you need to run the adprep tools first. Run adprep /forestprep on the DC that holds the Schema Master FSMO role and adprep /domainprep on the Infrastructure Master of each domain. Grant those memberships for the duration of the upgrade and take them away again afterwards. Follow these steps:

1. Copy the Adprep folder from the W2K8 R2 DVD (\Support\Adprep) to a local volume on the Schema Master, e.g. E:\adprep.


2. Usual gotcha – open an elevated CMD prompt to run it from. Otherwise you get an error saying it cannot check your group membership.

3. Change directory to where you copied adprep and type in adprep /forestprep (use adprep32.exe from the same folder if the Schema Master is a 32-bit server).


4. Press C and then hit ENTER if you are happy to proceed then it does stuff like below


And more stuff


And some more before it is finished.


5. Excellent, now run the following command on the Infrastructure Master of each domain (in a single-domain forest that may well be the same DC):

adprep /domainprep /gpprep

If you intend to add Read-Only DCs later, adprep /rodcprep goes here too.


Et voila, all preparation tasks finished and you’re ready to roll with the update to R2

6. In Windows Explorer browse to your W2K8 R2 DVD and run setup.


7. Click on the annoying UAC prompt to confirm so you can continue then click Install Now, setup starts


Still starts up


8. Click on Do not get the latest updates


Searches for something


9. Seems to have found whatever it was looking for, select Windows Server Standard 2008 R2 Standard (Full Installation) (or whatever is relevant for your upgrade), yeah I know it says Full but worry not it will be doing an Upgrade! Click Next


10. Sign your life away, Click Next


11. See, promised you as much. Click UPGRADE!


12. You’ll get the following compatibility warning…


13. Resolve any issues and then crack on. Otherwise setup will cancel the upgrade for you if any errors are unresolved. Warnings are acceptable!


Then it does stuff, randomly, and also randomly reboots about 3 times!


Oh look, registry still exists…


Is this the final step…


Nope, fooled you, anyone who knows WHY it is copying so many files (nearly a quarter of a million) please email me!


And then it REBOOTS again, third time and counting…

…then like something from a Star Wars movie comes the following

First time use? Eh, I’ve been using this server for nearly a year, how can this be the first time!!! Anyway it glows randomly for a little while as it ‘prepares’ for battle. Bit like a Cylon, sorta.


There you go, all that effort for that red R2 at the bottom(!)


Anyway, the update is worth it. The interface is now pretty as a picture!

BUT, my RDP would no longer work. Neither would pinging it by IP Address? Has the Firewall for the Domain Profile come back on? NO!

So what happened? Well upon further investigation it seems it lost all the static IP information that had been entered into this DC. WHAT? Why would it do that, dear old Microsoft? Re-enter the static IP info to get the server back in shape… oh dear(!) hope it doesn’t happen to you! Cheap insurance before you start: netsh -c interface dump > netcfg.txt saves the adapter configuration as a script that netsh -f netcfg.txt replays if the upgrade loses it.
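The adprep preparation (steps 1 to 5) and the lost-static-IP ending, together as an added PowerShell example that is not part of the original post: it checks elevation, the required group memberships, which DC holds the Schema Master and Infrastructure Master roles and the current schema version before touching adprep, saves the NIC configuration with netsh so it can be replayed, and after the upgrade checks the OS version, schema version and whether any adapter has fallen back to DHCP. It is written for PowerShell 2.0 as shipped with Server 2008 SP2, so it uses ADSI and .NET rather than the ActiveDirectory module. Assumed: adprep copied to E:\adprep as in step 1 and the dump file path; the schema versions are Microsoft’s published values (Server 2008 = 44, Server 2008 R2 = 47).

```powershell
# Added example (not from the original post): pre-flight for the adprep steps, a saved
# copy of the NIC configuration, and a post-upgrade check covering the lost static IP.
# PowerShell 2.0 compatible (Server 2008 SP2): ADSI/.NET, no ActiveDirectory module.
# Assumed: adprep in E:\adprep (the post's step 1); schema 44 = Server 2008, 47 = Server 2008 R2.

$AdprepDir = 'E:\adprep'
$NetCfg    = "$env:SystemDrive\preupgrade-netcfg.txt"

function Test-Elevated {
    # adprep refuses to check group membership from a non-elevated prompt (step 2).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AdprepPrerequisites {
    # Which DC each adprep switch must run on, and where the schema is now.
    $forest  = [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain  = [DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]"LDAP://$($rootDse.Properties['schemaNamingContext'].Value)"
    $ip      = [Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    New-Object PSObject -Property @{
        LocalHost            = "$($ip.HostName).$($ip.DomainName)"
        SchemaMaster         = $forest.SchemaRoleOwner.Name
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
        SchemaVersion        = [int]$schema.Properties['objectVersion'].Value
    }
}

function Test-AdprepGroups {
    # /forestprep needs Schema Admins + Enterprise Admins; /domainprep needs Domain Admins.
    $names = foreach ($sid in [Security.Principal.WindowsIdentity]::GetCurrent().Groups) {
        try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { }
    }
    $missing = @('Schema Admins', 'Enterprise Admins', 'Domain Admins' |
                 Where-Object { -not ($names -match ('\\' + [regex]::Escape($_) + '$')) })
    if ($missing.Count -gt 0) { Write-Warning "Not a member of: $($missing -join ', ')" }
    return ($missing.Count -eq 0)
}

function Save-NetworkConfig {
    # netsh -c interface dump writes a script that netsh -f replays: insurance against the
    # upgrade dropping the DC's static addressing, as happened in the post.
    cmd /c "netsh -c interface dump > `"$NetCfg`""
    Test-Path $NetCfg
}

function Test-PostUpgrade {
    # Run after the final reboot: OS 6.1 = 2008 R2, schema 47, no adapter fallen back to DHCP.
    $os   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentVersion
    $dhcp = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
              Where-Object { $_.DHCPEnabled })
    if ($dhcp.Count -gt 0) {
        $nics = ($dhcp | ForEach-Object { $_.Description }) -join ', '
        Write-Warning "Static addressing lost on: $nics. Restore with: netsh -f $NetCfg"
    }
    New-Object PSObject -Property @{
        OsVersion      = $os
        SchemaVersion  = (Get-AdprepPrerequisites).SchemaVersion
        StaticIpIntact = ($dhcp.Count -eq 0)
    }
}

# --- Pre-flight, on the DC you intend to run adprep from (steps 1-5) ---
if (-not (Test-Elevated)) { throw 'Open an elevated prompt first (step 2).' }
$pre = Get-AdprepPrerequisites
$pre
if (-not (Test-AdprepGroups)) { throw 'Add the missing group memberships, log off and on, then retry.' }
Save-NetworkConfig | Out-Null
if ($pre.SchemaVersion -ge 47) { 'Schema already at Server 2008 R2 level (47); /forestprep not needed.' }
elseif ($pre.SchemaMaster -ne $pre.LocalHost) { throw "Run adprep /forestprep on $($pre.SchemaMaster), not here." }
else { & "$AdprepDir\adprep.exe" /forestprep }      # answer C <Enter> at the prompt (step 4)
if ($pre.InfrastructureMaster -eq $pre.LocalHost) { & "$AdprepDir\adprep.exe" /domainprep /gpprep }
else { "Run adprep /domainprep /gpprep on $($pre.InfrastructureMaster)." }

# --- After the upgrade and its reboots ---
# Test-PostUpgrade
```

Group membership is read from the current token, which is why the script tells you to log off and on after adding yourself to a group: adprep sees the same token, and that is the “cannot check your group membership” error from step 2 wearing a different hat.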
