
Blog


    February 23

    Couple of little known GPO tools

    Well, it's been a while since I blogged on Active Directory and I'm starting to feel a little rusty (after all, I haven't worked on AD for a month now ;)). I now have a pretty large list of tools and utilities that are less known than most. While going through that list I came across two I haven't used in a while, but which had, at one time, been pretty useful. Here they are:

    ADMX.EXE: This tool allows you to extract the settings from an .ADM file to a text file; you can then use a file comparison tool to compare the contents of one file with another. Useful when MS comes up with a new .ADM template, as they do with each OS update (including Service Packs). BTW, the latest .ADM templates available right now are the ones packaged with Windows XP SP2; new ones will arrive with W2K3 SP1.

    DCGPOFIX.EXE: So you messed up the default AD GPOs (the Default Domain Policy and the Default Domain Controllers Policy, linked at the domain and at the Domain Controllers OU) and you want to restore them to their default settings. This is the tool for you. Keep in mind that it rebuilds both policies from the built-in defaults, so every setting you added to them yourself is gone afterwards.
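    As an added example (not from the original post), this is how I would run it: back the two policies up first, rebuild them, then verify. It assumes the GroupPolicy module (RSAT, Windows Server 2008 R2 or later), Domain Admin rights, and a backup path of your choosing:

```powershell
# Added example, not from the original post. Assumes the GroupPolicy module
# (RSAT / Windows Server 2008 R2+) and Domain Admin rights; the backup path is an assumption.
Import-Module GroupPolicy

$backupDir = 'C:\GPOBackup\Defaults'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Keep a copy of what is there now. dcgpofix discards every setting in the
#    two default policies, including the ones you added on purpose.
foreach ($gpo in 'Default Domain Policy', 'Default Domain Controllers Policy') {
    Backup-GPO -Name $gpo -Path $backupDir -Comment 'Before dcgpofix' | Out-Null
}

# 2. Rebuild them. /target:Domain, /target:DC or /target:Both; the tool asks
#    for confirmation before it touches anything.
dcgpofix /target:Both

# 3. Check that both objects exist again and were just modified.
'Default Domain Policy', 'Default Domain Controllers Policy' |
    ForEach-Object { Get-GPO -Name $_ } |
    Select-Object DisplayName, Id, ModificationTime

# 4. Pull the rebuilt policies to this machine and see what applied.
gpupdate /force
gpresult /r /scope:computer
```

    The backup is there so you can look up (or re-import with Import-GPO) the settings you actually wanted, such as a domain password policy you had tuned, and put only those back by hand.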

    More to come soon...

    December 17

    Taking DC's offline for an extended period of time

    Recently I was working on a military project where we had to configure naval ships with AD domain controllers. Each ship would have its own domain controller, part of the military domain (name and country have to remain private). I received the guarantee that DCs would synchronize through satellite communication at least every 2 months. To ensure I would not run into any problems with tombstones, I increased the tombstone lifetime to 120 days for the DCs.

    I moved on to other projects and one day got a call from the client: they had issues with DCs not being able to replicate domain information. Turned out the DCs had been out of sync for 6 months. It definitely wasn't a smart idea, but they applied the following registry modification to allow replication:


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    DWORD value (thanks for pointing that out, GKressel):
    Allow Replication With Divergent and Corrupt Partner - Value: 1

    Replication works fine now, but what shadow/ghost objects will appear? I'll keep you updated.
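    An added check for the situation above (my code, not the original post's): it reads both replication-consistency values on a DC, reports the forest tombstone lifetime, and runs repadmin's advisory mode against a suspect DC to list objects it still holds that were deleted elsewhere (lingering objects) without removing them. It assumes repadmin.exe is available and that you know a DC that stayed in sync; the DC names in the usage line are placeholders:

```powershell
# Added example, not from the original post. Run on a DC; needs repadmin.exe
# (Windows Server 2003 Support Tools, in-box on later versions).
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$p = Get-ItemProperty -Path $ntdsParams

# A missing value means "default": no divergent-partner override, and strict
# consistency off on forests that were upgraded rather than created on 2003 SP1 or later.
$allowDivergent = $p.'Allow Replication With Divergent and Corrupt Partner'
$strict         = $p.'Strict Replication Consistency'

if ($allowDivergent -eq 1) {
    Write-Warning ('Divergent-partner override is ON: this DC accepts changes from partners that ' +
                   'missed the tombstone lifetime, so deletions they never saw come back as lingering objects.')
}
if ($strict -ne 1) {
    Write-Warning 'Strict Replication Consistency is not 1: inbound lingering objects are re-animated instead of refused.'
}

# Forest-wide tombstone lifetime; an absent attribute means the forest default (60 or 180 days).
$rootDse = [ADSI]'LDAP://RootDSE'
$cfgNC   = [string]$rootDse.configurationNamingContext
$dsObj   = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC"
$tsl     = $dsObj.Properties['tombstoneLifetime'].Value
'Tombstone lifetime: ' + $(if ($tsl) { "$tsl days" } else { 'not set (forest default)' })

function Find-LingeringObjects {
    # Advisory mode only reports; drop /ADVISORY_MODE to actually remove the objects.
    param(
        [Parameter(Mandatory)] [string] $SuspectDC,   # the DC that was offline too long
        [Parameter(Mandatory)] [string] $GoodDC,      # a DC known to be clean
        [string] $NamingContext = [string]$rootDse.defaultNamingContext
    )
    # repadmin needs the clean DC's own DSA object GUID; /showrepl prints it in its header.
    $match = & repadmin /showrepl $GoodDC |
             Select-String 'DSA object GUID:\s*([0-9a-fA-F-]+)' | Select-Object -First 1
    $guid = $match.Matches[0].Groups[1].Value
    & repadmin /removelingeringobjects $SuspectDC $guid $NamingContext /ADVISORY_MODE
    # Results land in the suspect DC's Directory Service event log:
    # event 1942 (count) and one event 1946 per lingering object.
}

# Usage with assumed names:
# Find-LingeringObjects -SuspectDC 'SHIPDC01' -GoodDC 'HQDC01'
```

    Once the advisory run comes back clean (or the objects have been removed), set the divergent-partner value back to 0; leaving it at 1 means the next ship that goes dark for too long gets the same treatment silently.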

    December 16

    How do you refresh the cache for Universal Group Membership?

    This relatively new feature in Windows Server 2003 (universal group membership caching) removes the requirement to query a Global Catalog server at logon. However, the cached information only gets refreshed every 8 hours by default. If you want to force a refresh on a DC in the "caching site", here's the VBScript:

    ' Bind to the RootDSE of the DC that does the caching (run against a DC in the caching site)
    Set objRoot = GetObject("LDAP://RootDSE")
    ' Writing 1 to the operational attribute updateCachedMemberships triggers an immediate refresh
    objRoot.Put "updateCachedMemberships", 1
    objRoot.SetInfo
    MsgBox "Thanks David for this nice script :)"
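    The same refresh in PowerShell, as an added example that is not part of the original post, preceded by the check the post leaves implicit: whether caching is actually switched on for the site (bit 0x20 of the options attribute on the site's NTDS Site Settings object) and which site's Global Catalogs feed it. The attribute is written per DC, so you run the refresh against each DC in the caching site; the DC name is an assumption:

```powershell
# Added example, not from the original post. Plain ADSI, no RSAT module needed.
function Test-UniversalGroupCaching {
    # Reads the NTDS Site Settings object of the site this computer is in.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $cfgNC    = [string]$rootDse.configurationNamingContext
    $site     = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    $settings = [ADSI]"LDAP://CN=NTDS Site Settings,CN=$site,CN=Sites,$cfgNC"

    $options = [int]($settings.Properties['options'].Value)   # null -> 0
    $GroupCachingBit = 0x20                                    # NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED
    [pscustomobject]@{
        Site            = $site
        CachingEnabled  = (($options -band $GroupCachingBit) -ne 0)
        # Empty means "nearest site with a GC"; otherwise the DN of the site whose GCs are used.
        PreferredGCSite = [string]$settings.Properties['msDS-Preferred-GC-Site'].Value
    }
}

function Update-CachedMemberships {
    param([Parameter(Mandatory)] [string] $DomainController)
    # updateCachedMemberships is an operational attribute on RootDSE; writing 1 makes
    # that DC refresh its universal-group cache from a GC now instead of at the 8-hour mark.
    $dcRoot = [ADSI]"LDAP://$DomainController/RootDSE"
    $dcRoot.Put('updateCachedMemberships', 1)
    $dcRoot.SetInfo()
}

$state = Test-UniversalGroupCaching
$state
if ($state.CachingEnabled) {
    Update-CachedMemberships -DomainController 'SHIPDC01'   # assumed DC name; repeat for every DC in the site
} else {
    Write-Warning "Caching is not enabled for site $($state.Site); the refresh would do nothing."
}
```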

    December 15

    nltest is your friend...

    A couple of weeks ago I ran into an issue where a client computer was not receiving its site-linked GPO. I had just created the new site structure, so I was wondering if the client did not yet have the site information. I had used Nltest.exe before, but had never used this switch:

    nltest /dsgetsite

    It returns the site the client computer believes it is in. I then noticed the client was reading its information from cache and forced a refresh with: nltest /dsgetdc:DOMAIN_NAME /force

    GPO Applied!
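    Added example, my code rather than the post's: it wraps the two nltest calls, compares the site Netlogon reports with the one the directory computes for this computer's subnet, and refreshes the DC locator cache and policy when they differ. It assumes a domain-joined Windows machine; the domain name defaults to the environment variable:

```powershell
# Added example, not from the original post. nltest.exe ships with Windows.
function Get-ClientSiteState {
    param([string] $Domain = $env:USERDNSDOMAIN)

    # What Netlogon currently thinks (possibly stale): the first output line is the site name.
    $cachedSite = (& nltest /dsgetsite | Select-Object -First 1).Trim()

    # What the directory computes from this computer's IP and the subnet-to-site mapping.
    $computedSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

    # Bypass the DC locator cache and re-read DC and site information.
    $dsgetdc = & nltest "/dsgetdc:$Domain" /force
    $dc      = ($dsgetdc | Select-String '^\s*DC:\s*\\\\(\S+)'             | Select-Object -First 1).Matches[0].Groups[1].Value
    $siteNow = ($dsgetdc | Select-String '^\s*Our Site Name:\s*(.+?)\s*$'  | Select-Object -First 1).Matches[0].Groups[1].Value

    [pscustomobject]@{
        CachedSite     = $cachedSite
        ComputedSite   = $computedSite
        SiteAfterForce = $siteNow
        LocatedDC      = $dc
        Stale          = ($cachedSite -ne $computedSite)
    }
}

$state = Get-ClientSiteState
$state
if ($state.Stale) {
    Write-Warning "Netlogon had '$($state.CachedSite)' cached but the subnet maps to '$($state.ComputedSite)'; re-applying policy."
    gpupdate /force
}
```

    If ComputedSite is empty or GetComputerSite throws, the client's subnet is not defined under Sites and Services at all, which is the other common reason a site-linked GPO never shows up.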

    December 14

    Securing your Administrator account

    One of the things I'm starting to recommend to my students regarding the built-in Administrator account is to rename it. That in itself is nothing new, but along with that, create a new "fake" administrator account named "Administrator" with as few user rights as possible. Set a very complex password on that account and let hackers hack away at it. Keep in mind that renaming does not change the real account's well-known RID (500), so anyone who can enumerate the domain by SID will still find it; the decoy catches attackers who go by name, and since nobody legitimate ever uses it, every logon attempt against it is worth auditing.
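    As an added example (mine, not from the post), the two halves of this in PowerShell, plus the check that motivates the caveat: the real account is always the one with RID 500, whatever its name, so find it that way, create the decoy, and watch the decoy's failed logons on the DCs. Assumes the ActiveDirectory module (RSAT) and Domain Admin rights; the decoy name and the new name in the usage lines are assumptions:

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

function Get-BuiltinAdministrator {
    # Renaming changes the name, not the SID. RID 500 is always the real account.
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADUser -Identity "$domainSid-500" -Properties Description, LastLogonDate, MemberOf
}

function New-DecoyAdministrator {
    param(
        [string] $Name = 'Administrator',
        # Same description the real account ships with, so it looks right in a listing.
        [string] $Description = 'Built-in account for administering the computer/domain'
    )
    # 32 random bytes as a password nobody will ever type; it is not stored anywhere.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    # No group memberships beyond the primary group (Domain Users), no admin rights.
    New-ADUser -Name $Name -SamAccountName $Name -Description $Description `
        -AccountPassword $secret -Enabled $true -CannotChangePassword $true `
        -PasswordNeverExpires $true -PassThru
}

function Get-DecoyLogonAttempts {
    # Failed Kerberos pre-authentication (4771) and NTLM validation (4776) for the decoy,
    # read from this DC's Security log. Nobody legitimate uses the decoy, so every hit is a probe.
    param([string] $Name = 'Administrator', [int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "(?m)^\s*(Account Name|Logon Account):\s*$Name\s*$" } |
        Select-Object TimeCreated, Id,
            @{ n = 'Source'; e = { ($_.Message | Select-String '(?m)^\s*(Client Address|Source Workstation):\s*(\S+)').Matches[0].Groups[2].Value } }
}

# Usage with assumed names:
# Get-BuiltinAdministrator | Select-Object Name, SamAccountName, SID, Enabled
# Get-BuiltinAdministrator | Set-ADUser -SamAccountName 'breakglass-admin' -Description 'Break-glass account'
# Get-BuiltinAdministrator | Rename-ADObject -NewName 'breakglass-admin'
# New-DecoyAdministrator
# Get-DecoyLogonAttempts -Hours 168
```

    Rename the real account before creating the decoy, or New-ADUser fails on the name clash; in a domain the rename is usually pushed through the "Accounts: Rename administrator account" security option in the Default Domain Policy rather than by hand, and the decoy's description should match what the real one used to say.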