<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='http://elfassy.spaces.live.com/mmm2008-05-08_20.17/rsspretty.aspx?rssquery=en-US;http%3a%2f%2felfassy.spaces.live.com%2fcategory%2fActive%2bDirectory%2ffeed.rss' version='1.0'?><rss version="2.0" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:msn="http://schemas.microsoft.com/msn/spaces/2005/rss" xmlns:live="http://schemas.microsoft.com/live/spaces/2006/rss" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:cf="http://www.microsoft.com/schemas/rss/core/2005" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Exchange Server 2007 / 2003 (tips and tricks) sprinkled with SMS and AD stuff...: Active Directory</title><description /><link>http://elfassy.spaces.live.com/?_c11_BlogPart_BlogPart=blogview&amp;_c=BlogPart&amp;partqs=catActive%2bDirectory</link><language>en-US</language><pubDate>Wed, 14 May 2008 03:29:14 GMT</pubDate><lastBuildDate>Wed, 14 May 2008 03:29:14 GMT</lastBuildDate><generator>Microsoft Spaces v1.1</generator><docs>http://www.rssboard.org/rss-specification</docs><ttl>60</ttl><cf:parentRSS>http://elfassy.spaces.live.com/blog/feed.rss</cf:parentRSS><live:type>blogcategory</live:type><live:identity><live:id>-188369696623034668</live:id><live:alias>elfassy</live:alias></live:identity><cf:listinfo><cf:group ns="http://schemas.microsoft.com/live/spaces/2006/rss" element="typelabel" label="Type" /><cf:group ns="http://schemas.microsoft.com/live/spaces/2006/rss" element="tag" label="Tag" /><cf:group element="category" label="Category" /><cf:sort element="pubDate" label="Date" data-type="date" default="true" /><cf:sort element="title" label="Title" data-type="string" /><cf:sort ns="http://purl.org/rss/1.0/modules/slash/" element="comments" label="Comments" data-type="number" /></cf:listinfo><item><title>Couple of little known GPO tools</title><link>http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!165.entry</link><description>&lt;p&gt;Well it's been a 
while since I blogged on Active Directory and I'm starting to feel a little rusty (after all, I haven't worked on AD for a month now ;)). I now have a pretty large list of tools and utilities that are less known than most. While going through that list I came across two I haven't used in a while, but had, at one time, been pretty useful. Here they are: &lt;p&gt;&lt;strong&gt;ADMX.EXE:&lt;/strong&gt; This tool allows you to extract GPO settings (from an .ADM file) to a text file, then use a file parser to compare the contents of one file with another. Useful when MS comes up with a new .ADM template, as they do with each OS update (including Service Packs). BTW, the latest .ADM template available right now is packaged with Windows XP SP2; a new one will soon arrive with W2K3 SP1. &lt;p&gt;&lt;strong&gt;DCGPOFIX.EXE:&lt;/strong&gt; Well, you screwed up the default AD GPOs (domain and domain controllers OU) and you want to restore them to their default settings. This is the tool for you. &lt;p&gt;More to come soon...</description><comments>http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!165.entry#comment</comments><guid isPermaLink="true">http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!165.entry</guid><pubDate>Wed, 23 Feb 2005 05:11:14 GMT</pubDate><slash:comments>2</slash:comments><msn:type>blogentry</msn:type><live:type>blogentry</live:type><live:typelabel>Blog 
entry</live:typelabel><wfw:commentRss>http://elfassy.spaces.live.com/blog/cns!FD62C6C24A55FED4!165/comments/feed.rss</wfw:commentRss><wfw:comment>http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!165.entry#comment</wfw:comment><dcterms:modified>2005-02-23T13:52:47Z</dcterms:modified></item><item><title>Taking DCs offline for an extended period of time</title><link>http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!146.entry</link><description>&lt;p&gt;Recently I was working on a military project where we had to configure naval ships with AD domain controllers. Each ship would have its own domain controller, part of the military domain. (name and country have to remain private) I received the guarantee that DCs would synchronize through satellite communication at least every 2 months. To ensure I would not run into any problems with tombstones, I increased the tombstone lifetime to 120 days for the DCs. &lt;p&gt;I moved on to other projects and one day got a call from the client, they had issues with DCs not being able to replicate domain information. Turned out the DCs had been out of sync for 6 months. It definitely wasn't a smart idea, but they applied the following registry modification to allow replication: &lt;p&gt;&lt;br&gt;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters &lt;br&gt;DWORD value: &lt;em&gt;(thanks for pointing that out GKressel)&lt;br&gt;&lt;/em&gt;Allow Replication With Divergent and Corrupt Partner - Value: 1 &lt;p&gt;Replication works fine now, but what shadow/ghost objects will appear? 
I'll keep you updated.</description><comments>http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!146.entry#comment</comments><guid isPermaLink="true">http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!146.entry</guid><pubDate>Fri, 17 Dec 2004 16:45:43 GMT</pubDate><slash:comments>3</slash:comments><msn:type>blogentry</msn:type><live:type>blogentry</live:type><live:typelabel>Blog entry</live:typelabel><wfw:commentRss>http://elfassy.spaces.live.com/blog/cns!FD62C6C24A55FED4!146/comments/feed.rss</wfw:commentRss><wfw:comment>http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!146.entry#comment</wfw:comment><dcterms:modified>2005-03-02T03:12:45Z</dcterms:modified></item><item><title>How do you refresh the cache for Universal Group Membership?</title><link>http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!145.entry</link><description>&lt;p&gt;This new (relatively) feature in Windows Server 2003 removes the requirement of a (subsequent) logon query to the Global Catalog server. However, this information only gets refreshed every 8 hours. 
If you want to force a refresh from the &amp;quot;caching site&amp;quot;, here's the VB syntax: &lt;p&gt;set objRoot = GetObject(&amp;quot;LDAP://RootDSE&amp;quot;) &lt;p&gt;objRoot.Put &amp;quot;UpdateCachedMemberships&amp;quot;, 1 &lt;p&gt;objRoot.SetInfo &lt;p&gt;msgbox &amp;quot;Thanks David for this nice script :)&amp;quot;</description><comments>http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!145.entry#comment</comments><guid isPermaLink="true">http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!145.entry</guid><pubDate>Thu, 16 Dec 2004 19:48:40 GMT</pubDate><slash:comments>0</slash:comments><msn:type>blogentry</msn:type><live:type>blogentry</live:type><live:typelabel>Blog entry</live:typelabel><wfw:commentRss>http://elfassy.spaces.live.com/blog/cns!FD62C6C24A55FED4!145/comments/feed.rss</wfw:commentRss><wfw:comment>http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!145.entry#comment</wfw:comment><dcterms:modified>2004-12-16T19:48:40Z</dcterms:modified></item><item><title>nltest is your friend...</title><link>http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!133.entry</link><description>&lt;p&gt;A couple of weeks ago I ran into an issue where a client computer was not receiving its site-linked GPO. I had just created the new site structure, so I was wondering if the client did not yet get the site information. I had used Nltest.exe before, but had never used this switch. 
&lt;p&gt;nltest /dsgetsite &lt;p&gt;It will return the local site membership of the client computer. I then noticed the client was reading its information from cache and forced a refresh with: Nltest /dsgetdc:DOMAIN_NAME /force &lt;p&gt;GPO Applied!</description><comments>http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!133.entry#comment</comments><guid isPermaLink="true">http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!133.entry</guid><pubDate>Wed, 15 Dec 2004 15:28:42 GMT</pubDate><slash:comments>0</slash:comments><msn:type>blogentry</msn:type><live:type>blogentry</live:type><live:typelabel>Blog entry</live:typelabel><wfw:commentRss>http://elfassy.spaces.live.com/blog/cns!FD62C6C24A55FED4!133/comments/feed.rss</wfw:commentRss><wfw:comment>http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!133.entry#comment</wfw:comment><dcterms:modified>2004-12-15T15:28:42Z</dcterms:modified></item><item><title>Securing your Administrator account</title><link>http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!120.entry</link><description>&lt;p&gt;One of the things I'm starting to recommend to my students regarding the built-in Administrator account is to rename it. That in itself is nothing new, but along with that, create a new &amp;quot;fake&amp;quot; administrator account, named &amp;quot;Administrator&amp;quot;, with as few user rights as possible. 
Set a very complex password on that account and let hackers hack away at it.</description><comments>http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!120.entry#comment</comments><guid isPermaLink="true">http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!120.entry</guid><pubDate>Wed, 15 Dec 2004 01:42:11 GMT</pubDate><slash:comments>0</slash:comments><msn:type>blogentry</msn:type><live:type>blogentry</live:type><live:typelabel>Blog entry</live:typelabel><wfw:commentRss>http://elfassy.spaces.live.com/blog/cns!FD62C6C24A55FED4!120/comments/feed.rss</wfw:commentRss><wfw:comment>http://elfassy.spaces.live.com/Blog/cns!FD62C6C24A55FED4!120.entry#comment</wfw:comment><dcterms:modified>2004-12-15T01:42:11Z</dcterms:modified></item></channel></rss>