Posts Tagged ‘Active Directory’

Understanding FSMO Roles in Active Directory

Posted in English Articles by kissdeath on May 4th, 2009

by Daniel Petri

What are the FSMO Roles in Active Directory?

Windows 2000/2003 Multi-Master Model

A multi-master enabled database, such as Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, “the last writer wins”), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the “last writer wins” approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact.

For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.

Understanding Windows Server 2008 Active Directory Domain and Forest Functional Levels

Posted in English Articles by kissdeath on May 4th, 2009

by Daniel Petri

In Windows Server 2003, functional levels were an extension of the older mixed/native mode concept introduced in Windows 2000. In Windows Server 2008 this was further extended to include new features and benefits; functional levels are used to activate new Active Directory features after all the Domain Controllers (DCs) in the domain or forest are running Windows Server 2008 operating systems. Functional levels determine the features of Active Directory Domain Services (AD DS) that are enabled in a domain or forest.

Increasing the number of objects returned in a single LDAP query

Posted in English Articles by kissdeath on April 3rd, 2009

By default, Windows returns a maximum of 1000 objects in response to a single LDAP query. This can be a limitation when you have more than 1000 objects in your Active Directory and you are running some kind of script that does a bulk import of objects (user accounts and/or computers) from Active Directory.

Some applications, like Adobe Connect, also require such bulk imports. If you find that the number of user accounts imported from Active Directory is exactly 1000 when you are sure there are more, it's time to take a look at this.

The 1000-object limit is governed by the MaxPageSize LDAP administration limit, which is defined using NTDSUTIL. To increase the value:

  1. Open Command Prompt on a domain controller, logged in as domain administrator.
  2. Type NTDSUTIL and press ENTER.
  3. In the ntdsutil: prompt, type ldap policies
  4. In the ldap policy: prompt, type connections
  5. In the server connections: prompt, type connect to server <FQDN of domain controller>
  6. Once you are connected, type q to come back to the ldap policy: prompt.
  7. If you type show values, you can see the current value for the administration limits, including the MaxPageSize limit.
  8. To change the value to allow up to 30,000 objects to be returned in a single LDAP query, type set MaxPageSize to 30000
  9. You can view your changes by typing Show Changes. Note that the new values appear in brackets, because you have not yet committed your changes.
  10. To commit changes type commit changes
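The menu walk above as a script, together with the check a practitioner would want next to it. This is an added PowerShell example, not part of the original post; dc01.corp.example.com is a placeholder domain controller name and the caller is assumed to be a domain admin. The script reads the current limit, optionally commits the new value, and then shows the client-side alternative: an LDAP client that requests the paged-results control (DirectorySearcher.PageSize) receives every matching object in pages no larger than MaxPageSize, so raising the server limit is only needed for clients that cannot page, and a larger limit means more memory per query on the DC.

```powershell
# Added example (not from the original post). Assumes the caller is a domain
# admin and that a DC is reachable as dc01.corp.example.com (placeholder name).
param(
    [string]$DomainController = 'dc01.corp.example.com',   # placeholder FQDN
    [int]$NewMaxPageSize = 30000,                           # value used in the post
    [switch]$Commit                                         # omit for a read-only check
)

# ntdsutil accepts its interactive menu commands as arguments, so steps 2-7
# of the post collapse into one invocation that prints the current limits.
function Get-MaxPageSize {
    param([string]$Server)
    $out = & ntdsutil.exe 'ldap policies' connections "connect to server $Server" q 'show values' q q
    $m = $out | Select-String -Pattern 'MaxPageSize\s+(\d+)' | Select-Object -First 1
    if (-not $m) { throw "MaxPageSize not found in ntdsutil output from $Server" }
    [int]$m.Matches[0].Groups[1].Value
}

# Steps 8-10: set the new value and commit it, in one invocation.
function Set-MaxPageSize {
    param([string]$Server, [int]$Value)
    & ntdsutil.exe 'ldap policies' connections "connect to server $Server" q `
        "set MaxPageSize to $Value" 'commit changes' q q | Out-Null
}

# Client-side alternative: a paged search returns every match regardless of
# MaxPageSize; the DC simply caps each page at that limit.
function Get-AllUserNames {
    param([string]$Server)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = 500      # any non-zero value turns on the paged-results control
    $searcher.SizeLimit = 0       # 0 = no client-side cap
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $results = $searcher.FindAll()
    try {
        @($results | ForEach-Object { [string]$_.Properties['samaccountname'][0] })
    } finally {
        $results.Dispose()
    }
}

$before = Get-MaxPageSize -Server $DomainController
Write-Host "MaxPageSize on $DomainController is $before"
if ($Commit -and $before -ne $NewMaxPageSize) {
    Set-MaxPageSize -Server $DomainController -Value $NewMaxPageSize
    Write-Host "MaxPageSize is now $(Get-MaxPageSize -Server $DomainController)"
}

$users = Get-AllUserNames -Server $DomainController
Write-Host "Paged search returned $($users.Count) user accounts"
if ($users.Count -eq 1000) {
    Write-Warning 'Exactly 1000 results: the client is probably not paging (PageSize = 0).'
}
```

Run it without -Commit first to see the current limit and confirm that the paged search already returns more than 1000 accounts; only add -Commit for applications that issue a single unpaged query and cannot be changed.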

Source.

Manually Undeleting Objects in Active Directory

Posted in English Articles by kissdeath on March 18th, 2009

The tutorials from Petri and the Microsoft Support website show you how to undelete objects in AD using ldp.exe.

- Read the Article at Microsoft Support site: How to restore deleted user accounts and their group memberships in Active Directory

- Here is the tutorial on the Petri site

by Daniel Petri – January 8, 2009

How to remove data in Active Directory after an unsuccessful domain controller demotion

Posted in English Articles by kissdeath on March 16th, 2009

The article shows you how to clean up a failed DC's metadata in AD.

Read the article at Microsoft Support.

Or at the petri.co.il site.

Active Directory Health Checks for Domain Controllers

Posted in English Articles by kissdeath on February 17th, 2009

The Event Viewer is always a must. I look at all the logs before and after the update to the domain controller looking for abnormal events. With the pre-check I usually go back a month of logs to get more historical data. I then run through a couple command line utilities. One thing I always do is pipe my commands out to a text document. This just makes it easier for me to read and also search for failed events.

Dcdiag.exe /v >> c:\temp\pre_dcdiag.txt
This is a must and will always tell you if there is trouble with your DCs and/or services associated with it

Netdiag.exe /v >> c:\temp\pre_Netdiag.txt
This will let me know if there are issues with the networking components on the DC. This along with the post test also is a quick easy way to ensure the patch I just installed is really installed (just check the top of the log)

Netsh dhcp show server >> c:\temp\pre_dhcp.txt
Some may not do this but I’ve felt the pain of a DHCP server somehow not being authorized after a patch. This allows me to verify the server count and names.

Repadmin /showreps >> c:\temp\pre_rep_partners.txt
This shows all my replication and if it was successful or not. Just be aware that Global Catalogs will have more info here than a normal domain controller.

repadmin /replsum /errorsonly >> c:\temp\pre_repadmin_err.txt
This is the one that always takes forever but will let you know who you are having issues replicating with.

After I run and check the pre_ scripts I update my server. When it is done I run the post_ scripts, which are the same thing, but this allows me to verify them against the scripts from earlier.
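The pre/post routine above written as one PowerShell script; this is an added example, not code from the original post. It runs the same five commands into C:\temp with a pre_ or post_ prefix, overwrites rather than appends so a re-run does not mix old output into the comparison, then pulls out the failure lines and diffs pre against post with time-stamped lines filtered out. netdiag.exe ships only with the Windows Server 2003 support tools, so it is skipped where it is not installed.

```powershell
# Added example, not from the original post. Writes the pre/post outputs to
# C:\temp\<phase>_<name>.txt, then compares them.
$OutDir = 'C:\temp'

# Same five checks as the post; the key becomes the file-name suffix.
$Checks = [ordered]@{
    dcdiag       = { dcdiag.exe /v }
    Netdiag      = { netdiag.exe /v }                 # 2003 support tools only
    dhcp         = { netsh.exe dhcp show server }
    rep_partners = { repadmin.exe /showreps }
    repadmin_err = { repadmin.exe /replsum /errorsonly }
}

function Invoke-DcHealthSnapshot {
    param([Parameter(Mandatory)][ValidateSet('pre', 'post')][string]$Phase)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($name in $Checks.Keys) {
        $file = Join-Path $OutDir "${Phase}_$name.txt"
        $exe  = ($Checks[$name].ToString().Trim() -split '\s+')[0]
        if (-not (Get-Command $exe -ErrorAction SilentlyContinue)) {
            "$exe not found on this host; check skipped" | Set-Content -Path $file
            continue
        }
        # Overwrite rather than append (the post uses >>) so a repeated run of
        # the same phase cannot mix stale output into the comparison.
        & $Checks[$name] 2>&1 | Out-String | Set-Content -Path $file
        "$Phase/$name written to $file"
    }
}

# Lines worth reading first: dcdiag reports "... DC01 failed test X", and
# repadmin /replsum /errorsonly only lists partners that have errors.
function Get-FailedChecks {
    param([Parameter(Mandatory)][ValidateSet('pre', 'post')][string]$Phase)
    Get-ChildItem -Path (Join-Path $OutDir "${Phase}_*.txt") |
        Select-String -Pattern 'failed test|error|fail' |
        Select-Object Filename, LineNumber, Line
}

# Diff each pre/post pair, ignoring lines that carry a clock time so that
# timestamps alone do not make every run look different.
function Compare-DcSnapshots {
    $timeLine = '\d{1,2}:\d{2}:\d{2}'
    foreach ($name in $Checks.Keys) {
        $pre  = Get-Content -Path (Join-Path $OutDir "pre_$name.txt")  | Where-Object { $_ -notmatch $timeLine }
        $post = Get-Content -Path (Join-Path $OutDir "post_$name.txt") | Where-Object { $_ -notmatch $timeLine }
        $diff = Compare-Object -ReferenceObject @($pre) -DifferenceObject @($post)
        [pscustomobject]@{
            Check        = $name
            ChangedLines = @($diff).Count
            OnlyInPost   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
        }
    }
}

# Usage: Invoke-DcHealthSnapshot -Phase pre; apply the update; Invoke-DcHealthSnapshot -Phase post
#        Get-FailedChecks -Phase post; Compare-DcSnapshots | Format-List
```

A non-zero ChangedLines for rep_partners or repadmin_err after the update is the signal to read the post_ file in full; the OnlyInPost list shows exactly which lines appeared only after the patch.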

Hopefully this helps you when you troubleshoot your domain controllers, but by no means is this an all-encompassing list of things to do. These are the standard steps I take, but I would love to hear what you all do as well.

Source.