Archive for the 'Active Directory Health Check' Category

How to Troubleshoot Slow LDAP Searches

A critical must-read for you Active Directory admins!  How to troubleshoot, or even just detect, slow LDAP searches.

http://www.frickelsoft.net/blog/?p=246

Audit GPO Inheritance with PowerShell

I’m working on my next Active Directory Health Check article and I came across this article which applies to one of the areas we review as part of an Active Directory Health Check.

Check it out!

http://daniellange.wordpress.com/2010/03/08/auditing-gpo-inheritance-with-powershell/

For more information contact us at www.webactivedirectory.com, or call us at (+1) 800-747-3565

Active Directory Design Guide

It’s great to see Microsoft publish a design guide for Active Directory.  I haven’t read all of it yet but I do like that the guidance is specific to different business verticals and scenarios.

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=88f0184c-8f03-4f0f-b3f9-5109255fb461

Naming conventions in Active Directory

Ever wonder what characters are valid in domain names, NetBIOS names, Active Directory sites, etc.?  Well, you don’t have to guess: Microsoft has a Knowledge Base article with the standards already defined for you.

Pay special attention to name collisions in the directory and the reserved words when defining OU names.

http://support.microsoft.com/kb/909264


Domain and forest functionality levels

I recently saw a post on this, and it got me interested in where this data is stored and where on the MSDN site I could find it.

I have found that if you ask a company what forest and domain functionality level they are at, you will probably get a different answer from each person you ask. So why not get it from the source? Query the rootDSE and read the attributes that correspond to the forest and domain levels.

If you are using the Active Directory module for Windows PowerShell in Windows Server 2008 R2, you can also get this information with Get-ADDomain and Get-ADForest, which return the DomainMode and ForestMode.

Using this same Directory module for Windows PowerShell in Windows Server 2008 R2 you can also use Get-ADRootDSE and look at the forestFunctionality and domainFunctionality.
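The rootDSE query described above, as an added example that is not from the original post: it reads the raw functional-level integers from every domain controller in the current forest through ADSI, so it works without the Active Directory module. The function names and the level-name table (taken from the MS-ADTS functional-level values) are this example's own, and it assumes a domain-joined machine.

```powershell
# Added example (not from the original post). Requires connectivity to the forest.
# Level numbers follow the MS-ADTS functional-level values; anything else prints as unknown.
$LevelNames = @{
    0 = 'Windows 2000';        1 = 'Windows Server 2003 interim'
    2 = 'Windows Server 2003'; 3 = 'Windows Server 2008'
    4 = 'Windows Server 2008 R2'; 5 = 'Windows Server 2012'
    6 = 'Windows Server 2012 R2'; 7 = 'Windows Server 2016'
}

function Format-Level([int]$Raw) {
    if ($LevelNames.ContainsKey($Raw)) { "$Raw ($($LevelNames[$Raw]))" }
    else { "$Raw (unknown)" }
}

function Get-RootDseLevels([string]$Server) {
    # Bind to the rootDSE of one specific domain controller.
    $root = [ADSI]"LDAP://$Server/RootDSE"
    New-Object PSObject -Property @{
        DomainController = $Server
        Forest = Format-Level ($root.Properties['forestFunctionality'].Value)
        Domain = Format-Level ($root.Properties['domainFunctionality'].Value)
        DC     = Format-Level ($root.Properties['domainControllerFunctionality'].Value)
    } | Select-Object DomainController, Forest, Domain, DC
}

# Walk every domain and every DC so that each server reports its own view.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$report = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        Get-RootDseLevels $dc.Name
    }
}
$report | Format-Table -AutoSize
```

The DC column is each controller's own domainControllerFunctionality value, so a single row with a lower number than the rest identifies the server that limits how far the domain and forest levels can be raised.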

Here is the blog article that got me looking: Active Directory – Domain and Forest Functional Levels

Here are the links to MSDN’s reference on these values

http://msdn.microsoft.com/en-us/library/cc223273(PROT.10).aspx

http://msdn.microsoft.com/en-us/library/cc223274(PROT.10).aspx

http://technet.microsoft.com/en-us/library/dd378809(WS.10).aspx


When to use OUs in Active Directory

This has bugged me for quite a while: when I see environments where Active Directory OUs have been created to reflect the organization structure, whether by department or physical location, I always wonder why someone would choose this model and whether they really understand the features and functions in Active Directory.

When you create an Active Directory OU structure that reflects physical location or departments you have doomed yourself to a life of constant object moves for little or no value.  If you want to see which users are in a particular location or department use the attributes in Active Directory that correspond to those things!  Use a product like PeopleUpdate to allow delegated updates to Active Directory and then when you want to see all users in a particular location or department just perform a quick search of Active Directory.

When someone asks me when they should use or create another OU, my answer is for Active Directory security delegation.  In limited cases I can buy in to creating OUs to support Group Policies, or at a very high level to separate normal user and computer accounts from IT/service accounts and computers.  One commonly overlooked feature of Group Policy is the ability to use WMI filtering, Active Directory security groups, and Active Directory Sites to filter when or to whom Group Policy is applied.

I’d like to hear from you what you think about this topic too, so post a comment or two.  We would love to hear from you.


PowerShell script to view and set the Default Domain Password Policy

I think it’s important that everything you can do in a GUI can be done in PowerShell, and this is quickly becoming a reality for all Microsoft products.  This PowerShell script allows you to quickly report on an Active Directory Default Domain Password Policy and change it…all with PowerShell.  Use this in your Active Directory Health Check to report on the directory.

http://www.energizedtech.com/2010/02/powershell-viewing-and-setting.html


Active Directory Health Check part 2

In the last post, Active Directory Health Check part 1, I wrote about the reasons companies commonly want to perform an Active Directory Health Check. If I’ve overlooked any common reason you think should be included, please shoot me an email: dan.brinkmann@webactivedirectory.com

To review, the major components we’ll be covering in our Active Directory Health Check:

  • Replication
  • Domain controller health
  • Directory objects
  • Network services health

So, let’s start with part 2 of the Active Directory Health Check series and the first bullet item on the list… Replication.

When I refer to replication I am referring to these items:

  • File Replication Service
  • Active Directory Replication
  • Group Policy Object Replication

I think Group Policy Object replication could probably be included as part of File Replication but I’ve broken it out separately as I think it’s a very important portion of this Active Directory Health Check.

So what are we looking for?  Well, with the File Replication Service we’re checking the consistency of the objects being replicated across domain controllers using tools like FRSDiag, Sonar, and Ultrasound.  What do we need FRS to do in an Active Directory environment, you ask?  FRS is the mechanism Active Directory uses to replicate directory information, Group Policy objects, and SYSVOL.

In diagnosing Active Directory replication issues repadmin is your friend, albeit one you only seem to call when things are bad.  Repadmin will give you a look into the replication status and queues between domain controllers.
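One way to turn repadmin's replication status into a health-check finding, as an added example that is not from the original post: it parses the CSV form of `repadmin /showrepl` and reports replication links that have failures or a stale last success. The sample rows, server names and the 24-hour threshold are constructed for illustration.

```powershell
# Added example (not from the original post). $sample is constructed data;
# on a real system replace it with the output of:  repadmin /showrepl * /csv
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=example,DC=com",HQ,DC02,RPC,0,0,2010-03-08 21:14:05,0
showrepl_INFO,HQ,DC01,"DC=example,DC=com",Branch,DC03,RPC,14,2010-03-08 21:02:41,2010-03-07 03:17:12,1722
showrepl_INFO,Branch,DC03,"CN=Configuration,DC=example,DC=com",HQ,DC01,RPC,0,0,2010-03-05 09:00:00,0
'@ -split "`r?`n"

function Get-ReplicationProblem {
    param(
        [string[]]$CsvLines,
        [datetime]$Now = (Get-Date),
        [int]$MaxAgeHours = 24          # assumed threshold; tune to your replication schedule
    )
    $CsvLines | ConvertFrom-Csv |
        Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_INFO' } |
        ForEach-Object {
            $failures = [int]$_.'Number of Failures'
            # A link that never succeeded has no parsable timestamp: treat it as stale.
            $lastOk = [datetime]::MinValue
            [void][datetime]::TryParse($_.'Last Success Time', [ref]$lastOk)
            $ageHours = [math]::Round(($Now - $lastOk).TotalHours, 1)
            if ($failures -gt 0 -or $ageHours -gt $MaxAgeHours) {
                New-Object PSObject -Property @{
                    Destination   = $_.'Destination DSA'
                    Source        = $_.'Source DSA'
                    NamingContext = $_.'Naming Context'
                    Failures      = $failures
                    LastStatus    = $_.'Last Failure Status'
                    HoursSinceOk  = $ageHours
                } | Select-Object Destination, Source, NamingContext, Failures, LastStatus, HoursSinceOk
            }
        }
}

# Evaluate the constructed sample as of a fixed point in time.
Get-ReplicationProblem -CsvLines $sample -Now ([datetime]'2010-03-08 22:00:00') |
    Format-Table -AutoSize
```

With the sample data the DC03 to DC01 link is reported for its 14 failures, and the DC01 to DC03 configuration link is reported because its last success is more than 24 hours old even though its failure count is zero.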

Group Policy Object Replication is something I have had trouble placing into a particular category, and maybe after typing this Active Directory Health Check Series I’ll change my mind again and move it.  Either way, the goal here is to use GPOTool and ensure that the information in SYSVOL is consistent with the GPO information in the directory.  It also validates that GPOs are consistent between domain controllers. I can personally tell you I have MANY TIMES seen information between Active Directory and SYSVOL that was not consistent.

That’s all for tonight, enjoy…give me feedback, suggestions, etc., I’m looking forward to it.  Email me at dan.brinkmann@webactivedirectory.com

Want to learn more about tools to help manage Active Directory, visit us at http://www.webactivedirectory.com

Active Directory Health Check part 1

Microsoft Active Directory seems to be one of those products that everyone has and is using, but never quite fully understands.  I used to know someone who explained oddities in Active Directory as “ripples”; in reality it wasn’t ripples, it was replication latency and urgent change notification.  Microsoft Active Directory is definitely a complex product, and its reliance on DNS only further complicates it for most users I have talked with.

I’ve personally been working with Microsoft Active Directory since pretty much the betas of Windows 2000, and we rolled it out in a large enterprise environment almost immediately after the release of Windows 2000.  Since then I don’t know if a day has gone by without me thinking about, working with, or reading something about Active Directory.

All that said, this series will be about the components of Active Directory and the basis of an Active Directory Health Check.  If you are interested in having an Active Directory Health Check performed in your environment hit me up at dan.brinkmann@webactivedirectory.com

Why would one want to complete an Active Directory Health Check?  Common reasons I see are:

  • Schema update
  • Exchange upgrade
  • Mergers & Acquisitions
  • New employee in a neglected environment
  • Ongoing issues with Active Directory that can’t be pinpointed
  • IT has never looked to see if their Active Directory is healthy
  • Audits
  • Reduce support costs of maintaining the symptoms of Active Directory problems

So let’s start with the major components that need to be analyzed in an AD Health Check; then in later posts I’ll dig in to each of these separately.

  • Replication
  • Domain controller health
  • Directory objects
  • Network services health

In the next post I’ll dig into the components that make up the replication portion of the Active Directory Health Check.


Active Directory Health Check Series

Just curious how people feel about Active Directory Health Checks?  At Web Active Directory we have a significant amount of experience performing a multitude of Active Directory troubleshooting, and I know that Microsoft and Microsoft partners offer Active Directory Health Checks…so how many of you are interested in a tool to perform your own Active Directory Health Checks?  Would you prefer that a partner provide the review of your Active Directory?  Would you prefer that a partner provide the remediation of the findings of the Active Directory Health Checks?

Just wanted to get some feedback on this topic.  In the next few days I’m going to post a few items that people should think about when doing a health check.
