The wierd lowercase NETBIOS name

I got a call from an associate on how to change a domains NetBIOS name from lower to upper case. At first I was stumped, Was I the one that was out of date. In my head an NetBIOS name is always in uppercase, the same as a FQDN is always in lowercase. Don’t get me started on the special case with Single Label Domains (SLD). First I turned to my colleague Jimmy Andersson to ask if I had missed that day in AD training on why one would do that, he could not really give me any good reason or how. So I turned back to associate that reported it from the beginning. It was a regular Windows 2012R2 installation that had done this. So I tried with a Windows 2012R2 Update installation. And low and behold.. I managed to get the NetBIOS name in lowercase.

A small powershell script to verify NetBIOS name:

Windows 2012R2 lowercase NetBIOS proof

How to do it: [Read more…]

Get the SID of all domains in a forest

I got a request from a system owner what was the SID of the domain since their license was bound to the domain SID. The Domain SID is not really that is going to change and its really unlikely that anyone will collide with yours, so not really a bad choice.

Anyways if you have the Active Directory Powershell module its really easy to do this. Without the AD Powershell module its not really that hard either, but Im lazy when the three latest published versions of Windows has the modules available I feel that I can skip doing it the long way.

Lets continue with the show:

And there we go, easy as 1-2-3

Managing tombstone lifetime with AD cmdlets

So the first question might be why should I even care about this. I have heard things like “I am running Windows version xxx, so I have a tombstone life of 180 days.”. This might not be the case, the tombstone lifetime is set at the time of the promotion of the first domain controller in the forest. So okey if you have have an old forest running on a new Windows version you cant be sure that the tombstone life what you want. To make things a bit more silly, Microsoft decided during Windows 2003 to increase the value from the default of 60 days to 180 days. Jane Lewis wrote a Technet blog about this in 2006, but this is still an area where you can find forests which still run with a 60 day tombstone lifetime. Microsoft has a nice article about this, but I like powershell instead of dsquery.

How to read the current Tombstone lifetime

If no value..Note the value in the Value column. If the value is <not set>, the value is 60 days. [Read more…]

Getting all possible classes / attributes for a AD Object

So in the World of the AD everything is build by classes. Classes are stored in the Schema part of the AD.

So what does this mean?

The fast basics

  • Each AD object has a objectClass which matches to a class in the schema.
  • Each class has a parent (subClassof)
  • One class has itself as its parent (top)
  • Each class has available attributes which might or must be set on an AD object.
  • An AD object can use all attributes of its class and all above it.

There are 4 attributes defined for each class which says which attributes it carries:

  • MayContain
  • MustContain
  • systemMayContain
  • systemMustContain

Lets get all classes that is assigned to a AD Object

[Read more…]

Possible source fields for Azure Active Directory Sync Services transformations

So Microsoft has released the latest version of the directory sync tools between your on-premise directory and the Microsoft Azure AD. So there is a load of information about it written on MSDN, but the information I was looking for I couldn’t find. With the new AAD Sync you can apply transformations, if a field is in the wrong place in your Active Directory you can let the sync tool take the data from another attribute in the AD. This is done by storing the data in the AAD Sync meteverse. The In rules populate the metaverse and the out rules polulate services. Edit Outbould syncronization rule And there is a big list of attributes to select from. Give the illusion that you can select just about any attribute. But no. There are some attributes missing. So I have completed a list of all attributes that are available under the source selection box. Source Attributes Default attributes in the DirSync Metaverse. [Read more…]

Move all FSMO roles to the local domain controller using Powershell

I upgraded one domain controller in my home active directory and needed to move all the FSMO the new domain controller. So since I’m really lazy and like quick solutions I check what powershell could help me with. And since I know it should live in the ActiveDirectory module I decided to list all move commands in that module.

[Read more…]

Getting a FSMO DC to start without replication

So you have just restored your domain controller so that you can do a recovery test or a real recovery. And you notice that the domain controller isn’t working. First you off you might even need to logon using the Directory Restore mode because well you just don’t get in. Then you notice all of those Event id 2092 in the Active Directory log.

Windows_2012R2_AD_Event_2092

Windows_2008R2_AD_Event_2092

This is a security measure implemented by Microsoft. To make sure that a domain controller that hosts a FSMO wont start the FSMO role, without checking if another domain controller has seized the role while the server was down. Consider the following:

  • We loose the current RID master (dc01)
  • We promote (seize) the dc02 to RID master
  • We fix the server dc01

If the check wasn’t done we could have two RID masters until the first replication was completed with dc01. Since having more than one of a FSMO role online at the same time is BAD. This check is good and works most of the time.

So now you are thinking, well my domain only has one domain controller. And it starts just fine, so?? Well Microsoft checks if there are any replication partners, if there aren’t well no need to check for replication.

[Read more…]

How can I link a GPO to the Computers Container

Well. The easy and correct answer is you cant. The computer container is a container and not an organizational unit. Why not you may wonder. [Read more…]

RID pool depleted?

Whoh.. What happened.. I was about to install a new software in my home domain that required a service account so I tried to run New-ADServiceAccount.. But I got:

So why does my domain leak like a sieve?

Lets run dcdiag on it

[Read more…]

Enable scavenging on all dns zones using Powershell

So I needed to enable scavenging on all reverse zones for a customer. All forward and most reverse zones were done but not all. Since this was a Windows Server 2012R2 server I knew, that every cmdlet I might need was available.

But what if I have enabled scavaging but want to update which servers will scavenge?

And now all my zones have scavenge enabled and the correct DNS server specified.