Troubleshooting Active Directory Replication

In Windows 2003 there was a useful gui tool replmon but they didn’t continue developing and shipping it.

But you can also do it comfortable with the command repadmin. Here the most important commands:
repadmin /showrepl
repadmin /showrepl * /errorsonly
repadmin /showrepl * /csv
repadmin /queue
repadmin /queue DCServerName
repadmin /replsummary

repadmin /syncall DCServerName /APed
* All Partitions Push enterprise distinguished Name
** Pushes all DCs to start the replication

No Comments »

admin on March 3rd 2015 in IT, Windows Server

How to create a Managed Service Account

New since Win2k8 R2

Instead of using User Accounts for services you can create Managed Service Accounts now. The advantage is that it also changes the password every 30 days automatically like in the computer accounts. You can find the managed user accounts here:
Active Directory User and Computers\Managed Service Accounts

1. Run Active Directory Module for PowerShell
2. Add-KDSRootKey
     For LAB Environment to not wait the 10 hours to repliacte type instead:
     Add-KDSRootKey –EffectiveTime ((Get-Date).AddHours(-10))
2. New-ADServiceAccount –Name WebTest –DNSHostname servername –Passthru

    Without –Passtrhu you don’t have any feedback

3. Add-ComputerServiceAccount –identity web01 –ServiceAccount WebTest –Passthru

You can check the settings in more details if you run adsiedit.msc.

Now you can use this service for example for services.

1. Run services.msc

2. Right Click on a Service\Properties\Log On\
    This Account:


3. You don’t need to put a password

No Comments »

admin on July 15th 2013 in Windows Server

Find old Computers/users in Active Directory

Easiest way is to use following query on your Domain Controller to find all computers which were inactive for 4 weeks:
dsquery computer –inactive 4

The same you could for users:
dsquery users – inactive 4

No Comments »

admin on March 22nd 2012 in Windows, Windows Server

Prevent that authenticated users can add computers to the domain/network

I didn’t know before that actually every authenticated user can add up to 10 computers to the domain  by default. This is a security issue and should be prevented.

Follow the steps to do so:
1. Open ADSI Editor
2. Click with the right mouse button on ADSI Editor and make a default connection
3. Click with the right mouse button on the domain / properties
4. Change the value for ms-DS-MachineAccountQuota to 0

No Comments »

admin on July 15th 2009 in Windows Server

AD – bypass the default computers containers to own ou

When somebody adds a computer to the domain it usually goes into the CN=Computers,DC=Domain. If you want to choose another OU as the default container, you can do this with the redircmp “DN of the OU”.
By the way you can do the same for the users with the command redirusr “DN of the OU”.

No Comments »

admin on July 15th 2009 in Windows Server

Active Directory Commands

dsadd Creates and object in the directory
dsget Gets the attributes of an object
dsmod Changes the attributes of an object
dsmove Moves and object
dsrm Removes and object or container with all objects
dsquery Runs a query
csvde Import/Export Objects from/into a csv file
ldifde Import/Export (Lightweight Directory Access Data Interchange Format)
dsa.msc Active Directory Console

dsadd user “cn=Todd Test,ou=Users,dc=mist,dc=com” –samid ttest –upn
dsadd group “CN=Marketing,OU-Groups,DC=mist,DC=com” –samid Marketing –secgrp yes –scope g
dsget group “CN=Marketing,OU-Groups,DC=mist,DC=com” –members -expand
dsget user “cn=Todd Test,ou=Users,dc=mist,dc=com”
dsrm “cn=Todd Test,ou=Users,dc=mist,dc=com”
csvde –i –f NewUsers.txt
ldifde -i -f NewUsers.ldf

No Comments »

admin on June 4th 2009 in Windows Server

Check out new movies online website. Download and buy movies now.