michaelcolson.com » active directory

NetWrix Free System Administration Tools

michael — Sat, 06 Mar 2010 14:54:29 +0000

I recently came across NetWrix, a software company that specializes in system administration tools and utilities. They seem to really have hit a niche that has been a pain point for many administrators over the years. Whats even better is that NetWrix offers free versions of several of their products and not just limited evaluations either.

The tools that really caught my eye were their:

Active Directory Change Reporter – this tool is great for environments with multiple administrators or environments that have delegated administration. You get to see the before/after value of exactly what was changed and exactly who changed it.
Inactive User Tracker – I would bet that nearly every Active Directory environment must have dozens, if not hundreds or thousands of accounts that haven’t been used for long periods of time. This tool can help to identify these accounts and can even take action to eliminate those open risks.
Password Expiration Notifer – I actually wrote an application one time that would pull the last change time stamp from Active Directory and send out an email notification to a user. This solution does exactly the same thing only without code! Very handy for users that may never get to a Windows based system where a password reminder is available (VPN, custom LDAP, portal, etc.).

Transfer FSMO Roles

michael — Sun, 20 Jul 2008 02:00:42 +0000

I can never seem to remember the exact syntax on how to transfer the Active Directory FSMO roles and I seem to spend quite a bit of time looking up the commands. So I thought I would write up a quick article on how to transfer those ‘pesky’ FSMO roles.

It is worth noting that you *can* transfer all the FSMO roles using MMC snap-ins. Yes that’s plural snap-ins. You will use a total of no less than three snap-ins to transfer the five roles. I however prefer the use of the command line utility ntdsutil.

Open a command prompt and start ntdsutil
Type roles, then press ENTER
Type connections, then press ENTER
Type connect to server CORPDC01, press ENTER (where CORPDC01 is the target domain controller)
Type q, then press ENTER
Finally you can transfer the roles individually by entering the following commands:
- transfer domain naming master
- transfer infrastructure master
- transfer pdc
- transfer rid master
- transfer schema master
When you have finished transferring the roles, type q, then press ENTER until you have exited ntdsutil

NETLOGON Share Missing During DC Replacement

michael — Tue, 20 Feb 2007 19:15:57 +0000

I encountered a missing NETLOGON folder during a domain controller replacement. I was able to rebuild the NETLOGON folder by setting a single registry value. The full scenario is as follows:

Remote Office
DC05 = Old Domain Controller
DC232 = New Replacement Domain Controller

Headquarters
DC01 = Domain Controller

DC232 was promoted to a DC, before it completely finished replication DC05 was demoted and turned off. DC232 was then missing its NETLOGON folder. Event 13565 appeared in the File Replication Service log in Event Viewer. To correct this problem the following registry key needed to be changed:
HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\SysVol Seeding\Domain System Volume (SYSVOL share)\Replica Set Parent

In this case it was set to the recently demoted and now unavailable \\dc05.contoso.com Changed the value to \\dc01.contoso.com and restarted the NETLOGON and File Replication Services. Once replication was complete event 13516 appeared and the NETLOGON share was created.