
How to (un)destroy your Active Directory - PowerPoint PPT Presentation

SIA402. How to (un)destroy your Active Directory. Ralf Wigand, [email protected], c/o TechniData IT-Service, Karlsruhe, Germany. About me: Microsoft PreSales Consultant (since 2000), Microsoft Most Valuable Professional (MVP) Directory Services (since 2007).

Presentation Transcript

How to (un)destroy your Active Directory

Ralf Wigand
[email protected]
c/o TechniData IT-Service
Karlsruhe, Germany

About me

  • Microsoft PreSales Consultant (since 2000)

  • Microsoft Most Valuable Professional (MVP), Directory Services (since 2007)

  • System Engineer

Before we begin… a word of warning!

  • When you try to fix a problem (not only) in your Active Directory…

  • Take your time!

  • Be prepared for the unexpected!

  • Think before you change something!

  • Understand what you are doing!

  • Check your results!

  • Re-check your results!

  • Consider using a Change/Release Management process

Your (complete?) documentation

First contact…

demo 1

Errors found in demo 1

  • no dynamic DNS registration on subdc3

    • subdc3 can replicate from other DCs

      • no errors found in replication status of subdc3

    • other DCs can NOT replicate from subdc3

    • Always double-check replication in both directions

  • Service "DHCP Client" was disabled

    • responsible for dynamic DNS updates

    • required even with static IP addresses

    • You might disable the "DHCP Server" service…
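The two findings above can be verified on any DC with the following script. It is an added example, not part of the session; it assumes the RSAT ActiveDirectory module is installed and that the DC name is passed as a parameter.

```powershell
# Added example (not from the session): verify the demo 1 findings on one DC.
# Assumes RSAT (ActiveDirectory module) and WinRM/WMI access to the DCs.
param([string]$DC = $env:COMPUTERNAME)

# 1. The "DHCP Client" service (short name Dhcp) performs dynamic DNS registration,
#    even when the DC has a static IP address. It must be running and set to Automatic.
$svc       = Get-Service -ComputerName $DC -Name Dhcp
$startMode = (Get-CimInstance -ComputerName $DC -ClassName Win32_Service -Filter "Name='Dhcp'").StartMode
if ($svc.Status -ne 'Running' -or $startMode -ne 'Auto') {
    Write-Warning "$DC : DHCP Client is $($svc.Status), start mode $startMode - dynamic DNS registration will not happen"
}

# 2. Replication must be checked in BOTH directions.
#    Inbound: what $DC itself reports (this looked clean for subdc3 in the demo) ...
Write-Host "Inbound replication failures reported by $DC :"
Get-ADReplicationFailure -Target $DC |
    Format-Table Partner, FailureCount, FirstFailureTime, LastError -AutoSize

#    ... and outbound: ask every OTHER DC whether it can still pull from $DC.
$others = Get-ADDomainController -Filter * | Where-Object Name -ne $DC
foreach ($other in $others) {
    Get-ADReplicationPartnerMetadata -Target $other.HostName -PartnerType Inbound |
        Where-Object { $_.Partner -like "*CN=$DC,*" -and $_.LastReplicationResult -ne 0 } |
        ForEach-Object {
            Write-Warning ("{0} cannot replicate from {1}: result {2}, last success {3}" -f
                $other.HostName, $DC, $_.LastReplicationResult, $_.LastReplicationSuccess)
        }
}
```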

Even more errors found in demo 1

  • "subdc3" is not the real name of the server

    • subdc3 is only registered as a CNAME

    • SPNs are registered for the real name, not for the CNAME

    • Kerberos does not work as expected

  • multihomed subdc2

    • eventually wrong DNS registration:

      • registers with the external IP address, which is not available for internal hosts

    • choose which NIC to register

    • Better: do not use multihomed DCs; use an LDAP proxy (AD LDS) instead
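The CNAME-versus-SPN mismatch can be detected before Kerberos clients start failing. This is an added example and not code from the session; the alias name is a hypothetical input and RSAT (ActiveDirectory and DnsClient modules) is assumed.

```powershell
# Added example (not from the session): is a DC being addressed through a CNAME that has no SPN?
# Assumes RSAT; $Alias is a hypothetical name used only to illustrate the check.
param([string]$Alias = 'subdc3.corp.example')

$rec = Resolve-DnsName -Name $Alias -Type CNAME -ErrorAction SilentlyContinue |
       Where-Object Type -eq 'CNAME'
if (-not $rec) { "$Alias is not a CNAME, nothing to check"; return }

$real = $rec.NameHost                       # the host the alias points to
"$Alias is an alias for $real"

# SPNs live on the computer object of the REAL host, but a Kerberos client builds the
# SPN from the name it used (the alias), e.g. HOST/subdc3.corp.example.
$shortReal  = $real.Split('.')[0]
$spns       = (Get-ADComputer -Identity $shortReal -Properties servicePrincipalName).servicePrincipalName
$shortAlias = $Alias.Split('.')[0]
$aliasSpns  = $spns | Where-Object { $_ -like "*/$Alias" -or $_ -like "*/$shortAlias" }

if ($aliasSpns) {
    "SPNs covering the alias exist:"; $aliasSpns
} else {
    Write-Warning "No SPN is registered for $Alias on $real. Kerberos authentication against this name fails; use the real server name."
    "SPNs actually registered on $real :"; $spns
}
```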

Dive deeper…

demo 2

Errors found in demo 2

  • Global Catalog not available

    • You need a GC for universal group membership

    • No GC? No universal group membership!

  • Global Catalog on the Infrastructure Master FSMO

    • ok when all DCs are GCs

    • if not, then the Infrastructure Master must not be a GC
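Both Global Catalog rules from demo 2 can be checked for a domain with the following function. It is an added example, not from the session, and assumes the RSAT ActiveDirectory module.

```powershell
# Added example (not from the session): check the two GC rules from demo 2 for the current domain.
# Assumes RSAT (ActiveDirectory module).
function Test-GcPlacement {
    $domain = Get-ADDomain
    $dcs    = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)
    $gcs    = @($dcs | Where-Object IsGlobalCatalog)
    $problems = @()

    # Rule 1: without a GC, universal group membership cannot be evaluated at logon.
    if ($gcs.Count -eq 0) {
        $problems += 'No Global Catalog in the domain: universal group membership is unavailable'
    }

    # Rule 2: the Infrastructure Master must NOT be a GC unless every DC is a GC.
    # (A GC holds all objects, so the IM could never notice stale cross-domain references.)
    $im = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    if ($im.IsGlobalCatalog -and $gcs.Count -lt $dcs.Count) {
        $problems += ("Infrastructure Master {0} is a GC, but {1} DC(s) are not" -f
                      $im.HostName, ($dcs.Count - $gcs.Count))
    }

    [pscustomobject]@{
        Domain               = $domain.DNSRoot
        DomainControllers    = $dcs.Count
        GlobalCatalogs       = $gcs.Count
        InfrastructureMaster = $domain.InfrastructureMaster
        Problems             = $problems
    }
}

Test-GcPlacement
```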

Even deeper…

demo 3

Errors found in demo 3

  • Time difference

    • max. tolerance is 5 min (default, see GPO)

    • Kerberos will not work if time is not in sync

  • Restore Default Policies

    • Default Domain Policy and Default Domain Controllers Policy

    • use dcgpofix (check other server applications for changes in the default GPOs)

    • Rule: never modify the DDP and DDCP (except Password Policy)
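The clock skew of every DC against the machine running the script can be measured with w32tm and compared with the 5-minute Kerberos default. This is an added example, not from the session; it assumes RSAT and the built-in w32tm.exe.

```powershell
# Added example (not from the session): measure each DC's clock offset and flag skew above
# the Kerberos default of 5 minutes. Assumes RSAT (ActiveDirectory module) and w32tm.exe.
function Test-DcClockSkew {
    param([int]$MaxSkewMinutes = 5)   # matches the default "Maximum tolerance for computer clock synchronization"

    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        # /stripchart /dataonly prints one line per sample, e.g. "10:15:02, +00.0012345s"
        $out  = w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>&1
        $line = $out | Select-String -Pattern ',\s*([+-]\d+\.\d+)s' | Select-Object -Last 1
        if (-not $line) {
            Write-Warning "$dc : no time sample received ($($out -join ' '))"
            continue
        }
        $offset = [double]$line.Matches[0].Groups[1].Value
        [pscustomobject]@{
            DC            = $dc
            OffsetSeconds = $offset
            KerberosOk    = ([math]::Abs($offset) -le ($MaxSkewMinutes * 60))
        }
    }
}

Test-DcClockSkew | Format-Table -AutoSize
```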

…and deeper…

demo 4

Lingering Objects

  • When you delete an object, it is not really removed

    • it is flagged (tombstoned) and has a timestamp when to delete

    • it is replicated as usual

    • and deleted when it is time… without further notice

  • So if it is not replicated while tombstoned

    • or a backup is restored from before it was tombstoned…

    • the object will exist forever

  • remove it with reference to a "clean" DC!

  • repadmin /removelingeringobjects …
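The repadmin call above needs the DSA object GUID of the clean reference DC rather than its name. The following added example (not from the session) looks that GUID up and runs the check in advisory mode only, so nothing is deleted and the findings go to the Directory Service event log; the DC names are hypothetical and RSAT plus repadmin.exe are assumed.

```powershell
# Added example (not from the session): look for lingering objects on a suspect DC by comparing it
# with a known-clean DC. Advisory mode logs what WOULD be removed (events 1942/1946) and deletes nothing.
# Assumes RSAT and repadmin.exe; the two DC names are hypothetical.
param(
    [string]$SuspectDC = 'subdc3.corp.example',
    [string]$CleanDC   = 'dc1.corp.example'
)

# repadmin identifies the reference (clean) DC by the objectGUID of its NTDS Settings object
$ntdsDn     = (Get-ADDomainController -Identity $CleanDC).NTDSSettingsObjectDN
$sourceGuid = (Get-ADObject -Identity $ntdsDn).ObjectGUID

# check every naming context the suspect DC reports (domain, configuration, schema, application NCs)
foreach ($nc in (Get-ADRootDSE -Server $SuspectDC).namingContexts) {
    "Checking $nc on $SuspectDC against $CleanDC ($sourceGuid) in advisory mode ..."
    repadmin /removelingeringobjects $SuspectDC $sourceGuid $nc /ADVISORY_MODE
}

# read the result before deciding on a real removal run
Get-WinEvent -ComputerName $SuspectDC -FilterHashtable @{ LogName = 'Directory Service'; Id = 1942, 1946 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message
```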

Too deep?

demo 5

USN rollback

  • Restore a DC from a "snapshot"

    • the Update Sequence Number (USN) is set back, too

    • other DCs already saw those USNs and will not accept them again

    • the DC stops serving after some time

  • How to solve…

    • It depends

    • Best way:

      • remove the DC

      • Never use "snapshots" for DCs (or wait for Server 2012)
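A DC that has detected its own USN rollback records that state in the registry and in the Directory Service log, which is how the "stops serving" symptom above can be confirmed. This is an added example, not from the session; it assumes RSAT-style remote access (WinRM) to the DC.

```powershell
# Added example (not from the session): detect the USN rollback state on a DC.
# After a rollback is detected the DC sets NTDS\Parameters "DSA Not Writable" = 4, logs event 2095
# in the Directory Service log, and stops inbound/outbound replication. Assumes WinRM access to $DC.
function Test-UsnRollback {
    param([string]$DC = $env:COMPUTERNAME)

    $reg = Invoke-Command -ComputerName $DC -ScriptBlock {
        Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                         -Name 'DSA Not Writable' -ErrorAction SilentlyContinue
    }
    $flag = $reg.'DSA Not Writable'

    $events = @(Get-WinEvent -ComputerName $DC -MaxEvents 5 -ErrorAction SilentlyContinue `
                 -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 })

    # Netlogon is paused by the DC as part of the same protection, so include it in the picture
    $netlogon = (Get-Service -ComputerName $DC -Name Netlogon).Status

    [pscustomobject]@{
        DC             = $DC
        DsaNotWritable = $flag
        NetlogonStatus = $netlogon
        LastEvent2095  = if ($events.Count) { $events[0].TimeCreated } else { $null }
        UsnRollback    = ($flag -eq 4) -or ($events.Count -gt 0)
    }
}

Test-UsnRollback
```

If UsnRollback is true the slide's advice applies: the affected DC is demoted and removed rather than "repaired" in place.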

List of Errors found

  • no dynamic DNS registration

  • DHCP Client service disabled

  • computer name as CNAME

  • multihomed DC

  • no GC available

  • GC on Infrastructure Master

  • time difference

  • removed Default Policies

  • lingering objects

  • USN rollback


  • Check your systems using the right tools

    • System Center Operations Manager

    • Event Viewer

    • Repadmin

    • Dcdiag

    • Setspn

  • Understand LDAP / Kerberos / DNS


  • Get used to your tools

    • while your system is ok

  • Know your systems well

    • which server has which role…

  • Train yourself for failures

    • in test (!) environments (Hyper-V helps…)


There is a reason why it is called



Related Content

  • Breakout Sessions SIA403, SIA207, SIA341, SIA312, WSV326

Hands-on Labs SIA11-HOL, WSV25-HOL

Product Demo Stations: Windows Server 2012 Active Directory

Related Certification Exam: Practise, Practise, Practise

TLC: Find Me There Wed & Thu Afternoon, or most of the time…

SIA, WSV, and VIR Track Resources

Talk to our Experts at the TLC


Hands-On Labs

DOWNLOAD Windows Server 2012 Release Candidate

DOWNLOAD Microsoft System Center 2012 Evaluation




  • Connect. Share. Discuss.

  • Microsoft Certification & Training Resources

  • Resources for IT Professionals

  • Resources for Developers


Submit your evals online

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.