SlideShare a Scribd company logo

Ad disasters & how to prevent them

Download as PPT, PDF
C
Concentrated Technology

This document provides an overview of common Active Directory (AD) disasters, including hardware/software failures, human errors, and complete disasters. It discusses specific issues like morphed SYSVOL folders, broken GPT/GPC linkages, DNS aging/scavenging not being enabled, and improper time synchronization. Solutions provided include using tools like NTDSUTIL, GPOTOOL, and REPADMIN to fix issues and prevent disasters. The document emphasizes the importance of logging and monitoring to troubleshoot AD problems.

1 of 71
Downloaded 41 times
AD Disasters …and How to Prevent Them! Greg Shields, MVP, vExpert Head Geek, Concentrated Technology www.ConcentratedTech.com
This slide deck was used in one of our many conference presentations. We hope you enjoy it, and invite you to use it within your own organization however you like. For more information on our company, including information on private classes and upcoming conference appearances, please visit our Web site, www.ConcentratedTech.com . For links to newly-posted decks, follow us on Twitter: @concentrateddon or @concentratdgreg This work is copyright ©Concentrated Technology, LLC
Agenda Topics Part I: Hardware & Software Failures Part II: Human Errors Part III: Complete Disasters
Three Types of Disasters Hardware & Software Human Error Complete Disasters Microsoft Screwed Up You Screwed Up Somebody REALLY Screwed Up
Three Types of Disasters Hardware & Software Human Error Complete Disasters Increasing Problem Complexity Increasing Troubleshooting Complexity
Part I Hardware & Software Failures
Morphed SYSVOL Folders Problem: When SYSVOL replication finds a name conflict, one of the folders in conflict is renamed to foldername_ntfrs_???????? (hex) This can break the links to that folder. This can occur when users attempt to manually replicate folders, two users add folders of the same name at the same time, or during an improper restore of the SYSVOL.
Morphed SYSVOL Folders Solution: Three-steps: Rename all morphed folders to new names and allow replication of the new names to fully complete. This ensures a common name for the folder is available on all DC ’s and that the new names and GUID’s match. Once replication has completed, look in the folders and determine which is correct and which does not belong. Rename the correct folder back to its original name and again allow replication to complete. Delete the unnecessary folder. This is OK as FRS tracks files by their GUID.
Broken GPT/GPC Linkages Problem: Group Policy Objects are made up of two parts, the Group Policy Template and the Group Policy Container. GPC ’s are stored in Active Directory and replicate through AD replications. GPT ’s are stored in the SYSVOL and replicate through FRS. Broken GPT/GPC linkages can cause GPO ’s to malfunction and should be fixed. Same with mismatched version numbers.
Broken GPT/GPC Linkages Solution: Use GPOTOOL.EXE from the Resource Kit Tools to identify GPT ’s/GPC’s that are not synchronized. GPOTOOL.EXE with no switches validates and reports on the GPT/GPC linkage. If someone has accidentally changed permissions on the GPT, you can also use the /checkacl switch. GPMC will notify when permissions are not consistently set and request to reset those permission. GPMC will reset the permission on the GPT to match the permission on the GPC.
Broken GPT/GPC Linkages
DNS Aging & Scavenging Not Enabled Problem: If DNS Aging & Scavenging is not enabled on a domain, stale DNS records caused by DHCP lease changes can pile up. Group Policy application as well as correct name resolution requires a one-to-one mapping between FQDN and IP. Stale DNS records mean multiple IP ’s per host and/or multiple host records per IP. Systems management tools like SMS can fail.
Aging & Scavenging When DNS was static, keeping active and inactive records straight was a nightmare. Now that DNS is dynamic, inactive recordkeeping is improved, when configured correctly. Aging All dynamically updated resource records have a time stamp That time stamp is reset whenever a record is created, modified, or refreshed. Windows hosts refresh their record… At startup At DHCP lease renewal Every 24 hours
Aging & Scavenging Windows DNS servers that accept dynamic updates need to have Scavenging enabled or records will quickly grow stale. This is especially problematic if DHCP is active and has a short lease time. Be aware the DNS scavenging on AD-integrated zones can have an impact on AD replication. Refresh Interval If a client does not refresh its record by the end of this period, the scavenging process will remove the record. No-Refresh Interval A period of time before the refresh interval where client refreshes are ignored by the server. This is done to reduce DNS replication requirements. Scavenging increases AD replication
Aging & Scavenging 7 Days Record Created 7 Days 7 Days 7 Days 7 Days 7 Days 7 Days 7 Days No Refresh Interval Refresh Interval Refresh Accepted Refresh Accepted Record Deleted Time
Aging & Scavenging Global Setting Per-Zone Setting Let ’s discuss strategies for Aging & Scavenging in Small, Large, & Enterprise Networks…
DNS Aging & Scavenging Not Enabled Solution: Enable DNS Aging & Scavenging on all zones populated by DHCP. DNS Aging & Scavenging enabled in two locations. Global Setting Per-Zone Setting
DNS Aging & Scavenging Not Enabled Solution: Use DNSCMD.EXE command-line tool to automatically age and scavenge all records after enabling Aging & Scavenging DNSCMD.EXE ageallrecords DNSCMD.EXE startscavenging
Disable Unused Network Cards Problem: Unused network cards can auto-populate DNS with incorrect entries. With regular servers this doesn ’t often cause a big problem, but with DC’s, auto-registration populates SRV records as well. This can cause bad resolution to DC services. Solution: Disable any unused network cards. Disabling unused network cards prevents them from registering their incorrect values into DNS.
Tombstones & Zombies Problem: When an AD object is deleted, it goes into a special container called “Deleted Items”. It’s movement there is replicated. The object is not removed until the tombstone lifetime is exceeded. Windows 2000 tombstone lifetime is 60 days Windows 2003 tombstone lifetime is 180 days Upgraded Windows 2003 tombstone lifetime is still 60 days. When a DC comes back on-line after being down for longer than the tombstone lifetime or a restore from a tape older than the tombstone lifetime, zombies are created.
Tombstones & Zombies Solution: Never bring on-line a DC that ’s been down for greater than 60/180 days. Never use tapes to restore objects older than 60/180 days. If you do, you ’re in a world of hurt. … but what if you forget…?
Lingering Objects Problem: So, you ’ve gone ahead and accidentally reanimated a tombstoned object? What now? Reanimation of these lingering objects can break replication in some cases.
Lingering Objects Solution: Use REPADMIN.EXE /REPLSUM from the Support Tools to verify if lingering objects are resident in Active Directory. REPADMIN.EXE to remove them. These tools only work on W2003. Step 1: Find the GUID of a DC: repadmin.exe /showrepl Step 2: Check for lingering objects: repadmin.exe /removelingeringobjects * <DC GUID> dc={mydomain},dc={com} /advisory_mode Step 3: Remove any lingering objects found: Remove the /advisory_mode switch from Step 2.
Lingering Objects Solution: Use REPADMIN.EXE /REPLSUM from the Support Tools to verify if lingering objects are resident in Active Directory. REPADMIN.EXE to remove them. These tools only work on W2003. Step 4: Enable strict replication consistency. Strict replication consistency is only enabled by default on 2003 DCs (not upgraded) that were promoted into a Forest that was built as 2003 (not upgraded from 2000). All other DCs will only have this setting enabled manually. Enable strict replication consistency on all DC ’s by setting the DWORD value for Strict Replication Consistency to 1 at the key HKLM\System\CurrentControlSet\Services\NTDS\Parameters.
Improper Time Synchronization Problem: Time synchronization is critical for Kerberos authentication and many applications. Time skew greater than 5 minutes can prevent logins and cause log files to barf. Users with administrator rights can reconfigure time sync to another time server. Very slight differences in time between stratum 1, 2, and 3 servers, usually caused by Internet conditions. Using different time servers in a network can cause problems for time-sensitive network applications.
Improper Time Synchronization Solution: Configure all machines in the domain to synchronize against the same time server. Choose to use NT5DS or NTP mode, but choose one for all systems. NT5DS is accurate to ~20 seconds. NTP can be accurate to <1 second. Some applications require greater time resolution, so consider a 3 rd party time sync tool with an on-site stratum 3 time device. “ Domain Time” from Symmetriccom
Bad DNS SRV Records Problem: Improperly decommissioning DC ’s can lead to their SRV records not being expunged from the DNS database. Also, missing DNS SRV records can prevent AD from functioning properly. This can cause error messages in the Event Log, replication problems, etc. due to the missing server. This happens most often when AD DNS is not hosted on Windows and dynamic updates are not enabled.
Bad DNS SRV Records Solution: Ensure DNS SRV records are consistent. Use ipconfig /registerdns to force DC to re-register DNS SRV records along with it ’s A records. Be careful of multiple interfaces on DC ’s. Disable any unused interfaces. Unused interfaces can register themselves in DNS. Bridged interfaces can cause routing problems. Delete stale DNS SRV records from DNS database (you ’ll know which are stale).
Orphaned Domains & DC ’s Problem: Old domains and Domain Controllers are still resident in Active Directory. These extra domains are unnecessary, can cause Event Log errors and odd problems during contact attempts. Orphaned DC ’s can prevent a domain from being decommissioned. Orphaned DC ’s in child domains can prevent a parent domain from being decommissioned.
Orphaned Domains & DC ’s Solution: Remove the offending Domains and/or DC ’s from your infrastructure. This is a multi-step process. NTDSUTIL.EXE to remove from Active Directory ADSIEDIT.MSC to remove from LDAP DNSMGMT.MSC to remove from DNS
Orphaned Domains & DC ’s Solution: Remove the offending Domains and/or DC ’s from your infrastructure. This is a multi-step process. NTDSUTIL.EXE to remove from Active Directory NTDSUTIL METADATA CLEANUP CONNECTIONS CONNECT TO SERVER {SERVER NAME} QUIT SELECT OPERATION TARGET SELECT SERVER {SERVER NAME} REMOVE SELECTED SERVER | QUIT
Orphaned Domains & DC ’s Solution: Remove the offending Domains and/or DC ’s from your infrastructure. This is a multi-step process. ADSIEDIT.MSC to remove from LDAP. This step is required if the domain is not at W2003 SP1. Navigate to DC={MYDOMAIN},DC={COM},OU=DOMAIN CONTROLLERS Delete the offending Domain Controller. DNSMGMT.MSC to remove from DNS Delete any FQDN ’s and/or associated GUID’s related to that DC.
Stale AD Site Links Problem: AD Site Links are usually created and managed by the KCC. However, some administrators want to get their hands in on replication. Once Site Links are manually created, the KCC no longer manages them, which can cause them to grow stale as the network changes.
Stale AD Site Links Solution: (Except in the very largest of networks) Remove any manually created Links and allow the KCC to manage links. In Windows 2003 SP1, the link-managing capabilities of the KCC are improved by multiple orders of magnitude. Older versions in larger networks had timing problems with KCC optimization passes. Also, improperly decommissioned DC ’s may need to be removed from AD S&S.
No DNS Reverse Zones Problem: DNS reverse zones must be enabled for proper functionality of Active Directory. Needed so clients can identify the site they reside in. Needed so clients can find the closest DNS server. Needed for correct processing of some attributes of Group Policy.
No DNS Reverse Zones Solution: Enable DNS reverse zones for each zone active in your network infrastructure. Ensure that all zones have similar configuration and dynamic updates enabled. Don ’t forget Aging & Scavenging.
DSRM Passwords Unknown Problem: Directory Services Restore Mode passwords are set individually on each Domain Controller as that controller is DCPROMO ’ed. This is arguably the most forgotten password in a Windows network because it is only used again during a restore operation. Not having this in a crisis can inhibit restoration activities. Who here knows their DSRM password?
DSRM Passwords Unknown Solution: Run NTDSUTIL.EXE to reset DSRM passwords before a failure occurs. NTDSUTIL.EXE SET DSRM PASSWORD RESET PASSWORD ON SERVER {Server Name} {Enter New Password} {Re-Enter New Password} QUIT / QUIT (Consider “bagging” the password…)
DSRM Passwords Unknown Solution: Windows Server 2008 + KB961320 enables DSRM password synchronization to a domain account. Create a standard domain user. This user does not need to be a member of any special groups or the Domain Admins group. NTDSUTIL SET DSRM PASSWORD SYNC FROM DOMAIN ACCOUNT <userName> This process can also be scheduled via a GPP scheduled task “ SET DSRM PASSWORD” “SYNC FROM DOMAIN ACCOUNT <userName>” Q Q
Why 2008 R2 is a good idea for AD AD Module for PowerShell and PowerShell cmdlets Every AD task is now automate-able via PowerShell AD Administrative Center Improved, task-based GUI for ADUC AD Recycle Bin Tough to use, but better than Authoritative Restore AD Best Practices Analyzer Are you the weakest link in your AD infrastructure? Offline Domain Join Handy for W7 upgrades and VDI
Why 2008 R2 is a good idea for AD Managed Service Accounts Eliminate service account nightmares AD Web Services & AD Management Gateway Simplified PowerShell and 3 rd party management integration Authentication Mechanism Assurance Deliver a different set of resources when users login via smart cards. AD OpsMgr Management Pack If you haven ’t incorporated OpsMgr yet, see me after class…
A Review of Useful AD Logs NTDS Diagnostics Logging By default, AD only records critical and error events to the Directory Service log. OK during normal operations, but during problem troubleshooting additional logging is necessary. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\NTDS\Diagnostics Set any of the 24 subkey ’s DWORD value to a number between 0 and 5
A Review of Useful AD Logs
A Review of Useful AD Logs Extended DCPROMO Logging During a W2003 DCPROMO, two log files are created in %systemroot%\debug: dcpromo.log and dcpromoui.log. The log level on dcpromoui.log can be increased to help when troubleshooting promotions/demotions. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\AdminDebug\dcpromoui Set the DWORD value for LogFlags to FF0003 (hex).
A Review of Useful AD Logs NETLOGON Logging Hunt down problems with client log-ins, repeatedly locked-out accounts and log-in activity across forest trusts by increasing the log level on NETLOGON. HKEY_LOCAL_MACHINE\SYSTEM\Current ControlSet\Services\NetlogonParameters Set the DWORD value for DBFlag to 2080FFFF (hex), then restart the NETLOGON service. NETLOGON.log is found in %systemroot%\debug.
A Review of Useful AD Logs Kerberos Logging Increasing the Kerberos logging level can track down problems with disabled or expired accounts, missing usernames, and clock synchronization. HKEY_LOCAL_MACHINE\System\CurrentControlSet\ Control\Lsa\Kerberos\Parameters Set the DWORD value for LogLevel to 1 and look for events in the System Event Log.
A Review of Useful AD Logs USERENV Debug Logging This logging helps identify problems with loading/unloading of user profiles, login/logout delays, and Group Policy application. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Set the DWORD value for UserEnvDebugLevel to 0x00030002 and watch %systemroot%\debug\usermode\userenv.log Match wall clock time.
A Review of Useful AD Logs GPO Client Logging To troubleshoot the enumeration and application of GPO ’s, increase the log level for GPO application at the client. HKEY_LOCAL_MACHINESoftware\Microsoft\ Windows\CurrentVersion\Diagnostics Set the DWORD value for RunDiagnosticLoggingGroupPolicy to 1, reboot the system and watch the Application Event Log.
A Review of Useful AD Logs Group Policy Logging changes with Vista/08 With Vista/08, Group Policy elements are moved to their own process. Out of WinLogon Enabling Group Policy logging is now done by setting the DWORD value for GpSvcDebugLevel to 10002 for HKLM\Software\Microsoft\Windows NT\CurrentVersion\ Diagnostics The userenv debug log is now moved to %systemroot%\debug\usermode\gpsvclog.log The format of this log is easier to use, aligned with the movement of GP to a service.
Part II Human Errors
GPO ’s Not Easily Restorable Problem: Group Policy Objects can be restored if they ’re accidentally deleted, but this process involves a complicated authoritative restore, et cetra. This authoritative restore can be a source of downtime to complete the restore and takes a while to complete.
GPO ’s Not Easily Restorable Solution: Create a Scheduled Task that backs up all GPO ’s in the Domain to a text file using GPMC. This task will use both scripts to ensure that GPO settings and any logon/logoff/startup/shutdown scripts are also saved. Ensure that this text file is part of the nightly backup scheme. cscript.exe %PROGRAMFILES%\gpmc\scripts\ BackupAllGPOs.wsf %SYSTSEMDRIVE%\backup\ GPOData /domain:<DomainFQDN> cscript.exe %PROGRAMFILES%\gpmc\scripts\ GetReportsForAllGPOs.wsf %SYSTSEMDRIVE%\ backup\GPOReports (Can also backup and restore in R2 with PowerShell)
Incorrect FSMO Placement Problem: Incorrect FSMO role placement in domains where all DC ’s are not GC’s can cause a loss of data. The Infrastructure Master role cannot reside on a Domain Controller that also runs the Global Catalog role Except in the situation where the forest contains a single domain and all Domain Controllers are Global Catalogs. To check FSMO role placement, NETDOM QUERY FSMO
Incorrect FSMO Placement Solution: Either enable the Global Catalog role on all Domain Controllers or move the Infrastructure Master role to a DC that is not a GC. NTDSUTIL.EXE ROLES CONNECTIONS CONNECT TO SERVER {Server Name} QUIT TRANSFER {Role} QUIT | QUIT
Fat Finger (Not that I ’m calling your finger fat) Problem: You ’ve done it again and accidentally deleted a series of objects or an entire OU from AD. The default configuration of Active Directory allows everyone with administrative access to delete any object in AD. Though, we all make mistakes… In W2008, OU properties include a box box “Protect this Object/Container from Accidental Deletion”. But we ’re not at W2008 yet!
Fat Finger (Not that I ’m calling your finger fat) Solution: That checkbox, revealed in W2008 is actually just a skin for a supported feature of W2003. By checking this box: “ Deny Delete” and “Deny Delete Subtree” permissions for the Everyone group are set on the object. You can set these permissions manually for any AD object or container inside the ADUC: Enable ADUC Advanced Features Navigate to the Object, select Properties, and view the Security tab Apply the Advanced privileges “Deny Delete” and “Deny Delete Subtree” to the object
Unnecessary Apps Installed Problem: Every additional application installed to a server is an expansion of that server ’s attack surface. WinZip versions prior to v10. Java JRE prior to Version 5. Real Player Office Acrobat Solution: Never install applications to your Domain Controllers. Ensure that any apps installed are always patched. There ’s more to patching than just Microsoft patching.
Letting DCPROMO Do DNS Problem: Generally a bad idea to let DCPROMO handle configuring DNS for Active Directory. Tends to do a poor job of it, if at all. Better in W2008. Solution: Ensure DNS properly configured before starting a DCPROMO process. Three tests: nslookup dchostname nslookup dchostname.dcdomainame.com nslookup 10.1.3.4 If success, no errors, and no time delays, then OK.
VM-level Backups for AD DR Problem: With virtualized Domain Controllers using VM-level backups to backup DC ’s can corrupt AD. USN number mismatch between restored DC and existing DC ’s. Which USN ’s have correct high water mark? Solution: Always use authoritative/non-authoritative restore for AD DR. Never VM-level backups. In fact, never use VM-level backups for any transactional database for the same reason. Want more justification? http://support.microsoft.com/kb/888794
Part III Complete Disasters
Snapping an Offline DC VM Problem: Need to create an offline DC VM for testing purposes, but am concerned about lingering objects. Solution: Use this process… Create a new site in AD Add a member server VM to the domain in the new site. DCPROMO. Wait for replication to complete, then shut down the DC. Copy/Paste the virtual machine, then restart the DC. Demote this DC back to a member server and remove it from the production network. Start the DC, reconfigure network, and seize all FSMO roles. Use the new DC to complete testing.
What you Need to Back Up Problem: What exactly needs to be backed up to ensure a successful DC restore. A successful authoritative restore of the AD database. Solution: Never try to restore the AD database from one DC to another DC. So, all files that make up that DC must be backed up: C:\ System State
Lack of Defined DR Policy & Procedures Problem: Most companies do not have a defined DR Policy and DR Restoration Procedures. This is usually the case because the project can get over-scoped. Consider just the steps necessary to start a recovery. Solution: Build a simple DR plan and recovery steps. Does not need to be complicated. Just the basic steps necessary to start recovery. When you ’re under the spotlight, you don’t want to be searching for recovery steps on TechNet…
3 DR Scenarios Scenario 1: A subset of objects within Active Directory or the SYSVOL is accidentally or maliciously removed from the database. Scenario 2: An Active Directory domain controller is functionally and irrecoverably down and must be rebuilt to return to operations. Scenario 3: The entire Active Directory forest and domain is functionally and irrecoverably down and must be rebuilt to return to operations.
Scenario 1: Deleted Objects Locate a DC that is also a GC. Disconnect this server from the network. Reboot that server into Directory Services Restore Mode using the DSRM password. Restore the AD database to the DC from tape or file backup (non-authoritative). Perform an authoritative restore of the deleted object: NTDSUTIL AUTHORITATIVE RESTORE RESTORE SUBTREE {Object to Restore} <Object to Restore> is the DN of the object to restore. For example, to restore the Accounts OU, the DN would be “OU=Accounts,DC={MyDomain},DC={com}” QUIT / QUIT
Scenario 1: Deleted Objects Reconnect the DC and reboot the DC into normal operations. Ensure the restored object has replicated to all DC ’s in the domain. As the DC reboots from DSRM mode, it will generate .LDF files that include back-link information for the restored objects. As an example, back-links are groups the object is a member of. These files are of the format ar_{date}-{time}_links_{Domain Name}.ldf. Restore the back-links for each file found: ldifde –i –k –f ar_{date}-{time}_links_{Domain Name}.ldf
Scenario 2: A DC Goes Down Validate the DC is completely failed and a restoration is not feasible. If the DC is functional, but the AD database is corrupt, attempt a forced demotion: DCPROMO /FORCEREMOVAL Remove the failed server ’s server objects from a functioning DC: NTDSUTIL METADATA CLEANUP REMOVE SELECTED SERVER {DN of Server} QUIT | QUIT Within the active DNS for the domain, manually remove any references to the failed DC and its SID in either A or SRV records.
Scenario 2: A DC Goes Down Build a replacement server at the same Service Pack and patch level. DCPROMO the member server Validate a complete promotion and verify the AD database has resynchronized to the domain.
Scenario 3: Corrupted Forest As of the last time I checked, Microsoft PSS has never been called to perform a complete forest restoration. Validate that the complete Active Directory is completely and irreparably failed and a restoration is not feasible. Call Microsoft PSS at 800-936-2200 and declare a Priority 1 “Crit-Sit”. http://www.microsoft.com/downloads/details.aspx? displaylang=en&FamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE
 
This slide deck was used in one of our many conference presentations. We hope you enjoy it, and invite you to use it within your own organization however you like. For more information on our company, including information on private classes and upcoming conference appearances, please visit our Web site, www.ConcentratedTech.com . For links to newly-posted decks, follow us on Twitter: @concentrateddon or @concentratdgreg This work is copyright ©Concentrated Technology, LLC
Ad

Recommended

Repl ts
Repl tsRepl ts
Repl ts
Venkatesh Vr
 
NetApp against ransomware
NetApp against ransomwareNetApp against ransomware
NetApp against ransomware
Damien Berezenko
 
Deduplication without performance hits: Intel Xeon processor E5-2697v2-powere...
Deduplication without performance hits: Intel Xeon processor E5-2697v2-powere...Deduplication without performance hits: Intel Xeon processor E5-2697v2-powere...
Deduplication without performance hits: Intel Xeon processor E5-2697v2-powere...
Principled Technologies
 
Upgrading to Windows Server 2019 on Dell EMC PowerEdge servers: A simple proc...
Upgrading to Windows Server 2019 on Dell EMC PowerEdge servers: A simple proc...Upgrading to Windows Server 2019 on Dell EMC PowerEdge servers: A simple proc...
Upgrading to Windows Server 2019 on Dell EMC PowerEdge servers: A simple proc...
Principled Technologies
 
Daos
DaosDaos
Daos
Ulrich Krause
 
Nyoug delphix slideshare
Nyoug delphix slideshareNyoug delphix slideshare
Nyoug delphix slideshare
Kyle Hailey
 
Three cool cmdlets I wish PowerShell Had!
Three cool cmdlets I wish PowerShell Had!Three cool cmdlets I wish PowerShell Had!
Three cool cmdlets I wish PowerShell Had!
Thomas Lee
 
PowerShell crashcourse for sharepoint
PowerShell crashcourse for sharepointPowerShell crashcourse for sharepoint
PowerShell crashcourse for sharepoint
Concentrated Technology
 
PowerShell crashcourse for Sharepoint admins
PowerShell crashcourse for Sharepoint adminsPowerShell crashcourse for Sharepoint admins
PowerShell crashcourse for Sharepoint admins
Concentrated Technology
 
Best free tools for win database admin
Best free tools for win database adminBest free tools for win database admin
Best free tools for win database admin
Concentrated Technology
 
Free tools for win server administration
Free tools for win server administrationFree tools for win server administration
Free tools for win server administration
Concentrated Technology
 
PowerShell v4 Desired State Configuration
PowerShell v4 Desired State ConfigurationPowerShell v4 Desired State Configuration
PowerShell v4 Desired State Configuration
Jason Stangroome
 
PowerShell crash course
PowerShell crash coursePowerShell crash course
PowerShell crash course
Concentrated Technology
 
PowerShell Functions
PowerShell FunctionsPowerShell Functions
PowerShell Functions
mikepfeiffer
 
No-script PowerShell v2
No-script PowerShell v2No-script PowerShell v2
No-script PowerShell v2
Concentrated Technology
 
Ha & drs gotcha's
Ha & drs gotcha'sHa & drs gotcha's
Ha & drs gotcha's
Concentrated Technology
 
Combining output from multiple sources
Combining output from multiple sourcesCombining output from multiple sources
Combining output from multiple sources
Concentrated Technology
 
PowerShell and WMI
PowerShell and WMIPowerShell and WMI
PowerShell and WMI
Concentrated Technology
 
Managing SQLserver
Managing SQLserverManaging SQLserver
Managing SQLserver
Concentrated Technology
 
Automating Active Directory mgmt in PowerShell
Automating Active Directory mgmt in PowerShellAutomating Active Directory mgmt in PowerShell
Automating Active Directory mgmt in PowerShell
Concentrated Technology
 
PowerShell 8tips
PowerShell 8tipsPowerShell 8tips
PowerShell 8tips
Concentrated Technology
 
Automating ad with powershell
Automating ad with powershellAutomating ad with powershell
Automating ad with powershell
Concentrated Technology
 
From VB Script to PowerShell
From VB Script to PowerShellFrom VB Script to PowerShell
From VB Script to PowerShell
Concentrated Technology
 
PowerShell custom properties
PowerShell custom propertiesPowerShell custom properties
PowerShell custom properties
Concentrated Technology
 
PowerShell and the Future of Windows Automation
PowerShell and the Future of Windows AutomationPowerShell and the Future of Windows Automation
PowerShell and the Future of Windows Automation
Concentrated Technology
 
Ive got a powershell secret
Ive got a powershell secretIve got a powershell secret
Ive got a powershell secret
Chris Conte
 
PS error handling and debugging
PS error handling and debuggingPS error handling and debugging
PS error handling and debugging
Concentrated Technology
 
Advanced Tools & Scripting with PowerShell 3.0 Jump Start - Certificate
Advanced Tools & Scripting with PowerShell 3.0 Jump Start - CertificateAdvanced Tools & Scripting with PowerShell 3.0 Jump Start - Certificate
Advanced Tools & Scripting with PowerShell 3.0 Jump Start - Certificate
Don Reese
 
The Pensions Trust - VM Backup Experiences
The Pensions Trust - VM Backup ExperiencesThe Pensions Trust - VM Backup Experiences
The Pensions Trust - VM Backup Experiences
glbsolutions
 
1
11
1
Vincent Mwesigwa
 
Ad

More Related Content

Viewers also liked (20)

PowerShell crashcourse for Sharepoint admins
PowerShell crashcourse for Sharepoint adminsPowerShell crashcourse for Sharepoint admins
PowerShell crashcourse for Sharepoint admins
Concentrated Technology
 
Best free tools for win database admin
Best free tools for win database adminBest free tools for win database admin
Best free tools for win database admin
Concentrated Technology
 
Free tools for win server administration
Free tools for win server administrationFree tools for win server administration
Free tools for win server administration
Concentrated Technology
 
PowerShell v4 Desired State Configuration
PowerShell v4 Desired State ConfigurationPowerShell v4 Desired State Configuration
PowerShell v4 Desired State Configuration
Jason Stangroome
 
PowerShell crash course
PowerShell crash coursePowerShell crash course
PowerShell crash course
Concentrated Technology
 
PowerShell Functions
PowerShell FunctionsPowerShell Functions
PowerShell Functions
mikepfeiffer
 
No-script PowerShell v2
No-script PowerShell v2No-script PowerShell v2
No-script PowerShell v2
Concentrated Technology
 
Ha & drs gotcha's
Ha & drs gotcha'sHa & drs gotcha's
Ha & drs gotcha's
Concentrated Technology
 
Combining output from multiple sources
Combining output from multiple sourcesCombining output from multiple sources
Combining output from multiple sources
Concentrated Technology
 
PowerShell and WMI
PowerShell and WMIPowerShell and WMI
PowerShell and WMI
Concentrated Technology
 
Managing SQLserver
Managing SQLserverManaging SQLserver
Managing SQLserver
Concentrated Technology
 
Automating Active Directory mgmt in PowerShell
Automating Active Directory mgmt in PowerShellAutomating Active Directory mgmt in PowerShell
Automating Active Directory mgmt in PowerShell
Concentrated Technology
 
PowerShell 8tips
PowerShell 8tipsPowerShell 8tips
PowerShell 8tips
Concentrated Technology
 
Automating ad with powershell
Automating ad with powershellAutomating ad with powershell
Automating ad with powershell
Concentrated Technology
 
From VB Script to PowerShell
From VB Script to PowerShellFrom VB Script to PowerShell
From VB Script to PowerShell
Concentrated Technology
 
PowerShell custom properties
PowerShell custom propertiesPowerShell custom properties
PowerShell custom properties
Concentrated Technology
 
PowerShell and the Future of Windows Automation
PowerShell and the Future of Windows AutomationPowerShell and the Future of Windows Automation
PowerShell and the Future of Windows Automation
Concentrated Technology
 
Ive got a powershell secret
Ive got a powershell secretIve got a powershell secret
Ive got a powershell secret
Chris Conte
 
PS error handling and debugging
PS error handling and debuggingPS error handling and debugging
PS error handling and debugging
Concentrated Technology
 
Advanced Tools & Scripting with PowerShell 3.0 Jump Start - Certificate
Advanced Tools & Scripting with PowerShell 3.0 Jump Start - CertificateAdvanced Tools & Scripting with PowerShell 3.0 Jump Start - Certificate
Advanced Tools & Scripting with PowerShell 3.0 Jump Start - Certificate
Don Reese
 
PowerShell crashcourse for Sharepoint admins
PowerShell crashcourse for Sharepoint adminsPowerShell crashcourse for Sharepoint admins
PowerShell crashcourse for Sharepoint admins
Concentrated Technology
 
Best free tools for win database admin
Best free tools for win database adminBest free tools for win database admin
Best free tools for win database admin
Concentrated Technology
 
Free tools for win server administration
Free tools for win server administrationFree tools for win server administration
Free tools for win server administration
Concentrated Technology
 
PowerShell v4 Desired State Configuration
PowerShell v4 Desired State ConfigurationPowerShell v4 Desired State Configuration
PowerShell v4 Desired State Configuration
Jason Stangroome
 
PowerShell crash course
PowerShell crash coursePowerShell crash course
PowerShell crash course
Concentrated Technology
 
PowerShell Functions
PowerShell FunctionsPowerShell Functions
PowerShell Functions
mikepfeiffer
 
No-script PowerShell v2
No-script PowerShell v2No-script PowerShell v2
No-script PowerShell v2
Concentrated Technology
 
Ha & drs gotcha's
Ha & drs gotcha'sHa & drs gotcha's
Ha & drs gotcha's
Concentrated Technology
 
Combining output from multiple sources
Combining output from multiple sourcesCombining output from multiple sources
Combining output from multiple sources
Concentrated Technology
 
PowerShell and WMI
PowerShell and WMIPowerShell and WMI
PowerShell and WMI
Concentrated Technology
 
Managing SQLserver
Managing SQLserverManaging SQLserver
Managing SQLserver
Concentrated Technology
 
Automating Active Directory mgmt in PowerShell
Automating Active Directory mgmt in PowerShellAutomating Active Directory mgmt in PowerShell
Automating Active Directory mgmt in PowerShell
Concentrated Technology
 
PowerShell 8tips
PowerShell 8tipsPowerShell 8tips
PowerShell 8tips
Concentrated Technology
 
Automating ad with powershell
Automating ad with powershellAutomating ad with powershell
Automating ad with powershell
Concentrated Technology
 
From VB Script to PowerShell
From VB Script to PowerShellFrom VB Script to PowerShell
From VB Script to PowerShell
Concentrated Technology
 
PowerShell custom properties
PowerShell custom propertiesPowerShell custom properties
PowerShell custom properties
Concentrated Technology
 
PowerShell and the Future of Windows Automation
PowerShell and the Future of Windows AutomationPowerShell and the Future of Windows Automation
PowerShell and the Future of Windows Automation
Concentrated Technology
 
Ive got a powershell secret
Ive got a powershell secretIve got a powershell secret
Ive got a powershell secret
Chris Conte
 
PS error handling and debugging
PS error handling and debuggingPS error handling and debugging
PS error handling and debugging
Concentrated Technology
 
Advanced Tools & Scripting with PowerShell 3.0 Jump Start - Certificate
Advanced Tools & Scripting with PowerShell 3.0 Jump Start - CertificateAdvanced Tools & Scripting with PowerShell 3.0 Jump Start - Certificate
Advanced Tools & Scripting with PowerShell 3.0 Jump Start - Certificate
Don Reese
 

Similar to Ad disasters & how to prevent them (20)

The Pensions Trust - VM Backup Experiences
The Pensions Trust - VM Backup ExperiencesThe Pensions Trust - VM Backup Experiences
The Pensions Trust - VM Backup Experiences
glbsolutions
 
1
11
1
Vincent Mwesigwa
 
Implementing dr w. hyper v clustering
Implementing dr w. hyper v clusteringImplementing dr w. hyper v clustering
Implementing dr w. hyper v clustering
Concentrated Technology
 
Only an IBM Domino Server can take this much beating and still run
Only an IBM Domino Server can take this much beating and still runOnly an IBM Domino Server can take this much beating and still run
Only an IBM Domino Server can take this much beating and still run
Andreas Ponte
 
Active Directory Security Assessment ADSA
Active Directory Security Assessment ADSAActive Directory Security Assessment ADSA
Active Directory Security Assessment ADSA
Carrie Tran
 
2007-05-23 Cecchet_PGCon2007.ppt
2007-05-23 Cecchet_PGCon2007.ppt2007-05-23 Cecchet_PGCon2007.ppt
2007-05-23 Cecchet_PGCon2007.ppt
nadirpervez2
 
Ubuntu And Parental Controls
Ubuntu And Parental ControlsUbuntu And Parental Controls
Ubuntu And Parental Controls
jasonholtzapple
 
Migrating To Sql Server 2005
Migrating To Sql Server 2005Migrating To Sql Server 2005
Migrating To Sql Server 2005
guest1b8d7a
 
Stored-Procedures-Presentation
Stored-Procedures-PresentationStored-Procedures-Presentation
Stored-Procedures-Presentation
Chuck Walker
 
Mmckeown hadr that_conf
Mmckeown hadr that_confMmckeown hadr that_conf
Mmckeown hadr that_conf
Mike McKeown
 
Hw09 Production Deep Dive With High Availability
Hw09 Production Deep Dive With High AvailabilityHw09 Production Deep Dive With High Availability
Hw09 Production Deep Dive With High Availability
Cloudera, Inc.
 
Moving to ws2003
Moving to ws2003Moving to ws2003
Moving to ws2003
Sumit Tambe
 
70 640 Lesson02 Ppt 041009
70 640 Lesson02 Ppt 04100970 640 Lesson02 Ppt 041009
70 640 Lesson02 Ppt 041009
Coffeyville Community College
 
Extreme Availability using Oracle 12c Features: Your very last system shutdown?
Extreme Availability using Oracle 12c Features: Your very last system shutdown?Extreme Availability using Oracle 12c Features: Your very last system shutdown?
Extreme Availability using Oracle 12c Features: Your very last system shutdown?
Toronto-Oracle-Users-Group
 
Health Check Your DB2 UDB For Z/OS System
Health Check Your DB2 UDB For Z/OS SystemHealth Check Your DB2 UDB For Z/OS System
Health Check Your DB2 UDB For Z/OS System
sjreese
 
Pmw2 k3ni 1-3a
Pmw2 k3ni 1-3aPmw2 k3ni 1-3a
Pmw2 k3ni 1-3a
hariclant1
 
DCEU 18: Developing with Docker Containers
DCEU 18: Developing with Docker ContainersDCEU 18: Developing with Docker Containers
DCEU 18: Developing with Docker Containers
Docker, Inc.
 
System Design.pdf
System Design.pdfSystem Design.pdf
System Design.pdf
JitendraYadav351971
 
Oracle GoldenGate
Oracle GoldenGateOracle GoldenGate
Oracle GoldenGate
Anar Godjaev
 
Pandora FMS: DB2 Enterprise Plugin
Pandora FMS: DB2 Enterprise PluginPandora FMS: DB2 Enterprise Plugin
Pandora FMS: DB2 Enterprise Plugin
Pandora FMS
 
The Pensions Trust - VM Backup Experiences
The Pensions Trust - VM Backup ExperiencesThe Pensions Trust - VM Backup Experiences
The Pensions Trust - VM Backup Experiences
glbsolutions
 
1
11
1
Vincent Mwesigwa
 
Implementing dr w. hyper v clustering
Implementing dr w. hyper v clusteringImplementing dr w. hyper v clustering
Implementing dr w. hyper v clustering
Concentrated Technology
 
Only an IBM Domino Server can take this much beating and still run
Only an IBM Domino Server can take this much beating and still runOnly an IBM Domino Server can take this much beating and still run
Only an IBM Domino Server can take this much beating and still run
Andreas Ponte
 
Active Directory Security Assessment ADSA
Active Directory Security Assessment ADSAActive Directory Security Assessment ADSA
Active Directory Security Assessment ADSA
Carrie Tran
 
2007-05-23 Cecchet_PGCon2007.ppt
2007-05-23 Cecchet_PGCon2007.ppt2007-05-23 Cecchet_PGCon2007.ppt
2007-05-23 Cecchet_PGCon2007.ppt
nadirpervez2
 
Ubuntu And Parental Controls
Ubuntu And Parental ControlsUbuntu And Parental Controls
Ubuntu And Parental Controls
jasonholtzapple
 
Migrating To Sql Server 2005
Migrating To Sql Server 2005Migrating To Sql Server 2005
Migrating To Sql Server 2005
guest1b8d7a
 
Stored-Procedures-Presentation
Stored-Procedures-PresentationStored-Procedures-Presentation
Stored-Procedures-Presentation
Chuck Walker
 
Mmckeown hadr that_conf
Mmckeown hadr that_confMmckeown hadr that_conf
Mmckeown hadr that_conf
Mike McKeown
 
Hw09 Production Deep Dive With High Availability
Hw09 Production Deep Dive With High AvailabilityHw09 Production Deep Dive With High Availability
Hw09 Production Deep Dive With High Availability
Cloudera, Inc.
 
Moving to ws2003
Moving to ws2003Moving to ws2003
Moving to ws2003
Sumit Tambe
 
70 640 Lesson02 Ppt 041009
70 640 Lesson02 Ppt 04100970 640 Lesson02 Ppt 041009
70 640 Lesson02 Ppt 041009
Coffeyville Community College
 
Extreme Availability using Oracle 12c Features: Your very last system shutdown?
Extreme Availability using Oracle 12c Features: Your very last system shutdown?Extreme Availability using Oracle 12c Features: Your very last system shutdown?
Extreme Availability using Oracle 12c Features: Your very last system shutdown?
Toronto-Oracle-Users-Group
 
Health Check Your DB2 UDB For Z/OS System
Health Check Your DB2 UDB For Z/OS SystemHealth Check Your DB2 UDB For Z/OS System
Health Check Your DB2 UDB For Z/OS System
sjreese
 
Pmw2 k3ni 1-3a
Pmw2 k3ni 1-3aPmw2 k3ni 1-3a
Pmw2 k3ni 1-3a
hariclant1
 
DCEU 18: Developing with Docker Containers
DCEU 18: Developing with Docker ContainersDCEU 18: Developing with Docker Containers
DCEU 18: Developing with Docker Containers
Docker, Inc.
 
System Design.pdf
System Design.pdfSystem Design.pdf
System Design.pdf
JitendraYadav351971
 
Oracle GoldenGate
Oracle GoldenGateOracle GoldenGate
Oracle GoldenGate
Anar Godjaev
 
Pandora FMS: DB2 Enterprise Plugin
Pandora FMS: DB2 Enterprise PluginPandora FMS: DB2 Enterprise Plugin
Pandora FMS: DB2 Enterprise Plugin
Pandora FMS
 
Ad

More from Concentrated Technology (19)

Wsus sample scripts
Wsus sample scriptsWsus sample scripts
Wsus sample scripts
Concentrated Technology
 
Wsus best practices
Wsus best practicesWsus best practices
Wsus best practices
Concentrated Technology
 
Virtualization today
Virtualization todayVirtualization today
Virtualization today
Concentrated Technology
 
Virtualization auditing & security deck v1.0
Virtualization auditing & security deck v1.0Virtualization auditing & security deck v1.0
Virtualization auditing & security deck v1.0
Concentrated Technology
 
Vdi in-a-box
Vdi in-a-boxVdi in-a-box
Vdi in-a-box
Concentrated Technology
 
Top ESXi command line v2.0
Top ESXi command line v2.0Top ESXi command line v2.0
Top ESXi command line v2.0
Concentrated Technology
 
Supporting SQLserver
Supporting SQLserverSupporting SQLserver
Supporting SQLserver
Concentrated Technology
 
Server Core2
Server Core2Server Core2
Server Core2
Concentrated Technology
 
Securely connecting to apps over the internet using rds
Securely connecting to apps over the internet using rdsSecurely connecting to apps over the internet using rds
Securely connecting to apps over the internet using rds
Concentrated Technology
 
Rapidly deploying software
Rapidly deploying softwareRapidly deploying software
Rapidly deploying software
Concentrated Technology
 
PS scripting and modularization
PS scripting and modularizationPS scripting and modularization
PS scripting and modularization
Concentrated Technology
 
Prepping software for w7 deployment
Prepping software for w7 deploymentPrepping software for w7 deployment
Prepping software for w7 deployment
Concentrated Technology
 
PowerShell Remoting
PowerShell RemotingPowerShell Remoting
PowerShell Remoting
Concentrated Technology
 
PowerShell crashcourse
PowerShell crashcoursePowerShell crashcourse
PowerShell crashcourse
Concentrated Technology
 
Managing SQLserver for the reluctant DBA
Managing SQLserver for the reluctant DBAManaging SQLserver for the reluctant DBA
Managing SQLserver for the reluctant DBA
Concentrated Technology
 
Managing enterprise with PowerShell remoting
Managing enterprise with PowerShell remotingManaging enterprise with PowerShell remoting
Managing enterprise with PowerShell remoting
Concentrated Technology
 
Inventory your network and clients with PowerShell
Inventory your network and clients with PowerShellInventory your network and clients with PowerShell
Inventory your network and clients with PowerShell
Concentrated Technology
 
Iis implementation
Iis implementationIis implementation
Iis implementation
Concentrated Technology
 
Hyper v r2 deep dive
Hyper v r2 deep diveHyper v r2 deep dive
Hyper v r2 deep dive
Concentrated Technology
 
Wsus sample scripts
Wsus sample scriptsWsus sample scripts
Wsus sample scripts
Concentrated Technology
 
Wsus best practices
Wsus best practicesWsus best practices
Wsus best practices
Concentrated Technology
 
Virtualization today
Virtualization todayVirtualization today
Virtualization today
Concentrated Technology
 
Virtualization auditing & security deck v1.0
Virtualization auditing & security deck v1.0Virtualization auditing & security deck v1.0
Virtualization auditing & security deck v1.0
Concentrated Technology
 
Vdi in-a-box
Vdi in-a-boxVdi in-a-box
Vdi in-a-box
Concentrated Technology
 
Top ESXi command line v2.0
Top ESXi command line v2.0Top ESXi command line v2.0
Top ESXi command line v2.0
Concentrated Technology
 
Supporting SQLserver
Supporting SQLserverSupporting SQLserver
Supporting SQLserver
Concentrated Technology
 
Server Core2
Server Core2Server Core2
Server Core2
Concentrated Technology
 
Securely connecting to apps over the internet using rds
Securely connecting to apps over the internet using rdsSecurely connecting to apps over the internet using rds
Securely connecting to apps over the internet using rds
Concentrated Technology
 
Rapidly deploying software
Rapidly deploying softwareRapidly deploying software
Rapidly deploying software
Concentrated Technology
 
PS scripting and modularization
PS scripting and modularizationPS scripting and modularization
PS scripting and modularization
Concentrated Technology
 
Prepping software for w7 deployment
Prepping software for w7 deploymentPrepping software for w7 deployment
Prepping software for w7 deployment
Concentrated Technology
 
PowerShell Remoting
PowerShell RemotingPowerShell Remoting
PowerShell Remoting
Concentrated Technology
 
PowerShell crashcourse
PowerShell crashcoursePowerShell crashcourse
PowerShell crashcourse
Concentrated Technology
 
Managing SQLserver for the reluctant DBA
Managing SQLserver for the reluctant DBAManaging SQLserver for the reluctant DBA
Managing SQLserver for the reluctant DBA
Concentrated Technology
 
Managing enterprise with PowerShell remoting
Managing enterprise with PowerShell remotingManaging enterprise with PowerShell remoting
Managing enterprise with PowerShell remoting
Concentrated Technology
 
Inventory your network and clients with PowerShell
Inventory your network and clients with PowerShellInventory your network and clients with PowerShell
Inventory your network and clients with PowerShell
Concentrated Technology
 
Iis implementation
Iis implementationIis implementation
Iis implementation
Concentrated Technology
 
Hyper v r2 deep dive
Hyper v r2 deep diveHyper v r2 deep dive
Hyper v r2 deep dive
Concentrated Technology
 
Ad

Recently uploaded (20)

AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 

Ad disasters & how to prevent them

  • 1. AD Disasters …and How to Prevent Them! Greg Shields, MVP, vExpert Head Geek, Concentrated Technology www.ConcentratedTech.com
  • 2. This slide deck was used in one of our many conference presentations. We hope you enjoy it, and invite you to use it within your own organization however you like. For more information on our company, including information on private classes and upcoming conference appearances, please visit our Web site, www.ConcentratedTech.com . For links to newly-posted decks, follow us on Twitter: @concentrateddon or @concentratdgreg This work is copyright ©Concentrated Technology, LLC
  • 3. Agenda Topics Part I: Hardware & Software Failures Part II: Human Errors Part III: Complete Disasters
  • 4. Three Types of Disasters Hardware & Software Human Error Complete Disasters Microsoft Screwed Up You Screwed Up Somebody REALLY Screwed Up
  • 5. Three Types of Disasters Hardware & Software Human Error Complete Disasters Increasing Problem Complexity Increasing Troubleshooting Complexity
  • 6. Part I Hardware & Software Failures
  • 7. Morphed SYSVOL Folders Problem: When SYSVOL replication finds a name conflict, one of the folders in conflict is renamed to foldername_ntfrs_???????? (hex) This can break the links to that folder. This can occur when users attempt to manually replicate folders, two users add folders of the same name at the same time, or during an improper restore of the SYSVOL.
  • 8. Morphed SYSVOL Folders Solution: Three-steps: Rename all morphed folders to new names and allow replication of the new names to fully complete. This ensures a common name for the folder is available on all DC ’s and that the new names and GUID’s match. Once replication has completed, look in the folders and determine which is correct and which does not belong. Rename the correct folder back to its original name and again allow replication to complete. Delete the unnecessary folder. This is OK as FRS tracks files by their GUID.
  • 9. Broken GPT/GPC Linkages Problem: Group Policy Objects are made up of two parts, the Group Policy Template and the Group Policy Container. GPC ’s are stored in Active Directory and replicate through AD replications. GPT ’s are stored in the SYSVOL and replicate through FRS. Broken GPT/GPC linkages can cause GPO ’s to malfunction and should be fixed. Same with mismatched version numbers.
  • 10. Broken GPT/GPC Linkages Solution: Use GPOTOOL.EXE from the Resource Kit Tools to identify GPT ’s/GPC’s that are not synchronized. GPOTOOL.EXE with no switches validates and reports on the GPT/GPC linkage. If someone has accidentally changed permissions on the GPT, you can also use the /checkacl switch. GPMC will notify when permissions are not consistently set and request to reset those permission. GPMC will reset the permission on the GPT to match the permission on the GPC.
  • 12. DNS Aging & Scavenging Not Enabled Problem: If DNS Aging & Scavenging is not enabled on a domain, stale DNS records caused by DHCP lease changes can pile up. Group Policy application as well as correct name resolution requires a one-to-one mapping between FQDN and IP. Stale DNS records mean multiple IP ’s per host and/or multiple host records per IP. Systems management tools like SMS can fail.
  • 13. Aging & Scavenging When DNS was static, keeping active and inactive records straight was a nightmare. Now that DNS is dynamic, inactive recordkeeping is improved, when configured correctly. Aging All dynamically updated resource records have a time stamp That time stamp is reset whenever a record is created, modified, or refreshed. Windows hosts refresh their record… At startup At DHCP lease renewal Every 24 hours
  • 14. Aging & Scavenging Windows DNS servers that accept dynamic updates need to have Scavenging enabled or records will quickly grow stale. This is especially problematic if DHCP is active and has a short lease time. Be aware the DNS scavenging on AD-integrated zones can have an impact on AD replication. Refresh Interval If a client does not refresh its record by the end of this period, the scavenging process will remove the record. No-Refresh Interval A period of time before the refresh interval where client refreshes are ignored by the server. This is done to reduce DNS replication requirements. Scavenging increases AD replication
  • 15. Aging & Scavenging 7 Days Record Created 7 Days 7 Days 7 Days 7 Days 7 Days 7 Days 7 Days No Refresh Interval Refresh Interval Refresh Accepted Refresh Accepted Record Deleted Time
  • 16. Aging & Scavenging Global Setting Per-Zone Setting Let ’s discuss strategies for Aging & Scavenging in Small, Large, & Enterprise Networks…
  • 17. DNS Aging & Scavenging Not Enabled Solution: Enable DNS Aging & Scavenging on all zones populated by DHCP. DNS Aging & Scavenging enabled in two locations. Global Setting Per-Zone Setting
  • 18. DNS Aging & Scavenging Not Enabled Solution: Use DNSCMD.EXE command-line tool to automatically age and scavenge all records after enabling Aging & Scavenging DNSCMD.EXE ageallrecords DNSCMD.EXE startscavenging
  • 19. Disable Unused Network Cards Problem: Unused network cards can auto-populate DNS with incorrect entries. With regular servers this doesn ’t often cause a big problem, but with DC’s, auto-registration populates SRV records as well. This can cause bad resolution to DC services. Solution: Disable any unused network cards. Disabling unused network cards prevents them from registering their incorrect values into DNS.
  • 20. Tombstones & Zombies Problem: When an AD object is deleted, it goes into a special container called “Deleted Items”. It’s movement there is replicated. The object is not removed until the tombstone lifetime is exceeded. Windows 2000 tombstone lifetime is 60 days Windows 2003 tombstone lifetime is 180 days Upgraded Windows 2003 tombstone lifetime is still 60 days. When a DC comes back on-line after being down for longer than the tombstone lifetime or a restore from a tape older than the tombstone lifetime, zombies are created.
  • 21. Tombstones & Zombies Solution: Never bring on-line a DC that ’s been down for greater than 60/180 days. Never use tapes to restore objects older than 60/180 days. If you do, you ’re in a world of hurt. … but what if you forget…?
  • 22. Lingering Objects Problem: So, you ’ve gone ahead and accidentally reanimated a tombstoned object? What now? Reanimation of these lingering objects can break replication in some cases.
  • 23. Lingering Objects Solution: Use REPADMIN.EXE /REPLSUM from the Support Tools to verify if lingering objects are resident in Active Directory. REPADMIN.EXE to remove them. These tools only work on W2003. Step 1: Find the GUID of a DC: repadmin.exe /showrepl Step 2: Check for lingering objects: repadmin.exe /removelingeringobjects * <DC GUID> dc={mydomain},dc={com} /advisory_mode Step 3: Remove any lingering objects found: Remove the /advisory_mode switch from Step 2.
  • 24. Lingering Objects Solution: Use REPADMIN.EXE /REPLSUM from the Support Tools to verify if lingering objects are resident in Active Directory. REPADMIN.EXE to remove them. These tools only work on W2003. Step 4: Enable strict replication consistency. Strict replication consistency is only enabled by default on 2003 DCs (not upgraded) that were promoted into a Forest that was built as 2003 (not upgraded from 2000). All other DCs will only have this setting enabled manually. Enable strict replication consistency on all DC ’s by setting the DWORD value for Strict Replication Consistency to 1 at the key HKLM\System\CurrentControlSet\Services\NTDS\Parameters.
  • 25. Improper Time Synchronization Problem: Time synchronization is critical for Kerberos authentication and many applications. Time skew greater than 5 minutes can prevent logins and cause log files to barf. Users with administrator rights can reconfigure time sync to another time server. Very slight differences in time between stratum 1, 2, and 3 servers, usually caused by Internet conditions. Using different time servers in a network can cause problems for time-sensitive network applications.
  • 26. Improper Time Synchronization Solution: Configure all machines in the domain to synchronize against the same time server. Choose to use NT5DS or NTP mode, but choose one for all systems. NT5DS is accurate to ~20 seconds. NTP can be accurate to <1 second. Some applications require greater time resolution, so consider a 3 rd party time sync tool with an on-site stratum 3 time device. “ Domain Time” from Symmetriccom
  • 27. Bad DNS SRV Records Problem: Improperly decommissioning DC ’s can lead to their SRV records not being expunged from the DNS database. Also, missing DNS SRV records can prevent AD from functioning properly. This can cause error messages in the Event Log, replication problems, etc. due to the missing server. This happens most often when AD DNS is not hosted on Windows and dynamic updates are not enabled.
  • 28. Bad DNS SRV Records Solution: Ensure DNS SRV records are consistent. Use ipconfig /registerdns to force DC to re-register DNS SRV records along with it ’s A records. Be careful of multiple interfaces on DC ’s. Disable any unused interfaces. Unused interfaces can register themselves in DNS. Bridged interfaces can cause routing problems. Delete stale DNS SRV records from DNS database (you ’ll know which are stale).
  • 29. Orphaned Domains & DC ’s Problem: Old domains and Domain Controllers are still resident in Active Directory. These extra domains are unnecessary, can cause Event Log errors and odd problems during contact attempts. Orphaned DC ’s can prevent a domain from being decommissioned. Orphaned DC ’s in child domains can prevent a parent domain from being decommissioned.
  • 30. Orphaned Domains & DC ’s Solution: Remove the offending Domains and/or DC ’s from your infrastructure. This is a multi-step process. NTDSUTIL.EXE to remove from Active Directory ADSIEDIT.MSC to remove from LDAP DNSMGMT.MSC to remove from DNS
  • 31. Orphaned Domains & DC ’s Solution: Remove the offending Domains and/or DC ’s from your infrastructure. This is a multi-step process. NTDSUTIL.EXE to remove from Active Directory NTDSUTIL METADATA CLEANUP CONNECTIONS CONNECT TO SERVER {SERVER NAME} QUIT SELECT OPERATION TARGET SELECT SERVER {SERVER NAME} REMOVE SELECTED SERVER | QUIT
  • 32. Orphaned Domains & DC ’s Solution: Remove the offending Domains and/or DC ’s from your infrastructure. This is a multi-step process. ADSIEDIT.MSC to remove from LDAP. This step is required if the domain is not at W2003 SP1. Navigate to DC={MYDOMAIN},DC={COM},OU=DOMAIN CONTROLLERS Delete the offending Domain Controller. DNSMGMT.MSC to remove from DNS Delete any FQDN ’s and/or associated GUID’s related to that DC.
  • 33. Stale AD Site Links Problem: AD Site Links are usually created and managed by the KCC. However, some administrators want to get their hands in on replication. Once Site Links are manually created, the KCC no longer manages them, which can cause them to grow stale as the network changes.
  • 34. Stale AD Site Links Solution: (Except in the very largest of networks) Remove any manually created Links and allow the KCC to manage links. In Windows 2003 SP1, the link-managing capabilities of the KCC are improved by multiple orders of magnitude. Older versions in larger networks had timing problems with KCC optimization passes. Also, improperly decommissioned DC ’s may need to be removed from AD S&S.
  • 35. No DNS Reverse Zones Problem: DNS reverse zones must be enabled for proper functionality of Active Directory. Needed so clients can identify the site they reside in. Needed so clients can find the closest DNS server. Needed for correct processing of some attributes of Group Policy.
  • 36. No DNS Reverse Zones Solution: Enable DNS reverse zones for each zone active in your network infrastructure. Ensure that all zones have similar configuration and dynamic updates enabled. Don ’t forget Aging & Scavenging.
  • 37. DSRM Passwords Unknown Problem: Directory Services Restore Mode passwords are set individually on each Domain Controller as that controller is DCPROMO ’ed. This is arguably the most forgotten password in a Windows network because it is only used again during a restore operation. Not having this in a crisis can inhibit restoration activities. Who here knows their DSRM password?
  • 38. DSRM Passwords Unknown Solution: Run NTDSUTIL.EXE to reset DSRM passwords before a failure occurs. NTDSUTIL.EXE SET DSRM PASSWORD RESET PASSWORD ON SERVER {Server Name} {Enter New Password} {Re-Enter New Password} QUIT / QUIT (Consider “bagging” the password…)
  • 39. DSRM Passwords Unknown Solution: Windows Server 2008 + KB961320 enables DSRM password synchronization to a domain account. Create a standard domain user. This user does not need to be a member of any special groups or the Domain Admins group. NTDSUTIL SET DSRM PASSWORD SYNC FROM DOMAIN ACCOUNT <userName> This process can also be scheduled via a GPP scheduled task “ SET DSRM PASSWORD” “SYNC FROM DOMAIN ACCOUNT <userName>” Q Q
  • 40. Why 2008 R2 is a good idea for AD AD Module for PowerShell and PowerShell cmdlets Every AD task is now automate-able via PowerShell AD Administrative Center Improved, task-based GUI for ADUC AD Recycle Bin Tough to use, but better than Authoritative Restore AD Best Practices Analyzer Are you the weakest link in your AD infrastructure? Offline Domain Join Handy for W7 upgrades and VDI
  • 41. Why 2008 R2 is a good idea for AD Managed Service Accounts Eliminate service account nightmares AD Web Services & AD Management Gateway Simplified PowerShell and 3 rd party management integration Authentication Mechanism Assurance Deliver a different set of resources when users login via smart cards. AD OpsMgr Management Pack If you haven ’t incorporated OpsMgr yet, see me after class…
  • 42. A Review of Useful AD Logs NTDS Diagnostics Logging By default, AD only records critical and error events to the Directory Service log. OK during normal operations, but during problem troubleshooting additional logging is necessary. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\NTDS\Diagnostics Set any of the 24 subkey ’s DWORD value to a number between 0 and 5
  • 43. A Review of Useful AD Logs
  • 44. A Review of Useful AD Logs Extended DCPROMO Logging During a W2003 DCPROMO, two log files are created in %systemroot%\debug: dcpromo.log and dcpromoui.log. The log level on dcpromoui.log can be increased to help when troubleshooting promotions/demotions. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\AdminDebug\dcpromoui Set the DWORD value for LogFlags to FF0003 (hex).
  • 45. A Review of Useful AD Logs NETLOGON Logging Hunt down problems with client log-ins, repeatedly locked-out accounts and log-in activity across forest trusts by increasing the log level on NETLOGON. HKEY_LOCAL_MACHINE\SYSTEM\Current ControlSet\Services\NetlogonParameters Set the DWORD value for DBFlag to 2080FFFF (hex), then restart the NETLOGON service. NETLOGON.log is found in %systemroot%\debug.
  • 46. A Review of Useful AD Logs Kerberos Logging Increasing the Kerberos logging level can track down problems with disabled or expired accounts, missing usernames, and clock synchronization. HKEY_LOCAL_MACHINE\System\CurrentControlSet\ Control\Lsa\Kerberos\Parameters Set the DWORD value for LogLevel to 1 and look for events in the System Event Log.
  • 47. A Review of Useful AD Logs USERENV Debug Logging This logging helps identify problems with loading/unloading of user profiles, login/logout delays, and Group Policy application. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Set the DWORD value for UserEnvDebugLevel to 0x00030002 and watch %systemroot%\debug\usermode\userenv.log Match wall clock time.
  • 48. A Review of Useful AD Logs GPO Client Logging To troubleshoot the enumeration and application of GPO ’s, increase the log level for GPO application at the client. HKEY_LOCAL_MACHINESoftware\Microsoft\ Windows\CurrentVersion\Diagnostics Set the DWORD value for RunDiagnosticLoggingGroupPolicy to 1, reboot the system and watch the Application Event Log.
  • 49. A Review of Useful AD Logs Group Policy Logging changes with Vista/08 With Vista/08, Group Policy elements are moved to their own process. Out of WinLogon Enabling Group Policy logging is now done by setting the DWORD value for GpSvcDebugLevel to 10002 for HKLM\Software\Microsoft\Windows NT\CurrentVersion\ Diagnostics The userenv debug log is now moved to %systemroot%\debug\usermode\gpsvclog.log The format of this log is easier to use, aligned with the movement of GP to a service.
  • 50. Part II Human Errors
  • 51. GPO ’s Not Easily Restorable Problem: Group Policy Objects can be restored if they ’re accidentally deleted, but this process involves a complicated authoritative restore, et cetra. This authoritative restore can be a source of downtime to complete the restore and takes a while to complete.
  • 52. GPO ’s Not Easily Restorable Solution: Create a Scheduled Task that backs up all GPO ’s in the Domain to a text file using GPMC. This task will use both scripts to ensure that GPO settings and any logon/logoff/startup/shutdown scripts are also saved. Ensure that this text file is part of the nightly backup scheme. cscript.exe %PROGRAMFILES%\gpmc\scripts\ BackupAllGPOs.wsf %SYSTSEMDRIVE%\backup\ GPOData /domain:<DomainFQDN> cscript.exe %PROGRAMFILES%\gpmc\scripts\ GetReportsForAllGPOs.wsf %SYSTSEMDRIVE%\ backup\GPOReports (Can also backup and restore in R2 with PowerShell)
  • 53. Incorrect FSMO Placement Problem: Incorrect FSMO role placement in domains where all DC ’s are not GC’s can cause a loss of data. The Infrastructure Master role cannot reside on a Domain Controller that also runs the Global Catalog role Except in the situation where the forest contains a single domain and all Domain Controllers are Global Catalogs. To check FSMO role placement, NETDOM QUERY FSMO
  • 54. Incorrect FSMO Placement Solution: Either enable the Global Catalog role on all Domain Controllers or move the Infrastructure Master role to a DC that is not a GC. NTDSUTIL.EXE ROLES CONNECTIONS CONNECT TO SERVER {Server Name} QUIT TRANSFER {Role} QUIT | QUIT
  • 55. Fat Finger (Not that I ’m calling your finger fat) Problem: You ’ve done it again and accidentally deleted a series of objects or an entire OU from AD. The default configuration of Active Directory allows everyone with administrative access to delete any object in AD. Though, we all make mistakes… In W2008, OU properties include a box box “Protect this Object/Container from Accidental Deletion”. But we ’re not at W2008 yet!
  • 56. Fat Finger (Not that I ’m calling your finger fat) Solution: That checkbox, revealed in W2008 is actually just a skin for a supported feature of W2003. By checking this box: “ Deny Delete” and “Deny Delete Subtree” permissions for the Everyone group are set on the object. You can set these permissions manually for any AD object or container inside the ADUC: Enable ADUC Advanced Features Navigate to the Object, select Properties, and view the Security tab Apply the Advanced privileges “Deny Delete” and “Deny Delete Subtree” to the object
  • 57. Unnecessary Apps Installed Problem: Every additional application installed to a server is an expansion of that server ’s attack surface. WinZip versions prior to v10. Java JRE prior to Version 5. Real Player Office Acrobat Solution: Never install applications to your Domain Controllers. Ensure that any apps installed are always patched. There ’s more to patching than just Microsoft patching.
  • 58. Letting DCPROMO Do DNS Problem: Generally a bad idea to let DCPROMO handle configuring DNS for Active Directory. Tends to do a poor job of it, if at all. Better in W2008. Solution: Ensure DNS properly configured before starting a DCPROMO process. Three tests: nslookup dchostname nslookup dchostname.dcdomainame.com nslookup 10.1.3.4 If success, no errors, and no time delays, then OK.
  • 59. VM-level Backups for AD DR Problem: With virtualized Domain Controllers using VM-level backups to backup DC ’s can corrupt AD. USN number mismatch between restored DC and existing DC ’s. Which USN ’s have correct high water mark? Solution: Always use authoritative/non-authoritative restore for AD DR. Never VM-level backups. In fact, never use VM-level backups for any transactional database for the same reason. Want more justification? http://support.microsoft.com/kb/888794
  • 60. Part III Complete Disasters
  • 61. Snapping an Offline DC VM Problem: Need to create an offline DC VM for testing purposes, but am concerned about lingering objects. Solution: Use this process… Create a new site in AD Add a member server VM to the domain in the new site. DCPROMO. Wait for replication to complete, then shut down the DC. Copy/Paste the virtual machine, then restart the DC. Demote this DC back to a member server and remove it from the production network. Start the DC, reconfigure network, and seize all FSMO roles. Use the new DC to complete testing.
  • 62. What you Need to Back Up Problem: What exactly needs to be backed up to ensure a successful DC restore. A successful authoritative restore of the AD database. Solution: Never try to restore the AD database from one DC to another DC. So, all files that make up that DC must be backed up: C:\ System State
  • 63. Lack of Defined DR Policy & Procedures Problem: Most companies do not have a defined DR Policy and DR Restoration Procedures. This is usually the case because the project can get over-scoped. Consider just the steps necessary to start a recovery. Solution: Build a simple DR plan and recovery steps. Does not need to be complicated. Just the basic steps necessary to start recovery. When you ’re under the spotlight, you don’t want to be searching for recovery steps on TechNet…
  • 64. 3 DR Scenarios Scenario 1: A subset of objects within Active Directory or the SYSVOL is accidentally or maliciously removed from the database. Scenario 2: An Active Directory domain controller is functionally and irrecoverably down and must be rebuilt to return to operations. Scenario 3: The entire Active Directory forest and domain is functionally and irrecoverably down and must be rebuilt to return to operations.
  • 65. Scenario 1: Deleted Objects Locate a DC that is also a GC. Disconnect this server from the network. Reboot that server into Directory Services Restore Mode using the DSRM password. Restore the AD database to the DC from tape or file backup (non-authoritative). Perform an authoritative restore of the deleted object: NTDSUTIL AUTHORITATIVE RESTORE RESTORE SUBTREE {Object to Restore} <Object to Restore> is the DN of the object to restore. For example, to restore the Accounts OU, the DN would be “OU=Accounts,DC={MyDomain},DC={com}” QUIT / QUIT
  • 66. Scenario 1: Deleted Objects Reconnect the DC and reboot the DC into normal operations. Ensure the restored object has replicated to all DC ’s in the domain. As the DC reboots from DSRM mode, it will generate .LDF files that include back-link information for the restored objects. As an example, back-links are groups the object is a member of. These files are of the format ar_{date}-{time}_links_{Domain Name}.ldf. Restore the back-links for each file found: ldifde –i –k –f ar_{date}-{time}_links_{Domain Name}.ldf
  • 67. Scenario 2: A DC Goes Down Validate the DC is completely failed and a restoration is not feasible. If the DC is functional, but the AD database is corrupt, attempt a forced demotion: DCPROMO /FORCEREMOVAL Remove the failed server ’s server objects from a functioning DC: NTDSUTIL METADATA CLEANUP REMOVE SELECTED SERVER {DN of Server} QUIT | QUIT Within the active DNS for the domain, manually remove any references to the failed DC and its SID in either A or SRV records.
  • 68. Scenario 2: A DC Goes Down Build a replacement server at the same Service Pack and patch level. DCPROMO the member server Validate a complete promotion and verify the AD database has resynchronized to the domain.
  • 69. Scenario 3: Corrupted Forest As of the last time I checked, Microsoft PSS has never been called to perform a complete forest restoration. Validate that the complete Active Directory is completely and irreparably failed and a restoration is not feasible. Call Microsoft PSS at 800-936-2200 and declare a Priority 1 “Crit-Sit”. http://www.microsoft.com/downloads/details.aspx? displaylang=en&FamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE
  • 70.  
  • 71. This slide deck was used in one of our many conference presentations. We hope you enjoy it, and invite you to use it within your own organization however you like. For more information on our company, including information on private classes and upcoming conference appearances, please visit our Web site, www.ConcentratedTech.com . For links to newly-posted decks, follow us on Twitter: @concentrateddon or @concentratdgreg This work is copyright ©Concentrated Technology, LLC

Editor's Notes

  • #2: MGB 2003 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
  • #4: Greg Shields
  • #5: Greg Shields
  • #6: Greg Shields
  • #7: Greg Shields
  • #8: Greg Shields
  • #9: Greg Shields
  • #10: Greg Shields
  • #11: Greg Shields
  • #12: Greg Shields
  • #13: Greg Shields
  • #14: Greg Shields
  • #15: Greg Shields
  • #16: Greg Shields Graphic adapted from an excellent review of Aging and Scavenging in the book DNS on Windows Server 2003 by Matt Larson, Cricket Liu &amp; Robbie Allen, page 143.
  • #17: Greg Shields
  • #18: Greg Shields
  • #19: Greg Shields
  • #20: Greg Shields
  • #21: Greg Shields
  • #22: Greg Shields
  • #23: Greg Shields
  • #24: Greg Shields
  • #25: Greg Shields
  • #26: Greg Shields
  • #27: Greg Shields
  • #28: Greg Shields
  • #29: Greg Shields
  • #30: Greg Shields
  • #31: Greg Shields
  • #32: Greg Shields
  • #33: Greg Shields
  • #34: Greg Shields
  • #35: Greg Shields
  • #36: Greg Shields
  • #37: Greg Shields
  • #38: Greg Shields
  • #39: Greg Shields
  • #40: Greg Shields
  • #41: Greg Shields
  • #42: Greg Shields
  • #43: Greg Shields
  • #44: Greg Shields
  • #45: Greg Shields
  • #46: Greg Shields
  • #47: Greg Shields
  • #48: Greg Shields
  • #49: Greg Shields
  • #50: Greg Shields
  • #51: Greg Shields
  • #52: Greg Shields
  • #53: Greg Shields
  • #54: Greg Shields
  • #55: Greg Shields
  • #56: Greg Shields
  • #57: Greg Shields
  • #58: Greg Shields
  • #59: Greg Shields
  • #60: Greg Shields
  • #61: Greg Shields
  • #62: Greg Shields
  • #63: Greg Shields
  • #64: Greg Shields
  • #65: Greg Shields
  • #66: Greg Shields
  • #67: Greg Shields
  • #68: Greg Shields
  • #69: Greg Shields
  • #70: Greg Shields