-
Learn Active Directory Management in a Month of Lunches – 50% off promo code
Posted on February 25th, 2013 No comments
I wanted to let readers know that I have a 50% off promo code for an upcoming book from Richard Siddaway, 'Learn Active Directory Management in a Month of Lunches'. It is now available in Manning's Early Access Program, and the 50% off promo code is valid until Feb 26, 2013 at 12 midnight EST. Use the code below when ordering:
learnadmau
Here’s the book abstract:
Active Directory is the heart of a Windows network, providing a centralized location for administration, security, and other core management functions. For example, Active Directory authenticates all users in a Windows network and enforces policies for managing your desktop estate. If you’re new to Active Directory administration—or if you find yourself unexpectedly thrust into that role—you need to get a handle on Active Directory quickly. This is the book for you.
Learn Active Directory Management in a Month of Lunches is a practical, hands-on tutorial designed for IT pros new to Active Directory. It skips the theory and concentrates on the day to day administration tasks you need to know to keep your network running smoothly. Just set aside an hour a day for a month—lunchtime would be perfect—and you’ll be comfortable and productive with Active Directory before you know it.
This book makes no assumptions about your background and starts by introducing Active Directory and walking you through its basic features. You’ll learn how to administer AD both from the GUI tools built into Windows and by using PowerShell and the AD cmdlets. Along the way, you’ll touch on best practices for managing user access, setting good group policies, automating backup processes, and more. The examples in the book use Windows Server 2012 version of Active Directory and point out any important differences from earlier versions.
-
SAP Single Sign On Issues with Windows Server 2008 R2 Domain Controllers
Posted on June 7th, 2011 4 comments
By default, Data Encryption Standard (DES) encryption types for Kerberos authentication are disabled in Windows Server 2008 R2; this is a change from Windows Server 2003. If you are running an application that still relies on DES encryption types for Kerberos, such as SAP single sign-on, you may see users fail to authenticate against 2008 R2 DCs. For the users in question you will see errors like the following in the System log on the DC:
“While processing a TGS request for the target server %1, the account %2 did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of %3). The requested etypes were %4. The accounts available etypes were %5.”
To resolve this issue you need to make the Group Policy change that allows DES encryption types for Kerberos authentication on the DCs, documented in this KB: http://support.microsoft.com/kb/977321. Bear in mind that DES is a weak cipher and Microsoft disabled it for a reason: link the GPO to the Domain Controllers OU only (it is the KDC that needs to issue the DES-keyed ticket), keep it in place only for as long as the application genuinely needs DES, and push the application owner towards RC4 or AES.
- In the Group Policy Management Console (GPMC), locate the following location:
Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options
- Click to select the Network security: Configure encryption types allowed for Kerberos option.
- Click to select Define these policy settings and tick all six check boxes for the encryption types (ticking everything is what the KB describes; if you want to be stricter, tick only the DES type the application actually uses alongside RC4 and AES).
- Click OK. Close the GPMC.
To be able to make this change, you need to have first installed the following hotfix, http://support.microsoft.com/kb/978055 . This fix is included in Windows Server 2008 R2 SP1, so if you have installed that you are already good to go.
A good discussion of this issue and further steps you may need to take with service accounts can be found here:
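As an added example that is not part of the original post, the script below audits the encryption-type position before and after the change above: it decodes the policy value the GPO writes on the machine it applies to, and lists the accounts that still depend on DES. It assumes the ActiveDirectory module (RSAT-AD-PowerShell, shipped with 2008 R2) and an account that can read the domain; run it on a DC to see the KDC's effective policy.

```powershell
# Added example, not from the original post: audit Kerberos encryption types.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Bit values shared by the "Network security: Configure encryption types
# allowed for Kerberos" policy and the msDS-SupportedEncryptionTypes attribute.
$EtypeBits = @{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_CTS_HMAC_SHA1_96' = 0x8
    'AES256_CTS_HMAC_SHA1_96' = 0x10
    'Future encryption types' = 0x7FFFFFE0
}

function ConvertFrom-EtypeMask {
    # Turn a bitmask into the names of the encryption types it enables.
    param([int64]$Mask)
    $EtypeBits.GetEnumerator() |
        Sort-Object Value |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-KerberosPolicyEtypes {
    # The GPO setting is stored in this registry value on the machine it applies
    # to, so reading it on a DC shows what the KDC will currently issue.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $item = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        'Not defined (Windows Server 2008 R2 default: DES disabled)'
    } else {
        ConvertFrom-EtypeMask $item.SupportedEncryptionTypes
    }
}

function Get-DesDependentAccount {
    # Accounts that still depend on DES: the "Use Kerberos DES encryption types
    # for this account" flag (userAccountControl bit 0x200000) or a DES bit in
    # msDS-SupportedEncryptionTypes. 1.2.840.113556.1.4.803 is the LDAP
    # bitwise-AND matching rule, 1.2.840.113556.1.4.804 the bitwise-OR rule.
    $filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=2097152)' +
              '(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=3))'
    Get-ADObject -LDAPFilter $filter -Properties userAccountControl, 'msDS-SupportedEncryptionTypes', servicePrincipalName |
        ForEach-Object {
            $set = $_.'msDS-SupportedEncryptionTypes'
            if ($set) { $etypes = (ConvertFrom-EtypeMask $set) -join ',' } else { $etypes = '(not set)' }
            New-Object PSObject -Property @{
                Name            = $_.Name
                DesOnlyFlag     = [bool]($_.userAccountControl -band 0x200000)
                SupportedEtypes = $etypes
                SPNs            = ($_.servicePrincipalName -join ';')
            }
        }
}

'KDC policy on this machine: ' + ((Get-KerberosPolicyEtypes) -join ', ')
Get-DesDependentAccount | Format-Table Name, DesOnlyFlag, SupportedEtypes, SPNs -AutoSize
```

The second list is the one to keep an eye on: every account on it is a reason the DES policy cannot yet be removed, and the "missing key" wording in the event above usually means one of those accounts has no DES key at all, which is the service-account side of the problem the linked discussion covers.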
-
Running AD Schema Update for 2008 R2 in a 32-bit DC Environment
Posted on April 20th, 2011 No comments
Upgrading Active Directory from Windows Server 2003 to Windows Server 2008 R2 requires the usual AD schema upgrade first of all. Windows Server 2008 R2 is 64-bit only, so if you try running the usual command to upgrade the schema from a 32-bit Domain Controller:
adprep /forestprep
you get the following result: "adprep.exe is valid, but is for a machine type other than the current machine."
An alternative is to try running it from a 64-bit machine that is not a DC, but then you discover that this process absolutely must be run from a DC (specifically the schema master, by an account that is a member of Schema Admins and Enterprise Admins).
So what do you do? The answer is that you run adprep32.exe, a 32-bit version of adprep, which is included in the same \support\adprep folder on the 2008 R2 media:
adprep32 /forestprep
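As an added example that is not part of the original post, the pre-flight check below tells you whether forestprep is still needed, which DC holds the schema master role, and which adprep binary matches the machine you are on. It uses plain ADSI rather than the ActiveDirectory module so that it runs on a Windows Server 2003 DC, and it reads the schema version back afterwards so you can confirm the upgrade took.

```powershell
# Added example, not from the original post: pre-flight checks for adprep.
# Uses ADSI only, so it works on a 2003 DC without the AD module.
function Get-SchemaState {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    # fSMORoleOwner on the schema container is the NTDS Settings object of the
    # schema master; its parent is that DC's server object.
    $ntds    = [ADSI]"LDAP://$($schema.fSMORoleOwner)"
    $server  = [ADSI]$ntds.Parent
    $version = [int]"$($schema.objectVersion)"
    # objectVersion values: 30 = 2003, 31 = 2003 R2, 44 = 2008, 47 = 2008 R2.
    $known = @{ 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'
                44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2' }
    if ($known.ContainsKey($version)) { $label = $known[$version] } else { $label = 'unrecognised' }
    New-Object PSObject -Property @{
        SchemaVersion      = $version
        SchemaLevel        = $label
        SchemaMaster       = "$($server.dNSHostName)"
        ThisIsSchemaMaster = ("$($server.cn)" -eq $env:COMPUTERNAME)
        Architecture       = $env:PROCESSOR_ARCHITECTURE   # x86 or AMD64
    }
}

$state = Get-SchemaState
$state | Format-List SchemaVersion, SchemaLevel, SchemaMaster, ThisIsSchemaMaster, Architecture

if ($state.SchemaVersion -ge 47) {
    'Schema is already at the 2008 R2 level (47); forestprep is not needed.'
} elseif (-not $state.ThisIsSchemaMaster) {
    "Run forestprep on the schema master: $($state.SchemaMaster)"
} elseif ($state.Architecture -eq 'x86') {
    'This DC is 32-bit: use adprep32 /forestprep from \support\adprep on the 2008 R2 media.'
} else {
    'This DC is 64-bit: use adprep /forestprep from \support\adprep on the 2008 R2 media.'
}
```

Run it once before adprep to pick the right binary and machine, and once afterwards: a SchemaVersion of 47 is the confirmation that forestprep completed and has replicated to the DC you are querying.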
-
Active Directory: How do you solve a problem like Maria? Or John Smith?
Posted on January 22nd, 2010 2 comments
The larger your organisation gets, the larger the number of users in your Active Directory, and consequently the greater the chance of employing people with the same name. Unless you have good naming policies from the start you may well end up with an untidy directory and, if you are using Exchange, an address book in which it is hard to distinguish between people with the same Display Name.
The below script will generate you a report listing all users whose Display Name matches that of somebody else and for instance what a new Display Name would look like if you added their department field in brackets after their name – of course you could use another field entirely to distinguish them.
Note: that it is using the Quest AD cmdlets.
Add-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
# Every mail-enabled user, grouped by Display Name; keep only the groups with more than one member
$users = Get-QADUser -DontUseDefaultIncludedProperties -SizeLimit 0 -LdapFilter '(mail=*)' |
    Group-Object displayname |
    Where-Object {$_.count -gt 1}
$myCol = @()
foreach ($user in $users){
    foreach ($duplicateuser in $user.group){
        $NewDisplayName = $duplicateuser.DisplayName + " (" + $duplicateuser.Department + ")"
        $MYInfo = "" | Select-Object UserID,CurrentDisplayName,NewDisplayName,Department
        $MYInfo.UserID = $duplicateuser.Name
        $MYInfo.CurrentDisplayName = $duplicateuser.DisplayName
        $MYInfo.NewDisplayName = $NewDisplayName
        $MYInfo.Department = $duplicateuser.Department
        $myCol += $MYInfo
    }
}
$myCol | Export-Csv C:\Scripts\Report.csv -NoTypeInformation
After reviewing the report and deciding to fix everyone on the list, you could do it with the very similar code below. Users with an empty Department are skipped rather than renamed to "Name ()", and it is worth a first pass with -WhatIf on Set-QADUser to see exactly what would change:
Add-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
$users = Get-QADUser -DontUseDefaultIncludedProperties -SizeLimit 0 -LdapFilter '(mail=*)' |
    Group-Object displayname |
    Where-Object {$_.count -gt 1}
foreach ($user in $users){
    foreach ($duplicateuser in $user.group){
        # No department to disambiguate with: leave this one for a manual fix
        if (-not $duplicateuser.Department) { continue }
        $NewDisplayName = $duplicateuser.DisplayName + " (" + $duplicateuser.Department + ")"
        Set-QADUser $duplicateuser -DisplayName $NewDisplayName   # add -WhatIf for a dry run
    }
}
Of course you might be in a scenario where some people already have brackets after their name and you wish to create a report of those. The one-liner below will give you those results; parentheses are special characters in an LDAP filter, so in the value they are escaped as \28 and \29.
Get-QADUser -ldapfilter '(&(displayname=*\28*\29*)(mail=*))' -DontUseDefaultIncludedProperties | Select-Object name,displayname,department | Export-Csv C:\Scripts\Report.csv -NoTypeInformation
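The scripts above assume that Department is enough to tell duplicates apart. As an added example that is not part of the original post, the function below works out a unique Display Name for each member of a duplicate set, trying Department first, then Department plus Title, and falling back to the logon name, which is always unique in a domain. The sample users are constructed so it runs offline; in practice you would feed it the output of Get-QADUser and apply the result with Set-QADUser as in the scripts above.

```powershell
# Added example, not from the original post: disambiguate duplicate display
# names with a fallback chain. Sample data is constructed below.
function Resolve-DuplicateDisplayNames {
    param([object[]]$Users)
    # Suffix strategies in order of preference. Each returns '' when it cannot
    # label a user; SamAccountName is always unique so the chain terminates.
    $strategies = @(
        { param($u) "$($u.Department)" },
        { param($u) (@($u.Department, $u.Title) | Where-Object { $_ }) -join ', ' },
        { param($u) "$($u.SamAccountName)" }
    )
    $report = @()
    $groups = $Users | Group-Object DisplayName | Where-Object { $_.Count -gt 1 }
    foreach ($group in $groups) {
        foreach ($strategy in $strategies) {
            $proposed = @($group.Group | ForEach-Object { & $strategy $_ })
            $nonBlank = @($proposed | Where-Object { $_ })
            $distinct = @($proposed | Select-Object -Unique)
            # Use this strategy only if it labels everyone and the labels differ
            if ($nonBlank.Count -eq $proposed.Count -and $distinct.Count -eq $proposed.Count) { break }
        }
        for ($i = 0; $i -lt $group.Group.Count; $i++) {
            $u = $group.Group[$i]
            $report += New-Object PSObject -Property @{
                SamAccountName     = $u.SamAccountName
                CurrentDisplayName = $u.DisplayName
                NewDisplayName     = "$($u.DisplayName) ($($proposed[$i]))"
            }
        }
    }
    $report
}

# Constructed sample: two John Smiths share a department and a third has none,
# so only the logon name separates them; the Anne Joneses differ by department.
$sample = @(
    (New-Object PSObject -Property @{ DisplayName = 'John Smith'; Department = 'Finance'; Title = 'Analyst'; SamAccountName = 'jsmith1' }),
    (New-Object PSObject -Property @{ DisplayName = 'John Smith'; Department = 'Finance'; Title = 'Manager'; SamAccountName = 'jsmith2' }),
    (New-Object PSObject -Property @{ DisplayName = 'John Smith'; Department = '';        Title = '';        SamAccountName = 'jsmith3' }),
    (New-Object PSObject -Property @{ DisplayName = 'Anne Jones'; Department = 'Sales';   Title = 'Rep';     SamAccountName = 'ajones1' }),
    (New-Object PSObject -Property @{ DisplayName = 'Anne Jones'; Department = 'Legal';   Title = 'Counsel'; SamAccountName = 'ajones2' }),
    (New-Object PSObject -Property @{ DisplayName = 'Maria Lopez'; Department = 'Sales';  Title = 'Rep';     SamAccountName = 'mlopez' })
)
Resolve-DuplicateDisplayNames $sample |
    Format-Table SamAccountName, CurrentDisplayName, NewDisplayName -AutoSize
```

The report for the sample gives the Anne Joneses "(Sales)" and "(Legal)" and the John Smiths "(jsmith1)", "(jsmith2)" and "(jsmith3)", while Maria Lopez does not appear because her name is unique. Review the output before applying it: a logon-name suffix is unambiguous but not what an address-book user expects, so those rows are the ones to fix by hand.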
-
UK PowerShell User Group Events in Jan and Feb 2010
Posted on January 19th, 2010 1 comment
The first two sessions of the UK PowerShell User Group for 2010 will be online sessions.
The first event will take place on Tuesday 26th Jan 2010 7.30pm GMT. We will be looking at the Windows 2008 R2 cmdlets and provider for Active Directory.
Sign up details are available on Richard Siddaway’s blog.
The second event will take place on Tuesday 9th Feb 2010 7.30pm GMT. We will be looking at WMI and WQL.
Details again on Richard Siddaway’s blog.
-
“cd AD:” = wow!
Posted on November 20th, 2009 No comments
I have had a new article published over at Simple-Talk, Active Directory Management with PowerShell in Windows Server 2008 R2, looking at how you can use the new AD cmdlets and provider to manage Active Directory.
Mr Anonymous (it wasn't me) has already posted a very nice comment which sums up part of the new management experience:
“cd AD:” = wow!
(OK I know you could do this already with the PowerShell community extensions, so it might not be wow for everybody)
-
Active Directory PowerShell Quick Reference Guide
Posted on October 7th, 2009 10 comments
I regularly recommend, and often refer to, the Quick Reference Guide for PowerCLI that my good friend Alan Renouf put together. It is a really handy guide to pin up by your desk for when you need to remind yourself of a cmdlet and maybe one of its most common usages.
I have been spending a lot of time recently checking out the PowerShell cmdlets for Active Directory in Windows Server 2008 R2, which have also recently been made available for downlevel versions of Windows Server. I figured it would be handy to have a similar kind of Quick Reference Guide for these Active Directory cmdlets, so I put the AD PowerShell Quick Reference Guide together.
Hope you find it useful.
-
New Simple-Talk.com Article: The Active Directory Recycle Bin in Windows Server 2008 R2
Posted on September 23rd, 2009 No comments
Back in March this year I saw a presentation by James O'Neill and Richard Siddaway about some of the new PowerShell features in Windows Server 2008 R2, in particular for Active Directory. I was fascinated by the new 'Recycle Bin' feature, which is enabled via PowerShell, and could instantly see that this would be a great and long overdue addition. I am not alone in this; when Mark Minasi recently appeared on the RunAs Radio podcast he said the AD Recycle Bin was the standout feature of the whole Server 2008 R2 release, not just of the Active Directory part.
So I have spent some time checking it out which has resulted in my latest article on the Simple-Talk.com website being based on it, hope you find it useful.
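As an added example that is not part of the original post or the article, the commands below show the Recycle Bin lifecycle with the 2008 R2 AD cmdlets: the functional-level check you must do first (enabling the feature is irreversible and needs the forest at the 2008 R2 level), enabling it, finding a deleted object, and restoring it. The user name jsmith is assumed; the forest name is read from the directory.

```powershell
# Added example, not from the original post: enable the AD Recycle Bin and
# restore a deleted object. Assumes the ActiveDirectory module and an
# Enterprise Admin for the enable step. 'jsmith' is an assumed account name.
Import-Module ActiveDirectory

# 1. Preconditions: 2008 R2 forest functional level (ADForestMode value 4),
#    and the feature not already switched on. Enabling cannot be undone.
$forest = Get-ADForest
if ([int]$forest.ForestMode -lt 4) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest first."
}
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -eq 0) {
    # Leave the confirmation prompt in place: this is a one-way change.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name
} else {
    'Recycle Bin is already enabled.'
}

# 2. With the Recycle Bin on, deleted objects keep their attributes (including
#    SID and group membership) for the deleted-object lifetime instead of being
#    stripped down to tombstones, so you can find them by name.
Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "jsmith*"' `
    -IncludeDeletedObjects -Properties LastKnownParent, WhenChanged |
    Format-List Name, ObjectGUID, LastKnownParent, WhenChanged

# 3. Restore by objectGUID; add -TargetPath if the original OU is gone too.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and SamAccountName -eq "jsmith"' `
    -IncludeDeletedObjects
if ($deleted) {
    Restore-ADObject -Identity $deleted.ObjectGUID
    Get-ADUser jsmith | Format-List DistinguishedName, Enabled, SID
} else {
    'No deleted object named jsmith found.'
}
```

From a security point of view the important property is the one step 2 comments on: the restored account comes back with its original SID and group memberships, which is exactly why the feature needs to be paired with auditing of who is allowed to restore objects.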
-
64………is the magic number
Posted on June 28th, 2009 No comments
Most Windows administrators know that the maximum length of a machine's NetBIOS computer name is 15 characters, since they may well have hit that limit at some point. Slightly less familiar is the samAccountName attribute of an Active Directory user account, which is limited to 20 characters (it is the pre-Windows 2000 logon name); I had to troubleshoot that one as recently as last year.
Last week I needed to create hundreds of distribution lists in Active Directory (using PowerShell, of course), some with particularly long names, and during the first run through in my test environment about 20% of them failed to create with an error along the lines that one of the properties I was trying to set was causing a constraint violation. I tracked it down to the LDAP 'name' property, i.e. the Relative Distinguished Name, which appeared to have a limit of 64 characters, although I could not confirm this in the AD documentation I found on MSDN. (The limit comes from the schema: the cn attribute, which forms the RDN of a group, has a rangeUpper of 64.)
Thankfully Twitter again proved incredibly useful: I posted my question there and within minutes had a response from AD guru and PowerShell MVP Brandon Shell (I kind of hoped he would know when I posted the tweet); thanks again to him for his assistance. He encouraged me to post to a newsgroup and not too long after also followed up with the confirmed answer, links below:
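As an added example that is not part of the original post, the function below validates proposed names against the three limits discussed above before a bulk create, so the constraint violation shows up in a report rather than 20% of the way through the run. It reads the cn limit from the schema (rangeUpper on the Common-Name attribute, 64) when a DC is reachable and falls back to 64 otherwise; the proposed distribution-list names are constructed.

```powershell
# Added example, not from the original post: pre-validate object name lengths.
# The schema lookup is optional so the function also works offline.
function Get-CnRangeUpper {
    try {
        $rootDse = [ADSI]'LDAP://RootDSE'
        $cn = [ADSI]"LDAP://CN=Common-Name,$($rootDse.schemaNamingContext)"
        [int]"$($cn.rangeUpper)"
    } catch {
        64   # the value every AD schema ships with
    }
}

function Test-ADNameLength {
    # $Names is treated as the value that will become both cn (the RDN) and,
    # for users and computers, the sAMAccountName / NetBIOS name.
    param(
        [string[]]$Names,
        [ValidateSet('Group', 'User', 'Computer')][string]$Kind = 'Group',
        [int]$CnLimit = 64
    )
    foreach ($name in $Names) {
        $problems = @()
        if ($name.Length -gt $CnLimit) {
            $problems += "cn/RDN longer than $CnLimit"
        }
        if ($Kind -eq 'User' -and $name.Length -gt 20) {
            $problems += 'sAMAccountName (pre-Windows 2000 logon name) longer than 20'
        }
        if ($Kind -eq 'Computer' -and $name.Length -gt 15) {
            $problems += 'NetBIOS computer name longer than 15'
        }
        New-Object PSObject -Property @{
            Name     = $name
            Length   = $name.Length
            OK       = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

# Constructed sample: the second name is 74 characters and would fail to create.
$proposed = @(
    'DL-Sales',
    'DL-EMEA-Finance-Reporting-Quarterly-Close-Reviewers-And-Approvers-Extended'
)
$limit = Get-CnRangeUpper
Test-ADNameLength -Names $proposed -Kind Group -CnLimit $limit |
    Format-Table Name, Length, OK, Problems -AutoSize
```

Run the check over the whole input list and create only the rows marked OK; the rest go back to whoever owns the naming, which is a far cheaper conversation than cleaning up a half-completed bulk create.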
-
UK User Group Events in May
Posted on May 5th, 2009 No comments
May looks like a great month for some of the user groups I regularly attend.
First up we have the VMware user group in London on Thursday May 14th. This is an excellent event for VMware administrators to attend and has a great mix of vendor and community contributions. In particular this time check out Alan Renouf’s pre-show PowerShell workshop. This is before the usual start time and should be great if you are new to PowerShell or already using the VI Toolkit.
Sign up details are here.
Next up is the PowerShell user group at Microsoft in Reading on Tuesday 19th May. This time we have a real treat in store: PowerShell MVP Dmitry Sotnikov from Quest will be stopping by on his whistle-stop tour of the UK to tell us about PowerGUI and the AD cmdlets, in particular the recent updates. This was a great event when he presented for us last year and is a real opportunity, if you use either of these products, to get your questions answered or put forward suggestions for improvements. You also get to meet a really cool guy and see if he manages to blue-screen his machine again during a PowerShell demo by stopping all the services, having forgotten to use the 'whatif' parameter! (I told him I'd get him back for making fun of me when I interviewed him for the Get-Scripting podcast.)
Sign up details are here. You need to contact Richard if you wish to attend in person.
Finally on Thursday 28th May the Windows Server and Vista Squad user groups join the Active Directory user group for a joint Windows 7 event. Full content is yet to be confirmed, but that’s the first Windows 7 event I’ve heard of in this country.
Full details here.
Hope to see you at one of these events.