Paul Bergson (MVP - Directory Services)

Tuesday, May 14, 2013 6:58 AM

How to Build an AD Replication Delay (Lag) Site

To prevent having to restore objects from Active Directory due to accidentally deleting an object, you can have a remote DC which only sends/receives replication on a limited basis. You also want to prevent users from authenticating against, as well as services being used by other machines, since the metadata on this DC is aging away w/o replication keeping it up to date

Because of this you want to remove all advertised services via dns lookup. To do this, this DC must be isolated from other DC’s and all replication controlled. For that reason a separate site is required to control Intersite Replication.

The following are the steps taken to create a single lag site dc. If you would like to have more than one time frame to fall back upon, all you need do is repeat these steps for a different DC.

Promote a member server to a DC and allow replication to complete

Don’t load any unnecessary services
Don’t load WINS nor make this a WINS client

Create a separate site and site link (I use “Lag” as part of the name to help document it)

Create a new site
Create a new site link, including the source and the Lag sites. If you notice I have set the Site Link Replication Frequency (Replicate Every) to 15 minutes.

Click on the “Change Schedule” button to set the replication schedule to a time frame that fits for your enterprise. In this example, I have set the replication schedule for Saturday morning from the hours of 12:00 am to 2:00 am. So this site should allow replication updates to occur every 15 minutes, on Saturday’s, from the hours of 12:00 am until 2:00 am. Once a replication cycle starts it will continue until complete, which can go beyond the 2:00 am time frame, but no new cycles will start after 2:00 am.

Define the subnet and link it to a site

Borrowing some knowledge from a blog from Brian Desmond, I have created a separate single host site sub-net. I have reserved the address for the dc in dhcp (I reserved .240) and then defined the subnet as a /32 ip mask. The most precisely defined subnet in sites and services is considered the subnet location.

Move the new dc to the newly defined site (Lag Site)

Now that the DC has been placed in its own site and is no longer receiving regular AD replication updates, it needs to no longer advertise itself as a usable DC. To do this, a Group Policy Object will be created and linked to this new site.

Create a new GPO, but do not link it to any OU or Site at this time
Edit the Policy DC Locator DNS records not registered by the DCs. This is located at Computer Configuration / Administrative Templates / System / Net Logon / DC Locator DNS Records. The following mnemonics should be entered into the entry box:

Ldap LdapAtSite Pdc Gc GcAtSite GcIpAddress DcByGuid Kdc KdcAtSite Dc DcAtSite Rfc1510Kdc Rfc1510KdcAtSite GenericGc GenericGcAtSite Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd

Link this new Group Policy to the “Lag” site, where the new DC resides

Change the policy to allow authenticated users to read and remove (Don’t deny) the right to apply
Add the computer name of the new DC and grant it Read and Apply. This will help prevent the wrong DC’s from having policy applied against.

Shut down the new Lag site DC

Open up the dns zone _msdcs and remove all of the new DC’s dns service records

Do not remove the Alias (CNAME) record at the root of the zone

Power the DC backup

During the reboot any dns records that would be needed will be rebuilt

Run dcdiag, repadmin and dnslint in verbose mode.

DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
dnslint /ad /s "ip address of your dc"

**Note 1: Using the /E switch in dcdiag will run diagnostics against ALL dc's in the forest. If you have significant numbers of DC's this test could generate significant detail and take a long time. You also want to take into account slow links to dc's which will also add to the time.

**Note 2: There are certain errors to expect, since the lag site DC won’t be advertising as a KDC you will be warned about this, etc… But, replication should be error free.

**Note 3: Forced replication will still occur, this model only prevents scheduled replication.

Posted by Paul Bergson | 0 Comments

Thursday, April 25, 2013 6:53 AM

Upgrading AD from 2003 to 2008

Upgrading Active Directory from 2003 to 2008

--- (Note: This is a copy from another site and at this time my snapshots are missing)---

· Microsoft’s Preupgrade check list

· Before upgrading AD verify all current applications are compatible

o Verify you are on the correct version for 2008

§ For example, does your SAN at its current release support 2008

§ Does the version of Exchange you are running support 2008

o Ensure all dc’s Windows 2000 dc’s are at least at SP4

§ From a command prompt run

Ø repadmin/showattr

· Verify that your Active Directory forest is healthy

o DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log

o netdiag.exe /v > c:\netdiag.log (On each dc)

o repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

o ntfrsutl ds your_dc_name > c:\sysvol.log

o dnslint /ad /s "ip address of your dc"

· Get a backup up of at least two separate dc’s, including your PDCe

· Although you can upgrade, I would strongly urge you to do fresh install on all new 2008 installations

o Upgrading

§ Verify that the hardware will be compatible with 2008

§ You cannot directly upgrade from W2K to W2K8, you must go W2K to W2K3 and then W2K3 to W2K8

§ The bloat associated with patching, etc… just is a waste of space

Ø Verify you have plenty of disk space available

Ø If you don’t have a good 20gb of free space, you are probably going to run into space issues, trust me on this. All future patches, etc… that roll into the o/s are kept in the system folder and slowly over time start to chew your volume.

§ verify that the machine upgrading holds the FSMO role of operations Master (Upgrade DC order)

o Fresh install

§ Ensure you had at least a 50gb system partition

§ Consider using x64, all future Windows server operating systems are going to x64 bit, starting with 2008 R2

Prep the forest, domain and dns zones

· Prep your forest

o Copy the adprep folder to a local folder on your dc or run from the cd

o Make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.

o Execute adprep (See KB753437, Be sure this is run on the Schema master, otherwise it will not run)

C:\adprep>adprep /forestprep

ADPREP WARNING:

Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.

[User Action]

If ALL your existing Windows 2000 Active Directory Domain Controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.

c

Opened Connection to DCTEST

SSPI Bind succeeded

Current Schema Version is 30

Upgrading schema to version 44

Connecting to "DCTEST"

Logging in as current user using SSPI

Importing directory from file "C:\WINDOWS\system32\sch31.ldf"

Loading entries............................................................................................................................................

139 entries modified successfully.

You should see multiple entries similar to above. Just let the system spin and you can go take a break while waiting. At the end you will see the following (Hopefully!).

................................................................................

Adprep successfully updated the forest-wide information.

o Although this dc has completed the schema upgrade, you must wait until ALL dc’s in your forest receive this change via replication (Converge).

§ Depending on your forest this could be in a few minutes to possibly days

· Once the proper amount of time has passed, the domain’s should now also be ready to be prep’ped

o If you would like to verify that the forest has been upgraded

§ Start up ADSIEdit

1. Connect to Configuration / Configuration / ForestUpdates / ActiveDirectoryUpdate

1. Right Click and select Properties

1. Revision = 2

Ø Connect to Schema / Schema

Right click and select properties

1. ObjectVersion = 44

o Adprep /domainprep (Domain must be in Native Mode 2003)

§ Adprep /domainprep /gpprep (Use this command line if upgrading from Windows 2000, Windows must be in Native Mode 2000)

C:\adprep>adprep /domainprep

Running domainprep ...

Adprep successfully updated the domain-wide information.

The new cross domain planning functionality for Group Policy, RSOP Planning Mode, requires file system and Active Directory Domain Services permissions to be updated for existing Group Policy Objects (GPOs). You can enable this functionality at any time by running "adprep.exe /domainprep /gpprep" on the Active Directory Domain Controller that holds the infrastructure operations master role.

This operation will cause all GPOs located in the policies folder of the SYSVOL to be replicated once between the AD DCs in this domain. Microsoft recommends reading KB Q324392, particularly if you have a large number of Group policy Objects.

o Although this dc has completed the domain prep upgrade, you must wait until ALL dc’s in this domain receive this change via replication (Converge).

§ Depending on your domain this could be in a few minutes to possibly days

· Once the proper amount of time has passed

o If you would like to verify that the domain has been upgraded

§ Start up ADSIEdit

Ø Connect to Configuration / Configuration / ForestUpdates / ActiveDirectoryUpdate

· If there are any near or far term plans to install RODC’s, prep your dns zones

o Adprep /rodcprep

§ This will traverse through the separate partitions and update the permissions

Ø Verify that the prep completed without error

Adprep completed without errors. All partitions are updated. See the ADPrep.log in directory C:\WINDOWS\debug\adprep\logs\yyyymmdd999999 for more information.

· Prep your domain

o Connect to the FSMO Infrastructure Master role holder

o From the cd either copy the \sources\adprep or run the following:

§ Adprep /domainprep /gpprep

Begin the actual installation

· New 2008 DC

o Verify that the AD DS role has been installed on your 2008 member server

o From an elevated command prompt promote this new DC

§ Dcpromo

·

· The following will pop up

o

· Followed by, Select Next

o

· Read the description on new secure channel controls and verify that you understand its impact and then select next

o KB942564 explains in greater details its impact within your organization

o

· Select Existing Forest and click next

o

· Verify the forest and credentials are properly set and click next

o

· Select a domain for this additional domain controller and click next

o

· Select the site where you would like the new dc to be placed in and click next

o

· Select those additional services you would require this dc to have and click next

o

· If the following pop up box appears

o

§ If you are installing an additional domain controller in either the forest root domain or a tree root domain, you do not have to create the DNS delegation. In this case, click Yes and disregard the message.

· Verify the default locations are as expected and click Next

o

· Enter the AD DS password and click Next

o

· On the Summary dialog box, verify all settings are correct and hit Next

o

· The following box will appear while the promotion advances. Please be patient during this process, depending on the size of your AD environment this could take a few minutes to multiple hours.

o

· Once the promotion is complete, click Finish and Restart the newly promoted dc

o

· Once complete allow all DC’s to properly replicate all changes within the infrastructure

· Microsoft recommends moving the FSMO roles to a 2008 DC

o From Active Directory Users and Computers (ADUC) right click on the domain and select Operations Masters

§

o From each of the three tabs (RID, PDC and Infrastructure) change to a 2008 DC

§

§ If your destination IM is also a GC, make sure all other dc’s are gc’s or that this is a single domain forest. Otherwise you can create phantom object problems.

o From Active Directory Domain and Trusts

§ Verify you are connected to the DC you want to transfer the Domain Naming role to

§ Right click and select Operations Manager

§

o From Schema Management

§ If you haven’t already, register the schema management

· From a command prompt

o regsvr32 schmmgmt.dll

· In the mmc console add the Schema management

· Select the Schema management console and connect to the DC you want to move the FSMO role to

· Right click on Schema management and Select operations Management

o

o To verify all fsmo roles have been transferred run the following from a command prompt

§ Netdom query fsmo

Posted by Paul Bergson | 0 Comments

Filed under: Active Directory upgrade 2003 2008

Wednesday, January 02, 2013 2:21 PM

Preventing Spoke DC’s from Advertising in the Hub Site for Authentication Availability

If you have a hub and spoke site topology, it may not be a good idea for certain (Or all) spoke dc’s to be advertising, via dns services, the ability to provide authentications services. If you have a remote site with a dc that fails it is usually best that the spoke send its users to the hub for authentication purposes. By default Active Directory (AD) doesn’t act this way. If you would like set up your spokes to only advertised in its own site then you will want to configure a group policy (Windows 2003 and above) to prevent these spoke dc’s from advertising. For machines running Windows 2000 you will need to do a reg hack (KB article defined later).

You will need to create a new group policy and define which DC’s will have read and apply policy. Make sure to remove the authenticated users apply permission otherwise ALL dc’s will have this policy applied once it is link to the Domain Controllers ou.

· Open up Group Policy Management and create a new Policy

· Select this new Policy and click on the Delegation tab

o Select the Advanced button

§ Remove the apply permission to the Authenticated users

§ Add each DC you would like to apply this policy to and provide read and apply permissions

· Right click on the policy and select Edit

o Computer Configuration / Administrative Templates / System / Net Logon / DC Locator DNS records

§ Double click on DC Locator DNS records not registered by the DCs

· Key in the Mnemonics below (Copy and paste)

DC DcByGuid Gc GcIpAddress GenericGC Kdc Ldap LdapIpAddress Rfc1510Kdc Rfc1510Kpwd Rfc1510UpdKdc Rfc1510UdpKpwd

· See below for Mnemonics definitions

Wait for/or force replication and then from a command prompt on each dc in question key in the following:

· Gpupdate /force

o This will apply the new policy

· Restart the NetLogon service (Or run netdiag /fix)

o This will update the dns records. Make sure when you check that you verify on the server this dc is attached to or wait for replication to take place.

The following table was taken from the KB article KB306602

Reference Tables

The following tables contain mnemonics, types, and the owner names of the domain controller locator DNS records that should not be registered by the satellite domain controllers and global catalogs to optimize the domain controller location.

Domain Controller-Specific Records

Collapse this tableExpand this table

Mnemonic	Type	DNS Record
LdapIpAddress	A	<DnsDomainName>
Ldap	SRV	_ldap._tcp.<DnsDomainName>
DcByGuid	SRV	_ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
Kdc	SRV	_kerberos._tcp.dc._msdcs.<DnsDomainName>
Dc	SRV	_ldap._tcp.dc._msdcs.<DnsDomainName>
Rfc1510Kdc	SRV	_kerberos._tcp.<DnsDomainName>
Rfc1510UdpKdc	SRV	_kerberos._udp.<DnsDomainName>
Rfc1510Kpwd	SRV	_kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd	SRV	_kpasswd._udp.<DnsDomainName>

Global Catalog-Specific Records

Collapse this tableExpand this table

Mnemonic	Type	DNS Record
Gc	SRV	_ldap._tcp.gc._msdcs.<DnsForestName>
GcIpAddress	A	gc._msdcs.<DnsForestName>
GenericGc	SRV	_gc._tcp.<DnsForestName>

Posted by Paul Bergson | 1 Comments

Wednesday, July 25, 2012 7:01 AM

How to Decommission a Domain Controller

Decommissioning a dc requires all domain services that currently reside on a server need to be moved to other dc’s.

You need to move any fsmo roles from this dc to another dc (KB255960)
- To learn where the roles reside run the command netdom query fsmo
- If the PDCe fsmo role resided on this DC then you need to reconfigure the new holder of the PDCe to either use the internal hardware clock or an external source. I would recommend using an external source KB816042.
There needs to be at least one Global Catalog (GC) in each domain and it is recommended that there is one in each site (KB313994)
Move DNS services to other DC’s if this DC is a DNS provider. Also point all clients that use this server for DNS to the new DNS server
- If AD integrated simply installing DNS on a member server prior to promotion will bring up a new DNS server
- If not AD integrated and this is a primary server then a new primary server will need to be brought online. From DNS server manager the server needs to be promoted to primary
- If a secondary server then make the new dc a new secondary server
If a dhcp server then the dhcp servers database needs to be backed up and copied to the new dhcp server. The old dhcp server deauthorized and the new dhcp server authorized (KB325473)
If you have Encryption File System (EFS) enabled you will need to move the private key if it resides on this dc (KB241201). You use the recovery agent's private key to recover data in situations when the copy of the EFS private key that is located on the local computer is lost
If this server manages Terminal Server Licensing (TSL) then it will have to be moved to a new DC. From Add/Remove programs you will need to add a new TSL. You can then restore the licenses by using the TS License Manager tool with the Telephone activation mechanism. You can switch to the Telephone mechanism by right clicking on the server in TS License Manager, and then selecting properties from the menu. (TS FAQ)

Finally once this is all accomplished go ahead and demote the dc to a member server (KB238369)

Posted by Paul Bergson | 0 Comments

Filed under: dcpromo "active directory" fsmo

Tuesday, July 03, 2012 5:04 PM

Create A Test Domain (Old Style)

This document was prepared for the building of a copy of the production Active Directory. Following these steps will define how to rebuild the entire Microsoft Active Directory for a test domain. *** Be careful ***

The first set of steps is to get a good pc into the production domain. Once this pc is a member it needs to be promoted and be a healthy participant in the network. The new DC then needs to be removed from the network before it is restarted (From its restore) to prevent any replication activity from damaging the production system. Reconnection to the production system will create major problems in the production system

1. Shutdown ALL pc’s within the test sub-net (For this document it will be 192.168.1.x, gateway = 192.168.1.250), mask = 255.255.255.0

2. Remove the physical cable for the new pc and build the member server (This all should reside within the test domain) in production

· Install DNS (AD Integrated needed for this document)

3. Re-connect the cable and join the Domain_Name.com domain

· Select the IP Address 192.168.1.101

· Select the mask to 255.255.255.0

· Select the Gateway 192.168.1.250

· Point the DNS services to a production AD DNS server

4. Promote the server to a Domain Controller (DC) via dcpromo.exe

5. Promote the server to a Global Catalog Server

6. Let the system sit idle (2 hours) for Replication to sync up

· Point the DNS services to itself

7. Open up a command prompt

· dcdiag /v /test:ridmanager

· Make sure no errors with the rid manager

· Create an object on the new DC

· Physically disconnect the cable

· Bring up “Active Directory Users and Computers”

· By disconnecting you force the system to attach locally

· Create a test user with the account disabled

· Reconnect the physical cable

8. At a command prompt type in NTBACKUP and do a system state backup saving the file to the local server

9. Demote this server to a member server with in the production domain (DCPROMO)

· Remove the NS record in the production environment

10. Physically disconnect the server from the network by unplugging the cable from the hub

11. Move the server to the test domain

12. Re-Promote once this system has been disconnected and the ip changed

· Dcpromo

· Domain Name = Domain_Name.com

· NetBios Name = NetBIOS_Name

· Allow the promotion to create the DNS domain

· Once this DC is brought online (The DNS services on the member server can be shut down), define it with Integrated Active Directory DNS and all name space records will be restored. Make sure to bring up DNS and select reload to refresh all data

· Active Directory Integrated

· Only Secure Updates

13. Reboot this server and After the POST Select F8

· Scroll down and select the option

“Directory Services Restore Mode (Windows 200x domain controllers only)”

14. Log on as the administrator (This is within the old SAM account)

15. Restore the System State from the previous NTBACKUP

16. Re-boot the Domain Controller (DC)

Now that the DC is restored it needs to take control of all Flexible Single Master Operation roles (FSMO and the File Replication service). Because of this utilities need to be loaded off of the Windows 200x install CD. NTDSUTIL will perform most of these steps. Since this is the first DC it needs to be a Global Catalog server and validate that it is the primary server in the domain.

17. After the POST Select F8

· Scroll down and select the option

“Directory Services Restore Mode (Windows 200x domain controllers only)”

18. Log on as the administrator (This is within the old SAM account)

19. Install the Windows 200x Active Directory Administration Tools from the server cd

· D:\i386\ Adminpak.msi

20. Install the Windows 200x Server Resource Kit from the server cd

· D:\support\tools\200xrkst.msi

21. Re-boot the Domain Controller (DC)

22. Log on as the administrator (This is with the AD account)

23. Reset the ip address to the test domain, the restore resets the ip address. Make sure to also point the dns server to itself as well

24. Set this server as a Global Catalog (Ignore this step in a multi-domain environment and this DC holds the Infrastructure Master Role)

· Click Start, click Run, type mmc, and then click OK

· On the Console menu, click Add/Remove Snap-in, click Add, double-click Active Directory Sites and Services, click Close, and then click OK

· Double Click Active Directory Sites and Services

· Double Click Sites

· Double Click MP-Default-Site

· Double Click Servers

· Double Click the DC

· Right Click on NTDS Settings and Select Properties

· If the “Global Catalog” check box is not checked, check it

25. All Flexible Single Master Operations (FSMO) roles need to reside on this DC

· Seize the PDC

· Click Start and then click Run

· In the Open text box, type ntdsutil

· Type roles

· Type connections

· Type connect to server <DC name>

· Type q

· Type seize pdc

· Click “Yes”

· Seize the Infrastructure master role

· Type seize infrastructure master

· Click “Yes”

· Seize the Domain Naming master role

· Type seize domain naming master

· Click “Yes”

· Seize the schema master role

· Type seize schema master

· Click “Yes”

· Seize the RID Master Role

· Type seize rid master

· Click “Yes”

· Type q

26. Remove all other DC server objects (Repeat this step for each DC) KB216498

· Click Start and then click Run

· In the Open text box, type ntdsutil

· Type metadata cleanup

· Type connections

· Type connect to server <DC>

· Type q (The metadata cleanup prompt should now show)

· Type select operation target

· Type list domains (A list of domains should be displayed)

· Type select domain <#> (This is the domain of the server to be pruned)

· Type list sites (A list of sites should be displayed)

· Type select site <#> (This is the site of the server to be pruned)

· Type list servers in site (A list of servers should be displayed)

· Type select server <#> (This is the server to be pruned)

· Type q

· Type remove selected server (You should get confirmation of the removal)

· Type q

27. Remove all other DC orphaned records in Active Directory (Repeat this step for each DC) KB216498

· Click Start - Programs - Windows 200x Support Tools - Tools - ADSI Edit

· Delete the computer account in OU=Domain Controllers, DC=Domain_Name,DC=com

· Delete the FRS member object in CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=Domain_Name,DC=com

28. Remove all other DC orphaned records in DNS

· Click Start - Programs - Administrative Tools - DNS

· Click <DC>.Domain_Name.com - Forward Lookup Zones - Domain_Name.com

· Delete the cname (alias) of all other DC’s

· Delete the a record of all other DC’s

29. This DC needs to be the File Replication Service Master (KB316790)

· Stop the File Replication service on the DC

· Make sure the following folders exist, if not create them

· C:\WINNT\SYSVOL\staging

· C:\WINNT\SYSVOL\sysvol (Share as SYSVOL)

· C:\WINNT\SYSVOL\sysvol\Domain_Name.com

· copy the contents of C:\WINNT\SYSVOL\domain to this folder

· Start Registry Editor (Regedt32.exe)

· Locate and then click the BurFlags value under the following key in the registry:

· HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

· On the Edit menu, click DWORD, click Hex, type D2, and then click OK

· Quit Registry Editor

· Restart the File Replication Service

· Check the FRS event viewer to see if the system states that the sysvol is now being shared and defines all the paths

30. Ensure that the DC has registered the proper computer role

· Enter net accounts at a dos prompt

· The computer role should say "primary”

Finally any information related to the old DC’s need to be purged from AD.

31. Re-boot the Authoritatively restored DC

32. Within the production system delete the test user and computer account

33. Within the production system delete the server object within the site that it was placed into for replication

Note: The File Replication Service can prevent the computer from becoming a Domain Controller (See below). If when doing a dcdiag a message states that the rid pool is corrupt, what is probably happening is there are problems with replication. Check the “File Replication Service” Event Log. Also make sure that all sub-folders are available within c:\winnt\sysvol.

To re-test just the rid pool: dcdiag /v test:ridmanager

Never again connect this server to the production system!!!

When you restore a domain controller from backup (or when you restore the System State), the FRS database is not restored because the most up-to-date state exists on a current replica instead of in the restored database. When FRS starts, it enters a "seeding" state and then tries to locate a replica with which it can synchronize. Until FRS completes replication, it cannot share Sysvol and Netlogon.

If you restore all of the domain controllers in the domain backup, all the domain controllers enter the seeding state for FRS and try to synchronize with an online replica. This replication does not occur because all of the domain controllers are in the same seeding state. Setting the primary domain controller FSMO role holder to be authoritative forces the domain controller to rebuild its database based on the current contents of the system volume. When that task is completed, the Sysvol and Netlogon shares are shared. All the other domain controllers can then start synchronizing from the online replica

(See - KB316790)

Posted by Paul Bergson | 0 Comments

Tuesday, May 15, 2012 1:39 PM

Windows 2000/2003 Replication through a Firewall

Configuring Domain Controller Ports

To establish secure communications between DC’s defined and variable ports (High Ports) need to be able to communicate. In the scenario defined below the internal dc’s have no outbound restrictions, inbound is restricted to a need to have with the restriction of 200 RPC ports are set for on demand need.

The following port definitions should be defined on ALL DC's within the DMZ that could be replicating to external DC’s. These define which ports will be made available to there requesting DC's.

Start Registry Editor (Regedt32.exe).

Restrict FRS Traffic to a Specific Static Port - KB319553

Locate and then click the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters

New = Reg_DWORD

Name = RPC TCP/IP Port Assignment

Value = 10000 (Decimal)

Restricting AD replication traffic to a single port - KB224196

Locate and then click the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

New = REG_DWORD

Name = TCP/IP Port

Data = 10001 (Decimal)

RPC dynamic port allocation - KB154596
(Only allow ports 10002 - 10200 for RPC from other machines)

Locate and then click the following key in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\

Create a New Key = Internet

Locate and then click the following key in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\

Add the values

"Ports" (MULTI_SZ) = 10002-10200

"PortsInternetAvailable" (REG_SZ) = Y

"UseInternetPorts" (REG_SZ) = Y

Configure 2003 Firewall Ports – KB179442

135	TCP	RPC	RPC Connector Helper (Machines connect to find out what high port to use)
137	TCP	UDP	NetBIOS Name
138		UDP	NetBIOS Netlogon and Browsing
139	TCP		NetBIOS Session
123		UDP	NTP
389	TCP	UDP	LDAP
636	TCP		LDAP SSL
3268	TCP		LDAP GC
3269	TCP		LDAP GC SSL
42	TCP		WINS Replication
53	TCP	UDP	DNS
88	TCP	UDP	Kerberos
445	TCP	UDP	SMB over IP (Microsoft-DS)
123		UDP	NTP
10000	TCP		RPC NTFRS
10001	TCP		RPC NTDS
10002 –10200	TCP		RPC – Dynamic High Open Ports
	ICMP

If you would like to test connectivity to validate FRS communication

NTFRSUTL version server_name

If the two can communicate through the firewall via FRS the response will provide the current version number

If you would like to validate connectivity between DC’s use the tool PortQryUI

Download PortQryUI and run the tool

Select the destination DC or PDC

Select Domains and Trusts

Validate the ports that should be open in fact are via the output provided by the tool.

For additional info on this tool see PortQry features, this is the backend tool for PortQryUI

Posted by Paul Bergson | 0 Comments

Filed under: "Active directory" firewall ports 2000 2003 "domain controller"

Thursday, May 03, 2012 6:51 AM

How to Remotely Promote Server Core to a Read Only Domain Controller (RODC)

If you would like to promote a Windows 2008 server core o/s to a RODC but the server is at a remote location, you can run into multiple road blocks. Firewall ports need to be opened, remote management needs to be enabled plus you need configuration information configured. The following text should help assist you in building this remote installation.

By default Server core has the firewall enabled. To open up the ports on the Firewall requires either setting up group policy if a domain machine or logging locally and configuring. By default, when a server role is installed, the correct ports are automatically configured to allow the role to function as well as to allow remote management, so no additional work is required.

Configuring the firewall:
To open the firewall for remote management, as a local admin from a command prompt on server core, key in the following:
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

Enabling Remote Management:
To enable remote management via the Remote Shell, as a local admin from a command prompt on server core key in the following:
Winrm quickconfig

If you want to run this on a secure channel you can open an HTTPS listener, as a local admin from a command prompt on server core key in the following:
winrm quickconfig -transport:https

Installing the DNS role:
To install DNS, from a command prompt on the remote workstation key in the following (Be sure to replace servercore = Remotely Managed Server):
Winrs -r:servercore start /w ocsetup DNS-Server-Core-Role

Promoting to an RODC: (Performing a Staged RODC Installation)

Start by pre-creating the server account (From Microsoft’s pre-staged deployment):

Save the text below and execute the following command to pre-create the RODC account (Note: Be sure to replace DomainName with your Domain Name)
dcpromo.exe /CreateDCAccount /ReplicaDomainDNSName:DomainName.com /unattend:\\longhorn\netlogon\precreate.txt

The next line is the start of pre-create RODC unattended text file
; DCPROMO unattend file
; Usage:
; dcpromo.exe /CreateDCAccount /ReplicaDomainDNSName:pbbergs.com /unattend:\\longhorn\netlogon\precreate.txt
;
[DCInstall]
; Read-Only Replica DC promotion (stage 1)
DCAccountName=servercore
; RODC Password Replication Policy
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="PBBERGS\Denied
RODC Password Replication Group"
PasswordReplicationAllowed="PBBERGS\Allowed RODC
Password Replication Group"
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
ReplicationSourceDC=Longhorn.pbbergs.com

The end of the pre-create RODC unattended file

To install the Domain Services role and promote the server core to a Domain Controller, from a command prompt on the remote workstation key in the following:
Winrs -r:servercore dcpromo /unattend:c:\unattended\promote.txt

The next line is the start of the dcpromo RODC unattended text file

; DCPROMO unattend file (automatically generated by dcpromo)
; Usage:
; dcpromo.exe /unattend: \\longhorn\netlogon\answer.txt
;
[DCInstall]
;
ReplicaOrNewDomain=Replica
ReplicationSourceDC:"pbbergs.com"
InstallDNS=Yes
ConfirmGc=Yes
CriticalReplicationOnly=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
SafeModeAdminPassword=pa$$w0rd
; Run-time flags (optional)
RebootOnCompletion=Yes

The end of the dcpromo RODC unattended text file

Hopefully this article has helped you to get started, it is not trivial, and it took me multiple attempts on many steps to get it correct and working.

I would love to hear feedback on your success or problems that may have arisen in your attempt to remotely promote a server core to a RODC. You can write to me at pbbergs@msn.com.

Posted by Paul Bergson | 1 Comments

Filed under: core "active directory" unattended rodc

Tuesday, May 01, 2012 8:48 AM

External Forest Trust Configuration with a Firewall - Windows 2003 and NT4

An external forest trust relies on NetBIOS name resolution, dns is not involved.

All trust communication traffic flows between the Windows 2003 PDCe and the PDC. It doesn’t matter how you have your LMHosts table setup or your firewall setup the trust is only going to work with these two being able to talk to one another.

WINS Configuration

Using the web site LMHost Creator create the lmhost files for the trust for name resolution. (Per KB180094)

I highly recommend using this site to generate the LMHosts file!!!

Windows 2003

10.0.0.1 NT4_Server #PRE #DOM:NT4_Domain ß The name NT4_Server should be your PDC
10.0.0.1 "NT4_DOMAIN \0x1b" #PRE

NT4

10.0.0.1 2003_Server #PRE #DOM:2003_Domain ßThe name 2003_Server should be your PDCe
10.0.0.1 "2003_DOMAIN \0x1b" #PRE

Note The domain name in this entry is case sensitive. Make sure that you use uppercase characters for the domain name. If you use lowercase characters for the domain name, NetBT does not recognize the name.

Note Make sure that you space these entries correctly. Replace 10.0.0.1 with the IP address of your primary domain controller (PDC). Replace PDCName with the NetBIOS name of your PDC, and replace domain with your Windows NT domain name. There must be a total of 20 characters within the quotations (the domain name plus the appropriate number of spaces to pad up to 15 characters, plus the backslash, plus the NetBIOS hex representation of the service type).

To help determine where the sixteenth character is, copy the following line to your Lmhosts file:
# IP Address "123456789012345*7890"

Line up the double quotation marks (") by adding or removing spaces from the comment line, and put the \ on the sixteenth column (the column marked with the asterisk). You must use spaces after the name and before the \, not a tab.

Name Resolution Tests

Windows 2003

Nbtstat –R - Purges and reloads the remote cache name table
Nbtstat -c - Lists NBT's cache of remote [machine] names and their IP addresses

NT4

Nbtstat –R - Purges and reloads the remote cache name table
Nbtstat -C - Lists NBT's cache of remote [machine] names and their IP addresses

Note The -c is case sensitive and must be lowercase (Uppercase for NT4). After you type this text, you should receive a display that is similar to the following:

Node IpAddress: [10.0.0.5] Scope Id: []

NetBIOS Remote Cache Name Table

Name Type Host Address Life [sec] ----------------------------------------------------------

PDCName <03> UNIQUE 10.0.0.1 -1

PDCName <00> UNIQUE 10.0.0.1 -1

PDCName <20> UNIQUE 10.0.0.1 -1

Domain <1B> UNIQUE 10.0.0.1 -1

Configuring Domain Controller Ports

The following port definitions should be defined on ALL DC's within the DMZ that could be replicating to external DC’s. These define which ports will be made available to there requesting DC's.

Start Registry Editor (Regedt32.exe).

Restrict FRS Traffic to a Specific Static Port - KB319553
Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters
New     =          Reg_DWORD
Name   =          RPC TCP/IP Port Assignment
Value   =          10000              (Decimal)

Restricting Active Directory replication traffic to a specific port - KB224196
Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
New     =          REG_DWORD
Name   =          TCP/IP Port
Data     =          10001              (Decimal)

RPC dynamic port allocation - KB154596 (Only allow ports 10002 - 10200 for RPC from other machines)
Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\
Create a New Key = Internet

Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\
Add the values
"Ports" (MULTI_SZ)                            =          10002-10200
"PortsInternetAvailable" (REG_SZ)       =          Y
"UseInternetPorts" (REG_SZ)               =          Y

If you would like to test connectivity to validate FRS communication (This communication is for Windows 2003 to Windows 2003 communications only)

NTFRSUTL version server_name

If the two can communicate through the firewall via FRS the response will provide the current version number

If you would like to validate connectivity between the NT4 and PDCe use the tool PortQryUI

Download PortQryUI and run the tool
Select the destination DC or PDC
Select Domains and Trusts
Validate the ports that should be open in fact are via the output provided by the tool.

For additional info on this tool see PortQry features, this is the backend tool for PortQryUI

Configure 2003 Firewall Ports – KB179442 (This is between a dmz’d DC and an internal DC, these settings are for AD replication as well)

135	TCP	RPC	RPC Connector Helper (Machines connect to find out what high port to use)
137	TCP	UDP	NetBIOS Name
138		UDP	NetBIOS Netlogon and Browsing
139	TCP		NetBIOS Session
123		UDP	NTP
389	TCP	UDP	LDAP
636	TCP		LDAP SSL
3268	TCP		LDAP GC
3269	TCP		LDAP GC SSL
42	TCP		WINS Replication
53	TCP	UDP	DNS
88	TCP	UDP	Kerberos
445	TCP	UDP	SMB over IP (Microsoft-DS)
123		UDP	NTP
10000	TCP		RPC NTFRS
10001	TCP		RPC NTDS
10002 –10200	TCP		RPC – Dynamic High Open Ports
	ICMP

Configure NT4 Firewall Ports (If there is only an NT4 box outside the firewall than the previous is unneeded)

135	TCP	UDP	RPC Connector Helper
137	TCP	UDP	NetBIOS Name
138		UDP	NetBIOS Netlogon and Browsing
139	TCP		NetBIOS Session
42	TCP		WINS Replication
123		UDP	NTP
10000 – 10200	TCP		RPC – Dynamic High Open Ports

Made following Changes in Default Domain Controller Group Policy

Computer Configuration \ Windows Settings \ Security Settings \ Security Options
      Microsoft network client: Digitally sign communications (always) DISABLED (Default ENABLED)
      Microsoft network client: Digitally sign communications (if server agrees) ENABLED (Default ENABLED)
    Microsoft network server: Digitally sign communications (always) DISABLED (Default ENABLED)
    Microsoft network server: Digitally sign communications (if client agrees) ENABLED (Default ENABLED)
    Domain member: Digitally encrypt or sign secure channel data (always) DISABLED (Default ENABLED)
    Domain member: Digitally encrypt secure channel data (when it is possible) ENABLED (Default ENABLED)
    Domain member: Digitally sign secure channel data (when it is possible) ENABLED (Default ENABLED)
    Network access: Restrict anonymous access to Named Pipes and shares DISABLED (Default ENABLED)
    Network access: Do not allow anonymous enumeration of SAM accounts and shares DISABLED (Default ENABLED)
    Network access: Do not allow anonymous enumeration of SAM accounts DISABLED (Default ENABLED)
    Network access: Allow anonymous SID/Name translation  ENABLED (Default DISABLED)
    Domain member: Digitally encrypt or sign secure channel data (always) DISABLED (Default ENABLED)
    Domain member: Require strong (Windows 2000 or later) session key DISABLED (Default ENABLED)

Made following Changed in Registry of 2003 PDCe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\EveryoneIncludesAnonymous 1 (default 0)HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess 0 (default 1)

Once all these steps have been completed the Trust can now be established

How to establish trusts with a Windows NT-based domain in Windows Server 2003

There is a complete set of troubleshooting options available on KB889030

Posted by Paul Bergson | 0 Comments

Filed under: "NT4 trust" "Active Directory" firewall ports portqryui

Monday, April 23, 2012 7:04 AM

User Account Lockout Troubleshooting

Do any of these symptoms sound familiar?

·         A users account keeps getting locked out, even though they haven’t even had to enter their credentials except to maybe unlock their screensaver
·         A scheduled task quit working, such as a night backup job
·         Services that used to start up at boot up will no longer start even if attempted manually

These are typical symptoms of a recently changed password where other resources are using this same account but are unaware of the recent password change. Things to check to assist in this troubleshooting are:
·         Is the account logged onto more than one machine
    o   A user could have mapped drives to a resource from one machine, on a different machine he changes his password and then the first machine attempts to stay mapped to a drive and the password is no longer correct and eventually locks the user out.
·   If a service is running that is attempting to authenticate and has an invalid password, it may attempt multiple times and lockout the account

Also ensure to review any mobile devices that your user might be using. If they have a cell phone/tablet with an embedded password the handheld maybe attempting to authenticate. This error will show up in the event logs and may the hardware may show up as a router or switch.

To help try and track down where the account is getting locked out use eventcombMT.exe from the Account Lockout tools found out Microsoft's website. Use the built in search AccountLockouts. Once the Event logs have been inspected and a new text file has been created, search within this text file for the locked account in question.

You can also set the debug flag on NetLogon to track authentication. "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."

http://support.microsoft.com/kb/189541
http://support.microsoft.com/kb/109626

Posted by Paul Bergson | 1 Comments

Filed under: "Account Lockout" "Active Directory"

Thursday, June 30, 2011 9:21 PM

Configuring IPv4 as Default over IPv6

Starting with Windows Vista and Server 2008, IPv6 is the default over IPv4. This can be annoying if your enterprise network isn’t prepared to support this. You can modify this default behavior by OR’ing and registry setting on your machine.

The registry setting is the DisabledComponents registry value and it controls a series of bit flags as defined below:

· Bit 0 Set to 1 to disable all IPv6 tunnel interfaces, including ISATAP, 6to4, and Teredo tunnels. Default value is 0

· Bit 1 Set to 1 to disable all 6to4-based interfaces. Default value is 0

· Bit 2 Set to 1 to disable all ISATAP-based interfaces. Default value is 0

· Bit 3 Set to 1 to disable all Teredo-based interfaces. Default value is 0

· Bit 4 Set to 1 to disable IPv6 over all non-tunnel interfaces, including LAN interfaces and Point-to-Point Protocol (PPP)-based interfaces. Default value is 0

· Bit 5 Set to 1 to modify the default prefix policy table to prefer IPv4 to IPv6 when attempting connections. Default value is 0

Note Bits beyond Bit 5 are not used at this time

A single byte consists of 8 bits, these bits can have a value of 1 or 0. In the DisabledComponents instance each of the first five bits refer to a switch, with 1 being on a 0 being off. This can also be thought of as either true/false or on/off.

The zero bit refers to 0 or 1
The one bit refers to 0 or 2
The two bit refers to 0 or 4
The three bit refers to 0 or 8
The four bit refers to 0 or 16
The five bit refers to 0 or 32
The six bit refers to 0 or 64
The seven bit refers to 0 or 128

If you add all the bits up when set to a one the maximum value is 255. Why do I bring this up? In order to modify a bit you need to not modify the bits around it. So first off you realize that the last three bits aren’t used so the maximum value will be – 1 + 2 + 4 + 8 + 16 + 0 + 0 + 0 = 31. So the largest this key can ever be (Barring disabling IPv6 which will be set to the DWord of 0xFFFFFFFF).

So on to setting the default of IPv4 over IPv6 is to examine the fifth bit if it is zero then you need to modify the value by adding 16. If the current value is equal to or greater than 16 than you know that the fifth bit is already set.

To take an example:

If the key is equal to 10, then you can see that:

· 6to4-based interfaces is disabled

· Teredo-based interfaces is disabled

By adding (Or’ing 00010000) 16 to the key you end up with 26 which says, bits 1, 3 and 4 are all set to a 1 (Or are true).

For additional details refer to the technet article:
http://technet.microsoft.com/en-us/library/bb878057.aspx

I have a seperate Blog on disabling IPv6
http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx

Posted by Paul Bergson | 0 Comments

Filed under: Windows IPv6 IPv4 DisabledComponents

Wednesday, April 27, 2011 9:29 PM

How to Create an Active Directory User Provisioning System

This blog will detail how I created an Active Directory (AD) user provisioning tool with PowerShell. It probably won’t be what you expect; the amount of front end entry is almost non-existent. The key to consistency within your enterprise is to take as much of the human element out of the picture as possible. Without proper edit and control, organizations will find two user objects created by the same employee won’t hold to a standard of entry. There in lies the key to this project.

Although the code and the process in this endeavor is new, the original project itself is a rewrite. Previous team members Steve Laskowski, Richard Narum and Dale Peterson have all written Perl or VB.Net in different forms to create an user object. This newest process was created in Powershell. The GUI was developed using Primal Forms by Sapien. There is both a freeware tool as well as a full version, I opted for the full version. Primal Forms generated all the lines of code for me, I am by no means a .Net developer but this development tool allowed me to create a tool rather quickly.

The jr admin running this front end script does not have to have any special permissions within AD. The user just needs the ability to run the script and be able to save an XML file created by the script to a pre-defined location (Queue). Once this file has been saved, a backend scheduled task (I execute it every minute from 6:00 am to 6:00 pm) to inspect the folder for a new file specially named as defined below. The file has a random number built into the system to ensure that duplicate names can be created (Even though you can’t create duplicates) and multiple users can create files at the same time, so as you will see the real power is being able to have a secondary process drop XML files into the queue and the process can process them as required. This will allow an administrator to run a script and drop all the users they need into a folder and generate as many users as needed. That was the emphasis behind this project, our Human Resources (HR) synchronization process currently when a user is discovered missing within AD a report is generated, with this new process the user can be created without any intervention on the AD side. One this is complete, we can then examine synchronizing other LDAP systems such as secondary Oracle db’s.

I have provided the Primal Forms so you can modify the form and the attirbutes passed within the xml. So whatever you want to pass, you can but we went to the absolute minimums so as to keep things consistents as possible.

All of the scripts, xml files and cmd file all reside in the same location.

When the GUI is started, there is a cmd file which verifies that PowerShell has been loaded. The code is displayed below.

As you can see the check is to see if the Powershell executable exists, if not a message is displayed, if so then call frontEndForm.ps1

########################################################################

@echo off

Rem Verify that Powershell is loaded on this desktop before proceeding

if not exist "%systemroot%\system32\Window~1\v1.0\powershell.exe" goto noPowershell

Rem Start up the GUI

net use v: \\server\share\newADUser

v:

cd \

powershell -ExecutionPolicy Unrestricted -command .\frontEndForm.ps1

c:

net use v: /del /y

Goto End

Rem Can't Proceed, Powershell needs to exist to run the front end script

:NoPowershell

Echo.

Echo Powershell not loaded on this workStation

Echo Script aborted

Echo.

Pause

:End

########################################################################

Once the newUser script is called the form has to be built. There are several drop down boxes that need to be populated, two by XML files and a third by the user objects within AD.

Front End:

There are only four fields for user data entry; User Id, First Name, Middle Initial and Last Name. Along with this there are eight additional selections; three drop downs and five check boxes. The drop down boxes Business Unit and Account Type are built from xml files.

Business Unit:

The drop down box is populated by the attribute businessUnitNameX and the attribute businessUnitDNX will be used in the backend process to place the new user object in the defined OU. A partially defined XML file is shown below:

<?xml version="1.0"?>

<!-- Below is the configuration settings for the newuser Powershell Script

businessUnitX - Company the new user is defined to work for

businessUnitNameX - Complete Company Name

businessSMTPX - E-Mail Domain Name

businessUnitDNX - Distinguished Name of the OU where the new user will be placed

-->

<row>

<businessUnitDNX>OU=Acme,OU=Employees,OU=Users,DC=acme,DC=com</businessUnitDNX>

</row>

<row>

<businessUnitNameX>Acme Pencil Unit</businessUnitNameX>

<businessUnitDNX>OU=APU,OU=Employees,OU=Users,DC=acme,DC=com</businessUnitDNX>

</row>

Account Type:

The drop down box is populated by the attribute accountTypeX which will be used in the backend process to prepend the value, along with other values discussed later, on the user account description attribute. A defined XML file is shown below:

<?xml version="1.0"?>

<!-- Below is the configuration settings for the newuser Powershell Script

accountTypeX - Descriptive value used for association the user type being created

-->

<row>

<accountTypeX>Local Administrator</accountTypeX>

</row>

<row>

<accountTypeX>Permanent Employee</accountTypeX>

</row>

<row>

<accountTypeX>Service Account</accountTypeX>

</row>

<row>

<accountTypeX>Temporary Employee</accountTypeX>

</row>

</Configuration>

Account Requested By:

This drop down box is populated by all the user accounts, within AD, that exist from a base defined in the XML configuration file. This leads me into the XML Configuration file, my goal was to allow this script to be installed by just modifying the four XML files. The values within the Configuration file are

Configuration.xml

<?xml version="1.0"?>

<!-- Below is the configuration settings for the newuser Powershell Script

Description - Description to be placed in user attribute

OrganizationalUnit - Distinguished name where to place newly created user

Description - Value to be placed in the new user's description attribute

Root - Root location of where share is to be created for the new user

ScriptPath - Executable for the logon script for the new user

HomeDrive - Drive letter for the home drive for the new user

xmlLocation - Location of xml files that contain the request for the new user .\ = same location as configuration files (Must end with a \)

expirationLength - Length of time in days, before the account is expired

sqlServerX - Optional SQL Server Database, if populated then script expects to write to sqlDataBaseX audit details

sqlDataBaseX - SQL database

-->

<row>

<descriptionX>User Account Created by Powershell Script</descriptionX>

<rootX>\\usera\useradmin$\user</rootX>

<scriptPathX>logonScript.cmd</scriptPathX>

<xmlLocationX>\\server\share\newADUser\queue\</xmlLocationX>

<userBaseX>OU=Employees,OU=Users,DC=acme,DC=com</userBaseX>

<emailFromX>adAdmin@acme.com</emailFromX>

<emailToX>NewActiveDirectoryUserDL@acme.com</emailToX>

<sqlServerX>sqlServer</sqlServerX>

<sqlDatabaseX>adAuditDB</sqlDatabaseX>

</row>

</Configuration>

StorageGroups.xml

<?xml version="1.0"?>

<!-- Below are the server/storage group/Database's that are randomly selected to where a new user will be created

By duplicating targets you can weight updates to go more often to those if so needed

Pattern is ExchangeServer\StorageGroup\Database

To list out all db's in you enterprise bring up the Exchange Management shell as an admin and key in the following

get-mailboxDatabase

-->

<xmlSGX>exchangeServer\StorageGroup1\MailBox1</xmlSGX>

</target>

<xmlSGX>exchangeServer\StorageGroup2\MailBox1</xmlSGX>

</target>

</Databases>

After “Ok” is selected, the xml file NewUser_UserName_RandomNumber.xml is built via userTemplate.xml from data entered by the jr admin running the gui script.

userTemplate.xml

<?xml version="1.0"?>

<!-- Below is the configuration settings for the newuser Powershell Script form that is created

aliasX - UserId (Free form entered)

firstNameX - First name of newly created user (Free form entered)

mInitialX - Middle initial of newly created user (Free form entered)

lastNameX - Last name of newly created user (Free form entered)

createdByX - Computer and User running this tool that created this file (From WMI call)

requestedByX - Person who requested this new user be created (From Drop Down)

businessUnitX - Business Unit the new user belongs to (From Drop Down)

accountTypeX - Type of account this new user is (From Drop Down)

emailFlgX - Should this new user not be given an email mailbox (Check box - True or False)

postiniFlgX - Should this new user not be added to Postini for external email inbound (Check box - True or False)

enableAcctFlg - Should this new user's account be enabled (Check box - True or False)

expireAcctFlg - Should this new user's account expire after 90 days (Check box - True or False)

folderFlgX - Should this new user not be given an home folder (Check box - True or False)

<row>

</row>

</employee>

Example:

newUser_pbbergs_1175854108.xml