Still an MVP but now DS MVP
I have been awarded the Microsoft Most Valuable Professional for a 9th time. I started off as an MIIS MVP (even though ILM had been released 4 months previously). Then I became an ILM MVP in 2008, then in 2010 it was FIM MVP (or was that 2011?). Now with FIM changing to MIM, and in an effort to reduce the administrative paperwork the Microsoft MVP team has every time MMS/MIIS/ILM/FIM/MIM changes names, all FIM MVPs have become DS (Directory Services) MVPs. ;) Actually, they decided that there was enough overlap and dependency that it made sense to combine them. So now I am a Directory Services MVP.
Escaping an AD Replication Island
On a dark and stormy night an Active Directory upgrade was underway, Windows Server 2003 domain controllers decommissioned, consolidated and replaced with Windows Server 2008 R2 servers. Suddenly I got a call from those doing the upgrade: “I can’t see some of the new domain controllers on the existing domain controllers, what’s wrong?”
A replication island had been created and several domain controllers were trapped on it. Could we rescue them in time?
What AD Attributes are indexed? ANR? Tuple? PowerShell
# Each query returns the attributeSchema objects whose searchFlags value has a given bit set.
# The :1.2.840.113556.1.4.803: rule is the LDAP bitwise-AND matching rule, so =32 tests the
# tuple-index bit, =4 the ANR bit and =1 the plain index bit.
Import-Module ActiveDirectory
Write-Host "Tuple Index Enabled Attributes"
Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext) -SearchScope OneLevel -LDAPFilter "(searchFlags:1.2.840.113556.1.4.803:=32)" -Properties objectClass, name, whenChanged, whenCreated, lDAPDisplayName | Out-GridView
Write-Host "ANR Enabled Attributes"
Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext) -SearchScope OneLevel -LDAPFilter "(searchFlags:1.2.840.113556.1.4.803:=4)" -Properties objectClass, name, whenChanged, whenCreated, lDAPDisplayName | Out-GridView
Write-Host "Indexed Enabled Attributes"
Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext) -SearchScope OneLevel -LDAPFilter "(searchFlags:1.2.840.113556.1.4.803:=1)" -Properties objectClass, name, whenChanged, whenCreated, lDAPDisplayName | Out-GridView
The above script is something I use to quickly look and see what is indexed in an AD environment.
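As an added example (not code from the original post), the three queries above can be collapsed into one schema query that decodes every searchFlags bit by name, which also surfaces the security-relevant bits (Confidential, RODCFiltered) alongside the index bits. It assumes the RSAT ActiveDirectory module and a domain-joined session; the bit names follow MS-ADTS.

```powershell
# Added example, not code from the original post. Assumes the RSAT
# ActiveDirectory module is installed and the session can reach a DC.
Import-Module ActiveDirectory

# searchFlags bit values as defined in MS-ADTS (Search Flags).
$SearchFlagBits = @{
    1    = 'Indexed'
    2    = 'ContainerIndexed'
    4    = 'ANR'
    8    = 'PreserveOnDelete'
    16   = 'CopyOnDuplicate'
    32   = 'TupleIndex'
    64   = 'SubtreeIndex'
    128  = 'Confidential'
    256  = 'NeverAuditValue'
    512  = 'RODCFiltered'
    1024 = 'ExtendedLinkTracking'
    2048 = 'BaseOnly'
    4096 = 'PartitionSecret'
}

function ConvertFrom-SearchFlags {
    # Expand an integer searchFlags value into the names of the bits it has set.
    param([Parameter(Mandatory)][int]$Value)
    $names = foreach ($bit in ($SearchFlagBits.Keys | Sort-Object)) {
        if ($Value -band $bit) { $SearchFlagBits[$bit] }
    }
    $names -join ', '
}

# One schema query instead of three: every attribute with any searchFlags bit set.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags>=1))' `
    -Properties lDAPDisplayName, searchFlags, whenChanged |
    Select-Object lDAPDisplayName, searchFlags,
        @{ Name = 'Flags'; Expression = { ConvertFrom-SearchFlags $_.searchFlags } },
        whenChanged |
    Sort-Object lDAPDisplayName |
    Out-GridView -Title 'Attribute searchFlags'
```

Filtering the grid on Confidential shows which attributes need the RIGHT_DS_READ_PROPERTY plus CONTROL_ACCESS pair to read, a quick check when reviewing who can see sensitive attributes.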
Phoenix MVP Roadshow Transform the DataCenter Wed Sept 24 4 PM-8PM
Register Now! to attend MVP Roadshow Sept 24th 4 PM - 8PM
I will be presenting on why we want to get to Active Directory based on Windows Server 2012 R2 and how to get there. My fellow MVPs will be covering the rest of the agenda. I also created an IT clue game to play in small groups where the objective is to figure out who stole the data and how it could have been prevented.
ADUC Common Queries: Days Since Last Logon
Recently a client asked me how Active Directory Users and Computers (ADUC) performs the Days Since Last Logon query found in the Find Dialog box’s Common Queries option.
LastLogon is not replicated so to really get it you have to query every single DC. So I was reasonably certain that the query didn’t use LastLogon but rather used the LastLogonTimestamp which was created “to help identify inactive computer and user accounts.” Assuming default settings “the lastLogontimeStamp will be 9-14 days behind the current date.”
Happy Independence Day -- Using PowerShell for Reporting
Unfortunately, my Independence Day is not free – I am working. Just so happens I need to report on when computer objects are getting migrated to a new AD forest: Day 1: 4, Day 2: 30, Day 3: 25, etc.
Now I could have taken the data and imported it into SQL and then busted out some awesome queries in no time flat. But my buddy Craig Martin, keeps insisting how awesome this PowerShell stuff is. So I decided to give it a try, plus if I can get it to work then it will be faster to run this repeatedly from PowerShell rather than needing to import it into SQL Server. I am actually a big believer in using the right tool for the job. Otherwise you end up blaming the tool for failing you when you should have picked a different tool, one better suited for your task.
Windows 2012 R2 and Windows 8.1 RTM now on MSDN and Technet
One of my fellow MVPs and Insight teammates Alessandro Cardoso (he runs one of our practices down under) announced on his blog that Windows 2012 R2 and Windows 8.1 RTM are now on MSDN and TechNet.
He goes on to mention the salient points around 2012 R2 for virtualization, so I thought I would discuss some of the benefits for Active Directory and ADFS.
One key thing is that ADFS on Windows Server 2012 R2 doesn’t require IIS so now it can and should be installed on domain controllers.
Massive FIM and AD LDS project at DPDHL
Watch the presentation that James Booth (who worked with us on the project) and Joe Gasowski (DPDHL) gave at the Redmond Identity Summit 2013 about our project at DHL to replace the DPDHL Sun One Directory and deploy FIM to replace both CriticalPath and a home-grown admin portal.
Revisiting GUIDs, Octets and Base64
After re-reading my earlier post on this subject I decided I could be clearer.
GUIDs are often used in three different formats:
Representation    Example
Canonical form    8c4ac332-975f-4717-ad7b-ba4a4e968fff
Octet String      32c34a8c5f971747ad7bba4a4e968fff
Base64 Encoded    MsNKjF+XF0ete7pKTpaP/w==

Representation    Comment    Used in
Canonical form    This format stems from the way GUIDs (UUIDs) are generated, with each dash separating the various components. In version one of the UUID specification, the last component was the MAC address of the computer that generated the GUID.
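As an added example (not code from the original post), the following round-trips the GUID from the table above between the three representations and also builds the byte-escaped form needed to search on objectGUID in an LDAP filter. It assumes Windows PowerShell 5 or later; the function names are my own.

```powershell
# Added example, not code from the original post. Function names are hypothetical.
function ConvertTo-GuidForms {
    # Return the canonical, octet-string, Base64 and LDAP-filter forms of one GUID.
    param([Parameter(Mandatory)][guid]$Guid)
    # ToByteArray() emits the first three fields little-endian, which is the byte
    # order AD stores in objectGUID and LDAP returns as an octet string.
    $bytes = $Guid.ToByteArray()
    $hex   = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
    [PSCustomObject]@{
        Canonical   = $Guid.ToString()
        OctetString = $hex
        Base64      = [Convert]::ToBase64String($bytes)
        # Each byte becomes \xx so the value can go into "(objectGUID=...)".
        LdapFilter  = '(objectGUID=' + ($hex -replace '(..)', '\$1') + ')'
    }
}

function ConvertFrom-GuidOctetString {
    # Rebuild a [guid] from the 32-character octet string AD hands back.
    param([Parameter(Mandatory)][string]$Hex)
    if ($Hex.Length -ne 32) { throw "Expected 32 hex characters, got $($Hex.Length)" }
    $bytes = [byte[]]::new(16)
    for ($i = 0; $i -lt 16; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring($i * 2, 2), 16)
    }
    [guid]::new($bytes)
}

function ConvertFrom-GuidBase64 {
    # Rebuild a [guid] from the Base64 form seen in FIM / ILM exports.
    param([Parameter(Mandatory)][string]$Base64)
    $bytes = [Convert]::FromBase64String($Base64)
    if ($bytes.Length -ne 16) { throw "Expected 16 bytes, got $($bytes.Length)" }
    [guid]::new($bytes)
}

# Sample value taken from the table above.
$forms = ConvertTo-GuidForms -Guid '8c4ac332-975f-4717-ad7b-ba4a4e968fff'
$forms
# Both decoders should give back the canonical form.
ConvertFrom-GuidOctetString $forms.OctetString
ConvertFrom-GuidBase64 $forms.Base64
```

The LdapFilter property can be passed straight to Get-ADObject -LDAPFilter, which is handy when all you have is the octet string from an LDAP tool or a replication metadata dump.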