Still an MVP but now DS MVP
Thanks Scott. David Lundell - Jul 3, 2015Thanks Scott.
Thanks Scott. David Lundell - Jul 3, 2015Thanks Scott.
I have been awarded the Microsoft Most Valuable Professional for a 9th time. I started off as an MIIS MVP (even though ILM had been released 4 months previous). Then I became an ILM MVP in 2008, then in 2010 it was FIM MVP (or was that 2011). Now with FIM changing to MIM and in an effort to reduce the administrative paperwork the Microsoft MVP team has every time MMS/MIIS/ILM/FIM/MIM changes names all FIM MVPs have become DS (Directory Services) MVPs.
On a dark and stormy night an Active Directory upgrade was underway, Windows Server 2003 domain controllers decommissioned, consolidated and replaced with Window Server 2008 R2 servers. Suddenly I got a call from those doing the upgrade, “I can’t see some of the new domain controllers on the existing domain controllers, what’s wrong?” A replication island had been created and several domain controllers were trapped on it. Could we rescue them in time?
Import-Module ActiveDirectory Write-Host “Tuple Index Enabled Attributes” Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext) -SearchScope OneLevel -LDAPFilter “(searchFlags:1.2.840.113556.1.4.803:=32)” -Property objectClass, name, whenChanged, whenCreated, LDAPDisplayNAme | Out-GridView Write-Host “ANR Enabled Attributes” Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext) -SearchScope OneLevel -LDAPFilter “(searchFlags:1.2.840.113556.1.4.803:=4)” -Property objectClass, name, whenChanged, whenCreated, LDAPDisplayNAme | Out-GridView Write-Host “Indexed Enabled Attributes” Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext) -SearchScope OneLevel -LDAPFilter “(searchFlags:1.2.840.113556.1.4.803:=1)” -Property objectClass, name, whenChanged, whenCreated, LDAPDisplayNAme | Out-GridView The above script is something I use to quickly look and see what is indexed in an AD environment
Register Now! to attend MVP Roadshow Sept 24th 4 PM - 8PM I will be presenting on why we want to get to Active Directory based on Windows Server 2012 R2 and how to get there. My fellow MVP’s will be covering the rest of the agenda. I also created an IT clue game to play in small groups where the objective is to figure out who stole the data and how it could have been prevented.
Recently a client asked me how Active Directory Users and Computers (ADUC) performs the Days Since Last Logon query found in the Find Dialog box’s Common Queries option. LastLogon is not replicated so to really get it you have to query every single DC. So I was reasonably certain that the query didn’t use LastLogon but rather used the LastLogonTimestamp which was created “to help identify inactive computer and user accounts.
Unfortunately, my Independence day is not free – I am working. Just so happens I need to report on when computer objects are getting migrated to a new AD forest. Day 1 4 Day 2 30 Day 3 25 etc. Now I could have taken the data and imported it into SQL and then busted out some awesome queries in no time flat. But my buddy Craig Martin, keeps insisting how awesome this PowerShell stuff is.
One of my fellow MVPs and Insight teammates Alessandro Cardoso (he runs one of our practices down under) announced on his blog that Windows 2012 R2 and Windows 8.1 RTM now on MSDN and Technet. He goes on to mention the salient points around 2012 R2 for virtualization so I thought I would discuss some of the benefits for Active Directory and ADFS One key thing is that ADFS on Windows Server 2012 R2 doesn’t require IIS so now it can and should be installed on domain controllers.
Watch the presentation that James Booth (who worked with us on the project) and Joe Gasowski (DPDHL) gave at the Redmond Identity Summit 2013 about our project at DHL to replace the DPDHL Sun One Directory and deploy FIM to replace both CriticalPath and a home-grown admin portal. http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices
After re-reading my earlier post on this subject I decided I could be clearer. GUIDs are often used in three different formats: Representation Example Canonical form 8c4ac332-975f-4717-ad7b-ba4a4e968fff Octet String 32c34a8c5f971747ad7bba4a4e968fff Base64 Encoded MsNKjF+XF0ete7pKTpaP/w== Representation Comment Used in Canonical form This format stems from the way GUIDs (UUIDs) are generated. Each dash separating the various components. In version one of the UUID specification, the first the last component was the MAC address of the computer that generated the GUID.