In this blog post we provide Windows systems administrators with a high-level overview of the Blackbird Auditor, an Active Directory auditing solution.

The Blackbird Group is raffling off a 1,000 user license including a 1st year maintenance (total value 7,200 USD) for Blackbird Auditor for Active Directory. The deadline of this contest is June 27, 2012. If you want to take part, please send an email with the subject Blackbird to .

In Microsoft Windows Active Directory administration nomenclature, auditing refers to the capture and display of user- and/or system-generated activity.

Many systems administrators are required by governmental and/or industry regulations to track changes on our domain systems to a fine degree of granularity. Some of these regulatory laws include the following:

• FISMA
• HIPAA
• PCI
• SOX

(more…)

ManageEngine has created a great suite of free tools that helps Active Directory admins by simplifying common tasks that admins would typically accomplish via PowerShell or an MMC console. Using Free Active Directory Tools can tremendously expedite mundane tasks like viewing/setting a group password policy, forcing replication between domain controllers, or querying the Active Directory database.

Let’s take a look at some of the ManageEngine Free Active Directory Tools.

ManageEngine Free Active Directory Tools

(more…)

Rate this tool: (2 votes, average: 4.50 out of 5)

 Loading ...

Submit a free admin tool | Free admin tools index | Browse free admin tools

In the last post we summarized the content underlying domain 2, subobjective 6 (“Configure Operations Masters”) in the Microsoft 70-640 Active Directory Configuration certification exam blueprint. Today we will provide a sample practice question along with a detailed explanation and analysis.

You are the administrator for a single Active Directory domain that consists of two Windows Server 2008 R2 domain controllers named DC01 and DC02.

DC02, which holds the schema master role, has gone unexpectedly offline. You need the schema master role in order to be available in the domain. You log onto the domain by using the domain Administrator account.

A. Add your domain user account to the Schema Admins built-in group.

B. Register the Schmmgmt.dll dynamic link library.

C. Transfer the schema master role to another domain controller.

D. Seize the schema master role to another domain controller.

(more…)

In the last post in this series we summarized the content underlying domain 2, subobjective 5 (“Configure the Global Catalog”) in the Microsoft 70-640 Active Directory Configuration certification exam blueprint. Today we will provide a sample practice question along with a detailed explanation and analysis.

You are an enterprise administrator for an organization that consists of a multi-domain, multi-site Active Directory forest. The forest functional level is Windows Server 2008 R2. A total of 500 users are associated with the HQ Site. A total 300 users are associated with Branch 2 Site. A total of 50 users are associated with Branch 1 Site. The site topology for the environment is shown in the following exhibit:

(more…)

In this article we will review the subject area “Configure the Global Catalog” from the Microsoft 70-640 certification exam objectives.

In this series, we will move through the content blueprint of the Microsoft Windows Active Directory Configuration (70-640) exam objectives with an eye toward preparing you to pass this Microsoft Certified Technology Specialist (MCTS) exam.

The screenshot above shows the relevant section from the 70-640 exam blueprint on configuring the Active Directory Domain Services (AD DS) Global Catalog.

Today’s subobjective centers upon the Global Catalog, which is a Windows Server 2008 R2 sub role that facilitates Active Directory name lookups and speeds up inter-domain authentication.

(more…)

In this article I introduce a VBScript script that populates the description field of the Active Directory computer object with the account name of the last user who logged on to this machine.

As a systems administrator, you’ve probably noticed that computer objects in Active Directory have a description field that is shown in the default view of the Active Directory users and computers MMC console. It’s very rare to see an IT department that makes regular use of this field for something useful – never mind keeping it up to date!

I thought that it would be a good idea to automatically populate this field with the last user to logon to the computer object. With a slight tweak to our AD security and a little bit of scripting, it’s quite easily achieved. I also added even more information to the field so I could see the system service tag and model number.

(more…)

In the last post we summarized the content underlying domain 2, subobjective 4 (“Configure Active Directory Replication”) in the Microsoft 70-640 Active Directory Configuration certification exam blueprint. Today we will provide a sample practice question along with a detailed explanation and analysis.

You are an Active Directory architect for your organization. The domain consists of two sites, each of which contains three Windows Server 2008 R2 domain controllers.

You take a domain controller named DC01 offline for maintenance, and you note that intersite Active Directory replication immediately fails. You run repadmin /kcc in both sites to force the KCC to run on all DCs, yet intersite replication still fails.

Which of the following statements best explains the root cause of this problem?

A. The sites use the SMTP replication transport instead of RPC over IP.

B. DC01 is configured as the preferred bridgehead server for its site.

C. Kerberos V5 authentication is not in use in the domain.

D. Site link bridging is disabled.

(more…)

In this article we will review the subject area “Configure Active Directory Replication” from the Microsoft 70-640 certification exam objective.

In this series, we will move through the content blueprint of the Microsoft Windows Active Directory Configuration (70-640) exam objectives with an eye toward preparing you to pass this Microsoft Certified Technology Specialist (MCTS) exam.

Microsoft Exam 70-640 – Configure Active Directory Replication/ Domain 2, Subobjective 4

The screenshot above shows the relevant section from the 70-640 exam blueprint on configuring Active Directory Domain Services (AD DS) sites.

(more…)

In the last post we summarized the content underlying domain 2, subobjective 3 (“Configure sites”) in the Microsoft 70-640 Active Directory Configuration certification exam blueprint. Today we will provide a sample practice question along with a detailed explanation and analysis.

You are a domain administrator for your organization. The company recently established a second campus in another state and installed two new domain controllers at that location. You create a new Active Directory site for the second campus and establish a new site link that joins the local site to the second campus site.

What remaining tasks are necessary in order to complete the new site topology? (Select the two best choices)

A. Enable site link bridging on the site link.

B. Move the domain controller objects to the second campus site object.

C. Define subnet objects for the second campus.

D. Change the link cost for the site link object.

E. Edit the replication schedule by editing the properties of the second campus’ domain controller objects

(more…)

In this article we will review the subject area “Configure sites” from the Microsoft 70-640 certification exam objective.

In this series, we will move through the content blueprint of the Microsoft Windows Active Directory Configuration (70-640) exam objectives with an eye toward preparing you to pass this Microsoft Certified Technology Specialist (MCTS) exam.

For each exam domain, I will give you two blog posts. One blog post represents a nutshell summary of the content underlying a particular subobjective from the 70-640 certification exam outline. The second blog post offers a representative practice exam question that covers one topic from that content domain.

The screenshot below shows the relevant section from the 70-640 exam blueprint on configuring Active Directory Domain Services (AD DS) sites.

Microsoft Exam 70-640 – Configure Sites / Domain 2, Subobjective 3

(more…)

In the last post I summarized the content underlying domain 2, section 2 (“Configure trusts”) in the Microsoft 70-640 Active Directory Configuration certification exam blueprint. Today I will provide a sample practice question and a detailed explanation and analysis.

You are the Active Directory architect for a two-forest enterprise whose logical topology is shown in the following diagram:

Active Directory – Logical topology

(more…)

In this article we will review the subject area “Configure Active Directory trusts” from the Microsoft 70-640 certification exam objective.

In this series, we will move through the content blueprint of the Microsoft Windows Active Directory Configuration (70-640) exam objectives with an eye toward preparing you to pass this Microsoft Certified Technology Specialist (MCTS) exam.

The screenshot below shows the relevant section from the 70-640 exam blueprint on configuring Active Directory Domain Services (AD DS) trust relationships.

Microsoft Exam 70-640 – Configure Active Directory Trusts

(more…)

In the last post I summarized the content underlying domain 2, section 1 (“Configure a forest or a domain”) in the Microsoft 70-640 Active Directory Configuration certification exam blueprint. Today I will provide a sample practice question and a detailed explanation and analysis

You are the administrator of a multi-domain Active Directory forest in which all domain controllers run Windows Server 2003. You want to introduce a new Windows Server 2008 R2 computer as a domain controller into one domain in the environment.

Sample practice question

Which of the following actions should you undertake in order to accomplish your goal?

a. Install the R2 update on all existing Windows Server 2003 domain controllers.

b. Run dcpromo /forestprep on an existing domain controller.

c. Run adprep /domainprep on an existing domain controller.

d. Run admt computer /n on the Windows Server 2008 R2 computer.

(more…)

In this article we will review the subject area “Configure a forest or a domain” from the Microsoft 70-640 certification exam objective.

In this series, we will move through the content blueprint of the Microsoft Windows Active Directory Configuration (70-640) exam objectives with an eye toward preparing you to pass this Microsoft Certified Technology Specialist (MCTS) exam.

Microsoft Exam 70-640 – Configure a forest or a domain / Domain 2, Subobjective 1

(more…)

In this tutorial you will learn how to point the authoritative time server in your Active Directory domain at an Internet-based atomic time source.

As you probably already know, the Kerberos authentication protocol has limited tolerance for time skew between client and server. Specifically, the time difference between domain computers needs to be less than five minutes.

Some Windows administrators want to synchronize their Windows Server 2008 system clocks to an external atomic time source. How can we accomplish this goal? Well, read on!

The Windows Time Service: Basic operation

The Windows Time (W32Time) service exists in both Windows Server 2008 R2 as well as Windows 7, and is the “engine” that drives system time synchronization within an Active Directory domain.

By default, the domain controller that holds the PDC Emulator FSMO role is the authoritative time source for the domain. More broadly, the PDC Emulator in the forest root domain holds the authoritative time for the entire forest. Check out the following Visio diagram:

(more…)