In my last post, I explained how you can provision Active Directory to offline domain join a computer. Doing this for one computer is one thing; deploying a large number of computers which are already domain members when they boot up the first time is another thing.

It is possible to offline domain join a computer in an unattended installation. For this, you have to perform the two steps I outlined in my last post, i.e., create the computer accounts in your domain and the blob that contain the meta data. Then, you can add the following section to the unattend.xml:

(more…)

The Active Directory Recycle Bin is a great new feature of Windows Server 2008 R2 that allows you to restore accidentally deleted Active Directory objects. If you want to have similar functionality for Windows Server 2008 with a free utility, then you should have a look at the Directory Service Comparison Tool (DSCT). But DSCT can do even more: It not only allows you to restore deleted objects, it also lets you undo attribute changes. The tool requires at least a Server 2008 domain controller, .NET 3.5, and (Microsoft Management Console) MMC 3.0.

(more…)

Rate this tool: (1 votes, average: 4.00 out of 5)

 Loading ...

Submit favorite free admin tool | Free admin tools index | Browse free admin tools

In my last post, I described how you can perform quick queries with MaxPowerSoft Active Directory Reports 5.1.1.1. Today, I will focus on the tool’s special features, that is membership reports, filters and print preview. Note that you can win a license worth 299 US dollars (see info at end of the article).

Group Membership

When you load a report and then select some users, the “Load Membership” menu item becomes available and you can load membership for those selected users. The detail grid with membership information will be loaded as a sub grid of every record and the “+” sign will be highlighted meaning that membership is available for that particular users. You can click that little “plus” sign, extend that row to see membership information.

(more…)

A few days ago, MaxPowerSoft released a new version of their Active Directory Reporting tool, which has quite a few interesting new features. 4sysops readers have the chance to win a license worth 299 US dollars (more information can be found at the end of this article).

The most obvious new feature of Active Directory Reports 5.1.1.1 is the new Outlook-like user interface. I think, it is the tool’s biggest advantage over competing products. It does not only look cool, it is also very effective. Even if you already have an Active Directory management suite, you definitely should have a look at this specialized AD reporting tool; it could speed up your reporting tasks significantly. You only need few minutes to have an idea about how you can retrieve all kinds of information from your domains with AD Reports.

(more…)

The introduction of PowerShell was a major improvement for all administrators who are not afraid of the CLI. However, it also has some drawbacks. For instance, it is not included in the OS and it lacks many features. Microsoft wanted to correct those shortcomings. PowerShell Version 2 is now a part of Windows 7 and Windows Server 2008 RC2 and offers many new Cmdlets. One area that was improved is the management of the Active Directory (AD).

If you want to use these new features, you have to add the Cmdlets first. PowerShell v2 is now modularized. This only works under Windows Server, because you need to install the role “Active Directory Services” and the feature “Remote Server Administration Tools.” You can use the Server Manager for the installation, or if you prefer typing the following commands, you will have the same results:

import-module servermanager
Add-WindowsFeature -Name “RSAT-AD-PowerShell” -IncludeAllSubFeature
import-module ActiveDirectory

(more…)

OK – please forgive the rather large gap between Part 2 and 3 of this series. There are many conflicting reasons for the time blow-out but the biggest one was that I didn’t want to write this last bit until I’d actually gone through and completed the project in a live environment and verified it to be 100% successful. Yes that’s right – the methodologies I’ve documented weren’t just extracted from a sterile lab environment, but from a live production environment with real users and servers. But before I could get to the point at which I could raise the forest functional level, there were various sub-projects which cropped up – new domain controllers (all virtual – see Part 2), new Hyper-V hosts, network time considerations, WAN reconfiguration, DNS changes and so on.

The actual process of raising the functional level is pretty straightforward – a couple of clicks and you’re done. However, every domain controller has to be able to support the new level, so that means taking existing DCs based on earlier versions of Windows Server out of commission. They can still stick around as member servers, but you have to use DCPROMO to revoke their role as DCs. In my case, the last DC (which was Server 2008 Standard) happened to be the first DC of a new domain, so that meant it also took the FSMO roles for the domain (Flexible Single Master Operations) which are still part of Active Directory Domain Services. These do not get transferred automatically so this must be done manually.

(more…)

In the last post of this series I described Active Directory management features of AD Manager Plus. Note that you can win a license worth 2,695 US dollars (see info at end of the article). Today I will introduce the tool’s delegation and reporting features.

Active Directory Delegation

You probably know that the Active Directory User and Computer interface (ADUC) supports delegation. This allows you to assign specific AD management privileges to help desk personnel . The idea behind AD Manager Plus’s delegation feature is the same; however, the tool’s capabilities are more sophisticated.

The main difference to the delegation feature in ADUC is that ADManager Plus allows you to configure delegation roles. These roles are basically templates which you can reuse to assign a certain set of privileges to a user or a user group. Another advantage of ADManager Plus is that you cannot only apply delegation roles to a single container, but also to multiple containers in one step.

(more…)

In my last post, I gave a general introduction to ManageEngine AD Manager Plus. Note that you can win a license worth 2,695 US dollars (see info at end of the article). Today, I will focus on the tool’s Active Directory management features.

ADManager Plus allows you to manage the most important Active Directory objects. You can create and modify user objects, computers, contacts, and groups. The tool also supports bulk creation and bulk modification of AD objects.

User Management

AD Manager Plus’s most important functions are its user management features. The tool distinguishes between single user and bulk user management tasks. Creating a single user is different than in the Active Directory User and Computer interface (ADUC). You don’t have to navigate through a wizard and modify the attributes after the creation of the user object. Instead ADManager Plus presents all important attribute fields on a page with five tabs for the different attribute groups (see screenshot).

(more…)

Zoho Corp. has a generous offer for 4sysops readers. You have the chance to win a license for ManageEngine ADManager Plus Professional Edition, a powerful web-based Active Directory management and reporting tool. The raffled license is valid for one Active Directory domain with an unlimited number of AD objects and five help desk technicians. The regular price of this license would be 2,695 US dollars!

ADManager Plus has three main functions: Active Directory management, reporting and delegation. Today I will make some general remarks about the tool and in the next two posts I will explain its features in more detail.

(more…)

Shortly after I finished my series about the new Active Directory Recycle Bin feature in Windows Server 2008 R2, I stumbled across the Active Directory Recycle Bin PowerPack for PowerGUI. As I noted in my review, restoring Active Directory objects via PowerShell or the LDP.exe GUI is quite cumbersome. I recommended using Quest Object Restore for Active Directory or ADRestore.NET instead. But this PowerGUI PowerPack is an even better solution because it has some useful additional features to offer.

Since Active Directory Recycle Bin PowerPack is an add-on, you have to import it manually once you installed PowerGUI. This will add a new folder to the PowerGUI tool which lists all deleted AD objects. I like that it preserves the hierarchical structure of deleted objects. This is useful if you deleted an organizational unit that contained other objects.

(more…)

Rate this tool: (3 votes, average: 3.33 out of 5)

 Loading ...

Submit favorite free admin tool | Free admin tools index | Browse free admin tools

In the last post of this series, I outlined the changes that the Active Directory Recycle Bin introduces to Windows Server 2008 R2 when it comes to restoring Active Directory objects. Today, I will give you an overview of how the Recycle Bin can be used.

Upgrade the Active Directory functional level to Windows Server 2008 R2

Before you can work with the Recycle Bin, you have to raise the functional level of your Active Directory. Basically, you have to run ADPREP /FORESTPREP on the forest Schema Master and then ADPREP /DOMAINPREP on the Infrastructure Master, with the ADPREP version on the Windows Server 2008 R2 DVD. I recommend that you read James Bannan’s guide to migrate the Active Directory functional level to Windows Server 2008 R2.

Enable Active Directory Recycle Bin

Raising the functional level alone does not make the Active Directory Recycle Bin available. This feature has to be explicitly enabled. Not that this process is irreversible. Once you have enabled Active Directory Recycle Bin, you can’t disable it again. Since this step will affect your backup strategy, you should fully understand how Recycle Bin works, before going ahead.

(more…)

In the last article in this series, I recapitulated briefly how Active Directory objects have to be restored in Windows Server 2003/2008. Today, I will explain how the new Active Directory Recycle Bin feature works and the changes that comes with it. Let’s see first in what way the Recycle Bin improves AD object restores.

Advantages of Active Directory Recycle Bin

There are three advantages in using the new Recycle Bin feature:

• You can restore the state of Active Directory objects that they had at the time they were deleted, and not just the state of the last available backup.
• You don’t have to disable the directory services during the restore process, as with authoritative restores.
• In contrast to tombstone reanimation, the object will be restored with all its attributes.

Active Directory Recycle Bin requirements

There are four requirements that have to be fulfilled so that an Active Directory object with Recycle Bin can be restored:

(more…)

Active Directory Recycle Bin is a new Windows Server 2008 R2 feature that allows you to easily restore accidentally deleted Active Directory objects. When I first heard about this feature, I thought that the Active Directory User and Computer Interface (ADUC) would just provide a Recycle Bin like the one we know from Windows Explorer. However, things are a lot more complicated with the Active Directory Recycle Bin. This is why I need two posts only to summarize the essentials that every Windows administrator has to know.

Before I describe how the Recycle Bin works, however, I will recapitulate how the restoration of Active Directory objects works with previous Windows versions. This makes it easier to understand the changes that were introduced in Windows Server 2008 R2.

(more…)

In Part 1 we extended the forest and domain schema in preparation for the first 2008 R2-based DC, and now in Part 2 we’ll create and fire up the new DC.

The big question was whether to create a virtualized domain controller or not. There are obvious concerns with going down this path in terms of redundancy and reliability, and particularly if the underlying hypervisor is a member of the domain, but after reading this article by Virtual PC Guy Ben Armstrong, I’m quite comfortable in taking this approach. With suitable precautions, of course.

(more…)

In order to get full management of a Windows 7 environment, or to take advantage of the new features in Active Directory Domain Services like Applocker or the AD Recycle Bin, you need to upgrade the functional level of the forest and domain to Server 2008 R2.

There are a few upgrade paths available – it is possible to perform an in-place upgrade of Windows Server to Server 2008 R2, but you need to verify that the path you have planned is supported. Here’s a list of supported in-place upgrade paths. However, performing a live upgrade of a domain controller is a gutsy move, so a side-by-side migration is the less dangerous (and recommended) path.

(more…)