Posted by chrisbeams on May 15, 2009
http://technet.microsoft.com/en-us/magazine/cc462796.aspx
So I have to admit I am a little behind in terms of W2k8 and AD. It looks like the whole recovery mechanism has changed, it looks interesting and I will be giving the recovery a go over the weekend to see how it fits into the overall AD Recovery picture. Does this mean we don’t need third party products???
Chris
Posted in Active Directory | Tagged: Recovery | Leave a Comment »
Posted by chrisbeams on May 15, 2009
http://msdn.microsoft.com/en-us/library/bb332056.aspx
http://msdn.microsoft.com/en-us/library/bb267453.aspx
Something I need to progess is my .Net related AD skills. I have done a considerable amount of ASP.NET but none of it really related to Active Directory. Recently I have had a couple of requests to look at health checks around the directory and how they can be globally achieved. Looking at the tools available none of them do everything you want and some of them cost a considerable amount of cash. Perhaps writing something yourself is the only way to go ?
Anyone got any hints or tips on what they are doing?
Chris
Posted in .Net | Tagged: .Net | Leave a Comment »
Posted by chrisbeams on May 15, 2009
Something I need to go to this year is the TEC 2009 three day forum
Getting to hear all the latest info from the gurus in the directory services area. A great list of speakers including a couple of MVPs. Just need to find the money 🙂
Cheers
Chris
Posted in Active Directory | Tagged: Forum, TEC2009 | Leave a Comment »
Posted by chrisbeams on May 12, 2009
I wonder how many people out there have a proven domain and/or forest recovery process. We can all follow the MS White paper but it’s a lengthly process. What happens if your company wants a 4 hour turn around of a multi domain globally distributed forest. How likely is domain or forest failure anyhow? I think a schema change is a possibility but a very remote one. I guess more likely is user error, deleting an Ou perhaps.
So really we need object recovery, and potentialy worst case scenario recovery for a corrupt schema.
I have used the Quest product and also normal ntbackup. The Quest product is v cool but also costs money which in these times is tricky.
I am going to have a play in my VM lab at home and upload my results
Cheers
Chris
Posted in Active Directory | Tagged: Active Directory, Recovery | 3 Comments »
Posted by chrisbeams on May 11, 2009
Excellent post on the use of variables in GPP
Cheers
Chris
Posted in Group Policy Preferences | Tagged: Group Policy Preferences | Leave a Comment »
Posted by chrisbeams on May 10, 2009
Posted in Group Policy, Windows 2008 | Tagged: Group Policy, Windows 2008 | Leave a Comment »
Posted by chrisbeams on May 10, 2009
extract
This document can help you implement the Domain Name System (DNS) GlobalNames Zone feature on Microsoft® Windows Server™ 2008. The GlobalNames Zone is a new feature that provides single-label name resolution for large enterprise networks that do not deploy WINS and where using DNS name suffixes to provide single-label name resolution is not practical.
Posted in DNS | Tagged: DNS, GlobalName, ZOne | Leave a Comment »
Posted by chrisbeams on May 10, 2009
Posted in Windows 2008 | Tagged: Windows 2008 | Leave a Comment »
Posted by chrisbeams on May 10, 2009
There is an attribute on every OU that has group policy linked to it called:
gPOptions
If this equals 0 then block inheritence is off
If this equals 1 then block inheritence is on
Posted in Group Policy | Tagged: Group Policy | Leave a Comment »
Posted by chrisbeams on May 10, 2009
four main components of a security descriptor: owner (O:), primary group (G:), DACL (D:), and SACL (S:).
O:owner_sid
G:group_sid
D:dacl_flags(string_ace1)(string_ace2)… (string_acen)
S:sacl_flags(string_ace1)(string_ace2)… (string_acen)
for example
“O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)S:(AU;SAFA;WDWOSDWPCCDCSW;;;WD)”
Owner = Account Operators
Group = Domain Admin
Dacl = everything in the bracket
Sacl = everything after the S: in the brackets
So this gives you :
Revision: 0x00000001
Control: 0x0004
SE_DACL_PRESENT
Owner: (S-1-5-32-548)
PrimaryGroup: (S-1-5-21-397955417-626881126-188441444-512)
DACL
Revision: 0x02
Size: 0x001c
AceCount: 0x0001
Ace[00]
AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceSize: 0x0014
InheritFlags: 0x00
Access Mask: 0x100e003f
READ_CONTROL
WRITE_DAC
WRITE_OWNER
GENERIC_ALL
Others(0x0000003f)
Ace Sid : (S-1-0-0)
SACL
Revision: 0x02
Size: 0x001c
AceCount: 0x0001
Ace[00]
AceType: 0x02 (SYSTEM_AUDIT_ACE_TYPE)
AceSize: 0x0014
InheritFlags: 0xc0
SUCCESSFUL_ACCESS_ACE_FLAG
FAILED_ACCESS_ACE_FLAG
Access Mask: 0x000d002b
DELETE
WRITE_DAC
WRITE_OWNER
Others(0x0000002b)
Ace Sid: (S-1-1-0)
Posted in Active Directory | Tagged: Active Directory, Security Descriptor | 1 Comment »
