Blog

Active Directory Health Check

From time to time it's worth running a health check on your Active Directory to make sure everything is running smoothly. We occasionally get support questions that, after some investigation, boil down to an issue with the domain. Below we've listed some common areas to check and commands you can run to make sure your domain is healthy.

- Event Viewer
- Domain Controller Diagnostics Tool (Dcdiag.exe)
- Network Diagnostics Tool (Netdiag.exe)
- Replication
- DNS
- Defragmentation

Event logs

The Event Viewer is the first place to visit; make sure you re-check the logs after you make any changes. Check the Event Viewer logs for DFS Replication, Directory Service and DNS Server. Abnormal errors related to Active Directory services will be shown here; some common error events are:

- Replication lingering objects (event IDs 1388, 1988, 2042)
- Replication DNS lookup problems (event IDs 1925, 2087, 2088)
- Replication connectivity problems (event ID 1925)
- Replication topology problems (event ID 1311)

Domain controller diagnostics

We can use DCDIAG to analyze each domain controller in the forest and report back any problems (http://technet.microsoft.com/en-us/library/cc731968.aspx).

Command: Dcdiag.exe /v >> c:\dcdiag.txt
Description: Runs all tests in Verbose mode. Use >> to write the results to a file for easy reading.

Command: dcdiag /test:dns
Description: Test to validate DNS health.

Command: dcdiag /e
Description: Run the tests on every domain controller in your enterprise.

Command: dcdiag /q
Description: Reports only detected errors.

Command: dcdiag /s:<servername>
Description: Run dcdiag against the specified domain controller.

Network Diagnostics Tool (Netdiag.exe)

NetDiag is a command-line tool that performs a number of network connectivity related tests.

Command: Netdiag.exe /v >> c:\netdiag.txt
Description: Run the command on each DC to check for network related issues.

Replication

First let's check that replication is working. Replication status can be checked with the repadmin command (http://technet.microsoft.com/en-us/library/cc770963.aspx). This command detects Active Directory replication problems between domain controllers in the same forest/domain; there are several arguments we can use.

Command: repadmin /showrepl
Description: Run this command to view all replication; it will show successes and errors.

Command: repadmin /replsummary
Description: List domain controllers that have issues with Active Directory replication.

Command: repadmin /replicate
Description: Force Active Directory domain controller replication.

Command: repadmin /kcc
Description: Force Active Directory domain controller to check its inbound replication topology and generate missing connections.

DNS

Active Directory relies on a correctly configured DNS infrastructure. DNS issues can be checked using the DNSLint tool. DNSLint is a command line utility for troubleshooting common DNS problems (http://support.microsoft.com/kb/321045). There are three arguments that allow us to verify that DNS is working correctly.

Command: dnslint /ad
Description: Check DNS records used by Active Directory replication. This command should be followed by the IP address of an Active Directory domain controller.

Command: dnslint /d
Description: This argument checks for causes of lame delegation. The domain name that you test can be a name registered for use on the Internet or a name used in a private namespace. When you test domain names on a private network, or domain names registered on the Internet that are more than two levels deep, you must use the /s option.

Command: dnslint /ql
Description: Check a user-defined set of DNS records. Use this switch to test the DNS records listed in a text file. The full path to the file is required in order to run this command.

Defragmentation

Defragmentation is an automated process from Windows Server 2008 onwards. If you do have 2003 DCs then Active Directory database compaction has to be done manually. You can do this by following the steps on the page below.

http://technet.microsoft.com/en-us/library/cc772931(v=ws.10).aspx
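The PowerShell script below is an added example, not part of the original post: it automates the checks above across every domain controller, pulling the event IDs listed in the Event logs section, running dcdiag /q per DC and finishing with repadmin /replsummary. It assumes the RSAT ActiveDirectory module (for Get-ADDomainController) and a session with rights to read the DCs' event logs; $Hours and $ReportPath are hypothetical parameters chosen for this script.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post: automate the health checks across every DC.
# Assumes the RSAT ActiveDirectory module (Get-ADDomainController) and a domain admin session;
# $Hours and $ReportPath are hypothetical parameters chosen for this script.
param(
    [int]$Hours = 24,
    [string]$ReportPath = "$env:TEMP\ad-health-$(Get-Date -Format 'yyyyMMdd-HHmm').txt"
)

# Event IDs listed in the Event logs section, grouped by what they indicate.
$ReplicationEvents = @{
    'Lingering objects'         = @(1388, 1988, 2042)
    'DNS lookup / connectivity' = @(1925, 2087, 2088)
    'Replication topology'      = @(1311)
}

$since  = (Get-Date).AddHours(-$Hours)
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$report = New-Object 'System.Collections.Generic.List[string]'

foreach ($dc in $dcs) {
    $report.Add("===== $dc =====")

    # 1. Event logs named in the post: Directory Service, DFS Replication, DNS Server.
    #    Level 1-3 = critical, error, warning. A log that does not exist on a DC
    #    (e.g. DFS Replication where SYSVOL still uses FRS) is skipped silently.
    foreach ($log in 'Directory Service', 'DFS Replication', 'DNS Server') {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = $log; Level = @(1, 2, 3); StartTime = $since
        }
        foreach ($e in $events) {
            $hit = $ReplicationEvents.GetEnumerator() | Where-Object { $_.Value -contains $e.Id }
            $tag = if ($hit) { "[$($hit.Key)]" } else { '' }
            $firstLine = ($e.Message -split "`r?`n")[0]
            $report.Add(("{0:s} {1} id={2} {3} {4}" -f $e.TimeCreated, $log, $e.Id, $tag, $firstLine))
        }
    }

    # 2. dcdiag /q against this DC: quiet mode prints only failures, so any output is a finding.
    $report.Add('--- dcdiag /q ---')
    $out = @(dcdiag "/s:$dc" /q 2>&1 | ForEach-Object { "$_" })
    if ($out.Count) { $report.AddRange([string[]]$out) } else { $report.Add('no errors reported') }
}

# 3. Forest-wide replication summary; any non-zero "Fails" count needs attention.
$report.Add('===== repadmin /replsummary =====')
$report.AddRange([string[]]@(repadmin /replsummary 2>&1 | ForEach-Object { "$_" }))

$report | Set-Content -Path $ReportPath
Write-Host "Health report written to $ReportPath"
```

Re-run it after any change you make so the report confirms the errors have stopped rather than just been worked around.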

Hopefully the list above will help; it's not meant to be a comprehensive list, just a place to start.


AD Bulk Export version 4

AD Bulk Export version 4, the latest version of our Active Directory export tool, is now available to download. It is a significant upgrade over version 3: to start with, version 4 is 1500% quicker and uses 75% less RAM!


You can now select a mix of OUs and groups from which to retrieve users, contacts, groups or computers, using our superb new AD tree browser.

Version 4 now contains a built-in scheduler, so you can easily schedule exports of data from Active Directory at intervals you decide. You can now export to Excel (.xls) and PDF as well as CSV, and database export now includes Oracle databases as well as SQL.

AD Bulk Export 4 Scheduler

We've built in a fantastic new filter which makes it easy to get to the data you need; the filter also works from the command line and scheduler.

AD Bulk Export 4 Filter

Click the following link to read more: http://www.dovestones.com/products/Active_Directory_Export.asp.
You can download AD Bulk Export 4 now from http://www.dovestones.com/demos.asp.


AD Bulk Users and thumbnailPhoto

AD Bulk Users 3.3.1.5 is now available. In this incremental release it is now possible to import photos into the thumbnailPhoto attribute; this has become popular recently with Microsoft using the thumbnailPhoto attribute in Outlook 2010. AD Bulk Users will check that you are using a .jpg image, that the image size is smaller than 10KB and that its dimensions are less than 96 x 96 pixels. While on the subject of photos, it's worth pointing out that support for the jpegPhoto attribute was added back in April; this supports a bigger image (25KB and 200 x 200 pixels) but note it isn't used by Outlook 2010.

Changing the sAMAccountName (logon name) in bulk

With this release it is now possible to change a user's logon name by updating the sAMAccountName attribute (shown as 'User logon name pre-Windows 2000' in Active Directory Users and Computers). To change the logon name, use a CSV file similar to the one below and add the new logon names to the newsAMAccountName column.

CSV file to change sAMAccountName

After the import the log will show that the users' logon names have been changed.

Log showing logon name change

As always if you have any questions or feature requests please get in touch.

AD Photos updated

Now your users can put a face to a name by using Outlook 2010. One of many great new features in Outlook 2010 is the ability to view a small photo of other users. This is done by reading the photo from Active Directory; the thumbnailPhoto attribute has been available in Active Directory since Windows 2000 but no Microsoft products (that I know of!) have used it until now.

thumbnailPhoto attribute displayed in Outlook 2010


With AD Photos we've created a simple but incredibly useful tool for importing single and multiple photos into Active Directory; you can view existing photos stored in AD and remove them if needed. The ability to import photos in bulk is very useful if you're planning on making the most of Outlook 2010 and adding a photo of all your users to AD.

Active Directory Photo Import

AD Photos, import photos into Active Directory.

We've just updated AD Photos to version 1.5.1; read more about AD Photos and download the trial version at the URL below.
http://www.dovestones.com/products/Active_Directory_jpegPhoto_thumbnailPhoto.asp

AD Bulk Users, 10x faster and support for Exchange 2010

Happy New Year!

AD Bulk Users 3.3 is now available. In this release we've made some changes to the way AD Bulk Users creates new users and gained a significant speed increase, approx. 10x faster in our tests compared to the previous version; for those that import a large number of users on a regular basis this is a big improvement.

Microsoft Exchange 2010 is now supported!

AD Bulk Users now includes support for Exchange 2010; performance when creating mailboxes during import is the same as it was for 2007. From what we've seen so far Exchange 2010 is an all-round improvement on Exchange 2007, however it's worth noting that the Exchange 2010 management tools can only be installed on Windows 7, Vista SP2, Windows 2008 SP2 and 2008 R2.

Microsoft Technet article on how to Install the Exchange 2010 Management Tools:
http://technet.microsoft.com/en-us/library/bb232090.aspx

Windows 2008 R2 and Windows 7

We’ve also made some improvements to how the program runs on Windows 2008 R2 and Windows 7. As always if you have any questions please get in touch.


Importing users with duplicate names

When importing a large number of users into Active Directory it is possible that 2 or more users will share the same name. When using AD Bulk Users, the user's first name (givenName attribute) and second name (sn attribute) are used internally by the program to construct the Common-Name (cn attribute). This cn value is used by Active Directory to construct the distinguishedName, which has to be unique as its value is the path to the user object, for example 'CN=John Smith,OU=Managers,DC=domain,DC=com'.


Using AD Bulk Users to update Exchange Storage Limits

In the latest build of AD Bulk Users we've added support for setting the Exchange Storage Limits. These limits are stored in the attributes mDBStorageQuota (Issue warning at), mDBOverQuotaLimit (Prohibit send at) and mDBOverHardQuotaLimit (Prohibit send and receive at).

Exchange Storage Limits

The check box 'Use mailbox store defaults' shown above is toggled on and off using the attribute mDBUseDefaults, so to set non-default storage limits we need to set mDBUseDefaults to FALSE. If you want to turn the default storage limits back on, just set mDBUseDefaults to TRUE in the CSV file.

Below is an example CSV file that would set 'Prohibit send and receive at (KB):' to 1GB, 2GB and 3GB for the 3 users in the file. The sAMAccountName is the user's logon name and is used to locate the user in Active Directory; the Modify column tells the program we are modifying an existing user.

Storage Limits CSV

In my example above a 1GB quota may be too low for some: if a user receives 100 x 50k messages a day for 30 days this would consume 150MB, or 1.8GB over a year.

All the best.


Automatically update e-mail addresses based on recipient policy?

When importing new users (or modifying existing users) with an Exchange mailbox you may not want the Exchange recipient policy to update the e-mail addresses for those users. By default, when AD Bulk Users creates the mailbox, 'Automatically update e-mail addresses based on recipient policy' is checked, i.e. TRUE; to prevent this being set, add a column to your CSV file entitled AutoUpdateOnRecipientPolicy and set the value to FALSE.

Click here for an example CSV file.

The result of setting AutoUpdateOnRecipientPolicy to FALSE is that 'Automatically update e-mail addresses based on recipient policy' is unchecked, meaning the recipient policy won't update the mailbox for the user.

Automatically-update-e-mail-addresses-based-on-recipient-policy

All the best.


Append, Drop and Truncate with AD Bulk Export 3.0.7.2

This latest release of AD Bulk Export includes a couple of minor bug fixes and a change to the way data is saved to a SQL database. Two new command line arguments have been added, /dropTable and /truncateTable; you can also enable these options via the GUI in the 'Options' section of the 'Save to Database' window.

By default the data pulled from Active Directory is appended to the table. This can now be changed by using the command line arguments /dropTable or /truncateTable, or by selecting either of the two options in the GUI. With 'Drop table first' checked, the program deletes the table and then recreates it before inserting the data pulled from Active Directory. Checking 'Truncate table first' deletes the table rows but leaves the columns intact, which is especially useful if you are going to add custom columns. Both options are retained when the program is closed and reopened.

AD Bulk Export, Saving to SQL


Storing photos in Active Directory using the jpegPhoto Attribute

The latest version of AD Bulk Users now has support for adding (and removing) photos in Active Directory using the jpegPhoto attribute. The jpegPhoto attribute was added to Windows 2003 AD and supports the JPEG format. There are a few things to consider when importing images, such as the size and dimensions of the image: AD Bulk Users will check that you are using a .jpg image, that the image size is smaller than 25KB and that its dimensions are less than 200 x 200 pixels (it doesn't need to be square, 180 x 100 would be fine).

An example CSV file would look like:

sAMAccountName,Modify,jpegPhoto
jsmith,TRUE,e:\photos\%username%.jpg
pjones,TRUE,e:\photos\%username%.jpg

To clear the photo simply leave no value in the jpegPhoto column, an example CSV file would look like:

sAMAccountName,Modify,jpegPhoto
jsmith,TRUE,
pjones,TRUE,
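As an added example (not the AD Bulk Users code, and also covering the thumbnailPhoto limits given in the earlier post), the PowerShell below validates a JPEG against the size and dimension limits quoted for each attribute before writing it with Set-ADUser, and refuses the file otherwise. Test-AdPhoto, Set-AdPhoto, the -Commit switch and the e:\photos paths are assumptions for this script; it requires the RSAT ActiveDirectory module and .NET's System.Drawing.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the AD Bulk Users code: check a JPEG against the limits quoted in the
# post before writing it to thumbnailPhoto (10KB, 96x96) or jpegPhoto (25KB, 200x200).
# Test-AdPhoto / Set-AdPhoto and the -Commit switch are hypothetical names for this script.
Add-Type -AssemblyName System.Drawing

$PhotoLimits = @{
    thumbnailPhoto = @{ MaxBytes = 10KB; MaxWidth = 96;  MaxHeight = 96  }
    jpegPhoto      = @{ MaxBytes = 25KB; MaxWidth = 200; MaxHeight = 200 }
}

function Test-AdPhoto {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('thumbnailPhoto', 'jpegPhoto')][string]$Attribute = 'thumbnailPhoto'
    )
    $limit  = $PhotoLimits[$Attribute]
    $errors = New-Object 'System.Collections.Generic.List[string]'
    $bytes  = $null

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $errors.Add('file not found')
    } else {
        $bytes = [IO.File]::ReadAllBytes($Path)
        # Check the JPEG signature (FF D8 FF) instead of trusting the .jpg extension.
        if ($bytes.Length -lt 3 -or $bytes[0] -ne 0xFF -or $bytes[1] -ne 0xD8 -or $bytes[2] -ne 0xFF) {
            $errors.Add('not a JPEG (signature mismatch)')
        }
        if ($bytes.Length -gt $limit.MaxBytes) {
            $errors.Add("size $($bytes.Length) bytes exceeds $($limit.MaxBytes)")
        }
        try {
            # Decode to read the real dimensions; 180x100 passes for jpegPhoto, 250x100 does not.
            $img = [System.Drawing.Image]::FromFile($Path)
            if ($img.Width -gt $limit.MaxWidth -or $img.Height -gt $limit.MaxHeight) {
                $errors.Add("dimensions $($img.Width)x$($img.Height) exceed $($limit.MaxWidth)x$($limit.MaxHeight)")
            }
            $img.Dispose()
        } catch { $errors.Add("image could not be decoded: $($_.Exception.Message)") }
    }
    [pscustomobject]@{ Path = $Path; Attribute = $Attribute; Bytes = $bytes
                       Valid = ($errors.Count -eq 0); Errors = $errors.ToArray() }
}

# Write a validated photo with Set-ADUser -Replace; runs as -WhatIf unless -Commit is given.
function Set-AdPhoto {
    param([string]$SamAccountName, [string]$Path, [string]$Attribute = 'thumbnailPhoto', [switch]$Commit)
    $check = Test-AdPhoto -Path $Path -Attribute $Attribute
    if (-not $check.Valid) {
        Write-Warning "$SamAccountName : skipping $Path ($($check.Errors -join '; '))"
        return
    }
    $replace = @{}; $replace[$Attribute] = $check.Bytes
    Set-ADUser -Identity $SamAccountName -Replace $replace -WhatIf:(-not $Commit)
}

# Constructed sample mirroring the CSV above (e:\photos\%username%.jpg); paths are assumptions.
foreach ($user in 'jsmith', 'pjones') {
    Set-AdPhoto -SamAccountName $user -Path "e:\photos\$user.jpg" -Attribute jpegPhoto
}
```

To mirror the empty-column CSV that clears a photo, Set-ADUser -Identity <user> -Clear jpegPhoto removes the attribute outright.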

We’ve added jpegPhoto to the Organization tab in AD Bulk Users so when you load your CSV file you should see the path shown here.

jpegPhoto

How do you view the images, you may ask? Well, you can use a web page, a custom application or SharePoint.


AD Bulk Users 3.2.2.0

The latest release of AD Bulk Users contains a number of great new features. The first worth mentioning is the detection of all your Exchange Stores: no need to type in store paths anymore. As you can see in the screen shot below, we've redesigned the Exchange section of the Settings tab to accommodate the new drop down menu entitled 'Default Exchange Store'. This is where you can select the store where you want your users' mailboxes created. You can still use the 'ExchangeStore' column in your CSV (or SQL table) and specify a store for each user, or simply use the default store here.

Exchange Stores Detected

The next new feature to mention is the ability to create Security Groups and Organizational Units, in previous versions of AD Bulk Users you could add users to a group but if that group didn’t exist then the log would show “Unable to add user to group..”. With the new ‘Create Groups’ feature turned on if the group doesn’t exist AD Bulk Users will create it and then add the user to the group.

Create Groups and OUs

Below is a simple CSV file (opened in Excel) that would create 1 user and add that user to a group called ‘Network Team’:

Group Creation Example

Now assuming the group doesn’t exist and the ‘Group Creation’ feature is on we would see the following in the log:

Log showing group creation

As the log shows, the user and group were created and the user was made a member of the group. This can be especially useful when moving domains, migrating or creating test domains and you don't want to create hundreds of groups.

Now what happens if the OU that the group resides in doesn't exist? Well, now we have OU creation: with OU Creation on, the Organizational Unit would be created, then the group would be created and then the user added to the group. Neat, eh!

With OU Creation turned on, AD Bulk Users will create an OU under two circumstances. The first is as I have just described above: you are adding the user to a group and both the group and the OU don't exist. The second is if you have used the column header destinationOU in your CSV file with a value such as "OU=Managers,DC=Domain,DC=Com"; if the OU 'Managers' doesn't exist then normally the program wouldn't be able to create the user, but with OU Creation turned on the OU would be created and then the user(s) created within that OU.

These are of course very powerful features hidden behind two innocent checkboxes. Group and OU creation is a real saviour if you want to migrate to a new domain and take across your OU structure and groups, but you do need to remember when it's ON and when it's OFF. When AD Bulk Users is launched, if the OU and Group creation feature has been left ON you'll see a note in the log to remind you.

Notes shown in the log

These are two great new features, there are several more which I’ll cover in a new post soon.


AD Find and Replace 1.9.5 New Features

We've added a few new features to AD Find and Replace. The first is called 'Replace within N characters'; this allows you to perform a replace only within the first N characters or the last N characters. This is especially useful for replacing numbers within telephone numbers, as the screen shot below shows. For example, if we want to replace the area code 044 with 043 for each user in a selected OU or Group, we can check 'Replace within N characters' and set the 'Replace within the First' value to 3; this tells the program to only replace 044 with 043 when a match is found within the first 3 characters. Without this feature we run the risk of changing a telephone number that contains 044 anywhere in the number; for example, 043 12044044 also contains 044 and would be updated, which is not what we want. We can now replace 044 only if it is within the first 3 characters; if a match is not found there it will be left alone. We can also replace in the last N characters. I'm sure you'll agree a worthwhile addition.

adfindandreplace-replaceinncharacters2

The second new feature is the ability to connect to Active Directory as a different user; this has been available in our other programs for some time but was needed in AD Find and Replace.

adfindandreplaceconnectas

The final update is the ability to insert wild cards (variables) into the 'Replace with' text box. The wild cards read the value of another attribute and insert that value into the attribute you are working with. Wild cards aren't new and have been included with the program since version 1, but unless you read the help file you may not know they existed, so we've added the wild card list to the GUI so you can easily see the wild cards available.

adfindandreplacewildcards1


AD Bulk Users 3.1.3.0

Version 3.1.3.0 was released today adding the ability to set the ‘User Cannot Change Password’ option. To set this add a column to your CSV file called userCannotChangePassword and set the value to TRUE or FALSE.

User Cannot Change Password

Below is an example CSV file using userCannotChangePassword, this file would modify/update existing Active Directory users.

Example CSV file using userCannotChangePassword

This version also adds two new command line arguments /removeUsersFromGroups and /addUsersToGroups, both tell the program what to do when you have included a group in the memberOf column.

We’ve also added a line number to any warning messages that are shown when you validate your file. For example the program now shows “Validating user: jsmith (line 210) This user does not have a password set, your password policy may require one”.


Welcome

Welcome to our first post on our new blog — we hope to keep you posted on updates to our products, Active Directory news and any relevant tips and tricks that we think network engineers, technicians and managers will find useful.
