Friday, October 16, 2009

Exchange 2010 Certified!

I just received the following email from MS Learning:

Congratulations on earning your Microsoft Exchange Server 2010, Configuration certification! We hope you enjoy the benefits of your certification and of membership in the Microsoft Certified Professional community.

Saturday, October 10, 2009

Active Directory: AD Recycle Bin GUI

Earlier on I blogged about the AD Recycle Bin. In this blog we checked out how the AD Recycle Bin is activated and how it's used through PowerShell or LDP.

The fellows at Overall Solutions Inc. made a very nice GUI. In this GUI it's possible to see which items are deleted and also recover the deleted items.

The download can be found at: http://www.overall.ca/index.php?option=com_content&view=article&id=40:adrecyclebin&catid=15:adrecyclebinexe&Itemid=64

The GUI is built like this:

Friday, October 9, 2009

Exchange 2010 RTM!

Yesterday at TechNet Live they already had some interesting information. At the end of the day when asked the question: "When will Exchange 2010 be RTM" the only answer we got was: "Check out the Exchange Team blog tomorrow". And what have we got? Finally! Exchange 2010 got RTM'd!

For the full announcement see: http://msexchangeteam.com/archive/2009/10/08/452775.aspx

In my opinion some very good news to get on Friday!


Stefan Hazenbroek

Monday, October 5, 2009

Active Directory: FSMO Roles in Windows Server 2008 R2

I've been getting a lot of questions and debate about FSMO roles in an Active Directory domain environment. Where should you place what role? What does a specific role do? Should I seize it if it's not available?

I'll start by summing up the available roles and their tasks. The function of each role is defined for Windows Server 2008 R2.

Schema Master

There can only be one Schema Master defined per forest. The Schema Master contains the only writable copy of the schema and additions to it can only be done by a member of the Schema Admins and the Enterprise Admins security group.

When this role is unavailable, additions or changes to the schema cannot be made.

Domain Naming Master

The Domain Naming Master is responsible for the addition or removal of domains in the forest. The Domain Naming Master is a forest-wide role, which means only one can be defined per forest.

When this role is unavailable no domains can be added, removed or renamed.

Infrastructure Master

The Infrastructure Master is a domain-wide role, which means it is defined per domain, and there can only be one per domain. Logically, if you have 3 domains within your forest, you have 3 domain controllers that hold the Infrastructure Master role. The Infrastructure Master is responsible for updating links from objects in its domain to objects in other domains.

When the infrastructure master is unavailable changes in objects do not get replicated. However, when all domain controllers are also a Global Catalog, the Infrastructure Master does not have a function.

RID Master

The RID (or Relative-ID) Master is responsible for RID-requests from all domain controllers within that domain. When the RID pool of a domain controller depletes, it requests a new pool from the RID Master. The RID Master can only be defined once per domain.

When the RID Master is unavailable and a domain controller runs out of available RIDs, no new objects (such as users, groups and computers) can be created.

PDC Emulator

The PDC (or Primary Domain Controller) Emulator role is used to act as PDC when Windows NT BDCs are used. The PDC Emulator also acts as Master Browser for the domain and handles password updates for the domain. The PDC Emulator can only be defined once per domain.

When the PDC Emulator is unavailable, password changes get updated with the regular replication traffic instead of right away through the PDC Emulator. Also, the time (net time) will not get synced during this time, which can be an issue in a domain environment.

Now, what if a domain controller is unavailable for a while and you need to seize the role? In a pre-Windows 2008 R2 environment, that is, an environment without AD PowerShell, this can be quite a hassle. When you need to move the Schema Master you first have to load the DLL for the MMC, after which you can move it. It just costs needless time. With AD PowerShell, a role is moved with a single cmdlet:

Move-ADDirectoryServerOperationMasterRole -Identity <ADDirectoryServer> -OperationMasterRole <ADOperationMasterRole[]>

For example, when you want to move the Infrastructure Master to domain controller "DC001" you'll use:

Move-ADDirectoryServerOperationMasterRole -Identity DC001 -OperationMasterRole InfrastructureMaster

Now, if the server that contains the role is unavailable you can of course seize it. This can also be done in PowerShell, by adding the -Force parameter to the cmdlet. To seize the Infrastructure Master onto domain controller DC001 you'll use:

Move-ADDirectoryServerOperationMasterRole -Identity DC001 -OperationMasterRole InfrastructureMaster -Force
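The transfer and seize commands above can be combined with a check of who holds the role first, so that -Force is only used when the current holder really is unreachable. This is an added example, not code from the original post; the function names Get-FsmoRoleHolder and Move-FsmoRoleSafely are hypothetical, DC001 is the post's sample server, and using a ping as the reachability test is an assumption.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Returns a hashtable: role name -> DNS name of the current holder.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
    }
}

function Move-FsmoRoleSafely {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$TargetDC,
        [Parameter(Mandatory = $true)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','InfrastructureMaster','RIDMaster','PDCEmulator')]
        [string]$Role
    )
    $holder = (Get-FsmoRoleHolder)[$Role]
    if ($holder -eq $TargetDC -or $holder -like "$TargetDC.*") {
        Write-Output "$Role is already held by $holder"
        return
    }
    # Assumption: ICMP reachability stands in for "the holder is available".
    $reachable = Test-Connection -ComputerName $holder -Count 2 -Quiet
    $action = if ($reachable) { 'Transfer' } else { 'Seize (-Force)' }
    if ($PSCmdlet.ShouldProcess("$Role from $holder to $TargetDC", $action)) {
        if ($reachable) {
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false
        } else {
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force -Confirm:$false
        }
        # Holder as seen by the DC this session talks to; others follow after replication.
        (Get-FsmoRoleHolder)[$Role]
    }
}

Get-FsmoRoleHolder                                                      # current holders
Move-FsmoRoleSafely -TargetDC DC001 -Role InfrastructureMaster -WhatIf  # dry run only
```

Remove -WhatIf to perform the move. After a seizure of the Schema Master, Domain Naming Master or RID Master, the previous holder should be rebuilt rather than brought back online with the role still on it.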

Finally, one shell to manage your complete AD in!


Stefan Hazenbroek