Archive for May 2013

Windows 2012 Domain Controller Command Line Tools

May 31, 2013 Windows Server 2012 No comments

tools-icon

Once you install the Windows 2012 Domain Controller Role, you will find you are able to right click on the server in the console and a menu will appear showing that you are able to connect to several different command line tools. This looks like a very handy feature to have so lets have a deeper look at these tools

You can run these commands in the Active Directory Module for Windows PowerShell or cmd.exe

tools

What does Dcdiag.exe do?

This command-line tool analyzes the state of one or all domain controllers in a forest and reports any problems to assist in troubleshooting. DCDiag.exe consists of a variety of tests that can be run individually or as part of a suite to verify domain controller health and DNS Health

dcacls

What does Dsacls.exe do?

Dsacls.exe is a command-line tool that you can use to query the security attributes and to change permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in the Windows Active Directory snap-in tools such as Active Directory Users and Computers and Active Directory Sites and Services.

dsacls

What does Dsdbutil.exe do?

Dsdbutil is a command-line tool that is built into Windows Server 2008. It is available if you have the AD LDS server role installed. To use dsdbutil, you must run the dsdbutil command from an elevated command prompt It performs database maintenance of the Active Directory Domain Services (AD DS) store, facilitates configuration of Active Directory Lightweight Directory Services (AD LDS) communication ports, and views AD LDS instances that are installed on a computer

dbsdbutil

What does Dsmgmt.exe do?

Dsmgmt is a command-line tool which is available if you have the AD LDS server role installed. To use dsmgmt, you must run the dsmgmt command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator. It facilitates managing Active Directory Lightweight Directory Services (AD LDS) application partitions, managing and controlling flexible single master operations (FSMO), and cleaning up metadata that is left behind by abandoned Active Directory domain controllers and AD LDS instances. (Abandoned domain controllers and AD LDS instances are those that are removed from the network without being uninstalled.)

dsm

What does Gpfixup.exe do?

This tool is used to fix domain name dependencies in Group Policy Objects (GPOs) and Group Policy links after a domain rename operation

gpfixup

What does ldp.exe do?

This GUI tool is a Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such as connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as Active Directory. LDP is used to view objects stored in Active Directory along with their metadata, such as security descriptors and replication metadata. LDP is a GUI-based, Windows Explorer–like utility with a scope pane on the left that is used for navigating through the Active Directory namespace, and a details pane on the right that is used for displaying the results of the LDAP operations. Any text displayed in the details pane can be selected with the mouse and “copied” to the Clipboard.

  • Connect through PowerShell to ldp.exe
  • Click Connection
  • Put in your DC Name
  • You are then connected and ready to use the tool

http://technet.microsoft.com/en-us/library/cc756988%28v=ws.10%29.aspx

ldp

What does Netdom.exe do?

This command-line tool enables administrators to manage Windows Server 2003 and Windows 2000 domains and trust relationships from the command line. You can join a machine to a domain, manage computer accounts for domain member workstations and member servers, establish one-way or two-way trust relationships between domains, including certain kinds of trust relationships, verify and/or reset the secure channel for the following configurations and manage trust relationships between domains

http://technet.microsoft.com/en-us/library/cc781853%28v=ws.10%29.aspx 

What does Nltest.exe do?

Nltest.exe is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT) This tool can do the following

  • Get a list of domain controllers
  • Force a remote shutdown
  • Query the status of trust
  • Test trust relationships and the state of domain controller replication in a Windows domain
  • Force a user-account database to synchronize on Windows NT version 4.0 or earlier domain controllers

http://technet.microsoft.com/en-us/library/cc731935%28v=WS.10%29.aspx

What does Ntdsutil.exe do?

Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.

ntdsutil

What does Repadmin do?

This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers.

Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.

Repadmin.exe can also be used for monitoring the relative health of an Active Directory forest. The operations replsummary, showrepl, showrepl /csv, and showvector /latency can be used to check for replication problems.

http://technet.microsoft.com/en-us/library/cc736571%28v=ws.10%29.aspx

What does W32tm.exe do?

W32tm.exe is used to configure Windows Time service settings. It can also be used to diagnose problems with the time service. W32tm.exe is the preferred command line tool for configuring, monitoring, or troubleshooting the Windows Time service. The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs and is not supported by Microsoft as such

http://technet.microsoft.com/en-us/library/cc773263%28v=WS.10%29.aspx

Active Directory Lightweight Directory Services on VMware

May 29, 2013 AD LDS No comments

images

What is AD LDS?

AD LDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies that are required for Active Directory Domain Services (AD DS). AD LDS provides much of the same functionality as AD DS, but it does not require the deployment of domains or domain controllers. You can run multiple instances of AD LDS concurrently on a single computer, with an independently managed schema for each AD LDS instance.

AD DS provides directory services for both the Microsoft® Windows Server server operating system and for directory-enabled applications. For the server operating system, AD DS stores critical information about the network infrastructure, users and groups, network services, and so on. In this role, AD DS must adhere to a single schema throughout an entire forest.

The AD LDS server role, on the other hand, provides directory services specifically for directory-enabled applications. AD LDS does not require or rely on Active Directory domains or forests. However, in environments where AD DS exists, AD LDS can use AD DS for the authentication of Windows security principals.

How does ADLDS apply to Applications?

AD LDS can store “private” directory data, which is relevant only to the application, in a local directory service—possibly on the same server as the application—without requiring any additional configuration to the server operating system directory. This data, which is relevant only to the application and which does not have to be widely replicated, is stored solely in the AD LDS directory that is associated with the application. This solution reduces replication traffic on the network between domain controllers that serve the server operating system directory. However, if necessary you can configure this data to be replicated between multiple AD LDS instances.

VMware Considerations

With the introduction of vSphere 4.x, vCenter 4.x started using

  • Active Directory Application Mode (ADAM) on Windows Server 2003
  • Active Directory Lightweight Directory Services (AD LDS) on Windows Server 2008

This Mode/Service accommodates information relating to

  • Linked Mode
  • Licensing
  • Roles
  • Permissions for vCenter
  • Inventory Service

The roles and permissions are stored in the ADAM or AD LDS database which is called VMwareVCMSDS. In order to restore the roles and permissions, the ADAM or AD LDS database must be backed up. This data is regularly backed up every 5 minutes to the vCenter Server database in the VPX_BINARY_DATA table

vCenter Visibility

  • Control Panel

adlds

  • VMwareVCMSDS Service

adlds2

It is not recommended to uninstall this service unless you have a backup of the vCenter Server and vCenter Server Database Server!

 

Installing a Windows Server 2012 Domain Controller and DNS

May 24, 2013 IT, Windows Server 2012 No comments

corpdir-lg

Installing a new DC

  • Install Windows Server 2012
  • Click Manage > Install Roles and Features
  • The Add Roles and Features Wizard will start

step_1

  • Click Next
  • Choose Role based or Feature installation

Step-2

  • Select the Server

Step-3

  • Click Next and Choose Active Directory Domain Services

Step-4

  • A box will pop up as per below
  • Click Add Features

Step-5

  •  Click DNS as well

step-9

  • A box will pop up
  • Click Add Features

Step-8

  • Click Next
  • Read the Notes

Step-7

  • Read the Notes about the DNS Server

step-10

  • Select Restart

Step-11

  • You will get the following message after selecting the checkbox for Restarting

step-12

  • Click Install
  • The final screen will show the progress of the install

step13

  • You can also Export Configuration Settings which are in the form of PowerShell commands allowing you to install from these to another DC in the future
  • Click Export Configuration Settings

step14

  • Once AD Domain Services has been installed, you now need to promote this server to be a Domain Controller
  • In Server Manager, you will see a notification triangle in the top right. Click this and you will get the following message

step15

  • Click Promote this server to a Domain Controller

step16

  • I am going to add this Domain Controller to my current domain dacmt.local
  • Click Next

step17

  • Type in a Directory Services Restore Mode Password
  • Click Next
  • Click Next on the DNS Screen

step18

  • Choose your replication option

step19

  • Choose paths for the AD Files
  • Note Best Practice would advise you to separate out these services on different redundant drives but this is just a demo so they all reside on the C Drive

step20

  • Check the Preparation Options

step21

  • Review Options

step22

  • Pre Requisites Check

step23

  • Click Install
  • Reboot when Install is finished
  • Once in Server Manager and you have chosen the AD DS role scroll down and you will see a section called Best Practices Analyzer. You can then go to Tasks and choose to run the BPA scan. This BPA scan can also be run from Windows PowerShell

Microsoft Technet Further Information

http://technet.microsoft.com/library/hh472162.aspx

Changing between Windows Server 2012 Installation Types

May 20, 2013 IT, Windows Server 2012 No comments

core4

As in Windows Server 2008 and Windows Server 2008 R2, Windows Setup in Windows Server 2012 allows you to choose one of two installation types:

  • Server Core Installation
  • Server with a GUI (also called a full installation)

server2012c

One of the more interesting new features in Windows Server 2012 is the ability to convert a full installation to a Server Core Installation and vice versa. You can switch between a Server Core installation and full installation in Windows Server 2012 because the difference between these installation options is contained in two specific Windows features that can be added or removed

server2012full

Features

  • Server Core. None of the options are selected. No GUI Interface
  • Graphical Management Tools and Infrastructure (Server-Gui-Mgmt-Infra) This provides a minimal server interface and server management tools such as Server Manager and the Microsoft Management Console
  • Server Graphical Shell (Server-Gui-Shell) It is dependent on the first feature and provides the rest of the GUI experience, including Windows Explorer
  • Desktop Experience is a third available GUI feature. It builds on the Server Graphical Shell feature and is not installed by default in the Server with a GUI installation of Windows Server 2012. Desktop Experience makes available Windows 8 client features such as Windows Media Player, desktop themes, and photo management.

The Different Types of Setup

Windows 2012 brings in another user interface for use; GUI, Server Core & Something in-between called Minimal Server Interface

  • Server Core – always installed and enabled; the baseline feature for all Windows Servers

server2012core

  • Server Graphical Management Tools & Infrastructure – functionality for Minimal Server Interface. No Desktop, Start Screen, Windows Explorer or Internet Explorer

server2012_minimal

  • Server Graphical Shell – equivalent to Server with a GUI

server2012full

Using PowerShell to swap between different Installations

  • Making Server 2012 a Server Core Installation

PowerShell Core

  • Making Server 2012 a Minimal Interface Installation

PowerShell Minimal

  • Making PowerShell a Full GUI Installation

Powershell Full

sconfig in a Server Core Installation

In Windows Server 2012, you can use the Server Configuration tool (Sconfig.cmd) to configure and manage several common aspects of Server Core installations. You must be a member of the Administrators group to use the tool.

Sconfig.cmd is available in the Minimal Server Interface and in Server with a GUI mod

sconfig

Reference Table

2012

Changing the queue depth for QLogic and Emulex HBAs in VMware 4

May 7, 2013 Storage No comments

ladies-que-2

If the performance of your hardware bus adapters (HBAs) is unsatisfactory, or your SAN storage processors or heads are over-utilized, you can adjust your ESXi/ESX hosts’ maximum queue depth value. The maximum value refers to the queue depths reported for various paths to the LUN. When you lower this value, it throttles the ESXi/ESX host’s throughput and alleviates SAN contention concerns if multiple hosts are over-utilizing the storage and are filling its command queue.

When one virtual machine is active on a LUN, you only need to set the maximum queue depth. When multiple virtual machines are active on a LUN, the Disk.SchedNumRegOutstanding value is also relevant. The queue depth value, in this case, is equal to whichever value is the lowest of the two settings: adapter queue depth or Disk.SchedNumReqOutstanding

Instructions

  • On vSphere 4, go to Hosts and Clusters > Configuration > Software . Advanced Settings
  • Highlight Disk and scroll down to Disk.SchedNumReqOutstanding

queuedepth1

  • Change Queue Depth to 64
  • Open Putty or Local Console
  • Verify which HBA module is currently loaded by entering one of these commands on the service console:
  • vmkload_mod -l | grep qla
  • vmkload_mod | grep lpfc

queuedepth2

  • As you can see the first command did not return anything but the second command returned information about the Emulex driver
  • To modify Q Logic, do the following

qlogic2

  • To modify Emulex, do the following

emulex

  • For multiple instances of Emulex HBAs being presented to a system, use:

emulex2

  • Reboot your host
  • Run this command to confirm if your changes are applied
  • esxcfg-module -g driver. Where driver is your QLogic or Emulex adapter driver module, such as lpfc820 or qla2xxx.

VMware Links

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1267