
DCLocator | Active Directory Client logon

The Netlogon service on each domain controller is responsible for registering that DC's SRV records in DNS. It registers the domain-wide records first and then the site-specific SRV records, based on the site the DC belongs to, so that a client running the DC Locator process can find a DC in its own site before falling back to any DC in the domain.
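The following PowerShell is an added example, not code from the original post: it queries the domain-wide and site-specific LDAP SRV records that Netlogon registers (the standard `_msdcs` locations) and then asks the locator itself which DC it would pick. The domain name globomantics.local and the fallback site name Chicago are placeholders.

```powershell
# Added example (not from the original post): compare the SRV records Netlogon
# registered with what DC Locator actually returns on this client.
# Assumptions: 'globomantics.local' and 'Chicago' are placeholders; run on a
# domain-joined Windows host with the DnsClient module (Windows 8 / 2012 or later).
$domain = 'globomantics.local'
$site   = (nltest /dsgetsite 2>$null | Select-Object -First 1)   # this client's site
$site   = if ($site) { $site.Trim() } else { 'Chicago' }

# Domain-wide LDAP record: every DC in the domain registers a target here.
$domainWide = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$domain" -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port

# Site-specific record: only DCs in this site (or covering it) register a target here.
$siteLocal = Resolve-DnsName -Type SRV -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port

"DCs registered domain-wide for ${domain}:"
$domainWide | Format-Table -AutoSize
"DCs registered for site ${site}:"
$siteLocal | Format-Table -AutoSize

# What the locator picks. /force bypasses the cached DC so the answer reflects
# the current records; a DC outside the client's site here means the site-specific
# record is missing or stale.
nltest /dsgetdc:$domain /force
```

If the site-specific query returns nothing while the domain-wide one does, either the client's subnet is not mapped to a site or no DC is registering for that site, which is exactly the situation Automatic Site Coverage (next post) is meant to handle.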

Automatic Site Coverage | Active Directory

In an Active Directory site that has at least one Domain Controller, clients in that site contact a DC in their own site for logon and other service requests. But suppose you have a site without a Domain Controller (yes, that is possible). Which Domain Controller do the clients in that site contact? This is where Automatic Site Coverage comes into play.

With Automatic Site Coverage, each Domain Controller examines every site in the domain and calculates a replication cost matrix from the site-link costs. The DC in the site that is closest (lowest total site-link cost) to the site without a DC advertises itself for that site by registering site-specific SRV records on its behalf. If several sites have the same cost to the DC-less site, the site with the most Domain Controllers is chosen. If there is still a tie, the site whose name comes first in the alphabet…
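To make the three selection rules concrete, here is an added PowerShell example (not from the original post) that reproduces them on constructed data: the site names, DC counts and link costs are made up. A real DC takes the same inputs from the site links in the Configuration partition, which you can read with `Get-ADReplicationSiteLink -Filter * -Properties Cost, SitesIncluded`.

```powershell
# Added example (not from the original post): Automatic Site Coverage selection on
# constructed data. Boise is the site without a DC.
$dcCount = @{ Chicago = 2; Denver = 1; Austin = 2; Boise = 0 }   # DCs per site (made up)
$links = @(
    @{ Sites = @('Chicago','Denver'); Cost = 100 },
    @{ Sites = @('Denver','Boise');   Cost = 200 },
    @{ Sites = @('Austin','Boise');   Cost = 200 },
    @{ Sites = @('Chicago','Boise');  Cost = 200 }
)

function Get-SiteCost {
    # Cheapest total site-link cost from $From to $To (Dijkstra over the site links).
    param([string]$From, [string]$To)
    $dist = @{}
    foreach ($s in $dcCount.Keys) { $dist[$s] = [int]::MaxValue }
    $dist[$From] = 0
    $pending = @($dcCount.Keys)
    while ($pending.Count -gt 0) {
        $current = $pending | Sort-Object { $dist[$_] } | Select-Object -First 1
        $pending = @($pending | Where-Object { $_ -ne $current })
        if ($dist[$current] -eq [int]::MaxValue) { break }   # remaining sites are unreachable
        foreach ($link in ($links | Where-Object { $_.Sites -contains $current })) {
            foreach ($next in ($link.Sites | Where-Object { $_ -ne $current })) {
                $alt = $dist[$current] + $link.Cost
                if ($alt -lt $dist[$next]) { $dist[$next] = $alt }
            }
        }
    }
    return $dist[$To]
}

function Get-CoveringSite {
    # Rule 1: lowest cost. Rule 2: most DCs. Rule 3: alphabetical site name.
    param([string]$EmptySite)
    $candidates = foreach ($s in $dcCount.Keys) {
        if ($dcCount[$s] -gt 0) {
            [pscustomobject]@{ Site = $s; Cost = (Get-SiteCost $s $EmptySite); DCs = $dcCount[$s] }
        }
    }
    $candidates | Where-Object { $_.Cost -ne [int]::MaxValue } |
        Sort-Object -Property Cost, @{ Expression = 'DCs'; Descending = $true }, Site |
        Select-Object -First 1
}

Get-CoveringSite -EmptySite 'Boise'
# With these costs every DC-holding site reaches Boise at the same cost, so the
# DC-count rule and then the alphabetical rule decide. In a real forest, verify
# which DCs registered for the empty site with:
#   nltest /dsgetdc:<domain> /site:Boise
```

Site-link bridging changes the cost matrix (a bridged path can be cheaper than any single link), which is why the function walks the link graph rather than reading one link at a time.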

SYSVOL Explained

Whenever someone asks me "What is SYSVOL?", my answer is: the folder which stores Group Policy.

But is it just a folder? Let us find out.

What is SYSVOL?

SYSVOL is a special folder found at C:\Windows\SYSVOL (more precisely %SystemRoot%\SYSVOL) on every domain controller in the domain. It holds the domain's Group Policy templates, default profiles and logon/logoff/startup/shutdown scripts. It is replicated between all DCs (by FRS, or by DFS-R once SYSVOL has been migrated) and shared as SYSVOL and NETLOGON, so every domain member reads the same copy. Because Authenticated Users can read it by default, nothing placed in SYSVOL should be treated as a secret.
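The Policies subfolder is where the "it's just a folder" picture breaks down: each GUID-named directory there is the file half of a GPO whose other half is an object in AD, and the two have to stay in step. The PowerShell below is an added example (not from the original post) that maps those folders to GPO names, flags folders with no AD object, and checks that the AD and SYSVOL version counters of each GPO agree. The domain name is a placeholder; it needs the GroupPolicy module (RSAT) and read access to the share.

```powershell
# Added example (not from the original post): reconcile SYSVOL\Policies with the
# GPO objects in AD. Assumption: 'globomantics.local' is a placeholder domain.
Import-Module GroupPolicy
$domain       = 'globomantics.local'
$policiesPath = "\\$domain\SYSVOL\$domain\Policies"

# GPO objects in AD, keyed by the braced GUID that names their SYSVOL folder.
# PowerShell hashtable keys are case-insensitive, so folder-name case does not matter.
$gpos = @{}
foreach ($g in Get-GPO -All -Domain $domain) { $gpos["{$($g.Id)}"] = $g }

$report = foreach ($dir in Get-ChildItem -Path $policiesPath -Directory) {
    $gpo     = $gpos[$dir.Name]
    $scripts = @(Get-ChildItem -Path $dir.FullName -Recurse -File -Include *.bat,*.cmd,*.ps1,*.vbs -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Folder  = $dir.Name
        # 'PolicyDefinitions' (the ADMX central store) is expected to show up here too.
        GPO     = if ($gpo) { $gpo.DisplayName } else { '<no matching GPO object>' }
        # The AD-side and SYSVOL-side version numbers match once replication has caught up;
        # a persistent mismatch means clients get settings from a stale file copy.
        InSync  = if ($gpo) {
                      ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion) -and
                      ($gpo.User.DSVersion     -eq $gpo.User.SysvolVersion)
                  } else { $null }
        Scripts = $scripts.Count     # scripts run on every machine the GPO applies to
    }
}
$report | Sort-Object GPO | Format-Table -AutoSize
```

Folders with no GPO object are leftovers that GPMC will not show you; folders whose scripts count is non-zero are worth a periodic look, since anyone who can write to that folder can change what every targeted computer executes.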

Active Directory Recycle Bin

Focus: Active Directory Recycle Bin

Active Directory Recycle Bin

This feature was introduced in Windows Server 2008 R2 and is disabled by default. It is available only when the forest functional level is Windows Server 2008 R2 or higher. Once you enable it, it cannot be disabled.

How to enable?

In Windows Server 2008 R2 there is no GUI to enable the AD Recycle Bin (the Active Directory Administrative Center only gained one in Windows Server 2012). Open PowerShell and execute the following, replacing globomantics.local with your forest root domain:

Import-Module ActiveDirectory
Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "globomantics.local" -WhatIf

The -WhatIf switch only shows what would happen. Remove it to actually enable the feature; you will be asked to confirm, because the change is irreversible.
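Enabling the feature is the easy half; the reason to enable it is the restore. The PowerShell below is an added example (not from the original post) that checks the feature is really on, finds a deleted user, and restores it with its attributes and group memberships intact. The forest name globomantics.local and the account jdoe are placeholders.

```powershell
# Added example (not from the original post): verify the Recycle Bin and restore a
# deleted user. Assumptions: 'globomantics.local' and 'jdoe' are placeholders.
Import-Module ActiveDirectory
$forest = Get-ADForest -Identity 'globomantics.local'

# Precondition: the feature must have at least one enabled scope. Without it a
# deleted object is only a tombstone (most attributes stripped) and cannot be
# restored intact.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' -Server $forest.RootDomain
if ($feature.EnabledScopes.Count -eq 0) {
    throw "Recycle Bin is not enabled (forest mode: $($forest.ForestMode)). Enable it first."
}

# Deleted objects sit under CN=Deleted Objects with isDeleted=TRUE and a mangled
# name ('jdoe\0ADEL:<guid>'); -IncludeDeletedObjects is required to see them.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq 'jdoe' } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, memberOf, sAMAccountName
if (-not $deleted) { throw "No deleted object with sAMAccountName jdoe found." }

$deleted | Select-Object Name, lastKnownParent, whenChanged,
    @{ n = 'Groups'; e = { @($_.memberOf).Count } } | Format-List

# Restore-ADObject puts the object back under lastKnownParent. If that OU was
# deleted as well, restore the OU first (same cmdlet) or pass -TargetPath.
Restore-ADObject -Identity $deleted.ObjectGUID

# Confirm: the account is back with its memberships; note it comes back in the
# same enabled/disabled state it had when deleted.
Get-ADUser -Identity 'jdoe' -Properties memberOf |
    Select-Object Enabled, DistinguishedName, @{ n = 'Groups'; e = { @($_.memberOf).Count } }
```

Two practical checks: run the `Get-ADObject` part alone first to be sure the filter matched the right object (several deleted accounts can share a sAMAccountName), and restore parent containers before their children, since a child cannot be restored into a container that is itself deleted.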

Active Directory Tombstone

Focus: Active Directory Tombstone, TSL, Tombstone reanimation

Active Directory Tombstone

When an object is deleted from Active Directory it is not removed immediately; it is converted into a tombstone: most of its attributes are stripped, it is renamed and moved into the Deleted Objects container, and its isDeleted attribute is set. The tombstone is what a Domain Controller replicates to the other Domain Controllers so that each of them learns about the deletion. It is kept for the tombstone lifetime (TSL), after which garbage collection removes it permanently.
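The TSL is a single forest-wide value, and a tombstone that passes it is gone for good, so it is worth knowing both the number and what is about to expire. The PowerShell below is an added example (not from the original post) that reads the TSL from the Directory Service object and lists tombstones that garbage collection will purge within a week. One assumption is built in: when the attribute is unset the forest uses the 60-day default of forests created on Windows 2000/2003 RTM (forests created on 2003 SP1 or later get 180 days written explicitly).

```powershell
# Added example (not from the original post): tombstone lifetime and soon-to-expire
# tombstones. Assumption: an unset tombstoneLifetime attribute means 60 days.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE
$dsCfg   = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
               -Properties tombstoneLifetime
$tsl     = if ($dsCfg.tombstoneLifetime) { $dsCfg.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days"

# The delete is normally the last write to the object, so whenChanged is the
# deletion time. Anything deleted more than (TSL - 7) days ago expires within a week.
$cutoff = (Get-Date).AddDays(-($tsl - 7))
Get-ADObject -Filter { isDeleted -eq $true -and whenChanged -lt $cutoff } `
    -IncludeDeletedObjects -Properties whenChanged, lastKnownParent, objectClass |
    Where-Object { $_.DistinguishedName -notlike 'CN=Deleted Objects,*' } |   # the container itself is flagged isDeleted
    Select-Object Name, objectClass, lastKnownParent,
        @{ n = 'DeletedOn'; e = { $_.whenChanged } },
        @{ n = 'DaysLeft';  e = { [math]::Round(($_.whenChanged.AddDays($tsl) - (Get-Date)).TotalDays, 1) } } |
    Sort-Object DaysLeft | Format-Table -AutoSize
```

With the Recycle Bin enabled the lifecycle has an extra stage: a deleted object stays fully recoverable for msDS-DeletedObjectLifetime before it becomes a recycled object that lives out the TSL, so the "DaysLeft" above then describes the end of the recycled stage rather than the last chance to restore.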

Active Directory USN Rollback

Focus: USN, USN Rollback, DSA GUID and Invocation GUID

Update Sequence Number (USN)

The USN is the counter the AD database uses to track changes on a DC. Every change committed on a DC (each write transaction) increments that DC's USN. USNs are local to each DC, so the USN values of DCs in the same domain need not be the same; what partners track is the pair of a DC's invocation ID (the GUID of its current database instance) and the highest USN they have seen from it.
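A USN rollback is precisely a break in that pairing: the database is taken back to an older state (snapshot revert, disk image) without the invocation ID changing, so the DC reuses USNs its partners have already acknowledged. The PowerShell below is an added example (not from the original post) that captures the identifiers involved on a DC and checks the two signs Windows leaves behind when it detects the condition: Directory Service event 2095 and the "Dsa Not Writable" registry value set to 4. Run it on the domain controller itself.

```powershell
# Added example (not from the original post): USN rollback indicators on this DC.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# dsServiceName is the DN of this DC's NTDS Settings object. Its objectGUID is the
# DSA GUID (stable for the life of the DC). invocationId changes whenever the
# database is restored from a supported backup; that is how partners learn that
# the USN counter started over and must not be compared with the old one.
$ntds = Get-ADObject -Identity $rootDse.dsServiceName -Properties objectGUID, invocationId
[pscustomobject]@{
    DC                  = $env:COMPUTERNAME
    DsaGuid             = $ntds.objectGUID
    InvocationId        = [guid]$ntds.invocationId     # stored as a byte array
    HighestCommittedUsn = $rootDse.highestCommittedUSN
}

# After an unsupported restore the invocationId is unchanged but highestCommittedUSN
# is lower than what a partner already received under that invocationId. When the
# DC notices, it logs event 2095, sets this value to 4, and pauses inbound and
# outbound replication plus the Netlogon service to contain the damage.
$regPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$notWritable = (Get-ItemProperty -Path $regPath -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue).'Dsa Not Writable'
if ($notWritable -eq 4) {
    Write-Warning "USN rollback detected on this DC. Do not clear the value; demote and re-promote the DC."
} else {
    "No USN rollback flag set."
}
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Record the invocation ID and highest USN before any planned restore or virtualization change; having the "before" values makes it trivial to tell a legitimate restore (new invocation ID) from a rollback (same ID, lower USN).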

Active Directory Replication Explained

Focus: Active Directory Replication, USN, HWMV and UTDV

Intrasite replication copies changes made on one DC to every other DC in the same site. AD replication is generally a pull operation. For example, in a site with two DCs, DC1 and DC2: if a change is made on DC1, DC1 notifies DC2 that it has changes, and DC2 then requests them. To know what it still needs, each DC keeps a high-watermark vector (HWMV) holding the highest USN it has received from each direct partner, and an up-to-dateness vector (UTDV) holding the highest originating USN it has applied from every DC in the forest, which stops the same change being sent twice by different partners.
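Both vectors can be read from the pulling DC, which makes the description above easy to check against a live forest. The PowerShell below is an added example (not from the original post); DC1 and DC2 are placeholders for the two DCs in the text.

```powershell
# Added example (not from the original post): the pull relationship and the two
# vectors for the domain naming context. Assumptions: 'DC1' and 'DC2' are placeholders.
Import-Module ActiveDirectory
$dc = 'DC2'                                    # the DC that pulls
$nc = (Get-ADDomain).DistinguishedName         # domain naming context

# HWMV: one entry per inbound partner with the last USN DC2 pulled from it.
Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Inbound -Partition $nc |
    Select-Object Server,
        @{ n = 'Partner'; e = { $_.Partner -replace '^CN=NTDS Settings,CN=([^,]+),.*', '$1' } },
        LastChangeUsn, LastReplicationSuccess, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# UTDV: one entry per DC in the forest (identified by invocation ID) with the highest
# originating USN DC2 has already applied, whichever partner delivered it.
Get-ADReplicationUpToDatenessVectorTable -Target $dc -Partition $nc |
    Select-Object Server, Partner, PartnerInvocationId, UsnFilter, LastReplicationSuccess |
    Format-Table -AutoSize

# To watch the vectors move: change something on DC1, then make DC2 pull from DC1
# for this partition and run the two queries again.
repadmin /replicate $dc DC1 $nc
```

A UTDV entry whose invocation ID no longer belongs to any live DC is normal (it lingers for a retired DC) but one whose LastReplicationSuccess is older than the tombstone lifetime is the precursor of the "tombstone lifetime exceeded" replication error covered further down this page.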

Software installation using group policy

This can be done in two ways.

Contents of System State Backup

The contents of a system state backup include:

1. The registry
2. The COM+ Class Registration database
3. Boot files, including the system files

Why Infrastructure Master should not be a Global Catalog server?

This is one of the most confusing questions in Active Directory. I will try to explain it in a simpler way.
The Infrastructure Master role is responsible for maintaining cross-domain references. To discuss cross-domain references we first need to discuss phantom objects.
A domain local or universal group can hold members from other domains in the forest (a global group cannot). For a group in one domain to contain a member from another domain, the DCs of the group's domain need a placeholder for that foreign object, because they do not hold a copy of it. This placeholder, which records the object's DN, GUID and SID, is called a phantom object. When the real object is renamed or moved, the phantoms must be updated, and the Infrastructure Master does this by comparing its phantoms against a Global Catalog. If the Infrastructure Master is itself a GC, it holds the real (partial) objects instead of phantoms, finds nothing to update, and the stale references are never fixed. The exception is when every DC in the domain is a GC, or the forest has only one domain: then no DC holds phantoms and the placement of the role does not matter.

Active Directory FSMO Roles

Focus: Active Directory FSMO Roles

FSMO - Expansion and its relevance

FSMO stands for Flexible Single Master Operations, and each word is significant. An Operations Master is a role that handles one particular operation for which a single authoritative DC is required. So why "Flexible" and "Single"?

Active Directory Global Catalog Server

Focus: Global Catalog Server

The global catalog (GC) is a role hosted by domain controllers in an Active Directory forest. A GC stores a full, writable copy of all objects in its own domain and a partial, read-only copy (the partial attribute set) of all objects in every other domain in the forest, and it answers forest-wide queries on TCP port 3268 (3269 over SSL).
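The three posts above (phantoms and the Infrastructure Master, FSMO roles, and the Global Catalog) come together in one check a practitioner actually runs: who holds which role, whether the Infrastructure Master placement is safe, and what a GC query returns. The PowerShell below is an added example, not from the original posts; the user name jdoe is a placeholder.

```powershell
# Added example (not from the original posts): FSMO holders, the Infrastructure
# Master / GC condition, and a query against the GC port. 'jdoe' is a placeholder.
Import-Module ActiveDirectory
$forest = Get-ADForest

# Forest-wide roles have one holder per forest; the other three have one per domain.
[pscustomobject]@{ Role = 'SchemaMaster';       Holder = $forest.SchemaMaster;       Scope = 'forest' }
[pscustomobject]@{ Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster; Scope = 'forest' }
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
        [pscustomobject]@{ Role = $role; Holder = $dom.$role; Scope = $d }
    }

    # The IM must not be a GC unless every DC in the domain is one (then nobody
    # holds phantoms) or the forest has a single domain (then there are none).
    $dcs   = Get-ADDomainController -Filter * -Server $d
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $im    = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    if ($im.IsGlobalCatalog -and -not $allGc -and $forest.Domains.Count -gt 1) {
        Write-Warning "$d : Infrastructure Master $($im.HostName) is a GC while other DCs are not; phantom cross-domain references will never be updated."
    }
}

# A GC query. Port 3268 searches the whole forest in one go, but for objects outside
# the GC's own domain only attributes in the partial attribute set come back;
# anything else is simply empty, not an error.
$gc = $forest.GlobalCatalogs | Select-Object -First 1
Get-ADUser -Filter 'sAMAccountName -eq "jdoe"' -Server "${gc}:3268" -Properties mail, department |
    Select-Object Name, DistinguishedName, mail, department
```

If you need an attribute from another domain that the GC query leaves empty, either add it to the partial attribute set in the schema or query a DC of that domain on port 389 instead.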

Active Directory Backup and Restore in Windows 2008

Focus: Active Directory Backup and restore

Taking a backup

1. Open a command prompt and execute "wbadmin start systemstatebackup -backuptarget:e:\".
   Note: in Windows 2008 the Windows Server Backup feature must be installed first, as it is not installed by default.
2. Confirm that the backup succeeded with "wbadmin get versions".

Restoring (non-authoritative)

1. Restart the server in Directory Services Restore Mode (DSRM).
2. Get the version ID of the available backup with "wbadmin get versions".
3. Run the restore with "wbadmin start systemstaterecovery -version:versionID".

Making the Restoration Authoritative

1. At a command prompt, type ntdsutil and press ENTER.
2. Type authoritative restore and press ENTER.
3. You will be told "Active Instance not set. To set an active instance use "Activate Instance"."
4. Type activate instance ntds and press ENTER.
5. Then type restore subtree dc=Domain_Name,dc=xxx and press ENTER. Restoring the whole domain this way reverts every change made since the backup; to recover a single deleted OU or object, give its DN instead of the domain root.
Note: In windows 2008,…
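The steps above are easy to mistype under pressure (the version identifier in particular), so here they are as PowerShell functions that parse the wbadmin output and pass the ntdsutil menu entries as arguments instead of typing them at prompts. This is an added example, not from the original post; the backup target E:\ and the OU DN are placeholders, and everything must run elevated on the DC.

```powershell
# Added example (not from the original post): scripted backup, version lookup and
# authoritative restore. Assumptions: target 'E:\' and the OU DN are placeholders.
function Invoke-SystemStateBackup {
    param([string]$Target = 'E:\')
    # Windows Server Backup is not installed by default on 2008 / 2008 R2.
    Import-Module ServerManager
    if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
        Add-WindowsFeature -Name Windows-Server-Backup | Out-Null
    }
    wbadmin start systemstatebackup "-backuptarget:$Target" -quiet
}

function Get-LatestBackupVersion {
    param([string]$Target = 'E:\')
    # 'wbadmin get versions' prints one 'Version identifier: MM/dd/yyyy-HH:mm' line
    # per backup, oldest first; take the last one.
    $m = wbadmin get versions "-backuptarget:$Target" |
         Select-String 'Version identifier:\s*(\S+)' | Select-Object -Last 1
    if (-not $m) { throw "No system state backup found on $Target" }
    $m.Matches[0].Groups[1].Value
}

function Set-AuthoritativeSubtree {
    # Run in DSRM, after the non-authoritative restore and before the normal reboot.
    # ntdsutil takes its menu entries as arguments, one quoted string per prompt, so
    # the five interactive steps above collapse into one command.
    param([Parameter(Mandatory = $true)][string]$Subtree)
    ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $Subtree" quit quit
}

Invoke-SystemStateBackup -Target 'E:\'
"Latest system state backup: $(Get-LatestBackupVersion -Target 'E:\')"

# In DSRM:
#   wbadmin start systemstaterecovery "-version:$(Get-LatestBackupVersion)" -quiet
#   Set-AuthoritativeSubtree -Subtree 'OU=Sales,DC=globomantics,DC=local'
# The authoritative restore raises the version number of every restored attribute
# (by default 100000 per day elapsed since the backup) so the restored copy wins
# over the deletion when replication resumes. Restore only the subtree you lost.
```

Keep the backup older than the tombstone lifetime out of play: wbadmin will refuse to restore a system state backup that is older than the TSL, because the restored DC could reintroduce objects every other DC has already garbage-collected.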

Enable replication - tombstone lifetime exceeded

Step 1
Run "repadmin /showrepl" on the domain controller that reported the error to find out which replication partner has been disconnected for longer than a tombstone lifetime (the error shown for that partner is 8614).

Step 2
Modifying the registry
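The registry value in question is "Allow Replication With Divergent and Corrupt Partner" under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters; repadmin /regkey can set and clear it so you do not edit it by hand. The PowerShell below is an added example (not from the original post) that performs step 1 with the replication metadata, applies the override for one replication cycle, removes it, and then checks for the lingering objects the override can let back in. DC2 is a placeholder for the stale partner; run it on the DC that logs the error.

```powershell
# Added example (not from the original post): tombstone-lifetime-exceeded recovery.
# Assumptions: run on the DC raising the error; 'DC2' is the stale partner; an unset
# tombstoneLifetime attribute means the 60-day default.
Import-Module ActiveDirectory
$me  = $env:COMPUTERNAME
$cfg = (Get-ADRootDSE).configurationNamingContext
$tsl = (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }
$nc  = (Get-ADDomain).DistinguishedName

# Step 1: inbound partners whose last success is older than the TSL, or whose last
# result is already 8614 (ERROR_DS_REPL_LIFETIME_EXCEEDED).
Get-ADReplicationPartnerMetadata -Target $me -PartnerType Inbound |
    Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddDays(-$tsl) -or $_.LastReplicationResult -eq 8614 } |
    Select-Object Partition,
        @{ n = 'Partner'; e = { $_.Partner -replace '^CN=NTDS Settings,CN=([^,]+),.*', '$1' } },
        LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize

# Step 2: set the override, pull once from the stale partner, remove the override.
# 'allowDivergent' is repadmin's name for the registry value named above (DWORD 1).
repadmin /regkey $me +allowDivergent
repadmin /replicate $me DC2 $nc
repadmin /regkey $me -allowDivergent      # never leave this set

# Step 3: anything deleted here while DC2 was cut off is still live on DC2 and can
# come back as a lingering object. Compare DC2 against this DC (the reference) in
# advisory mode first; drop /advisory_mode to actually remove them.
$myDsaGuid = (Get-ADObject -Identity (Get-ADRootDSE).dsServiceName).ObjectGUID
repadmin /removelingeringobjects DC2 $myDsaGuid $nc /advisory_mode
```

If DC2 is the one that was offline, the cleaner fix is usually to demote it (forcibly if needed), clean up its metadata, and promote it again; the override is for the case where the data on the stale side is worth keeping.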

Cannot set folder permissions to AD groups in Windows 2003


I have an environment with Windows 2003 and Windows 2008 servers in Windows 2000 native mode. If I try to add any AD group to the folder security of a Windows 2008 server, the AD group name does not get resolved.

Active Directory | KCC vs ISTG

Focus: Active Directory KCC and ISTG

The KCC (Knowledge Consistency Checker) is responsible for generating the replication topology between domain controllers. The KCC runs on every DC in the forest and creates a
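The split of duties is visible in the directory itself: each site's NTDS Site Settings object names the DC acting as ISTG for that site, and each connection object carries a flag saying whether the KCC generated it. The PowerShell below is an added example (not from the original post) that lists both.

```powershell
# Added example (not from the original post): ISTG per site and KCC-generated
# versus manual connection objects.
Import-Module ActiveDirectory

foreach ($site in Get-ADReplicationSite -Filter *) {
    # The ISTG of a site is recorded on its NTDS Site Settings object as the DN of
    # the chosen DC's NTDS Settings object.
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" `
                    -Properties interSiteTopologyGenerator
    $istg = if ($settings.interSiteTopologyGenerator) {
                $settings.interSiteTopologyGenerator -replace '^CN=NTDS Settings,CN=([^,]+),.*', '$1'
            } else { '<not set: no DC in this site>' }
    "Site $($site.Name): ISTG = $istg"
}

# Connection objects. AutoGenerated ones are owned by the KCC (the intrasite KCC or
# the site's ISTG), which may delete or re-route them; a manual connection is left
# alone by the KCC, so a stale manual connection is a common cause of odd topologies.
Get-ADReplicationConnection -Filter * |
    Select-Object Name, AutoGenerated, InterSiteTransportProtocol,
        @{ n = 'From'; e = { $_.ReplicateFromDirectoryServer -replace '^CN=NTDS Settings,CN=([^,]+),.*', '$1' } },
        @{ n = 'To';   e = { $_.ReplicateToDirectoryServer   -replace '^CN=NTDS Settings,CN=([^,]+),.*', '$1' } } |
    Sort-Object AutoGenerated, From | Format-Table -AutoSize

# Ask the KCC on a DC to recompute its topology now instead of waiting for its
# 15-minute cycle, then re-run the listing to see what it changed.
repadmin /kcc $env:COMPUTERNAME
```

The ISTG column tells you which DC to look at when intersite connections are missing; the AutoGenerated column tells you which connections the KCC will never fix for you.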