
Active Directory tips and tricks - Spiceworks http://community.spiceworks.com/how_to/122676-active-directory-tip...


by Gregory for Microsoft on Sep 10, 2015 at 1:09am

I have been wanting to do an Active Directory tips and tricks post on troubleshooting and proper setup for some time now,
and so after a nice relaxing weekend I decided to write this up for the community.

Many times I have come across AD setups with bad choices for the domain name. Most of you will be aware that, as of a few
years ago, you can no longer get third-party SSL certs issued with a *.local domain name in the Subject Alternative Names.
I have also found many times that the root domain was chosen as the AD domain name. This is not viable as a long-term
AD domain choice either, because AD wants to be authoritative for the domain name you choose. With both of those things in
mind, the proper choice is a subdomain of your root DNS domain name.

Most deployments I have found have one site, and this is usually the corporate office, so I would usually choose
office.domainname.com or corp.domainname.com.
This allows me to put an A record in the root DNS servers pointing at the WAN address of the corporate office
firewall. That way everything is routable, and we can issue third-party SSL certs for the subdomains or just get a
*.domainname.com wildcard SSL cert for the whole organization.

Choose right from the beginning and it will keep your event logs clear and keep everything that looks for AD services pointed in
the right direction.

Setting up AD DNS is basically handled for you when you create a brand new forest and domain using Server Manager
and the Active Directory wizard.
Choosing the right domain name is critical for this step in your AD infrastructure build-out, so get it right the first time...

If, like me, you often find yourself encountering AD that is already set up and not functioning correctly, then you need to clean
up the DNS entries as a first step.

Start by finding and logging into the PDC so you can do a top-down cleanup of any DNS issues.
*Tip - To find the PDC, open a CMD prompt and type:
NetDom Query FSMO

Once you locate the PDC, remote in and open DNS Manager from Administrative Tools. The next few steps are what I
do to clean up DNS.

I do a quick check of the time stamps to get an idea of what is going on with the DCs.
Once in DNS we need to check the following items:


outside this 7-day range, that is a problem, as they are not updating their DNS records and most likely are not replicating
either. This is my very first indicator of any domain controller DNS or replication issues.

Start by looking over the _MSDCS DNS zone and checking the time stamps to see if you can spot the problem DCs. Usually it is
an old DC that was decommissioned but not gracefully DCPROMO'd out of the environment. These extra entries cause
confusion about where your servers and workstations look for LDAP services from Active Directory. At the least this
causes delays in finding resources, and at worst it can cause AD to stop responding altogether.

If the server listed is one that is orphaned or no longer in play, you need to delete that bad data out of DNS, and that
means checking EVERY SINGLE DNS ZONE under _MSDCS. Look for that orphaned server or IP and delete it.

The name servers on the zones also need to be looked over, so right-click the zone, choose Properties, then the
Name Servers tab. Verify top to bottom that the name servers listed are operational DCs and remove any
old entries. I also like to verify the existing ones by clicking them one at a time, choosing Edit and then Resolve, to
force the server to confirm that it gets the green check mark. That way you really know all is tip-top...
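The _MSDCS time-stamp review and the Name Servers tab check above can be scripted so nothing is missed. The following is an added example, not code from the how-to; it assumes the ActiveDirectory and DnsServer PowerShell modules (RSAT or Windows Server 2012 and later), queries the PDC emulator, and only reports, deleting nothing.

```powershell
# Added example (not from the how-to). Reports _msdcs records and domain-zone NS entries that
# point at hosts which are not current domain controllers, and dynamic records not refreshed
# in 7 days. Report only. Requires the ActiveDirectory and DnsServer modules (RSAT / 2012+).
Import-Module ActiveDirectory, DnsServer

$adDomain  = Get-ADDomain
$zone      = $adDomain.DNSRoot                 # e.g. corp.example.com
$msdcs     = "_msdcs.$zone"
$dnsHost   = $adDomain.PDCEmulator             # query the PDC emulator, as the how-to does
$dcs       = Get-ADDomainController -Filter *
$liveNames = @($dcs.HostName | ForEach-Object { $_.ToLower() })
$liveIPs   = @($dcs.IPv4Address)
$staleDate = (Get-Date).AddDays(-7)

# Reduce each record type to the host name or address it references.
function Get-RecordTarget ($rr) {
    switch ($rr.RecordType) {
        'SRV'   { $rr.RecordData.DomainName }
        'CNAME' { $rr.RecordData.HostNameAlias }
        'NS'    { $rr.RecordData.NameServer }
        'A'     { $rr.RecordData.IPv4Address.IPAddressToString }
        default { $null }
    }
}

$findings = @(foreach ($rr in Get-DnsServerResourceRecord -ComputerName $dnsHost -ZoneName $msdcs) {
    $target = Get-RecordTarget $rr
    if (-not $target) { continue }
    $target = $target.TrimEnd('.').ToLower()
    $orphan = if ($rr.RecordType -eq 'A') { $liveIPs -notcontains $target } else { $liveNames -notcontains $target }
    $stale  = $rr.Timestamp -and $rr.Timestamp -lt $staleDate   # Timestamp is $null for static records
    if ($orphan -or $stale) {
        $why = if ($orphan) { 'target is not a current DC' } else { 'not refreshed in 7 days' }
        [pscustomobject]@{ Zone = $msdcs; Name = $rr.HostName; Type = $rr.RecordType
                           Target = $target; Timestamp = $rr.Timestamp; Problem = $why }
    }
})

# The Name Servers tab of the domain zone is its NS record set at the zone root ("@").
$findings += @(Get-DnsServerResourceRecord -ComputerName $dnsHost -ZoneName $zone -RRType NS |
    Where-Object { $_.HostName -eq '@' } | ForEach-Object {
        $ns = $_.RecordData.NameServer.TrimEnd('.').ToLower()
        if ($liveNames -notcontains $ns) {
            [pscustomobject]@{ Zone = $zone; Name = '@'; Type = 'NS'
                               Target = $ns; Timestamp = $null; Problem = 'NS is not a current DC' }
        }
    })

$findings | Sort-Object Zone, Type, Name | Format-Table -AutoSize
```

Review each reported entry against the DC list before removing it; a DC that is merely offline for maintenance will also show as not refreshed.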

Now that DNS is clean and all the DNS settings have been checked and verified, one further step I do after I clean DNS
is to set up the DNS console with all the DNS servers in the environment.

This accomplishes two things:

1) it confirms that you have the correct IPs for those servers listed in the PDC DNS, and
2) it gives you a single pane to work your DNS checks from.

Now that we have clean DNS, we need to verify that all the AD replication connections between the servers are set properly,
and we do this from AD Sites and Services.

Open Server Manager and then Tools and Active Directory Sites and Services.

Once in the console, drill down to Default-First-Site-Name and then expand the Servers node.
You will see a list of all the DCs in that default site. What you now need to do is be sure all of the domain controllers
showing are actually in play. If you find some that have been decommissioned or taken offline but not gracefully DCPROMO'd
out of AD, then you need to first delete the NTDS connections under that orphaned server, then delete the NTDS subtree, and
then finally the server reference. This allows REPADMIN to run correctly and find good servers so that we can move on.

Once all the orphaned NTDS AD replication connections and their server references have been deleted, you can
move on to assigning the proper subnets to their respective sites.
Create the smallest number of sites possible to keep replication performance acceptable. Right-click Sites and
choose New Site if you have more than one site with domain controllers located in it. You really only want to create sites that
have DCs located on premises.

One thing that is often overlooked is setting the IP subnet assignments for your sites. Most of you will have a few DCs in
the same site, and subnet assignment can be overlooked. Once you expand your AD into another site and subnet over VPN
or MPLS, you would want to first define all the various subnets and then assign those subnets to the sites. You can


Subnets are entered in CIDR form, like 192.168.1.0/24.
Just right-click the Subnets folder and choose New Subnet, then use the drop-down to choose the site.
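The Sites and Services review above (orphaned server objects, then subnet assignments) can be audited before anything is deleted. This is an added example, not code from the how-to; it assumes the ActiveDirectory module (RSAT or Windows Server 2012 and later) and reports only.

```powershell
# Added example (not from the how-to). Reports server objects under CN=Sites that do not
# correspond to a current DC (leftovers of an ungraceful decommission), subnets with no site,
# and sites with no subnet. Report only. Requires the ActiveDirectory module (RSAT / 2012+).
Import-Module ActiveDirectory

$sitesBase = "CN=Sites," + (Get-ADRootDSE).configurationNamingContext
# Server objects under CN=Sites carry the DC's short name, so compare on that.
$liveDCs = @((Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
             ForEach-Object { $_.Name.ToUpper() })

$orphans = foreach ($srv in Get-ADObject -SearchBase $sitesBase -LDAPFilter '(objectClass=server)') {
    if ($liveDCs -contains $srv.Name.ToUpper()) { continue }
    $site = ($srv.DistinguishedName -split ',')[2] -replace '^CN='
    # A real DC has an "NTDS Settings" (nTDSDSA) child holding its replication connection objects.
    $ntds  = Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
    $links = if ($ntds) { @(Get-ADObject -SearchBase $ntds.DistinguishedName -LDAPFilter '(objectClass=nTDSConnection)') } else { @() }
    [pscustomobject]@{ Site = $site; Server = $srv.Name; NtdsSettings = [bool]$ntds; Connections = $links.Count
                       Cleanup = 'delete connections, then NTDS Settings, then the server object' }
}

$subnets    = @(Get-ADReplicationSubnet -Filter *)
$unassigned = $subnets | Where-Object { -not $_.Site }
$emptySites = Get-ADReplicationSite -Filter * | Where-Object {
    $dn = $_.DistinguishedName; -not ($subnets | Where-Object { $_.Site -eq $dn })
}

"Server objects in Sites with no matching DC:"; $orphans    | Format-Table -AutoSize
"Subnets with no site assignment:";            $unassigned | Format-Table Name -AutoSize
"Sites with no subnet assigned:";              $emptySites | Format-Table Name -AutoSize
```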

Replication between domain controllers happens every 180 min, or 2 min if you reset a password. Once you have clean
Sites and Services replication links (usually set up automatically by the replication engine), you can go about testing
replication using the following commands.
The first command is a quick sync that does all the connections at once and reports success or error. The command with
/ADEP steps through each connection, stopping for you to hit continue, and does a full sync with extended attributes
synced.

RepAdmin /SyncAll

RepAdmin /SyncAll /ADEP

RepAdmin for Experts


https://technet.microsoft.com/en-us/library/cc811549
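Beyond the two sync commands, the per-link status that repadmin can emit as CSV is the quickest way to see which connections are actually failing or have not succeeded within the 180-minute window mentioned above. The following is an added example, not code from the how-to; the CSV rows are constructed to mirror the repadmin /showrepl /csv column layout, and the live run at the end requires repadmin.exe (RSAT AD DS tools).

```powershell
# Added example (not from the how-to). Parses the CSV form of "repadmin /showrepl" and returns
# the inbound links that have failures or no successful replication inside the 180-minute
# window the how-to cites. Non-date "Last Success Time" values are treated as never succeeded.
function Find-ReplicationProblem {
    param([object[]]$Rows, [datetime]$Now = (Get-Date), [int]$WindowMinutes = 180)
    $cutoff = $Now.AddMinutes(-$WindowMinutes)
    foreach ($r in $Rows) {
        $failures = 0; [void][int]::TryParse($r.'Number of Failures', [ref]$failures)
        $lastOk = [datetime]::MinValue
        if (-not [datetime]::TryParse($r.'Last Success Time', [ref]$lastOk)) { $lastOk = $null }
        if ($failures -gt 0 -or -not $lastOk -or $lastOk -lt $cutoff) {
            [pscustomobject]@{
                Destination = $r.'Destination DSA'; Source = $r.'Source DSA'
                Partition   = $r.'Naming Context';  Failures = $failures
                LastSuccess = $lastOk;              LastError = $r.'Last Failure Status'
            }
        }
    }
}

# Constructed sample in the repadmin /csv column layout: one healthy link, one failing link.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=corp,DC=example,DC=com",Default-First-Site-Name,DC2,RPC,0,0,2015-09-10 01:05:12,0
showrepl_INFO,Default-First-Site-Name,DC1,"DC=corp,DC=example,DC=com",Default-First-Site-Name,DC3,RPC,5,2015-09-10 01:00:00,2015-09-08 23:10:00,1722
'@ | ConvertFrom-Csv

# With the sample, only the DC1 <- DC3 link is returned (5 failures, last success outside the window).
Find-ReplicationProblem -Rows $sample -Now ([datetime]'2015-09-10 02:00:00') | Format-Table -AutoSize

# Live run against every DC, when the tool is available:
if (Get-Command repadmin.exe -ErrorAction SilentlyContinue) {
    Find-ReplicationProblem -Rows (repadmin /showrepl * /csv | ConvertFrom-Csv) | Format-Table -AutoSize
}
```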

Now open a CMD prompt as Administrator so we can run DCDIAG to check AD health.
This gives a quick high-level overview of your AD health so we can narrow down any issues with accessing LDAP
resources.

What I like to do after I clean up DNS is to save and clear the event logs and reboot the PDC. This makes the PDC go
through the AD motions during boot, and then you get a good solid picture of your current issues when running DCDIAG.

Now open CMD as Administrator and type

DCDIAG

This will verify the DC health, so make note of any errors and then research those specific issues and event
IDs on the internet.

Run the DCDiag DNS Health Checks


DCDIAG /DnsAll

Dump DCDiag results to a text file


DCDIAG /f:C:\DCDIAGReport.txt



The last step is to run a Best Practices scan from the Server Manager console for AD DS and remedy any errors and
warnings. This final step will confirm that all of AD is operating correctly. Just research the errors if they are displayed and
follow the necessary resolution steps. There are too many to mention here, but one that will show for most is the check to see
if this DC is running as a virtual machine, which refers to best practices that need to be followed. This one is common and can
be ignored in most cases.

To protect every OU in the organization from accidental deletion, open PowerShell on the PDC as Administrator and run the
following command, which finds the unprotected OUs and sets the flag on them:
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true


The next evolution of AD is Azure Active Directory. This is easy to connect to your local AD using the Azure AD Connect tool,
which you can download here:
http://www.microsoft.com/en-us/download/details.aspx?id=47594
Once you connect your on-premises AD to Azure, you can then leverage the new features in Windows 10 that allow you to
connect remote users to your internal AD without the need for a VPN. This cloud-ready AD is the future and I would
encourage all of you to give it a try.

Active Directory can be tricky if it is not setup correctly and I hope this how-to helps you with your AD adventures!

Good Luck and Happy Computing!

Best Practices Analyzer for Active Directory


ReapAdmin TechNet
DCDIAG Syntax
Active Directory Domain Naming Considerations

antonpozdnyakov Sep 11, 2015 at 5:59pm


Wow, great list of really useful stuff. Very helpful! Added to Pocket to come back and read again.

I would also recommend checking out the Active Directory Tips and Tricks twitter account (https://twitter.com/ADTipsTricks)
Also really good and can add some good points to the subject.

BlueComp2 Sep 11, 2015 at 6:12pm


What's a PDC? ;-) I seem to remember hearing something about them in history class...

actionhank1786 Sep 11, 2015 at 6:55pm


This is super helpful!
I'm working on my MCSA currently, but I've also realized that the company I work for that I'm slowly inheriting more and
more responsibility at was setup without...well, from what I can tell, without a ton of long-term planning. And it hasn't really
been followed up with since. We've got 120+ users, and we're growing by at least 3 to 5 people every month. Despite that,
we still only have a massive cluster of users in AD, without any sort of GPO to make life easier. I'm still doing printers by
hand every time someone moves desks, or a new person arrives.

Needless to say, my MCSA motivation is definitely high. Thanks for a great article to help with a solid foundation! Definitely
bookmarking this.


LFCavalcanti Sep 11, 2015 at 7:00pm


PDC = Primary Domain Controller

I would also add that you should set up regular backups of the SYSVOL. In case of corruption you don't have to worry about
authoritative restores.

I also set SYSVOL and NTDS folders on a dedicated partition in the PDC.

Jason1121 Sep 11, 2015 at 7:18pm


I think Blue was being sarcastic. I've seen a ton of comments here over the past few years claiming that there is no longer
such a thing as a primary domain controller anymore. Perhaps that is technically true, but to me the schema master is the
PDC.

Let the arguing commence? :)

Jason1121 Sep 11, 2015 at 7:21pm


Good article, btw.

I'm curious how many of us still run with .local domains since that was the recommendation way back when? Quite a few
customers of ours are still set up that way. Some don't have any kind of subdomain configured. In fact, one customer's
domain name is just "domain". Not our work - we inherited them from another MSP. AD functions fine though.

How many used to be like that but have managed to move away to a proper naming scheme?

actionhank1786 Sep 11, 2015 at 7:46pm


I don't know if our main guy knew of it, or just didn't really think it would ever be much of an issue, but we're on
companyname.local.

I wouldn't mind moving away from it, but sadly, that's beyond my current level of responsibility.

Steve_S Sep 11, 2015 at 8:25pm


Great post! I am in a Windows Server class now and will be preparing for MCSA soon. It is nice to see what current users
recommend to manage an efficient AD.

LFCavalcanti Sep 11, 2015 at 10:14pm


+Jason1121
Well, I didn't get the joke... sorry.
I agree, in reality there is no real PDC anymore. There's a server with the assigned role of Schema Master but if you keep
multiple GC on the domain, you just transfer or seize the role if needed.
However I still tend to use one server as reference for backups and authoritative restores.

The ".local" part, well... most of my clients have ".local" domains, just because they were built ages ago, most of them not
started by me.
It was not a question of long-term planning back then. People now make jokes or even gloat about these "bad decisions",
but if you think about how much technology changed in the last 15 years. I started working with IT back on WinNT, I know
people even "older" in the field. These decisions seem bad for "newer" people, for me not so much, it's just the natural
evolution.

John Hanson Sep 12, 2015 at 3:56am


Very helpful, you forgot to mention the perils of trying to backup and restore active directory (EEEK!)

Gregory for Microsoft Sep 12, 2015 at 4:25am


Yea I will do a more in depth Active Directory Disaster Recovery How-To Next Week.
Also if anyone in the community has a topic you want me to cover just PM me.


Indignified Sep 17, 2015 at 2:42am


NICELY DONE! Typo in #8 and the hyperlink references - "ReapAdmin" ... Do you have something on your mind sir?

christophe Sep 21, 2015 at 8:37pm


PDC is called PDC emulator now ... see wiki on it:
https://en.wikipedia.org/wiki/Flexible_single_master_operation

Kirk Lashbrook Sep 24, 2015 at 1:54am


Why would you need to connect to the PDC to manage DNS ?



