I have recently had a few customers who are focusing on a consolidation or ‘modernization’ of their directory services infrastructure, including delegation models.  A big part of this adjustment is the consolidation or restructuring of OUs.  Then the question becomes, “How do we approach this?”  The following is not meant to be a comprehensive solution but rather a high-level introduction to the migration considerations and approach. Background In Active Directory, organizatio... [More]

I had a customer request to disable ActiveSync for all Exchange 2007 users and only allow active sync when an administrator enables the feature for a specific user. Below are the steps I developed to determine the devices that are enabled and how to disable ActiveSync for accounts with no devices paired with the mailbox. To automate the process, all you need to do is create a scheduled task on one of the Exchange servers to run daily. Happy Exchanging!!!! 1. We want to run this command to get ... [More]

Not too long ago, through the InitialAssist program, I had the opportunity to spend some time assisting an organization in the recovery of directory data and resource access.  The organization had put out a request for assistance from the Microsoft newsgroups and had received some excellent suggestions but unfortunately they didn’t resolve the issue. On Saturday afternoon, after a half day session at the Microsoft Directory Services Masters program, I became involved through the requ... [More]

While I was out at the Microsoft Certified Masters program for Directory Services a while back, I realized that I made a mistake in a post about NETLOGON SRV registration intervals.  Thanks to Microsoft Platforms PFE Matt Reynolds for helping me catch this error.  I apologize to everyone for the mistake in my post.  The traces which are attached to the original post show the correct intervals as you’d imagine but I didn’t do a good job of writing to that.  I have ... [More]

!!! WARNING:  IT Systems Administrator blasphemy ahead !!!  Actually, here it is right here:  I know that NetDiag is a staple tool for systems administrators but I’ve never been a big consumer of the tool and that’s mostly because I just don’t care for it.  There is some great functionality in the tool but a lot of it can be found in other tools without all of the excess effort and output.  The other thing is that there are some limitations and known issues which often m... [More]

Recently a question came up in the newsgroups about what the difference is between the set of partitions on a domain controller and the set of partitions on a global catalog server.  I wanted to take the opportunity to include the answer here and expand upon it slightly. The question specifically was, “In a multi-domain environment, what is the main difference between the partitions on a domain controller that is also a global catalog server, versus other domain controllers that are ... [More]

Well, we’ve made it through the debug logs for normal mode and merge mode and now it is on to replace mode and time to answer our original question, “In replace mode, when does the user configuration portion of policies which apply to the computer object get applied.  Is it applied when the computer starts up?  Or is it applied when a user logs on?” This post is part 3 of a 3 part series where we are examining the debug output for each policy processing mode: Loopback Policy Proce... [More]