Organizational Unit (OU) Migration Approach

by Rich Crandall 6. September 2011 15:10
I have recently had a few customers who are focusing on a consolidation or ‘modernization’ of their directory services infrastructure, including delegation models.  A big part of this adjustment is the consolidation or restructuring of OUs.  Then the question becomes, “How do we approach this?”  The following is not meant to be a comprehensive solution but rather a high-level introduction to the migration considerations and approach. Background In Active Directory, organizatio... [More]

Group Policy | Directory Service | rich

Multiple Copies of a Primary Zone Stored in Different Locations...but not really...

by Eric Jansen 8. April 2011 21:17
Greetings All. Eric here again. Recently I was doing an ADRAP remediation and one of the High Risk findings that the tool found was "Multiple Copies of a Primary zone Stored in Different Locations". In this environment all of the DC's were Windows Server 2008 R2. I've seen this finding on the ADRAP report a number of other times where the same zone was in the ForestDNSZones, DomainDNSZones, and Domain partitions, among other file based zones across different DC's all at the same time in some pre... [More]

Directory Service | DNS | eric

Certain Domain Members Log NetLogon Event ID 5516 in the System Log After a One Way Trust is Setup

by Eric Jansen 16. December 2010 22:38
Eric here again. Recently I had an interesting issue with one of my customers that I caught on accident while looking for something else related to a different problem. When combing through the event log I found the following error in the event logs: After the other issue was fixed, I started to look into my new finding. In this scenario Domain.com is a relatively newly built domain that trusts the domain that MemberServer resides in, however the domain that MemberServer lives in doesn't trus... [More]

Directory Service | eric

Why Are Some of My AD Integrated Zones Loading But Not Others?

by Eric Jansen 6. December 2010 09:20
While on the topic of DNS, one of the DC's that had the corrupt application partition (discussed in my last blog entry) also had another interesting issue that's not all that common, at least in my experience. One DC in one of the child domains was missing a few AD integrated DNS zones that were stored in the ForestDNSZones application partition; however, it had other zones loaded that were stored in the same partition. To clarify what I mean when I say missing, I mean missing from the DNS conso... [More]

Directory Service | DNS | eric

Are Your DNS Application Partitions Corrupt?

by Eric Jansen 22. November 2010 10:21
Hello all, Eric here again. Just recently I was at a customer site in Japan for a few weeks and they had a number of interesting issues, so while I have some time here in the Naha airport, I thought I'd write about a couple of them. One issue that we encountered across a number of their domains was that we couldn't create zones in the DomainDNSZones partition ("All DNS servers in this domain" option). It wasn't due to permissions; unfortunately I didn't write down the exact error syntax that wa... [More]

Directory Service | DNS | eric

AdminSDHolder Permissions Propagate to Protected Accounts But Delegated Permissions Do Not Work

by Eric Jansen 11. November 2010 15:09
Hello all, Eric here again. Just recently I was helping one of my customers with some ADRAP remediation efforts. One of the items that they requested some guidance on was creating a delegation plan to put in place so that they could remove a number of users from the default administrative groups. They had a few groups nested into these groups, one example being the Help Desk group, that was nested into the Administrators group. Anyhow, after coming up with a plan, we put the delegations in plac... [More]

eric | Security | Directory Service

Unorthodox Forest Recovery

by Rich Crandall 28. July 2010 11:00
Not too long ago, through the InitialAssist program, I had the opportunity to spend some time assisting an organization in the recovery of directory data and resource access.  The organization had put out a request for assistance from the Microsoft newsgroups and had received some excellent suggestions but unfortunately they didn’t resolve the issue. On Saturday afternoon, after a half day session at the Microsoft Directory Services Masters program, I became involved through the requ... [More]

Directory Service | Recovery | rich
