The Microsoft TechNet Gallery is a big improvement over previous incarnations of a scripting center on the TechNet site....
I’m attending my eighth annual Microsoft MVP (Most Valuable Professional) Summit up in Bellevue and on the Microsoft campus in Redmond, Washington. It’s three days of NDA discussions with product teams and executives, and some excellent networking with other MVPs from around the globe. I don’t know how many countries are represented, but I do know that when someone I haven’t met yet opens their mouth to speak in a Directory Services meeting, I have no idea what kind of accent they’ll have....
In my last blog post, I talked about using a REPADMIN command to quickly stop the replication of changes you don’t want to spread around the forest (“The ‘Oops’ Command: Minimizing Object Deletion Damage”). This made me think of a tuning parameter you can use to speed up replication to the far corners of your forest. As with any tuning knob, however, it has its tradeoffs....
A common problem associated with administering Active Directory is the “fatfinger” issue, when an account administrator accidentally deletes an important account, computer, group, or (heaven forbid) an OU. (Of course, YOU would never do this.) Much has been written about how to recover from this accidental object deletion situation. What’s rarely mentioned is how to minimize the damage....
RunAsRadio today published an interview I did with them a few weeks ago. In it, we talk about the evolution of identity management, give an overview of cloud identity, and discuss what IT pros who work with identity management need to learn to stay in front of their customers’ demands as they adopt cloud applications....
A few months ago, I posted in this blog that my deep investigative reporting (okay, he walked up to me and introduced himself) had revealed the person behind all those cool Microsoft posters is Martin McClean, an Aussie currently working at the mothership in Redmond. Well, he’s gone and done it again....
Over the course of my career I’ve worked for both big and well known companies like Intel and Texas Instruments, and small and not so well known companies like Advaiya and Platform Vision. I’ve just made what is, for me, a very natural step to the next phase in my career....
For example, the output for REPADMIN /SYNCALL tells you which DCs were synchronized, but it does this by giving you their GUIDs rather than their CNs:

One quick way to find a DC’s GUID is to run a REPADMIN /SHOWREPS against a DC that has the DC you’re interested in as a replication partner. For example, if I wanted to get KYOSHI’s GUID I could run a /SHOWREPS against GODAN, because I know KYOSHI is a replication partner of GODAN. (In my current test environment it’s the only replication partner, and there are so many failures because it’s a VM that’s offline much of the time.) “DSA object GUID” lists it:

The easiest way is to select the GUID with the mouse (I recommend setting QuickEdit on as a property in your command prompt), hit Enter to get it into the clipboard, then enter “REPADMIN /DSAGUID

The thing to remember about /DSAGUID is that you must specify a target DC to run it against, or it will fail. If you just paste the GUID in without the target DC, you’ll get the following error:

If you read it carefully, you’ll see that even though the command errored out, it actually GAVE you the name of the DC from the GUID, because the command allows you to enter a GUID for the target DC as well as the DNS name...
Sorry for the re-post if you’ve seen this before, but I realized that in the confusion resulting from my job change there’s no longer a clear posting of my interview with Ping Identity’s CTO Patrick Harding. In it, he shows why we need to work towards eliminating the many extra passwords we currently must have for the cloud apps we use.
In a related, timely announcement, Twitter now requires that all apps that want to use it (like the popular Tweetdeck desktop and mobile client) must use OAuth instead of prompting you for your Twitter account and password. What does this mean? It means fewer userids and passwords you must create (and keep track of); it’ll happen automagically....
I don’t think it’s widely known, but when you aren’t able to demote a domain controller in Active Directory normally and have to perform a metadata cleanup, the process has become much easier if you’re running Windows 2008 or R2....