/var/log

Journal of a SysAdmin


Federation

March 10th, 2010 · No Comments

I am aware of Federated Services only in passing. In their usual manner, Microsoft has seen to it that there’s enough jargon littering the path to understanding what technology actually does to deter all but the most focused. Luckily, there’s Federated Identity and Microsoft ADFS explained and illustrated with Microsoft Paint!

Get thee hence and be enlightened. (Hat tip to Laura).

Tags: Documentation · Packages · Protocols

Where Oh Where?

March 9th, 2010 · No Comments

The find operation is my friend in ADUC, but where exactly are the AD objects you find? What OU? What if you search for ‘Mark’ and there are four ‘Marks’ in your forest?

Mark Parris has a nifty little tip: http://wp.me/pJxvX-4l

This is why I love the ‘net. On Mark’s blog post from which I stole the above graphic, another person added the following command, using Joe’s adfind command.

adfind -sc u:mark dn
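The same "which OU does this object actually live in?" question, answered with the ActiveDirectory PowerShell module. This is an added example, not from the original post or from Mark's blog; it assumes the RSAT ActiveDirectory module is installed and that you run it as a domain user with read access. To search the whole forest rather than one domain, pass a global catalog as the server on port 3268 (the server name below is a placeholder).

```powershell
# Added example: list every user whose name matches a pattern and report the
# container (OU) each one sits in, so four "Marks" are no longer ambiguous.
Import-Module ActiveDirectory

function Find-ADUserLocation {
    param(
        [Parameter(Mandatory)] [string] $NamePattern,
        # Optional: "gc01.corp.example.com:3268" (placeholder) for a forest-wide GC search
        [string] $Server
    )
    # Match on the attributes people actually type into the ADUC Find box.
    $filter = "Name -like '*$NamePattern*' -or SamAccountName -like '*$NamePattern*' -or DisplayName -like '*$NamePattern*'"
    $params = @{ Filter = $filter; Properties = 'CanonicalName' }
    if ($Server) { $params.Server = $Server }

    Get-ADUser @params | ForEach-Object {
        # Parent container = the DN with its leading RDN removed. Split on the
        # first comma that is not escaped with a backslash (CN=Smith\, Mark,...).
        $parentDn = ($_.DistinguishedName -split '(?<!\\),', 2)[1]
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Name            = $_.Name
            ParentContainer = $parentDn
            CanonicalName   = $_.CanonicalName   # domain/OU/.../Name, easier to read than a DN
        }
    }
}

Find-ADUserLocation -NamePattern 'mark' | Format-Table -AutoSize
```

The CanonicalName column is the one to hand to a colleague; the ParentContainer DN is the one to feed into Set-ADUser or Move-ADObject afterwards.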

Tags: Active Directory

We Don’t Need No Stinkin’ Limitations

March 5th, 2010 · No Comments

Did you know …

Fully Qualified Domain Name (FQDN): The Fully Qualified Domain Name (FQDN) of an object cannot exceed 64 characters.

Group Memberships: Users, Groups and Computer accounts are Security Principals, and a Security Principal can be a member of approximately 1,015 groups. This is a consequence of the access token size limit, not of the directory itself.

Maximum Number of Users in a Group: In Windows 2000 the recommended maximum number of members in a group was 5,000. Starting with the Windows Server 2003 forest functional level (FFL), this limit has been removed thanks to Linked Value Replication (LVR). There is now no set limit on group membership.

Active Directory Objects: Each Domain Controller can create nearly 2.15 billion (2 147 483 393) objects over its lifetime. The objects can originate locally or be created via replication.

Security Identifiers (SIDS): There is a limit of approximately 1 billion (1 073 741 823) Security Identifiers.

File Name Length: The maximum length of a file name including the path must not exceed 260 characters.

NetBIOS: Computer and Domain names are limited to 15 characters.

Domain Name System (DNS): DNS host names are limited to 24 characters.

Organization Units (OUs): OU Names are limited to 64 characters.

Group Policy Objects (GPOs): The maximum number of GPO’s that can be applied to a user or computer account in total is 999.

Display Names: Display Names are limited to 256 characters in the schema.

Pre-Windows 2000 user logon name (SAM-Account-Name): The SAM-Account-Name is limited to 256 characters in the schema – but hard coded to 20 characters to ensure backward compatibility.

Common Names: Common Names are limited to 64 characters in the schema.

Trust Limitations: Kerberos clients can traverse a maximum of 10 trust links to locate a requested resource in another domain.

LDAP Simple Bind operations: Limit the Distinguished Name (DN) of an object to 255 characters or less, else the bind operation will fail.

Recommended Maximum Number of Domains in a forest:
Windows 2000 = 800
Windows Server 2003 (at FFL 2) = 1200

Recommended Maximum Number of Domain Controllers in a Domain: Windows 2003 = 1200 (if you host Active Directory Integrated DNS and plan to exceed 800 DCs, see KB267855)

Distributed File System – Namespaces(DFS-N) – Number of links per DFS namespace:
Windows Server 2003: Domain based DFS – 5000 Links; Stand alone DFS – 50000 Links

Windows Server 2008: Not Published/Not Tested

Tags: Active Directory · Documentation · Miscellaneous · Performance

That’s A Load Off!

March 4th, 2010 · No Comments

Mark Parris (Microsoft MVP) has a post about reducing client authentication loads on a DC.

Essentially, to reduce the number of client authentication requests a DC processes, adjust the server's DNS SRV weight and/or priority. The weight sets what share of clients pick this DC among DCs of equal priority; the priority decides whether clients consider it at all. To ensure the DC receives no client authentication requests unless it is the only accessible domain controller, raise its priority.

These properties appear in the DC's DNS SRV records, but for some strange reason the adjustments are made in the registry with regedit(?)

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

is the key you want. Creating a DWORD value called LdapSrvWeight and setting the decimal value to 50—the default is 100—will ensure the number of client requests is lower than the other DCs with higher weights.

It will be necessary to restart NetLogon.

The default value for every DC's priority is 0, and lower is better: clients always choose from the DCs with the lowest priority value that respond, and only fall back to higher values when none of those is reachable. A value of 200 will effectively ensure the DC never receives authentication requests while any default-priority DC is up. The lower the value, the higher the DC's utilization.

A DC with an LdapSrvPriority setting of 100 is therefore less preferred than a DC with a setting of 10, which means clients will use the DC with the 10 setting first. That DWORD (decimal) value is created in the same

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

key. As usual, restarting NetLogon is necessary. As for why this can't be done by editing the DNS records directly: Netlogon owns those SRV records and re-registers them periodically (and at every service start) from these registry values, so a hand edit in the DNS console survives only until the next refresh.
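The whole procedure, done from an elevated PowerShell prompt on the DC and then verified against what the DC actually published in DNS. This is an added example, not code from the original post or from Mark Parris; 'corp.example.com' is a placeholder for your AD DNS domain name.

```powershell
# Added example: set this DC's SRV weight/priority via the Netlogon parameters
# key (the supported way), restart Netlogon so it re-registers, then read the
# _ldap._tcp.dc._msdcs SRV records back to confirm the values took effect.
$domain = 'corp.example.com'   # placeholder
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-DcSrvPreference {
    param(
        [ValidateRange(0, 65535)] [int] $Weight   = 100,   # default 100; lower = smaller share of clients
        [ValidateRange(0, 65535)] [int] $Priority = 0      # default 0; higher = used only as a fallback
    )
    # Both are REG_DWORD values read by Netlogon when it registers its records.
    New-ItemProperty -Path $key -Name LdapSrvWeight   -PropertyType DWord -Value $Weight   -Force | Out-Null
    New-ItemProperty -Path $key -Name LdapSrvPriority -PropertyType DWord -Value $Priority -Force | Out-Null
    Restart-Service Netlogon
    # Ask Netlogon to re-register now instead of waiting for its periodic refresh.
    nltest /dsregdns | Out-Null
}

function Get-DcSrvPreference {
    param([Parameter(Mandatory)] [string] $DomainName)
    # These are the records the DC locator queries; site-specific records get the
    # same weight/priority from the same registry values.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Priority, Weight, Port |
        Sort-Object Priority, Weight
}

# Keep this DC at normal priority but give it half the share of a default DC.
Set-DcSrvPreference -Weight 50 -Priority 0
Get-DcSrvPreference -DomainName $domain | Format-Table -AutoSize
```

The verification step matters: if the new weight does not show up in the SRV answers, the usual causes are a stale cached answer on the querying machine (ipconfig /flushdns) or the record still sitting on a DNS server that has not yet replicated the change.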

Tags: Active Directory · Performance · Protocols · Server

Your Chair Is Your Enemy

March 4th, 2010 · 2 Comments

That is the opening sentence of an article on the New York Times’ Opinionator dealing with obesity and exercise. According to this enlightening article by Olivia Judson,

It doesn’t matter if you go running every morning, or you’re a regular at the gym. If you spend most of the rest of the day sitting — in your car, your office chair, on your sofa at home — you are putting yourself at increased risk of obesity, diabetes, heart disease, a variety of cancers and an early death. In other words, irrespective of whether you exercise vigorously, sitting for long periods is bad for you.


Tags: SysAdmin

Updated Design Guide

March 2nd, 2010 · No Comments

Microsoft has released an updated Active Directory design guide. Although it mentions the healthcare sector, it should provide a basis for designing an AD regardless of sector.

Thanks to Mark Parris for the link.

Tags: Active Directory · Documentation

Windows IT Pro

March 1st, 2010 · No Comments

If you’re a Microsoft Windows administrator, this magazine is required reading. There are good articles (some better than others, look for anything by John Savill) and links to resources galore. Microsoft’s TechNet Magazine is a close second, but it’s no longer available except online. Booooo.

Prior to today, the magazine's website was atrocious: the layout was busy beyond belief and, for some weird reason, presented the mobile version of the site regardless of what browser or platform I used. I'm happy to say that when I logged on today, the site was more streamlined than before.

I still have a problem with them locking some of their more popular articles behind an additional fee-required prison, however.

Tags: Miscellaneous

Oh Microsoft!

February 24th, 2010 · Comments Off

It was with wry mirth that I read somewhere the Microsoft response to Google’s privacy snub (apparently someone from Google mentioned we all should get used to not having any privacy when using Google’s tools). Microsoft’s bing search engine—which I’ve only used a very few times, if at all because I find it lacking in many ways. I also really despise those commercials—will only keep data on users for a much shorter time than will Google.

Whatever.

That’s supposed to make me change search providers? I think not. When you jokers start providing good results, maybe I’ll give you a try. Until then, bing off.

Yes, I’m a dyed-in-the-wool Googler and always will be. Have you ever tried finding anything on Microsoft’s various sites using the Bing search? Rare is the time you find what you’re looking for the first time out. Case in point: today, I was looking for the outstanding RichCopy tool and decided to search the official Microsoft Download Center site. Using bing, I found … nothing! At. All.

Tags: Rant

Make Up Your Mind!

February 19th, 2010 · Comments Off

Working some more with my new Windows Server 2008 R2 virtual machine, I discovered that the Server Manager console has a “Resources and Support” section per role; roles being the function or service the server provides (AD Domain Services, DNS, etc.)

Kind of a nomenclature mess, but who am I to complain?


Tags: Active Directory

Oh, That File

February 18th, 2010 · Comments Off

I’ve been having some fun with Exchange Server 2007 SP1. Installing this beast on to a Windows Server 2008 R2 is an adventure, made even more adventurous by these kinds of errors:

[image: WhatFile]

This error comes right at the start of the installation, after the so-called “pre-requisites” have been met, supposedly. That’s right, the installation process actually checks to ensure all the proper files and services are in place then, like a sick joke, throws up this error.

What file?!?

My dear mom, a French language teacher, taught me there were two types of articles, definite and indefinite. When the word “the” precedes an object, as in “the file,” it is taken for granted that the file in question is a definite object known to both speaker and hearer.

This is as opposed to “a file” which could mean any file in the entire known, unknown and unknowable Universe. Thus, the “indefinite” which means, undefined. All that is known about such a file is that it is a file, period.

Microsoft’s error is mind-boggling and reminds me of a story my colleague told me about a cousin of his who was enamored of the macabre. Apparently, the gentleman in question was in the habit of creating, out of thin air, words whose definitions were known only to himself. That’s not the surprising part: the guy would use these made-up words in everyday conversation only to be deeply surprised and shocked when no one else knew what he was talking about.

Microsoft is my crazy cousin.

Tags: Errors · Exchange · Rant