Executive Summary: Explore some lesser-known tools to make Active Directory (AD) administration easier, including Group Policy Object (GPO) backup and recovery, File Replication Service (FRS) monitoring, NTDSUTIL scripting, preventing accidental deletion of organizational units (OUs), using the Attribute Editor, and running REPADMIN.
Like any complex system, Active Directory (AD) and its related support tools have literally hundreds of commands and techniques to make administering it a little easier and more efficient. As you acquire AD skills and knowledge, your administrator toolkit will grow larger and you’ll branch into using less-well-known tools and methods. In this article I present several AD nuggets you might not have discovered yet.
Free GPO Disaster Recovery
Backup and recovery is a key area any AD administrator must pay attention to. But just instituting a domain controller (DC) backup and recovery plan isn’t enough. You also need a separate backup and recovery plan for Group Policy. Unlike DCs, Group Policy Objects (GPOs) are typically delegated to a larger group of organizational unit (OU) administrators, rather than just the overall AD service administrators. The more people who work with GPOs, especially relatively inexperienced admins, the greater the chance that a GPO will be accidentally (or intentionally) altered or deleted. Because changes to a production GPO almost always affect multiple users, restoring the GPO quickly is a high priority. You can restore a GPO from DC backups, but the process can be slow and obtrusive.
Setting up basic GPO backup and recovery is easy. Group Policy Management Console (GPMC), which is included in Windows Server 2008 and Windows Server 2008 R2 and available as a download for Windows Server 2003 (at http://bit.ly/4DpDVp), has a great library of 32 sample scripts to perform Group Policy maintenance. After you install GPMC in Server 2003, these scripts are located in C:\Program Files\GPMC\Scripts. Although Server 2008 and R2 no longer include the scripts by default, they will work with these OS versions. You can download the scripts from Microsoft at http://bit.ly/1Jef98. In Server 2008 and R2, the scripts will install in C:\Program Files\Microsoft Group Policy\GPMC Sample Scripts. All the scripts let you perform various useful operations on GPOs; but the backup and recovery scripts we’re interested in for the purpose of this discussion include BackupGPO.wsf, BackupAllGPOs.wsf, RestoreGPO.wsf, and RestoreALLGPOs.wsf. From an AD administrator’s viewpoint, we’re most interested in BackupAllGPOs to back up all the GPOs in a domain and RestoreGPO to restore a single GPO.
The scripts are written in either VBScript or JScript. If cscript.exe isn’t your default scripting host, you’ll need to explicitly specify cscript.exe on the command line. To back up all the GPOs in your domain, navigate to the script directory and run
Cscript backupallgpos.wsf <BackupLocation> [/Comment:<Comment>] [/Domain:<DNSDomain>]
The script will back up all the GPOs in your domain to the location you specify and create subfolders for each GPO, named by the 128-bit GUID that uniquely identifies the GPO. Once you’ve backed up all the GPOs, you can use RestoreGPO.wsf to restore them individually:
Cscript restoreGPO.wsf <backup location> <GPO name> /domain:<DNSDomain>
Although these scripts will back up and restore both the GPOs in AD and the Group Policy templates on SYSVOL, they don’t back up or restore the links between the GPOs and the OUs they’re applied to. You must track these links separately, or you can use the ListSOMPolicyTree.wsf script to list the relationships between the GPOs and the site, domains, and OUs they could be linked to.
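The same backup-plus-link-tracking routine can be done in one scheduled script with the GroupPolicy and ActiveDirectory PowerShell modules that ship with RSAT on Windows Server 2008 R2 and later. The following is an added example, not one of the GPMC sample scripts: Backup-GPO -All writes the GPO and its SYSVOL template to a per-GPO subfolder (named by a backup GUID, with a manifest.xml mapping GUIDs to names), and Get-GPInheritance records the domain and OU links that the backup itself omits. The backup root path is a placeholder; site-level links are not covered because Get-GPInheritance only takes domain and OU targets.

```powershell
# Added example (not from the article or the GPMC sample scripts): back up every GPO
# in the domain and record the GPO-to-container links that Backup-GPO does not save.
# Assumptions: Windows Server 2008 R2 or later with RSAT (GroupPolicy and
# ActiveDirectory modules) and a placeholder backup root chosen by the admin.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$BackupRoot = 'D:\GPOBackups'   # placeholder; use a folder whose ACL is limited to GPO admins
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$Target     = Join-Path $BackupRoot $Stamp
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# One subfolder per GPO (backup GUID) plus manifest.xml; templates on SYSVOL are included.
Backup-GPO -All -Path $Target -Comment "Scheduled backup $Stamp" | Out-Null

# Links are not part of the backup. Ask the domain root and every OU for their link lists
# and store the result beside the backup so a restored GPO can be re-linked in the same order.
$Domain     = Get-ADDomain
$Containers = @($Domain.DistinguishedName) +
              (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

$Links = foreach ($dn in $Containers) {
    $inheritance = Get-GPInheritance -Target $dn
    foreach ($link in $inheritance.GpoLinks) {
        [pscustomobject]@{
            Target   = $dn
            GpoName  = $link.DisplayName
            GpoId    = $link.GpoId
            Enabled  = $link.Enabled
            Enforced = $link.Enforced
            Order    = $link.Order
        }
    }
}
$Links | Export-Csv -Path (Join-Path $Target 'gpo-links.csv') -NoTypeInformation

# Later, to bring back a single GPO from this set:
#   Restore-GPO -Name 'Default Domain Policy' -Path $Target
# and to re-create a link recorded in gpo-links.csv:
#   New-GPLink -Name <GpoName> -Target <Target> -LinkEnabled Yes
```

Run it from a scheduled task under an account that holds Group Policy backup rights, and keep the dated folders long enough to cover the delay between a bad GPO edit and someone noticing it; the CSV is what lets you restore the GPO and its placement in the OU tree, not just its contents.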
Monitoring FRS
An area related to Group Policy is SYSVOL, the folder structure on every DC that contains the domain’s Group Policy templates and logon scripts. A replication mechanism (File Replication Service, or FRS, in Server 2003; Distributed File System Replication, or DFSR, in Server 2008 and R2) ensures that the SYSVOL structure stays synchronized between all the DCs in a domain. Using DFSR for SYSVOL replication is a huge improvement over the trouble-prone FRS replication method. However, because DFSR requires both Server 2008 and a manual FRS-to-DFSR upgrade process, the majority of production domains still run FRS.
You should monitor FRS for two reasons. First, a properly functioning SYSVOL is critical to a healthy domain. However, most AD administrators don’t proactively check or monitor FRS, partly because FRS Event Log messages are infrequent and not especially informative, and partly because FRS problems take a while to surface. Second, you need to ensure that FRS is functioning properly before you attempt an upgrade to DFSR replication, or you might corrupt your SYSVOL.
Microsoft has an FRS monitoring tool called Ultrasound, which you can download at http://bit.ly/gMy6S. An unusual name for a Microsoft utility, the tool was christened Ultrasound because it was the successor to a simpler tool named Sonar. (Don’t ask me how Sonar got its name.) Ultrasound consists of three major components. One component is a small Windows Management Instrumentation (WMI) provider that’s installed on every DC. It gathers FRS status information and sends it to the next component: the Ultrasound controller. This component consists of a service and a database that holds the FRS status data the controller pulls from the monitored servers. The database can be either Microsoft SQL Server Desktop Engine (MSDE, which you can download at http://bit.ly/20HiM) or SQL Server, and it doesn’t have to be on the same system as the controller. The final component is the Ultrasound administrator’s console, which must be installed on the same system as the controller component. This is where you can add and remove members (DCs) that are being monitored and view the general health of the monitored FRS set. You can also drill down into a great level of detail. Because the administrative console is limited in where it can run, keeping it constantly open for operators is inconvenient and probably unnecessary. I recommend that you install it, use it to clean up any existing SYSVOL replication problems, then revisit it once a week. Although Ultrasound has been around for a while, and it has the unique look and feel of a tool that grew out of Microsoft’s Product Support Services (PSS) group, it gets the job done.
NTDSUTIL Scripting
We all use NTDSUTIL for relatively common tasks, such as metadata cleanup from unplanned DC failures. But did you know that you can build simple scripts to run NTDSUTIL actions in the task scheduler or interactively? Simply list the NTDSUTIL commands one after another on a single line. If the command has multiple arguments, enclose them in quotes.
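Here is an added example of that one-line technique wrapped for Task Scheduler; it is not from the article. It runs the NTDSUTIL sequence that creates an AD database snapshot on the local DC (the equivalent interactive line is ntdsutil snapshot "activate instance ntds" create quit quit), captures the output to a log, and returns a non-zero exit code on failure so the task shows as failed. The log path is a placeholder, and the success string it checks is the "generated successfully" line ntdsutil prints for a new snapshot set. Because a snapshot is a full copy of the directory database, the snapshot volume and the log folder need the same access restrictions as the live DIT.

```powershell
# Added example (not from the article): run a one-line NTDSUTIL command sequence from
# PowerShell so it can be scheduled. Assumptions: Windows Server 2008 or later, run
# elevated on a DC; the log path is a placeholder chosen by the admin.
$LogPath = 'C:\ADMaint\ntdsutil-snapshot.log'   # placeholder; restrict the folder to admins
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

# Each NTDSUTIL menu command is one argument. PowerShell wraps any argument containing
# spaces in double quotes when it calls a native program, so "activate instance ntds"
# reaches ntdsutil as a single command, exactly as typing it quoted on the cmd line would.
# The two trailing quits leave the snapshot menu and then exit ntdsutil so the task ends.
$ntdsArgs = @(
    'snapshot',
    'activate instance ntds',
    'create',
    'quit',
    'quit'
)

$output = & ntdsutil.exe @ntdsArgs 2>&1
$exit   = $LASTEXITCODE

"$(Get-Date -Format s) ntdsutil exit code $exit" | Add-Content -Path $LogPath
$output | Add-Content -Path $LogPath

# ntdsutil prints "Snapshot set {GUID} generated successfully." on success. Treat anything
# else as a failure and surface it through the exit code rather than a silent log entry.
$ok = ($exit -eq 0) -and (($output | Out-String) -match 'generated successfully')
if (-not $ok) {
    Write-Error "ntdsutil snapshot failed; see $LogPath"
    exit 1
}
exit 0
```

The same pattern applies to any other NTDSUTIL sequence: put each menu command in the array in the order you would type it, and finish with enough quit entries to return to the shell, otherwise the task hangs at an ntdsutil prompt waiting for input.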