Directory Services

You are currently browsing the articles from MS Windows Vista Compatible Software matching the category Directory Services.

Sync DSRM and Domain Admin Passwords

Setting a password for Directory Services Restore Mode (DSRM) is something that is done when a domain controller is promoted.  As a best practice it has always been recommended to change that password regularly, as you would with any other password.  The challenge was that the process was awkward: on Windows Server 2003 you had to use the "set dsrm password" menu of ntdsutil and type a new password for each DC by hand.

This has been addressed in Windows Server 2008, where we can now sync the DSRM password from a domain account, typically a Domain Admin account.  There is a hotfix that needs to be installed, which you can download here.  (Note: you do need to request the hotfix, and it should be included in SP2.)  After it is installed and the server is rebooted, run the following command on the DC to sync the passwords:

ntdsutil "set dsrm password" "sync from domain account <DomainAdminAccountName>" q q

Two things to keep in mind.  The sync is a one-time copy of the domain account's current password into that DC's local SAM, not a standing link: run it again on every DC after each password change.  And since anyone who knows that account's password can now log on to the DC in DSRM, pick a dedicated account whose password is tightly controlled rather than an everyday Domain Admin login.
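As an added example (not code from the original post), here is a PowerShell script that runs that same ntdsutil command on every domain controller and reports which ones succeeded.  It assumes the hotfix or SP2 is on each DC, the Active Directory module (Server 2008 R2 or RSAT) on the machine you run it from, PowerShell remoting enabled on the DCs, and a hypothetical dedicated account named svc-dsrm-sync; the success string it looks for is an assumption about ntdsutil's output.

```powershell
# Added example, not from the original post. Assumptions: hotfix/SP2 on each DC,
# AD module on this host, PS remoting to the DCs, and a dedicated domain account
# 'svc-dsrm-sync' (hypothetical) whose password becomes the DSRM password.
Import-Module ActiveDirectory

$syncAccount = 'svc-dsrm-sync'

# The DSRM password is stored in each DC's local SAM, so the sync has to run
# once per DC; enumerate them from AD rather than from a hand-kept list.
$dcs = Get-ADDomainController -Filter *

$results = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc.HostName -ArgumentList $syncAccount -ScriptBlock {
        param($account)
        # ntdsutil takes its menu commands as separate arguments; the two 'q'
        # entries back out of the 'set dsrm password' menu and ntdsutil itself.
        $out = & ntdsutil.exe 'set dsrm password' "sync from domain account $account" q q 2>&1
        # ntdsutil's exit code is not reliable for this operation, so check the
        # text. Assumption: this fragment is in the line it prints on success.
        [pscustomobject]@{
            DC     = $env:COMPUTERNAME
            Synced = [bool]($out -match 'synchronized successfully')
            Output = ($out | Out-String).Trim()
        }
    }
}

$results | Format-Table DC, Synced -AutoSize
foreach ($r in $results | Where-Object { -not $_.Synced }) {
    Write-Warning "DSRM sync failed on $($r.DC):`n$($r.Output)"
}
```

Run it again after every rotation of the sync account's password; the copy made by ntdsutil does not track later changes to the domain account.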

Written by rodney.buike on February 27th, 2009 with no comments.

Recovering Deleted AD Objects in Server 2008 R2

In a previous entry, guest blogger Sean Kearney shared a new feature in Windows Server 2008 R2 directory services called the Active Directory Recycle Bin.  Sean is back to show us how to recover those deleted objects.

-------------------------

So you’ve done it.  We all have.  Deleted a user, group or OU by accident, but thankfully you have 2008 R2 in place and the AD Recycle Bin enabled.  Recovering it now is a breeze.  Start by launching the Active Directory Module for Windows PowerShell (PowerShell V2) on Server 2008 R2 and run the following command:

Get-ADObject -Filter {Name -like "missingitem*" -and isDeleted -eq $true} -IncludeDeletedObjects | Restore-ADObject

That’s it.  Nothing harder than that.  The great thing is that as long as it’s an object in Active Directory, it’s protected by this new feature for 180 days (the default deleted-object lifetime).  And this doesn’t just put back a bare object: it comes back with its attributes, its security descriptor and its group memberships intact.  Two cautions: the isDeleted clause in the filter matters, because without it a live object with a matching name would also be piped into Restore-ADObject and the restore would fail; and if an entire OU was deleted, restore the OU before the objects that lived in it, since each object is put back under its last known parent and that parent has to exist.
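As an added example that is not part of the original post, the following PowerShell goes a step beyond the one-liner: it lists what is recoverable under a name prefix, restores deleted containers before the objects that lived in them (sorted so that parents come before nested children), and verifies the result.  It assumes the Active Directory module on Server 2008 R2 with the Recycle Bin enabled; 'Sales' is a hypothetical name prefix.

```powershell
# Added example, not from the original post. Assumes the AD module on 2008 R2,
# the Recycle Bin enabled, and a hypothetical set of deleted objects whose
# names start with 'Sales' (an OU plus the users and groups inside it).
Import-Module ActiveDirectory

$prefix = 'Sales*'

# 1. What is recoverable? Only objects with isDeleted=TRUE that are still
#    inside the deleted-object lifetime are returned here.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and Name -like $prefix } `
    -IncludeDeletedObjects -Properties Name, ObjectClass, LastKnownParent, whenChanged

$deleted | Format-Table Name, ObjectClass, LastKnownParent, whenChanged -AutoSize

# 2. Restore-ADObject puts each object back under its LastKnownParent and fails
#    if that parent is itself still deleted. So restore containers first, and
#    among containers the shallowest first (fewer RDNs in the parent DN).
$containerClasses = 'organizationalUnit', 'container'
$containers = $deleted |
    Where-Object { $containerClasses -contains $_.ObjectClass } |
    Sort-Object { ($_.LastKnownParent -split ',').Count }
$leaves = $deleted | Where-Object { $containerClasses -notcontains $_.ObjectClass }

foreach ($obj in @($containers) + @($leaves)) {
    try {
        Restore-ADObject -Identity $obj.ObjectGUID -ErrorAction Stop
        "restored {0} ({1})" -f $obj.Name, $obj.ObjectClass
    } catch {
        Write-Warning ("could not restore {0}: {1}" -f $obj.Name, $_.Exception.Message)
    }
}

# 3. Verify: the objects are live again (no isDeleted) under their old parents.
Get-ADObject -Filter { Name -like $prefix } -Properties ObjectClass |
    Select-Object Name, ObjectClass, DistinguishedName
```

Deleted objects keep their original name with a "\0ADEL:<guid>" suffix, which is why the prefix match still finds them; the ObjectGUID is used for the restore because the mangled DN is awkward to type.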

If you’d like to learn more about the Active Directory Recycle Bin, check out these resources on TechNet:

Active Directory Recycle Bin - Instructional Video on Technet Edge

Written by rodney.buike on February 24th, 2009 with no comments.

What’s New in 2008 R2 – Active Directory Recycle Bin

I’ve done it, I know people who have done it, and I bet you have done it before as well.  Right-click an object in Active Directory Users and Computers and, instead of clicking Properties, you accidentally hit Delete.  Boom, gone, and the only way to get it back is a restore from backup: restart the DC into Directory Services Restore Mode (DSRM), restore the system state backup and perform either an authoritative or a non-authoritative restore.

Guest author, Sean Kearney, covers this new feature in Windows Server 2008 R2.

-------------------------

One of the fantastic features provided in Server 2008 R2 is the new Recycle Bin for Active Directory.

I recognize that nobody here is going to intentionally mess up their own Active Directory.  But problems can happen: a junior technician mishears “disable” as “delete”, a malicious administrator is leaving the company, dumb luck.  Any number of problems can occur, and this feature will save the day.

There are a few caveats to using this:

  • You must have the Forest functional level at Windows Server 2008 R2 (the RequiredForestMode in the output below); a 2008 R2 domain functional level on its own is not enough.
  • You must enable the feature by using LDP.EXE or PowerShell.
  • It is managed and used 100% from PowerShell.  There is no GUI for it presently.
  • Once enabled, you cannot disable it.  This is a one-way trip, folks.
  • Deleted objects are kept for 180 days by default (the msDS-deletedObjectLifetime value, which defaults to the tombstone lifetime).  Objects that were already tombstoned when you enable the feature cannot be recovered this way.

That’s it.  In Server 2008 R2, select the Active Directory Module for Windows PowerShell under Administrative Tools and type in the following command:

Get-ADOptionalFeature -Filter {Name -like "*"}

You will be presented with output like this:

FeatureScope       : {Forest}
Name               : Recycle Bin Feature 
RequiredForestMode : Windows2008R2Forest 
IsDisableable      : False 
ObjectGUID         : 0599c1a6-6f8f-42d4-b9a0-ab2791d4719e 
ObjectClass        : msDS-OptionalFeature 
FeatureGUID        : 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a 
EnabledScopes      : 
RequiredDomainMode : 
DistinguishedName  : CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=energized,DC=energizedtech,DC=com

Looking at the information above, EnabledScopes is empty, which confirms that the AD Recycle Bin is presently disabled.  To make all this useful, we should turn it on.  In the same PowerShell window, key in this command (the -Scope value is ForestOrConfigurationSet, and -Target is the FQDN of the forest root domain):

Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'forestrootfqdn'

You will get a prompt asking you to confirm a change that cannot be undone.  Choose “Yes” if you wish to enable this feature, or CTRL-C to abort.  You need to be an Enterprise Admin for this to succeed.  Once you’re done, it’s active.  To confirm, run the following command again:

Get-ADOptionalFeature -Filter {Name -like "*"}

And you’ll get a similar response, but note the EnabledScopes line:

FeatureScope       : {Forest}
Name               : Recycle Bin Feature 
RequiredForestMode : Windows2008R2Forest 
IsDisableable      : False 
ObjectGUID         : 0599c1a6-6f8f-42d4-b9a0-ab2791d4719e 
ObjectClass        : msDS-OptionalFeature 
FeatureGUID        : 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a 
EnabledScopes      : {CN=Partitions,CN=Configuration,DC=energized,DC=energizedtech,DC=com} 
RequiredDomainMode : 
DistinguishedName  : CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=energized,DC=energizedtech,DC=com

EnabledScopes now points at the Partitions container of the configuration partition, which means the feature is on for the entire forest.  It takes effect on each DC as that change replicates to it.
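As an added example that is not part of the original post, this PowerShell script makes the procedure above safe to re-run: it checks the forest functional level against the feature's own RequiredForestMode, enables the Recycle Bin only if it is not already enabled, and then reports how long deleted objects will stay recoverable.  It assumes the Active Directory module on a Server 2008 R2 DC and an Enterprise Admin session; everything else is read from the forest itself.

```powershell
# Added example, not from the original post. Assumes the AD module on a
# Server 2008 R2 DC and an Enterprise Admin session; everything else is
# read from the forest itself.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

# The prerequisite is the FOREST functional level (RequiredForestMode in the
# output above), not the domain level.
if ($forest.ForestMode -lt $feature.RequiredForestMode) {
    throw ("Forest is at {0}; the Recycle Bin needs {1}. Raise it with Set-ADForestMode first." -f
        $forest.ForestMode, $feature.RequiredForestMode)
}

if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin already enabled: $($feature.EnabledScopes -join ', ')"
} else {
    # One-way change (IsDisableable is False). -Target is the forest root
    # domain; -Confirm:$false suppresses the interactive prompt shown above.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    "Recycle Bin now enabled: $($feature.EnabledScopes -join ', ')"
}

# How long a deleted object stays restorable: msDS-DeletedObjectLifetime, or
# if unset the tombstone lifetime, or if that is unset too the built-in 60 days.
$cfg = (Get-ADRootDSE).configurationNamingContext
$ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
    -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
$days = $ds.'msDS-DeletedObjectLifetime'
if (-not $days) { $days = $ds.tombstoneLifetime }
if (-not $days) { $days = 60 }
"Deleted objects can be restored for $days days."
```

If the last line reports 60 rather than 180, the forest predates the change to the default tombstone lifetime and you may want to set msDS-DeletedObjectLifetime explicitly before relying on the bin.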

For more information see:

Active Directory Recycle Bin Step-by-Step Guide

Written by rodney.buike on February 23rd, 2009 with no comments.

What’s New in 2008 R2 – Offline Domain Join

For as long as we have had Active Directory domains, we have been required to join clients to the domain while they were online and connected to AD.  Without that, the join would fail.  You have always had the ability to join with a script using the NETDOM command, but with Windows Server 2008 R2 we can now join a client to our AD domain while it is offline.  The real benefit here is that nothing has to reach a DC from the client at join time, and no domain admin credentials need to be entered on the client.  As you’ll see below, a text file is created; just for fun, open it up with Notepad and see what you can make out :)  It is a base64-encoded blob that contains, among other things, the password of the new computer account, so treat it as a secret: move it over a trusted channel and delete it once the join is done.

It is a simple three-step process that uses a new utility called DJOIN, run first from an already joined Server 2008 R2 computer and then on the target.

  1. On the joined computer, create the computer account and save the join information to a text file with DJOIN /provision.  The account you run this as needs permission to create computer objects in the target OU.
  2. Copy the text file to the target computer and import it with DJOIN /requestODJ.
  3. Reboot the target computer; it starts up as a domain member and authenticates to the domain the first time a DC is reachable.

For joining a computer to the domain using DJOIN there are some switches you need to know about first.

  • /provision – used when there is no existing AD account for the computer
  • /reuse – if you already created a computer account in AD and would like to use it
  • /domain – specifies the domain to join
  • /machine – specifies the name of the machine; if the target computer currently has a different name it will be renamed
  • /machineou – the distinguished name of the OU to create the account in (for example OU=Desktops,DC=thelazyadmin,DC=com); if you omit it the account is placed in the default Computers container
  • /savefile – the path of the file the provisioning data is written to

A typical command would be…

djoin.exe /provision /domain thelazyadmin.com /machine client01 /machineou "OU=Desktops,DC=thelazyadmin,DC=com" /savefile client01.txt

To join client01 to the domain we would next copy client01.txt to it and import it with the following command, run from an elevated prompt…

djoin /requestODJ /loadfile client01.txt /windowspath %systemroot% /localos

Reboot, and the computer comes up as a domain member; the join completes against a DC the first time one is reachable.
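As an added example, not code from the original post, here is the provisioning side of the procedure above done for a batch of machines from PowerShell, with the two details that bite in practice: /machineou is given the OU's distinguished name, and each provisioning file is locked down because it carries the new computer account's password.  It assumes a domain-joined Server 2008 R2 machine with the Active Directory module and an account allowed to create computer objects in the OU; the domain, OU, machine names and C:\odj are hypothetical.

```powershell
# Added example, not from the original post. Run on a domain-joined Server
# 2008 R2 machine as an account allowed to create computer objects in the OU.
# Domain, OU, machine names and C:\odj are hypothetical.
Import-Module ActiveDirectory

$domain   = 'thelazyadmin.com'
$ou       = 'OU=Desktops,DC=thelazyadmin,DC=com'   # /machineou wants a DN, not an OU name
$machines = 'client01', 'client02'
$outDir   = 'C:\odj'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

foreach ($m in $machines) {
    $blob = Join-Path $outDir "$m.txt"
    & djoin.exe /provision /domain $domain /machine $m /machineou $ou /savefile $blob
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed for $m (exit code $LASTEXITCODE)" }

    # The blob embeds the new computer account's password. Strip inherited ACLs
    # and leave only the provisioning user with read access until it is copied.
    $me = "$env:USERDOMAIN\$env:USERNAME"
    & icacls.exe $blob /inheritance:r /grant:r "${me}:(R)" | Out-Null
}

# Confirm the accounts were pre-created in the intended OU.
Get-ADComputer -Filter { Name -like 'client0*' } -SearchBase $ou -Properties Created |
    Select-Object Name, DistinguishedName, Created

# On each target (elevated, after copying its blob over a trusted channel):
#   djoin.exe /requestODJ /loadfile C:\odj\client01.txt /windowspath %SystemRoot% /localos
#   del C:\odj\client01.txt
#   shutdown /r /t 0
```

If a machine name is already in use, djoin /provision fails rather than overwriting the account; use /reuse to take over an existing account deliberately instead of deleting it.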

Written by rodney.buike on February 9th, 2009 with no comments.

Removing a Windows Server 2008 DC

Hardware dies; it always has and it always will, eventually.  And if you ever had a Windows 2000/2003 domain controller die on you, you’ve no doubt gone through the painful and time-consuming process of removing a failed DC by hand with ntdsutil’s metadata cleanup.  I wrote an article on it a few years ago, and whether you are planning to migrate your DCs to 2008 or already have, one thing you’ll like is the automated metadata cleanup when removing a failed Windows Server 2008 based DC from your AD domain!

Now a dead DC can be removed in three simple steps!  First, in Active Directory Users and Computers, right-click the DC’s computer account (in the Domain Controllers OU) and select Delete.  You will be prompted with a warning asking you to confirm.

Remove2008DC-1

Ensure you have selected the proper DC and then click Yes.  You will then be presented with another box telling you to run dcpromo to demote the server.  Since the server is dead and we can’t do that, check the box stating that the DC is permanently offline and can no longer be demoted, then click Delete.

Remove2008DC-2 

If the DC was also a Global Catalog server you will be prompted with another warning.  This is nothing more than a reminder to make sure you have another GC in your forest.

Remove2008DC-3

Once you click Yes the DC is deleted from AD along with its replication metadata (the NTDS Settings object and its connection objects).  Two things are not done for you: the DNS records the dead DC registered stay behind until you delete them, and you should check where any operations master (FSMO) roles it held ended up (netdom query fsmo); if one still names the dead DC, seize it on a surviving DC with ntdsutil.
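As an added example that is not part of the original post, the following PowerShell checks, after the GUI deletion, for the things that commonly still reference a dead DC: a leftover server object in Sites and Services, an operations master role pointing at it, SRV records in DNS, and replication summary entries.  'DC2' is a hypothetical name; it assumes the Active Directory module (Server 2008 R2 or RSAT) plus the nslookup and repadmin tools.

```powershell
# Added example, not from the original post: after the dead DC has been
# deleted in ADUC, look for anything that still references it. 'DC2' is a
# hypothetical name; assumes the AD module (2008 R2 / RSAT), nslookup and repadmin.
Import-Module ActiveDirectory

$dead   = 'DC2'
$domain = Get-ADDomain
$forest = Get-ADForest
$fqdn   = "$dead.$($domain.DNSRoot)"
$cfg    = (Get-ADRootDSE).configurationNamingContext

# 1. Metadata cleanup removes the NTDS Settings object, but the server object in
#    Sites and Services is left behind if it still has other children.
$server = Get-ADObject -SearchBase "CN=Sites,$cfg" -Filter "objectClass -eq 'server' -and name -eq '$dead'"
if ($server) { Write-Warning "Server object still present: $($server.DistinguishedName); delete it in AD Sites and Services" }

# 2. No operations master role may still name the dead DC; seize any that does
#    with ntdsutil (roles menu) on a surviving DC.
$roles = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -like "$dead.*") { Write-Warning "$($r.Key) still points at $($r.Value); seize it" }
}

# 3. DNS is not cleaned up for you: the dead DC's SRV records keep sending
#    clients to it until they are deleted from the zone.
$srv = "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)",
       "_kerberos._tcp.dc._msdcs.$($domain.DNSRoot)",
       "_ldap._tcp.gc._msdcs.$($forest.RootDomain)"
foreach ($name in $srv) {
    $hit = & nslookup.exe -type=SRV $name 2>&1 | Select-String -SimpleMatch $fqdn
    if ($hit) { Write-Warning "$name still lists $fqdn; remove that record in DNS" }
}

# 4. The replication summary should no longer mention the dead DC as a partner.
$rep = & repadmin.exe /replsummary 2>&1 | Select-String -SimpleMatch $dead
if ($rep) { Write-Warning "repadmin still reports ${dead}:`n$($rep -join "`n")" }
```

Run it from a surviving DC in the same domain; a clean run prints nothing but warnings are actionable one by one.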

Written by rodney.buike on November 22nd, 2008 with no comments.

Server 2008 Domain and Forest Functional Levels

As with each edition of Windows Server, the 2008 release includes some new additions.  In order to take advantage of some of these new features you need to raise your Active Directory forest and domain functional levels.  You can read about the Windows 2000/2003 domain and forest functional levels as a refresher if you like, but here we'll cover the 2008 versions.

Windows 2008 Forest Functional Level

The Windows Server 2008 forest functional level does not provide any additional features beyond the 2003 level, but it does require that all domain controllers in the forest are running Server 2008, and it cannot be lowered again once raised.  You should only change it once you have upgraded all DCs in the forest to Server 2008.

Windows 2008 Domain Functional Level

The Windows Server 2008 domain functional level does provide quite a few useful new features to your Active Directory domain.  Some of these you've probably been asking for!  All domain controllers in the domain (but not necessarily the rest of the forest) will need to be running Windows Server 2008.

  • Fine-grained password policies.  Finally you can have separate password and lockout policies aside from the domain-level policy.  Note that they are applied to users and global security groups, not to OUs; when more than one policy covers a user, the one with the lowest precedence value wins.
  • Last Interactive Logon Information.  Details of the last successful and failed interactive logons, and the number of failed attempts since the last successful one, recorded on the user account (it has to be switched on through Group Policy).
  • Distributed File System updates: DFS Replication can be used for SYSVOL in place of FRS.
  • AES 128 and AES 256 encryption support for Kerberos.

The process for raising your forest or domain level is the same as it was in the past (Active Directory Domains and Trusts, or the AD PowerShell module on 2008 R2), and it is one-way.
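As an added example, not code from the original article, the PowerShell below ties the two points together: it refuses to raise the domain functional level while any DC in the domain runs something older than Server 2008, raises it, and then uses the fine-grained password policy feature that the new level unlocks, applying the policy to a group rather than an OU.  It assumes the Active Directory module (Server 2008 R2 or RSAT) and Domain Admin rights; the group Tier0-Admins, the policy name and the user alice are hypothetical.

```powershell
# Added example, not from the original article. Assumes the AD module
# (2008 R2 / RSAT) and Domain Admin rights; 'Tier0-Admins', 'PSO-Tier0-Admins'
# and 'alice' are hypothetical names.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. Every DC in the domain (not the forest) must run 2008 or later. Adjust the
#    pattern if you have newer releases in the mix.
$old = Get-ADDomainController -Filter * -Server $domain.DNSRoot |
       Where-Object { $_.OperatingSystem -notmatch 'Windows Server 2008' }
if ($old) {
    throw "Upgrade these DCs first: $($old.HostName -join ', ')"
}

# 2. Raise the level. This is one-way: 2008 cannot be lowered back to 2003.
if ($domain.DomainMode -lt 'Windows2008Domain') {
    Set-ADDomainMode -Identity $domain -DomainMode Windows2008Domain -Confirm:$false
    $domain = Get-ADDomain
}
"Domain functional level: $($domain.DomainMode)"

# 3. Fine-grained password policy: subjects are users and global security
#    groups, never OUs. Lower Precedence wins when a user is in several PSOs.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0-Admins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0-Admins' -Subjects 'Tier0-Admins'

# 4. Verify what a member actually gets. The cmdlet returns nothing when no PSO
#    applies, which means the Default Domain Policy settings are in force.
Get-ADUserResultantPasswordPolicy -Identity 'alice' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

The resultant-policy check is the one to keep handy: because PSOs follow group membership rather than OU placement, moving a user between OUs changes nothing, while adding them to a second group with a lower-precedence PSO silently changes their policy.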

Written by rodney.buike on October 5th, 2008 with no comments.
