Microsoft Loopback adapter

What is a Loopback Adapter?

The Microsoft Loopback adapter is a testing tool for a virtual network environment where network access is not available. Also, you must use the Loopback adapter if there are conflicts with a network adapter or with a network adapter driver. You can bind network clients, protocols, and other network configuration items to the Loopback adapter, and you can install the network adapter driver or network adapter later while retaining the network configuration information.

Manual installation

To manually install the Microsoft Loopback adapter in Windows XP, follow these steps:

  1. Click Start, and then click Control Panel. Because this is XP, you may have it set up this way, or you may have your interface set up in Classic view. Either way, navigate your way to ‘Add Hardware’, or ‘Printers and Other Hardware’

  1. Launch the Wizard to Add Hardware to your system. Do not be confused because you are not actually installing any new hardware, just simply adding a ‘network adapter’ which is acting as a virtual adapter.
  2. Click next, once you have launched the Wizard.  You will see a series of dialog boxes open to ask you about scanning for hardware changes, etc – you will want to do everything manually in this exercise. There will be no automatic scanning for any reason because you have not installed anything, the installation will immediately fail.

  1. You will next be asked if the hardware is connected. You can select Yes from the options and click Next.

  1. Now, select *from the bottom of the list* the ‘Add a new hardware device’ option, and then click Next.

  1. Click Install the hardware that I manually select from a list, and then click Next.

  1. Select ‘Network adapters’ from the Common hardware types section within the dialog box. Click Next.

  1. Select Microsoft and then the Microsoft Loopback Adapater, and then click Next.

Lastly, you will be prompted to Finish up the installation.

Viewing and Configuring the Loopback Adapter

Once you have finished the installation, you will have a brand new loopback interface configured on your PC. There are a few things that you should know about the use of the loopback adapter.

  • First, it will appear as a new interface connection in the properties of My Network Places. It will also show up with you view IPCONFIG from the command line.
  • Second, you will be confused about it when you see it because if you have multiple adapters set up as most do, you will see Local Area Connection, Local Area Connection 2, Local Area Connection 3 and so on. A trick to seeing what is what is to hover your mouse over the connections until you find the right one as seen in the illustration here:

  • It is recommended that you rename the connection to something like ‘LOOPBACK’ so you can differentiate what it is quicker, and if you use IPCONFIG, check out the output below, you will know it’s the LOOPBACK.


<<Output Omitted>>

Ethernet adapter LOOPBACK:

Connection-specific DNS Suffix  . :
Autoconfiguration IP Address. . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :


  • Lastly, notice that the address given to the adapter is on the APIPA subnet. APIPA, which is Automatic Private IP Addressing, is a way for the PC to put itself on the network if DHCP is configured but not available. You can keep this on the APIPA range or hard code a static IP address in to use and test with.
  • Unless you disable the interface, it will always appear as up because it cannot go down from a hardware failure as there is no hardware to fail.

Metadata Cleanup Using NTDSUTIL in Windows Server 2008 R2

In the previous Active Directory article, we have seized an Operations Master Roles from the Offline Domain Controller to the New Domain Controller. After this, we have to clean out the offline domain controller data from the new domain controller. This process of removing data in AD DS is known as Metadata Cleanup. NTDSUTIL is used to clean up domain controller metadata. If a domain controller that is damaged and cannot be started from Active Directory service, we can then use NTDSUTIL to clean out the unsuccessful domain controller demotion, and it is very important that you do so. This will solve problems with slow login in domain controller, replication as well as knowledge Consistency Checker (KCC).


Here, server is a failed domain controller, which we want to remove. To do this, we will use the NTDSUTIL command line tool.

Follow these steps to clean up the directory from a failed domain controller:

1. Open a command prompt, type ntdsutil and press Enter.

2. At the Ntdsutil prompt, type metadata cleanup and press Enter.

3. At the Metadata Cleanup prompt type connections and press Enter.

4. At the Server Connections prompt, type connect to server KTM-DC02-2K8
(where KTM-DC02-2K8 is the name of an available domain controller which holds Operations Masters Roles)

(If you have not logged on using an account that is a member of the Enterprise Admins group, you can set your credentials at this point by typing set creds domainname username password and then press Enter)

5. At the Server Connections prompt, type quit and press Enter.

6. At the Metadata Cleanup prompt, type select operation target and press Enter.

7. At the Selected  Operations Target prompt, type list domains and press Enter. This list all the domains in the forest are listed with a number associated to each.

8. At the Select Operations Target prompt, type select domain 0, where number “0” is the failed domain controller, and press Enter.

9. At the Select Operations Target prompt, type list sites and press Enter. This list all the sites in the forest are listed with a number assigned to each.

10. At the Select Operations Target prompt, type select site 0, where number “0” is the site containing the failed domain controller, and press Enter.

11. At the Select Operations Target prompt, type list servers in site and press Enter.

12. At the Select Operations Target prompt, type select server 0, where number “0” is the failed domain controller, and press Enter.

13. At the Select Operations Target prompt, type quit and press Enter.

14. At the Metadata Cleanup prompt, type remove selected server and press Enter.

15. You will receive a warning message. Read it, and if you agree, Click Yes to confirm removal of the server.

16. Type quit at each prompt to exit Ntdsutil.

In addition to cleaning up the Active Directory object using Ntdsutil, we should clean up the DNS records for the failed domain controller. Remove all DNS records from DNS, including all domain controller records, GC server records, and PDC emulator records. (The last two will exit only if the domain controller was configured with these roles.) If you do not clean up the DNS records, clients will continue to receive the DNS information and try to connect to the domain controller. This can result in slower connections to Active Directory as clients fail over to use alternate domain controllers.

1. Open DNS Manager, expand Forward Lookup Zones, Right Click, Click Properties.

2. On the Properties dialog box, Click on Name Server Tab, select the offline domain controller and Click on Remove

3. Click Apply and Click OK.

4. Right Click on, and then click Properties.

5. On the Properties dialog box, Click on Name Servers Tab, select the offline domain controller and Click on Remove.

6. Click Apply and then Click OK.

7. Do the same process on Reverse Lookup Zones.

8. Remove all DNS records ( from DNS, including all domain controller records, GC server records and PDC records.

9. Open Active Directory Sites and Services; expand Default-First-Site-Name, Servers, Right Click on KTM-DC01-2K8, Click Delete.

10. On Active Directory Domain Services dialog box, Click Yes.

11. Close the Active Directory Sites and Services Console.


Metadata Cleanup process is very important whenever the Domain Controller is non-functional for business continuity. The above article outlines how to carry out the Metadata cleanup process using NTDSUTIL in Windows Server 2008 R2 and this process also works in Windows Server 2003.  I hope this helps.

Administrator Password error

The local administrator account becomes the domain administrator account when you create a new domain. The new domain cannot be created because
the local administrators account password does not meet requirements.

Currently, a password is not required for the local administrator account. We recommend that you use the net user comand-line
tool with the /passwordreq:yes option to require a password for this account before you create the new domain; otherwise, a password will not be required for the domain administrator account.

Unable to complete DCPROMO

To resolve the problem:

The password for your local account needs to meet the minimum password complexity:
The password is at least six characters long.
The password contains characters from three of the following four categories:

English uppercase characters (from A through Z)
English lowercase characters (from a through z)
Base 10 digits (from 0 through 9)
Non-alphanumeric characters (for example: !, $, #, or %)

If your still having a problem, this is what you have to do to bypass dcpromo.exe Administrator Password required error 

Open your command prompt and enter the following command
net user Administrator /passwordreq:yes command

dcpromo.exe Administrator Password required error

Adjusting the Tombstone Lifetime

I just had a pretty interesting discussion via a mailing list with some other Active Directory MVPs and some members of the Active Directory Product Group in Redmond.

As we know, there is a new default for the tombstone lifetime in Active Directory. The discussion initiated because there is an article on Technet which is incorrect: Currently point 8 states that the tombstone lifetime, if it is <not set>, depends on the version of the Operating System of the first DC in the forest. However this is not correct and the article is already being changed.

If you are not familiar with tombstones, I wrote Some details about Tombstones, Garbage Collection and Whitespace in the AD DB a while ago. Basically, a tombstone is an object which is deleted, however a small part of it is maintained in AD for 60 or 180 days (by default) to make sure that all DCs receive the information that the object needs to be deleted. When the 60 or 180 days are over (this is the tombstone lifetime) every DC will delete the object locally (this is not replicated, the DC simply calculates if “time-of-deletion + tombstone-lifetime < now”, if yes the object is cleaned up. This “cleaning up” is done during garbage collection, which is by default every 12 hours.

The tombstone lifetime therefore is also the limit of the “shelf live” of an backup – if you’d use an backup which is older it would reintroduce objects which were already deleted, so the maximum age of an backup is the same as the tombstone lifetime.

In Windows Server 2003 SP1 Microsoft decided to increase the tombstone lifetime to 180 days, as I wrote in Active Directory Backup? Don’t rush – you’ll get more time. However, in Windows Server 2003 R2 there was a minor slip so this version introduced 60 days again. To clarify, this only changes if you set up a new forest and the value will depend on the level of the operating system of that first DC.

Operating System of first DC tombstoneLifetime (days)
Windows 2000 Server 60
Windows Server 2003 w/o SP 60
Windows Server 2003 SP1/2 180
Windows Server 2003 R2 (SP1) 60
Windows Server 2003 R2 SP2 180
Windows Server 2008 and higher 180


You can verify what your tombstone lifetime is by looking at the Attribute “tombstoneLifetime” of the object cn=directory service,cn=windows,cn=services in the Configuration-Partition.

dsquery * “cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=” –scope base –attr tombstonelifetime

If the attribue has an value, tombstone lifetime is that value in days, if it has no value it is 60 days. What changed the default to 180 is the file schema.ini, which is creating the default objects in a new AD. The version of Windows Server 2003 SP1 and higher (see table above) of schema.ini sets simply the value 180 in the attribute tombstoneLifetime.

Is it recommended to adjust the Tombstone-Lifetime to the new default?

Over the years there were many infrastructures who’s DCs didn’t replicate within 60 days, leading to replication issues and lingering objects. There were many cases within Microsoft PSS and I’ve also seen a couple of infrastructures where I had to fix this. Therefore Microsoft decided to raise the default tombstone lifetime to 180 days, which also extends the lifetime of your backup. It is up to your company to decide whether to change the tombstone lifetime to the new default.

In the E-Mail-Thread we were also discussing if there are any issues with changing the tombstone lifetime.

If you lower the tombstone lifetime, there is no issue. The garbage collection process will be a bit more busy (usually it only needs to clean up changes from a 12 hour timeframe 60 or 180 days ago, but if we go down from 180 to 60 garbage collection needs to clean up the changes of 120 days the next time it is running). However this shouldn’t lead to a performance issue, and if you think it’ll be an issue you can stage it (e.g. moving from 180 to 150, waiting at least for replication + 12 hours, then go from 150 to 120 and so on).

However, if you want to raise the tombstone lifetime, e.g. from 60 to 180 to match the new default, there’s one scenario which needs to be considered:

Lets say we have two DCs, DC-Munich and DC-LA (L.A. because that where The Experts Conference will be in April). On DC-Munich we change the tombstoneLifetime from (=60) to 180. When garbage collection runs on DC-Munich it is bored – it already cleaned up all changes from 60 days ago but we instructed it to keep everything now to 180 days, so the next 120 days garbage collection does not need to do anything. However a bit later DC-LA (who hasn’t gotten replication with the new tombstoneLifetime yet) runs garbage collection and cleans up everything which happened in the 12h timespan 60 days ago.

In this scenario, DC-Munich has objects (tombstones) which were cleaned up on DC-LA, leading various detection mechanisms to identify them as lingering objects (repadmin will detect them, as well as various update processes which will prevent you from doing operations like schema updates for the next 120 days). This will resolve after 120 days, however is pretty inconvenient.

To increase tombstoneLifetime in big infrastructures, there is only one valid solution:

  • make sure that garbage collection will not run instantly after you changed the attribute, then after changing the attribute force replication and make sure it’s replicated everywhere
  • lower the tombstone lifetime before increasing it. e.g. set it to 55 and make sure it has been replicated everywhere, then wait at least 12 hours or ensure that garbage collection was running on all DCs. This ensures that there are no objects which need to be taken care of garbage collection for the next couple days. Then increase the tombstone lifetime to the value you intended, e.g. 180 days. Make sure that replication works and every DC is getting the update in the next few days, and you are on the safe side
    Thanks to Jesko who discussed this scenario with me – I was wrong – increasing is always causing trouble with lingering objects. Controlling garbage collection is the only way to go.

I think this scenario is very interesting, so I wanted to share it.

Easy Commands in PowerShell

The command and its associated output are shown in the image that follows.

Image of command output

“Another easy Windows PowerShell command is the Get-Service cmdlet, which returns information about services on the computer. Go ahead and try it,” I suggested.

The Scripting Wife typed the following command:


The resulting command and its output are shown in the following image.

Image of command output

“Another easy cmdlet is the Get-Date cmdlet. It retrieves the current date and time from computer. Why don’t you try it as well,” I said.

The Scripting Wife quickly typed the following:


The command and its associated output are shown in the image that follows.

Image of command output

“One other cmdlet that is very useful, and is also extremely easy to use is the Get-Hotfix cmdlet. It displays a listing of all the hotfixes that are installed on the computer. Go ahead and give it a try,” I suggested.

She typed the following keystrokes.


When she pressed ENTER, the computer paused for a second, and then the output that is shown in the following image appeared.

Image of command output

“That is pretty cool,” the Scripting Wife said.

“There are two other commands that are really useful, and really easy to use: Get-History, which shows you all of your previously typed commands, and Start-Transcript, which records the commands and the associated output. Why don’t you type Get-History and see what it displays,” I suggested.

She typed the following characters:


She then used the Up arrow to recall the previous command, and then entered it again. The output is shown in the following image.

Image of command output

“Let me show the output from a transcript,” I said as I turned my laptop screen towards her. The transcript is shown in the image that follows.

Image of command output

“Yes, there are other really easy cmdlets to use, such as Get-Culture, Get-Acl, Get-ChildItem, and Get-Random. They all return information, but they are not quite as immediately useful as the previous cmdlets,” I said, “By the way, why do you ask?”

Active Directory user creation

Click Start, highlight “Administrative Tools” and select “Active Directory Users and Computers”

Now, expand your domain name on the left side, and go to the bottom where it says “Users”.  Once you click on that, you will see all of the automatically created users, you will also see all of the users you made before you ran dcpromo – that’s because they all stay through the promotion to DC.  Anyway, to add a user, you can either right click the “Users” folder on the left side, or the blank area on the right side, and highlight “New” then click “User”

In the next dialog we can set the user’s First name, Last name and various other pieces of information, including their log-on name, and domain to which we want to add them

After clicking “Next” you are presented with the password-settings screen.  You can set the user’s password and then have them change it on their first log-on by selecting “User must change password at next logon”.  But in this tutorial, I will set it as their password, and not allow them to ever change it without asking me (the administrator) to change it for them

In the next dialog, we get a summary of the user to be created.  Click “Finish” and the user has been created

And we’re finished!

How to create CON folder

Try out creating a folder named CON or LPT or COM1

Not only CON, we cannot create any of these
CON, PRN, AUX, CLOCK$, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, LPT9 and more

The reason is that con, prn, lpt1..lpt9, etc are underlying devices from the time dos was written. so if u r allowed to create such folders, there will be an ambiguity in where to write data when the data is supposed to go to the specified devices. In other words, if i want to print something, internally what windows does is — it will write the data to the folder prn (virtually u can call it a folder, i mean prn, con, etc are virtual folders in device level). So if we are able to create con folder, windows will get confused where to write the data, to virtual con folder or real one.

So Now, Try this…

Open the Command prompt by Start -> Run and typing cmd

C:\> md \\.\c:\con

Now, Open My Computer and browse through the path where you created CON folder… Surprising.. ?? Yeah.. you have created it successfully

Now, try to delete the folder from My computer

OOPS!!! You cant delete it…

Now, try this in command prompt console

C:\> rd \\.\c:\con

Yeah!! You did it…

%d bloggers like this: