Active Directory Videos


Privileges required for Collecting audit data

For ADAudit Plus to collect audit data from Domain Controllers, provide an account with one of the following sets of privileges under the Domain Settings tab of ADAudit Plus.

For 2003 Domain Controllers

  1. A user with Domain Admin Account credentials (or)
  2. User with Read Permission on the Event log (security logs) with access to C$.

For 2008 Domain Controllers

  1. A user with Domain Admin Account credentials and additional DCOM and WMI permissions (or)
  2. User with Read Permission on the Event log (security logs) and additional DCOM and WMI permissions.


Providing A User with Event Log Read Permission

  1. Log in to the Domain Controller as an administrator.
  2. Click on “Start –>> All Programs –>> Administrative Tools –>> Local Security Policy”.
  3. Open “Security Settings –>> Local Policies –>> User Rights Assignment –>> Manage auditing and security log”.
  4. Click on “Add User/Group” and add the corresponding user.



Providing DCOM and WMI permissions:


These permissions are specific to Windows 2008 Domain Controllers.

  1. Providing DCOM Permissions
  2. Providing WMI Permissions

To Provide DCOM Permissions:

  1. Login to the Domain Controller as an administrator
  2. Go to “Start –>> Run”
  3. Type “dcomcnfg”
    1. Go to Components Services –>> Computers –>> My Computer
    2. Right click “My Computer” and go to “Properties”
    3. Go to tab “COM Security”
    4. Click on “Edit Limits” of “Launch and Activation Permissions”
    5. In the “Security Limits” dialog click “Add” and add the user that needs the permission.
    6. Provide with “Allow” to “Local Launch”, “Remote Launch”, “Local Activation” and “Remote Activation”


Providing DCOM Permissions

To Provide WMI Permissions:

  1. Login to the Domain Controller as an administrator
  2. Go to “Start –>> Run”
  3. Type “wmimgmt.msc”
    1. Go to the “Security” tab
    2. Expand and go to “CIMV2”
    3. Click on “Security”
    4. Similarly add the user there and provide “Allow” for all the permissions shown below.
  4. Also ensure that the user has “Read & Execute” permission on the files under the root folder of the Domain Controller, i.e., that the files in C:\WINDOWS\system32 are accessible to the user configured in the “Domain Settings” page of ADAudit Plus.
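The script below, added here and not part of ADAudit Plus or its documentation, checks from the ADAudit Plus host that an account set up with the steps above (Security log read, DCOM launch/activation, WMI in root\cimv2, Read & Execute on system32) actually works before it is entered on the Domain Settings page. The DC name DC1 and the account LAB\svc-adaudit are assumed lab values; the share test needs PowerShell 3.0 or later.

```powershell
# Added example (not from ADAudit Plus or its vendor): verify that a collection
# account can do what the steps above grant, before entering it in ADAudit Plus.
# $dc and the account name are assumed lab values.
$dc   = 'DC1'                                  # a Windows Server 2008 domain controller
$cred = Get-Credential 'LAB\svc-adaudit'       # the account from the Domain Settings page

$checks = @(
    @{ Name = 'Read the Security event log (Manage auditing and security log right)'
       Test = { Get-WinEvent -LogName Security -MaxEvents 1 -ComputerName $dc `
                             -Credential $cred -ErrorAction Stop } },
    @{ Name = 'DCOM remote launch/activation and WMI access to root\cimv2'
       Test = { Get-WmiObject -Class Win32_OperatingSystem -Namespace 'root\cimv2' `
                              -ComputerName $dc -Credential $cred -ErrorAction Stop } },
    @{ Name = 'Read & Execute on \\DC\C$\Windows\system32 (needs PowerShell 3.0+)'
       # the file system provider only honours -Credential when mapping a drive
       Test = { $null = New-PSDrive -Name SYS32 -PSProvider FileSystem -Credential $cred `
                                    -Root "\\$dc\C$\Windows\system32" -ErrorAction Stop
                try   { Get-ChildItem SYS32:\ -ErrorAction Stop | Select-Object -First 1 }
                finally { Remove-PSDrive SYS32 } } }
)
foreach ($c in $checks) {
    # each test either returns an object (pass) or throws with the access error (fail)
    try   { $null = & $c.Test; "PASS  $($c.Name)" }
    catch { "FAIL  $($c.Name): $($_.Exception.Message)" }
}
```

“Manage auditing and security log” also lets the account clear the Security log; on Windows Server 2008 the built-in Event Log Readers group grants read access only. Either way a dedicated collection account exposes far less than Domain Admin credentials if the ADAudit Plus host is ever compromised.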



Metadata Cleanup – Unsuccessful Demotion of Domain Controller

Why Metadata Cleanup ?

When a domain controller crashes or is removed from the network, Active Directory still assumes that the Domain Controller is alive and you will see replication problems. This affects Microsoft Exchange Server and other mission-critical applications that depend on AD.

DcDiag and NetDiag will help us understand whether there are any replication problems.

Permission Requisites

The account should be a member of Domain Admins and Enterprise Admins Group.

Let's Explore


Two Domain Controllers: DC-13 and DC1


Figure 1.1 : Netdom query DC

In figure 1.1 both DCs appear to be available; however, DC1 has in fact crashed. A DC may be lost for any of the following reasons:

  1. Drive Crashed
  2. Blue Screen of death
  3. Hardware Issue
  4. Unsuccessful Demotion of DC (Unplugged from Network).
  5. Virus infected

In our scenario DC1 is crashed.

Before we move ahead, let's check where the FSMO roles reside.


Figure 1.2 : Netdom Query FSMO

Since the FSMO roles are held by DC-13, we will start the metadata cleanup.

Go to command prompt and type the below command.


Figure 1.3 : Ntdsutil

Ntdsutil is the utility used for various Active Directory maintenance tasks.


Figure 1.4 : Metadata Cleanup

Type Metadata cleanup as shown in figure 1.4.


Figure 1.5 : Connections

Type connections as shown in figure 1.5.


Figure 1.6 : Connect to server

Connect to server. In our scenario we will connect to DC1 which is crashed.


Figure 1.7 : Quit

Type quit as shown in figure 1.7.

The metadata cleanup prompt appears.


Figure 1.8 : Select Operation Target


Figure 1.9 : List Domain


Figure 1.10 : Select Domain 0

In figure 1.10 it says no site found. To list the sites we have to run the command below.


Figure 1.11 : List Site

Now in figure 1.11 it lists the site, which is “Default-First-Site-Name”.


Figure 1.12 : Select Site 0

In figure 1.12 it again says No Current Server. To list the servers in the site, type the command below.


Figure 1.13 : List servers in site

In figure 1.13 it has listed the two servers in the site.


Figure 1.14 : Select Server 1


Figure 1.15 : Type Quit


Figure 1.16 : Remove Selected Server


Figure 1.17 : Select Yes

Now the process will perform Metadata cleanup for the failed DC.

After performing the above task we have to ensure that the DNS records of the failed DC are also removed. Remove them using the DNS management console.


The server object has to be removed manually from Active Directory Sites and Services.


When you use DFS Replication in Windows Server 2008 and in later versions, the current version of Ntdsutil.exe does not clean up the DFS Replication object. In this case, you can use Adsiedit.msc to correct the DFS Replication objects for Active Directory Domain Services (AD DS) manually. To do this, follow these steps:

  • Log on to a domain controller as a domain administrator in the affected domain.
  • Start Adsiedit.msc.
  • Connect to the default naming context.
  • Locate the following DFS Replication topology container:

CN=Topology,CN=Domain System Volume,CN=DFSR-Globalsettings,CN=System,DC=Your Domain,DC=Domain Suffix

  • Delete the msDFSR-Member CN object that has the old computer name.
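The whole procedure above, from the ntdsutil session of figures 1.3 to 1.17 through the replication and DFSR follow-up checks, as one added PowerShell script that is not from the original post. One caveat a practitioner needs: ntdsutil has to connect to a surviving DC such as DC-13, because the metadata to be removed lives in the directory copy that DC-13 holds and the crashed DC1 cannot answer. It assumes the post's names (DC-13 alive, DC1 dead, site Default-First-Site-Name) and the Windows Server 2008 version of ntdsutil, which accepts the server object's DN directly.

```powershell
# Added example (not from the original post): the ntdsutil session of figures 1.3 to
# 1.17 as one command, plus two follow-up checks. DC and site names follow the
# post; the confirmation dialog of figure 1.17 still appears.
$liveDc   = 'DC-13'
$deadDc   = 'DC1'
$siteName = 'Default-First-Site-Name'
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

# The connection must go to a DC that is still running: the metadata describing
# DC1 lives in the directory copy that DC-13 holds, and a crashed server cannot
# answer. Windows Server 2008 ntdsutil accepts the server object's DN directly,
# which avoids the index picked in figure 1.14 ("select server 1").
$serverDn = "CN=$deadDc,CN=Servers,CN=$siteName,CN=Sites,CN=Configuration,$domainDn"
ntdsutil 'metadata cleanup' connections "connect to server $liveDc" q `
         "remove selected server $serverDn" q q

# Check 1: the surviving DC must no longer list the dead one as a partner.
$stale = repadmin /showrepl $liveDc | Select-String $deadDc
if ($stale) { Write-Warning "$liveDc still references ${deadDc}:`n$($stale -join "`n")" }
else        { "OK: no replication link from $liveDc to $deadDc" }

# Check 2 (2008 with DFS Replication): ntdsutil leaves the msDFSR-Member object
# behind; list it here so it can be deleted with Adsiedit.msc as described above.
$topology = [ADSI]"LDAP://CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDn"
$finder   = New-Object DirectoryServices.DirectorySearcher($topology, "(&(objectClass=msDFSR-Member)(cn=$deadDc))")
foreach ($hit in $finder.FindAll()) {
    "Leftover DFSR member to delete: $($hit.Properties['distinguishedname'][0])"
}
```

The DNS records and the server object in Sites and Services still have to be removed by hand as the text says; the script only confirms what ntdsutil did and did not clean up.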

Tested On

Windows Server 2003

Windows Server 2008

How to Restore Deleted Active Directory Object using LDP.exe in Windows Server 2008 R2 Domain

Before we begin

The account with which we are going to perform this action should be a member of Domain Admins group.

Best Practices

It is always recommended to have a proper system state backup. To know how to perform a system state backup on 2008 machines please click here. The Recycle Bin is an optional feature in Windows Server 2008 R2. Once this feature is enabled it cannot be reversed under any circumstances, so plan accordingly.


For testing purposes we will delete the same account, named “Sunder”.

Open command prompt in elevated mode as follows.

Go to Start > Right click Command Prompt > Select Run as Administrator as shown below.


Figure 1.1 : Open Command Prompt in elevated mode.


Figure 1.2 : Type ldp.exe and then press enter


Figure 2.1 : Click on connect


Figure 2.2 : Type the server name with which you want to connect. In our scenario it's DC1.

Click on OK.


Figure 3.1 : Click on Bind


Figure 3.2 : Bind as currently logged on user (Default). Click ok.


Figure 4.1 : Select Options in the menu bar and then select Controls.


Figure 4.2 : Option to select.

In figure 4.2 please select “Return deleted objects” in the drop down menu as shown above.


Figure 5.1 : Select Tree

Go to view and Select “Tree” and select the option as listed below.


Figure 5.2 : In BaseDN Select Domain Partition.


Figure 6.1 : Click Modify

In Figure 6.1 navigate to the Deleted Objects container and locate the object that was deleted. Right click and then select Modify.


Figure 6.2 : Modify the selected object.

In figure 6.2 type “isDeleted” and under Operation select Delete and then press Enter as shown above.


Figure 6.3 : Changing the DN.

In figure 6.3 type distinguishedName and in the Values type the original DN of the object. In our case it is “CN=Sunder,OU=All Company Users,DC=MSEXCHANGETEAM,DC=IN”. Select the check box Extended without fail.

Under Operation select Replace and again press Enter. And finally click Run.

Object restored successfully.


Figure 7.1 : Object restored Successfully.

It is always important to make a note of the object from where it was deleted. This will help in fetching the DN of the object.

Conclusion : Using PowerShell it is pretty straightforward. Either way, we have two easy options to recover objects that were deleted accidentally. The choice is yours.
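The same restore as the LDP.exe steps above, written as an added script that is not from the original post, using the System.DirectoryServices.Protocols classes so that the tombstone DN and the original location are read from the directory rather than typed by hand. DC1, the domain DN and the user Sunder are the post's lab values.

```powershell
# Added example (not from the original post): the LDP.exe steps of figures 2.1 to
# 6.3 as one script over System.DirectoryServices.Protocols (works without the
# Recycle Bin, i.e. plain tombstone reanimation). Lab names are the post's.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ns     = 'System.DirectoryServices.Protocols'
$server = 'DC1'                          # figure 2.2
$baseDn = 'DC=MSEXCHANGETEAM,DC=IN'
$cn     = 'Sunder'                       # the deleted user from the post

$conn = New-Object "$ns.LdapConnection" $server
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()                             # bind as the logged-on user (figure 3.2)

# "Return deleted objects" in LDP is the LDAP Show Deleted control, OID
# 1.2.840.113556.1.4.417; without it the Deleted Objects container is invisible.
# A tombstone's CN is "<name>\0ADEL:<objectGUID>", so match on the prefix.
$filter = "(&(isDeleted=TRUE)(objectClass=user)(cn=$cn*))"
$search = New-Object "$ns.SearchRequest" -ArgumentList $baseDn, $filter, 'Subtree', ([string[]]'lastKnownParent')
$null   = $search.Controls.Add((New-Object "$ns.ShowDeletedControl"))
$hits   = $conn.SendRequest($search).Entries
if ($hits.Count -ne 1) { throw "Expected one tombstone for CN=$cn, found $($hits.Count)" }
$tombDn = $hits[0].DistinguishedName
# lastKnownParent is the container the object was deleted from: the note the
# post says to keep, here read back from the tombstone itself.
$newDn  = "CN=$cn," + $hits[0].Attributes['lastKnownParent'][0]
"Tombstone: $tombDn`nRestoring to: $newDn"

# Figures 6.2 and 6.3: delete isDeleted and replace distinguishedName in ONE modify;
# the "Extended" check box attaches the Show Deleted control to that modify.
$clear = New-Object "$ns.DirectoryAttributeModification"
$clear.Name      = 'isDeleted'
$clear.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
$move  = New-Object "$ns.DirectoryAttributeModification"
$move.Name       = 'distinguishedName'
$move.Operation  = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$null  = $move.Add($newDn)

$modify = New-Object "$ns.ModifyRequest"
$modify.DistinguishedName = $tombDn
$null = $modify.Modifications.Add($clear)
$null = $modify.Modifications.Add($move)
$null = $modify.Controls.Add((New-Object "$ns.ShowDeletedControl"))
$result = $conn.SendRequest($modify)     # throws DirectoryOperationException on failure
"Result: $($result.ResultCode)"          # Success
```

A reanimated tombstone keeps only a handful of attributes (SID, GUID, sAMAccountName, lastKnownParent), so after this the password must be reset and group memberships and other attributes re-applied; that is exactly the gap the Recycle Bin feature in the next post closes.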

Enable Active Directory Recycle Bin in Windows Server 2008 R2 and How to Restore Single Deleted Object using PowerShell.

Before we begin

The account with which we are going to perform these steps must be a member of the Domain Admins and Enterprise Admins groups.

The Forest Functional level should be Windows Server 2008 R2.

Best Practices

It is always recommended to have a proper system state backup. To know how to perform a system state backup on 2008 machines please click here. The Recycle Bin is an optional feature in Windows Server 2008 R2. Once this feature is enabled it cannot be reversed under any circumstances, so plan accordingly.


One Domain Controller by the name as follows.


Forest Functional Level : Windows Server 2008 R2.

By default the Recycle Bin is not enabled. We have to enable it manually.

Below is the step-by-step scenario on how to restore a single AD object that was deleted.


Figure 1.1 : Object which will be deleted.

Before deleting the object we have to enable Recycle Bin.


Figure 2.1 : Importing Active Directory Module.

In figure 2.1 we import the Active Directory module in order to enable AD optional features.


Figure 2.2 : Enable AdOptionalFeature.


Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=MSEXCHANGETEAM,DC=IN' -Scope ForestOrConfigurationSet -Target 'MSEXCHANGETEAM.IN'

Figure 2.3 : Command for reference.


Figure 3.1 : Object marked for deletion.


Get-ADObject -Filter {displayName -eq "Sunder"} -IncludeDeletedObjects | Restore-ADObject

Figure 4.1 : Command to restore AdObject


Figure 5.1 : Object Restored Successfully.
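An added script, not from the original post, that puts the prerequisites and the two commands above together: it checks the forest functional level, enables the Recycle Bin only if it is not already on, and then restores the object while handling the one case the one-liner in figure 4.1 does not, a user whose OU was deleted along with it. The forest MSEXCHANGETEAM.IN and the user Sunder are the post's lab values.

```powershell
# Added example (not from the original post): prerequisite checks, one-time enable,
# and a restore that copes with a deleted parent OU. Names follow the post's lab.
Import-Module ActiveDirectory
$forestName = 'MSEXCHANGETEAM.IN'
$userName   = 'Sunder'

# 1. Forest functional level must be Windows Server 2008 R2 (or higher).
$forest = Get-ADForest -Identity $forestName
if ($forest.ForestMode -lt 'Windows2008R2Forest') {
    throw "Forest mode is $($forest.ForestMode); Recycle Bin needs Windows2008R2Forest"
}

# 2. Enable the feature only if it is not already on: the change cannot be undone.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
                             -Target $forestName -Confirm:$false
} else { "Recycle Bin already enabled for: $($feature.EnabledScopes -join ', ')" }

# 3. Find the deleted user. With the Recycle Bin on, a deleted object keeps all its
#    attributes, and lastKnownParent records the container it was removed from.
$deleted = @(Get-ADObject -Filter { displayName -eq $userName -and isDeleted -eq $true } `
                          -IncludeDeletedObjects -Properties lastKnownParent)
if ($deleted.Count -ne 1) { throw "Expected one deleted object named $userName, found $($deleted.Count)" }
$deleted = $deleted[0]

# 4. Restore-ADObject puts the object back under lastKnownParent. That fails when
#    the OU was deleted too (restore the OU first, or pick an explicit -TargetPath).
$parentExists = $false
try { $null = Get-ADObject -Identity $deleted.lastKnownParent; $parentExists = $true } catch { }
if ($parentExists) {
    $deleted | Restore-ADObject
} else {
    $usersDn = "CN=Users,$((Get-ADDomain).DistinguishedName)"
    Write-Warning "Parent $($deleted.lastKnownParent) is also deleted; restoring to $usersDn instead"
    $deleted | Restore-ADObject -TargetPath $usersDn
}

# 5. Confirm the object is live again and where it landed.
Get-ADObject -Filter { displayName -eq $userName } | Select-Object Name, DistinguishedName
```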

Thanks to Microsoft for bringing such a wonderful feature for which Windows Administrators waited for almost a decade.

In the next part of the series we will walk you through the steps using the LDP.exe tool.

Courtesy Microsoft.

Disclaimer : The above scenario is thoroughly tested on lab. Please ensure that MSEXCHANGETEAM.IN would not be held responsible for any data loss or outage by following the above steps. Please read the documents carefully before proceeding further.

Happy Learning

Group Policy Central Blog

Active Directory Domain Services: Install from (restored backup) media (IFM)

As with Windows Server 2003, you can use restored backup media to minimize replication traffic during AD DS installation on a server that is running Windows Server 2008.  You can use this installation method to install a new (additional) domain controller in an existing domain. 

Of course, the amount of data to be replicated depends on how current your backup is.  Objects that were modified, added or deleted since the backup was taken must be replicated after the AD DS installation process.
If the backup was recent, the amount of replication data required will be considerably smaller than the amount required for a normal AD DS installation.

The Install From Media (IFM) option only appears when the check box for “Use advanced mode installation” is selected on the Welcome page of the wizard.  This “advanced mode” is an alternative to running dcpromo /adv.

IMPORTANT: The installation media that you use must be prepared from the same type of domain controller that you are installing. The following aspects of the domain controller source and target must be identical:

  • Domain controller option: Writable (RWDC) or Read-Only (RODC)
  • Operating system: Windows 2000 Server, Windows Server 2003 or Windows Server 2008
  • Platform: x86, IA64 or x64

NOTE: A Server Core installation can be the source for installing a new domain controller on a Full installation of Windows Server 2008.

Installation Media

Windows Server 2008 includes an improved version of Ntdsutil.exe that you can use to create the installation media for both writable (RWDC) and read-only DCs (RODC).  Ntdsutil.exe can create four types of installation media:

  1. Full (or writable) domain controller (Create Sysvol Full %s)
  2. Full (or writable) domain controller without SYSVOL data (Create Full %s)
  3. Read-only domain controller (Create Sysvol RODC %s)
  4. Read-only domain controller without SYSVOL data (Create RODC %s)

Ntdsutil allows to create four types of installation media.

If the installation media does not include SYSVOL – by default – the entire SYSVOL data must be replicated from another domain controller.  If the installation media includes SYSVOL, then the new domain controller will need to replicate only changes that have been made to SYSVOL since the installation media was created.

So, you can run the ntdsutil ifm command on a writable domain controller to create an installation media for an RWDC and/or an RODC.  You can only create an installation media for a RODC from another RODC.  In case of an RODC installation media only, ntdsutil removes any cached secrets, such as passwords.

As you can see below, ntdsutil uses VSS (Volume Shadow Copy Service) to create a snapshot of AD from the running DC, replays its logs and defragments the AD database.
Ntdsutil ifm allows to create IFM media for RWDC and RODC.

After also running a “Create Sysvol full” IFM creation, this is what the filesystem looks like. Notice the StartGPOs folder…

You can also create installation media by using the Windows Server Backup tool – feature not installed by default – in Windows Server 2008.  In this case, you need to use the wbadmin (WindowsBackupAdmin) command-line tool option to restore system state data to an alternate location.

However, you should use Ntdsutil.exe because Windows Server Backup can back up only the set of critical volumes, which occupies much more space than is required for AD DS installation data.

More information: Installing AD DS from (Installation) Media
