Saturday, December 20, 2014

How to Remotely Manage AD from a Member Server

How to Manage AD from Member Server

This was once available by default on Windows member servers joined to an organization's domain: an administrator in the domain could click Start, then Run, type dsa.msc and open Active Directory Users and Computers from a member server. This was useful, and it was removed as a default with Windows Server 2008.
For administrators who want to manage Active Directory remotely from a member server, there is a simple way to add this functionality to a member server running Windows Server 2008 or 2008 R2 in the domain: install the Remote Server Administration Tools (RSAT) for AD DS.

Remotely Access Active Directory from Another Server

When an administrator installs Active Directory Domain Services (AD DS) on a member server to create a new or additional domain controller, the tools used to manage AD DS are installed automatically. To manage Active Directory domain controllers remotely from another server, or from a Windows desktop operating system, that is not a domain controller, Remote Server Administration Tools (RSAT) can be installed on a member server running Windows Server 2008 R2 or Windows Server 2008. RSAT can also be installed on a computer running Windows 7 or Windows 8. The RSAT component used to access and manage AD DS is Active Directory Domain Services Tools.

Installing Remote Server Administration Tools for AD DS

Active Directory Domain Services Tools on a member server

Open Server Manager on the member server and click Add Features.

In Features, expand Remote Server Administration Tools and then Role Administration Tools:

Windows Server 2008 member server: 
Expand Active Directory Domain Services Tools, and then click Active Directory Domain Controllers Tools.

Windows Server 2008 R2 member server: 
Expand AD DS and AD LDS Tools, then expand AD DS Tools, and then click AD DS snap-ins and command-line tools.

Click Next and then click Install. The setup wizard installs the necessary files and creates the shortcuts to manage Active Directory (AD) from this member server.

The Active Directory Domain Services administration tools are available on the Administrative Tools menu.
In most cases you can run the Active Directory Users and Computers console even before the server is rebooted: click Start > Run, type dsa.msc and click OK.
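The same installation can be scripted from an elevated PowerShell prompt instead of clicking through Server Manager. This is an added example, not from the original post; it assumes it is run by a domain administrator on a 2008 R2 or 2008 member server, and the feature names are the ones Server Manager uses for the AD DS tools on those releases.

```powershell
# Added example (not from the original post): install the AD DS RSAT tools on a
# member server from PowerShell, verify the feature state, then open dsa.msc.
# Assumption: run elevated as a domain administrator on a 2008 R2 or 2008 member server.

$os = (Get-WmiObject Win32_OperatingSystem).Version   # 6.1.x = 2008 R2, 6.0.x = 2008

if ($os -like '6.1*') {
    # Windows Server 2008 R2: the ServerManager module is not auto-loaded in PowerShell 2.0.
    Import-Module ServerManager
    # RSAT-ADDS-Tools  = "AD DS Snap-Ins and Command-Line Tools" (dsa.msc, dsquery, ntdsutil ...)
    # RSAT-AD-PowerShell = the ActiveDirectory module, useful for scripting from this server.
    Add-WindowsFeature RSAT-ADDS-Tools, RSAT-AD-PowerShell
    Get-WindowsFeature RSAT-ADDS* | Format-Table Name, Installed -AutoSize
}
elseif ($os -like '6.0*') {
    # Windows Server 2008 (RTM) has no ServerManager module; use servermanagercmd.exe.
    # RSAT-ADDC = "Active Directory Domain Controller Tools" (the ADUC / Sites and Services snap-ins).
    servermanagercmd.exe -install RSAT-ADDC
    servermanagercmd.exe -query | Select-String 'RSAT-AD'
}
else {
    Write-Warning "Unexpected OS version $os; use the Server Manager steps above."
}

# The console is registered as dsa.msc; it can usually be started without a reboot.
if (Test-Path "$env:windir\system32\dsa.msc") {
    Start-Process mmc.exe -ArgumentList "$env:windir\system32\dsa.msc"
}
```

One operational caveat: once the tools are on a member server, domain administrator credentials get typed on that server, so keep it patched and treat it as an administrative host rather than a general-purpose box.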

Installing Active Directory Domain Services Tools on a computer that is running Windows 7 or Windows 8

Windows 7 and Windows 8 do not ship with the RSAT installation files as Windows Server 2008 does. To install RSAT on Windows 7 or Windows 8, you must first download the RSAT installation package. See Remote Server Administration Tools for Windows 7 and Windows 8 at

Wednesday, March 26, 2014

Faster Active Directory Replication - Decrease Intersite Replication Interval to Seconds

Enable Fast Domain Controller Replication

Active Directory Intersite Replication Interval Enable Faster AD and DNS updates

Enable Faster Active Directory AD and DNS Replication Updates Between Sites 

Making changes to Active Directory can be nerve-racking for newer administrators, but this change, which speeds up Active Directory replication between sites, cannot be made from the standard GUI Microsoft Management Consoles. The best you can do in Active Directory Sites and Services is lower the site link replication interval to 15 minutes, its minimum. These large time values were built into Active Directory from its first version because inter-site connections of that era had much lower bandwidth, with frame relay or 56k circuits being the most common. Since then inter-site and Internet speeds have increased tremendously, so faster domain controller replication is possible even over WAN links.

Fast Intersite Replication Interval - Speed up DC Replication, Updates are in Seconds 

To enable faster intersite replication, close to the speed of intra-site (LAN) replication, use ADSI Edit.

Start ADSI Edit, connect to the Configuration naming context and browse to
   Configuration > Sites > Inter-Site Transports > IP.

Note that this setting cannot be enabled for SMTP inter-site links; change notification only works over the IP transport.
Right-click the site link (DEFAULTIPSITELINK unless it has been renamed) and choose Properties. Scroll down to the options attribute and double-click it. It is normally not set unless it has been modified before; set it to 1, the USE_NOTIFY bit, which makes the bridgehead servers replicate on change notification instead of waiting for the site link schedule. The attribute is a bit field, so if it already holds a value such as 2 (two-way sync) or 4 (compression disabled), add 1 to the existing value rather than overwriting it. Click OK twice to save and close the properties window.
Force a replication in Active Directory Sites and Services (Replicate Now on the connection objects) so the setting is pushed/pulled to the other domain controllers.

Faster AD DNS Replication Updates Between Sites and Domain Controllers. 

Test by creating a test account in AD. I use names like 123, 1234 or 111 so the test account sits at the top of the list in Active Directory Users and Computers. Check your other domain controller or controllers for the new account. You will see it appear in 15 seconds or less; I was getting an average of about a 2 second delay for the test account to appear. Delete the account from the other domain controller and watch it be removed in less than 15 seconds on the original domain controller you were working from.
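The ADSI Edit change and the replication test above can be done in one script with the ActiveDirectory module. This is an added example, not from the original post; the site link name, domain controller names and test account name are placeholders, and it assumes it runs as an account with write access to the Configuration partition on a 2008 R2 DC or a server with the RSAT AD PowerShell module installed.

```powershell
# Added example (not from the original post): set the USE_NOTIFY bit on an IP site link
# without overwriting other bits, force replication, then time how long a test account
# takes to appear on a domain controller in the other site.
# Assumptions: names below are placeholders; run with rights to write the Configuration NC.

Import-Module ActiveDirectory

$siteLinkName = 'DEFAULTIPSITELINK'   # placeholder: use your link's name if it was renamed
$sourceDc     = 'DC1.corp.example'    # placeholder: DC in the site you are working from
$remoteDc     = 'DC2.corp.example'    # placeholder: DC in the other site
$testUser     = 'repl-test-111'       # placeholder test account

$configNC = (Get-ADRootDSE -Server $sourceDc).configurationNamingContext
$linkDn   = "CN=$siteLinkName,CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# 'options' on a siteLink object is a bit field:
#   0x1 = USE_NOTIFY (replicate on change notification), 0x2 = TWOWAY_SYNC, 0x4 = DISABLE_COMPRESSION
# OR the bit in so that any existing bits are preserved. An unset attribute counts as 0.
$USE_NOTIFY = 1
$link    = Get-ADObject -Identity $linkDn -Properties options -Server $sourceDc
$current = if ($link.options -ne $null) { [int]$link.options } else { 0 }
$new     = $current -bor $USE_NOTIFY
if ($new -ne $current) {
    Set-ADObject -Identity $linkDn -Replace @{options = $new} -Server $sourceDc
    "$siteLinkName options: $current -> $new"
}
else {
    "$siteLinkName already has USE_NOTIFY set (options = $current)"
}

# Push the Configuration partition change to all DCs, across sites, so the KCC on each
# side picks it up (the command-line equivalent of Replicate Now in Sites and Services).
repadmin /syncall $sourceDc /AdeP | Out-Null

# Test: create the account on one DC and poll the remote DC until it appears (5 minute cap).
New-ADUser -Name $testUser -Server $sourceDc
$sw = [Diagnostics.Stopwatch]::StartNew()
do {
    Start-Sleep -Milliseconds 500
    $seen = Get-ADUser -Filter "Name -eq '$testUser'" -Server $remoteDc
} until ($seen -or $sw.Elapsed.TotalMinutes -ge 5)
$sw.Stop()

if ($seen) {
    "Account visible on $remoteDc after $([int]$sw.Elapsed.TotalSeconds) s"
    # Delete from the remote side; this exercises replication in the reverse direction.
    Remove-ADUser -Identity $seen -Server $remoteDc -Confirm:$false
}
else {
    Write-Warning "Not replicated within 5 minutes; check 'repadmin /showrepl $remoteDc'"
}
```

Two things worth knowing before flipping this bit on every link: notification-driven replication means every change is sent across the WAN as it happens, so on a busy domain with a narrow link the traffic pattern changes from bursts on a schedule to a steady trickle, and the schedule on the site link still applies as the fallback when notification does not happen.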

Thursday, January 23, 2014

Updating SSL Certificate on Netscaler VPX Resource Already Exists Error

Updating or Replacing an SSL Certificate on Netscaler VPX 10

Resource Already Exists error Citrix Netscaler

When replacing or updating an SSL certificate on a NetScaler VPX version 10 appliance, you get a Resource Already Exists error message. Even when you try to add the certificate as a new certificate, bypassing the Update option in the NetScaler, the message persists.

This can be caused by the re-issued certificate having the same serial number or thumbprint as the one already installed. This scenario is rare and most often occurs when there are two or more NetScalers in a load-balanced failover configuration.

Oddly enough, this error can also occur if there is a problem with the SSL certificate itself. The cert can be from any CA, and although it looks fine, closer inspection reveals that it was signed with a SHA-2 hash algorithm (for example sha256RSA). Have the certificate re-issued using SHA-1. NetScaler version 10 does not yet support SHA-2 signed certificates on virtual servers, and NetScaler 9 most likely does not support SHA-2 either.

Contact your CA and ask them to re-issue the certificate signed with SHA-1. Be aware that SHA-1 certificate signatures are being deprecated by browsers and public CAs, so treat this as a stopgap: later NetScaler firmware added SHA-2 support, and upgrading the appliance is the longer-term fix.
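Both causes can be checked offline before the certificate is uploaded. This is an added example, not from the original post and not a Citrix tool; it loads the currently installed certificate and the re-issued one from placeholder file paths (DER or Base64 .cer files, no private key needed) and compares serial number, thumbprint and signature algorithm.

```powershell
# Added example (not from the original post): compare the re-issued certificate with the
# one already on the NetScaler to tell a duplicate serial/thumbprint from a SHA-2 signature.
# Assumptions: the two file paths are placeholders; files are DER or Base64 (PEM) certificates.

function Get-CertSummary {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    New-Object PSObject -Property @{
        File         = Split-Path $Path -Leaf
        Subject      = $cert.Subject
        Serial       = $cert.SerialNumber
        Thumbprint   = $cert.Thumbprint
        SigAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA
        NotAfter     = $cert.NotAfter
    }
}

$oldCert = Get-CertSummary 'C:\certs\old-wildcard.cer'   # placeholder: cert currently on the appliance
$newCert = Get-CertSummary 'C:\certs\new-wildcard.cer'   # placeholder: re-issued cert from the CA

$oldCert, $newCert | Format-List File, Subject, Serial, Thumbprint, SigAlgorithm, NotAfter

# Cause 1: the "new" file is the certificate the appliance already holds.
if ($newCert.Thumbprint -eq $oldCert.Thumbprint) {
    Write-Warning 'Same thumbprint as the installed certificate: this is the exact cert already loaded.'
}
elseif ($newCert.Serial -eq $oldCert.Serial) {
    Write-Warning 'Same serial number as the installed certificate: ask the CA for a fresh issuance.'
}

# Cause 2: a SHA-2 signature on a NetScaler build that only accepts SHA-1 signed certificates.
if ($newCert.SigAlgorithm -match '^sha(224|256|384|512)') {
    Write-Warning ("Signed with {0}. Upgrade to a NetScaler build with SHA-2 support, " +
                   "or as a stopgap have the CA re-issue with SHA-1.") -f $newCert.SigAlgorithm
}
else {
    "Signature algorithm $($newCert.SigAlgorithm) is accepted by NetScaler 10 virtual servers."
}
```

When the certificate itself checks out, replace the existing certificate-key pair in place from the NetScaler CLI with `update ssl certKey <name> -cert <certfile> -key <keyfile>` rather than adding a second pair under the old name, which is what produces the Resource Already Exists error on `add ssl certKey`.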