Automatically generate description field for computers in Active Directory

Having worked in help desk roles in the past I know the importance of knowing which user has logged onto which computer. It's simple stuff really, but unless you have 3rd party systems like System Center (SCCM) or client agents, it's either hard or time consuming to find out the relation between users and computers. What we needed was an easy way to find out what the last logged on user was for every machine. In our particular environment we had this need even more so as we adopted automatic operating system deployments that use generated computer names containing serial numbers. Originally we were hoping to use SCCM, but for this simple task I tackled it with a logon script and a small amount of configuration in Active Directory. Our support staff can now go to Active Directory and see useful information populated in the description field for all computers.

The requirements

Below is the list of requirements we had for our environment:

- User's full name: helps the technician when they call the user.
- User name: helps find the user in Active Directory.
- Make and model: useful to determine what form factor they have (laptop, desktop, tablet).
- Serial number: helps to verify quickly with our asset inventory system; not required but useful nonetheless.
- Date: note I do not use this, but have added it to the script for those who may want it.

There is a lot more information that we could have included easily, both from WMI and Active Directory, but we did not have a need for it. I'm happy to modify the script if someone can think of something useful to add.

Active Directory changes (USN)

Active Directory uses Update Sequence Numbers (USNs) as its primary mechanism to control replication between domain controllers. Each time a change is made on an object (like a computer) the uSNChanged attribute on that object increases. Changing the description of a computer object increases the uSNChanged value, which allows it to replicate to other domain controllers.

"Active Directory replication does not primarily depend on time to determine what changes need to be propagated. Instead it uses update sequence numbers (USNs) that are assigned by a counter that is local to each domain controller. Because these USN counters are local, it is easy to ensure that they are reliable and never run backward (that is, they cannot decrease in value)."
Reference: "How the Active Directory replication model works" (Microsoft TechNet).

I could not find the correct documentation or supporting evidence for the below, but I believe it is correct (please let me know if I am wrong): there is a limit to the number of USNs that an Active Directory object can have, and this script can cause the USN limit to be reached in a large environment. To counter this problem the script does not change the description if the value is the same, therefore the majority of object descriptions will stay the same and not affect the USN count in a dramatic way. If you were to include a time/date stamp in the description field, for example, every time a user logs in it will increment the USN count, possibly reaching the limit within a couple of years.

So to sum the above up without scaring you too much: if you have a small environment and few AD changes you could put in the date and you probably won't have any problems for the next 2. I have a smaller environment but still chose not to include the date because I did not find it useful. I would rely on SCCM for that.

The Active Directory configuration required

You need to allow Authenticated Users to read and write ONLY the Description attribute of the Computer objects. To do this, follow the steps below:

1. Open Active Directory Users and Computers.
2. Ensure you have Advanced Features enabled. To do this click on View and make sure there is a tick next to Advanced Features.
3. Right click on the domain in the left hand pane, and select Properties.
4. Click on the Security tab, and then on Advanced.
5. Click on Add, and enter Authenticated Users in the text box. Click Check Names, then OK.
6. Select Descendant Computer objects from the Apply to drop down box and then click on the Properties tab.
7. Tick Allow next to Read Description and Write Description. Note: we need the Read Description permission to allow the script to compare the existing value with the newly generated one.
8. Click OK.

Once you have followed the steps above, any authenticated user can update the description field, either with the script below or using another method. From a security perspective I think this is acceptable for almost all environments.

The script

The VBScript below is what actually sets the computer description. This script needs to be run on the client machines for it to work. There are several ways you can achieve this; ones that come to mind are:

- Group Policy logon script
- Group Policy logoff script
- VPN post-connection script
- Scheduled task on the client PC, or psexec

By far the easiest is using Group Policy. This won't be documented here, but basically you create a new Group Policy object, and under the User context you configure the logon script. Note: you do not configure it in the Computer context, as it will not know who the user is.

Script header: Author: Ivan Dretvic. Date created: 0. 81. Documentation: http ivan. (link truncated in source). This script is designed to assist system administrators by populating the description field of Active Directory computer objects. The script can run as a logon script (see above). You need to set
appropriate permissions on Active Directory for Authenticated Users; refer to the documentation.

```vbscript
On Error Resume Next

' Bind to the current computer and user objects in Active Directory
Set objSysInfo = CreateObject("ADSystemInfo")
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)

' If a tilde exists at the start of the description the script terminates.
' This allows custom descriptions to be kept on selected computers.
If Left(objComputer.Description, 1) = "~" Then
    WScript.Quit
End If

' Sets variables for computer name, manufacturer, model and serial number via WMI
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colComputerSystem = objWMIService.ExecQuery("Select * from Win32_ComputerSystem")
Set colBIOS = objWMIService.ExecQuery("Select * from Win32_BIOS")
For Each objComputerSystem In colComputerSystem
    GetComputerManufacturer = objComputerSystem.Manufacturer
    GetComputerModel = objComputerSystem.Model
Next
For Each objBIOS In colBIOS
    GetSerialNumber = objBIOS.SerialNumber
Next

' String cleaning: manufacturer keeps only its first word (guarded so a
' single-word manufacturer is left intact), and spaces are removed from the serial number
txtCount = InStr(GetComputerManufacturer, " ")
If txtCount > 0 Then
    GetComputerManufacturer = Left(GetComputerManufacturer, txtCount - 1)
End If
GetSerialNumber = Replace(GetSerialNumber, " ", "")

' Below are two variants for building the final string; choose which you prefer.
' I read but could not validate that excessive changes cause AD change limits to be reached.
' The first one is without a date and the second is with a date.
' The string is also trimmed to the AD schema maximum for description (1024 characters,
' the schema's upper range; the figure in the source text is garbled) just in case.

' DESCRIPTION WITHOUT DATE
' Example: John Doe (jdoe) Dell Optiplex 9.DRP4. 21. S.
strCompDesc = objUser.CN & " (" & objUser.SAMAccountName & ") " & GetComputerManufacturer & " " & GetComputerModel & " " & GetSerialNumber
strCompDesc = Left(strCompDesc, 1024)

' Compares the AD string with the generated string and skips the write if they are equal.
' This saves AD change (USN) count.
If strCompDesc <> objComputer.Description Then
    objComputer.Description = strCompDesc
    objComputer.SetInfo
End If

' DESCRIPTION WITH DATE (uncomment to use instead of the variant above)
' Example: <date> John Doe (jdoe) Dell Optiplex 9.DRP4. 21. S.
' The "-" separator between year, month and day is an editorial choice; the source does not show one.
'strDate = Year(Date) & "-" & Month(Date) & "-" & Day(Date)
'strCompDesc = strDate & " " & objUser.CN & " (" & objUser.SAMAccountName & ") " & GetComputerManufacturer & " " & GetComputerModel & " " & GetSerialNumber
'strCompDesc = Left(strCompDesc, 1024)
'objComputer.Description = strCompDesc
'objComputer.SetInfo
```

For those not familiar with VBScript, you need to copy the above script to a text editor and save the file with a .vbs extension. If you need to execute the script from a command prompt, run the following: wscript <scriptname>.vbs

Attached is the original vbs script file for reference. Be sure to rename the extension of the file. Comments and feedback welcome.

Restoring failed Active Directory Domain Controllers

Just when you think everything is going well, disaster happens, and one or more of your domain controllers goes offline. This can happen due to a hard disk crash, a bad network card, file system corruption or corruption of the Active Directory database. Even if you have good backups somewhere on the shelf, that's only 5. Backing up virtual disks of VMs or using disk image software like Norton Ghost is specifically not supported for domain controller backups. Even if you might be tempted, recovering your failed domain controllers using one of these methods can have catastrophic results on the consistency of the directory as a whole, like SID rollback, lingering objects and USN rollback. Also, it is not supported by Microsoft.

There are two options to choose from when restoring your domain controllers: restore from replication or restore from backup.

Restore from replication

You can use this method only if you have multiple domain controllers in your environment, so the restored domain controller can replicate from the existing ones. The recovery is done by promoting a newly installed machine and allowing replication to copy all of the data to the DC. Bear in mind, even though this is an easy-going process, in large environments with thousands of users it will create a lot of replication traffic, and this is something to take into consideration if the traffic is
across a WAN link. As a last thing, before you promote the freshly installed server, the remnants of the old domain controller must be removed from Active Directory. To do that, open Active Directory Users and Computers, locate your failed domain controller and delete the computer object from the Domain Controllers container. The metadata cleanup steps will be performed automatically if your domain controllers are running Windows Server 2. Under Windows Server 2. the process is different and I'm not going to discuss it here.

You will get a big warning message after hitting the Yes button (a little different in 2.): "You are attempting to delete a Domain Controller without running the removal wizard. To properly remove the Domain Controller from the domain, you should run the Remove Roles and Features Wizard in Server Manager, or the Active Directory Domain Services Installation Wizard (DCPromo) for Windows Server 2." If you are sure this domain controller is permanently offline and you will never restore it from a backup, check the box "Delete this Domain Controller anyway. It is permanently offline and can no longer be removed using the removal wizard", then click Delete. If the domain controller was also a Global Catalog (GC), you will get another warning message. Click Yes on that message to delete the object from AD.

The last clean-up step is to remove the computer account from Active Directory Sites and Services. Locate the domain controller in the console, right click it and choose Delete, then Yes to confirm. If you get the error message below, it is because the domain controller still has some objects representing it. Usually this happens if you open the Active Directory Sites and Services console to delete the domain controller just a couple of minutes after you removed the object from AD. So you either wait for replication to kick in and delete the representing objects automatically, or you delete them manually, then try to remove the server. It's easy.
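Before deleting anything by hand, it helps to see exactly which objects still represent the failed domain controller, because those leftovers are what produce the Sites and Services deletion error above and, if they survive, the new server inherits stale replication partners. The PowerShell function below is an added example and not part of the original post: it looks for the computer account, the server object, its NTDS Settings child and any connection objects still pointing at the old DC. It assumes the ActiveDirectory RSAT module on a machine that can reach a surviving DC; the function name and the sample DC name DC02 are mine.

```powershell
# Added example (not from the original post): list objects that may still represent a failed DC.
# Assumes the ActiveDirectory module; the function name and the sample name 'DC02' are constructed.
Import-Module ActiveDirectory

function Get-StaleDomainControllerObjects {
    param([Parameter(Mandatory)][string]$DcName)

    $rootDse  = Get-ADRootDSE
    $configNC = $rootDse.configurationNamingContext
    $domainNC = $rootDse.defaultNamingContext
    $findings = @()

    # 1. The computer account in the Domain Controllers container
    $computer = Get-ADComputer -LDAPFilter "(sAMAccountName=$DcName`$)" `
        -SearchBase "OU=Domain Controllers,$domainNC" -ErrorAction SilentlyContinue
    if ($computer) {
        $findings += [pscustomobject]@{ Kind = 'Computer account'; DN = $computer.DistinguishedName }
    }

    # 2. The server object under Sites and Services and its NTDS Settings child
    #    (the NTDS Settings object is the DC's replication identity)
    $servers = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$DcName))" -SearchBase "CN=Sites,$configNC"
    foreach ($srv in $servers) {
        $findings += [pscustomobject]@{ Kind = 'Server object'; DN = $srv.DistinguishedName }
        $ntds = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $srv.DistinguishedName -SearchScope OneLevel
        foreach ($n in $ntds) {
            $findings += [pscustomobject]@{ Kind = 'NTDS Settings'; DN = $n.DistinguishedName }
        }
    }

    # 3. Replication connection objects on other DCs whose source is still the failed server
    $pattern = 'CN=' + [regex]::Escape($DcName) + ','
    $links = Get-ADObject -LDAPFilter '(objectClass=nTDSConnection)' -SearchBase "CN=Sites,$configNC" -Properties fromServer |
             Where-Object { $_.fromServer -match $pattern }
    foreach ($l in $links) {
        $findings += [pscustomobject]@{ Kind = 'Connection from failed DC'; DN = $l.DistinguishedName }
    }

    return $findings
}

# 'DC02' is a constructed sample name; replace it with the failed DC's name.
# An empty result means the clean-up has replicated and the console deletion should succeed.
Get-StaleDomainControllerObjects -DcName 'DC02' | Format-Table -AutoSize
```

Run it against a surviving DC after the deletion in Users and Computers; rerun it after replication latency has passed and only delete manually what is still listed.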
Just right click the object, choose Delete then confirm the action. After the clean-up process wait a few hours (or even a day in large environments) for replication to do its magic in the forest, then go ahead and rebuild the domain controller. As a first step reinstall the operating system and any other applications you support on your domain controllers, then promote the server as an additional domain controller in your domain, and then configure the necessary roles the failed domain controller had, like GC, DNS and FSMO roles. And that's it, your domain controller should be back online just like it was before. Now let's look at the second restore option.

Restore from backup

Restoring a failed domain controller using this method has two approaches, known as nonauthoritative restore and authoritative restore. Nonauthoritative restore does not require you to remove any objects from Active Directory. You simply restore the failed domain controller from backup and let it replicate to make it current; its AD database gets overwritten with any changes that occurred after the backup was taken. For branch offices this might generate some traffic, but it all depends on how many changes were made in the forest/domain since your last backup.

To restore a failed domain controller using this method, first reinstall the operating system and any other applications you support on your domain controllers, then go ahead and restore from backup. Warning: do not in any way delete the computer object from Active Directory or Active Directory Sites and Services, because the domain controller will not function correctly after restore. Leave the server as a standalone computer (WORKGROUP) and restore from backup this way; you can't even join it to the domain anyway using the old name. Depending on what backup product you are using, restore the system state onto the machine. For those that have System Center Data Protection Manager, go to the Recovery section, select the domain controller and the recovery
time, then choose Recover. Choose to copy the backup to a network folder and click Next. Select a destination share where you want to put the backup and continue the wizard using the default settings. Click Recover to begin the recovery process. Depending on how big your system state is, it can take some time. DPM does not restore the domain controller, it only exports the backup; now we need to use that backup to restore the system state of the domain controller.

Go to the target server and reboot into the so-called Directory Service Repair Mode using the System Configuration utility. Open Run and type msconfig. Go to the Boot tab, check the Safe boot check box and select Active Directory repair. Choose Restart when prompted. The server should now be in Directory Service Repair Mode.

Open the command prompt and use the syntax below to get the backup version identifier. This is needed in order to know which version of the backup to use in the restore process if there is more than one:

```cmd
wbadmin get versions -backuptarget:\\Server\Share
```

Replace \\Server\Share with the path where your system state backup for the domain controller resides. Since we are interested in recovering the system state, use the following command:

```cmd
wbadmin start systemstaterecovery -version:<version identifier> -backuptarget:\\Server\ShareName
```

If you are doing this over the network make sure you do it when there is less activity or after work hours. Another option is to copy the backup folder locally onto the server and run the restore from there. The restore process might take a while, depending on the size of your Active Directory database. At the end you get a message that you need to reboot the server in order for the restore process to finish. Before doing this, don't forget to set the normal boot back: open the System Configuration utility again and uncheck the Safe boot check box. Now you can go ahead and press Y to reboot. If you need to review any logs about the restore process you can find them in the path specified in the window (C:\Windows\Logs).

The first time you log in you get a message that system state recovery has successfully completed. Press Enter to close the message window. In a few minutes the replication process will start and the domain controller's AD database will get updated with the latest changes. If the failed server had any FSMO roles or was a GC, you can configure the new server to have these roles.

So far I've talked about restoring a domain controller and performing a nonauthoritative restore. This was easy stuff, with little impact on the infrastructure, since all we wanted was to get the domain controller back up and running; but there are situations where you may need to restore data in Active Directory. This is done using an authoritative restore, and you use it in situations like:

- Corruption of objects or the entire directory
- Accidental deletion of an entire subtree
- Accidental deletion of important objects
- Reversing certain object additions or modifications
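Returning to the first article on this page: its delegation steps give Authenticated Users Read and Write on the description attribute of descendant computer objects, and the author judges that acceptable. What a practitioner wants afterwards is a way to confirm that the grant really is that narrow, because one wrong selection in the Advanced Security dialog (wrong "Apply to" scope, or a blanket "Write all properties") hands every domain account write access far beyond a description field. The PowerShell function below is an added example, not code from either post on this page or from the script's author: it reads the domain root ACL, confirms ReadProperty and WriteProperty on description scoped to computer objects, and lists any other Allow entry for Authenticated Users that carries write rights. It assumes the ActiveDirectory RSAT module and an account that can read the domain's security descriptor; the function name is mine.

```powershell
# Added example (not from the page): audit the description-attribute delegation to Authenticated Users.
# Assumes the ActiveDirectory module; the function name is constructed.
Import-Module ActiveDirectory

function Test-ComputerDescriptionDelegation {
    [CmdletBinding()]
    param(
        # Object whose ACL was edited in the article; defaults to the domain root
        [string]$TargetDN = (Get-ADDomain).DistinguishedName
    )

    # Resolve the schema GUIDs at run time rather than hard-coding them
    $schemaNC     = (Get-ADRootDSE).schemaNamingContext
    $computerGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)'    -Properties schemaIDGUID).schemaIDGUID
    $descGuid     = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=description)' -Properties schemaIDGUID).schemaIDGUID
    $authUsersSid = 'S-1-5-11'   # well-known SID of Authenticated Users

    $acl  = Get-Acl -Path "AD:\$TargetDN"
    $aces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $authUsersSid
    }

    $read  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $anyWrite = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, GenericWrite, GenericAll, WriteDacl, WriteOwner'

    # Entries shaped the way the article's steps produce them:
    # inherited by computer objects, limited to the description attribute
    $scoped = $aces | Where-Object { $_.InheritedObjectType -eq $computerGuid -and $_.ObjectType -eq $descGuid }
    $granted = [System.DirectoryServices.ActiveDirectoryRights]0
    foreach ($ace in $scoped) { $granted = $granted -bor $ace.ActiveDirectoryRights }

    # Any Allow entry for Authenticated Users with write rights that is not limited to
    # the description attribute is broader than the article intends
    $tooBroad = $aces | Where-Object {
        [int]($_.ActiveDirectoryRights -band $anyWrite) -ne 0 -and $_.ObjectType -ne $descGuid
    }

    [pscustomobject]@{
        Target             = $TargetDN
        ReadDescription    = ([int]($granted -band $read)  -ne 0)
        WriteDescription   = ([int]($granted -band $write) -ne 0)
        BroaderWriteGrants = @($tooBroad | ForEach-Object {
            '{0} on {1} (inherit: {2}, object: {3})' -f $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritanceType, $_.InheritedObjectType
        })
    }
}

Test-ComputerDescriptionDelegation | Format-List
```

Expected after following the article's steps: ReadDescription and WriteDescription both True and BroaderWriteGrants empty. Anything listed under BroaderWriteGrants deserves a look, since the script only needs the two description rights.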
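Also for the first article: the VBScript's two safety ideas, the leading tilde that protects a hand-maintained description and the compare-before-write that avoids a USN bump on every logon, carry over directly to PowerShell, which is where most logon scripts now live. The function below is an added example and not the author's script: it implements the same description format (full name, user name, manufacturer, model, serial number) with the same cleaning rules, using ADSI and CIM so that no RSAT module is needed on workstations. It assumes it runs in the user's context on a domain-joined client, for example as a Group Policy user logon script, on PowerShell 3.0 or later, with the description delegation from the article in place; the function name, the -IncludeDate switch and the yyyy-MM-dd date format are mine.

```powershell
# Added example (not the original VBScript): the same logon-script logic in PowerShell.
# Assumes the user's context on a domain-joined client and the delegation from the article.
function Set-ComputerDescriptionFromLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$IncludeDate,      # prepend the date; costs a USN change on every logon
        [int]$MaxLength = 1024     # AD schema upper range of the description attribute
    )

    # Find this computer and the logged-on user in the joined domain's default naming context
    $computer = ([adsisearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))").FindOne()
    $user     = ([adsisearcher]"(&(objectClass=user)(sAMAccountName=$env:USERNAME))").FindOne()
    if (-not $computer -or -not $user) { throw 'Could not find the computer or user object in AD.' }

    $computerEntry = $computer.GetDirectoryEntry()
    $current = [string]$computerEntry.Properties['description'].Value

    # A leading tilde marks a custom description that must not be overwritten (same rule as the VBScript)
    if ($current.StartsWith('~')) { return 'skipped: custom description' }

    # Hardware facts from CIM (the VBScript read the same WMI classes)
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $manufacturer = ([string]$cs.Manufacturer -split ' ')[0]   # first word only
    $serial       = [string]$bios.SerialNumber -replace ' ', ''   # strip spaces

    $cn  = [string]$user.Properties['cn'][0]
    $sam = [string]$user.Properties['samaccountname'][0]
    $desc = '{0} ({1}) {2} {3} {4}' -f $cn, $sam, $manufacturer, $cs.Model, $serial
    if ($IncludeDate) { $desc = (Get-Date -Format 'yyyy-MM-dd') + ' ' + $desc }
    if ($desc.Length -gt $MaxLength) { $desc = $desc.Substring(0, $MaxLength) }

    # Compare before writing: no CommitChanges on an unchanged value means no USN change to replicate
    if ($desc -eq $current) { return "unchanged: $desc" }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "set description to '$desc'")) {
        $computerEntry.Properties['description'].Value = $desc
        $computerEntry.CommitChanges()
    }
    return "updated: $desc"
}

Set-ComputerDescriptionFromLogon
```

Because SupportsShouldProcess is declared, running it with -WhatIf shows the description it would write without touching the directory, which is a convenient way to test the format before assigning the script through Group Policy.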