BPuhl’s Blog

A little bit of everything without actually being much of anything

Archive for July, 2006

Useful repadmin switch

Posted by BPuhl on July 22, 2006

Repadmin is the “swiss army knife” of AD tools, but the following is one of those “big red buttons” that you keep in your back pocket and hopefully never need.  Sometimes, though, it’s useful to stop changes from spreading across the forest until you figure out what’s going on…

repadmin /options * +disable_outbound_repl

repadmin.exe – the tool
/options – Did you even know this was there?  If not, try repadmin.exe /experthelp
* – means run against all DC’s
+disable_outbound_repl – Sets the DISABLE_OUTBOUND_REPL flag in the options attribute of each DC’s NTDS Settings object, so no DC sends changes to its partners (inbound replication is untouched; there is a matching DISABLE_INBOUND_REPL if you need that too).  The flag survives reboots and stays set until you clear it with -disable_outbound_repl, and running repadmin /options <DC> with no flag shows what is currently set on that DC.

Please don’t go running commands willy-nilly in your production environment – play with repadmin.exe (or any other tool) in a lab or against some virtual DC’s so you can learn what it’s doing and how to use it…then sit back and let the tools do all the work for you.
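Since the whole point of this switch is that you will be using it under stress, here is an added example (mine, not the original post’s) that wraps the brake as a press / verify / release procedure in PowerShell. It assumes repadmin.exe is on the PATH (a DC, or a workstation with the AD RSAT tools), that the caller can modify each DC’s NTDS Settings object, and that the ActiveDirectory RSAT module is available for the Get-ADDomainController call in the usage notes; the parser’s sample output line and its treatment of “(none)” are assumptions about repadmin’s wording.

```powershell
# Added example (not from the original post): wrap the "big red button" so that
# setting the flag, confirming it took on every DC, and clearing it again are
# one deliberate procedure instead of three commands typed from memory.
# Assumes repadmin.exe is on the PATH (a DC, or a workstation with the AD RSAT
# tools) and that the caller has rights to modify each DC's NTDS Settings object.
# The Get-ADDomainController call in the usage notes assumes the ActiveDirectory
# RSAT module; substitute your own DC list if you do not have it.

function ConvertFrom-RepadminOptions {
    # Turn the text printed by "repadmin /options <DC>" into an array of option
    # names. The line we care about looks like (constructed sample):
    #   Current DSA Options: IS_GC DISABLE_OUTBOUND_REPL
    # "(none)" is treated as "no options set" (assumption about repadmin's wording).
    param([Parameter(Mandatory)][string[]]$OutputLines)

    $line = $OutputLines | Where-Object { $_ -match '^\s*Current DSA Options:' } | Select-Object -First 1
    if (-not $line -or -not ($line -match '^\s*Current DSA Options:\s*(.*)$')) { return @() }
    return @($Matches[1].Trim() -split '\s+' | Where-Object { $_ -and $_ -ne '(none)' })
}

function Get-DcReplOptions {
    # Ask one DC which DSA options it currently has set.
    param([Parameter(Mandatory)][string]$DomainController)
    $out = & repadmin.exe /options $DomainController 2>&1 | ForEach-Object { "$_" }
    return ConvertFrom-RepadminOptions -OutputLines @($out)
}

function Set-OutboundReplication {
    # -Enabled:$false presses the brake (+DISABLE_OUTBOUND_REPL on the target);
    # -Enabled:$true releases it (-DISABLE_OUTBOUND_REPL). Target '*' = every DC.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Target = '*',
        [Parameter(Mandatory)][bool]$Enabled
    )
    $flag = if ($Enabled) { '-DISABLE_OUTBOUND_REPL' } else { '+DISABLE_OUTBOUND_REPL' }
    if ($PSCmdlet.ShouldProcess($Target, "repadmin /options $Target $flag")) {
        & repadmin.exe /options $Target $flag
    }
}

function Test-OutboundReplicationDisabled {
    # Return the DCs on which the brake is NOT set; an empty result means every DC
    # you asked about has DISABLE_OUTBOUND_REPL, i.e. the button really was pressed.
    param([Parameter(Mandatory)][string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        if ((Get-DcReplOptions -DomainController $dc) -notcontains 'DISABLE_OUTBOUND_REPL') { $dc }
    }
}

# Offline check of the parser against a constructed repadmin output line, so the
# script can be exercised without touching a DC.
$sample = @('Current DSA Options: IS_GC DISABLE_OUTBOUND_REPL')
if ((ConvertFrom-RepadminOptions $sample) -notcontains 'DISABLE_OUTBOUND_REPL') {
    throw 'parser did not recognise the DISABLE_OUTBOUND_REPL flag'
}

# Intended sequence (lab first):
#   Set-OutboundReplication -Enabled:$false -WhatIf     # show the exact repadmin command
#   Set-OutboundReplication -Enabled:$false             # press the brake forest-wide
#   $dcs = (Get-ADDomainController -Filter *).HostName
#   Test-OutboundReplicationDisabled -DomainControllers $dcs   # should print nothing
#   ...find out what is going on...
#   Set-OutboundReplication -Enabled:$true              # release it, then re-run the test
```

The verify step matters more than it looks: repadmin with * walks every DC it can reach, so a DC that was down or unreachable at the time simply does not get the flag and will keep sending changes. Test-OutboundReplicationDisabled tells you exactly which DCs those were, and re-running the same test after the release confirms you did not leave the brake on somewhere.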


Posted in Active Directory, Random Technical Stuff | Leave a Comment »

AD Training

Posted by BPuhl on July 22, 2006

hmmm….ok, so here’s an interesting problem:  I’m  a Microsoft employee.  My blog is hosted on Technet.com.  And I’m pretty sure that there is a policy somewhere, which I’m unaware of, that addresses blog posts about 3rd party companies…  But I’ve never really been one for following too many rules anyways, so here you go:

I wrote a post back in May about changes to our organizational structure for supporting AD internally at Microsoft.  While I still think the re-org was a great thing to happen within IT, and we’re making big progress on many things that had been stalled in the past (ADFS, smartcards, selective auth forest, etc…) – one thing that I noticed were all of the new faces who were going to be managing the DC’s.  Now, most people in the org have AD experience, but let’s face it, there’s a big difference between reviewing schema extensions and doing delegations; versus troubleshooting replication or a server on which lsass.exe is taking 90% of the CPU.  Both can be difficult, but they are separate skills.  So, to make a long story short, (too late), I fired off an e-mail to Dean at MSETechnology to see if he could help us out with some training.  Many people who have been around AD for a while know Dean (or at least “of” him), whether it’s the random references in Joe’s blog, his answers on ActiveDir.org, or from NetPro’s Directory Experts Conference.

Anyways, after a bit of back-and-forth figuring out the logistical details, Dean came on-site here in Redmond and has spent the last week giving what can only be described as the most entertaining, in-depth training on AD that I’ve ever seen.  Topics ranging from replication and topology, to sid history/filtering, to the most…ummm….”descriptive”…segment on the FILE replication service which I’ve ever sat through, I would have to say that if you’re looking for some 300-400 level AD information (as opposed to someone standing up reading a book to you), then this was the class you want to be in. 

There’s no comparison to the quality of the content, but two things stood out most…and note, that I didn’t even sit through the entire week, but was coming and going at random:

  1. While there was definitely structure and order to the content, there was never hesitation to go off on wild tangents which would ultimately enhance the topic being discussed.  Most impressive are the impromptu labs, which went something like:  “That’s a great question…why don’t we log into the VPC and try running xyz command and see what happens…ok, well since that didn’t work, let’s figure out why and then see what we should do.”  Having taught classes before, I can say that it takes an ENORMOUS amount of confidence in your knowledge to make up labs on the fly.
  2. Professionalism – Yes, a couple of you just looked and said “what?  that’s not the Dean I know!”  Well, actually it is and you know it, but it’s fun to play.  Most mornings and some afternoons we sat down to go over the class progress and to make sure we were hitting the right topics.  There wasn’t ever any hesitation to change things “on the fly” (again, very difficult for ‘structured’ instructors) and the open dialog was exactly what we needed to make sure that everyone was getting the most out of the class.  He truly cared about making sure we got the most of the time spent.

So if you’re looking to bring in some custom (in-depth, not MOC based) training, and wondering what other people have done, then MSE Technology is worth a look.

Posted in Active Directory | Leave a Comment »

AD and DC Builds, tweaks, configurations… The Registry

Posted by BPuhl on July 6, 2006

The first installment, what our hardware looks like, may have been useful…but I know that’s not really the juicy gossip that everyone is looking for…so here’s a quick follow-up with the registry tweaks that we set internally…

Strict Replication Consistency is enabled on all of our Windows Server 2003 DCs.  (For Windows 2000 the equivalent is the “Correct Missing Objects” value, with the meaning reversed: setting it to 1 there means loose.)  With strict consistency, a DC that receives an update for an object it no longer has refuses the update and stops inbound replication from that partner, logging Event ID 1988, instead of re-creating the lingering object.  Note that only DCs in a forest built fresh on Windows Server 2003 default to strict; upgraded DCs keep the loose behaviour unless you set this explicitly.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "Strict Replication Consistency" /t REG_DWORD /d 1 /f

The Exchange team requires this on our global catalogs for RPC over HTTP (Outlook Anywhere): it makes the NSPI (address book) interface listen on the fixed RPC-over-HTTP port 6004 so the RPC proxy can reach it.  The GC has to be restarted for it to take effect.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "NSPI interface protocol sequences" /t REG_MULTI_SZ /d "ncacn_http:6004" /f

Setting the Garbage Collection diagnostics level to 1 causes an event to be logged after each online defrag (Event ID 1646 on Windows Server 2003 SP1 and later).  The event includes file statistics about the DIT, in particular how much whitespace is in it.  We run a separate task to harvest these events for database file maintenance.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics" /v "6 Garbage Collection" /t REG_DWORD /d 1 /f

Setting Field Engineering to 5 causes an event to be logged (Event ID 1644) for each “expensive” and “inefficient” LDAP query, including the client, the search root and the filter.  The thresholds come from the “Expensive Search Results Threshold” (default: more than 10,000 entries visited) and “Inefficient Search Results Threshold” (default: more than 1,000 entries visited with fewer than 10% of them returned) values under NTDS\Parameters.  Extremely useful during troubleshooting of isolated load issues, and noisy enough that you want to set it back to 0 when you are done.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics" /v "15 Field Engineering" /t REG_DWORD /d 5 /f

The following values enable the database (ESE) perfmon counters.  Note that these only register the performance DLL; the counter names still have to be loaded with “lodctr esentprf.ini” (from %systemroot%\system32).  “Squeaky Lobster” is the switch that exposes the advanced ESE counters, such as the database cache hit ratio, which are otherwise hidden.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\ESENT\Performance" /v "Open" /t REG_SZ /d "OpenPerformanceData" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\ESENT\Performance" /v "Collect" /t REG_SZ /d "CollectPerformanceData" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\ESENT\Performance" /v "Close" /t REG_SZ /d "ClosePerformanceData" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\ESENT\Performance" /v "Library" /t REG_SZ /d "%systemroot%\system32\esentprf.dll" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\ESENT\Performance" /v "Squeaky Lobster" /t REG_DWORD /d 1 /f

Just what it sounds like: DFS referrals to targets outside the client’s own site are ordered by site-link cost, so a client falls back to the next-cheapest site rather than a random one.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dfs\Parameters" /v "SiteCostedReferrals" /t REG_DWORD /d 1 /f

Last but not least, on some of the servers we set LdapSrvPriority and LdapSrvWeight (also under NTDS\Parameters).  These control the priority and weight of the SRV records the DC registers in DNS, which is how we do load balancing and isolation, so they are deliberately not consistent across all of our servers.  A lower priority number is preferred, and clients only fall back to a higher-numbered DC when none of the lower ones answer; among DCs at the same priority, a larger weight attracts a proportionally larger share of clients.  So older/slower hardware gets a lower weight, and special-case servers that we want to shield from general traffic get a higher priority number.  Check here for more info on these keys:  http://support.microsoft.com/?id=306602
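Because a list of reg add lines tends to drift the moment a DC gets rebuilt, here is an added example (mine, not part of the original post) that encodes the tweaks above as a baseline table, audits a DC against it and applies only the values that differ. It assumes it runs on the DC (or in a remoting session to it) as an administrator; LdapSrvPriority and LdapSrvWeight are left out on purpose, since the post sets those per server. The esentprf.ini path in the usage note is an assumption, as the post gives only the file name.

```powershell
# Added example (not from the original post): the post's registry tweaks as a
# baseline, plus audit and apply functions. Run on the DC as an administrator.
# LdapSrvPriority/LdapSrvWeight are deliberately absent: those are per-server.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$EsentPerf  = 'HKLM:\SYSTEM\CurrentControlSet\Services\ESENT\Performance'
$DfsParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dfs\Parameters'

# One row per value from the post; Type is the PowerShell registry type name
# (DWord = REG_DWORD, String = REG_SZ, MultiString = REG_MULTI_SZ).
$DcBaseline = @(
    @{ Path=$NtdsParams; Name='Strict Replication Consistency';    Type='DWord';       Value=1 }
    @{ Path=$NtdsParams; Name='NSPI interface protocol sequences'; Type='MultiString'; Value=@('ncacn_http:6004') }
    @{ Path=$NtdsDiag;   Name='6 Garbage Collection';              Type='DWord';       Value=1 }
    @{ Path=$NtdsDiag;   Name='15 Field Engineering';              Type='DWord';       Value=5 }
    @{ Path=$EsentPerf;  Name='Open';            Type='String'; Value='OpenPerformanceData' }
    @{ Path=$EsentPerf;  Name='Collect';         Type='String'; Value='CollectPerformanceData' }
    @{ Path=$EsentPerf;  Name='Close';           Type='String'; Value='ClosePerformanceData' }
    @{ Path=$EsentPerf;  Name='Library';         Type='String'; Value='%systemroot%\system32\esentprf.dll' }
    @{ Path=$EsentPerf;  Name='Squeaky Lobster'; Type='DWord';  Value=1 }
    @{ Path=$DfsParams;  Name='SiteCostedReferrals'; Type='DWord'; Value=1 }
)

function Test-DcRegistryBaseline {
    # Return one object per baseline row that is missing or differs; no output = compliant.
    param([Parameter(Mandatory)][object[]]$Baseline)
    foreach ($row in $Baseline) {
        $current = $null
        if (Test-Path $row.Path) {
            $current = (Get-ItemProperty -Path $row.Path -Name $row.Name -ErrorAction SilentlyContinue).($row.Name)
        }
        # MULTI_SZ is compared element-wise; everything else as a plain value.
        $same = if ($null -eq $current) { $false }
                elseif ($row.Type -eq 'MultiString') { -not (Compare-Object @($row.Value) @($current)) }
                else { "$current" -eq "$($row.Value)" }
        if (-not $same) {
            [pscustomobject]@{ Path=$row.Path; Name=$row.Name; Expected=$row.Value; Actual=$current }
        }
    }
}

function Set-DcRegistryBaseline {
    # Apply only the drifting rows; -WhatIf shows what would change without touching the DC.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][object[]]$Baseline)
    foreach ($row in $Baseline) {
        if (-not (Test-DcRegistryBaseline -Baseline @($row))) { continue }
        if ($PSCmdlet.ShouldProcess("$($row.Path)\$($row.Name)", "set to $($row.Value)")) {
            if (-not (Test-Path $row.Path)) { New-Item -Path $row.Path -Force | Out-Null }
            New-ItemProperty -Path $row.Path -Name $row.Name -PropertyType $row.Type -Value $row.Value -Force | Out-Null
        }
    }
}

# Usage:
#   Test-DcRegistryBaseline -Baseline $DcBaseline | Format-Table     # audit only
#   Set-DcRegistryBaseline  -Baseline $DcBaseline -WhatIf            # dry run
#   Set-DcRegistryBaseline  -Baseline $DcBaseline                    # apply the drift
# The ESENT counters still need their names loaded once, as the post says
# (path assumed; the post gives only the file name):
#   lodctr "$env:SystemRoot\system32\esentprf.ini"
# The NSPI value only takes effect after the GC is restarted, and Field
# Engineering at 5 is a troubleshooting setting, so keep a second baseline
# (or a row with Value=0) for the steady state.
```

Running the audit function on a schedule and alerting on any output is the cheap way to notice when someone “temporarily” flips Field Engineering or Strict Replication Consistency and forgets to put it back.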

Posted in Active Directory | Leave a Comment »

AD and DC Builds, tweaks, configurations… (1)

Posted by BPuhl on July 6, 2006

I received a mail from a blog reader (Jim) who asked:

“Can you provide any insight regarding and tweaks or configuration settings you guys use on your DC builds?”

Sure, I’m happy to do this, so here I am typing happily along, and realized that there is a lot more configuration/tweaking/settings that we use than I should reasonably put into a single blog entry.  Instead this will be the first of multiple entries…

So, let’s start at the very beginning (it’s a very good place to start)…  With our standard hardware platforms.  All MS IT domain controllers are based on either our “large” or “small” SKU…internally, we call these the DC-E (enterprise) or DC-F (field) platforms.

The DC-E specs are:

  • DL585

  • 2 x 1.8GHz AMD Opteron (64-bit) dual core processors

  • 16GB RAM

  • 172GB total storage

    • Internal Array Controller – 2 x 72GB – RAID 1

      • 50GB OS partition

      • 18.8GB partition for Log files (L: Drive)

    • Array Controller 1 – External Storage – 6 x 36GB – RAID 0+1

      • 103.2GB partition for DIT, SYSVOL, Backups (M: Drive)

The DC-F specs are:

  • DL385

  • 1 x 2.2GHz AMD Opteron (64-bit) dual core processor

  • 8GB RAM

  • 137GB total storage

    • Internal Array Controller

    • Disk 0 – RAID 1 – 2 x 72GB

      • 50GB OS partition
      • 18.8GB partition for Log files (L: Drive)

    • Disk 1 – RAID 0 + 1 – 4 x 36GB

      • 68.8GB partition for DIT, SYSVOL, Backups (M: Drive)

All of our DC’s run x64 OS’s…well…unless we have some dogfood requirement for 32-bit OS runtime (which we periodically do)…but for all intents and purposes, let’s just pretend because we really WANT to run all 64-bit OS’s.

Somewhere previously I mentioned that our average DIT size is 10-11GB on disk.  The DC-E with 16GB of RAM lets us cache the entire database with room for growth; the DC-F with only 8GB of RAM is usually deployed where we need the services but don’t have the load, so caching is less of an issue.  In that case, the DC-F is significantly cheaper for us.

Posted in Active Directory | Leave a Comment »