Posts

Showing posts from February, 2014

Active Directory DNS zone replication scope (for example All Servers in the Domain) cannot be read or set with WMI

When updating our DNS service audit tool, we were looking for a way to read the replication scope of an Active Directory-integrated zone (for example, "All Servers in the Domain") and found that this information isn't available in the standard DNS WMI class, MicrosoftDNS_Zone. This is unfortunately another thing that Microsoft have not exposed on their WMI classes. There is some good news, however: this information is now exposed on Microsoft's new Management Infrastructure (MI) WMI classes; see the ReplicationScope property of DnsServerPrimaryZone. This information will be audited and available for DNS servers running Windows Server 2012 and above in XIA Configuration Server v6.

Activate Windows Server 2012 R2 with license key after login

After you've installed Windows Server 2012 R2, if you skipped entering the license key you can enter it later, either by running the msoobe.exe command as follows:

%systemroot%\system32\oobe\msoobe.exe /a

This displays the following settings screen.

Or alternatively, go to Start, right-click My Computer and select Properties. From this screen, select Change product key.

Please see our Network Audit Tool, XIA Configuration Server.

Dave

Group Policy Management Console error "Invalid Pointer"

When using the Group Policy Management Console you may see the error "Invalid Pointer" or "The data is invalid" as you expand the domain. This can be caused by an invalid gPLink value on one of the organizational units. As you can see here, the distinguished name has been modified, placing an "f" character before the LDAP:// prefix. To resolve the error you need to locate the faulty gPLink and correct the distinguished name value. You can either look through the organizational units manually or scan the domain with our Active Directory audit tool, which can help locate the faulty link.

http://www.centrel-solutions.com/XIAConfiguration/Capabilities.aspx?capability=ActiveDirectory
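
A scan for the malformed gPLink described above, as an added example (not code from the original post or from XIA Configuration Server). It assumes the usual gPLink layout of bracketed [LDAP://<GPO DN>;<option>] entries with options 0 to 3; the function name Test-GPLinkValue and the sample containers and values are constructed for illustration.

```powershell
# Added example. Assumed gPLink layout: [LDAP://<GPO DN>;<option>][LDAP://...;<option>]...
function Test-GPLinkValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)

    # One well-formed link. Option: 0 enabled, 1 disabled, 2 enforced, 3 disabled + enforced.
    $link  = '\[LDAP://(?<dn>[^;\[\]]+);(?<opt>[0-3])\]'
    # Assumption: links point at a GPO object under CN=Policies,CN=System of a domain.
    $gpoDn = '^CN=\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\},CN=Policies,CN=System,DC=[^,]+(,DC=[^,]+)*$'
    $problems = @()

    # Whatever remains after removing every well-formed link is malformed text,
    # for example a stray character in front of the LDAP:// prefix.
    $leftover = [regex]::Replace($Value, $link, '').Trim()
    if ($leftover) { $problems += "unparseable text: $leftover" }

    foreach ($m in [regex]::Matches($Value, $link)) {
        $dn = $m.Groups['dn'].Value
        if ($dn -notmatch $gpoDn) { $problems += "not a GPO distinguished name: $dn" }
    }
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample values (container DN -> gPLink), not taken from a real directory.
$samples = [ordered]@{
    'OU=Sales,DC=example,DC=int'   = '[LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=example,DC=int;0]'
    'OU=Finance,DC=example,DC=int' = '[fLDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=example,DC=int;0]'
    'OU=Lab,DC=example,DC=int'     = '[LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=example,DC=int;0][LDAP://cn=policies,cn=system,DC=example,DC=int;2]'
    'OU=Unlinked,DC=example,DC=int' = ' '
}

$report = foreach ($container in $samples.Keys) {
    $result = Test-GPLinkValue -Value $samples[$container]
    if (-not $result.Valid) {
        [pscustomobject]@{ Container = $container; Problems = $result.Problems -join '; ' }
    }
}
$report | Format-List   # lists OU=Finance (stray "f") and OU=Lab (link without a GPO GUID)

# Against a live domain (assumes the ActiveDirectory module is available):
# Get-ADObject -LDAPFilter '(gPLink=*)' -Properties gPLink | ForEach-Object {
#     $r = Test-GPLinkValue -Value $_.gPLink
#     if (-not $r.Valid) { [pscustomobject]@{ Container = $_.DistinguishedName; Problems = $r.Problems -join '; ' } }
# }
```

The commented live query searches the default domain partition only, so links set on sites in the configuration partition need a separate search base.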

Determine if the Active Directory recycle bin is installed

Be warned if you're trying to find out whether the Active Directory Recycle Bin feature is installed in the forest. Many documents suggest that you read the msDS-EnabledFeature attribute at the following location in Active Directory:

CN=Partitions,CN=Configuration,DC=somedomain,DC=int

However, if you are not an Enterprise Admin or Domain Admin in the forest root domain, you'll see the setting displayed as <Not Set> even if the Recycle Bin is installed. This is misleading, as <Not Set> is what is displayed if the Recycle Bin is not installed. Running the following PowerShell command does work correctly:

Get-ADOptionalFeature 'Recycle Bin Feature'

This is because the tool looks at the server's NTDS Settings, where another msDS-EnabledFeature attribute can be found. This attribute is populated as each domain controller is informed that the optional feature has been installed in the forest. A permissions friendly LDAP query is as fo

Monitor / trace live LDAP queries against Active Directory

I have recently been trying to trace all LDAP queries executed against Active Directory and found it difficult to find any Microsoft tools to perform this task. The ADInsight tool seems to be deprecated and has several issues, including running on virtual machines. The simplest solution I found was here:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/c1677d2b-7e29-4382-9bea-84f3399d37e3/ldap-connectionsqueries-logging?forum=winserverDS

By setting the following registry entries, the LDAP queries are logged to the Directory Services event log:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
15 Field Engineering DWORD = 5

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Expensive Search Results Threshold DWORD = 1
Inefficient Search Results Threshold DWORD = 1