Florian’s Blog

I’ve been with a customer recently and we’ve looked at data they had in their Active Directory. We were looking at using some of the data for Dynamic Access Control for claims-based access control. We had a list of attribute that contained viable data and were looking to see whether we could use the attributes for DAC. For this, we’d run a couple checks and see whether all users had a value set for the attribute we were looking at.

One of the attributes we ran the check for was the “title” attribute. We would see whether all users had a value for their “title” attribute. Doing this with ADFind, we ran two queries: (1) Check how many users we have and (2) Check how many users have the “title” attribute set with a value. Then, we would compare both numbers and see where we are at.

Read more »

I was with a customer recently and had my first experiences with the failover functionality in Windows Server 2012. DHCP failover is a new feature in Windows Server 2012 that allows for true failover functionality between two 2012-based DHCP servers. Modes are “Load balancing” and “Hot Standby”.

The idea behind this is that you might want two running DHCP servers at all times and have them communicate over a heartbeat system – such that the hot standby server can take over if the active server won’t answer a set of consecutive heartbeats.

The feature is described on the DHCP Team’s blog: http://blogs.technet.com/b/teamdhcp/archive/2012/06/28/ensuring-high-availability-of-dhcp-using-windows-server-2012-dhcp-failover.aspx

Read more »

When things go wrong in Active Directory, there are a number of options to remediate and restore “normal” behavior. For catastrophic failures that cannot be restored by bringing back single objects from a backup, there is a process of recoverying the whole forest and restoring the distributed system to a working state.

This recovery process – in its required steps – has a required foundation and looks always similar. There are variations based on any customer’s environment or applications and services that are run – but the overall process in its structure is the same. We don’t discuss specific steps here but focus on the overall steps required.

How a forest recovery is performed is documented at http://technet.microsoft.com/en-us/library/planning-active-directory-forest-recovery(v=WS.10).aspx and http://www.microsoft.com/en-us/download/details.aspx?id=16506. The descriptions give guidance and a very generic step-by-step outline of what’s required. However – the process needs tailoring for any organization and you should have your custom Forest Recovery plan ready. I can guarantee that you will not be successful with pulling out the standard DOC file from the download locations above. It _needs_ tailoring.

Read more »