Distinguished Names for Complex Items

Distinguished Names are pretty simple, right? Well… it depends on several factors.  To figure out the DN for swmi.ca it is… dc=swmi,dc=ca.  An Organizational Unit is not much harder… Let’s take an OU called Toronto in the swmi.com domain… ou=Toronto,dc=swmi,dc=ca.  Simple.

But what happens when we add a little complexity to our environment?  Say… OUs within OUs, and domains within domains?  Here’s an example:

Domain: Canada.swmi.ca
OU: OntarioToronto

Okay, this is a little more complex… but it’s actually pretty easy, once you know what you are doing.


See? That’s not that much harder than the simple Distinguished name…it’s just longer.

Spaces… what happens when you add spaces into the names of your OUs?  Of course, the space is not a valid character in a domain name, but there is nothing stopping you from putting them into your OU names.  You know… aside from common sense ;’)

We know that in PowerShell (and most scripting- and command-line interfaces) you have to put quotes around names that have spaces.  But when I run a PowerShell script that includes the DN of an object, it will already have quotes around it… do I have to double-quote?

No.  Distinguished Names do not change because you are scripting.  So let’s look at an example:

Domain: Canada.swmi.ca
OU: OntarioToronto – File Servers

Take a deep breath… relax, and let’s do what we did before…

OU=File Servers,OU=Toronto,OU=Ontario,DC=Canada,DC=swmi,DC=ca

We can go on and on with this game… one particular client that I am working with right now has a domain with OUs embedded six levels deep.  It is crucial that I get the DN right when I am scripting… refer to my article on Failover Cluster OUs and you will see why.  My clusters must be placed in the right place.  So I spent the time to make sure I had it right… and it worked!

…So what if you are hesitant, unsure, unconfident?  Before you run your script, run a simple command to test it:

dsquery ou “OU=File Servers,OU=Toronto,OU=Ontario,DC=Canada,DC=swmi,DC=ca

A simple dsquery should return the following response:

“OU=File Servers,OU=Toronto,OU=Ontario,DC=Canada,DC=swmi,DC=ca”

Now this isn’t very exciting… it is just parroting back to me what I said, right?  Well know that the alternative is an error message (dsquery failed: A referral was returned from the server, or dsquery failed: Directory object not found) and not getting that is golden.

Distinguished Names can be intimidating… but with a little bit of knowledge, you should be on easy street!

Failover Cluster OUs

I recently created a proof of concept for a client that was built into their production environment.  The POC required me to create a couple of failover clusters, so I got the names from the customer, and created them… like I’d done a thousand times before.

Several weeks went by and the customer called me and asked why they weren’t able to move the cluster name object (CNO) into an Active Directory (AD) Organizational Unit (OU).  Before I went chasing unicorns I opened an AD console and tried to move it myself.  Sure enough, I got an Access Denied response.

Hmmm… I was using my Domain Admin account… Wasn’t that supposed to give me the keys to the kingdom?

Like every object in your computer, the CNO has security properties, and by default, these protect them from being moved.  Of course, you can change these permissions if you like, but I am not a huge fan of doing that if I don’t have to.  Instead, what I would rather do is place the CNO into the proper OU when it is created, and then leave it there.

The problem with that is the New Failover Cluster Wizard… there is no option to place the cluster into a non-default OU.  Well, that’s not entirely true… the option is there, and it is hiding in plain sight.  In the Cluster Name dialogue box, simply enter the canonical name… CN=ClusterName,OU=Clusters,DC=SWMI,DC=ca

Simple, huh?  It’s so simple that I’ll bet you will want to know how to script this, so you can do it over and over again, right?  So watch this:

PS C:\> New-Cluster -Name CN=ClusterName,OU=Clusters,DC=SWMI,DC=ca -Node Server1, Server2, Server 3

Simple as pie, right?  It is… but make sure you get your canonical name right, otherwise this will fail, and you won’t know why.

No get back to work!

Virtualizing your Domain Controllers

I am asked all the time what the best practices are for domain controllers in a virtualized environment.  There are several that I will call out, but let’s begin with the simplest rule.

You should never have ONE domain controller.

This rule is not only true in virtualized environments, it is always true.  If you are too small to have a domain that is fine, but if you have a domain you should have two DCs.  If you run Windows Small Business Server that rule is just as true – join a second server to the domain and promote it.  YES IT DOES WORK, please don’t argue it again! Smile

You can absolutely virtualize your domain controllers.

I hear this question from people all of the time… and the reality is that there is nothing wrong with virtualizing your DCs.  If the main concern is the Time Synchronization issue, then there is a simple answer for that.  Your Active Directory domain resources will not be able to authenticate if the time is off by more than 300 seconds (5 minutes).  However that skew is from the domain, and not your wrist watch.  If your radio says it is 3:15pm and your domain says that it is 10:38am, the only thing that matters is that your network resources think that it is between 10:34 and 10:42. 

In simple terms, if one time resource is off it is bad… if ALL of your time resources are off, it’s not.  This theory may fall down with external resources – I have noticed that Twitter (or at least many Twitter clients) are sticklers for time, and if you are off then you will not be able to authenticate.  Lync can also be an issue, and I am sure there are dozens of other externally provided services that will cause issues.  However internally as long as your client and your server have the same wrong time, you’ll be fine.

So with that being said, my tendency is to select one domain controller and configure it to synchronize with an external time server.  I will then create a GPO in my domains to use that server as the authoritative time source for the entire network.  That prevents all manner of things from going wrong if you find the time is off.

Your Domain Controllers should be just that… and not much else!

Your DC should not be a file server, database server, media server, deployment server, update server… there are only three services that my domain controllers generally perform: Active Directory Domain Services, Domain Naming Service (DNS) server, and Distributed Host Configuration Protocol (DHCP) servers.  In my networks these three services go together nearly all of the time.  I don’t know of any good reason to put anything else on a domain controller, and every time someone says ‘Well what about…THIS?’ I disagree.

Of course, sometimes you don’t have a choice… Windows Small Business Server is a good example of that, but as you have likely heard me say before, SBS out of the box forces you to break a lot of rules that are simply not meant to be broken.  If you ever hear me discuss it I have said there are ways to make it more palatable… but that does not change the facts.  This is one reason I always tell my classes that it is easier for an enterprise administrator to adapt to small business IT than it is the reverse… the good habits of the enterprise admin will never hurt the SBS (although they may be considered overkill); some of the habits of small business IT Pros can, conversely, do serious damage to the enterprise IT environment.

Don’t P2V your domain controllers.

This rule is not as clear-cut as the others, but calls on some of them.  I do not believe in performing physical to virtual (P2V) migrations of domain controllers.  If an organization does have a physical domain controller that they would like to retire, I feel the following is a much safer and cleaner practice:

  1. Before you begin (as much as 10-14 days in advance) I will reconfigure the DHCP scope on the server in question to shorten the address length from whatever is currently in place (by default 8 days) to 1 hour.  This will prevent or at least minimize problems later on.
  2. When you are ready, create a new virtual machine and install the operating system.  Make sure you patch it to the most recent service pack, and apply all applicable critical and security patches.
  3. Join the new server to the domain, and promote it to domain controller.  Assuming you are on Windows Server 2008 R2 Service Pack 1 (which you should be by now!) you need to install the Active Directory Domain Services role, but the dcpromo.exe command will do that for you.
  4. After the server reboots, it will begin to synchronize with the Active Directory.  Remember, since AD is a distributed database, when you add a new server to the mix it will simply (over a period of time directly related to the size of your organization, factoring for network bandwidth issues) receive a complete copy of the AD that will be identical (upon completion) to the original server.  DNS will do the same thing, as long as you a) install the DNS role when you promote the server, and b) your DNS Zones are configured as Active Directory Integrated.
  5. Install and configure the DHCP Server role in the new domain controller.  If you have room to grow with your IP addresses I would recommend creating a completely different scope, but if you are tight then creating an overlapping scope will only cause very temporary headaches, most of which will be mitigated by doing this switchover during off-peak hours.  Remember to copy any reservations from the original server, especially when you have devices (such as printers) that require specific addresses.  Also, do not forget to verify that all of your Scope Options are properly configured.
  6. Stop the DHCP Server service on the original server (net stop “DHCP Server”).  Again, If your scopes are overlapping be sure to do this during off-peak hours.
  7. If the physical box held any of the Flexible Single Master Operations (FSMO) roles then you should transfer them to the new server, or to another domain controller in the organization.  If you forget to do this they can later be seized, but this is the easiest and least intrusive way of doing it.
  8. You can leave your source DC on for a week or two, but after a day or so I would usually power it down; don’t reformat it or throw it out just yet, but at this point you are ready to go!

One of the rules of P2V Migrations is GIGO: Garbage In, Garbage Out.  In other words, any legacy issues you may have had previously – whether it’s clutter, breaks, bugs, or whatnot – goes with you.  With the distributed database replication model of Active Directory you get to start fresh, with all of your data. 

This method is also a great way of upgrading a DC from Windows Server 2003 to Server 2008 R2 – rather than do an in-place upgrade, you can simply do the side-by-side virtualization dance.  It won’t change your schema or upgrade your Domain (or Forest) Function Level, although if it is the first 2008 R2 domain controller in your domain you will have to run a couple of scripts to prepare the domain by running the following commands:

(On the server that holds the Schema Master FSMO role): adprep /forestprep

(On the server that holds the Infrastructure Operations Master FSMO role): adprep /domainprep /gpprep

That’s about it… as I mentioned, there may be exceptions if your DC is doing something that (according to my guidelines) it is not supposed to be doing, but then again this may be a great opportunity for you to step in line with best practices and separate other roles from the domain controller.

No go forth and virtualize your Active Directory Domain Controllers!

Wow that certification exam was TOUGH!

I was so excited in 2003 when I passed my first certification exam and became a Microsoft Certified Professional.  I immediately went out and printed new business cards with my new MCP logo, quit my (reasonably low-paying) job, and decided to make my own way as an independent computer consultant.  It was, up to that point, the proudest day of my IT career.

Whenever people complain to me that certification exams are hard, I remind them that if they were easy then the credentials would be worthless.  The harder we have to work for a goal, the higher we value it – the higher it is valued by others.  As the famous quote states:

“The harder the conflict, the more glorious the triumph. What we obtain too cheap, we esteem too lightly; it is dearness only that gives everything its value. I love the man that can smile in trouble, that can gather strength from distress and grow”  –Thomas Paine

So really, why would you ever want a certification exam to be easy?  I remember walking out of one exam that I took several years ago fuming because it was too easy.  I was angry because I felt it diminished the value of all of my certifications, and was glad when Microsoft Learning revisited that exam and did make it tougher… somewhat.

I know, looking at my transcript, which were easier and which were not… but I also know by speaking with my peers.  There was a time when we simply didn’t discuss failed exams… although one good friend of mine, with whom I went through many of my early certs, made me a bet about one exam that he had failed three times.  I couldn’t understand at that point how someone could actually fail one exam that many times… I have since learned the hard way.

One friend of mine – someone I consider to be smarter than I am – has failed one particular exam four times.  That is rough… but it is among the hardest exams I have ever taken.  To be fair, it took me a second try to pass it, but I was glad when I did.  Maybe glad is the wrong word… thrilled, relieved, exhausted, and elated are all accurate.  The exam was 70-647 PRO: Windows Server 2008, Enterprise Administrator.  It is easy to underestimate these exams, but it is a PRO exam, which means you have to really know your stuff… and not just the answer to questions, you have to be able to weigh the needs of different people and departments in a client environment before selecting an answer.  The exams that go through scenarios (testlets) and ask you several questions on that environment help to not only understand the technology, but also what is required to be a trusted business advisor to your customers.


That certification – the MCITP: Enterprise Administrator – is in my experience the toughest of the MCITP certifications available today.  It is a worthy successor to the retired Microsoft Certified Systems Engineer (MCSE) which remains among the most recognized industry certifications today.  It is rigorous – you need to pass five exams – 70-640, 70-642, 70-643, 70-647, and a desktop exam.  However when you do obtain this credential, hiring managers will take notice.


If this is a bit much (and for a lot of people it is not just a question of being too hard, it is simply overkill) then Microsoft offers another certification – MCITP: Server Administrator – that I see as the successor to the Microsoft Certified Systems Administrator (MCSA) from Windows Server 2000 and 2003.  It is also tough, but only requires three exams… 70-640, 70-642, and 70-646.  If you are paying attention, you will notice that the SA cert requirements are a subset of the EA cert, so if you are working toward your Enterprise Admin, but need more time, it may be worthwhile to take the extra exam and get the SA once you have passed the first two exams.

MCITP(rgb)_1084_1085 MCTS(rgb)_1078_1080_1079_1310

Once you earn both credentials you will actually have six separate certifications, which may not be more knowledge than you would have had with the MCSE model, but it does make for a slightly more impressive transcript.  For all of the people who would say ‘I have four MCPs’ or ‘I am an MCP in Server Infrastructure and Active Directory’ they were really just MCPs.  Today you can show potential employers exactly where you are in your certification roadmap, and what you have left.  It also, frankly, looks better.

The harder you work on your certifications the sweeter they will be… but the current model also allows you more milestones along the way… I remember thinking back when I started out that it was cool that I got a certification with my first exam, but how disappointing was it that I needed to pass six more exams until I got my next cert?  The introduction of the MCSA made it a little better – only four exams for that.  Now every time you pass an exam you can add it to your transcript, and it does show more granular progress.  So the MCITP: EA may be harder than previous iterations, but you can at least hang your hat along the journey with measured progress.

Of course… soon enough Microsoft will be releasing Server 8, and I’ll have to start all over again…