Wednesday, July 31, 2013

Configuring HA DHCP on Windows Server 2012 Without Clustering

Server 2012 has brought a very welcome improvement to the DHCP Server role: DHCP failover. Two DHCP servers can now replicate lease state for a scope (in either load-balance or hot-standby mode) to give you highly available DHCP without clustering or split-scope. This is beneficial because you no longer need the complexity of a failover cluster or the ugliness of split-scope to have multiple DHCP servers hand out addresses for the same scope, and because clients keep their leases when one server goes down.
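As an added example (not code from the original post), this is how a load-balanced failover relationship for a single scope is created from PowerShell and then verified from the partner. The server names, scope and shared secret are hypothetical placeholders.

```powershell
# Added example: DHCP failover between two Server 2012 DHCP servers.
# Both servers must already hold the DHCP Server role and be authorized in AD,
# and the scope must exist on $primary; the relationship replicates it to $partner.
# Names, scope and secret below are hypothetical - replace with your own.
$primary = 'dhcp01.corp.example.com'
$partner = 'dhcp02.corp.example.com'
$scope   = '10.10.20.0'

# LoadBalancePercent makes this a load-balance relationship (50/50 here).
# For hot standby use -ServerRole Active/Standby and -ReservePercent instead.
# The shared secret authenticates failover messages between the two partners;
# pull it from a secret store rather than hard-coding it in a script.
Add-DhcpServerv4Failover -ComputerName $primary `
    -Name "$scope-failover" `
    -PartnerServer $partner `
    -ScopeId $scope `
    -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -StateSwitchInterval (New-TimeSpan -Minutes 10) `
    -AutoStateTransition $true `
    -SharedSecret 'Replace-with-a-long-random-secret' `
    -Force

# Verify: the relationship and the replicated scope should both be visible on the partner.
Get-DhcpServerv4Failover -ComputerName $partner |
    Format-List Name, Mode, State, PartnerServer, ScopeId, LoadBalancePercent
Get-DhcpServerv4Scope -ComputerName $partner -ScopeId $scope
```

StateSwitchInterval plus AutoStateTransition is what lets the surviving server take over the whole address pool automatically when its partner stays unreachable; without them the relationship sits in COMMUNICATION INTERRUPTED until an administrator intervenes.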

Monday, July 29, 2013

Creating a new Active Directory domain on Windows Server 2012

Windows Server 2012 has brought many improvements and has phased out some legacy tools. One of those tools is good old dcpromo.exe. It has been deprecated in favor of the Install-ADDSForest PowerShell cmdlet (with Install-ADDSDomain and Install-ADDSDomainController for additional domains and DCs) and the Server Manager wizard, which simply runs the same cmdlets under the hood and will even show you the script it generates. The video below walks you through the creation of a new AD forest using Server Manager in Windows Server 2012.
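For readers who would rather script it than click through the wizard, here is the PowerShell equivalent as an added example (not code from the original post or the video). The forest name, NetBIOS name and paths are hypothetical placeholders; pick a name you own that is not your public DNS zone.

```powershell
# Added example: create a new AD forest on Windows Server 2012 with PowerShell.
# Run elevated on the server that will become the first domain controller.
# corp.example.com / CORP are placeholders - use a sub-zone of a domain you own.

# 1. Install the AD DS binaries and RSAT tools. Nothing is promoted yet.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Prompt for the Directory Services Restore Mode password; never hard-code it.
$dsrm = Read-Host -Prompt 'DSRM (safe mode) administrator password' -AsSecureString

# 3. Run the prerequisite checks first; this reports problems without promoting.
Test-ADDSForestInstallation -DomainName 'corp.example.com' `
    -SafeModeAdministratorPassword $dsrm

# 4. Promote the server and create the forest root domain. The box reboots at the end.
Install-ADDSForest `
    -DomainName 'corp.example.com' `
    -DomainNetbiosName 'CORP' `
    -ForestMode Win2012 `
    -DomainMode Win2012 `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -Force
```

Keep the script in source control: every later DC in the domain can then be built the same way with Install-ADDSDomainController, and the DSRM password you set here is the one you will need for an offline restore of this DC.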

Wednesday, July 24, 2013

Enabling and using the Active Directory Recycle Bin in Windows Server 2012

Server 2008 R2 introduced the AD Recycle Bin, which was a great addition to any AD environment, but it had no GUI of its own: enabling it and restoring objects meant PowerShell (or ldp.exe). This made it tricky for a lot of people to enable. Server 2012 makes it much simpler to enable and to work with. You can still do everything via PowerShell (and you should learn it if you don't know it already!), but you can also enable it and handle restores through the Active Directory Administrative Center GUI as well. Two caveats still apply: the forest functional level must be at least Windows Server 2008 R2, and once the feature is enabled it cannot be turned off again.
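The PowerShell path, as an added example that is not code from the original post: check the prerequisite, enable the feature once for the forest, then list deleted objects and restore one. The forest name and the deleted user's account name are hypothetical.

```powershell
# Added example: enable the AD Recycle Bin and restore a deleted user with PowerShell.
# Run as an Enterprise Admin. The sAMAccountName 'jdoe' is a hypothetical placeholder.
Import-Module ActiveDirectory

$forest = Get-ADForest
$minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $minimum) {
    throw "Forest functional level is $($forest.ForestMode); raise it to 2008 R2 or higher first."
}

# Enable once per forest. This is irreversible, so leave the confirmation prompt in place.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name
}

# List what is currently in the bin. The 'Deleted Objects' container itself is
# flagged isDeleted, so exclude it. lastKnownParent tells you where each object lived.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# Restore one user. With the Recycle Bin enabled, deleted objects keep all their
# attributes (group memberships, SID, sAMAccountName), so you can search on them.
# If the parent OU was deleted too, restore the parent first or the restore fails.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and sAMAccountName -eq "jdoe"' `
    -IncludeDeletedObjects
if ($deleted) {
    Restore-ADObject -Identity $deleted.ObjectGUID
    Get-ADUser -Identity 'jdoe' | Select-Object DistinguishedName, Enabled
}
```

Objects stay restorable for the deleted-object lifetime (180 days by default on a forest created with 2008 R2 or later), after which they become recycled and are gone for good; an authoritative restore from backup is the only option at that point.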

Tuesday, July 23, 2013

Making Active Directory replication between sites almost instant

When you have a multi-site environment in AD, the lowest interval you can set on a site link's replication schedule is 15 minutes. This limit dates from the days when replication could significantly impact a sub-megabit WAN connection. Now, with modern MPLS connections of 20 Mbps or greater being extremely common, it makes sense to enable change notification on your site links. With change notification, a DC tells its inter-site partners about a change within seconds instead of waiting for the next scheduled window, giving you the near-instant replication you're accustomed to between domain controllers in the same site. It is a bit on the site link's options attribute, so it is a one-time change per link, and the KCC picks it up on its next run. Do it only where the WAN can actually absorb the traffic; password changes and group membership edits will now hit the link immediately rather than in batches.
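As an added example (not code from the original post), the change is a bitwise OR of the USE_NOTIFY flag (value 1) into each site link's options attribute. The loop below leaves the other option bits (two-way sync, compression disabled) untouched and then verifies the result; the site link names it prints are whatever your forest contains.

```powershell
# Added example: enable inter-site change notification on every AD site link.
# Run as a Domain/Enterprise Admin with the ActiveDirectory module available.
Import-Module ActiveDirectory

# Bits of the siteLink 'options' attribute (from the AD schema documentation):
$USE_NOTIFY          = 1   # replicate on change notification
$TWOWAY_SYNC         = 2   # left alone below
$DISABLE_COMPRESSION = 4   # left alone below

foreach ($link in Get-ADReplicationSiteLink -Filter * -Properties options) {
    # options is $null until something sets it; [int]$null is 0
    $current = [int]$link.options

    if ($current -band $USE_NOTIFY) {
        "$($link.Name): change notification already enabled (options=$current)"
        continue
    }

    # OR the bit in rather than assigning 1, so existing flags survive
    Set-ADReplicationSiteLink -Identity $link -Replace @{ options = ($current -bor $USE_NOTIFY) }
    "$($link.Name): change notification enabled (options=$($current -bor $USE_NOTIFY))"
}

# Verify, then make the KCC on this DC recompute the topology now instead of
# waiting for its next scheduled run, and show the inbound connections it built.
Get-ADReplicationSiteLink -Filter * -Properties options | Select-Object Name, options
repadmin /kcc
repadmin /showrepl
```

Watch repadmin /showrepl (or the Directory Service event log) after the next change in a remote site; the "last attempt" timestamps on the inter-site connections should now move within seconds of a change rather than on the 15-minute boundary.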

Friday, July 19, 2013

SCSM 2012 service accounts and denying interactive logon

I recently did a System Center Service Manager 2012 SP1 install for a customer that has a blanket policy of denying interactive logons to all service accounts in their domain. The first issue that we ran into was that the Service Manager Data Warehouse could not be registered. After allowing interactive logon, it registered fine. We also hit a snag where the AD connector wouldn't start synchronizing until interactive logon was allowed. The workflow account will also fail at various tasks when denied interactive logon.

The moral of the story is that you should not strip the "Allow log on locally" right (SeInteractiveLogonRight) from your SCSM 2012 service accounts, whether by removing it or by adding them to "Deny log on locally". If your domain applies a blanket deny through Group Policy, exclude the Service Manager accounts from that GPO for the management and data warehouse servers instead of trying to make the product work without the right.
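Before opening a support case, it is worth confirming what the server's security database actually holds, since the deny right may arrive through a domain GPO rather than local policy. The script below is an added example (not code from the original post) that exports the user-rights area with secedit and reports whether any of a list of service accounts is denied interactive logon. The account names are hypothetical placeholders.

```powershell
# Added example: check whether SCSM service accounts are in "Deny log on locally"
# (SeDenyInteractiveLogonRight) on this server. Run elevated on each Service Manager
# management server and data warehouse server. Account names are hypothetical.
$expected = @('CORP\svc-scsm-sdk', 'CORP\svc-scsm-workflow', 'CORP\svc-scsm-dw')

$inf = Join-Path $env:TEMP 'user-rights.inf'
# Export only the user-rights area of the local security database. Domain GPO
# settings are applied into this database, so the export reflects the effective set.
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The exported line looks like:
#   SeDenyInteractiveLogonRight = *S-1-5-32-546,CORP\svc-something
# Entries are SIDs prefixed with '*', or plain account names.
$line = Get-Content $inf | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
Remove-Item $inf -Force

$denied = @()
if ($line) {
    $denied = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Translate SIDs to DOMAIN\name; keep the raw SID if it cannot be resolved
            try {
                ([System.Security.Principal.SecurityIdentifier]$entry.Substring(1)).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else {
            $entry
        }
    }
}

"Accounts denied interactive logon on $env:COMPUTERNAME:"
$denied | ForEach-Object { "  $_" }

$hits = $expected | Where-Object { $denied -contains $_ }
if ($hits) {
    Write-Warning "SCSM service accounts denied interactive logon: $($hits -join ', ')"
} else {
    'None of the listed SCSM service accounts are denied interactive logon here.'
}
```

Run it again after a gpupdate /force once you have excluded the accounts from the blanket-deny GPO; if the warning still appears, the deny is coming from another policy, and Get-GPResultantSetOfPolicy or rsop.msc will show you which one.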

Wednesday, July 3, 2013

More documentation from Microsoft about properly naming your AD domain

I've written about this before and not to beat a dead horse, but I just came across this TechNet article on Server 2012 AD DS and found this nugget part-way down the page:

Do not create new Active Directory forests with the same name as an external DNS name. For example, if your Internet DNS URL is, you must choose a different name for your internal forest to avoid future compatibility issues. That name should be unique and unlikely for web traffic. For example:

Just more proof that naming your AD forest after your public DNS zone (which forces you into split-horizon DNS) is not recommended, no matter what your Lync or Exchange people tell you. It does mean some extra configuration on their end, especially around certificates, but the split-horizon setup is not recommended and should not be deployed. Since this comes from the Server 2012 documentation, there's really no way anyone can dispute it by calling it outdated or no longer relevant.