Considerations when using a domain-based service account with AD LDS Author: Tony Murray :: Date: Monday, April 13, 2009 9:39 PM
Categories:
Active Directory,
Tips and Tricks,
Windows ServerWhen creating an AD LDS instance you are prompted to specify an account to use as the service account. At this point you can specify either the Network Service account or another account. Unless you have a particular need, you should choose the built-in Network Service account. If you opt for a domain-based service account you have to jump through a whole lot of hoops to get things working. Also, you typically end up giving your domain-based service account more permissions than are strictly necessary (as described later in this article). The Network Service account on the other hand provides an easy set up option and is a good choice from a security perspective given that the account has limited access to the local computer.
So why bother to use a domain-based service account at all? Well, if you have a number of services on your server all running under the context of the Network Service account there is potential for security compromise. In this scenario you may want to consider isolating the services from each other using dedicated service accounts.
What follows is a discussion of the steps required to configure AD LDS to use a domain-based service account.
Vbscript to determine domain and forest functional levels Author: Alexei Segundo :: Date: Wednesday, April 08, 2009 7:09 PM
Categories:
Active Directory,
ScriptingThis script was created to help when raising domain and forest functional levels, especially in larger environments. The script uses an authoritative DC to enumerate all the DCs in the forest. Each DC is then contacted in turn to determine what it thinks is the current domain and forest functional level. The goal is to ensure that the information is consistent across DCs before raising the functional level, and to ensure that replication distributes the changes successfully after raising the functional level.
The (Almost) Definitive Active Directory Blogroll Author: Tony Murray :: Date: Saturday, November 01, 2008 8:42 PM
Categories:
Active DirectoryI subscribe to a number of Blogs with Active Directory content. As it took me a while to accumulate the list, I thought I would share it here.
Let me know if I have missed any out there that should be on this list.
LDAP tips #3: Searching for Computers Author: Tony Murray :: Date: Thursday, September 25, 2008 10:57 PM
Categories:
Active Directory,
Tips and TricksThis article is the third in a series providing tips for common LDAP searches.
Multiple Domain Forests: Still a Valid Design Model? Author: Tony Murray :: Date: Monday, July 21, 2008 2:52 PM
Categories:
Active Directory,
Windows ServerOn the ActiveDir.org list there has been some good discussion about whether the multi-domain forest is still considered a valid design option. This article attempts to crystallise the discussion for use as a reference for those involved with the design or review of forest models.
The general consensus is that single domain forests are now the preferred design option for all but the most marginal cases. Note that this does not preclude the use of multiple forests within a single organisation. For example, the use of the Exchange Resource forest in environments that have a distributed NOS architecture but a centralised messaging architecture is common in larger organisations.
Bulk Updates to Active Directory User Attributes Author: David Wiseman :: Date: Thursday, June 12, 2008 3:52 PM
Categories:
Active DirectoryDescribes how to make bulk updates to Active Directory User Attributes using freeware tools (from WiseSoft.co.uk).
How to Enable, Disable and Maintain OCS 2007 (Office Communications Server) User Attributes using VBScript. Author: Matty Holland :: Date: Thursday, May 15, 2008 4:51 PM
Categories:
Active Directory,
ScriptingThis script will enable and configure Active Directory users for OCS 2007. This is an updated version of the re-written LCS reskit script published in article: How to Enable, Disable and Maintain LCS (Live Communications Server) User Attributes using VBScript.
How to delete corrupt mail items with MFCMAPI Author: Alexei Segundo :: Date: Tuesday, April 22, 2008 12:58 AM
Categories:
ExchangeI recently encountered a situation where Outlook could not open two emails within a mailbox located within an Exchange mail store. Not only could I not open the items, I couldn’t move or delete them either. It was frustrating as it was causing some problems for an email archiving product.
I eventually managed to delete the two emails using the MFCMAPI tool. This article explains the method used and provides screenshots to guide you through the process.
Tracking LDAP Searches with Windows Server 2008 Reliability and Performance Monitor Author: Tony Murray :: Date: Tuesday, February 26, 2008 4:39 PM
Categories:
Active Directory,
Windows ServerWindows Server 2008 ships with the Reliability and Performance Monitor (RPM) snap-in. On DCs, RPM incorporates an Active Directory Diagnostics feature that includes the abilility to track LDAP searches against a DC. The amount of information captured can be very useful when troubleshooting LDAP issues.
This article provides a step by step guide on how to use RPM to track LDAP searches.
Making bulk changes to Active Directory users with ADModify.NET Author: SuperUser Account :: Date: Tuesday, December 18, 2007 5:09 PM
Categories:
Active DirectoryProvides a step-by-step tutorial of how to make bulk changes using the ADModify tool