  Active Directory Snapshot Backup feature in Longhorn Server

Microsoft has introduced Snapshot Backups for Active Directory in Windows Server Longhorn Server. This feature uses the VSS API, as many other Microsoft products and technologies do for the same purpose.
The snapshots can be taken at any time and can also be scheduled.
Active Directory administrators can then mount a snapshot from a given time, browse Active Directory with exactly the same content it had at that time, and restore individual objects. I cover Active Directory Snapshots in my 2-day course "Active Directory features in Longhorn Server" among many other new features. You can read more in detail about my lab here:,433,147.aspx

Here is a step-by-step guide for anyone who wants to get started with Active Directory Snapshot Backups on their own, now that Longhorn Server Beta 3 has been released publicly to the web.

  1. Create and mount an Active Directory snapshot backup
    1. At a domain controller running Longhorn Server Beta 3, type the following command:
      ntdsutil and press Enter. Type act inst ntds and press Enter.
    2. Type snapshot and press Enter, then type help and review the options.
    3. To create a snapshot, type the following command:
      create and press Enter. Verify that the command completed successfully.
      This command can be scheduled using an at job.
    4. To mount the snapshot, type the following command:
      mount <snapshot guid> and press Enter.
      The snapshot GUID is reported in the output of the create command.
    5. Verify that the snapshot was successfully mounted.
      Note: Write down or memorize the path to the D:\ partition (since the database resides within that partition).
      Sample: C:\$SNAP_<TimeStamp>_VOLUMED$\
    6. Start Windows Explorer, navigate to C:\, and ensure that you can see the mount points there and browse them.
    7. Start a new command prompt: click Start, click Run, type cmd and press Enter.
    8. Type the following to start the offline browser as a live directory service:
      dsamain -dbpath:C:\$SNAP_<TimeStamp>_VOLUMED$\NTDS\ntds.dit -ldapport 345 -sslport:346 -gcport:347 -gcsslport:348 and press Enter
    9. Verify that the start-up completed.
  2. Browse a snapshot backup using LDP.exe
    1. Start LDP.exe: click Start, click Run, type ldp.exe and press Enter.
    2. Within ldp.exe, click the Connection menu, choose Connect and specify the following options:
      Server: localhost
      Port: 345
      Click the OK button.
    3. Click the Connection menu and choose Bind (or press Ctrl + B), accept the default settings (bind as the currently logged-on user) and click the OK button.
    4. Click the View menu and choose Tree (or press Ctrl + T), choose the Domain NC and click the OK button, and verify that you can browse the Domain NC from the snapshot backup.
    5. Close ldp.exe.
    6. In the command prompt where you launched the DS Offline Browser (dsamain.exe), press Ctrl + C to kill the instance, then type exit to close the command prompt.
    7. In the command prompt where you are running ntdsutil in the snapshot context, type the following command:
      list mounted and press Enter.
  3. Dismount and delete an Active Directory snapshot backup
    1. Type the following command to dismount the snapshot backup:
      dismount <snapshot GUID reported by the list command above> and press Enter.
    2. Type the following command to delete the snapshot backup:
      delete <snapshot GUID reported by the list command above> and press Enter.
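The whole create/mount/browse/dismount cycle above, scripted so it can run from a scheduled task. This is an added example and not code from the original post; it assumes ntdsutil accepts its commands as arguments, that create and mount print the GUID and mount paths as the post describes, and that the offline browser is dsamain.exe (spelled dsmain/dsamian in the post) taking space-separated flags.

```powershell
# Added example, not from the original post: drives the snapshot procedure above
# from PowerShell so the create/mount/browse/dismount cycle can run unattended.
# Assumed (not confirmed by the post): ntdsutil takes its commands as arguments,
# "create" prints the snapshot set GUID, "mount" prints one
# "C:\$SNAP_<TimeStamp>_VOLUME<X>$\" path per volume, and the offline browser is
# dsamain.exe (the post spells it dsmain/dsamian) with space-separated flags.
$ErrorActionPreference = 'Stop'
$LdapPort   = 345               # ports as in the post: 345..348
$DitRelPath = 'NTDS\ntds.dit'   # where the post keeps the database on its D: volume

function Invoke-NtdsSnapshot([string[]]$Commands) {
    # enter the snapshot context, run the commands, quit twice; return output as one string
    $cmdLine = @('activate instance ntds', 'snapshot') + $Commands + @('quit', 'quit')
    return (& ntdsutil.exe @cmdLine 2>&1) | Out-String
}

function New-AdSnapshot {
    $out = Invoke-NtdsSnapshot @('create')
    $m = [regex]::Match($out, '\{[0-9a-fA-F-]{36}\}')
    if (-not $m.Success) { throw "ntdsutil did not report a snapshot GUID:`n$out" }
    return $m.Value
}

function Mount-AdSnapshot([string]$Guid) {
    $out = Invoke-NtdsSnapshot @("mount $Guid")
    # the set covers every volume; return the mounted copy that actually holds ntds.dit
    foreach ($m in [regex]::Matches($out, '[A-Z]:\\\$SNAP_\d+_VOLUME[A-Z]\$\\')) {
        $dit = Join-Path $m.Value $DitRelPath
        if (Test-Path $dit) { return $dit }
    }
    throw "no mounted volume contains ${DitRelPath}:`n$out"
}

function Start-OfflineDs([string]$DitPath) {
    # dsamain serves the copy read-only on its own ports until the process is stopped
    $flags = @('-dbpath', "`"$DitPath`"", '-ldapport', $LdapPort, '-sslport', ($LdapPort + 1),
               '-gcport', ($LdapPort + 2), '-gcsslport', ($LdapPort + 3))
    return Start-Process -FilePath dsamain.exe -ArgumentList $flags -PassThru
}

function Remove-AdSnapshot([string]$Guid) {
    # the post's Beta 3 command is "dismount"; released ntdsutil calls it "unmount"
    Invoke-NtdsSnapshot @("dismount $Guid", "delete $Guid") | Out-Null
}

$guid = New-AdSnapshot
$dit  = Mount-AdSnapshot $guid
$ds   = Start-OfflineDs $dit
Write-Host "snapshot $guid mounted; point ldp.exe at localhost:$LdapPort (dsamain PID $($ds.Id))"
# when finished: Stop-Process $ds; Remove-AdSnapshot $guid; the mount is a full ntds.dit copy
```

Run it from an elevated prompt on the domain controller; ports and the database path follow the post and should be changed where your layout differs.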


Posted 5/22/2007 by Christoffer Andersson
  Longhorn Server Beta 2 already deployed in my ntdev forest

Longhorn Server
It’s almost a year now since I touched the Longhorn Server bits for the first time, or at least what is going to be Microsoft’s next Windows Server operating system. I have been involved with Longhorn Server in many different aspects; what I have focused on mostly is Active Directory (AD) and Distributed File System (DFS).


“The ntdev forest” is my development and testing forest. It is necessary to have a dedicated testing forest for early bits of a new operating system, since I have to deal with beta versions of the Active Directory schema etc. However, this forest is trusted by my production forest, so it is really used; it is not an isolated environment.


Active Directory

It’s a bit early to go public on what’s new in AD with this release of Windows Server.

However, there is a new feature that is going to change the AD infrastructure a lot when it comes to the design and deployment of domain controllers. We are introducing a new type of domain controller, the Read-Only Domain Controller. If you were at the Directory Services Conference you may already know this; it was there that Microsoft officially announced that they are building Read-Only Domain Controllers.


Read-Only Domain Controllers amount to the following:


  • Complete (RO) replica of the Active Directory Database (NTDS.dit)
  • Full (RO) SYSVOL
  • RODC caches passwords for users\computers
    • No end user\computer passwords are cached by default
    • Caching occurs “on demand” when the user\computer first logs on
  • RODC is stateless
    • No Branch to Hub replication (less bridgeheads required)
    • By definition, none of the local data is critical (unique)


Longhorn Core Server

Longhorn Core Server is a new version of Windows Server that is not like anything else we have seen before. It is a stripped-down server OS with no GUI; all you have when you log on to Windows is a command prompt. Longhorn Core Server can have the following roles:

  • File Server
  • DHCP Server
  • DNS Server
  • Domain Controller

I have a bunch of Read-Only Domain Controllers running on the Longhorn Core Server OS. It works really nicely, and it makes you start thinking: why should a domain controller really have a GUI on the server itself?

If you want to find out more about the Longhorn Core Server OS, have a look at the Core Server team blog:


Distributed File System

The same applies to DFS when it comes to going public with features. However, as you may have noticed, DFS was improved and separated into two technologies in Windows Server 2003 R2: DFS Replication (DFS-R) and DFS Namespaces (DFS-N). Nothing really changed in DFS-N; DFS-R, however, was new in this release, and only now does DFS have a replication technology of its own. In fact, if you enabled a namespace for replication earlier than Windows Server 2003 R2, you actually used the File Replication Service (FRS), which has nothing to do with DFS. DFS-N and DFS-R are both hosted under the name DFS.

One of the most amazing features in the entire Windows Server 2003 R2 release is the Remote Differential Compression (RDC) technology, which improves replication by replicating only the blocks that actually changed within a file, instead of the entire file, when it is updated. This saves a lot of WAN bandwidth.

Example: change the title in a 3.5 MB PPT; the “delta” takes just 16 KB instead of 3.5 MB of data to be replicated to the other replicas.


A few new features for DFS in Longhorn Server

  • On Demand Replication (ghosting)
  • SYSVOL on DFS2
  • Read-only Folder Replication Member

And there are a lot more features planned for this release.

Posted 2006-06-12 by Christoffer Andersson
  Support for Domain Join with smart card in Windows Vista

A Microsoft employee recently posted an interesting topic about support for domain join with a smart card in Windows Vista; here is the story:
After you require smart card interactive logon in your environment, the traditional domain join will not work because you don't have a password. Windows Vista resolves this problem by allowing domain join with a smart card. However, this new feature will work only if you have the Root CA certificate on the smart card.

Here is how to enroll the Root CA cert on the smart card:
1. Run "certutil -scroots deploy" from the command line to enroll the Root CA cert

2. Run "certutil -scroots view" to verify the cert

Certutil with the new scroots switch is a built-in tool in Windows Vista.

After you load the Root CA cert, you will be able to select a smart card instead of username/password, and enter the PIN to join a domain.

Posted 2006-04-04 by Christoffer Andersson
