Hi all, Ned here again. Today I will share some recent questions we’ve gotten offline that never ended up as full-blown blog posts. Naturally any names have been changed to protect the innocent and things are often paraphrased. This post starts a new series that will appear every Friday, barring some kind of disaster such as me being out sick, me taking the day off, or me just not feeling like it (so nyyyaaahhh).
- DC defrag
- The whenChanged attribute
- Delegate control
- RODC app compatibility
- KB mistakes
- Other support options
Is there any risk running Windows disk defrag on a DC? I need to defrag my drives and I’m worried about NTDS.DIT corruption.
Nothing to worry about. In fact, starting in Windows Server 2008 and continuing in R2, you have been running a disk defrag every Wednesday at 1 AM whether you knew it or not. This is default behavior, even on domain controllers.
Note that the task is designed to run in idle state though, so if things stay really busy on a DC all night long, the automatic defrag may be preempted. The Task Scheduler Help has more info on what “Idle” means.
When I search AD for old computer accounts by using the whenChanged attribute, the computers seem to be constantly “new”. How can I find old unused computer accounts using PowerShell?
The attribute you want to use in this scenario is lastLogonTimeStamp; Warren wrote up a pretty comprehensive treatise in this older post. You can search for these inactive accounts using things like the AD PowerShell cmdlet Search-ADAccount. For example, this would find all computers in the domain that have not logged into AD in a year:
Search-ADAccount -AccountInactive -TimeSpan 365.00:00:00 -ComputersOnly
Avoid relying on stale passwords as the signal, as password changes can be disabled. And before acting upon inactive accounts, make triple sure they’re really inactive. Cluster virtual computer objects don’t necessarily “log on”, but if you arbitrarily get rid of them there will be heck to pay. Automating the removal is generally a bad idea.
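An added example (not from the original post) that expands on the one-liner above: a report-only search on lastLogonTimestamp that flags likely cluster virtual computer objects instead of removing anything. The function name, the SearchBase parameter, the CSV path and the SPN-based cluster check are assumptions made for illustration.

```powershell
# Added example: report only; nothing is disabled or deleted.
# Requires the ActiveDirectory module and PowerShell 3.0+ for [pscustomobject].
Import-Module ActiveDirectory

function Get-StaleComputerReport {
    param(
        [int]$InactiveDays = 365,   # same one-year window as the command above
        [string]$SearchBase         # optional OU distinguished name (hypothetical parameter)
    )

    # lastLogonTimestamp is a FILETIME: 100 ns intervals since 1601-01-01 UTC.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)
    $cutoffFileTime = $cutoff.ToFileTimeUtc()

    $query = @{
        # Older than the cutoff, or never set at all (account never logged on).
        LDAPFilter = "(|(lastLogonTimestamp<=$cutoffFileTime)(!(lastLogonTimestamp=*)))"
        Properties = 'lastLogonTimestamp', 'servicePrincipalName', 'whenCreated'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADComputer @query | ForEach-Object {
        $lastLogon = $null
        if ($_.lastLogonTimestamp) {
            $lastLogon = [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp)
        }

        # Skip objects created inside the window that simply have not logged on yet.
        if (-not $lastLogon -and $_.whenCreated.ToUniversalTime() -gt $cutoff) { return }

        # Heuristic: cluster virtual computer objects carry MSClusterVirtualServer SPNs.
        $isCluster = [bool]($_.servicePrincipalName |
            Where-Object { $_ -like 'MSClusterVirtualServer/*' })

        [pscustomobject]@{
            Name              = $_.Name
            DistinguishedName = $_.DistinguishedName
            Enabled           = $_.Enabled
            LastLogonUtc      = $lastLogon
            WhenCreated       = $_.whenCreated
            IsClusterObject   = $isCluster
        }
    }
}

# Review the CSV by hand before touching any account.
Get-StaleComputerReport |
    Sort-Object IsClusterObject, LastLogonUtc |
    Export-Csv -Path .\stale-computers.csv -NoTypeInformation
```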
I am trying to use the Delegate Control wizard within DSA.MSC. When I use a custom task delegation for User Objects I can’t specify certain attributes like Office, E-Mail, City, State, or Country. How can I get these?
Choose the inetOrgPerson object class instead of User – this will get you the granularity you need with the delegation wizard. Chalk this up to vagaries of snap-in, schema, class, and inheritance.
Application X doesn’t seem to work correctly with Read-Only Domain Controllers, and I am not finding anything online that says it is compatible. What should I do?
Find out who created that application and talk to their support staff. If it’s a Microsoft application or Windows component, open a support case and ask to speak to that particular specialty. If not MS, call that vendor. If internal to your company, find that developer! There’s no way for the AD developers to test everything against RODCs – not even within the MS-developed gamut of applications, which is huge. They have to rely on application developers to add it to their test harnesses. If the conversation with the vendor starts with “What’s an RODC?”, they probably don’t test it. 🙂
No matter who you talk to, once it’s established that an RODC is or isn’t supported, make them document it publicly; even if it’s just a blog post, you are helping out your fellow IT humans.
Hey, I think I found an error in KB article Y. Can you fix it?
You betcha. Just tell us exactly what you think is wrong, making sure to give us repro steps. If we confirm it as a factual error, the KB should be corrected within a few weeks. If it comes down to semantics or a difference of opinion…well, as my wife says, “we’ll just have to agree to disagree” (i.e. Ned is wrong, Lisa is right, and there’s nothing Ned can do about it).
I need some deeper support than this blog is set up for and time is not an issue, but I am a bit strapped for cash. Is there anywhere reputable I can go?
Our community forums are an excellent place to ask deeper specific questions. These are moderated by MS support engineers and MVPs. Many questions can be answered quickly and reliably by trustworthy folks.
- TechNet forums (Windows, Exchange, Forefront, System Center, Office)
- MSDN forums (Programming languages, SQL)
If time and live support are critical though, open a support case. Time is money.
I reckon that’s enough for today. Have a nice weekend folks.
– Ned ‘going postal’ Pyle