Sam Erde
@SamErde
PowerShell MVP that is passionate about helping others succeed with Active Directory, Entra ID, Defender XDR, and Microsoft 365. Always learning! ✝️👨👩👧👦☕

ACTIVE DIRECTORY MIGRATION: PROPER CLEANUP, PROPER SETUP, and A LOT OF AD/GP READING TIPS!

As a part of the final steps of migrating Active Directory to a new domain controller, or domain controllers, where the FSMO Roles and Time Role have been transferred successfully to our new PDCe we offline the source DC(s). We do so for 30 days as a rule as any gremlins or hidden gems will almost always show up within the first 48 hours ... but just in case.

CRITICAL STEP - _MSDCS NS SERVERS
The first thing to do post 30 days is to make sure the _msdcs folder has the correct NS servers assigned as of that day. It also needs to be grey in colour to indicate AD DNS is healthy.

CRITICAL STEP - BACK UP THE PREVIOUS PDCe
We then take a final backup of the previous PDCe FSMO Role holder.

CRITICAL STEP - METADATA and DNS CLEANUP
We delete the old DC VM(s) then run a metadata cleanup in AD Sites & Services (NTDSUtil if stubborn) and DNS cleanup (NS and AD Folders).
1: DELETE their AD Object in the DC OU
2: DELETE their DNS A IP records
3: DELETE their DNS NS records
4: COMB & DELETE all AD FOLDER DNS references
5: VERIFY the _msdcs stub zone as above

CRITICAL CONSIDERATION - TOMBSTONE LIFETIME
Now, one should check the Tombstone Lifetime to verify if it is set to 30 days or not:
(Get-ADObject "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,DC=yourdomain,DC=com" -properties "tombstonelifetime").tombstonelifetime
If the tombstone lifetime is 30 days then change that setting to 45. It can be changed back once the migration is complete. Ours is set to the default 180 days.

CRITICAL STEP - VERIFY FSMO
# Check FSMO
Get-ADForest | Format-Table SchemaMaster,DomainNamingMaster
Get-ADDomain | Format-Table PDCEmulator,RIDMaster,InfrastructureMaster

CRITICAL STEP - AD REPLICATION
REPADMIN /REPLSUM
RepAdmin /ShowReps
RepAdmin /ShowRepl
RepAdmin /viewlist *
RepAdmin /SyncAll
RepAdmin /KCC
Dfsrdiag pollad
Dfsrdiag ReplicationState
dfsdiag /testdcs /domain:HQ.MyCompany.Com
Dcdiag /e /test:sysvolcheck /test:advertising
net share

CRITICAL STEP - AD OBJECT and GPO
Create a Test User on the PDCe
Verify that user on other DCs
Create a Test GPO on the PDCe
Verify the GUID and Date in SYSVOL
Check Other DCs \\MyOtherDC\SYSVOL
Edit the above on another DC

FURTHER READING AND TIPS
Phantoms, tombstones, and the infrastructure master
learn.microsoft.com/en-us/troubles…
Active Directory replication Event ID 2042: It has been too long since this machine replicated
learn.microsoft.com/en-us/troubles…
Reanimating Active Directory Tombstone Objects (Very Detailed)
learn.microsoft.com/en-us/previous…
How to create and manage the Central Store for Group Policy Administrative Templates in Windows
learn.microsoft.com/en-us/troubles…

Enable the AD Recycle Bin
# TODO AD Recycle Bin
$Domain = "MyDomain"
$TLD = "Com"
Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=$($Domain),DC=$($TLD)" -Scope ForestOrConfigurationSet -Target "$($Domain).$($TLD)"
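The post above lists the cleanup and verification steps as separate manual commands. The script below is an added example, not Sam Erde's code, that folds the checks from the "_MSDCS NS SERVERS", "METADATA and DNS CLEANUP", "TOMBSTONE LIFETIME", "VERIFY FSMO" and "AD REPLICATION" steps into one read-only report, so a retired DC that still shows up anywhere (FSMO owner, _msdcs NS record, A record, server or computer object, replication partner) is flagged in a single pass. It assumes the RSAT ActiveDirectory and DnsServer modules, a Domain Admin session, and that the `$Domain` and `$RetiredDc` values (placeholders here) are replaced with your own.

```powershell
#Requires -Modules ActiveDirectory, DnsServer
# Added example (not from the post above): read-only post-cleanup checks for a retired DC.
# Both parameters are placeholders; nothing here modifies AD or DNS.
param(
    [string]$Domain    = 'mydomain.com',   # placeholder: your AD DNS domain name
    [string]$RetiredDc = 'OLDDC01'         # placeholder: short name of the DC you removed
)

$findings  = [System.Collections.Generic.List[string]]::new()
$domainObj = Get-ADDomain -Identity $Domain
$pdce      = $domainObj.PDCEmulator
$forest    = Get-ADForest -Server $pdce
$configNC  = (Get-ADRootDSE -Server $pdce).configurationNamingContext

# Current DCs across the whole forest (the _msdcs zone is forest-wide, so NS records may name DCs in any domain).
$liveDcs = foreach ($d in $forest.Domains) { (Get-ADDomainController -Filter * -Server $d).HostName }

# 1. FSMO: no role may still resolve to the retired DC.
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domainObj.PDCEmulator
    RIDMaster            = $domainObj.RIDMaster
    InfrastructureMaster = $domainObj.InfrastructureMaster
}
foreach ($role in $fsmo.Keys) {
    if ($fsmo[$role] -like "$RetiredDc.*") { $findings.Add("FSMO role $role still held by $($fsmo[$role])") }
}

# 2. _msdcs NS records: every name server must be a current DC, and the retired DC must be gone.
$msdcsZone = "_msdcs.$($forest.RootDomain)"
$nsRecords = Get-DnsServerResourceRecord -ComputerName $pdce -ZoneName $msdcsZone -RRType NS -Name '@'
foreach ($rec in $nsRecords) {
    $ns = $rec.RecordData.NameServer.TrimEnd('.')
    if     ($ns -like "$RetiredDc.*")      { $findings.Add("Stale NS record in ${msdcsZone}: $ns") }
    elseif ($liveDcs -notcontains $ns)     { $findings.Add("NS record in $msdcsZone is not a current DC: $ns") }
}

# 3. Leftovers that metadata cleanup and DNS cleanup should have removed.
$serverObj = Get-ADObject -Server $pdce -SearchBase "CN=Sites,$configNC" `
    -Filter "objectClass -eq 'server' -and name -eq '$RetiredDc'"
if ($serverObj) { $findings.Add("Server object still present in Sites: $($serverObj.DistinguishedName)") }

$computerObj = Get-ADComputer -Server $pdce -SearchBase $domainObj.DomainControllersContainer `
    -Filter "name -eq '$RetiredDc'"
if ($computerObj) { $findings.Add("Computer object still present in Domain Controllers OU: $($computerObj.DistinguishedName)") }

$aRecords = Get-DnsServerResourceRecord -ComputerName $pdce -ZoneName $Domain -RRType A -Name $RetiredDc -ErrorAction SilentlyContinue
if ($aRecords) { $findings.Add("A record for $RetiredDc still exists in zone $Domain") }

# 4. Tombstone lifetime. The attribute is frequently unset, in which case the OS default applies
#    (60 days for forests created before Windows Server 2003 SP1, 180 days since).
$tsl = (Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
            -Server $pdce -Properties tombstoneLifetime).tombstoneLifetime
$tslText = if ($null -eq $tsl) { 'not set (OS default applies)' } else { "$tsl days" }
if ($tsl -and $tsl -le 30) {
    $findings.Add("Tombstone lifetime is only $tsl days; raise it (for example to 45) until the migration is complete")
}

# 5. Replication: a failure whose partner is the retired DC means a replication link survived cleanup.
$failures = Get-ADReplicationFailure -Target $Domain -Scope Domain
foreach ($f in $failures) {
    $tag = if ($f.Partner -like "*CN=$RetiredDc,*") { 'Stale replication partner' } else { 'Replication failure' }
    $findings.Add("$tag on $($f.Server): partner $($f.Partner), $($f.FailureCount) failures, last error $($f.LastError)")
}

[pscustomobject]@{
    Domain            = $Domain
    PDCEmulator       = $pdce
    TombstoneLifetime = $tslText
    LiveDCs           = ($liveDcs -join ', ')
    Findings          = if ($findings.Count) { $findings } else { @('No issues found') }
}
```

Run it from the new PDCe (or any machine with RSAT) after the 30-day offline window and again after the metadata and DNS cleanup; an empty Findings list is the state you want before the old VM is destroyed for good. It reports only, so it is safe to keep in a runbook and rerun; the repadmin and dcdiag commands in the post remain the place to look when it does flag a replication failure.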

Weekends are for building. Copilot Max users, check your account for an extra $200 in credits to power your next build in the GitHub Copilot app. Stand by for more offers for Pro and Pro+ users.


Holy Sh*t: that changes the whole Fable 5 story completely: On June 11, the very same day Amazon reportedly uncovered the jailbreak, “Mythos” allegedly breached almost all classified systems belonging to the NSA and U.S. Cyber Command, not over the course of weeks, but within hours. "On June 11th Mark Warner, the vice-chair of the Senate Intelligence Committee, said that General Joshua Rudd, who leads the National Security Agency and the Pentagon’s Cyber Command, had told him that Mythos “broke into almost all of our classified systems, not in weeks, but in hours”." Via Economist

Everyone knows @IAMERICAbooted's Microsoft 365 security truth bombs are must-reads. She's back on Entra Chat with a masterclass on securing M365 👇

Okay, I genuinely don't know what you all are smoking but I did NOT expect this post to go this feral. 😂 For context: I just wanted to share dumb little tips like this annoying Intune policy admins love rolling out. The one that blocks screenshots and copy/paste on your work Outlook or Teams. You know, for "security."
