
ADFS Authentication Failure (HTTP error 400) due to Token Size


Introduction

An HTTP 400 error is seen by the end user when trying to access an IIS web site that has Windows Authentication enabled. Not all users see this behavior; the affected user is typically a member of a large number of Active Directory groups.

Cause

When a user logs on to a workstation in the domain, a Kerberos authentication ticket is created which contains the user's Active Directory group information. When the browser (e.g. IE) performs pass-through authentication (Windows Authentication, aka IWA), it sends this Kerberos ticket in the header of the request so that IIS can consume the user information. If the user is a member of many AD groups, the Kerberos ticket may exceed the allowable limit configured on the IIS server side (in this case, the ADFS sign-in page).

Company mergers and acquisitions often result in Active Directory domain migrations. My experience has been that in many cases, these migrations are done with limited time set aside for any type of cleanup of group memberships. Often you’re dealing with years of accumulation of groups and unfortunately it seems with little documentation on what groups may not be necessary anymore. Post-migration, you have Active Directory objects stamped with SID History and possibly hundreds of groups that may or may not be necessary but no one has the time to research them to find out.

The downside to ending your migration here is that the SID History and stale group memberships all roll up into the client’s Kerberos token size. When the Kerberos token becomes excessively large, it can start to produce one issue after another.

Issue

Issues start to arise once the user’s Kerberos token exceeds 12,000 bytes; the user will start to run into odd issues with authentication and possibly Group Policy. You’ll find some organizations work around this by setting the “MaxTokenSize” setting in the workstation’s registry to the maximum value of 48,000 bytes (the actual maximum is 65,535 but the recommended is 48,000 for reasons beyond the scope of this post).

Other reference: http://blogs.technet.com/b/surama/archive/2009/04/06/kerberos-authentication-problem-with-active-directory.aspx

 

Explanation

The relevance to AD FS is that during AD FS authentication, the HTTP request sent to IIS carries the Kerberos token in an HTTP header. IIS has an HTTP header size limit of 16,384 bytes by default; after base64 encoding and overhead are accounted for, roughly 12,000 bytes remain for the Kerberos token.

During AD FS authentication, users with tokens in the 12,000-byte range will fail to authenticate. What the users will see, if they look closely enough, is an "HTTP 400 – Bad Request" response from the AD FS server.

Solution / Workarounds

Since the restriction here is the IIS header size, fixing just the AD FS servers may not be enough. You could certainly have other IIS-based applications in your environment that would experience the same error. The ideal solution would be to reduce the group memberships to the point that the Kerberos token size is in the allowable range. Unfortunately, this cleanup can’t always happen so the alternative is to increase the limits.

The registry values "MaxFieldLength" and "MaxRequestBytes" can be added on the AD FS server to allow a larger HTTP header that accommodates the large Kerberos token. Additional information on these values and their recommended maximums is available in Microsoft KB2020943. After a reboot of the AD FS server to apply the change, users with large Kerberos tokens should be able to authenticate successfully.

Token Calculation

Calculating a user's token size is a somewhat complicated process: the size depends on the types of groups the user belongs to, the group nesting, and the SID history in the environment. Microsoft's "Tokensz.exe" utility is probably your best way to estimate it.
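An added example, not code from the original post: this PowerShell estimates a user's Kerberos token size with the Microsoft KB327825 formula (TokenSize = 1200 + 40d + 8s, which the post does not quote; Tokensz.exe stays the more accurate measurement) and applies the MaxFieldLength / MaxRequestBytes registry change from the Solution section. It assumes the ActiveDirectory RSAT module and that the values actually written to the registry are taken from KB2020943; the OU in the usage line is a constructed placeholder.

```powershell
# Added example, not part of the original post.
# Estimates a user's Kerberos token size with the Microsoft KB327825 formula
#     TokenSize = 1200 + 40*d + 8*s
# where d = domain local groups + universal groups from other domains + SIDs in sIDHistory
# and   s = global groups + universal groups from the user's own domain.
# Only groups in the user's account domain are enumerated; query a global catalog
# (port 3268) with -Server if foreign universal groups matter in your forest.
Import-Module ActiveDirectory

function Get-KerberosTokenEstimate {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # ~12,000 bytes is what the post says is left for the token under the default
        # 16,384-byte IIS header limit once base64 encoding and overhead are accounted for.
        [int]$HeaderBudgetBytes = 12000
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties sIDHistory
    $userDomainSid = $user.SID.AccountDomainSid.Value

    # Transitive (nested) membership in one query: LDAP_MATCHING_RULE_IN_CHAIN.
    # The primary group (normally Domain Users) is not listed in any 'member'
    # attribute, so $s starts at 1 to account for it.
    $filter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $groups = @(Get-ADGroup -LDAPFilter $filter)

    $d = 0
    $s = 1
    foreach ($g in $groups) {
        $sameDomain = ($g.SID.AccountDomainSid.Value -eq $userDomainSid)
        switch ($g.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($sameDomain) { $s++ } else { $d++ } }
        }
    }

    # Every SID kept in sIDHistory after a migration is carried in the token as well.
    $sidHistoryCount = ($user.sIDHistory | Measure-Object).Count
    $d += $sidHistoryCount

    $estimate = 1200 + 40 * $d + 8 * $s
    [pscustomobject]@{
        User                 = $user.SamAccountName
        DomainLocalOrForeign = $d
        GlobalOrSameDomain   = $s
        SidHistoryEntries    = $sidHistoryCount
        EstimatedTokenBytes  = $estimate
        ExceedsHeaderBudget  = ($estimate -gt $HeaderBudgetBytes)
    }
}

# Applies the change from the Solution section on an AD FS (or any IIS) server.
# HTTP.sys caps MaxFieldLength at 65534 and MaxRequestBytes at 16777216; the values
# to use in your environment come from KB2020943 and are deliberately not defaulted.
function Set-HttpSysHeaderLimits {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 65534)][int]$MaxFieldLength,
        [Parameter(Mandatory)][ValidateRange(1, 16777216)][int]$MaxRequestBytes
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name MaxFieldLength  -Value $MaxFieldLength  -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name MaxRequestBytes -Value $MaxRequestBytes -PropertyType DWord -Force | Out-Null
    Write-Warning 'HTTP.sys reads these values at start-up: reboot the server (or restart the HTTP service) to apply them.'
    Get-ItemProperty -Path $key | Select-Object MaxFieldLength, MaxRequestBytes
}

# Usage: list the users of a migrated OU (constructed placeholder) whose token is over budget.
# Get-ADUser -Filter * -SearchBase 'OU=Migrated,DC=mydomain,DC=local' |
#     ForEach-Object { Get-KerberosTokenEstimate -SamAccountName $_.SamAccountName } |
#     Where-Object ExceedsHeaderBudget
```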


How to configure Event forwarding?


Introduction:

Event forwarding (also called subscriptions) is a means of sending Windows event log entries from source computers to a collector. The same computer can act as a collector or as a source.

This technology uses WinRM (HTTP on TCP port 5985 with WinRM 2.0, TCP 80 with earlier versions). Be careful with the Windows Firewall and configure it to allow incoming WinRM requests.

MS reference:

http://windowsitpro.com/security/q-what-are-some-simple-tips-testing-and-troubleshooting-windows-event-forwarding-and-collec

http://technet.microsoft.com/en-us/library/cc749140.aspx

http://blogs.technet.com/b/askperf/archive/2010/09/24/an-introduction-to-winrm-basics.aspx

http://msdn.microsoft.com/en-us/library/aa384372(v=vs.85).aspx

Tutorials:

1st: Event forwarding between computers in a Domain

http://tutorial.programming4.us/windows_7/Forwarding-Events-(part-1)—How-to-Configure-Event-Forwarding-in-AD-DS-Domains.aspx

2nd: Event forwarding between computers in workgroup

http://tutorial.programming4.us/windows_7/Forwarding-Events-(part-2)—How-to-Troubleshoot-Event-Forwarding—How-to-Configure-Event-Forwarding-in-Workgroup-Environments.aspx

 

 


Controlling Printers in Active Directory?


Print management step by step guide: http://technet.microsoft.com/en-us/library/cc753109%28v=ws.10%29.aspx

How to use Group Policy settings to control printers in Active Directory: http://support2.microsoft.com/kb/234270/en-us

AD DS Printer publishing event IDs: http://technet.microsoft.com/en-us/library/cc773824%28v=ws.10%29.aspx

Requirements for proper function of the Directory Services Printer Pruner in an enterprise: http://support2.microsoft.com/kb/246269/en-us

Printer Pruner May Prune All the Print Queue Objects on Its Site: http://support2.microsoft.com/kb/246906


How does the printer pruner work?


Published printers disappear from AD!

Symptom:

I have a recurring problem that is strange. I have 90 published network printers on a server that on occasion will disappear from Active Directory. I have to stop/restart the spooler service on this server and on a DC in order to get the printers to reappear in the AD search option.

The DCs are running Win2K8 R2 with SP1. I do not have the "Directory pruning interval", "Directory pruning priority" or "Directory pruning retry" set within AD. … The user can still find the printer by going through the old NT4-style printer search.

Has anyone seen this issue before? If so, what is the cause and resolution for it?

Investigation:

The printer pruner can only run if the spooler service (Print Spooler) is running on at least one domain controller; if it is not, no pruning takes place. By default the spooler service runs automatically (in the context of the system account) on all domain controllers of a domain, except on Server Core, where the spooler service does not exist. When the spooler service is running, you can monitor event IDs 47 and 50.

Some things to check:

1. Is the print server correctly registered in DNS?
2. Is the DHCP Client service running on the print server? (Dynamic DNS updates require the DHCP Client service to be running.)
3. Is the subnet the print server is in correctly registered in AD?

The printer pruner runs on DCs (not as a service, but as a thread within the spooler service) and needs to contact the print queues on the print servers in order to check that they are still available. If there is poor connectivity between the DC(s) and the print server, you can see this type of unexpected pruning behaviour. Usually the problem is a misconfiguration in DNS, in which case you might get off-site DCs pruning the printers because of bad network connectivity.

Use the EventCombNT tool to search for events 47 and 50 in the System event log on the DCs. This will show you which DC is responsible for the pruning. From there you can generally work backwards to find the problem.

If the print server is in the same AD site as the DC (of course, check point 3 above), it's probably not a DNS issue if the DC in that site is pruning the printers. The pruner will only remove the printers from AD if it can't contact the print queue on the print server for some reason. Some of these reasons can be:

1. Outage of the printer server for a period of more than 24 hours (by default the pruner will try to make contact 3 times with 8 hour intervals before performing the removal).
2. Network problems between the DC and printer server.
3. Firewall between the DC and printer server.
4. Problems with the DC itself.

If you don't find a specific problem, you could try a workaround with Group Policy settings. First of all, increase the Directory pruning interval (from the default of 8 hours), together with the Directory pruning retry (from the default of 2 retries). You could also enable Check published state and set it to an appropriate value (12 hours should be sufficient). This is a useful setting in that it will cause pruned printers to be re-published without having to restart the spooler on the print server.

Note:

According to TechNet article 246906, "Printer Pruner May Prune All of the Print Queue Objects on Its Site": if the "Allow pruning of published printers" policy is disabled, enable the policy and set the interval to Never. => I wouldn't recommend that setting, as it effectively stops all pruning. Pruning is a good thing because it helps maintain current information in AD. Consider the following scenario: you have a print server that has some hardware problems. You take the server down, rebuild the machine with new hardware, give it a different name and republish all your newly created print queues. If you have pruning set to Never you will end up with two sets of print queue information in AD, because the old printer information will never go away. This is an extreme example, but similar things can happen on a smaller scale, e.g. one or two print queues removed long ago remain published in AD forever.

Troubleshooting for Published Printers Missing:

1. Launch GPEdit.msc on the Print Server.
2. Navigate to Computer Configuration / Administrative Templates / Printers.
3. Configure the Allow Pruning of Published Printers policy to Disabled.
4. Refresh group policy.

By default the DC checks 3 times with 8 hours between checks to determine if the printer is still valid before deleting it. "The Print Pruner is a thread that runs under the spooler context on all DCs. It uses ADSI calls (ADsGetObject, IID_IDirectorySearch->ExecuteSearch) to get the list of all the printQueue servers in the AD. To check whether the server is in the same site it uses a Winsock call (gethostbyname) and other net APIs (DsAddressToSiteNames, DsGetDcSiteCoverage). To check the print queue / print server availability it uses OS APIs (NetServerGetInfo, OpenPrinter, GetPrinter). So all the work by the pruner is done using ADSI, WinSock and OS functions."

Workaround to get the disappeared printers back:

Click on Start, Run, Services.msc
Stop and restart “Print Spooler” service

Note: When the spooler service is restarted on a print server it automatically republishes the printers.
Note: On a cluster service, just stop the Print Spooler service, since the cluster service will automatically start the service when it tries to bring the Print resource online.
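An added example, not code from the original post: this Windows PowerShell script performs the investigation steps described above, collecting events 47 and 50 from the System log of every DC (the EventCombNT search, done with Get-WinEvent) and running the three "things to check" against a print server. It assumes the ActiveDirectory and DnsClient RSAT modules and that remote event log and service access is allowed from the admin workstation to the DCs and the print server; the print server name in the usage line is a constructed placeholder.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory and DnsClient
# modules (RSAT); written for Windows PowerShell 3.0-5.1 (Get-Service -ComputerName).
Import-Module ActiveDirectory

# Is an IPv4 address inside a CIDR subnet such as 10.1.0.0/16? (IPv6 subnets are skipped.)
function Test-IPv4InSubnet {
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][string]$Cidr)
    if ($Cidr -match '^(\d+\.\d+\.\d+\.\d+)/(\d+)$') {
        $net  = [System.Net.IPAddress]::Parse($Matches[1]).GetAddressBytes()
        $bits = [int]$Matches[2]
        $addr = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
        for ($i = 0; $i -lt 4; $i++) {
            $take = [Math]::Min(8, [Math]::Max(0, $bits - 8 * $i))   # prefix bits in this octet
            $mask = (0xFF -shl (8 - $take)) -band 0xFF
            if (($net[$i] -band $mask) -ne ($addr[$i] -band $mask)) { return $false }
        }
        return $true
    }
    return $false
}

function Find-PrinterPruningEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    foreach ($dc in Get-ADDomainController -Filter *) {
        # Events 47 and 50 are written on the DC whose pruner thread removed the printer;
        # SilentlyContinue hides Get-WinEvent's "No events were found" error on quiet DCs.
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'System'; Id = 47, 50; StartTime = $Since } |
            ForEach-Object {
                [pscustomobject]@{
                    DomainController = $dc.HostName
                    Site             = $dc.Site
                    TimeCreated      = $_.TimeCreated
                    EventId          = $_.Id
                    Message          = ($_.Message -split "`r?`n")[0]
                }
            }
    }
}

function Test-PrintServerPublishing {
    param([Parameter(Mandatory)][string]$PrintServer)

    # Check 1: the print server has an A record in DNS.
    $addresses = @(Resolve-DnsName -Name $PrintServer -Type A -ErrorAction SilentlyContinue |
                   Where-Object QueryType -eq 'A' | Select-Object -ExpandProperty IPAddress)

    # Check 2: the DHCP Client service is running (it performs the dynamic DNS registration).
    $dhcp = Get-Service -Name Dhcp -ComputerName $PrintServer -ErrorAction SilentlyContinue

    # Check 3: one of those addresses falls inside a subnet defined in AD Sites and Services.
    $subnets = Get-ADReplicationSubnet -Filter *
    $matched = @(foreach ($ip in $addresses) {
        $subnets | Where-Object { Test-IPv4InSubnet -Address $ip -Cidr $_.Name }
    })

    [pscustomobject]@{
        PrintServer       = $PrintServer
        DnsRegistered     = ($addresses.Count -gt 0)
        DnsAddresses      = ($addresses -join ', ')
        DhcpClientRunning = ($null -ne $dhcp -and $dhcp.Status -eq 'Running')
        AdSubnet          = (($matched | ForEach-Object Name) -join ', ')
        # Site is a DN (CN=<site>,CN=Sites,...); keep only the site name
        AdSite            = (($matched | ForEach-Object { ($_.Site -split ',')[0] -replace '^CN=', '' }) -join ', ')
    }
}

# Usage (server name is a constructed placeholder):
# Find-PrinterPruningEvents | Sort-Object TimeCreated | Format-Table -AutoSize
# Test-PrintServerPublishing -PrintServer 'printsrv01.mydomain.local'
```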

Other resources:

http://www.adamfowlerit.com/2013/08/19/network-printers-keep-disappearing-from-directory-services/

http://blogs.technet.com/b/askperf/archive/2009/05/05/printing-and-active-directory.aspx

How to use Group Policy settings to control printers in Active Directory: http://support2.microsoft.com/kb/234270/en-us

Print management step by step guide: http://technet.microsoft.com/en-us/library/cc753109%28v=ws.10%29.aspx

AD DS Printer publishing event IDs: http://technet.microsoft.com/en-us/library/cc773824%28v=ws.10%29.aspx



Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server 2012


http://technet.microsoft.com/library/hh994618.aspx

 

If you want to create access control based on claims and compound authentication, you need to deploy Dynamic Access Control. This requires that you upgrade to Kerberos clients and use a KDC that support these new authorization types. With Windows Server 2012, you do not have to wait until all the domain controllers and the domain functional level are upgraded to take advantage of the new access control options.


How to use WUSA to install hotfixes


wusa <update>.msu /quiet /norestart /log

example: wusa d:\hotfixes\Windows8.1-KB29456426.msu /quiet /norestart

You can use the Windows Management Instrumentation Command-line (WMIC) to view the installed updates on your computer:

wmic qfe list

Caption CSName Description FixComments HotFixID InstallDate InstalledBy InstalledOn Name ServicePackInEffect Status

If the WMIC output is difficult to read, you can use systeminfo instead, as follows:

systeminfo | findstr /i /c:"KB29456426"

[18]: KB29456426

How to use WUSA with Powershell?

# Expand-Archive is built into PowerShell 5.0+; Expand-ZipFile was a third-party cmdlet
Get-Item .\*.zip | ForEach-Object { Expand-Archive -Path $_.FullName -DestinationPath d:\hotfixes -Force }

# Install each .msu silently and wait for wusa.exe to exit before starting the next one
Get-Item d:\hotfixes\*.msu | ForEach-Object { Write-Host "Installing $($_.Name)"; Start-Process wusa.exe -ArgumentList "`"$($_.FullName)`" /quiet /norestart" -Wait }

Get-HotFix | Where Description -match hotfix
(Get-HotFix | Where Description -match hotfix).count


CredSSP


http://blogs.technet.com/b/heyscriptingguy/archive/2012/11/14/enable-powershell-quot-second-hop-quot-functionality-with-credssp.aspx

Back in the Windows Vista days, we introduced a new security delegation module called Credential Security Service Provider (CredSSP). This was originally designed to work with Terminal Services because everything in Terminal Services is basically a second hop.

Also:

http://blogs.msdn.com/b/powershell/archive/2009/11/23/you-don-t-have-to-be-an-administrator-to-run-remote-powershell-commands.aspx

 

 


ADFS v2.1


ADFS deep dive planning and design: http://blogs.technet.com/b/askpfeplat/archive/2014/11/24/adfs-deep-dive-planning-and-design-considerations.aspx

Main Portal: http://technet.microsoft.com/en-us/windowsserver/dd448613.aspx

Technet videos: http://technet.microsoft.com/en-us/video/ff701694

Certificates requirements: http://technet.microsoft.com/en-us/library/dn151311.aspx Also previous: http://technet.microsoft.com/en-us/library/dd807040(v=ws.10).aspx . In general a standard SSL certificate will be sufficient and you can use the same certificate for token signing and SSL communications (if acceptable by your security policy).

Certificate Requirements for Federation Server Proxies: http://technet.microsoft.com/en-us/library/dd807054%28WS.10%29.aspx

Federation server proxies are usually exposed to computers on the Internet that are not included in your enterprise public key infrastructure (PKI). Therefore, use a server authentication certificate that is issued by a public (third-party) certification authority (CA), for example, VeriSign or Comodo. When you have a federation server proxy farm, all federation server proxy computers must use the same server authentication certificate. It is important to verify that the subject name in the server authentication certificate matches the Federation Service name value that is specified in the AD FS 2.1 Management snap-in. To locate this value, open the snap-in, right-click Service, click Edit Federation Service Properties, and then find the value in Federation Service name text box. Note: Client authentication certificates are not required for AD FS 2.0 federation server proxies.

How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates:  http://social.technet.microsoft.com/wiki/contents/articles/2554.aspx

Recommendations: http://blogs.technet.com/b/askpfeplat/archive/2013/07/22/faq-on-adfs-part-1.aspx

Prepare your network for federation servers: http://technet.microsoft.com/en-us/library/dn151322.aspx

and create A records for your AD Federation Service name, not CNAME records!

BIG-IP hardware load balancers and ADFS: http://www.f5.com/pdf/deployment-guides/microsoft-adfs-dg.pdf

Backup ADFS: http://social.technet.microsoft.com/wiki/contents/articles/2199.ad-fs-2-0-how-to-back-up-the-federation-service.aspx

Migrate ADFS DB to SQL: http://social.technet.microsoft.com/wiki/contents/articles/948.ad-fs-2-0-migrate-your-ad-fs-configuration-database-to-sql-server.aspx

Installation checklist: http://technet.microsoft.com/en-us/library/dd807086.aspx

In addition, this is an excellent article on configuring ADFS v. 2.0: http://www.sysadminsblog.com/microsoft/installing-and-configuring-adfs-2-0/

and http://www.theidentityguy.com/articles/tag/adfs-v2

example of implementation with a cloud service: http://support.druva.com/entries/21437659-How-to-install-and-Configure-Active-Directory-Federation-Services-for-Druva-inSync-Cloud-SAML-integr

ADFS design and deployment: http://technet.microsoft.com/en-us/library/dd391937(v=ws.10).aspx

Understanding the ADFS proxy: http://blogs.technet.com/b/askds/archive/2012/01/05/understanding-the-ad-fs-2-0-proxy.aspx

http://blogs.technet.com/b/adfs_documentation/

Planning Federation Server Proxy Placement: http://technet.microsoft.com/en-us/library/dd807130%28WS.10%29.aspx

Troubleshooting federation server proxy problems: http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-federation-server-proxy-problems%28WS.10%29.aspx

How to test if ADFS is functioning: http://www.dagint.com/2011/10/how-to-test-if-adfs-is-functioning/

Guidance for Selecting and Utilizing a Federation Service Name: http://social.technet.microsoft.com/wiki/contents/articles/4177.aspx

Proxy Management: http://blogs.msdn.com/b/card/archive/2010/06/02/ad-fs-2-0-proxy-management.aspx

Cmdlets in Windows PowerShell: http://technet.microsoft.com/en-us/library/ee892329.aspx

Replacing ADFS certificates: http://jorgequestforknowledge.wordpress.com/2013/05/15/replacing-adfs-certificates/

Enable auditing of issued claims: http://jorgequestforknowledge.wordpress.com/2013/07/08/enabling-auditing-of-issued-claims-in-adfs-v2-x-and-adfs-v3-x/

 

Other web resources about ADFS:

http://en.wikipedia.org/wiki/Active_Directory_Federation_Services

http://www.overthecloud.fr/?tag=adfs

http://www.cerberis.com/produit/direct-control-pour-adfs

http://www.centrify.com/directcontrol/adfs.asp

www.tdeig.ch/windows/pellarin_M2.pdf

http://blog.auth360.net/

http://jorgequestforknowledge.wordpress.com/

 

Use cases:

Steps by steps and use cases: http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(v=ws.10).aspx

http://bjornhouben.wordpress.com/tag/adfs-2-1/

http://www.flexecom.com/install-adfs-2-1-on-windows-server-2012-for-office-365-part-1/

http://www.flexecom.com/install-adfs-2-1-on-windows-server-2012-for-office-365-part-2/

http://blogs.msdn.com/b/stseverin/archive/2012/12/29/deploying-adfs-2-1-on-windows-server-2012-using-powershell.aspx

http://www.theidentityguy.com/articles/tag/adfs-v2


ADFS 3.0 (on W2k12 R2)


First impressions: http://blog.auth360.net/2013/09/13/first-impressions-ad-fs-and-windows-server-2012-r2-part-i/

ADFS overview: http://technet.microsoft.com/en-us/library/hh831502.aspx

Technet videos: http://technet.microsoft.com/en-us/video/ff701694

ADFS how to for Office 365 : http://goodworkaround.com/node/53

Replacing ADFS certificates: http://jorgequestforknowledge.wordpress.com/2013/05/15/replacing-adfs-certificates/

Enable auditing of issued claims: http://jorgequestforknowledge.wordpress.com/2013/07/08/enabling-auditing-of-issued-claims-in-adfs-v2-x-and-adfs-v3-x/

WAP (Web application proxy):

WAP Deployment using powershell: http://blog.kloud.com.au/2013/08/14/powershell-deployment-of-web-application-proxy-and-adfs-in-under-10-minutes/ 

Upgrading from ADFS 2.x to 3.0:

Web reference: http://technet.microsoft.com/en-us/library/dn486815.aspx

Principle:

You cannot upgrade a 2012 ADFS Proxy in place to a 2012 R2 ADFS Proxy (WAP).

You cannot mix a 2012 ADFS Proxy with internal ADFS servers on 2012 R2.

For proxies:

Add a new WAP proxy server (2012 R2) in the DMZ zone.

For internal ADFS servers:

Add a new 2012 R2 server in the same zone as the existing internal ADFS servers.

Migrate the WID database from the existing internal ADFS servers to the new 2012 R2 server.

Swap:

The DNS VIP of the HWLB in front of the ADFS proxies (exposed to the Internet) for adfs.mydomain.com does not change.

The DNS VIP of the HWLB in front of the internal ADFS servers for adfs.mydomain.com does not change.

But you need to add:

The new WAP IP addresses to the ADFS-Proxy pool on the HWLB device.

The new ADFS 2012 R2 IP addresses to the ADFS-Internal pool on the HWLB device.

Upgrading – other articles:

http://blogs.technet.com/b/askpfeplat/archive/2014/03/31/how-to-build-your-adfs-lab-part4-upgrading-to-server-2012-r2.aspx

http://jackstromberg.com/2013/12/tutorial-upgrading-from-adfs-2-0-server-2008-r2-to-adfs-3-server-2012-r2/

http://jorgequestforknowledge.wordpress.com/2014/03/12/additional-powershell-scripts-for-migrating-adfs-v2-x-to-adfs-v3-0/



How to check AD LDS or AD DS replication ?


There are various ways to check Active Directory replication status. You can use command-line tools as well as GUI tools to check the replication status for one or all domain controllers in an Active Directory forest. The REPADMIN command-line tool, which ships with Windows Server, has been the primary tool to check AD replication status since the release of Windows Server 2003.

ADREPLSTATUS, sometimes referred to as the Active Directory Replication Status Tool, is a GUI tool developed by Microsoft that also helps you find replication errors. The ADREPLSTATUS tool uses .NET Framework library functions to process replication status commands.

Starting with Windows Server 2012, Microsoft has also included the ability to check AD replication status using Windows PowerShell. There are six PowerShell cmdlets offered by Windows PowerShell on Windows Server 2012 and later versions of the operating system.

It is important to understand that before you can use AD replication PowerShell cmdlets, you must import the Active Directory PowerShell modules using the “Import-Module ActiveDirectory” command.

If you want to check AD DS or AD LDS replication convergence, I recommend the PowerShell scripts (they work well as is) here:

Note: Active Directory PowerShell modules are imported automatically on a domain controller running Windows Server 2012 R2.

The AD replication PowerShell cmdlets that we’ll look at are available on Windows Server 2012, Windows Server 2012 R2, Windows 8.0 and Windows 8.1. You must install Remote Server Administration Tools (RSAT) for AD DS on non-domain controllers to use these PowerShell cmdlets.

1. Get-ADReplicationFailure

The Get-ADReplicationFailure PowerShell cmdlet can be used to check AD replication status for all or specific Active Directory domain controllers. The Get-ADReplicationFailure cmdlet helps you get the information about replication failure for a specified server, site, domain, or Active Directory forest. For example, to get the replication status for a specific domain controller, failure counts, last error, and the replication partner it failed to replicate with, execute the command below:

  • Get-ADReplicationFailure DC1.mydomain.local

You can also set the scope to see the replication status for all domain controllers in a specific site. As an example, the below command returns the replication status for all domain controllers in the Atlanta Active Directory site and populates the result in a table:

  • Get-ADReplicationFailure -scope SITE -target Atlanta | FT Server, FirstFailureTime, FailureCount, LastError, Partner -AUTO

The above command fetches the replication status of all domain controllers in the Atlanta site and includes the date and time of the first failure, the total number of failures, the last error number, and the replication partner it failed with. The value returned in LastError is a number that can easily be decoded by running the NET HELPMSG <Error Number> command.

2. Get-ADReplicationAttributeMetadata

Get-ADReplicationAttributeMetadata shows the attribute and replication metadata for a specific Active Directory object. For example, to get an object’s replication metadata and attribute status, execute the command below:

  • Get-ADReplicationAttributeMetadata -Object "CN=Domain Admins,CN=myUsers,DC=mydomain,DC=local" -Server DC1 -ShowAllLinkedValues

The above command shows the replication metadata of the "Domain Admins" object. The ShowAllLinkedValues parameter instructs the command to return all linked values if any of the attributes of Domain Admins is multi-valued. This command is very useful if you are troubleshooting replication issues for a particular Active Directory object.

3. Get-ADReplicationPartnerMetadata

In case you need to see the replication metadata for a replication partner, use the Get-ADReplicationPartnerMetadata PowerShell cmdlet as shown in the following command:

  • Get-ADReplicationPartnerMetadata -target DC1.mydomain.Local

Running the above command shows information such as LastChangeUSN, whether compression is enabled, the date and time of the last replication attempt, and the date and time of the last successful replication. This is a very useful cmdlet if you need a view of the replication status for all domain controllers in the Active Directory forest. For example, the command below retrieves the metadata of every partner whose last replication result is non-zero, for all domain controllers:

  • Get-ADReplicationPartnerMetadata -Target * -Scope Server | where {$_.LastReplicationResult -ne "0"} | Format-Table Server, LastReplicationAttempt, LastReplicationResult, Partner

4. Get-ADReplicationQueueOperation

The Get-ADReplicationQueueOperation PowerShell cmdlet is useful if you need to know if any replication operations are pending on a specified server.

5. Sync-ADObject

The Sync-ADObject PowerShell cmdlet helps you replicate an Active Directory object to all the domain controllers across an Active Directory forest. The Sync-ADObject cmdlet can be very helpful if you need an object to be replicated immediately regardless of the replication interval. For example, the following command replicates the user "Jack" from DC1 to all the other domain controllers:

  • Get-ADDomainController -filter * | ForEach {Sync-ADObject -object "CN=Jack, OU=myUsers, DC=mydomain, DC=Local" -source DC1 -destination $_.hostname}

6. Get-ADReplicationUpToDatenessVectorTable

Using Get-ADReplicationUpToDatenessVectorTable, an Active Directory administrator can list the highest Update Sequence Number (USN) for a specified domain controller. To get the highest USN for a specific domain controller, execute the command below:

  • Get-ADReplicationUpToDatenessVectorTable -Target DC1.mydomain.local

In case you need to see the highest USN for a specific Active Directory partition, use the -Partition switch as highlighted in the command below:

  • Get-ADReplicationUpToDatenessVectorTable -Target DC1,DC2 -Partition Schema

The above command retrieves the highest USN of the Schema partition for both the DC1 and DC2 domain controllers.
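An added example, not code from the original post: this PowerShell combines the cmdlets above into a replication health report, listing every Get-ADReplicationFailure entry and every partner whose LastReplicationResult is non-zero or whose last success is stale, with the error number decoded to the same text NET HELPMSG prints. It assumes the ActiveDirectory RSAT module and RPC access to all domain controllers.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Same text as "NET HELPMSG <n>": LastError / LastReplicationResult are Win32 error codes (0 = success).
function ConvertFrom-ReplicationError {
    param([Parameter(Mandatory)][int]$Code)
    if ($Code -eq 0) { return 'Success' }
    ([System.ComponentModel.Win32Exception]$Code).Message
}

function Get-ReplicationHealthReport {
    param(
        # Scope/Target pairs as both cmdlets accept them: Domain + DNS name, Site + site name,
        # Server + DC name, Forest + forest name.
        [ValidateSet('Domain', 'Forest', 'Site', 'Server')][string]$Scope = 'Domain',
        [string]$Target = (Get-ADDomain).DNSRoot,
        # Partners with no successful replication for this long are reported even when
        # their last result is 0 (for example when no attempt is being made at all).
        [int]$StaleHours = 24
    )
    $cutoff = (Get-Date).AddHours(-$StaleHours)

    # 1. Recorded failures, one row per (server, partner), as Get-ADReplicationFailure reports them.
    $failures = Get-ADReplicationFailure -Scope $Scope -Target $Target | ForEach-Object {
        [pscustomobject]@{
            Source       = 'Failure'
            Server       = $_.Server
            Partner      = $_.Partner
            Partition    = $null
            Failures     = $_.FailureCount
            FirstFailure = $_.FirstFailureTime
            LastSuccess  = $null
            ErrorCode    = $_.LastError
            ErrorText    = ConvertFrom-ReplicationError -Code $_.LastError
        }
    }

    # 2. Partner metadata (inbound and outbound), filtered like the example above but
    #    also catching partners that report success yet have gone stale.
    $partners = Get-ADReplicationPartnerMetadata -Scope $Scope -Target $Target -PartnerType Both |
        Where-Object { $_.LastReplicationResult -ne 0 -or $_.LastReplicationSuccess -lt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Source       = 'PartnerMetadata'
                Server       = $_.Server
                Partner      = $_.Partner
                Partition    = $_.Partition
                Failures     = $_.ConsecutiveReplicationFailures
                FirstFailure = $null
                LastSuccess  = $_.LastReplicationSuccess
                ErrorCode    = $_.LastReplicationResult
                ErrorText    = ConvertFrom-ReplicationError -Code $_.LastReplicationResult
            }
        }

    @($failures) + @($partners) | Sort-Object Server, Partner, Partition
}

# Usage:
# Get-ReplicationHealthReport | Format-Table Source, Server, Partner, Partition, Failures, LastSuccess, ErrorCode, ErrorText -AutoSize
# Get-ReplicationHealthReport -Scope Site -Target Atlanta -StaleHours 4
```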


DFS and DFS-R troubleshooting and resources


Hi folks, here are web resources to implement and troubleshoot MS DFS and MS DFS-R:

DFS Replication in Windows Server 2012 R2 : http://blogs.technet.com/b/filecab/archive/2013/08/20/dfs-replication-in-windows-server-2012-r2-if-you-only-knew-the-power-of-the-dark-shell.aspx

DFS Replication Initial Sync in Windows Server 2012 R2: http://blogs.technet.com/b/filecab/archive/2013/08/21/dfs-replication-initial-sync-in-windows-server-2012-r2-attack-of-the-clones.aspx

DFS Replication in Windows Server 2012 R2: Restoring Conflicted, Deleted and PreExisting files with Windows PowerShell: http://blogs.technet.com/b/filecab/archive/2013/08/23/dfs-replication-in-windows-server-2012-r2-restoring-conflicted-deleted-and-preexisting-files-with-windows-powershell.aspx

Understanding DFS (how it works): http://technet.microsoft.com/en-us/library/cc782417(v=WS.10).aspx

=> Several mechanisms are involved: routing, DNS, AD sites and subnets topology, WINS; the following firewall ports and rules should be open (RPC, SMB…):

NetBIOS Name Service:  Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/UDP 137

NetBIOS Datagram Service: Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/138

NetBIOS Session Service: Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/139

LDAP Server: Domain controllers TCP/UDP 389

Remote Procedure Call (RPC) endpoint mapper: Domain controllers TCP/135

Server Message Block (SMB): Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/UDP 445
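As an added example that is not part of the original post, this PowerShell checks from a DFS client that the ports in the table above are reachable on each role (domain controllers, root servers that are not DCs, link targets). Test-NetConnection can only probe TCP, so the UDP entries are reported as not tested; it assumes Windows PowerShell 4.0+ and the ActiveDirectory module, and the server names in the usage line are constructed placeholders.

```powershell
# Added example, not part of the original post. Assumes Windows PowerShell 4.0+
# (Test-NetConnection) and the ActiveDirectory module for the DC list.
Import-Module ActiveDirectory

# The port table above, one row per service. Roles lists who must accept the port:
# DC = domain controllers, Root = root servers that are not DCs, Target = link targets.
$DfsPortTable = @(
    @{ Service = 'NetBIOS Name Service';     Port = 137; Protocols = 'TCP', 'UDP'; Roles = 'DC', 'Root', 'Target' }
    @{ Service = 'NetBIOS Datagram Service'; Port = 138; Protocols = 'TCP';        Roles = 'DC', 'Root', 'Target' }
    @{ Service = 'NetBIOS Session Service';  Port = 139; Protocols = 'TCP';        Roles = 'DC', 'Root', 'Target' }
    @{ Service = 'LDAP';                     Port = 389; Protocols = 'TCP', 'UDP'; Roles = 'DC' }
    @{ Service = 'RPC endpoint mapper';      Port = 135; Protocols = 'TCP';        Roles = 'DC' }
    @{ Service = 'SMB';                      Port = 445; Protocols = 'TCP', 'UDP'; Roles = 'DC', 'Root', 'Target' }
)

function Test-DfsPorts {
    param(
        [string[]]$DomainControllers = @(Get-ADDomainController -Filter * | ForEach-Object HostName),
        [string[]]$RootServers = @(),
        [string[]]$LinkTargets = @()
    )
    $hosts = @()
    foreach ($n in $DomainControllers) { $hosts += @{ Name = $n; Role = 'DC' } }
    foreach ($n in $RootServers)       { $hosts += @{ Name = $n; Role = 'Root' } }
    foreach ($n in $LinkTargets)       { $hosts += @{ Name = $n; Role = 'Target' } }

    foreach ($h in $hosts) {
        foreach ($row in ($DfsPortTable | Where-Object { $_.Roles -contains $h.Role })) {
            foreach ($proto in $row.Protocols) {
                $result = if ($proto -eq 'TCP') {
                    # -InformationLevel Quiet returns $true/$false; the "TCP connect failed" warning is silenced.
                    $ok = Test-NetConnection -ComputerName $h.Name -Port $row.Port -InformationLevel Quiet -WarningAction SilentlyContinue
                    if ($ok) { 'Open' } else { 'Blocked' }
                } else {
                    'NotTested'   # UDP cannot be verified with a TCP connect; check the firewall rule by hand
                }
                [pscustomobject]@{
                    Host = $h.Name; Role = $h.Role; Service = $row.Service
                    Port = $row.Port; Protocol = $proto; Result = $result
                }
            }
        }
    }
}

# Usage (root server and link target names are constructed placeholders):
# Test-DfsPorts -RootServers 'dfsroot01.mydomain.local' -LinkTargets 'fs01.mydomain.local', 'fs02.mydomain.local' |
#     Where-Object Result -ne 'Open' | Format-Table -AutoSize
```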

Extract from Microsoft TechNet: "When a client requests a referral from a domain controller, the DFS service on the domain controller uses the site information defined in Active Directory (through the DsAddressToSiteNames API) to determine the site of the client, based on the client's IP address. DFS stores this information in the client site cache."
"DFS clients store root referrals and link referrals in the referral cache (also called the PKT cache). These referrals allow clients to access the root and links within a namespace. You can view the contents of the referral cache by using Dfsutil.exe with the /pktinfo"
"You can view the domain cache on a client computer by using the Dfsutil.exe command-line tool with the /spcinfo parameter"

Implementing DFS-R: http://technet.microsoft.com/en-us/library/cc770925.aspx AND DFS-R FAQ: http://technet.microsoft.com/en-us/library/cc773238.aspx, delegate DFS-R permissions: http://technet.microsoft.com/en-us/library/cc771465.aspx

Implementing DFS Namespace: http://technet.microsoft.com/en-us/library/cc730736.aspx AND DFS-N FAQ: http://technet.microsoft.com/fr-fr/library/ee404780(v=ws.10).aspx

Consolidation of multiple DFS namespaces in a single one : http://blogs.technet.com/b/askds/archive/2013/02/06/distributed-file-system-consolidation-of-a-standalone-namespace-to-a-domain-based-namespace.aspx

Netmon trace digest: http://blogs.technet.com/b/josebda/archive/2009/04/15/understanding-windows-server-2008-dfs-n-by-analyzing-network-traces.aspx

DFS 2008 step by step: http://technet.microsoft.com/en-us/library/cc732863(WS.10).aspx

DFS tuning and troubleshooting:

DFS-N and DFS-R from the command line (in French): http://blogcastrepository.com/blogs/benoits/archive/2009/08/22/dfs-n-et-dfs-r-en-ligne-de-commande.aspx

DFSR: the most useful commands (in French): http://www.monbloginfo.com/2011/03/02/dfsr-les-commandes-les-plus-utiles/

and http://blogs.technet.com/b/filecab/archive/2009/05/28/dfsrdiag-exe-replicationstate-what-s-dfsr-up-to.aspx

Tuning DFS: http://technet.microsoft.com/en-us/library/cc771083.aspx and Tuning DFS Replication performance : http://blogs.technet.com/b/askds/archive/2010/03/31/tuning-replication-performance-in-dfsr-especially-on-win2008-r2.aspx

DFSutil command line:  http://technet.microsoft.com/fr-fr/library/cc776211(v=ws.10).aspx AND http://technet.microsoft.com/en-us/library/cc779494(v=ws.10).aspx

Performance tuning guidelines for Windows 2008 R2: http://msdn.microsoft.com/en-us/windows/hardware/gg463392.aspx

Monitoring:

DFSRMon utility: http://blogs.technet.com/b/domaineetsecurite/archive/2010/04/14/surveillez-en-temps-r-el-la-r-plication-dfsr-gr-ce-dfsrmon.aspx

or  DfsrAdmin.exe in conjunction with Scheduled Tasks to regularly generate health reports: http://go.microsoft.com/fwlink/?LinkId=74010

Server side:

DFS: some notions: A referral is an ordered list of targets that a client computer receives from a domain controller or namespace server when the user accesses a namespace root or folder with targets. After the client receives the referral, the client attempts to access the first target in the list. If the target is not available, the client attempts to access the next target.

tip1) dfsutil /domain: displays all namespaces in the domain: dfsutil /domain:mydomain.local /view

tip2) You can check the size of an existing DFS namespace by using the following syntax in Dfsutil.exe:

dfsutil /root:\\mydomain.local\rootname /view (for domain-based DFS)
dfsutil /root:\\dfsserver\rootname /view (for stand-alone DFS)

tip3) Enable the insite setting on a DFS root when you do not want DFS clients to connect to targets outside their own site, i.e. when you want clients to stay inside the site they are in and avoid using expensive WAN links. With insite enabled, a client only receives referrals to targets in its own site; if there is no target in that site, the client gets no referral at all, so make sure every site that needs the namespace has a target.
dfsutil /insite:\\mydomain.local\dfsroot /enable

tip4) Site costing: you want DFS clients to be able to connect to targets outside their own site, but you want them to try the closest (lowest-cost) site first, saving expensive network bandwidth:

ex: dfsutil /root:\\mydomain.local\sales /sitecosting /view (or /enable, or /disable)

If you do not know whether a root is site-costing aware, you can check its status by substituting the /display parameter for the /sitecosting parameter.

tip5) Enable root scalability mode: you enable root scalability mode by using the /RootScalability parameter in Dfsutil.exe, which you can install from the \Support\Tools folder on the Windows Server 2003 operating system CD. When root scalability mode is enabled, DFS root servers get updates from the closest domain controller instead of the server acting as the PDC emulator master.
As a result, root scalability mode reduces network traffic to the PDC emulator master at the cost of slower propagation of updates to all root servers. (When you make changes to the namespace, the changes are still made on the PDC emulator master, but the root servers no longer poll the PDC emulator master hourly for those changes; instead, they poll the closest domain controller, which only sees the change once AD replication has delivered it.)
With this mode enabled, you can have as many root targets as you need, as long as the size of the DFS Active Directory object (for each root) is less than 5 MB. Do not use root scalability mode if any of the following conditions exist in your organization:
  • Your namespace changes frequently, and users cannot tolerate having inconsistent views of the namespace.
  • Domain controller replication is slow. This increases the amount of time it takes for the PDC emulator master to replicate DFS changes to other domain controllers, which, in turn, replicate changes to the root servers. Until this replication completes, the namespace will be inconsistent across root servers.

ex: dfsutil /root:\\mydomain.local\sales /rootscalability /view or /enable or /disable

tip6) Dfsdiag utility: http://blogs.technet.com/b/filecab/archive/2008/10/24/what-does-dfsdiag-do.aspx

/testdcs: With this you can check the configuration of the domain controllers. It performs the following tests:

  • Verifies that the DFS Namespace service is running on all the DCs and its Startup Type is set to Automatic.
  • Check for the support of site-costed referrals for NETLOGON and SYSVOL.
  • Verify the consistency of site association by hostname and IP address on each DC.

To run this command against your domain mydomain.local just type:

DFSDiag /testdcs /domain:mydomain.local

DFSDiag /testdcs > dfsdiag_testdcs.txt

/testsites: Used to check the configuration of Active Directory Domain Services (AD DS) sites by verifying that servers that act as namespace servers or folder (link) targets have the same site associations on all domain controllers.

So for a machine you will be running something like: DFSDiag /testsites /machine:MyDFSServer

For a folder (link): DFSDiag /testsites /dfspath:\\mydomain.local\MyNamespace\MyLink /full

For a root: DFSDiag /testsites /dfspath:\\mydomain.local\MyNamespace /recurse /full

/testdfsconfig:  With this you can check the DFS namespace configuration. The tests that perform are:

  • Verifies that the DFS Namespace service is running and that its Startup Type is set to Automatic on all namespace servers.
  • Verifies that the DFS registry configuration is consistent among namespace servers.
  • Validates the following dependencies on clustered namespace servers that are running Windows Server 2008 (not supported for Windows Server 2003 clusters):
    • Namespace root resource dependency on network name resource.
    • Network name resource dependency on IP address resource.
    • Namespace root resource dependency on physical disk resource.

To run this you just need to type:  DFSDiag /testdfsconfig /dfsroot:\\mydomain.local\MyNamespace

/testdfsintegrity: Used to check the namespace integrity. The tests performed are:

  • Checks for DFS metadata corruption or inconsistencies between domain controllers
  • In Windows 2008 server, validates that the Access Based Enumeration state is consistent between DFS metadata and the namespace server share.
  • Detect overlapping DFS folders (links), duplicate folders and folders with overlapping folder targets (link targets).

To check the integrity of your domain mydomain.local:

DFSDiag /testdfsintegrity /dfsroot:\\mydomain.local\MyNamespace

DFSDiag.exe /testdfsintegrity /dfsroot:\\mydomain.local\MyNamespace /recurse /full > dfsdiag_testdfsintegrity.txt

Additionally you can specify /full, /recurse, which in this case, /full verifies the consistency of share and NTFS ACLs in all the folder targets. It also verifies that the Online property is set in all the folder targets. /recurse performs the testing including the namespace interlinks.

/testreferral: Perform specific tests, depending on the type of referral being used.

  • For Trusted Domain referrals, validates that the referral list includes all trusted domains.
  • For Domain referrals, perform a DC health check as in /testdcs
  • For Sysvol and Netlogon referrals, performs the validation for Domain referrals and checks that the referral TTL has its default value (900 s).
  • For namespace root referrals, performs the validation for Domain referrals, a DFS configuration check (as in /testdfsconfig) and a namespace integrity check (as in /testdfsintegrity).
  • For DFS folder referrals, in addition to performing the same health checks as for a namespace root, this command validates the site configuration of the folder targets (as in DFSDiag /testsites) and validates the site association of the local host.

Again for your namespace mydomain.local:

DFSDiag /testreferral /dfspath:\\mydomain.local\MyNamespace

DFSDiag.exe /testreferral /dfspath:\\mydomain.local\MyNamespace /full > dfsdiag_testreferral.txt

There is also the option to use /full as an optional parameter, but this only applies to Domain and Root referrals. In these cases /full verifies the consistency of site association information between the registry and Active Directory.

Domain controllers:

Evaluate domain controller health, site configurations, FSMO ownerships, and connectivity:

Use Dcdiag.exe to check if domain controllers are functional. Review this for comprehensive details about dcdiag:

    Dcdiag /v /f:Dcdiag_verbose_output.txt

    Dcdiag /v /test:dns /f:DCDiag_DNS_output.txt

    Dcdiag /v /test:topology /f:DCDiag_Topology_output.txt

Active Directory replication

If DCDiag finds any replication failures and you need additional details about them, Ned wrote an excellent article a while back that covers how to use the Repadmin.exe utility to validate the replication health of domain controllers:

    Repadmin /replsummary * > repadmin_replsummary.txt

    Repadmin /showrepl * > repadmin_showrepl.txt

Always validate the health of the environment prior to utilizing a namespace.

Clients:

  • dfsutil /root:\\mydomain.local\myroot /view /verbose    ; display the content of root dfs (links…)
  • dfsutil /pktinfo     ;to display the client cache
  • dfsutil /spcinfo     ; the domain cache on a client computer
  • dfsutil /purgemupcache ; flushes the MUP cache, which stores information about which redirector (DFS, SMB, WebDAV…) is required for each UNC path
  • dfsutil /pktflush   ; a special problem-repair command that should only be executed on the client (see below)

The PKT cache keeps information about referrals for previously accessed DFS paths. If any path is accessed after flushing this cache, the appropriate server(s) will be contacted again to get new referrals.

A client benefits from high availability in DFS by getting a list of link target referrals within the same site as well as targets in farther sites. In some cases targets in the closer sites may be inaccessible at the beginning of the client’s use, causing the client to fail over (successfully) to a target at a farther site. Once a closer and less expensive target is available again, you would like the client to use it. If you do not want to reboot the client to cause a closer site to be selected, run dfsutil /pktflush: this flushes the local partition knowledge table (PKT) and forces the client to get the referral list of the targets from the server again. Some of the entries in the PKT may not get flushed, especially if DFS is in the process of using the referrals. Once the PKT is flushed from the client cache, the client gets a new list of referrals from the server and will try the closer targets first.

Example:

If your support is asking you to check a problem on  root DFS or client computer: ie. \\mycompany.net\rootdfs

The commands I used are:

For \\mycompany.net\rootdfs (from admin wks):
Dfsdiag /testreferral /dfspath:\\mycompany.net\rootdfs    => OK
Dfsdiag /testdfsconfig /dfsroot:\\mycompany.net\rootdfs    => OK
Dfsdiag /testsites /dfspath:\\mycompany.net\rootdfs       => OK

If those three tests pass, suspect a problem on the clients (an intermittent DNS, WINS or DFS cache problem):

Check Naming resolution with DNS
Check Naming resolution with WINS

On client PC, if problem occurs, check and flush the cache:

To check:
dfsutil /root:\\mycompany.net\rootdfs /view /verbose    ; display the content of the DFS root (links…)
dfsutil /pktinfo                                        ; display the client referral (PKT) cache
dfsutil /spcinfo                                        ; display the domain cache on the client computer
To flush:
dfsutil /purgemupcache                                  ; this cache stores information about which redirector (DFS, SMB, WebDAV…) is required for each UNC path
dfsutil /pktflush                                       ; flushes the local partition knowledge table (PKT)
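The walk-through above is a manual sequence of Dfsdiag and Dfsutil calls. The following is an added example, not code from the original post, that wraps the same server-side tests (plus /testdfsintegrity) in one function that keeps the full logs and flags any line reporting an error, and a second function for the client-side check-then-flush step. It assumes Dfsdiag.exe and Dfsutil.exe are on the PATH (DFS Management tools / RSAT) and uses the hypothetical namespace \\mycompany.net\rootdfs; the "error/fail/warning" pattern used to grade a run is an assumption, so always read the log when a test is reported as CHECK.

```powershell
# Added example (not from the original post). Assumes dfsdiag.exe / dfsutil.exe
# are on the PATH and that \\mycompany.net\rootdfs is a hypothetical namespace.

function Test-DfsNamespaceHealth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $NamespacePath,   # e.g. \\mycompany.net\rootdfs
        [string] $ReportFolder = (Join-Path $env:TEMP 'dfsdiag')
    )
    New-Item -ItemType Directory -Path $ReportFolder -Force | Out-Null

    # The three server-side tests from the walk-through, plus the integrity test.
    $tests = @(
        @{ Name = 'testreferral';     Args = @('/testreferral',     "/dfspath:$NamespacePath", '/full') }
        @{ Name = 'testdfsconfig';    Args = @('/testdfsconfig',    "/dfsroot:$NamespacePath") }
        @{ Name = 'testsites';        Args = @('/testsites',        "/dfspath:$NamespacePath", '/recurse', '/full') }
        @{ Name = 'testdfsintegrity'; Args = @('/testdfsintegrity', "/dfsroot:$NamespacePath", '/recurse', '/full') }
    )

    foreach ($t in $tests) {
        $log  = Join-Path $ReportFolder ("dfsdiag_{0}.txt" -f $t.Name)
        $argv = $t.Args
        # Capture stdout and stderr; Dfsdiag reports findings as plain text, so keep the whole log.
        $out = & dfsdiag.exe @argv 2>&1
        $out | Set-Content -Path $log
        # Assumption: a clean run has no line mentioning error/fail/warning.
        $findings = @($out | Where-Object { "$_" -match '(?i)\b(error|fail|warning)' })
        [pscustomobject]@{
            Test     = $t.Name
            Result   = if ($findings.Count -gt 0) { 'CHECK' } else { 'OK' }
            Findings = $findings.Count
            Log      = $log
        }
    }
}

function Reset-DfsClientCache {
    # Client-side part of the walk-through: show the caches, then flush MUP and PKT.
    # -WhatIf shows the caches without flushing anything.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $NamespacePath)
    & dfsutil.exe "/root:$NamespacePath" /view /verbose
    & dfsutil.exe /pktinfo
    & dfsutil.exe /spcinfo
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Flush MUP cache and PKT cache')) {
        & dfsutil.exe /purgemupcache
        & dfsutil.exe /pktflush
    }
}

# Usage (from an admin workstation with the DFS tools installed):
# Test-DfsNamespaceHealth -NamespacePath '\\mycompany.net\rootdfs' | Format-Table -AutoSize
# Reset-DfsClientCache -NamespacePath '\\mycompany.net\rootdfs' -WhatIf
```

Run the server-side function first; only if every test comes back OK is it worth flushing caches on the client, exactly as the walk-through orders the steps.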


How to disable DFS target or DFS namespace?

Windows Forensics: WinRM – who is connected to your computer?

Finding remote session connected to your computer?
who is running a (hidden) remote PowerShell on your machine? Here’s a simple one-liner:
Get-WSManInstance -ConnectionURI ('http://{0}:5985/wsman' -f $env:computername) -ResourceURI shell -Enumerate
It will return every shell currently connected via port 5985 (the default WinRM HTTP listener) to your machine, with its owner and client IP. However, if you are not running in a domain environment, you first have to allow non-Kerberos connections by adding the host to the client's TrustedHosts list (remember that without Kerberos you no longer know for sure that the target computer really is the computer it pretends to be, so scope the entry to the host you actually need rather than *):
Set-Item WSMan:\localhost\Client\TrustedHosts $env:computername -Force
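The one-liner lists the WinRM shells but not the process behind each one. The following is an added example, not code from the original post, that runs the same enumeration and pairs every shell with its wsmprovhost.exe host process (the process that hosts a remote PowerShell session), so a hidden session shows up with owner, client IP, idle time and the account the host process runs as. It assumes WinRM is listening on 5985 (use -UseSsl -Port 5986 for HTTPS), that it runs elevated (Win32_Process owner lookup needs it), and that the shell enumeration returns the ShellId, Owner, ClientIP, ProcessId, IdleTime and State properties; those property names are an assumption to verify on your version of Windows.

```powershell
# Added example (not from the original post). Assumes an elevated session and
# a WinRM HTTP listener on 5985; property names on the Shell objects are assumed.

function Get-WinRmRemoteShell {
    [CmdletBinding()]
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [int]    $Port = 5985,
        [switch] $UseSsl
    )
    $scheme = if ($UseSsl) { 'https' } else { 'http' }
    $uri    = '{0}://{1}:{2}/wsman' -f $scheme, $ComputerName, $Port

    # Same enumeration as the one-liner above; fails cleanly if WinRM is stopped
    # or the host is neither Kerberos-reachable nor in TrustedHosts.
    $shells = @(Get-WSManInstance -ConnectionURI $uri -ResourceURI shell -Enumerate -ErrorAction Stop)

    # Index the wsmprovhost.exe processes by PID, with the account each runs as.
    $hosts = @{}
    Get-CimInstance Win32_Process -Filter "Name = 'wsmprovhost.exe'" | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $hosts[[int]$_.ProcessId] = [pscustomobject]@{
            User        = if ($owner.ReturnValue -eq 0) { '{0}\{1}' -f $owner.Domain, $owner.User } else { $null }
            CommandLine = $_.CommandLine
            Started     = $_.CreationDate
        }
    }

    foreach ($s in $shells) {
        $hostPid = [int]$s.ProcessId
        $h = $hosts[$hostPid]
        [pscustomobject]@{
            ShellId   = $s.ShellId
            Owner     = $s.Owner      # account that opened the session, as seen by WinRM
            ClientIP  = $s.ClientIP   # where the connection came from
            State     = $s.State
            IdleTime  = $s.IdleTime
            ProcessId = $hostPid
            HostUser  = if ($h) { $h.User }    else { $null }   # account wsmprovhost.exe runs as
            HostStart = if ($h) { $h.Started } else { $null }
        }
    }
}

# Usage:
# Get-WinRmRemoteShell | Format-Table -AutoSize
```

A shell whose Owner or ClientIP you do not recognise is the lead to follow: check the Security log for the matching network logon (event 4624, logon type 3) from that ClientIP, and look at the child processes of the wsmprovhost.exe PID before you terminate it.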

AD DS things to check after dcpromo !


Things to check after dcpromo:

1) Check inbound and outbound AD replication:

To determine this, execute: REPADMIN /SHOWREPL /REPSTO

Make sure the last successful attempts with every partner are recent (and in any case well within the tombstone lifetime of the AD forest, otherwise lingering objects become a risk).

2) If the DC is a GC, check it has finished the build of the GC partitions and it is advertising itself:

To determine this, execute: Get-WinEvent -LogName "Directory Service" | ?{$_.Id -eq 1119} | FL

3) Check the SYSVOL has been initialized and finished initial replication

To determine this, execute: Get-WinEvent -LogName "DFS Replication" | ?{$_.Id -eq 4604} | FL

4) In addition, check the NETLOGON and SYSVOL shares are in place:

To determine this, execute: NET SHARE

5) Check Event Logs:

The following event logs will help determine the health of the DC. Check the events with warnings or errors and resolve anything that needs to be resolved:

Event Logs:

Directory Service
DFS Replication
File Replication Service
DNS Server
Application
System

6) Run DCDIAG:

To do this, execute: DCDIAG /C /D /V
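The six checks above are usually typed one by one on the new DC. The following is an added example, not code from the original post, that runs them in order on the local DC and returns one pass/fail row per check, keeping the full repadmin and dcdiag output as files for review. It assumes an elevated session on the new DC (repadmin.exe and dcdiag.exe are present on every DC), the event IDs quoted in the post (Directory Service 1119 = now advertising as a GC, DFS Replication 4604 = SYSVOL initialised), and a 24-hour look-back for events; the text patterns used to grade repadmin and dcdiag output are an assumption, so a failed row means "read the file", not a diagnosis.

```powershell
# Added example (not from the original post). Run elevated on the freshly
# promoted DC; text patterns used to grade repadmin/dcdiag output are assumptions.

function Test-NewDomainController {
    [CmdletBinding()]
    param(
        [int]    $EventLookbackHours = 24,
        [string] $ReportFolder = (Join-Path $env:TEMP 'dcpromo-check')
    )
    New-Item -ItemType Directory -Path $ReportFolder -Force | Out-Null
    $since   = (Get-Date).AddHours(-$EventLookbackHours)
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string] $Check, [bool] $Pass, [string] $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1) Inbound and outbound replication (REPADMIN /SHOWREPL /REPSTO); keep the
    #    full text and flag any partner line that reports a failure.
    $repl = & repadmin.exe /showrepl /repsto 2>&1
    $repl | Set-Content (Join-Path $ReportFolder 'repadmin_showrepl.txt')
    $replBad = @($repl | Where-Object { "$_" -match '(?i)\b(failed|error)\b' })
    Add-Result 'AD replication (repadmin /showrepl /repsto)' ($replBad.Count -eq 0) ("{0} failing line(s)" -f $replBad.Count)

    # 2) GC build finished and advertising: Directory Service event 1119.
    $gc = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1119; StartTime = $since } -ErrorAction SilentlyContinue)
    Add-Result 'GC advertising (DS event 1119)' ($gc.Count -gt 0) $(if ($gc.Count -gt 0) { $gc[0].TimeCreated } else { 'not found in window' })

    # 3) SYSVOL initialised and initial replication done: DFS Replication event 4604.
    $sysvol = @(Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 4604; StartTime = $since } -ErrorAction SilentlyContinue)
    Add-Result 'SYSVOL initialised (DFSR event 4604)' ($sysvol.Count -gt 0) $(if ($sysvol.Count -gt 0) { $sysvol[0].TimeCreated } else { 'not found in window' })

    # 4) NETLOGON and SYSVOL shares in place (equivalent of NET SHARE).
    $shares  = @(Get-SmbShare -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name)
    $missing = @('NETLOGON', 'SYSVOL' | Where-Object { $_ -notin $shares })
    Add-Result 'NETLOGON/SYSVOL shares' ($missing.Count -eq 0) $(if ($missing.Count -gt 0) { "missing: $($missing -join ', ')" } else { 'both present' })

    # 5) Warnings and errors in the logs the post lists (Level 1-3 = critical/error/warning).
    foreach ($log in 'Directory Service', 'DFS Replication', 'File Replication Service', 'DNS Server', 'Application', 'System') {
        $bad = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3; StartTime = $since } -ErrorAction SilentlyContinue)
        Add-Result "Event log '$log' errors/warnings" ($bad.Count -eq 0) ("{0} event(s) since {1}" -f $bad.Count, $since.ToString('s'))
    }

    # 6) DCDIAG /C /D /V, kept as a full report; "failed test" lines are the quick summary.
    $dcdiagLog = Join-Path $ReportFolder 'dcdiag.txt'
    $dcdiag    = & dcdiag.exe /c /d /v 2>&1
    $dcdiag | Set-Content $dcdiagLog
    $failed = @($dcdiag | Where-Object { "$_" -match 'failed test' })
    Add-Result 'DCDIAG /C /D /V' ($failed.Count -eq 0) ("{0} failed test(s); full report in {1}" -f $failed.Count, $dcdiagLog)

    return $results
}

# Usage: Test-NewDomainController | Format-Table -AutoSize
```

Widen -EventLookbackHours if the promotion happened earlier than a day ago; the two "not found in window" rows are then the first thing to re-check before reading the dcdiag report.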

