Posted by The Admin Arsenal Team on Mon, May 25, 2009
Jane Lewis has a good piece on best practices for modifying your AD schema. It's a good list. The only addition that I would make is to ensure that you have a roll-back plan documented and tested.
Give it a read and be sure to let Jane know if you agree or disagree.
http://blogs.technet.com/janelewis
Posted by The Admin Arsenal Team on Mon, Apr 27, 2009
In my job of developing Admin Arsenal I have the privilege of constantly creating, deleting, changing, breaking, punching, smashing, seducing, WTFing, and generally abusing Active Directory domains. In this capacity I've seen problems that probably don't crop up for the average administrator, but sometimes I see problems that are probably fairly common.
One such problem has to do with DNS. Periodically, after changing my domains in some way, I would suddenly lose connectivity to AD. But connectivity wouldn't be lost for long; it would suddenly reconnect some time later and stay connected for a while, but then drop off again. Rebooting the clients or the server sometimes worked, sometimes it didn't. I could still authenticate and connect to servers with my AD credentials, but I couldn't connect using any management tool, including Admin Arsenal (sometimes I could connect if I went straight to a domain controller, but not always). Then I'd rebuild my AD servers to test something else and the problem would go away. I would just chalk it up to something I did to abuse AD. But it kept happening every few months, so I decided that it must be a common problem and decided to delve in.
It took me several hours to track it down, but I was determined, dam-nit! I'm not sure how I finally figured it out (probably a lucky find on a forum somewhere), but as I mentioned it was to do with DNS. At some point in all my AD thrashing I got a phantom A record in DNS for my domain. Since it was doing round robin name resolution, I would periodically get this phantom address when my machine tried to resolve lab.adminarsenal.local. As long as that address was either in my cache or kept being served up by DNS, my connectivity would be erratic.
It just goes to show how many pieces there are to a well-run network. If one of them breaks, it can be difficult to find out exactly where it is. Well, I guess it keeps us all employed.
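One way to check for the phantom record described in the post above, as an added PowerShell example that is not from the original post or from Admin Arsenal: it lists every A record the domain name resolves to and flags any address that is not a domain controller registered in the `_ldap._tcp.dc._msdcs` locator SRV records or that does not answer on LDAP port 389. It assumes a Windows client with the `Resolve-DnsName` and `Test-NetConnection` cmdlets; the domain name is the one from the post.

```powershell
# Added example: find A records for the AD domain name that do not map to a live DC.
# Domain name taken from the post; replace with your own AD DNS domain.
$Domain = 'lab.adminarsenal.local'

# 1. Every A record the domain name itself resolves to (the round-robin set).
$apexAddresses = Resolve-DnsName -Name $Domain -Type A -DnsOnly -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'A' } |
    Select-Object -ExpandProperty IPAddress -Unique

# 2. Domain controllers registered in the DC locator SRV records.
$dcNames = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -DnsOnly -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique

# 3. The addresses those DC host names resolve to.
$dcAddresses = foreach ($dc in $dcNames) {
    Resolve-DnsName -Name $dc -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
}

# 4. Judge each address served for the domain name.
foreach ($ip in $apexAddresses) {
    $isRegisteredDc = $dcAddresses -contains $ip
    $ldapOpen = (Test-NetConnection -ComputerName $ip -Port 389 `
                    -WarningAction SilentlyContinue).TcpTestSucceeded

    [pscustomobject]@{
        Address             = $ip
        MatchesRegisteredDC = $isRegisteredDc
        LdapPortOpen        = $ldapOpen
        # An address that is not a registered DC, or that does not answer LDAP,
        # is a candidate phantom record to review in the DNS zone.
        Suspect             = -not ($isRegisteredDc -and $ldapOpen)
    }
}
```

Once a stale record has been removed from the zone, `Clear-DnsClientCache` (or `ipconfig /flushdns`) on the affected clients drops any cached copy of the old address.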
Posted by The Admin Arsenal Team on Mon, Feb 16, 2009
One of the more requested features in Admin Arsenal is the ability to work with more than one Active Directory container at a time. Up to version 1.4, Admin Arsenal only supports a single container. This works great if you have only a single domain or your tree is organized in a certain way – in other words, not everyone.
We’ve heard your requests and will have you covered in version 2. Not only will you be able to specify multiple containers and domains, but you can select containers to exclude, giving you a great deal of control over what Admin Arsenal sees. Consider a simple example:
You have a container of all of your computers including some in a satellite office connected by a slow WAN. You want to manage everything except those few remote computers, since you have a separate Admin Arsenal installation you use there.
With version 1.4 you would need to pull those computers out to a container outside of your main container. This is inconvenient at best, and unfeasible at worst. With Admin Arsenal version 2 all you will need to do is create a sub-container, put the computers in it and then exclude it. This is more easily accomplished and in line with Active Directory best practices. But it doesn’t end there: with a combination of included and excluded containers you can handle almost any scenario you might run across.
You will be able to mold Admin Arsenal to your organization, not the other way around.
Posted by The Admin Arsenal Team on Fri, Feb 13, 2009
Paul Bergson has a great post regarding Troubleshooting Active Directory Issues. One of the common AD problems we see when troubleshooting Admin Arsenal is incorrect DNS records.
Paul's article also links to Microsoft to download the utility DNSLint. DNSLint is a Microsoft Windows utility that helps you to diagnose common DNS name resolution issues.