
What is the difference between LDIFDE and CSVDE? Usage considerations?

Ldifde

Ldifde creates, modifies, and deletes directory objects on computers running Windows Server 2003 operating systems or Windows XP Professional. You can also use Ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services.

What are the DS* commands?

Microsoft included a set of command line tools with its server operating systems to allow better and more productive management of the directory service. The DS commands are these tools: simple commands with only a few parameters that can increase the productivity of systems administrators and keep their Active Directory domains running in tip-top shape.

How would you find all users that have not logged on since last month?

You can use the DSQuery user command for this purpose. DS commands retrieve information from Active Directory from the command line. You must run DSQuery from an elevated command prompt: click Start, right-click Command Prompt, and then click Run as administrator. The -inactive switch takes a number of weeks, so -inactive 4 lists accounts that have not logged on in the last four weeks.

C:\>dsquery user -inactive 4
"CN=Service User,OU=IT,DC=nishantsoft,DC=com"
"CN=IT JOURNAL,OU=Management,OU=Gurgaon,DC=nishantsoft,DC=com"
"CN=Dipak Khanna,OU=RC,OU=Gurgaon,DC=nishantsoft,DC=com"
"CN=Amit Mishra,OU=RC,OU=Gurgaon,DC=nishantsoft,DC=com"
"CN=Test Account,OU=Development,OU=Gurgaon,DC=nishantsoft,DC=com"
"CN=Jeevan Singh,OU=Development,OU=Gurgaon,DC=nishantsoft,DC=com"
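As an added example (not part of the original post), the same check done offline in Python against an Ldifde export: the lastLogonTimestamp value that dsquery -inactive evaluates is a FILETIME, and an account that has never logged on carries no value at all, which a naive script would silently skip. The LDIF, the account names and the reference date are constructed for this example.

```python
# Added example: flag accounts with no logon in the last N weeks from an Ldifde export,
# mirroring `dsquery user -inactive N` (which evaluates lastLogonTimestamp). Data constructed.
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed reference time

# Constructed export, as from: ldifde -f users.ldf -r "(objectCategory=person)"
#   -l sAMAccountName,lastLogonTimestamp    (FILETIME: 100-ns ticks since 1601-01-01 UTC)
SAMPLE_LDIF = """\
dn: CN=Jeevan Singh,OU=Development,OU=Gurgaon,DC=nishantsoft,DC=com
changetype: add
sAMAccountName: jsingh
lastLogonTimestamp: 133564032000000000

dn: CN=Amit Mishra,OU=RC,OU=Gurgaon,DC=nishantsoft,DC=com
changetype: add
sAMAccountName: amishra
lastLogonTimestamp: 133610688000000000

dn: CN=Test Account,OU=Development,OU=Gurgaon,DC=nishantsoft,DC=com
changetype: add
sAMAccountName: testacct
"""

def parse_ldif(text):
    """Yield one dict per entry; folded lines (leading space) are rejoined."""
    entry, last_key = {}, None
    for raw in text.splitlines() + [""]:
        if raw == "":                                 # blank line ends an entry
            if entry:
                yield entry
            entry, last_key = {}, None
        elif raw.startswith(" ") and last_key:
            entry[last_key] += raw[1:]                # continuation of previous value
        elif ":" in raw and not raw.startswith("#"):
            key, _, value = raw.partition(":")
            entry[key] = value.strip()                # base64 ("::") values not needed here
            last_key = key

def filetime_to_datetime(ft):
    """FILETIME -> timezone-aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(ft) // 10)

def inactive_accounts(ldif_text, weeks, now=NOW):
    """Names whose last logon is older than `weeks` weeks, or who never logged on (attribute
    absent). Caveat: lastLogonTimestamp replicates lazily and can lag up to 14 days."""
    cutoff = now - timedelta(weeks=weeks)
    return [e["sAMAccountName"] for e in parse_ldif(ldif_text)
            if "lastLogonTimestamp" not in e
            or filetime_to_datetime(e["lastLogonTimestamp"]) < cutoff]
```

Because of the replication lag noted in the code, treat the result as candidates to review rather than accounts to disable outright.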

What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?

If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and the r2auto.exe will display the Windows 2003 R2 Continue Setup screen.

If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change, mostly related to the new DFS replication engine). To update the schema, run the Adprep utility, which you'll find in the Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later).

What do you do to install a new Windows 2003 DC in a Windows 2000 AD?

Check that Windows 2000 Service Pack 4 is installed on all the domain controllers and Exchange servers. If it is not already installed, install it now. After that, run the Adprep.exe utility on the Windows 2000 domain controllers currently holding the schema master and infrastructure master roles. The adprep /forestprep command must first be issued on the Windows 2000 server holding the schema master role in the forest root domain, to prepare the existing schema to support Windows 2003 Active Directory.

What is the tombstone period?

The tombstone lifetime in an Active Directory forest determines how long a deleted object - aka a ‘tombstone’ - is retained in Active Directory. The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition.

The tombstone lifetime assists in removing objects from replicated servers and prevents restores from reintroducing a deleted object. When an object is deleted from Active Directory, it is not physically removed for some days. Instead, Active Directory sets the ‘isDeleted’ attribute of the deleted object to TRUE and moves it to a special container called ‘Tombstone’.

  • Windows 2000 (all SPs) = 60 days
  • Windows Server 2003 without SP = 60 days
  • Windows Server 2003 with SP1 = 180 days
  • Windows Server 2003 R2 with SP1 installed with both R2 discs = 60 days
  • Windows Server 2003 R2 with SP1 installed only with the first R2 Disc = 180 days
  • Windows Server 2003 with SP2 = 180 days
  • Windows Server 2003 R2 with SP2 = 180 days
  • Windows Server 2008 onwards = 180 days

The tombstone lifetime attribute is the same on all the domain controllers, and a tombstone is deleted from all of them at the same time. This is because the expiration of a tombstone lifetime is based on the time when the object was logically deleted from Active Directory, rather than the time when it was received as a tombstone on a server through replication.

Reconfiguring Tombstone Lifetime:

The default tombstone lifetime is 180 days in Windows Server 2003 SP2 or later. It can be modified through the ADSIEDIT console if necessary.

The attribute is located at the following path:

cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=

To change the value, run ADSIEDIT.msc.

Expand Configuration > CN=Configuration > CN=Services > CN=Windows NT, then right-click CN=Directory Service.

In the attribute window that opens, scroll down to tombstoneLifetime and double-click it. Type the value you intend in the field provided and click OK.

The picture below will help you reach the correct object.

Name some OU design considerations.

The Group Policy architecture is flexible and allows for many types of design. The guiding principle as you design your organizational unit structure should be to create a structure that is easy to manage and troubleshoot.

Delegation of authority, separation of administrative duties, central versus distributed administration, and design flexibility are important factors you'll need to consider when designing Group Policy and selecting which scenarios to use for your organization.

What tool would I use to try to grab security related packets from the wire?

A network tap is the best solution for capturing packets on a network. It is a hardware device that provides a way to access the data flowing across a computer network. Computer networks, including the Internet, are collections of devices, such as computers, routers, and switches, that are connected to each other.

Network taps are commonly used for security applications because they are non-obtrusive, are not detectable on the network, can deal with full-duplex and non-shared networks, and will usually pass-through traffic even if the tap stops working or loses power.

Can I get user passwords from the AD database?

By default, user account passwords are stored as a password hash (a hash is the output of a one-way function, which means you can’t reverse it to get the plaintext). These hashes are stored in Active Directory (the C:\Windows\NTDS\ntds.dit file on DCs). If you need to get user passwords, you have to change the way they are stored in AD: passwords must be stored with a reversible encryption algorithm.

To enable this option globally:

1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers.

2. In the Active Directory Users and Computers window, right click on your domain and select Properties.

3. In the Group Policy tab, select "Default Domain Policy" and click Edit.

4. In the Group Policy window, navigate to Password Policy in the left-panel Tree view: Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.

5. Right click on "Store password using reversible encryption for all users in the domain" and select Security.

6. In the Security Policy Setting window, select the "Define this policy setting" checkbox and the Enabled radio button. Click OK.

7. Close all applications and restart the computer, and log into your domain.

To enable this option for a specific user:

1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers.

2. In the Active Directory Users and Computers window, right-click on the user and select Properties.

3. In the Account tab, check "Store password using reversible encryption." Click OK.

4. Close all applications and restart the computer, and log into your domain.

When this is enabled (per user or for the entire domain), Windows stores the password encrypted, but in such a way that it can reverse the encryption and recover the plaintext password. This feature exists because some authentication protocols require the plaintext password to function correctly; the two most common examples are HTTP Digest Authentication and CHAP.

Niels Teusink has done great research on it:

http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html

http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html

He also developed a nice tool called “RevDump” to decipher this encrypted password.
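From the defender's side, as an added example not in the original post, here is how to audit for this setting. Per user it is bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED) of userAccountControl; domain-wide it is ClearTextPassword = 1 in the [System Access] section of the Default Domain Policy's GptTmpl.inf security template. The account list and the template excerpt are constructed; the LDAP filter shown is what you would run against a live directory.

```python
# Added example: audit reversible-encryption password storage. All sample data is constructed.
import configparser

ENCRYPTED_TEXT_PWD_ALLOWED = 0x80
UAC_FLAGS = {                      # subset of userAccountControl bits
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}

# Constructed (sAMAccountName, userAccountControl) pairs, as exported with
# dsquery * -filter "(objectCategory=person)" -attr sAMAccountName userAccountControl
SAMPLE_ACCOUNTS = [
    ("jsingh", 512),         # NORMAL_ACCOUNT
    ("svc_radius", 66176),   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ENCRYPTED_TEXT_PWD_ALLOWED
    ("testacct", 514),       # NORMAL_ACCOUNT | ACCOUNTDISABLE
    ("amishra", 640),        # NORMAL_ACCOUNT | ENCRYPTED_TEXT_PWD_ALLOWED
]

# Constructed excerpt of a domain policy security template
# (SYSVOL ...\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf).
SAMPLE_GPTTMPL = """\
[System Access]
PasswordComplexity = 1
ClearTextPassword = 1
"""

def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def reversible_encryption_accounts(accounts):
    """Accounts whose own userAccountControl allows reversible storage."""
    return [name for name, uac in accounts if uac & ENCRYPTED_TEXT_PWD_ALLOWED]

def ldap_filter_for_bit(bit):
    """Live-directory equivalent: LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803)."""
    return f"(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:={bit}))"

def policy_allows_cleartext(gpttmpl_text):
    """True if the template enables 'Store password using reversible encryption'."""
    cp = configparser.ConfigParser()
    cp.read_string(gpttmpl_text)
    return cp.getint("System Access", "ClearTextPassword", fallback=0) == 1
```

Note that the reversibly encrypted value is only written at the next password change after the setting is enabled, so both the flag and the policy should be checked, not just the presence of recoverable passwords.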

How can you forcibly remove AD from a server, and what do you do later?

Dcpromo is the Windows 2000 and Windows Server 2003 GUI tool for promoting a server to the role of domain controller; if the server is already a DC, dcpromo is also the tool used to demote it back to a member server. If you run Dcpromo on an existing DC to demote it and the demotion fails, you can run Dcpromo with the /forceremoval switch (the big hammer), which tells the process to ignore errors. With /forceremoval, an administrator can forcibly remove Active Directory and roll back the system without having to contact, or replicate any locally held changes to, another DC in the forest.

After you use the dcpromo /forceremoval command, the metadata for the demoted DC is not deleted from the surviving domain controllers, so you must remove it manually using the NTDSUTIL command.

For more information please read:

http://www.petri.co.il/forcibly_removing_active_directoy_from_dc.htm

http://www.petri.co.il/delete_failed_dcs_from_ad.htm