Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


October 2007

Letters@windowsitpro.com

From the October 2007 Edition
of Windows IT Pro
Editors
Readers
Letters to the Editor
InstantDoc #96931
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Active Directory (AD) Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

LVR's Intricacies
Thank you for Guido Grillenmeier's article "Leverage LVR to Simplify AD Object Recovery" (August 2007, InstantDoc ID 96310). Guido deepened my understanding of Active Directory (AD) and how it replicates. I might have to read the article a couple of times to fully understand everything, though.

As I was reviewing my AD groups to see if they contain Linked Value Replication (LVR) links, I ran into an interesting find with the default group Domain Users, which most of our users have as their primary group. When I run the command 

repadmin /showobjmeta DC1 
  CN="Domain Users",
  CN=Builtin,OU=XYZ,OU=COM

it returns information only about the users who do not have Domain Users set as their primary group. If I go into an individual user account and change the primary user group, the individual shows up when I rerun the command.

• Why don't user accounts show up when their group is set to primary?
• Since I can't see the LEGACY, ABSENT, or PRESENT status for the users, can I assume that all the LVR links are PRESENT?
—Justin Marthaler

I'm glad you liked the article. The topic is fairly complex.

The Domain Users group is a special group just like Domain Computers and a few others in AD. As you noted, those groups' membership is typically not explicit by virtue of the user (or computer) being listed in the group's memberOf attribute. Instead, the member's PrimaryGroupID attribute is populated with the Relative Identifier (RID) of the respective AD group (513 for Domain Users). This attribute is indexed so that the OS can list all members quickly.

The Active Directory Users and Computers GUI fools you by displaying the users as normal members of the Domain Users group. When you check the memberOf tab for a user, it also displays the Domain Users group. The GUI basically checks both the backlinks and the PrimaryGroupID, just like the logon process does to add the group to a user's token. This process allows an AD domain to contain as many users (or computers) as you want and not be limited by the number of members or forward links that could fit into a group's member Of attribute.

When you change a user's primary group, the same logic is applied to the other group: The user's link is removed and instead the group's RID is written to the user's PrimaryGroupID attribute. But because you didn't remove the Domain Users group when you edited the user's PrimaryGroup, an explicit link is added to the Domain Users group.

So basically, a group that's populated with the PrimaryGroup feature doesn't use LVR. However, it works similarly in that it allows very large groups and only the membership change is replicated.
—Guido Grillenmeier

I just read "Leverage to Simplify AD Object Recovery" and liked it a lot. I hope more people will buy into taking LVR and the related issues more seriously once they or some of their staff have read the article.
—Scotty McLeod

Enhanced Defrag
Dan Gillard's article "Automate the Windows 2003 Defragmenter Without Paying Extra" (Reader to Reader, May 2007, InstantDoc ID 95487) made me wonder: Why not just use defrag.exe, which is a command-line tool that ships with Windows Server 2003 and Windows XP and can be easily scheduled with Task Scheduler? Does it offer less functionality than dfrgntfs.exe?
—Chris Munger

The batch file uses defrag.exe to launch dfrgntfs.exe. I don't use defrag .exe directly with the Task Scheduler because this process runs on a file server, and usually no one is logged on to the server. For a scheduled task to work when no one is logged on, you need a username and password that has admin rights to run the task. For all I know there might be a way to hack into the task scheduler to get passwords, and I'd rather not have that.

Instead of having a process run by a user who has admin rights on the server, I use the AT command to run the command like a service without a logon account. This approach also runs the process in the background and prevents windows from popping up.

The log file this batch file creates also is a good way to check for problems after the defrag process has run. Defrag .exe itself doesn't create a log unless you output the process to a text file.

The batch file I created is just another means to defrag the system, with extra features.
—Dan Gillard

Mysterious Behavior of the Windows Indexing Service
Thank you Bret Bennett for sharing in detail what you learned about the Windows Indexing Service ("An Unlikely Culprit Can Cause Computers to Hang," August 2007, InstantDoc ID 96343), and thank you Windows IT Pro for printing it. That article is a good example of why I subscribe to the magazine.
—Chris Hair

See Associated Figure

End of Article

Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Top Viewed ArticlesView all articles
Friday at PASS Europe 2006

Kevin talks about the closing day of the event and shares a funny Microsoft film. ...

The Memory-Optimization Hoax

Don't believe the hype. At best, RAM optimizers have no effect. At worst, they seriously degrade performance. ...

Escape From Yesterworld

Kevin points you to the funniest SQL Server website ever! ...
Active Directory (AD) Whitepapers Sustainable Compliance: How to reconnect compliance, security and business goals

User Provisioning and Access Control

Managing Unix/Linux with Microsoft System Center Operations Manager 2007 Cross Platform Extensions Beta
Related Events Check out our list of Free Email Newsletters!
Task Automation eBooks Spam Fighting and Email Security for the 21st Century

Keeping Your Business Safe from Attack: Monitoring and Managing Your Network Security

Windows 2003: Active Directory Administration Essentials
Related Active Directory (AD) Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.

Job Openings in IT

ADS BY GOOGLE SPONSORED LINKS FEATURED LINKS

IT Connections
Dive into the new Microsoft platforms and products you implement and support with the experts from Microsoft, TechNet Magazine, Windows ITPro and industry gurus. There are 70+ sessions and interactive panels with networking opportunities.

Attention User Group Leaders...
Announcing the eNews Generator—a FREE HTML e-newsletter builder for user group leaders. Build your HTML and text e-newsletters in minutes and add Windows IT Pro & SQL Server Mag articles alongside your own message!.

Master SharePoint with 3 eLearning Seminars
Learn how to build a better SharePoint infrastructure and enable powerful collaboration with MVPs Dan Holme and Michael Noel. Register today!

Get SQL Server 2008 at WinConnections
Don’t miss Microsoft Exchange and Windows Connections conferences, the premier events for Microsoft IT Professionals in Las Vegas, November 10-13. Every attendee will receive a copy of SQL Server 2008 Standard Edition with one CAL.



Interested in Email Encryption?
Read about the advantages of identity-based encryption in this free report.

Order Your SQL Fundamentals CD Today!
Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.

Virtualization Congress Oct. 14-16 in London
Don't miss Virtualization Congress, the premiere EMEA conference dedicated to hardware, OS and application virtualization. Oct. 14-16.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technical Resources Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing