Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘OCS/Lync Server’ Category

(2016-01-19) Free AD Tool For The IT Pro (4)

Posted by Jorge on 2016-01-19


While browsing the internet I found the following AD-related tool that might be worth checking out. Have fun!

REMARK: I do not own and do not support these tools, nor are they specifically recommended by me; this post is "FYI only!" It is your responsibility to test and check out these tools to see whether they meet your requirements.

Z-Hire/Z-Term Active Directory, Exchange, Lync, Office 365 User Creation Tool

Z-Hire automates the IT account creation process for Exchange mailbox, Active Directory, Lync accounts, Office 365 cloud and SalesForce cloud deployments. With just a click of a button, your Exchange mailbox, Active Directory user and Lync accounts will be created simultaneously. This tool can also create and set custom settings for Office 365 accounts using templates. Z-Hire serves as the platform for new hire accounts by allowing auto-creation of major IT user accounts with the option for custom scripts. Z-Hire will decrease your new hire user account deployment time by 600%, without the need for complicated and expensive identity management solutions. This Active Directory User Creation Tool makes creating Active Directory users a breeze. Some of the features include:

  • Environment Auto detection/discovery (AD/Exchange/Lync/Office 365/SalesForce)
  • Copy existing Active Directory User to Z-Hire Template
  • Support for Active Directory user, Exchange Mailbox, Lync 2010, Lync 2013, Office 365 user and SalesForce user account
  • Template based deployment (allows consistency for all user accounts)
  • Office 365 account creation with major attributes
  • Office 365 license only mode (assign license only, when using DirSync)
  • Office 365 Hybrid mode ( for organizations running Office 365 in Hybrid mode)
  • Active Directory user account creation with major attributes
  • Active Directory group selection
  • Active Directory user duplicate SamAccountName verification
  • Lync 2010 account creation supporting all policies
  • SalesForce user creation support all major attributes
  • Faster performance (compared to previous version)
  • Bulk import from CSV / Text to provision Active Directory, Exchange, Lync and Office 365 users (version 5.3)
  • HRIS / WorkDay driven user provisioning (Automatically provision users from WorkDay and other HRIS Systems)
  • HRIS / WorkDay driven data sync (Automatically sync user data such as Title, Department from WorkDay and other HRIS systems)

Click HERE for more information

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Exchange Server, IT Pro Tools, OCS/Lync Server, Office 365, Windows Azure Active Directory

(2011-06-16) Pictures/Photos In Lync

Posted by Jorge on 2011-06-16


Multiple (blog) resources on the internet contain information on how to add pictures/photos to AD and have them shown in Lync. I have summarized these resources below for your convenience.

WARNING: Be aware that storing pictures/photos in AD can increase the size of the NTDS.DIT considerably (depending, of course, on the number of pictures and the size of each picture). Do not forget that writing this data into AD also generates replication traffic: it is just yet another attribute that has to be replicated to every DC in the domain, and because thumbnailPhoto is in the partial attribute set it is replicated to every global catalog server in the forest as well. Keep the pictures small and check the total volume before you bulk-load them.

Also see: Pictures/Photos in Active Directory
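As an added example (not code from the original post), the two checks I would put in front of any bulk photo load, written for the RSAT ActiveDirectory PowerShell module: a loader that refuses anything that is not a small JPEG before it touches thumbnailPhoto, and a function that totals up how many bytes a folder of photos would add to NTDS.DIT and to replication. The account name, photo path and folder are placeholders; the 10 KB default is the limit Exchange 2010's Import-RecipientDataProperty applies and is far below the 100 KB schema cap on thumbnailPhoto.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory module and a
# domain-joined session; the account name, photo path and folder used below are placeholders.
Import-Module ActiveDirectory

# Writes a JPEG into thumbnailPhoto only after checking it really is a JPEG and is small enough.
# The schema caps thumbnailPhoto at 100 KB (rangeUpper 102400); $MaxBytes defaults to the 10 KB
# that Exchange 2010's Import-RecipientDataProperty enforces, which is plenty for a 96x96 image.
function Set-ADUserThumbnailPhoto {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $PhotoPath,
        [int] $MaxBytes = 10KB
    )

    $bytes = [System.IO.File]::ReadAllBytes($PhotoPath)

    # JPEG files start with the SOI marker FF D8; reject anything else so arbitrary blobs
    # do not end up replicated to every DC and GC in the forest.
    if ($bytes.Length -lt 4 -or $bytes[0] -ne 0xFF -or $bytes[1] -ne 0xD8) {
        throw "$PhotoPath is not a JPEG file"
    }
    if ($bytes.Length -gt $MaxBytes) {
        throw "$PhotoPath is $($bytes.Length) bytes; the limit is $MaxBytes bytes. Resize it first."
    }

    Set-ADUser -Identity $SamAccountName -Replace @{ thumbnailPhoto = $bytes }
}

# Before a bulk load, estimate what you are about to add to NTDS.DIT and push through
# replication: number of photos, total size, the largest file, and how many exceed the limit.
function Measure-PhotoFootprint {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [int] $MaxBytes = 10KB
    )

    $files = Get-ChildItem -Path $Folder -Filter *.jpg -File
    $stats = $files | Measure-Object -Property Length -Sum -Maximum

    [pscustomobject]@{
        Photos       = $stats.Count
        TotalMB      = [math]::Round($stats.Sum / 1MB, 2)
        LargestBytes = $stats.Maximum
        OverLimit    = @($files | Where-Object { $_.Length -gt $MaxBytes }).Count
    }
}

# Usage (placeholders):
# Measure-PhotoFootprint -Folder 'C:\Photos'
# Set-ADUserThumbnailPhoto -SamAccountName 'jdoe' -PhotoPath 'C:\Photos\jdoe.jpg'
```

Run Measure-PhotoFootprint first: if OverLimit is not zero, resize those files before loading, and treat TotalMB as the minimum growth of NTDS.DIT on every DC (and every GC) in the forest.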

Cheers,
Jorge

Posted in OCS/Lync Server

(2010-10-09) Should You Do A Domain Rename Or Not – That’s The Question?

Posted by Jorge on 2010-10-09


A friend of mine asked me whether a domain rename is something that should/could be used within an organization. What I answered him is more or less explained in this blog post. Information about performing a domain rename can be found through the following links:

Instead of performing a domain rename [1], you could also create a new domain in an existing AD forest or in a new AD forest and migrate [2] everything into that new AD domain. To determine which to use ([1] or [2]), you must know the AD forest environment very well! With "AD forest environment" I mean: the size of the environment, the number of DCs per AD domain/site (location), the number of AD sites (locations) with DCs, the AD forest/domain structure, the version of AD, the versions of AD-aware/enabled apps (e.g. Exchange, OCS, etc.), the versions of member server and client operating systems, which client/server apps (e.g. SQL, Citrix, etc.) exist and their versions, what the remote possibilities are to connect to the DCs (including while the DCs are booting) and how dependent that remote-access solution itself is on AD, where support personnel is available and where not, etc., etc. As you can see, doing your homework is the very first step to take before anything else! That homework should tell you how much technical and logistical pain you may experience during such an exercise.

The impact of a domain rename is HUGE! In a test environment I have no issue doing a domain rename, but in a production environment I would never do it that easily, and probably I would never do it at all. A domain rename impacts ALL DCs in the AD forest at the same time, not just the DCs in the AD domain whose NetBIOS name and/or FQDN you want to rename. If you still think domain rename is a viable option to check out, make sure you have a very representative test environment with all applications, so you can see where things might go wrong. Also check with the vendor of each app/system whether it supports domain rename at all. Create a plan of your own and test, test, test, test, test, test, test, test, test, test, test, test! And make sure you have an up-to-date and tested disaster recovery plan as a fallback for when the shit hits the fan!

An example: assume your AD forest has 3 AD domains and each AD domain has 100 DCs, so in total you have 300 DCs in the AD forest. At a certain point in the procedure (the rendom /execute step; check the domain rename guide from Microsoft) ALL those DCs in the AD forest apply the new names and reboot, effectively AT THE SAME TIME. It would scare the crap out of me to reboot 300 DCs at the same time! A simple test before performing a domain rename is to reboot each and every DC, just to make sure every one of them comes back in normal mode without any issue.

After the domain rename, you most likely have to fix all kinds of applications in some way. Some apps/systems might not work until certain repairs have been done. It may also turn out that a domain rename is not possible at all, or not supported by Microsoft. For example, if you have Exchange in your AD environment, that plays a very important role in determining whether a domain rename is even possible (see the Windows/Exchange version discussion further down).

The biggest disadvantage of a domain rename is the huge impact on the environment and the impossibility of doing it in a phased manner.

The other option, instead of a domain rename, is a domain migration: it does not impact the environment that heavily, it can be done in a phased manner, and it carries much lower risk.

Remember, though, that having multiple AD domains in a single AD forest is far from a best practice. You might also want to think about consolidating the AD domains within that AD forest as much as possible. Many organizations do not do this (consolidation) because the benefits do not outweigh the costs involved.
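As an added example (not part of the original post), this is the "homework" from the paragraphs above turned into a read-only PowerShell pre-flight check for the RSAT ActiveDirectory module: how many DCs in how many domains and sites would be told to rename and reboot, whether the forest functional level is at least Windows Server 2003 (a prerequisite for rendom), the oldest DC operating system, and whether an Exchange organization still exists in the configuration partition (which, per the Exchange blog quoted further down, rules the rename out until every Exchange server is gone). It assumes an account that can read every domain in the forest and changes nothing.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory module and
# an account that can read every domain in the forest; it only reads and changes nothing.
Import-Module ActiveDirectory

function Get-DomainRenameFootprint {
    $forest = Get-ADForest

    # Every DC in every domain of the forest takes part in a rename, not just the renamed domain.
    $dcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }

    # The Exchange organization object lives under CN=Microsoft Exchange,CN=Services in the
    # configuration NC. If the container is absent, Get-ADObject errors; treat that as "none".
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $exchOrg = $null
    try {
        $exchOrg = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" `
                                -SearchScope OneLevel `
                                -LDAPFilter '(objectClass=msExchOrganizationContainer)' `
                                -ErrorAction Stop
    } catch { }

    [pscustomobject]@{
        Forest               = $forest.Name
        ForestMode           = $forest.ForestMode      # rendom needs at least Windows2003Forest
        Domains              = @($forest.Domains).Count
        DomainControllers    = @($dcs).Count           # all of these reboot during rendom /execute
        SitesWithDCs         = @($dcs | Select-Object -ExpandProperty Site -Unique).Count
        DCsPerDomain         = ($dcs | Group-Object Domain | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join '; '
        OldestDCOS           = ($dcs | Sort-Object OperatingSystem | Select-Object -First 1).OperatingSystem
        ExchangeOrganization = if ($exchOrg) { @($exchOrg)[0].Name } else { 'none' }
    }
}

# The post's "simple test", minus the reboot: is every DC reachable from where you sit right now,
# so you know you can get at it when the rename tells all of them to restart?
function Test-DCReachability {
    param([Parameter(Mandatory)] $DomainControllers)
    foreach ($dc in $DomainControllers) {
        [pscustomobject]@{
            Name      = $dc.HostName
            Domain    = $dc.Domain
            Site      = $dc.Site
            Reachable = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
        }
    }
}

# Usage:
# $fp = Get-DomainRenameFootprint; $fp
# $all = foreach ($d in (Get-ADForest).Domains) { Get-ADDomainController -Filter * -Server $d }
# Test-DCReachability -DomainControllers $all | Where-Object { -not $_.Reachable }
```

If ExchangeOrganization is anything other than 'none', or ForestMode is below Windows2003Forest, the rename is off the table before you even open the Microsoft guide; the DomainControllers and SitesWithDCs numbers are what you should picture rebooting at once.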

The following was taken from MS-KBQ300864:

Examples of applications that are incompatible with domain rename include, but are not limited to, the following products:

  • Microsoft Exchange 2000 Server
  • Microsoft Exchange Server 2007
  • Microsoft Internet Security and Acceleration (ISA) Server 2004
  • Microsoft Live Communications Server 2005
  • Microsoft Operations Manager 2005
  • Microsoft SharePoint Portal Server 2003
  • Microsoft Systems Management Server (SMS) 2003
  • Microsoft Office Communications Server 2007

With regards to domain rename, I found the following questions, to which I or others responded:

#################

[Q]

OK, I have raised the domain functional level to Windows Server 2003 and also set the forest functional level to Windows Server 2003. Now how do I rename my domain name? Next steps, please advise.

[A1]

I hope you are kidding! You want to do a domain rename and are asking for the steps here? That means you did not do any homework, correct? IMHO that's the most NOT RECOMMENDED action to take. Microsoft provides documents about the domain rename. You should read them, understand them, TEST it and decide if you really want to do it. Domain rename has a HUGE impact on the environment and is NOT something to take lightly.

My suggestion as a next step: start reading the domain rename docs:

http://technet.microsoft.com/en-us/windowsserver/bb405948.aspx

http://technet.microsoft.com/en-us/library/cc738208.aspx

#################

[Q]

Does anyone know the supported combinations of Windows and Exchange for domain rename?

For example:

W2K3 AD with E2K3SP1 = supported

W2K8 AD with E2K3SP1 = supported

W2K3 AD with E2K7 RTM/SP1 = NOT supported

W2K8 AD with E2K7 RTM/SP1 = NOT supported

How about:

W2K3 AD with E2K3SP2 = ???

W2K8 AD with E2K3SP2 = ???

[A1]

With regards to W2K8 please read http://technet.microsoft.com/en-us/library/cc816848.aspx. It says:

"The Windows Server 2008 domain rename operation is not supported in an Active Directory forest that contains Exchange Server 2003, Exchange Server 2003 SP2, Exchange Server 2007, or Exchange Server 2007 SP1." So I guess the 2nd scenario is not supported. The http://msexchangeteam.com/archive/2004/08/30/222719.aspx link has info on W2K3. It says "All Exchange servers in the org must be Exchange 2003 SP1 +". So I guess the first scenario is OK. Might be worth posting a comment on the Exchange product group's blog in case they have more recent info.

[A2]

I know about that article and what is stated there. That was the reason WHY I asked my question. I was wondering if Exchange 2003 WITH SP2 supports Domain Rename in both w2k3 and w2k8 AD. It looks like:

Domain Rename W2K3 AD with E2K3SP2 = OK

Domain Rename W2K8 AD with E2K3SP2 = NOT OK

[A3]

Windows Server 2008 Answer? –> http://technet.microsoft.com/en-us/library/cc794909.aspx

The Windows Server 2008 domain rename operation is not supported in an Active Directory forest that contains Exchange Server 2003, Exchange Server 2003 Service Pack 2 (SP2), Exchange Server 2007, or Exchange Server 2007 Service Pack 1 (SP1).

[A4]

Same info, different article. Two sources mention this… does anyone know *WHY*:

W2K3 AD + E2K3 SP2 = OK

W2K8 AD + E2K3 SP2 = NOT OK

[A5]

I found this snippet.

As part of PrepareAD, the Exchange Server 2007 setup tool stamps the Active Directory with a number of server names in GUID and fully-qualified domain name (FQDN) formats. This is to enable Exchange Server 2007 to fulfill a much-requested feature: don’t require WINS. Unfortunately, from a Domain Rename perspective, this means that once PrepareAD has occurred, it’s too late to go back. At that time, the ONLY option for a domain rename is to remove ALL Exchange servers. That includes any Exchange 2000 Servers or Exchange Server 2003 servers which may be in the environment. The goal is to be able to remove the Organization container in Active Directory (which removing the last Exchange server in a forest will do). Having an updated schema is not an issue. Once the Organization container is gone, a domain can be renamed and Exchange re-installed. But that’s a very very dangerous option. Doing a full active directory migration to a new forest may be safer. Consider yourself informed! Until next time…

As always, if there are items you would like me to talk about, please drop me a line and let me know!

http://theessentialexchange.com/blogs/michael/archive/2008/04/04/exchange-2007-and-domain-rename.aspx

[A6]

Got word. They never tested it (W2K8 AD + E2K3 SP2). The reason for that is that people almost always choose migration over rename. Third-party apps most of the time do not support rename.

#################

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Exchange Server, OCS/Lync Server, Sharepoint Server, SQL Server, Windows Client, Windows Server

(2009-06-19) Provisioning To AD And OCS Through ILM 2007

Posted by Jorge on 2009-06-19


To provision IM-enabled AD accounts, this is what you can do in your provisioning code for the AD MA (example code snippet from my test/demo environment):

    If mventry("im").Value.ToLower = "yes" Then
        Dim strSIPDomain As String
        Dim strSIPHomeServer As String
        Dim strSIPAddress As String

        ' Both values come from the MA parameter XML file (see below); because it is
        ' concatenated directly, sipdomain must include the leading "@".
        strSIPDomain = AD_DS_Production_USERS_MA_Params("sipdomain")
        strSIPHomeServer = AD_DS_Production_USERS_MA_Params("siphomeserver")

        ' SIP address derived from the display name: "John Smith" -> sip:John.Smith@<sipdomain>
        strSIPAddress = "sip:" & Replace(mventry("displayName").Value, " ", ".") & strSIPDomain

        AD_DS_Production_USERS_CsEntry("msRTCSIP-PrimaryUserAddress").Value = strSIPAddress
        ' DN of the OCS pool, written as a plain string (not a reference attribute, see below)
        AD_DS_Production_USERS_CsEntry("msRTCSIP-PrimaryHomeServer").Value = strSIPHomeServer
        AD_DS_Production_USERS_CsEntry("proxyAddresses").Values.Add(strSIPAddress)
        AD_DS_Production_USERS_CsEntry("msRTCSIP-OptionFlags").Value = "256"
        AD_DS_Production_USERS_CsEntry("msRTCSIP-ArchivingEnabled").Value = "0"
        AD_DS_Production_USERS_CsEntry("msRTCSIP-UserEnabled").BooleanValue = True
    End If

sipdomain and siphomeserver are values stored as parameters in an XML file. Another thing to note is that msRTCSIP-PrimaryHomeServer needs the DN of an OCS pool, but it is NOT a reference attribute: it is a string attribute, so the DN is written as plain text.
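As an added example (not code from the original post or from ILM), here is the same provisioning decision done ad hoc with the RSAT ActiveDirectory PowerShell module, with the one check the rules-extension snippet above does not make: a SIP address derived from displayName is not unique, so before stamping msRTCSIP-PrimaryUserAddress and proxyAddresses the function looks for an existing user that already carries that URI and refuses to create a duplicate. The user, the SIP domain (including the leading "@", exactly as the ILM parameter is expected to carry it) and the OCS pool DN are placeholders.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory module; the
# account name, SIP domain and pool DN passed in are placeholders.
Import-Module ActiveDirectory

# Escapes a value for use inside an LDAP filter (RFC 4515), so a displayName containing
# "(" or "*" cannot change the meaning of the duplicate check below.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)] [string] $Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Enable-OcsUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $SipDomain,   # e.g. '@contoso.com', leading "@" included
        [Parameter(Mandatory)] [string] $PoolDn       # DN of the OCS pool, stored as a plain string
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties displayName, proxyAddresses, msRTCSIP-PrimaryUserAddress
    if (-not $user.displayName) {
        throw "$SamAccountName has no displayName to derive a SIP address from"
    }

    # Same derivation as the ILM code: "John Smith" -> sip:John.Smith@contoso.com
    $sip = 'sip:' + ($user.displayName -replace '\s+', '.') + $SipDomain

    # Two users called John Smith would get the same URI; refuse rather than break sign-in for both.
    $escaped = ConvertTo-LdapFilterValue $sip
    $clash = Get-ADUser -LDAPFilter "(|(msRTCSIP-PrimaryUserAddress=$escaped)(proxyAddresses=$escaped))" `
                        -SearchBase (Get-ADDomain).DistinguishedName |
             Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
    if ($clash) {
        throw "SIP address $sip is already used by $(@($clash).DistinguishedName -join ', ')"
    }

    $replace = @{
        'msRTCSIP-PrimaryUserAddress' = $sip
        'msRTCSIP-PrimaryHomeServer'  = $PoolDn     # DN as string, matching the ILM note above
        'msRTCSIP-OptionFlags'        = 256
        'msRTCSIP-ArchivingEnabled'   = 0
        'msRTCSIP-UserEnabled'        = $true
    }

    # proxyAddresses is multi-valued: add the sip: entry only if it is not already there.
    if ($user.proxyAddresses -contains $sip) {
        Set-ADUser -Identity $user -Replace $replace
    } else {
        Set-ADUser -Identity $user -Replace $replace -Add @{ proxyAddresses = $sip }
    }

    $sip
}

# Usage (placeholders):
# Enable-OcsUser -SamAccountName 'jsmith' -SipDomain '@contoso.com' -PoolDn '<DN of the OCS pool>'
```

The LDAP filter search runs against the whole domain because the uniqueness that matters for SIP routing is forest-wide; in a multi-domain forest, point -Server at a global catalog and -SearchBase at the forest root instead.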

Cheers,

Jorge


Posted in Identity Lifecycle Manager (ILM), OCS/Lync Server