When making changes to Active Directory, like Schema updates, it is recommended to make a backup of AD. It is also recommended to perform these changes on an offline Domain Controller, perform your tests, and the only then replicate the changes to the remaining DCs. The topic of this article is about backing up AD.

NTDSutil provides a mechanism to perform backups on your domain controllers.

  1. Open an elevated command prompt and run NTDSutil.
  2. Run activate instance ntds to set the active instance to “ntds“.
  3. Type snapshot.
  4. Then Create.

For more details on NTDSutil: http://technet.microsoft.com/en-us/library/cc753343(v=WS.10).aspx


Time synchronization is an important aspect for all computers on the network. By default, the clients computers get their time from a Domain Controller and the Domain Controller gets his time from the domain’s PDC Operation Master. Therefore the PDC must synchronize his time from an external source. I usually use the servers listed at the NTP Pool Project website. Before you begin, don’t forget to open the default UDP 123 port (in- and outbound) on your firewall. 

  1. First, locate your PDC Server. Open the command prompt and type: C:\>netdom /query fsmo
  2. Log in to your PDC Server and open the command prompt.
  3. Stop the W32Time service: C:\>net stop w32time
  4. Configure the external time sources, type: C:\> w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com
  5. Make your PDC a reliable time source for the clients. Type:C:\>w32tm /config /reliable:yes
  6. Start the w32time service: C:\>net start w32time
  7. The windows time service should begin synchronizing the time. You can check the external NTP servers in the time configuration by typing: C:\>w32tm /query /configuration
  8. Check the Event Viewer for any errors.

Tested on Windows Server 2008 R2 (Build 7600).

There are a couple ways to determine your Windows AD Schema Version: ADSIedit.msc and/or LDP.exe. In this article I use ADSIedit.msc.

Note: The sample domain used in this article is Servusinc.com. Substitute this domain with your own AD domain.

  1. Open “ADSIEdit.msc ”
  2. Navigate to: “CN=Schema,CN=Configuration,DC=ServusInc,DC=com”
  3. Right-click on “CN=Schema,CN=Configuration,DC=ServusInc,DC=com” and select properties.
  4. Scroll down to “objectVersion” attribute.
  5. The value of this attribute will tell you the schema version.


13 -> Windows 2000 Server

30 -> Windows Server 2003 RTM, Windows 2003 With Service Pack 1, Windows 2003 With Service Pack 2

31 -> Windows Server 2003 R2

44 -> Windows Server 2008 RTM

47 -> Windows Server 2008 R2

This is an article I first published a couple of years ago to check what schema version a customer was running when performing an Exchange upgrade.  There have since been official articles published by Microsoft, but I prefer to keep my own blog post for easy access.

This article outlines how to find the Exchange schema and version in of your Exchange schemas. There is also a list of the schema versions per build type.

To find the attributes listed below use Adsiedit.msc. When you launch asdiedit.msc there are 3 containers listed.

  • Domain: [Domain Controller FQDN]
  • Configuration: [Domain Controller FQDN]
  • Schema: [Domain Controller FQDN]

Read More →

Being able to easily delegate access to domain systems is essential for administrators to enable necessary IT staff to manage their environments. The proper OU structure along with the deployment of Active Directory GPOs makes this a fairly simple task.

GPOs can be used to add users or groups to local admins or to replace the existing memberships. Using GPOs ensures access is granted uniformly and consistently for a specific group of systems, ideally separated by their OU placement.

Read More →

When managing Exchange 2007, the recipient scope for Exchange Management Shell (EMS) and Exchange Management Console (EMC) defaults to the domain where the Exchange servers are located. Recipient scope refers to the specified portion of the Active Directory directory service hierarchy that the Exchange Management Console and the Exchange Management Shell uses for recipient management. When you set the recipient scope to a specific location within Active Directory, you can view and manage all recipients stored in that location and all of the containers under it. If your environment has multiple domains, then you may need to change the scope of recipients to find specific accounts. Read More →

Recently, the time on all of my domain computers was out of sync. Each computer in my domain had the same time, but it was about 10 minutes slow. Domain computers get their time from your domain controller(s), so I looked into syncing the time of my DC with an internet time server. The steps below can be used to sync your DC with an internet time server.

Read More →