I am at the point of my working career where effectively I don’t need to be managed, I know my role, I know how to behave and I am also very aware of what will happen if I don’t perform. I have learned to ask what the priorities to the business are and I work to them accordingly, senior people within the organisation know I will get things done if given an open road and the opportunity to deliver.

With certain professions there comes a certain point in time where you have to take a step back and think am I still as effective as I once was, when professionals such as footballers and athletes face this question they often take up management or coaching roles which enables them to mentor the new talent that is coming through their profession, though this usually does not happen overnight.

I feel that am fast approaching the professional crossroads of my career, I regularly ask myself, Am I as effective as I once was? Am I still relevant? My current answer is yes, but I am aware that technology is constantly evolving and soon technology will creep up on me and when it does, it will mean that I will have to learn an entirely new set of skills, at which point I will ask myself the same questions. Am I as effective as I once was? Am I still relevant? This time I will probably answer No.

In preparation for the next phase of my career, I need to find myself a mentor, one who can help to prepare me for the future, so that when I do move into more of corporate management role, just as I now don’t need to be managed, I will know my role and what is expected of me, albeit from a totally different perspective.

So to all the current managers out there, by enabling someone else to do your job, you too maybe able to succeed further – but perhaps only if you also have a mentor.

Originally posted on: linkedIn

Microsoft have updated the must read Active Directory document on Active Directory Forest Recovery.

The guide contains best-practice recommendations for recovering an Active Directory forest if forest-wide failure renders all domain controllers in the forest incapable of functioning normally. The steps, which you must customize for your particular environment, describe how to recover the entire Active Directory forest to a point in time before the critical malfunction. They also ensure that none of the restored domain controllers replicate from a domain controller with potentially dangerous data.

The steps in this guide apply to Active Directory forests where the domain controllers run Microsoft® Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003 operating systems.”

Please ignore the fact that the document is titled “Windows Server 2008: Planning for Active Directory Forest Recovery” it covers all supported versions of Windows Server that can run Active Directory.

April 2013 Update.

Download it here.

I have previously written about this, but feel it’s worthy of another mention.  Microsoft have hidden away on their WHDC (Windows Hardware Developer Central) website, an excellent document on Performance Tuning Guidelines for Windows Server 2008 R2.  It is worthy of a read as it details lots of changes in functionality that can affect performance.

The paper was last updated on the May 16th 2011 and details:

Choosing and Tuning Server Hardware
Performance Tuning for the Networking Subsystem
Performance Tuning for the Storage Subsystem
Performance Tuning for Web Servers
Performance Tuning for File Servers
Performance Tuning for Active Directory Servers
Performance Tuning for Remote Desktop Session Host (formerly Terminal Server)Performance Tuning for Remote Desktop Gateway
Performance Tuning for Virtualization Servers
Performance Tuning for File Server Workload (NetBench)
Performance Tuning for File Server Workload (SPECsfs2008)
Performance Tuning for Network Workload (NTttcp)
Performance Tuning for Remote Desktop Services Knowledge Worker Workload
Performance Tuning for SAP Sales and Distribution Two-Tier Workload
Performance Tuning for TCP-E Workload

October 2012 Update: 

Updated Server Core Installation Option, Correct Memory Sizing for Child Partitions, and Correct Memory Sizing for Root Partition.

September 2012 Update:

Further updates to the Performance Tuning guidance for the TPC-E Workload section

May 2011 Update:

“Performance Tuning for Web Servers” – Updated guidance to reflect that Http.sys manages connections automatically.

“Performance Tuning for File Servers” – Fixed typos in NFS Server tuning parameter registry keys.

“Performance Tuning for Virtualization Servers” – Added information about Dynamic Memory tuning.

“Performance Tuning for TPC-E Workload” – Clarified tuning guidance.

“Resources” – Updated references.

October 15th Update:

Throughout the paper – Clarified some explanations; clarified energy consumption vs. power consumption.

“Interrupt Affinity” – Added recommendation to use device-specific mechanism for binding interrupts, if supported by the driver model.

“Network-Related Performance Counters” – Added IPv6 and TCPv6.

“Performance Tuning for the Storage Subsystem” – Various minor updates throughout.

“Performance Tuning for File Servers” –Added guidance for NtfsDisableLastAccessUpdate; added “Tuning Parameters for NFS Server”, “File Server Tuning Example”, and “File Client Tuning Example”.

“Performance Tuning for Remote Desktop Session Host” – Added references to two new white papers on capacity planning.

“Monitoring and Data Collection” (multiple sections) – Updated the list of counters to monitor.

“Performance Tuning for File Server Workload (SPECsfs2008)” – New section.

“Performance Tuning for SAP Sales and Distribution Two-Tier Workload” – Substantial updates to the whole section.

“Performance Tuning for TPC-E Workload” – New section.

“Resources” – A few additions and updates.

I recently found a need to have Operating System and Service Pack information displayed dynamically in Active Directory Users and Computers rather than have it hardcoded into the Description attribute of the computer object.

I remembered that many moons ago, I had seen Dean Wells demonstrate this ability, so I dug out my notes and thought I would share (but Kudos to Dean).

If you open Active Directory Users and Computers, navigate to an OU and then select View Add/Remove Columns, we can see that the information about the Operating System is not available to add as a column.


But if we right click on a computer object  we can see that the Active Directory knows about the computers Operating System and Service Pack information.


If you view the computers attributes, we can see how these attributes are stored in Active Directory


The attributes I am interested in displaying in Active Directory Users and Computers are:

operatingSystem and operatingSystemServicePack

To add them to the Add/Remove columns tab, logon to the Active Directory with Schema Admin privileges, and start ADSIEDIT.MSC.

Navigate to the Configuration Partition and then DisplaySpecifiers and then select the code page for your language. For me this is 409.


navigate to CN=organizationalUnit-Display double click and navigate to extraColumns


Double Click extraColumns and add the following two values.

operatingSystem,Operating System,0,150,0
operatingSystemServicePack,Service Pack,0,150,0

These values equate to:

<ldapDisplayName>,<Column Title>,<Displayed by default>,<Column Width>,<unused>



Once the values are added, navigate your way out of ADSIEDIT.MSC and open Active Directory Users and Computers.  Once again navigate to an OU and then select View Add/Remove Columns we can now see two additional columns


Select Add to make then available in the displayed columns.


We now have Operating System and Service Pack information available at a glance, but many of the other attributes can be added in exactly the same way.

When troubleshooting Active Directory the first place that most people look is the Windows Server event logs, the event logs can provide a wealth of information about the state of an Active Directory, but by default the recorded information is limited to the logging of critical and error events.

To enable detailed diagnostic logging there are a series of registry keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics which when set to a defined value will populate the information to the event logs.

The defined values are:

Option Description
0 (None) Only critical events and error events are logged. (Default)
1 (Minimal) Very high-level events are recorded in the event log
2 (Basic) Events with a logging level of 2 or lower are logged.
3 (Extensive) Events with a logging level of 3 or lower are logged.
4 (Verbose) Events with a logging level of 4 or lower are logged.
5 (Internal) All events are logged, including debug strings and configuration changes received.

Any logging above level 3 can generate a lot of additional logged information and should be used with caution.

These values can be set against the one or more of these 24 keys


Key Name:


1 Knowledge Consistency Checker

The KCC derives its input configuration from objects in the directory (for example, sites, servers and site links). The KCC reports if these objects are incorrect or missing. Events occurring during a run of the KCC.

Messages fall into the following categories:

KCC runtime errors, such as inconsistencies, resource errors or directory access problems. KCC output configuration problems. The new configuration cannot be built or is incomplete in some way.  Perhaps too many servers are down to build a complete topology at this time.

2 Security Events

Events related to security such as a user who tries to read or write an attribute with insufficient permissions, a user binding through MAPI, or a domain that has been changed to native mode.

3 ExDS Interface Events

Events related to communication between Active Directory and Exchange clients.

4 MAPI Interface Events

Events related to communication between Active Directory and Exchange clients.

5 Replication Events

Events related to outbound replication, where changed objects are found and inbound replication, where these changes are applied to a local database. “Normal” errors during the course of replication, such as a domain controller being down, are not logged. They are kept as status and are available through the replication tools. The errors logged during replication are generally critical inconsistencies that require user intervention, as database errors. The other kind of events logged by the replication category are information about which objects and attributes were updated and why.  Note that many attributes are updated each time replication occurs. Logging detail about attributes can generate a great deal of messages very quickly.

A level of 1 is safe and might be informative as to the general types of operations occurring for replication. A level higher than level 2 can result in filling up the log file and performance degradation.

6 Garbage Collection

Events generated when objects marked for deletion are actually deleted.

7 Internal Configuration

Interpretation and display of the internal directory service operations.

8 Directory Access

Reads and writes directory objects from all sources.

9 Internal Processing

Events related to the internal operation of Active Directory code such as processing security descriptor propagation. Error events in this category might be an indicator of serious problems in Active Directory. When the directory returns the status of “internal error,” this category can be used to identify the problem for Microsoft support. Set this category to 1 on all computers involved (client and server) and reproduce the problem. Note the point in the code where the internal error was raised.

10 Performance Counters

Events related to loading and unloading the NTDS performance object and performance counters.

11 Initialization/Termination

Events related to starting and stopping Active Directory.

12 Service Control

Processes Active Directory service events.

13 Name Resolution

Resolution of addresses and Active Directory names.

14 Backup

Events related to the backup of Active Directory. Specifically, errors occurring when ESE database records are read or written for backup purposes. Generally only logged when a backup operation is underway.

15 Field Engineering

Internal debugging trace.

16 LDAP Interface Events

Events related to LDAP. An example of events logged include the following: the LDAP server closed a socket to a client, unable to initialize LDAP Simple Bind Authentication, and LDAP over SSL is now available.

17 Setup

Events related to running the Active Directory Installation Wizard.

18 Global Catalog

Events related to Global Catalog. For example, “Promotion of this server to a Global Catalog will be delayed for %1 minutes. This delay is necessary so that the required partitions can be made ready before the GC is advertised.

The operations that occurs during this time include the KCC being run to generate the new topology, all read-only partitions in the enterprise being added to this server, and the contents of these partitions being replicated into this system.  If you want to promote the GC immediately without enforcing this precondition, set the registry variable


(sec) to a DWORD value of 0. The GC will be promoted on the next attempt to check preconditions. This value can also be set to the maximum number of seconds that the DSA will wait before promoting to a GC.”

19 Inter-site Messaging

These messages are logged by the “Intersite Message” service, which is a separate service from the directory itself. There are two kinds of messages that are generated in this category:
The ISM Service is responsible for transporting replication messages between sites.
The ISM Service is also responsible for calculating site routes for the KCC to use. Note that the messages in this category are either fatal configuration errors, or informational messages about the amount of traffic being carried.

20 Group Caching

Events related to Universal Group Membership Caching on a domain controller in a site where this feature is enabled. The value is set to an integer from 0 (no logging) through 5 (most verbose logging). Significant events are reported at logging level 2. with many additional events reported at logging level 5.

21 Linked-Value Replication

Events related to Linked-Value Replication.

22 DS RPC Client

Events related to RPC Client

Controls the logging of events that are related to communication with the Directory Service.
Examples of logged events include remote procedure call (RPC) errors, cancelled calls, and service principal name (SPN)– related operations.

Real world example: Only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set diagnostics registry value to 1.

23 DS RPC Server

Controls the logging of events that are related the RPC server service.

Example, during outbound replication and replication setup operations.

24 DS Schema

Events related to the Active Directory schema.

Example of an event logged includes a successful Active Directory Schema updates which records the event with and Event ID of 1582


Two features that I have configured on Facebook that I feel are worth pointing out:

Noise reduction (or increase).

Facebook has introduced a “subscribed” feature for your friends, this allows you to control the amount of noise that is generated on your profile.

The default is “Most Updates” which for most people is enough, but Mrs P., is constantly complaining that I miss a lot of her updates, so Mrs P is now set to “All Updates

If you are fed up of people requesting “more chickens” or to “come and blow up the invading pirates” then you can un-tick “Games” which will remove those updates from your wall.


Stopping unwanted “Friends” from being able to chat you.

When you add a friend to Facebook, there is an option to “categorise” them. I have categorised my “Friends” in to a hierarchy of sorts.


Now if I only want to chat with my family and turn off the feature for everyone else I know, select the “asterix” in your Facebook chat window and select “Limit availability


Ensure Only make available to “Family” is selected, now you will appear only appear in the chat list of your friends you have categorised as family,


If you have not categorised your friends you can do so retrospectively by selecting “Account” and then “Edit friends


I hope this helps and I will be documenting other Facebook features soon – but I am not a Social Media consultant – Eileen Brown of Amastra is.


Microsoft have published an excellent document on Single-Label-Domains in Active Directory Domain Services (AD DS) – Considerations, Migration, and Co-existence. It is well worth a read, even if you are not impacted by this issue.

Management Summary

An Active Directory domain name that contains one or more labels separated by a dot is referred to as a fully qualified domain name with two or more names and it will be referred as FQDN in this document. In contrast there is the concept of single-label domain (SLD), which refers to Active Directory domain names with only one label.

Given that SLD is not a commonly deployed configuration and that many Microsoft and third-party applications have not been tested under an SLD configuration, Microsoft recommends FQDN Active Directory deployments. For companies who have deployed SLD, they should transition to an FQDN Active Directory deployment. This will ensure that they get the most value out of their deployed applications.

For companies that will be evaluating transition to FQDN from SLD configurations, this document describes the options and considerations that they will need to take into account. In particular it describes Domain Migration and Domain Rename operations and explains the different considerations of these two options, so that companies can build a transition plan that makes sense to them.

Long-term, the goal of Microsoft is to have customer infrastructures using common, tested configurations to minimize costs and effort to administrate the Active Directory (AD) and DNS environment. The use of multi-label names is Microsoft’s recommended naming configuration.

Organizations that have SLD configurations should begin by analyzing their current environment to find out the best mitigation option.

Domain rename operations might be feasible in certain scenarios, mainly for smaller organizations or those that can tolerate some outage while removing and reinstalling applications that are incompatible with domain rename.

The migration into a non-SLD forest and domain structure should be well aligned with the product lifecycle and the future IT infrastructure roadmap of the organization.

The transition from a single label to a fully qualified Active Directory domain namespace puts your clients, servers, domain controllers, the operating systems and applications in a namespace configuration that can deliver the following benefits:

  • Provides the broadest application support, including the ability to deploy applications on day 1 after release without fear that support will be deprecated in a future release, will be deferred until a future release, or will never support forests configured with SLDs, possibly even blocking installation in SLDs.
  • Receives the highest number of test passes by Microsoft and third-party application developers
  • Requires the least additional configuration to register and resolve DNS names of interest
  • Delivers the lowest total cost of ownership (TCO) by reducing complex configurations and by consolidating forest and domain structures
  • Enables enhanced security capabilities of new versions of AD DS
  • Aligns the namespace assigned to your forest with same type of namespace assigned to the top thousands of domains deployed and operated by other customers over the last decade or more
  • Receive Microsoft cloud support, because only domains with fully qualified DNS names are supported by Microsoft cloud services such as BPOS and Office 365

Download: Single-Label-Domains in Active Directory Domain Services (AD DS) – Considerations, Migration, and Co-existence