Thursday, October 25, 2007

How to create a user-defined service in Windows

Run the following command at the command prompt. The Windows Resource Kit must be installed on the machine. Both paths contain spaces, so quote them:

"C:\Program Files\Resource Kit\Instsrv.exe" <my Service> "C:\Program Files\Resource Kit\Srvany.exe"

  1. Open Registry Editor and go to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<my service>
  2. From the Edit menu, click Add Key. Type the following and click OK:
    Key Name: Parameters
    Class : <leave blank>
  3. Select the Parameters key and from the Edit menu, click Add Value. Type the following and click OK:
    Value Name: Application
    Data Type : REG_SZ
    String : <path>\<application.ext>

where <path>\<application.ext> is the drive and full path to the application executable, including the extension (e.g., C:\WinNT\Notepad.exe).
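To review what the procedure above leaves behind, this added PowerShell example (not from the original post) lists every service that runs through Srvany.exe, the program named in its Parameters\Application value, and the account it runs as. The function name Get-SrvanyService is hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the original post. Lists every service whose
# ImagePath runs Srvany.exe and the program it launches on start.
function Get-SrvanyService {
    param(
        [string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )

    foreach ($key in Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue) {
        $svc = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        # Skip anything that is not wrapped by Srvany.exe.
        if (-not $svc -or $svc.ImagePath -notmatch 'srvany\.exe') { continue }

        # The wrapped program lives in <service>\Parameters\Application.
        $paramPath = "$($key.PSPath)\Parameters"
        $app = $null
        if (Test-Path -LiteralPath $paramPath) {
            $app = (Get-ItemProperty -LiteralPath $paramPath -ErrorAction SilentlyContinue).Application
        }

        # Check that the configured target is still present on disk.
        $exists = $false
        if ($app) { $exists = Test-Path -LiteralPath $app -PathType Leaf }

        [pscustomobject]@{
            Service      = $key.PSChildName
            ImagePath    = $svc.ImagePath
            RunsAs       = $svc.ObjectName   # account the service logs on as
            Start        = $svc.Start        # 2 = automatic, 3 = manual, 4 = disabled
            Application  = $app              # $null when the Parameters step was skipped
            TargetExists = $exists
        }
    }
}

Get-SrvanyService | Format-Table -AutoSize
```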

-------------- End of Document -----------------

Tags: Windows XP, Windows Server 2000, Windows Server 2003

Published Date: 20071025

Saturday, October 13, 2007

How to control AD replication using RepAdmin

Replication is controlled by the Options attribute on the NTDS Settings object as shown in the following table. The Options attribute value is found in ADSIEdit by browsing to Configuration -> Sites -> <Site Name> -> Servers -> <Server Name> -> NTDS Settings.

RepAdmin Option

NTDS Settings/Options attribute value


Enable Inbound and Outbound


Enable Inbound, Disable Outbound


Enable Outbound, Disable Inbound


Disable Inbound and Outbound



Using RepAdmin /Options

Repadmin /options <dcname> <+/-> <DISABLE_INBOUND_REPL/DISABLE_OUTBOUND_REPL>

Here is what it looks like when you disable or enable replication via RepAdmin using the /Options switch. Note that the minus (-) character in front of an option negates the disable, that is, it enables replication in that direction. To disable replication, use the plus (+) sign: +DISABLE_INBOUND_REPL, for example.

To enable both inbound and outbound replication:

C:\>repadmin /options wtec-dc1

Current DC Options: IS_GC

To enable only outbound replication:
C:\>repadmin /options wtec-dc1 -disable_outbound_repl
New DC Options: IS_GC

To disable only inbound replication:
C:\>repadmin /options wtec-dc1 +disable_inbound_repl
Current DC Options: IS_GC

To disable inbound and outbound replication:

C:\>repadmin /options wtec-dc1 +disable_outbound_repl +disable_inbound_repl

Current DC Options: IS_GC


repadmin /Options * is a good command that produces a quick report to determine if any other DCs have replication purposely disabled.

CAUTION: These commands remain in effect until changed. That is, if you turn on the Disable inbound repl feature, it will remain on (i.e., inbound replication is disabled) until you enable replication again using the -disable_inbound_repl option.

There are several reasons why you would want to do this:

  1. If a report such as repadmin /replsum /bysrc /bydest /sort:delta shows that replication has not happened in the past 60 days (tombstone lifetime), you would want to disable outbound replication. Of course, if you have strict replication enabled you will be OK, but it's better to be safe than sorry in this instance. The RepAdmin command is quick and easy. Note that in this case there is really no need to disable inbound replication since the danger is in replicating outbound. Still, I suggest that you play it safe and do both until you determine the existence of lingering objects.
  2. If you suspect corruption or issues with a domain controller that you don't want replicated, this command is an easy way to prevent replication from that source. Remember, you can remotely execute RepAdmin. And the DCList option in RepAdmin can be used to specify a single DC, or an asterisk (*) can be used to specify all DCs.
  3. For Authoritative Restore: Authoritative restoration is used to move the Active Directory back in time by taking a single system state backup from an earlier date, stopping replication on a DC, then restoring the backup using NTDSUtil's Authoritative Restore feature. When it boots into normal mode and replication is enabled (using RepAdmin), this copy of the Active Directory is pushed out as authoritative and all DCs get a copy. Since you typically want to at least disable inbound replication before starting this -- and then enable it again -- it's easy to forget after the restore that you need to re-enable replication.
  4. Lag Sites can be another cause for replication failure. Lag sites are scheduled to replicate only once or twice per week to provide a sort of online backup for a quick authoritative restore. In case of a disaster recovery situation, such as deleting an OU, it's important to disable replication on the lag site DC(s). Some prefer to simply keep replication disabled on the lag DC(s) and manually re-enable it when they want replication. Again, it's easy to forget that it was purposely disabled.
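
The Options attribute and the +/- switches described above, as an added PowerShell example (not from the original post): it decodes an Options value into flag names, reports which direction of replication is disabled, and applies repadmin-style switches to a value. The bit values are the NTDSDSA_OPT_* constants from Microsoft's MS-ADTS specification, not from this page; the function names, the DC names other than wtec-dc1, and the sample values are constructed.

```powershell
# Added example, not from the original post. Bit values are the
# NTDSDSA_OPT_* constants from Microsoft's MS-ADTS specification.
$NtdsDsaFlags = [ordered]@{
    IS_GC                 = 0x1
    DISABLE_INBOUND_REPL  = 0x2
    DISABLE_OUTBOUND_REPL = 0x4
}

# Integer Options value -> flag names, as repadmin prints them.
function ConvertFrom-NtdsOptions {
    param([int]$Value)
    @($NtdsDsaFlags.Keys | Where-Object { $Value -band $NtdsDsaFlags[$_] })
}

# Apply repadmin-style switches ("+flag" sets the bit, "-flag" clears it).
function Update-NtdsOptions {
    param([int]$Value, [string[]]$Switches)
    foreach ($s in $Switches) {
        $sign = $s.Substring(0, 1)
        $name = $s.Substring(1).ToUpper()
        if (-not $NtdsDsaFlags.Contains($name)) { throw "Unknown flag: $s" }
        if     ($sign -eq '+') { $Value = $Value -bor  $NtdsDsaFlags[$name] }
        elseif ($sign -eq '-') { $Value = $Value -band (-bnot $NtdsDsaFlags[$name]) }
        else   { throw "Switch must start with + or -: $s" }
    }
    $Value
}

# Constructed sample: DC name -> Options value as read in ADSIEdit.
$sample = [ordered]@{ 'wtec-dc1' = 1; 'dc2-example' = 5; 'dc3-example' = 7 }

foreach ($dc in $sample.Keys) {
    $v = $sample[$dc]
    [pscustomobject]@{
        DC       = $dc
        Options  = $v
        Flags    = (ConvertFrom-NtdsOptions $v) -join ' '
        Inbound  = $(if ($v -band 0x2) { 'DISABLED' } else { 'enabled' })
        Outbound = $(if ($v -band 0x4) { 'DISABLED' } else { 'enabled' })
    }
}

# What "repadmin /options <dc> +disable_outbound_repl +disable_inbound_repl"
# does to a GC whose Options value is 1:
Update-NtdsOptions -Value 1 -Switches '+disable_outbound_repl', '+disable_inbound_repl'
```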

-------------- End of Document -----------------

Tags: Active Directory, Windows Server 2000, Windows Server 2003

Published Date: 20071003