Brian Svidergol is an Active Directory chef de cuisine, and author of the Active Directory Cookbook.
In addition to AD, Brian specializes in Microsoft infrastructure and Windows cloud-based solutions, as well as Exchange, System Center, virtualization and MDOP. He's an MCT, MCITP (EA), MCITP (VA), MCITP (Exchange 2010) and holds several other industry certifications. He authored the official Microsoft curriculum for Configuring and Troubleshooting Identity and Access Solutions and Windows Server 2008 Active Directory, and has developed Microsoft exams and training.
Essentially, he's the whole enchilada. I interviewed Brian about his AD expertise, his experience in IT and, of course, his peanut butter preference as part of our IT author interview series.
Besides a backup, what is your favorite tool to use to recover from catastrophic AD issues and/or corruption?
The Active Directory Recycle Bin is great for a small catastrophe such as an accidental deletion. For corruption issues, immediately turn off replication for the domain controller farthest from the source of the corruption and then use that as the source for rebuilding the corrupted domain controllers. If possible, turn off replication for any DCs that haven’t gotten the corruption yet!
What is your recommended process to backup AD?
Backing up AD is a bit OS-specific. For Windows Server 2008 R2 and newer, I will use a PowerShell scheduled daily task and store the backup on centralized storage (SAN or file server). The scheduled task will run on domain controllers in at least two sites (and more depending on the architecture). I generally prefer to go with built-in tools for the backups for AD (whereas, for applications like Exchange or SQL, I typically opt for third-party products).
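The scheduled daily System State backup described above, written out as an added example (this is not Brian's own script). It uses only the built-in Windows Server Backup cmdlets and schtasks.exe, so it runs on Windows Server 2008 R2 (snap-in) as well as 2012 and later (module). The share `\\backupsrv\adbackup`, the script path `C:\Scripts\Backup-ADSystemState.ps1` and the 14-day retention are placeholders; the DC's computer account (the task runs as SYSTEM) needs write access to the share, and the Windows Server Backup feature must be installed on the DC.

```powershell
# Backup-ADSystemState.ps1 -- added example, not the interviewee's script.
# Daily System State backup of this domain controller to a central file share.
param(
    [string]$ShareRoot = '\\backupsrv\adbackup',   # placeholder: central backup share
    [int]$KeepDays     = 14                         # placeholder: retention for dated folders
)

# Windows Server 2008 R2 ships the cmdlets as a snap-in; 2012 and later as a module.
if (Get-Module -ListAvailable -Name WindowsServerBackup) {
    Import-Module WindowsServerBackup
} else {
    Add-PSSnapin Windows.ServerBackup
}

# A network target keeps only one backup version, so write each run to a dated folder per DC.
$Target = Join-Path $ShareRoot ("{0}\{1}" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyy-MM-dd'))
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# System State = NTDS.dit, SYSVOL, registry, COM+ and boot files: everything needed to restore a DC.
$Policy = New-WBPolicy
Add-WBSystemState -Policy $Policy
Add-WBBackupTarget -Policy $Policy -Target (New-WBBackupTarget -NetworkPath $Target)
# Copy backup leaves archive bits alone so a third-party product backing up the same box is unaffected.
Set-WBVssBackupOptions -Policy $Policy -VssCopyBackup
Start-WBBackup -Policy $Policy

# Prune dated folders older than the retention window (PSIsContainer keeps this PowerShell 2.0 compatible).
Get-ChildItem (Join-Path $ShareRoot $env:COMPUTERNAME) |
    Where-Object { $_.PSIsContainer -and $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item -Recurse -Force

# Surface a failed job to the scheduler as a non-zero exit code so it shows up in monitoring.
$Last = Get-WBJob -Previous 1
if ($Last.JobState -ne 'Completed') {
    Write-Error "AD System State backup failed: $($Last.ErrorDescription)"
    exit 1
}

# Run once on each DC (elevated) to register the task. SYSTEM authenticates to the share
# with the DC's computer account, so no service-account password is stored in the task.
#   schtasks.exe /Create /F /TN "AD System State Backup" /SC DAILY /ST 02:00 /RU SYSTEM /RL HIGHEST `
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup-ADSystemState.ps1"
```

Registering the same task on DCs in at least two sites gives the redundancy Brian describes; the dated folders also let you pick a backup from before a corruption or bad change, rather than only the most recent one, and the folders should be restricted to the DCs' computer accounts and the backup operators.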
With the growing popularity of Virtual Servers, do you see the appropriateness of "Backup Domain Controllers" changing in SMB/E?
I’m all in for virtualization. However, that doesn’t impact the number of domain controllers required for most organizations. A “Backup Domain Controller” is really just a non-FSMO role holding DC (virtual or physical). Today, most organizations require a physical DC for complete data center shutdowns (whereby the virtual environment relies on AD to come up and if AD is only virtualized, delays and other issues can crop up).
Do you have a rule of thumb when a Backup Domain Controller should be implemented with regards to a single site?
#1 - Thinking about branch offices/remote sites, I typically opt for a read-write DC if the site has a secure data center or server room (having a secure data center or server room is often indicative of the size or importance of a site too). For small sites without a secure data center or server room, I will use an RODC with limited password caching if the site has limited bandwidth, requires other servers or services on site, or has enough people. The number of people varies; typically 50-75 people is a good place to start, but I've deployed DCs for offices of only 15, too.
#2 - Thinking about single site companies – I always deploy a minimum of 2 domain controllers no matter the number of people or servers/services.
What do you think is the coolest thing you can do with Active Directory? What about the most overlooked feature? Most improperly used?
Coolest – restore all deleted users in a one-line PowerShell command.
Overlooked feature – PowerShell and/or Active Directory Recycle Bin – I rarely get the right answers when I interview people about these topics!
Most improperly used? Without a doubt, Group Policy!
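The "restore all deleted users" one-liner Brian mentions, written out as an added example with the checks around it (this is not the book's recipe or Brian's own code). It assumes the ActiveDirectory module (RSAT) and an account with rights on the Deleted Objects container; the last pipeline is the one-liner itself.

```powershell
# Added example, not from the Active Directory Cookbook.
# Restore every deleted user that the AD Recycle Bin can still bring back.
Import-Module ActiveDirectory

# The Recycle Bin is a forest-wide optional feature; EnabledScopes is empty when it is off.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    throw 'AD Recycle Bin is not enabled: deleted objects are plain tombstones and cannot be fully restored.'
}

# Deleted objects sit in CN=Deleted Objects. Computer objects also carry the "user" class, so
# exclude them explicitly. isRecycled marks objects whose deleted-object lifetime has expired
# (or that were already tombstones when the feature was enabled); those are gone for good.
$deletedUsers = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user" -and objectClass -ne "computer"' `
                             -IncludeDeletedObjects -Properties lastKnownParent, isRecycled, whenChanged |
                Where-Object { -not $_.isRecycled }

# Preview before touching anything: who, where they lived, and roughly when they were deleted.
$deletedUsers | Select-Object Name, lastKnownParent, whenChanged | Format-Table -AutoSize

# Restore-ADObject puts each object back under lastKnownParent with SID, group memberships and
# attributes intact. If the parent OU was deleted too, restore the OU first (same cmdlet, with
# objectClass organizationalUnit) or pass -TargetPath to put the users somewhere else.
$deletedUsers | Restore-ADObject -Confirm:$false
```

Because the SID survives, ACLs and group memberships keep working after the restore, which is the whole point over re-creating the account; it also means a restore re-grants whatever access the account had, so the preview step is where you check that every object in the list should come back.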
Any Active Directory horror stories to share?
I have a customer that called me years ago because AD was acting strange: a couple of FSMO roles were suddenly unavailable. I got connected in remotely and fixed the problem. A couple of weeks later, they called back. Nobody could log in, none of the AD user accounts were working, and it was thought to have been a malicious attack.
The biggest problem was that I couldn't get in remotely, as the VPN relied on AD. Worse, the customer was out of the state. I took the first flight out that day. After arriving, I learned a couple of important details:
1. There weren't any backups.
2. The state had sent an investigator over to confiscate the equipment as it was a state network and state law required it.
When I say equipment, I mean the only domain controllers in the forest. So there I was, in another state, no backups, no domain controllers, and a couple of thousand people unable to gain access to any of the network! I was thinking about ending the story here and giving readers some suspense. But, in the end, I rebuilt AD from the ground up and was able to use a database that contained some key information that allowed me to automate the majority of user object creation. The perpetrator was caught, arrested, and convicted. Turns out it was a former employee (and former member of the Domain Admins group).
If you could have put any non-Active Directory recipe into the cookbook what would it be?
I think I would add a whole chapter on managing Windows Server from the command line (Windows PowerShell, command line utils) – things like finding out if a specific patch was installed on all of the servers (one-liner), finding out the total number of servers that are running Java (or any similar product) which would also be another one-liner, and some other tasks that admins wince at if they aren't using PowerShell!
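The two command-line tasks Brian names (is a given patch on every server, and how many servers run Java), as an added example that is not from the book. It assumes the ActiveDirectory module, WMI and PowerShell remoting reachable on the servers, and uses a placeholder KB number; the Java check reads the Uninstall registry keys rather than `Win32_Product`, which is slow and triggers MSI reconfiguration on every query.

```powershell
# Added example, not a recipe from the Active Directory Cookbook.
Import-Module ActiveDirectory
$Kb = 'KB1234567'   # placeholder: the update you are checking for

# Every enabled server object in the domain, by name.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true' |
           Select-Object -ExpandProperty Name

# Patch check: pull the full hotfix list once per server over WMI (Win32_QuickFixEngineering)
# and look for the KB, so an unreachable host is reported as "unknown" rather than "missing".
$patchState = foreach ($s in $servers) {
    try {
        $hotfixes = Get-HotFix -ComputerName $s -ErrorAction Stop
        $hit = $hotfixes | Where-Object { $_.HotFixID -eq $Kb }
        [pscustomobject]@{ Server = $s; Installed = [bool]$hit; InstalledOn = $hit.InstalledOn; Note = '' }
    } catch {
        [pscustomobject]@{ Server = $s; Installed = 'unknown'; InstalledOn = $null; Note = $_.Exception.Message }
    }
}
"Servers without $Kb (or unreachable):"
$patchState | Where-Object { $_.Installed -ne $true } | Format-Table -AutoSize

# Java inventory: read the 64-bit and 32-bit Uninstall keys on each server in parallel via remoting.
$java = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' } |
        Select-Object DisplayName, DisplayVersion
}
$javaHosts = $java | Select-Object -ExpandProperty PSComputerName -Unique
"Servers running Java: $($javaHosts.Count) of $($servers.Count)"
$java | Sort-Object PSComputerName | Format-Table PSComputerName, DisplayName, DisplayVersion -AutoSize
```

The version column is what makes the Java list useful to a security team: an inventory of which servers run an old runtime is the first step of patching it, and the same pattern works for any product name you substitute in the `-like` filter.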
What are the features that you feel are missing from AD that IT departments could use to help maintain or troubleshoot AD?
I think self-service is missing from AD (although it is in add-on products like Forefront Identity Manager). Today, users are all about self-service (whether updating their AD info, managing groups, adding themselves to open groups, resetting their password without the help of IT, etc.). Self-service is also beneficial to IT and allows IT to focus on more important tasks.
On the troubleshooting side, there are tons of tools (old and new), lots of scripts, and many built-in methods. What’s missing is having all of that in one place, in one GUI, on every server. You have to manage based on OS version, PowerShell version, and which tools are available which is really inefficient. Once every domain controller is running Windows Server 2008 R2 or later, you will have just about everything you need out of the box.
In regards to GPO design, what is your recommended best practice for applying to various OUs? What's the best method to get the most out of Group Policy without increasing complexity (ability to troubleshoot issues) or increasing something as basic as user logon times?
There are only two good reasons for creating OUs – delegation of administration and Group Policy. Many organizations design the OU structure first and think about it like it is a file server when it comes to the hierarchy. I prefer to keep the OU structure as simple as possible in order to meet the delegation and Group Policy requirements (and until I know those requirements I can’t design the OU layout). When possible, minimize the total number of GPOs, minimize the number of GPOs linked to the domain level, avoid blocking inheritance and enforcing GPOs, use security group filtering and WMI filtering to avoid blocking inheritance, perform half-yearly audits to clean up unused GPOs, unlinked GPOs, and duplicate GPOs, and use a standard naming convention for GPOs.
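The half-yearly GPO audit Brian recommends, as an added example (not his script): it inventories every GPO and flags the ones that are unlinked, empty, enforced or linked at the domain root, lists OUs that block inheritance, and checks names against a naming convention. The GroupPolicy and ActiveDirectory modules (RSAT) are assumed, and the `^(C|U|CU)-` name pattern is a placeholder for whatever convention you use.

```powershell
# Added example, not the interviewee's own audit script.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDns   = (Get-ADDomain).DNSRoot          # SOMPath of a domain-root link is the bare DNS name
$namePattern = '^(C|U|CU)-'                    # placeholder naming convention: prefix by scope

$audit = foreach ($gpo in Get-GPO -All) {
    # The XML report carries the links (LinksTo) and the configured settings (ExtensionData).
    [xml]$r = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links  = @($r.GPO.LinksTo | Where-Object { $_ })   # @() of $null would count as one link
    [pscustomobject]@{
        Name         = $gpo.DisplayName
        Status       = $gpo.GpoStatus
        LinkCount    = $links.Count
        Enforced     = @($links | Where-Object { $_.NoOverride -eq 'true' }).Count
        DomainLinked = [bool]($links | Where-Object { $_.SOMPath -eq $domainDns })
        Empty        = (-not $r.GPO.Computer.ExtensionData) -and (-not $r.GPO.User.ExtensionData)
        NameOK       = $gpo.DisplayName -match $namePattern
        Modified     = $gpo.ModificationTime
    }
}

'--- Unlinked GPOs (candidates for removal) ---'
$audit | Where-Object { $_.LinkCount -eq 0 } | Format-Table Name, Modified -AutoSize
'--- Empty GPOs (linked but configure nothing; still cost logon time) ---'
$audit | Where-Object { $_.Empty -and $_.LinkCount -gt 0 } | Format-Table Name, LinkCount -AutoSize
'--- Enforced or domain-linked GPOs (review each one) ---'
$audit | Where-Object { $_.Enforced -gt 0 -or $_.DomainLinked } | Format-Table Name, Enforced, DomainLinked -AutoSize
'--- GPOs outside the naming convention ---'
$audit | Where-Object { -not $_.NameOK } | Format-Table Name -AutoSize

# OUs that block inheritance: each one is a troubleshooting trap, so list them explicitly.
'--- OUs blocking inheritance ---'
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    if ((Get-GPInheritance -Target $_.DistinguishedName).GpoInheritanceBlocked) { $_.DistinguishedName }
}

# Duplicate detection by name only; compare settings reports for GPOs with similar names.
'--- Possible duplicates (same name ignoring case/spaces) ---'
$audit | Group-Object { ($_.Name -replace '\s', '').ToLower() } | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $_.Group.Name -join ' / ' }
```

Run it from a workstation with RSAT rather than on a DC, and keep the output from each audit: the "Modified" column plus a previous run tells you which GPOs nobody has touched since the last review, which is usually the unlinked and empty set Brian is talking about cleaning up.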
Given that PDC/BDC is old school (or Old Skool for the hipsters) terminology, what do YOU call it?
I just call it a plain old domain controller! I still work with people that use PDC/BDC terminology. But the reality is, it is a multi-master system and all DCs are equivalent for many AD functions. I try to steer people toward referring to the specific FSMO role if needed. In such a case, I might say the RID Master or PDC Emulator.
If AD was food, how would it taste?
At first I was thinking chocolate, but I changed my mind! Now I’m thinking cereal. People don’t think about cereal when they think about food. But it is a staple item. AD is like that – people just sort of know it is there, expect it will be good, and move onto their next thought!
What is your writing process like?
Depends on what I’m writing. I think for people that don’t write, they would be surprised to see the amount of work it takes to get a paragraph written! What you know in your head and what you've done a thousand times…you can’t just write it down. You have to test it. Maybe you want to copy/paste from the successful running of the command straight into the book. If what you're writing about is new (for example, I’m working on some Windows Server 2012 R2 material), you have to test what you know to be true in previous versions. Testing means building labs too! If you are writing about trusts, the building of labs and testing can take hours or days. All for a few pages of text.
Writing is also very process heavy. You are writing based on a design. There is a detailed outline of what has to be covered. There is a detailed style which varies based on the publisher. There are templates, and Word add-ins, macros, specialized document transfer methods, and versioning control systems. Deadlines. Often, you need to submit a certain amount of material per week (chapter, module, etc.). Then that gets reviewed by a technical reviewer (or two). You update based on the comments of the technical reviewer(s). Then it goes to a content development manager or similar role. You update again. Then it goes to at least one editor. You update again.
During all of these updates, you are supposed to be working on the next chapter! So a ton of hours goes into writing. And writing an entire book can mean hours a day 7 days a week for several months. And for most people, this occurs after you are done working at your regular day job. For me, I tend to work in spurts. 20 minutes of writing, play some Words With Friends or Scramble With Friends, then 20 minutes of writing. Repeat several times. Each week, I’ll also usually spend at least a few hours working in my home lab getting it ready for my current or next project (and if with beta software, running through an install process 8 or 10 times).
With all of that said, I enjoy it all. In a perfect world, I would design a book exactly as I want, write it as time allows, and then review the heck out of it to ensure high quality and low errors. In that perfect world, I would release the book at the same time that the software goes RTM too!
When did you become interested in IT as a career? If you didn't go into IT, what would you have done? What was your dream career as a kid?
I was into computers ever since I was a little kid. When we took winter vacations to the mountains, I brought my computer and so did my cousin. Who does that when laptops weren't around yet?! I didn't realize that an IT career was possible until I was in my mid to late twenties. Quite late! I was so happy when I realized that I could make a living out of it.
If I didn't go into IT, I may have ended up as a career salesman! As a kid, I only wanted to be rich. I still owe my Aunt Denise the Ferraris that I promised I would buy her when I was a kid. I never had a dream career as a kid only because I didn't know that computers could be a career then!
What is your best piece of advice for IT professionals?
Spend time at work and outside of work honing your skills, adding new skills to your wheelhouse. If your skills are only made up of what you get out of your day job, it will be very difficult to get ahead in IT (there are exceptions, of course). Build a home lab. Even if just a single computer with Hyper-V and some VMs. It will make a world of difference. Get certified – the studying alone is worth it. When you are all done at the end of the day… ask yourself if you did everything you could that day to better yourself and your career! If I could give everybody only one piece of advice, it would be to build the home lab.
Do you have any other books in the works?
Right now, I'm buried in some other writing and writing-related work. I'm working as a writer on several Microsoft Official Curriculum courses, as a Microsoft certification exam item writer, and as a reviewer on several certification-related books. I’m hoping to get a book project going again by the beginning of 2014.
What do you do in your spare time?
In my spare time, I fill it up and stay super busy. I have a wife and a 4 year old son. I spend a couple of hours of one on one time with my son every single day (gives the wife a break for a while). I really like gaming – whether on my phone, computer, or console. My son Jack is just getting into console gaming so I’m looking forward to that quite a bit. Other stuff that keeps me busy – I’m Jack’s soccer coach, I lift weights and play basketball – although if you ever saw me, you would be sure I've never lifted weights in my life. Favorite games are mostly word games, chess, car racing, and first person shooters. I was fascinated with Age of Empires II for a long time (and that was years after it was released)! Jack and I go outside every day to ride bikes, swim, ride scooters, find bugs, and play with friends too.
Crunchy or smooth peanut butter?
Smooth. Any crunch in my peanut butter is bad.
What are your thoughts on bacon?
Bacon goes with almost anything. I like it on pizza, on burgers, in burritos, by itself, etc. The smell of bacon cooking is burned into my brain.
--
Thank you, Brian! Do you have AD troubles? The Spiceheads with the best questions will win a free copy of his e-book, Active Directory Cookbook!