Category Archives: Windows Server 2012

Fix DirectAccess Windows Internal Database – PowerShell Module

I ran into an odd problem with one of the Windows systems at a customer that was running with a very high CPU load. The system is running Windows Server 2012 R2 with the DirectAccess role enabled. Upon further investigation it seemed that the SQL Server process running the Windows Internal Database for DirectAccess was to blame here:


I did some digging around on the web and found this blog post by Richard Hicks that described the exact problem I was experiencing on the DirectAccess servers:
DirectAccess SQL Server High CPU Usage – Richard Hicks

In his blog post Richard used the GUI to manually create an additional index to reduce the CPU load on the DirectAccess server. Because I was having this issue on multiple servers I decided to create a PowerShell module based on his instructions. I have finalized the PowerShell module and made it publicly available: FixDaDatabase

The module comes with three cmdlets:

  • Get-DaDatabaseIndexStatus
  • Add-DaDatabaseIndex
  • Remove-DaDatabaseIndex

To get started with the module either download the module from GitHub, the TechNet Script Gallery or the PowerShell Gallery. In order to install the module directly from the PowerShell gallery run the following command:

Install-Module -Name FixDaDatabase -Verbose


First we run Get-DaDatabaseIndexStatus to establish if an Index is already present on the system:



Since the additional Index is not available the Add-DaDatabaseIndex cmdlet can be used to create the Index:



To verify the results of this cmdlet the Get-DaDatabaseIndexStatus cmdlet can be used:

Get-DaDatabaseIndexStatus -Verbose


After creating the additional Index the CPU load of the system dropped down significantly within a minute:
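The post does not show how the module inspects the Windows Internal Database, so here is an added example of my own (not code from the FixDaDatabase module) that checks whether a named index exists on a table in a WID database. It assumes WID on Server 2012 R2 listens on the named pipe below, that the shell runs elevated on the DirectAccess server itself (WID only accepts local Windows authentication), and that the database, table and index names are placeholders you replace with the ones from Richard Hicks' article.

```powershell
# Added example, not part of FixDaDatabase: query sys.indexes inside a Windows
# Internal Database (WID) instance over its local named pipe.
function Get-WidIndexStatus {
    [CmdletBinding()]
    param(
        [string]$Database  = 'RaAcctDb',          # placeholder: DirectAccess database name (assumption)
        [string]$Table     = 'dbo.ExampleTable',  # placeholder: table the index belongs to
        [string]$IndexName = 'IX_Example',        # placeholder: index name from Richard's article
        [string]$Pipe      = 'np:\\.\pipe\MICROSOFT##WID\tsql\query'  # WID named pipe on 2012/2012 R2
    )

    # Integrated security only: WID has no SQL logins, so the connection runs
    # as the calling (local administrator) account.
    $connString = "Data Source=$Pipe;Initial Catalog=$Database;Integrated Security=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString

    # Parameterised query: the caller-supplied names are never concatenated
    # into the T-SQL text.
    $query = @'
SELECT i.name, i.type_desc, STATS_DATE(i.object_id, i.index_id) AS stats_updated
FROM sys.indexes AS i
WHERE i.object_id = OBJECT_ID(@Table) AND i.name = @IndexName
'@

    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        [void]$cmd.Parameters.AddWithValue('@Table', $Table)
        [void]$cmd.Parameters.AddWithValue('@IndexName', $IndexName)

        $reader = $cmd.ExecuteReader()
        $found  = $reader.Read()
        [pscustomobject]@{
            Database     = $Database
            Table        = $Table
            IndexName    = $IndexName
            Present      = $found
            IndexType    = if ($found) { $reader['type_desc'] }     else { $null }
            StatsUpdated = if ($found) { $reader['stats_updated'] } else { $null }
        }
        $reader.Close()
    }
    finally {
        $conn.Dispose()
    }
}

# Usage: run elevated on the DirectAccess server; Present = $false means the
# index still has to be created.
Get-WidIndexStatus
```

Because the query is parameterised and the pipe only accepts local Windows logons, the function can be run from a monitoring job without handing out SQL credentials; it is the status check, not the index creation, that you want scheduled.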


The module is available at the following locations:

If you have any questions or suggestions for this module feel free to leave a comment below or submit a pull request on GitHub.

All the links mentioned in this article are available below:

Links in this Article
PowerShell Gallery – FixDaDatabase
TechNet Script Gallery – FixDaDatabase
GitHub – JaapBrasser – FixDaDatabase
DirectAccess SQL Server High CPU Usage – Richard Hicks
Direct Access: Windows Internal Database (SQL) High CPU Usage – Thomas Vuylsteke


Troubleshooting ADFS: Enabling additional logging

I ran into some issues with one of the ADFS setups at one of my clients and I decided to run some troubleshooting. In order to gather more data on what is happening in your ADFS environment additional logging can be configured. My first step in this process was to check the enabled logging on the system:


After confirming that SuccessAudits and FailureAudits were not configured I added those to the logging results for troubleshooting purposes:

Set-AdfsProperties -LogLevel ((Get-AdfsProperties).LogLevel+'SuccessAudits','FailureAudits')


To ensure the audit results are visible in the event logs, the ‘Application Generated’ audit subcategory must also be enabled. The following commands verify and configure this:

# Verify the current setting of the subcategory
& "$env:SystemRoot\System32\auditpol.exe" /GET /SUBCATEGORY:"Application Generated"
# Configure success and failure auditing for the subcategory
& "$env:SystemRoot\System32\auditpol.exe" /SET /SUBCATEGORY:"Application Generated" /FAILURE:ENABLE /SUCCESS:ENABLE

Now when an ADFS request is processed, logging will be available in the Application log, which makes it easier to pinpoint and troubleshoot issues with your ADFS configuration.

For further analysis, I would recommend the ADFS Diagnostics Module created by the ADFS team, it is available here:
ADFS Diagnostics Module

There are a number of useful cmdlets available in this module that can aid in troubleshooting your ADFS configuration. The Test-AdfsServerHealth cmdlet is particularly useful for finding common misconfigurations:



Additionally the Get-AdfsServerTrace cmdlet simplifies tracing a user request for troubleshooting purposes, for example using the following cmdlet:

Get-AdfsServerTrace -ActivityId 00000000-0000-0000-8000-0080000000d4

In order to fully disable logging again the following code can be executed:

# Disable the Windows audit subcategory again
& "$env:SystemRoot\System32\auditpol.exe" /SET /SUBCATEGORY:"Application Generated" /FAILURE:DISABLE /SUCCESS:DISABLE
# Remove both audit values from the ADFS log level
Set-AdfsProperties -LogLevel ((Get-AdfsProperties).LogLevel | Where-Object {$_ -notmatch 'Audits'})
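The enable and disable steps above change two independent settings (the ADFS LogLevel and the Windows audit subcategory), and troubleshooting fails silently if only one of them is in place. The following added functions, my own code rather than anything from the post or the ADFS team, wrap both halves idempotently and report whether they agree. They assume the ADFS module is loaded in an elevated shell on the ADFS server, and the status check assumes auditpol prints the English "Application Generated" line (the parser keys on that text).

```powershell
# Added example, not from the original post: idempotent enable/disable of ADFS
# audit logging with a combined status check.
$AuditPol = Join-Path $env:SystemRoot 'System32\auditpol.exe'

function Get-AdfsAuditState {
    $level = (Get-AdfsProperties).LogLevel
    # Assumption: English auditpol output, one line per subcategory.
    $line  = (& $AuditPol /get /subcategory:'Application Generated') |
             Where-Object { $_ -match 'Application Generated' }
    [pscustomobject]@{
        LogLevelSuccess = $level -contains 'SuccessAudits'
        LogLevelFailure = $level -contains 'FailureAudits'
        AuditPolSuccess = [bool]($line -match 'Success')
        AuditPolFailure = [bool]($line -match 'Failure')
    }
}

function Enable-AdfsAuditLogging {
    $level  = (Get-AdfsProperties).LogLevel
    # Append only the audit values that are missing, so the function can be
    # re-run without duplicating entries.
    $wanted = 'SuccessAudits','FailureAudits' | Where-Object { $level -notcontains $_ }
    if ($wanted) { Set-AdfsProperties -LogLevel ($level + $wanted) }
    & $AuditPol /set /subcategory:'Application Generated' /success:enable /failure:enable | Out-Null
    Get-AdfsAuditState
}

function Disable-AdfsAuditLogging {
    & $AuditPol /set /subcategory:'Application Generated' /success:disable /failure:disable | Out-Null
    Set-AdfsProperties -LogLevel ((Get-AdfsProperties).LogLevel | Where-Object { $_ -notmatch 'Audits' })
    Get-AdfsAuditState
}

# Usage: enable, confirm all four flags read True, reproduce the issue, then
# disable again once the trace has been collected.
Enable-AdfsAuditLogging
```

Returning the state object from both functions gives you something to assert on in a runbook: if any of the four flags is False after Enable-AdfsAuditLogging, the audit events you are waiting for will never be written.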

For more information on this subject and to view the links available in this article:

ADFS Logging additional Links
Under the hood tour of Azure AD Connect Health: AD FS Diagnostics Module
ADFS Diagnostics Module


PowerShell 4.0 Update available for 2012/2008R2/Windows 7

New PowerShell 4.0 updates have been released as part of the Windows Management Framework 4.0 (WMF 4.0). With WMF 5.0 released and then temporarily retracted from the download center, there might be some confusion about who this patch is for; I hope to clear up some of that in this blog post.

So first and foremost, this is a PowerShell 4.0 update package, now also released for Windows Server 2012, Windows Server 2008 R2 SP1 and Windows 7 SP1. This update package contains some improvements with regard to DSC and PowerShell logging; please refer to the following two blog articles by the PowerShell team for full details:
Windows Management Framework (WMF) 4.0 Update now available…
Windows Management Framework (WMF) 4.0 Update is coming your way

More importantly, who is this patch intended for? From my perspective this patch is for the following situations:

  • You have WMF 4.0 installed and are in need of the features and fixes offered by this patch
  • Upgrading to PowerShell 5.0 (once it is re-released) is not an option because of incompatibilities which prevent you from upgrading
  • You are in an enterprise environment where roll-outs of completely new versions are limited but patching is possible
  • You are a curious individual and would like to play with the latest, supported, version of PowerShell on your version of Windows


For more information about what is new in this update, please refer to the following article:
What’s New in Windows PowerShell

The WMF 4.0 updates are currently available as separate downloads for the following Windows versions:

Operating System          Service Pack   Prerequisites                                 Update
Windows Server 2012       -              WMF 4.0 is installed and .NET Framework 4.5   KB3119938
Windows Server 2008 R2    SP1            WMF 4.0 is installed and .NET Framework 4.5   KB3109118
Windows 7                 SP1            WMF 4.0 is installed and .NET Framework 4.5   KB3109118
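To turn the table into something you can run across a fleet, here is an added function of my own (not from the post) that reports which KB from the table applies to the local machine, whether the WMF 4.0 and .NET Framework 4.5 prerequisites are met, and whether that KB is already installed. It assumes the OS caption wildcards below identify the three listed versions, and it detects .NET 4.5 through the NDP\v4\Full "Release" registry value, where 378389 is the first .NET 4.5 release number.

```powershell
# Added example, not from the original post: map the local OS to the KB from
# the table above and check the stated prerequisites.
function Test-Wmf4UpdateStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Assumption: OS caption wildcards; 2012 R2 is matched first so it does not
    # fall through to the plain 'Server 2012' entry (it is not in the table).
    $kb = switch -Wildcard ($os.Caption) {
        '*Server 2012 R2*' { $null; break }
        '*Server 2012*'    { 'KB3119938'; break }
        '*Server 2008 R2*' { 'KB3109118'; break }
        '*Windows 7*'      { 'KB3109118'; break }
        default            { $null }
    }

    # .NET 4.5 or later is present when the Release value is >= 378389.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
               -ErrorAction SilentlyContinue

    $kbInstalled = if ($kb) { [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue) } else { $null }

    [pscustomobject]@{
        OperatingSystem = $os.Caption
        ServicePack     = $os.CSDVersion
        PSVersion       = $PSVersionTable.PSVersion
        Wmf4OrLater     = $PSVersionTable.PSVersion.Major -ge 4
        DotNet45Present = [bool]($ndp.Release -ge 378389)
        ApplicableKB    = $kb
        KBInstalled     = $kbInstalled
    }
}

# Usage: run on each candidate machine (e.g. via Invoke-Command) and filter on
# ApplicableKB -ne $null -and KBInstalled -eq $false to find pending installs.
Test-Wmf4UpdateStatus
```

ApplicableKB of $null with KBInstalled of $null means the machine is not one of the three versions the update targets; a $false in Wmf4OrLater or DotNet45Present means the prerequisite, not the update, is what needs attention first.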

For more information about these WMF 4.0 updates and the links in this article, please refer to the links below:

Links in this Article
Windows Management Framework (WMF) 4.0 Update now available…
Windows Management Framework (WMF) 4.0 Update is coming your way
What’s New in Windows PowerShell


Restoring an Object from the AD Recycle Bin

Using the Active Directory Recycle Bin I will demonstrate the consequences of deleting and restoring a Domain Administrator user account, and show which properties are affected or changed.

First off we create a new user which we then add to the Domain Admins group with the following PowerShell commands:

New-ADUser -Name Admin_Jaap -SamAccountName Admin_Jaap -Enabled:$true `
-AccountPassword (ConvertTo-SecureString -AsPlainText 'Secret01' -Force)
Add-ADGroupMember -Identity 'Domain Admins' -Members Admin_Jaap

Then we capture output of Get-ADObject with all properties in a variable:

$BeforeDel = Get-ADObject -LDAPFilter "(samaccountname=Admin_Jaap)" -Properties *

The next step is to delete the user using Remove-ADUser:

Remove-ADUser -Identity Admin_Jaap -Confirm:$false

Now the account can be restored:

Restore-ADObject -Identity $BeforeDel.ObjectGUID -Confirm:$false

Now that the object has been restored, the password that we originally set has been recovered as well. This can be verified by running the following PowerShell command:

Invoke-Command -ScriptBlock {whoami} -Credential admin_jaap -ComputerName dc1

We capture the information stored in AD to the $AfterRes variable:

$AfterRes = Get-ADObject -LDAPFilter "(samaccountname=Admin_Jaap)" -Properties *

Now that we have captured the account information both when the account was just created and after it was restored, we can use it to look at which attributes, if any, have changed. To make this comparison the Compare-Object cmdlet can be used. To be able to compare these AD objects, each variable is first piped into Out-String and then split into an array of strings.

Compare-Object -ReferenceObject (($BeforeDel|Out-String) -split '\n') `
-DifferenceObject (($AfterRes|Out-String) -split '\n') -IncludeEqual

The results show that most attributes are completely unchanged. Attributes containing information related to replication, or to when the object was last changed, are the only attributes that differ.
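Diffing the Out-String rendering works for a quick look but reports a line as changed whenever a multi-valued attribute is merely reordered or wrapped differently. The following added function, my own code rather than part of the post, compares the two captured objects attribute by attribute and flags which differences are the expected replication and modification timestamps. It assumes $BeforeDel and $AfterRes were captured with -Properties * as shown above; the list of attributes expected to change is my assumption, chosen to match the replication and last-changed attributes the post mentions.

```powershell
# Added example, not from the original post: attribute-level comparison of two
# ADObject captures, normalising multi-valued attributes before comparing.
function Compare-ADObjectAttributes {
    param(
        [Parameter(Mandatory)]$Reference,
        [Parameter(Mandatory)]$Difference,
        # Assumption: attributes a restore is expected to touch (replication and
        # last-changed bookkeeping); they are reported but marked Expected.
        [string[]]$ExpectedToChange = @('uSNChanged', 'whenChanged', 'modifyTimeStamp',
                                         'dSCorePropagationData')
    )

    # Union of attribute names present on either side, so an attribute that
    # exists only after the restore is still reported.
    $names = @($Reference.PropertyNames) + @($Difference.PropertyNames) | Sort-Object -Unique

    foreach ($name in $names) {
        # Normalise each attribute to a sorted list of strings so multi-valued
        # attributes compare by content rather than by collection reference.
        $before = @($Reference.$name)  | Where-Object { $null -ne $_ } | ForEach-Object { "$_" } | Sort-Object
        $after  = @($Difference.$name) | Where-Object { $null -ne $_ } | ForEach-Object { "$_" } | Sort-Object

        if (($before -join "`n") -ne ($after -join "`n")) {
            [pscustomobject]@{
                Attribute = $name
                Before    = $before -join '; '
                After     = $after  -join '; '
                Expected  = $ExpectedToChange -contains $name
            }
        }
    }
}

# Usage: anything with Expected = False is a real difference introduced by the
# delete/restore cycle and deserves a closer look.
Compare-ADObjectAttributes -Reference $BeforeDel -Difference $AfterRes | Format-Table -AutoSize
```

For a privileged account such as a Domain Admin, the rows with Expected = False are the ones to review before trusting the restored object: group memberships, userAccountControl and the password-related timestamps should all come back unchanged.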



AD queries and the Active Directory Recycle Bin

Lately I have been playing around with the AD Recycle Bin on Windows Server 2012. It is a useful feature that was introduced in Server 2008 R2 and has been improved in Server 2012. New features include:

  • AD Object restore from GUI
  • Password restore
  • Restore of an entire OU

To enable this feature using PowerShell the following line of code should be executed:

Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
-Scope 'ForestOrConfigurationSet' -Target '' -Confirm:$false

Note that this feature can never be disabled after it has been enabled. To test its functionality we will create a user:

New-ADUser -SamAccountName Jaap -Name Jaap -Enabled:$true `
-AccountPassword (ConvertTo-SecureString -AsPlainText '$ecret01' -Force)
This command creates a new account named Jaap with $ecret01 as the password. To be able to set a password, this string is first converted into a SecureString. To verify that this account was created we can query it using Get-ADObject:

Get-ADObject -Filter 'samaccountname -eq "jaap"'

An alternative, and my personal preference, is to use [adsisearcher] to query for AD objects. It has the advantage that it is available natively in PowerShell, in any version. Here is the syntax to query for the account that was just created:

We have now established that the account can be found, so let’s remove the account so it moves to the Active Directory Recycle Bin:

Remove-ADUser jaap

So now we can try the same query again:

Get-ADObject -Filter 'samaccountname -eq "jaap"'

Get-ADObject will return an error and [adsisearcher] will not return any results. This is because the user account is tombstoned and placed in the Deleted Objects container. To get the desired results, the -IncludeDeletedObjects switch should be used:

Get-ADObject -Filter 'samaccountname -eq "jaap"' -IncludeDeletedObjects

For [adsisearcher] a slightly different approach should be used, the following query will retrieve the deleted user account:

$Searcher = [adsisearcher]'(samaccountname=jaap)'
$Searcher.Tombstone = $true   # include deleted objects in the search
$Searcher.FindOne()

And that is how to query accounts that have been deleted and stored in the AD Recycle Bin.
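As an added example that is not part of the original post, the function below is the [adsisearcher] counterpart to Get-ADObject -IncludeDeletedObjects, covering both the live query and the tombstone query from this post in one place. It looks an account up by sAMAccountName, first among live objects and then, with the Tombstone flag set, among deleted ones, and returns the attributes that tell you where the object went. It assumes the machine is domain-joined and uses 'jaap' as the sample account from above; the RFC 4515 escaping is my own addition so a caller-supplied name cannot alter the filter structure.

```powershell
# Added example, not from the original post: live and tombstone lookups with
# [adsisearcher], returning the attributes that describe a deleted object.
function Find-AdAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$IncludeDeleted
    )

    # Escape LDAP filter metacharacters (RFC 4515) before embedding the name.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                                -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'

    $searcher = [adsisearcher]"(sAMAccountName=$escaped)"
    # Tombstone = $true makes the search include the Deleted Objects container.
    $searcher.Tombstone = [bool]$IncludeDeleted
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]('distinguishedName', 'isDeleted', 'lastKnownParent', 'whenChanged'))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        [pscustomobject]@{
            DistinguishedName = [string]$p['distinguishedname'][0]
            IsDeleted         = if ($p.Contains('isdeleted'))       { [bool]$p['isdeleted'][0] }         else { $false }
            LastKnownParent   = if ($p.Contains('lastknownparent')) { [string]$p['lastknownparent'][0] } else { $null }
            WhenChanged       = $p['whenchanged'][0]
        }
    }
}

# Usage: the first call only finds a live account; the second also returns the
# deleted copy, with IsDeleted = True and lastKnownParent pointing at the OU
# the object was deleted from.
Find-AdAccount -SamAccountName jaap
Find-AdAccount -SamAccountName jaap -IncludeDeleted
```

Because deleted objects keep their sAMAccountName, the same filter works for both calls; lastKnownParent is the attribute you need when deciding where a restore should put the object back.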