I ran into an odd problem with one of the Windows systems at a customer that was running with a very high CPU load. The system is running Windows Server 2012 R2 with the DirectAccess role enabled. Upon further investigation it seemed that the SQL Server process that is running the Windows Internal Database for DirectAccess was to blame here:
In his blog post Richard used the GUI to manually create an additional index to reduce the CPU load on the DirectAccess server. Because I was having this issue on multiple servers I decided to create a PowerShell module based on his instructions. I have finalized the PowerShell module and made it publicly available: FixDaDatabase
The module comes with three cmdlets:
To get started with the module either download the module from GitHub, the TechNet Script Gallery or the PowerShell Gallery. In order to install the module directly from the PowerShell gallery run the following command:
Install-Module -Name FixDaDatabase -Verbose
First we run Get-DaDatabaseIndexStatus to establish if an Index is already present on the system:
Since the additional Index is not available the Add-DaDatabaseIndex cmdlet can be used to create the Index:
To verify the results of this cmdlet the Get-DaDatabaseIndexStatus cmdlet can be used:
After creating the additional Index the CPU load of the system dropped down significantly within a minute:
The module is available at the following locations:
I ran into some issues with one of the ADFS setups at one of my clients and I decided to run some troubleshooting. In order to gather more data on what is happening in your ADFS environment additional logging can be configured. My first step in this process was to check the enabled logging on the system:
After confirming that SuccessAudits and FailureAudits were not configured I added those to the logging results for troubleshooting purposes:
Now when an ADFS request is processed there will be logging available in the Application Log and it is easier to pinpoint and troubleshoot issues with your ADFS configuration.
For further analysis, I would recommend the ADFS Diagnostics Module created by the ADFS team. It is available here: ADFS Diagnostics Module
There are a number of useful cmdlets available in this module that can aid in troubleshooting your ADFS configuration. The Test-AdfsServerHealth cmdlet is particularly useful for finding common misconfigurations:
Additionally the Get-AdfsServerTrace cmdlet simplifies tracing a user request for troubleshooting purposes, for example using the following cmdlet:
New PowerShell 4.0 updates have been released as part of the Windows Management Framework 4.0 (WMF 4.0). With WMF 5.0 released and then later temporarily retracted from the download center, there might be some confusion about who this patch is for. I hope to clear up some of that in this blog post.
Now that we have captured the account information both when the account was just created and after the account was restored, we can use this information to see which attributes, if any, have changed. To make this comparison the Compare-Object cmdlet can be used. To be able to compare these AD objects, each variable is first piped into Out-String and then split up into an array of strings.
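The comparison described above, as an added example that is not code from the original post: two constructed objects stand in for the account as captured after creation and after restore. The function name Compare-AccountSnapshot, the domain name and all attribute values are assumptions made for illustration.

```powershell
# Constructed sample data standing in for the two captures of the account
# (for example the output of Get-ADUser -Properties *). Values are made up.
$before = [pscustomobject]@{
    SamAccountName    = 'jaap'
    DistinguishedName = 'CN=Jaap,CN=Users,DC=example,DC=test'
    Enabled           = $true
    MemberOf          = @('CN=Helpdesk,CN=Users,DC=example,DC=test')
    whenChanged       = '2014-01-10 09:15:02'
    uSNChanged        = 24601
}
$after = [pscustomobject]@{
    SamAccountName    = 'jaap'
    DistinguishedName = 'CN=Jaap,CN=Users,DC=example,DC=test'
    Enabled           = $true
    MemberOf          = @('CN=Helpdesk,CN=Users,DC=example,DC=test')
    whenChanged       = '2014-01-10 09:42:37'
    uSNChanged        = 24688
}

# Hypothetical helper: reports every attribute line that differs between captures.
function Compare-AccountSnapshot {
    param(
        [Parameter(Mandatory = $true)] $Before,
        [Parameter(Mandatory = $true)] $After
    )
    # Render an object as "Name : Value" text, then split it into an array of lines.
    # -Width 4096 keeps long values on one line. Note that Format-List shows only the
    # first $FormatEnumerationLimit (default 4) values of a multi-valued attribute.
    $toLines = {
        param($Object)
        ($Object | Format-List -Property * | Out-String -Width 4096) -split "\r?\n" |
            ForEach-Object { $_.TrimEnd() } |
            Where-Object { $_ }
    }
    Compare-Object -ReferenceObject (& $toLines $Before) -DifferenceObject (& $toLines $After) |
        ForEach-Object {
            [pscustomobject]@{
                Snapshot = if ($_.SideIndicator -eq '<=') { 'Before' } else { 'AfterRestore' }
                Line     = $_.InputObject
            }
        }
}

Compare-AccountSnapshot -Before $before -After $after | Format-Table -AutoSize
```

Attributes that are identical in both captures produce no output, so any line listing group membership or the enabled state in the result is a difference to review after the restore.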
Lately I have been playing around with the AD Recycle Bin on Windows Server 2012. It is a useful feature that was introduced in Server 2008 R2 and has been improved in Server 2012. New features include:
AD Object restore from GUI
Restore of an entire OU
To enable this feature using PowerShell the following line of code should be executed:
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
This command creates a new account named Jaap with $ecret01 as the password. To be able to set a password this string is first converted into a SecureString. To verify that this account was created we can query it using Get-ADobject:
Get-ADobject -Filter 'samaccountname -eq "jaap"'
An alternative, and my personal preference, is to utilize [adsisearcher] to query for AD objects. It has the advantage that it is available natively in PowerShell, in any version. Here is the syntax to query for the account that was just created:
We have now established that the account can be found, so let’s remove the account so it moves to the Active Directory Recycle Bin:
Get-ADobject will return an error and [adsisearcher] will not return any results. This is because the user account is Tombstoned and placed in the Deleted objects container. To get the desired results, the -IncludeDeletedObjects switch should be used: