How to reduce lsass.exe bandwidth traffic

Go to windows firewall > Advance Settings >  Inbound Rules > Active Directory Domain Controller – LDAP (UDP-in) and change the connection to “Allow the connection if it is secure”.


If rule not exists, other than AD server create a new rule and apply.


List Domain Users having the dial-in permission in AD

List Domain Users having the dial-in permission in AD

Download the RRAS-vbs script and save the file.

Once script  execution completes it will output a file called rras_vpn_users.txt in same folder as script.

Using Dsquery :

Run command prompt on a Domain Controller and then run the below command.

dsquery * -Filter “(&(objectCatgegory=person)(objectClass=user)(msNPAllowDialin=TRUE))”


PowerShell Get-ADUser (with AD modules):

Get-ADUser -LDAPFilter “(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))”

What are the new features in the AD DS in Windows Server 2012

What are the new features in the AD DS in Windows Server 2012

Active Directory design remains same like DC, ADC, RODC, FSMO roles etc.

New features have been added to make it easy for the administrators for managing the Active Directory.

  • DCPROMO has been deprecated
  • More dependent upon Server Manager for installing Active Directory
  • Active Directory Recycle Bin has now a GUI – Click here for more details.
  • Different password policies can now be easily applied within the same domain
  • Virtualized domain controllers can now be safely cloned since Active Directory is now aware to changes in the virtualization environment
  • Active Directory Federation Services (ADFS) have been introduced into the Kerberos token
  • New capabilities have been added in Active Directory Certificate Services(AD CS), as below:
    • All AD CS role services is now supported on any Windows Server 2012 version
    • AD CS has been fully integrated with Server Manager
    • AD CS can now be deployed and managed via PowerShell
    • AD CS now supports automatic certificates renewal for non-domain joined computers
    • International domain names are now supported
  • Active Directory Right Management Services (AD RMS) now supports Remote Deployment.
  • Bit Locker can now be installed before the Operating system is deployed unlike previous OS versions where Bit Locker was provisioned post installation.
    • Administrator can choose if entire volume needs to be encrypted or only used space, unlike previous OS versions that encrypt entire volume including free space.
    • New Network Unlock feature that doesn’t prompt you to enter TPM+PIN in a domain environment  by automatically unlocking the Operating System at system reboot provided system is connected to a trusted wired corporate network.  It is generally useful while installing software patches in unattended fashion to desktops and servers.


  • Active Directory PowerShell History Viewer User Interface- Click here to know about this feature.
  • Fine-Grained Password Policy User interface
  • Active Directory Replication & Topology Cmdlets
  • Dynamic Access Control
  • Active Directory Based Activation (BA): To activate Windows 8 or Windows Server 2012.
  • Group Managed Service Accounts
  • Windows Server 2012 promotions employ an indefinite retries
  • Flexible Authentication Secure Tunneling (FAST)
  • Volume Activation Management Tool (VAMT)- Click here to know about VAMT.

Setting Up Domain Controller With Windows Server 2012

In Windows Server 2012, dcpromo has been deprecated.

In order to make the windows server 2012 domain controller we will install ADDS (Active Directory Domain Services) role from the server manager on Windows Server 2012.

First we will change the server name let say server2012dc and  the IP address as shown below.

Installing AD DS Role

“Before You Begin” screen provides you basic information such as configuring strong passwords, IP addresses and Windows updates.

On Installation Type page, select the first option “Role-based or Feature-based Installation“.

Scenario-based Installation option applied only to Remote Desktop services.

On the “Server Selection” Page, select a server from the server pool and click next.

To install AD DS, select Active Directory Domain Services in turn it will pop-up to add other AD DS related tools. Click on Add Features.

After clicking “Add Features” above, you will be able to click “Next >” as shown in the screen below.

On the “Select Features” Page, Group Policy Management feature automatically installed during the promotion. Click next.

On the “Active Directory Domain Services” page, it gives basic information about AD DS. Click Next.

On the “Confirmation” Page, You need to confirm this to continue with this configuration. It will provide you an option to export the configuration settings and  also if you want the server to be restarted automatically as required.

After clicking “Install” the selected role binaries will be installed on the server.

After “Active Directory Domain Services” role binaries have been installed and now it is time to promote the server to a Domain Controller.

Promoting Windows 2012 Server to Domain Controller

To create a new AD forest called “ArabITPro.local”, select add a new forest.

Type the name ArabITPro.local

Specify the FFL, DFL, whether or not it should be a DNS Server and also the DSRM administrator password. As you can see, it has selected the GC option by default and you cannot deselect it. The reason for this is that is the very first DC of the AD forest and at least one needs to be a GC.

DNS delegation warning.

Checks the NetBIOS name already assigned.

Specify the location of the AD related folders and then click next.

Summary Of All Installation Options/Selections.

Click View script for single command  line powershell script for dcpromo.

Before the actual install of AD, all prerequisites are checked. If All prerequisite checks are passed successfully then click Install.

When you click Install, DNS and the GPMC are installed automatically.

After the promotion of the server to a DC finished server restart automatically.

Once the server is booted and you logon to it, click on  Server Manager | Tools ,  will notice that following have been installed :

•Active Directory Administrative Center

•Active Directory Domains and Trusts

•Active Directory Module for Windows PowerShell

•Active Directory Sites and Services

•Active Directory Users and Computers

•ADSI Edit


•Group Policy Management

nslookup response Default Server Unknown, Address ::1

nslookup response Default Server Unknown, Address ::1

When I do a nslookup, I get the response listed below:

Default Server:  UnKnown
Address:  ::1

As far as I can verify, EDNS0 is disabled, PTR records exist for the server in the zone. Also, on the server, if I uncheck the IPv6 protocol in the TCP/IP properties of the NIC, this issue goes away.


Check the IPv6 settings to obtain DNS server address automatically

Change the preferred DNS server from ::1 to obtain DNS server address automatically.

Microsoft Account Lockout and Management Tools for AD

Microsoft Account Lockout and Management Tools for AD

ALTools.exe is the free tool from Microsoft to help administrators to troubleshoot account related problems in the Active Directory.

The Account Lockout and Management Tools can be downloaded from Microsoft Download Link. We can install these tools on a workstation, domain controller or on any member server.

ALTools includes below 7 add-ons having their own role. Let’s see how these add-ons can help administrators in troubleshooting.

  1. Accinfo.dll will create an additional tab, called Additional Account info, in the Active Directory Users and Computers console. This tab can be used to check user details, like logon, password details, bad password counts, logon counts etc.
  2. ALockout.dll creates a log file for troubleshooting lockout problems by determining which process or application is sending wrong credentials. Microsoft recommends DONOT use this tool on servers hosting services or applications (including Exchange Servers).
  3. ALoInfo.exe displays user’s information, like account names and their expiry and password age.
  4. EnableKerbLogs.vbs allows Kerberos to log on to all clients running Windows 2000 and later.
  5. EventCombMT.exe collects event logs from different machines and stores them to one central location.
  6. LockoutStaus.exe display the list of all domain controllers involved in account lockout.
  7. NLParse.exe extracts and display entries from the Netlogon log files.