Tag Archives: Active Directory

Active Directory Domain Naming Best Practices

It’s quite uncommon to get to setup a new company Active Directory infrastructure from scratch. Usually a customer has some kind of infrastructure in place already which I then help manage, maintain and enhance.

However recently I’ve been tasked with setting up a brand new company’s infrastructure and one of my first tasks was to name the Active Directory domain.

There are a number of possible scenarios:

  • You could use a .local or other non-routable domain
  • You could use an external domain (Split brain DNS)
  • You could use a similar domain to your fqdn e.g. .net instead of .com
  • You could use a sub domain of your fqdn

But which is best?

I guess that depends on your specific scenario.

Certainly if SSL certificates are going to be involved at all (think Exchange) then non-routable domains are out due to recent changes.



After doing some research on the Internet there is no definitive answer, however I have found lots of articles relating to the best practices when naming an Active Directory domain. Rather than duplicate the work of others I have provided links below to some of the most useful webpages I found:







(Incidentally, I went for a sub domain of the fqdn).

 Related Posts:

1. How to install Exchange 2013 (SP1) on Windows Server 2012 R2

2. How to reset the Directory Services Restore Mode (DSRM) password

3. How to install Exchange 2010 (SP3) on Windows Server 2012

ADUC: Object username contains other objects. Are you sure you want to delete object and all objects it contains?

While deleting a few disabled user accounts today I came across a warning message I’ve not encountered before.

Confirm Subree Deletion. Object conatins other objects. Are you sure you want to delete object and all of the objects it contains?

I was only deleting a user account and had already deleted a number of them so what was different about this one?

In ADUC, I selected View – Users, Contacts, Groups and Computers as containers.

ADUC - User, Contacts, Groups and Computers as containers.

I was then able to drill down into the user and see what other objects they contained. It turns out that there was an iPhone listed in the ExchangeActiveSyncDevices for the users.


So, knowing what i was deleting, it was safe to proceed.

PowerShell: Get-ADUser to retrieve logon scripts and home directories – Part 1

PowerShellHaving recently taken on a new client with a system that had been neglected somewhat I wanted to find out about the state of their user accounts.

I’d already looked at a couple of users at random and noticed some users had logon scripts while others didn’t, and some users had home drives while others didn’t.

Although the organisation wasn’t large, they had more than enough user accounts that I didn’t want to manually check every one. So i turned to PowerShell’s Get-ADUser command.
Continue reading

Where are my FSMO roles?


Here is a quick and easy way to find out the location of the FSMO roles. It works from Windows 2008 to Windows 2012, I’ve not tried it on 2003, but then you should of upgraded by now anyway!

Open a Command Prompt.

Type: netdom query FSMO

netdom query fsmoObviously on my SBS server above they are all going to be in one place, but in larger environments, they will quite often be split up and moved from server to server as and when new hardware is introduced and old hardware retired.