demoted Domain Controller still present in SCOM

If you demote a Domain Controller, SCOM will generate a lot of alerts. By design, there is no automatic undiscovery of the Rules and Monitors for the Active Directory roles.

Solution 1

This solution removes all disabled class instances from an existing object. It will not change any other properties of the object.

  • Open the Operations Management Shell
  • Type in this command:

  • Stop the System Center Management service
  • Delete the folder C:\Program Files\System Center Operations Manager\Agent\Health Service State
  • Start the System Center Management service

Solution 2

This solution only clears the agent cache. Sometimes this is sufficient, if the server discovery / undiscovery has already completed correctly:

  • Stop the System Center Management service
  • Delete the folder C:\Program Files\System Center Operations Manager\Agent\Health Service State
  • Start the System Center Management service
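The cache-clearing steps shared by Solution 1 and Solution 2, as an added PowerShell example that is not from the original post. It assumes the agent service name HealthService (display name "System Center Management") and the default agent path named in the steps, and it refuses to delete the folder while the service is still running, because the agent holds the files open.

```powershell
# Added example (not from the original post): clear the SCOM agent cache safely.
# Assumptions: the service name is 'HealthService' (display name "System Center
# Management") and the agent uses the default path named in the steps above.
$serviceName = 'HealthService'
$statePath   = 'C:\Program Files\System Center Operations Manager\Agent\Health Service State'

$svc = Get-Service -Name $serviceName -ErrorAction Stop
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $serviceName
    # The folder is locked while the service runs; wait until it has really stopped
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(120))
}
if ((Get-Service -Name $serviceName).Status -ne 'Stopped') {
    throw "$serviceName did not stop, leaving '$statePath' untouched"
}

if (Test-Path -LiteralPath $statePath) {
    # Without its local state the agent requests its configuration (rules,
    # monitors, discovered instances) again from the management server.
    Remove-Item -LiteralPath $statePath -Recurse -Force
}

Start-Service -Name $serviceName
Write-Output ("{0} is now {1}" -f $serviceName, (Get-Service -Name $serviceName).Status)
```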

Solution 3

This solution removes the entire object and then recreates it through its discovery. The new object will no longer be discovered as a Domain Controller. The new object will have a new GUID, and any overrides on the old object will be lost.

recover deleted BitLocker Recovery Information

Today I had a request from a first-level admin who needed the BitLocker recovery password for an already deleted computer object. Here is what I came up with:

Please note that you need to be a Domain Admin (or equivalent) to be able to read the Deleted Objects container. The tombstones have a limited lifetime; after it expires, you can no longer access the recovery passwords.
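How the tombstoned recovery information can be queried, as an added PowerShell example that is not the script from the original post. It assumes the ActiveDirectory module, the Domain Admin rights noted above, an unexpired tombstone, and uses placeholders for the deleted computer name and the recovery key ID; the hyphenated attribute names are quoted because PowerShell would otherwise split them.

```powershell
# Added example (not the script from the post): list BitLocker recovery passwords
# that survive as tombstones after their computer object was deleted.
# Assumptions: ActiveDirectory module, Domain Admin rights for the Deleted Objects
# container, tombstone lifetime not yet expired. The two search values are placeholders.
Import-Module ActiveDirectory

$computerName = 'DELETED-PC-PLACEHOLDER'   # name of the deleted computer object
$keyIdPrefix  = 'XXXXXXXX'                 # first 8 chars of the recovery key ID shown at boot

$props  = 'lastKnownParent', 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenChanged'
$filter = '(&(isDeleted=TRUE)(objectClass=msFVE-RecoveryInformation))'

Get-ADObject -LDAPFilter $filter -IncludeDeletedObjects -Properties $props |
    Where-Object {
        # lastKnownParent keeps the DN the object sat under before it was deleted;
        # the tombstone name still starts with the original "<date>{<key id>}" CN
        $_.lastKnownParent -like "CN=$computerName,*" -or $_.Name -like "*{$keyIdPrefix*"
    } |
    ForEach-Object {
        $guidBytes = [byte[]]$_.'msFVE-RecoveryGuid'
        [pscustomobject]@{
            Computer  = (($_.lastKnownParent -split ',')[0]) -replace '^CN=', ''
            KeyId     = if ($guidBytes) { (New-Object Guid (,$guidBytes)).ToString() } else { $null }
            Password  = $_.'msFVE-RecoveryPassword'
            DeletedAt = $_.whenChanged
        }
    }
```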

Clone your Active Directory in 18 minutes using VMware

Anyone out there who runs a successful Microsoft Windows Active Directory knows that it is pre-eminently useful to have a test environment that very nearly represents your production environment…to do…you know…testing!

I thought I would give that a try, and here’s what I came up with:

  1. Shut down and clone a virtual Domain Controller with a 50GB disk drive, 10 minutes.
  2. Attach the virtual DC to a totally private network, visible only to other virtual machines on the same box, 15 seconds.
  3. Restart the cloned DC, 1 minute.
  4. Seize FSMO roles from Domain Controllers that aren’t in this private network, 3 minutes.
  5. Sit back in wonder, 45 seconds.

These simple steps aren’t completely error free. Because the DC I chose was a replication partner of a bunch of other DCs and Active Directory sites, it was necessary to do some tweaking to remove the “defunct” Domain Controller properties from the Active Directory. That process is documented well here: Remove old Domain Controller Settings from FRS and the Domain. If you have a lot of remote Domain Controllers and you only need your clone for a little test, it may be too expensive to remove all remote DCs. In this case you can create this registry value, so your clone no longer waits for its replication partners:
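Seizing the FSMO roles on the clone (step 4 of the list above), as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module and that it runs on the clone itself, and it first checks that none of the role holders the clone still knows about can be reached, so the seizure cannot accidentally hit a clone that is still attached to the production network.

```powershell
# Added example: seize all five FSMO roles on the cloned DC, but only after
# verifying the clone is isolated (none of the current role holders answers).
# Runs on the clone; $clone defaults to the local computer name.
Import-Module ActiveDirectory
$clone  = $env:COMPUTERNAME
$domain = Get-ADDomain
$forest = Get-ADForest

# Role owners as the clone still believes them to be (from its copy of the directory)
$holders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
             $forest.SchemaMaster, $forest.DomainNamingMaster) |
           Where-Object { $_ -and $_ -notlike "$clone.*" } | Sort-Object -Unique

$reachable = $holders | Where-Object {
    Test-Connection -ComputerName $_ -Count 1 -Quiet -ErrorAction SilentlyContinue
}
if ($reachable) {
    throw "Not isolated: role holder(s) still reachable: $($reachable -join ', '). Aborting."
}

$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
# -Force seizes instead of transfers, which is what the disconnected clone needs
Move-ADDirectoryServerOperationMasterRole -Identity $clone -OperationMasterRole $roles -Force -Confirm:$false

# Show the new owners
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
```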

unwilling Server

I have been working in information technology for over 15 years, but I had never before received a server response that is so straight and funny at the same time:

The server is unwilling to process the request.

Maybe the server could do it, but it doesn’t like to. The error above was caused by this simple VBScript, when the user Test-User has the group Domain Users defined as its primary group:
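An added PowerShell check that illustrates the cause (it is not the VBScript from the post): Active Directory refuses to remove a user from the group that is currently its primary group, so the function compares the user's primaryGroupID with the group's RID (primaryGroupToken) before calling Remove-ADGroupMember. The identities Test-User and Domain Users are taken from the text above.

```powershell
# Added example: remove a user from a group, but skip the user's primary group,
# which is the case that produces "The server is unwilling to process the request".
# Assumed identities: Test-User and Domain Users (from the text above).
Import-Module ActiveDirectory

function Remove-UserFromGroupSafely {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Group
    )
    $u = Get-ADUser  -Identity $User  -Properties primaryGroupID
    $g = Get-ADGroup -Identity $Group -Properties primaryGroupToken   # RID of the group

    if ($u.primaryGroupID -eq $g.primaryGroupToken) {
        # Primary-group membership is held in the user's primaryGroupID, not in the
        # group's member attribute, so the directory refuses the removal.
        Write-Warning "$Group is the primary group of $User; set another primary group first"
        return $false
    }
    Remove-ADGroupMember -Identity $g -Members $u -Confirm:$false
    return $true
}

Remove-UserFromGroupSafely -User 'Test-User' -Group 'Domain Users'
```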

Notify AD user with mail when password expires

In my environment I have a lot of users who never come to the office but need remote access to the company network. For this they have an AD user account whose password expires after 90 days by company policy. Because they never log on to a domain computer, they don’t get the “Change Password Request” when the password expires. So one day they end up with a blocked account that they need for syncing their mobile phone or for remote access over VPN. So I wrote a little script that notifies every user by mail about the expiring password:
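The notification logic the post describes, as an added PowerShell example that is not the author's script. It assumes the ActiveDirectory module and an SMTP relay and sender address given as placeholders, and it reads the computed attribute msDS-UserPasswordExpiryTimeComputed so that fine-grained password policies are honoured instead of assuming a fixed 90 days.

```powershell
# Added example: mail users whose domain password expires within $WarnDays.
# Placeholders: SMTP server and sender address.
Import-Module ActiveDirectory
$WarnDays   = 14
$SmtpServer = 'smtp.example.internal'         # placeholder
$From       = 'it-support@example.internal'   # placeholder

$props = 'mail', 'msDS-UserPasswordExpiryTimeComputed'
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' -Properties $props

foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 = must change at next logon, Int64.MaxValue = never expires: nothing to warn about
    if (-not $raw -or $raw -eq [long]::MaxValue -or -not $u.mail) { continue }
    $expires  = [datetime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - (Get-Date)).TotalDays)
    if ($daysLeft -lt 0 -or $daysLeft -gt $WarnDays) { continue }

    $body = @"
Hello $($u.Name),

your password expires on $($expires.ToString('yyyy-MM-dd')) ($daysLeft day(s) left).
Please change it before that date; otherwise the account will be blocked and
VPN access and mobile phone sync will stop working.
"@
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.mail `
        -Subject "Your password expires in $daysLeft day(s)" -Body $body
}
```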

Remove all disabled users from distribution lists

Because of company policy we don’t delete users who leave; we disable them instead. The Exchange mailbox is removed after some months. For this, incoming mails have to be forwarded to an Exchange contact with an unresolvable address, so the sender receives an error message.

Because of this, we need to remove the disabled users from all distribution lists. Otherwise, senders receive error messages each time a message is sent to a distribution list that contains disabled users.

To automate this, I wrote a script. You can filter it by OU and run it first in display-only mode before you definitively remove the disabled users from all distribution lists.
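The OU-filtered, display-only-first behaviour described above, as an added PowerShell example that is not the author's script. It assumes the ActiveDirectory module and a placeholder OU; display-only mode is implemented by passing the switch through to -WhatIf, so the same code path is exercised without changing any group.

```powershell
# Added example: remove disabled user accounts from every distribution group
# under an OU. With -DisplayOnly the removals are only shown (-WhatIf), not made.
# The OU distinguished name is a placeholder.
Import-Module ActiveDirectory

function Remove-DisabledUsersFromDistributionLists {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # OU to filter on
        [switch]$DisplayOnly
    )
    $groups = Get-ADGroup -Filter 'GroupCategory -eq "Distribution"' -SearchBase $SearchBase
    foreach ($g in $groups) {
        # Only direct members that are users; nested groups are left untouched
        $members = Get-ADGroupMember -Identity $g | Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            $user = Get-ADUser -Identity $m.distinguishedName
            if ($user.Enabled) { continue }
            Write-Output ("{0}: disabled member {1}" -f $g.Name, $user.SamAccountName)
            Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false -WhatIf:$DisplayOnly
        }
    }
}

# First pass: show only. Drop -DisplayOnly to perform the removals.
Remove-DisabledUsersFromDistributionLists -SearchBase 'OU=Users,DC=example,DC=internal' -DisplayOnly
```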

Find AD-User from Email-Address

Have you ever searched for a specific e-mail address in your Active Directory? If so, you will know that there isn’t a dedicated field for e-mail addresses.

Go to Active Directory Users and Computers (ADUC).

Right click on the domain and choose Find.

Select Custom Search in the Find field and Entire Directory in the In field.

Select the Advanced tab and type this LDAP query: