The Life of Brian

Active Directory, Group Policies, Server Core and the Life of Brian

Windows 7 Has Brought Michael Scott Back

A couple of years ago I bought a Hauppauge 1600 to go into my Home Theater room.  It worked great with Vista, but like many IT Pros, after many tweaks and configuration changes I decided to reinstall.  Well, little did I know that I had lost my drivers CD and could never download the software for my TV tuner card.  It was a real bummer because although the monitor I bought could display 1080p it was not a TV, it was a monitor, and I needed my TV tuner card to work to be able to watch TV.

I was so pleased that after my install of Windows 7 Ultimate, Windows detected my Hauppauge TV Tuner and I was able to watch and record TV again, especially The Office!!!  By the way, the only reason I needed this was because Sami and I had two other shows that we recorded on our DVR during that time, Supernatural and Fringe.  Seriously, why can’t good shows air on days other than Thursday?

Kudos to Windows 7 for having drivers for a device that I thought I would never use again!

Windows Event log limitations

Not sure how many people modify the size of the Windows Event Logs, but it is something that I like to do simply because the default sizes of most of them are just not enough.  For example, you may remember the default for your System and Application log files was a measly 512 KB.  That logged all of about a day on a really busy application server.

The problem with Server 2003 was that the recommended maximum size for a log file was only around 300 MB and the maximum total size for all Event Log files was around 400 MB.  Do the math and you can see that realistically you aren’t going to be able to realize the benefits of having larger Event Log files.

This has to do with Windows storing the logs in memory.  As you can tell, a 32-bit system would run into some serious memory issues if you wanted to expand the size of several of these.  Thankfully in Server 2008 this has changed.  Microsoft has increased the recommended maximum size of a single log file to 4 GB and of all of them combined to 16 GB.  Of course you will want to make sure you’re running the x64 flavor of Server 2008 to really see this advantage.

Take a look at the following knowledge base article from Microsoft for more info.
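As an added example (not code from the original post), this script compares the configured ceiling of every classic event log with the figures quoted above, so you can see whether a host is already past the Server 2003 limits before growing anything. The limit values are the post's; the 256 MB figure in the trailing comment is an arbitrary illustration.

```powershell
# Added example; not from the original post.  Compares the configured maximum
# size of every classic event log with the ceilings quoted in the post
# (Server 2003: ~300 MB per log, ~400 MB total; x64 Server 2008: 4 GB / 16 GB)
# and warns when a host is configured past them.  Pass your own figures if
# your platform differs.
param(
    [int]$PerLogLimitMB = 300,
    [int]$TotalLimitMB  = 400,
    [switch]$Server2008x64      # switch to the 4 GB / 16 GB figures from the post
)
if ($Server2008x64) { $PerLogLimitMB = 4096; $TotalLimitMB = 16384 }

# Get-EventLog -List returns one System.Diagnostics.EventLog per classic log.
# MaximumKilobytes is the configured ceiling, not the current on-disk size.
$report = foreach ($log in Get-EventLog -List) {
    $maxMB = [math]::Round($log.MaximumKilobytes / 1024, 1)
    New-Object PSObject -Property @{
        Log             = $log.Log
        MaxMB           = $maxMB
        OverPerLogLimit = ($maxMB -gt $PerLogLimitMB)
    }
}

$totalMB = ($report | Measure-Object -Property MaxMB -Sum).Sum
$report | Sort-Object MaxMB -Descending | Format-Table Log, MaxMB, OverPerLogLimit -AutoSize
"Total configured across all logs: $totalMB MB (recommended total: $TotalLimitMB MB)"

if ($totalMB -gt $TotalLimitMB) {
    Write-Warning "Configured log sizes add up to more than the recommended total; on a 32-bit host this is the memory pressure the post describes."
}

# Once you know there is headroom, this is how a single log is grown.  The
# Security log is usually the one that fills first during an investigation;
# 256 MB is an illustration, not a figure from the post.
# Limit-EventLog -LogName Security -MaximumSize 256MB
```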

A Free Office is a Smart Move for Microsoft

I’ve read a few articles this morning concerning Microsoft’s move to release a web version of its upcoming Office 2010 product.  This is a direct shot at Google’s application suite and I think it is going to help Microsoft’s dominance in this market.  Microsoft really isn’t going to lose any major businesses to this free online version.  Corporations are going to continue using the thick client because of the full, rich suite of integrated components that Office has always given them.  This is going to take market share from places like Google because now the folks that wouldn’t pay for Office will be able to benefit from it using this online version.

In the long run I hope to see Microsoft move away from the thick client.  I think Microsoft now needs to come up with an online version that can be hosted within companies.  Some companies won’t move to this mode of operation because of the inherent security risks of hosting your data on Microsoft’s servers.  So I bet the next version of Office will have some new internal online flavor for companies looking to move more toward thin clients and thin apps.

Unable to Change Share Permissions on a File Share Cluster Resource

I ran into a weird issue the other day when configuring permissions on a Share that was clustered.  I couldn’t find much online about this, and the one similar issue from Russ was not the issue here.

Here is a little background info to help set the stage.  An admin changes the permission on the Shared Folder (not the File Share Cluster Resource) that is clustered from Read to Full Control.  This works when connecting to the node explicitly but not with the cluster name.  So he fails over the resource to the other node and notices that the permissions had reset to Read.  This is where I get called in.  I’m thinking this is going to be a very easy 30 second fix (which it ended up being…but more on that later).  I had the admin explain to me what process was followed to change the permission.  Right away I knew that changing the permission on the Shared Folder and not the File Share resource was an issue. 

I went into Cluster Administrator (cluadmin.msc) and went to alter the permissions from Read to Full Control for the group in question and I was presented with the following error:

An error occurred validating the cluster security descriptor
The RPC server is unavailable
Error ID -2147023174 (800706ba)

As most of you know this is a very generic error.  In fact, if there is one error I can’t stand from Microsoft it is the “The RPC server is unavailable” error.  After doing some research and testing we found that we couldn’t even add a new Security Principal to the permissions of this cluster.  It mentioned that the Computer was not part of the domain.  In hindsight I wish I had captured the entire error for you, but I forgot to grab the screen cap for that one.  The name it was referencing was the clustered name.  Well, the cluster name is not going to have an Active Directory account, so I went to check in DNS and sure enough there was no record for this cluster name in DNS.  After adding the record into DNS we were able to immediately change the permission.

There I go again assuming things were set up correctly initially.  I really need to break that wall down and start from the very beginning when I’m troubleshooting.  Ah the things we take for granted when looking at a problem.

New Server Core Guide

Just saw over on the Server Core blog that Andrew posted some links to a couple of excellent resources.  The first one is what I consider to be the Server Core Bible.  It has just about everything you can think of when it comes to configuring Server Core.  The next link is to a couple of job aids that give you a quick look at some common commands.

These job aids actually give me some ideas on some things I’d like to create…now if I only had more time.

OCD with Email

I admit it…I have issues with email.  So much so that I think I may have OCD.  I’m not trying to make fun of anyone that really has that disorder, but I sure feel like I’m obsessed with unread email.  I can’t stand it, in fact.  When a new mail arrives in my inbox I seem to stop what I'm doing and read it.  This is not helpful for someone that gets hundreds of emails a day.  Yes, most are from monitors and alerts that technically I don’t need to read right away, but I can’t stand having those little emails be bolded like they are in Outlook.  I have rules set up to move them into different folders…perhaps I should have rules to mark them as read.  It gets distracting too…like when I’m writing I see an email pop in and jump over to it and read it.  Ohhh, and something that just drives me nuts is when I see someone else's Inbox and it looks like this – Inbox (313).  What are you people thinking…how can you have that many unread messages???  I know you just aren’t as compulsive as me and I'm just extremely jealous.

Tonight I go to my first therapy session – Must Read Email Anonymous…crap, I guess it’s not so anonymous now!  :)

Posted: Thu, Apr 30 2009 11:15 by BrianM | with no comments

Server 2008 R2 Active Directory Webcast

If you’ve got time on such short notice, try to check out the webcast O’Reilly is hosting on What’s New in Active Directory for Server 2008 R2.  It is going to be hosted by two other Directory Services MVPs, Brian Desmond and Laura Hunter.

This is a free event and is scheduled for 90 mins.
Date: Friday, April 24, 2009

Time: 10am San Francisco | 6pm  London | 1pm - New York | Sat, Apr 25th at 3am - Sydney | Sat, Apr 25th at 2am - Tokyo | Sat, Apr 25th at 1am - Beijing | 10:30pm – Mumbai

Registration Link - http://www.oreillynet.com/pub/e/1326

I Love April Fools Day

Everyone has their own reason for loving or hating April Fools Day.  For the last 4 years it has been a day of great joy for me.  I just got the email from Microsoft that I was re-awarded my MVP for Directory Services!  I really think this blog has a lot to do with it, and that means that I’m especially grateful to all 17 people (12 of which are probably family) that read it too!!!  Thanks to all of you for engaging me through the comments and I hope that you will continue.

Here's to another great year of technical discovery in the Life of Brian.

Posted: Wed, Apr 1 2009 8:41 by BrianM | with no comments

Recycling Active Directory Trash with the AD Recycle Bin

Hopefully some of you have been playing with Server 2008 R2 while it has been in Beta.  One of the features I’m looking forward to most is the AD Recycle Bin.  Yes, you heard me correctly.  We now have an easy method for restoring accidentally deleted objects.

In the past our only recovery method out of the box was to perform an authoritative restore of an object.  That method had several issues that always rubbed me the wrong way.  First you had to be in Directory Services Restore Mode (DSRM).  And ever since Server 2003 we could use tombstone reanimation, but that removed most of the non-link-valued attributes, which led to additional work after the restore.  The default tombstone lifetime was 180 days with Server 2003 and 2008.

You are probably already familiar with tombstones and the garbage collection process.  If not, read Gil’s excellent article on that here.  With Server 2008 R2 you will now need to become aware of the Deleted Object and Recycled Object states.  The first thing to realize here is that the AD Recycle Bin is not enabled by default with Server 2008 R2.  The following steps/requirements must first be met:

  1. Raise the Forest Functional Level to Server 2008 R2
  2. Enable the AD Recycle Bin (my example uses PowerShell…get used to it now)
    1. Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=AdminPrep,DC=com" -Scope ForestOrConfigurationSet -Target "AdminPrep.com"
    2. Just make sure to replace AdminPrep with your domain

Now when an object is deleted it is not marked as a tombstone; it is marked as deleted.  It is placed in the Deleted Objects container, which is hidden but can be located at CN=Deleted Objects.  When you want to restore an object there are two methods that I'm aware of, one using PowerShell and the other using LDP.

Using LDP:

  1. Using elevated credentials, open LDP by typing ldp.exe from the Run Dialog box
  2. Click Connections and select Connect and then go back and select Bind
  3. Navigate to the CN=Deleted Objects
  4. Find the object you wish to restore and right-click it and select Modify
  5. In the Modify dialog box:
    1. In Edit Entry Attribute, type isDeleted
    2. Leave the Values box empty
    3. Under Operation, click Delete, and then click Enter
    4. In Edit Entry Attribute, type distinguishedName
    5. In Values, type the original distinguished name (also known as DN) of this Active Directory object
    6. Under Operation, click Replace
    7. Make sure that the Extended check box is selected, click Enter, and then click Run

To restore an object using PowerShell you must use the Get-ADObject and Restore-ADObject cmdlets.  Using PowerShell:

  1. Open the Active Directory PowerShell command Prompt and use the following syntax:
    1. Get-ADObject -Filter {String} -IncludeDeletedObjects | Restore-ADObject
  2. Here is an example of restoring a deleted user account named Brian:
    1. Get-ADObject -Filter {displayName -eq "Brian"} -IncludeDeletedObjects | Restore-ADObject

When restoring multiple items that may be linked (OU or Group that contains Users) you will want to start at the highest level.

An object can only be restored using those methods if it is still within the Deleted Object Lifetime.  The attribute is msDS-deletedObjectLifetime, and if you look it up it will have a null value, which means the default of 180 days applies.
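Putting the PowerShell method, the parent-first rule and the lifetime together, here is an added example (not code from the original post) that restores a deleted subtree one level at a time and reports how much of the deleted-object lifetime each object has left. It assumes the Server 2008 R2 ActiveDirectory module, an enabled Recycle Bin, a placeholder OU (OU=Sales,DC=AdminPrep,DC=com), and that whenChanged approximates the deletion time, so treat the remaining-days figure as an estimate.

```powershell
# Added example; not code from the original post.  Restores a deleted subtree
# parent-first, as the post advises, and reports the remaining deleted-object
# lifetime per object.  Assumes the ActiveDirectory module, an enabled Recycle
# Bin, and that whenChanged (rewritten when AD deletes an object) is a usable
# approximation of the deletion time.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$dsCfg    = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Partition $configNC -Properties 'msDS-DeletedObjectLifetime'

# The attribute reads as null until someone sets it; the post gives the default as 180 days.
$lifetimeDays = if ($dsCfg.'msDS-DeletedObjectLifetime') { [int]$dsCfg.'msDS-DeletedObjectLifetime' } else { 180 }

function Restore-DeletedSubtree {
    param([string]$ParentDN, [switch]$WhatIf)

    # lastKnownParent is DN-syntax: once a parent has been restored, the attribute
    # on its still-deleted children resolves to the parent's live DN again.  That
    # is why restoring top-down works and why this query is rerun per level.
    $children = Get-ADObject -Filter { lastKnownParent -eq $ParentDN } -IncludeDeletedObjects `
                             -Properties lastKnownParent, whenChanged, 'msDS-LastKnownRDN', objectClass
    if (-not $children) { return }

    foreach ($obj in $children) {
        $daysLeft = $lifetimeDays - ((Get-Date) - $obj.whenChanged).Days
        $rdn      = $obj.'msDS-LastKnownRDN'
        if ($daysLeft -le 0) {
            Write-Warning "$rdn ($($obj.objectClass)) is past the deleted-object lifetime; not restorable this way."
            continue
        }
        Write-Host ("Restoring {0} ({1}), about {2} day(s) of lifetime left" -f $rdn, $obj.objectClass, $daysLeft)
        if ($WhatIf) {
            Restore-ADObject -Identity $obj.ObjectGUID -WhatIf
            continue   # children only become visible after a real restore of the parent
        }
        $restored = Restore-ADObject -Identity $obj.ObjectGUID -PassThru
        # Descend only for containers; users and groups have nothing underneath them.
        if (@('organizationalUnit', 'container') -contains $obj.objectClass) {
            Restore-DeletedSubtree -ParentDN $restored.DistinguishedName
        }
    }
}

# Usage: the OU is a placeholder for the container that held the deleted objects.
Restore-DeletedSubtree -ParentDN "OU=Sales,DC=AdminPrep,DC=com" -WhatIf   # preview first
# Restore-DeletedSubtree -ParentDN "OU=Sales,DC=AdminPrep,DC=com"         # then run for real
```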

Here is a look at what AD Recycle Bin looks like visually


Active Directory Recycle Bin PowerShell Scripts

I just found out that there is an Active Directory PowerShell Blog run by Microsoft’s AD PowerShell team.  I gathered that info from reading up on Jason’s post.  It’s amazing how much info you can get from reading other people’s blogs…now on to the regularly scheduled post…

After writing my article on the AD Recycle Bin I thought I would include a few PowerShell scripts here that can be used to modify the tombstone lifetime along with the deleted object lifetime.  Remember that the default for both of these is 180 days and will show up as Null if you use LDP to view the attributes.

PowerShell Script to change the tombstone lifetime of my domain (AdminPrep.Local) to 250 days:

Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=AdminPrep,DC=Local" -Partition "CN=Configuration,DC=AdminPrep,DC=Local" -Replace @{"tombstoneLifetime" = 250}

PowerShell Script to change the deleted object lifetime to 250 days:

Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=AdminPrep,DC=Local" -Partition "CN=Configuration,DC=AdminPrep,DC=Local" -Replace @{"msDS-DeletedObjectLifetime" = 250}

Removing a Domain From Active Directory Gotcha

I’ve removed plenty of DCs and domains over the years.  In fact I recently blogged about how to remove a failed DC here.  It seems that sometimes removing a domain from your environment doesn’t remove it entirely.

You may see a message that says the following:
The trusts between this domain (abc.local) and the following domain(s) are in an error state:
xyz.abc.local (inbound), the error is:
The specified domain either does not exist or could not be contacted. (0x54B)

Normally this message is pretty self-explanatory.  However, if you removed the domain and it still shows up then it can cause some unrest.

To completely remove the stale trust and get rid of those messages, open ADSIEdit.msc from a DC and expand the Domain partition.  From there select CN=System.  Now you should see in the results pane a listing of objects.  In there you should find the domain in question as a trustedDomain class object.  If the domain has indeed been removed, go ahead and right-click it and delete it.
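The same trustedDomain objects can be reviewed from PowerShell before anything is deleted. This added example (not code from the original post) lists them, checks whether each trust partner still resolves in DNS, and previews the removal with -WhatIf; it assumes the ActiveDirectory module, and DNS resolution is only a hint, so the post's step of confirming the domain really was removed still stands.

```powershell
# Added example; not code from the original post.  Lists the trustedDomain
# objects under CN=System, checks whether each trust partner still resolves in
# DNS, and previews (with -WhatIf) the removal of the ones that do not.
# DNS resolution is a heuristic: a partner may still resolve after its domain
# is gone, or fail to resolve while alive.  Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$domainDN = (Get-ADRootDSE).defaultNamingContext
$trusts   = Get-ADObject -SearchBase "CN=System,$domainDN" -LDAPFilter "(objectClass=trustedDomain)" `
                         -Properties trustPartner, flatName, trustDirection, whenChanged

$report = foreach ($t in $trusts) {
    $resolves = $true
    try   { [void][System.Net.Dns]::GetHostEntry($t.trustPartner) }
    catch { $resolves = $false }

    New-Object PSObject -Property @{
        TrustPartner  = $t.trustPartner
        NetBIOS       = $t.flatName
        Direction     = $t.trustDirection     # 1 = inbound, 2 = outbound, 3 = bidirectional
        DnsResolvable = $resolves
        LastChanged   = $t.whenChanged
        DN            = $t.DistinguishedName
    }
}
$report | Format-Table TrustPartner, NetBIOS, Direction, DnsResolvable, LastChanged -AutoSize

# Same object the post has you delete in ADSIEdit, previewed first.  Drop
# -WhatIf only after a person has confirmed the domain is gone for good.
$report | Where-Object { -not $_.DnsResolvable } | ForEach-Object {
    Remove-ADObject -Identity $_.DN -WhatIf
}
```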

New PowerShell Blog

Just saw that a good friend and former co-worker FINALLY has a blog up.  Jason’s blog is geared toward PowerShell and it already has some nice posts as well as some videos on PowerShell.  I’m so far behind on the PowerShell curve, but I’m sure Jason’s blog will help get me up to speed.

With Server 2008 R2’s release coming soon, all AD admins should take the time to learn PowerShell since it is going to include ways to manage AD.  So make sure you hit www.jasonhelmick.com for all your PowerShell loving…what’s with the name Jason? :)

Also I’m going to need Jason to explain to me why his videos on Microsoft PowerShell are in .MOV format???? What is up with that????

Group Policy Fails on Import in GPMC

I was working an issue where I couldn’t import a Group Policy’s settings into a new policy from one environment to another using GPMC.  The error message I got was the following:

GPO: Test GPO V1.0...Failed

The overall error was: The system cannot find the file specified.
Additional details follow.

[Error] The task cannot be completed. There was an error with extension [Registry]. The file [\\domain_name\sysvol\domain_name\Policies\{AAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\Adm\admfiles.ini] cannot be accessed.
The following error occurred:
The system cannot find the file specified.

I got the policy in a zipped format and all seemed well when I unzipped it.  The first thing I did was try to copy the admfiles.ini from another policy into the new policy I was trying to import the settings to.  That didn’t work.  I then took a closer look into the policy that was unzipped.  I noticed after digging further into the guts of this policy that it was in fact missing not only this file but also GptTmpl.inf and install.ins.  The culprit was Outlook blocking certain types of files due to a security configuration.

To resolve this I had to password protect the zip file to ensure those three files came through.  Once I tried to import the settings with all the files there…it worked!  Imagine that.

Posted: Thu, Feb 26 2009 10:02 by BrianM | with 2 comment(s)

Windows 7 Editions

Just heard word from Microsoft that they have released the official SKUs for Windows 7.  Nothing mind-blowing here, and it looks an awful lot like the Windows Vista SKUs.  The first two, 7 Starter and 7 Home Basic, will not be offered in the US.  I've also heard that the upgrade from one edition to the next is going to take only a few minutes and not a total reinstall.  Now that would be a welcome relief!

Key Feature list

Windows 7 Starter
· Broad app and device compatibility with up to 3 concurrent applications
· Safe, reliable, and supported
· Ability to join a Home Group
· Improved taskbar and JumpLists

Windows 7 Home Basic
· All Starter features
· Unlimited applications
· Live Thumbnail Previews & enhanced visual experience
· Advanced networking support (ad-hoc wireless networks and internet connection sharing)
· Mobility Center

Windows 7 Home Premium
· All Home Basic features
· Unlimited applications
· Aero Glass & advanced windows navigation
· Easy networking & sharing across all your PCs & devices
· Improved media format support, enhancements to Windows Media Center and media streaming, including Play To
· Multi-touch and improved handwriting recognition

Windows 7 Professional
· All Professional features
· Unlimited applications
· Ability to join a managed network with Domain Join
· Protect data with advanced network backup and Encrypting File System
· Print to the right printer at home or work with Location Aware Printing

Windows 7 Enterprise and Ultimate
· All Professional features
· Unlimited applications
· BitLocker data protection on internal and external drives
· DirectAccess provides seamless connectivity to your corporate network (requires Windows Server 2008 R2)
· Decrease the time branch office workers wait to open files across the network with BranchCache (requires Windows Server 2008 R2)
· Prevent unauthorized software from running with AppLocker
Note: Ultimate includes all Enterprise and all Home Premium features, including multi-language packs.
- Windows 7 Enterprise is available only through Microsoft Volume Licensing

Posted: Tue, Feb 3 2009 16:40 by BrianM | with no comments

Windows Server 2008 Terminal Server Resources

As I’ve done with Active Directory and Failover Clustering, I'm going to share with you some links and resources for Server 2008’s Terminal Services.  I for one really like some of the new features of Terminal Services.  I've also seen some really cool customizations that people have been doing with these components, although I’m not completely sold on renaming the service to Remote Desktop Services when R2 comes out for Server 2008.

The links are bucketed in three categories but not placed in any specific order.

General Resources

Webcasts:

Terminal Server Performance Posts

Active Directory Domain Services Resources

I pulled together a few links to help point people in the right direction on resources for AD in Windows Server 2008.  You’ll find all kinds of goodies, from virtual labs to videos by some of your favorite public speakers and of course what I think are the must-haves…the Guides!

Links and Documents:
AD DS Operations Guide

AD DS Design Guide

AD DS Deployment Guide

Server 2008 Auditing AD DS Changes Step-by-Step Guide

Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration

Step-by-Step Guide for Read-Only Domain Controllers

Free Virtual Labs:
Managing Active Directory – Directory Services

Fine Grained Password Settings in Windows Server 2008 (Beta 3)

Videos:
AD in Server 2008

Fine Grained Password Policies

Prepare for RODCs

Install a RODC from IFM

Group Policy in 2008

How to Remove a Failed or Offline DC

I’ve seen this issue come up time and time again.  Some administrator decided to remove an old DC from the network but forgot to remove it from Active Directory, or the DC has entered a failed state and cannot be recovered.  In a perfect world DCPROMO is all you have to do to remove a DC from the environment.  However, if that DC was already shut down or DCPROMO is giving you problems you will have to remove it the manual way.  That method involves using a command called NTDSUTIL.  NTDSUTIL is a command line tool that allows you to perform some of the more advanced Active Directory maintenance tasks.

Below are the steps needed to remove a failed or offline Domain Controller from your environment.
TIP: NTDSUTIL does not require the full command to be entered…you only have to enter enough of the command to be unique.  For example, instead of typing metadata cleanup you could just type met cle…or better yet m c

  1. Open the Command Prompt
  2. Type ntdsutil (all the commands will be entered via this command prompt)
  3. Type metadata cleanup
  4. Type connections
  5. Type connect to server <ServerName> and replace <ServerName> with the name of a functional DC in your environment…even if you are logged in locally.  This step is not needed post W2K3 SP1.
  6. Type quit
  7. Type select operations target
  8. Type list sites
  9. Type select site <#> where <#> is the site where the failed or offline DC resided
  10. Type list servers in site
  11. Type select server <#>  where <#> is the DC that is failed or offline
  12. Type list domains
  13. Type select domain <#>  where <#> is the domain where the failed or offline DC resided (at this point you should verify that the site, server and domain are all selected)
  14. Type quit (this should set you back to the metadata cleanup menu)
  15. Type remove selected server ( a warning message will pop up…verify that this is the correct DC…in fact get a peer to verify it for you too)
  16. Click Yes
  17. Open Active Directory Sites and Services
  18. Expand out the site that the failed or offline DC resided in
  19. Verify the DC cannot be expanded out (no connection objects and such)
  20. Right Click the DC and select Delete
  21. Close Active Directory Sites and Services
  22. Open Active Directory Users and Computers
  23. Expand the Domain Controllers OU
  24. Delete the failed or offline DC from the OU (if it even exists)
  25. Close Active Directory Users and Computers
  26. Open DNS Manager
  27. Expand the zones where this DC was also a DNS server and perform the following steps
  28. Right click the zone and select Properties
  29. Click the Name Servers tab
  30. Remove the failed or offline DC from the Name Servers tab
  31. Click OK to also remove the HOST (A) or Pointer (PTR) record if asked
  32. Verify the zone no longer has a DNS record for the failed or offline DC

You can also find more info located on Microsoft site here and here for removing orphaned domains.
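Steps 17 through 32 are the part people skip, so here is an added example (not code from the original post) that checks, after the ntdsutil cleanup, whether anything still references the removed DC: its server and NTDS Settings objects under Sites, its computer account, any FSMO role, and the zone's NS and A records. It assumes the ActiveDirectory module and dnscmd.exe on the DC it runs from; the server name DC02 and zone adminprep.com are placeholders.

```powershell
# Added example; not from the original post.  Verifies that the manual steps
# after metadata cleanup were done: no leftover server/NTDS Settings object,
# no computer object under Domain Controllers, no FSMO role, no DNS records.
# Assumes the ActiveDirectory module and dnscmd.exe; names are placeholders.
Import-Module ActiveDirectory

$oldDc    = "DC02"                 # placeholder: NetBIOS name of the removed DC
$zone     = "adminprep.com"        # placeholder: a zone the removed DC used to host
$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$configNC = $rootDse.configurationNamingContext
$findings = @()

# 1. Server object in Sites and Services, and its NTDS Settings child (steps 17-20)
$srv = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(&(objectClass=server)(cn=$oldDc))"
if ($srv) {
    $findings += "Server object still present: $($srv.DistinguishedName)"
    $ntds = Get-ADObject -SearchBase $srv.DistinguishedName -LDAPFilter "(objectClass=nTDSDSA)"
    if ($ntds) { $findings += "NTDS Settings object still present: $($ntds.DistinguishedName)" }
}

# 2. Computer account under the Domain Controllers OU (steps 22-24)
$comp = Get-ADObject -SearchBase "OU=Domain Controllers,$domainDN" -LDAPFilter "(&(objectClass=computer)(cn=$oldDc))"
if ($comp) { $findings += "Computer object still present: $($comp.DistinguishedName)" }

# 3. FSMO roles: a DC that is gone must not still own any of them
$domain = Get-ADDomain
$forest = Get-ADForest
$roles  = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
            $forest.SchemaMaster, $forest.DomainNamingMaster)
if ($roles | Where-Object { $_ -like "$oldDc.*" }) { $findings += "A FSMO role is still assigned to $oldDc" }

# 4. DNS: NS record for the zone and the host's A record (steps 26-32).
#    dnscmd prints the records as text, so these are simple text matches.
$ns = & dnscmd.exe /EnumRecords $zone '@' /Type NS
if ($ns -match $oldDc) { $findings += "Zone $zone still lists $oldDc as a name server" }
$a = & dnscmd.exe /EnumRecords $zone $oldDc /Type A
if ($a -match '\sA\s') { $findings += "Zone $zone still has an A record for $oldDc" }

if ($findings.Count -eq 0) { "No leftover references to $oldDc found." } else { $findings }
```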

Microsoft Clustering Resources

This has to be the mother of all resource collections on Microsoft clustering and high availability.  I’ve copied over the links directly from the MS Cluster blog so that I have quick access to them in the future.

General Resources

Core

Exchange Server

File Server

Hyper-V

Multi-Site Clustering

Network Load Balancing

SQL Server

Script That Displays Group Membership and Active Directory Location

The following code can be run to display the membership of an Active Directory group and also let you know each member’s LDAP Distinguished Name.  The output text file is named after the group and will include all the members and their location in Active Directory.  Just copy this into a txt file and rename it to .vbs.  Enjoy!

' Bind to the group to report on; replace the DN with your group's own
Set objGroup = GetObject("LDAP://cn=GroupName,ou=OUName,DC=DomainName,DC=local")
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
' Output file named after the group: 2 = ForWriting, True = create if missing, 0 = ASCII
Set objFile = objFileSystem.OpenTextFile(objGroup.Get("name") & " - Members.txt", 2, True, 0)
' One line per member: logon name, common name, then the ADsPath of the container it lives in
For Each objMember In objGroup.Members
  objFile.WriteLine objMember.Get("sAMAccountName") & vbTab & _
    objMember.Get("cn") & vbTab & _
    objMember.Parent
Next
objFile.Close
Set objFile = Nothing
Set objFileSystem = Nothing
Set objGroup = Nothing

How to Search for an Email Address in Active Directory

From time to time I’ve had to figure out which user account has a specific email address.  Actually it’s more like finding who has the “reallycoolemailaccount@company.com” so another “more senior” person can get it.  Well, if you work in a smaller company this can be kind of easy…but if your directory has thousands of accounts it becomes more difficult and time consuming.

What you will want to do is open up Active Directory Users and Computers, right-click the domain and select Search.  Select the drop-down arrow in the Find field to select Custom Search.  If you have multiple domains make sure to select Entire Directory in the In field.  Now just click on the Advanced tab and put the following text in the LDAP Query field: proxyaddresses=smtp:<whatever the email is you’re looking for>.  Now all you have to do is click Find Now and if the email is in use it will show the user account that is using it.
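The same proxyAddresses search from PowerShell, as an added example (not code from the original post): it escapes the address before building the LDAP filter so that parentheses, asterisks or backslashes in the input cannot change the query, and it queries a global catalog so the result covers the entire forest like the Entire Directory choice above. It assumes the ActiveDirectory module and a reachable global catalog; the address is the post's own example.

```powershell
# Added example; not code from the original post.  Finds which object owns an
# SMTP address via proxyAddresses, with the value escaped per RFC 4515 before it
# is placed in the filter, and searched against a global catalog (port 3268).
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # Backslash must be handled first, or it would re-escape the other sequences.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Find-MailboxOwner {
    param([string]$EmailAddress)
    # A GC answers for every domain in the forest, matching the post's "Entire Directory".
    $gc     = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
    $filter = "(proxyAddresses=smtp:$(ConvertTo-LdapFilterValue $EmailAddress))"
    # proxyAddresses holds "SMTP:" for the primary address and "smtp:" for secondaries;
    # the attribute matches case-insensitively, so this one filter finds either.
    Get-ADObject -LDAPFilter $filter -Server "${gc}:3268" -Properties sAMAccountName, mail, proxyAddresses |
        Select-Object sAMAccountName, mail, DistinguishedName,
            @{ n = 'PrimarySmtp'; e = { @(@($_.proxyAddresses) -cmatch '^SMTP:')[0] } }
}

Find-MailboxOwner -EmailAddress 'reallycoolemailaccount@company.com'
```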

