A couple years ago I bought a Hauppauge 1600 to go into my Home Theater room. It worked great with Vista, but like many IT Pros after many tweaks and configuration changes I decided to reinstall. Well little did I know that I had lost my drivers CD and could never download the software for my TV tuner card. It was a real bummer because although the monitor I bought could display 1080P it was not a TV, it was a monitor and I needed my TV tuner card to work to be able to watch TV.
I was so pleased that after my install of Windows 7 Ultimate that Windows detected my Hauppauge TV Tuner and I was able to watch and record TV again, especially The Office!!! By the way, the only reason I needed this was because Sami and I had two other shows that we recorded on our DVR during that time, Supernatural and Fringe. Seriously, why can’t good shows air on days other than Thursday?
Kudos to Windows 7 for having drivers for a device that I thought I would never use again!
Not sure how many people modify the size of the Windows Event Logs, but it is something I like to do simply because the default sizes of most of them are just not enough. For example, you may remember the default for your System and Application log files was a measly 512 KB. That logged all of about a day of a really busy application server.
The problem with Server 2003 was that the recommended maximum size for a log file was only around 300 MB and the maximum total size for all Event Log files was around 400 MB. You do the math and you can see that realistically you aren't going to be able to realize the benefits of larger Event Log file sizes.
This has to do with Windows storing the logs in memory. As you can tell, a 32-bit system would run into some serious memory issues if you wanted to expand the size of several of these. Thankfully in Server 2008 this has changed. Microsoft has increased the recommended maximum size of a log file to 4 GB and the total for all of them to 16 GB. Of course you will want to make sure you're running the x64 flavor of Server 2008 to really see this advantage.
Take a look at the following knowledgebase from Microsoft for more info.
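The post does not show how to actually change the sizes, so here is an added example (not from the original post) that reports the current maximum of each classic log and raises any that sit below a floor you pick. It assumes Windows PowerShell 2.0 (Server 2008 / 2008 R2), whose Get-EventLog and Limit-EventLog cmdlets it uses; the 1 GB floor is an assumption, and the 4 GB per-log ceiling from the post only applies on x64.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 2.0 or later;
# the 1 GB default floor is an assumption, not a Microsoft recommendation.

function Get-EventLogSizeReport {
    # MaximumKilobytes is the configured cap; OverflowAction says what happens when it fills.
    Get-EventLog -List | ForEach-Object {
        New-Object PSObject -Property @{
            Log            = $_.Log
            MaximumMB      = [int]($_.MaximumKilobytes / 1024)
            OverflowAction = $_.OverflowAction
        }
    }
}

function Set-EventLogMinimumSize {
    param(
        [string[]]$LogName = @('Application', 'Security', 'System'),
        [long]$MinimumBytes = 1GB,   # must be a multiple of 64 KB, at most 4 GB
        [switch]$WhatIf
    )
    foreach ($log in $LogName) {
        $entry = Get-EventLog -List | Where-Object { $_.Log -eq $log }
        if (-not $entry) { Write-Warning "Log '$log' not found"; continue }
        $current = $entry.MaximumKilobytes * 1KB
        if ($current -ge $MinimumBytes) { continue }    # already large enough, leave it alone
        if ($WhatIf) {
            Write-Host "Would raise $log from $current to $MinimumBytes bytes"
        } else {
            # Only the size changes; the retention/overflow policy is left as configured.
            Limit-EventLog -LogName $log -MaximumSize $MinimumBytes
        }
    }
}

Get-EventLogSizeReport | Format-Table Log, MaximumMB, OverflowAction -AutoSize
Set-EventLogMinimumSize -WhatIf
```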
I’ve read a few articles this morning concerning Microsoft’s move to release a web version of its upcoming Office 2010 product. This is a direct shot at Google’s application suite, and I think Microsoft is going to use this to help their dominance in this market. Microsoft really isn’t going to lose any major businesses to this free online version. Corporations are going to continue using the thick client because of the full, rich suite of integrated components that Office has always given them. This is going to take market share from places like Google because now the folks that wouldn’t pay for Office will be able to benefit from it using this online version.
In the long run I hope to see Microsoft move away from the thick client. I think Microsoft now needs to come up with an online version that can be hosted within companies. Some companies won’t move to this mode of operation because of the inherent security risks of hosting your data on Microsoft’s servers. So I bet the next version of Office will have some new internal online flavor for companies looking to move more toward thin clients and thin apps.
I ran into a weird issue the other day when configuring permissions on a Share that was clustered. I couldn’t find much online about this, and the one similar issue from Russ was not the issue here.
Here is a little background info to help set the stage. An admin changes the permission on the Shared Folder (not the File Share Cluster Resource) that is clustered from Read to Full Control. This works when connecting to the node explicitly but not with the cluster name. So he fails over the resource to the other node and notices that the permissions had reset to Read. This is where I get called in. I’m thinking this is going to be a very easy 30 second fix (which it ended up being…but more on that later). I had the admin explain to me what process was followed to change the permission. Right away I knew that changing the permission on the Shared Folder and not the File Share resource was an issue.
I went into Cluster Administrator (cluadmin.msc) and went to alter the permissions from Read to Full Control for the group in question and I was presented with the following error:
An error occurred validating the cluster security descriptor
The RPC server is unavailable
Error ID -2147023174 (800706ba)
As most of you know this is a very generic error. In fact if there is one error I can’t stand from Microsoft it is the “The RPC server is unavailable” error. After doing some research and testing we found that we couldn’t even add a new Security Principal to the permissions of this cluster. It mentioned that the Computer was not part of the domain. In hindsight I wish I had gotten the entire error for you, but I forgot to grab the screen cap for that one. The name it was referencing was the clustered name. Well the cluster name is not going to have an Active Directory account so I went to check in DNS and sure enough there was no record for this cluster name in DNS. After adding the record into DNS we were able to immediately change the permission.
There I go again assuming things were set up correctly initially. I really need to break that wall down and start from the very beginning when I’m troubleshooting. Ah the things we take for granted when looking at a problem.
Just saw over on the Server Core blog that Andrew posted some links to a couple excellent resources. The first one is what I consider to be the Server Core Bible. It has just about everything you can think of when it comes to configuring Server Core. The next link is to a couple job aids that give you a quick look at some common commands.
These job aids actually give me some ideas on some things I’d like to create…now if I only had more time.
I admit it…I have issues with email. So much so that I think I may have OCD. I’m not trying to make fun of anyone that really has that disorder but I sure feel like I’m obsessed with unread email. I can’t stand it in fact. When a new email arrives in my inbox I seem to stop what I'm doing and read it. This is not helpful for someone that gets hundreds of emails a day. Yes, most are from monitors and alerts that technically I don’t need to read right away, but I can’t stand having those little emails be bolded like they are in Outlook. I have rules set up to move them into different folders…perhaps I should have rules to mark them as read. It gets distracting too…like when I’m writing I see an email pop in and jump over to it and read it. Ohhh and something that just drives me nuts is when I see someone else's Inbox and it looks like this – Inbox (313). What are you people thinking…how can you have that many unread messages??? I know you just aren’t as compulsive as me and I'm just extremely jealous.
Tonight I go to my first therapy session – Must Read Email Anonymous…crap, I guess it’s not so anonymous now! :)
If you’ve got time on such short notice, try to check out the webcast O’Reilly is hosting on What’s New in Active Directory for Server 2008 R2. It is going to be hosted by two other Directory Services MVPs, Brian Desmond and Laura Hunter.
This is a free event and is scheduled for 90 minutes.
Date: Friday, April 24, 2009
Time: 10am San Francisco | 6pm London | 1pm New York | 3am Sat, Apr 25 Sydney | 2am Sat, Apr 25 Tokyo | 1am Sat, Apr 25 Beijing | 10:30pm Mumbai
Registration Link - http://www.oreillynet.com/pub/e/1326
Everyone has their own reason for loving or hating April Fools’ Day. For the last 4 years it has been a day of great joy for me. I got the email from Microsoft shortly ago that I was re-awarded my MVP for Directory Services! I really think this blog has a lot to do with it and that means that I’m especially grateful to all 17 people (12 of which are probably family) that read it too!!! Thanks to all of you for engaging me through the comments and I hope that you will continue.
Here's to another great year of technical discovery in the Life of Brian.
Hopefully some of you have been playing with Server 2008 R2 while it has been in Beta. One of the features I’m looking forward to most is the AD Recycle Bin. Yes, you heard me correctly. We now have an easy method for restoring accidentally deleted objects.
In the past our only recovery method out of the box was to perform an authoritative restore of an object. That method had several issues that always rubbed me the wrong way. First you had to be in Directory Services Restore Mode (DSRM). And ever since Server 2003 we could use tombstone reanimation, but that removed most of the non-link-valued attributes. This led to additional work after the restore. The default tombstone lifetime was 180 days with Server 2003 and 2008.

You are probably already familiar with tombstones and the garbage collection process. If not, read Gil’s excellent article on that here. With Server 2008 R2 you will now need to become familiar with the Deleted Object and Recycled Object states. The first thing to realize here is that the AD Recycle Bin is not enabled by default with Server 2008 R2. The following steps/requirements must first be met:
- Raise the Forest Functional Level to Server 2008 R2
- Enable the AD Recycle Bin (my example uses PowerShell…get used to it now)
- Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=AdminPrep,DC=com" -Scope ForestOrConfigurationSet -Target "AdminPrep.com"
- Just make sure to replace AdminPrep with your domain (the -Scope value has to be ForestOrConfigurationSet; the cmdlet does not accept Forest)
Now when an object is deleted it is not tombstoned right away; it is marked as deleted. It is placed in the Deleted Objects container, which is hidden but can be located at CN=Deleted Objects. When you want to restore an object there are two methods that I'm aware of, one using PowerShell and the other using LDP.
Using LDP:
- Using elevated credentials, open LDP by typing ldp.exe from the Run Dialog box
- Click Connections and select Connect and then go back and select Bind
- Navigate to the CN=Deleted Objects
- Find the object you wish to restore and right-click it and select Modify
- In the Modify dialog box:
- In Edit Entry Attribute, type isDeleted
- Leave the Values box empty
- Under Operation, click Delete, and then click Enter
- In Edit Entry Attribute, type distinguishedName
- In Values, type the original distinguished name (also known as DN) of this Active Directory object
- Under Operation, click Replace
- Make sure that the Extended check box is selected, click Enter, and then click Run
To restore an object using PowerShell you must use the Get-ADObject and Restore-ADObject cmdlets. Using PowerShell:
- Open the Active Directory PowerShell command prompt and use the following syntax:
- Get-ADObject -Filter {String} -IncludeDeletedObjects | Restore-ADObject
- Here is an example of restoring a deleted user account named Brian:
- Get-ADObject -Filter {displayName -eq "Brian"} -IncludeDeletedObjects | Restore-ADObject
When restoring multiple items that may be linked (an OU or Group that contains Users) you will want to start at the highest level, so the parent exists again before its children are restored into it.
An object can only be restored using those methods if it is still within the Deleted Object Lifetime. The attribute is msDS-deletedObjectLifetime, and if you look it up it will have a null value, which means the default of 180 days applies.
Here is a look at what AD Recycle Bin looks like visually
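Putting the pieces of this post together, here is an added example (not from the original post) that checks whether the Recycle Bin is enabled, reads the two lifetimes (treating null as the default the post describes), and restores a deleted OU, group or user together with what it contained, parent first as the post advises. It assumes the ActiveDirectory module (Server 2008 R2 RSAT or later) and names without DN special characters; "Brian" is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (Server 2008 R2 RSAT or later) and names without DN special characters.
Import-Module ActiveDirectory

function Test-ADRecycleBinEnabled {
    # The optional feature is on when at least one scope is listed as enabled.
    $f = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
    return ($null -ne $f -and $f.EnabledScopes.Count -gt 0)
}

function Get-ADLifetimes {
    # Both values sit on the Directory Service object in the configuration partition.
    # A null tombstoneLifetime means the 180-day default the post mentions; a null
    # msDS-DeletedObjectLifetime means "same as the tombstone lifetime".
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
        -Partition $cfg -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    $tsl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 180 }
    $dol = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $tsl }
    New-Object PSObject -Property @{ TombstoneLifetimeDays = $tsl; DeletedObjectLifetimeDays = $dol }
}

function Restore-ADDeletedSubtree {
    param([Parameter(Mandatory = $true)][string]$Name, [switch]$WhatIf)
    # Only objects in the deleted (not yet recycled) state can still be restored.
    $deleted = Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(!(isRecycled=TRUE)))' `
        -IncludeDeletedObjects -Properties 'msDS-LastKnownRDN', lastKnownParent
    $roots = @($deleted | Where-Object { $_.'msDS-LastKnownRDN' -eq $Name })
    if ($roots.Count -ne 1) { throw "Expected one deleted object named '$Name', found $($roots.Count)." }

    # Breadth-first plan, parent before children. A deleted object's original DN is
    # "<rdn type>=<last known RDN>,<lastKnownParent>", and its former children are the
    # deleted objects whose lastKnownParent equals that DN.
    $plan  = @()
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($roots[0])
    while ($queue.Count -gt 0) {
        $obj        = $queue.Dequeue()
        $rdnType    = $obj.DistinguishedName.Split('=')[0]
        $originalDN = "$rdnType=$($obj.'msDS-LastKnownRDN'),$($obj.lastKnownParent)"
        $plan += New-Object PSObject -Property @{ Guid = $obj.ObjectGUID; OriginalDN = $originalDN }
        $deleted | Where-Object { $_.lastKnownParent -eq $originalDN } |
            ForEach-Object { $queue.Enqueue($_) }
    }
    foreach ($step in $plan) {
        if ($WhatIf) { Write-Host "Would restore $($step.OriginalDN)"; continue }
        # Restore-ADObject puts the object back under lastKnownParent, which now exists again.
        Restore-ADObject -Identity $step.Guid
        Write-Host "Restored $($step.OriginalDN)"
    }
    return $plan
}

if (-not (Test-ADRecycleBinEnabled)) { Write-Warning 'AD Recycle Bin is not enabled in this forest.' }
Get-ADLifetimes
Restore-ADDeletedSubtree -Name 'Brian' -WhatIf
```

Run with -WhatIf first to see the restore order; drop it to perform the restores.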

I just found out that there is an Active Directory PowerShell Blog run by Microsoft’s AD PowerShell team. I gathered that info from reading up on Jason’s post. It’s amazing how much info you can get from reading other people’s blogs…now on to the regularly scheduled post…
After writing my article on the AD Recycle Bin I thought I would include a few PowerShell scripts here that can be used to modify the tombstone lifetime along with the deleted object lifetime. Remember that the default for both of these is going to be 180 days and will show up as Null if you use LDP to view the attributes.
PowerShell script to change the tombstone lifetime of my domain (AdminPrep.Local) to 250 days:
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=AdminPrep,DC=Local" -Partition "CN=Configuration,DC=AdminPrep,DC=Local" -Replace @{"tombstoneLifetime" = 250}
PowerShell script to change the deleted object lifetime to 250 days:
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=AdminPrep,DC=Local" -Partition "CN=Configuration,DC=AdminPrep,DC=Local" -Replace @{"msDS-DeletedObjectLifetime" = 250}
I’ve removed plenty of DCs and Domains in my years. In fact I recently blogged about how to remove a failed DC here. It seems that sometimes removing a domain from your environment doesn’t remove it entirely.
You may see a message that says the following:
The trusts between this domain (abc.local) and the following domain(s) are in an error state:
xyz.abc.local (inbound), the error is:
The specified domain either does not exist or could not be contacted. (0x54B)
Normally this message is pretty self-explanatory. However, if you removed the domain and it still shows up then it can cause some unrest.
To clear those messages and completely remove the stale trust, open ADSIEdit.msc from a DC and expand the Domain partition. From there select CN=System. Now you should see in the results pane a listing of objects. In there you should find the domain in question as a trustedDomain class object. If indeed the domain has been removed, go ahead and right-click it and delete it.
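The ADSIEdit walk above works, but it is easy to delete the wrong trust by hand. Here is an added example (not from the original post) that lists the trustedDomain objects in CN=System, tests whether each partner can still be contacted (the 0x54B condition from the message above), and refuses to delete one that still answers. It assumes the ActiveDirectory module and nltest.exe; "xyz.abc.local" is the post's placeholder domain.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module and
# nltest.exe (present on any DC). "xyz.abc.local" is the placeholder from the post.
Import-Module ActiveDirectory

function Get-TrustedDomainReport {
    $domainDN = (Get-ADDomain).DistinguishedName
    Get-ADObject -SearchBase "CN=System,$domainDN" -SearchScope OneLevel `
        -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties trustPartner, flatName, trustDirection, whenCreated |
    ForEach-Object {
        # nltest asks for a DC of the partner; a non-zero exit code corresponds to the
        # "domain does not exist or could not be contacted (0x54B)" state in the post.
        $null = & nltest.exe "/dsgetdc:$($_.trustPartner)" 2>&1
        New-Object PSObject -Property @{
            Partner   = $_.trustPartner
            FlatName  = $_.flatName
            Direction = $_.trustDirection      # 1 = inbound, 2 = outbound, 3 = bidirectional
            Created   = $_.whenCreated
            Reachable = ($LASTEXITCODE -eq 0)
            DN        = $_.DistinguishedName
        }
    }
}

function Remove-StaleTrustedDomain {
    param([Parameter(Mandatory = $true)][string]$Partner, [switch]$WhatIf)
    $entry = Get-TrustedDomainReport | Where-Object { $_.Partner -eq $Partner }
    if (-not $entry) { throw "No trustedDomain object for '$Partner'." }
    # Unreachable is necessary but not sufficient (a network outage looks the same);
    # only call this after confirming the domain really was decommissioned.
    if ($entry.Reachable) { throw "'$Partner' still answers; it is not a stale trust." }
    # Same action as deleting the object in ADSIEdit.
    Remove-ADObject -Identity $entry.DN -Confirm:$false -WhatIf:$WhatIf
}

Get-TrustedDomainReport | Format-Table Partner, FlatName, Direction, Created, Reachable -AutoSize
Remove-StaleTrustedDomain -Partner 'xyz.abc.local' -WhatIf
```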
Just saw that a good friend and former co-worker FINALLY has a blog up. Jason’s blog is geared toward PowerShell and it already has some nice posts as well as some videos on PowerShell. I’m so far behind on the PowerShell curve but I’m sure Jason’s blog will help get me up to speed.
With Server 2008 R2’s release coming soon all AD admins should take the time to learn PowerShell since it is going to include ways to manage AD. So make sure you hit www.jasonhelmick.com for all your PowerShell loving…what’s with the name Jason? :)
Also i’m going to need Jason to explain to me why his videos on Microsoft PowerShell are in .MOV format???? What is up with that????
I was working an issue where I couldn’t import Group Policy settings into a new policy from one environment to another using GPMC. The error message I got was the following:
GPO: Test GPO V1.0...Failed
The overall error was: The system cannot find the file specified.
Additional details follow.
[Error] The task cannot be completed. There was an error with extension [Registry]. The file [\\domain_name\sysvol\domain_name\Policies\{AAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\Adm\admfiles.ini] cannot be accessed.
The following error occurred:
The system cannot find the file specified.
I received the policy in a zipped format and all seemed well when I unzipped it. The first thing I did was try to copy the admfiles.ini from another policy into the new policy I was trying to import the settings to. That didn’t work. I then took a closer look into the policy that was unzipped. I noticed after digging further into the guts of this policy that it was in fact missing not only this file but also GptTmpl.inf and install.ins. The culprit was Outlook blocking certain types of files due to a security configuration.
To resolve this I had to password protect the zip file to ensure those three files came through. Once I tried to import the settings with all the files there…it worked! Imagine that.
Just heard word from Microsoft that they have released the official SKUs for Windows 7. Nothing mind-blowing here, and it looks an awful lot like the Windows Vista SKUs. The first two, 7 Starter and 7 Home Basic, will not be offered in the US. I've also heard that the upgrade from one edition to the next is going to take only a few minutes and not a total reinstall. Now that would be a welcome relief!
Key Feature list

Windows 7 Starter
- Broad app and device compatibility with up to 3 concurrent applications
- Safe, reliable, and supported
- Ability to join a Home Group
- Improved taskbar and JumpLists

Windows 7 Home Basic
- All Starter features
- Unlimited applications
- Live Thumbnail Previews & enhanced visual experience
- Advanced networking support (ad-hoc wireless networks and internet connection sharing)
- Mobility Center

Windows 7 Home Premium
- All Home Basic features
- Unlimited applications
- Aero Glass & advanced windows navigation
- Easy networking & sharing across all your PCs & devices
- Improved media format support, enhancements to Windows Media Center and media streaming, including Play To
- Multi-touch and improved handwriting recognition

Windows 7 Professional
- All Professional features
- Unlimited applications
- Ability to join a managed network with Domain Join
- Protect data with advanced network backup and Encrypting File System
- Print to the right printer at home or work with Location Aware Printing

Windows 7 Enterprise and Ultimate
- All Professional features
- Unlimited applications
- BitLocker data protection on internal and external drives
- DirectAccess provides seamless connectivity to your corporate network (requires Windows Server 2008 R2)
- Decrease time branch office workers wait to open files across the network with BranchCache (requires Windows Server 2008 R2)
- Prevent unauthorized software from running with AppLocker

Note: Ultimate includes all Enterprise and all Home Premium features, including multi-language packs. Windows 7 Enterprise is available only through Microsoft Volume Licensing.
As I’ve done with Active Directory and Failover Clustering, I'm going to share with you some links and resources for Server 2008’s Terminal Services. I for one really like some of the new features of Terminal Services. I have also seen some really cool customizations that people have been doing with these components. Although I’m not completely sold on renaming the service to Remote Desktop Services when R2 comes out for Server 2008.
The links are bucketed in three categories but not placed in any specific order.
General Resources
Webcasts:
Terminal Server Performance Posts
I’ve seen this issue come up time and time again. Some administrator decided to remove an old DC from the network but forgot to remove it from Active Directory or the DC has entered a failed state and cannot be recovered from. In a perfect world DCPROMO is all you have to do to remove a DC from the environment. However, if that DC was already shutdown or DCPROMO is giving you problems you will have to remove it the manual way. That method involves using a command called NTDSUTIL. NTDSUTIL is a command line tool that allows you to perform some of the more advanced Active Directory maintenance tasks.
Below are the steps needed to remove a failed or offline Domain Controller from your environment.
TIP: NTDSUTIL does not require the full command to be entered…you only have to enter enough of the command that is unique. For Example, instead of typing metadata cleanup you could just type met cle…or better yet m c
- Open the Command Prompt
- Type ntdsutil (all the commands will be entered via this command prompt)
- Type metadata cleanup
- Type connections
- Type connect to server <ServerName> and replace <ServerName> with the name of a functional DC in your environment…even if you are logged in locally. This step is not needed post W2K3 SP1.
- Type quit
- Type select operations target
- Type list sites
- Type select site <#> where <#> is the site where the failed or offline DC resided
- Type list servers in site
- Type select server <#> where <#> is the DC that is failed or offline
- Type list domains
- Type select domain <#> where <#> is the domain where the failed or offline DC resided (at this point you should verify that the site, server and domain are all selected)
- Type quit (this should set you back to the metadata cleanup menu)
- Type remove selected server ( a warning message will pop up…verify that this is the correct DC…in fact get a peer to verify it for you too)
- Click Yes
- Open Active Directory Sites and Services
- Expand out the site that the failed or offline DC resided in
- Verify the DC cannot be expanded out (no connection objects and such)
- Right Click the DC and select Delete
- Close Active Directory Sites and Services
- Open Active Directory Users and Computers
- Expand the Domain Controllers OU
- Delete the failed or offline DC from the OU (if it even exists)
- Close Active Directory Users and Computers
- Open DNS Manager
- Expand the zones where this DC was also a DNS server and perform the following steps
- Right click the zone and select Properties
- Click the Name Servers tab
- Remove the failed or offline DC from the Name Servers tab
- Click OK to also remove the HOST (A) or Pointer (PTR) record if asked
- Verify the zone no longer has a DNS record for the failed or offline DC
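Once the steps above are done it is worth proving that nothing still points at the old DC. Here is an added example (not from the original post) that checks the four places the procedure touches: the server object under Sites, the computer object in the Domain Controllers OU, the zone's NS records, and the replication links reported by repadmin. It assumes the ActiveDirectory module and repadmin.exe; Resolve-DnsName needs PowerShell 3.0 or later; "DC2" and "adminprep.local" are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# repadmin.exe (AD DS tools) and PowerShell 3.0+ for Resolve-DnsName.
# "DC2" and "adminprep.local" are placeholder names.
Import-Module ActiveDirectory

function Test-DCMetadataCleanup {
    param([Parameter(Mandatory = $true)][string]$DCName,
          [Parameter(Mandatory = $true)][string]$ZoneName)
    $cfg      = (Get-ADRootDSE).configurationNamingContext
    $domainDN = (Get-ADDomain).DistinguishedName
    $findings = @()

    # 1. Server object under CN=Sites (what "remove selected server" and the
    #    Sites and Services delete are meant to clear).
    $server = Get-ADObject -SearchBase "CN=Sites,$cfg" `
        -Filter { objectClass -eq 'server' -and Name -eq $DCName }
    if ($server) { $findings += "server object still present: $($server.DistinguishedName)" }

    # 2. Computer object in the Domain Controllers OU.
    $computer = Get-ADComputer -SearchBase "OU=Domain Controllers,$domainDN" -Filter { Name -eq $DCName }
    if ($computer) { $findings += "computer object still present: $($computer.DistinguishedName)" }

    # 3. NS records for the zone that still name the old DC.
    $ns = Resolve-DnsName -Name $ZoneName -Type NS -ErrorAction SilentlyContinue |
          Where-Object { $_.NameHost -like "$DCName.*" }
    if ($ns) { $findings += "NS record still present: $(($ns | ForEach-Object { $_.NameHost }) -join ', ')" }

    # 4. Inbound replication links on the remaining DCs that still list it as a source.
    $repl = & repadmin.exe /showrepl * /csv 2>$null | ConvertFrom-Csv |
            Where-Object { $_.'Source DSA' -eq $DCName }
    if ($repl) {
        $dests = ($repl | ForEach-Object { $_.'Destination DSA' } | Select-Object -Unique) -join ', '
        $findings += "replication links still reference $DCName on: $dests"
    }

    New-Object PSObject -Property @{ DC = $DCName; Clean = ($findings.Count -eq 0); Findings = $findings }
}

Test-DCMetadataCleanup -DCName 'DC2' -ZoneName 'adminprep.local'
```

A non-empty Findings list means one of the steps above was skipped or has not replicated yet; re-check after the next replication cycle before chasing it.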
You can also find more info located on Microsoft site here and here for removing orphaned domains.
This has to be the mother of all resource collections on Microsoft clustering and high availability. I’ve copied over the links directly from the MS Cluster blog so that I have quick access to them in the future.
General Resources
Core
Exchange Server
File Server
Hyper-V
Multi-Site Clustering
Network Load Balancing
SQL Server
The following code can be run to display the membership of an Active Directory group and also let you know each member’s LDAP Distinguished Name. The output text file is named after the group and lists every member along with its location in Active Directory. Just copy this into a txt file and rename it to .vbs. Enjoy!
' Bind to the group whose membership you want to list. Replace GroupName, OUName and DomainName.
Set objGroup = GetObject("LDAP://cn=GroupName,ou=OUName,DC=DomainName,DC=local")
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
' Create (or overwrite) "<group name> - Members.txt" in the current directory (2 = ForWriting).
Set objFile = objFileSystem.OpenTextFile(objGroup.Get("name") & " - Members.txt", 2, True, 0)
' One line per member: logon name, common name, and the ADsPath of the container holding it.
' Note: contacts and foreign security principals have no sAMAccountName and will raise an error here.
For Each objMember In objGroup.Members
    objFile.WriteLine objMember.Get("sAMAccountName") & vbTab & _
                      objMember.Get("cn") & vbTab & _
                      objMember.Parent
Next
objFile.Close
Set objFile = Nothing
Set objFileSystem = Nothing
Set objGroup = Nothing
From time to time I’ve had to figure out which user account has a specific email address. Actually it’s more like finding who has the “reallycoolemailaccount@company.com” so another “more senior” person can get it. Well, if you work in a smaller company this can be kind of easy…but if your directory has thousands of accounts it becomes more difficult and time consuming.
What you will want to do is open up Active Directory Users and Computers and right-click the domain and select Search. Select the drop-down arrow in the Find field to select Custom Search. If you have multiple domains make sure to select Entire Directory on the In field. Now just click on the Advanced tab and put the following text in the LDAP Query - proxyaddresses=smtp:<whatever the email is you’re looking for>. Now all you have to do is click on Find Now and if the email is in use it will show the user account that is using it.
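The same proxyAddresses search from the AD PowerShell module, as an added example that is not part of the original post. It escapes the address before building the LDAP filter (so a value containing *, ( or ) cannot widen the query), searches the global catalog when you want the post's "Entire Directory" behaviour, and reports whether the hit is the primary (SMTP:) or a secondary (smtp:) address. It assumes the ActiveDirectory module; the address is the post's example.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)][string]$Value)
    # RFC 4515 escaping: backslash first, then the characters with filter meaning,
    # so user-supplied text cannot turn into a wildcard or an extra filter clause.
    $escaped = $Value   -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    $escaped = $escaped -replace "`0", '\00'
    return $escaped
}

function Find-ADObjectByEmail {
    param([Parameter(Mandatory = $true)][string]$Address, [switch]$EntireForest)
    # proxyAddresses matching is case-insensitive, so "smtp:" finds both primary and
    # secondary entries; the case of the stored prefix tells them apart.
    $params = @{
        LDAPFilter = "(proxyAddresses=smtp:$(ConvertTo-LdapFilterValue $Address))"
        Properties = 'proxyAddresses', 'sAMAccountName'
    }
    # "Entire Directory" in the GUI search is the global catalog: port 3268.
    if ($EntireForest) { $params.Server = "$((Get-ADForest).Name):3268" }

    Get-ADObject @params | ForEach-Object {
        $obj = $_
        $hit = @($obj.proxyAddresses | Where-Object { $_ -ieq "smtp:$Address" })[0]
        New-Object PSObject -Property @{
            Name              = $obj.Name
            SamAccountName    = $obj.sAMAccountName
            ObjectClass       = $obj.ObjectClass
            DistinguishedName = $obj.DistinguishedName
            IsPrimary         = [bool]($hit -cmatch '^SMTP:')
        }
    }
}

Find-ADObjectByEmail -Address 'reallycoolemailaccount@company.com' -EntireForest |
    Format-List Name, SamAccountName, ObjectClass, IsPrimary, DistinguishedName
```

An empty result means no user, contact or group in the directory carries that address; more than one result is worth investigating, since two objects should never share an SMTP address.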
