Thursday, April 21, 2011

Compacting Active Directory

I found a bug with NTDSUTIL when I compact a freshly created database. Well, I call it a bug, but I don't know what it is exactly; for sure my database doubles its own size instead of being compressed. Luckily I always back up the DB beforehand.

LDAP ports

AD LDS uses the same default ports as AD DS:
- port 389 (LDAP)
- port 636 (LDAP over SSL)
If you create an AD LDS instance on a server where those ports are already taken (a domain controller, or a server that already hosts another instance), the wizard proposes ports from 50,000 upwards instead (50,000 for LDAP and 50,001 for SSL by default). Best practice is to give every instance a port above 50,000 and document it.
Keep in mind that 636 is only "secure" once the instance has a server certificate to present, and that a simple bind over 389 (as opposed to a Kerberos/NTLM SASL bind) sends the password in clear text unless the connection uses StartTLS.

PS: the default ports are asked about in the exam, although a production environment will most likely never use these ports (389 and 636).

Tuesday, April 19, 2011

Cannot install certificate in Enterprise Mode

I found this issue with:
1 DC
1 member server, and I could not install the enterprise certificate although I was a domain admin and the machine was already joined to the domain.
Fix: disjoin the machine from the domain and rejoin it; it should take care of the problem.

Wednesday, April 13, 2011

When to use csvde over ldifde?

Answer: use ldifde most of the time if you can.

According to Petri's website:

One of the major benefits of LDIFDE over CSVDE is that you can modify existing objects and even delete objects with LDIFDE.  However, LDIFDE doesn’t support changing Group Membership, and like CSVDE, it does not work with passwords, so you cannot use it to export passwords from the database.


More here
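As an added worked example (not from the original post or from Petri's article), here is what "modify and delete" looks like in practice: an LDIF change file applied with LDIFDE, followed by the equivalent export with both tools. The domain, OU and user names are assumptions.

```powershell
# Added example (not from the original post or from Petri's article): an LDIF
# change file that modifies one object and deletes another, applied with LDIFDE.
# The domain (DC=test,DC=local), the OU and the user names are assumptions.
$ldif = @"
dn: CN=John Doe,OU=Lab,DC=test,DC=local
changetype: modify
replace: description
description: Lab account, reviewed $(Get-Date -Format 'yyyy-MM-dd')
-

dn: CN=Old Test User,OU=Lab,DC=test,DC=local
changetype: delete
"@

$file = Join-Path $env:TEMP 'changes.ldf'
Set-Content -Path $file -Value $ldif -Encoding ASCII

# -i = import, -f = input file, -j = directory for ldif.log / ldif.err.
# Without -k, LDIFDE stops at the first failing record, which is what you want
# for a change file: review ldif.err, fix it, re-run.
ldifde -i -f $file -j $env:TEMP
if ($LASTEXITCODE -ne 0) {
    Write-Warning "ldifde exited with $LASTEXITCODE; see $env:TEMP\ldif.err"
}

# Exporting is where the two tools overlap: same -d (search base), -r (LDAP
# filter) and -l (attribute list). Neither exports unicodePwd, so the files
# never contain password material, but they do contain everything listed in -l.
ldifde -f "$env:TEMP\lab-users.ldf" -d "OU=Lab,DC=test,DC=local" -r "(objectClass=user)" -l "cn,sAMAccountName,userPrincipalName"
csvde  -f "$env:TEMP\lab-users.csv" -d "OU=Lab,DC=test,DC=local" -r "(objectClass=user)" -l "cn,sAMAccountName,userPrincipalName"
```

The `-` line after the `replace:` block and the blank line between records are part of the LDIF syntax; ldifde rejects the file without them. CSVDE has no equivalent of `changetype`, which is the whole reason to prefer ldifde for anything but a one-off bulk creation.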

ADMX files

Let's say you run Windows XP clients and your domain controllers are Windows Server 2008 or Windows Server 2008 R2.
You want to edit domain-based GPOs using ADMX files.
What do you need to do?

Edit the GPOs from a machine running Windows Vista, Windows 7 or Windows Server 2008 (with GPMC/RSAT), or upgrade the clients you manage from to Windows 7.

Why? Because ADMX is the XML-based successor to the ADM template format, and only the Group Policy editor of Windows Vista, Windows 7 and Windows Server 2008 understands it. The templates are only needed on the machine that edits the policy (put one copy in the central store, \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions, so every editing station sees the same set); the resulting registry settings are still applied by the XP clients, which never read the ADMX files themselves.

Monday, April 4, 2011

Bug in Windows 2008 SP1

I found a bug with the network card: every time I went to Device Manager to set the properties of the NIC, it would let me, but the gateway address would disappear.
Fix: inside Device Manager, check whether your NIC is enabled or not and enable it. That should fix the problem.

Sunday, April 3, 2011

The local Administrator account becomes the domain Administrator account when you create a new domain.

Message error:
"The local Administrator account becomes the domain Administrator account when you create a new domain.  The new domain cannot be created because the local Administrator account password does not meet requirements.  Currently, a password is not required for the local Administrator account.  We recommend that you use the net user command-line tool with the /passwordreq:yes option to require a password for the account before you create the new domain; otherwise, a password will not be required for the domain Administrator account." 


In this case, I even tried to change the local admin password, then rebooted and ran DCPROMO, and it was still not working.
Finally I just ran the command NET USER Administrator password and it worked.


It only applies to Windows 2008 SP1.
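The same net user step as an added example (not the original post's command), with the password prompted for interactively so it never appears on the command line or in the console history, plus the checks that show the account is now in the state DCPROMO wants:

```powershell
# Added example (not from the original post): make the local Administrator
# account require a password and set one interactively. "net user <name> *"
# prompts twice and echoes nothing, so the new password never appears on the
# command line or in the shell history. Run elevated on the future DC.
net user Administrator /passwordreq:yes
net user Administrator *

# Show the two lines that matter: the account requires a password and it was
# just set. 'net accounts' shows the local minimum length the new password
# had to satisfy (the domain Administrator inherits this account).
net user Administrator | Select-String 'Password required', 'Password last set'
net accounts | Select-String 'Minimum password length'
```

If `Password required` still reads `No` after this, the `/passwordreq:yes` step did not take and DCPROMO will print the same message again.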





AD LDS: how to remove an instance

If you want to remove the AD LDS role, you first have to uninstall its instances. To uninstall an instance, go to Control Panel, Programs and Features, select the instance and click Uninstall.
On Windows 2008 SP1, you have to reboot the member server once the instance is uninstalled, then open Server Manager to remove the role.
PS: I haven't tried it on Windows 2008 R2.

Friday, April 1, 2011

Speeding up GPO processing

Whenever a GPO only contains settings in one half (User Configuration or Computer Configuration), disable the other half (GPO Status in GPMC) so clients skip it; this is a property of the GPO itself, not of the link.
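An added example (not from the original post) that finds the GPOs where this applies and switches the unused half off with the GroupPolicy module; it reports first and only changes anything when run without -WhatIf:

```powershell
# Added example (not from the original post): find GPOs where one half has
# never been edited and disable that half. Needs the GroupPolicy module (GPMC
# on Windows Server 2008 R2 / RSAT). A DSVersion of 0 means that half of the
# GPO has never been written, so disabling it saves the client one pass of
# processing without changing any setting it currently applies.
Import-Module GroupPolicy

function Get-HalfEmptyGpo {
    foreach ($gpo in Get-GPO -All) {
        $userEmpty     = ($gpo.User.DSVersion     -eq 0)
        $computerEmpty = ($gpo.Computer.DSVersion -eq 0)
        # both halves empty: the GPO does nothing at all, leave it for a human to delete
        if ($userEmpty -and $computerEmpty) { continue }
        if (-not ($userEmpty -or $computerEmpty)) { continue }
        if ($userEmpty) { $half = 'User' } else { $half = 'Computer' }
        New-Object PSObject -Property @{
            Name      = $gpo.DisplayName
            Status    = $gpo.GpoStatus
            EmptyHalf = $half
        }
    }
}

function Disable-EmptyGpoHalf {
    param([switch]$WhatIf)
    foreach ($item in Get-HalfEmptyGpo) {
        # only touch GPOs that still process both halves
        if ($item.Status -ne 'AllSettingsEnabled') { continue }
        if ($item.EmptyHalf -eq 'User') { $target = 'UserSettingsDisabled' }
        else                            { $target = 'ComputerSettingsDisabled' }
        if ($WhatIf) { "Would set '$($item.Name)' to $target"; continue }
        $gpo = Get-GPO -Name $item.Name
        $gpo.GpoStatus = $target   # written to the GPO container in AD immediately
        "'$($item.Name)': $target"
    }
}

Disable-EmptyGpoHalf -WhatIf   # drop -WhatIf to apply
```

The version counters are the safe signal here: a half that was edited and later emptied still has a non-zero DSVersion, so the script leaves it alone rather than guessing.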

Thursday, March 31, 2011

VMware Workstation 7.1.4 is out

Fixed bugs:

Security Fixes

   * Workstation 7.1.4 addresses a local privilege escalation in the vmrun utility
     VMware vmrun is a utility that is used to perform various tasks on virtual machines. The vmrun utility runs on any platform with VIX libraries installed. It is installed in Workstation by default. In non-standard filesystem configurations, an attacker with the ability to place files into a predefined library path could take execution control of vmrun. This issue is present only in the version of vmrun that runs on Linux

     The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-1126 to this issue. 

Other Resolved Issues

   * In Workstation 7.1, the default main memory VA cache size (mainMem.vaCacheSize) for 32-bit Windows guests was reduced to accommodate 3D emulation memory requirements. However, the reduced value resulted in performance loss. For 7.1.4, the default main memory VA cache size has been increased to 1000 MB and performance is improved.
   * Because Workstation failed to identify more than 10 USB host controllers in newer Windows guests, some USB devices did not appear in the Removable Devices menu. Now Workstation shows all USB devices in the Removable Devices menu as long as they are connected to the first identified 16 USB controllers.
   * When using the Capture Movie option, the captured video stopped playing around the 1GB mark if the video file exceeded 1GB. Now you can capture and play video files that are greater than 1GB.
   * The application vmware-modconfig UI could not start up in a KDE 4 session in a SUSE Linux Enterprise Desktop (SLED) 11 environment.
   * On Windows host systems that have more than 4GB of memory, Workstation sometimes crashed during cryptographic operations, for example, when performing disk encryption.
   * VMware Tools upgrade could be started by a non-administrator user from the VMware Tools Control Panel in a Windows guest. In this release, only administrator users can start VMware Tools upgrade from the VMware Tools Control Panel. To prevent non-administrator users from starting VMware Tools upgrade from a guest by using other applications, set isolation.tools.autoinstall.disable to TRUE in the virtual machine configuration (.vmx) file.
   * When a virtual machine running on a Windows host was used to access an Omron Industrial CP1L Programmable Logic Controller, Workstation generated an unrecoverable error.
   * When using NAT virtual networking on Windows hosts, the traceroute command did not work when used within virtual machines.
   * The Easy Install feature did not work for Fedora 14 guest operating systems.
   * During VMware Tools installation on a Fedora 14 64-bit guest operating system, the following warning message was generated while building the vsock module: case value '255' not in enumerated type 'socket_state'.
   * Workstation crashed with an access violation when a user tried to open the sidebar after closing all tabs in Quick Switch mode.
   * The Easy Install feature did not work for Red Hat Linux 6 guest operating systems.
   * The VMware Tools HGFS provider DLL caused a deadlock when making calls to the WNetAddConnection2 function from an application such as eEye Retina in a Windows guest operating system.
   * There was no option to disable guest time sync when a host resumes. Now you can set time.synchronize.resume.host to FALSE in the virtual machine configuration (.vmx) file to disable guest time sync when a host resumes. See VMware Knowledge Base Article 1189 for other time sync options.
   * Setting a hidden attribute on a file in a shared folder from a Windows guest on a Linux host failed with an error. This problem caused applications such as SVN checkout to fail when checking out to shared folders on Linux hosts from Windows guests.

GPO management editor: registry settings

There are 2 types of configuration:
- Computer configuration
- User configuration

Both of them write registry settings.
Computer Configuration settings land under HKEY_LOCAL_MACHINE and User Configuration settings under HKEY_CURRENT_USER. Administrative Template policies go into the Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies keys of the respective hive, which are ACLed so that the logged-on user cannot edit them; that is what makes them policies rather than preferences.

Office Communications Server 2007 R2 on Windows 2008 R2?

At step 2 of the installation it checks for components, then brings you back to the same page in an endless loop, even after checking all the prerequisites and best practices on Microsoft's website.
However, a fix has been available for a little over a year now: http://support.microsoft.com/kb/982021

The best practice for OCS 2007 R2 is to stay on Windows 2008 SP1 (64-bit) or Windows 2003 (32-bit).
Of course, one of the best practices is not to try products that were released before the operating system you install them on, but sometimes, for the sake of intellectual curiosity, the human mind needs to know if it can be achieved.



Wednesday, March 30, 2011

How to make sure DCPROMO was successful

After the installation, open a command prompt and type net share.
Many shares will be listed, but the two that indicate a successful promotion are NETLOGON and SYSVOL.
Logon scripts live in NETLOGON (the path is something like C:\Windows\SYSVOL\sysvol\<domain>\SCRIPTS).
Group Policy templates (the Policies folder) live in SYSVOL.
NETLOGON is only shared once the initial SYSVOL replication has completed, so if it is missing right after the promotion, wait for replication to finish (dcdiag /test:advertising tells you when the DC advertises itself) before assuming the promotion failed.
To make sure file replication works, copy a file into the SYSVOL directory, then check that it shows up on the other domain controllers.
The Netlogon service also registers the DC's SRV records in DNS, including the global catalog records, so without it clients cannot locate the DC, the global catalog or their GPOs.
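An added example, not from the original post, that automates this check: it verifies the two shares and then proves SYSVOL replication end to end with a marker file. It assumes the ActiveDirectory module (Windows Server 2008 R2) and a lab where intra-site replication completes within five minutes:

```powershell
# Added example (not from the original post): check the shares dcpromo must
# publish and exercise SYSVOL replication end to end with a marker file.
# Run on the new DC as a domain admin; needs the ActiveDirectory module
# (Windows Server 2008 R2). The 5-minute wait is an assumption for a lab
# with default intra-site replication.
Import-Module ActiveDirectory

function Test-DcShares {
    $present = Get-WmiObject Win32_Share | ForEach-Object { $_.Name }
    foreach ($name in 'SYSVOL', 'NETLOGON') {
        New-Object PSObject -Property @{ Share = $name; Present = ($present -contains $name) }
    }
}

function Test-SysvolReplication {
    param([int]$TimeoutMinutes = 5)
    $domain = (Get-ADDomain).DNSRoot
    $me     = "$($env:COMPUTERNAME).$domain"
    $marker = "repl-marker-$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMddHHmmss).txt"
    $local  = "\\$me\SYSVOL\$domain\scripts\$marker"
    Set-Content -Path $local -Value "written $(Get-Date) on $me"
    try {
        foreach ($dc in Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }) {
            if ($dc -ieq $me) { continue }
            $remote   = "\\$dc\SYSVOL\$domain\scripts\$marker"
            $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
            while (-not (Test-Path $remote) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 15 }
            New-Object PSObject -Property @{ DC = $dc; Replicated = (Test-Path $remote) }
        }
    } finally {
        Remove-Item $local -ErrorAction SilentlyContinue   # the deletion replicates too
    }
}

Test-DcShares
Test-SysvolReplication
```

A `Present = False` for NETLOGON immediately after dcpromo usually just means the first SYSVOL sync has not finished; re-run after a few minutes. If the marker never arrives on one DC, `repadmin /showrepl` and the FRS/DFSR event logs on that DC are the next stop.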



Tuesday, March 29, 2011

Exchange prerequisites: Net.Tcp Port Sharing

Another prerequisite for Exchange 2010 is the Net.Tcp Port Sharing service, which must be set to start automatically.
You can do this either with:
1) services.msc (Start, Run, services.msc, then open Net.Tcp Port Sharing Service and set Startup type to Automatic)
or
2) PowerShell: Set-Service NetTcpPortSharing -StartupType Automatic

PS: mastering Windows PowerShell is recommended to run Exchange 2007 and 2010 smoothly.
I believe MS products will put more emphasis on Windows scripting within the next few years.

What does Net.Tcp Port Sharing do? It lets several processes (WCF services using the net.tcp binding) listen on the same TCP port, without any configuration on the client. More here

Installing Exchange 2010: unable to read data from the metabase

When you run the Client Access role prerequisite check, you may get this type of error:
"Unable to read data from the Metabase. Ensure that Microsoft Internet Information Services is correctly installed." Then you click the "recommended action" link only to find no explanation at all, since it advises you to uninstall and reinstall IIS (which won't fix the problem anyway).
At this point, we can assume that:
1) You may have read the prerequisites too fast
2) The error you encountered does not give you enough information to fix the issue
or
3) You don't know enough about IIS
or a little bit of everything.

I really pulled my hair out over this issue. I uninstalled and reinstalled IIS with different roles, only to find out that the "IIS 6 Management Compatibility" feature has to be checked.
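An added example (not from the original post) covering this prerequisite and the Net.Tcp Port Sharing one above in one elevated PowerShell session, using the Windows Server 2008 R2 ServerManager feature names:

```powershell
# Added example (not from the original post): install the IIS 6 management
# compatibility components the Exchange 2010 Client Access prerequisite check
# looks for, and make the Net.Tcp Port Sharing service start automatically.
# Feature names are the Windows Server 2008 R2 ServerManager names; run elevated.
Import-Module ServerManager

# Web-Metabase (IIS 6 Metabase Compatibility) is what "unable to read data from
# the Metabase" is really about; the other three are its siblings under
# "IIS 6 Management Compatibility".
$wanted = 'Web-Server', 'Web-Metabase', 'Web-Lgcy-Mgmt-Console', 'Web-Lgcy-Scripting', 'Web-WMI'

$missing = Get-WindowsFeature -Name $wanted | Where-Object { -not $_.Installed }
if ($missing) {
    $names  = $missing | ForEach-Object { $_.Name }
    $result = Add-WindowsFeature -Name $names
    if ($result.RestartNeeded -ne 'No') { Write-Warning 'Reboot before running the Exchange prerequisite check again' }
} else {
    'IIS 6 management compatibility already installed'
}

# Exchange setup checks the startup type of this service.
Set-Service -Name NetTcpPortSharing -StartupType Automatic
Start-Service -Name NetTcpPortSharing

# Verify: the IIS Admin Service only exists once the metabase layer is installed,
# and the port-sharing service must show StartMode Auto.
Get-Service -Name IISADMIN, NetTcpPortSharing | Format-Table Name, Status -AutoSize
Get-WmiObject Win32_Service -Filter "Name='NetTcpPortSharing'" | Select-Object Name, StartMode
```

If `Get-Service IISADMIN` throws, the metabase compatibility feature is still not installed, whatever the IIS role itself looks like in Server Manager.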

Monday, March 28, 2011

SQL error [0xC3EC79FB] on Office Communications Server 2007

For Office Communications Server you will need 2 servers: you cannot install SQL on the OCS server and get away with it; you need the front end and the back end. Maybe, and I say "maybe", you can get away with installing a SQL instance on a client machine and Office Communications Server on the server machine.
Here is what MS wrote for this error:

"The Office Communications Server 2007, Back-End Database, stores user data for all Enterprise Edition Servers within a pool. As a centralized repository, the Back-End Database cannot be installed on the same computer as any other Office Communications Server role. The Back-End Database cannot reside on an Enterprise Edition Server in the pool.
The Back-End Database is created automatically when you create the pool, but the computer that you designate as the back end must already be running SQL Server in order for installation to succeed. Before you deploy Enterprise Edition Server, install SQL Server 2005 with Service Pack 1 (32-bit or 64-bit) or SQL Server 2000 with Service Pack 4 or higher on a dedicated computer that meets the hardware requirements described in Infrastructure Requirements and Prerequisites in Microsoft Office Communications Server 2007 Enterprise Edition earlier in this document."

AD install tip

During AD installation, always give the computer a static IP address and point its preferred DNS server at that same address; otherwise, when DCPROMO installs the DNS role it sets the loopback address (127.0.0.1) as the DNS server, which may be irrelevant to your infrastructure.

Working on Microsoft Office Server installation

I've been working on a Microsoft Office Server installation. It is the most painful installation, with tons of prerequisites. At this point I am recording all the errors encountered and I will probably post them once I am done, depending on the length of the installation, at my earliest convenience.

Friday, March 25, 2011

"Run as Administrator" / UAC

In Windows 2008 there is a security feature (User Account Control) that requires you to elevate before starting some programs; it's the case for MS Virtual Machine Manager, for example: the console connects to the virtual host, but you cannot access the virtual machine and get the error "cannot connect to this machine". It's rather annoying, since this feature affects lots of programs and can literally waste your day troubleshooting the issue. Here is how to turn it off:
1) type secpol.msc and it will bring up the Local Security Policy snap-in.
2) Expand Local Policies, then Security Options. Double-click "User Account Control: Run all administrators in Admin Approval Mode", set it to Disabled, then reboot the machine.

Caveat: that setting switches UAC off for every administrator on the machine (all their processes get the full admin token, with no prompt and no filtering), so try the narrower fix first: right-click the program and choose "Run as administrator", or tick "Run this program as an administrator" on the Compatibility tab of its shortcut so it always elevates. If the prompts themselves are the problem, setting "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Elevate without prompting" is still far less drastic than disabling Admin Approval Mode.

There is a description of elevated privileges and UAC here: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx
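An added example, not from the original post, that shows what the policy above actually toggles and the narrower alternatives; the path of the VMM console is an assumption:

```powershell
# Added example (not from the original post): report the registry values behind
# the two UAC policies that secpol.msc edits, and elevate just one program
# instead of disabling UAC. The program path is an assumption.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $p         = Get-ItemProperty -Path $key
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    New-Object PSObject -Property @{
        # EnableLUA: 1 = "Run all administrators in Admin Approval Mode" enabled,
        # 0 = UAC off for administrators (takes effect after a reboot)
        AdminApprovalMode   = [int]$p.EnableLUA
        # ConsentPromptBehaviorAdmin: 0 = elevate without prompting, 1/2 = prompt on
        # the secure desktop (credentials/consent), 3/4 = prompt (credentials/consent),
        # 5 = prompt only for non-Windows binaries (Windows 7 / 2008 R2 default)
        AdminPromptBehavior = [int]$p.ConsentPromptBehaviorAdmin
        # whether this PowerShell session already runs with the full admin token
        SessionIsElevated   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

Get-UacState

# Narrower fix: elevate only the tool that needs it. This is exactly what the
# "Run as administrator" context-menu entry does. Path is an assumption.
$program = 'C:\Program Files\Microsoft System Center Virtual Machine Manager 2008 R2\bin\VmmAdminUI.exe'
if (Test-Path $program) {
    Start-Process -FilePath $program -Verb RunAs
}

# Middle ground if the prompts are the real problem: keep Admin Approval Mode on
# (non-admins unaffected, admins still run day-to-day apps with the filtered
# token) but let administrators elevate silently. Weaker than prompting, far
# narrower than EnableLUA=0.
# Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 0
```

Run `Get-UacState` again after a reboot to confirm what a secpol.msc change actually produced; the policy names in the snap-in and the value names in the registry are the same setting seen from two sides.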

MS System Center Virtual Machine Manager 2008 R2 x64 SP1 is out

And I am testing it.
Make sure to upgrade your SQL Server to 2005 at least or run another SQL version; otherwise you won't be able to connect and will get Event ID 1602. Or... you can fix it manually, but it will take longer to go that road.
More later on this software as soon as I have tested it.

How to change a user's UPN suffix

Let's say a user in AD would like a nicer name to log in with. You can add an alternative UPN suffix with Active Directory Domains and Trusts and then assign it to the user, so the logon name becomes user@newsuffix.
Steps:
1) Open Active Directory Domains and Trusts, right-click the root node (not a domain), go to Properties, and add the suffix under "Alternative UPN suffixes"
2) Then go to Active Directory Users and Computers, open your user, go to the Account tab, and pick the new suffix in the drop-down after "User logon name"
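The same two steps with the ActiveDirectory module, as an added example that is not from the original post (suffix, user and domain names are assumptions), including the uniqueness check that ADUC does not do for you:

```powershell
# Added example (not from the original post): register an alternative UPN suffix
# on the forest and assign it to one user, checking forest-wide uniqueness via a
# global catalog first. Needs the ActiveDirectory module (Windows Server 2008 R2).
# The suffix and the user name are assumptions.
Import-Module ActiveDirectory

$suffix = 'corp.example'
$sam    = 'jdoe'

# 1) What the Properties dialog of Active Directory Domains and Trusts does
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $suffix }
}

# 2) Assign it. UPNs must be unique across the whole forest, so ask a GC (port 3268)
$user  = Get-ADUser -Identity $sam
$upn   = "$($user.SamAccountName)@$suffix"
$clash = Get-ADUser -Filter { UserPrincipalName -eq $upn } -Server "$($forest.RootDomain):3268"
if ($clash -and $clash.SamAccountName -ne $user.SamAccountName) {
    throw "$upn is already used by $($clash.DistinguishedName)"
}
Set-ADUser -Identity $user -UserPrincipalName $upn

Get-ADUser -Identity $sam -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName
```

The suffix does not have to be a DNS zone you own for Kerberos to work inside the forest (the KDC resolves the UPN through the global catalog), but it should be, because anything that later sends mail or federates on that name will assume it is.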

How to rename a Domain Controller

There are 2 ways; they both work the same in my opinion, although MS warns against the GUI solution on a domain controller:
- With the GUI: go to the computer properties and rename the computer
- With netdom: run netdom computername oldcomputernamefqdn /add:newcomputernamefqdn
Then netdom computername oldcomputernamefqdn /makeprimary:newcomputernamefqdn and restart the DC
Then run netdom computername newcomputernamefqdn /remove:oldcomputernamefqdn
These commands go together and you MUST use them in this order (add, make primary, restart, remove): the old name is kept as an alternate until the remove step, so SPNs and DNS records for both names exist while the change replicates.
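The full netdom sequence as an added example (not from the original post), with the replication wait, the primary switch and the post-reboot verification; host names and the domain are assumptions:

```powershell
# Added example (not from the original post): the complete netdom rename sequence
# with error checking. Names are assumptions; run elevated as a domain admin on
# the DC being renamed. Renaming a DC requires domain functional level Windows
# Server 2003 or higher.
$old    = 'dc1.test.local'
$new    = 'dc01.test.local'
$domain = 'test.local'

function Invoke-Netdom {
    param([string[]]$Arguments)
    & netdom $Arguments
    if ($LASTEXITCODE -ne 0) { throw "netdom $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Rename-DcPhase1 {
    # register the new name as an alternate (creates its SPNs and DNS records)
    Invoke-Netdom 'computername', $old, "/add:$new"
    # every DC must know the alternate name before it becomes primary,
    # otherwise authentication to this DC breaks until replication catches up
    repadmin /syncall /AdeP
    Invoke-Netdom 'computername', $old, "/makeprimary:$new"
    Invoke-Netdom 'computername', $old, '/enumerate'   # lists both names, the new one as primary
    Restart-Computer -Force
}

function Rename-DcPhase2 {
    # after the restart: drop the old name, then check SPNs and DNS for what is left
    Invoke-Netdom 'computername', $new, "/remove:$old"
    Invoke-Netdom 'computername', $new, '/verify'
    nltest "/dsgetdc:$domain" /force                   # the locator must now hand out the new name
}

Rename-DcPhase1
# log back in after the reboot and run:  Rename-DcPhase2
```

`/verify` is the step worth keeping even if you rename from the GUI: it checks that the SPNs and the DNS A records match the names the computer object now carries, which is what breaks Kerberos to the DC when a rename is half done.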

The Module "schmmgmt.dll" Loaded but the Call to DllRegisterServer Failed with Error Code 0x80040201

During roles removal I encountered this error on the schema master with the command regsvr32 schmmgmt.dll:

The Module "schmmgmt.dll" Loaded but the Call to DllRegisterServer Failed with Error Code 0x80040201

Solution:
Make sure your user account belongs to "Schema Admins" (otherwise you won't be able to make schema changes with the snap-in anyway), then run the command prompt as administrator (elevated) and register the DLL again; that takes care of the error.

Another solution, if you are stuck without resolving this issue, is to use the NTDSUTIL command to transfer the FSMO role to another computer manually.




Thursday, March 24, 2011

Cannot transfer RID master to main DC

For some reason today, the zone transfer between the 2 DCs was not working in my lab. I tried with ntdsutil and I could not transfer the role. In this case a forced removal of the DC took care of the problem.
PS: only do that if you cannot transfer the FSMO roles and if you cannot force replication in Active Directory Sites and Services.
Steps:
1) DCPROMO /forceremoval
2) Active Directory Users and Computers: go to Domain Controllers and delete the damaged DC
3) It will then ask you if you want to transfer the remaining roles to the schema master. Click Yes.
Done.

Run netdom query fsmo to check that all the roles have been transferred :)

Re-install the damaged DC with DCPROMO (after a forced removal the server must be reinstalled or re-promoted, not just reconnected, because the rest of the forest no longer knows it as a DC).

Wednesday, March 23, 2011

Cannot join an XP machine to the domain

Solution: after checking the internal DNS settings in TCP/IP, pre-create the computer account in AD, then disable LMHOSTS lookup and make sure NetBIOS over TCP/IP is enabled in the TCP/IP settings, then join the machine to the domain.
I can't say it's a 100% solution, but it worked in my case.

How to seize and remove FSMO roles

After decommissioning a domain controller, run NTDSUTIL at the command prompt.

To remove the dead DC's metadata (its NTDS Settings, server and replication objects), type the following:
1) metadata cleanup
2) connections
3) connect to server X (X is any working domain controller, usually your main DC / the schema master; it does not have to be the one being removed)
4) q
5) select operation target
6) list domains
7) select domain X (X is a number)
8) list sites
9) select site X
10) list servers in site
11) select server X
12) q
13) remove selected server
14) q

Repeat steps 5 to 13 for a 2nd or 3rd demotion.

If the removed DC still held FSMO roles, seize them from the roles menu of NTDSUTIL on the DC that should take them over (roles, connections, connect to server <that DC>, q, then seize RID master, seize PDC, seize infrastructure master, seize schema master or seize naming master as needed), and never bring the old DC back online afterwards.
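An added example (not from the original post) that does the same job for the two cases above, the RID master that could not be transferred and the decommissioned DC whose metadata must go: it lists the current FSMO holders, seizes whatever the dead DC still held, and runs the metadata cleanup from a single ntdsutil command line. DC, site and domain names are assumptions; it needs the ActiveDirectory module (Windows Server 2008 R2).

```powershell
# Added example (not from the original post): query the FSMO holders, seize the
# roles held by a DC that is gone for good, and remove that DC's metadata in one
# ntdsutil invocation. Needs the ActiveDirectory module (Windows Server 2008 R2).
# The DC names, the site and the domain are assumptions.
Import-Module ActiveDirectory

function Get-FsmoHolder {
    $d = Get-ADDomain
    $f = Get-ADForest
    New-Object PSObject -Property @{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

$dead     = 'DC2'   # the DC that cannot be demoted or reached
$survivor = 'DC1'   # a healthy DC that takes over its roles
$deadDn   = "CN=$dead,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local"

# Which roles does the dead DC still hold? (holders are reported as FQDNs)
$before = Get-FsmoHolder
$rolesToSeize = @()
foreach ($role in 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
    if ($before.$role -like "$dead.*") { $rolesToSeize += $role }
}

if ($rolesToSeize) {
    # -Force seizes instead of transferring. Only do this when $dead will never
    # come back: a seized RID master that reappears hands out duplicate SIDs.
    Move-ADDirectoryServerOperationMasterRole -Identity $survivor -OperationMasterRole $rolesToSeize -Force -Confirm:$false
}

# Metadata cleanup with the DN form of "remove selected server", which replaces
# the interactive list/select menus. Run on a live DC; ntdsutil still pops up a
# confirmation dialog.
ntdsutil "metadata cleanup" "remove selected server $deadDn" quit quit

Get-FsmoHolder
netdom query fsmo
```

After the cleanup, also delete the dead DC's A and SRV records from DNS and its object under Active Directory Sites and Services if anything is left, then reinstall the machine before it touches the network again.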

How to remove orphaned child domains

Description: you have a domain named, for example, test.local, and inside Active Directory Users and Computers, when you want to change the domain controller, you notice sub-domains such as sub.test.local; these sub-domains of course do not exist any more and you need to remove them from your AD.
First, and to make it short, the creation of such sub-domains is often due to a connectivity problem (DNS, for example) or to repeated DCPROMO runs that failed after promoting a new domain in a new forest. There may be other reasons as well.
So what are the steps to take care of this issue?
1) removal of the DCs
2) seizing the FSMO roles and deleting them.
Do not try to seize the FSMO roles first and then remove the DC.
Also, you may notice the error message "The FSMO role ownership could not be verified because its directory partition has not replicated successfully with at least one replication partner" (error 0x21a2). In my case, I found out that the order of creation of the child domains would take care of this error: remove first the sub-domain that was created first, then the second one, if you have more than 2 to delete.
There are also other tricks with repadmin, but they did not take care of my issue.


Also, to move the FSMO roles to another domain controller, refer to this article

Event ID 2042

Event ID 2042: It has been too long since this machine last replicated

The DC has not replicated with the named partner for longer than the tombstone lifetime, so inbound replication from it is refused to avoid reintroducing deleted (lingering) objects.
There is a fix here: http://technet.microsoft.com/en-us/library/cc949136(WS.10).aspx


As far as I am concerned, my case was with a new forest in an existing domain during a DCPROMO; I just rebooted the main DC and was able to install the new DC after 2 attempts, but now I have 2 other child domains that will need a metadata cleanup.





Monday, March 21, 2011

The security database on the server does not have a computer account for this workstation trust relationship

Error message:
"The security database on the server does not have a computer account for this workstation trust relationship."

Solution: go to Active Directory Users and Computers and check whether the computer object appears twice in the OU; if so, remove the duplicate (the one whose name carries an extra identifier suffix) and reboot the computer.

Sunday, March 20, 2011

Domain Controller in AD shows as unavailable

Solution: go to the NIC's TCP/IP properties and re-enable Internet Protocol Version 6 (IPv6).
Works on Windows 2008 R2 SP1.