Archive of published articles from 2008

Put Powershell and QAD cmdlets together to become a lazier (yet smarter) System Admin

21/12/2008

One of the exciting features of Windows Server 2008 is PowerShell, a command-line interactive shell and scripting language. PowerShell gives admins control over their Active Directory and server environment and handles the remote management tasks that used to be done with VB, WMI and ADSI scripts. WMI and ADSI calls are still behind many PowerShell cmdlets (pronounced "command-lets": the commands that trigger the call from the interactive shell), but the number of lines, and the amount of scripting you need to know, has been substantially reduced.

PowerShell v1.0 can be installed as a feature in Windows Server 2008, or installed separately on Windows XP SP2 or Windows Server 2003 SP1 as an RTW download. It provides 130 cmdlets that make system administration easier and automation faster. On top of that, Quest Software has released the ActiveRoles Management Shell for Active Directory (for free), which provides a further set of QAD (Quest Active Directory) cmdlets covering AD-specific management tasks. You can get the Quest Management Shell and its cmdlets from http://www.quest.com/powershell/activeroles-server.aspx

While the Quest cmdlets run in their own shell, the Quest snap-in can also be registered in PowerShell by running the following command after installing the Quest Management Shell.

Add-PSSnapin Quest.ActiveRoles.ADManagement

Run Get-PSSnapin to verify that the snap-in loaded.

Alternatively, you can work directly in the Quest Management Shell, where all the native PowerShell cmdlets are also available. To list all the QAD cmdlets, run Get-Command *-QAD*.

Lastly, give one of the QAD cmdlets a test drive. For instance, to create a new user in AD and learn how New-QADUser is used, run Get-Command New-QADUser -detail to see the full syntax and available options.

Here are a couple of great resources to hit the ground running with Powershell and Quest Management Shell (a.k.a QAD Cmdlets).

PowershellPro Tutorials
PowerGUI and QAD Wiki
PowerGUI Forums
Windows Powershell Forums

Repadmin indicates Read-Only Domain Controller in Windows Server 2008

18/08/2008

We all know how helpful the repadmin tool (available through the Windows Support Tools in Windows Server 2003 and earlier) has become for troubleshooting replication issues. In Windows Server 2008 this tool, along with others, comes pre-packaged in the OS. You no longer have to install the Support Tools to reap the benefits of handy command-line tools such as dcdiag, netdiag, rendom and many others.

Here is one repadmin invocation I have come to rely on, as it gives a snapshot of the source DCs, the destination DCs and their replication status. The command is repadmin /replsum

In the scenario above there are two DCs (both Windows Server 2008), each shown with its largest delta, i.e. the longest time since it last replicated. The Source DC is the one changes have gone out from, whereas the Destination DC is the one that adopted changes from the other DC, i.e. replicated them in.

What needs to be noticed here is that under normal circumstances both DCs would show up under both Source and Destination. But since VM08-02 is a read-only domain controller it can only pull changes from the other DC and cannot replicate changes out, so it shows up only under Destination DC, i.e. at the receiving end of Active Directory replication. The read-write domain controller (RWDC), VM08-01, shows changes replicated out from it.

The fails/total %% and error columns come in very handy when one of your DCs somewhere out there has stopped talking to the others, or has not been talked to, due to an issue such as incorrect firewall settings.

Repadmin is one handy tool that all AD admins should invest a little time learning. For more information on the repadmin /showrepl command, see Microsoft's documentation.
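To make the fails/total and error columns actionable across many DCs, here is an added PowerShell example (not from the original post) that parses the text repadmin /replsum prints and flags DCs with failures, as well as DCs that appear only as a destination the way the RODC above does. The sample output is constructed to follow the /replsum layout; on a real DC feed the function (repadmin /replsum | Out-String).

```powershell
function ConvertFrom-ReplSum {
    # Turn the Source DSA / Destination DSA tables of repadmin /replsum into objects
    param([Parameter(Mandatory = $true)][string]$Text)

    $section = $null
    $rows = @()
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*Source DSA')      { $section = 'Source';      continue }
        if ($line -match '^\s*Destination DSA') { $section = 'Destination'; continue }
        if (-not $section) { continue }
        # DSA name, largest delta, fails / total, percent, optional error text
        if ($line -match '^\s*(?<dsa>\S+)\s+(?<delta>.+?)\s+(?<fails>\d+)\s*/\s*(?<total>\d+)\s+(?<pct>\d+)\s*(?<err>.*)$') {
            $rows += New-Object PSObject -Property @{
                Role    = $section
                DSA     = $Matches['dsa']
                Delta   = $Matches['delta']
                Fails   = [int]$Matches['fails']
                Total   = [int]$Matches['total']
                Percent = [int]$Matches['pct']
                Error   = $Matches['err'].Trim()
            }
        }
    }
    return ,$rows
}

function Get-ReplSumFindings {
    # Report DCs with failed replication attempts and DCs that only ever receive changes
    param([Parameter(Mandatory = $true)][string]$Text)

    $rows = ConvertFrom-ReplSum -Text $Text
    $sources      = @($rows | Where-Object { $_.Role -eq 'Source' }      | ForEach-Object { $_.DSA })
    $destinations = @($rows | Where-Object { $_.Role -eq 'Destination' } | ForEach-Object { $_.DSA })

    $findings = @()
    foreach ($r in ($rows | Where-Object { $_.Fails -gt 0 })) {
        $findings += ('{0} {1}: {2}/{3} failures ({4}%) {5}' -f $r.Role, $r.DSA, $r.Fails, $r.Total, $r.Percent, $r.Error)
    }
    foreach ($dsa in ($destinations | Where-Object { $sources -notcontains $_ })) {
        $findings += ('{0} receives changes only (RODC, or not replicating out)' -f $dsa)
    }
    return ,$findings
}

# Constructed sample in the shape of repadmin /replsum output (not captured from a real DC)
$sample = @"
Replication Summary Start Time: 2008-08-18 09:15:02

Beginning data collection for replication summary, this may take awhile:
  ....

Source DSA          largest delta    fails/total %%   error
 VM08-01                   15m:22s    0 /   5    0

Destination DSA     largest delta    fails/total %%   error
 VM08-01                   15m:22s    0 /   5    0
 VM08-02                   12m:03s    0 /   5    0
 VM08-03                  >60 days    5 /   5  100  (1722) The RPC server is unavailable.
"@

ConvertFrom-ReplSum -Text $sample | Format-Table Role, DSA, Delta, Fails, Total, Percent, Error -AutoSize
Get-ReplSumFindings -Text $sample
```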

Moving from Virtual Server 2005 R2 to VMware ESXi which is now FREE

1/08/2008

So it's no news that this past Monday VMware released VMware ESXi for free, where previously it sold for $495. As many have noted, this is the right move in terms of competing with Microsoft and its free offering of Hyper-V, their flavor of native virtualization product.

However, there are things to keep in mind. While ESXi and ESX (the best known product on the market) match in core functionality, VMware does not make the VirtualCenter Server piece free. You would still need a licensed VMware Infrastructure 3 Suite in order to use VirtualCenter to manage multiple hosts, provision VMs easily and, most importantly, take advantage of powerful tools such as HA, DRS and consolidated backup for VMs.

Nonetheless, I am excited at this prospect, as many SMBs will now really be able to get a true taste of VMware ESX for their virtualization needs. I have previously run my home lab on VMware Server 1.0 and now on Virtual Server 2005 R2 (both hosted virtualization, running on top of another OS). When the news of the free ESXi broke, I immediately wanted to know whether it would run on my Dell PowerEdge 1800, a dual-core Xeon machine. My searches turned up no definitive answer, and the ESXi HCL was no help.

I decided to give it a try and moved my Virtual Server 2005 VMs to other storage. I got the ISO for VMware ESXi and ran the installation. It installed painlessly (following the Install Guide that arrives by email when you register for your free copy, which also includes the license key), and I now had an ESXi machine with much better hypervisor performance ready to go. I plan on migrating my Virtual Server 2005 VMs using VM Converter, which is included when you download the evaluation copy of VirtualCenter Server 2.5; the eval gives you all the features mentioned above for 60 days. After the trial is over you can continue to use the Virtual Infrastructure Client to manage VMware ESXi and the VMs. I am looking forward to revamping my lab VMs and using the VirtualCenter features. Note that I installed the VI Client and VirtualCenter Server 2.5 on an XP machine and it works great. In future I plan on installing the VirtualCenter Server piece on a Vista machine.

Lastly, companies that have paid thousands of dollars for ESX and the VI3 Suite should perhaps look into building their Dev and QA environments on ESXi, while using their already paid-for VirtualCenter license to manage multiple ESXi hosts. There are potential cost savings there.

Grab your free copy of VMware ESXi from here.

P.S. After you have installed it, don't forget to license it with the key received by email, from the Configuration tab and the License option in the VI Client.

The Infamous /3gb Startup Switch

27/06/2008

What is it ?

Windows Server 2003 includes support for a startup switch that lets you tune how the virtual address space is divided. Regardless of the amount of physical memory in your system, Windows uses a virtual address space of 4 GB, with 2 GB allocated to user-mode processes (for example, applications) and 2 GB allocated to kernel-mode processes (for example, the operating system and kernel-mode drivers). On systems that have 1 GB or more of physical memory, the startup switch can be used to allocate more address space to applications (3 GB) and less to the operating system (1 GB). This additional virtual address space helps reduce memory fragmentation.

How beneficial is it ?

You may have read many articles on this subject before. The discussion has been going on for many years and at times has almost reached epic proportions, due to conflicting information from Microsoft. Long story short: by and large, you should NOT use the /3GB switch unless you meet specific criteria. Please read the following article, which demystifies the whole theory, or read the excerpt below.

http://blogs.technet.com/askperf/archive/2007/03/23/memory-management-demystifying-3gb.aspx

The /3GB option was intended as a short term solution to allow applications such as database servers to maintain more data in memory than a 2GB address space allowed. However, using the /3GB method to increase the user-mode memory space comes at a cost. If we have to allocate an additional 1GB of this address space to the user-mode space, then the System space is cut in half. Drivers, Heap, Paged & NonPaged Memory all have only half the resources to work with now. However, because of the way memory mapping works, cutting the kernel space in half does a lot more than just reducing the address space. Many of the structures within the kernel virtual memory space are cut back by far more than 50%.

For a process to access the full 3GB address space, the image file (application process) must have the IMAGE_FILE_LARGE_ADDRESS_AWARE flag set in the image header.

If the flag is not set in the image header, then the OS reserves the third gigabyte so that the application won’t see virtual addresses greater than 0x7FFFFFFF. You set this flag by specifying the linker flag /LARGEADDRESSAWARE when building the executable. This flag has no effect when running the application on a system with a 2-GB user address space. Therefore if you enable the /3GB switch, then applications that do not have this flag set can only use the standard 2GB of User mode memory, and the Kernel is still limited to the 1GB space – which means that 1GB of virtual memory is basically wasted !

All that is required to make it happen is a switch in the boot.ini file. The switch, /3GB, is placed at the end of the line that executes the WinNT loading process.

Example:

[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINNT="Windows NT Server Version 4.00" /3GB

Or you may add an additional line in your boot.ini as above to have the option to boot into either environment, with or without the switch.

What to keep in mind ?

This topic deals with the virtual memory address space and has no relevance to physical memory. It is a limitation of a 32-bit OS; if you are running a 64-bit OS, none of this applies. At the end of the day you must decide whether your application can actually benefit from this switch. Often, if you find yourself raising the OS's thresholds, or doing things such as over-clocking your processor to keep up, it is worth questioning the logic behind it. Perhaps go for a 64-bit OS to begin with.
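Since /3GB only helps a process whose image carries IMAGE_FILE_LARGE_ADDRESS_AWARE, it is worth checking your application binaries before touching boot.ini. Here is an added PowerShell example (not from the original post) that reads that flag from the COFF header; it is run against two PE headers constructed in memory, and for a real binary you pass the bytes of the .exe file.

```powershell
function Test-LargeAddressAware {
    # Returns $true when IMAGE_FILE_LARGE_ADDRESS_AWARE (0x0020) is set in the COFF Characteristics
    param([Parameter(Mandatory = $true)][byte[]]$Bytes)

    # DOS header: 'MZ' magic, and e_lfanew (offset of the PE signature) at 0x3C
    if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) {
        throw 'Not an MZ image'
    }
    $peOffset = [BitConverter]::ToInt32($Bytes, 0x3C)

    # 4-byte PE signature followed by the 20-byte COFF file header
    if ($peOffset -lt 0 -or $peOffset + 24 -gt $Bytes.Length) {
        throw 'Truncated image or bad e_lfanew'
    }
    if ($Bytes[$peOffset] -ne 0x50 -or $Bytes[$peOffset + 1] -ne 0x45 -or
        $Bytes[$peOffset + 2] -ne 0 -or $Bytes[$peOffset + 3] -ne 0) {
        throw 'PE signature missing'
    }

    # Characteristics is 18 bytes into the COFF header (after Machine, NumberOfSections,
    # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols and SizeOfOptionalHeader)
    $characteristics = [BitConverter]::ToUInt16($Bytes, $peOffset + 4 + 18)
    return (($characteristics -band 0x0020) -ne 0)
}

function New-ConstructedImage {
    # Builds just enough of a PE file for the check above; this is not a loadable executable
    param([bool]$LargeAddressAware)
    $img = New-Object byte[] 0x58                                             # DOS hdr + PE sig + COFF hdr
    $img[0] = 0x4D; $img[1] = 0x5A                                            # 'MZ'
    [Array]::Copy([BitConverter]::GetBytes([int32]0x40), 0, $img, 0x3C, 4)    # e_lfanew = 0x40
    $img[0x40] = 0x50; $img[0x41] = 0x45                                      # 'PE\0\0'
    $flags = 0x0102                                                           # EXECUTABLE_IMAGE | 32BIT_MACHINE
    if ($LargeAddressAware) { $flags = $flags -bor 0x0020 }
    [Array]::Copy([BitConverter]::GetBytes([uint16]$flags), 0, $img, 0x40 + 4 + 18, 2)
    return ,$img
}

$aware   = New-ConstructedImage -LargeAddressAware $true
$unaware = New-ConstructedImage -LargeAddressAware $false
'Large-address-aware image: {0}' -f (Test-LargeAddressAware -Bytes $aware)
'2 GB-only image:           {0}' -f (Test-LargeAddressAware -Bytes $unaware)

# Real file: Test-LargeAddressAware -Bytes ([IO.File]::ReadAllBytes('C:\path\to\app.exe'))
```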

Can a RODC also be a DHCP ?

8/06/2008

Sounds like a no-brainer, but there is a catch. I installed the DHCP role on my Server Core box, which I had previously set up as a Read-only Domain Controller, using this command.

start /w ocsetup DHCPServerCore

Then I set the service start type to automatic with this command (note the space between the equal sign and auto):

sc config dhcpserver start= auto

And finally, when I tried to start the DHCP service with the following command, it failed with these errors.

net start dhcpserver

A system error has occurred.

System error 50 has occurred.

The request is not supported.

So the catch was that, since an RODC cannot write back to AD to create the needed DHCP security groups (DHCP Administrators and DHCP Users), the service fails.

After creating those domain local security groups on another Windows Server 2008 RWDC, the service runs successfully and you can manage the DHCP server (running on Server Core) from another server using RSAT.

Is there a GUI to manage Server Core ?

6/06/2008

Yes, there is. Inevitably, we system admins like to accomplish easy tasks at our fingertips and do things in a graphical, clicking environment. You might have heard of a utility that came out a few months back called ‘Server Core Configurator’ by Guy Teverovsky. I had been reading about the bugs and fixes on Guy’s site but hadn’t given it a try. I have now downloaded a copy that has been fixed up and fine-tuned at the request of other readers and users who tried the utility. I installed it on my Server Core copy and haven’t been disappointed: it lets you do a lot of common tasks, such as adding the machine to the domain, running DCPROMO on it, and changing NIC settings, display and time zone, which would otherwise require you to know the command line or edit the registry.

While this utility will come in very handy (until Microsoft perhaps comes out with its own), remember that Server Core is Microsoft’s attempt to offer a small-footprint OS of core features, in the manner of Linux-based DHCP and DNS systems such as Infoblox, and they have tried to persuade system admins to learn the powerful capabilities of cscript, WMI and netsh. This utility takes us the other way a little bit. But I sure am happy to see an option that lets me do all those initial configuration tasks GUI-ly.

You be the judge and give it a try, download it from here,

http://blogs.microsoft.co.il/files/folders/guyt/entry68860.aspx

P.S. You can only launch the application from the folder where it was installed, i.e. change directory to C:\Program Files\Server Core Configurator, where it installs by default.

How to turn on Automatic Updates in Server Core

2/05/2008

It’s pretty simple to turn on automatic updates in Server Core by using scregedit to modify the registry; simply type in this command:

cscript c:\Windows\system32\scregedit.wsf /au 4

After that, you do have to stop and start the Windows Update service:

net stop wuauserv
net start wuauserv

The /au 4 switch schedules the update check for 3am. It also sets the server to reboot if the updates require it. You can disable automatic updates with the /au 1 switch, or use /v to view the current settings. To force an immediate check for updates, run the following command:

wuauclt /detectnow

Remotely Administer Server Core from Vista or Windows Server 2008

2/05/2008

You can use Windows Remote Shell (WinRS) in Vista and Windows Server 2008 to remotely manage and administer Server Core. The WinRS client passes commands to a WinRS listener on Server Core, which passes them to a command prompt, captures the output and returns it to the WinRS client. To do this you have to enable Windows Remote Management (WinRM) on Server Core by running the following command:

winrm quickconfig

You can then run, for example, this command to see the license status of the Server Core box remotely from Vista or from a full installation of Windows Server 2008:

winrs -r:NameofServerCore "cscript c:\Windows\System32\slmgr.vbs -dli"

Note that you can also use tools such as the Windows Management Instrumentation command line (WMIC) and PowerShell through WMI calls to manage Server Core. At this time Server Core does not support PowerShell directly, since it relies on the .NET Framework, which is not there in Windows Server without Windows

Install Server Roles and features on Server Core

2/05/2008

In Windows Server 2008 there are roles such as AD Domain Services, DHCP and DNS; role services belonging to roles such as AD Certificate Services and DFS; and finally optional features such as .NET Framework Services, Network Load Balancing (NLB), etc. With the exception of the Active Directory Domain Services role, you install server roles and features by using the ocsetup command. The syntax of ocsetup is the same for roles and features. The command is case sensitive, so you need to know the correct capitalization for a server role or feature; you can get that by running the oclist command.

For instance, the following command installs Windows Server Backup, which is a feature:

start /w ocsetup WindowsServerBackup

The /w switch makes the command wait, so you know when ocsetup has finished installing the new role or feature. It also stops the user from initiating another command while it is running.

You can also find out what is already installed by running the following oclist command:

oclist | find "installed"

How to promote Server Core to be a RODC

19/04/2008

The Windows Server 2008 Server Core installation does support Read Only Domain Controllers (RODC). This support makes Server Core ideal for branch office scenarios. To make a Server Core box part of your domain as an RODC, use an unattended answer file with the following text, filled in with your own settings and passwords:

[DCInstall]
InstallDNS=Yes
ConfirmGC=Yes
RebootOnCompletion=Yes
ReplicaDomainDNSName=2008.lab
ReplicaOrNewDomain=readonlyreplica
ReplicationSourceDC=dc3.2008.lab
SafeModeAdminPassword=
SiteName=Default-First-Site-name
UserDomain=2008.lab
UserName=admin08
Password=
CreateDNSDelegation=No

Place the text file on the root of the C drive on the Server Core box and run the following command, where unattend.txt is the text file you created above:

dcpromo /unattend:unattend.txt

Later on we will discuss other built-in command-line programs such as OCSETUP, which let you add roles and features to your Server Core box. Keep in mind that making a domain controller is the one setup you must not use OCSETUP for; you must use DCPROMO, otherwise your server may not function properly.

After running the above process, you can readily confirm from a Windows Server 2008 full installation, using Active Directory Users and Computers (ADUC), that the DC is an RODC.

How to setup IP configuration of Windows Server 2008 Server Core

14/04/2008

In order to add your Server Core box to a domain, you must first assign an IP address and a DNS server to its IP configuration, which you do with the NETSH tool; otherwise, when using the answer file, your setup will fail, complaining that it cannot contact the source DC.

Netsh.exe is a tool an administrator can use to configure and monitor Windows-based computers at a command prompt. With the Netsh.exe tool, you can direct the context commands you enter to the appropriate helper, and the helper then carries out the command. A helper is a Dynamic Link Library (.dll) file that extends the functionality of the Netsh.exe tool by providing configuration, monitoring, and support for one or more services, utilities, or protocols. The helper may also be used to extend other helpers.

First check the index assigned to your NIC by running this at the command line:

netsh interface ipv4 show interfaces

You can then use this syntax to assign your server an IP address. Note that my NIC index ID is 2.

netsh interface ipv4 set address name="2" source=static address=192.168.100.202 mask=255.255.255.0 gateway=192.168.100.1

Then use the following NETSH command to add your primary DNS server, in my case also the source DC:

netsh interface ipv4 add dnsserver name="2" address=192.168.100.201 index=1

Run ipconfig /all to verify your configuration.

In a future post, I will show you how to setup Server Core to be a Read-Only Domain Controller in a Windows Server 2008 domain.

More on NETSH can be found at http://support.microsoft.com/kb/242468

How to disable Windows Firewall in Windows Server 2008 Server Core

13/04/2008

In Server Core the built-in Windows Firewall is on by default. You can choose to disable it completely to get all the networking components working by using this NETSH command:

netsh firewall set opmode disable

You can use the enable switch to turn it back on. However, completely disabling it is generally a bad idea, and you should instead use the following commands to open specific ports and applications only. For example, to open port 3389 for RDP, use:

netsh firewall set portopening TCP 3389 "AnyNameHereSuchasRDP"

or

netsh firewall set allowedprogram FullPathToExecutable name=AnyNameHere

Note that the above commands should each be entered on one line, even where they wrap due to the page format of this post.

For more information on the advanced firewall functionality, please go here.

How to enable RDP for Windows Server 2008 Server Core

13/04/2008

Even though the Server Core option of Windows Server 2008 does not have a shell, you can still RDP (Terminal Services) into it using Remote Desktop Connection from a Windows client. To do that, you first have to enable RDP on Server Core with the following cscript command.

Cscript \windows\system32\scregedit.wsf /ar 0

In order to use Terminal Services from a pre-Vista OS, you have to turn off the higher security level that is on by default, using the following command:

Cscript \windows\system32\scregedit.wsf /cs 0

While connected to the Server Core box over Terminal Services, you can use the logoff.exe command to end your session.

How can I rename Windows Server 2008 Server Core

13/04/2008

Once again, with no GUI, your Windows Server 2008 Server Core box can easily be renamed using the Windows Management Instrumentation Command-line (WMIC), and here is how:

wmic computersystem where name="%computername%" rename name="new-name"

As a result, you will get a ‘Method execution successful’ message. If your machine is domain-joined, however, you can use NETDOM to accomplish the same task. Here is the command:

Netdom renamecomputer %computername% /NewName:new-name /UserD:domain-username /PasswordD:*

How to activate Windows Server 2008 Server Core

13/04/2008

As we know, there is no GUI in the Windows Server 2008 Server Core option, so here is how you can activate your copy. The following was done on an eval copy; here is the cscript command to run:

Cscript C:\Windows\System32\slmgr.vbs -ato

You can run the -xpr switch to see how much time you have left; mine shows permanently activated. These out-of-box scripts aid in licensing management.

Read my previous post on how to install VM Additions in your lab environment (based on VS 2005 R2) to tinker with Server Core.

Initial Configuration for the Windows Server 2008 Server Core

12/04/2008

A full installation of Windows Server 2008 has Initial Configuration Tasks, which lets you configure various things after a fresh install. Since Server Core is GUI-less, or more precisely shell-less rather than entirely GUI-less, the various initial configuration tasks must be done from the command line or through the few built-in cpls.

In the next few posts I will show the basic configuration of an out-of-box Server Core. Let’s start with changing the Administrator’s password, which does not happen during installation. You may use the good old net command to do that:

net user administrator *

or change it by pressing CTRL+ALT+DEL and clicking Change Password.

You may also need to set the date, time and time zone, and there is a left-behind GUI cpl available for that:

control timedate.cpl

The above cpl launches the normal Date and Time control panel for you to change the settings. The only other cpl included in Server Core is intl.cpl, which lets you change keyboard layouts.

How to find out your server uptime

11/04/2008

Using the Uptime utility from Microsoft you can get your server’s uptime (i.e. time since the last reboot), which comes in handy particularly when you are troubleshooting a server’s unexpected reboots and failures.

Uptime.exe can be used to display the current uptime of the local or remote system. Optionally, it can also scan the Event log for key system events such as system restart or computers that are not responding (hanging). Where possible, it also calculates system availability. It is primarily intended for Windows NT Server 4.0 Service Pack 4 or later, though it operates in limited fashion on earlier versions.

You can download it from the link below and drop it on the root of C:\ or wherever you wish; the command to run is simply uptime

http://support.microsoft.com/kb/232243

Find out the available RIDs on your DC

9/04/2008

In a previous post we discussed the FSMO roles, and one of them is the RID Master. Let’s recap what a RID Master does and why it matters. RID Master – each object must have a globally unique number (GUID). The RID master makes sure each domain controller issues unique numbers when you create objects such as users or computers. For example, DC one is given RIDs 1-4999 and DC two is given RIDs 5000-9999.

In this post I will show you the command you can run to check the available Relative Identifier (RID) pool on one of your DCs.

You should have the Windows Server 2003 Support Tools installed, and the command to run is as follows:

dcdiag /v /test:ridmanager

/v turns on verbose logging and /test:ridmanager selects that specific test, skipping the other dcdiag tests. The screenshot referred to above shows the current RID Allocation Pool and the Previous Allocation Pool. 500 RIDs are assigned from the RID Master, and after 50% of the pool has been consumed, another request for a pool refill is made to the RID Master.

How to rename a Windows Server 2008 domain

4/04/2008

Previously you were able to use the RENDOM utility provided by Microsoft to rename your Windows 2000 and Windows Server 2003 domains. In a Windows Server 2008 domain, however, you don’t have to install the Rendom utility separately. It gets installed as part of the “Active Directory Domain Services” role when you promote a server to a DC, and it can be found at %windir%\system32\rendom.exe.

I used it to rename a Windows Server 2008 domain in my test lab environment. The process was pretty straightforward, but it may require more tasks if you have multiple DCs in a multi-domain environment.

The Forest and Domain Functional Level should be Windows Server 2008 to proceed with the following task.

From the command prompt, I started out by running rendom /list, which outputs an XML file (Domainlist.xml) to the directory where rendom resides. You edit that file to change your domain configuration to the new domain name, i.e. ForestDNSZones, DomainDNSZones and the NetBIOS name. See the referenced link for details.

After you have modified the file, run rendom /showforest, which shows you the future configuration; verify it and make changes if necessary.

Upload the changes you have made in the XML file: Run rendom /upload

Verify readiness of Domain Controller(s): Run rendom /prepare

Execute domain rename instructions: Run rendom /execute

After that finishes successfully, you should also run the GPFIXUP tool to fix up GPO references to your old domain name. See Step 12 of this document.

Here is an example:

C:\Users\Administrator>gpfixup /olddns:08r2.lab /newdns:mcts.lab
Group Policy fix up utility Version 1.1 (Microsoft)

Start fixing group policy (GroupPolicyContainer) objects:
……..

Start fixing site group policy links:
.

Start fixing non-site group policy links:
….
gpfixup tool executed with success.

C:\Users\Administrator>gpfixup /oldnb:08r2 /newnb:mcts
Group Policy fix up utility Version 1.1 (Microsoft)

Start fixing group policy (GroupPolicyContainer) objects:
..
gpfixup tool executed with success.

Lastly, run rendom /clean

The identity (domain GUID) of the renamed domain does not change during a domain rename operation. Thus a computer’s domain membership does not change as a result of the holding domain being renamed.

However, every member computer joined to the renamed domain needs to be rebooted twice. Please refer to the “How Domain Rename Works” technical reference for more info.

How Domain Rename Works : Microsoft Technet

Other References:

http://dsg.port.ac.uk/~hx/rename_domain/index.php

http://www.msexchange.org/tutorials/Domain-Rename.html (for domains with Exchange)
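The manual step in the procedure above is editing Domainlist.xml so the domain, its ForestDnsZones and DomainDnsZones partitions and the NetBIOS name all carry the new name. Here is an added PowerShell example (not from the original post) that does that rewrite; the XML is constructed after the layout rendom /list produces (Forest, Domain, Guid, DNSname, NetBiosName, DcName), with made-up GUIDs and the 08r2.lab to mcts.lab rename from the gpfixup run above, so compare it with your own file before use.

```powershell
function Update-DomainList {
    # Rename every DNS name that is, or ends in, the old domain name, plus the NetBIOS name
    param(
        [Parameter(Mandatory = $true)][xml]$DomainList,
        [Parameter(Mandatory = $true)][string]$OldDns,
        [Parameter(Mandatory = $true)][string]$NewDns,
        [Parameter(Mandatory = $true)][string]$OldNetBios,
        [Parameter(Mandatory = $true)][string]$NewNetBios
    )
    $changes = @()
    foreach ($domain in $DomainList.Forest.Domain) {
        $dns = [string]$domain.DNSname
        # the domain itself, or a partition such as DomainDnsZones.<old dns name>
        if ($dns -eq $OldDns -or $dns.EndsWith('.' + $OldDns, [StringComparison]::OrdinalIgnoreCase)) {
            $newName = $dns.Substring(0, $dns.Length - $OldDns.Length) + $NewDns
            $domain.DNSname = $newName
            $changes += ('DNSname     {0} -> {1}' -f $dns, $newName)
        }
        if ([string]$domain.NetBiosName -eq $OldNetBios) {
            $domain.NetBiosName = $NewNetBios
            $changes += ('NetBiosName {0} -> {1}' -f $OldNetBios, $NewNetBios)
        }
    }
    return ,$changes
}

# Constructed Domainlist.xml in the shape rendom /list writes (GUIDs are made up)
[xml]$sample = @'
<?xml version="1.0"?>
<Forest>
  <Domain>
    <!-- PartitionType:Application -->
    <Guid>11111111-1111-1111-1111-111111111111</Guid>
    <DNSname>ForestDnsZones.08r2.lab</DNSname>
    <NetBiosName></NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <!-- PartitionType:Application -->
    <Guid>22222222-2222-2222-2222-222222222222</Guid>
    <DNSname>DomainDnsZones.08r2.lab</DNSname>
    <NetBiosName></NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <!-- ForestRoot -->
    <Guid>33333333-3333-3333-3333-333333333333</Guid>
    <DNSname>08r2.lab</DNSname>
    <NetBiosName>08R2</NetBiosName>
    <DcName></DcName>
  </Domain>
</Forest>
'@

Update-DomainList -DomainList $sample -OldDns '08r2.lab' -NewDns 'mcts.lab' -OldNetBios '08R2' -NewNetBios 'MCTS'

# rendom reads Domainlist.xml from its own directory; the edited copy goes to TEMP here for review
$sample.Save((Join-Path $env:TEMP 'Domainlist.xml'))
```

Review the file with rendom /showforest before rendom /upload, as the post describes.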

Prevent users from joining workstations to domain (at their will)

31/03/2008

Every domain has a default setting for ms-DS-MachineAccountQuota of 10. This means that any user can add up to 10 machines to the domain. You can modify this value in the directory using the ADSIedit tool to prevent this behavior.

Warning: Using ADSIedit can have adverse effects on your Active Directory environment if not handled with proper knowledge.

Launch ADSIedit from the Run command: ADSIedit.msc

Under Domain Configuration, expand and find your domain. Right-click it and go to Properties.

Look for the ms-DS-MachineAccountQuota property and modify it to ‘0’

Hit OK, then Apply, and exit.

How does it keep track of how many machines you have added based on your user ID/account?

For a computer account created by a domain user, the account has an ‘ms-DS-CreatorSID’ attribute that indicates the creating user. When a user adds a computer to the domain, a process enumerates the ‘ms-DS-CreatorSID’ attribute on every computer account in the domain and calculates whether the sum exceeds the current quota for that user.

The ‘ms-DS-CreatorSID’ and ‘ms-DS-MachineAccountQuota’ with default value 10 are also available in Windows Server 2008 AD DS.

Note: The ‘ms-DS-CreatorSID’ attribute is unset on computer accounts that are pre-created in the Active Directory Users and Computers MMC or joined by domain administrators.

http://support.microsoft.com/kb/243327
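The same enumeration of mS-DS-CreatorSID is useful for auditing who has been joining machines with the default quota before you lower it. Here is an added PowerShell example (not from the original post): Get-CreatorSummary tallies computer accounts per creator against the quota and runs offline on a constructed sample with made-up SIDs, while Get-DomainComputerCreators is an assumed helper that pulls the same two attributes from a live domain with DirectorySearcher.

```powershell
function Get-DomainComputerCreators {
    # Assumed helper: needs a domain-joined box, so it is defined but not called below
    param([Parameter(Mandatory = $true)][string]$SearchBase)   # e.g. 'DC=2008,DC=lab'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBase")
    # only accounts joined by ordinary users carry mS-DS-CreatorSID (see the note above)
    $searcher.Filter   = '(&(objectCategory=computer)(mS-DS-CreatorSID=*))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('name')
    [void]$searcher.PropertiesToLoad.Add('mS-DS-CreatorSID')
    foreach ($r in $searcher.FindAll()) {
        $sidBytes = [byte[]]$r.Properties['ms-ds-creatorsid'][0]
        New-Object PSObject -Property @{
            Name       = [string]$r.Properties['name'][0]
            CreatorSid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        }
    }
}

function Get-CreatorSummary {
    # One row per creator SID: how many machines joined, how many remain under the quota
    param(
        [Parameter(Mandatory = $true)][object[]]$Computers,   # objects with Name and CreatorSid
        [int]$Quota = 10                                      # ms-DS-MachineAccountQuota, default 10
    )
    $Computers | Group-Object { $_.CreatorSid.Value } | ForEach-Object {
        $joined = $_.Count
        New-Object PSObject -Property @{
            CreatorSid = $_.Name
            Joined     = $joined
            Remaining  = [Math]::Max($Quota - $joined, 0)
            AtQuota    = ($joined -ge $Quota)
            Computers  = ($_.Group | ForEach-Object { $_.Name }) -join ', '
        }
    } | Sort-Object Joined -Descending
}

# Constructed sample: two users who joined machines themselves (the SIDs are made up)
function New-SampleComputer([string]$Name, [string]$Sid) {
    New-Object PSObject -Property @{
        Name       = $Name
        CreatorSid = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    }
}
$alice = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$bob   = 'S-1-5-21-1111111111-2222222222-3333333333-1106'
$sample = @(
    (New-SampleComputer 'WKS01' $alice), (New-SampleComputer 'WKS02' $alice),
    (New-SampleComputer 'WKS03' $alice), (New-SampleComputer 'LAB07' $bob)
)

# Offline run with the quota lowered to 3 (the post lowers it to 0 to stop self-service joins);
# live: Get-CreatorSummary -Computers (Get-DomainComputerCreators -SearchBase 'DC=2008,DC=lab')
Get-CreatorSummary -Computers $sample -Quota 3 | Format-Table CreatorSid, Joined, Remaining, AtQuota, Computers -AutoSize
```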

Find out where and why an Account Lockout happened

29/03/2008

While account lockouts save us from brute-force password attacks and help standardize password policies across the environment, it can sometimes be painful to troubleshoot and find out why and where a lockout happened. Microsoft does provide the ‘Account Lockout Management Tools’ suite, which can be very handy for diagnosing the root cause of an account lockout.

· AcctInfo.dll. Helps isolate and troubleshoot account lockouts and change a user’s password on a domain controller in that user’s site. It works by adding new property pages to user objects in the Active Directory Users and Computers Microsoft Management Console (MMC).

· ALockout.dll. On the client computer, helps determine a process or application that is sending wrong credentials.

· ALoInfo.exe. Displays all user account names and the age of their passwords.

· EnableKerbLog.vbs. Used as a startup script, enables Kerberos logging on all your clients that run Windows 2000 and later.

· EventCombMT.exe. Gathers specific events from event logs of several different machines to one central location.

· LockoutStatus.exe. Determines all the domain controllers that are involved in a lockout of a user in order to assist in gathering the logs. LockoutStatus.exe uses the NLParse.exe tool to parse Netlogon logs for specific Netlogon return status codes. It directs the output to a comma-separated value (.csv) file that you can sort further, if needed. The latest version available is 1.0.0.60.

· NLParse.exe. Used to extract and display desired entries from the Netlogon log files.

Unfortunately, I didn’t find good documentation on how to quickly make good use of these tools when my domain admin account started getting mysteriously locked out after I had changed my password due to the policy in place. From my experience I found LockoutStatus and EventCombMT to be the most useful tools in the suite.

I knew the common reasons why my account might get locked out (see the list referenced here), but I needed to figure out which machine or service was presenting my old credentials to a DC and causing the account to be locked out.

I started out by launching the LockoutStatus tool, selecting my domain admin account as ‘target’ from the File menu and running it. It gave me a list of all the DCs with the status of my account and, more importantly, the DC the lockout happened on in the ‘Orig Lock’ column towards the right of the program screen. I then launched EventCombMT, right-clicked in the white space in the search area and added the DC the lockout originated at. From the ‘Options’ menu I chose whether to output the file as txt or CSV. I chose ‘Security’ as the log to search, all event types, entered ‘644’ as the event ID and clicked Search.

It wrote the CSV file to the location I had specified, and I could see that it had found event 644 for my ID from 6 different machines across the domain, listed under the ‘Caller Machine Name’ column (I know it is bad administration on my part to sometimes disconnect my terminal sessions instead of logging off). Sure enough, when I logged on to those machines I immediately saw the following notifications.
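The same search from PowerShell, as an added example that is not part of the original post and not Microsoft's tooling: it reads the Security log of the DC that Lockout Status reported under ‘Orig Lock’ over WMI (Win32_NTLogEvent, so it works against Windows Server 2003 and 2008 DCs with PowerShell 2.0 or later), keeps only the lockout events for one account, and extracts the ‘Caller Machine Name’ (‘Caller Computer Name’ in event 4740). The DC and account names are placeholders.

```powershell
# Added example (not from the original post): list the machines that caused a given
# account to be locked out, using the lockout events recorded on one DC.
# Assumed placeholder values: the DC name and the account name.
param(
    [string]$DomainController = "VIRTUALDC1",   # DC shown under 'Orig Lock' (assumed name)
    [string]$Account          = "jdoe",         # locked-out sAMAccountName (assumed)
    [int]$Hours               = 24              # how far back to look
)

function Get-LockoutCallers {
    param([string]$Dc, [string]$User, [int]$LookbackHours = 24)

    # WQL compares TimeGenerated against a DMTF-formatted datetime string.
    $since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-$LookbackHours))

    # 644  = "User Account Locked Out" on Windows 2000/2003 DCs
    # 4740 = the same event on Windows Server 2008 and later
    $query = "SELECT * FROM Win32_NTLogEvent WHERE Logfile='Security' " +
             "AND (EventCode=644 OR EventCode=4740) AND TimeGenerated >= '$since'"

    Get-WmiObject -ComputerName $Dc -Query $query | ForEach-Object {
        $msg = $_.Message
        $target = $null
        # 644 names the locked account as "Target Account Name:"; 4740 has a Subject block
        # (the DC's own account) first, so anchor on the "Account That Was Locked Out:" block.
        if ($_.EventCode -eq 644 -and $msg -match 'Target Account Name:\s*(\S+)') {
            $target = $Matches[1]
        } elseif ($_.EventCode -eq 4740 -and $msg -match 'Account That Was Locked Out:[\s\S]*?Account Name:\s*(\S+)') {
            $target = $Matches[1]
        }
        if ($target -eq $null -or $target -ne $User) { return }   # -ne is case-insensitive here

        $caller = 'unknown'
        if ($msg -match 'Caller (Machine|Computer) Name:\s*(\S+)') {
            $caller = $Matches[2].TrimStart('\')               # strip a leading \\ if present
        }

        New-Object PSObject -Property @{
            Time    = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
            EventId = $_.EventCode
            Account = $target
            Caller  = $caller
            DC      = $Dc
        }
    }
}

$events = Get-LockoutCallers -Dc $DomainController -User $Account -LookbackHours $Hours
$events | Sort-Object Time | Format-Table Time, EventId, Account, Caller -AutoSize

# The list you actually want: which machines keep presenting the old password, and how often.
$events | Group-Object Caller | Sort-Object Count -Descending | Select-Object Count, Name
```

Every lockout in the domain is also processed by the PDC emulator, so pointing -DomainController at the PDC emulator catches lockouts regardless of which DC first saw the bad password. Reading a DC’s Security log remotely requires administrative rights on that DC.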

alock.JPG

alock2.JPG

I had to log off and log back on to clear the error. After that I ran the Lockout Status tool again and saw that the lock status for my domain admin account had been cleared.

Conclusion: never leave your account logged on somewhere (or have a service or scheduled task run under your user context) and then lock the machine or disconnect the remote session without logging off; after a password change every one of those sessions keeps presenting the old password and will lock the account again. And when using tools like Remote Desktops (useful for keeping a list of machines you connect to frequently during the day), make sure you don’t save your passwords in the session configurations.

More Resources:

Download the Microsoft Account Management Tools

Technet Resource on how to maintain and manage the account lockout

WindowsSecurity.com - Implementing and Troubleshooting Account Lockout

Import AD subnets into Reverse Lookup Zones

29/03/2008

Sometimes you have a task on your hands for your Active Directory environment that isn’t an easy one, or let’s just say that not many people have needed to do it (so there isn’t a whole lot you can google for). I recently had a situation like this. In our AD environment we had failed to realize the importance of keeping our reverse lookup zones updated and had fallen behind. AD itself does not rely on reverse lookups, and you can get away with not having all your defined subnets populated in the reverse zones (in-addr.arpa). But we began seeing random Group Policy application failures on some machines, and the SMS group started complaining about SMS client installation failures, since applications like SMS do rely on looking up machines by their IP addresses.

We are quite a big environment: a little over 1000 AD-defined subnets, of which only 80-some had been populated in the reverse lookup zones. I was tasked with making sure reverse zones for all the defined subnets were created in our DNS. As that would be a very tedious task, I wanted to automate it. I am not a scripter, but I knew we could not be the only ones who have had this issue, so I dug through the newsgroups, blogs, forums and the internet in general, with little or no luck finding anything relevant.

I started off looking at ADSIedit, as I wanted to export the subnet objects and then somehow import them into DNS. I knew the DNSCMD command-line utility could create, delete and modify zones and records, but it has no syntax for reading a list from an external source such as a CSV file (which would hold the subnets exported from AD). As expected, the export part went fine and I had the full list of all AD-defined subnets. Now I was struggling to find a VBScript that could read this file and feed it to a utility like DNSCMD.

I looked at Joeware’s free AD utilities and saw that Joe had a tool called ADfind. I decided to query him and got a rapid reply with some suggestions; he assured me it was doable using his ADfind utility combined with some other script or utility. In the meantime he forwarded my query to Dean Wells of MSEtechnology, who emailed me a rather quick solution using Joe’s ADfind tool (see below). I was extremely pleased at how well my simple attempt to ask seasoned scripters had paid off.

Apart from their other writing and consulting achievements, both Joe Richards and Dean Wells are Microsoft MVPs, and their voluntary efforts to help the community truly exhibit what the MVP program is all about.

So here is the command (a single line) you would run at your DNS server to accomplish this task:

for /f "tokens=1,2,3 delims=." %n in ('adfind -config -rb "CN=Subnets,CN=Sites" -f "objectclass=subnet" name -list') do @dnscmd /zoneadd %p.%o.%n.in-addr.arpa /primary

Add ‘ds’ in front of primary (/dsprimary) if you want the zones to be AD-integrated.

NOTES from Dean
-If you place the syntax above within a batch file, please note that any occurrence of a ‘%’ symbol must be replaced with ‘%%’ (two of them)
-ADfind and DNSCMD must both exist within the current directory or the system path
-In its current form, the syntax assumes the subnet is comprised of 3 octets
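A PowerShell version of the same import, added here as an example (it is not the original post’s code, nor Dean Wells’ or Joe Richards’). It reads the subnet objects straight from the Configuration partition with ADSI (no ADfind needed) and, unlike the one-liner above, handles prefixes other than /24: a /16 becomes one two-octet zone, a /22 becomes four /24 zones, a /12 becomes sixteen two-octet zones, and anything longer than /24 is mapped to the /24 zone that contains it. The script name in the usage comment and the “.” local-server shorthand for dnscmd are assumptions.

```powershell
# Added example (not from the original post): create in-addr.arpa zones for every
# AD-defined subnet, covering prefixes that do not fall on a /24 boundary.
# Usage (assumed file name):  .\Import-ReverseZones.ps1 -DryRun
#                             .\Import-ReverseZones.ps1 -AdIntegrated
param(
    [string]$DnsServer = ".",     # "." = the local DNS server (assumed shorthand)
    [switch]$AdIntegrated,        # use /dsprimary instead of /primary
    [switch]$DryRun               # only print the dnscmd commands
)

function Get-ReverseZoneNames {
    param([string]$Cidr)   # the subnet object's name, e.g. "10.20.30.0/24"

    $ip, $prefixText = $Cidr.Split('/')
    $prefix = [int]$prefixText
    $octets = @($ip.Split('.') | ForEach-Object { [int]$_ })

    if ($prefix -lt 8)  { return @() }   # wider than a /8: no sensible in-addr.arpa zone, do by hand
    if ($prefix -gt 24) { $prefix = 24 } # a range smaller than a /24 lives inside its /24 zone

    $whole = [math]::Floor($prefix / 8)             # octets fully covered by the prefix (1..3)
    $fixed = @($octets[0..($whole - 1)])

    if ($prefix % 8 -eq 0) {
        # Prefix ends on an octet boundary: exactly one zone, octets reversed.
        [array]::Reverse($fixed)
        return ,(($fixed -join '.') + '.in-addr.arpa')
    }

    # Prefix ends mid-octet: enumerate the child zones at the next octet boundary,
    # e.g. 10.20.0.0/22 -> third octet 0..3 -> 0.20.10, 1.20.10, 2.20.10, 3.20.10
    $count = [int][math]::Pow(2, 8 - ($prefix % 8))
    $start = $octets[$whole] -band (256 - $count)   # align to the block start
    $zones = @()
    for ($i = $start; $i -lt $start + $count; $i++) {
        $parts = @($fixed + $i)
        [array]::Reverse($parts)
        $zones += ($parts -join '.') + '.in-addr.arpa'
    }
    return $zones
}

# Enumerate subnet objects under CN=Subnets,CN=Sites in the Configuration partition.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
                [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNc", "(objectClass=subnet)", @("name"))
$searcher.PageSize = 1000   # paged search, so more than 1000 subnets come back

# A hashtable de-duplicates zones produced by overlapping subnets (e.g. a /24 and a /25 inside it).
$wanted = @{}
foreach ($result in $searcher.FindAll()) {
    $cidr = [string]$result.Properties["name"][0]
    foreach ($zone in Get-ReverseZoneNames $cidr) { $wanted[$zone] = $cidr }
}

$zoneType = if ($AdIntegrated) { '/dsprimary' } else { '/primary' }
foreach ($zone in ($wanted.Keys | Sort-Object)) {
    if ($DryRun) { Write-Output "dnscmd $DnsServer /zoneadd $zone $zoneType   # from $($wanted[$zone])" }
    else         { & dnscmd $DnsServer /zoneadd $zone $zoneType }
}
```

Run it with -DryRun first and read the list: a subnet object with a typo in its name (a wrong octet, or a /8 where a /24 was meant) will show up as an odd zone name, and it is far cheaper to fix the subnet object than to delete zones afterwards. dnscmd reports an error for a zone that already exists and the loop simply continues to the next one.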

Reset Active Directory Restore Mode password

24/03/2008

Probably the most often forgotten password is the one for Directory Services Restore Mode (DSRM), because it is set only when a DC is promoted and used only during critical DC recovery operations, which hopefully do not happen very often. Not knowing this password can prevent a successful recovery.

If you don’t know your DSRM password and haven’t stored it in a safe place, use the following commands to reset it to a known value. The DSRM password is local to each DC (it is the password of the Administrator account in the DC’s offline SAM), so this has to be done for every Domain Controller:

ntdsutil
set dsrm password
reset password on server {servername}
q
q

Use null in place of {servername} to reset the password of the DC you are running ntdsutil on. ntdsutil prompts for the new password twice and does not echo it.

Once you have done this, record the password and lock/encrypt it away. Whoever holds the DSRM password has local administrator access to the DC and to its offline copy of ntds.dit, so treat it like a domain admin credential.
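To run the reset for every DC in the domain without typing the ntdsutil menu by hand, here is an added example (not from the original post): ntdsutil accepts its menu commands as command-line arguments, so one call per DC is enough. It still prompts interactively for the new password twice per server, which is the point: the password never appears on a command line, in a script or in a history file.

```powershell
# Added example (not from the original post): reset the DSRM password on each DC of the
# current domain. Enumerates DCs through .NET, no extra snap-in required.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs = $domain.DomainControllers | ForEach-Object { $_.Name } | Sort-Object

foreach ($dc in $dcs) {
    Write-Host "Resetting the DSRM password on $dc (you will be prompted twice)"
    # Same as typing: ntdsutil -> set dsrm password -> reset password on server <dc> -> q -> q
    & ntdsutil "set dsrm password" "reset password on server $dc" q q
    # ntdsutil's exit code is not a reliable success indicator; read its output for each DC.
}

Write-Host "Done. Record each DC's DSRM password in your password safe now."
```

Using a different password per DC is the safer choice (one leaked password then compromises one DC, not all of them), and the loop above lets you do exactly that.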

Installing VMAdditions on Windows Server 2008 Core

18/03/2008

Installing VM Additions on Windows Server 2008 Core can be tricky. In my virtual lab I run Virtual Server 2005 R2 SP1, and I recently decided to test-drive the much-hyped Server Core from the Windows Server 2008 lineup. For those of you who don’t know what Server Core is and what it caters to:

Server Core is a minimal server installation option for computers running the Windows Server 2008 operating system. It provides a low-maintenance server environment with limited functionality. Server Core is an installation option that supports five well-known server roles: File Server, DHCP Server, DNS Server, Media Services, and Active Directory. Server Core is not a development platform for new server applications. Although it is not an application platform, it does support the development of management tools, utilities, and agents.

Server Core management tools, utilities, and agents fall into two categories: those that manage a server remotely, and those that run locally to manage the server or return data to a centralized management tool. Remote management tools should not require any changes to support Server Core, as long as they use one of the remote protocols supported on Server Core, such as RPC. Local management agents and utilities may require changes to run properly on Server Core. There is no Windows shell and very limited GUI functionality (the Server Core interface is a command prompt).

The installation of Server Core was pretty straightforward and GUI-based, but when it finished I was left at a command prompt, where the rest of the configuration and setup is done. As in any other Microsoft VM, VM Additions are a must: without them you don’t have smooth keyboard and mouse control, and the video is pretty bad.

I started out by mounting the VM Additions ISO from the Virtual Server 2005 web interface. (Note that this ISO was updated with SP1 of VS2005 R2 and gives better results now.) But since Server Core does not autorun CDs, and has no notion of ISO images, the installation did not kick off by itself.

The trick was to change to the CD drive (D: in my case), go to the Windows\Setup folder and run Setup.exe manually. That immediately started the installation and successfully installed Virtual Machine Additions version 13.813.

Server Core gives us the ability to run a DC-like infrastructure server on low-end hardware, with a smaller footprint on other network resources and fewer components to patch and expose.

Time to learn cscript, WMIC, netsh and the rest to manage it properly, though!

A quick way to tell where your FSMOs are

6/03/2008

In my last post I talked about what FSMO roles are and how to retrieve them through the GUI. In this post I am showing you a quick way to tell which DCs hold which FSMO roles in your forest/domain: run NETDOM QUERY FSMO on one of your DCs.

netdom-fsmo.jpg

Notice that my Schema Master and Domain Naming Master reside in the forest root domain (virtualdomain.com), since they are forest-level FSMOs, while the PDC Emulator, RID Master and Infrastructure Master are all on one DC (virtualdc3) in a separate domain tree (Shq.tech). NETDOM QUERY FSMO reports the three domain-level roles for the domain of the DC you run it on, so in a multi-domain forest run it once per domain (or pass /domain:<name>).

The NETDOM command-line tool enables administrators to manage Windows Server 2003 and Windows 2000 domains and trust relationships from the command line; it ships with the Support Tools (and is built into Windows Server 2008). Among other things, it can:

- Manage computer accounts for domain member workstations and member servers.
- Establish one-way or two-way trust relationships between domains.

Use NETDOM /? to see the available options or go here to get the list.
