Shariq Sheikh | Port 389

One of the exciting features of Windows Server 2008 is Powershell (command-line interactive shell and scripting language). Powershell allows Admins to achieve control over their Active Directory/Servers environment and accomplishes the remote management tasks which used to be done with VB, WMI and ADSI scripts. Where WMI and ADSI calls are still part of Powershell cmdlets pronounced command-lets (commands that trigger the call in the interactive PS shell), the number of lines and the need to know the ‘scripting’ has substanially been lowered.

Powershell v1.0 can be installed as a feature in Windows Server 2008 or can be individually installed on Windows XP SP2 or Windows Server 2003 SP1 from here as RTW. This provides 130 cmdlets that enable easier system administration and accelerated automation. On top of that Quest Software has released ActiveRoles Management Shell for Active Directory (for free) that provides another set QAD (Quest Active Directory) cmdlets that extend the AD specifics management tasks. You can get the Quest Management Shell and subsequent cmdlets from here (http://www.quest.com/powershell/activeroles-server.aspx)

While Quest cmdlets run in their own shell, the quest snap-in can also be registered in the Powershell by running the following command, after installing Quest Management Shell.

Add-PSSnapin Quest.ActiveRoles.ADManagement

You may run Get-PSsnapin to validate

Alternatively you can work directly within the Quest Management Shell where you will have all the native PS cmdlets available to you. To find out all the QAD related cmdlets, run get-commad *-qad*.

And lastly give one of the QAD cmdlets a test drive, for instance to create a new user in AD and to find out how the New-QADuser can be used, run the Get-Command New-QADuser -detail to learn the full syntax and available options.

Here are a couple of great resources to hit the ground running with Powershell and Quest Management Shell (a.k.a QAD Cmdlets).

PowershellPro Tutorials
PowerGUI and QAD Wiki
PowerGUI Forums
Windows Powershell Forums

We are all aware how helpful the repadmin tool has become (available thru Windows Support Tools in Windows Server 2003 and earlier) for troubleshooting the replication issues. In Windows Server 2008, this tool along with others come pre-packaged within the OS. You no longer have to install the Support Tools to rein in the benefits of handy command line tools such as, dcdiag, netdiag, rendom and many others.

Here is one repadmin syntax I have become used to as it gives me a snapshot of source DCs and the Destination DCs and their replication status. The command is repadmin /replsum

In above scenario there are two DCs (both Windows Server 2008) showing their latest largest delta times. The Source DC is one that changes have gone out from, where as Destination DC is one who adopted changes from other DC, hence replicated.

What needs to be noticed here is under normal circumstances both DCs would show up under Source and Destination, but since the VM08-02 is a read-only domain controller it can only grab changes from other DC and can’t replicate changes out from it. It only shows up under Destination DC and shows that it was at the receiving end of applying changes to it in terms of Active Directory replication. While read-write domain controller (RWDC) shows changes replicated out from it i.e VM08-01.

The fail/total %% and error column comes very handy when somewhere out there one of your DC has stopped talking to others or hasn’t been talked to due to an issues such is incorrect firewall settings.

Repadmin is one handy tool that all AD Admins should invest a little time learning. For more information on repadmin /showrepl command, click here.

So its no news that this past Monday VMware released VMware ESXi for FREE, previously sold for $495. As witnessed by many, this is a right move in the right direction in terms of competing with Microsoft, with its free offering of Hyper-V – their flavor or native virtualization product.

However, there are things to keep in mind. While ESXi and ESX (most renowned in the market) match in the core functionality, VMware does not make the VirtuaCenter Server piece free. You would still need a licensed VMware Infrastructure 3 Suite in order to use VirtualCenter to manage multiple hosts, provision VMs easily and most importantly to take advantage of powerful tools such as HA, DRS and consolidated backup for VMs.

Nonetheless, I am excited at this prospect as many SMBs will now really be able to get the true taste of VMware ESX for their virtualization needs. I myself have run my home lab environment previously on VMware Server 1.0 and now on Virtual Server 2005 R2 (both non-native virtualization, running on top of other OS) as the news broke of FREE ESXi, I immediately wanted to know if this will run on my Dell PowerEdge 1800, a dual core Xeon processor machine. As I searched I didn’t find a definitive answer and found the provided HCL list of ESXi of no help.

I decided to give it a try and moved my Virtual Server 2005 VMs over to another storage. Got the ISO for VMware ESXi and ran the installation. It installed painlessly (following the Install Guide that comes in an email when you register for your free copy and includes the license key) and I now had a much better hypervisor performance VMware ESXi machine ready to go. I plan on migrating my Virtual Server 2005 VMs using VM converter which is available in the install when you download the eval. copy of VirtualCenter Server 2.5, and it gives you all previously mentioned features for 60 days. After the trial is over you can continue to use your Virtual Infrastructure Client to manage VMware ESXi and the VMs. I am looking forward to revamping my lab VMs and using the VirtualCenter features. Note, I installed VIC and VirtualCenter Server 2.5 on an XP machine and it works great. In future, I plan on installing the VirtualCenter Server piece on a Vista machine.

Lastly, most companies who have paid thousands of dollars for ESX and VI3 Suite should perhaps look into creating their Dev and QA environment using ESXi while utilizing their already paid license for VirtualCenter to manage multiple ESXi hosts. There is potential cost savings there.

Grab your free copy of VMware ESXi from here.

P.S – After you have installed it, don’t forget to license it with the key received in email from the Configuration tab and License option in VIC.

What is it ?

Windows Server 2003 includes support for a startup switch that lets you tune the allocation of use of memory and memory address space. Regardless of the amount of physical memory in your system, Windows uses a virtual address space of 4 GB, with 2 GB allocated to user-mode processes (for example, applications) and 2 GB allocated to kernel-mode processes (for example, the operating system and kernel-mode drivers). On systems that have 1 GB or more of physical memory, the startup switche can be used to allocate more memory to applications (3 GB) and less memory to the operating system (1 GB). This additional virtual address space helps reduce the amount of memory fragmentation.

How beneficial is it ?

You may have read many articles on this subject before. This discussion has been going on for many years now and at times has almost reached epic proportions due to the conflicting information available from Microsoft. Long story short is that by and large, you should NOT use the /3GB switch unless you meet specific criteria, please read the following article as it demystifies the whole theory. Or read the excerpt below.

http://blogs.technet.com/askperf/archive/2007/03/23/memory-management-demystifying-3gb.aspx

The /3GB option was intended as a short term solution to allow applications such as database servers to maintain more data in memory than a 2GB address space allowed. However, using the /3GB method to increase the user-mode memory space comes at a cost. If we have to allocate an additional 1GB of this address space to the user-mode space, then the System space is cut in half. Drivers, Heap, Paged & NonPaged Memory all have only half the resources to work with now. However, because of the way memory mapping works, cutting the kernel space in half does a lot more than just reducing the address space. Many of the structures within the kernel virtual memory space are cut back by far more than 50%.

For a process to access the full 3GB address space, the image file (application process) must have the IMAGE_FILE_LARGE_ADDRESS_AWARE flag set in the image header.

If the flag is not set in the image header, then the OS reserves the third gigabyte so that the application won’t see virtual addresses greater than 0x7FFFFFFF. You set this flag by specifying the linker flag /LARGEADDRESSAWARE when building the executable. This flag has no effect when running the application on a system with a 2-GB user address space. Therefore if you enable the /3GB switch, then applications that do not have this flag set can only use the standard 2GB of User mode memory, and the Kernel is still limited to the 1GB space – which means that 1GB of virtual memory is basically wasted !

All that is required to make it happen is a switch in the boot.ini file. The switch, /3GB, is placed
at the end of the line that executes the WinNT loading process.

Example:

[operating systems] multi(0)disk(0)rdisk(0)partition(2)\WINNT="Windows NT
Server Version 4.00" /3GB

Or you may add an additional line in your boot.ini as above to have the option to boot into either environment, with or without the switch.

What to keep in mind ?

This topic deals with the the virtual memory address space and has no relevance with the physical memory, it is however a limitation of a 32bit OS if you are running 64bit OS this not applicable. At the end of the day you must decide if your application is capable of handling this switch as an added benefit. Often times, if you are having to up the threshold of your OS handling of things and or things such as over-clocking your processor to keep up, one might worry about the logic behind it. Perhaps go for 64bit OS to begin with.

Sounds like a no-brainer, but there is catch. I installed DHCP role on my Server Core that I had previously set up as Read-only Domain Controller, using this command.

start /w ocsetup DHCPServerCore

And then I went ahead and set the service configuration to “auto” with this command,

sc config dhcpserver start= auto (note the space between the equal sign and auto)

And then finally when I tried to start the DHCP service with the following command, it failed with these errors.

net start dhcpserver

A system error has occured

System error 50 has occured

The request is not supported

So the catch was, that since RODC can’t write back to the AD to create the needed DHCP security groups i.e DHCP Administrators and DHCP Users, the service would fail.

After creating those domain local security groups on another Windows Server 2008 RWDC, the service does run successfully and you can manage the DHCP Server (that is running on Server Core) from another server using RSAT.

Yes there is. Inevitable as it was, we the System Admins like to accomplish easy tasks from the tip of our fingers, and do things in a graphical click-ing environment. You might have heard of this utility, which came out few months back called ‘Server Core Configurator’ by Guy Teverovsky. I had been reading about the bugs and fixes at Guy’s site and hadn’t given a try. I have now downloaded a copy thats has been fixed up and fine tuned per the request of other readers and users who tried out this utility. I installed it on my Server Core copy and I haven’t been disappointed, it lets you do a lot of common tasks such as adding the machine to the domain, running DCPROMO on it, changing NIC settings, changing display and time zone etc. which would otherwise require you know the command line or registry edit.

While this utility will come in very handy (until Microsoft perhaps comes out of their own), remember its Microsoft’s attempt to offer a small footprint OS of Core features with the likes of Linux based DHCP, and DNS system such Infoblox, and they have tried to persuade the System Admins to learn the powerful capabilities of Cscripts, WMI and Netsh. This does take us the other way a little bit. But I sure am happy to see an option that allows to me do all those initial configuration tasks GUI-ily.

You be the judge and give it a try, download it from here,

http://blogs.microsoft.co.il/files/folders/guyt/entry68860.aspx

P.S You can only launch the application from the folder where it was installed, i.e change the directory to the C:\Program Files\Server Core Configurator where it installs by default.

Its pretty simple to turn the automatic updates in Server Core by using scregedit to modify the registry, simply type in this command :

cscript c:\Windows\system32\scregedit.wsf /au 4

After that, you do have to stop and start the Windows Update service

net stop wuauserv
net start wuauserv

The swtich /au 4 sets the time for checking the updates at 3am. It also sets the server to reboot if the updates require it to. You can disable automatic updates by using /au 1 switch or /v to view the current settings. To force an immediate check for updates, run the following command:

wuauclt /detectnow

You can use Windows Remote Shell (WinRS) in Vista and Windows Server 2008 to remotely manage and administer Server Core. The WinRS client passes the commands to a WinRS listener on Server Core, which passes the commands to a prompt, captures the output and returns it to the WinRS client. To do this, you have to enable Windows Remote Managment (WinRM) on Server Core, you will run the following command :

winrm quickconfig

You can then run for example this command to see the license status on the Server Core remotely from Vista or the full installation on Windows Server 2008

winrs -r:NameofServerCore "cscript c:\Windows\System32\slmgr.vbs -dli"

Note that you can also use tools such as Windows Management Instrumentation command line (WMIC) and PowerShell thru WMI calls to manager Server Core. At this time Server Core does not support PowerShell directly since it relies on .NET Framework which is not there in Windows Server without Windows

So In Windows Server 2008, there are roles such as AD Domain Services, DHCP, DNS, the roles services pertaining to roles such as AD Certificate Services, DFS, and finally there are optional features such as .NET Framework Services, Network Load Balancine (NLB), etc. With the exception of the Active Directory Domain Services role, you install server roles and features by using the ocsetup command. The syntax for ocsetup is the same for roles and features. The command is case sensitive, and you need to know the correct capitalization for a server role or feature, you can get that by running oclist command.

For instance, the following command installs Windows Server Backup, which is a feature

start /w ocsetup WindowsServerBackup

Using the /w switch indicates when ocsetup has finished installing the new role of feature. It also stops user from initiating another command while it’s running.

You can also find out what is already installed by running following oclist syntax

oclist | find "installed"

The Windows Server 2008 Server Core installation does support Read Only Domain Controllers (RODC). This support makes Server Core ideal for brance office scenarios. To make a Server Core part of your domain as RODC, you use the unattended answer file with the following text with your settings and passwords

[DCInstall]
InstallDNS=Yes
ConfirmGC=Yes
RebootOnCompletion=Yes
ReplicaDomainDNSName=2008.lab
ReplicaOrNewDomain=readonlyreplica
ReplicationSourceDC=dc3.2008.lab
SafeModeAdminPassword=
SiteName=Default-First-Site-name
UserDomain=2008.lab
UserName=admin08
Password=
CreateDNSDelegation=No

You can place the text file on the root of your C drive on the server core and run the following command

dcpromo /unattend:unattend.txt where unattend.txt is the text file you created above

Later on we will discuss other embedded command line structures and built-in programs such as OCSETUP which will allow you to add roles and features to your server core. Keep in mind that making the domain controller is the only setup you must not use OCSETUP for, and you must utilize DCPROMO for it, otherwise your server may not function properly.

After running the above process, you will notice that from a Windows Server 2008 full installation, using ADUC we can readily confirm that our DC is RODC.

In order to add your Server Core to a domain you must assign an IP and DNS server to the current IP Configuration and you do that using NETSH tool, otherwise using the answer file your setup will fail complaining about its inability to contact the source DC.

Netsh.exe is a tool an administrator can use to configure and monitor Windows-based computers at a command prompt. With the Netsh.exe tool, you can direct the context commands you enter to the appropriate helper, and the helper then carries out the command. A helper is a Dynamic Link Library (.dll) file that extends the functionality of the Netsh.exe tool by providing configuration, monitoring, and support for one or more services, utilities, or protocols. The helper may also be used to extend other helpers.

You will first check the index assigned to your NIC by running this at command line,

netsh interface ipv4 show interfaces

You can then using this syntax to assign your server an IP address. Note that my NIC index ID is 2.

netsh interface ipv4 set address name="2" source=static address=192.168.100.202 mask=255.255.255.0 gateway=192.168.100.1

And then you can use the following NETSH command to add your primary DNS server, in my case also the source DC.

netsh interface ipv4 add dnsserver name="2" address=192.168.100.201 index=1

Run Ipconfig /all to verify your configuration.

In a future post, I will show you how to setup Server Core to be a Read-Only Domain Controller in a Windows Server 2008 domain.

More on NETSH can be found on http://support.microsoft.com/kb/242468

So in Server Core the built-in Windows firewall comes on by default. You can choose to disable it completely to get all the networking components working by using this NETSH command,

netsh firewall set opmode disable

You can use the enable switch to turn it back on. However, completely disabling it may be a bad idea, and you should choose the following commands to specifically open up gates for certian ports and applications. For example to open up port 3389 for RDP use,

netsh firewall set portopening TCP 3389 "AnyNameHereSuchasRDP"

or

netsh firewall set allowedprogram FullPathToExecutable name=AnyNameHere

Note that above commands should be entered in one line, and are overlapped due to the page format in this post.

For more information on advanced firewall functionalty, please go here.

Even though the Server Core option of Windows Server 2008 does not have shell, you can still RDP (Terminal Services) into it by using RDC from a Windows Client. To do that, you have to first enable the RDP on Server Core by using the following cscript command.

Cscript \windows\system32\scregedit.wsf /ar 0

In order to use TS from a pre-vista OS you have to turn off the on by default high security by using the following command

Cscript \windows\system32\scregedit.wsf /cs 0

While terminal serviced into the Server Core, you can logoff.exe command line to terminate your session.

Once again, with no GUI your Windows Server 2008 Server Core can easily be renamed using Windows Management Instrumentation Command-line (WMIC), and here is how,

wmic computersystem where name="%computername%" rename name="new-name"

As result, you will get ‘Method execution successful’ message. However if your machine is domain-joined, you can use NETDOM to accomplish the same task. Here is the query.

Netdom renamecomputer %computername% /NewName:new-name /UserD:domain-username /PasswordD:*

As we know there is no GUI in Windows Server 2008 Server Core option, here is how you can activate your copy. Following was done on an eval. copy, and here is the cscript command to run.

Cscript C:\Windows\System32\slmgr.vbs -ato

You can run -xpr switch to tell how much time you have left, mine shows permanently activated. So these are out-of-box scripts that aid in Licensing Management.

Read my previous post on how to install VM additions in your lab environment (based on VS 2005 R2) to tinker with the Server Core.

In a full version of Windows Server 2008 there is Initial Configuration Tasks that allows you to configure various things after a fresh install. However since Server Core is GUI-less or more like Shell-less and not entirely GUI-less, the various initial configuration tasks are to be done from the command-line or thru the few built-in cpls.

In next few posts, I will be showing you the basic configuration of out-of-box Server Core. Lets start with changing the Administrator’s password which does not happen during the installation. You may use the good-old net command to do that,

net user administrator *

or change it by pressing CTRL+ALT+DEL and click Change Password.

You may also need to set the date, time and time zone, and there is a left-behind GUI cpl available for it.

control timedate.cpl

Above cpl will launch the normal Date and Time control panel for you to change the settings. The only other cpl included in Server Core is intl.cpl which allows you to change the keyboard layouts

Using Uptime utility from Microsoft you can get your server uptime (i.e time since the last reboot) which can come in handy particularly when you are trying to troubleshoot a server’s unexpected reboot and failures.

Uptime.exe can be used to display the current uptime of the local or remote system. Optionally, it can also scan the Event log for key system events such as system restart or computers that are not responding (hanging). Where possible, it also calculates system availability. It is primarily intended for Windows NT Server 4.0 Service Pack 4 or later, though it operates in limited fashion on earlier versions.

You can download it from the link below and drop it on the root of the c:\ or where you wish and the command line to run is simply uptime

http://support.microsoft.com/kb/232243

In a previous post we discussed the FSMO Roles and we know that one of the FSMO Roles is RID Master. What a RID Master does and whats its significant, let’s recap. RID Master – Each object must have a globally unique number (GUID). The RID master makes sure each domain controller issues unique numbers when you create objects such as users or computers. For example DC one is given RIDs 1-4999 and DC two is given RIDs 5000 – 9999.

In this post I will be showing you the command which you can run to check the available Relative Identifiers (RID) pool on one of your DCs.

You should have the Windows Server 2003 Support tools installed and the command to run is as follows:

dcdiag /v /test:ridmanager

/v is for verboselogging and the /test:ridmanager is to define the specific test and to avoid the other dcdiag test runs. Take a look at the attached screenshot above, It shows the current RID Allocation Pool and the Previous Allocation Pool. 500 RIDs are assigned from the RID Master and after 50% of the pool has been consumped, another request for pool refill is made to the RID Master.

Previously you have been able to use RENDOM utility provided by Microsoft to rename your Window 2000 and Windows Server 2003 domains. However in Windows Server 2008 domain you don’t have to separately install Rendom utility. It gets installed as part of “Active Directory Domain Services” role when you promote a server to the DC role. And It can be found here : %windir%\system32\rendom.exe.

I used it to rename a Windows Server 2008 domain in my test lab environment. The process was pretty straightforward but it may require more tasks if you have multiple DCs in a multi domain environment.

The Forest and Domain Functional Level should be Windows Server 2008 to proceed with the following task.

From the command prompt, I started out by running rendom /list which outputs an XML file (Domainlist.xml) to the directory where rendom resides. You edit that file to change your domain configuration to the new domain name. i.e ForestDNSZones, DomainDNSZones, Netbios name. See referenced link for details.

After you have modified the file you can run rendom /showforest which shows you the future configuration, verify and make changes if necessary.

Upload the changes you have made in the XML file: Run rendom /upload

Verify readiness of Domain Controller(s): Run rendom /prepare

Execute domain rename instructions: Run rendom /execute

After thats finishes up successfully, you should also run GPFIXUP tool to fix up GPO references to your old domain name. See Step 12 of this document.

Here is an example :

C:\Users\Administrator>gpfixup /olddns:08r2.lab /newdns:mcts.lab
Group Policy fix up utility Version 1.1 (Microsoft)

Start fixing group policy (GroupPolicyContainer) objects:
……..

Start fixing site group policy links:
.

Start fixing non-site group policy links:
….
gpfixup tool executed with success.

C:\Users\Administrator>gpfixup /oldnb:08r2 /newnb:mcts
Group Policy fix up utility Version 1.1 (Microsoft)

Start fixing group policy (GroupPolicyContainer) objects:
..
gpfixup tool executed with success.

Lastly, run rendom /clean

The identity (domain GUID) of the renamed domain does not change during a domain rename operation. Thus a computer’s domain membership does not change as a result of the holding domain being renamed.

However, every member computer joined to the renamed domain needs to be rebooted twice. Please refer to “How Domain Rename works” technical reference for more info.

How Domain Rename Works : Microsoft Technet

Other References:

http://dsg.port.ac.uk/~hx/rename_domain/index.php

http://www.msexchange.org/tutorials/Domain-Rename.html (for domains with Exchange)

Every domain has a default setting for ms-DS-MachineAccountQuota value 10. This means that any user can add up to 10 machines to a domain. You can modify this object in directory by using ADSIedit tool to prevent this behavior.

Warning: Using ADSIedit can have adverse effects on your Active Directoy environment, if not handled with proper knowledge.

Launch ADSIedit from run command, ADSIedit.msc

Under Domain Configuration, expand and find your domain. Right click and go to the Properties

Look for the following property and modify it to ’0′

Hit OK, Apply and exit

How does it keep track of how many machines have you added based on your user ID/account ?

For a computer account created by domain users, the account has ‘ms-DS-CreatorSID’ attribute to indicate the creator user. When a user adds a computer to the domain, a process enumerates the ‘ms-DS-CreatorSID’ attribute on every computer account in the domain and calculates if the sum exceeds the current quota for that user.

The ‘ms-DS-CreatorSID’ and ‘ms-DS-MachineAccountQuota’ with default value 10 are also available in Windows Server 2008 AD DS.

Note: The ‘ms-DS-CreatorSID’ attribute will be unset in the computer account that is pre-created in Active Directory Users and Computers MMC or joined by domain administrators.

http://support.microsoft.com/kb/243327

Where Account Lockouts save us from brute force password attacks and help us standardize our environment for password policies, sometimes it can be painful to troubleshoot and find out why and where it happened. Microsoft does provide us with the ‘Account Lockout Management Tools’ suite which can be very handy to diagnose the root cause of an account lockout.

· AcctInfo.dll. Helps isolate and troubleshoot account lockouts and to change a user’s password on a domain controller in that user’s site. It works by adding new property pages to user objects in the Active Directory Users and Computers Microsoft Management Console (MMC).

· ALockout.dll. On the client computer, helps determine a process or application that is sending wrong credentials.

· ALoInfo.exe. Displays all user account names and the age of their passwords.

· EnableKerbLog.vbs. Used as a startup script, allows Kerberos to log on to all your clients that run Windows 2000 and later.

· EventCombMT.exe. Gathers specific events from event logs of several different machines to one central location.

· LockoutStatus.exe. Determines all the domain controllers that are involved in a lockout of a user in order to assist in gathering the logs. LockoutStatus.exe uses the NLParse.exe tool to parse Netlogon logs for specific Netlogon return status codes. It directs the output to a comma-separated value (.csv) file that you can sort further, if needed. The latest version available is 1.0.0.60.

· NLParse.exe. Used to extract and display desired entries from the Netlogon log files.

Unfortunately, I didn’t find good documentation of how to quickly make good use of these tools when my domain admin account started getting mysteriously locked out after I had changed my password due to the policy in place. From my experience I found Lockout Status and EventComb MT to be most useful from the suite.

I knew the common causes why my account would get locked out due to one of the reasons listed here : See this but I needed to figure out what is the offending machine or service thats providing my old credentials to a DC thats causing the account to be locked out.

I started out launching Lockout Status tool and selected my domain admin account as ‘target’ from the file menu and running it. It gave me list of all the DCs with the status of my account and more importantly the DC the lockout happened on in the ‘Orig Lock’ tab towards the right of the program screen. I then launched the Event CombMT piece and right clicked in the white space in the search area and added the DC the lockout originated at. I choose from ‘Option’ menu where I wanted to output the file as txt or CSV. I chose ‘Security’ as log files search option for all event types and then putting ’644′ as the event id and clicked on search.

It outputted the CSV file in the area I had specified and I was able to see that it found the event 644 for my ID on 6 different machines across the domain, it was listed under ‘Caller Machines Name’ column, (I know its bad administration on my part to sometimes disconnect my terminal sessions instead of logging off). Sure enough when I logged on to those machines I immediately saw the following notifications.

I had to log off and log back in to clear out the error. After that, I ran the Lockout Status tool again and noticed the lock status for my domain admin account had been cleared out.

Conclusion: Never leave your account logged on somewhere (or have a service run under your user context) and lock the machines or disconnect the remote session without logging off, and when using tools like Remote Desktops (which can be useful and allow you to have a list of machines you remote in frequently during the day), make sure you don’t save your passwords in the session configurations.

More Resources:

Download the Microsoft Account Management Tools

Technet Resource on how to maintain and manage the account lockout

WindowsSecuirty.com-Implementing and Troubleshooting Account lockout

Sometimes you have a task on your hand for your Active Directory environment but it isn’t an easy one, or lets just say that not many people have come across having a need for it (so not a whole lot you can google for). I recently had a situation like this. Basically in our AD environment we failed to realized the importance and fell behind in keeping our reverse lookup zones updated. As we all know that AD infrastructre does not rely on reverse lookups and you can get away with not having all your defined subnets populated in the reverse zones (in-addr.arpa). We began having some random errors of unsuccessful Group policy applications on some machines and also we started being bugged by the SMS group of the failure of SMS clients installation since some applications like SMS do rely on having to lookup machines by their IP addresses.

We are quite a big environment as we have little over 1000 AD defined subnets and only 80 some had been populated in the reverse lookup zones. I was tasked to make sure that all the reverse zones are created in our DNS from the defined subnets. As it could be very tedious task, I wanted to automate the process. I am not a scriptor but I knew that we could not be the only who has had this issue and I tried digging the newsgroups/blogs/forums and the internet in general but I had no or little luck finding any relevant information.

I started off looking into ADSIedit, as I wanted the export the subnet objects and then somehow import them back into the DNS. I knew that there was DNSCMD command line utility that allows you to do various tasks for zones/records creations, deletion and modification. Unfortunately it did not have a very wide syntax that allowed to pipe-in a list from an external source such a CSV file (that would have the subnets I export from AD). As expected the export part went fine and I had the full list of all the AD defined subnets. Now I was struggling to find a VBscript I could wrap this file into and pipe-in thru DNSCMD like utility.

I looked at Joeware free AD utilites, and I saw Joe had a tool called ADfind. I decided to query him and I got a rapid reply back from him with some suggestions, he assured me it is doable using his ADfind utility combined with some other script or utility. In mean time he forwarded my query to Dean Wells of MSEtechnology who emailed me a rather quick solution using Joe’s ADfind tool (see below). I was extremely pleased how my easy attempt to query seasoned scriptors had paid off.

Apart from other great writing and consulting achievements both Joe Richards and Dean Wells are Micrsoft MVPs and their voluntary efforts to help out the community truly exhibited what MVP program is all about.

So here is the command you would run at your DNS server to accomplish this task;

for /f "tokens=1,2,3 delims=." %n in ('adfind -config -rb "CN=Subnets,CN=Sites" -f "objectclass=subnet" name -list') do @dnscmd /zoneadd %p.%o.%n.in-addr.arpa /primary

add ‘ds’ in front of the primary (/dsprimary) if you wish to make the zones AD integrated

NOTES from Dean
-If you place the syntax above within a batch file, please note that any occurrence of a ‘%’ symbol must be replaced with ‘%%’ (two of them)
-ADfind and DNSCMD must both exist within the current directory or the system path
-In its current form, the syntax assumes the subnet is comprised of 3 octets

Maybe the most forgotten password is the one for Directory Services Restore Mode (DSRM) because it’s created only when a DC is built, and used only during critical DC recovery operations, which hopefully does not happen very often. Not knowing this password can prevent a successful recovery.

If you don’t know your DSRM password and haven’t stored them in a safe place, use the following commands for each Domain Controller to reset it to a known value:

ntdsutil
set dsrm password
reset password on server {servername}

Once you do this, write down that password and lock/encrypt it away.

Installing VMAdditions on Windows Server 2008 Core can be tricky. In my virtual lab I have Virtual Server 2005 R2 SP1, I recently decided to test drive the much hyped Server Core from the Windows Server 2008 lineup. For those of you who don’t know what Server Core is and what it will cater to;

Server Core is a minimal server installation option for computers running on the Windows Server 2008 operating system. Server Core provides a low-maintenance server environment with limited functionality. Server Core is an installation option that is capable of five well-known server roles: File Server, DHCP Server, DNS Server, Media Services, and Active Directory. Server Core is not a development platform for new server applications. Although Server Core is not an application platform, it does support the development of management tools, utilities, and agents.

Server Core management tools, utilities, and agents fall into two categories: those that manage a server remotely, and those that run locally to manage the server or return data to a centralized management tool. Remote management tools should not require any changes to support Server Core, as long as the tool uses one of the remote protocols supported in Server Core, such as RPC. Local management agents and utilities may require changes to run properly on Server Core. There is no Windows shell and very limited GUI functionality (the Server Core interface is a command prompt).

The installation of Server Core was pretty straightforward, and GUI based but when it finished I was left with command prompt where the rest of the configuration and setup would be run from. Like in any other Micrsoft VMs, VMAdditions are must as you don’t have a smooth control of your keyboard and mouse, and video is pretty bad.

I started out by mounting the VMadditions ISO from the web interface of VS2005. (Note that this ISO has been updated with the SP1 of VS2005 R2 and provides better results now). But since the Core does not auto-launch the CDs nor does it understand what ISO images are, it failed to kick-off the installation.

The trick was to change the directory to D:\ and by going to Windows\Setup folder and running the Setup.exe file manually, that immediately started the installation and successfully installed the latest Virtual Machine Additions version 13.813 .

Server Core does provide us the ability to run a DC like infrastructure server on a low end machine with the littler foot print on other network resources.

Time to learn the CScripts, WMIC, Netsh etc. to better manage it however !

In my last post, I talked about what FSMO roles are how to retrieve them thru GUI. In this post I am showing you a quick way to tell what DCs are holding which FSMO roles in your forest/domain. It can be done by running NETDOM QUERY FSMO command at one of your DCs.

Notice, that my Schema Master and Domain Naming Master reside in the forest root domain (virtualdomain.com) since they are forest level FSMOs and the PDC Emulator, RID Master and Infrastructure Master are all on one DC (virtualdc3) which is on a separate domain tree (Shq.tech)

Typically NETDOM command-line tool enables administrators to manage Windows Server 2003 and Windows 2000 domains and trust relationships from the command line is available thru the Resource Kit. It has a range of syntax you can do various things with such as,

- Manage computer accounts for domain member workstations and member servers, Establish one-way or two-way trust relationships between domains.

Use NETDOM /? to see the available options or go here to get the list.

FSMO (pronounced – fiz-mo) roles are essentially domain controllers with higher power than their peer DCs hence the name Flexible Single Master Operation, the word flexible is perhaps in there since you do have the flexibility to move these roles around (the word floationg has been referenced at some places as well). From the name you really have to focus on the Single Master Operation part to understand that these roles have a single role attached to them that only one DC can have.

There are total of 5 FSMO roles with two at the Forest level and three at Domain level. And here is what they are.

Forest Level FSMO roles:

1. Domain Naming Master – Ensures that each child domain has a unique name.  How often do child domains get added to the forest?  Not very often I suggest, so the fact that this is a FSMO does not impact on normal domain activity.  My point is it’s worth the price to confine joining and leaving the domain operations to one machine, and save the tiny risk of getting duplicate names or orphaned domains.
2. Schema Master – Operations that involve expanding user properties e.g. Exchange 2003 / forestprep which adds mailbox properties to users.  Rather like the Domain naming master, changing the schema is a rare event.  However if you have a team of Schema Administrators all experimenting with object properties, you would not want there to be a mistake which crippled your forest.  So its a case of Microsoft know best, the Schema Master should be a Single Master Operation and thus a FSMO role.

Domain level FSMO roles: 

1. PDC Emulator - Most famous for backwards compatibility with NT 4.0 BDC’s.  However, there are two other FSMO roles which operate even in Windows 2003 Native Domains, synchronizing the W32Time service and creating group policies.  I admit that it is confusing that these two jobs have little to do with PDCs and BDCs. 
2. RID Master – Each object must have a globally unique number (GUID).  The RID master makes sure each domain controller issues unique numbers when you create objects such as users or computers.  For example DC one is given RIDs 1-4999 and DC two is given RIDs 5000 – 9999.
3. Infrastructure Master – Responsible for checking objects in other other domains.  Universal group membership is the most important example.  To me, it seems as though the operating system is paranoid that, a) You are a member of a Universal Group in another domain and b) that group has been assigned Deny permissions.  So if the Infrastructure master could not check your Universal Groups there could be a security breach.

You can see your Domain level FSMOs from the ADUC (Active Directory Users & Computers) right click on the domain name and click on Operations Roles, from there you have the ability transfer these roles as well. Of Forest level FSMOs, Domain Naming Master can be looked up from the Active Directory Domains and Trusts, you have to right click on the Domains and Trusts at the top in the left pane and click on Operation Roles. And for Schema Master look up you have to register a DLL and add in an snap-in (see here).

As windows system admin you should know the importance of the FSMO roles and have good knowledge of what each one does and how to transfer and sieze them when necessary.

For more detailed reading see this great article, as you may not find a lot of FSMO information in general MS press books targeted towards MS certification (at least for Windows Server 2003 track).

Updating schema for your forest is not something you do very often, however, it is a requirement when you introduce a Windows server 2003 DC in a Windows 2000 domain or when you introduce the first Windows Server 2008 in your Windows Server 2003 domain. (There may be other times when you have to do this such as when adding Exchange to your environment). Nonetheless it is a very simple and easy task.

 I recently added a Windows Server 2008 domain tree to my existing Windows Server 2003 forest in my lab environment and here is how you do it. You start out by putting Windows Server 2008 DVD (in my case it was mounting the ISO image to the VM) on your schema master DC and from the command prompt you go to the (D:\Sources\adprep\) you can run the help option “/?” to know the syntaxes that apply here.

I ran the “adprep /forestprep”, you will have to hit C and ENTER to give assurance that all your DCs are at Windows 2000 SP4 level or above. In my case it imported about 14 new schema files “.ldf” files and successfully finished.

The next step is to run the “domainprep” syntax from within the same location and that is to be done on your infrastructute master FSMO role. (See FSMO). In my case it was a different DC, so same steps from above except for this time we only had to run the “domainprep” part.

In my case I also ran “adprep /domainprep /gpprep” to update the permissions on my existing GPOs. In future I may write a FAQ or memory refresher about FSMO roles as it is imperative to know the importance of these rules and to understand what we did here and why it could only be done on certain FSMO holders.

Long after there have been hundreds of free online space givers have emerged, Microsoft has recently jumped in with their own flavor. Windows Live SkyDrive is a free online space that gives away 5gb space for your music, data, pictures, and videos. Along with that there is also a ‘public folder’ feature available similar to that of Microsoft Outlook. Service over all is good however the limit for file size upload is 50mb which in my opinion isn’t very good. But heck you can’t beat free 5gb of ciber space.

You don’t have to sign-up for the service if you already have an hotmail or msn account. Just go here after you log-in to your hotmail/msn account and reserve your space.

I myself have a public folder space now which I intend to use to publish Microsoft related evals/software and documentation.

You can extend the Windows Server 2008 Evaluation copy you have running for trial/demo/testing purpose for up to 240 days now.

“Evaluating Windows Server 2008 software does not require product activation. Any edition of Windows Server 2008 may be installed without activation, and it may be evaluated for 60 days. Additionally, the 60-day evaluation period may be reset (re-armed) three times. This action extends the original 60-day evaluation period by up to 180 days for a total possible evaluation time of 240 days. Note: Although you can reset the 60-day evaluation period, you cannot extend it beyond 60 days at any time. When you reset the current 60-day evaluation period, you lose whatever time is left on the previous 60-day evaluation period. Therefore, to maximize the total evaluation time, wait until close to the end of the current 60-day evaluation period before you reset the evaluation period.”

Download your Eval Copy here

More info on extending the evaluation period

Apart from great tools such as command line Repadmin and GUI based Replmon, Dsastat (Windows Support Tool) is a command line utility that allows you to check your DCs replications, it compares and detects differences between directory partitions on domain controllers. The tool retrieves capacity statistics such as megabytes per server, objects per server, and megabytes per object class. Then, the tool compares the attributes of replicated objects. You can use the tool to compare two directory trees across replicas in the same domain or, for a global catalog, across different domains.

Following is an end result from the simple command with -s syntax for server names; i.e

dsastat -s:dc1;dc2

For more information, see this

Group Policy has been an extremly handy tool for last few years for System Admins, yet an equally complex topic to digest and you need to know it inside-out in order to effectively troubleshoot the problems that occur from time to time in your environment. Lets start with the basics of Group Policy Mechanism.

A GPO is a virtual object. The policy setting information of a GPO is actually stored in two locations: the Group Policy container (GPC) and the Group Policy template (GPT). The Group Policy container is an Active Directory container that stores GPO properties, including information about version, GPO status, and a list of components that have settings in the GPO. The Group Policy template is a directory structure within the file system that stores Administrative Template-based policy settings, security settings, script files, and information regarding applications that are available for Software Installation. The Group Policy template is located in Sysvol in the \Policies sub-directory for its domain. GPOs are identified by their globally unique identifiers (GUIDs) and stored at the domain level. Replication of a GPO to other domain controllers happens through two different mechanisms. The Group Policy container is replicated by using Active Directory replication (RPC), whereas the Group Policy template is replicated using File Replication service (FRS) in Windows Server 2003 and for Windows Server 2008 (native domain) DFSR. The settings from a GPO are only applied when the Group Policy container and Group Policy template are synchronized.

 More on Group Policy later.

I would highly recommened watching this webcast series by Harold Wong, Micrsosoft on Exchange Server 2007. He starts from the basics, lays down a solid foundation and builds on some of the advanced topics and techniques. I think its worth watching If you are looking to upgrade your current Exchange 2000 or 2003 organization or moving from a Notes environment.

“Learn how you can use the new advanced management tools in the next generation of Exchange to save time. Tune in and see how to install and manage Microsoft Exchange Server 2007 with the Exchange Management Console. Our Exchange experts help you explore the features of Microsoft Exchange Server 2007, such as increased security, unified messaging, performance improvements, and ease of deployment.”

http://www.microsoft.com/events/series/tnexchangeserver.aspx?tab=webcasts&id=42340

I am assuming there are more folks besides me wondering about the new Windows Server 2008 track certifications and roadmaps for the MCSAs and MCSEs. This attached PDF document defines the upgrade paths. Looks like the already known replacement name for MCSA/MCSA – the MCITP (Micrsoft Certified Information Technology Professional) has two flavors i.e Server Administrator and Enterprise Administrator. Current MCSAs/MCSEs can achieve first one by passing two exams and for the latter its four for MCSAs and three for MCSEs.

I would have preferred to keep MCSA and MCSE as titles on Windows Server 2008 certification track, but I guess the change of names was inevitable just like all other things are – in IT.

Windows Server 2008 Transitions Exams for MCSA/MCSE_Roadmaps 

If you are like me and often have to go and look for the command line shortcuts apart from the ones you use on daily basis and are easy to remember (i.e mstsc, dsa.msc, compmgmt.msc) for launching the administrator tools in Windows Server 2003. Here is an handy list you can print out and hang it in behind your computer until you remember them all.

AD Domains and Trusts
domain.msc

Active Directory Management
admgmt.msc

AD Sites and Serrvices
dssite.msc

AD Users and COmputers
dsa.msc

ADSI Edit
adsiedit.msc

Authorization manager
azman.msc

Certification Authority Management
certsrv.msc

Certificate Templates
certtmpl.msc

Cluster Administrator
cluadmin.exe

Computer Management
compmgmt.msc

Component Services
comexp.msc

Configure Your Server
cys.exe

Device Manager
devmgmt.msc

DHCP Managment
dhcpmgmt.msc

Disk Defragmenter
dfrg.msc

Disk Manager
diskmgmt.msc

Distributed File System
dfsgui.msc

DNS Managment
dnsmgmt.msc

Event Viewer
eventvwr.msc

Indexing Service Management
ciadv.msc

IP Address Manage
ipaddrmgmt.msc

Licensing Manager
llsmgr.exe

Local Certificates Management
certmgr.msc

Local Group Policy Editor
gpedit.msc

Local Security Settings Manager
secpol.msc

Local Users and Groups Manager
lusrmgr.msc

Network Load balancing
nlbmgr.exe

Performance Montior
perfmon.msc

PKI Viewer
pkiview.msc

Public Key Managment
pkmgmt.msc

QoS Control Management
acssnap.msc

Remote Desktops
tsmmc.msc

Remote Storage Administration
rsadmin.msc

Removable Storage
ntmsmgr.msc

Removalbe Storage Operator Requests
ntmsoprq.msc

Routing and Remote Access Manager
rrasmgmt.msc

Resultant Set of Policy
rsop.msc

Schema management
schmmgmt.msc

Services Management
services.msc

Shared Folders
fsmgmt.msc

SID Security Migration
sidwalk.msc

Telephony Management
tapimgmt.msc

Terminal Server Configuration
tscc.msc

Terminal Server Licensing
licmgr.exe

Terminal Server Manager
tsadmin.exe

UDDI Services Managment
uddi.msc

Windows Mangement Instumentation
wmimgmt.msc

WINS Server manager
winsmgmt.msc

Enjoy !

Distributed File System Replication was a major improvement over DFS and FRS, and also an intended seller feature of the R2 of Windows Server 2003. I came across a great article that describes what the DFRS does and how easily it can be setup. In domain environment, prior to installing DFSR the schema must be updated to the R2 version with the ADPREP utility from the CD2 of the Windows Server 2003 R2.

“DFSR is a multimaster replication engine used to distribute copies of data across multiple servers. It can run with or without DFS Namespaces, but its most popular use is to ensure that every member of a set of servers—a replica set—contains identical data and that replication is fast and bandwidth-efficient. It has many features, including bandwidth management, replication scheduling, and an innovative compression algorithm, that together dramatically decrease the amount of network bandwidth needed to keep data synchronized across your network. Microsoft reports that using DFSR results in up to a 300 percent improvement in the speed of large-file replication and 40 percent less administrative time spent managing the replication set.”

http://www.windowsitpro.com/Article/ArticleID/95223/95223.html