
Forum Replies Created

Viewing 30 posts - 1 through 30 (of 100 total)
  • in reply to: AWS Directory Service #388195

    Almost a year later… Did you know Amazon.com launched a managed Microsoft AD service?

    in reply to: Can I create conflicting groups in Active Directory? #388194

    This isn’t something that’s built in, but you could certainly have a PowerShell task which runs on a tight schedule to monitor memberships. This task can be written to remove people added to conflicting groups, send a notification, and add an auditing event. The possibilities are limited only by your imagination.
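    One way to build the scheduled task described above, as an added example that is not part of the original reply. It assumes the ActiveDirectory module, a constructed manifest of mutually exclusive group pairs, and placeholder mail/event-source settings; a user found in both groups of a pair is removed from the "deny" side, an Application-log event is written, and a notification is sent.

```powershell
# Added example (not from the original post): enforce mutually exclusive group memberships.
# Group pairs, event source and SMTP settings below are assumed placeholders.
Import-Module ActiveDirectory

# Constructed manifest: a user may belong to at most one group of each pair.
$ConflictPairs = @(
    @{ Keep = 'Finance-Approvers'; Deny = 'Finance-Requesters' },
    @{ Keep = 'Tier0-Admins';      Deny = 'Helpdesk' }
)
$LogSource = 'GroupConflictMonitor'          # assumed event source (registered once, as admin)
if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
    New-EventLog -LogName Application -Source $LogSource
}

foreach ($pair in $ConflictPairs) {
    # Resolve nested membership so indirect conflicts are caught as well
    $keep = @(Get-ADGroupMember -Identity $pair.Keep -Recursive | Where-Object objectClass -eq 'user')
    $deny = @(Get-ADGroupMember -Identity $pair.Deny -Recursive | Where-Object objectClass -eq 'user')

    # Users present on both sides violate the rule
    $violations = Compare-Object -ReferenceObject $keep -DifferenceObject $deny `
        -Property DistinguishedName -IncludeEqual -ExcludeDifferent

    foreach ($v in $violations) {
        $dn  = $v.DistinguishedName
        $msg = "User $dn is a member of both $($pair.Keep) and $($pair.Deny); removing from $($pair.Deny)."

        # Only a direct membership can be removed here; a nested one is left for a human decision
        Remove-ADGroupMember -Identity $pair.Deny -Members $dn -Confirm:$false -ErrorAction SilentlyContinue

        # Audit trail: one event per corrected conflict
        Write-EventLog -LogName Application -Source $LogSource -EntryType Warning -EventId 4001 -Message $msg

        # Notification (assumed addresses and relay)
        Send-MailMessage -To 'ad-audit@example.com' -From 'monitor@example.com' -SmtpServer 'smtp.example.com' `
            -Subject 'Conflicting group membership corrected' -Body $msg
    }
}
```

    Run it from a scheduled task under an account that has write access to the "deny" groups only; the audit event and mail are what make the automatic removal reviewable afterwards.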

    in reply to: CAN’T DCPROMO ON OLD WIN2K8 AD #388193

    If this were my forest, I would do the following:
    1. Take a full backup of the domain controller “AD1” using Windows Server Backup
    2. Seize the remaining role to AD1: PS C:\> Move-ADDirectoryServerOperationMasterRole -Identity "AD1" -OperationMasterRole InfrastructureMaster
    3. Power down AD2 and disk-wipe it. (Once you seize a role, this DC cannot come back online.)
    4. Clean up metadata after AD2 has been removed
    5. Rebuild AD2 and promote it as an additional DSA in your forest.
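    The five steps above as one script, added here as an example and not taken from the original reply. It assumes the ActiveDirectory module, a backup target drive, and a placeholder server DN and domain name for AD2; step 3 (wiping AD2) happens outside the script, and step 5 runs on the rebuilt AD2.

```powershell
# Added example (not from the original post): seize the role, clean up AD2's metadata, re-promote.
# Backup target, server DN and domain name are assumed placeholders.
Import-Module ActiveDirectory

# 1. System state backup of AD1 (Windows Server Backup feature must be installed)
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 2. Seize: -Force turns the transfer into a seizure when AD2 cannot be contacted
Move-ADDirectoryServerOperationMasterRole -Identity 'AD1' -OperationMasterRole InfrastructureMaster `
    -Force -Confirm:$false

# Confirm that all five roles now sit on live DCs before going further
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 3. AD2 is powered off and wiped outside this script; it must never come back online.

# 4. Metadata cleanup: removes AD2's NTDS settings, server and computer objects
$ad2ServerDN = 'CN=AD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com'  # assumed
ntdsutil "metadata cleanup" "remove selected server $ad2ServerDN" quit quit

# AD2 should no longer be listed; stale DNS records for it are removed separately
Get-ADDomainController -Filter * | Select-Object Name, Site, OperationMasterRoles

# 5. On the rebuilt AD2: install the role and promote it as an additional DC
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName 'example.com' -InstallDns -Credential (Get-Credential)
```

    The backup in step 1 is what makes step 2 reversible; a seized role cannot be handed back to the original holder, which is why the old AD2 must be rebuilt rather than powered on again.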

    in reply to: AD Error – FRS Event ID 13568, Journal wrap error #388192

    Re: AD Error – FRS Event ID 13568, Journal wrap error

    Don’t forget to migrate to DFSR when you are done fixing the FRS journal wrap…

    :wink:

    in reply to: Delegating permission to support staff #388191

    Re: Delegating permission to support staff

    Alternately, you can use PowerShell and a scheduled task to distribute these automatically.

    I have done that using the Get-WmiObject cmdlet to identify the platform and hardware attributes, then distribute the objects into whatever OU I need them to be in.
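    An added example of the approach just described; it is not the poster's script. It assumes a staging OU where new computer objects land, a target OU per platform class, and that the machines answer WMI queries; each computer is classified from Win32_OperatingSystem and Win32_ComputerSystem and moved with Move-ADObject.

```powershell
# Added example (not from the original post): sort newly joined computers into OUs by platform.
# OU paths are assumed placeholders.
Import-Module ActiveDirectory

$stagingOU = 'OU=Staging,DC=example,DC=com'       # assumed: where new computer objects are created
$targetOU  = @{                                    # assumed OU layout
    Server      = 'OU=Servers,DC=example,DC=com'
    Workstation = 'OU=Workstations,DC=example,DC=com'
    Laptop      = 'OU=Laptops,DC=example,DC=com'
}

function Get-PlatformClass {
    param([string]$ComputerName)
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
    if ($os.ProductType -ne 1) { return 'Server' }

    # Win32_ComputerSystem.PCSystemType 2 = mobile; a battery instance is a second hint
    $cs      = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName -ErrorAction Stop
    $battery = Get-WmiObject -Class Win32_Battery -ComputerName $ComputerName -ErrorAction SilentlyContinue
    if ($cs.PCSystemType -eq 2 -or $battery) { return 'Laptop' }
    return 'Workstation'
}

foreach ($computer in Get-ADComputer -SearchBase $stagingOU -Filter * -Properties DNSHostName) {
    try {
        $class = Get-PlatformClass -ComputerName $computer.DNSHostName
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $targetOU[$class]
        Write-Output "$($computer.Name) -> $class"
    } catch {
        # Offline or unreachable machines stay in staging and are retried on the next run
        Write-Warning "Skipped $($computer.Name): $($_.Exception.Message)"
    }
}
```

    Because the target OU decides which Group Policy a machine receives, the task account should be allowed to move objects only between these specific OUs, not to create or delete them.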

    in reply to: Windows Active Directory Resource assigned to Wrong Identity #388190

    Re: Windows Active Directory Resource assigned to Wrong Identity

    Distinguished names are unique. I don’t see how you can have a “matching DN”.

    It sounds to me like your identity management solution is misconfigured.

    Re: create AD 2003 member server without overriding existing DNS entries

    I’ve witnessed this myself. It stemmed from an engineer creating an empty zone for the domain name when he installed DNS, which wiped out all the records in the production zone. He was impatient after installing the DNS role because he couldn’t see the zone in the MMC. He used dns.msc to create an empty zone, thinking that would allow the records to replicate to the new domain controller…

    What you want to do is run the DC promo first. When it completes and you have verified your three directory partitions are fully replicated (Domain, Schema, Configuration), then you will want to install DNS.

    When you install ADDNS on a directory server, it will automatically replicate the two DNS partitions (DomainDNS, ForestDNS) and populate your zone.

    What you want to avoid is creating an empty zone for your namespace.
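    The order of operations above as a check script, added as an example rather than taken from the reply (the reply concerns a 2003-era domain; the cmdlets used here assume a current ActiveDirectory and DnsServer module and a placeholder DC name). It refuses to add the DNS role until every inbound partner for the Domain, Schema and Configuration partitions reports a successful sync, then installs DNS and lists the zones that arrived from the directory.

```powershell
# Added example (not from the original post): promote first, verify the three partitions,
# then install DNS so the zone is populated from AD rather than created empty.
Import-Module ActiveDirectory

$newDC   = 'DC2.example.com'   # assumed: the freshly promoted domain controller
$rootDse = Get-ADRootDSE -Server $newDC
$partitions = @(
    $rootDse.defaultNamingContext,        # Domain
    $rootDse.schemaNamingContext,         # Schema
    $rootDse.configurationNamingContext   # Configuration
)

# Any partner/partition pair without a clean last sync blocks the DNS install
$pending = foreach ($nc in $partitions) {
    Get-ADReplicationPartnerMetadata -Target $newDC -Partition $nc |
        Where-Object { $_.LastReplicationResult -ne 0 -or $null -eq $_.LastReplicationSuccess }
}
if ($pending) {
    $pending | Format-Table Partition, Partner, LastReplicationResult, LastReplicationSuccess -AutoSize
    throw 'Domain, Schema or Configuration partition is not fully replicated; do not install DNS yet.'
}

# Safe to add the role: DomainDnsZones/ForestDnsZones replicate in and populate the zone
Install-WindowsFeature -Name DNS -IncludeManagementTools -ComputerName $newDC

# Confirm the zones came from the directory; nothing here creates a zone by hand
Get-DnsServerZone -ComputerName $newDC |
    Where-Object IsDsIntegrated |
    Select-Object ZoneName, ReplicationScope
```

    The final listing is the safeguard: if the namespace zone is missing there, wait for the application partitions to replicate rather than creating an empty zone in dns.msc.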

    in reply to: Tool to Modify User information in AD #388188

    Re: Tool to Modify User information in AD

    I believe Hyena also supports bulk edit.

    Your go-to tool for this should be Powershell though ;)

    in reply to: Replication status #388187

    Re: Replication status

    Odd that the schema partition is replicated but everything else is complaining about the schema mismatch.

    What does your topology look like? What sites and links are involved here?

    in reply to: Replication status #388186

    Re: Replication status

    Have you taken a look at this article?

    http://support.microsoft.com/kb/2734946

    in reply to: SCOM for AD auditing #388185

    Re: SCOM for AD auditing

    You *could* use SCOM for that. Much of it is in the AD management packs already, anything else can be created.

    Now, “should” you use SCOM for it? I wouldn’t. Unless you have someone watching the console continuously, you will lose the critical and time-sensitive stuff. Also, if you are capturing audit data, you will want a history. SCOM isn’t going to be the best way to keep that history. You would need to set your aggregation to such a level that your database growth would be a concern.

    You can use something like Splunk to ingest your logs, then create alerts on certain events… Other than that, I don’t know what else is out there without knowing exactly what you are trying to accomplish…

    in reply to: Password Policy Issue #388184

    Re: Password Policy Issue

    Just out of curiosity, why would they require changing their password on the first as opposed to the 26th? Convenience?

    in reply to: Upgrading Schema from Server 2003 to Sever 2008R2 #388183

    Re: Upgrading Schema from Server 2003 to Sever 2008R2

    One of the steps I take whenever I update the schema is to disable outbound replication. Much easier and more tolerable than shutting down a DC or airgapping it…

    repadmin /options %computername% +disable_outbound_repl
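    The disable/extend/verify/re-enable sequence behind that command, as an added example that is not the poster's own script. It assumes it runs on the schema master, an adprep path on the installation media, and the ActiveDirectory module; if adprep fails, outbound replication is left off so no other DC receives the partial change.

```powershell
# Added example (not from the original post): run a schema extension with outbound
# replication from the schema master switched off until the result is verified.
Import-Module ActiveDirectory

$schemaMaster = (Get-ADForest).SchemaMaster
if ($env:COMPUTERNAME -ne ($schemaMaster -split '\.')[0]) {
    throw "Run this on the schema master ($schemaMaster); adprep must run there anyway."
}

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$before   = (Get-ADObject $schemaNC -Properties objectVersion).objectVersion

# Stop this DC from sending changes to its partners
repadmin /options $env:COMPUTERNAME +DISABLE_OUTBOUND_REPL

& 'D:\support\adprep\adprep.exe' /forestprep        # assumed media path
if ($LASTEXITCODE -ne 0) {
    Write-Warning "adprep failed ($LASTEXITCODE). Outbound replication stays disabled; restore this DC from backup before re-enabling."
    exit 1
}

$after = (Get-ADObject $schemaNC -Properties objectVersion).objectVersion
Write-Output "Schema objectVersion: $before -> $after"

# Human gate: inspect the schema / test applications while other DCs are still untouched
$answer = Read-Host 'Type YES to re-enable outbound replication and push the new schema'
if ($answer -ne 'YES') { exit 1 }

repadmin /options $env:COMPUTERNAME -DISABLE_OUTBOUND_REPL
repadmin /syncall $env:COMPUTERNAME /AdeP   # push the schema to all partners now
```

    The objectVersion comparison is the cheap sanity check that the extension actually landed; the gate before re-enabling is what makes the "disable outbound replication" trick safer than taking the DC off the network.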

    Re: DC Tombstone lifetime on a 10 users Branch office, 30 users at HQ. Start scratch

    Straighten out AD before you do anything with Exchange. It sounds like you only have a single functioning DC at the moment. That’s scary. Clean up the metadata for the missing DC. Disk-wipe the Canada DC and rebuild it. You will need to clean up metadata there as well. Do yourself a favor by building a tertiary DC somewhere (the HQ office is as good a place as any).

    Don’t overlook your unary roles. In the off chance one of them was on either failed DC, you will need to seize them before doing anything else.

    I’m on a smartphone, so excuse the brevity.

    in reply to: Certificate Authority Issue #388180

    Re: Certificate Authority Issue

    It is easier to remove the templates on the old CA and let it fade away as client/machine certs expire. Then you can simply remove it from the fleet…

    Re: Tracking user Logon and Logoff activity in database (secure)

    I’m sure you could script something that does a time-bound deny on inserts. It shouldn’t be that difficult, but any time you allow inserts to a human user you expose yourself to abuse…

    in reply to: force logoff user windows 7 from server #388178

    Re: force logoff user windows 7 from server

    I was correct. Using qwinsta and rwinsta, you can query a computer to find what session is associated with a particular logon, then force that session to close:

    c:\>qwinsta /server:uPN-laptop
     SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
     services                                    0  Disc
     console           userPrincipalName         2  Active

    c:\>rwinsta 2 /server:uPN-laptop

    c:\>qwinsta /server:uPN-laptop
     SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
     services                                    0  Disc
     console                                     2  Conn

    This forces a logoff but allows the user to save data. Cool thing is you can’t bypass the logoff by clicking “Cancel” on a save-your-work dialog…

    And yes, this works on workstations, servers, terminal servers, headless servers, multi-user servers, kiosks etc. as well.
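    The same lookup-then-reset, wrapped so you search by user name instead of reading the session ID off the screen. This is an added example, not the poster's code: it parses the fixed-width qwinsta output (session name, user, ID, state) and passes the matching ID to rwinsta; the computer and user names at the bottom are the placeholders from the reply.

```powershell
# Added example (not from the original post): find a user's session via qwinsta and reset it via rwinsta.

function Get-UserSession {
    param([string]$ComputerName, [string]$UserName)
    # qwinsta prints a header line, then one line per session; the current session is prefixed with '>'
    $lines = qwinsta /server:$ComputerName 2>&1
    if ($LASTEXITCODE -ne 0) { throw "qwinsta failed: $lines" }

    foreach ($raw in ($lines | Select-Object -Skip 1)) {
        $fields = [string]$raw -replace '^\s*>', '' -split '\s+' | Where-Object { $_ }
        # The ID is the first purely numeric field; the user name (if any) directly precedes it.
        # Disconnected sessions have no SESSIONNAME, so the user name is then the first field.
        $id = $fields | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1
        if (-not $id) { continue }
        $idx  = [array]::IndexOf($fields, $id)
        $user = if ($idx -gt 0) { $fields[$idx - 1] } else { $null }
        if ($user -and $user -ieq $UserName) {
            [pscustomobject]@{
                ComputerName = $ComputerName
                UserName     = $user
                SessionId    = [int]$id
                State        = $fields[$idx + 1]
            }
        }
    }
}

function Stop-UserSession {
    param([string]$ComputerName, [string]$UserName)
    $sessions = @(Get-UserSession -ComputerName $ComputerName -UserName $UserName)
    if ($sessions.Count -eq 0) {
        Write-Warning "No session for $UserName on $ComputerName"
        return
    }
    foreach ($s in $sessions) {
        # rwinsta resets the session; the user still gets the save-your-work prompt described above
        rwinsta $s.SessionId /server:$ComputerName
        Write-Output "Reset session $($s.SessionId) ($($s.State)) for $UserName on $ComputerName"
    }
}

# Placeholder names from the reply
Stop-UserSession -ComputerName 'uPN-laptop' -UserName 'userPrincipalName'
```

    Matching on the user name rather than a hard-coded ID matters because session IDs are reused; a script that resets "session 2" on a multi-user server can hit the wrong person.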

    in reply to: force logoff user windows 7 from server #388177

    Re: force logoff user windows 7 from server

    Check usage on qwinsta.exe and rwinsta.exe. they are for forcing ts sessions closed but I think you might be able to do this with the console session as well. I’m not next to a computer at the moment or I would check myself…

    in reply to: Need help adding more groups to exclusion list #388176

    Re: Need help adding more groups to exclusion list

    First lets clarify what you are trying to accomplish. It appears you simply want to add one user to all the groups a reference user is a member of, with the ability to exclude groups based on a manifest… is this correct?

    That powershell script uses the Quest AD powershell modules, which you have to download and install…

    in reply to: runtime error on wake from sleep #388175

    Re: runtime error on wake from sleep

    Blood;276068 wrote:
    This is what you want to investigate:

    Faulting module path: C:\PROGRA~2\ThinkPad\UTILIT~1\PWMIF64V.Dll

    The PWMIF64V.Dll file seems to be part of Lenovo’s power management utility. Find out if there is an update available for it. Failing that, uninstall and reinstall it.

    Bingo – That is indeed your culprit.

    Try going to Lenovo’s site to see if they have any updates for the utility. You could also just uninstall it and allow Windows power management to do the needful, but you might lose some functionality specific to Lenovo…

    in reply to: MS SQL Express 2008 R2 Initializing Database error #388174

    Re: MS SQL Express 2008 R2 Initializing Database error

    Hey Pope, the SQL logs I’m talking about are visible using SQL Server Management Studio (SSMS).

    If you start it up and expand the Management node in the tree, you will see a “SQL Server Logs” node. Look at the current log for information on why it’s not initializing the database.

    To create a blank database, just use SSMS. You can right-click the “Databases” node and create a new one that way. If you want to use tsql, you can do it that way as well but you have to specify a bunch of parameters:

    Something like this should work (It’s been a while since I wore my DBA hat):

    USE master;
    GO
    -- Create the database with one explicitly sized data file
    CREATE DATABASE onsite
    ON
    (
        NAME = onsite,
        FILENAME = 'E:\Data\onsite.mdf',
        SIZE = 1024MB,
        FILEGROWTH = 1024MB
    );
    GO

    Much easier for your purposes to just use SSMS. I’d be interested if the application error changes if the database exists as well…

    in reply to: runtime error on wake from sleep #388173

    Re: runtime error on wake from sleep

    1000 is a common event ID. If you post the full event including source, maybe someone can help…

    Gotta have more cowbell…

    in reply to: MS SQL Express 2008 R2 Initializing Database error #388172

    Re: MS SQL Express 2008 R2 Initializing Database error

    What happens if you create the database (blank) before installing the software? Maybe the software is expecting a blank database so it can create schema?

    Did you check to make sure the domain account you are using to install the software has a login to the SQL instance and has the db_creator system role (in SQL mgmt studio)?

    What do the SQL logs say? There should be something in there explaining why the DB couldn’t be created/initialized.

    in reply to: Removing a non-replicating DC #388171

    Re: Removing a non-replicating DC

    Just curious, but have you tried rebuilding SYSVOL?

    What’s the forest functional level?

    What errors are you seeing in the FRS logs?

    in reply to: MS SQL Express 2008 R2 Initializing Database error #388170

    Re: MS SQL Express 2008 R2 Initializing Database error

    I’m assuming this ‘onsite’ database is the application-specific database you need for your new app…

    Is it failing during the install when it attempts to create the database, or when it attempts to connect to the database (because it already exists)?

    Does the account you are using to install the app have db_creator on the SQL instance?

    Is the SQL instance already installed, or does the software invoke the installer?

    in reply to: Site replication / Site Links and Bridges … #388169

    Re: Site replication / Site Links and Bridges …

    It’s a personal preference more than anything, though there are technical reasons for it as well. It will work and probably suits small, static environments just fine. In keeping with simplicity, creating 1:1 site links is a better practice, is easier to manage and removes technical debt.

    From a technical standpoint, when you add multiple sites to a single link, you are marking them all equal, when in almost every case they aren’t, or won’t remain equal through their lifecycle. As your company’s network changes/matures/expands, these “equal” sites will create an inadvertent full-mesh topology where it shouldn’t be; this I guarantee. It’s technical debt that has to be accounted for 3 years down the road when everyone has completely forgotten about it. When, 3 years later, things are behaving oddly, you will be scratching your head to figure out why ISTG/KCC did what it did. If you have tight SLAs around replication, you will have problems meeting them, especially if you are using change notification. Keeping links 1:1 will keep this from happening. It’s a good habit to get into.

    Don’t get me wrong, it will work for the most part, it just doesn’t scale well.

    Also, on another note, it’s not necessary to manage bridges by hand. AD is bridged by default.
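    The 1:1 hub-and-spoke layout argued for above, as an added example that is not the poster's own script. It assumes the ActiveDirectory module, placeholder site names and costs, then flags any existing link that bundles more than two sites and reads the IP transport's options attribute to confirm that automatic site-link bridging has not been turned off (bit 0x2 set means "Bridge all site links" is disabled).

```powershell
# Added example (not from the original post): create 1:1 site links with explicit costs,
# report multi-site links, and check that automatic bridging is still on. Names/costs assumed.
Import-Module ActiveDirectory

$hub    = 'HQ'
$spokes = @{ 'Canada' = 100; 'Chicago' = 200 }   # assumed: lower cost = preferred path

foreach ($spoke in $spokes.Keys) {
    $name = "$hub-$spoke"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$name'")) {
        # One link per site pair, so each WAN segment carries its own cost and schedule
        New-ADReplicationSiteLink -Name $name -SitesIncluded $hub, $spoke -Cost $spokes[$spoke] `
            -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}

# Any link spanning more than two sites is the "all equal" pattern the reply warns about
Get-ADReplicationSiteLink -Filter * |
    Where-Object { $_.SitesIncluded.Count -gt 2 } |
    ForEach-Object { Write-Warning "Site link $($_.Name) bundles $($_.SitesIncluded.Count) sites" }

# Bridging: bit 0x2 in the IP transport's options attribute disables "Bridge all site links"
$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = Get-ADObject "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
if (([int]$ipTransport.options -band 2) -eq 2) {
    Write-Warning 'Automatic site-link bridging is disabled; transitive routes need manual bridges.'
} else {
    Write-Output 'Site links are bridged automatically; no manual bridges are needed.'
}
```

    Nothing here creates connection objects or picks bridgehead servers; as the later replies say, those are left to the KCC.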

    in reply to: Site replication / Site Links and Bridges … #388168

    Re: Site replication / Site Links and Bridges …

    JeremyW;275814 wrote:
    Yes, this might be correct. One thing to note is if there is common and equal connectivity to multiple sites (full mesh) then they can all be part of the same site link.
    e.g. If this is your config:
    A connected via 10MB link to B
    B connected via 10MB link to C
    C connected via 10MB link to A
    Then this could be in a single site link. If you have different connection speeds then you need separate site links with relevant costs configured for each.

    I humbly disagree with this advice. :grin:

    in reply to: Site replication / Site Links and Bridges … #388167

    Re: Site replication / Site Links and Bridges …

    That would in effect create a full-mesh topology, which may not be what you want. You should sit down and diagram your physical network, paying attention to bandwidth between sites. Lay your AD topology over that with costing/weights dictating primary links and alternates if you desire them. It may make sense to create a hub/spoke topology with primary links. Whatever you do, avoid creating manual connection objects. Ossian is right, just let the KCC manage those. Also avoid manually selecting bridgehead servers. The KCC will take care of that as well.

    in reply to: Windows 2008R2 Domain, Account Unlock Tool #388166

    Re: Windows 2008R2 Domain, Account Unlock Tool

    Learn something new every day!
