stamandster

Forum Replies Created

Viewing 30 posts - 1 through 30 (of 171 total)
    stamandster
    Member
    in reply to: Recipient Policy for Users that are Members of a Group #280374

    Re: Recipient Policy for Users that are Members of a Group

    Ahh, so it's the full object name… gotcha

    stamandster
    Member
    in reply to: Burflag info needed #280373

    Re: Burflag info needed

    I had a similar issue with it being slightly confusing. Think of D4 as a last resort and with D2 (non-authoritative restore) allowing you to stagger the approach to repairing SYSVOL one server at a time. You only need to apply D2 to the server you are repairing SYSVOL for. SYSVOL will obviously be out of commission for about 20 minutes (depending on speed)

    How to rebuild the SYSVOL tree and its content in a domain
    http://support.microsoft.com/kb/319553

    It states to set burflags at
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID

    You can find the GUID of the Replica Set via
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID
    --> Look for the title Domain System Volume (SYSVOL share) <--

    Create a Registry entry here titled “Replica Set Parent” REG_SZ and set it to the partner you want to replicate from (with a good SYSVOL replica)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Sysvol Seeding

    Restart NTFRS (net stop ntfrs && net start ntfrs)

    I would probably also run ntfrsutl.exe forcerepl DestinationDC /r "Domain System Volume (SYSVOL share)" /p SourceDC.domain.com

    Please make sure that your replication issues aren’t first stemming from something else, because that will negate your configuring of Burflags: for instance, not having the correct folder structure or reparse points, or perhaps some other issue within AD like a deleted FRS Subscriber object or the like.

    Recovering missing FRS objects and FRS attributes in Active Directory
    http://support.microsoft.com/kb/312862

    Is it only Sysvol not replicating or are you having other AD issues?

    As with all things proceed at your own risk and rep if it helps you :)
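    A read-only PowerShell check, added here and not part of the original post, that walks the NtFrs registry keys named above and reports the SYSVOL replica set GUID, its current BurFlags value and any seeding partner, then pulls the FRS events that show whether the re-seed completed. It assumes the value names BurFlags and Replica Set Parent as the post gives them, and that it runs elevated on the DC being repaired.

```powershell
# Added example, not from the original post: read-only look at the NtFrs keys
# the post names, so you can confirm the SYSVOL replica set, its BurFlags value
# and the seeding partner before and after a D2 restart. Run elevated on the DC.
$base    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$setName = 'Domain System Volume (SYSVOL share)'

# Meaning of the BurFlags values discussed in the post (0 = normal operation).
$burMeaning = @{
    0    = 'normal operation'
    0xD2 = 'D2: non-authoritative restore, re-seed this DC from a partner'
    0xD4 = 'D4: authoritative restore, this DC becomes the source (last resort)'
}

function Get-FrsSysvolState {
    # Locate the replica set whose values mention the SYSVOL set name
    # (the post: look under Replica Sets\<GUID> for that title).
    $guid = $null
    foreach ($key in (Get-ChildItem -Path "$base\Replica Sets" -ErrorAction SilentlyContinue)) {
        $values = (Get-ItemProperty -Path $key.PSPath).PSObject.Properties | ForEach-Object { "$($_.Value)" }
        if ($values -like "*$setName*") { $guid = $key.PSChildName; break }
    }

    $bur = $null
    if ($guid) {
        # Per-set BurFlags lives under Cumulative Replica Sets\<GUID>.
        $bur = (Get-ItemProperty -Path "$base\Cumulative Replica Sets\$guid" -Name BurFlags `
                    -ErrorAction SilentlyContinue).BurFlags
    }
    # Seeding partner (REG_SZ "Replica Set Parent"), at the location the post gives.
    $parent = (Get-ItemProperty -Path "$base\Sysvol Seeding" -Name 'Replica Set Parent' `
                   -ErrorAction SilentlyContinue).'Replica Set Parent'

    New-Object -TypeName PSObject -Property @{
        ReplicaSetGuid   = $(if ($guid) { $guid } else { '(SYSVOL replica set not found)' })
        BurFlags         = $(if ($bur -ne $null) { '0x{0:X}' -f [int]$bur } else { '(not set)' })
        BurFlagsMeaning  = $(if ($bur -ne $null -and $burMeaning.ContainsKey([int]$bur)) { $burMeaning[[int]$bur] } else { 'unknown or not set' })
        ReplicaSetParent = $(if ($parent) { $parent } else { '(none configured)' })
    }
}

function Get-FrsRecentEvents {
    # FRS events that tell you whether the re-seed worked: 13516 means SYSVOL
    # initialised and shared again, 13508 means FRS still cannot reach a partner.
    Get-EventLog -LogName 'File Replication Service' -Newest 50 -ErrorAction SilentlyContinue |
        Where-Object { @(13516, 13508) -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-FrsSysvolState  | Format-List
Get-FrsRecentEvents | Format-Table -AutoSize
```

Run it once before setting D2 to record the starting state, and again after NTFRS has restarted and the 15-20 minute re-seed has finished.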

    stamandster
    Member
    in reply to: Burflags to Reset SYSVOL Questions #280372

    Re: Burflags to Reset SYSVOL Questions

    Alright, so I figured it out :)

    I used the Burflags D2 value along with “Replica Set Parent” in the “SYSVOL Seeding” (set to the FQDN of the PDC Emulator with correct SYSVOL folder). Then I restarted NTFRS, after about 15-20 minutes it finished processing.

    stamandster
    Member
    in reply to: Roaming User profile issue #280371

    Re: Roaming User profile issue

    The recommended settings can be found at the MS site but we use the following (based on best practices) — Works with XP/Vista/7

    Share on Server:
    \\SERVERNAME\PROFILES$ (root folder for user profile; \\servername\profiles$\%username%)
    Caching Off

    Share Permissions on Server:
    Authenticated Users – Read
    Domain Admins – Full
    Domain Users – Full

    User Profile Folder Security Privileges on Server:
    Creator Owner – Subfolders and Files Only – Full Control
    Domain Users – This Folder Only – Traverse folder/Execute File, List Folder/Read Data, Read Attributes, Create Folders/Append Data
    System – This Folder, Subfolders and Files – Full Control
    Domain Admins – This Folder, Subfolders and Files – Full Control

    Group Policies:
    Computer Configuration\Administrative Templates\System\User Profiles – “Add the Administrators security group to the roaming user profile share” (so you can actually administer the profiles if needed)
    Computer Configuration\Administrative Templates\System\User Profiles – “Do not check for user ownership of Roaming Profile Folders” (could alleviate issues with loading profiles to share because security isn’t quite correct)

    As with everything apply at own risk, and rep if you get it working ;)
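    A PowerShell script, added here and not from the original post, that creates the share and applies the NTFS rights listed above exactly as stated (inheritance scopes included). It assumes a profile root of D:\Profiles (placeholder), Windows Server 2012 or later for New-SmbShare, $env:USERDOMAIN as the NetBIOS domain name, and elevated execution on the file server.

```powershell
# Added example, not from the original post: builds the profile share and the
# NTFS ACL from the post. Assumptions: root D:\Profiles (placeholder), Server
# 2012+ (SmbShare module), domain name from $env:USERDOMAIN, run elevated.
$Root   = 'D:\Profiles'
$Share  = 'PROFILES$'
$Domain = $env:USERDOMAIN

New-Item -Path $Root -ItemType Directory -Force | Out-Null

# Share permissions: Authenticated Users Read, Domain Admins and Domain Users
# Full, client-side caching off (the post's "Caching Off").
New-SmbShare -Name $Share -Path $Root -CachingMode None `
    -ReadAccess 'Authenticated Users' `
    -FullAccess "$Domain\Domain Admins", "$Domain\Domain Users" | Out-Null

function New-Ace($Identity, $Rights, $Inherit, $Propagate) {
    # One explicit Allow ACE; the enum values are parsed from the strings given.
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity
        [System.Security.AccessControl.FileSystemRights]$Rights
        [System.Security.AccessControl.InheritanceFlags]$Inherit
        [System.Security.AccessControl.PropagationFlags]$Propagate
        [System.Security.AccessControl.AccessControlType]::Allow
    )
}

$acl = Get-Acl -Path $Root
# Stop inheriting from the parent so only the rules below apply to the root.
$acl.SetAccessRuleProtection($true, $false)

$rules = @(
    # Creator Owner: Subfolders and Files Only (InheritOnly), Full Control.
    (New-Ace 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly')
    # Domain Users: This Folder Only; Traverse/Execute, List/Read Data,
    # Read Attributes, Create Folders/Append Data (enough to create their own folder).
    (New-Ace "$Domain\Domain Users" 'ReadData, ExecuteFile, ReadAttributes, AppendData' 'None' 'None')
    # SYSTEM and Domain Admins: This Folder, Subfolders and Files, Full Control.
    (New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit' 'None')
    (New-Ace "$Domain\Domain Admins" 'FullControl' 'ContainerInherit, ObjectInherit' 'None')
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $Root -AclObject $acl

function Show-ProfileRootAcl {
    # Prints the resulting explicit ACEs so the scopes can be checked against the post.
    (Get-Acl -Path $Root).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited |
        Format-Table -AutoSize
}
Show-ProfileRootAcl
```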

    stamandster
    Member
    in reply to: Software Restrictions – Install Software from websites #280370

    Re: Software Restrictions – Install Software from websites

    Is it running inside of the context of Iexplore.exe? Or do you have a policy restriction that says “do not allow IE to install software”?

    Also, you probably shouldn’t create two threads with the exact same question in them.

    stamandster
    Member
    in reply to: Giving users access to install printers #280369

    Re: Giving users access to install printers

    How about using a WMI filter for a “printer add policy” which gets applied only when connecting from a different subnet or some other variable?

    It’s kind of a trade-off in security. I mean first you’re not letting them run possibly harmless executables, but you’re allowing them to print from/to anywhere, which could be just as insecure.

    Or why not get them to tell you what printers they have at home and pre-install the drivers for them before they leave. I mean they can’t be changing printers THAT much, right?

    stamandster
    Member
    in reply to: Active Directory users backup. #280368

    Re: Active Directory users backup.

    NTBackup Systemstate

    ntbackup backup systemstate /J "Backup Job 1" /F "C:\backup.bkf"

    stamandster
    Member

    Re: Upgrading domain from 2003 R2 x86 to 2008 R2 x64 am I missing any steps?

    Also, make sure to have sufficient time to let things sync in the domain.

    stamandster
    Member
    in reply to: Active director or dns not working properly #280366

    Re: Active director or dns not working properly

    Multi-homing a DC is generally a bad idea.

    stamandster
    Member
    in reply to: User Account Lock Out Oddity #280365

    Re: User Account Lock Out Oddity

    Wow that’s an excellent article. That really helps with understanding what’s going on. I’ll be doing some more testing to make sure that that’s what it is.

    Thanks again everyone.

    stamandster
    Member
    in reply to: User Account Lock Out Oddity #280364

    Re: User Account Lock Out Oddity

    Some more research into this issue…

    So I locked an account out and waited, and waited, waited 3 days. The user account is locked from the domain, the user locks the workstation, the user is able to log back into the workstation. However, thankfully, the user cannot access network shares or exchange.

    I think it has something to do with Computer Configuration > Windows Settings > Security Settings > Kerberos Policy

    Enforce User Logon Restrictions – Enabled
    Maximum lifetime for service ticket – 600 minutes
    Maximum lifetime for user ticket – 10 hours
    Maximum lifetime for user ticket renewal – 7 days
    Maximum tolerance for computer clock synchronization – 5 minutes

    I, however, never set these. This was in place before I got here.

    Also there’s, which I don’t think is affecting it but might as well put it out there, Computer Configuration > Windows Settings > Security Settings > Account Lockout Policy

    Account lockout duration – 99999 minutes
    Account lockout threshold – 3 invalid logon attempts
    Reset account lockout counter after – 30 minutes

    Is this just default behavior that I have never, ever, noticed before?

    stamandster
    Member
    in reply to: User Account Lock Out Oddity #280363

    Re: User Account Lock Out Oddity

    Alrighty so I’ve purged the tickets and I’m still able to do the mentioned above. I’ll be installing the update shortly even though the box is Sp3.

    stamandster
    Member
    in reply to: User Account Lock Out Oddity #280362

    Re: User Account Lock Out Oddity

    Thanks for the pointed information, fellas. I’ll check on their service pack level. I’ll do some more testing shortly.

    Thanks again. I’ll update as soon as I do.

    stamandster
    Member
    in reply to: STILL CAN PING OLD DC name… #280361

    Re: STILL CAN PING OLD DC name…

    It’s cached somewhere. Either in DNS forward/reverse zones, server/workstation dns cache, a host file maybe.

    stamandster
    Member
    in reply to: LDIFDE Import issue #280360

    Re: LDIFDE Import issue

    What about doing an NTBackup instead? Then restoring that?

    stamandster
    Member

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    dbutch1976;183551 wrote:
    To my knowledge this is how the vast majority of machines are configured within the network, but undoubtedly we’re going to miss a couple of static configs. I guess there’s not much that can be done about that.

    Yeah not really. That’s why it’s so important to document everything. We just had to go through this in a way. I ended up going through and finding all the statically assigned addresses and documenting them. I ended up assigning the static addresses through DHCP by MAC address.

    stamandster
    Member
    in reply to: outbound mail hangs on exchange 2003 #280358

    Re: outbound mail hangs on exchange 2003

    BES Services should be on its own server, just as an aside.

    Do you have a virus scanner/mail filter?

    stamandster
    Member
    in reply to: How To Limit Account Login on Workstation???? #280357

    Re: How To Limit Account Login on Workstation????

    You can use ADModify also to select these users and attributes to change

    http://www.codeplex.com/admodify

    stamandster
    Member
    in reply to: list of users in security groups and distribution groups #280356

    Re: list of users in security groups and distribution groups

    Try this

    Create a VB script called documentgroups.vbs containing:

    [CODE]
    ' DocumentGroups.vbs
    ' VBScript program to document all groups in Active Directory.
    ' Outputs group name, type of group, all members, and types of member.
    ' Lists all groups that are members, but does not list the nested group
    ' membership.

    ' ----------------------------------------------------------------------
    ' Copyright (c) 2002 Richard L. Mueller
    ' Hilltop Lab web site - http://www.rlmueller.net
    ' Version 1.0 - November 10, 2002
    ' Version 1.1 - February 19, 2003 - Standardize Hungarian notation.
    ' Version 1.2 - March 11, 2003 - Remove SearchScope property.
    ' Version 1.3 - July 6, 2007 - Modify use of Fields collection of
    ' Recordset object.
    ' Version 1.4 - July 27, 2007 - Bug fix if group name has "/" character
    ' Version 1.5 - Sept 2009 - CMS - Edited to use TSV instead of CSV.

    ' This script is designed to be run at a command prompt, using the
    ' Cscript host. The output can be redirected to a text file.
    ' For example:
    ' cscript //nologo DocumentGroups.vbs > groups.txt

    ' You have a royalty-free right to use, modify, reproduce, and
    ' distribute this script file in any way you find useful, provided that
    ' you agree that the copyright owner above has no warranty, obligations,
    ' or liability for such use.

    Option Explicit

    Dim adoConnection, adoCommand, objRootDSE, strDNSDomain, strQuery
    Dim adoRecordset, strDN, objGroup

    ' Use ADO to search Active Directory.
    Set adoConnection = CreateObject("ADODB.Connection")
    Set adoCommand = CreateObject("ADODB.Command")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open "Active Directory Provider"
    Set adoCommand.ActiveConnection = adoConnection

    ' Determine the DNS domain from the RootDSE object.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")

    ' Search for all groups, return the Distinguished Name of each.
    strQuery = "<LDAP://" & strDNSDomain _
        & ">;(objectClass=group);distinguishedName;subtree"
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 100
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False

    Set adoRecordset = adoCommand.Execute
    If (adoRecordset.EOF = True) Then
        Wscript.Echo "No groups found"
        adoRecordset.Close
        adoConnection.Close
        Set objRootDSE = Nothing
        Set adoConnection = Nothing
        Set adoCommand = Nothing
        Set adoRecordset = Nothing
        Wscript.Quit
    End If

    ' Enumerate all groups, bind to each, and document group members.
    Wscript.Echo "Group" & vbTab & vbTab & "Full Name" & vbTab & "Username" & vbTab & "Type" '& vbTab & "Description"
    Do Until adoRecordset.EOF
        strDN = adoRecordset.Fields("distinguishedName").Value
        ' Escape any forward slash characters with backslash.
        strDN = Replace(strDN, "/", "\/")
        Set objGroup = GetObject("LDAP://" & strDN)
        Wscript.Echo objGroup.sAMAccountName _
            & vbTab & "Type: " & GetType(objGroup.groupType) '& vbTab & vbTab & vbTab & vbTab & objGroup.description
        Wscript.Echo objGroup.sAMAccountName & vbTab & "Desc: " & objGroup.description
        Call GetMembers(objGroup)
        'Wscript.Echo vbCrLf
        Wscript.Echo vbTab
        adoRecordset.MoveNext
    Loop
    Wscript.Echo vbCrLf & "-- Export on " & DateValue(Now) & " at " & TimeValue(Now) & " --"
    adoRecordset.Close

    ' Clean up.
    adoConnection.Close
    Set objRootDSE = Nothing
    Set objGroup = Nothing
    Set adoConnection = Nothing
    Set adoCommand = Nothing
    Set adoRecordset = Nothing

    Function GetType(ByVal intType)
        ' Function to determine group type from the GroupType attribute.
        If ((intType And &h01) <> 0) Then
            GetType = "Built-in"
        ElseIf ((intType And &h02) <> 0) Then
            GetType = "Global"
        ElseIf ((intType And &h04) <> 0) Then
            GetType = "Local"
        ElseIf ((intType And &h08) <> 0) Then
            GetType = "Universal"
        End If
        ' The high bit marks a security group; otherwise it is a distribution group.
        If ((intType And &h80000000) <> 0) Then
            GetType = GetType & "/Security"
        Else
            GetType = GetType & "/Distribution"
        End If
    End Function

    Sub GetMembers(ByVal objADObject)
        ' Subroutine to document group membership.
        ' Members can be users or groups.
        Dim objMember, strType
        For Each objMember In objADObject.Members
            If (UCase(Left(objMember.objectCategory, 8)) = "CN=GROUP") Then
                strType = "Group"
            Else
                strType = "User"
            End If
            Wscript.Echo objGroup.sAMAccountName & vbTab & vbTab & objMember.CN & vbTab & objMember.sAMAccountName _
                & vbTab & strType '& vbTab & objMember.Description
        Next
        Set objMember = Nothing
    End Sub
    [/CODE]

    Then create a batch file called documentgroups.bat containing:

    [CODE]
    @echo off
    cscript.exe //nologo DocumentGroups.vbs > DocumentGroups.tsv
    [/CODE]

    Run the batch script to create documentgroups.tsv. Then you can manipulate it in Excel.

    stamandster
    Member
    in reply to: Active Directory Problems #280355

    Re: Active Directory Problems

    It’s always good to let things settle down and replicate after any major change in AD. I usually wait at least an hour if I can.

    stamandster
    Member
    in reply to: Exchange stops getting mail #280354

    Re: Exchange stops getting mail

    When you’ve reached your mailstore limit Exchange will begin to disconnect the mailstore at times. You should check to see if you’ve hit your limit.

    stamandster
    Member
    in reply to: Replicating System Folder to secondary server #280353

    Re: Replicating System Folder to secondary server

    Thanks that’s exactly what I was looking for! Do you think it’d be safe to add the replication during the business hours?

    Btw, I think I’m following your excellent guide haha

    stamandster
    Member

    Re: Exchange Server 2003 – multiple servers resolving to one name in exchange

    Maybe you could script the login script to check the mail servers quickly for users who aren’t set up yet, to see where they’re located?

    stamandster
    Member
    in reply to: Tidying up AD #280351

    Re: Tidying up AD

    Did you happen to put it in the hosts file for some reason?

    stamandster
    Member
    in reply to: Tidying up AD #280350

    Re: Tidying up AD

    Go into your DNS on that DC and delete all remains of markcoleman

    try this

    ipconfig -flushdns
    net stop dns && net start dns

    stamandster
    Member
    in reply to: Active Directory Not Working #280349

    Re: Active Directory Not Working

    Looking at my own ADUC I don’t see an “Authentication” Group.

    I do see an Administrator user, Domain Admins group and an Enterprise Admins group.

    I’m not aware of an “Authentication” group within ADUC, other than maybe you’re referring to the built-in group “Windows Authorization Access Group”. Is that what you’re talking about?

    Perhaps you should try something like

    http://www.petri.com/reset_domain_admin_password_in_windows_server_2003_ad.htm

    stamandster
    Member
    in reply to: AD FSMO role Seizure #280348

    Re: AD FSMO role Seizure

    Let me get this straight

    One DC that held all the roles for the domain failed. You were able to bring the DC back online.

    After you brought the DC back online did you transfer, or seize, all, or some, of the roles to a secondary DC?

    From what I can gather you seized the roles of RID, Infrastructure Master, Domain Naming and PDC while this failing DC was online. However, you also transferred the role of Schema Master while the DC was still online.

    I hate to be pedantic but it’s crucial to know.

    A couple of things. You should never seize roles of an online DC. You will have issues. If you seize roles you must never bring the DC that was once holding these roles back online. You must always transfer roles of an online DC.

    Please check your event logs for errors. Check for replication errors using replmon and repadmin. Also, make sure that your connections are pointing to the correct DNS server.

    stamandster
    Member
    in reply to: Tidying up AD #280347

    Re: Tidying up AD

    Sometimes it’ll be cached in your local DNS cache

    ipconfig -flushdns

    or

    net stop dnscache && net start dnscache

    or reboot ;)

    stamandster
    Member

    Re: SMTP Protocol Returned a Permanent Error 550 5.7.1 Relaying denied.

    I’m sure there’s someone here that knows what issue you are dealing with. However, this is an Exchange 2000/2003 support sub-forum, not a general mail sub-forum.

    stamandster
    Member
    in reply to: Allowing Domain Users to Install Software on Workstations #280345

    Re: Allowing Domain Users to Install Software on Workstations

    I agree! NEVER let the end user log on directly to a DC.
