Split AD from one forest

May 15th, 2012

Today I tried to split two domains created in one AD forest.

Scenario

I first created the domain domain.local, which was the forest root domain. It contained two domain controllers (SRVDC01.domain.local (W2008R2) and SRVDC02.domain.local (WS8)). The second domain I created was domain2.local, which was in the same AD forest but in a different AD tree. I had a little problem when creating the new domain domain2.local, because SRVDC02.domain.local had been powered off for a couple of days. DCPromo on SRVXX01.domain2.local was complaining about some replication problems, so I needed to power it on and force replication. It was weird, because SRVDC2.domain.local didn't hold any of the FSMO roles. When it was all done, everything looked up and running.

Categories: Security, Windows

#5 GPO Series – WMI Filters and Loopback Processing

So, after a longer break, I'm continuing. Today I'll describe WMI filters and also Loopback Processing.

WMI Filters

WMI filters are used to specify more precisely the conditions under which GPO policies are applied. But first, let's explain what WMI actually is. WMI stands for Windows Management Instrumentation, an interface through which it is possible both to read various data from the OS and to change the OS settings themselves. Think of WMI as a database on every Windows OS. Using commands similar to SQL commands, it is possible to read out various information. For example, it is possible to read information about the type and model of the BIOS on a computer. Further examples are the size of RAM, the OS version, the list of hotfixes, the CPU fan speed, …
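The SQL-like queries described above, tried out locally in PowerShell as an added example that is not part of the original post. It relies on the rule that a GPO WMI filter passes when its query returns at least one instance; the function name, the sample filters, the vendor string and the hotfix ID are constructed placeholders.

```powershell
# Added example, not from the original post. Runs WQL locally and applies the
# GPO rule: a WMI filter passes when the query returns at least one instance.
# Get-WmiObject is available in Windows PowerShell 2.0 to 5.1.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        $hits = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($hits.Count -gt 0)
    }
    catch {
        # A malformed query or unknown class must not count as a match.
        Write-Warning "Query failed: $Query ($($_.Exception.Message))"
        return $false
    }
}

# Constructed sample filters covering the kinds of data mentioned in the text.
$filters = @(
    @{ Name  = 'OS version 6.1 (Windows 7 / 2008 R2)'
       Query = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '6.1%'" },
    @{ Name  = 'Workstation OS only'
       Query = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1' },
    @{ Name  = 'BIOS from a given vendor (placeholder vendor)'
       Query = "SELECT * FROM Win32_BIOS WHERE Manufacturer LIKE '%ExampleVendor%'" },
    @{ Name  = 'Hotfix present (placeholder ID)'
       Query = "SELECT * FROM Win32_QuickFixEngineering WHERE HotFixID = 'KB0000000'" }
)

# One result object per filter: would a GPO with this filter apply here?
foreach ($f in $filters) {
    New-Object PSObject -Property @{
        Filter = $f.Name
        Passes = Test-WmiFilterQuery -Query $f.Query
        Query  = $f.Query
    }
}
```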

Categories: GPO, Windows

Disabled UAC still active

April 17th, 2012

At one of our bigger customers we started to have a weird problem. When you disabled UAC, it was still active even after reboots.

Categories: Security, Windows

SYSVOL FRS to DFSR migration

April 16th, 2012

Most of you have probably already upgraded your Active Directory infrastructure from Windows 2003 to Windows 2008 R2. What I see most often is that administrators do not upgrade the DFS replication subsystem for SYSVOL shares. Before Windows Server 2008 (also R2) was released, FRS (File Replication System) was used. In Windows 2008 R2 there is a new version, called DFSR (Distributed File System Replication).

FRS

FRS uses the NTFS volume's USN journal to determine when a change has occurred to a file and triggers replication. When FRS detects a file close, it gathers information about the file and its attributes. It also checks the file's MD5 hash. If the MD5 hash changes, it will trigger replication. If a file has changed, the whole file is sent to the FRS replication partners.

DFSR

The first benefit of DFSR is that it doesn't replicate the whole file, but just the changed data in the file. To be able to detect only the changes in files, it uses the RDC (Remote Differential Compression) algorithm.

Playing with Windows Server 8 Beta

April 10th, 2012

A couple of days ago I installed Windows Server 8 and started to play :-)

There is a weird desktop in the new Windows. It's not as pretty as it is in Windows Server 2008. It's kinda forced toward touch screen use, but who would use a touch screen to administer servers? Not me :)

Normal stuff

  • I couldn't find any way to restart/shut down Windows Server 8. The only way I could use was the command line (shutdown.exe). But there is a way via Metro…upper right corner…Settings…Power…Restart (http://technet.microsoft.com/library/hh831491.aspx)
  • I don't know how to turn IE ESC off. I couldn't find any setting to enable/disable it
  • It is nice to be able to team network interfaces, but there is no help explaining what each setting means

 

Active Directory

Nice article about changes http://blogs.technet.com/b/askds/archive/2012/04/06/group-policy-management-improvements-in-windows-server-quot-8-quot-beta.aspx

DNS

They have imported DNSSEC into the DNS server.

The Security tab for DNS server settings is running faster :-)

Windows Update Service

I received errors after installation and I couldn't run the WSUS console.

Slow logging into domain

March 26th, 2012

When you are facing slow logons into the domain and you also get events 1030 and 1006, you need to look into your network. By default Kerberos uses UDP packets to communicate. You need to force Kerberos to use TCP instead of UDP by changing the registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

If it doesn't exist, just create it :)

Create a DWORD value called MaxPacketSize and set it to 1.

For more info there is the official KB http://support.microsoft.com/kb/244474/en-us
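One way to apply this change from PowerShell, as an added example that is not part of the original post. The function names are hypothetical, and the script only reads and writes the key and value named above.

```powershell
# Added example, not from the original post: set MaxPacketSize = 1 without
# touching anything else under the Kerberos\Parameters key. Run elevated.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName = 'MaxPacketSize'
$Desired   = 1   # value given in the post: forces Kerberos onto TCP

function Get-KerberosMaxPacketSize {
    # Returns the current DWORD, or $null when the key or the value is absent.
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Set-KerberosTcpOnly {
    $before = Get-KerberosMaxPacketSize
    if ($before -ne $Desired) {
        # Create the key only when it is missing. -Force is safe in this branch
        # because there is no existing key whose values it could replace.
        if (-not (Test-Path -Path $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
            -Value $Desired -Force | Out-Null
    }
    # Report what was found and what is set now, for change records.
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Before   = $before
        After    = Get-KerberosMaxPacketSize
        Changed  = ($before -ne $Desired)
    }
}

Set-KerberosTcpOnly
```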

 

Roaming profiles and Folder Redirection settings

March 7th, 2012

Lately I have met a couple of customers who wanted to implement old-school technologies: folder redirection and roaming profiles. When they implemented these features they didn't do it the right way, because they used the default settings, which are not really what you might want. I have also read a couple of articles on why roaming profiles and folder redirection are bad solutions. They really ain't that bad.

Custom cmd.exe appearance

February 29th, 2012

When you start cmd.exe in Windows 2008 or Windows 7 you will get a small, tiny window:

Small cmd.exe

It is getting on my nerves to change it on every server/workstation I log in to.

Categories: Windows

Damaged WMI database

February 28th, 2012

When I was checking the Remote Desktop configuration on a couple of Windows 2008 R2 servers, I noticed that I could not access Remote Desktop Session Host Configuration and I got the following error:

Categories: Security, Windows

Exchange 2010 Out Of Office Assistant not working

February 24th, 2012

Today I spent half a day debugging one weird problem. One of my customers just upgraded to Exchange 2010. They wanted to use the Out of Office Assistant. When they clicked on OOOA in Outlook clients they got an error:

Out of office assistant error

Reset Computer accounts in Active Directory domain

February 21st, 2012

One of our customers migrated his whole IT infrastructure into another datacenter. We powered off the virtual machines at the production site and powered on cloned versions of the virtual machines. Domain controllers were up all the time. Only the member servers' clones moved into the other datacenter. They ran for three days in the other datacenter. The Active Directory domain was up all the time. After the tests we deleted the clones in the other datacenter and powered on the virtual servers in the primary datacenter – their Friday copies. And now we had problems on a couple of servers.

Exchange ActiveSync insufficient permissions

February 19th, 2012

I couldn't connect via ActiveSync on my account. I checked the events on the CAS server and found:

 

Exchange ActiveSync doesn’t have sufficient permissions to create the “CN=Zilinec Ondrej – testovaci TS uzivatel,OU=TESTUSERS,OU=UZIVATELIA,OU=XXX,DC=XXX,DC=in,DC=XXX,DC=XX” container under Active Directory user “Active Directory operation failed on DCB1.XXX. This error is not retriable. Additional information: Access is denied.

Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

“.

Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type “msExchActiveSyncDevices” and doesn’t have any deny permissions that block such operations.

Details:%3


Exchange OWA error 500 after logon

February 19th, 2012

This weekend was again spent migrating to Exchange 2010 :-) And now for other problems and solutions :-)

On one CAS server I logged in via OWA and I got an internal error 500 from IIS 7.0.

Categories: Exchange

Disable OutlookAnywhere in Outlook

January 31st, 2012

These days I was installing one Exchange 2007 server into an existing Exchange organization (two other Exchange 2007 servers). On the new server I enabled all the features which Exchange 2007 brings to clients: Outlook Anywhere, Autodiscover, ActiveSync. After a couple of days we discovered that this setting affected not only local users, but all clients connecting to the Exchange organization (also those connecting to the two old servers).

How to determine size of mailboxes in Exchange 2010

January 11th, 2012

Here is a short script to find out the size of mailboxes in your Exchange 2010 infrastructure. This information is not visible in EMC.

Get-MailboxStatistics -Server 'mailserver' | select DisplayName, TotalItemSize | sort TotalItemSize

Microsoft people should leave good things in GUI consoles and not force admins into powershell.

 

Exchange 2010: Increase number of move requests

January 10th, 2012

When I migrate mailboxes between Exchange servers I increase the number of move requests, because two is really limiting given today's network and server speeds.

Exchange 2010 failed move request

January 10th, 2012

Today I was migrating mailboxes from Exchange 2003 to a new Exchange 2010 server. Almost all accounts were working fine except a couple. I received the following error:

Remote Desktop Protocol doesn’t open port

December 16th, 2011

Today I spent about an hour debugging a weird problem. When I migrated a physical machine into VMware, I couldn't connect to it via RDP.

How to install telnet client from command line

November 28th, 2011

It's getting on my nerves to enable the telnet client every time I need to debug something on Windows 2008 or Windows 7.

ADPrep does nothing and waits

November 24th, 2011

Today I was at one customer's site and they had two Windows 2003 domain controllers. They bought another server and wanted to install a domain controller on Windows 2008 R2.