Archive

Archive for November, 2012

Quickie: GetMac.exe

November 30th, 2012 No comments

I was just browsing Internet a looking for built-in utilities in Windows. I found one nice one getmac.exe which can get the list of MAC addresses on local or remote computer. It’s nice utility and it’s better to use it to find out MAC addresses, because looking into ipconfig /all verbose output is very time consuming (look in it when IPv6 is enabled). 🙂

Also ipconfig cannot be run on remote machine without using other utility (for example psexec).

More information here.

 

Quickie: Software Restricion Policy vs AppLocker

November 30th, 2012 No comments

Just a quick image about differences between “old” Software Restricion Policy and “new” AppLocker:

Software Restiction Policy vs AppLocker

Now it’s easy to describe and remember.

 

Exchange not seeing all domain controllers from AD

November 30th, 2012 No comments

I had to solve interesting problem today at one of our customer. Here is a short preview of customer’s environment:

AD Topology

Customer has following 5 sites:

  • Site1 – containing 1 DC
  • Site2 – containing 1 DC (one has PDC FSMO role)
  • Site3 – containing 2 DCs. Let’s call this central site.
  • Site4 – containing 2 DCs. This site represents one datacenter (datacenter 1)
  • Site5 – containing 2 DCs. This site represents one datacenter (datacenter 2)

All domain controllers are Global Catalogs. Replication was set manually. It’s configured to be in star topology with median in Site3. For each connection was defined newInter-Site Transport in AD Sites.

AD Topology

AD Topology

Replication works fine. Exchange servers are able to resolve all domain controler. I have checked this using DNS and also nltest.

Exchange Topology

There are four Exchange 2012 servers. Two are CAS/HUB servers put into CAS Array. CAS Servers and CAS Array IP addresses belong to Site4 IP Subnet. And two Mailbox server that are put into DAG. Both mailbox server and DAG IP addresses are in Site4. Problem is that one CAS/HUB and one Mailbox server are physically located in Site4 and one CAS/HUB and one Mailbox server are located physically in Site5. Between Site4 and Site5 are L2 networks for CAS/HUB and Mailbox server.

Exchange topology

Exchange topology

Everything works fine. All IP subnets are assigned to Site4 which means all Exchange servers use primary Global Catalog functionality from domain controller from Site4. Idea from network/security guys was to allow Exchange servers to use Global Catalog just from domain controllers located in datacenters – Site4 and Site5. So firewalls don’t let Exchange server to use Global Catalog from other domain controller besides those located in Site4 and Site5.

Problem

Problem appeared when domain controllers in Site4 went down. Exchange servers didn’t want to start and mount databases.

When we looked into Events we could see event 2080 which stated that Exchange AD Topology service sees just four domain controllers:

  • Two in-site domain controllers from same site IP subnet are in (Site4)
  • Two out-of-site domain controllers. Controllers only from central site Site3

Exchange didn’t use those out-of-site domain controllers, because firewalls blocked it – regarding network/security guys recomendations. Question was why exchange servers didn’t see and use other domain controllers? It sees and uses only those four domain controllers (two in same AD site and two from central site).

After couple of minutes discusing with my coleague we find out that Exchange copies AD topology and it uses domain controllers in following way:

  • Primary uses domain controllers in same site as Exchange services are located – in-site DC
  • Secondary uses only domain controller which are directly replicating with domain controllers from primary site  – out-of-site DC

My colleague tried to convince me to believe it’s good idea and Exchange tries to protect you from some problems. But I don’t see any point of Exchange not contacting all domain controllers and contacing only domain controllers in the site and contacting domain controlers which replicate with domain controllers in site. I don’t see a poing of Exchange not trying to connect to Global Catalogs in Site1, Site2 and Site5. So this is the way Exchange looks for Global Catalog servers by design.

Proof of problem 🙂

I’ve done couple testing scenarios.

Exchange servers in Site4

  • In-site DCs: DCs from Site4
  • Out-of-site DCs: DCs only from Site3

Exchange servers in Site5

  • In-site DCs: DCs from Site5
  • Out-of-site DCs: DCs only from Site3

Exchange servers in Site1

  • In-site DCs: DC from Site1
  • Out-of-site DCs: DCs only from Site3

Exchange servers in Site3

  • In-site DCs: DCs from Site3
  • Out-of-site DCs: all DCs from all sites

This is really proof of problem with Exchange locating DCs.

 

Solution

To solve this issue we could make two things:

  • Create new AD Site only for all Exchange IP Subnets and add two domain controllers into this new created AD Site. One DC would be located in physical location 1/datacenter 1 (with CAS1 and MBX1 servers) and other DC would be located in physical location 2/datacenter 2 (with CAS2 and MBX2 servers).
  • Create new AD Inter-site Transport between Site4 and Site5.

We decided to create new AD Inter-site Transport.

I still don’t understand why Exchange doesn’t use all domain controllers in AD domain as I would think it would 🙁

Quickie: Couple minutes with Internet Explorer 10.0

November 23rd, 2012 No comments

Three days ago I installed Internet Explore 10.0 on my Windows 7 SP1. I downloaded it from here.

Internet Explorer 10

Internet Explorer 10

After couple seconds I found out only little changes. Design of buttons changes little bit. Also design of check boxes.

After couple minutes I found following new things:

Text box change

Now you can delete content of text box in one click. Clicking by X on the end of the box:

Delete text box

Delete text box

Password box change

On password box you can see what’s under stars:

Password password in box

Hidden password in box

Show password in box

Show password in box

Easy copy and paste

When you select text and pictures in IE 10.0, you can drag and drop it into some application (e.g. Word, Outlook, …). This is very neat and cool.

Faster

My personal feeling is that webpages are displayed much faster than before, but this can be just feeling 🙂

Very very bad support from Meinberg getting better?

November 23rd, 2012 No comments

Last two weeks I had to update some NTP servers from one German company. When I requested new firmware I received following e-mail:

Dear Sir,
 unfortunately, I cannot provide a new firmware since your compact flash card is too small and the action might end up in a system’s inconsistency.
Thus, you are also not the only customer who is affected by this, we offer bigger compact flash cards for 65€ each. Please let me know whether this is of interest for you and if you need an official offer.
Mit freundlichem Gruß / With kind regards
 

So this made my very upset. To be able to upgrade to the newest version of firmware I had to pay 65EUR for new flashcard. So I wrote couple e-mail to this company. I wanted to know the reason why I need to invest more to NTP server. I found out that firmware got big and it cannot be uploaded into flash which came with NTP server. This looked weird to me. Why would I have to invest into device if manufacter’s engineers made a mistake. I already decided not to sell manufacter’s devices. And I though that was end of the story.

Today I received following e-mail:

Dear Ondrej,
 
I just wanted to let you know that we dramatically improved our update procedure and, after an intensive clean-up, released
the new firmware version 5.34h which can be installed on 64MB compact flash cards without any problems. The new release is 4 MB (~25%) smaller (!) than the previous version without removing any features.
 
Although you already expressed your extreme dissatisfaction with our products and decided for yourself to not recommend or
buy Meinberg products in the future, your feedback helped us to improve our software and I sincerely thank you for that.
 
Best Regards,
 Heiko
 

So it’s funny how some angry and mad e-mails can change such a things. Now we can upgrade our devices. But I don’t think we will offer them anymore to customers 🙂

Quickie: How to find out some info about user in AD for free

November 14th, 2012 3 comments

Sometimes you need to find out some basic informations about user in domain when you are regular user. You can use command:

net user USER_name /domain

and you get some informations:

net user /domain

net user /domain

Thanks to my coleague Peter Ivanco 🙂

Categories: Quickie, Windows Tags: ,

Quickie: vShere PowerCLI to change NTP settings

November 8th, 2012 No comments

I had to change NTP servers on 40 ESX servers today. When I started to click this settings via vShere Client I was bored after two pieces 🙂 Then I have decided to use vShere PowerCLI.

Run vShere PowerCLI. Then I had to connect to Virtual Infrastructure server:

Connect-VIServer vCenterSERVER_Name.domain

List all ESX servers and put this list into variable:

$hosts=Get-Cluster Cluster | Get-VMHost

And the last, run couple commands to proceed:

ForEach ($ESX in $hosts)

{

     Remove-VMHostNtpServer -NtpServer “NTP_SERVER_OLD1” -VMHost $ESX | Out-Null;

     Remove-VMHostNtpServer -NtpServer “NTP_SERVER_OLD2” -VMHost $ESX | Out-Null;

     Add-VmHostNtpServer -NtpServer “NTP_SERVER_NEW_01” -VMHost $ESX | Out-Null;

     Add-VmHostNtpServer -NtpServer “NTP_SERVER_NEW_02” -VMHost $ESX | Out-Null;

     Get-VMHostService -VMHost $ESX | Where-Object {$_.key -eq “ntpd” } | Restart-VMHostService -Confirm:$false | Out-Null

}

And everything was set in couple of seconds 🙂

Remove-VMHostNtpServer – removes NTP settings for ESX

Add-VMHostNtpServer – adds NTP settings for ESX

Last command restarted ntpd service.

Have a nice day,

 

Quickie: Add your photo into AD

November 7th, 2012 No comments

More and more are people working with Outlook 2007+, using Lync clients, … all of these applications have ability to show pictures of users in their interface. Let’s look how to implement picture into AD for some users.

Picture in AD is stored in one AD attribute called thumbnailPhoto. We need to put picture into this attribute. Exchange servers and other services use Global Catalog Domain Controllers to resolve attributes for objects in domains. So first of all we need to make sure attribute thumbnailPhoto is propagated into Global Catalog database. We need to modify properties of attribute thumbnailPhoto:

  • Register MMC snap-in for Active Directory Schema running command:

Regsvr32 schmmgmt.dll

  • Open up Active Directory Schema MMC snap-in
  • Under Attributes look for thumbnailPhoto and open its properties
  • Check option “Replicate this attribute to the Global Catalog”

Edit thumbnailPhoto properties

Edit thumbnailPhoto properties

Read more…

Open File – Security Warning

November 7th, 2012 3 comments

Couple days ago something started to bother me. I use Microsoft Windows 7 and Internet Explorer 9.0 to browse on Internet. When you download some application from web, for example my favorite SSH/Telnet/Console client Putty, and you run this application, you get following warning:

Open File - Security Warninig

Open File – Security Warninig

Read more…