Thursday, February 25, 2010

Exchange 2003 with ISA 2006 - Certificate Issue

I have a single ISA 2006 server and an Exchange 2003 Front End server, both with the DigiCert root certificate, the intermediate certificate and the server certificate with its private key installed.

However, when verifying my certificate chain I got errors about the intermediate certificate not being installed, even though it was!



My mobile devices using ActiveSync or Outlook Mobile Access were not connecting, and neither was Outlook Anywhere.

To fix this I had to delete the root certificate, "DigiCert High Assurance EV Root CA", from both the ISA 2006 server and the Exchange 2003 front end server.



Normally the root CA certificate needs to be present. ISA 2006, however, caches certificate chains, and in this environment the cached chain kept producing the error until the root was removed from the server stores. Treat this as an ISA 2006 workaround rather than a general rule, and check which store each certificate is actually in (Personal, Intermediate Certification Authorities, Trusted Root Certification Authorities) before deleting anything.

Make sure you reboot the ISA 2006 server after deleting the certificate. The Exchange 2003 front end server does not need rebooting.

Fixed:
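Before deleting anything, it is worth seeing how the server itself builds the chain and where each certificate is filed. The script below is an added example and not part of the original post: it builds the chain for every certificate with a private key in the machine's Personal store, reports which store each chain element was loaded from, and flags certificates sitting in the wrong store. It assumes it is run elevated on the ISA 2006 or Exchange 2003 front end server, or any Windows host with PowerShell and the Cert: drive.

```powershell
# Added example, not part of the original post: build the chain for every certificate with a
# private key in the machine's Personal store, report which store each chain element came from,
# and flag certificates filed in the wrong store. Assumes it runs elevated on the ISA 2006 or
# Exchange 2003 front end server (any Windows host with PowerShell and the Cert: drive).
$storePaths = @{ My = 'Cert:\LocalMachine\My'; CA = 'Cert:\LocalMachine\CA'; Root = 'Cert:\LocalMachine\Root' }

function Get-StoreNames([string]$thumbprint) {
    # Names of the stores that hold a copy of this certificate, e.g. "CA,Root" when it is in both
    $names = foreach ($entry in $storePaths.GetEnumerator()) {
        if (Get-ChildItem $entry.Value | Where-Object { $_.Thumbprint -eq $thumbprint }) { $entry.Key }
    }
    return ($names -join ',')
}

foreach ($cert in (Get-ChildItem $storePaths.My | Where-Object { $_.HasPrivateKey })) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'     # chain structure only; revocation is a separate test
    $built = $chain.Build($cert)
    ''
    'Certificate: {0}  thumbprint={1}  chain built={2}' -f $cert.Subject, $cert.Thumbprint, $built
    foreach ($element in $chain.ChainElements) {
        $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $status) { $status = 'NoError' }
        $stores = Get-StoreNames $element.Certificate.Thumbprint
        if (-not $stores) { $stores = 'not in local stores (fetched via AIA or from cache)' }
        '  {0}' -f $element.Certificate.Subject
        '      issuer={0}' -f $element.Certificate.Issuer
        '      store={0}  status={1}' -f $stores, $status
    }
}

# Misfiled certificates (Subject -eq Issuer is used as the self-signed heuristic). A root in the
# Intermediate store gets offered to clients as part of the chain, which some clients reject; an
# intermediate in the Trusted Root store is treated as an anchor and hides a missing real root.
Get-ChildItem $storePaths.CA   | Where-Object { $_.Subject -eq $_.Issuer } |
    ForEach-Object { Write-Warning "Root CA in Intermediate store: $($_.Subject) [$($_.Thumbprint)]" }
Get-ChildItem $storePaths.Root | Where-Object { $_.Subject -ne $_.Issuer } |
    ForEach-Object { Write-Warning "Non-root certificate in Trusted Root store: $($_.Subject) [$($_.Thumbprint)]" }
```

Run it on both the ISA server and the Exchange front end and compare: a chain element whose store column reads CA on one box and Root on the other, or a root listed under the Intermediate store, is the first thing to correct. Remember that ISA 2006 caches the chain, so restart it after any change before re-testing from a mobile device.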

Wednesday, February 24, 2010

Read Only Domain Controller Prerequisites

Below I'm going to go through the prerequisites for a Read-Only Domain Controller (RODC):

- The PDC Emulator role must be held by a Windows Server 2008 domain controller.

- The RODC must replicate from a writable Windows Server 2008 DC. This means the site the RODC will pull updates from (the one reachable over the lowest-cost site link from the RODC's site) must contain a writable Windows Server 2008 DC for that domain.

- The domain and forest functional levels (DFL/FFL) must be at least Windows Server 2003.

- ADPREP /RODCPREP must have been run. It is run once per forest and updates the permissions on the application directory partitions so that they can replicate to RODCs.

- Only one RODC per domain, per site. In an Active Directory site you can have only one RODC for a given domain; with multiple domains in the forest, each domain can have its own RODC in that site.
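The checks above can be run against the live forest before promoting an RODC. The script below is an added example, not part of the original post. It needs the ActiveDirectory module (RSAT, or a Windows Server 2008 R2 or later DC) and an account that can read the configuration partition. The test for ADPREP /RODCPREP is my assumption about what it leaves behind: the Enterprise Read-only Domain Controllers group holding the Replicating Directory Changes right on each application partition.

```powershell
# Added example, not part of the original post: check the RODC prerequisites listed above against
# the live forest. Requires the ActiveDirectory module and read access to the configuration partition.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$domain   = Get-ADDomain
$findings = @()

# 1. The PDC emulator must run Windows Server 2008 or later
$pdc = Get-ADDomainController -Identity $domain.PDCEmulator
if ($pdc.OperatingSystem -match 'Windows Server 2003|Windows 2000') {
    $findings += "PDC emulator $($pdc.HostName) runs $($pdc.OperatingSystem); it must be Windows Server 2008 or later"
}

# 2. Functional levels must be at least Windows Server 2003 (not Windows 2000 or 2003 interim)
if ($forest.ForestMode -match '2000|Interim') { $findings += "Forest functional level is $($forest.ForestMode); needs Windows Server 2003 or higher" }
if ($domain.DomainMode -match '2000|Interim') { $findings += "Domain functional level is $($domain.DomainMode); needs Windows Server 2003 or higher" }

# 3. Writable Windows Server 2008 (or later) DCs in this domain, listed per site, so the site the RODC
#    will replicate from (lowest-cost site link) can be checked by hand.
$writable2008 = Get-ADDomainController -Filter { IsReadOnly -eq $false } |
    Where-Object { $_.OperatingSystem -notmatch 'Windows Server 2003|Windows 2000' }
if (-not $writable2008) { $findings += 'No writable Windows Server 2008 (or later) DC exists to source replication from' }
$writable2008 | Sort-Object Site | Format-Table Site, HostName, OperatingSystem -AutoSize

# 4. adprep /rodcprep. Assumption: it grants the Enterprise Read-only Domain Controllers group the
#    'Replicating Directory Changes' extended right (well-known GUID below) on each application partition.
$replicatingChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
foreach ($nc in $forest.ApplicationPartitions) {
    $acl = Get-Acl -Path "AD:\$nc"
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference -like '*Enterprise Read-only Domain Controllers' -and $_.ObjectType -eq $replicatingChanges
    }
    if (-not $ace) { $findings += "No RODC replication right found on $nc; run adprep /rodcprep" }
}

# 5. Only one RODC per domain per site
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Group-Object Domain, Site |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $findings += "More than one RODC for domain/site $($_.Name)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'All RODC prerequisites satisfied' }
```

Get-ADDomainController without a -Server parameter only queries the domain you are logged on to, so run the script once per domain that will host an RODC.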

Tuesday, February 23, 2010

Out of Office Not Working - Exchange 2007

A company had Exchange 2007 SP1 installed in their environment. When users went to access out of office via Outlook they received the following message:

Your Out of Office settings cannot be displayed, because the server is currently unavailable. Try again later.



Users did not get this message in Outlook Web Access. They could change their Out of Office settings in OWA, but the settings did not "stick": OWA reported Out of Office as enabled, yet it was not actually working, and users who already had it enabled could not disable it.

This problem lies with the Client Access Server role. The Out of Office assistant in Outlook 2007 reads and writes its settings through Exchange Web Services on the CAS (the same web service that hosts the Availability service), and that service was failing.

In this instance we fixed the issue by installing Exchange 2007 SP2. To do this:
• Extend the schema for Exchange 2007 SP2 (setup.com /PrepareSchema, then /PrepareAD, from the SP2 media; this requires Schema Admins and Enterprise Admins membership)
• Install SP2 on the Client Access Server
• Install SP2 on the Hub Transport Server
• Install SP2 on both Mailbox servers
• Install SP2 on the Unified Messaging server
• Install SP2 on the Edge Transport server

The underlying cause is a defect in the .NET Framework update: it occurs only when the package containing the .NET Framework 3.5 SP1 and the .NET Framework 2.0 SP2 is installed on an Exchange 2007 SP1 Client Access server. If you do not want to upgrade the Exchange organisation to SP2, the hotfix described in the following article works around it:

http://support.microsoft.com/kb/958934
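Before deciding between the SP2 upgrade and the hotfix, it helps to know which Client Access servers actually carry the affected combination. The script below is an added example, not from the original post; run it from the Exchange Management Shell. It assumes the Remote Registry service is reachable on each CAS, and `oof.test@example.com` is a hypothetical test mailbox you control.

```powershell
# Added example, not part of the original post: run from the Exchange Management Shell. Lists each
# Client Access server with its Exchange 2007 service pack and .NET Framework 3.5 SP level, flags the
# SP1 + .NET 3.5 SP1 combination that breaks Out of Office, then tests the web services Outlook uses.
# Assumes Remote Registry is reachable on each CAS; 'oof.test@example.com' is a hypothetical mailbox.
$ndpKey = 'SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'

function Get-DotNet35SP([string]$server) {
    # SP value under the v3.5 NDP key: 0 = RTM, 1 = SP1; nothing returned when .NET 3.5 is absent
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $server)
        $key  = $hklm.OpenSubKey($ndpKey)
        if ($key) { [int]$key.GetValue('SP', 0) }
    } catch {
        Write-Warning "Could not read the registry on $server : $_"
        'unknown'
    }
}

$casServers = Get-ExchangeServer | Where-Object { $_.IsClientAccessServer }
foreach ($cas in $casServers) {
    $ver = $cas.AdminDisplayVersion          # Exchange 2007 is Major 8; Minor 0 = RTM, 1 = SP1, 2 = SP2, 3 = SP3
    $sp  = Get-DotNet35SP $cas.Name
    New-Object PSObject -Property @{
        Server     = $cas.Name
        Exchange   = $ver.ToString()
        DotNet35SP = $sp
        # SP1 CAS with .NET 3.5 SP1 present: upgrade to SP2 or apply the KB 958934 hotfix
        Affected   = ($ver.Major -eq 8 -and $ver.Minor -eq 1 -and $sp -eq 1)
    }
}

# Reproduce the symptom without a client: exercise Autodiscover and the EWS/OOF/Availability
# endpoints for the test mailbox and show only the failures.
Test-OutlookWebServices -Identity 'oof.test@example.com' |
    Where-Object { $_.Type -eq 'Error' } |
    Format-Table Id, Type, Message -AutoSize -Wrap
```

Run the Test-OutlookWebServices part again after the SP2 upgrade (or the hotfix) to confirm the Out of Office endpoint answers before asking users to retry from Outlook.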

Exchange 2007 SP2 Not Supported on Windows Server 2008 R2

Windows Server 2008 R2 supports Exchange 2010, but it does not support Exchange 2007 SP2 (or SP1; Exchange 2007 SP3 is the first Exchange 2007 release supported on Windows Server 2008 R2). Setup on Windows Server 2008 R2 stops with:

The computer is running Windows Server 2008 R2 Standard. Exchange Server 2007 is not supported on this operating system.

ERROR_REPLICA_SYNC_FAILED_THE TARGET PRINCIPAL NAME IS INCORRECT

I had an issue with a client's Active Directory environment where replication was only working one way. They have two sites with inter-site replication between them:



Users were able to log in and access network resources in the site that contained the ORION2 domain controller, but users were unable to work in the site that contained the ORIONCH domain controller.

Below I'm going to go through all the errors received to show you all the symptoms of this problem, so you can relate them to your environment if you're having the same issue. I will then provide a fix.

Error received in Replmon:



Below are the troubleshooting commands I ran and the server I ran each on.

repadmin /showrepl on ORIONCH

repadmin running command /showrepl against server localhost

CastleHill\ORIONCH
DC Options: (none)
Site Options: (none)
DC object GUID: 8e92a542-61f2-4e4a-a06c-b19932d0412e
DC invocationID: 2e3ea760-e835-4050-8386-95c4e29d66bd

==== INBOUND NEIGHBORS =====================================

DC=orion,DC=net,DC=au
Balcatta\ORION2 via RPC
DC object GUID: 1d83042b-1be4-41d1-9e5d-117829335117
Last attempt @ 2010-02-23 17:02:45 was successful.

CN=Configuration,DC=orion,DC=net,DC=au
Balcatta\ORION2 via RPC
DC object GUID: 1d83042b-1be4-41d1-9e5d-117829335117
Last attempt @ 2010-02-23 17:02:45 was successful.

CN=Schema,CN=Configuration,DC=orion,DC=net,DC=au
Balcatta\ORION2 via RPC
DC object GUID: 1d83042b-1be4-41d1-9e5d-117829335117
Last attempt @ 2010-02-23 17:02:46 was successful.

DC=DomainDnsZones,DC=orion,DC=net,DC=au
Balcatta\ORION2 via RPC
DC object GUID: 1d83042b-1be4-41d1-9e5d-117829335117
Last attempt @ 2010-02-23 17:02:46 was successful.

DC=ForestDnsZones,DC=orion,DC=net,DC=au
Balcatta\ORION2 via RPC
DC object GUID: 1d83042b-1be4-41d1-9e5d-117829335117
Last attempt @ 2010-02-23 17:02:46 was successful.


repadmin /showrepl on ORION2

repadmin running command /showrepl against server localhost

Balcatta\ORION2
DC Options: IS_GC
Site Options: (none)
DC object GUID: 1d83042b-1be4-41d1-9e5d-117829335117
DC invocationID: d0e38ce4-9011-4db7-b7e4-efc2738b9074

==== INBOUND NEIGHBORS ======================================

DC=orion,DC=net,DC=au
CastleHill\ORIONCH via RPC
DC object GUID: 8e92a542-61f2-4e4a-a06c-b19932d0412e
Last attempt @ 2010-02-23 13:54:02 failed, result -2146893022 (0x80090322):
Can't retrieve message string -2146893022 (0x80090322), error 1815.
93 consecutive failure(s).
Last success @ 2010-02-22 15:22:01.

CN=Configuration,DC=orion,DC=net,DC=au
CastleHill\ORIONCH via RPC
DC object GUID: 8e92a542-61f2-4e4a-a06c-b19932d0412e
Last attempt @ 2010-02-23 13:54:03 failed, result -2146893022 (0x80090322):
Can't retrieve message string -2146893022 (0x80090322), error 1815.
93 consecutive failure(s).
Last success @ 2010-02-22 15:22:01.

CN=Schema,CN=Configuration,DC=orion,DC=net,DC=au
CastleHill\ORIONCH via RPC
DC object GUID: 8e92a542-61f2-4e4a-a06c-b19932d0412e
Last attempt @ 2010-02-23 13:54:03 failed, result -2146893022 (0x80090322):
Can't retrieve message string -2146893022 (0x80090322), error 1815.
93 consecutive failure(s).
Last success @ 2010-02-22 15:22:01.

DC=DomainDnsZones,DC=orion,DC=net,DC=au
CastleHill\ORIONCH via RPC
DC object GUID: 8e92a542-61f2-4e4a-a06c-b19932d0412e
Last attempt @ 2010-02-23 13:54:04 failed, result -2146893022 (0x80090322):
Can't retrieve message string -2146893022 (0x80090322), error 1815.
93 consecutive failure(s).
Last success @ 2010-02-22 15:22:02.

DC=ForestDnsZones,DC=orion,DC=net,DC=au
CastleHill\ORIONCH via RPC
DC object GUID: 8e92a542-61f2-4e4a-a06c-b19932d0412e
Last attempt @ 2010-02-23 13:54:04 failed, result -2146893022 (0x80090322):
Can't retrieve message string -2146893022 (0x80090322), error 1815.
93 consecutive failure(s).
Last success @ 2010-02-22 15:22:02.

Source: CastleHill\ORIONCH
******* 93 CONSECUTIVE FAILURES since 2010-02-22 15:22:02
Last error: -2146893022 (0x80090322):
Can't retrieve message string -2146893022 (0x80090322), error 1815.


repadmin /replsummary on ORIONCH

Replication Summary Start Time: 2010-02-23 17:12:30

Beginning data collection for replication summary, this may take awhile:
.....

Source DC largest delta fails/total %% error
ORION2 09m:45s 0 / 5 0
ORIONCH 22h:50m:29s 5 / 5 100 (2148074274) Can't retrieve message string -2146893022...

Destination DC largest delta fails/total %% error
ORION2 22h:50m:52s 5 / 5 100 (2148074274) Can't retrieve message string -2146893022...
ORIONCH 09m:46s 0 / 5 0


repadmin /replsummary on ORION2

Replication Summary Start Time: 2010-02-23 14:10:53

Beginning data collection for replication summary, this may take awhile:
.....

Source DC largest delta fails/total %% error
ORIONCH 22h:48m:52s 5 / 5 100 (2148074274) Can't retrieve message string -2146893022 (0x800903...

Destination DC largest delta fails/total %% error
ORION2 22h:48m:52s 5 / 5 100 (2148074274) Can't retrieve message string -2146893022 (0x800903...

Experienced the following operational errors trying to retrieve replication information:
8341 - ORIONCH.orion.net.au


Example of Replication Failing

repadmin /replicate orionch orion2 /force
DsReplicaSync() failed with status 87 (0x57):
Can't retrieve message string 87 (0x57), error 1815.
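Two things are worth pulling out of the repadmin output above. First, repadmin could not translate its own result codes ("Can't retrieve message string ... error 1815"), so the operator is left with raw numbers: -2146893022 is 0x80090322, SEC_E_WRONG_PRINCIPAL, "The target principal name is incorrect" (the error in this post's title); 2148074274 in /replsummary is the same code printed unsigned; 87 from /replicate is ERROR_INVALID_PARAMETER. Second, the failures are all inbound to ORION2 from ORIONCH, while ORIONCH pulls from ORION2 without error, which is the one-way picture described at the top. The script below is an added example, not part of the original post: it parses /showrepl text, decodes the codes with .NET instead of relying on repadmin's message lookup, and summarises failures per partner and direction. The two excerpts it parses are constructed from the output above, trimmed to two partitions each. PowerShell 3.0 or later.

```powershell
# Added example, not part of the original post: parse 'repadmin /showrepl' output, decode the result
# codes with FormatMessage (via Win32Exception) instead of repadmin's failed lookup, and summarise
# which inbound connections fail, per destination and source. The two excerpts are constructed from
# the post's output, trimmed to two partitions each. Requires PowerShell 3.0 or later.
$showReplOrionCH = @'
CastleHill\ORIONCH
==== INBOUND NEIGHBORS =====================================
DC=orion,DC=net,DC=au
    Balcatta\ORION2 via RPC
        Last attempt @ 2010-02-23 17:02:45 was successful.
CN=Configuration,DC=orion,DC=net,DC=au
    Balcatta\ORION2 via RPC
        Last attempt @ 2010-02-23 17:02:45 was successful.
'@
$showReplOrion2 = @'
Balcatta\ORION2
==== INBOUND NEIGHBORS =====================================
DC=orion,DC=net,DC=au
    CastleHill\ORIONCH via RPC
        Last attempt @ 2010-02-23 13:54:02 failed, result -2146893022 (0x80090322):
        93 consecutive failure(s).
CN=Configuration,DC=orion,DC=net,DC=au
    CastleHill\ORIONCH via RPC
        Last attempt @ 2010-02-23 13:54:03 failed, result -2146893022 (0x80090322):
'@

function Get-ErrorText([int64]$code) {
    # HRESULTs appear negative (-2146893022) in /showrepl and unsigned (2148074274) in /replsummary;
    # Win32 codes (87, 1256, 8341) are small positives. Normalise to a signed Int32 first.
    $bytes = [BitConverter]::GetBytes([uint32]($code -band 0xFFFFFFFF))
    $int   = [BitConverter]::ToInt32($bytes, 0)
    $msg   = (New-Object ComponentModel.Win32Exception($int)).Message
    if ($int -lt 0) { '0x{0:X8} {1}' -f $int, $msg } else { '{0} {1}' -f $int, $msg }
}

function ConvertFrom-ShowRepl([string]$text) {
    # One record per (destination DC, source DC, partition) with the decoded result
    $dest = $null; $nc = $null; $src = $null
    foreach ($raw in ($text -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $dest -and $line -match '^[^\\\s]+\\([^\\\s]+)$') { $dest = $Matches[1]; continue }   # Site\DC header
        if ($line -match '^(DC|CN)=') { $nc = $line; continue }                                    # naming context
        if ($line -match '^[^\\\s]+\\([^\\\s]+) via ') { $src = $Matches[1]; continue }           # Site\Partner via RPC
        if ($line -match 'was successful') {
            [pscustomobject]@{ Destination = $dest; Source = $src; Partition = $nc; Failed = $false; Result = 'ok' }
        } elseif ($line -match 'failed, result (-?\d+)') {
            [pscustomobject]@{ Destination = $dest; Source = $src; Partition = $nc; Failed = $true; Result = (Get-ErrorText $Matches[1]) }
        }
    }
}

$rows = @(ConvertFrom-ShowRepl $showReplOrionCH) + @(ConvertFrom-ShowRepl $showReplOrion2)
$rows | Group-Object Destination, Source | ForEach-Object {
    $failed = @($_.Group | Where-Object Failed).Count
    $errors = ($_.Group | Where-Object Failed | Select-Object -ExpandProperty Result -Unique) -join '; '
    '{0} <- {1}: {2} failed / {3} ok  {4}' -f $_.Group[0].Destination, $_.Group[0].Source, $failed, ($_.Count - $failed), $errors
}
```

To run it against a live environment, replace the two here-strings with `repadmin /showrepl` captured on each DC (or feed every DC at once where repadmin supports `/showrepl * /csv`, which avoids the parsing entirely). Get-ErrorText on its own is also handy for the other numbers in this post: 1256 from dcdiag and 1203 from the NetLogons test resolve the same way.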


dcdiag /v on ORIONCH

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine ORIONCH, is a DC.
* Connecting to directory service on server ORIONCH.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: CastleHill\ORIONCH
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... ORIONCH passed test Connectivity

Doing primary tests

Testing server: CastleHill\ORIONCH
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=orion,DC=net,DC=au
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=orion,DC=net,DC=au
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=orion,DC=net,DC=au
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=orion,DC=net,DC=au
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=orion,DC=net,DC=au
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... ORIONCH passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC ORIONCH.
* Security Permissions Check for
DC=ForestDnsZones,DC=orion,DC=net,DC=au
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=orion,DC=net,DC=au
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=orion,DC=net,DC=au
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=orion,DC=net,DC=au
(Configuration,Version 2)
* Security Permissions Check for
DC=orion,DC=net,DC=au
(Domain,Version 2)
......................... ORIONCH passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Unable to connect to the NETLOGON share! (\\ORIONCH\netlogon)
[ORIONCH] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
......................... ORIONCH failed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for \\orion2.orion.net.au, when we were trying to reach ORIONCH.
Server is not responding or is not considered suitable.
The DC ORIONCH is advertising itself as a DC and having a DS.
The DC ORIONCH is advertising as an LDAP server
The DC ORIONCH is advertising as having a writeable directory
The DC ORIONCH is advertising as a Key Distribution Center
The DC ORIONCH is advertising as a time server
......................... ORIONCH failed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=ORION2,CN=Servers,CN=Balcatta,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
Role Domain Owner = CN=NTDS Settings,CN=ORION2,CN=Servers,CN=Balcatta,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
Role PDC Owner = CN=NTDS Settings,CN=ORION2,CN=Servers,CN=Balcatta,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
Role Rid Owner = CN=NTDS Settings,CN=ORION2,CN=Servers,CN=Balcatta,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
Role Infrastructure Update Owner = CN=NTDS Settings,CN=ORION2,CN=Servers,CN=Balcatta,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
......................... ORIONCH passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 4804 to 1073741823
* orion2.orion.net.au is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 4304 to 4803
* rIDPreviousAllocationPool is 4304 to 4803
* rIDNextRID: 4305
......................... ORIONCH passed test RidManager
Starting test: MachineAccount
Checking machine account for DC ORIONCH on DC ORIONCH.
* SPN found :LDAP/ORIONCH.orion.net.au/orion.net.au
* SPN found :LDAP/ORIONCH.orion.net.au
* SPN found :LDAP/ORIONCH
* SPN found :LDAP/ORIONCH.orion.net.au/ORION
* SPN found :LDAP/8e92a542-61f2-4e4a-a06c-b19932d0412e._msdcs.orion.net.au
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/8e92a542-61f2-4e4a-a06c-b19932d0412e/orion.net.au
* SPN found :HOST/ORIONCH.orion.net.au/orion.net.au
* SPN found :HOST/ORIONCH.orion.net.au
* SPN found :HOST/ORIONCH
* SPN found :HOST/ORIONCH.orion.net.au/ORION
* SPN found :GC/ORIONCH.orion.net.au/orion.net.au
......................... ORIONCH passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... ORIONCH passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
ORIONCH is in domain DC=orion,DC=net,DC=au
Checking for CN=ORIONCH,OU=Domain Controllers,DC=orion,DC=net,DC=au in domain DC=orion,DC=net,DC=au on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=ORIONCH,CN=Servers,CN=CastleHill,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au in domain CN=Configuration,DC=orion,DC=net,DC=au on 1 servers
Object is up-to-date on all servers.
......................... ORIONCH passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
The registry lookup failed to determine the state of the SYSVOL. The
error returned was 0 (Win32 Error 0). Check the FRS event log to see
if the SYSVOL has successfully been shared.
......................... ORIONCH passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034FD
Time Generated: 02/23/2010 17:34:40
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C4
Time Generated: 02/23/2010 17:37:19
(Event String could not be retrieved)
......................... ORIONCH failed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... ORIONCH passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0xC25A001D
Time Generated: 02/23/2010 16:48:08
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC25A001D
Time Generated: 02/23/2010 17:06:53
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC25A001D
Time Generated: 02/23/2010 17:25:38
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000C8A
Time Generated: 02/23/2010 17:34:25
Event String: This computer could not authenticate with
\\orion2.orion.net.au, a Windows domain
controller for domain ORION, and therefore this
computer might deny logon requests. This
inability to authenticate might be caused by
another computer on the same network using the
same name or the password for this computer
account is not recognized. If this message
appears again, contact your system administrator.

......................... ORIONCH failed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=ORIONCH,OU=Domain Controllers,DC=orion,DC=net,DC=au and backlink on
CN=ORIONCH,CN=Servers,CN=CastleHill,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
are correct.
The system object reference (frsComputerReferenceBL)
CN=ORIONCH,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=orion,DC=net,DC=au
and backlink on CN=ORIONCH,OU=Domain Controllers,DC=orion,DC=net,DC=au
are correct.
The system object reference (serverReferenceBL)
CN=ORIONCH,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=orion,DC=net,DC=au
and backlink on
CN=NTDS Settings,CN=ORIONCH,CN=Servers,CN=CastleHill,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
are correct.
......................... ORIONCH passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : orion
Starting test: CrossRefValidation
......................... orion passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... orion passed test CheckSDRefDom

Running enterprise tests on : orion.net.au
Starting test: Intersite
Skipping site CastleHill, this site is outside the scope provided by
the command line arguments provided.
Skipping site Balcatta, this site is outside the scope provided by the
command line arguments provided.
......................... orion.net.au passed test Intersite
Starting test: FsmoCheck
GC Name: \\orion2.orion.net.au
Locator Flags: 0xe00001fd
PDC Name: \\orion2.orion.net.au
Locator Flags: 0xe000017d
Time Server Name: \\orion2.orion.net.au
Locator Flags: 0xe000017d
Preferred Time Server Name: \\orion2.orion.net.au
Locator Flags: 0xe000017d
KDC Name: \\orion2.orion.net.au
Locator Flags: 0xe000017d
......................... orion.net.au passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS

dcdiag /v on ORION2

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine orion2, is a DC.
* Connecting to directory service on server orion2.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Balcatta\ORION2
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... ORION2 passed test Connectivity

Doing primary tests

Testing server: Balcatta\ORION2
Starting test: Replications
* Replications Check
[Replications Check,ORION2] A recent replication attempt failed:
From ORIONCH to ORION2
Naming Context: DC=ForestDnsZones,DC=orion,DC=net,DC=au
The replication generated an error (1256):
Win32 Error 1256
The failure occurred at 2010-02-23 14:38:16.
The last success occurred at 2010-02-22 15:22:02.
96 failures have occurred since the last success.
[Replications Check,ORION2] A recent replication attempt failed:
From ORIONCH to ORION2
Naming Context: DC=DomainDnsZones,DC=orion,DC=net,DC=au
The replication generated an error (1256):
Win32 Error 1256
The failure occurred at 2010-02-23 14:38:16.
The last success occurred at 2010-02-22 15:22:02.
96 failures have occurred since the last success.
[Replications Check,ORION2] A recent replication attempt failed:
From ORIONCH to ORION2
Naming Context: CN=Schema,CN=Configuration,DC=orion,DC=net,DC=au
The replication generated an error (-2146893022):
Win32 Error -2146893022
The failure occurred at 2010-02-23 14:38:17.
The last success occurred at 2010-02-22 15:22:01.
96 failures have occurred since the last success.
[Replications Check,ORION2] A recent replication attempt failed:
From ORIONCH to ORION2
Naming Context: CN=Configuration,DC=orion,DC=net,DC=au
The replication generated an error (-2146893022):
Win32 Error -2146893022
The failure occurred at 2010-02-23 14:38:17.
The last success occurred at 2010-02-22 15:22:01.
96 failures have occurred since the last success.
[Replications Check,ORION2] A recent replication attempt failed:
From ORIONCH to ORION2
Naming Context: DC=orion,DC=net,DC=au
The replication generated an error (-2146893022):
Win32 Error -2146893022
The failure occurred at 2010-02-23 14:38:16.
The last success occurred at 2010-02-22 15:22:01.
96 failures have occurred since the last success.
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
ORION2: Current time is 2010-02-23 14:40:10.
DC=ForestDnsZones,DC=orion,DC=net,DC=au
Last replication recieved from ORIONCH at 2010-02-22 15:22:02.
Latency information for 3 entries in the vector were ignored.
3 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=orion,DC=net,DC=au
Last replication recieved from ORIONCH at 2010-02-22 15:22:01.
Latency information for 3 entries in the vector were ignored.
3 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=orion,DC=net,DC=au
Last replication recieved from ORIONCH at 2010-02-22 15:22:01.
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=orion,DC=net,DC=au
Last replication recieved from ORIONCH at 2010-02-22 15:22:01.
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=orion,DC=net,DC=au
Last replication recieved from ORIONCH at 2010-02-22 15:22:01.
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... ORION2 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC ORION2.
* Security Permissions Check for
DC=ForestDnsZones,DC=orion,DC=net,DC=au
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=orion,DC=net,DC=au
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=orion,DC=net,DC=au
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=orion,DC=net,DC=au
(Configuration,Version 2)
* Security Permissions Check for
DC=orion,DC=net,DC=au
(Domain,Version 2)
......................... ORION2 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\ORION2\netlogon
Verified share \\ORION2\sysvol
......................... ORION2 passed test NetLogons
Starting test: Advertising
The DC ORION2 is advertising itself as a DC and having a DS.
The DC ORION2 is advertising as an LDAP server
The DC ORION2 is advertising as having a writeable directory
The DC ORION2 is advertising as a Key Distribution Center
The DC ORION2 is advertising as a time server
The DS ORION2 is advertising as a GC.
......................... ORION2 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=ORION2,CN=Servers,CN=Balcatta,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
Role Domain Owner = CN=NTDS Settings,CN=ORION2,CN=Servers,CN=Balcatta,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
Role PDC Owner = CN=NTDS Settings,CN=ORION2,CN=Servers,CN=Balcatta,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
Role Rid Owner = CN=NTDS Settings,CN=ORION2,CN=Servers,CN=Balcatta,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
Role Infrastructure Update Owner = CN=NTDS Settings,CN=ORION2,CN=Servers,CN=Balcatta,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
......................... ORION2 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 4804 to 1073741823
* orion2.orion.net.au is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 2804 to 3303
* rIDPreviousAllocationPool is 2304 to 2803
* rIDNextRID: 2759
* Warning :There is less than 9% available RIDs in the current pool
......................... ORION2 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC ORION2 on DC ORION2.
* SPN found :LDAP/orion2.orion.net.au/orion.net.au
* SPN found :LDAP/orion2.orion.net.au
* SPN found :LDAP/ORION2
* SPN found :LDAP/orion2.orion.net.au/ORION
* SPN found :LDAP/1d83042b-1be4-41d1-9e5d-117829335117._msdcs.orion.net.au
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/1d83042b-1be4-41d1-9e5d-117829335117/orion.net.au
* SPN found :HOST/orion2.orion.net.au/orion.net.au
* SPN found :HOST/orion2.orion.net.au
* SPN found :HOST/ORION2
* SPN found :HOST/orion2.orion.net.au/ORION
* SPN found :GC/orion2.orion.net.au/orion.net.au
......................... ORION2 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... ORION2 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
ORION2 is in domain DC=orion,DC=net,DC=au
Checking for CN=ORION2,OU=Domain Controllers,DC=orion,DC=net,DC=au in domain DC=orion,DC=net,DC=au on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=ORION2,CN=Servers,CN=Balcatta,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au in domain CN=Configuration,DC=orion,DC=net,DC=au on 1 servers
Object is up-to-date on all servers.
......................... ORION2 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... ORION2 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 02/22/2010 19:32:13
(Event String could not be retrieved)
......................... ORION2 failed test frsevent
Starting test: kccevent
* The KCC Event log test
An Warning Event occured. EventID: 0x8000061E
Time Generated: 02/23/2010 14:28:17
Event String: All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.
Site: CN=CastleHill,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
Directory partition: DC=orion,DC=net,DC=au
Transport: CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
An Error Event occured. EventID: 0xC000051F
Time Generated: 02/23/2010 14:28:17
Event String: The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition:
DC=orion,DC=net,DC=au
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.
User Action
Use Active Directory Sites and Services to perform one of the following actions:

- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.
If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.

An Warning Event occured. EventID: 0x80000749
Time Generated: 02/23/2010 14:28:17
Event String: The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
Sites:
CN=CastleHill,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
An Warning Event occured. EventID: 0x8000061E
Time Generated: 02/23/2010 14:28:17
Event String: All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.

Site:
CN=CastleHill,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
Directory partition: DC=ForestDnsZones,DC=orion,DC=net,DC=au
Transport: CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
An Error Event occured. EventID: 0xC000051F
Time Generated: 02/23/2010 14:28:17
Event String: The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition: DC=ForestDnsZones,DC=orion,DC=net,DC=au
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.
User Action
Use Active Directory Sites and Services to perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site. If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.

An Warning Event occured. EventID: 0x80000749
Time Generated: 02/23/2010 14:28:17
Event String: The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
Sites:
CN=CastleHill,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
An Warning Event occured. EventID: 0x8000061E
Time Generated: 02/23/2010 14:28:17
Event String: All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.

Site: CN=CastleHill,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
Directory partition: DC=DomainDnsZones,DC=orion,DC=net,DC=au
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
An Error Event occured. EventID: 0xC000051F
Time Generated: 02/23/2010 14:28:17
Event String: The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition: DC=DomainDnsZones,DC=orion,DC=net,DC=au
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.
User Action
Use Active Directory Sites and Services to perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.
If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.

An Warning Event occured. EventID: 0x80000749
Time Generated: 02/23/2010 14:28:17
Event String: The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
Sites:
CN=CastleHill,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
An Warning Event occured. EventID: 0x8000061E
Time Generated: 02/23/2010 14:28:17
Event String: All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.
Site: CN=CastleHill,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
Directory partition: CN=Configuration,DC=orion,DC=net,DC=au
Transport: CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
An Error Event occured. EventID: 0xC000051F
Time Generated: 02/23/2010 14:28:17
Event String: The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition: CN=Configuration,DC=orion,DC=net,DC=au
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.
User Action Use Active Directory Sites and Services to perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site. If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.

Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40000004
Time Generated: 02/23/2010 14:10:54
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/orionch.orion.net.au. The target name used was ldap/ORIONCH.orion.net.au. This indicates that the password used to encrypt the Kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (ORION.NET.AU), and the client realm.
......................... ORION2 failed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=ORION2,OU=Domain Controllers,DC=orion,DC=net,DC=au and backlink on
CN=ORION2,CN=Servers,CN=Balcatta,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
are correct.
The system object reference (frsComputerReferenceBL)
CN=ORION2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=orion,DC=net,DC=au
and backlink on CN=ORION2,OU=Domain Controllers,DC=orion,DC=net,DC=au
are correct.
The system object reference (serverReferenceBL)
CN=ORION2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=orion,DC=net,DC=au
and backlink on
CN=NTDS Settings,CN=ORION2,CN=Servers,CN=Balcatta,CN=Sites,CN=Configuration,DC=orion,DC=net,DC=au
are correct.
......................... ORION2 passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : orion
Starting test: CrossRefValidation
......................... orion passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... orion passed test CheckSDRefDom

Running enterprise tests on : orion.net.au
Starting test: Intersite
Skipping site Balcatta, this site is outside the scope provided by the
command line arguments provided.
Skipping site CastleHill, this site is outside the scope provided by
the command line arguments provided.
......................... orion.net.au passed test Intersite
Starting test: FsmoCheck
GC Name: \\orion2.orion.net.au
Locator Flags: 0xe00001fd
PDC Name: \\orion2.orion.net.au
Locator Flags: 0xe00001fd
Time Server Name: \\orion2.orion.net.au
Locator Flags: 0xe00001fd
Preferred Time Server Name: \\orion2.orion.net.au
Locator Flags: 0xe00001fd
KDC Name: \\orion2.orion.net.au
Locator Flags: 0xe00001fd
......................... orion.net.au passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS


The Resolution


Perform this resolution only if you are experiencing the above symptoms.

1. On the DC that is broken (the one that reports the error above in replmon), set the Kerberos Key Distribution Center service to manual and stop the service.

2. From a command prompt on the broken DC enter the following:
netdom resetpwd /s:name_of_working_DC /ud:domain\user /pd:*
where domain\user is an administrator of the domain in the domain_name\user_name format. You will be prompted to enter your password. The broken DC is the one whose users cannot get to network resources (in our case ORIONCH).



3. If the command fails after pressing Enter, restart the broken DC and repeat the command above (the restart clears the Kerberos ticket cache and so discards the broken credential attempts it has stored).

4. Upon successful completion of the command in step 2, restart the broken DC. You must do this even if you already restarted it in step 3.

5. Check that replication is working, and if so restart the Kerberos Key Distribution Center service and set it back to automatic.

Once done your domain will be working correctly; use replmon to verify replication:



For more information about this netdom command see:

http://support.microsoft.com/kb/325850
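The resolution above as an added PowerShell wrapper (not part of the original post): it performs steps 1, 2 and 5 and checks each one before moving on, so the KDC is only re-enabled once replication is clean. It assumes an elevated prompt on the broken DC with netdom.exe and repadmin.exe available (Support Tools on Windows Server 2003, in-box on 2008); the $WorkingDc and $AdminAccount values are placeholders for your environment.

```powershell
# Added example, not from the original post. Assumes netdom.exe and repadmin.exe
# are on the PATH and that this runs elevated on the broken DC.

function Stop-KdcForReset {
    # Step 1: stop the KDC and keep it from starting on the reboots that follow,
    # so no tickets are issued against the stale machine-account password.
    Set-Service -Name Kdc -StartupType Manual
    Stop-Service -Name Kdc -Force
    return (Get-Service -Name Kdc).Status   # 'Stopped' on success
}

function Reset-BrokenDcPassword {
    param(
        [Parameter(Mandatory=$true)][string]$WorkingDc,    # placeholder, e.g. 'ORION2'
        [Parameter(Mandatory=$true)][string]$AdminAccount  # placeholder, e.g. 'orion\administrator'
    )
    if ((Get-Service -Name Kdc).Status -ne 'Stopped') {
        throw 'The KDC is still running; run Stop-KdcForReset (step 1) first.'
    }
    # Step 2: /pd:* makes netdom prompt for the password so it never lands in
    # the command history; the reset is performed against the working DC.
    & netdom.exe resetpwd "/s:$WorkingDc" "/ud:$AdminAccount" /pd:*
    if ($LASTEXITCODE -ne 0) {
        # Step 3: a failure here is usually cached bad credentials; reboot and rerun.
        throw "netdom resetpwd failed with exit code $LASTEXITCODE. Restart this DC and run again."
    }
    Write-Host 'Machine account password reset. Restart this DC now (step 4).'
}

function Test-ReplicationHealthy {
    # repadmin marks each failing inbound partner with
    # 'Last attempt @ ... failed, result <code>'; any such line means not healthy.
    $lines = & repadmin.exe /showrepl
    $failures = @($lines | Where-Object { $_ -match 'failed, result' })
    $failures | ForEach-Object { Write-Warning $_ }
    return ($failures.Count -eq 0)
}

function Restore-Kdc {
    # Step 5: only bring the KDC back once replication is clean.
    if (-not (Test-ReplicationHealthy)) {
        throw 'Replication still reports failures; leave the KDC stopped and investigate first.'
    }
    Set-Service -Name Kdc -StartupType Automatic
    Start-Service -Name Kdc
    return (Get-Service -Name Kdc).Status   # 'Running' on success
}
```

Run Stop-KdcForReset and then Reset-BrokenDcPassword before the reboot in step 4, and Restore-Kdc after it.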

Monday, February 22, 2010

NETLOGON and SYSVOL Not Shared

If you have a domain controller whose SYSVOL is missing, you will get the following error in your logs:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1006
Date: 22/02/2010
Time: 6:01:40 PM
User: NT AUTHORITY\SYSTEM
Computer: ORION2\
Description:
Windows cannot bind to orion.net.au domain. (Local Error). Group Policy processing aborted.


To fix this, manually copy the SYSVOL folder from a healthy domain controller.

There is a trick to getting the domain controller to re-establish the shares properly and publish them under the domain namespace, which I will show you.

Navigate to the following registry key on the domain controller you just copied the SYSVOL to:

HKLM\SYSTEM\CurrentControlSet\Services\Ntfrs\Parameters\Backup/Restore\Process at Startup

Set the value of the BurFlags registry entry to D4.

Restart the Ntfrs service.

The DC will now automatically share the SYSVOL and republish it under the domain namespace. Very handy!

Domain Not Found

I had a client today who was unable to log onto any of his domain controllers as he was receiving the following error:

The system cannot log you on due to the following error:
The specified domain either does not exist or could not be contacted.

Please try again or consult your systems administrator.




Also, users could not get to network shares, print, or even access their email via Outlook. Basically their entire domain had fallen over in all locations.

Running a DCDIAG on the domain provided the following output:

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Balcatta\ORION2
Starting test: Connectivity
......................... ORION2 passed test Connectivity

Doing primary tests

Testing server: Balcatta\ORION2
Starting test: Replications
[Replications Check,ORION2] A recent replication attempt failed:
From ORIONCH to ORION2
Naming Context: DC=ForestDnsZones,DC=orion,DC=net,DC=au
The replication generated an error (1256):
Win32 Error 1256
The failure occurred at 2010-02-22 18:07:01.
The last success occurred at 2010-02-22 15:22:02.
11 failures have occurred since the last success.
[Replications Check,ORION2] A recent replication attempt failed:
From ORIONCH to ORION2
Naming Context: DC=DomainDnsZones,DC=orion,DC=net,DC=au
The replication generated an error (1256):
Win32 Error 1256
The failure occurred at 2010-02-22 18:07:01.
The last success occurred at 2010-02-22 15:22:02.
11 failures have occurred since the last success.
[Replications Check,ORION2] A recent replication attempt failed:
From ORIONCH to ORION2
Naming Context: CN=Schema,CN=Configuration,DC=orion,DC=net,DC=au
The replication generated an error (-2146893022):
Win32 Error -2146893022
The failure occurred at 2010-02-22 18:07:02.
The last success occurred at 2010-02-22 15:22:01.
11 failures have occurred since the last success.
[Replications Check,ORION2] A recent replication attempt failed:
From ORIONCH to ORION2
Naming Context: CN=Configuration,DC=orion,DC=net,DC=au
The replication generated an error (-2146893022):
Win32 Error -2146893022
The failure occurred at 2010-02-22 18:07:02.
The last success occurred at 2010-02-22 15:22:01.
11 failures have occurred since the last success.
[Replications Check,ORION2] A recent replication attempt failed:
From ORIONCH to ORION2
Naming Context: DC=orion,DC=net,DC=au
The replication generated an error (-2146893022):
Win32 Error -2146893022
The failure occurred at 2010-02-22 18:07:01.
The last success occurred at 2010-02-22 15:22:01.
11 failures have occurred since the last success.
......................... ORION2 passed test Replications
Starting test: NCSecDesc
......................... ORION2 passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\ORION2\netlogon)
[ORION2] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
......................... ORION2 failed test NetLogons
Starting test: Advertising
Fatal Error:DsGetDcName (ORION2) call failed, error 1355
The Locator could not find the server.
......................... ORION2 failed test Advertising
Starting test: KnowsOfRoleHolders
......................... ORION2 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... ORION2 passed test RidManager
Starting test: MachineAccount
......................... ORION2 passed test MachineAccount
Starting test: Services
......................... ORION2 passed test Services
Starting test: ObjectsReplicated
......................... ORION2 passed test ObjectsReplicated
Starting test: frssysvol
......................... ORION2 passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... ORION2 failed test frsevent
Starting test: kccevent
An Warning Event occured. EventID: 0x8000061E
Time Generated: 02/22/2010 17:57:48
Event String: All domain controllers in the following site that
An Error Event occured. EventID: 0xC000051F
Time Generated: 02/22/2010 17:57:48
Event String: The Knowledge Consistency Checker (KCC) has
An Warning Event occured. EventID: 0x80000749
Time Generated: 02/22/2010 17:57:48
Event String: The Knowledge Consistency Checker (KCC) was
An Warning Event occured. EventID: 0x8000061E
Time Generated: 02/22/2010 17:57:48
Event String: All domain controllers in the following site that
An Error Event occured. EventID: 0xC000051F
Time Generated: 02/22/2010 17:57:48
Event String: The Knowledge Consistency Checker (KCC) has
An Warning Event occured. EventID: 0x80000749
Time Generated: 02/22/2010 17:57:48
Event String: The Knowledge Consistency Checker (KCC) was
An Warning Event occured. EventID: 0x8000061E
Time Generated: 02/22/2010 17:57:48
Event String: All domain controllers in the following site that
An Error Event occured. EventID: 0xC000051F
Time Generated: 02/22/2010 17:57:48
Event String: The Knowledge Consistency Checker (KCC) has
An Warning Event occured. EventID: 0x80000749
Time Generated: 02/22/2010 17:57:48
Event String: The Knowledge Consistency Checker (KCC) was
An Warning Event occured. EventID: 0x8000061E
Time Generated: 02/22/2010 17:57:48
Event String: All domain controllers in the following site that
An Error Event occured. EventID: 0xC000051F
Time Generated: 02/22/2010 17:57:48
Event String: The Knowledge Consistency Checker (KCC) has
An Warning Event occured. EventID: 0x80000749
Time Generated: 02/22/2010 17:57:48
Event String: The Knowledge Consistency Checker (KCC) was
......................... ORION2 failed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x40000004
Time Generated: 02/22/2010 17:13:34
Event String: The kerberos client received a
An Error Event occured. EventID: 0x00000457
Time Generated: 02/22/2010 17:27:34
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 02/22/2010 17:52:02
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 02/22/2010 18:01:00
Event String: The kerberos client received a
......................... ORION2 failed test systemlog
Starting test: VerifyReferences
......................... ORION2 passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : orion
Starting test: CrossRefValidation
......................... orion passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... orion passed test CheckSDRefDom

Running enterprise tests on : orion.net.au
Starting test: Intersite
......................... orion.net.au passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... orion.net.au failed test FsmoCheck


The domain controllers were also generating the following error:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1006
Date: 22/02/2010
Time: 6:01:40 PM
User: NT AUTHORITY\SYSTEM
Computer: ORION2\
Description:
Windows cannot bind to orion.net.au domain. (Local Error). Group Policy processing aborted.


After some research I came across Microsoft KB 958804:

http://support.microsoft.com/kb/958804

I resolved the problem as follows:

1. Copy the contents of the Ntfrs_Preexisting folder to the %Windows%Sysvol\Sysvol\Domain Name folder.

2. Start Registry Editor and locate the following subkey:
HKLM\SYSTEM\CurrentControlSet\Services\Ntfrs\Parameters\Backup/Restore\Process at Startup

3. Set the value of the BurFlags registry entry to D4.

4. Restart the Ntfrs service, and then wait until the Sysvol and the Netlogon folders are shared.
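The BurFlags D4 procedure used here and in the "NETLOGON and SYSVOL Not Shared" post above, as an added PowerShell example that is not part of either post. It assumes it runs elevated on the DC whose SYSVOL you already repopulated, that the domain name is in $env:USERDNSDOMAIN, and that the FRS service is named NtFrs; the .NET registry API is used because the key name "Backup/Restore" contains a slash, which an HKLM: provider path would read as a path separator.

```powershell
# Added example, not from the original posts. Assumes an elevated prompt on the
# DC that has just had its SYSVOL folder repopulated.

$BurFlagsKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Test-SysvolPopulated {
    # Pre-check: an empty domain folder means the copy step was skipped, and an
    # authoritative (D4) restore would then push that emptiness to the other DCs.
    $domainFolder = Join-Path $env:SystemRoot ("SYSVOL\sysvol\" + $env:USERDNSDOMAIN)
    if (-not (Test-Path $domainFolder)) { return $false }
    return (@(Get-ChildItem -Path $domainFolder -Force).Count -gt 0)
}

function Set-BurFlagsD4 {
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $key = $hklm.OpenSubKey($BurFlagsKey, $true)   # $true = open writable
    if ($key -eq $null) { throw "Registry key not found: HKLM\$BurFlagsKey" }
    try {
        # D4 = authoritative restore: this DC's copy wins and is replicated outward.
        $key.SetValue('BurFlags', 0xD4, [Microsoft.Win32.RegistryValueKind]::DWord)
        return $key.GetValue('BurFlags')           # 212 (0xD4) when written
    } finally {
        $key.Close()
    }
}

function Wait-SysvolShares {
    param([int]$TimeoutSeconds = 300)
    # FRS re-creates the shares once it has processed BurFlags on startup.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $shares = Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name.ToUpper() }
        if (($shares -contains 'SYSVOL') -and ($shares -contains 'NETLOGON')) { return $true }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    return $false
}

if (-not (Test-SysvolPopulated)) {
    throw 'The SYSVOL domain folder is empty; copy it from a healthy DC first (step 1).'
}
$value = Set-BurFlagsD4
Write-Host ("BurFlags set to 0x{0:X}" -f $value)
Restart-Service -Name NtFrs -Force   # FRS reads BurFlags at startup and resets it to 0
if (Wait-SysvolShares) {
    Write-Host 'SYSVOL and NETLOGON are shared again.'
} else {
    Write-Warning 'Shares did not appear in time; check the File Replication Service event log (source NtFrs).'
}
```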

I hope this has been helpful if you find yourself running into the same problem!

Wednesday, February 17, 2010

Active Directory DNS Zone Locations

In this post I'm going to show you where the DNS zone files are stored in Active Directory. This may be required for troubleshooting problems with DNS.

In the Change Zone Replication Scope screen there are three places you can store a zone file:



When you select "To all DNS servers in this forest: kbomb.local" it stores it under:

CN=MicrosoftDNS,DC=ForestDNSZones,DC=kbomb,DC=local

You can get to this in ADSIEdit by navigating to:

DC=ForestDNSZones,DC=kbomb,DC=local





When you select "To all DNS servers in this domain: kbomb.local" it stores it under:

CN=MicrosoftDNS,DC=DomainDNSZones,DC=kbomb,DC=local

You can get to this in ADSIEdit by navigating to:

DC=DomainDNSZones,DC=kbomb,DC=local





When you select "To all domain controllers in this domain (for Windows 2000 compatibility): kbomb.local" it stores it under:

CN=MicrosoftDNS,CN=System,DC=kbomb,DC=local

You can get to this in ADSIEdit by navigating to:

DC=kbomb,DC=local
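An added PowerShell example (not from the original post) that searches the three containers listed above and reports which partition each AD-integrated zone is stored in, which is what you would otherwise browse for by hand in ADSIEdit. It assumes a domain-joined machine, an account that can read the DNS partitions, and that the forest root is the RootDSE rootDomainNamingContext.

```powershell
# Added example, not from the original post. Uses the .NET DirectoryServices
# classes that ship with PowerShell, so no extra modules are needed.

function Get-AdDnsZoneLocations {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNc = $rootDse.Properties['defaultNamingContext'].Value      # e.g. DC=kbomb,DC=local
    $forestNc = $rootDse.Properties['rootDomainNamingContext'].Value   # forest root domain

    # The three storage locations offered by Change Zone Replication Scope.
    $containers = @(
        @{ Scope = 'All DNS servers in this forest';  Dn = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestNc" },
        @{ Scope = 'All DNS servers in this domain';  Dn = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainNc" },
        @{ Scope = 'All DCs in this domain (Windows 2000 compatible)'; Dn = "CN=MicrosoftDNS,CN=System,$domainNc" }
    )

    foreach ($c in $containers) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot  = [ADSI]("LDAP://" + $c.Dn)
        $searcher.Filter      = '(objectClass=dnsZone)'
        $searcher.SearchScope = 'OneLevel'
        [void]$searcher.PropertiesToLoad.Add('name')
        try {
            $results = $searcher.FindAll()
        } catch {
            # A partition that was never created (no zones at that scope yet)
            # simply does not exist; report it and carry on with the next one.
            Write-Warning ("Cannot read {0}: {1}" -f $c.Dn, $_.Exception.Message)
            continue
        }
        foreach ($r in $results) {
            New-Object PSObject -Property @{
                Zone      = $r.Properties['name'][0]
                Scope     = $c.Scope
                Container = $c.Dn
            }
        }
        $results.Dispose()
    }
}

# A zone listed under two containers is worth a second look: the DNS server
# logs event 4515 when it finds the same zone in more than one partition.
Get-AdDnsZoneLocations | Sort-Object Zone | Format-Table Zone, Scope, Container -AutoSize
```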



Sunday, February 14, 2010

Exchange Unified Messaging Setup Guide

This post covers Exchange 2010 Unified Messaging and can be seen as a beginner's guide to help administrators understand the various components that make Unified Messaging work, along with a step-by-step guide to getting it up and running. Much of it also applies to Exchange 2007 Unified Messaging, as many of the components work the same way.

What is a UM Dial Plan?

A UM Dial Plan establishes a link from the telephone extension number of a Microsoft Exchange recipient in Active Directory to a UM-enabled mailbox.

A dial plan is an organization-wide configuration object, meaning it applies to every domain in your Exchange organisation (Active Directory forest).

When you set up a dial plan you need to configure:
- the number of digits in the extension numbers
- the Uniform Resource Identifier (URI) type
- the VoIP security settings for the dial plan.

When you create a UM dial plan, a UM mailbox policy is also created, called DialPlanName Default Policy.

Dial plans represent sets or groupings of IP PBXs that share a common user extension scheme. All user extensions on a PBX must contain the same number of digits. A UM dial plan mirrors a telephony dial plan, which is configured on the PBXs or IP PBXs.

In these telephony networks, there could be two users in Active Directory who have the same telephone extension number. UM dial plans resolve this situation. You can put the two users into two separate UM dial plans. This makes their extensions unique. A user can be a member of only one UM dial plan. You can also use a UM dial plan to establish a common set of policies for a group of users. For example, you can enable different languages for different UM dial plans, or you can enable different features for different UM dial plans.

So what is the Uniform Resource Identifier type?

A Uniform Resource Identifier (URI) is a string of characters used to identify a person. A URI defines the naming and numbering format used for calling people, contained within the Session Initiation Protocol (SIP) header of the incoming or outgoing call. As mentioned above, you configure this on the dial plan. Exchange Unified Messaging has three format types (URI types) that can be used when configuring dial plans:
- Telephone Extension
- SIP URI
- E.164

Telephone extension is the most common format used; e.g. a company may own the phone numbers 099431xxxx, where each user inside the organisation is given a 4-digit extension such as 4931. If your voice gateway or IP PBX presents just telephone extensions inside the SIP protocol, this is the choice to pick.

However, your voice gateway or IP PBX may instead speak E.164, which is the full international phone number, such as "+61 9 9431 4931". With E.164 your voice gateway would present "+61 9 9431 4931" to the Unified Messaging dial plan instead of "4931".

You just need to ensure your URI type matches the configuration of your voice gateway.

What is the UM Mailbox Policy?

At least one UM mailbox policy is required to enable users for Unified Messaging. UM mailbox policies are used to set Unified Messaging settings for UM-enabled users, such as:
- PIN Policies
- Dialing Restrictions
- Other general UM policies you want applied to your users.

As mentioned above, when you create your first dial plan a UM mailbox policy is also created, called DialPlanName Default Policy. Every UM mailbox policy must be linked to exactly one dial plan. Dial plans get applied to mailbox users through the mailbox policy. However, multiple mailbox policies can be linked to a single dial plan (a one-to-many relationship) if you wish to have different PIN policies, dialing restrictions, etc. for different users.

Each UM-enabled user MUST be linked to a single mailbox policy. When you enable a user for Unified Messaging it asks you which mailbox policy you wish to use.

What are UM IP Gateways?

A UM IP gateway establishes a logical link between Unified Messaging and the IP gateway or IP PBX. It is an object that sits in Active Directory and contains one or more hunt groups and other UM IP gateway configuration settings.

Each UM IP gateway object represents one physical device, an IP gateway or an IP PBX.

It is the UM IP gateway object and the UM hunt groups that establish the link between the hardware IP gateway device and the UM dial plans, so it looks like this:

Hardware IP Gateway Device --> UM IP Gateway --> UM Hunt Groups --> UM Dial Plan --> UM Mailbox Policies

It is possible to associate a single IP Gateway with multiple Dial Plans.

After you create a UM IP Gateway object, the Unified Messaging server associated with the UM IP gateway will send a SIP OPTIONS request to the IP gateway to ensure that the IP gateway is responsive. If the IP gateway doesn't respond to the SIP OPTIONS request from the Unified Messaging server, the Unified Messaging server will log an event with ID 1088 stating that the request failed.

Before an IP gateway can be used to process calls, a UM IP gateway must be associated with at least one UM dial plan. Also, at least one Unified Messaging server must be associated with at least one UM dial plan.

A Unified Messaging server communicates only with IP gateways or IP PBXs listed as a trusted SIP peer.

By default, IP gateways are left in an enabled state after they're created. However, the UM IP gateway can be enabled or disabled. If you disable a UM IP gateway, it can be in one of two disabled modes. The first disabled mode forces all associated Unified Messaging servers to drop existing calls. The second disabled mode forces the Unified Messaging server associated with the UM IP gateway to stop handling any new calls presented by the IP gateway.

What are hunt groups, and how do they apply to Unified Messaging?

Before relating them to Unified Messaging, let's clarify what a hunt group is.

Hunt group is a term used to describe a group of Private Branch eXchange (PBX) or IP PBX resources or extension numbers that are shared by users. Hunt groups are used to efficiently distribute calls into or out of a specific business unit. For example, a PBX or IP PBX might be configured to have 10 extension numbers for the sales department. The 10 sales extension numbers would be configured as one hunt group. In a PBX or IP PBX, hunt groups are used to efficiently locate an open line, extension, or channel when an incoming call is received.

In a telephony network, a hunt group is defined as a set of extension numbers grouped as a single logical unit. When an incoming call is received, the PBX or IP PBX uses the hunt group or group of extensions that are defined to hunt for an available or open line, extension, or channel that can be used to receive the call.

There are multiple algorithms or methods that have been created to be used by a PBX or IP PBX to define how the open line, extension, or channel will be located. These include:
- Round robin
- Most idle
- Start with lowest number

Creating and defining a hunt group in a PBX or IP PBX minimizes the chance that a caller who places an incoming call will receive a busy signal when the call is received.

Hunt groups are contacted by things called "Pilot Numbers".

In a telephony network, a PBX can be configured to have a single hunt group or multiple hunt groups. Each hunt group created on a PBX must have an associated pilot number. The PBX uses the pilot number to locate the hunt group and in turn locate the telephone extension number on which the incoming call was received. Without a defined pilot number, the PBX cannot locate where the incoming call was received.

A pilot number is the address or location of the hunt group inside the PBX. It is generally defined as a blank extension number, or one of the extensions inside the hunt group that doesn't have a person or telephone associated with it. For example, you configure a hunt group on a PBX that contains extension numbers 4100, 4101, 4102, 4103, 4104 and 4105, and the pilot number for the hunt group is configured as extension 4100. When a call is received on extension 4100, the PBX looks for the next number to determine where to deliver the call, in this case one of 4101, 4102, 4103, 4104 and 4105.

Using a pilot number helps eliminate busy signals and routes incoming calls to the circuits that are available. The pilot number is used as the target for Exchange Unified Messaging: on the PBX, the hunt group of numbers belonging to Unified Messaging users has a pilot number that directs the call to a Unified Messaging server's IP address or UM cluster IP address.

So now we know what hunt groups are and how they work, what needs to be configured in UM?

The UM hunt group is a logical representation of an existing PBX or IP PBX hunt group, so you need to make sure these match up exactly.

UM hunt groups act as a connection or link between the UM IP gateway and the UM dial plan as shown above.

Hardware IP Gateway Device --> UM IP Gateway --> UM Hunt Groups --> UM Dial Plan --> UM Mailbox Policies

Unified Messaging hunt groups are used to locate the PBX or IP PBX hunt group from which the incoming call was received. A pilot number defined for a hunt group in the PBX or IP PBX must also be defined within the UM hunt group. The pilot number is used to match the information presented for incoming calls through the Session Initiation Protocol (SIP) signaling message information on the message. The pilot number enables the Unified Messaging server to interpret the call together with the correct dial plan so that the call can be routed correctly. The absence of a hunt group prevents the Unified Messaging server from knowing the origin or location of the incoming call. It is very important to configure the UM hunt groups correctly, because incoming calls that don't correctly match the pilot number defined on the UM hunt group will not be answered, and incoming call routing will fail.

When you create a Unified Messaging hunt group, you are enabling all Unified Messaging servers that are specified within the UM dial plan to communicate with an IP gateway. If you delete the UM hunt group, the associated IP gateway will no longer service calls with the specified pilot number. If the IP gateway is left without remaining UM hunt groups, the IP gateway will be unable to handle incoming calls.
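An added Exchange Management Shell example (not from the original post) that audits the chain described above, UM IP gateway to UM hunt group to UM dial plan to UM mailbox policy, and reports the gaps the text warns about: gateways with no hunt group, hunt groups pointing at a missing dial plan, and dial plans with no UM server or no mailbox policy. It assumes the Exchange 2007/2010 UM cmdlets and the property names used below (UMIPGateway, UMDialPlan and PilotIdentifier on hunt groups; UMServers on dial plans; UMDialPlan on mailbox policies; Status and Address on gateways).

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell; the property names below are assumptions about the UM cmdlet output.

function Test-UMTopology {
    $gateways   = @(Get-UMIPGateway)
    $huntGroups = @(Get-UMHuntGroup)
    $dialPlans  = @(Get-UMDialPlan)
    $policies   = @(Get-UMMailboxPolicy)
    $findings   = @()

    foreach ($gw in $gateways) {
        # A gateway is only linked to a dial plan through its hunt groups; with
        # none, it cannot handle incoming calls at all.
        $gwHunt = @($huntGroups | Where-Object { $_.UMIPGateway.Name -eq $gw.Name })
        if ($gwHunt.Count -eq 0) {
            $findings += "Gateway '$($gw.Name)' ($($gw.Address)) has no UM hunt group; its calls will not be answered."
        }
        # Disabled gateways are either dropping calls or refusing new ones.
        if ($gw.Status -ne 'Enabled') {
            $findings += "Gateway '$($gw.Name)' is in state '$($gw.Status)'."
        }
        foreach ($hg in $gwHunt) {
            # The pilot identifier must match the PBX pilot number exactly, so
            # list it for comparison against the PBX configuration.
            Write-Verbose "Gateway '$($gw.Name)': hunt group '$($hg.Name)' pilot '$($hg.PilotIdentifier)' -> dial plan '$($hg.UMDialPlan.Name)'"
        }
    }

    foreach ($hg in $huntGroups) {
        $dp = $dialPlans | Where-Object { $_.Name -eq $hg.UMDialPlan.Name }
        if (-not $dp) {
            $findings += "Hunt group '$($hg.Name)' references a dial plan that does not exist ('$($hg.UMDialPlan.Name)')."
        }
    }

    foreach ($dp in $dialPlans) {
        # Calls for a dial plan need at least one UM server, and users can only
        # be UM-enabled on it through a mailbox policy linked to it.
        if (@($dp.UMServers).Count -eq 0) {
            $findings += "Dial plan '$($dp.Name)' has no UM server associated with it."
        }
        $dpPolicies = @($policies | Where-Object { $_.UMDialPlan.Name -eq $dp.Name })
        if ($dpPolicies.Count -eq 0) {
            $findings += "Dial plan '$($dp.Name)' has no UM mailbox policy; users cannot be enabled on it."
        }
        $dpHunt = @($huntGroups | Where-Object { $_.UMDialPlan.Name -eq $dp.Name })
        if ($dpHunt.Count -eq 0) {
            $findings += "Dial plan '$($dp.Name)' is not reachable from any gateway (no hunt group points to it)."
        }
    }
    return $findings
}

$issues = @(Test-UMTopology)
if ($issues.Count -eq 0) {
    Write-Host 'UM topology chain is complete: every gateway, hunt group, dial plan and policy is linked.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```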

What are Auto Attendants?

Auto attendants help internal and external callers locate users or departments in an organization and transfer calls to them; they basically route calls to the correct location. Think of an auto attendant as a receptionist.

Unlike other Unified Messaging objects, such as UM dial plans and UM IP gateways, you aren't required to create UM auto attendants.

I generally do not like dealing with auto attendants. As an end user I prefer speaking to a receptionist instead of listening to a computer saying press 1 for claims, press 2 for billing enquiries, press 3 for technical support. I find it very annoying! However, if your company does want to cut costs and implement an auto attendant in Unified Messaging instead of hiring a receptionist, please see this Microsoft TechNet link for more information on how this works:

http://technet.microsoft.com/en-us/library/bb124724.aspx

What order do I setup the Unified Messaging Components?

Setup the unified messaging components in this order:

- Dial Plans
- Mailbox Policies
- IP Gateways
- Hunt Groups
- Auto Attendants
- Add the UM Servers
- Enable Users for UM

Can you show me how to setup Unified Messaging?

Sure - below we will go through the setup of a stand-alone (non-clustered) Unified Messaging server using PowerShell. I am not going to go through the actual installation of the Unified Messaging role on a server, as this is just next... next... next.

For all the commands below you can view the full syntax by typing Get-Help <command> -Detailed. For example:

Get-Help New-UMIPGateway -Detailed

Step 1

Setup the UM Dial Plan:

New-UMDialPlan -Name "Corporate Dial Plan" -NumberOfDigitsInExtension 4 -GenerateUMMailboxPolicy $true -UriType TelExtn



Step 2

Set up the UM Mailbox Policy. Above we specified -GenerateUMMailboxPolicy $true, which creates a default mailbox policy named after the dial plan ("Corporate Dial Plan Default Policy"). We can view it by running:

Get-UMMailboxPolicy | fl



If you wish to change any of these values, use Set-UMMailboxPolicy with the policy name and the parameter to change. For example, to require PINs of at least six digits:

Set-UMMailboxPolicy -Identity "Corporate Dial Plan Default Policy" -MinPINLength 6

Remember if you want help on what all these attributes mean you can use:

Get-Help Set-UMMailboxPolicy -Detailed

Additionally you can create new mailbox policies and link them to your dial plan by using:

New-UMMailboxPolicy -Name "Executive Policy" -UMDialPlan "Corporate Dial Plan"

Step 3

Create the IP Gateway. Remember we mentioned above that the IP Gateway needs to be linked to a Dial Plan, so we link it to "Corporate Dial Plan". The address is the PBX/IP PBX the UM server will accept SIP traffic from:

New-UMIPGateway -Name "Cisco Unified Communications Manager 7.1.3" -UMDialPlan "Corporate Dial Plan" -Address 10.10.10.3



Step 4

Create the hunt group(s). The -PilotIdentifier must be the pilot number configured on the PBX for this hunt group, otherwise incoming calls will not be matched:

New-UMHuntGroup -Name "Corporate Hunt Group" -PilotIdentifier "1000" -UMDialPlan "Corporate Dial Plan" -UMIPGateway "Cisco Unified Communications Manager 7.1.3"



Step 5

Add the Unified Messaging server to the dial plan. I set MaxCallsAllowed to 20 in this instance. Note that -DialPlans replaces the server's whole dial plan list, so include any existing dial plans if the server already serves others.

Set-UMServer -Identity servername -DialPlans "Corporate Dial Plan" -MaxCallsAllowed 20



Step 6

The last step is to enable users for Unified Messaging. You can use PowerShell or the console for this. With PowerShell, enable and disable look like this (-PinExpired $true forces the user to change the generated PIN at first login):

Enable-UMMailbox -Identity jsmith -UMMailboxPolicy "Corporate Dial Plan Default Policy" -Extensions 1234 -PinExpired $true

Disable-UMMailbox -Identity jsmith

However, the service desk is generally going to be doing this, so I will show you how to use the Exchange Management Console:

Open the management console, expand recipient configuration --> mailbox. Right click the user you wish to enable unified messaging for and click "Enable Unified Messaging":



Specify the Unified Messaging Mailbox Policy we created above. I suggest Automatically generating the PIN. Unified Messaging sends an email to the user giving them their PIN.



"Automatically generated mailbox extension" takes the extension from the ipPhone attribute of the user's account in AD.

Alternatively you can choose "Manually entered mailbox extension", which is what we are going to do here.



Step 7

Set your UM dial plan audio codec. I didn't set it when creating the dial plan, so by default it was set to WMA. However, the Cisco Unified Communications Manager 7.1.3 uses G.711, so change it by typing:

Set-UMDialPlan "Corporate Dial Plan" -AudioCodec G711
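The seven steps above as one re-runnable script, with a check after each stage so a second run reports instead of failing on objects that already exist. This is an added example, not code from the original post; the dial plan, gateway and hunt group names and the gateway address are the post's own, while the server name, user, extension and minimum PIN length are assumptions.

```powershell
# Added example: Steps 1-7 of the UM build, idempotent, with verification at the end.
$dialPlanName = "Corporate Dial Plan"
$gatewayName  = "Cisco Unified Communications Manager 7.1.3"
$gatewayAddr  = "10.10.10.3"
$huntGroup    = "Corporate Hunt Group"
$pilot        = "1000"
$umServer     = "servername"   # assumption: replace with the UM server's name
$user         = "jsmith"       # assumption: any mailbox-enabled user
$extension    = "1234"         # assumption: 4 digits, matching NumberOfDigitsInExtension

# Step 1: dial plan, with the Step 7 codec change applied straight after creation
if (-not (Get-UMDialPlan -Identity $dialPlanName -ErrorAction SilentlyContinue)) {
    New-UMDialPlan -Name $dialPlanName -NumberOfDigitsInExtension 4 `
        -GenerateUMMailboxPolicy $true -UriType TelExtn | Out-Null
}
Set-UMDialPlan -Identity $dialPlanName -AudioCodec G711

# Step 2: the policy generated with the dial plan; tighten the PIN length while here
$policy = Get-UMMailboxPolicy |
    Where-Object { $_.UMDialPlan.Name -eq $dialPlanName } |
    Select-Object -First 1
if (-not $policy) { throw "No UM mailbox policy is linked to '$dialPlanName'" }
Set-UMMailboxPolicy -Identity $policy.Identity -MinPINLength 6   # assumption: 6-digit minimum

# Step 3: IP gateway, linked to the dial plan
if (-not (Get-UMIPGateway -Identity $gatewayName -ErrorAction SilentlyContinue)) {
    New-UMIPGateway -Name $gatewayName -UMDialPlan $dialPlanName -Address $gatewayAddr | Out-Null
}

# Step 4: hunt group; the pilot must equal the pilot number configured on the PBX
$existing = Get-UMHuntGroup |
    Where-Object { $_.UMIPGateway.Name -eq $gatewayName -and $_.PilotIdentifier -eq $pilot }
if (-not $existing) {
    New-UMHuntGroup -Name $huntGroup -PilotIdentifier $pilot `
        -UMDialPlan $dialPlanName -UMIPGateway $gatewayName | Out-Null
}

# Step 5: add the UM server to the dial plan and cap concurrent calls.
# -DialPlans replaces the whole list: add existing plans here if the server serves more than one.
Set-UMServer -Identity $umServer -DialPlans $dialPlanName -MaxCallsAllowed 20

# Step 6: enable the user; PinExpired forces a PIN change at first login
if (-not (Get-UMMailbox -Identity $user -ErrorAction SilentlyContinue)) {
    Enable-UMMailbox -Identity $user -UMMailboxPolicy $policy.Identity `
        -Extensions $extension -PinExpired $true
}

# Verification: each object exists and points at the right thing
$dp = Get-UMDialPlan -Identity $dialPlanName
"Dial plan '$($dp.Name)': $($dp.NumberOfDigitsInExtension)-digit extensions, codec $($dp.AudioCodec)"
Get-UMHuntGroup | Where-Object { $_.UMDialPlan.Name -eq $dialPlanName } |
    Format-Table Name, PilotIdentifier, UMIPGateway, UMDialPlan -AutoSize
$serverPlans = (Get-UMServer -Identity $umServer).DialPlans | ForEach-Object { $_.Name }
if ($serverPlans -notcontains $dialPlanName) {
    Write-Warning "$umServer is not a member of '$dialPlanName'"
}
```

Run it from the Exchange Management Shell on a server with the UM role; the final block is the part worth keeping as a health check after any change to the PBX side, since a pilot number that drifts from the PBX configuration is the most common reason calls stop being answered.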

Wednesday, February 10, 2010

Dynamically Set SPN's for SQL Service Accounts

SQL Server service accounts must have an SPN (service principal name) registered for Kerberos authentication to work. If the service runs as Local System or as a Domain Admin, the SPN is registered automatically at service start-up. If your SQL service account is an ordinary domain user, it does not have permission to write its own servicePrincipalName attribute and the automatic registration fails. The usual way around this is to use setspn.exe as an administrator and register the SPN on the account's behalf. setspn.exe ships with the Windows Server 2003 Support Tools and is built into Windows Server 2008.

I am going to show you another way how to do this - to allow a non-Domain Admin SQL service account to dynamically register its own SPN without having to use setspn.exe.

1. Click Start, click Run, type Adsiedit.msc, and then click OK.

2. In the ADSI Edit snap-in, expand Domain [DomainName], expand DC= RootDomainName, expand CN=Users, right-click CN= AccountName, and then click Properties.

3. In the CN= AccountName Properties dialog box, click the Security tab.

4. On the Security tab, click Advanced.

5. In the Advanced Security Settings dialog box, make sure that SELF is listed under Permission entries. If SELF is not listed, click Add, and then add SELF.

6. Under Permission entries, click SELF, and then click Edit.

7. In the Permission Entry dialog box, click the Properties tab

8. On the Properties tab, click This object only in the Apply onto list, and then make sure that the check boxes for the following permissions are selected under Permissions:
- Read servicePrincipalName
- Write servicePrincipalName

9. Click OK three times, and then exit the ADSI Edit snap-in.

Below is a screenshot of the configuration required:



This will allow the SQL service account to register its own SPN at service start-up, so you do not have to worry about using setspn.exe any more. Keep the permission scoped to "This object only", as in step 8, so the account can only write its own servicePrincipalName attribute.
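The same permission the ADSI Edit steps grant (SELF: Read and Write servicePrincipalName, applied to this object only), set with the .NET DirectoryServices classes so it can be scripted for many service accounts and checked before it is changed. This is an added example, not from the original post; the account DN and sAMAccountName are placeholders, and it must run as an account allowed to modify the service account's security descriptor.

```powershell
# Added example: grant NT AUTHORITY\SELF Read/Write servicePrincipalName on one account.
$accountDn = "CN=svc-sql,OU=Service Accounts,DC=corp,DC=example"   # assumption: placeholder DN
$samName   = "svc-sql"                                              # assumption: placeholder name

# Well-known constants: the SID of SELF and the schemaIDGUID of servicePrincipalName
$self    = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-10")
$spnGuid = [Guid]"28630ebb-41d5-11d1-a9c1-0000f80367c1"
$write   = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$entry = [ADSI]"LDAP://$accountDn"
$acl   = $entry.psbase.ObjectSecurity

function Test-SelfSpnWrite {
    # True if an Allow ACE for SELF already grants WriteProperty on servicePrincipalName
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    $rules = $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $self.Value -and
            $r.ObjectType -eq $spnGuid -and
            $r.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            (([int]$r.ActiveDirectoryRights) -band $write) -ne 0) {
            return $true
        }
    }
    return $false
}

if (Test-SelfSpnWrite $acl) {
    "SELF can already write servicePrincipalName on $accountDn"
} else {
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
              [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    # Inheritance 'None' is the same as "Apply onto: This object only" in ADSI Edit
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $self, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $spnGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    $entry.psbase.CommitChanges()
    "Granted SELF Read/Write servicePrincipalName on $accountDn"
}

# After the SQL service has been restarted, confirm it registered its SPN(s)
setspn -L $samName
```

If setspn -L still shows nothing after a restart, check the SQL Server error log: it records whether SPN registration succeeded and the exact SPN it tried to write, which is also the quickest way to spot an SPN already registered on a different account.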

Cannot generate SSPI context. (Microsoft SQL Server)

When logging into a SQL Server 2005 instance you may experience the following error:

Cannot generate SSPI context. (Microsoft SQL Server)



The "Cannot generate SSPI context" error is generated when SSPI uses Kerberos to authenticate over TCP/IP and Kerberos cannot complete the operations needed to present the user's security token to the computer that is running SQL Server, typically because the SPN for the instance is missing, registered on the wrong account, or duplicated.

There are a number of causes for this error; they can be found here:

http://support.microsoft.com/kb/811889

In my case I am currently doing a domain migration to a new forest. As part of the ADMT migration process you need to migrate service accounts. When the ADMT agent replaced the service account for my SQL services with the account from the domain in the other forest, this error started occurring.

The reason is that SSPI (Security Support Provider Interface) requires its service accounts to be located in the same Active Directory forest. It doesn't matter if they are in other domains; it just must be the same forest. To get around this I just set all the SQL services to "Local System" instead of using the service account for the migration. When the SQL server gets migrated to the new domain, these accounts can be set back to service accounts.



If you are having this issue I highly recommend a full read of Microsoft KB811889 as it explains this in great detail.
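A quick way to see which of the KB 811889 cases you are in: search the global catalog for the MSSQLSvc SPNs of the instance and report whether each is missing, held by one account, or duplicated. This is an added example, not from the original post; the host name and port are placeholders. In the migration scenario described above the search comes back empty for the new account, because the holder lives in the other forest and is not in this forest's global catalog.

```powershell
# Added example: find which account(s) in this forest hold the MSSQLSvc SPNs for a host.
$sqlHost = "sql01.corp.example"   # assumption: FQDN of the SQL Server host
$port    = 1433                   # assumption: instance port

function Get-SpnHolders {
    # Returns the sAMAccountName of every object whose servicePrincipalName contains $Spn.
    # The global catalog is searched so accounts in other domains of this forest are seen.
    param([string]$Spn)
    $rootDse = [ADSI]"LDAP://RootDSE"
    $root    = [string]$rootDse.rootDomainNamingContext
    $gc      = [ADSI]"GC://$root"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($gc, "(servicePrincipalName=$Spn)")
    $searcher.PropertiesToLoad.Add("sAMAccountName") | Out-Null
    $searcher.FindAll() | ForEach-Object { $_.Properties["samaccountname"][0] }
}

# Clients request both forms; the port-qualified one is what a TCP connection uses
foreach ($spn in "MSSQLSvc/$sqlHost", "MSSQLSvc/${sqlHost}:$port") {
    $holders = @(Get-SpnHolders $spn)
    switch ($holders.Count) {
        0       { "$spn : NOT REGISTERED in this forest - register it on the account the SQL service runs as" }
        1       { "$spn : registered on $($holders[0]) - confirm this is the service account" }
        default { "$spn : DUPLICATE on $($holders -join ', ') - Kerberos will fail until only one remains" }
    }
}
```

Run it from any domain-joined machine as a user with read access to the directory. A result of exactly one holder that matches the account shown for the SQL service in services.msc means the SPN is not the problem and the remaining KB 811889 causes (clock skew, DNS, the client falling back from a cached ticket) are where to look next.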

Wednesday, February 3, 2010

Understanding Microsoft's Trust Vocabulary

In Windows Server operating systems prior to Windows Server 2008, Microsoft described the direction of a domain trust with the terms "trusted" and "trusting". In Windows Server 2008 the same directions are labelled "incoming" and "outgoing" in Active Directory Domains and Trusts.

An "outgoing trust" (listed under "Domains trusted by this domain") means this domain trusts the other domain: the other domain is the "trusted" domain and this one is the "trusting" domain.

An "incoming trust" (listed under "Domains that trust this domain") is the reverse: the other domain trusts this domain, so this one is the "trusted" domain.

Ok how does this relate to my network?

Well the easiest way to explain this is with a diagram.



If we want users in Domain 3 to access network resources in Domain 1, we create a "trusted", now known as "outgoing", trust from Domain 1 to Domain 3. Users in Domain 3 are then able to print on Domain 1's printers and access Domain 1's files, SharePoint and other network resources. However, Domain 1 users cannot access Domain 3. One thing I used to find confusing was the arrow. The arrow represents the trust, not what users have access to. For a long time I used to draw it the wrong way around, because I thought "users in Domain 3 have access to resources in Domain 1, so I'll draw the arrow FROM Domain 3 TO Domain 1". That is not the case, so be careful with this.
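To see the directions of your own trusts in both vocabularies at once, the .NET Active Directory classes on Windows Server 2008 return each trust with its direction relative to the current domain. This is an added example, not from the original post; it needs no extra modules and assumes only that it runs on a domain-joined machine.

```powershell
# Added example: list every trust of the current domain and spell out who trusts whom.
function Get-TrustMeaning {
    # Translate a TrustRelationshipInformation into the trusting/trusted wording used above.
    param([System.DirectoryServices.ActiveDirectory.TrustRelationshipInformation]$Trust)
    $here  = $Trust.SourceName   # the current domain
    $there = $Trust.TargetName   # the other side of the trust
    switch ("$($Trust.TrustDirection)") {
        # Outbound (outgoing): we trust them, so their users can use our resources
        "Outbound" {
            "$here -> $there (outgoing): $here is the trusting domain, $there is the trusted domain; " +
            "$there users can access $here resources"
        }
        # Inbound (incoming): they trust us, so our users can use their resources
        "Inbound" {
            "$there -> $here (incoming): $there is the trusting domain, $here is the trusted domain; " +
            "$here users can access $there resources"
        }
        "Bidirectional" {
            "$here <-> $there (two-way): each domain trusts the other; users on both sides can access the other's resources"
        }
        default { "$here / $there : unexpected direction '$($Trust.TrustDirection)'" }
    }
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($t in $domain.GetAllTrustRelationships()) {
    "{0,-12} {1}" -f $t.TrustType, (Get-TrustMeaning $t)
}
```

The arrow in each line is drawn from the trusting domain to the trusted domain, which is the same convention as the diagram above, and the sentence after it states the access that results, so the two are never confused.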