To find out which domain controller your PC is talking to, use the following command:
nltest /dsgetdc:domainname.local
This is very handy when testing your Active Directory Sites and Services topology to ensure it is set up correctly. If you want to understand the process by which a client computer locates its domain controller, please see this post:
http://clintboessen.blogspot.com/2010/05/how-clients-locate-domain-controllers.html
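As an added example (not part of the original post), the following PowerShell wraps the nltest call above and pulls out the two fields that matter when checking a site topology: the site the DC believes the client is in ("Our Site Name") and whether the DC reports itself as being in the client's closest site (the CLOSE_SITE flag). The sample output embedded in the script is constructed so the parser can be exercised offline; the domain name is a placeholder, and nltest.exe is assumed to be available on the machine.

```powershell
# Added example, not from the original post. Parses "nltest /dsgetdc:<domain>" output
# and flags a client that has no site (no matching subnet object) or a DC that is
# not in the client's closest site. Field labels follow nltest's own output format.

function ConvertFrom-NltestDsGetDc {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = [ordered]@{}
    foreach ($line in $Lines) {
        # Each field is "   Label: value"; labels may contain spaces ("Dc Site Name").
        if ($line -match '^\s*([A-Za-z ]+?):\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    [pscustomobject]@{
        DomainController = $fields['DC']
        Address          = $fields['Address']
        DcSite           = $fields['Dc Site Name']
        ClientSite       = $fields['Our Site Name']
        Flags            = @(($fields['Flags'] -split '\s+') | Where-Object { $_ })
    }
}

function Test-DcLocatorResult {
    param([Parameter(Mandatory)]$Parsed)

    $issues = @()
    if (-not $Parsed.ClientSite) {
        # The DC could not map the client IP to a subnet object, so it returned a NULL
        # site name and the client will keep whichever DC answered, possibly across the WAN.
        $issues += 'Client IP is not covered by any AD subnet object (NULL site). Add a subnet for it.'
    }
    if ($Parsed.Flags -notcontains 'CLOSE_SITE') {
        $issues += "DC $($Parsed.DomainController) (site $($Parsed.DcSite)) is not in the site closest to the client."
    }
    if ($issues.Count -eq 0) { 'OK: talking to a DC in the closest site.' } else { $issues }
}

# Constructed sample in the layout nltest prints (placeholder domain); note the empty
# "Our Site Name" and the missing CLOSE_SITE flag, which is exactly the case to catch.
$sample = @'
           DC: \\DC1.domainname.local
      Address: \\10.1.0.10
     Dom Name: domainname.local
  Forest Name: domainname.local
 Dc Site Name: HeadOffice
Our Site Name:
        Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST FULL_SECRET 0x4000
The command completed successfully
'@ -split "`r?`n"

Test-DcLocatorResult (ConvertFrom-NltestDsGetDc $sample)

# Live check on a domain-joined machine (replace the placeholder domain name):
# Test-DcLocatorResult (ConvertFrom-NltestDsGetDc (nltest /dsgetdc:domainname.local))
```

Running the live version from a workstation at each branch is a quick way to confirm the Sites and Services subnet objects: any site where the script reports a NULL client site or a DC without CLOSE_SITE has a subnet or site-link problem worth fixing before users notice slow logons.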
Wednesday, May 26, 2010
Thursday, May 20, 2010
Application Management Error Event ID 102
I ran into the following problem when deploying managed software via group policy today. I received the following error in my event logs.
Event Type: Error
Event Source: Application Management
Event Category: None
Event ID: 102
Date: 5/21/2010
Time: 12:09:05 PM
User: NT AUTHORITY\SYSTEM
Computer: CITRIX2
Description:
The install of application Microsoft Office Professional Edition 2003 from policy Terminal Services Software Installation failed. The error was : This installation is forbidden by system policy. Contact your system administrator.
This error will occur if Windows Installer is not able to run. In my case, what was preventing it was that I had a group policy computer setting called "Disable Microsoft Windows Installer" set to "Enabled - Always". This policy is under:
Computer Configuration --> Administrative Templates --> Windows Components --> Windows Installer
After setting this to disabled temporarily, my group policy software deployment worked.
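The following PowerShell is an added example, not part of the original post: it reads the registry value that this group policy setting writes and reports whether the current value would block a managed (group policy deployed) install. The mapping used is the documented one for the policy: the DisableMSI value under HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer is 0 (Never), 1 (For non-managed applications only) or 2 (Always); the function and its output fields are my own naming.

```powershell
# Added example, not from the original post. Decodes the "Disable Windows Installer"
# policy value so Event ID 102 ("forbidden by system policy") can be traced to it
# without opening the Group Policy editor.

function Resolve-DisableMsiValue {
    param($Value)   # $null when the policy is not configured

    $setting, $blocksManaged =
        if ($null -eq $Value) { 'Not configured', $false }
        elseif ($Value -eq 0) { 'Enabled - Never', $false }
        elseif ($Value -eq 1) { 'Enabled - For non-managed applications only', $false }
        elseif ($Value -eq 2) { 'Enabled - Always', $true }
        else                  { "Unknown value $Value", $true }

    [pscustomobject]@{
        DisableMSI            = $Value
        Setting               = $setting
        BlocksManagedInstalls = $blocksManaged   # $true = GPO software installation will fail
    }
}

function Get-WindowsInstallerPolicyState {
    $path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    # Returns $null when the key or value does not exist, i.e. policy not configured.
    $value = (Get-ItemProperty -Path $path -Name DisableMSI -ErrorAction SilentlyContinue).DisableMSI
    Resolve-DisableMsiValue $value
}

# The case from the event above: "Enabled - Always" blocks managed installs too.
Resolve-DisableMsiValue 2

# Live check on the server that logged Event ID 102:
Get-WindowsInstallerPolicyState
```

If the goal of the policy was to stop users installing their own MSI packages, the "For non-managed applications only" setting (value 1) keeps that restriction while still allowing installs assigned through group policy, so it is the setting to prefer over disabling the policy temporarily.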
How Clients Locate Domain Controllers
When a computer attempts to locate a domain controller, a process called the domain controller locator (Locator) is initiated so the appropriate Active Directory domain controller can be located. Locator uses information that is stored in Active Directory and DNS to attempt to find a domain controller with the desired roles and that is located in a site closest to the client.
The Locator uses information that is defined in the Configuration container in the forest root domain, which is replicated to every domain controller in the forest. Site objects, subnet objects, and domain controller server objects are all imperative for the Locator to find the closest domain controller for a client computer. Site objects are used to represent Active Directory sites. Subnet objects are used to represent IP address segments and are associated with the appropriate site object. Domain controller server objects are used to represent domain controllers and are associated with a site object.
Active Directory domain controllers register DNS records that specify the site in which the DC resides. The number of DNS records that each domain controller registers depends on the roles the DC has. For example, a DC that is a Global Catalog server will register an additional DNS record that advertises itself as such. Similarly, a domain controller that holds an Operations Master role will register a DNS record that advertises itself as this.
The process for a client computer to locate a domain controller is as follows:
1. The Locator is initiated on the client computer as a remote procedure call (RPC) to the local Net Logon service.
2. The client collects the information that is needed to select a domain controller and passes the information to the Net Logon service.
3. The Net Logon service on the client computer uses the collected information to build a query to send to DNS to identify the appropriate domain controller.
4. The Net Logon service on the client computer sends a datagram to the discovered domain controllers.
5. The directory service intercepts the query and passes it to the Net Logon service on the domain controller.
6. The Net Logon service on the domain controller looks up the client IP address in its subnet-to-site mapping table by finding the subnet object that most closely matches the client IP address and then returns the following information to the client: the name of the site in which the client is located, or the site that most closely matches the client IP address; the name of the site in which the current domain controller is located; and a bit that indicates whether the found DC is located in the site closest to the client.
7. The client inspects the information to determine whether it should try to find a better domain controller. The decision is made as follows: If the returned domain controller is in the closest site, the client uses this domain controller; If the client has found a DC in the site in which the DC claims the client is located, the client uses this domain controller; If the DC is not in the closest site, the client updates its site information and sends a new DNS query to find a new DC in the site. If the second query is successful, the new DC is used. If the second query fails, the original DC is used.
8. If the domain that is being queried by the client is the same as the domain to which the computer is joined, the site in which the computer resides is stored in the registry on the client computer.
9. After the client locates a DC, the domain controller entry is cached. If the domain controller is not in the optimal site, the client flushes the cache after fifteen minutes and discards the cache entry. It then attempts to find an optimal domain controller in the same site as the client.
In the case where a client computer uses an IP address that is not represented in the subnet-to-site mapping table, the DC returns a NULL site name and the client uses the returned domain controller, which may reside in any Active Directory site.
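As an added example that is not part of the original article, the PowerShell below performs the subnet-to-site lookup described in step 6 the way a domain controller does it: the subnet object with the longest prefix that contains the client IP wins, and a client that matches no subnet gets a NULL site. The subnet list is constructed sample data standing in for the subnet objects in the Configuration container (the site names are invented); the commented query at the end shows how to feed it real data with the ActiveDirectory module.

```powershell
# Added example, not from the original article. Longest-prefix subnet-to-site
# matching over a constructed subnet list, including the "no matching subnet"
# case that produces a NULL site name.

function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    # Plain arithmetic keeps the value unsigned without relying on shift semantics.
    [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}

function Resolve-ClientSite {
    param(
        [Parameter(Mandatory)][string]$ClientIP,
        [Parameter(Mandatory)][object[]]$Subnets   # objects with Name ('10.1.0.0/16') and Site
    )
    $client = ConvertTo-IPv4Number $ClientIP
    $best = $null
    foreach ($subnet in $Subnets) {
        $network, $prefix = $subnet.Name -split '/'
        $prefix = [int]$prefix
        # Network mask for the prefix length, e.g. /24 -> 0xFFFFFF00.
        $mask = [uint64]4294967295 - ([uint64][math]::Pow(2, 32 - $prefix) - 1)
        $net  = ConvertTo-IPv4Number $network
        if ((($client -band $mask) -eq ($net -band $mask)) -and
            ($null -eq $best -or $prefix -gt $best.Prefix)) {
            $best = [pscustomobject]@{ Subnet = $subnet.Name; Site = $subnet.Site; Prefix = $prefix }
        }
    }
    if ($null -eq $best) {
        # No subnet object covers this client: the DC returns a NULL site name and the
        # client keeps whichever DC answered, which may sit in any site.
        return [pscustomobject]@{ ClientIP = $ClientIP; Subnet = $null; Site = $null }
    }
    [pscustomobject]@{ ClientIP = $ClientIP; Subnet = $best.Subnet; Site = $best.Site }
}

# Constructed sample subnets (invented site names), including a catch-all /8.
$sampleSubnets = @(
    [pscustomobject]@{ Name = '10.0.0.0/8';     Site = 'Catch-All' },
    [pscustomobject]@{ Name = '10.1.0.0/16';    Site = 'HeadOffice' },
    [pscustomobject]@{ Name = '10.1.50.0/24';   Site = 'HeadOffice-Lab' },
    [pscustomobject]@{ Name = '192.168.5.0/24'; Site = 'BranchA' }
)

'10.1.50.7', '10.1.2.3', '10.9.9.9', '172.16.0.5' |
    ForEach-Object { Resolve-ClientSite -ClientIP $_ -Subnets $sampleSubnets }

# Live data instead of the sample (requires the ActiveDirectory module, Server 2012 or later):
# $live = Get-ADReplicationSubnet -Filter * |
#     Select-Object Name, @{ n = 'Site'; e = { (($_.Site -split ',')[0]) -replace '^CN=' } }
```

The four sample addresses cover the interesting cases: the first falls inside both the /16 and the /24 and the /24 wins, the second matches only the /16, the third is caught by the /8 catch-all, and the last matches nothing and comes back with a NULL site. Running the live variant against your own subnet list with the IP ranges of each office is a direct way to find the gaps the catch-all article is about.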
To find out which domain controller your PC is talking to, which is handy for troubleshooting purposes, visit this blog post:
http://clintboessen.blogspot.com/2010/05/how-to-find-out-which-domain-controller.html
Please note that the contents of this blog post were written by John Policelli as part of the article "Using Catch-All Subnets in Active Directory". John Policelli reserves all rights to the content posted above. Please view the original article posted here:
http://technet.microsoft.com/en-us/magazine/2009.06.subnets.aspx
Wednesday, May 19, 2010
How to import NK2 Files into Outlook 2010 Suggested Contacts
To import contacts from your old outlook.nk2 file into the Exchange 2010 Suggested Contacts list, follow this procedure:
To import .nk2 files into Outlook 2010, follow these steps:
1. Make sure that the .nk2 file is in the following folder:
%appdata%\Microsoft\Outlook
Note: The .nk2 file must have the same name as your current Outlook 2010 profile. By default, the profile name is "Outlook." To check the profile name, follow these steps:
a. Click Start, and then click Control Panel.
b. Double-click Mail.
c. In the Mail Setup dialog box, click Show Profiles.
2. Click Start, and then click Run.
3. In the Open box, type outlook.exe /importnk2, and then click OK. This should import the .nk2 file into the Outlook 2010 profile.
Note: After you import the .nk2 file, the contents of the file are merged into the existing nickname cache that is currently stored in your mailbox.
After the import is finished, the .nk2 file is renamed with a . file name extension on the first start of Outlook 2010. Therefore, if you want to re-import the .nk2 file, remove the . file name extension first.
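The check in step 1 (the .nk2 file name must equal the profile name) is the part that usually goes wrong, so here is an added PowerShell example, not part of the original post, that lists the .nk2 files in the Outlook folder next to the profile names and says which ones are ready to import. It assumes Outlook 2010 keeps its profiles under the Windows Messaging Subsystem registry key shown in the script (later Outlook versions use a different key); the function names are my own.

```powershell
# Added example, not from the original post. Verifies the .nk2 / profile-name
# precondition before running "outlook.exe /importnk2".

function Get-Outlook2010ProfileName {
    # Assumption: Outlook 2010 profile location (Outlook 2013+ moved this key).
    $key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles'
    if (Test-Path $key) { (Get-ChildItem -Path $key).PSChildName } else { @() }
}

function Test-Nk2ImportReady {
    param(
        [string[]]$ProfileNames  = (Get-Outlook2010ProfileName),
        [string]  $OutlookFolder = (Join-Path $env:APPDATA 'Microsoft\Outlook')
    )
    $nk2Files = Get-ChildItem -Path $OutlookFolder -Filter '*.nk2' -ErrorAction SilentlyContinue
    if (-not $nk2Files) {
        return "No .nk2 file found in $OutlookFolder; copy the old file there first."
    }
    foreach ($file in $nk2Files) {
        # -contains on a string array is case-insensitive, matching Windows file names.
        $matches = $ProfileNames -contains $file.BaseName
        [pscustomobject]@{
            File           = $file.Name
            MatchesProfile = $matches
            NextStep       = if ($matches) { 'Ready: run  outlook.exe /importnk2' }
                             else { "Rename to one of: $($ProfileNames -join ', ')" }
        }
    }
}

# Live check for the current user:
Test-Nk2ImportReady

# Offline check with constructed inputs (placeholder folder):
# Test-Nk2ImportReady -ProfileNames 'Outlook' -OutlookFolder 'C:\Temp\nk2test'
```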
Monday, May 17, 2010
msExchMasterAccountSid For Disabled Accounts
I moved all exchange mailboxes from one Exchange 2003 server to another Exchange 2003 server. After the migration of these user mailboxes I received the following errors only for disabled accounts.
Event Type: Warning
Event Source: MSExchangeIS
Event Category: General
Event ID: 9548
Date: 5/18/2010
Time: 9:15:46 AM
User: N/A
Computer: MAIL1
Description:
Disabled user /o=Company Organisation Name/ou=First Administrative Group/cn=Recipients/cn=User Name does not have a master account SID. Please use Active Directory MMC to set an active account as this user's master account.
Event Type: Error
Event Source: MSExchangeIS Mailbox Store
Event Category: Logons
Event ID: 1022
Date: 5/18/2010
Time: 9:15:49 AM
User: N/A
Computer: MAIL1
Description:
Logon Failure on database "Storage Group 01\Mailbox Database" - Windows 2000 account NT AUTHORITY\SYSTEM; mailbox /o=Company Organisation Name/ou=First Administrative Group/cn=Recipients/cn=User Name.
Error: -2147221231
To resolve this issue I had to give the "SELF" account the "Associated external account" permission. If the user does not have this permission on its own account, it is unable to set the msExchMasterAccountSID attribute for the disabled account, causing the error. Setting this permission on the disabled account allows the msExchMasterAccountSID attribute to be marked.
To do this follow this procedure:
1. In the Active Directory Users and Computers snap-in, on the View menu, click Advanced Features.
2. In the Exchange Advanced properties of the disabled user object that owns the mailbox, click Mailbox Rights, and then search the list of accounts for one that has the Associated External Account permission.
3. If no account has this permission, grant the SELF account Associated External Account and Full Mailbox Access permissions.
For further information on this issue please see the below Microsoft knowledge base article.
http://support.microsoft.com/kb/278966
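Rather than waiting for Event ID 9548 to appear per mailbox, the disabled accounts that still need this fix can be listed up front. The PowerShell below is an added example, not part of the original post or the KB article: it queries the domain with an LDAP filter for disabled users that are mailbox-enabled (homeMDB set) but have no msExchMasterAccountSid, and a second function reads the attribute back after the permission has been granted. It assumes an Exchange 2003-era schema and a domain-joined machine; the function names and the search-base placeholder are my own.

```powershell
# Added example, not from the original post. Lists disabled mailbox-enabled users
# without msExchMasterAccountSid (the condition behind Event ID 9548) and reads
# the attribute back after the SELF / Associated External Account fix.

function Find-DisabledMailboxWithoutMasterSid {
    param([string]$SearchBase)   # e.g. 'LDAP://DC=domainname,DC=local'; default = current domain

    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule; bit 2 of userAccountControl
    # is ACCOUNTDISABLE. homeMDB present = mailbox-enabled.
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=2)' +
              '(homeMDB=*)(!(msExchMasterAccountSid=*)))'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchBase) { $searcher.SearchRoot = [adsi]$SearchBase }
    $searcher.Filter   = $filter
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'distinguishedName', 'homeMDB'))

    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName    = [string]$r.Properties['samaccountname'][0]
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            MailboxStore      = [string]$r.Properties['homemdb'][0]
        }
    }
}

function Get-MasterAccountSid {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $user = [adsi]"LDAP://$DistinguishedName"
    $raw  = $user.Properties['msExchMasterAccountSid'].Value   # byte[] or $null
    if ($null -eq $raw) { return $null }
    # Decode the binary SID; after granting SELF the right, expect 'S-1-5-10' (the SELF SID).
    (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
}

# Usage (run as a user with read access to the domain):
$needsFix = Find-DisabledMailboxWithoutMasterSid
$needsFix | Format-Table SamAccountName, MailboxStore -AutoSize

# After applying the Mailbox Rights change to one of them, confirm the attribute is set:
# Get-MasterAccountSid -DistinguishedName $needsFix[0].DistinguishedName
```

The first function is also a useful pre-migration check: running it before moving mailboxes between servers shows which disabled accounts will log 9548/1022 afterwards, so the permission can be granted before the move rather than after the errors appear.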
Sunday, May 16, 2010
SQL 2008 Licensing
I just found a very handy site worth blogging. Please check this site out if you're looking to purchase SQL 2008, as you will need to understand how the licensing works.
http://www.microsoft.com/sqlserver/2008/en/us/licensing-faq.aspx
Sunday, May 9, 2010
Desktop not Refreshing with Folder Redirection
I have a Windows 2003 terminal server with the desktop being redirected to a network share. Whenever users modify or change files on the terminal server, the desktop does not refresh. If a user presses F5, the desktop then updates.
The following registry key from Microsoft KB823291 fixes this problem but must be set per user profile.
1. Locate and then click the following key in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
2. On the Edit menu, point to New, and then click DWORD Value. Type NoSimpleNetIDList, and then press ENTER.
3. On the Edit menu, click Modify.
4. Type 1, and then click OK.
To apply this to all user profiles I created an ADM file by exporting the registry key and converting it with RegtoAdm from the NUTS admin tools, which I then applied with a loopback policy to the terminal servers.
You can download the NUTS admin tools from here:
http://yizhar.mvps.org/
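As an added example, not part of the original post, here is the same per-user registry change as a PowerShell function pair: one that writes the value the KB article describes (creating the Policies\Explorer key if it is missing) and one that reads it back so the state can be verified on a terminal server. The function names are my own; the key and value names are the ones from the steps above.

```powershell
# Added example, not from the original post. Applies and verifies the KB823291
# NoSimpleNetIDList value in the current user's hive.

$script:ExplorerPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-NoSimpleNetIDList {
    # Returns $null in NoSimpleNetIDList when the value (or the key) does not exist.
    $current = (Get-ItemProperty -Path $script:ExplorerPolicyKey -Name NoSimpleNetIDList `
                    -ErrorAction SilentlyContinue).NoSimpleNetIDList
    [pscustomobject]@{
        Key               = $script:ExplorerPolicyKey
        NoSimpleNetIDList = $current
        Applied           = ($current -eq 1)
    }
}

function Set-NoSimpleNetIDList {
    param([ValidateSet(0, 1)][int]$Value = 1)

    # The Policies\Explorer key is absent on a fresh profile, so create it first.
    if (-not (Test-Path $script:ExplorerPolicyKey)) {
        New-Item -Path $script:ExplorerPolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $script:ExplorerPolicyKey -Name NoSimpleNetIDList `
        -PropertyType DWord -Value $Value -Force | Out-Null
    Get-NoSimpleNetIDList   # return the verified state
}

# Check the current profile; call Set-NoSimpleNetIDList to apply the fix.
Get-NoSimpleNetIDList
```

Because the value lives under HKEY_CURRENT_USER, Set-NoSimpleNetIDList has to run in each user's session (for example from a logon script); the loopback policy approach in the post achieves the same thing centrally, and Get-NoSimpleNetIDList is a quick way to confirm that policy actually landed for a given user.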
Wednesday, May 5, 2010
VBScript - Delete Files Older than X Days
I whipped up a handy VBScript that will delete files older than X days in any particular folder. In this case, any files that are older than 3 days will be deleted.
' Delete every file in the folder whose last-modified date is more than 3 days old.
Option Explicit
Dim Fso, Directory, File, Files
Set Fso = CreateObject("Scripting.FileSystemObject")
Set Directory = Fso.GetFolder("C:\FolderContainingFiles") ' folder to clean up
Set Files = Directory.Files
For Each File In Files
    ' DateDiff("d", ...) counts whole calendar days between the two dates
    If DateDiff("d", File.DateLastModified, Now) > 3 Then File.Delete
Next
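Deleting by age is irreversible, so the check a practitioner wants before scheduling a script like this is a dry run. The PowerShell below is an added example, not the post's script: it does the same clean-up with -WhatIf support and returns the paths it removed so the run can be logged. The folder path and age are placeholders; it skips subfolders unless -Recurse is given.

```powershell
# Added example, not from the original post. Age-based file clean-up with a dry-run
# switch (-WhatIf) and a list of removed paths as output.

function Remove-OldFile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Folder,
        [int]$OlderThanDays = 3,
        [switch]$Recurse
    )
    # Exact age in hours; the VBScript's DateDiff("d") counts calendar-day boundaries instead.
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)

    Get-ChildItem -Path $Folder -File -Recurse:$Recurse |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            # ShouldProcess honours -WhatIf / -Confirm, so nothing is removed on a dry run.
            if ($PSCmdlet.ShouldProcess($_.FullName, "Delete (last modified $($_.LastWriteTime))")) {
                Remove-Item -LiteralPath $_.FullName
                $_.FullName   # emit what was removed so the caller can log it
            }
        }
}

# Dry run first (placeholder folder); drop -WhatIf to actually delete.
Remove-OldFile -Folder 'C:\FolderContainingFiles' -OlderThanDays 3 -WhatIf
```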
View MPSReports
Microsoft has a tool called Microsoft Product Support Reports, also known as MPSReports. If you have done a support call to Microsoft in the past, you would have used MPSReports. What MPSReports does is grab all the configuration about how your system is set up that is relevant to diagnosing issues, ZIP it up and allow the user to send the information to an IT professional (normally Microsoft).
I personally have been using MPSReports for years. I'd get a client to run MPSReports on their server experiencing problems, then send me the MPSReports results. I'd then dig through all the log files that came packaged up and diagnose the problem. This was very painful, however, as it's hard to know what file contains what information.
The Microsoft support guys have a tool that lets them easily dig through the data generated by MPSReports, a "viewer" tool. I have been asking them on the phone for some time to give us a copy. The response was always "It's a tool designated to Microsoft Support Employees". I'd be like pleaseeeeeeeeee!!!
Today I saw that as of the 30th of March 2010 Microsoft has made this viewer tool available to the public. It is called Microsoft Product Support Reports Viewer 2.0. Download it from:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=fb414a72-ccef-4f14-8c76-b846a0f2182d
Tuesday, May 4, 2010
Cross-File DFS in Windows Server
A colleague of mine taught me something new about the cross-file feature of RDC (Remote Differential Compression) in the DFS-R technology in Windows Server. Cross-file RDC is not available in all versions of Windows Server.
Cross-File RDC is available in:
- Windows Server 2003 R2 Enterprise Edition
- Windows Server 2008 Enterprise Edition
- Windows Server 2008 R2 Enterprise Edition
- Windows Server 2008 R2 Datacenter Edition
Cross-File RDC is not available in:
- Windows Server 2008 R2 Standard Edition
- Windows Server 2008 Standard Edition
- Windows Server 2003 R2 Standard Edition
- Windows Server 2008 Datacenter Edition
- Windows Server 2003 R2 Datacenter Edition
DFS cross-file RDC is part of the RDC technology in DFS-R. Instead of replicating the entire file, DFS Replication can use portions of files that are similar to the replicating file to minimize the amount of data transferred over the WAN. If you are planning to use this, ensure you use the Enterprise Edition of Windows Server!
Which flavours of Windows Server support cross-file RDC is documented here:
http://technet.microsoft.com/en-us/library/cc773238.aspx