Sunday, August 29, 2010

Unable to resolve WPAD

I had a problem where I wanted to configure WPAD DNS lookups for a company; however, when I added the WPAD record to my primary DNS zone I was unable to resolve it on Windows Server 2003.

I found out that any host A records containing "WPAD" or "ISATAP" are blacklisted by default on Windows Server 2003 DNS. To remove the blacklist on every DNS server in your organisation, navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList



Remove the WPAD entry from this registry key and then restart the DNS service. Repeat this for every DNS server in your organisation.

Friday, August 27, 2010

Exchange 2007/2010 Maximum Databases

In Exchange 2007 Standard Edition a mailbox server can only hold 5 databases (public folder or mailbox).

In Exchange 2010 Standard Edition a mailbox server can only hold 5 databases (public folder or mailbox).

In Exchange 2007 Enterprise Edition a mailbox server can hold 50 databases (public folder or mailbox).

In Exchange 2010 Enterprise Edition a mailbox server can hold 100 databases (public folder or mailbox).

Monday, August 23, 2010

Get All Users in Group

In this post I will be showing you three easy ways to get all users in an Active Directory group.

Method 1 - dsget

Use "dsget" with the following syntax:

dsget group "DN_of_group" -members -expand > userlist.txt

For example:

dsget group "CN=My Group,OU=Security Groups,DC=domain,DC=local" -members -expand > c:\usersingroup.txt

This method shows all users with their full distinguishedName attribute in the results.

Method 2 - net group

Use the "net group" command.

net group "groupname" /domain > c:\usersingroup.txt

This method will show the user logon name for each member of the specified group. This method does not need you to specify the distinguished name of the group.

Method 3 - vbs

The third method I will be showing you is a simple VBS script. Enter the following text into Notepad and save it as a .vbs file. Make sure you change the domain name to your domain and enter the group name next to it.

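' Bind to the group through the WinNT provider (replace the domain and group name)
Set oGroup = GetObject("WinNT://domain.local/" & "group name")
' Print the display name of each member
For Each oMember In oGroup.Members
    WScript.Echo oMember.FullName
Next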


To run the script, open a command prompt, navigate to the folder containing the script and run the following command:

cscript scriptname.vbs > c:\usersingroup.txt

The script above displays each user's display name. If you want the script to show each user's username instead, change oMember.FullName to oMember.Name.

Sunday, August 22, 2010

Websense v10000 SQL Error

I was in the process of setting up a Websense v10000 appliance. The Websense v10000 appliance needs a Windows Server to run a Log Server that keeps statistical information about users' web activity. When entering the SQL details into the Websense Log Server setup, the following error was experienced:

Websense reporting tools do not work with this version of SQL you have installed. Upgrade to SQL Server 2000 or MSDE 2000.



I know for a fact that both SQL 2005 and 2008 are supported. The Websense documentation states that the Websense setup creates the SQL Websense database automatically. Because of this I gave my SQL Websense account "dbcreator" permissions. As a test I attempted giving my Websense account "sysadmin" permissions instead of "dbcreator". "sysadmin" is like "Domain Admin" rights in the world of SQL, usually a very bad thing to do as it compromises the security of your SQL server.



After giving the account sysadmin all was fine.

Find out what version of SQL I'm running?

To find out what version of SQL is running along with the service pack run the following SQL Query:

SELECT SERVERPROPERTY('productversion'), SERVERPROPERTY ('productlevel'), SERVERPROPERTY ('edition')

Diagnosing SQL Logon Failures

Today I had problems logging on to MSSQL 2008 R2 through SQL Server Management Studio. I read this really good blog post from the Microsoft SQL Product Manager Il-Sung Lee:

http://blogs.msdn.com/b/sql_protocols/archive/2006/02/21/536201.aspx

He said that the error state you receive is always 1 to prevent information disclosure to unauthenticated clients. To get the real error state you must go to the SQL "ERRORLOG" file located at:

C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log

In Il-Sung Lee's blog post he has a list of all error states to do with authentication and a description of what each error state is.

In the ERRORLOG file it showed me what my problem was, so I installed the SQL Authentication component.

2010-08-23 09:52:29.05 Logon Error: 18456, Severity: 14, State: 58.
2010-08-23 09:52:29.05 Logon Login failed for user 'websense'. Reason: An attempt to login using SQL authentication failed. Server is configured for Windows authentication only. [CLIENT: 172.16.1.14]

Very handy post by Il-Sung Lee
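An added example, not code from the original post or from Microsoft: a small parser that pairs each "Error: 18456 ... State: N" line in ERRORLOG with the "Login failed" line that follows it, so the real state, reason and client address can be reviewed per client and login. The first two sample lines are the entries quoted above; the remaining lines, the 'sa' login and the 172.16.1.20 address are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first two lines are the entries quoted in the post;
# the rest are made up here to exercise the parser.
SAMPLE = """\
2010-08-23 09:52:29.05 Logon Error: 18456, Severity: 14, State: 58.
2010-08-23 09:52:29.05 Logon Login failed for user 'websense'. Reason: An attempt to login using SQL authentication failed. Server is configured for Windows authentication only. [CLIENT: 172.16.1.14]
2010-08-23 09:53:02.11 Server SQL Server is now ready for client connections.
2010-08-23 09:54:10.40 Logon Error: 18456, Severity: 14, State: 8.
2010-08-23 09:54:10.40 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.1.20]
2010-08-23 09:54:11.02 Logon Error: 18456, Severity: 14, State: 8.
2010-08-23 09:54:11.02 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.1.20]
"""

ERR = re.compile(r"^(\S+ \S+)\s+Logon\s+Error: 18456, Severity: \d+, State: (\d+)\.")
MSG = re.compile(r"^\S+ \S+\s+Logon\s+Login failed for user '([^']*)'\."
                 r"(?: Reason: (.*?))?\s*\[CLIENT: ([^\]]+)\]")

def parse_failures(lines):
    """Pair each 'Error: 18456 ... State: N' line with the message line after it."""
    failures, pending = [], None
    for line in lines:
        err = ERR.match(line)
        if err:
            pending = (err.group(1), int(err.group(2)))
            continue
        msg = MSG.match(line)
        if msg and pending:
            failures.append({"time": pending[0], "state": pending[1],
                             "user": msg.group(1), "reason": msg.group(2) or "",
                             "client": msg.group(3)})
        pending = None  # the state only applies to the very next line
    return failures

def summarize(failures):
    """Count failures per (client, user, state) so repeated attempts stand out."""
    return Counter((f["client"], f["user"], f["state"]) for f in failures)

if __name__ == "__main__":
    rows = summarize(parse_failures(SAMPLE.splitlines()))
    for (client, user, state), n in rows.most_common():
        print(f"{n:3d}  client={client}  user={user}  state={state}")
```

Real ERRORLOG files are typically written as UTF-16, so open them with the matching encoding before passing their lines to parse_failures.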

Monday, August 2, 2010

pushprinterconnections.exe Installs Old Printers

There is a bug with pushprinterconnections.exe when using group policy printer deployment to Windows XP and Windows Server 2003 servers. It installs printers fine; however, it has an issue removing printers.

I experienced this bug performing the following steps:

1. Created a GPO called Printer Deployment and linked it to some workstations.

2. Added pushprinterconnections.exe as a startup script to the Printer Deployment GPO.

3. Published printers to the computer policy under the Printer Deployment GPO in print management console on the print server.

4. Performed a group policy update on the target workstations and rebooted them to ensure they would install the new printers.

5. Removed all printers from the Printer Deployment GPO.

6. Performed a GP Update on all workstations and rebooted them to ensure they would remove all printers - they did.

7. Unlinked the Printer Deployment GPO from the organisational unit containing the workstations.

8. Created a new GPO called New Printer Deployment GPO and linked it to the organisational unit containing the workstations.

9. Published just one printer in print management console to the new GPO.

10. Performed a gpupdate and rebooted all workstations under the New Printer Deployment GPO.

11. When the PCs rebooted they received all printers. They should only receive the one printer I published to New Printer Deployment GPO. There is no policy stating these extra printers should be reinstalled.

How do I resolve this error?

On XP and 2003 pushprinterconnections.exe stores the machine printer connection data in the following regkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PPC

Go to this reg key and delete all printer connection data.

Go to Control Panel --> Printers and remove all printers.

Also navigate to the following registry keys and clean up all printer connections that are no longer needed:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Connections
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Connections
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Connections

Now that you have cleaned up the registry, link the new policy containing the printers you wish to deploy to the organisational unit.

Sunday, August 1, 2010

Exchange 2010 SP1 ECP Improvements

In Exchange 2010 SP1 the Microsoft Exchange team has added much more UI functionality to the web-based Exchange Control Panel. Some of these additional features include:

Create/configure Retention Tags + Retention Policies in EMC

Configure Transport Rules in ECP

Configure Journal Rules in ECP

Configure MailTips in ECP

Provision and configure the Personal Archive in ECP

Configure Litigation Hold in ECP & EMC

Configure Allow/Block/Quarantine mobile device policies in ECP

RBAC role management in ECP

Configure Database Availability Group (DAG) IP Addresses and Alternate Witness Server in EMC

Recursive public folder settings management (including permissions) in EMC