Showing posts from February, 2011

How to use AD Schema snap-in to manage an AD LDS Schema

You will need to be logged in as an administrator (or elevate your privilege level) to complete this task. First you need to register the Schema snap-in before you can use it. Click Start. Type cmd and press Enter. Type regsvr32 schmmgmt.dll and press Enter. Click OK when prompted. Type Exit and press Enter. Click Start, type MMC and press Enter. Click File and then click Add/Remove Snap-in. Click Active Directory Schema and then click Add. Click OK. Right click Active Directory Schema and then click Change Active Directory Domain Controller… Click "Type a Directory Server name[:port] here" and type the DNS name, NetBIOS name, or IP address of the server hosting the AD LDS instance. In this example, the server name is MCT-1. Now click on the entry you just made in the Change Directory Server window and then click OK. You can now view the classes and attributes of your AD LDS instance.

Does Windows Server 2008 R2 allow you to rejoin a disjoined client to the domain with the same SID?

To test this theory, I created a snapshot in Hyper-V of a Windows 7 client. Once I completed this I had Active Directory reset the password to the client. Next I applied the snapshot that I just took to create a disjoined account. When an attempt to log in is made, this is the error: The question from class is, if I put this client in a workgroup and then back in a domain, will it have the same SID? First off, I went into Active Directory and recorded the SID for the client's computer object. Next I logged in as the local administrator on the client and first put the client in a workgroup, and then back in the domain. One thing that I did notice during this process: even though the computer could not create a secure channel to the domain controller, when I took it off the network, the computer's object was disabled. Once the client was joined to the network, its account re-enabled. Also, the SID was reused. On a side note, this client was used previou...

How to reallocate RAM resources in Hyper-V

It never fails. I need to start up a new VM only to find out that I do not have enough RAM (see the error below). From the last line of the error, you can see "Fail to create partition: Insufficient resources exist to complete the requested service." Ok, but I really need to start this VM. We cannot dynamically change the amount of RAM that is allocated to a VM while it is running. One option that we have is to take a VM that is in a Paused state and change it to a Saved state. Since the VM was already paused, you were not using its functionality anyway. Right click the paused VM and click Save. If this cleared up enough resources, you can now start that other VM. Should I need to run both VMs, I will still need to shut the paused virtual machine down and allocate fewer resources to it while it is offline.

How many users can the Windows Internal Database support in AD RMS?

According to Microsoft documentation, the Windows Internal Database can be used to support Active Directory Rights Management Services (AD RMS). However, Microsoft recommends the use of the internal database for a test lab only. For a production environment, you need to use an external database. I have not been able to find exact figures on the number of users it can support. Considering a test environment usually has fewer users than a production environment, this should not be an issue. Reference: http://technet.microsoft.com/en-us/library/dd772659(WS.10).aspx

Install Wireless Networking on Server 2008 R2

Recently I installed a couple of new servers in my test lab. They had both wired and wireless NICs installed on them. I configured the wired NIC without any issues. The wireless takes a few extra steps. To get wireless functionality on a server, you need to enable the Wireless feature. On your Server 2008 R2 server, open Server Manager. You can do this in your Administrative Tools or by clicking the icon in the quick launch bar. Once Server Manager has opened, click Features. With Features open, click Add Features to the right. Once the Select Features window opens, scroll to the bottom of the list and check the feature called Wireless LAN Service. Click Next. Click Install. Click Close. Close Server Manager. Click Start. Right click Network and select Properties. In the upper right corner of the Network and Sharing Center, click Change Adapter Settings. If your wireless adapter is Disabled, right click it and select E...

How to list all the AD LDS instances on a server

AD LDS allows you to provide directory services to applications that are free of the confines of Active Directory. To list all the AD LDS instances on a server, follow this procedure: Log into the server in question. Open a command prompt. Type dsdbutil and press Enter. Type List Instances and press Enter. You will receive a list of the instance names, both the LDAP and SSL port numbers, the location of the database, and its status.

Set up Active Directory Recycle Bin for AD LDS

You can expand the functionality of the AD Recycle Bin to your Active Directory Lightweight Directory Services (AD LDS) deployments. This example assumes that we have an AD LDS instance called 'App1'. It will be on a server called 'MCT-1' in a domain called 'MCTNET.com'. We can attach to it on port 53414. The application partition is 'CN=App1,DC=MCTNET,DC=COM'. On the server hosting the AD LDS instance, open PowerShell. First verify that your forest functional level is Windows Server 2008 R2. Type Get-ADForest and press Enter. You can see from the results below that we are at the correct forest functional level. Open a command prompt with administrative credentials. Change your directory to c:\Windows\Adam. Type Ldifde.exe -i -f MS-ADAM-Upgrade-2.ldf -s MCT-1:53414 -b administrator MCTNET Pa$$w0rd -j . -$ adamschema.cat For your environment replace: MCT-1 with the name of your server. 53414 with the port number of the AD LDS instance ...

How to configure startup delays for Virtual Machines in Hyper-V

In any medium to large network environment, there are undoubtedly certain servers that need to be fully online before others. Generally the IT staff would have some type of restart procedure that will bring these servers back up in the correct order should they ever go down for some reason. When working with virtualized machines, you still have this same capability using Hyper-V. To configure a startup delay, open the Hyper-V Manager. Right click the VM that you want to configure the delay on and click Settings. Click on Automatic Start Action. You need to select Automatically start if it was running when the service stopped or Always start this virtual machine automatically. You then need to specify the number of seconds until the VM starts. You may have to take some time with a stopwatch to get an idea of how long to make the delay.

Backup and Restore AD LDS with DSDBUTIL.exe

Active Directory Lightweight Directory Services allows you to create a directory service that gives applications access to user accounts, groups, and authentication similar to Active Directory Domain Services. The big advantage here is that the schema of the directory service will not be bound by the rules of an Active Directory database. Exchange 2007/2010, for example, uses an instance of AD LDS on the Edge Transport Server to provide for user authentication from the internet. Because your Active Directory database is not exposed to the internet, this is more secure. Applications will handle most of the dirty work should they require AD LDS. You may want to make sure the database is being backed up and also have a restore plan in place. Should the database become corrupt, the application that uses that database will fail. This document will walk you through backing up and restoring an instance of AD LDS using the dsdbutil.exe command. Fi...

Can you use a non-Microsoft DHCP and DNS Server with WDS?

Windows Deployment Services relies on both DNS and DHCP for its functionality. DNS is used to help locate the WDS server in your network. DHCP is used to hand out IP addresses to your clients and the address of a DNS server so they can locate resources, in this case WDS, and communicate with it. According to Microsoft's documentation, you can use non-Microsoft products to provide DNS and DHCP services to your WDS environment. Something to note is that you must select the following two options during the WDS configuration: If the non-Microsoft DHCP server is located on the same server as WDS, you will need to configure the server to listen on port 67 and also to add Option 60 to your DHCP scopes. If the DHCP server is installed on a different subnet, you will need to configure your router to forward broadcast packets to both the DHCP and the WDS server. You will also need to route traffic on UDP port 4011 from the client to the WDS server. http://technet.microsoft.com...

Change Server Core's Background

Many network administrators prefer to manage the roles and features of Server Core remotely using the graphical interface provided by RSAT. However, you may be at an organization that requires you to either be at a Server Core console, or to Remote Desktop into the server itself. If you have one or two Server Cores, this may not be a big deal. But what if you have 5, 10, or more? While working with a software development company I noticed that the screen background and text color were used to denote the set of code being used. I thought this would be a good idea to flag which Core you were working on. To change the background color: Expand HKEY_CURRENT_USER\Control Panel\Colors. You will see the Background setting is at 29 95 122. These are the RGB values (Red, Green, Blue) for the background color. The number determines the brightness of each color component for each pixel. Setting a value to 0 turns it off. Setting it to 255 makes it as br...

What cmdlets are imported with new PowerShell modules?

I call PowerShell the "never ending beast." I do not say that in a bad way, but in a good way. PowerShell is designed to be continually added to. One way this is accomplished is through the addition of modules. Modules can come from Microsoft, or you. They are collections of new cmdlets, functions, and scripts that allow you to add functionality to PowerShell. The question is, what cmdlets are added when I import a module? To determine the modules that are available on the client/server you are on, type Get-Module -ListAvailable and press Enter. The list returned will vary depending on what is installed on the client/server you are working on. When you run the Import-Module command, you only know that the command completed. To see what was imported, use the -Verbose switch. For example, type Import-Module AppLocker -Verbose and press Enter. The output is listed below. Here you can see each cmdlet that is imported into ...

What is the limit on the number of Group Policy Objects that can be applied to an object?

According to Microsoft, the limit on the number of GPOs that you can apply to an object is 999. The article listed below did not give a limit on the total number of GPOs that you can have, only a limit on how many can be applied to a single object. Reference: http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(WS.10).aspx#BKMK_GPO

How much does the ImageX /Compress Maximum setting save you on disk space?

Compression is a funny thing. You cannot accurately predict the exact compression ratio without knowing what the files are and the algorithms being used. Some files, like MP3s, are already compressed. Text files compress a lot; JPG files do not. Using the /Compress Maximum switch on the ImageX command line puts a lot of work on the capturing of the image, and less on the transfer of that image. For this reason, I make sure that I am absolutely satisfied with the image that I am about to make. We are going to have an upfront cost of more time to create the image, but we will make it up if this image is going to be sent across the network many times. I decided to do an experiment with a new Windows 7 Home Premium edition client that I just picked up at the store today. I only ran the basic configuration and loaded the anti-virus software. Only imaging the C: drive and using the default compression, the image file size was 20,949,078 KB....

How to alter the Kerberos time synchronization tolerance

Kerberos is a time-sensitive authentication system. This is good. The time tolerance helps to prevent a replay attack. You can make this tolerance more or less strict than the default of 5 minutes. Network packets for Kerberos authentication that have a time stamp within the tolerance value, as compared to the domain controller's clock, are considered valid. For a local computer, you would open the Local Security Policy. For a domain-joined computer, open a GPO that applies to the client. For a Domain Controller, open the Default Domain Policy GPO. Expand: Computer Configuration / Policies / Windows Settings / Security Settings / Account Policies. Open Maximum tolerance for computer clock synchronization. Check Define this policy setting. Enter the number of minutes you will allow clocks to be out of sync and click OK.

How many VMs can Hyper-V support?

In Windows Server 2008 R2, Hyper-V can support up to 384 virtual machines (VMs) as long as the number of virtual processors assigned to those VMs does not exceed 512. These numbers change a bit if you are running Hyper-V in a Failover Cluster. You can only support 64 VMs per node of the cluster. Since all business-critical applications and services need to have a fault-tolerant solution, you will more than likely be running your VMs on a Failover Cluster. So, for the production environment, I would say 64 VMs is the limit.

Mount an image with ImageX

ImageX is a versatile tool that helps us work with Windows Image files (.wim). One of the neat things that you can do with ImageX is to mount an image file and then be able to copy and paste files and folders into it using Windows Explorer. You can obtain a copy of ImageX when you download the Windows Automated Installation Kit (WAIK) and install the WAIK on your system. Once WAIK is installed and you have an image file to work with, follow this procedure. First create a folder on your hard drive to mount the image in. For this demonstration, I created a folder called ImageMount on my D: drive. Click Start \ All Programs \ Microsoft Windows AIK \ Windows PE Tools Command Prompt. This will launch a special command prompt that is aware of the tools that were installed with the WAIK. You will need to know the location where you stored an image file. Our image is stored at D:\Data.wim. The folder we will be mounting this image in is D:\ImageMount. The folder that...

Disable SMB signing

It never fails. Once every couple of months I have a delegate in my class that has to keep a Windows NT4 box running. There is nothing wrong with that. Many applications built on Windows NT4 are solid. Why upgrade and incur cost when no upgrade is really required? That is generally the reason why Windows NT4 is being used. Another reason is the vendor went out of business, but the application that is required is really good and paid for. Two things to take note of. If these Windows NT4 clients are going to be authenticating on a Windows Server 2008 DC, then you may have a problem. For WinNT 4.0 SP2 and earlier, SMB signing was not supported. For WinNT 4.0 SP3 and earlier, secure channel was not supported. SMB signing helps to prevent man-in-the-middle attacks. To open GPMC, click Start, click Run, type gpmc.msc, and then click OK. In the console tree, right-click Default Domain Controllers Policy in Domains\ Current Do...

Configure the Default VM Paths in VMM

You can configure Virtual Machine Manager with the default paths for new VMs on each host the VMM manages. To do this, first create a folder on each host that will store the VM files. Next open System Center Virtual Machine Manager. If not already visible, go to the Hosts screen by clicking Go \ Hosts on the menu bar. Right click the host that you want to configure the default path on and select Properties. Click the Placement tab. Click Add. Browse to the folder you created and click OK. Click OK again.