

Showing posts from January, 2011

Prevent DNS Cache Corruptions

DNS cache corruption occurs when a malformed query is accepted from a remote name server.  To make sure your DNS servers are protected, follow this procedure:

Open DNS Manager.

Right click the DNS server and then select Properties.

Click the Advanced tab.

Make sure to check Secure cache against pollution and click OK.

How to find out which clients in your domain were added by an Authenticated User

In a Windows domain, all Authenticated Users have the ability to add up to 10 clients to the domain without contacting a Domain Admin. Here is how to find out which computers were added to your domain by your users.

On the Windows Server 2008 R2 Domain Controller, open PowerShell

Type Import-Module ActiveDirectory and press Enter

Type Get-ADComputer -Filter * -Property ms-DS-CreatorSID | Where-Object {$_.'ms-DS-CreatorSID' -ne $null} and press Enter.

Each computer that is listed has a value in the ms-DS-CreatorSID attribute. If the computer account was pre-created in Active Directory Users and Computers or manually joined by a Domain Administrator, a SID would not be present here. The SID is the SID of the user account that joined the computer to the domain.

OK, that was informative. You may be asking “How do I find out who added what?” The answer is in PowerShell. Sure, you could manually search each Computer account in Active Directory and record any ms-DS-CreatorSID attributes that you fin…
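One way to answer "who added what", as an added example that is not the code from the original post: it resolves each ms-DS-CreatorSID to an account name and counts joins per user. It assumes the ActiveDirectory module is loaded on a machine with read access to computer objects; the report column names are chosen for illustration.

```powershell
# Added example, not from the original post. Works in PowerShell V2.
Import-Module ActiveDirectory

# Only computer accounts that carry a creator SID, i.e. joined by a user
# rather than pre-created or joined by a Domain Administrator.
$joined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
    -Properties 'mS-DS-CreatorSID', whenCreated

$report = foreach ($computer in $joined) {
    $sid = $computer.'mS-DS-CreatorSID'
    try {
        # Resolve the SID to DOMAIN\user.
        $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        # The creating account was deleted or cannot be resolved; keep the raw SID.
        $creator = "unresolved: $($sid.Value)"
    }
    New-Object PSObject -Property @{
        Computer = $computer.Name
        Created  = $computer.whenCreated
        AddedBy  = $creator
        Location = $computer.DistinguishedName
    }
}

# Who added what, newest first.
$report | Sort-Object Created -Descending |
    Select-Object Computer, AddedBy, Created, Location |
    Format-Table -AutoSize

# Joins per user, to spot accounts approaching the limit of 10.
$report | Group-Object AddedBy | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Computers whose Location is still the default container are the ones to review first, since nothing has moved them under a managed OU.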

How to deploy an ACT Data Collection Package to a large number of clients.

Microsoft’s Application Compatibility Toolkit (ACT) allows you to collect hardware and software inventory information in your domain to help you prepare for client upgrades.  The idea is for you to be able to collect the types of software that are running on your clients so you can test and mitigate any compatibility issues before deploying the images of Windows 7.  This is a very nice, useful, and free application.
In using the ACT, I needed to manually install the Data Collection Package on each client using administrative permissions.  For a small organization, this may be acceptable. In larger organizations, you may need a more automated deployment method.

An easy way to deploy these packages to your clients is through Group Policy.  Before we begin, I need to point out a drawback of a GPO software deployment.  You have no idea if it worked or not.  System Center Operations Manager allows you to do software deployments and provide reports so you know if all went well.  …

How to change what is stored in the Global Catalog

The Global Catalog (GC) is used for searching objects in other domains in your forest.  Also some applications, like Exchange, use the Global Catalog to help provide their services.  The Global Catalog contains a Partial Attribute Set (PAS) of all the objects in a domain that users generally search for.  The GC is configurable in that you can choose to add properties of objects to be replicated in the GC.  Below is the step by step procedure to do so.

Step 1 – Locate the Schema Operations Master
You should perform this step on the Domain Controller that holds the Schema Operations Master Role.  It is true that Windows Domain Controllers are multi-master.  This means that a change on one will replicate to all.  However, there are certain functionalities that can only be performed by one DC at a time.  To get a list of the current FSMO (Flexible Single Master Operation) role holders:

Click Start.

Type CMD and press Enter.

Type netdom query fsmo and press Enter.  You will get a list like…

Can you copy and paste the Active Directory Database from one DC to another to recover it?

Warning!!! Do not do this.

This is an interesting question from class.  To set this up I added a second Domain Controller into a virtual network.  I then stopped the AD DS server on the new DC and deleted the contents of c:\Windows\NTDS.
The next step was to copy the contents of the database folder from the good DC to the target DC.  To do this, I also had to stop the NTDS service on the source DC.

Once the copy was completed, I restarted the AD DS service on the source DC. I then attempted to restart the AD DS service of the target DC.  It did not like it very well.  As a matter of fact, while attempting to restart the AD DS service, the DC went into reboot. As a matter of fact, the system was not able to boot after that. 
This is a good example of why we test these ideas on virtual machines with snapshots, and not actual production servers.

Can you both audit a file screen and enforce another one on the same folder?

This question came about when a student was wondering about enforcing a file screen for one type of file, but auditing for another type. I first tested this by attempting to apply two separate file screens to the same folder. I received the following error:

Can't create file screen in the given path as a file screen already exists for that path.

I then created a child folder inside the original one and then applied a different file screen to it. In this configuration, I was able to get FSRM to block one type of file, and audit the other. Set up your share on the child folder. This one will have both screens being applied to it and is the one that we want users to store their data in.

Prevent Authenticated Users from adding Computers to the domain.

I never really understood the logic behind this one. By default, members of the Authenticated Users group can add up to 10 clients to your domain. I’ve tested this and it is true. I created a new user in my domain without giving the user any special privileges and added a client to the domain without any issues. This is why it is so important to make sure you have redirected your default computer container to an OU that is heavily locked down.

Another avenue to think about is if you are deploying software by user account. The user will be able to steal company software. Also, any malware on this rogue client will now be on your network.
To change the default container in which new computer objects are placed, log into your Domain Controller and type this:

redircmp container-dn

For example:
redircmp OU=MyComputers,DC=Contoso,DC=com

The burning question here is how to stop this from happening. On your Windows Server 2008 Domain controller, click Start.

Type ADSI…

Configure IPv6 for DHCP in your entire domain

The network adapters on a Windows 7 client are configured for router discovery for automatic IP addressing for the IPv6 protocol.  To configure your clients for DHCPv6, you need to disable router discovery and enable the Managed Address flag on the NIC.  To do this, you must log into each client and execute the following commands.

netsh int ipv6 set int Interface_Index RouterDiscovery=Disabled
netsh int ipv6 set int Interface_Index ManagedAddress=Enabled

Scale this to domains with thousands of clients with multiple NICs and you have a management problem.  The set of tasks below will help you set this configuration across your entire domain in a much more time-efficient manner.

To accomplish this, we are going to use a combination of Group Policy and PowerShell V2. What this task entails is to configure your servers to allow you to utilize the PowerShell remoting features to connect to each client, and then run the necessary commands to configu…

MCTExpert Blog is now on your Kindle

Today, MCTExpert is announcing that our blog site is now available for subscription to users of Amazon's Kindle electronic book.  The MCTExpert blog contains the more detailed questions that get asked in my classes that I want to provide a more in depth response to.  These are real questions from real Network Administrators in the field.  I've had comments from former students that my responses to their questions have helped them pass the Microsoft certification exams.  There is a 14 day free trial subscription.  Get your daily dose of what other IT professionals are asking about.  Click here to go to the Kindle Store.

How to add a shared printer on a server using Group Policy Preferences

Group Policy Preferences is a great place to add a printer to your clients.  The question here is how to do it for a printer that is shared on a server.  For this example, I created a printer on my server called Network Printer 1.  I also shared this printer and then made it searchable by listing it in Active Directory.  To list your printer in Active Directory:
Open the Control Panel \ Hardware \ Devices and Printers.
Right click the printer and click Printer Preferences.
Click the Sharing tab.

Check the box for List in the directory.
You can test the publishing in Active Directory by going to your client (Windows 7 client in this case).
Click Start \ Devices and Printers.
Click Add a Printer on the menu bar.
Select Add a network, wireless, or Bluetooth printer.
The printer that you published should appear.
That is nice, but the objective here is to be able to share this printer using group policy.
We are going to create a new Group Policy Object for this deployment.  On your Window…

My 2010 report card

One thing that I look forward to is the evaluations from my classes.  Microsoft utilizes Metrics That Matter to allow students to provide feedback about the course, content, training provider and yours truly.  Below is the summary data of my performance as compared to other MCTs for 2010.  As you can all see below, I am well above average.

Statistically speaking, that is a 96% approval from my students.

Student comments from 2010:
“Jason has presented classes I have attended in the past and he is a good instructor and knows his material well.”

“I don't know how he could have improved. He really was great at providing examples, and his understanding was excellent.”

“If Jason doesn't know the answer to any of my questions he will find out and I will get "the email". I am always happy with his answers.”

“I appreciated Jason's control in a trying environment. He was able to walk us through keeping the Hyper-V environment working for these labs. Jason also brought rea…

How to Combine WIM images

One of the neat features of Microsoft WIM format is Single Instancing and the ability to hold more than 1 image in a single WIM file.  In Single Instancing, you only need to have one copy of a file for multiple images.  Let’s say I have 3 Windows 7 images.  Each one has 3 different configurations.  They all have Windows in common.  Why keep more than a single copy of Notepad.exe?  The first image will contain every file that it needs.  Each additional image will contain a reference to identical files in the first image. Anything the previous images do not have will be contained in the image.  This will greatly reduce your image storage requirements.

This blog article looks at combining two separate images into one.  For this example, I have two images.  One called Lab1.wim, which is my base image for a Windows Server 2008 R2. The second is the setup for course 10215 called Lab1-10215.wim.  The base image is 2.90 GB and the class setup is 64.6 GB.  OK, we will not see much of a space savings he…

How to add a user to the Local Administrators group in Server Core 2008 R2

Here is an easy way to add a new user into the Local Administrators group on your Windows Server 2008 R2 box.
Log in as a member of the Local Administrators group.
Type Sconfig and press Enter.
Press 3 for Add Local Administrator

In the example above, you can see the two ways to define a user account depending if this Server Core is in a domain, or a workgroup.  This particular one is in a workgroup.
Type the name of the new user and press Enter.

You will be prompted for a password and then to confirm it.

You will see the prompt above informing you of the account's creation.
Type 10  to log off the server core.
You should now be able to log on with the new user account.

Set Directory Access Changes through Group Policy

Directory Access Changes allows your servers to record (when possible) both the old and the new values of an object after a change.  This means that if a value was incorrectly changed, the old value may be recorded in your audit log.  To configure this, you would have to log into each server and type:

Auditpol /set /subcategory:"Directory Service Changes" /Success:Enable

For one or two servers, this is OK.  For hundreds, this is a problem.  You can utilize Group Policy to configure this on each of your servers/clients.

Either create a new GPO, or use an existing one that is scoped to your requirements.

Expand Computer Configuration \ Policies \ Windows Settings \ Advanced Audit Policy Configuration \ Audit Policies \ DS Access

Double click Audit Directory Service Changes.

Check Configure the following audit events.

Check Success and/or Failure

Click OK.

Once this policy is applied and your clients/servers refresh their Group Policies, you can test this GPO.

On a client/server that had this policy…

How to use PowerShell to scan a server for a specific file type?

This is an easy one liner:

Get-WMIObject Win32_LogicalDisk -filter "DriveType = 3" | Select-Object DeviceID | ForEach-Object {Get-Childitem ($_.DeviceID + "\") -include *.wav -recurse}

Let’s break this one down into its individual parts.

Get-WMIObject Win32_LogicalDisk -filter "DriveType = 3"

In the above line, we are using WMI to access all the logical drives on the server. We are using logical drives because we do not know how the drives are partitioned. We are also looking for Drive type #3. Here is a list of the different drive types:

1 - Drive could not be determined

2 - Removable drive

3 - Local hard disk

4 - Network disk

5 - Compact disk (CD)

6 - RAM disk

Select-Object DeviceID

The Select-Object cmdlet allows us to focus on just the DeviceID. The DeviceID is the drive letter.

ForEach-Object {Get-Childitem ($_.DeviceID + "\") -include *.wav -recurse}

The ForEach-Object cmdlet allows us to examine one object at a time in an array of objects.  The Get-Childitem is f…

In PowerShell, can you have the disk size reported in MB or GB?

In PowerShell V2, you can have data values returned as KB, MB, GB, etc… In the example below, the information is going to be returned in bytes:

GWMI Win32_LogicalDisk | Select DeviceID, Freespace | FL

The output will look like this:

The first section will call the WMI object to enumerate the properties of all the logical disks on the system. The second portion will select to display only the DeviceID (Drive letter), and how much free space is left. The third section is just for controlling the format of the output.

In PowerShell V2, you can have PowerShell reformat the data to reflect MB or GB.

GWMI win32_logicaldisk | Select deviceID, @{Label='Freespace(GB)';Expression={$_.freespace/1GB}} | FL

In the above example, we slightly changed what we entered.  First we changed the label that was going to be displayed for the data.  The default is Freespace.  We changed it to Freespace(GB) to better represent the format that data was going to be in.  Next we did the math to convert the value from b…

Boot from a VHD file

Windows 7 and Windows Server 2008 R2 have a really neat testing feature.  It is called boot from VHD.  VHD stands for Virtual Hard Disk.  It is the file type that is used in Hyper-V virtual machines.  What this boot option does for you is it allows you to test an image on the actual hardware, before you deploy an image of the VHD to your clients and servers.  Here is how you set up a Boot from VHD on Server 2008 R2.

First, open Server Manager.

Expand Storage and click Disk Management. Give it a few seconds to load.

Right click Disk Management and select Attach VHD.

In the Attach Virtual Hard Disk window, click Browse.

In the Browse Virtual Disk files window, browse to the VHD file and click it.

Click Open.

Click OK.

Take note of the drive letter the VHD mounted as. In my example, the drive letter is W.  You will also notice that its icon is a light blue as opposed to a light grey for actual physical drives.

Close Server Manager.

Open a command prompt as an Administrator.  To do this …

How to move a Server Core 2008 R2 from a Domain to a Workgroup

From time to time you may need to remove a server from your domain.  Whatever the reason may be, you now have a much simplified way of doing it in Server 2008 R2.  This procedure assumes this is a member server and not a domain controller.

Log into your server core with credentials that will allow you to remove a server from the domain.

Type sconfig and press Enter.

Press 1 for Domain/Workgroup.

Press W for Workgroup.

You will get a confirmation prompt.  Click Yes.

You will be asked for a user account that can perform this operation.  Enter the user name and press Enter.

Next you will be prompted, in a new window, for this user's password.  Enter it and press Enter.

Click Yes to restart your computer.  Your server core will now be in a Workgroup.

Reset Internet Explorer Settings (REIS) Feature

As our users, or us, browse the Internet and freely click away, we may inadvertently install many different add-ons into Internet Explorer.  I was volunteering for an organization this past weekend that provided the volunteer with a desktop.  This desktop had:
Bing Search
Google Search
Yahoo Search
Lexmark Search
And something else that I never heard of.

With all these add-ons (and what else I did not see) performance of IE can start to become an issue.  One way to get a clean slate for IE to work on is to use the REIS feature.  REIS will reset the following IE components to their default settings:

Home Pages
Search scopes
Browsing history
Form data
Password
Appearance settings
Toolbars
ActiveX controls.

Doing this procedure will help provide a more stable browsing experience for your users and prevent messages such as “Internet Explorer has encountered a problem and needs to close.”  Here is how you do it.
Exit all programs
Launch just one instance of Internet Explorer
In Internet E…

Why is the “User Must Change Password at next Login” box grayed out?

When you are trying to change the password of a user account in Active Directory Users and Computers, you might see a situation like the one below:

In this case, you cannot tell the user to reset their password at their next login.  This is not a good situation for a network administrator.  At no time should both you and the user know the user's password.  At this point, you have lost accountability for the actions taken with this user's account. This is a simple fix though.

Open the properties of the user in Active Directory Users and Computers.

Click the Account tab.

Uncheck Password Never Expires and then click OK.

Now you should be able to reset the user's password and force them to change it the next time they log in.