
Mark Empson's Blogalot

Platforms and Active Directory Resources.
ADPREP Challenges

I had an interesting challenge last month and figured that this is a great one for my blog.   Being based in England, I had never come across this issue before so it was very interesting.  

I arrived on a customer site to help perform a Windows Server 2008 schema update and make sure that all was well and fix any challenges, should they arise.   We started by following Microsoft best practice to update the schema and when we started to run ADPREP /Forestprep, we found the following error in the event log:

Event Type: Error
Event Source: NTDS General
Event Category: DS Schema
Event ID: 1136
Date:  23/01/2009
Time:  1:02:38 p.m.
User:  NT AUTHORITY\ANONYMOUS LOGON
Computer: DC1
Description:
Active Directory failed to create an index for the following attribute.

Attribute identifier:
591789
Attribute name:
msFVE-RecoveryGuid

A schema cache update will occur 5 minutes after the logging of this event and will attempt to create an index for the attribute.

Additional Data
Error value:
-1403 JET_errIndexDuplicate, Index is already defined

The error appeared every 5 minutes in the event log, so I started to look around for this issue on the internet. As it turns out, this is a known issue, and I found the solution via KB932862 (http://support.microsoft.com/kb/932862/).

Basically, if you are located in any of the following countries with the locale set to one of the following:

Arabic - Libya, Chinese - Singapore, German - Luxembourg, English - Canada, Arabic - Algeria, Chinese - Macao SAR, German - Liechtenstein, English - New Zealand, Arabic - Morocco, English - Ireland, Arabic - Oman, English - Jamaica, Arabic - Yemen, English - Caribbean, Arabic - Syria, English - Belize, Arabic - Lebanon, English - Zimbabwe, Arabic - Kuwait, English - Philippines, Arabic - U.A.E., English - Indonesia, Arabic - Qatar, English - India, English - Malaysia, English - Singapore, Spanish - Guatemala, French - Switzerland, Croatian (Bosnia/Herzegovina), Spanish - Costa Rica, French - Luxembourg, Bosnian (Bosnia/Herzegovina), Spanish - Panama, French - Monaco, Arabic - Tunisia, English - South Africa, Spanish - Dominican Republic, French - West Indies, Spanish - Venezuela, French - Reunion, Spanish - Colombia, French - Democratic Rep. of Congo, Spanish - Peru, French - Senegal, Arabic - Jordan, English - Trinidad, Spanish - Argentina, French - Cameroon, Spanish - Ecuador, French - Cote d'Ivoire, Spanish - Chile, French - Mali, Spanish - Uruguay, French - Morocco, Arabic - Bahrain, English - Hong Kong SAR, Spanish - Paraguay, French - Haiti, Spanish - Bolivia, Spanish - El Salvador, Spanish - Honduras, Spanish - Nicaragua, Spanish - Puerto Rico, Spanish - United States, Spanish - Latin  America, French - North Africa

You will more than likely run into this issue, but the fix is simple in most cases: just follow the KB article http://support.microsoft.com/kb/932862 and you will be fine :)

M

Registry.pol fun

Hi all,

    This month, I ran into an interesting challenge to do with group policies. Specifically, I was trying to figure out why a client was not getting a specific setting. While the version of the Group Policy Object (GPO) and the version of the GPT.ini in SYSVOL were in sync, the client was still not getting the setting.

One of my colleagues suggested that I use this tool:

http://www.gpoguy.com/FreeTools/FreeToolsLibrary/tabid/67/agentType/View/PropertyID/87/Default.aspx

This enabled me to see inside the registry.pol file, and sure enough the option was in there, so it was a client-side specific issue. For any of you with challenges around Group Policies of this nature, I would have a look at this tool :)

M
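The post above leans on a third-party viewer to look inside Registry.pol. The Registry.pol layout is documented by Microsoft (an ASCII "PReg" signature, a little-endian DWORD version of 1, then entries of the form [key;value;type;size;data] encoded in UTF-16LE), so a small parser lets you confirm what a GPO really carries in SYSVOL before you start chasing the client. The following is an added example and is not code from the original post or from the tool it links to; the writer function exists only to build a constructed sample file in memory, and the SYSVOL path at the end is a placeholder.

```powershell
# Added example (not from the original post). Reads and writes the Registry.pol
# format: "PReg" signature, DWORD version 1, then [key;value;type;size;data]
# entries in UTF-16LE with little-endian DWORD type and size fields.

$Enc = [System.Text.Encoding]::Unicode   # UTF-16LE, as used inside Registry.pol

function New-RegistryPolEntry {
    # Serialises one [key;value;type;size;data] entry (used here to build sample input).
    param([string]$Key, [string]$ValueName, [uint32]$Type, [byte[]]$Data = @())
    $out = New-Object System.Collections.Generic.List[byte]
    $out.AddRange($Enc.GetBytes('['))
    $out.AddRange($Enc.GetBytes($Key + "`0;"))            # key, null terminator, separator
    $out.AddRange($Enc.GetBytes($ValueName + "`0;"))      # value name, null terminator, separator
    $out.AddRange([BitConverter]::GetBytes($Type));                 $out.AddRange($Enc.GetBytes(';'))
    $out.AddRange([BitConverter]::GetBytes([uint32]$Data.Length));  $out.AddRange($Enc.GetBytes(';'))
    if ($Data.Length -gt 0) { $out.AddRange($Data) }
    $out.AddRange($Enc.GetBytes(']'))
    return ,$out.ToArray()
}

function Read-RegistryPol {
    # Parses a Registry.pol byte array into objects with Key, ValueName, Type and decoded Data.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -ne 'PReg') {
        throw 'Not a Registry.pol file: "PReg" signature missing'
    }
    $version = [BitConverter]::ToUInt32($Bytes, 4)
    if ($version -ne 1) { throw "Unsupported Registry.pol version $version" }

    $typeNames = @{ 1 = 'REG_SZ'; 2 = 'REG_EXPAND_SZ'; 3 = 'REG_BINARY'; 4 = 'REG_DWORD'; 7 = 'REG_MULTI_SZ' }
    $entries = @()
    $pos = 8
    while ($pos -lt $Bytes.Length) {
        if ($Enc.GetString($Bytes, $pos, 2) -ne '[') { throw "Expected '[' at offset $pos" }
        $pos += 2
        $strings = @()
        foreach ($i in 1..2) {                                  # key name, then value name
            $start = $pos
            while ([BitConverter]::ToUInt16($Bytes, $pos) -ne 0) { $pos += 2 }
            $strings += $Enc.GetString($Bytes, $start, $pos - $start)
            $pos += 4                                           # null terminator (2) + ';' (2)
        }
        $type = [int][BitConverter]::ToUInt32($Bytes, $pos); $pos += 6   # DWORD + ';'
        $size = [int][BitConverter]::ToUInt32($Bytes, $pos); $pos += 6   # DWORD + ';'
        $data = if ($size -gt 0) { [byte[]]$Bytes[$pos..($pos + $size - 1)] } else { [byte[]]@() }
        $pos += $size
        if ($Enc.GetString($Bytes, $pos, 2) -ne ']') { throw "Expected ']' at offset $pos" }
        $pos += 2

        $decoded = switch ($type) {
            { $_ -in 1, 2 } { $Enc.GetString($data).TrimEnd([char]0) }
            4               { [BitConverter]::ToUInt32($data, 0) }
            7               { $Enc.GetString($data).TrimEnd([char]0) -split "`0" }
            default         { ($data | ForEach-Object { $_.ToString('X2') }) -join ' ' }
        }
        $entries += [pscustomobject]@{
            Key       = $strings[0]
            ValueName = $strings[1]
            Type      = if ($typeNames.ContainsKey($type)) { $typeNames[$type] } else { "type $type" }
            Data      = $decoded
        }
    }
    return ,$entries
}

# Constructed sample (not taken from any real GPO): a REG_DWORD and a REG_SZ setting.
$header = [System.Text.Encoding]::ASCII.GetBytes('PReg') + [BitConverter]::GetBytes([uint32]1)
$e1 = New-RegistryPolEntry 'Software\Policies\Microsoft\Windows\WindowsUpdate\AU' 'NoAutoUpdate' 4 ([BitConverter]::GetBytes([uint32]0))
$e2 = New-RegistryPolEntry 'Software\Policies\Constructed\Example' 'Banner' 1 ($Enc.GetBytes("Authorised use only`0"))
$sample = [byte[]]($header + $e1 + $e2)

Read-RegistryPol -Bytes $sample | Format-Table Key, ValueName, Type, Data -AutoSize

# Against a real GPO (placeholder path; substitute the domain and GPO GUID):
# Read-RegistryPol -Bytes ([IO.File]::ReadAllBytes('\\contoso.com\SYSVOL\contoso.com\Policies\{GPO-GUID}\Machine\Registry.pol'))
```

If the setting is present in the parsed output but missing on the client, the GPO side is sound and the problem is local processing, which is exactly the conclusion the post reached; if it is missing here, the GPO was never written correctly and no amount of client troubleshooting will help.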

GPMC Error

Hi All,

          I have been working on some servers recently with my good friend Mohnish and we came across an interesting error with the Group Policy Management Console (GPMC) Service Pack 1 (specifically).  It seems that every time the administrator tries to click on the settings tab of ANY Group Policy Object (GPO), we see the following error:

[Screenshot: GPMC error dialog shown when opening the Settings tab]

The error “An error occurred while generating report: Error text not available. Error code = 8013150a” does not seem to be referenced anywhere on the internet which corresponds directly to the Group Policy Management Console (GPMC).   The only things that I could find were on the MSDN site with a programming spin.

After playing with this issue for a while, I figured out that it pertains to a .NET Framework issue rather than a connectivity issue; it appears that a specific aspect of the locally installed .NET Framework has failed or is no longer registered.

Since the version on this server was 2.0, we uninstalled .NET Framework 2.0 and then tried to re-install it. Subsequently we had the following error during re-install:

[Screenshot: .NET Framework 2.0 re-install error dialog]

 

This was a very interesting error, stating “Error 25015. Failed to install assembly ‘C:\windows\Microsoft.Net\Framework\v2.0.50727\system.drawing.dll’ because of the system error 0x80131018”.   Not quite knowing where to go from here, we decided to exit and just install .NET framework 3.5.

That installation went straight through without error and also fixed our original GPMC error!

Proof that the latest version of .NET framework is fantastic!

Playing with NAP

Hi all,

      I have been playing with Network Access Protection (NAP) recently and have a few pointers that may help you all out :)

Event ID 204 on the NAP server is raised when clients do not meet policy requirements

Event ID 201 on the NAP server is raised when clients do not meet the requirements of CAP

 

To see if NAP is enabled on the client:

Netsh nap client show stat

To see if NAP is enabled via GPO on the client:

Netsh nap client show grouppolicy

 

I know it is short and sweet but it was interesting for me :)

Advanced Group Policy Management V3

I was looking into AGPM v3 recently and thought that it would be good to put a reference to it on my blog. The challenging thing is, this is a great tool, but you have to know about it first to realise it!

If you like Group Policies, then you will love this tool. In brief, this will enable you to take group policy management out of Active Directory and into a separate database that you can strictly control. This gives you the ability to have change control, historical version control, group policy comparison reports and a recycle bin for group policies too. This is not a new tool; we are now on version 3 and it is rock solid.

New features in AGPM 3.0 are:


Full x64 support

Both the client and server components fully support x64 architecture and operating systems. There is a 64-bit and a 32-bit version of both the client and server. WOW64 is not supported. This means that a 64-bit version of AGPM must be installed on a 64-bit version of the host operating system and a 32-bit version of AGPM must be installed on a 32-bit version of the host operating system. Communication between different bitness client and server is fully supported. This means that a 64-bit AGPM client can communicate with a 32-bit AGPM server and a 32-bit AGPM client can communicate with a 64-bit AGPM server.

Windows Vista SP1 & Windows Server 2008

Significant changes have been made to the GPMC in these OSs and AGPM depends on the GPMC interfaces extensively. Therefore this version of AGPM is only installable on Windows Vista SP1 with Remote Server Administration Toolkit (RSAT) or Windows Server 2008. Windows Vista SP1 does not have the GPMC integrated into the operating system. The GPMC needs to be installed on Windows Vista SP1 through an optional tool called RSAT prior to installing either the client or server.
Note: Although version 2.5 will still be available for customers who do not plan to upgrade to these operating systems, version 3.0 client or service will not communicate with the version 2.5 client or service.

Customizable permissions

Version 3.0 allows the permissions deployed to a GPO in production to be customized. The default permissions are the same as version 2.5, however, custom permissions can be configured for each domain. The permissions configured on the “Production Delegation” tab will replace any permission already on a production GPO when it is controlled or deployed from the AGPM server. Applying the above permissions to the production GPO when taken into AGPM control will prevent changes to production GPOs from outside of AGPM as soon as a GPO is controlled.

More robust change tracking

The AGPM history has been changed to track more changes made to GPOs such as when/who made a request, when/who Approved/Rejected the request, when/who made changes to AGPM delegation, etc.

Purge Historical data

This version gives the AGPM administrator the ability to purge old data by specifying on the AGPM Server tab how many historical versions to retain. Purging old data deletes the data (GPO backup) from the archive, so this data is no longer accessible. The information about the historical action is, however, retained in the history, and an entry is recorded in the history that data was purged. This means that if a checked-in GPO from 6 months ago was purged, reports, etc. cannot be run against it, but the history view still shows that a check-in was performed.

Group Policy Preferences Support

This version fully supports the new Group Policy Preferences (GPP) functionality added to Windows Server 2008.

General UI improvements

Changes have been made to field names and ordering to better describe the information contained in the field. Additionally the order in which the fields are displayed has been changed to make more pertinent information easier to find.

Localization

Localized in 11 additional languages.

The above feature list was taken from Michael Kleef's blog (project manager for AGPM). I highly recommend reading more from him :) and the other PMs on Group Policies. Check out: http://blogs.technet.com/grouppolicy/

Fine Grain Password Policies (FGPP)

Hi,

    Having played with FGPPs recently at TechEd, I figured that it would be good to publish the attributes that are required to create one and their value types.

The attributes required for creating a fine-grained password policy are:

msDS-PasswordSettingsPrecedence

 This is just a number you can make up (make sure you leave some space in the numbering for future use) 

msDS-PasswordReversibleEncryptionEnabled

 This attribute is boolean and defines if you want to store the passwords of the accounts (to whom the Password Settings Object applies) in reversible encryption or not. The default and best practice is "FALSE"
 
msDS-PasswordHistoryLength

 This setting defines how many old passwords the user cannot reuse (to prevent the user from changing the password back and forth to the same one, or changing it multiple times until he is able to reuse his old password).
The domain default is not to allow the last 24 passwords of that user.
 
msDS-PasswordComplexityEnabled

 This attribute is a Boolean, and defines whether the password needs to be complex (contains characters from at least three of the following character sets: lower-case letters, capital letters, numbers, symbols, Unicode characters).
The domain default and best practice would be to turn it on (TRUE).
 
msDS-MinimumPasswordLength

 This attribute defines the minimum length of a password in characters. The domain default would be 7 characters long.
 
msDS-MinimumPasswordAge

Defines the minimum age for passwords. This is a negative number which you can compute and decode using the scripts at http://msdn2.microsoft.com/en-us/library/ms974598.... as a guideline.
(domain default: 1 day = -864000000000)
 
msDS-MaximumPasswordAge

Defining the maximum age for Passwords.
This is a negative number.
(domain default: 42 days = -36288000000000)
 
msDS-LockoutThreshold

 Defines after how many failed password attempts the user object will be locked out.
(domain default: 0 = don't lockout accounts after invalid passwords)
 
msDS-LockoutObservationWindow

 After how much time should the "bad password counter" be reset?
(domain default: 6 min = -18000000000)
 
msDS-LockoutDuration

 How long should the account remain locked out?
(domain default: 6 min = -18000000000)
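The age and lockout attributes above are stored as negative counts of 100-nanosecond intervals, and a .NET TimeSpan tick is also 100 ns, so the conversion is just a negated tick count (1 day = 864,000,000,000 ticks, hence -864000000000). The following is an added example, not code from the original post: it converts in both directions, validates a Password Settings Object attribute set against the constraints AD enforces, and shows how the hashtable would be handed to New-ADObject from the ActiveDirectory module (that part is an assumption about your environment and is left commented). Running the decoder on the quoted domain defaults also shows that -18000000000 decodes to 30 minutes, not 6.

```powershell
# Added example (not from the original post): PSO interval conversion and attribute-set builder.

function ConvertTo-PsoInterval {
    # TimeSpan -> negative 100 ns count, the form msDS-*Age and msDS-Lockout* attributes store.
    param([Parameter(Mandatory)][TimeSpan]$Span)
    if ($Span -lt [TimeSpan]::Zero) { throw 'Span must not be negative' }
    return -$Span.Ticks                          # 1 day -> -864000000000
}

function ConvertFrom-PsoInterval {
    # Negative 100 ns count -> TimeSpan.
    param([Parameter(Mandatory)][long]$Interval)
    if ($Interval -gt 0) { throw 'PSO intervals are stored as negative numbers' }
    return [TimeSpan]::FromTicks(-$Interval)     # -36288000000000 -> 42 days
}

function New-PsoAttributeSet {
    # Validates the inputs and returns the hashtable that New-ADObject -OtherAttributes expects.
    # Defaults follow the domain defaults quoted in the post (the lockout windows decode to 30 min).
    param(
        [Parameter(Mandatory)][int]$Precedence,
        [int]$MinimumLength = 7,
        [int]$HistoryLength = 24,
        [bool]$ComplexityEnabled = $true,
        [bool]$ReversibleEncryption = $false,
        [TimeSpan]$MinimumAge = [TimeSpan]::FromDays(1),
        [TimeSpan]$MaximumAge = [TimeSpan]::FromDays(42),
        [int]$LockoutThreshold = 0,
        [TimeSpan]$LockoutObservationWindow = [TimeSpan]::FromMinutes(30),
        [TimeSpan]$LockoutDuration = [TimeSpan]::FromMinutes(30)
    )
    if ($Precedence -lt 1) { throw 'Precedence must be 1 or greater (the lowest value wins when several PSOs apply)' }
    if ($MinimumAge -ge $MaximumAge) { throw 'Minimum password age must be shorter than the maximum age' }
    if ($LockoutThreshold -gt 0 -and $LockoutDuration -lt $LockoutObservationWindow) {
        throw 'Lockout duration must be at least as long as the observation window'
    }
    if ($ReversibleEncryption) { Write-Warning 'Reversible encryption stores passwords recoverably; keep this FALSE unless a protocol requires it' }
    return @{
        'msDS-PasswordSettingsPrecedence'          = $Precedence
        'msDS-PasswordReversibleEncryptionEnabled' = $ReversibleEncryption
        'msDS-PasswordHistoryLength'               = $HistoryLength
        'msDS-PasswordComplexityEnabled'           = $ComplexityEnabled
        'msDS-MinimumPasswordLength'               = $MinimumLength
        'msDS-MinimumPasswordAge'                  = ConvertTo-PsoInterval $MinimumAge
        'msDS-MaximumPasswordAge'                  = ConvertTo-PsoInterval $MaximumAge
        'msDS-LockoutThreshold'                    = $LockoutThreshold
        'msDS-LockoutObservationWindow'            = ConvertTo-PsoInterval $LockoutObservationWindow
        'msDS-LockoutDuration'                     = ConvertTo-PsoInterval $LockoutDuration
    }
}

# Decode the domain defaults quoted in the post:
(ConvertFrom-PsoInterval (-864000000000)).TotalDays       # 1
(ConvertFrom-PsoInterval (-36288000000000)).TotalDays     # 42
(ConvertFrom-PsoInterval (-18000000000)).TotalMinutes     # 30

# A stricter policy for privileged accounts (constructed values):
$attrs = New-PsoAttributeSet -Precedence 10 -MinimumLength 15 -MaximumAge ([TimeSpan]::FromDays(30)) `
                             -LockoutThreshold 5 -LockoutObservationWindow ([TimeSpan]::FromMinutes(60)) `
                             -LockoutDuration ([TimeSpan]::FromMinutes(60))
$attrs

# Creating it needs the ActiveDirectory module (assumed); PSOs live in the Password Settings Container.
# $domainDn = (Get-ADDomain).DistinguishedName
# New-ADObject -Name 'PSO-PrivilegedAccounts' -Type 'msDS-PasswordSettings' `
#     -Path "CN=Password Settings Container,CN=System,$domainDn" -OtherAttributes $attrs
# Set-ADObject "CN=PSO-PrivilegedAccounts,CN=Password Settings Container,CN=System,$domainDn" `
#     -Add @{ 'msDS-PSOAppliesTo' = (Get-ADGroup 'Domain Admins').DistinguishedName }
```

Validating before writing matters because the directory rejects an inconsistent PSO with a generic constraint-violation error that says nothing about which attribute was wrong; doing the checks in the builder gives a readable message and keeps the reversible-encryption flag from being set by accident.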

I hope you find this useful :)

Installing WSUS nightmares!

Hi,

     I was installing WSUS v3.1.6001.65 and the installation kept failing just as it was copying files, the error I was getting was quite a strange one in the installation logs:

An exception occurred during the Install phase.
System.FormatException: Input string was not in a correct format.
   at System.Number.StringToNumber(String str, NumberStyles options, NumberBuffer& number, NumberFormatInfo info, Boolean parseDecimal)

 After many hours of research it turned out to be an issue with the performance counter names/drivers that caused the strange issue. I uncovered a white paper talking about WSUS which mentioned that re-registering the counters may help. It linked me to the MS web page: http://technet2.microsoft.com/windowsserver/en/library/8ca82333-eca8-413b-b8c8-c6defad6de3e1033.mspx?mfr=true

This gives a command, LODCTR (found in the system32 folder); using the following syntax seems to have fixed my issue:

 C:\WINDOWS\system32> lodctr /R

 The command does take a little time, but once completed, I just tried to install WSUS again and it went straight through!

 I figured that it may help someone

 

RDP Ports

Hi all, I know this is an old tip but I needed it last week and figured that I should keep it on my blog. I was trying to change the default port of my terminal services so that I could make it a little harder for my users if they try and bypass my web site.

 

To change the default RDP port number:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp: set the value to the hex of whatever port you want, for example 10cc is port 4300.

 

I hope you will find it useful!

Sponsor Jane Lewis

Hi all,

       My good friend and colleague Jane is off to Madagascar for a charity cycle ride; please support her by clicking on the following link:

https://secure.justgiving.com/rss/GetFundraisingBadge.asp?eventgivinggroupid=1336885&from=UKSponsorExit

 

 

Thanks  :)

2008 interesting links

If you are feeling a little limited in information about Windows 2008, check out the following featured components:

 

·         AD DS: Restartable Active Directory Domain Services

Windows 2008 introduced new capabilities to start or stop directory services running on a domain controller without having to shut it down, allowing administrators to perform maintenance (offline defragmentation, security updates, etc.) or recovery on the AD database without having to reboot into Directory Services Restore Mode.


·         AD DS: Fine-Grained Password Policies

One very significant change with Windows 2008 AD DS is the ability to implement granular password policies in a single domain. Fine-grained password policies always win over the domain password policy, and they can be applied to groups or users. For fine-grained password policies to be implemented, all DCs must be running Windows 2008 and the domain must be in Windows 2008 functional mode.


·         AD DS: Auditing

In Microsoft® Windows® 2000 Server and Windows Server 2003, Active Directory audit logs can show you who made changes to what object attributes, but the events do not display the old and new values. In Windows Server 2008 you can now set up AD DS auditing with a new audit subcategory (Directory Service Changes) to log old and new values when changes are made to objects and their attributes.


·         AD DS: Read-Only Domain Controllers (RODC)

Windows 2008 includes the ability to deploy domain controllers that host read-only partitions of the Active Directory® Domain Services (AD DS) database. To deploy an RODC, at least one writable domain controller in the domain must be running Windows Server 2008. In addition, the functional level for the domain and forest must be Windows Server 2003 or higher.


·         AD DS: Database Mounting Tool (Dsamain)

The Active Directory database mounting tool (Dsamain.exe) is a command-line tool that allows administrators to view snapshots of data within an AD DS database (it can be used with AD Lightweight Directory Services databases also). The tool can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots or backups that are taken at different times, so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain.


 

Virtualising servers

Hi All,

             I have started collecting a list of whitepapers based upon virtualisation of domain controllers and services, I just figured that you may find these of use! 

 

KB897615  Support policy for Microsoft software running in non-Microsoft hardware virtualization software
http://support.microsoft.com/default.aspx?scid=kb;EN-US;897615

KB897613  Microsoft Virtual Server support policy
http://www.support.microsoft.com/kb/897613

KB897614  Windows Server System software not supported within a Microsoft Virtual Server environment
http://www.support.microsoft.com/kb/897614

KB888794  Considerations when hosting Active Directory domain controller in virtual hosting environments
http://support.microsoft.com/default.aspx?scid=kb;EN-US;888794

KB320220  Support policy for Exchange Server 2003 running on hardware virtualization software
http://support.microsoft.com/default.aspx?scid=kb;EN-US;320220

KB909840  Hardware virtualization support for SharePoint products and technologies
http://support.microsoft.com/default.aspx?scid=kb;EN-US;909840

KB953797  Time Synchronization issue in Windows Server 2003 systems running as VMware Guests
http://support.microsoft.com/default.aspx?scid=kb;EN-US;953797

KB888746  You may experience time-related issues with programs that run in a virtual machine in Virtual Server 2005
http://support.microsoft.com/default.aspx?scid=kb;EN-US;888746

KB887727  Time synchronization settings in Virtual Server 2005
http://support.microsoft.com/default.aspx?scid=kb;EN-US;887727

VMware KB 1318  Time Sync and Windows Time Service
http://kb.vmware.com/selfservice/viewContent.do?language=en_US&externalId=1318

Running Domain Controllers in Virtual Server 2005
http://www.microsoft.com/downloads/details.aspx?familyid=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en

For pre-deployment of virtualized DCs, you can try the MAP 3.0 tool at:
www.microsoft.com/map

Exchange 2007 IS failure Oddity

Hi all,

             I manage a local school's infrastructure in my spare time, and they had this strange little issue:

 After a power outage, the information store on my Exchange 07 SP1 server (running Windows 2008) would not start. All other services were running OK, and running the following command:

  SC Query MSExchangeIS

I could see the following:

State : 0 Stopped
Win32_Exit_Code : 1066 (0x42a)
Service_Exit_Code : 0 (0x0)
Checkpoint : (0x0)
Wait_Hint : (0x0)

I did some research and it appeared that it may have been AV orientated, so I went into the following registry key:

 The key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan\Enabled

Current value 1 changed to 0

This allowed the service to start and all email was fine.  

 I have now re-installed my AV and it all appears to be back to normal, and the Enabled value is now back at 1.

 

Very interesting!

Manual Connection objects in Active Directory

Hi All,

       I had a question today that I wanted to get to the bottom of, it is an old question but as I obviously forgot the answer in detail, I had to find it.  :)

 The question was "How can I tell if a connection object is manual or not?"

The first obvious place to look is the name: if it is called <automatically generated> then it is KCC generated and therefore automatic. If it is manual, then it should be easy to tell because most sane people would call them something else. If not, then how can you tell?

Well, the way to do it is using ADSI edit, via the configuration NC, from here go into sites, <site name>, Servers, <server name>,  NTDS Settings, and then the properties of the connection object.  In here check out the options attribute on the connection object. Now comes the tricky part:

 "If this value (value BITWISE-AND 1) equals 1, the KCC owns the connection. If you modify a KCC-generated connection, the options value changes. If you create a new connection object, the value of the options attribute is set to 0."

I hope this helps someone else.. 
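The bit test quoted above is easy to automate, and doing it across the whole configuration NC is a lot quicker than opening every connection object in ADSI Edit. The following is an added example and not code from the original post: Test-KccOwnedConnection applies the "options BITWISE-AND 1" rule to any value, and Get-ConnectionObjectReport runs it over every nTDSConnection object under CN=Sites. The report function assumes the ActiveDirectory PowerShell module is available and that server and site names contain no escaped commas; the bit test itself needs nothing.

```powershell
# Added example (not from the original post): classify connection objects as KCC-generated or manual.

$NTDSCONN_OPT_IS_GENERATED = 1   # bit 0 of the options attribute on nTDSConnection

function Test-KccOwnedConnection {
    # Returns $true when bit 0 of options is set, i.e. the KCC owns the connection.
    param($Options)   # the attribute may be absent on objects created by hand
    if ($null -eq $Options) { return $false }   # absent counts as 0: manual
    return (([int]$Options) -band $NTDSCONN_OPT_IS_GENERATED) -ne 0
}

function Get-ConnectionObjectReport {
    # Walks CN=Sites in the configuration NC (what the ADSI Edit procedure does by hand).
    # Assumes the ActiveDirectory module; the simple split on ',' assumes no escaped commas in names.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter '(objectClass=nTDSConnection)' `
                 -Properties options, fromServer |
        ForEach-Object {
            # DN layout: CN=<conn>,CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
            $dn = $_.DistinguishedName -split ','
            [pscustomobject]@{
                Connection = $_.Name
                Site       = $dn[4] -replace '^CN='
                ToServer   = $dn[2] -replace '^CN='
                FromServer = ($_.fromServer -split ',')[1] -replace '^CN='
                Options    = $_.options
                Origin     = if (Test-KccOwnedConnection $_.options) { 'KCC (automatic)' } else { 'Manual' }
            }
        }
}

# Constructed checks that need no directory:
Test-KccOwnedConnection 1       # True  : KCC-generated
Test-KccOwnedConnection 0       # False : created by hand
Test-KccOwnedConnection $null   # False : attribute missing, treated as 0

# Live report with manual objects listed first, since those are the ones that need an owner and a reason:
# Get-ConnectionObjectReport | Sort-Object Origin | Format-Table -AutoSize
```

Manual connection objects are not re-evaluated by the KCC, so they persist after the topology they were built for has changed; listing them with their site and endpoints is a cheap replication-health and change-control check.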

RDP to Windows 2008

Hi all,

       I have installed a Windows 2008 server into my Windows 2003 domain. I then enabled RDP on my Windows 2008 server and verified that I could connect from my Vista client on the network. While working from home, I quickly found out that I could not RDP onto my Windows 2008 server from my 2003/XP clients. Very annoying.

 The reason for this is that when I enabled RDP on the 2008 servers, I selected "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)"  Thinking that it was not a problem as I would only manage the server using Vista.

 The problem was that when I took my laptop home, I was only left with 2003 and XP clients to manage the new 2008 servers.  doh!

This setting means that the server requires Network Level Authentication, which is currently only installed on Windows Vista or Windows Server 2008. You can verify that your RDP client does not support NLA simply by running MSTSC, then in the top left-hand corner click About, and in the text you should see the section "Network Level Authentication not supported".

 
In this case, if you still want to RDP to the Windows 2008 server and you do not have a Vista/2008 machine, then you can change the UserAuthentication value to 0. This setting enables legacy support for Windows 2008 by disabling the requirement for NLA.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp
Data Type: DWORD
Value Name: UserAuthentication
Value: 1

Now you should be able to RDP to a Windows 2008\Vista host.
 
I hope this helps! It helped me.
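Both of the RDP posts on this page (the port change and the NLA change) edit values under the RDP-Tcp listener key by hand, and both changes are the kind that get forgotten. The following is an added example, not code from either post: it reads PortNumber (the value the port post sets in hex; 0x10CC = 4300) and UserAuthentication (the NLA switch) and reports what they mean, flagging NLA disabled as a finding. Test-RdpTcpSettings is a pure function so it can be run on values exported from another host; Get-RdpTcpSettings reads the live key. It uses CurrentControlSet, which links to the active ControlSet00N, where the post quotes ControlSet001 directly.

```powershell
# Added example (not from the original posts): audit the RDP-Tcp listener values.

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function ConvertFrom-HexPort {
    # The registry editor shows PortNumber in hex, e.g. '10cc' -> 4300.
    param([Parameter(Mandatory)][string]$Hex)
    return [Convert]::ToUInt32(($Hex -replace '^0x'), 16)
}

function Test-RdpTcpSettings {
    # Interprets the two REG_DWORD values and returns findings a reviewer would want to see.
    param(
        [Parameter(Mandatory)][uint32]$PortNumber,          # listener port
        [Parameter(Mandatory)][uint32]$UserAuthentication   # 1 = NLA required, 0 = legacy clients allowed
    )
    $findings = @()
    if ($UserAuthentication -ne 1) {
        $findings += 'NLA not required: unauthenticated clients reach the logon screen (pre-authentication exposure)'
    }
    if ($PortNumber -eq 3389) {
        $findings += 'Listener on the default port 3389 (moving it is obscurity only; it does not replace NLA or firewalling)'
    }
    if ($PortNumber -gt 65535) {
        $findings += "PortNumber $PortNumber is not a valid TCP port"
    }
    [pscustomobject]@{
        Port        = $PortNumber
        PortHex     = ('0x{0:X}' -f $PortNumber)
        NlaRequired = ($UserAuthentication -eq 1)
        Findings    = $findings
    }
}

function Get-RdpTcpSettings {
    # Reads the live values from the local listener key.
    $p = Get-ItemProperty -Path $RdpTcpKey -Name PortNumber, UserAuthentication
    Test-RdpTcpSettings -PortNumber $p.PortNumber -UserAuthentication $p.UserAuthentication
}

# Constructed values matching the two posts: port 0x10CC with NLA switched off.
Test-RdpTcpSettings -PortNumber (ConvertFrom-HexPort '10cc') -UserAuthentication 0
# -> Port 4300, PortHex 0x10CC, NlaRequired False, one finding about NLA

# On the server itself:
# Get-RdpTcpSettings
```

If the only reason for dropping NLA is an older client, the safer route is to bring the client up to NLA (Remote Desktop Connection 6.1 on XP SP3 can be enabled for CredSSP) rather than lowering the server; the audit above will keep reporting UserAuthentication = 0 until the server is put back.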
Windows Server 2008 Core Quick Reference

This month I have been setting up my first Windows 2008 core server to go into a production environment.  It has been a very interesting experience as I was expecting a straight forward process but ran into a few challenges.  What with some vendor specific hardware and a bizarre WSUS issue, I have certainly had some fun.

Therefore I thought that I would share with you my cheat sheet, which has a few basic commands that got me through this build; some commands seemed to be harder to find than expected. They are in no particular order from a technical point of view, but are in the order that I found them/needed them. :)

 

Set the computer name

Netdom computername [origcomputername] /add Core.contoso.com

Netdom computername [origcomputername] /makeprimary core.contoso.com

Configure IP address

Netsh int ipv4 set address “Local Area Connection” static 192.168.1.200 255.255.255.0 192.168.1.1

Netsh int ipv4 set address “Local Area Connection” source=dhcp

Netsh int ipv4 set dnsserver “Local Area Connection” static 192.168.1.200 primary

Netsh int ipv4 set winsserver “Local Area Connection” static 192.168.1.200 primary

Change the name of the network interface

Netsh int set interface name = “Local Area Connection” newname = “LAN”

Manage Firewall

Netsh firewall set opmode enable

Netsh firewall set opmode disable

Enable Remote Administration

Netsh firewall set service remoteadmin enable

To set up the registry for remote admin

Cscript C:\Windows\System32\Scregedit.wsf /ar 0

If you are using an older version of TS client, then you need to drop the security levels on core

cscript C:\Windows\System32\Scregedit.wsf /cs 0

To enable automatic updates

cscript C:\Windows\System32\Scregedit.wsf /AU 4

To use the Disk Management MMC snap-in remotely

Net start vds

To view main hardware/software details of core

Systeminfo.exe

Reset the administrator password

Net user administrator *

To activate the server

Slmgr.vbs -ato

To join the domain

Netdom join <computername> /domain:<domainname> /userd:<username> /password:<password>

Restart core

Shutdown /r

To remotely find out if this server is a core build using WMI

wmic path win32_operatingsystem get OperatingSystemSKU /value

To list installed drivers:

Sc query type= driver

Installing a driver that is not included:

Copy the driver files to Server Core

Pnputil -i -a <path>\<driver>.inf

List of installed patches:

wmic qfe list

To list the installed roles

OCList

To install a role

Start /w ocsetup <name of role>

 

Hopefully you will find this useful too :)
