Premkumar Yogeswaran's Blog

Active Directory | PowerShell | DNS | DHCP | Exchange Server | VM Ware

Archive for April, 2012

unknown object in AD – “The Active Directory object could not be displayed.”

Posted by Premkumar Yogeswaran on April 30, 2012


Issue:

A user object is displayed as an unknown object in Active Directory Users and Computers, with the errors:

"The Active Directory object could not be displayed."

"Unable to view attribute or value. You may not have permissions to view this object."

Cause:

Open the user account's Properties -> Security tab -> Advanced.

In the access control list you can see Deny permissions for SELF and Everyone.

An explicit Deny is evaluated before any Allow, so a Deny for Everyone blocks every account, administrators included, from reading the object's attributes; that is why the console renders it as unknown. The object's owner (typically Domain Admins) keeps the implicit right to read and change the permissions, which is why the Security tab can still be edited.

I do not know how these entries were added; it may have been done by a script or by another administrator.

Resolution:

Open the user account's Properties -> Security tab -> Advanced.

In the access control list, select the Deny entries for SELF and Everyone, remove them and click OK.

Leave in place a Deny entry for Everyone that covers only Delete and Delete subtree: that is what "Protect object from accidental deletion" adds, and it does not affect reading the object. The problem entries are the ones that deny Read or Full control.

Now the issue is fixed.
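The same clean-up in PowerShell, as an added example that is not part of the original post: it lists the explicit Deny entries for Everyone and NT AUTHORITY\SELF on one object, removes only those that deny read access, and leaves the accidental-deletion guard alone. It assumes the ActiveDirectory module with its AD: drive is available; the distinguished name is a placeholder for the affected account.

```powershell
# Added example, not from the original post. Remove Deny-Read ACEs for Everyone
# and SELF from a user object that shows as "unknown" in the console.
# Assumptions: ActiveDirectory module (AD: drive) loaded, run as an account that
# owns the object or is otherwise allowed to write its DACL; DN is a placeholder.
Import-Module ActiveDirectory

# Use the DN directly: with Deny Read on Everyone, a search by sAMAccountName can
# fail for the very reason the console shows the object as unknown.
$dn   = 'CN=Jane Doe,OU=Staff,DC=contoso,DC=com'   # placeholder
$path = "AD:\$dn"
$acl  = Get-Acl -Path $path

# GenericRead = ReadProperty | ListChildren | ListObject | ReadControl
$readMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

$offending = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    -not $_.IsInherited -and
    (@('Everyone', 'NT AUTHORITY\SELF') -contains $_.IdentityReference.Value) -and
    # Deny Delete/DeleteTree for Everyone is "protect from accidental deletion": keep it
    ([int]($_.ActiveDirectoryRights -band $readMask) -ne 0)
}

if (-not $offending) {
    Write-Host "No explicit Deny-Read entries for Everyone or SELF on $dn"
    return
}

# Review what will be removed before touching the DACL
$offending |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize

# Remove the reviewed entries and write the security descriptor back
foreach ($ace in $offending) {
    [void]$acl.RemoveAccessRule($ace)
}
Set-Acl -Path $path -AclObject $acl

# Confirm the object's attributes are readable again
Get-ADObject -Identity $dn -Properties sAMAccountName |
    Select-Object Name, ObjectClass, sAMAccountName
```

Run it once without the `Set-Acl` line first if you want to see the entries before committing the change; inherited Deny entries are deliberately skipped, because those have to be fixed on the parent container rather than on the user.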


Posted in Active Directory

Excellent quotes by Warren Buffett

Posted by Premkumar Yogeswaran on April 30, 2012


On Earning: "Never depend on a single income. Make investments to create a second source."

On Spending: "If you buy things you do not need, soon you will have to sell things you need."

On Savings: "Do not save what is left after spending, but spend what is left after saving."

On Taking Risk: "Never test the depth of a river with both feet."

On Investment: "Do not put all your eggs in one basket."

On Expectations: "Honesty is a very expensive gift. Do not expect it from cheap people."

Posted in Active Directory

Domain and Forest Trusts Technical Reference

Posted by Premkumar Yogeswaran on April 23, 2012


  • What Are Domain and Forest Trusts?
  • How Domain and Forest Trusts Work
  • Domain and Forest Trust Tools and Settings
  • Security Considerations for Trusts

http://technet.microsoft.com/en-us/library/cc738955%28v=ws.10%29.aspx

Posted in Active Directory

Group Policy Search

Posted by Premkumar Yogeswaran on April 23, 2012


If you are ever wanting to find out specific information on Group Policy settings, http://gps.cloudapp.net/ makes a great resource!

Posted in Active Directory, Group Policy

How to create an external trust between two separate domains/forests

Posted by Premkumar Yogeswaran on April 17, 2012


A trust is a relationship established between domains that enables users in one domain to be authenticated by a domain controller in the other domain. There are different types of trust: external, realm, forest and shortcut. In this article I am going to talk about external trusts. The same steps apply on Windows 2003 and Windows 2008. An external trust is a non-transitive trust between two domains in different forests; it is needed when users from two separate domains want to access resources such as printers and file servers across the domain boundary. There are a few requirements to fulfil first.

Both domain controllers must be able to ping each other's IP address. If they sit in different subnets, proper routing is required, and any firewall between them must pass the RPC, Kerberos, LDAP and SMB traffic a trust uses.

Each DNS server must be able to resolve names in the other domain (for example, bollywood.com names must be resolvable from desibaba.com and vice versa). Manually adding the other domain's DC records works for a lab; in production, a conditional forwarder or a secondary/stub zone for the other domain is the cleaner way to achieve the same thing.

Each DC must resolve the other DC's FQDN (for example, dns1.bollywood.com must be resolvable from dc1.desibaba.com and vice versa).

Now dc1 should be able to ping dns1 by name and FQDN, and you are ready to create the external trust. If you still cannot ping by FQDN, add the IP address of the PDC of forest A as the alternate DNS server in the TCP/IP properties of the PDC of forest B, and vice versa; after that, resolution by FQDN will work.

One-way trust between two DCs. In the example below, the trust is created as incoming on dns1 (bollywood.com) and outgoing on dc1 (desibaba.com). That means desibaba.com trusts bollywood.com: users from bollywood.com can be authenticated in desibaba.com and access its resources, while desibaba.com users get no access in bollywood.com. The direction of the trust is the opposite of the direction of access, which is the most common source of confusion with one-way trusts.

Creating the incoming trust on dns1 (bollywood.com)

1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: incoming, and then click Next.

7. On the Sides of Trust page, click This domain only, and then click Next.

8. On the Trust Password page, type the trust password twice, and then click Next.

With the administrator of the other domain, agree on a secure channel password to be used in establishing the trust.

9. On the Trust Selections Complete page, review the results, and then click Next.

10. On the Trust Creation Complete page, review the results, and then click Next.

11. On the Confirm Incoming Trust page, do one of the following:

· If you do not want to confirm this trust, click No, do not confirm the incoming trust.

· If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.

12. On the Completing the New Trust Wizard page, click Finish.

Creating the outgoing trust on dc1 (desibaba.com)

1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: outgoing, and then click Next.

7. On the Sides of Trust page, click This domain only, and then click Next.

8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next:

· Click Domain-wide authentication. Every user in the trusted domain can then authenticate to every server in this domain (they become members of Authenticated Users here).

· Click Selective authentication. Users from the trusted domain can only reach computers on which you explicitly grant them the "Allowed to Authenticate" permission; this is the safer choice for an external trust to a domain you do not administer.

9. On the Trust Password page, type the trust password twice, and then click Next.

10. On the Trust Selections Complete page, review the results, and then click Next.

11. On the Trust Creation Complete page, review the results, and then click Next.

12. On the Confirm Outgoing Trust page, do one of the following:

· If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.

· If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.

13. On the Completing the New Trust Wizard page, click Finish.

Note: if both sides need access to each other's resources, set the trust to two-way, so that each domain has both an incoming and an outgoing trust with the other.
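A verification script for the procedure above, as an added example that is not part of the original post. Run on a DC of the trusting domain (dc1 in desibaba.com, using the post's own names) after both wizards have finished: it checks the prerequisites listed earlier (name resolution and reachability of the other DC), then reads the trust from the directory, verifies the secure channel, and reports two security settings the wizard does not make obvious, SID filtering and selective authentication. The TCP port list is an assumption of the services a trust needs to reach; UDP 88/389 are also used but are not probed here.

```powershell
# Added example, not from the original post. Verify prerequisites and the
# resulting external trust from the trusting (resource) domain.
# Assumptions: run on dc1.desibaba.com; dns1.bollywood.com is the trusted
# domain's DC (names from the post); port list is an assumption.
Add-Type -AssemblyName System.DirectoryServices

$remoteDc      = 'dns1.bollywood.com'
$trustedDomain = 'bollywood.com'

# 1. Name resolution: the other DC must resolve by FQDN from here
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($remoteDc) | ForEach-Object { $_.IPAddressToString }
    Write-Host "$remoteDc resolves to $($addrs -join ', ')"
} catch {
    Write-Warning "$remoteDc does not resolve: $($_.Exception.Message). Fix DNS (conditional forwarder or secondary zone) before creating the trust."
    return
}

# 2. Reachability of the TCP ports a trust depends on (assumed list)
$ports = @{ 135 = 'RPC endpoint mapper'; 88 = 'Kerberos'; 389 = 'LDAP'; 445 = 'SMB'; 464 = 'Kerberos kpasswd' }
foreach ($port in $ports.Keys) {
    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($remoteDc, $port, $null, $null)
    $ok     = $async.AsyncWaitHandle.WaitOne(2000, $false) -and $client.Connected
    $client.Close()
    Write-Host ("{0,5} TCP ({1}): {2}" -f $port, $ports[$port], $(if ($ok) { 'open' } else { 'BLOCKED' }))
}

# 3. The trust as stored in this domain
$thisDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$trust = $thisDomain.GetTrustRelationship($trustedDomain)
Write-Host ("{0} -> {1}: type={2} direction={3}" -f $trust.SourceName, $trust.TargetName, $trust.TrustType, $trust.TrustDirection)

# Seen from the trusting domain the trust must be Outbound: accounts from
# bollywood.com are accepted here. Inbound would mean the opposite.
if ($trust.TrustDirection -eq 'Inbound') {
    Write-Warning "Trust is inbound only: our users would be authenticated in $trustedDomain, not the other way round."
}
if ($trust.TrustType -ne 'External') {
    Write-Warning "Trust type is $($trust.TrustType), not External."
}

# 4. Secure channel check (what "Yes, confirm the outgoing trust" does in the wizard)
$thisDomain.VerifyOutboundTrustRelationship($trustedDomain)
Write-Host 'Outbound secure channel verified.'

# 5. Security settings. SID filtering (quarantine) is on by default for external
#    trusts and stops the trusted domain from injecting SIDs of our domain into
#    tokens; it should stay enabled. Selective authentication reflects step 8.
Write-Host ("SID filtering enabled    : {0}" -f $thisDomain.GetSidFilteringStatus($trustedDomain))
Write-Host ("Selective authentication : {0}" -f $thisDomain.GetSelectiveAuthenticationStatus($trustedDomain))
```

If `VerifyOutboundTrustRelationship` throws, the trust password or the secure channel is broken; resetting the trust from Active Directory Domains and Trusts (Properties -> Validate) or recreating it with the same password on both sides fixes that. A `False` for SID filtering on an external trust is worth investigating, since someone must have disabled it explicitly.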

Refer the below Link:

http://araihan.wordpress.com/2009/08/05/how-to-create-an-external-trust-between-two-domains/

Posted in Active Directory, DNS

How to migrate Windows 2003 Active Directory to Windows 2008 Active Directory–Step by Step guide

Posted by Premkumar Yogeswaran on April 17, 2012


Windows Server 2008 is the newest member of Microsoft's server family. The Windows Server 2008 operating system eases the work of IT administrators and of enterprise IT planners and designers. Windows 2008 Active Directory brings improved roles, AD Domain Services, AD Federation Services, AD Rights Management Services, compliance features and a Best Practices Analyzer. It is time to move to Windows 2008 Active Directory. In this article I will show how to migrate from Windows 2003 AD to Windows 2008 AD.

On the Windows Server 2003 DC, insert the Windows Server 2008 DVD, open a command prompt and change to the D:\sources\adprep directory (D: is my DVD drive; adjust for yours). Note: adprep /forestprep must be run on the schema master by an account that is a member of Schema Admins, Enterprise Admins and Domain Admins of the forest root domain; adprep /domainprep is run on the infrastructure master of each domain by a Domain Admin of that domain. Take a system state backup of the schema master first, because forestprep extends the schema and cannot be undone.

Now run the following command: adprep /forestprep

After forestprep finishes, run: adprep /domainprep

adprep /rodcprep (optional; only needed if you plan to deploy read-only domain controllers)

Install Windows 2008 Server and promote it as an additional domain controller in the Windows 2003 forest.

This is a trial version of Windows 2008, so I do not see any need to enter a product key for this article. If you have a proper key, enter it here.

Windows 2008 will ask you to set the Administrator password at first logon. Note: password complexity is enabled by default.

The Windows 2008 machine is now installed. Log on as an administrator, add the Active Directory Domain Services role in Server Manager and run dcpromo. In the wizard choose "Existing forest" and then "Add a domain controller to an existing domain".

Enter your existing domain name and provide Domain Admin credentials to join this server to the domain.

A Directory Services Restore Mode (DSRM) password is required; you will need it if you ever have to restore AD from backup.

Now restart the Windows 2008 server. It takes a few minutes to replicate all AD containers, objects and DNS records. I prefer to wait a few hours and check that all records are present in the Windows 2008 directory, or you can force replication (repadmin /syncall) if necessary.

Now transfer all the FSMO roles from the Windows 2003 DC to the Windows 2008 DC. Log on to the Windows 2003 DC as Enterprise Admin (Schema Admins membership is also required to move the schema master), open a command prompt and type the following:

ntdsutil

roles

connections

connect to server WIN2008SERVERNAME

q

Transfer domain naming master

Transfer PDC

Transfer Schema Master

Transfer RID master

Transfer infrastructure master

Now you are ready to demote the Windows 2003 DC. Before you do, make sure the Windows 2008 DC is already a global catalog (AD Sites and Services -> its NTDS Settings -> Global Catalog checked) and that clients, DHCP scopes and member servers no longer use the old DC as their DNS server. Then log on to the Windows 2003 DC as Domain Admin, open AD Sites and Services from Administrative Tools, expand Default-First-Site-Name, expand the Windows 2003 DC, right-click NTDS Settings, choose Properties, uncheck Global Catalog and click OK.

Open Run from the Start menu and type dcpromo.

LEAVE THE "This server is the last domain controller in the domain" BOX UNCHECKED. Unchecked, dcpromo demotes only this server and the domain continues to exist on the Windows 2008 DC; checking it would remove the domain itself.

Click Next, provide the password and follow the remaining prompts; wait until the demotion completes, then restart. That's all.
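A pre-demotion check for the procedure above, as an added example that is not part of the original post. Run it on the new Windows Server 2008 DC after the ntdsutil transfers: using the .NET directory APIs that ship with Server 2008 (no ActiveDirectory module needed), it confirms that every FSMO role now sits on the new DC, that the new DC is a global catalog, and that it reports no inbound replication connection failures. The DC name is a placeholder.

```powershell
# Added example, not from the original post. Confirm FSMO ownership, GC status
# and replication health before demoting the Windows 2003 DC.
# Assumption: run on the 2008 DC; $newDc is a placeholder FQDN.
Add-Type -AssemblyName System.DirectoryServices

$newDc = 'WIN2008SERVERNAME.contoso.com'   # placeholder

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Forest-wide roles come from Forest, domain roles from Domain
$roles = @{
    'Schema master'         = $forest.SchemaRoleOwner.Name
    'Domain naming master'  = $forest.NamingRoleOwner.Name
    'PDC emulator'          = $domain.PdcRoleOwner.Name
    'RID master'            = $domain.RidRoleOwner.Name
    'Infrastructure master' = $domain.InfrastructureRoleOwner.Name
}

$problems = 0
foreach ($role in $roles.Keys) {
    $owner = $roles[$role]
    $ok = $owner -ieq $newDc
    if (-not $ok) { $problems++ }
    Write-Host ("{0,-22} {1,-35} {2}" -f $role, $owner, $(if ($ok) { 'OK' } else { 'STILL ON OLD DC' }))
}

# The 2008 DC must be a GC before the GC flag is removed from the 2003 DC
$gcNames = $forest.GlobalCatalogs | ForEach-Object { $_.Name }
if ($gcNames -contains $newDc) {
    Write-Host "$newDc is a global catalog"
} else {
    $problems++
    Write-Warning "$newDc is NOT a global catalog; enable it in AD Sites and Services (NTDS Settings) first"
}

# Inbound replication health of the new DC
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $newDc)
$dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
$failures = $dc.GetReplicationConnectionFailures()
if ($failures.Count -gt 0) {
    $problems++
    foreach ($f in $failures) {
        Write-Warning ("Replication failure from {0}: {1} (x{2})" -f $f.SourceServer, $f.LastErrorMessage, $f.ConsecutiveFailureCount)
    }
} else {
    Write-Host 'No replication connection failures reported'
}

if ($problems -eq 0) {
    Write-Host 'All checks passed: safe to demote the Windows 2003 DC'
} else {
    Write-Warning "$problems check(s) failed: do not run dcpromo on the 2003 DC yet"
}
```

`netdom query fsmo` and `repadmin /showrepl` give the same information interactively; the script form is handy when you want the checks repeated after each role transfer.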

Refer Below Link:

http://araihan.wordpress.com/2009/08/25/migrate-from-windows-2003-active-directory-to-windows-2008-active-directory-step-by-step/

Posted in Active Directory, DNS

DHCP console icons reference

Posted by Premkumar Yogeswaran on April 16, 2012


Please find the DHCP console icons reference below.

Posted in DHCP

Exchange Server Version and Features

Posted by Premkumar Yogeswaran on April 13, 2012


Exchange Server Version and Features
Feature | Exchange 2003 | Exchange 2007 | Exchange 2010
64-Bit Architecture | No | Yes | Yes
Administrative Groups | Yes | No – uses Universal Security Groups | No – uses Universal Security Groups
Anti-Spam agents on Hub Transport and Edge Transport roles | No | Yes | Yes
Calendar Repair Assistant | No | No | Yes
Cluster Continuous Replication (CCR) | No | Yes | No – use DAG and mailbox database copies
Clustered Mailbox Server | Yes | Yes (improved) | No – use DAG and mailbox database copies
Continuous Background Online Defragmentation | No | No | Yes
Database Availability Groups (DAG) | No | No | Yes
Disclaimers | No | Yes | Yes (improved)
End-user end-to-end message tracking | No | No | Yes
Event Service | Yes | No | No
Exchange Certificate wizards | No | No | Yes
Exchange extensions in Active Directory Users and Computers | Yes | No | No
Exchange Installable File System (ExIFS) | Yes | No | No
Exchange Management Shell | No | Yes | Yes
Exchange Management Shell Command Log | No | No | Yes
Federated Sharing | No | No – requires at least one Exchange 2010 CAS in the org | Yes
Incremental Deployment | No | No | Yes
Incremental Resync | No | No | Yes
Intelligent Message Filter | Yes | No – replaced by Content Filter agent | No – replaced by Content Filter agent
iSCSI support | No | Yes | Yes
Larger and Sequential I/O | No | No | Yes
Larger Page Size (32 KB) | No | No | Yes
Legal Hold | No | No | Yes
Link State Routing | Yes | No | No
Local Continuous Replication (LCR) | No | Yes | No
Mailbox Database Copies | No | No | Yes
Mailbox Folder Permissions Management | No | No | Yes
Mailbox Management Service | Yes | No – use Messaging Records Management | No – use MRM or Retention Policies
Mailbox Merge Wizard (Exmerge.exe) | Yes | No (not tested/supported by the Exchange team) | No (not tested/supported by the Exchange team)
Mailbox Recovery Center | Yes | Use Exchange Server Disaster Recovery Analyzer | Use Exchange Server Disaster Recovery Analyzer
MailTips | No | No | Yes
Message Tracking Center | Yes | Use Exchange Server Mail Flow Analyzer | Use Exchange Server Mail Flow Analyzer
Messaging Records Management | No | Yes | Yes
Moderated Distribution Groups | No | No | Yes
Moderated Transport | No | No | Yes
Monitoring and Status node | Yes | No | No
Multi-Mailbox Search | No | No | Yes
Network-Attached Storage | Yes | No | No
NNTP | Yes | No | No
Online Background Database Scanning (checksumming) | No | No | Yes
Online Move Mailbox | No | No | Yes
Optimize for Commodity Storage (SATA) | No | No | Yes
Personal Archive | No | No | Yes
Property Dialog Command Exposure | No | No | Yes
Public folder access using IMAP4 | Yes | No | No
Public folder access using NNTP | Yes | No | No
Recipient Update Service (RUS) | Yes | No – replaced by E-mail Address Policies | No – replaced by E-mail Address Policies
Recovery Storage Group | Yes | Yes | No – use Recovery Database
Role Based Access Control | No | No | Yes
Routing Group based mail flow | Yes | No – uses Active Directory site-based routing | No – uses Active Directory site-based routing
Routing Objects | Yes | No | No
Send mail to recipients from Exchange Management Console | No | No | Yes
Shadow Redundancy | No | No | Yes
Standby Continuous Replication (SCR) | No | Yes | No – use DAG and mailbox database copies
Storage Groups | Yes | Yes | No
Transport Rules | No | Yes | Yes (improved)
Transport Rules integration with AD RMS | No | No | Yes
IOPS required per user | 0.4 IOPS | 0.3 IOPS | 0.1 IOPS

Refer: http://social.technet.microsoft.com/wiki/contents/articles/exchange-server-version-and-features.aspx

Posted in Exchange Server

DCDIAG – Advertising DC in Domain error

Posted by Premkumar Yogeswaran on April 4, 2012


Below is the dcdiag output from a DC that is not advertising as a time server, followed by the resolution.

C:\>dcdiag /test:Advertising

Domain Controller Diagnosis

Performing initial setup:

Done gathering initial info.

Doing initial required tests

Testing server: APAC-SITE\DC1

Starting test: Connectivity

……………………. DC1 passed test Connectivity

Doing primary tests

Testing server: APAC-SITE\DC1

Starting test: Advertising

Warning: DC1 is not advertising as a time server.

……………………. DC1 failed test Advertising

Resolution:

Try each of these solutions one step at a time, re-running dcdiag /test:Advertising after each step until the problem is resolved.

  1. Ensure the Windows Time service is running. On a DC it is part of the core AD functionality and should be running even if synchronised time is not essential:

net start w32time

  2. Restart the Windows Time service:

net stop w32time && net start w32time

  3. Check that network problems are not stopping NTP from functioning. Domain members synchronise with DCs through the domain time hierarchy; this command only tests the DC's own ability to reach an external time source over UDP port 123:

w32tm /stripchart /computer:time.windows.com /samples:2 /dataonly

Error 0x800705B4 is a network timeout on port 123. Replace time.windows.com with the external time server you actually use for a more complete test.

Try:

netdiag /fix

Netdiag is part of the Windows Server 2003 Service Pack 1 Support Tools. This can also be used on Server 2008.

  4. If you received the error message "The service name is invalid" earlier, the Windows Time service is not even registered. Re-registering the W32Time service can also fix other issues, so perform the steps under "Re-registering the Windows Time Service" below anyway.

  5. Try:

w32tm /resync /rediscover

  6. Check whether this DC holds the PDC emulator role:

netdom query fsmo

If it does, run the following command so that the PDC emulator takes its time from an external source and advertises itself as a reliable time server:

w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update

Microsoft's own free NTP server can be used as shown here, but I would recommend using one in your country if you are not in the US. For the UK I can recommend ntp2d.mcc.ac.uk, but there are many others.

  7. Ensure that the DC is announcing itself correctly by checking the AnnounceFlags value in the registry. Edit [HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags] and set it to a (the letter a, hexadecimal; 0xA = 10 is the default, which lets the DC announce itself as a time server automatically). Then make the w32time service read the configuration change:

w32tm /config /update

Re-registering the Windows Time Service

w32tm /unregister
rem Ignore Access denied message if it appears and repeat
w32tm /unregister
w32tm /register
rem Before the re-register command will work you may have to reboot.

This gives a vanilla set of settings, after which the service can be started:

net start w32time

If you receive an error message regarding SIDs, the DC will need to be rebooted again.
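A read-only check that collects, in one pass, the facts the steps above gather by hand, as an added example that is not part of the original post. Run it on the DC that dcdiag flagged: it reports the W32Time service state, whether this DC is the PDC emulator, and the Type, NtpServer and AnnounceFlags values from the W32Time registry keys, then warns about the combinations that stop a DC from advertising. The interpretation of AnnounceFlags bits and Type values follows the Windows Time service documentation; nothing is changed by the script.

```powershell
# Added example, not from the original post. Report-only check of the Windows
# Time configuration on a domain controller. Assumption: run locally on the DC
# with rights to read the W32Time registry keys.
Add-Type -AssemblyName System.DirectoryServices

# 1. Service state (step 1 and step 4 above)
$svc = Get-Service -Name W32Time -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'W32Time service is not registered: run "w32tm /register" and then "net start w32time"'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning ("W32Time is {0}: run 'net start w32time'" -f $svc.Status)
} else {
    Write-Host 'W32Time service is running'
}

# 2. Is this DC the PDC emulator? (step 6; same answer as "netdom query fsmo")
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$isPdc  = $domain.PdcRoleOwner.Name.Split('.')[0] -ieq $env:COMPUTERNAME
Write-Host ("This DC holds the PDC emulator role: {0}" -f $isPdc)

# 3. Registry configuration (step 7)
$cfg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$prm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
Write-Host ("Type          : {0}" -f $prm.Type)
Write-Host ("NtpServer     : {0}" -f $prm.NtpServer)
Write-Host ("AnnounceFlags : 0x{0:X}" -f $cfg.AnnounceFlags)

# AnnounceFlags bits: 0x1 always announce as time server, 0x2 announce automatically,
# 0x4 always announce as reliable, 0x8 announce as reliable automatically. Default 0xA.
if (($cfg.AnnounceFlags -band 0x3) -eq 0) {
    Write-Warning 'AnnounceFlags has neither 0x1 nor 0x2 set: this DC will never advertise as a time server'
}

if ($isPdc) {
    # The PDC emulator is the top of the domain time hierarchy: it should take time
    # from an external source (Type=NTP) and announce itself as reliable.
    if ($prm.Type -ne 'NTP') {
        Write-Warning 'PDC emulator should use Type=NTP with an external peer: w32tm /config /manualpeerlist:<server> /syncfromflags:manual /reliable:yes /update'
    }
    if (($cfg.AnnounceFlags -band 0xC) -eq 0) {
        Write-Warning 'PDC emulator is not flagged as a reliable time source (neither 0x4 nor 0x8 set in AnnounceFlags)'
    }
} elseif ($prm.Type -ne 'NT5DS') {
    # Every other DC should follow the domain hierarchy rather than its own peer list
    Write-Warning 'Non-PDC domain controller should use Type=NT5DS (domain hierarchy)'
}
```

If the script shows Type=NT5DS on the PDC emulator with no external peer, the whole domain is free-running on that DC's hardware clock; fix it with the `w32tm /config ... /reliable:yes` command from step 6 and re-run `dcdiag /test:Advertising`.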

Posted in Active Directory

Active Directory components process screenshot

Posted by Premkumar Yogeswaran on April 2, 2012


Posted in Active Directory