Awinish's Technical Blog

Lets continue the journey of learning & Share.!!

Archive for February, 2011

Awarded MS Community Contributor 2011

Posted by Awinish on February 26, 2011


Thank you Microsoft & all for your motivation & support.

Dear Awinish,

Congratulations! We’re pleased to inform you that your contributions to Microsoft online technical communities have been recognized with the Microsoft Community Contributor Award.

The Microsoft Community Contributor Award is reserved for participants who have made notable contributions in Microsoft online community forums such as TechNet, MSDN and Answers. The value of these resources is greatly enhanced by participants like you, who voluntarily contribute your time and energy to improve the online community experience for others.

Becoming a Microsoft Community Contributor Award recipient includes access to important benefits, such as complimentary resources to support you in your commitment to Microsoft online communities. To find out more about the Microsoft Community Contributor Award and to claim your recognition, please visit this site: http://www.microsoftcommunitycontributor.com/

 

 

Advertisements

Posted in Exchange | 2 Comments »

Impact of Cloning and Virtualization on Active Directory Domain Services

Posted by Awinish on February 16, 2011


The best AD seminar on TechEd, fundamental concepts within Active Directory and the impact of cloning & virtualization upon domain controllers, domain members and Windows in general. Dean Wells (Program Manager in MS)also discuss how to best leverage virtualization, and how to both mitigate problems and to avoid occurrences in the first place.

The below session is been presented by Dean Wells, Sr. Program Manager in Microsoft.

http://www.msteched.com/2010/Europe/SIA320

 

Posted in Directory Services | Tagged: , | Leave a Comment »

Password Filter

Posted by Awinish on February 14, 2011


Do you know password filter, if not take a look.

http://msdn.microsoft.com/en-us/library/ms721766%28v=vs.85%29.aspx

 

Posted in Directory Services | Tagged: | Leave a Comment »

How do I restore security settings back to default.

Posted by Awinish on February 11, 2011


Few times, it is mandatory to reset the security permission on the all the files & folder after messing around with ACL or with GPO to set an ACL, restraining users from making any changes. Even though machine is disjoint from the domain, but same settings of ACL still remain & we get access denied while doing the changes or creating installation.

I would recommend taking backup of the system, prior to doing reset of security settings,so in case things don’t go as expected, making it more troublesome than easy, system state backup is always handy.

Take a look at below KB, which applies almost all the version of windows except all versions of 2000 & below.

http://support.microsoft.com/kb/313222

 

Posted in OS/Certificates | Tagged: , | Leave a Comment »

Migrating FRS to DFSR

Posted by Awinish on February 10, 2011


Due to numerous benefits of DFSR over FRS, its time to move to DFSR, considering the acurate steps are followed else things can become awry to your environment.

The issue with FRS was like Journal wrap error, blotting, inconsistent change notification etc, where as these issues has been fixed & greatly improved into DFSR. You can find more justification and benefits moving from FRS to DFSR in the below link.

The Case for Migrating SYSVOL to DFSR

http://blogs.technet.com/b/askds/archive/2010/04/22/the-case-for-migrating-sysvol-to-dfsr.aspx

DFSR can only be implemented when DFL is at 2008, FFL can be windows 2003, but the domain which should use DFSR required all the dc in 2008.

Follow the link below to perform migration of the FRS to DFSR.

http://blogs.technet.com/b/filecab/archive/2008/02/08/sysvol-migration-series-part-1-introduction-to-the-sysvol-migration-process.aspx

 

Posted in Directory Services | Tagged: | Leave a Comment »

Windows 7/2008 R2 SP1 is on the way.

Posted by Awinish on February 9, 2011


Windows Server 2008 R2 and Windows 7 SP1 is on the way & it is known that all the testing of bugs has been completed.

TechNet/MSDN customers get access to the download on Feb 16th. For others the date is set to be 22nd Feb not far.

Take a look at the enhancements in SP1.

http://www.aidanfinn.com/?p=10740

 

Posted in OS/Certificates | Tagged: , | Leave a Comment »

Restructuring Active Directory Domains Between Forests

Posted by Awinish on February 9, 2011


When a company is acquired by another company or the two gets  merged, then two different business units come together to function. After acquiring the company, your boss asks  to rename the acquired infrastructure(Domain/Website etc.) according to the current company standard, but renaming the internal AD domain is not as easy as it looks. When number of in-house and 3rd party applications are involved, it is difficult to rename the AD domain according to your choice. Few more impossible  scenario exist where you can’t rename the  domain such as environment running Exchange 2007 and above or CA services. The viable approach is migrating complete environment using migration tools like ADMT/Quest/Netiq etc. which is safe and recommended approach. Migration is a complex process, but it is a better approach then  jeopardizing the whole environment by performing domain rename.

Domain rename is not a full proof option. After reading across various forum and posts, i found that people faced various issues or completely broken their environment after performing domain rename. So, whats next after domain rename disaster. The only option available to them is to recreate the new forest & start everything from scratch.

The best way to handle acquisitions or merger is to migrate everything from the newly acquired company to your own domain or in new forest. The chances of breakdown is less in comparison to the domain rename success rate. Migration itself is not easy, but careful planning & consultant can make it a better option.

Take a look at below guide from MS on Restructuring Active Directory Domains Between Forests.

http://technet.microsoft.com/en-us/library/mergers_acquisitions_active_directory_prune_and_graft_restructuring_support_limitations%28WS.10%29.aspx

http://download.microsoft.com/download/5/2/f/52f23d76-7d56-44d6-ad25-a95bf0be5516/14_CHAPTER_11_Restructuring_Active_Directory_Domains_Between_Forests.doc

 

Posted in Directory Services | Tagged: | Leave a Comment »

DNS Scavenging And Auditing concepts

Posted by Awinish on February 8, 2011


Scavenging is the important process for removal of stale records from DNS to keep it healthy & fit. Lot of people have doubts, whether it has to be enabled or not & find themselves in confused situation what is exactly scavenging & how it works.

I have seen a question, if i create a  static records(created a record manually) will the static record is also be eligible for scavenging, the answer is no. The reason is when you create a static record the box in front to Delete this record when it becomes stale is unchecked(shown in figure), which is not the case with automatic record creation process.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

When any machine is disjoint from domain, its record is not been deleted instantly, but the  dnsTombstoned attribute is changed to TRUE & it is deleted from the DNS server in-memory cache. The scavenging process starts at 2AM everyday & compares the dnsTombstoned value is set for deletion or not.

DNS Scavenging internals (or what is the dnsTombstoned attribute) for AD Integrated zones

http://blogs.technet.com/b/isrpfeplat/archive/2010/09/23/dns-scavenging-internals-or-what-is-the-dnstombstoned-attribute-for-ad-integrated-zones-dstombstoneinterval-dnstombstoned.aspx

Don’t be afraid of DNS Scavenging. Just be patient

http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

It Takes Two–DNS scavenging

http://blogs.technet.com/b/dougga/archive/2012/02/09/it-takes-two-dns-scavenging.aspx

How to enable auditing of records creation, modification or deletion in DNS?

The above reason will suffice, the dns records are not deleted immediately, but dnsTombstoned attribute is changed either True or False for later deletion. So, if you plan to join the system into domain which is immediately been removed, you need to delete the records manually along with manually deleting computer object from ADUC to join the system into domain or wait for few hours to be done.Take a look at below link to know more.

http://blogs.msdn.com/b/anthonw/archive/2006/08/23/715983.aspx

I wanted to point out this wonderful article explaining duplicate dns zones, well written by Greg. I was pointed to this article by Mike Kline.

Am I Seeing Double? The case of “Multiple copies of the same DNS zone”

http://blogs.technet.com/b/askpfeplat/archive/2012/02/05/am-i-seeing-double-the-case-of-quot-multiple-copies-of-the-same-dns-zone-quot.aspx

 

Posted in DNS/DHCP | Tagged: , , | Leave a Comment »

Exchange 2010 – Database Availability Group(DAG)

Posted by Awinish on February 6, 2011


Exchange 2010 offers HA using DAG(Database Availability Group). Configuring the DAG alone will not provide HA availability if its not supported by proper planning & design. The different DAG design have been discussed. Take a look at below link to know more. The network latency shouldn’t be more than 25 0ms. You can find more references in the below mentioned articles.

Database Availability Group Design Examples

http://technet.microsoft.com/en-us/library/dd979781%28printer%29.aspx

Exchange 2010 High Availability Misconceptions Addressed

http://blogs.technet.com/b/exchange/archive/2011/05/31/exchange-2010-high-availability-misconceptions-addressed.aspx

Exchange 2010 Notes from the Field – Multi-Site DAG Design

http://blogs.kraftkennedy.com/index.php/2010/09/07/exchange-2010-notes-from-the-field-multi-site-dag-design/

Understanding Database Availability Groups

http://technet.microsoft.com/en-us/library/dd979799.aspx

Step by Step Create a Database Availability Group (DAG)

http://blogs.technet.com/b/winde76/archive/2011/03/23/step-by-step-create-a-database-availability-group-dag.aspx

 

Posted in Exchange | Tagged: , | Leave a Comment »

Normal Domain Users Can Join default 10 machines to a domain

Posted by Awinish on February 6, 2011


By default, any domain users can add up to 10 machines to a domain, the reason is Every domain has a default setting for ms-DS-MachineAccountQuota value 10. You can modify this object in directory to prevent the domain user from joining the machine into domain by using ADSIedit tool to prevent this behavior.

WARNING Using Adsiedit incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Adsiedit can be solved. Use Adsiedit at your own risk.

  1. Install the Windows 2000/2003(2008/R2, adsiedit is pre-installed) Support tools if they have not already been installed. Run Setup.exe from the Support\Tools folder on the Windows 2000/2003 Server or Professional CD-ROM.
  2. Run Adsiedit.msc as an administrator of the domain. Expand the Domain NC node. This node contains an object that begins with “DC=” and reflects the correct domain name. Right-click this object and then click Properties.
  3. In the Select which properties to view box, click Both. In the Select a property to view box, click ms-DS-MachineAccountQuota.
  4. In the Edit Attribute box, type the number of workstations that you want users to be able to maintain concurrently.
  5. Click Set, and then click OK.

Once above steps are done, if user tried to add machine new machine into domain, he will encounter below error message.

Domain Error

Domain Error

Reference

Default limit to number of workstations a user can join to the domain

http://support.microsoft.com/kb/243327

 

Default limit to number of workstations a user can join to the domain

Posted in Directory Services, OS/Certificates | Tagged: | 4 Comments »