Windows 2008 : Export Event Log Using wevtutil

Use the following command to quickly export the SYSTEM event log from your server (it can also be used in a scheduled task to archive event logs):

wevtutil epl SYSTEM C:\SystemLog.evtx

To export the APPLICATION event log use the command:

wevtutil epl APPLICATION C:\ApplicationLog.evtx
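
A scheduled-task version of the export above, written as an added example (not part of the original post): it archives each log under a timestamped name and records a SHA-256 hash so later changes to an archive can be detected. The archive folder, the manifest file name and the list of logs are assumptions; run it elevated, since exporting the Security log requires administrative rights.

```powershell
# Added example, not from the original post. Assumed values: $ArchiveDir, $Logs, manifest.csv.
$ArchiveDir = 'D:\EventLogArchive'   # assumption: a folder writable only by administrators
$Logs       = 'System', 'Application', 'Security'
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$Manifest   = Join-Path $ArchiveDir 'manifest.csv'

if (-not (Test-Path $ArchiveDir)) {
    New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
}

function Get-Sha256Hex([string]$Path) {
    # Uses .NET directly so the script also runs on PowerShell 2.0 (no Get-FileHash there)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { return ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

$failed = 0
foreach ($log in $Logs) {
    $target = Join-Path $ArchiveDir ("{0}-{1}-{2}.evtx" -f $env:COMPUTERNAME, $log, $Stamp)

    # epl refuses to overwrite an existing file unless /ow:true is given;
    # timestamped names keep every archive and avoid that failure.
    & wevtutil.exe epl $log $target
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $target)) {
        Write-Warning "Export of '$log' failed (wevtutil exit code $LASTEXITCODE)"
        $failed++
        continue
    }

    # Record the hash at export time so the archive can be verified later.
    $line = '"{0}","{1}","{2}"' -f (Get-Date -Format s), $target, (Get-Sha256Hex $target)
    Add-Content -Path $Manifest -Value $line
}

exit $failed   # a non-zero exit code marks the scheduled task run as failed
```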

Windows 2008 : Renaming the Local Administrator Account

Recently I was looking into an issue where a Group Policy Preferences setting to rename the administrator (built-in) account was generating the following error message:

Log Name:      Application
Source:        Group Policy Local Users and Groups
Date:          13/02/2012 11:23:34
Event ID:      4098

Description:
The computer ‘Administrator (built-in)’ preference item in the ‘Member_Server_Policy {AF5D1786-0EBF-4C78-BEAA-581F35735016}’ Group Policy object did not apply because it failed with error code ‘0x80070524 The specified account already exists.’ This error was suppressed.

After some initial troubleshooting I opted to modify the way the rename policy was set up by using a more traditional method for changing the administrator user account name.

Open Group Policy Object Editor for the policy you want to use to rename the Administrator account, click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click Security Options. Change the setting titled ‘Accounts: Rename administrator account.’

AD DS : Sysvol Replication Optimisations (DFSR and Central Store)

You may not be aware that new functionality is built in to Windows 2008 and Windows 2008 R2 that can help optimise SYSVOL replication in your environment. These technologies are DFSR replication and the PolicyDefinitions Central Store.

Implementing the PolicyDefinitions Central Store

This change is a simple quick win. To implement it, follow these steps:

  1. Create a PolicyDefinitions folder under \\<domain_controller_fqdn>\SYSVOL\<domain_fqdn>\Policies (for example \\DC1.domain.local\SYSVOL\domain.local\Policies\PolicyDefinitions)
  2. Copy the contents of C:\Windows\PolicyDefinitions to this new folder
  3. Verify the Central Store is now in use: in a Group Policy editor window, select the Administrative Templates tree. You should see “Administrative Templates: Policy definitions (ADMX files) retrieved from the central store.”

Implementing DFSR Replication

  1. Check SYSVOL status on all Domain Controllers by checking the value of the following registry key: Reg Query HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /s (SysvolReady should be set to ‘1’)
  2. Check that Domain Controllers are replicating properly: repadmin /showreps and repadmin /replsum
  3. From the PDC FSMO role holder execute: dfsrmig /SetGlobalState 1
  4. Wait for all domain controllers to report they have reached the ‘PREPARED’ state: dfsrmig /getMigrationState
  5. Again, check replication: repadmin /showreps and repadmin /replsum
  6. From the PDC FSMO role holder execute: dfsrmig /setGlobalState 2
  7. Wait for all domain controllers to report they have reached the ‘REDIRECTED’ state: dfsrmig /getMigrationState
  8. Again, check replication: repadmin /showreps and repadmin /replsum
  9. From the PDC FSMO role holder execute: dfsrmig /setGlobalState 3 (NOTE: from this point on you can’t roll back this change)
  10. Wait for all domain controllers to report they have reached the ‘ELIMINATED’ state: dfsrmig /getMigrationState

More information about the process is available here: http://technet.microsoft.com/en-us/library/dd640019(v=ws.10).aspx

Exchange 2010 : Useful Logs

The following logs on Exchange 2010 CAS/HT and Mailbox Servers (the logs present vary by role) are available to aid troubleshooting:

C:\Program Files\Microsoft\Exchange Server\V14\Logging\AddressBook Service\AddressBook*
C:\Program Files\Microsoft\Exchange Server\V14\Logging\Imap4\IMAP4*
C:\Program Files\Microsoft\Exchange Server\V14\Logging\Pop3\POP3*
C:\Program Files\Microsoft\Exchange Server\V14\Logging\RPC Client Access\RCA*
C:\inetpub\logs\LogFiles\W3SVC1\u_ex*