Categories
Windows Server 2003

Manual Windows Defender Update

If, like many, you have configured the Windows Firewall (or any other third-party firewall) to block all outgoing traffic, you will find that Windows Defender is unable to update unless you allow outbound port 80/443 (HTTP/HTTPS) for the executable svchost.exe. However, svchost.exe is a core Windows executable that hosts many services besides Windows Defender, so you may well wish to keep it blocked.

The solution, therefore, is to update your Windows Defender definitions manually using the following URLs:

The latest x86 / 32-bit Windows Defender updates are always available from this URL:

http://go.microsoft.com/fwlink/?linkid=70631

For x64 versions of Windows, use the following URL:

http://go.microsoft.com/fwlink/?linkid=70632

Finally, for the Itanium version of Windows, use the following URL:

http://go.microsoft.com/fwlink/?linkid=70633


VBScript; List AD Group Members

The script below lists all members of a particular group in AD.

The script should be called as follows from a command window: cscript.exe script_name.vbs > Group-Members.txt

This redirects the output into a text file in the same folder as the .vbs file.

'---------------------------- Begin Copy Here

Option Explicit
Dim objGroup, arrMembers, strUser, objUser, arrNames(), intSize
Dim i, j, strHolder, strName

intSize = 0

' Bind to the group whose membership we want to list (change the DN to suit)
Set objGroup = GetObject("LDAP://CN=Merchandising,OU=Security Groups,OU=UK,DC=mydom,DC=com")

' GetEx always returns an array, even for a single member; the plain .Member
' property returns a string in that case and For Each would fail on it.
' GetEx raises an error when the attribute is empty, so treat that as "no members".
On Error Resume Next
arrMembers = objGroup.GetEx("member")
If Err.Number <> 0 Then
    WScript.Echo "Group has no members"
    WScript.Quit
End If
On Error GoTo 0

' Collect the CN of each member into a dynamic array
For Each strUser In arrMembers
    Set objUser = GetObject("LDAP://" & strUser)
    ReDim Preserve arrNames(intSize)
    arrNames(intSize) = objUser.CN
    intSize = intSize + 1
Next

' Case-insensitive bubble sort of the collected names
For i = (UBound(arrNames) - 1) To 0 Step -1
    For j = 0 To i
        If UCase(arrNames(j)) > UCase(arrNames(j + 1)) Then
            strHolder = arrNames(j + 1)
            arrNames(j + 1) = arrNames(j)
            arrNames(j) = strHolder
        End If
    Next
Next

' One name per line; the caller redirects this to the text file
For Each strName In arrNames
    WScript.Echo strName
Next

'---------------------------- End Copy Here


Run Command Prompt as System / Computer Account

This simple but very useful trick is handy for testing Kerberos and machine-account permissions. From a command prompt, run the following command:

at 17:00 /interactive cmd

where 17:00 is the current time plus one minute. Wait a minute and a command prompt running as the SYSTEM account will pop up.


Ftp.exe – Netout: Connection reset by peer: FIX

When using the Windows XP Firewall, several of our users encountered the following error when using ftp.exe:

> Netout :Connection reset by peer Connection closed by remote host.

Initially we tried creating exceptions for this application, but this proved ineffective.

The solution was to increase the FTP buffer window using the following command:

ftp.exe -w:12288

This increases the FTP buffer from 4MB to 12MB; the FTP process is significantly faster and no longer drops out with the above error.


MSDTC Could Not Correctly Process a DC Promotion/Demotion Event: Fix

Event Type:    Warning
Event Source:    MSDTC
Event Category:    MSDTC Proxy
Event ID:    53258
Date:        19/11/2008
Time:        11:35:49
User:        N/A
Computer:    ESDC02
Description:
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:9351, Pid: 1252
No Callstack,
 CmdLine: C:\WINDOWS\system32\msdtc.exe

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 05 00 07 80               …?

Event Type:    Warning
Event Source:    MSDTC
Event Category:    SVC
Event ID:    53258
Date:        19/11/2008
Time:        11:35:49
User:        N/A
Computer:    ESDC02
Description:
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: %1

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

To resolve this issue, modify the permissions on the following registry key as detailed below:

HKLM\Software\Microsoft\MSDTC

Grant the Advanced Permissions ‘Set Value’ and ‘Create Subkey’ to the ‘NETWORK SERVICE’ account.
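The same change applied from an administrative PowerShell prompt, as an added example that is not part of the original post. It grants exactly the two rights named above and then reads the resulting ACEs back for confirmation; the function name and the ContainerInherit choice are this example's own.

```powershell
# Added example, not part of the original post: apply the fix above from an
# administrative PowerShell prompt by granting NETWORK SERVICE the 'Set Value'
# and 'Create Subkey' rights on HKLM\Software\Microsoft\MSDTC, then read the
# resulting ACEs back so the change can be confirmed (and audited later).
function Grant-MsdtcNetworkServiceRights {
    param([string]$SubKey = 'Software\Microsoft\MSDTC')

    $account = New-Object -TypeName System.Security.Principal.NTAccount `
                          -ArgumentList 'NT AUTHORITY', 'NETWORK SERVICE'
    # Exactly the two advanced permissions the post calls for, nothing broader
    $rights  = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey

    # Open the key with only the access needed to read and change its DACL
    $openRights = [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
                  [System.Security.AccessControl.RegistryRights]::ChangePermissions
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        $SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $openRights)
    if ($key -eq $null) { throw "Registry key HKLM\$SubKey was not found" }

    try {
        # ContainerInherit: subkeys MSDTC creates under this key receive the same rights
        $ruleArgs = @(
            $account, $rights,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow
        )
        $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
                           -ArgumentList $ruleArgs
        $acl = $key.GetAccessControl()
        $acl.AddAccessRule($rule)
        $key.SetAccessControl($acl)

        # Return the ACEs NETWORK SERVICE now holds on the key
        $key.GetAccessControl().GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
            Where-Object { $_.IdentityReference.Value -like '*NETWORK SERVICE' } |
            Select-Object IdentityReference, RegistryRights, AccessControlType, InheritanceFlags
    }
    finally {
        $key.Close()
    }
}

Grant-MsdtcNetworkServiceRights | Format-Table -AutoSize
```

The output should show an Allow entry for NT AUTHORITY\NETWORK SERVICE whose RegistryRights reads "SetValue, CreateSubKey"; restart the Distributed Transaction Coordinator service afterwards so MSDTC picks the change up.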


Performing an Unattended Installation of Active Directory


Automating Domain Controller deployment (that is, Active Directory Domain Services and DNS) couldn’t be simpler; it allows you to install and configure AD remotely with virtually no interaction with the server at all.

First, you will need an answer file that provides dcpromo with the desired settings for the NTDS installation. The contents of this file should look similar to this:

[DCINSTALL]
CreateOrJoin=Create
ReplicaOrNewDomain=NewDomain
NewDomainDNSName=newdomain.com
DomainNetBiosName=newdomain
SetForestVersion=Yes
AutoConfigDNS=Yes
DatabasePath=%systemroot%\ntds
LogPath=%systemroot%\ntds
SYSVOLPath=%systemroot%\ntds
SafeModeAdminPassword=Password
SiteName=UK

Save the above into a new file named ad-auto.txt.

The above file creates a new forest – set using the CreateOrJoin and ReplicaOrNewDomain options.

The DC will be placed into a new AD site named UK – set using the SiteName option.

The forest root domain will be ‘newdomain.com’ with a NetBIOS name of newdomain – set using the NewDomainDNSName and DomainNetBiosName options.

SYSVOL and NTDS directories will be installed to their default paths (%systemroot%\) – set using the SYSVOLPath, DatabasePath and LogPath options.

The DSRM password will be set to ‘Password’ – using the SafeModeAdminPassword option. Note that the answer file holds this password in clear text, so protect the file and delete it once the promotion has completed.

DNS will be automatically installed and configured appropriately – set using the AutoConfigDNS option.

Finally, the forest functional level will be set to Windows Server 2003 native rather than mixed mode – set using the SetForestVersion option.

To install Active Directory using this answer file, simply run this command: dcpromo /answer:ad-auto.txt


Complete Authoritative Restore of Active Directory

Performing a Complete Authoritative Restore of Active Directory

Restart in Directory Services Restore Mode

Simply reboot the server and press F8 during boot. Select Directory Services Restore Mode. You will need your DSRM password for this procedure; it can be reset as detailed in this guide.

Restore from backup media for authoritative restore

1. Click the Restore Wizard button, and then click Next.
2. Select the appropriate backup location and ensure that at least the System disk and System State containers are selected.
3. Click the Advanced button and ensure you are restoring junction points. If you do not go through the Advanced menu, the restore process will not be successful.
4. Select Original Location in the Restore Files to list.
5. In the Advanced Restore Options window, check the boxes for:
   - Restore security.
   - Restore junction points, and restore file and folder data under junction points to the original location.
   - Preserve existing volume mount points.
   For a primary restore of SYSVOL, also check the following box. A primary restore is only required if the domain controller you are restoring is the only domain controller in the domain.
   - When restoring replicated data sets, mark the restored data as the primary data for all replicas.
6. Click OK and continue through the restore process. A visual progress indicator is displayed.
7. When asked to restart the computer, do not restart.

Restore system state to an alternate location

With the System State restored to the alternate location c:\sysvol, copy the contents of the scripts directory from:

c:\sysvol\c_\winnt\Sysvol\Domain\scripts and add it to: c:\Winnt\SYSVOL\Sysvol\domain\scripts

Copy the contents of the policies directory from:

c:\sysvol\c_\winnt\Sysvol\Domain\policies and add it to: c:\Winnt\SYSVOL\Sysvol\domain\policies

Restore the database

1. Open a command prompt, type ntdsutil and then press ENTER.
2. Type authoritative restore and then press ENTER.
3. Type restore database and press ENTER.
4. At the Authoritative Restore Confirmation dialog box, click OK.
5. Type quit and press ENTER until you have exited Ntdsutil.exe.

Restart in normal mode

Restart the server. It is now authoritative for the domain, and changes will be replicated to the other domain controllers in the enterprise.

Verify Active Directory restore

When the computer is restarted in normal mode, Active Directory automatically detects that it has been recovered from a backup and performs an integrity check and re-indexes the database. After you are able to log on to the system, browse the directory and verify that all user and group objects that were present in the directory prior to backup are restored.


Renaming a Windows 2003 Domain Controller

Renaming a Windows Server 2003 Active Directory Domain Controller using the ‘netdom’ tool

Whilst not an everyday occurrence, I would recommend deploying a new machine and running dcpromo on it in order to achieve this result. However, a native Windows Server 2003 Active Directory environment does permit name changes on Domain Controllers.

Please note that this is NOT possible in a Windows 2000 Server Active Directory Domain.

This guide illustrates the commands required to rename the server ‘vm-dc1.home.net’ to ‘vm-dc.home.net’ (notice there is no longer a ‘1’ in the name).

Step One; add the additional name to the computer object.

Open a command prompt window and type:

netdom computername vm-dc1.home.net /add:vm-dc.home.net

Successfully added vm-dc.home.net as an alternate name for the computer.

The command completed successfully.

The netdom command updates the Service Principal Name (SPN) attributes, and DNS records are created for the new computer name.

After allowing sufficient replication time, I would suggest you verify that the secondary name has been registered correctly in Active Directory using adsiedit.msc. Simply find the original computer object and check that the msDS-AdditionalDnsHostName attribute has been populated with the new name.

Step Two; make the new name the primary name for the computer object.

Next, run the following command:

netdom computername vm-dc1.home.net /makeprimary:vm-dc.home.net

Successfully made vm-dc.home.net the primary name for the computer.

The computer must be rebooted for this name change to take effect. Until then this computer may not be able to authenticate users and other computers, and may not be authenticated by other computers in the forest. The specified new name was removed from the list of alternate computer names. The primary computer name will be set to the specified new name after the reboot.

The command completed successfully.

Using ADSI Edit you will now see that the msDS-AdditionalDnsHostName attribute of the computer account is populated with the old name.

Step Three; reboot the server.

Proceed with a reboot of the server.

Step Four; remove the old name.

Finally, run the command:

netdom computername vm-dc.home.net /remove:vm-dc1.home.net

Successfully removed vm-dc1.home.net as an alternate name for the computer.

The command completed successfully.

And that’s it!
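The msDS-AdditionalDnsHostName checks described in steps one and two can also be made from a PowerShell prompt instead of adsiedit.msc. The following is an added example, not part of the original guide; the function name is its own and the default host names are the guide's vm-dc1.home.net and vm-dc.home.net.

```powershell
# Added example, not part of the original guide: list each domain controller's
# computer object with the attributes netdom changes during a rename, so the
# msDS-AdditionalDnsHostName checks in steps one and two can be made from a
# PowerShell prompt instead of adsiedit.msc. Default names come from the guide.
function Get-DcNameAttributes {
    param(
        [string[]]$NamesOfInterest = @('vm-dc1.home.net', 'vm-dc.home.net')
    )
    # Match SPNs whose host part is one of the names (FQDN or short form), so
    # 'vm-dc' is not confused with 'vm-dc1'.
    $names  = $NamesOfInterest + ($NamesOfInterest | ForEach-Object { $_.Split('.')[0] })
    $hostRx = '/(' + (($names | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')(/|$)'

    # primaryGroupID 516 is the RID of 'Domain Controllers', so this finds DC
    # accounts wherever they sit; SearchRoot defaults to the current domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=computer)(primaryGroupID=516))'
    $searcher.PropertiesToLoad.AddRange([string[]]@(
        'distinguishedName', 'dNSHostName', 'msDS-AdditionalDnsHostName', 'servicePrincipalName'))

    foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties   # property names come back lower-cased
        $spns  = @($props['serviceprincipalname']) | Where-Object { $_ -match $hostRx }
        New-Object PSObject -Property @{
            DistinguishedName     = @($props['distinguishedname'])[0]
            dNSHostName           = @($props['dnshostname'])[0]
            AdditionalDnsHostName = (@($props['msds-additionaldnshostname']) -join ', ')
            RelevantSpns          = (@($spns) -join '; ')
        }
    }
}

# Expected per the guide: after step one the new name appears in AdditionalDnsHostName,
# after step two the old name does, and after step four the attribute is empty.
Get-DcNameAttributes | Format-List
```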


Reset the DSRM Password

How to reset the Directory Services Restore Mode (DSRM) Password

The importance of the DSRM password is often forgotten; many administrators will have never used Directory Services Restore Mode.

There is a simple procedure for resetting this crucial password using ntdsutil; from a command prompt window run the following commands:

C:\>ntdsutil

ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server domainController1
Please type password for DS Restore Mode Administrator Account: ********
Please confirm new password: ********
Password has been set successfully.
Reset DSRM Administrator Password: quit
ntdsutil: quit

C:\>

If you’ve forgotten your DSRM password, or have any doubts about it, I’d seriously recommend changing it so you know exactly what it is.


Identify / Determine FSMO role holders in Active Directory

Identify / Determine / Find FSMO role holders in Active Directory

This post illustrates how to use the ‘netdom’ tool to find the FSMO role holders in your environment. These days the process of identifying FSMO role holders seems to be described in the most complex and long-winded of ways. Yes, it can be done using the MMC snap-ins: Active Directory Users and Computers, Active Directory Domains and Trusts and Active Directory Schema. However, using the netdom utility supplied with the Windows 2000 / 2003 Support Tools, it is possible to display this information almost instantly, in a single command window.

Simply run the following command from a command window:

netdom query fsmo

The output you receive should look something like:

Schema owner vm-dc1.home.net
Domain role owner vm-dc1.home.net
PDC role vm-dc1.home.net
RID pool manager vm-dc1.home.net
Infrastructure owner vm-dc1.home.net

The command completed successfully