Performing an Unattended Installation of Active Directory

Performing an Unattended Installation of Active Directory

 

Automating Domain Controller Deployment (read Active Directory Services and DNS) couldn’t be simlper; allowing you to install and configure AD remotely with virtually no interaction with the server at all.

First, you will need an unattend file that provides Windows Setup with the desired settings for NTDS installation. The Contents of this file should look similar to this:

 

[DCINSTALL]
CreateOrJoin=Create
ReplicaOrNewDomain=NewDomain
NewDomainDNSName=newdomain.com
DomainNetBiosName=newdomain
SetForestVersion=Yes
AutoConfigDNS=Yes
DatabasePath=%systemroot%\ntds
LogPath=%systemroot%\ntds
SYSVOLPath=%systemroot%\ntds
SafeModeAdminPassword=Password
SiteName=UK

 

Save the above into a new file named ad-auto.txt.

Use the above file to create a new forest – set using the CreateOrJoin and ReplicaOrNewDomain options.

The DC will be placed into a new AD site named UK – set using the SiteName option.

The forest root domain will be ‘newdomain.com’ with a NETBios name of newdomain – set using the NewDomainDNSName and DomainNetBiosName options.

SYSVOL and NTDS directories will be installed to their default paths (%systemroot%\) – set using the SYSVOLPath, DatabasePath and LogPath options.

The DSRM password will be set to ‘password’ – using the SafeModeAdminPassword option.

DNS will be automatically installed and configured appropriately – set using the AutoConfigDNS option.

Finally, the forest functionality level will set as Windows Server 2003 native rather than mixed mode – set using the SetForestVersion option.

 

To install Active Directory services using this unattended file simply run this command: dcpromo /answer:ad-auto.txt

VBScript ; Check Operating System Service Pack Level

VBScript ; Check Op Save erating System Service Pack Level

The script below will output the current service pack of any Windows 2000+ Operating System. This is very useful if you are deploying software via logon script.

Const Impersonate = “winmgmts:{impersonationLevel=impersonate}!\\”
computer = “.”
Set oWMI = GetObject(Impersonate & computer & “\root\cimv2”)
Set QueryWMI = oWMI.ExecQuery(“SELECT * FROM Win32_OperatingSystem”)
For Each oItem In QueryWMI
spVer = oItem.ServicePackMajorVersion
Next

MsgBox “This computer has Service Pack ” & spVer & ” is installed.”

 

 

 

 

 

 

 

 

 

 

Troubleshooting Citrix Session Poor Response / High Latency

Troubleshooting Citrix Session Poor Response / High Latency

I was recently tasked with troubleshooting very poor performance on a Citrix Presentation Server 4.5 Advanced Edition Farm.

Hardware Requirements

Your first port of call should be server specification: is the server ‘man’ enough for the task being asked of it? Use the built-in Windows Performance Counters to troubleshoot here.

Check you CPU usage and troubleshoot specific processes if your CPU utilisation is very high. For my environment CPU usage was at < 5%; this was not the governing performance issue.

Memory utilisation can also hinder performance. As a Citrix server runs out of RAM the number of pages /second dramatically increase. Memory usage was circa 50% and the number of pages /second was low.

Network utilisation; whilst ICA is a low-bandwidth application other applications on your environment may be increasing network latency due to saturation of the network link. Use the built-in Windows Performance counters and your switch management tools to ascertain if this is your governing issue. For my environment network usage was < 5% on a 100MB Full-Duplex link.

Network Problems

Are there specific problems with your network that are causing peaks in latency and dropped packets?

Using the Metaframe Servers SDK (MFCOMSDK) v2.3 tool; smcconsole.exe I was able to monitor individual user sessions.

 

Using this tool you can view individual sessions bandwidth utilisation and latency. This tool is incredibly useful when troubleshooting issues regarding session performance. Session latency can also be viewed using the WMI performance counters for ICA Session that are installed when Citrix is installed on a Windows Server.

 

The Metaframe Server SDK version 2.3 is available from here

 

The image above shows a latency figure of 32ms. This equates to 0.03 seconds – a more than acceptable latency figure for an ICA session. When troubleshooting my issues I was receiving figures of 27000ms (yes, 27 seconds!).

Common causes of high latency are:

Ø Network topology issues including port mismatches

Ø MTU issues

Ø Link saturation / QoS

 

A quick and easy check, which should identify any serious network issues, is to conduct what I call a ‘loaded ICMP echo request’ from a network that is experiencing the latency issues to a server in the Citrix farm. A normal ICMP echo request is 32 bytes; we are able to load the packet with up to 1500 bytes. This is achieved using the following command:

> ping ctxserver1 –t –l 1472 -f

 

Let me explain the command. The ‘-t’ option forces the ping to repeat until instructed otherwise (i.e. cancelled with Ctrl-C). The ‘-l 1472’ option sets a packet length of 1472 bytes; there is a 28byte packet overhead therefore, the total packet size is 1500.Finally, the ‘-f’ option forces the packet to not fragment over multiple packets.

 

First, verify that the MTU for your network is in fact 1500 bytes. You can verify this by using the same test to other servers and devices across your network. If you see many dropped packets you know there is a network fault, which may well be the cause of your performance woes.

 

Using this test I identified that there was a fault. The next step is to identify where this fault is occurring.

 

Use ‘tracert’ to identify the path that your packets travel in order to reach your citrix server. Then perform this loaded ping test to each of these addresses one at a time.

 

Configuring & Replicating SpeedScreen in Citrix PS 4.5

Configuring & Replicating SpeedScreen in Citrix PS 4.5

‘Speedscreen’ is a very useful feature built in to all versions of Citrix Presentation Server 4.. Configuring this feature is remarkably easy, but it is also remarkably easy to overlook.

For more information regarding speedscreen functionality and benifits see the ‘Presentation Server 4.5 Bandwidth & Usability Study in Graphics-Rich Scenarios’ whitepaper at the following URL: http://www.citrix.com/English/ps2/products/documents_onecat.asp?contentid=186&cid=White+Papers

To configure SpeedScreen log into a Citrix Server which has the Citrix Toolbar / Administration Tools installed. From the Administrative Toolbar select the following Icon:

 

You will then be presented with the following window:

You can see that this server has been configured for SpeedScreen on all of the listed executables. To add SpeedScreen functionality to another application simply click ‘New… ‘ you will then be presented with a Wizard which will ask you to browse for the desired executable to utilise SpeedScreen with.

Replicating Configuration Between Servers

If you have more than a couple of Citrix Servers in your environment the last thing you want to do is set this up manually on all servers. There is a very simple and quick way of replicating your SpeedScreen configuration between all servers.

Browse the filesystem of a server which has been configured to utilise SpeedScreen, copy the follwoing folder: %Citrix-Install-Dir%\ss3config to all servers under the Citrix Installation Directory. Note this folder may also be under %windir%\system32\ss3config

Provided you have enabled Speed Screen at the Farm level via the Access Management Console you’re good to go!

 

 

 

Temporarily Increase Exchange 2000 / 2003 16gb DB Limit

Temporarily Increase Exchange 2000 / 2003 16gb Database Limit

This article covers the necessary stps to increase your Exchange 2000 / 2003 SP1 Database limit from 16GB to 17GB to allow you to perform database maintenence.

Temporarily Increase the Exchange 2000/2003 Mailbox Database Size Limit

Locate the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\\Private-

Add a new REG_DWORD Value: ‘Temporary DB Size Limit Extension‘ set it to 1.This can only be used on servers running Exchange 2000 with the September 2003 Post-Service Pack 3 Roll up or Exchange Server 2003 SP1.Once the database is mounted remove unnecessary database content and then perform a defragmentation of the database in order to reclaim the database space.

In order to permanently resolve this issue on Exchange Server 2003 SP2:

First, verify that sufficient hard disk space is available for the larger database.

Always ensure you have 120% of the desired database size in free space for database maintenence.

For a mailbox store, click the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\Server name\Private-Mailbox Store GUID

For a public folder store, click the following registry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\Server name\Public-Public Store GUID

Create a new DWORD Value; ‘Database Size Limit in Gb’ set the value as Decimal, and then an integer from 1 to 75.Note These integer values represent the maximum size of the database in gigabytes (GB). For example, a value of 75 represents a database that has a maximum size of 75 GB.

Restart the Microsoft Exchange Information Store service. To do this, follow these steps:

net stop msexchangeis

net start msexchangeis

In the Event Viewer tool, click Application event ID 1216 to verify that the database size has been set successfully.

Complete Authoritative Restore of Active Directory

Performing a Complete Authoritative Restore of Active Directory

Restart in Directory Services Restore Mode

Simply reboot the server and press F8 during the boot procedures. Select Directory Services Restore Mode. You will require your DSRM password for this procedure. This can be reset as detailed in this guide.

Restore from backup media for authoritative restore

Click the Restore Wizard button, and then click Next.Select the appropriate backup location and ensure that at least the System disk and System State containers are selected.Click the Advanced button and ensure you are restoring junction points. If you do not go through the advanced menu, the restore process will not be successful.Select Original Location in the Restore Files to list.In the Advanced Restore Options window, check the boxes for:Restore security.Restore junction points, and restore file and folder data under junction points to the original location.Preserve existing volume mount points.For a primary restore of SYSVOL, also check the following box. A primary restore is only required if the domain controller you are restoring is the only domain controller in the domain.When restoring replicated data sets, mark the restored data as the primary data for all replicas.Click OK and continue through the restore process. A visual progress indicator is displayed.When asked to restart the computer, do not restart.

Restore system state to an alternate location

Copy the contents of the scripts directory from:

c:sysvolc_winntSysvolDomainscripts and add it to:c:WinntSYSVOLSysvoldomainscripts

Copy the contents of the policies directory from:

c:sysvolc_winntSysvolDomainpolicies And add it to:c:WinntSYSVOLSysvoldomainpolicies

Restore the database

Open a command prompt and type ntdsutil and then press ENTER.Type authoritative restore and then press ENTER.Type restore database and press ENTER.At the Authoritative Restore Confirmation dialog box, click OK.Type quit and press ENTER until you have exited Ntdsutil.exe.

Restart in normal mode

Restart the server. It is now authoritative for the domain, and changes will be replicated to the other domain controllers in the enterprise.

Verify Active Directory restore

When the computer is restarted in normal mode, Active Directory automatically detects that it has been recovered from a backup and performs an integrity check and re-indexes the database. After you are able to log on to the system, browse the directory and verify that all user and group objects that were present in the directory prior to backup are restored.

Renaming a Windows 2003 Domain Controller

Renaming a Windows Server 2003 Active Directory Domain Controller using the ‘netdom’ tool’

Whilst not an everyday occurrence, I would recommend deploying a new machine and running dcpromo on it in order to achieve this result. However, a native Windows 2003 Active Directory environment will permit name changes on Domain Controllers.

Please note that this is NOT possible in a Windows 2000 Server Active Directory Domain.

This guide illustrates the required commands for renaming the server ‘vm-dc1.home.net’ to ‘vm-dc.home.net’ (notice no ‘1’ in the name anymore)

Step One; add the additional name to the computer object.

Open a command prompt window and type:

netdom computername vm-dc1.home.net /add:vm-dc.home.net

Successfully added vm-dc.home.net as an alternate name for the computer.

The command completed successfully.

Service Principal Name (SPN) attributes will be updated using the netdom command and DNS records will be created for the new computer name.

After allowing sufficeient replication time I would suggest you verify the secondary name has been registered correct in Active Directory using adsiedit.msc. Simply find the original Computer Object and check the msDS-AdditionalDnsHostName attiribute has been populated with the new name.

Step Two; make the new name the primary name for the computer object.

Next, run the following command:

netdom computername vm-dc1.home.net /makeprimary:vm-dc.home.net

Successfully made vm-dc.home.net the primary name for the computer.

The computer must be rebooted for this name change to take effect. Until then this computer may not be able to authenticate users and other computers, and may not be authenticated by other computers in the forest. The specified new name was removed from the list of alternate computer names. The primary computer name will be set to the specified new name after the reboot.

The command completed successfully.

Using ADSI edit you will now see that the msDS-AdditionalDnsHostName attribute for the Computer Account is now populated with the old name.

Step Three; reboot the server.

Proceed with a reboot of the server.

Step Four; remove the old name.

Finally, run the command:

netdom computername vm-dc.home.net /remove:vm-dc1.home.net

Successfully removed vm-dc1.home.net as an alternate name for the computer.

The command completed successfully.

And that’s it!

Reset the DSRM Password

How to reset the Directory Services Restore Mode (DSRM) Password

The importance of the DSRM password is often forgotten; many administrators will have never used Directory Services Restore Mode.

There is a simple procedure for resetting this crucial password using ntdsutil; from a command prompt window run the following commands:

C:\>ntdsutil

nntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server domainController1
Please type password for DS Restore Mode Administrator Account: ********
Please confirm new password: ********
Password has been set successfully.
Reset DSRM Administrator Password: quit
nntdsutil: quit

C:\>

If you\\”ve forgotten your DSRM password, or you have any doubts I’d seriously reccomend changing the password so you know exactly what it is.

Identify / Determine FSMO role holders in Active Directory

Identify / Determine / Find FSMO role holders in Active Directory

Illustrates how to use the ‘netdom‘ tool in order to find the FSMO role holders within your environment. These days the process for identification of FSMO role holders seems to be described in the most complex and long-winded of ways. Yes yes yes, this process can be done using the MMC snap-ins; Active Directoryy Users and Computers, Active Directory Domains and Trusts and Active Directory Schema. However, using the netdom utility supplied with the Windows Server 2000 / 2003 support tools it is possible to display this information almost instantly, in a single command window.

Simply run the following command form a command window.

netdom query fsmo

The output you recieve should look something like:

Schema owner vm-dc1.home.net
Domain role owner vm-dc1.home.net
PDC role vm-dc1.home.net
RID pool manager vm-dc1.home.net
Infrastructure owner vm-dc1.home.net

The command completed successfully

VBScript ; Montior Exchange DB Size

VBScript ; Montior Exchange 2000/2003 Standard DB Size

Aimed at the SMB users running with the 16GB limit, this customisable vb script will warn you when the Microsoft Exchange Database size exceeds a certain size in GB.\r\n\r\nThe script could easily be modified for use with all versions of Exchange depending on what limit you’re worried about, be it software or hardware restricted.’, ‘Simply copy the following code into notepad and save it as a ‘.vbs’ file. The script needs to run from the mailserver itself, I run it as a scheduled task at start-up.

In order to avoid excessive notifications the script quits upon notification, you must re-run the script in order to continue monitoring.

You need to modify the areas highlighted in bold. I have configured the script to alert me via when the DB size reaches 15GB.

The script is called using a batch file which contains the following line:

cscript.exe c:\scripts\script_name.vbs

Dim fileSize, fileSize2, totalSize, checkFile, strComputer, objWMIService
Dim setFormat, MessageTitle, messageBody, SizeFormat

Set WshShell = CreateObject(“WScript.Shell”)
Set objNetwork = CreateObject(“Wscript.Network”)
Set fso = CreateObject(“Scripting.FileSystemObject”)

strComputer = “.”
Set objWMIService = GetObject(“winmgmts:” _
& “{impersonationLevel=impersonate}!\\” & _
strComputer & “\root\cimv2”)

Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
(“SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE ” _
& “TargetInstance ISA ‘CIM_DataFile’ and ” _
& “TargetInstance.Name=’e:\\ExchangeDB\\MDBDATA\\priv1.edb'”)

Do
Set objLatestEvent = colMonitoredEvents.NextEvent
filesize = 0
filesize2 = 0
totalSize = 0

target = “e:\ExchangeDB\MDBDATA\priv1.stm”
Set checkFile = fso.GetFile(target)

fileSize = SetBytes(checkFile.size)
filesize2 = SetBytes(objLatestEvent.TargetInstance.FileSize)

totalSize = filesize + filesize2
Wscript.Echo “Exchange DB size is” & totalSize & SizeFormat

If (filesize + filesize2 ) > 15 Then
messageBody = “Danger Will Robinson! Exchange DB size at ” & totalSize & SizeFormat & vbCrlf & vbCrlf _
& “Please restart this script on the server.”
SendEmail()
WScript.Quit()
End If
Loop

‘————————-
Function SetBytes(Bytes)
If Bytes >= 1073741824 Then
SetBytes = Round(FormatNumber(Bytes / 1024 / 1024 / 1024, 2), 2)
SizeFortmat = “GB”
ElseIf Bytes >= 1048576 Then
SetBytes = Round(FormatNumber(Bytes / 1024 / 1024, 2), 2)
SizeFortmat = “MB”
ElseIf Bytes >= 1024 Then
SetBytes = Round(FormatNumber(Bytes / 1024, 2), 2)
SizeFortmat = “KB”
ElseIf Bytes < 1024 Then
SetBytes = Bytes
SizeFortmat = “Bytes”
Else
SetBytes = “0 Bytes”
End If
End Function

‘————————————————
Sub SendEmail
Set objMessage = CreateObject(“CDO.Message”)

objMessage.Configuration.Fields.Item _
(“http://schemas.microsoft.com/cdo/configuration/sendusing”) = 2

‘FQDN / IP Of SMTP Server
objMessage.Configuration.Fields.Item _
(“http://schemas.microsoft.com/cdo/configuration/smtpserver”) = strComputer

‘SMTP Port
objMessage.Configuration.Fields.Item _
(“http://schemas.microsoft.com/cdo/configuration/smtpserverport”) = 25

objMessage.Configuration.Fields.Update

objMessage.Subject = strComputer & “: Exchange Database Size”
objMessage.From = “[email protected]
objMessage.To = “[email protected]
objMessage.TextBody = messageBody
objMessage.Send
End Sub