March 26

Optimizing Group Policy Performance

Now, that's a good article: Group Policy: Optimizing Group Policy Performance

September 11

Printer Management in 2003 R2

Printer management has always been a challenge in most environments.
Solutions range from complex logon scripts (checking in which groups your account is...) to self-service portals.
Windows 2003 R2 expands GPOs in a very interesting way. Trust me: if, like me, you would like to centrally manage how printers are distributed to clients, you will enjoy this solution.

May 04

Deregistering Domain Controllers from DNS using nltest

But if you have a domain controller that crashed and you do not plan on bringing it back online, you'll need to remove the records manually or wait for scavenging.

nltest /dsderegdns:<DomainControllerName> /dom:<DomainDNSName>

ex:

nltest /dsderegdns:sv01.zoo.be /dom:zoo.be

Cheers
MV

February 28

Finding "stale" computer accounts in AD

This is from the Windows Mag Tips&Tricks Update Q&A:
Q. How can I determine which computer accounts haven't had their passwords changed?
A. By default computers have a password (which originally is the name of the computer account!) that's changed every 30 days. If a computer's password isn't changed (e.g., it's been offline), then 60 days after its last password change the computer account won't be able to authenticate to the domain until its password is reset.
You can check for computers that haven't changed their password for more than 60 days (and could therefore be considered "stale") using the dsquery command on Windows Server 2003 and later systems. Here's a sample command execution and output:
C:\>dsquery computer -stalepwd 60
"CN=THANOS,CN=Computers,DC=savilltech,DC=com"
"CN=WKSSAVD810,CN=Computers,DC=savilltech,DC=com"
"CN=KEVINLITTLE,CN=Computers,DC=savilltech,DC=com"
"CN=SAVDALWKS02,CN=Computers,DC=savilltech,DC=com"
"CN=SAVDALMOM01,CN=Computers,DC=savilltech,DC=com"
This output shows I have five machines that haven't changed their passwords for more than 60 days and are therefore unable to connect to the domain.

February 16

Resetting the default permissions on AD

Did you know that the AdminSDHolder process, running on the PDC Emulator every hour, resets the permissions on specific AD objects? Mmmm... did you? Well, I didn't, but this guy surely did:
This could really waste all your efforts to secure AD...
Cheers
MV

December 09

NetBIOS needed for 2003 Forest trusts

Well, apparently, one still needs NetBIOS on a Windows 2003 DC to create Forest trusts:
When will Msoft finally liberate us from NetBIOS? 2010, I guess...

December 01

How to find users that did not logon since...

This good tip demonstrates how to use the "LastLogonTimeStamp" attribute with dsquery.
Thank you Mister Jones!
http://mcpmag.com/columns/article.asp?EditorialsID=1161 and look for the "Return to the Last Logon" article.

Mapping AD Users and Computers to Schema attribute names

Hey, which attribute did I modify when using AD Users & Computers?
This table will tell you... Thanks Microsoft!

November 24

adprep /gprep

The adprep /domainprep procedure modifies existing security descriptors on existing objects and attributes in Active Directory. It also modifies security descriptors to group policy objects on the file system (SYSVOL). For a full list of changes, see KB 309628.
The adprep utility has been enhanced by Msoft with W2K3 SP1. Before SP1, adprep /domainprep was used to modify the schema and the Sysvol.
Now you can use the /gprep switch to update the Sysvol separately from the Schema. This is useful if you wish to control your sysvol/replication traffic.
If you still want to update both at the same time, simply run adprep /domainprep /gprep.
From W2K3 SP1 on, adprep /domainprep only makes changes to Active Directory objects and attributes. It does not make any changes to the security of files in SYSVOL.
Please note you should use the adprep.exe from the “slipstreamed” version of Windows 2003 SP1.

November 21

Good explanation about AD/IIFP/MIIS

Many friends (you?) are still a little bit confused about IIFP/MIIS and their use.
Here is a nice article that will help them:
See, mom, I don't copy/paste, promise...
BTW I am delivering the MOM 2005 course this week. I just love it.

November 14

Link to a good, free management tool for Windows Networks

Looking for a free but performant management tool?
Here it is: http://www.jffnms.org/

October 31

ADM files by Msoft

can be found here:
You should also check KB 816662 which describes how to update your adm files.

Troubleshooting the FRS/DFS Sysvol

Troubleshooting the FRS/DFS is one of the most complex subjects in Windows Server. And that Sysvol folder is soooo critical... Here are the best resources I've found on this subject.
Start by reading this MCP Mag article:
Then, these 2 posts will give you a good troubleshooting overview.
This Msoft page is quite useful. It features all the links to the different tools you need, including Ultrasound, FRSDiag and Sonar. http://www.microsoft.com/windowsserver2003/technologies/storage/dfs/tshootfrs.mspx
Finally, check out the FRS tech guide by Msoft:
C'mon, keep your Sysvol healthy!

August 05

Monitoring AD Replication with repadmin

The other day I stumbled upon this TechNet article detailing the use of Repadmin.
A good introduction, indeed.

August 01

Users Logon Scripts in an Active Directory Environment - Beginners only

Hello and welcome back!
It's Monday morning and I feel like writing an answer to a FAQ: how do you assign Logon Scripts to Users in an AD environment?
There are 2 ways to do so:
1. The "classical" way. This will work with all Windows (2K3, 2K, XP, NT 4.0) platforms. This is the only way I know of to assign logon scripts to users logging on to an NT 4.0 WK.
2. By using GPOs; this will target the objects linked to your GPO (OU, Site, Domain).

July 27

Finding GPOs W2K3

Hey, how do you easily find the GPO you need?
Well, you can use the built-in filtering available while editing any GPO (Admin Templates, then Filtering in the View menu).
But the easiest way is to download the Excel Spreadsheet "Group Policy Settings Reference for .adm files included with Windows XP Professional Service Pack 2". You will find it at go.microsoft.com/fwlink/?linkid=15165.

July 13

Sysvol and the KCC in W2K3: a thorny question

One question has always nagged at me: how often the Sysvol (including the GPT) is replicated under AD.
OK, everyone agrees that the Sysvol is replicated by the FRS.
But beyond that, well, they don't agree at Microsoft. What is the replication schedule? Does the FRS query the KCC?
Windows 2003 Resource Kit, Group Policy Guide, p. 644 seems to say no: "These two replication services do not rely on each other in any way. Therefore they replicate on different intervals and at different times." And the Resource Kit goes on to discuss the problems caused by the differing replication schedules of the GPC (AD) and the GPT (Sysvol).
Windows 2003 Server Inside Out, p. 1175 seems to say yes: "FRS is used to transfer the physical files themselves. The replication topology used is the one implemented by AD. The way this works is that FRS checks with the KCC to determine the replication topology (...) and then uses this topology to replicate the SYSVOL to all the domain controllers (...)"
So, who is right? Perhaps we need to distinguish here between the replication schedule and the "connection objects" themselves? The FRS finds out which DCs it must replicate with by querying the KCC, and has its own replication schedule.
Perhaps?

June 27

Active Directory Wars. Episode I: The Return of the Crash.

Trilogies are in fashion, so I decided to write my own. So, here is the script for episode 1. A geek administers a big Active Directory. One day he deletes some very critical objects (like his boss's user account). What can he do? Well, he should have read the very good Windows 2003 magazine article that details how to set up a "delayed-replication AD recovery site". Normally, the article will be freely accessible within a few days... see the link below. The great thing about the Internet is that I just have to tell you that it is REALLY a very good idea and that the article is excellent. There you go, the shortest ones are the best.

June 23

Undocumented repadmin options

Yes indeed, Microsoft does not document all the commands of its OSes... For example, try repadmin /experthelp on a W2K3 SP1 server and tell me what you think! Compare that with the repadmin /help command. Reserved for fans of AD replication (or for M$oft Product Support).