Thursday, January 31, 2008

FSMO ROLES & How to seize them



We talked a lot about FSMO roles and their purpose on previous articles in my blog. The FSMO roles, I used to ask this question all the times

Which FSMO role is the most important considering one single domain / Forest. Or the opposite one, which FSMO role is the less important one considering one domain.

Answer of course will vary from person to another. The reality is that PDC emulator is the mostly, heavy used FSMO roles among others.

Another FSMO question is how to see FSMO roles? Those of you who have hands on experience will know ADUC is the first place to go and look for Domain wide FSMO roles

When a right clicks on ADUC and select Operations masters

  • RID
  • PDC
  • Infrastructure

Seizing is kid stuff, fist connect to DC you wish to transfer these roles too, by opening ADUC and choosing connect to domain controller. Once you connect to the domain controller now open up the operation masters and start seizing them one by one

The forest ones requires same type of afford, only schema master needs a DLL file to be registered

Register Schmmgmt.dll

Go to command line or run menu copy or paste below and hit enter

regsvr32 schmmgmt.dll

Now we will seize the domain wide FSMO roles

Click start, run, and mmc, add snap in and select Active directory Schema snap in and select Active directory domains and trust snap in, click ok.

Same technique will apply here, first make a right click all the way top and select connect to domain controller ( this is the DC you are trying to transfer the FSMO role too) , once you connect to selected DC all you need to do is , another right click and "Operations Masters) and click change

Same applies for the Domain Naming Master Role.

Now, how to see all the FSMO roles one at the time is the question. Several different ways, including GUI and third party tools available to achieve this mission.

The easiest one I can think of would be Download support tools, and install it. Go to CMD and type following command


Netdom query fsmo

C:\>netdom query fsmo

Schema owner vdc1.nwtraders.msft

Domain role owner vdc1.nwtraders.msft

PDC role vdc1.nwtraders.msft

RID pool manager vdc1.nwtraders.msft

Infrastructure owner vdc1.nwtraders.msft

The command completed successfully.


Seize FSMO roles from command line


Schema master

Domain naming master

RID master

PDC

Infrastructure master

Forest wide and one per forest.

Forest wide and one per forest.

Domain specific and one for each domain.

PDC Emulator is domain specific and one for each domain.

Domain specific and one for each domain.


  • Log on the DC open CMD
  • Type following
  • Ntdsutil, hit enter
  • Roles ( you can use ? to see the available commands)
  • Fsmo maintenance
  • Connections
  • Connect to server <Server name goes here>
  • q
  • Seize domain naming master

A windows will open up and will ask you sure you want to do this , click yes

All roles can be seized as below table

Seize domain naming master

Seize infrastructure master

Seize PDC

Seize RID master

Seize schema master


Each time you will get the same warning

Best,

Oz ozugurlu

MCITP (EMA) ,MCITP(SA),

MCSE (M+,S+) MCDST

Security+, Server +,Project+

Monday, January 28, 2008

Exchange White Space Script 1221



There are many scripts available to determine the whitespace on exchange server. Here is another one very simple. All you need to do it to copy and paste below code into notepad, and save it as any name you want, I renamed it "ExchangeWhiteSpaceReport.vbs" and save it to anywhere you want and just run it by double clicking on it. The Script will create a folder on your C drive as follows

Const TEMP_FILE = "C:\scripts\whitespace.txt

Only thing need to be changed it the server name, my server name is as follows rcoevschi001, change this to your own server name

arrComputers = Array("rcoevschi001")

Const TEMP_FILE = "C:\scripts\whitespace.txt"

Const ForWriting = 2

Dim strInput, fso

Set fso = CreateObject("Scripting.FileSystemObject")

Set filDest = fso.OpenTextFile(TEMP_FILE, ForWriting, True)

For Each strComputer In arrComputers

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")

Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent Where Logfile='Application' and Eventcode = '1221'")

For each objEvent in colItems

strMessage = objEvent.Message

StartWhiteSpaceDBName = Instr(1,strMessage,"database",1)

EndWhiteSpaceDBName = Instr(1,strMessage,"has",1)

ReturnDBNameLength = ((EndWhiteSpaceDBName-1)-(StartWhiteSpaceDBName+9))

strWSDB = Mid(strMessage,(StartWhiteSpaceDBName+9),(ReturnDBNameLength))

StartWhiteSpaceSize = Instr(1,strMessage,"has",1)

EndWhiteSpaceSize = Instr(1,strMessage,"megabytes",1)

ReturnSizeLength = ((EndWhiteSpaceSize-1)-(StartWhiteSpaceSize+4))+10

strWSSize = Mid(strMessage,(StartWhiteSpaceSize+4),(ReturnSizeLength))

dtmEventDate = objEvent.TimeWritten

strWSTime = WMIDateStringToDate(dtmEventDate)

strOutput = strWSTime & "," & strComputer & "," & strWSDB & "," & strWSSize

filDest.WriteLine strOutput

Next

Next

filDest.Close

Function WMIDateStringToDate(dtmEventDate)

WMIDateStringToDate = CDate(Mid(dtmEventDate, 5, 2) & "/" & Mid(dtmEventDate, 7, 2) & "/" & Left(dtmEventDate, 4) )

End Function


 

Thanks,

Oz ozugurlu

MCITP (EMA), MCITP (SA),

MCSE (M+, S+) MCDST

Security+, Server +, Project+

Tuesday, January 22, 2008

DNS BACKUP



Question:

I have two DNS servers, one is a primary and the other is a secondary. Primary is AD integrated and a DC. Randomly and at random intervals things just up and disappear from the DNS records, even if I manually
input them into the records. I can't seem to figure out why. All servers are Win2k3 Any and all help is appreciated.

Answer:

I agree, your dilemma might be related to scavenging turned on from one of the DC's. I have seen very similar issue in a large enterprise environment where replication is a problem (KCC) and a DC which has scavenging turned on
thinks some records are stale and decides to purge them and advertise the changes in multimaster replication AD ( integrated DNS).it is kind of chasing a cat tale.
Have a second look on the DNS servers for scavenging In my case finding out
the DC causing problem and turning scavenging off did the trick. So here is a nice hint, how to backup DNS ( Thanks to Joe Nagy AD Expert
for simple smart solution)


It might not be a bad idea to run a scheduled task a couple times a day on DC that a good DNS server. Using DNSCMD.

dnscnd /zoneexport SMTP25.org SMTP25.org.bak

This will create a copy of the zone with the filename SMTP25.org.bak in the windows\system32\dns directory. If someone blows away DNS or something happens with replication or
scavenging.....

  • Go into the DNS mmc on that DNS server. Convert the zone from Active Directory Integrated to Primary.
  • Stop the DNS service.
  • Go to the windows\system32\dns directory, delete the
  • SMTP25.org.dns file and THEN...
  • Rename the SMTP25.org.bak file that you've been exporting to
  • SMTP25.org.dns


Start the DNS service and you have fully restored DNS zone.

Now simply go back in to the DNS mmc and convert the zone from Primary to Active Directory Integrated and it will replicate the good DNS around to all the DCs/DNS servers.

Best Regards,

Oz ozugurlu


Monday, January 21, 2008

How DHCP Discovery works

Question:

Hi,
My question is how to communicate the DHCP client to DHCP Server? Because
The client system doesn't have any ip to communicate the DHCP server how to
Broad cast the message to the DHCP Server.
any help me....
Answer
Hi there, as you have indicated in TCP IP world a node who does not have an IP address cannot talk to anyone. So how come a client who does not have any IP address yet can even talk to DHCP server an initiate the DHCP lease process, even more complicated how come DHCP server ever could talk back to client who has no IP address yet.
The question is very logical and the answer is simple
The process called DHCP Discovery involved 4 steps as below

  • DHCP discovery
  • DHCP Lease offer
  • DHCP lease request
  • DHCP Lease acknowledgment

Client uses the IP 0.0.0.0 as its address and the server's uses address 255.255.255.255 and the DHCP Discovery possible to begin. (DHCP discover message on UDP port 68 and destination port 67. )

Read more

http://smtp25.blogspot.com/2007/04/discovering-dhcp-discovery-in-smtp25.html


Best
Oz ozugurlu


Tuesday, January 15, 2008

FSMO ROLES

One of the most asked interview question is the FSMO roles. I remember in ach interview I walk into last coupe year I have asked every single time the FSMO roles. Operation masters no doughty is very important and curtail for every MCSE to understand and use it whenever is needed. I have already blogged about FSMO roles, why we needed them and how to keep memorize this role. I most offend ask to my students following question about FSMO roles.

If you have 12 Domain, and considering one Forest how many FSMO roles in total exist? I get multiple answers including 1 and 12 domains. Of course those of you understand would say 38 domains without thinking a second. Knowing FSMO roles are very important, indentifying these roles in AD (Active directory) is fairly easy. The Domain wide FSMO roles can be easily seen from ADUC (active directory users and computer, which are

  • RID
  • PDC
  • Infrastructure

The Forest ones can be seen with multiple utilities, such as NetDom

C:\>netdom query fsmo

Schema owner nhqdtcdc1.ri.SMTP25.org

Domain role owner nhqdtcdc1.ri.SMTP25.org

PDC role nhqdtcdc4.archq.ri.SMTP25.org

RID pool manager nhqdtcdc4.archq.ri.SMTP25.org

Infrastructure owner nhqdtcdc3.archq.ri.SMTP25.org

The command completed successfully.

Other command question I have seen is related the AD maintenance

Ntdsutil

Authoritative restore

Authoritatively restore the DIT database

Configurable Settings

Manage configurable settings

Domain management

Prepare for new domain creation

Files

Manage NTDS database files

Help

Show this help information

LDAP policies

Manage LDAP protocol policies

Metadata cleanup

Clean up objects of decommissioned servers

Popups %s

(en/dis)able popups with "on" or "off"

Quit

Quit the utility

Roles

Manage NTDS role owner tokens

Security account management

Manage Security Account Database

Duplicate SID Cleanup

Semantic database analysis

Semantic Checker

Set DSRM Password

Reset directory service restore mode administrator account password


  • Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory.
  • Seize FSMO roles using Ntdsutil.exe
  • The partition for each FSMO role is in the following list:

FSMO role

Partition

Schema

CN=Schema,CN=configuration,DC=<forest root domain>

Domain Naming Master

CN=configuration,DC=<forest root domain>

PDC

DC=<domain>

RID

DC=<domain>

Infrastructure

DC=<domain>


Directory Services Restore Mode
Regards
Oz ozugurlu

Tuesday, January 1, 2008

Public folders adding a dedicated public folder server into Public folder tree



Here is the scenario we will build dedicated public folder server and we will add it into existing PF replica list. While adding the new server into replica list we will delete the one of the dedicated PF server and decommission it eventually. Ideally when it comes to PF design it is a good idea to have the PF folder replica on the local exchange server as well as on the dedicated PF server.

The PFDEVAdmin comes into rescue of course. Doing bulk operation with PFDEVAdmin is real easy.

  • Click Tolls
  • Click Custom bulk operations
  • Click Add
  • Replica list click ok

The new menu will appear, and click on "select" under replicas

Here is the trick first window opens up ask you which server you wish to add into PF replica list, if you don't select any server you are leaving it blank, and go to second window (second window ask you which server needs to be removed from replica list) and select the server needs to be removed from PF replica list. Vice versa, if you only want to add without removing existing server when window opens up click okay without selecting any server to accomplish adding and removing PF server into PF tree.

Click ok and start performing bulk operations. PFDEVAdmin is great tool to perform bulk operations in large enterprise environment, altering the PF replica list manually would take up to days.

  • There is only one MAPI public folder hierarchy that a single Exchange organization can support.

Another important part of the client public folder experience is the actual Public Folders tree that you can expand to see the public folder hierarchy. The Public Folders object is an Active Directory object that lives under the Administrative Group's Folders object. There is only one MAPI public folder hierarchy that a single Exchange organization can support. This tree object is located in the administrative group that had Exchange 200x installed into it first. The Public Folders object has an attribute that points to every public folder store that is associated with it. You can move this specific object between administrative groups by just dragging and dropping it in Exchange System Manager

Exchange 2007 is still supporting PF architecture; next version of exchange will support it as well (if Microsoft won't change their mind). There is serious intention from Exchange team to drop the PF architecture and use more robust (Share point), type of solution. Eventually PF structure won't be part of exchange, this is the intention and I do support it. In my opinion, the PF folders more of a headache and we need to move away it.

Best Regards,

Oz ozugurlu