All about Information Technology infrastructure and system. Helpdesk & support issue, deployment guide, and daily activity in managing an information technology operation.
Search This Blog
Monday, May 18, 2009
Event ID 9321 logged when running Exchange Offline Address Book (OAB) generator
You notice that there are a couple of event ids 9321 being logged at your exchange server. All function seems to run normally. The error message shown something likes “OALGen could not generate full details for entry person name in address list '\Global Address List' because the total size of the details information is greater than 64 kilobytes.”
Resolution:
The most common cause for this is a large number of certificates published for the user, causing their details to be over the 64kb limitation for the details in the OAB. There is no way to increase this limit, so the solution is to remove any unneeded certificates from the users so that we get the details under 64kb.
To clean out the certificates:
- In ADUC, make sure View, Advanced Features is checked.
- Go to the properties of the user.
- Published Certificates tab.
- Remove any unneeded/expire certificates.
Exchange Server - Cannot Generate Offline Address Book (OAB) error 8004010e
Exchange server cannot generate offline address book. Newly created email address doesn’t appear at the Global Address List. At the event viewer you see error logged with event id 9338, 9330, and 9126. You’ve try changing the server generating OAB to other, but the same error occurs.
Resolution:
The most common reason for failure to generate the OAB with error 8004010e is a mangled attribute in Active Directory.
Use Nspitool.exe to identify which user has the mangled attribute.
1. Save and unzip the attachment to your Exchange server.
2. Click Start, click Run, type in cmd and click Ok.
3. Navigate the directory which you save the nspitool.exe in and run the following command: nspitool -WalkAddressList
You should see something like “QueryRows failed 0x8004010e on entry personname, WalkAddressList ended with 0x8004010e” on the output text.
Next step is to use adsiedit.msc to connect to GC partition to check the attribute value. Go to the user properties and check the manager attribute value. Is it the same with the Active Directory User and Computer (ADUC) version? If not, change the value at ADUC to something else, wait for the replication to occur, and change it back to the correct value.
The attribute value shown through ADUC and through adsiedit.msc should have the same result.
Run the nspitool.exe again and do the necessary fix until there’s no “queryrows” error anymore.
Tuesday, May 12, 2009
Checklists when promoting a Windows Domain Controller
Here are some of the things that you must configure when promoting a domain controller at a forest with multi sites and multi domains topology.
If this is a new Domain Controller at new site:
a. At Active Directory Sites and Services, create a new site.
b. Create a new subnet and link it to the newly created site.
c. Configure the IP site link for Active Directory replication.
· Promote the Windows Server to become Domain Controller.
· Configure the Domain Controller to become a DNS server – Active Directory Integrated (Domaindnszones).
· Configure the Domain Controller to become a Global Catalog server.
· Configure DNS Forwarders.
· Configure the Domain Controller to be the Authoritative Name Servers in the domain.
· Enable Strict Replication Consistency. (more)
· Disable Windows Scalable Networking Pack Components. (more)
· Change Windows Time Service MaxNegPhaseCorrection and MaxPosPhaseCorrection value to 48 hours. (more)
How to disable Windows Scalable Networking Pack Components
Scalable Networking Pack (SNP) is enabled by default as part of installing Windows Server 2003 Service Pack 2. SNP can be used, under specific circumstances, to improve network performance. Most environments, however, do not have SNP capable network adapters/drivers. This can result in unexpected network problem which is why it is recommended to disable SNP unless a server can benefit from it. For Domain Controller, it is recommended to disable this feature.
Resolution
To disable SNP, modify certain this registry values:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: EnableTCPChimney
Value: EnableRSS
Value: EnableTCPA
Data: 0 or 1
Each component can be individually enabled or disabled. Set the value to "0" to disable it.
Windows Time Service time correction setting
The Windows Time service by default in Windows 2000 and 2003 allows for a positive or negative time correction of any amount for domain controllers. This can cause serious problems in a forest should a dramatic time shift occur. This can even occur when synchronizing with other authoritative sources as hardware problems, software problems or human error can cause them to provide the wrong time. Some of the problems that can occur from a dramatic time change are Windows Server 2003 based domain controllers may be quarantined, deleted objects may be prematurely purged before end-to-end replication of the deletion is fully replicated (causing lingering objects), user and computer passwords may expire unexpectedly, and trust passwords becoming out of sync.
Resolution
Modify the default value on the following registry.
The registry key(s) are different depending upon the operating system version.
Windows 2003/2008
Path: HKLM\System\CurrentControlSet\Services\W32Time\Config
Value: MaxNegPhaseCorrection
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: there is an accompanying MaxPosPhaseCorrection value to control positive time changes.)
Windows 2000
Path: HKLM\System\CurrentControlSet\Services\W32Time\Parameters
Value: MaxAllowedClockErrInSecs
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: Windows 2000 has a single value to control both positive and negative time changes.)
Change them to a positive/negative value of 48 hours (0x2A300 or 172,800 seconds).