
Tuesday, November 1, 2011

DNS Tombstones in Windows 2003 and 2008

When DNS records are deleted from AD-integrated zones, they are not immediately tombstoned the way normal AD object deletions are. Instead, they go through a DNS tombstone process, which sets dnsTombstoned=True on the object.
When set to True, the DNS console and tools ignore the record. You will still see the object through LDP/ADSIEDIT/LDIFDE alongside the other DNS records. Each DNS server is hard-coded to run a cleanup process every morning at 2 a.m. that deletes any dnsTombstoned=True records that are seven days old or older.
It is at this point that the objects are tombstoned like normal AD deletions (isDeleted=True) and moved to the Deleted Objects container. This is important to know when someone deletes records, for example by enabling scavenging for the first time, and wants to know why they still see the objects in Active Directory. The reason for the seven days of dnsTombstoned=True is to prevent frequent database churn: workstation records may be de-registered or scavenged and then re-created within a short period of time.
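The following PowerShell is an added example (not from the original post) that lists the records currently in the dnsTombstoned state across the three places an AD-integrated zone can be stored, and flags any older than seven days that the 2 a.m. cleanup should already have turned into ordinary AD tombstones. The domain DN is a placeholder to replace; the script needs only read access to the DNS partitions.

```powershell
# Added example, not part of the original post.
# Enumerate dnsNode objects flagged dnsTombstoned=TRUE: the DNS console ignores
# them, but they remain in the zone partition until the 2 a.m. cleanup turns
# them into ordinary AD tombstones (isDeleted=TRUE) after seven days.
$domainDn = 'DC=contoso,DC=com'   # ASSUMPTION: replace with your domain's DN

# AD-integrated zones can be stored in any of these three locations
$partitions = @(
    "LDAP://DC=DomainDnsZones,$domainDn",
    "LDAP://DC=ForestDnsZones,$domainDn",
    "LDAP://CN=MicrosoftDNS,CN=System,$domainDn"
)

$cutoff  = (Get-Date).AddDays(-7)
$results = foreach ($base in $partitions) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($base)
    # Only records in the DNS-tombstone state. Objects with isDeleted=TRUE are
    # not returned by a normal search, so Deleted Objects does not show up here.
    $searcher.Filter   = '(&(objectClass=dnsNode)(dNSTombstoned=TRUE))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('name', 'distinguishedName', 'whenChanged'))
    try   { $found = $searcher.FindAll() }
    catch { Write-Warning "Cannot search $base : $($_.Exception.Message)"; continue }
    foreach ($r in $found) {
        # whenChanged approximates when the record entered the tombstone state
        $changed = [datetime]$r.Properties['whenchanged'][0]
        New-Object PSObject -Property @{
            Record     = [string]$r.Properties['name'][0]
            DN         = [string]$r.Properties['distinguishedname'][0]
            Tombstoned = $changed
            # Older than seven days and still present: the cleanup has not run,
            # or has failed on this server, and is worth investigating.
            Overdue    = ($changed -lt $cutoff)
        }
    }
}
$results | Sort-Object Tombstoned | Select-Object Record, Tombstoned, Overdue, DN | Format-Table -AutoSize
```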

Saturday, October 29, 2011

Prevent Registration of Certain Domain Controller DNS Records

There are times when you want to stop a domain controller from registering certain resource records in DNS. One scenario is a hub-and-spoke topology: if all domain controllers/global catalogs in a satellite site become unavailable, it is preferable that a client searching for a domain controller/global catalog in that site fails over to a domain controller/global catalog in the central hub rather than in another satellite site.
To achieve this behavior, the domain controllers/global catalogs in the satellite offices should not register the generic (non-site-specific) domain controller locator DNS records.

To restrict the DNS resource records that are updated by Net Logon:
  1. Open Registry Editor.
  2. In Registry Editor, navigate to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  3. Add the following multistring (REG_MULTI_SZ) value:
    DnsAvoidRegisterRecords
  4. In this value, list the mnemonics of the DNS resource records that the Net Logon service should not register for this domain controller. The following tables list the mnemonics.
Domain Controller-Specific Records

  Mnemonic        Type   DNS Record
  LdapIpAddress   A
  Ldap            SRV    _ldap._tcp.
  DcByGuid        SRV    _ldap._tcp..domains._msdcs.
  Kdc             SRV    _kerberos._tcp.dc._msdcs.
  Dc              SRV    _ldap._tcp.dc._msdcs.
  Rfc1510Kdc      SRV    _kerberos._tcp.
  Rfc1510UdpKdc   SRV    _kerberos._udp.
  Rfc1510Kpwd     SRV    _kpasswd._tcp.
  Rfc1510UdpKpwd  SRV    _kpasswd._udp.

Global Catalog-Specific Records

  Mnemonic        Type   DNS Record
  Gc              SRV    _ldap._tcp.gc._msdcs.
  GcIpAddress     A      gc._msdcs.
  GenericGc       SRV    _gc._tcp.
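As an added example (not from the original post), this PowerShell writes the REG_MULTI_SZ value for a satellite-site domain controller using the mnemonics from the two tables above, reads it back to catch typos, and forces a Net Logon registration pass. It assumes it is run elevated on the domain controller being restricted.

```powershell
# Added example, not part of the original post.
# Tell Net Logon on a satellite-site DC not to register the generic
# (non-site-specific) locator records, then verify the value was written.
# ASSUMPTION: run elevated on the domain controller being restricted.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Mnemonics from the two tables above. Site-specific records (the *AtSite
# variants) are intentionally absent, so clients in the satellite site can
# still locate this DC through its own site's records.
$generic = @(
    'LdapIpAddress', 'Ldap', 'DcByGuid', 'Kdc', 'Dc',
    'Rfc1510Kdc', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd',
    'Gc', 'GcIpAddress', 'GenericGc'
)

# REG_MULTI_SZ, one mnemonic per entry; -Force overwrites an existing value
New-ItemProperty -Path $key -Name 'DnsAvoidRegisterRecords' -PropertyType MultiString `
    -Value $generic -Force | Out-Null

# Read it back and compare, so a typo in the list is caught before the DC
# stops registering records you did not intend to suppress.
$current = (Get-ItemProperty -Path $key -Name 'DnsAvoidRegisterRecords').DnsAvoidRegisterRecords
$diff = Compare-Object -ReferenceObject $generic -DifferenceObject @($current)
if ($diff) {
    $diff | Format-Table -AutoSize
    throw 'DnsAvoidRegisterRecords does not match the intended list'
}

# Net Logon reads the value at start-up; force a registration pass, then check
# the zone. If generic records for this DC are still present afterwards, remove
# them from the zone (or let scavenging age them out).
Restart-Service Netlogon
nltest /dsregdns
```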

Sunday, October 9, 2011

Infrastructure Master & Global Catalog placement

The Infrastructure Master (IM) is the FSMO role responsible for updating cross-domain references and phantoms from the global catalog. It compares objects of the local domain against objects in other domains of the same forest.

  • Single domain forest:

    In a forest that contains a single Active Directory domain, there are no phantoms. Therefore, the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.


  • Multidomain forest:

    If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, the IM will never see any differences, since the global catalog holds a partial copy of every object in the forest. So there are no phantoms and no work for the infrastructure master to do.

    In this case, the infrastructure master may be put on any domain controller in that domain. In practical terms, most administrators host the global catalog on every domain controller in the forest.

    When do you require a Global Catalog?

    There are times when you need the Global Catalog role available, not just the Domain Controller role.

    The following events require a global catalog server:
    • Forest-wide searches. The global catalog provides a resource for searching an AD DS forest. Forest-wide searches are identified by the LDAP port that they use. If the search query uses port 3268, the query is sent to a global catalog server.
    • User logon. In a forest that has more than one domain (multidomain), two conditions require the global catalog during user authentication:
      • In a domain that operates at the Windows 2000 native domain functional level or higher, domain controllers must request universal group membership enumeration from a global catalog server.
      • When a user principal name (UPN) is used at logon and the forest has more than one domain, a global catalog server is required to resolve the name.
    • Universal Group Membership Caching: In a forest that has more than one domain, in sites that have domain users but no global catalog server, Universal Group Membership Caching can be used to enable caching of logon credentials so that the global catalog does not have to be contacted for subsequent user logons. This feature eliminates the need to retrieve universal group memberships across a WAN link from a global catalog server in a different site.
      Note: Universal groups are available only in a domain that operates at the Windows 2000 native domain functional level or higher.
    • Exchange Address Book lookups. Servers running Microsoft Exchange Server rely on access to the global catalog for address information. Users use global catalog servers to access the global address list (GAL).

    Thursday, September 1, 2011

    Active Directory Replication Terminology - Part II

    Automatic Site Coverage:
    To ensure that clients can locate a domain controller in the nearest available site, a domain controller advertises itself (registers a site-related SRV record in DNS) in any site that does not have a domain controller for that domain and for which its own site has the lowest-cost connection. This functionality is commonly known as "automatic site coverage."

    To disable automatic site coverage on a domain controller:

    1. Click Start, click Run, type regedit, and then click OK.
    2. Navigate to the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
    3. Click Edit, point to New, and then click DWORD Value.
    4. Type AutoSiteCoverage as the name of the new entry, and then press ENTER.
    5. Double-click the new AutoSiteCoverage registry entry.
    6. Under Value data, type 0 to disable automatic site coverage or type 1 to enable it.

    Automatic Site Link Bridge
    By default, all site links are bridged, or transitive. This allows any two sites that are not connected by an explicit site link to communicate directly, through a chain of intermediary site links and sites. One advantage to bridging all site links is that your network is easier to maintain because you do not need to create a site link to describe every possible path between pairs of sites.

    Bridge All Site Links
    This is the setting inside AD Sites and Services that enables or disables site link bridges. If you disable site link bridging and you are using File Replication Service (FRS) to replicate DFS replicas, which include the SYSVOL share, the DFS site-costing ability is also disabled.

    To turn off automatic site link bridging for KCC operation without hampering the ability of DFS to use Intersite Messaging to calculate the cost matrix, set the site option instead by running the command repadmin /siteoptions +W2K3_BRIDGES_REQUIRED. This option is applied to the NTDS Site Settings object (CN=NTDS Site Settings,CN=SiteName,CN=Sites,CN=Configuration,DC=ForestRootDomain). When this method is used to disable automatic site link bridging (as opposed to turning off Bridge all site links), the default Intersite Messaging options still allow the site-costing calculation to occur for DFS.

    Site Costed Referrals
    Defining the SiteCostedReferrals Registry value on the domain controllers will alter the DFS referrals so that all local domain controllers are listed first, randomly ordered, then the “next best” site’s domain controllers, and then all others. The “next best” logic is based on site link costs where the lower cost is preferred.

    Wednesday, August 31, 2011

    Active Directory Replication Terminology - Part I

    Following are some day-to-day Active Directory terms.

    > Bridgehead Servers
    A bridgehead is a point at which a connection leaves or enters a site.

    > ISTG (Intersite Topology Generator)
    The single KCC in a site that manages intersite connection objects for the site.

    > KCC (Knowledge Consistency Checker)
    The Knowledge Consistency Checker (KCC) is an Active Directory component that is responsible for the generation of the replication topology between domain controllers.

    So what is the relation between those three?

    The Knowledge Consistency Checker (KCC) runs as an application on every domain controller and communicates through the distributed Active Directory database. The KCC reads configuration data and reads and writes connection objects.
    One domain controller in each site is selected as the Intersite Topology Generator (ISTG). To enable replication across site links, the ISTG automatically designates one or more servers to perform site-to-site replication. These servers are called bridgehead servers.


    The ISTG creates a view of the replication topology for all sites, including existing connection objects between all domain controllers that are acting as bridgehead servers. The ISTG then creates inbound connection objects for those servers in its site that it determines will act as bridgehead servers and for which connection objects do not already exist. Thus, the scope of operation for the KCC is the local server only, and the scope of operation for the ISTG is a single site.

    For more information please see:
    http://technet.microsoft.com/en-us/library/cc755994(WS.10).aspx

    Monday, August 22, 2011

    How to lock Internet Explorer setting through GPO

    To lock changes in Proxy settings using GPO check the following GPO option:
    User configuration->Administrative Templates->Windows Components->Internet Explorer->"Disable changing proxy settings"

    Set the option "Disable changing proxy settings" to Enabled.

    Wednesday, August 17, 2011

    Useful command in managing Active Directory

    Here is a list of commands commonly used in day-to-day administration and troubleshooting of Active Directory:

    > To summarize the replication state and health of a forest:
    Repadmin /Replsum /BySrc /ByDst

    > To show the state of the last inbound replication for specified domain controller:
    Repadmin /Showreps
    Repadmin /Showrepl

    > To show the state of the last inbound and outbound replication (change notification) for specified domain controller:
    Repadmin /Showrepl /repsto

    > To display the replication queue list:
    Repadmin /queue
    > To display all the Domain Controller in the forest:
    Repadmin /Viewlist *
    > To display the Intersite Topology Generator (ISTG) server for specified site:
    Repadmin /ISTG
    > To display the Bridgeheads servers for specified site:
    Repadmin /Bridgeheads

    > To synchronize a specified domain controller with all of its replication partners:
    Repadmin /syncall (DC_name) /A /e

    > To list the names of the Domain Controllers in a domain:
    Nltest /dclist:(domainname)

    > To verify if we can locate a domain controller:
    Nltest /dsgetdc:(domainname)

    > To display the servers that hold FSMO role:
    Netdom query FSMO

    > To check the health of DNS settings:
    DCdiag /test:DNS

    > To query the tombstonelifetime setting in a forest:
    dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=contoso,dc=com" -scope base -attr tombstonelifetime


    Monday, August 8, 2011

    Site Costed Referrals

    Windows Server 2003 and above support finer control over how DFS referrals are returned for the SYSVOL and NETLOGON shares.

    By default, in Windows Server 2003 the DFS referral list will contain all local domain controllers of the client’s domain in the local site, randomly ordered, and then all other domain controllers in the domain randomly ordered.
    Defining the SiteCostedReferrals Registry value on the domain controllers will alter the DFS referrals so that all local domain controllers are listed first, randomly ordered, then the “next best” site’s domain controllers, and then all others. The “next best” logic is based on site link costs where the lower cost is preferred.
    Windows Server 2008 uses the SiteCostedReferrals behavior by default and does not require the Registry value to be set. Windows 2000 Server does not support this feature.
    The SiteCostedReferrals Registry value should be defined across all domain controllers in a domain to ensure consistent behavior. The DFS service must be restarted or the domain controllers rebooted for the change to take effect.
    This behavior is controlled via the following Registry value:
    HKLM\System\CurrentControlSet\Services\Dfs\Parameters
    Value: SiteCostedReferrals
    Type: REG_DWORD
    Data:
    • Windows 2003: default = Disabled; 0 = Disabled, 1 = Enabled
    • Windows 2008: default = Enabled; 0 = Disabled, 1 = Enabled

    Automatic Site Coverage

    For various reasons, it is possible that no domain controller exists for a particular domain at the local site.
    To ensure that clients can locate a domain controller in the nearest available site, domain controllers attempt to register their DNS service location (SRV) resource records. These resource records pertain to sites that contain no domain controller for the domain of which they are a member. This functionality is commonly known as "automatic site coverage."

    Automatic site coverage factors in the cost associated with the site links of a site without a domain controller. This cost helps determine which domain controller registers its SRV resource records for that site. The SRV resource records are registered by domain controllers from the site that has the lowest cost between its site link and the site that has no domain controller. This makes it possible for clients in the site without a domain controller to use the least expensive network connection to contact a domain controller in another site.

    Source:
    http://technet.microsoft.com/en-us/library/cc732322(WS.10).aspx
    http://technet.microsoft.com/en-us/library/cc978016.aspx

    Sunday, August 7, 2011

    How to Clean Up Lingering Object in Active Directory

    Quote from: http://blogs.technet.com//b/glennl/archive/2007/07/26/clean-that-active-directory-forest-of-lingering-objects.aspx

    Consider the following illustration that explains how the above methodology is the most efficient and thorough approach possible with repadmin /removelingeringobjects.
    DC1,2,3 all host a writable copy of domain A. DC5,6,7 host a read only copy of domain A.

    DC1 will be chosen as an initial target for this illustration. DC1 may be clean or dirty with respect to lingering objects.
    1) Clean a target DC.
      • Repadmin /removelingeringobjects
      • Repadmin /removelingeringobjects
    DC1 is now clean as compared to DC2,3.
    DC1 now becomes the source to be used to clean DC2,3.

    2) Clean remaining DCs using the target in 1) above as the source DC.
      • Repadmin /removelingeringobjects
      • Repadmin /removelingeringobjects   
    DC2,3 are now clean with respect to DC1. This approach makes DC1,2,3 consistent with each other.
    At this point any writable DC for domain A can be used as a source to clean the DCs hosting a read only copy of domain A. DC1 will be chosen as the source DC for cleaning the DCs hosting read only copies of domain A.

    3) Clean all DCs hosting a read only copy of domain A.
      • Repadmin /removelingeringobjects
      • Repadmin /removelingeringobjects
      • Repadmin /removelingeringobjects
    At this point all DCs hosting a read only copy of domain A are consistent with each other and are consistent* with the writable DCs for domain A.
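The sequence quoted above, driven by repadmin, as an added example that is not part of the quoted post or the original blog. DC names and the naming context are placeholders; the script assumes repadmin's documented syntax (repadmin /removelingeringobjects <DestDC> <SourceDC objectGUID> <NC> [/advisory_mode]) and runs in advisory mode until $advisory is changed, so nothing is removed before the Directory Service event log has been reviewed.

```powershell
# Added example, not part of the quoted post.
# Drive the three-step sequence above with repadmin, in advisory mode first so
# that nothing is deleted until the Directory Service event log has been read.
# ASSUMPTIONS: DC names and the naming context below are placeholders, and
# repadmin's documented syntax is
#   repadmin /removelingeringobjects <DestDC> <SourceDC objectGUID> <NC> [/advisory_mode]
$nc       = 'DC=domainA,DC=example'   # naming context of domain A (placeholder)
$target   = 'DC1'                     # initial target, may be clean or dirty
$writable = 'DC2', 'DC3'              # other writable DCs for domain A
$readOnly = 'DC5', 'DC6', 'DC7'       # DCs holding a read-only copy (GCs)
$advisory = $true                     # set to $false only after reviewing the log

# repadmin wants the source DSA's object GUID, not its host name. The first
# "DSA object GUID:" line of /showrepl is the queried DC's own GUID; later
# ones belong to its replication partners.
function Get-DsaGuid([string]$dc) {
    $line = repadmin /showrepl $dc | Select-String 'DSA object GUID:' | Select-Object -First 1
    if (-not $line) { throw "Could not read the DSA object GUID of $dc" }
    ($line.Line -split ':\s*', 2)[1].Trim()
}

function Invoke-Clean([string]$dest, [string]$source) {
    $cmdArgs = @('/removelingeringobjects', $dest, (Get-DsaGuid $source), $nc)
    if ($advisory) { $cmdArgs += '/advisory_mode' }
    Write-Host "repadmin $($cmdArgs -join ' ')"
    & repadmin @cmdArgs
    if ($LASTEXITCODE -ne 0) { Write-Warning "repadmin exited with $LASTEXITCODE for $dest (source $source)" }
}

# 1) Clean the target against each other writable DC. Only objects absent on
#    the source are removed, so comparing against every source matters.
foreach ($src in $writable) { Invoke-Clean $target $src }

# 2) The target is now the clean source for the remaining writable DCs.
foreach ($dest in $writable) { Invoke-Clean $dest $target }

# 3) Any writable DC is now a valid source for the read-only copies.
foreach ($dest in $readOnly) { Invoke-Clean $dest $target }
```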

    Cannot Publish Post to Blogger using Internet Explorer 9

    Description:
    You can edit/create your post in blogger.com, however you cannot click the publish post button. You are using Internet Explorer 9.

    Resolution:
    There are two options:
    • First, you can enable Compatibility View as a workaround. In Internet Explorer 9, go to Tools > Compatibility View Settings. Add blogger.com to the list. Click Close and restart IE 9. Open your post again and you should be able to publish it now. However, you may still encounter issues with font sizes, etc.
    • Second, change the setting on the Blogger site. Go to Settings > Select Post Editor > choose Updated Editor > click Save Settings. Open your post again and you should be able to create/edit/post to your blog again. You will also gain new editing features such as improved image handling and a new preview window.

    Wednesday, September 16, 2009

    Blank Live Communication Server (LCS) 2005 MMC Snap-In

    Description

    You have successfully installed Live Communication Server (LCS) 2005 or LCS 2005 with SP1. However, when you start the Live Communication Server Administration tool you get a blank page only.
    Nothing appears on the left-hand side of the MMC window. The account that you are using already has the correct permissions.

    Resolution

    Create a new MMC snap-in to manage the Live Communication Server 2005.

    > Click Start, click Run, type mmc, and then click OK.
    > In the Console1 MMC snap-in, click Add/Remove Snap-in on the File menu.
    > In the Add/remove Snap-in dialog box, click Add, click Live Communications Server 2005 in the Add Standalone Snap-in dialog box, click Add, click Close, and then click OK.
    > On the File menu, click Save As.
    > In the Save As dialog box, locate the %WINDIR%\System32 folder.
    > In the File name box, type wrtcsnap2.msc, and then click Save.
    > Click Yes when you are prompted to overwrite the existing wrtcsnap2.msc file.

    For details, please see http://support.microsoft.com/kb/926921

    Tuesday, September 1, 2009

    Email being blocked by att.net

    Description:

    Users are having issues when sending email to certain domains. In the undeliverable message you can see " is blocked. For information see http://att.net/blocks'>". You've checked with known blacklist providers and none of them have your IP listed.

    Resolution:

    To remove your IP from their list, go to their website http://att.net/blocks. Choose "Tools for administrators of mail systems whose messages have been blocked". Fill in your IP address, name, contact number, and the error message that you received, then click Submit. It may take a couple of days for them to remove your IP.

    Wednesday, July 29, 2009

    Email being blocked by 88.blackzap.net – Frontbridge

    Description:

    Users are having problems sending email to some domains. In the error message you can see “smtp; 550 Service unavailable; Client host [xxx.xxx.xxx.xxx] blocked using 88.blacklist.zap; Mail From IP Banned To request removal from this list please forward this message to delist@frontbridge.com>”. You’ve checked with known blacklist providers and none of them have your public IP listed.

    Resolution:

    The only way to get your public IP removed from their blacklist is by email. The list is proprietary and not open to the public. You need to send them an email asking for delisting and they will reply to you within one business day. This is the case if you get listed for the first time. If your IP gets listed again, the process is more difficult and takes much longer.

    Frontbridge is owned by Microsoft and is part of their Exchange Hosted Services. However, support seems to be available only during US working hours. Apart from that, there are some false positives that can cause legitimate email to be blocked.

    Monday, June 8, 2009

    Cannot start IPSEC service error. The system cannot find the file specified.

    Description:
    Suddenly you cannot log on to the domain from a server. You cannot ping it, even though the network card is connected to the network and functioning normally. You can ping the server from itself. No firewall blocks the connection. When looking through Event Viewer, you notice two errors were logged: Event ID 7023 and Event ID 4292 (IPSec driver has entered Block mode). Both are related to IPSEC. You check the IPSEC service and find that you cannot start it; you get the error “The system cannot find the file specified”.

    Resolution:
    The problem occurs when there is a corrupted file in the policy store. The file may become corrupted if an interruption occurs while the policy is being written to disk. Block mode (Event ID 4292) is the IPsec driver failing closed: because it could not load a policy, it discards all traffic that is not covered by the boot-time exemptions, which is why the server is unreachable while still able to ping itself. To solve it, go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local. Delete this subkey (if it exists). After that, rebuild the local policy store: click Start > Run and type regsvr32 polstore.dll. Try starting the IPSEC service again. The issue should be resolved now.

    Monday, May 18, 2009

    Event ID 9325 logged when running Exchange Offline Address Book (OAB) generator

    Description:
    You notice several Event ID 9325 entries being logged on your Exchange server. Everything else seems to run normally. The error message shows something like “OALGen will skip user entry person name in address list '\Global Address List' because the SMTP address is invalid”.

    Resolution:
    Using the Adsiedit.msc console, go to the SMTP proxy address attribute and the proxyAddresses attribute. Check the values and correct or remove any invalid SMTP address. You can refer to Microsoft KB 926206 (http://support.microsoft.com/?id=926206) for details on how to resolve these errors.

    Event ID 9321 logged when running Exchange Offline Address Book (OAB) generator

    Description:
    You notice several Event ID 9321 entries being logged on your Exchange server. Everything else seems to run normally. The error message shows something like “OALGen could not generate full details for entry person name in address list '\Global Address List' because the total size of the details information is greater than 64 kilobytes.”

    Resolution:
    The most common cause for this is a large number of certificates published for the user, causing their details to be over the 64kb limitation for the details in the OAB. There is no way to increase this limit, so the solution is to remove any unneeded certificates from the users so that we get the details under 64kb.
    To clean out the certificates:
    - In ADUC, make sure View, Advanced Features is checked.
    - Go to the properties of the user.
    - Published Certificates tab.
    - Remove any unneeded/expired certificates.

    Exchange Server - Cannot Generate Offline Address Book (OAB) error 8004010e

    Description:
    The Exchange server cannot generate the offline address book. Newly created email addresses do not appear in the Global Address List. In Event Viewer you see errors logged with Event IDs 9338, 9330, and 9126. You have tried moving OAB generation to another server, but the same error occurs.

    Resolution:
    The most common reason for failure to generate the OAB with error 8004010e is a mangled attribute in Active Directory.
    Use Nspitool.exe to identify which user has the mangled attribute.

    1. Save and unzip the attachment to your Exchange server.
    2. Click Start, click Run, type in cmd and click Ok.
    3. Navigate to the directory where you saved nspitool.exe and run the following command: nspitool -WalkAddressList >c:\nspioutput.txt
    You should see something like “QueryRows failed 0x8004010e on entry personname, WalkAddressList ended with 0x8004010e” on the output text.
    Next step is to use adsiedit.msc to connect to GC partition to check the attribute value. Go to the user properties and check the manager attribute value. Is it the same with the Active Directory User and Computer (ADUC) version? If not, change the value at ADUC to something else, wait for the replication to occur, and change it back to the correct value.

    The attribute value shown through ADUC and through adsiedit.msc should have the same result.
    Run the nspitool.exe again and do the necessary fix until there’s no “queryrows” error anymore.

    Tuesday, May 12, 2009

    Checklists when promoting a Windows Domain Controller

    Here are some of the things that you must configure when promoting a domain controller in a forest with a multi-site, multi-domain topology.

    If this is a new Domain Controller at new site: 

    a. At Active Directory Sites and Services, create a new site. 

    b. Create a new subnet and link it to the newly created site. 

    c. Configure the IP site link for Active Directory replication. 

    · Promote the Windows Server to become Domain Controller. 

    · Configure the Domain Controller to become a DNS server – Active Directory Integrated (Domaindnszones). 

    · Configure the Domain Controller to become a Global Catalog server. 

    · Configure DNS Forwarders. 

    · Configure the Domain Controller to be the Authoritative Name Servers in the domain. 

    · Enable Strict Replication Consistency. (more) 

    · Disable Windows Scalable Networking Pack Components. (more) 

    · Change Windows Time Service MaxNegPhaseCorrection and MaxPosPhaseCorrection value to 48 hours. (more)

    How to disable Windows Scalable Networking Pack Components

    Description
    Scalable Networking Pack (SNP) is enabled by default as part of installing Windows Server 2003 Service Pack 2. SNP can be used, under specific circumstances, to improve network performance. Most environments, however, do not have SNP-capable network adapters/drivers. This can result in unexpected network problems, which is why it is recommended to disable SNP unless a server can benefit from it. For domain controllers, it is recommended to disable this feature.

    Resolution
    To disable SNP, modify these registry values:
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Value: EnableTCPChimney
    Value: EnableRSS
    Value: EnableTCPA
    Data: 0 or 1
    Each component can be individually enabled or disabled. Set the value to "0" to disable it.

    Windows Time Service time correction setting

    Description
    The Windows Time service in Windows 2000 and 2003 by default allows a positive or negative time correction of any amount on domain controllers. This can cause serious problems in a forest should a dramatic time shift occur. It can happen even when synchronizing with otherwise authoritative sources, because hardware problems, software problems or human error can cause them to provide the wrong time. Problems that can result from a dramatic time change include: Windows Server 2003 based domain controllers may be quarantined; deleted objects may be purged before the deletion has fully replicated end to end (causing lingering objects); user and computer passwords may expire unexpectedly; and trust passwords may fall out of sync.

    Resolution
    Modify the default data of the following registry values.
    The registry keys are different depending on the operating system version.
    Windows 2003/2008
    Path: HKLM\System\CurrentControlSet\Services\W32Time\Config
    Value: MaxNegPhaseCorrection
    Default data: 0xFFFFFFFF (4,294,967,295)
    (Note: there is an accompanying MaxPosPhaseCorrection value to control positive time changes.)
    Windows 2000
    Path: HKLM\System\CurrentControlSet\Services\W32Time\Parameters
    Value: MaxAllowedClockErrInSecs
    Default data: 0xFFFFFFFF (4,294,967,295)
    (Note: Windows 2000 has a single value to control both positive and negative time changes.)
    Change them to a positive/negative value of 48 hours (0x2A300 or 172,800 seconds).
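As an added example (not from the original posts), this read-only PowerShell audits a domain controller against the registry items of the checklist above (SNP components, the 48-hour time-correction cap, site-costed referrals) and reports any deviation. It assumes it runs elevated on the DC; the value name for strict replication consistency is the documented NTDS setting, which the checklist links to but does not spell out.

```powershell
# Added example, not part of the original post.
# Read-only audit of a DC against the registry items in the checklist above
# (SNP off, 48-hour time-correction cap, strict replication consistency,
# site-costed referrals). It reports deviations and changes nothing.
# ASSUMPTION: run elevated on the domain controller; PowerShell 2.0 is enough.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$w32   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$ntds  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dfs   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dfs\Parameters'

$checks = @(
    @{ Path = $tcpip; Name = 'EnableTCPChimney';      Expect = 0 },
    @{ Path = $tcpip; Name = 'EnableRSS';             Expect = 0 },
    @{ Path = $tcpip; Name = 'EnableTCPA';            Expect = 0 },
    # 0x2A300 = 172,800 seconds = 48 hours, in both directions
    @{ Path = $w32;   Name = 'MaxNegPhaseCorrection'; Expect = 172800 },
    @{ Path = $w32;   Name = 'MaxPosPhaseCorrection'; Expect = 172800 },
    # Documented NTDS value name for strict replication consistency (the
    # checklist links to it but does not spell it out).
    @{ Path = $ntds;  Name = 'Strict Replication Consistency'; Expect = 1 }
)
# Windows Server 2008 (NT 6.x) site-costs referrals by default; the value is
# only required on Windows Server 2003 (NT 5.x).
if ([Environment]::OSVersion.Version.Major -lt 6) {
    $checks += @{ Path = $dfs; Name = 'SiteCostedReferrals'; Expect = 1 }
}

function Get-RegValueOrNull([string]$path, [string]$name) {
    try   { (Get-ItemProperty -Path $path -Name $name -ErrorAction Stop).$name }
    catch { $null }   # missing key or value = "not configured"
}

$report = foreach ($c in $checks) {
    $actual = Get-RegValueOrNull $c.Path $c.Name
    if ($null -eq $actual) { $shown = '<not set>' } else { $shown = $actual }
    if ($actual -eq $c.Expect) { $status = 'OK' } else { $status = 'DEVIATES' }
    New-Object PSObject -Property @{
        Setting  = $c.Name
        Expected = $c.Expect
        Actual   = $shown
        Status   = $status
    }
}
$report | Select-Object Setting, Expected, Actual, Status | Format-Table -AutoSize

# Non-zero exit so the audit can fail a build step or a scheduled check
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```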

    Monday, May 4, 2009

    Could not start DHCP Client Services

    Description:
    One day you discover that the DHCP Client service on some of your servers cannot be started. It gives you an “access is denied” error message. The DHCP Client service already uses the Network Service account to log on. You suspect that one of the recent Windows patches caused the issue.

    Resolution:
    The Network Service account requires permission to open the ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters’ registry key for the DHCP Client service to start. Some updates can remove the Network Service permissions on this registry key. Check and re-add them if necessary.

    1) Open Regedit.
    2) Navigate to ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp' and click on Parameters.
    3) Click on Edit menu then go to Permissions.
    4) In the 'Permissions for Parameters' window, click on Add.
    5) In the 'Select Users, Computers and Groups' window, type in "Network Service" (without the quotes) and click 'Check Names'. You may need to change the Location to "System".
    6) Click OK.

    7) In the 'Permissions for Parameters' window, highlight the Network Service group and give it Full Control and Read permission by selecting the check boxes.
    8) Click OK
    Try starting the DHCP client service again.

    Cannot Upgrade from Windows 2003 Service Pack 1 to Windows 2003 Service Pack 2

    Description:
    You are having an issue when trying to upgrade your Windows 2003 Service Pack 1 server to Windows 2003 Service Pack 2. The upgrade process runs for a while and then stops in the middle because of a WMI error. You cannot do the upgrade from Add/Remove Programs either.

    Resolution:
    The issue is caused by corrupt files inside %windir%\system32\wbem\repository. The files in this folder are the WMI database; if they are corrupt, the WMI service will not work correctly. Delete the files in the folder %windir%\system32\wbem\repository. After the WMI service is restarted, the files in this folder are rebuilt.
    Below is a script that does this automatically (it renames the folder to repository.old rather than deleting it, so the old files can still be restored):
    ################
    rem Stop WMI and keep it from restarting while the repository is moved aside
    sc config winmgmt start= disabled
    net stop winmgmt /y
    rem Move the (possibly corrupt) repository out of the way instead of deleting it
    %systemdrive%
    cd %windir%\system32\wbem
    if exist repository.old rmdir /s/q repository.old
    rename repository repository.old
    rem Re-register the WMI provider DLLs and executables
    for /f %%s in ('dir /b /s %windir%\system32\wbem\*.dll') do regsvr32 /s %%s
    regsvr32 /s %windir%\system32\tscfgwmi.dll
    wmiprvse /regserver
    winmgmt /regserver
    rem Restart WMI; an empty repository is rebuilt on first start
    sc config winmgmt start= auto
    net start winmgmt
    rem Recompile the MOF/MFL class definitions into the new repository
    for /f %%s in ('dir /b *.mof') do mofcomp %%s
    for /f %%s in ('dir /b *.mfl') do mofcomp %%s
    ################

    Invalid FSMO Role Owner for Application Partition

    Description:
    When running the ADRAP program, you find the following warning/error:
    The following application partition contains an invalid FSMO role owner:
    Partition: cn=infrastructure,dc=forestdnszones,dc=corp,dc=com
    FSMO:CN=NTDS Settings\0ADEL:97d…,CN=Server01\0ADEL:67…,CN=Servers,CN=SITEA,CN=Sites,CN=Configuration,DC=corp,DC=com

    Resolution:
    Use adsiedit.msc and reset the fSMORoleOwner attribute on the infrastructure master of your root domain. Use the value from Distinguished Name (DN) attribute of the corresponding application partition as the new value. You may need to use an account which has Enterprise Admin permission.

    Tuesday, April 28, 2009

    Exchange 2007 High Level Sample Design

    Design I:
    · Role separation
    · No redundancy

    Design II:
    · Local Continuous Replication (LCR)

    Design III:
    · Single Copy Cluster (SCC)

    Design IV:
    · Cluster Continuous Replication (CCR)

    Monday, April 27, 2009

    Group Policy for safe sender lists in Outlook 2007 does not work

    Description:
    You have set the Outlook 2007 safe sender list through a GPO; however, it is not being applied to users. You have checked that the GPO was applied successfully.

    Resolution:
    Change the safe sender list path to
    \\servername\sharefolder\filename. The %logonserver%\sharefolder syntax cannot be used.

    Proxy Exception at Internet Explorer does not work

    Description:
    You have set a proxy exception for IE through Group Policy (GPO). For some reason the setting will not apply to the user's computer. You verified that the GPO has the right setting and has no conflict with other GPOs. You also confirmed that the GPO was applied to the user's computer, but the computer's registry contains different data.

    Resolution:
    Check the content of the exception list. Make sure there is no invalid character or value. If an HTTP address in the Proxy Exception list contains more than two "/" characters, the IE Branding extension rejects the setting. Remove the extra "/" characters from the HTTP address in the proxy exception list.

    Exchange SMTP Internet Connector frequently down

    Description:
    You have an Exchange 2003 Front-End server configured to route emails to a third-party appliance acting as a smart host. One day the Exchange Internet connector frequently changes to the down state, causing mail to queue when sending to external addresses. There is no issue when the connector is configured to use DNS instead of the smart host to deliver email. You have checked for possible antivirus or SMTP protocol issues using Winroute and Regtrace, but everything looks OK.
    In the Netmon trace, you can see that Exchange did not receive an ACK for certain packets from the smart host and terminates the connection after some time.

    Resolution:
    Make sure that the network speed and duplex settings on the smart host match the port settings on the core switch. Setting them manually (rather than auto-negotiating) may be required to eliminate the issue.

    Monday, April 6, 2009

    Missing PTR Record in DNS

    Description:
    You create a PTR record on your Active Directory Integrated DNS server. After a while the PTR record suddenly goes missing. Your Active Directory and your DNS server are working fine, and replication between domain controllers is also working normally.

    Resolution:
    Make sure the "Register this connection's addresses in DNS" checkbox option is enabled; the server will then automatically register its PTR record with the DNS server.

    Wednesday, March 18, 2009

    Enable Strict Replication Consistency

    Description:
    Suppose a domain controller gets disconnected from the replication topology for an extended period and is later reconnected. You need to make sure that no outdated Active Directory objects can be replicated within the forest.

    Resolution:
    Use regedit and go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    Create a value named Strict Replication Consistency with the REG_DWORD data type and set it to 1.

    This setting ensures that no outdated objects are reintroduced into Active Directory Domain Services (AD DS).
    You need to set it on all of the domain controllers within the forest.
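    Because the value has to be present on every domain controller, the following PowerShell script is an added example (not from the original post) that reads the Strict Replication Consistency value from each DC in the forest through the remote registry and reports which ones are still not set to 1. It is read-only and assumes the Remote Registry service is reachable on the DCs and that the caller can read HKLM on them.

```powershell
# Added example (not from the original post): audit every DC in the forest for the
# Strict Replication Consistency registry value. Read-only.
# Assumes the Remote Registry service is running on the DCs and the caller has read
# access to HKLM on each of them.
$keyPath   = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Strict Replication Consistency'

$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$results = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        $state = 'unreachable'
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $dc.Name)
            $key  = $hklm.OpenSubKey($keyPath)
            # GetValue returns $null when the value has never been created
            $value = $key.GetValue($valueName)
            $state = if ($value -eq 1)          { 'strict' }
                     elseif ($null -eq $value)   { 'not set (OS default applies)' }
                     else                        { "loose ($value)" }
            $key.Close()
            $hklm.Close()
        } catch {
            $state = "unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Domain            = $domain.Name
            DomainController  = $dc.Name
            StrictReplication = $state
        }
    }
}

$results | Sort-Object Domain, DomainController | Format-Table -AutoSize

# DCs that still need the value set to 1 (or could not be checked)
$results | Where-Object { $_.StrictReplication -ne 'strict' }
```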

    Wednesday, March 11, 2009

    Error when burning CD

    Have you ever had an issue when trying to burn some files to a CD/DVD?
    In my case I got an "error writing Lead-In" when trying to burn some files using UltraISO on my IBM T42 CD ROM (HL-DT-ST RW/DVD GCC-4242N). I can use it to read any CD/DVD with no issue.
    I tried changing the burner software to Nero but got a similar error too. I tried lowering the burning speed with no luck.
    Previously I remember that I could burn a CD with that CD ROM; somehow it just stopped working.
    I tried to search for a driver update but could not find any. A firmware update may be available, but I think that's too much for the issue.
    Finally I tried cleaning the lens. I just wiped it with a clean tissue, tried to burn, and it worked.

    Tuesday, February 3, 2009

    AD Modify

    If you ever need to change an attribute for a lot of users in Active Directory, you might want to use the ADModify.NET tool. It is available for free.

    The following is an example LDAP filter for querying any user that has an empty mobile phone number field in Active Directory:

    (&(&(objectcategory=person)(objectclass=user))(!mobile=*))
