Jan 17 2011

MSExchange ActiveSync EventID 1053

In this article we will fix a problem we had with Exchange 2010 when synchronising mail on a mobile device using ActiveSync. When attempting the synchronisation we had the following error message (Source MSExchange ActiveSync, ID 1053) in the CAS server’s event log.

Exchange ActiveSync doesn’t have sufficient permissions to create the “CN=<user name>,OU=<OU Name>,DC=ldap389,DC=info” container under Active Directory user “Active Directory operation failed on <dc-name>.ldap389.info. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
“.
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type “msExchangeActiveSyncDevices” and doesn’t have any deny permissions that block such operations.

Read more »

Jan 10 2011

AD schema extension: Exchange 2010

In this post we will troubleshoot a problem you can encounter when you are extending the Active Directory schema for Exchange 2010. You can read this technet article for the steps to prepare the AD schema for Exchange 2010.

We encountered some problems when launching the command line “setup.com /PrepareAD /OrganizationName:<Organization Name>”. First an error occurred and the setup process exited; after fixing this we had a warning when running the command again.
Read more »

Jan 06 2011

Powershell: Edit GPO security settings

In order to edit GPO permissions with Powershell you can use the Set-GPPermissions CmdLet shipped with the RSAT (import-module grouppolicy). This Cmdlet does not have a replace permission option, nor does it let you set up a deny ACE on a GPO. In this post we will explain how to replace permissions on a GPO object thanks to the Security Descriptor Definition Language (SDDL). This language is used to edit permissions in string format on all kinds of objects (file system, registry, AD objects…). For a better understanding of SDDL and a tool that translates an SDDL string you can read this post.

When do you need to replace permissions on a GPO? When an “OU administrator” account which is a member of the “OU administrators” group creates a GPO (and links it to an OU of his site), he is the owner of this object: members of the “domain admins” group can edit this GPO, but members of the “OU administrators” group cannot. So you might want to edit your GPO’s security settings by replacing the “OU administrator” account which created the GPO with the group that includes all the “OU administrators”. In our example the domain has two sites, each one represented by an OU, and we have two types of GPOs: Read more »

Nov 19 2010

Powershell: AD replication

Repadmin monitors the replication in your Active Directory Forest; you can read this AskDS post about this tool. The command line “repadmin /replsum” helps you retrieve the global forest replication status. The data retrieved for a given Domain Controller is:

  • Largest Delta: the longest time since the DC last successfully replicated all the Naming Contexts with its replication partners.
  • Number of failed replications that occurred for all the Naming Contexts (aka Directory Partitions) with its replication partners.

The purpose of the powershell script is to analyse each DC’s inbound replication using the command line “repadmin /replsum /bydest”. If there are RODCs in your domain they do not show up if you use the /bysrc switch. You can read this post if you need to know more about running the repadmin /replsum command in a domain with RODCs.

If for a given DC the “largest delta” exceeds a given threshold (in minutes), or there are replication failures, we will read the msDS-ReplAllInboundNeighbors attribute on the RootDSE object. With that information we will retrieve which replication partners and “Naming Contexts” are having trouble replicating. You can retrieve the same type of information with the “repadmin /showrepl %dc_name% /csv” command line, but the data stored in the msDS-ReplAllInboundNeighbors attribute is in XML format, which is easy and convenient to manipulate with Powershell.

Read more »

Sep 17 2010

Powershell: Search setting in GPOs

In this article we will describe how to search for a GPO matching several settings with Powershell. In this post and this one Lindsay Harris describes how to achieve this by exporting GPO reports in XML format and parsing the output. The principal advantage of her method is that you can input very precise search criteria, but the disadvantage is that the script processing time can be very long because you need to export XML reports for every GPO in your domain. The method I will describe is more efficient in terms of script processing time, but your search criteria will be limited.

Read more »

Sep 06 2010

Domain Controller certificates: Kerberos Authentication template

When you install a Windows 2008 Certification Authority, a new domain controller certificate template named Kerberos Authentication is available. It replaces the Domain Controller Authentication template. If you need more information about the new certificate templates shipped with a Windows 2008 CA you can read this article.

Here is a table that outlines the specific attributes of the Domain Controller Authentication and Kerberos Authentication templates:

  Attribute               | Domain Controller Authentication | Kerberos Authentication
  ------------------------|----------------------------------|----------------------------------
  Key Usage               | Client Authentication            | Client Authentication
                          | Server Authentication            | Server Authentication
                          | Smart Card Logon                 | Smart Card Logon
                          |                                  | KDC Authentication
  Subject Alternate Name  | DNS Name: Domain Controller FQDN | DNS Name: Domain FQDN
                          |                                  | DNS Name: Domain NetBIOS name

Read more »

Aug 07 2010

GPO WMI filtering: KB2286198 workaround

You might already know that Windows 2000 and XP SP2 have not been supported by MS since 13 July 2010. As a consequence you cannot install new security patches released by MS on these platforms. A critical security vulnerability, MS10-46, is corrected by the KB2286198 patch which was released on 3 August. This patch applies at least to Windows XP SP3 (for workstation versions) and Windows 2003 SP2 (for server versions). The KB article explains a workaround for the vulnerability: you need to edit two registry keys and disable a service.

You can apply this workaround on earlier versions of Windows if not all your computers are up to date. The disadvantage of this method is that icon images will disappear on some of your *.lnk files. So my advice is to upgrade your computers as soon as possible to a version which is supported by MS and apply the official security patch. Use the workaround only as a last resort. The purpose of this post is to show you how to deploy this workaround with a GPO and play with WMI filtering. The Group Policy Center already wrote an article on how to deploy this workaround with a GPO. We will just show you in this post how to target more precisely the computers which need the workaround by using WMI filters. We will achieve this under Windows 2008 by using Group Policy Preferences and activate the GPO workaround on the computers which do not have the KB2286198 security patch installed. And we will show you how to achieve the same thing under AD 2003, without using Group Policy Preferences.
Read more »

Aug 05 2010

Powershell: restore AD object with group membership

The purpose of this article is to show how to restore deleted objects with their group membership using Powershell. In order to achieve this you will need to set up a lag site in your domain. If your domain functional level is Windows 2008R2 and you have turned on the recycle bin, you can simply restore an object with its group membership using Microsoft Powershell 2.0 Cmdlets without any lag site.

The method we will describe to achieve practically the same result works on Windows Server 2003 and later versions. We will restore objects from the Tombstone using Quest AD Cmdlets; your administration console should be running at least Windows XP, and you do not need to install the RSAT (which runs on Windows 7 and Windows Server 2008). You might have noticed on the latest AD news sidebar that QAD Cmdlets version 1.4 was released a few days ago. The disadvantage of the method described is that it might not be supported by MS; for best practices regarding the restore of deleted objects you can read this KB article. You will also need to modify your Active Directory schema. Use this method if a few accounts are deleted; if you have deleted an entire OU, use a proper authoritative restore. The advantage of using the powershell script is that the restore process is really quick.

Read more »

Jul 26 2010

GPMC hangs connected to one domain controller

I will describe in this post an incident we had in our production environment and the different troubleshooting steps taken to resolve this issue. When we launched the GPMC, the console froze when we clicked on an OU in order to display the Policy Objects linked to it. The problem occurred only when the GPMC was connected to a particular Domain Controller (the PDC emulator in our case); if we switched to another DC the GPMC was OK.

There was no problem with GPOs in our domain: replication was OK and GPOs were applied correctly on our computer/user objects. But we could no longer edit GPOs while connected to this DC. While the GPMC was hanging there was an lsass.exe CPU overload on the DC until the console was killed. Therefore we had to edit GPOs connected to another DC, so the production environment was working near normal during the resolution of the incident.

Read more »

Jul 05 2010

Sidebar add-on: Latest AD news

A new category has been added to the blog sidebar called “Latest AD news”. This add-on gives you access to all the latest posts I have found on the web that are relevant and related to Active Directory. You will notice the release of GPS a few days ago, this application is a search engine dedicated to GPOs. Input a keyword and it gives you the right parameters to edit under your GPMC. For more information about this tool, read this AskDS post.
