19 September 2014

How to enable strict replication consistency in AD


I know it's one from the past, but today I just couldn't find the instructions quickly enough. So I decided to write the instructions on my own and post them.

There are a few ways (links are at the bottom of this page) to enable strict replication consistency in AD, but this one keeps the setting in place permanently, on the DCs you have today and on the ones you promote later :)

How can we do that, you're thinking? By using Group Policy (GPO), of course :)

And how do we do that? Well, here you have it.

Step 01: Open the Group Policy Management console

Step 02: Create a new Group Policy Object linked to the Domain Controllers OU

Step 03: Give the new Group Policy a name (for example EnableStrictReplicationConsistency)

Step 04: Edit the new Group Policy

Step 05: Browse to Computer Configuration - Preferences - Windows Settings, right-click Registry and select New - Registry Item

Step 06: Set Hive to HKEY_LOCAL_MACHINE, under Key Path browse to SYSTEM\CurrentControlSet\Services\NTDS\Parameters (the full path is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters; CurrentControlSet is one word, without spaces) and click Select

Step 07: Leave Action set to Update (it creates the value if it is missing and corrects it if someone changed it). Under Value Name type "Strict Replication Consistency", under Value Type select REG_DWORD and under Value Data enter 1 (with Base set to Decimal). Confirm the new settings by clicking OK

Step 08: Stop editing the new Group Policy by closing the Group Policy Management Editor window

Step 09: Force a policy refresh by running "gpupdate /force" in an elevated Command Prompt. The GPO is linked to the Domain Controllers OU, so run it on each domain controller (or wait for the DCs' own background refresh, which is every 5 minutes by default), not on your workstation

Step 10: Open the Registry Editor and check that the new registry value (Strict Replication Consistency) was created under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters with data 1.

So from now on all of your DCs will have the strict replication consistency setting enabled :) With the value set to 1, a DC that receives an update for an object it has already deleted and garbage-collected (a lingering object) logs Event ID 1988 and stops inbound replication of that partition from the offending partner until the lingering objects are removed, instead of silently reanimating them; the links below cover the clean-up.
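As an added example (not part of the original post), here is Step 10 done for every domain controller in the forest from one console instead of opening regedit on each DC. It assumes the RSAT ActiveDirectory module and WinRM access to the DCs; nothing else is assumed.

```powershell
# Added example: verify "Strict Replication Consistency" on every DC in the forest.
# Assumes the RSAT ActiveDirectory module and WinRM (Invoke-Command) access to the DCs.
Import-Module ActiveDirectory

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'Strict Replication Consistency'

# Every domain controller in every domain of the forest
$dcs = (Get-ADForest).Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_
}

# Read the value remotely; a missing value is reported as Present = $false
$report = Invoke-Command -ComputerName $dcs.HostName -ScriptBlock {
    param($Path, $Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Present = ($null -ne $item)
        Value   = if ($null -eq $item) { $null } else { $item.$Name }
    }
} -ArgumentList $KeyPath, $ValueName

$report | Select-Object PSComputerName, Present, Value |
    Sort-Object PSComputerName | Format-Table -AutoSize

# Anything other than 1 means the GPO has not applied (yet) on that DC.
$bad = $report | Where-Object { $_.Value -ne 1 }
if ($bad) {
    Write-Warning ("Strict replication consistency is NOT enabled on: " +
        ($bad.PSComputerName -join ', '))
}

# One-shot alternative for the DCs that exist right now is Microsoft's own
#   repadmin /regkey * +strict
# The GPO above is what keeps the value in place afterwards.
```

Run it once after the GPO refresh and again whenever a new DC is promoted; a DC that shows Present = $false is usually one that sits outside the Domain Controllers OU or has not refreshed policy yet.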

A few links to help you understand and configure this setting:
- Enable Strict Replication Consistency
- AD DS: Strict replication consistency should be enabled on all domain controllers in this forest
- Event ID 1388 or 1988: A lingering object is detected
- Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)

This is it for today and have fun! 

05 April 2013

DirectAccess asking for proxy credentials

I just love DirectAccess. It enables me to connect to my company network from any location and any internet provider.

But lately, since I started using Windows 8, I have encountered a problem. If there were no problem I wouldn't be writing this, would I ;)

The problem is related to proxy servers. Whenever I go to a place where I need to enter a proxy server to get access to the internet, and later remove this proxy, the DirectAccess client starts to prompt me to enter proxy credentials!? The final result of this problem is that I can't connect to my company's network using DirectAccess.

So I started digging and found this workaround. I tested it on my notebook and it worked. I cannot guarantee that this solution is universal and that it will work for everyone. I also can't guarantee that by doing this we don't "break" something else. This is my finding; I don't say it's the correct one, but it makes my DirectAccess work again.

I found the registry key under which the few latest proxy addresses are stored:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\ProxyMgr

And now my solution:
- Export the registry key ProxyMgr in case we need it later (link: How to export registry key).
- Remove (delete) all registry keys under the ProxyMgr key (see the picture below).
- All I needed to do next was restart the computer, and my DirectAccess started working again.
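The same workaround, scripted, as an added example that is not the author's code: it takes the backup first and refuses to touch the registry if the export fails, and it deletes only the subkeys under ProxyMgr, not ProxyMgr itself. It assumes an elevated PowerShell prompt on the affected client; the backup file name is my choice.

```powershell
# Added example: back up and clear the cached proxy entries under ProxyMgr.
# Run from an elevated PowerShell prompt on the DirectAccess client.
$RegPath = 'HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\ProxyMgr'   # reg.exe form
$PsPath  = "HKLM:\$($RegPath.Substring(5))"                                        # provider form
$Backup  = Join-Path $env:USERPROFILE ("ProxyMgr-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

# 1. Export the whole key first; restore later with:  reg import <file>
reg.exe export $RegPath $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $RegPath failed, not touching the registry" }
"Backup written to $Backup"

# 2. List, then delete, the child keys only (ProxyMgr itself stays)
$children = @(Get-ChildItem -Path $PsPath)
if ($children.Count -eq 0) {
    "Nothing cached under ProxyMgr, nothing to delete"
} else {
    "Deleting {0} cached proxy entries:" -f $children.Count
    $children | Select-Object -ExpandProperty PSChildName
    $children | Remove-Item -Recurse -Force
}

# 3. Reboot so iphlpsvc (IP Helper, which hosts the DirectAccess client side) starts clean
Restart-Computer -Confirm
```

If the prompts come back, the exported .reg file is what you compare against to see which entry the client picked up again.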

This is it for today and have fun!

24 January 2013

Internal URLs instead of IE searches

A day or two ago I tried to reach our company's internal website using its short name in Internet Explorer 10 and was constantly diverted to my favorite search engine site.

By short name I mean that I entered InternalWebSiteName (without http:// in front of it) in the address bar, as shown in the example below.

After entering InternalWebSiteName I hit Enter and was always diverted to my favorite search engine's search results :(

Now here are two tips on how to avoid this and reach internal websites by their short names. Quick and easy :) Besides being annoying, every such attempt ships the name of an internal host to an external search engine, which is one more reason to fix it.

Tip 1:
Enable the setting in IE. It is hidden under:
IE \ Tools \ Internet Options \ Advanced.
Enable 'Go to an intranet site for a single word entry in the Address bar'.

Tip 2:
Just type a forward slash '/' after the InternalWebSiteName. That tells IE to treat it as a URL rather than as a search term.

That's it for today, and it's so easy.

Have fun!

12 October 2012

Active Directory Delegation

It's been a while since my last post, and now it's time to add a new one :)

Today I was at a customer with the task of delegating some Active Directory permissions to Help Desk users.

My task was to create a "script" to:
- Delegate unlocking of user accounts.
- Delegate resetting of user account passwords.
- Delegate moving computer accounts from the default container to a designated OU.
- Delegate adding or removing users to or from security or distribution groups.
- Delegate changing some user object attributes (telephone number, mobile phone number, office, department, ...).

Of course you can do all of this with the GUI, but we're a bit lazy, we don't want to click a lot, and most importantly we want to look smart, so we use the command line. (The serious reason: a command line is repeatable across customers and OUs, and what you ran can be reviewed later.)

If you still decide to use the GUI, you'll probably need to edit DSSEC.DAT in %SystemRoot%\System32 (in the [user] section set pwdLastSet=0) so that the Delegation of Control wizard displays that attribute.

For this task I used dsacls.exe, and here you can find more about it.

We also used a two-security-group approach: resource security groups (Change password, Unlock user account, ...) that carry the permissions, and a user security group (Help Desk) that holds the people. At the end we added the user security group to all the resource security groups. With this, members of the user security group are able to do all the necessary user and computer management tasks, and a task can be taken away from them again by removing one group membership instead of editing ACLs.

So let's get to business :)

To delegate password reset and unlock of user accounts, use these command lines (the first one needs quotes because the extended right "Reset Password" contains a space; without them the shell splits the argument and dsacls fails):
dsacls ou=ou_name,dc=domain,dc=com /i:s /g "domain\SecGroupName:ca;reset password;user"
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;pwdlastset;user
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;lockouttime;user

Explanation:
"ou=ou_name,dc=domain,dc=com" is the OU where the users are located
"domain\SecGroupName" is the resource security group to which we delegate permissions
"/i:s" applies the ACE to sub-objects only, and the trailing ";user" limits it to user objects, so nothing else under the OU picks it up. Write access to pwdLastSet is what lets the help desk tick "User must change password at next logon"; write access to lockoutTime is what unlocks an account.

To delegate adding/removing group members, use this command line:
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;member;group

Explanation:
"ou=ou_name,dc=domain,dc=com" is the OU where the groups are located
"domain\SecGroupName" is the resource security group to which we delegate permissions
Check what lives under that OU before you run it: with write access to member on every group below it, the help desk can put any account (their own included) into any of those groups, so privileged groups must not be in scope. Members of the protected groups (Domain Admins and the like) are covered by AdminSDHolder anyway: SDProp rewrites their ACLs, so a delegation on the OU will not stick to them, which is the intended behaviour.

To delegate moving computers between OUs, use these command lines:
dsacls ou=ou_name,dc=domain,dc=com /i:t /g domain\SecGroupName:cc;computer;
dsacls cn=computers,dc=domain,dc=com /g domain\SecGroupName:dc;computer;
dsacls cn=computers,dc=domain,dc=com /i:s /g domain\SecGroupName:wp;;computer

Explanation:
"ou=ou_name,dc=domain,dc=com" is the OU to which you want to move computers (it gets Create Child for computer objects)
"cn=computers,dc=domain,dc=com" is the default Computers container from which you want to move computers (it gets Delete Child for computer objects)
"domain\SecGroupName" is the resource security group to which we delegate permissions
The third line grants write to all properties of every computer object under the container, which is more than a move needs: what a move actually writes is the object's name and cn (RDN) attributes, so wp;name;computer and wp;cn;computer are the least-privilege replacements for wp;;computer. CN=Computers is a container rather than an OU, so no Group Policy can be linked to it, which is usually why the computers are being moved out of it in the first place.

To delegate changing user attributes, use these command lines (one per attribute; add or drop lines to match the attributes the help desk really maintains):
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;telephonenumber;user
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;company;user
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;mobile;user
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;physicaldeliveryofficename;user
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;roomnumber;user

Explanation:
"ou=ou_name,dc=domain,dc=com" is the OU where the users are located
"domain\SecGroupName" is the resource security group to which we delegate permissions

There are at least two approaches that can be used in larger environments instead of typing the command lines above one by one. The first is to use Excel (CONCATENATE) to generate them, and the second is to use batch scripts like the sample below.

In this sample we'll delegate add/remove group membership with a batch script.

1. Create Delegate-AdRights.bat
2. Edit Delegate-AdRights.bat and copy paste code below into it.
dsacls %1 /i:s /g %2:rpwp;member;group
3. Run batch file in command prompt with additional variables as shown below
Delegate-AdRights.bat ou=ou_name,dc=domain,dc=com domain\SecGroupName

Explanation:
"ou=ou_name,dc=domain,dc=com" is the OU where the groups are located
"domain\SecGroupName" is the resource security group to which we delegate permissions

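As an added example (not from the original post), the same delegations driven from one table in PowerShell, followed by what the batch file cannot give you: reading back the ACEs dsacls wrote and resolving their GUIDs to attribute and extended-right names, so the result can be reviewed before the Help Desk group is added to the resource group. It assumes the RSAT ActiveDirectory module; the OU distinguished names and the group name are placeholders to replace.

```powershell
# Added example: apply help-desk delegations with dsacls and audit the result.
# Assumes the RSAT ActiveDirectory module (for Get-ADObject and the AD: drive).
Import-Module ActiveDirectory

$UserOU  = 'OU=Users,DC=domain,DC=com'    # placeholder: OU holding the user objects
$GroupOU = 'OU=Groups,DC=domain,DC=com'   # placeholder: OU holding the group objects
$Grantee = 'DOMAIN\HelpDesk-Resource'     # placeholder: resource security group

# One row per ACE, in the order dsacls /G expects: rights;object or attribute;inherited class
$Delegations = @(
    @{ Target = $UserOU;  Rights = 'CA';   Object = 'Reset Password';  Class = 'user'  }
    @{ Target = $UserOU;  Rights = 'RPWP'; Object = 'pwdLastSet';      Class = 'user'  }
    @{ Target = $UserOU;  Rights = 'RPWP'; Object = 'lockoutTime';     Class = 'user'  }
    @{ Target = $UserOU;  Rights = 'RPWP'; Object = 'telephoneNumber'; Class = 'user'  }
    @{ Target = $GroupOU; Rights = 'RPWP'; Object = 'member';          Class = 'group' }
)

foreach ($d in $Delegations) {
    # "Reset Password" contains a space; building the spec as one string makes
    # PowerShell pass it to dsacls.exe as one quoted argument.
    $spec = '{0}:{1};{2};{3}' -f $Grantee, $d.Rights, $d.Object, $d.Class
    & dsacls.exe $d.Target /I:S /G $spec | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$spec' on $($d.Target)" }
}

# Map schemaIDGUID (attributes and classes) and rightsGuid (extended rights) to names
$rootDse = Get-ADRootDSE
$guidMap = @{}
$schema = Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID
foreach ($o in $schema) { $guidMap[[guid]$o.schemaIDGUID] = $o.lDAPDisplayName }
$rights = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid
foreach ($o in $rights) { $guidMap[[guid]$o.rightsGuid] = $o.displayName }

function Get-DelegatedAce {
    # Explicit (non-inherited) ACEs on one object for one trustee, decoded to names
    param([string]$DistinguishedName, [string]$Trustee)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -eq $Trustee -and -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                Type      = $_.AccessControlType
                Rights    = $_.ActiveDirectoryRights
                Object    = if ($_.ObjectType -eq [guid]::Empty) { '<all>' } else { $guidMap[$_.ObjectType] }
                AppliesTo = if ($_.InheritedObjectType -eq [guid]::Empty) { '<all classes>' } else { $guidMap[$_.InheritedObjectType] }
            }
        }
}

Get-DelegatedAce -DistinguishedName $UserOU  -Trustee $Grantee | Format-Table -AutoSize
Get-DelegatedAce -DistinguishedName $GroupOU -Trustee $Grantee | Format-Table -AutoSize

# Least-privilege check: WriteProperty on <all> attributes is broader than
# anything in the table above (the wp;;computer line in the post would show up here).
$wp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$broad = $UserOU, $GroupOU | ForEach-Object { Get-DelegatedAce $_ $Grantee } |
    Where-Object { $_.Object -eq '<all>' -and $_.Rights.HasFlag($wp) }
if ($broad) { Write-Warning "Found WriteProperty on all attributes for $Grantee; review before use" }
```

The decoded table is also what you hand to the customer as the record of what was delegated; dsacls output alone lists the same rights, but the GUID-to-name map makes the AD: drive view readable when you come back to audit the OU later.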
This is it for today. Have fun!

19 April 2012

Extending a Windows Volume

Extending a volume on a virtualized Windows server is so easy these days. You just go to your virtual host server and extend the virtual disk. After this is done, log in to your Windows server, open Disk Management, then right-click Disk Management and select Refresh.


After this you'll see some unallocated space.


Now right-click the volume you want to extend (the one directly in front of the unallocated space) and select Extend Volume...


The Extend Volume Wizard opens, and by clicking Next you arrive at the part where you specify by how much to extend the selected volume. In my case I'll use all the available space.


Click Next and Finish. After this your volume will be extended, and you'll have additional space on your server to use :)


But it's not always that easy. Sometimes you'll get the error: "The parameter is incorrect."

After that, Disk Management shows the new, larger size for the volume, but the volume's properties still show the old one: the partition was extended, the NTFS file system inside it was not.

The solution for this problem is simple. Open a Command Prompt (CMD) as Administrator, type DISKPART and then:

diskpart
list volume
select volume # (# is the number of the volume in the 'list volume' output)
extend filesystem
exit


All good, and now you can recheck the disk properties just in case.


Disk properties also show that disk was successfully extended :)
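As an added example (not from the original post), the same repair scripted: it measures the gap between the partition size and the file system size, which is exactly the state "The parameter is incorrect" leaves behind, runs diskpart's extend filesystem only when that gap is real, and then does the wizard's job with Resize-Partition. It assumes the Storage module (Windows 8 / Server 2012 or later) and an elevated prompt; $DriveLetter is a placeholder.

```powershell
# Added example: detect and repair a file system smaller than its partition,
# then extend the partition into unallocated space. Assumes the Storage module
# (Windows 8 / Server 2012 or later) and an elevated PowerShell prompt.
$DriveLetter = 'D'   # placeholder

function Get-FileSystemGap {
    # Bytes by which the partition is larger than the file system it holds.
    # A healthy NTFS volume is only a few MB smaller than its partition.
    param([string]$Letter)
    $part = Get-Partition -DriveLetter $Letter
    $vol  = Get-Volume    -DriveLetter $Letter
    return ($part.Size - $vol.Size)
}

$gap = Get-FileSystemGap -Letter $DriveLetter
if ($gap -gt 64MB) {
    "File system is {0:N0} MB smaller than its partition, extending it" -f ($gap / 1MB)
    # diskpart reads commands from stdin; 'select volume' accepts a drive letter
@"
select volume $DriveLetter
extend filesystem
"@ | diskpart.exe
} else {
    "File system already fills the partition"
}

# The wizard part: grow the partition to the largest size the disk allows
$max = (Get-PartitionSupportedSize -DriveLetter $DriveLetter).SizeMax
$cur = (Get-Partition -DriveLetter $DriveLetter).Size
if (($max - $cur) -gt 1MB) {
    Resize-Partition -DriveLetter $DriveLetter -Size $max
    "Partition extended to {0:N0} MB" -f ($max / 1MB)
}

# Re-check: after Resize-Partition the gap should again be near zero
"Remaining gap: {0:N0} MB" -f ((Get-FileSystemGap -Letter $DriveLetter) / 1MB)
```

The 64 MB threshold is deliberately generous: NTFS keeps a small reserve at the end of the partition, and a gap of a few MB is normal, not the error state.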

Few useful links:
http://support.microsoft.com/kb/325590
http://www.jonathanmedd.net/2010/10/windows-server-2008-extend-system-volume-error-the-parameter-is-incorrect.html

This is it for today. Have fun!

02 March 2012

Blocking P2P programs with Group Policy

Some time ago I needed to block as many torrent and other P2P clients as possible with Windows Group Policy. To do this I needed to find as many names of torrent client executables as possible and prepare a list. The result of all this is this list:

ABC.exe
Ares.exe
Azureus.exe
BitComet.exe
BitLord.exe
BitThief.exe
BitTornado.exe
BitTorrent.exe
Btdownloadgui.exe
Deluge.exe
Emule.exe
Fdm.exe
FlashGet.exe
Giftl.exe
Imesh.exe
KGet.exe
KTorrent.exe
LimeWire.exe
Mediaget.exe
Miro.exe
MLDonkey.exe
Mp3rocket.exe
Msohtmed.exe
uTorrent.exe
Utorrent-2-0-beta.exe
Utorrentportable.exe
OneSwarm.exe
Opera.exe
qBittorrent.exe
Shareaza.exe
Tonido.exe
Swapper.exe
Tribler.exe
Vuze.exe
Wyzo.exe


I hope you'll find this list useful, and I'd also like to invite all of you to send me the names of the executables that I missed. This way we'll keep this list up to date :)

Here are two articles that describe how to block applications with Windows Group Policy (Software Restriction Policies):
http://www.technipages.com/prevent-users-from-running-certain-programs.html
http://www.windowsnetworking.com/articles_tutorials/Software-Restriction-Policies.html
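A path rule that matches on a file name is only as good as the name: a user who renames uTorrent.exe to notepad2.exe walks straight past it, which is why hash or publisher rules are the stronger option. The following is an added example, not from the original post, for auditing a machine in two ways the GPO alone does not: it matches running processes against the list both by on-disk file name and by the OriginalFilename stored in the binary's version resource (which survives a rename), and it pulls the Software Restriction Policies events (IDs 865 to 868 in the Application log) that record what the policy actually blocked. $BlockList is the list above; Get-FileHash needs PowerShell 4 or later, and an elevated prompt is assumed so other users' processes are visible.

```powershell
# Added example: audit a client against the P2P block list and read SRP block events.
# Assumes PowerShell 4+ (Get-FileHash) and an elevated prompt.
$BlockList = @(
    'ABC.exe','Ares.exe','Azureus.exe','BitComet.exe','BitLord.exe','BitThief.exe',
    'BitTornado.exe','BitTorrent.exe','Btdownloadgui.exe','Deluge.exe','Emule.exe',
    'Fdm.exe','FlashGet.exe','Giftl.exe','Imesh.exe','KGet.exe','KTorrent.exe',
    'LimeWire.exe','Mediaget.exe','Miro.exe','MLDonkey.exe','Mp3rocket.exe',
    'Msohtmed.exe','uTorrent.exe','Utorrent-2-0-beta.exe','Utorrentportable.exe',
    'OneSwarm.exe','Opera.exe','qBittorrent.exe','Shareaza.exe','Tonido.exe',
    'Swapper.exe','Tribler.exe','Vuze.exe','Wyzo.exe'
)

function Get-BlockedProcess {
    # Running processes whose file name OR embedded OriginalFilename is on the list.
    # -contains is case-insensitive in PowerShell, so 'utorrent.exe' still matches.
    param([string[]]$Names)
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $file = Get-Item -LiteralPath $_.Path -ErrorAction SilentlyContinue
        if ($null -eq $file) { return }
        $orig   = $file.VersionInfo.OriginalFilename
        $byName = $Names -contains $file.Name
        $byOrig = $orig -and ($Names -contains $orig)
        if ($byName -or $byOrig) {
            [pscustomobject]@{
                Id       = $_.Id
                Path     = $_.Path
                Original = $orig
                Matched  = if ($byName) { 'file name' } else { 'OriginalFilename (renamed binary)' }
                # The hash is what you feed into a hash rule, which a rename cannot evade
                SHA256   = (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256).Hash
            }
        }
    }
}

function Get-SrpBlockEvent {
    # What SRP actually stopped: 865 = default level, 866 = path rule,
    # 867 = certificate rule, 868 = hash rule (Application log, source SoftwareRestrictionPolicies)
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'SoftwareRestrictionPolicies'
        Id           = 865, 866, 867, 868
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Get-BlockedProcess -Names $BlockList | Format-Table -AutoSize
Get-SrpBlockEvent -Days 7 | Format-Table -AutoSize -Wrap
```

A hit with Matched = 'OriginalFilename (renamed binary)' is a client that already evaded the path rule; its SHA256 column is the value to add as a hash rule. Note that Opera.exe on the list blocks the whole browser, not just its built-in torrent support.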

This is it for today. Have fun!

28 December 2011

Remove Receive Connector permissions

A few days ago I started playing with permissions on our Exchange 2010 Receive Connector. I wanted to achieve that one of my service account users could send emails. During this testing I added all sorts of permissions to this Receive Connector. After I finished testing I wanted to get rid of all the permissions I had given to this user. And how did I do it?

First I wanted to see all the permissions that I had given to this user:

Get-ReceiveConnector "Server\Full Connector Name" | Get-ADPermission -User "Domain\Username"  |? {$_.extendedrights} | select identity,user,extendedrights | Format-List

Second, I got rid of all the permissions that the previous command listed:

Get-ReceiveConnector "Server\Full Connector Name" | Remove-ADPermission -User "Domain\Username" -ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient,ms-Exch-SMTP-Accept-Authoritative-Domain-Sender,ms-Exch-Accept-Headers-Routing,ms-Exch-SMTP-Accept-Any-Sender

At the end I ran the first command again, just to check that I really had got rid of everything.
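The same clean-up as an added example that is not the author's code, driven by what Get-ADPermission actually returns instead of a retyped list of rights, so a right you forgot to type cannot survive; it also reviews first, because ms-Exch-SMTP-Accept-Any-Sender and ms-Exch-SMTP-Accept-Authoritative-Domain-Sender let the account submit mail with any sender address, including ones in your own authoritative domains, which is usually more than "can send mail" should mean. It runs in the Exchange Management Shell; the connector and account names are placeholders.

```powershell
# Added example: list, dry-run, remove and re-check all explicit ACEs for one
# account on one Receive Connector. Run in the Exchange Management Shell.
$Connector = 'Server\Full Connector Name'   # placeholder
$Account   = 'Domain\Username'              # placeholder

function Get-ExplicitConnectorAce {
    # Every non-inherited ACE on the connector for this trustee: extended rights
    # (ms-Exch-SMTP-Accept-Any-Sender, ...) as well as plain access rights.
    param([string]$ConnectorIdentity, [string]$User)
    Get-ReceiveConnector $ConnectorIdentity |
        Get-ADPermission -User $User |
        Where-Object { -not $_.IsInherited }
}

# 1. Review what is there; anything in ExtendedRights that accepts "any sender"
#    is a spoofing permission, not a relay permission.
Get-ExplicitConnectorAce $Connector $Account |
    Select-Object Identity, User, AccessRights, ExtendedRights | Format-List

# 2. Dry run, then the real removal of exactly those ACEs
Get-ExplicitConnectorAce $Connector $Account | Remove-ADPermission -WhatIf
Get-ExplicitConnectorAce $Connector $Account | Remove-ADPermission -Confirm:$false

# 3. Nothing explicit should be left for this account
if (Get-ExplicitConnectorAce $Connector $Account) {
    Write-Warning "Explicit ACEs for $Account still present on $Connector"
} else {
    "Connector $Connector is clean for $Account"
}
```

If the service account is meant to keep relaying afterwards, grant it ms-Exch-SMTP-Accept-Any-Recipient alone and leave the sender-related rights off.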

I hope this will help you clean up your Exchange server as it helped me.

This is it for this year. Have fun!