Thursday, October 30, 2008

NLtest to see the local PC trust within the Domain

One of the frequently asked questions is: suddenly a server or workstation drops out of the domain and cannot establish a successful logon. I have seen such scenarios even on Exchange servers, where an administrator goes to AD, finds the computer account for the Exchange server and clicks "Reset" by mistake. Don't ask me how, but I have seriously seen this happen at a client site.

I have also seen the computer secret break after a P2V (physical to virtual) conversion, so the machine could not log on to the domain. The fix in all these cases was to take the computer out of the domain and add it back, which re-establishes the secure channel between the PC or server and the domain controllers.

The secure channel's password is stored along with the computer account on all domain controllers. For Windows 2000 or Windows XP, the default computer account password change period is every 30 days.

Below is some very useful information on how a Windows-based computer works with its local secret and how the secret can be reset.

Each Windows-based computer maintains a machine account password history that contains the current and previous passwords that are used for the account. When two computers try to authenticate with each other and a change to the current password is not yet received, Windows relies on the previous password. If the sequence of password changes exceeds two changes, the computers involved may not be able to communicate, and you may receive error messages. For example, you may receive "Access Denied" error messages when Active Directory replication occurs.

You cannot change the machine account password by using the Active Directory Users and Computers snap-in, but you can reset the password by using the Netdom.exe tool.

The Netdom.exe tool resets the account password on the computer locally (known as a "local secret") and writes this change to the computer's computer account object on a Windows domain controller that resides in the same domain. Simultaneously writing the new password to both places ensures that at least the two computers involved in the operation are synchronized, and starts Active Directory replication so that other domain controllers receive the change.

Now the question is whether there is any way to find out if the trust is broken or in place. To answer this, follow the examples below and investigate each output.

The utility called nltest is used to test trust relationships.

A workstation that is a member of the TESTD domain has an implicit trust with a domain controller.

  • To query the secure channel that vmdc2 has to the smtp25 domain:
    C:\>nltest /server:vmdc2 /sc_query:smtp25
  • To determine if a domain controller can authenticate a user account:
    C:\>nltest /whowill:smtp25 zz-oozugurlu
  • NLTEST can be used to find a trusted domain that has a given user account:
    C:\>nltest /finduser:zz-oozugurlu
  • To determine the domain controllers in the ESS domain:
    C:\>nltest /dclist:smtp25
  • To query the user account:
    C:\>nltest /user:zz-oozugurlu
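The checks above typed one at a time are fine for a single box; the script below is an added example (not from the original post) that wraps the same nltest secure-channel query in PowerShell, reports whether the local secret is healthy, and, only when asked, performs the netdom reset that KB 325850 describes instead of the leave-and-rejoin dance. It assumes PowerShell 2.0, nltest.exe and netdom.exe on the PATH (both ship with Windows Server 2008; on Windows 2003 netdom comes with the Support Tools), and that the caller is a domain admin when repairing. Parameter names and defaults are the example's own.

```powershell
# Added example, not from the original post. Checks the machine's secure channel with
# "nltest /sc_query" and optionally resets the machine account password with "netdom resetpwd"
# (KB 325850). Assumes PS 2.0 and nltest.exe / netdom.exe on the PATH.
param(
    [string]$Domain    = $env:USERDNSDOMAIN,                 # assumption: the machine's own domain
    [string]$QueryHost = '',                                 # optional: inspect another computer's channel (nltest /server:)
    [string]$Dc        = '',                                 # DC to write the new password to; required with -Repair
    [string]$AdminUser = "$env:USERDOMAIN\$env:USERNAME",   # domain admin used by netdom (prompted for its password)
    [switch]$Repair                                          # actually reset the secret; default is report only
)

function Test-SecureChannel {
    param([string]$Domain, [string]$QueryHost)
    $nlArgs = @()
    if ($QueryHost) { $nlArgs += "/server:$QueryHost" }    # same as the post's "nltest /server:vmdc2 /sc_query:..."
    $nlArgs += "/sc_query:$Domain"
    $out = & nltest.exe $nlArgs 2>&1
    # A healthy channel ends with "Trust Verification Status = 0 0x0 NERR_Success"; a broken secret
    # gives a non-zero exit code and an error such as ERROR_NO_TRUST_SAM_ACCOUNT instead.
    $healthy = ($LASTEXITCODE -eq 0) -and (($out -join ' ') -match 'NERR_Success')
    $dc = ''
    $dcLine = $out | Select-String 'Trusted DC Name' | Select-Object -First 1
    if ($dcLine) { $dc = $dcLine.Line -replace '^.*\\\\', '' }   # keep only the name after "\\"
    New-Object PSObject -Property @{
        Domain = $Domain; Computer = $(if ($QueryHost) { $QueryHost } else { $env:COMPUTERNAME })
        TrustedDC = $dc; Healthy = $healthy; Output = ($out -join "`n")
    }
}

function Reset-SecureChannel {
    param([string]$Domain, [string]$Dc, [string]$AdminUser)
    # netdom resetpwd changes the local secret and writes the same password to the chosen DC in one
    # step (what the KB text above calls writing to both places). "/passwordd:*" prompts for the admin
    # password so it never lands in the command history.
    & netdom.exe resetpwd "/server:$Dc" "/userd:$AdminUser" "/passwordd:*"
    if ($LASTEXITCODE -ne 0) { return $false }
    # ask Netlogon to rebuild the channel now instead of waiting for the next logon attempt
    & nltest.exe "/sc_reset:$Domain" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$status = Test-SecureChannel -Domain $Domain -QueryHost $QueryHost
$status | Format-List Computer, Domain, TrustedDC, Healthy
if (-not $status.Healthy) {
    Write-Warning "Secure channel to $Domain is broken. nltest said:`n$($status.Output)"
    if ($Repair) {
        # netdom resetpwd only resets the computer it runs on, so a remote -QueryHost cannot be repaired from here
        if ($QueryHost) { throw 'Run this script with -Repair on the affected computer itself.' }
        if (-not $Dc) { throw 'Use -Dc <domain controller> so netdom knows where to write the new password.' }
        if (Reset-SecureChannel -Domain $Domain -Dc $Dc -AdminUser $AdminUser) {
            Test-SecureChannel -Domain $Domain | Format-List Computer, Domain, TrustedDC, Healthy
        }
    }
}
```

Run it without switches from any domain member to get a health report; `-QueryHost vmdc2` mirrors the post's `/server:vmdc2` example. Only `-Repair -Dc <dc>` changes anything, and it must be run elevated on the machine whose secret is broken. Removing and rejoining the computer, as the post does, achieves the same result; netdom is simply the in-place version.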


KB 325850

Oz ozugurlu

MVP (Exchange)


MCSE (M+,S+) MCDST, Security+, Server +,Project+


Tuesday, October 28, 2008

Microsoft TechDays Event in Arlington, VA

Today I attended the Microsoft TechDays event in Arlington, VA, and had an opportunity to meet with MS folks. I was surprised and excited to meet Harold Wong (of the 24 Hours of Exchange 2007 webcast series) and also met Blain Barton. Here is Harold's website for all of you one more time; check out the Exchange webcast series. Harold has done incredible work presenting the new features in Exchange 2007 in this video and MP3 series.

The TechDays event was very interesting, especially Forefront "Stirling", which is an integrated security system that delivers comprehensive solutions. It seems Microsoft is going to provide a great security system that will do pretty impressive work. If you want to read more about it, here is the link.



Thursday, October 23, 2008

Cluster network name resource 'Cluster Name' failed registration of one or more associated DNS name event ID 1196 and Event ID 1119


After setting up a Windows 2008 cluster with SQL and Exchange 2007, the following events show up in the event log of both cluster nodes. The errors are not causing any failover or operational issues, but they are interesting to investigate and need a resolution.

Inside technical info:

The errors below indicate that the active cluster node is not able to register the "Cluster name resource" in its configured DNS server. Basically, this is what is happening: the cluster has a resource called the cluster network name resource. This is one of the resources that must be created prior to setting up a cluster, and it is created manually in the DNS database. The active cluster node owns this resource, and the active node's production network interface goes to its configured DNS server and tries to register the cluster name resource record in the DNS database itself. In this example DNS refuses the registration because, as far as DNS knows, the server does not own the resource name, and hence it does not allow the active node to register it.

What does cluster network name resource do?

"The name of the SQL Server is defined by the network name cluster resource, and that name will be used by applications and end users to connect to the failover instance; together these resources represent a logical Windows Server on the network, while running across one or more real Windows Server computers. A failover instance of SQL Server is an item that is created during SQL Server setup; it is not provided by Windows Server."

Root Cause:

When the static record was created, the option "allow any authenticated user to update DNS records with the same owner" was not selected. Therefore the cluster node (the active node) that owns the cluster name resource is not able to register this resource record in the DNS database on behalf of the resource itself.


Go to DNS and find the records (A and pointer record) for the cluster name resource.

  • Right-click the record
  • Go to Properties
  • On the Security tab make sure "Authenticated Users" is included
  • Make sure it has "Write" rights and Special permissions
  • Click Advanced, locate Authenticated Users, and click Edit
  • Make sure Write All Properties, Read Permissions, and All Validated Writes are selected
  • Click OK three times to exit

After investigating further, you will notice there are no more errors in the System log in this regard.

Log Name: System
Source: Microsoft-Windows-FailoverClustering
Date: 10/23/2008 9:30:35 PM
Event ID: 1196
Task Category: Network Name Resource
Level: Error

Cluster network name resource 'Cluster Name' failed registration of one or more associated DNS name(s) for the following reason:
DNS operation refused.
Ensure that the network adapters associated with dependent IP address resources are configured with at least one accessible DNS server.

Event Xml:
<Event xmlns="">
  <Provider Name="Microsoft-Windows-FailoverClustering" Guid="{baf908ea-3421-4ca9-9b84-6689b8c6f85f}" />
  <TimeCreated SystemTime="2008-10-24T01:30:35.648Z" />
  <Correlation />
  <Execution ProcessID="1956" ThreadID="20004" />
  <Security UserID="S-1-5-18" />
  <Data Name="ResourceName">Cluster Name</Data>
  <Data Name="StatusString">DNS operation refused.
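The root cause is an ACL on the DNS record, so it can be verified without clicking through the GUI. The following is an added example (not from the original post): it pulls the 1196/1119 events from the System log and then reads the cluster name's record object in the AD-integrated zone to check whether Authenticated Users hold the three rights the procedure above sets (Write All Properties, Read Permissions, All Validated Writes). It assumes PowerShell 2.0 on a cluster node, a zone stored in the DomainDnsZones partition, and read access to the record's security descriptor; cluster, zone and domain names are placeholders.

```powershell
# Added example, not from the original post. Lists the failover-clustering DNS registration
# events and checks the record ACL that the fix above changes. Assumes PS 2.0, an AD-integrated
# zone in DomainDnsZones, and placeholder names below.
param(
    [string]$ClusterName = 'CLUSTER01',          # placeholder: cluster network name (the A record)
    [string]$ZoneName    = 'contoso.com',        # placeholder: AD-integrated forward zone
    [string]$DomainDn    = 'DC=contoso,DC=com'   # placeholder: domain whose DomainDnsZones holds the zone
)

function Get-ClusterDnsRegistrationEvents {
    # 1196 and 1119 are the two IDs the post names; both come from the FailoverClustering provider
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-FailoverClustering'; Id = 1196, 1119 } `
                 -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(110, $_.Message.Length)) } }
}

function Test-DnsRecordAclForCluster {
    param([string]$RecordName, [string]$Zone, [string]$DomainDn)
    # A record in an AD-integrated zone is a dnsNode object: DC=<record>,DC=<zone>,CN=MicrosoftDNS,<partition>
    $node = [ADSI]"LDAP://DC=$RecordName,DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"
    $authUsers = (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11').Translate([System.Security.Principal.NTAccount]).Value
    # GUI names -> ActiveDirectoryRights: Write All Properties = WriteProperty,
    # Read Permissions = ReadControl, All Validated Writes = Self
    $needed  = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, ReadControl, Self'
    $granted = 0
    foreach ($ace in $node.ObjectSecurity.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -eq $authUsers) {
            $granted = $granted -bor [int]$ace.ActiveDirectoryRights
        }
    }
    $missing = $needed -band (-bnot $granted)
    New-Object PSObject -Property @{
        Record  = "$RecordName.$Zone"
        Owner   = $node.ObjectSecurity.GetOwner([System.Security.Principal.NTAccount]).Value
        Missing = [System.DirectoryServices.ActiveDirectoryRights]$missing
        Ok      = ($missing -eq 0)
    }
}

Get-ClusterDnsRegistrationEvents | Format-Table TimeCreated, Id, Message -AutoSize
$acl = Test-DnsRecordAclForCluster -RecordName $ClusterName -Zone $ZoneName -DomainDn $DomainDn
$acl | Format-List Record, Owner, Ok, Missing
if (-not $acl.Ok) {
    Write-Warning "Authenticated Users lack $($acl.Missing) on $($acl.Record); the active node cannot refresh the record until that is granted."
}
```

The Owner field explains the "DNS operation refused" text: secure dynamic update only lets the record's owner (or principals with write rights) replace it, and a record created by hand is owned by the administrator who created it rather than by the cluster. The same function checks the pointer record if you pass the reverse zone name and the last octet as the record name.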





Friday, October 17, 2008

Creating Bulk Users in Exchange 2007 part two

Hi everyone, this is Oz, and in this video session we will learn how to create bulk users in Exchange 2007 with very little effort. Just follow me and you will realize how easy this is. Creating mailbox users has never been easier, especially if you have Exchange 2007, and I am going to demo this easy task in just seconds.

Okay, let's get the ball rolling. Log into your Exchange 2007 server first, open Internet Explorer, go to my blog and search at the top for

"Creating BULK Users in Exchange 2007 for testing part 2"

Now that you have found the article, open Notepad and copy and paste the string below into it. Now we need to open the EMC (Exchange Management Console); before we copy and paste the string we need to make sure Exchange is ready. Let's find out the name of the storage group.

I am going to type Get-MailboxDatabase to find out the names of the storage groups, and here they are; in my case I have several of them:

  • SG1-MB1
  • SG2-MB1
  • SG3-MB1
  • SG4-MB1
  • SG5-MB1

I am going to pick one, let's say SG4-MB1, and create users in that storage group, and I am going to name these users "Security".

1..100 | ForEach { Net User "User$_" MyPassword=01 /ADD /Domain; Enable-Mailbox "User$_" -Database SG1-MB1 }

We will go back and verify that the users are present on our Exchange server. You can change the number of users and the user name prefix as you wish.
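The one-liner gives every test account the same password, which is fine for a lab but tends to outlive the lab. The script below is an added example (not from the original post) that does the same bulk creation with New-Mailbox instead of "net user" plus Enable-Mailbox: each account gets its own random password that must be changed at first logon, the accounts land in a dedicated OU so they are easy to find and delete afterwards, and the post's verification step is run at the end. It assumes the Exchange 2007 Management Shell on PowerShell 2.0; the database name is the one picked in the post, while the OU, UPN suffix and CSV path are placeholders.

```powershell
# Added example, not from the original post. Bulk test-mailbox creation with New-Mailbox,
# per-user random passwords and a dedicated OU. Assumes the Exchange 2007 Management Shell (PS 2.0).
param(
    [int]$Count = 100,
    [string]$Prefix    = 'Security',                    # the post names its test users "Security"
    [string]$Database  = 'SG4-MB1',                     # the database the post picked from Get-MailboxDatabase
    [string]$OU        = 'contoso.com/Test Users',      # placeholder OU for throwaway accounts
    [string]$UpnSuffix = 'contoso.com',                 # placeholder
    [string]$CsvPath   = "$env:TEMP\bulk-users.csv"     # where the initial passwords are recorded
)

function New-RandomPassword {
    param([int]$Length = 14)
    # one character from each class guarantees the domain complexity rule; the rest come from the full pool
    $classes = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!@#$%^&*-_=+')
    $pool  = $classes -join ''
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $chars = @()
    for ($i = 0; $i -lt $Length; $i++) {
        $set = $pool
        if ($i -lt $classes.Count) { $set = $classes[$i] }
        $chars += $set[$bytes[$i] % $set.Length]
    }
    # shuffle so the class-guaranteed characters are not always the first four
    ($chars | Sort-Object { Get-Random }) -join ''
}

function New-TestMailboxes {
    param([int]$Count, [string]$Prefix, [string]$Database, [string]$OU, [string]$UpnSuffix)
    $created = @()
    foreach ($i in 1..$Count) {
        $name  = "$Prefix$i"
        $plain = New-RandomPassword
        $mbx = New-Mailbox -Name $name -Alias $name -SamAccountName $name -UserPrincipalName "$name@$UpnSuffix" `
                           -OrganizationalUnit $OU -Database $Database `
                           -Password (ConvertTo-SecureString $plain -AsPlainText -Force) -ResetPasswordOnNextLogon $true
        $created += New-Object PSObject -Property @{ Name = $mbx.Name; UPN = $mbx.UserPrincipalName; InitialPassword = $plain }
    }
    $created
}

$users = New-TestMailboxes -Count $Count -Prefix $Prefix -Database $Database -OU $OU -UpnSuffix $UpnSuffix
# the passwords are one-time (ResetPasswordOnNextLogon), but the file still needs protecting: delete it once handed out
$users | Export-Csv -Path $CsvPath -NoTypeInformation
# the verification step from the post: count what is now in the database
$check = Get-Mailbox -Database $Database | Where-Object { $_.Name -like "$Prefix*" } | Measure-Object
Write-Host ("{0} mailboxes named {1}* now in {2}; initial passwords written to {3}" -f $check.Count, $Prefix, $Database, $CsvPath)
```

Cleaning up afterwards is one line because everything sits in one OU: `Get-Mailbox -OrganizationalUnit 'contoso.com/Test Users' | Remove-Mailbox` (with the placeholder OU swapped for yours).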



Thursday, October 16, 2008

Directory Database Mounting AD 2008

Directory database mounting is one of the cool new features of Active Directory in Windows 2008: being able to take a snapshot and browse it with an LDAP tool such as ADUC, looking into an offline, read-only .DIT database.

How cool is that? Can you imagine? We will do this right now, right here, together. Why in the world would we ever need to do this? Imagine you are going to perform a security audit: you capture the state of the Active Directory .dit as a read-only database and work on that.

You don't want the help desk or domain admins making changes while you are auditing the .dit database, or you want to export Active Directory information to plan or design an OU structure, and so on. Whatever reason you have, you will learn how to do this in just seconds and see how easy it is.

What tool or tools are we going to use to accomplish the mission? We will use built-in AD tools such as

  • Ntdsutil
  • Dsamain.exe


Log onto a Windows 2008 AD DS server.

Click Start, go to Run, and type the following:

  • ntdsutil
  • snapshot
  • activate instance ntds
  • create (uses Volume Shadow Copy)
  • mount {GUID}
  • list mounted (will list the snapshot)
  • dsamain /dbpath <path_to_database_file> /ldapport <port_#>, for example:
  • dsamain -dbpath C:\$SNAP_200810160916_VOLUMEC$\Windows\NTDS\ntds.dit -LdapPort 10000

The video will show you how to accomplish this step by step. This is my first video, and I would appreciate any feedback: whether you find it useful and like it or not.
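For an audit that is repeated on a schedule, the interactive ntdsutil prompts get old quickly. The script below is an added example (not from the original post): it drives ntdsutil and dsamain non-interactively to take the snapshot, mount it, expose the offline ntds.dit over LDAP on the same port the post uses (10000), and, when you are done, unmount and delete the copy. It assumes Windows Server 2008 with ntdsutil.exe and dsamain.exe on the PATH, an elevated prompt on the domain controller, PowerShell 2.0, and that the snapshot keeps the default Windows\NTDS\ntds.dit layout; the output parsing (GUID and $SNAP_ path) is the example's assumption about ntdsutil's messages.

```powershell
# Added example, not from the original post. Non-interactive snapshot -> mount -> dsamain flow.
# Assumes Server 2008, elevated prompt on a DC, PS 2.0, default NTDS path inside the snapshot.
param([int]$LdapPort = 10000)   # the port from the post's dsamain example

function New-AdSnapshot {
    # ntdsutil takes its sub-commands as arguments, one quoted string per prompt level
    $out = & ntdsutil.exe 'activate instance ntds' 'snapshot' 'create' 'quit' 'quit' 2>&1
    # the create step prints the new snapshot set's GUID; assumption: it is the first {...} token in the output
    if (($out -join ' ') -match '\{[0-9a-fA-F-]{36}\}') { return $Matches[0] }
    throw "snapshot create failed:`n$($out -join "`n")"
}

function Mount-AdSnapshot {
    param([string]$Guid)
    $out = & ntdsutil.exe 'activate instance ntds' 'snapshot' "mount $Guid" 'quit' 'quit' 2>&1
    # mount reports the shadow-copy path, e.g. C:\$SNAP_200810160916_VOLUMEC$ (assumption about the message text)
    if (($out -join ' ') -match '[A-Z]:\\\$SNAP_[^\s$]+\$') { return $Matches[0] }
    throw "snapshot mount failed:`n$($out -join "`n")"
}

function Start-OfflineDit {
    param([string]$MountPath, [int]$Port)
    $dit = Join-Path $MountPath 'Windows\NTDS\ntds.dit'    # assumption: default NTDS location
    if (-not (Test-Path $dit)) { throw "no ntds.dit under $MountPath" }
    # dsamain stays in the foreground until Ctrl+C, so run it as its own process and hand back the PID
    Start-Process -FilePath dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport $Port" -PassThru
}

function Remove-AdSnapshot {
    param([string]$Guid)
    # unmount then delete: a mounted copy of ntds.dit holds the same password hashes as the live one
    # and deserves the same protection, so do not leave it around after the audit
    & ntdsutil.exe 'activate instance ntds' 'snapshot' "unmount $Guid" "delete $Guid" 'quit' 'quit' | Out-Null
}

$guid = New-AdSnapshot
$path = Mount-AdSnapshot -Guid $guid
$dsa  = Start-OfflineDit -MountPath $path -Port $LdapPort
Write-Host "Snapshot $guid mounted at $path; offline LDAP listening on port $LdapPort (dsamain PID $($dsa.Id))."
Write-Host "Point ADUC or ldp.exe at localhost:$LdapPort. When finished: Stop-Process $($dsa.Id); Remove-AdSnapshot -Guid $guid"
```

Because dsamain serves the snapshot with the permissions that were in it, whoever could read an attribute in the live directory can read it here too; run it on the DC itself and keep the port firewalled to the auditing workstation rather than opening it to the whole network.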

--Oz Ozugurlu

MVP (Exchange) MCITP (EMA),

MCITP (SA) MCSE 2003, M+, S+,

MCDST, Security+, Project +, Server +


Monday, October 13, 2008

How to Deal with Exchange White Space


I am looking to provide some free space and white space numbers to management for capacity planning. Currently running 2003 SP2 in a 6/2 cluster. Can you recommend some scripts or free apps that you use? Currently we have MOM and I have been getting some data, but I have to manually enter it into spreadsheets for trending etc.

Since you have a cluster, you have the Enterprise edition of Exchange 2003. I won't recommend taking the Exchange database offline for defragmentation to reclaim white space, and I would not even bother to do it. The simple reason is that there is no need for it.

You can simply create a new mail store and move users onto it. It would be better to create two new databases if you can, move users evenly across them, and simply delete the old one when there is no mailbox left on it.

Here are the rules.

1. There is no need for an offline defrag if you are running the Exchange Enterprise edition.
2. Simply create new databases and use the "Move Mailbox" wizard to move the mailboxes.
3. Delete the original database when there is no mailbox left on it.
4. Move users at night; you can schedule the mailbox move. Don't forget Exchange uses 4 threads, one mailbox at a time each, meaning if you schedule 20 users to be moved, Exchange will start with 4 mailboxes and as soon as one is done, the next one in the list will be moved.
5. The smaller the Exchange database, the happier Exchange will be. This is true for most databases; Exchange likes to deal with smaller databases, so be on top of the game and don't let the databases grow too much.
6. Communicate with your users and make sure they are aware of the move and that they won't be able to use their mailboxes during the move (Exchange will lock the mailbox).
7. Doing things in a smart way avoids mistakes. The white space is reported by event ID 1221 in the Application log of your Exchange server; if you are really curious about it, calculate the white space by simply adding up the estimated usable space from all 1221 events.
8. I have a mailbox count script that will dump all your mailboxes, their sizes, etc. onto a nice Excel spreadsheet, so this will give you a nice map and help you plan your mailbox move (
9. Seriously look into moving to Exchange 2007; there is a huge difference. 64-bit servers with the right memory and CPU and the correct RAID for the OS and Exchange will make a huge difference. I have started migrating some of our clients and the results are fantastic.
10. Move AD to AD 2008 if possible; from my experience this will speed things up a lot.
11. MOM will keep an eye on your Exchange server and let you know about most issues ahead of time.
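Rule 7 is the one that replaces the spreadsheet. As an added example (not from the original post or the questioner), the script below reads the ESE 1221 events from the Application log, keeps the newest one per database so that several nights of online maintenance are not double-counted, and totals the reported free space. It assumes PowerShell 2.0 with read access to the Exchange 2003 server's Application log (locally or via -ComputerName) and the standard 1221 message text, "The database "<storage group>\<store> (<server>)" has <n> megabytes of free space after online defragmentation has terminated."

```powershell
# Added example, not from the original post. Sums the white space that ESE event 1221 reports.
# Assumes PS 2.0 and read access to the Exchange 2003 Application log.
param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 1)

function Get-ExchangeWhiteSpace {
    param([string]$ComputerName, [int]$Days)
    $since  = (Get-Date).AddDays(-$Days)
    $events = Get-EventLog -LogName Application -ComputerName $ComputerName -After $since |
              Where-Object { $_.Source -eq 'ESE' -and $_.EventID -eq 1221 }
    $latest = @{}   # newest 1221 per database; each night's run supersedes the previous figure
    foreach ($e in $events) {
        if ($e.Message -match '"(?<db>[^"]+)" has (?<mb>\d+) megabytes of free space') {
            $db = $Matches['db']
            if (-not $latest.ContainsKey($db) -or $latest[$db].Time -lt $e.TimeGenerated) {
                $latest[$db] = New-Object PSObject -Property @{
                    Database = $db; Time = $e.TimeGenerated; FreeMB = [int]$Matches['mb']
                }
            }
        }
    }
    $latest.Values | Sort-Object Database
}

$rows  = @(Get-ExchangeWhiteSpace -ComputerName $ComputerName -Days $Days)
$rows | Format-Table Database, FreeMB, Time -AutoSize
$total = ($rows | Measure-Object FreeMB -Sum).Sum
Write-Host ("Total reclaimable white space: {0} MB across {1} database(s)" -f $total, $rows.Count)
# append to a CSV so MOM is not the only place the trend lives
$rows | Select-Object @{ n = 'Server'; e = { $ComputerName } }, Database, FreeMB, Time |
    Export-Csv -Path "$env:TEMP\whitespace-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

In a 6/2 cluster run it once per Exchange virtual server name (the log follows the virtual server, not the node), and leave `-Days` at 1 unless online maintenance was skipped, since 1221 is only written when the defragmentation pass finishes.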


Jiu-Jitsu and Exchange 2007

Well, I am not going to blah blah this time; there really isn't any connection between Exchange 2007 and Jiu-Jitsu as far as I am concerned, so far (-:

It has been a year that I have been practicing Jiu-Jitsu, and one of my dreams since I started practicing was to spar with Royce Gracie. Well, my dream came true and I had the honor to roll with him last Friday. Besides sparring with the master, I asked him to choke me out and he was kind enough to make it happen.

For those of you who do not know Royce or Jiu-Jitsu, here is the link



Saturday, October 11, 2008

WINDOWS 2008 DNS improvements

Is Active Directory integrated DNS not required for AD to run properly? In fact, I have heard people claiming that UNIX-based DNS works faster and better for Active Directory. As we all know, if DNS is not working, regardless of whether it is AD-integrated or UNIX, life will be very difficult for AD DS and Exchange admins, and the fact is you cannot run a network unless you have DNS in place. Over the years working with AD and DNS, I have found AD-integrated DNS is the way to go, and I have never had any type of problem as long as it is set up and maintained correctly.

With every version of Windows that comes out, I look for GUI or command line improvements in the DNS console, and unfortunately I have not yet been successful in finding what I was expecting in terms of the DNS GUI and its functionality.

Critics: why is it not easy to add a CNAME record? Why do we have to dig down and down in the little window, which is not expandable and very inconvenient to work with? Doing a search in the DNS console is not efficient in my opinion, and why was it not made with MMC 3.0, as some other features look incredibly useful? Anyway, I guess we just need to wait and hope we get a better and smarter GUI and command line to work with.

Let's take a look at some of the functionality in DNS and some of the new features.

Background zone loading

The DNS data is retrieved from the directory service, and this could cause delays, especially in large environments. The result is that clients are waiting and the DNS service cannot serve them until it comes up.

Windows Server 2008 now loads zone data from AD DS in the background when it restarts, so that it can respond to requests for data from other zones.

The DNS server can use background zone loading to begin responding to queries almost immediately when it restarts, instead of waiting until its zones are fully loaded.

The zone data is stored in AD DS rather than in a file: AD DS can be accessed asynchronously and immediately when a query is received, while file-based zone data can be accessed only through a sequential read of the file. On startup, the DNS server:

  • Enumerates all zones to be loaded.
  • Loads root hints from files or AD DS storage.
  • Loads all file-backed zones, that is, zones that are stored in files rather than in AD DS.
  • Begins responding to queries and remote procedure calls (RPCs).
  • Spawns one or more threads to load the zones that are stored in AD DS.


DNS client computers can use link-local multicast name resolution (LLMNR), also known as multicast DNS or mDNS, to resolve names on a local network segment when a DNS server is not available. For example, if a router fails, cutting a subnet off from all DNS servers on the network, clients on the subnet that support LLMNR can continue to resolve names on a peer-to-peer basis until the network connection is restored.

The DC Locator component of a client computer running Windows Vista or Windows Server 2008 periodically searches for a domain controller in the domain to which it belongs. This functionality helps avoid performance problems that might occur when a client locates its domain controller during a period of network failure, thereby associating the client with a distant domain controller located on a slow link. Previously, this association continued until the client was forced to seek a new domain controller, for example, when the client computer was disconnected from the network for a long period of time. By periodically renewing its association with a domain controller, a client can now reduce the probability that it will be associated with an inappropriate domain controller.

A client computer running Windows Vista or Windows Server 2008 can be configured (programmatically, with a registry setting, or by Group Policy) to locate the nearest domain controller instead of searching randomly. This functionality can improve network performance in networks containing domains that exist across slow links. However, because locating the nearest domain controller can itself have a negative impact on network performance, this functionality is not enabled by default.
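Both client-side behaviours above are policy-controlled, and the text says which way the defaults go: LLMNR is on unless switched off, nearest-site DC location is off unless switched on. The script below is an added example (not from the original post) that reports how a Vista or Server 2008 machine is actually configured and which DC the locator currently hands out. It assumes PowerShell 2.0, nltest.exe on the PATH, and the two documented registry values: EnableMulticast under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient (0 = LLMNR disabled) and TryNextClosestSite under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters (1 = nearest-site location enabled). Neither value is on the page; both are real policy settings.

```powershell
# Added example, not from the original post. Audits LLMNR and nearest-site DC locator settings
# and shows the DC the locator currently returns. Assumes PS 2.0 and nltest.exe on the PATH.
function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

function Get-NameResolutionPosture {
    $llmnr = Get-RegistryValueOrNull 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    $tncs  = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'TryNextClosestSite'

    $llmnrState = 'enabled (no policy set; the default)'
    if ($llmnr -ne $null -and $llmnr -eq 0) { $llmnrState = 'disabled by policy' }
    elseif ($llmnr -ne $null)               { $llmnrState = 'enabled by policy' }
    $tncsState = 'disabled (default)'
    if ($tncs -eq 1) { $tncsState = 'enabled' }

    # nltest /dsgetdc asks the locator which DC it would hand to applications right now, and from which site
    $dsgetdc = & nltest.exe "/dsgetdc:$env:USERDNSDOMAIN" 2>&1
    $dc = ''; $dcSite = ''; $ourSite = ''
    foreach ($line in $dsgetdc) {
        $parts = "$line" -split ':\s*', 2
        if ($parts.Count -lt 2) { continue }
        switch -regex ($parts[0].Trim()) {
            '^DC$'            { $dc      = $parts[1] }
            '^Dc Site Name$'  { $dcSite  = $parts[1] }
            '^Our Site Name$' { $ourSite = $parts[1] }
        }
    }
    New-Object PSObject -Property @{
        LLMNR              = $llmnrState
        TryNextClosestSite = $tncsState
        CurrentDC          = $dc
        DCSite             = $dcSite
        ClientSite         = $ourSite
        CrossSiteDC        = ($dcSite -ne '' -and $dcSite -ne $ourSite)
    }
}

Get-NameResolutionPosture | Format-List LLMNR, TryNextClosestSite, CurrentDC, DCSite, ClientSite, CrossSiteDC
```

CrossSiteDC is the condition the DC Locator passage is about: a client stuck on a DC in another site after an outage. LLMNR answers come from whichever host on the segment replies first, without any authentication, so on networks where every client can always reach a DNS server most hardening baselines set EnableMulticast to 0 and rely on DNS alone; the audit shows which state a given box is in.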

Read more



Wednesday, October 8, 2008

Server 2008 Metadata Cleanup

After a failed DCPromo we always had to perform metadata cleanup, meaning go to the .DIT database, take out the information related to the failed DC, and let it replicate to all other DCs within the forest/domain.

Remember the steps below (-: from older versions of Windows:

  1. Open a command prompt.
  2. Type the following command, and then press ENTER:
     ntdsutil
  3. At the ntdsutil: prompt, type:
     metadata cleanup
  4. At the metadata cleanup: prompt, type:
     connections
  5. At the server connections: prompt, type:
     connect to server Server
  6. At the server connections: prompt, type:
     quit
  7. At the metadata cleanup: prompt, type:
     select operation target
  8. At the select operation target: prompt, type:
     list sites
     A numbered list of sites appears.
  9. At the select operation target: prompt, type:
     select site SiteNumber
  10. At the select operation target: prompt, type:
     list domains in site
     A numbered list of domains in the selected site appears.
  11. At the select operation target: prompt, type:
     select domain DomainNumber
  12. At the select operation target: prompt, type:
     list servers in site
     A numbered list of servers in the selected domain and site appears.
  13. At the select operation target: prompt, type:
     select server ServerNumber
  14. At the select operation target: prompt, type:
     quit
  15. At the metadata cleanup: prompt, type:
     remove selected server

Now, how much effort is involved in getting the same work done in Windows 2008?

  • Find the domain controller
  • Right-click the DC, and then select Delete.
  • The checkbox at the bottom forcefully deletes the domain controller from Active Directory, which is the same as a metadata cleanup.

Don't you love Windows 2008 (-:
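Whichever route you take, the part that matters afterwards is confirming that nothing of the dead DC is still referenced, because a leftover NTDS Settings object keeps the KCC trying to replicate with a server that no longer exists. The script below is an added example (not from the original post): it looks for the four usual leftovers of a removed domain controller. It assumes PowerShell 2.0 on a domain-joined machine with read access to the directory; the DC name and domain DN are placeholders.

```powershell
# Added example, not from the original post. Verifies a metadata cleanup by searching for the
# objects that should be gone. Assumes PS 2.0, domain membership and directory read access.
param([string]$RemovedDc = 'DC2', [string]$DomainDn = 'DC=contoso,DC=com')   # placeholders

function Find-DcLeftovers {
    param([string]$RemovedDc, [string]$DomainDn)
    $root     = [ADSI]"LDAP://RootDSE"
    $configDn = "$($root.configurationNamingContext)"
    $findings = @()

    # 1. the server object (and its NTDS Settings child) under CN=Sites in the configuration partition
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Sites,$configDn")
    $s.Filter = "(&(objectClass=server)(cn=$RemovedDc))"
    foreach ($r in $s.FindAll()) {
        $findings += "server object still present: $($r.Path)"
        $ntds = New-Object System.DirectoryServices.DirectorySearcher($r.GetDirectoryEntry())
        $ntds.Filter = '(objectClass=nTDSDSA)'
        if ($ntds.FindOne()) { $findings += "NTDS Settings still present under $($r.Path): metadata cleanup did not run" }
    }

    # 2. the computer account in the domain
    $c = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DomainDn")
    $c.Filter = "(&(objectClass=computer)(sAMAccountName=$RemovedDc`$))"
    $acct = $c.FindOne()
    if ($acct) { $findings += "computer account still present: $($acct.Path)" }

    # 3. the FRS member object for SYSVOL replication (the classic leftover with FRS-replicated SYSVOL)
    $f = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=System,$DomainDn")
    $f.Filter = "(&(objectClass=nTFRSMember)(cn=$RemovedDc))"
    foreach ($r in $f.FindAll()) { $findings += "FRS member still present: $($r.Path)" }

    # 4. DNS: removing the directory objects does not remove the A/SRV records the DC registered
    try {
        $null = [System.Net.Dns]::GetHostAddresses($RemovedDc)
        $findings += "DNS still resolves $RemovedDc; remove its A and SRV records as well"
    } catch { }

    $findings
}

$left = @(Find-DcLeftovers -RemovedDc $RemovedDc -DomainDn $DomainDn)
if ($left.Count -eq 0) { Write-Host "No leftovers found for $RemovedDc" }
else { $left | ForEach-Object { Write-Warning $_ } }
```

Run it from a DC that has already received the replicated deletion; running it against the DC where you performed the cleanup only tells you that that one copy is clean.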



Monday, October 6, 2008

RPC over HTTPS Script

This script will help you configure your Outlook (2003 and 2007) for RPC over HTTPS. It is very easy and requires no scripting knowledge at all. This is one of the most asked questions: how to make the RPC/HTTP configuration transparent to the user?

So I asked one of my friends to write/modify a script for this purpose. The script works like a charm and is very easy to modify, and I will walk you through it step by step.

Compliments and credit go to Gene Strickland; the rest is for me (-:. I took the article out; just e-mail me and I will send you the script and the notes showing how to modify it. Real simple.



What are lingering objects?

Lingering objects are introduced by DCs/GCs that have been offline or have failed to replicate for longer than the tombstone lifetime.

Tombstone: when an object is deleted in Active Directory it becomes a tombstone; the tombstone is used to replicate the deletion throughout the Active Directory environment.

Let's say we have DC1 and DC2 and they are replication partners. Because AD is a multi-master replication model, any object created on DC1 has to replicate to DC2 so that the .DIT databases on both DCs become consistent (the KCC is the process that makes the replication among domain controllers happen).

On DC1 I created a user account and the KCC replicated this information to DC2. Then I took DC2 offline, let's say for about 2 weeks, and 50 users were deleted on DC1. DC1 marks these users as deleted: the object attribute "isDeleted" is set to "true". This indicates the object has been marked for deletion and will be removed from the Active Directory database.

If DC2 is offline for more than 180 days, the server must not be brought back onto the production network. At this point the server needs to be re-baselined and Active Directory needs to be uninstalled from the domain controller.

DCPromo must be run with the /forceremoval switch, and after uninstalling AD from the domain controller, ntdsutil must be used to clean up the production domain (metadata cleanup) and allow the changes to replicate; then run DCPromo on DC2 again if you still need it. That would be the process.

Why wouldn't AD delete them right away? Because if there were no information about the deletion of the object, how would the other domain controllers know what to do with the same object? And what about recovery, if there were a need for this object to be recovered and it is no longer there?


  • The object gets deleted
  • The directory service moves tombstoned objects to the Deleted Objects container
  • They remain there until the garbage collection process removes them
  • The garbage collection process runs every 12 hours on a DC by default
  • The tombstone lifetime is set to 60 days for Windows 2000/2003
  • 180 days for Windows 2003 SP1
  • The tombstone lifetime must be significantly longer than the garbage collection frequency to ensure that the deletion of objects is replicated to other DCs.
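The DC2 scenario is only a problem if nobody notices DC2 has been silent for months. The script below is an added example (not from the original post) that reads the forest's actual tombstone lifetime from the directory and compares it with the last successful inbound replication of every partner of every DC, so a DC drifting toward the limit is flagged long before it crosses it. It assumes PowerShell 2.0, repadmin.exe on the PATH (Server 2008 or RSAT), and permission to read the configuration partition; the CSV column names are those of repadmin /showrepl /csv.

```powershell
# Added example, not from the original post. Flags replication partners whose last success is
# approaching or past the tombstone lifetime. Assumes PS 2.0 and repadmin.exe on the PATH.
function Get-TombstoneLifetimeDays {
    $root = [ADSI]"LDAP://RootDSE"
    $ds   = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$($root.configurationNamingContext)"
    $tsl  = $ds.tombstoneLifetime
    # attribute absent = forest created before Windows 2003 SP1, so the old 60-day default applies
    if ($tsl -eq $null -or "$tsl" -eq '') { return 60 }
    return [int]"$tsl"
}

function Get-ReplicationAge {
    param([int]$WarnAtPercent = 50)
    $tsl = Get-TombstoneLifetimeDays
    # one row per destination DC / naming context / inbound partner
    $rows = & repadmin.exe /showrepl '*' /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        $stamp = $r.'Last Success Time'
        if (-not $stamp) { continue }
        try { $last = [datetime]$stamp } catch { continue }   # "(never)" or similar: skip
        $age = ((Get-Date) - $last).TotalDays
        $status = 'ok'
        if ($age -ge $tsl)                             { $status = 'PAST TOMBSTONE LIFETIME' }
        elseif ($age -ge $tsl * $WarnAtPercent / 100)  { $status = 'warning' }
        New-Object PSObject -Property @{
            Destination = $r.'Destination DSA'
            Source      = $r.'Source DSA'
            NamingCtx   = $r.'Naming Context'
            DaysSinceOk = [math]::Round($age, 1)
            Failures    = $r.'Number of Failures'
            Status      = $status
        }
    }
}

$tsl = Get-TombstoneLifetimeDays
Write-Host "Tombstone lifetime in this forest: $tsl days"
Get-ReplicationAge | Where-Object { $_.Status -ne 'ok' } |
    Sort-Object DaysSinceOk -Descending |
    Format-Table Destination, Source, NamingCtx, DaysSinceOk, Failures, Status -AutoSize
```

A partner that is already past the limit should not be allowed to replicate again; the post's re-baseline and forced removal is the right answer for that DC. For the healthy DCs that replicated with it before it went dark, repadmin's /removelingeringobjects switch with /advisory_mode reports suspect objects without deleting anything, which is the safe first step before any cleanup.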

One of the nice features in Windows 2008 is the ability to turn on the "Protect object from accidental deletion" option; you need to click View and turn on Advanced Features to see it.

This is a great and smart option in my opinion, and it will prevent mistakes if this attribute is turned on. If an administrator still deletes an object while this attribute is turned on (by unselecting the protection first), that is no longer a mistake but an intentional effort, in my opinion.

Before this, if we had to achieve the same result we needed to go to the top of the domain and add Everyone to the security permissions for this object and all child objects, and deny Delete and Delete Subtree, as explained in the article below.
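The checkbox and the older manual method are the same ACE: a Deny for Everyone covering Delete and Delete Subtree on the object. The functions below are an added example (not from the original post) that read and set that ACE through ADSI, so the protection can be audited or applied in bulk, and applied on 2003 domains that do not have the checkbox. The -Inherit switch reproduces the page's "this object and all child objects" variant; without it the ACE applies to the object only, as the 2008 checkbox does. It assumes PowerShell 2.0 and the right to modify the object's security descriptor; the DN is a placeholder.

```powershell
# Added example, not from the original post. Reads/sets the Deny Delete + DeleteTree ACE for Everyone
# that "Protect object from accidental deletion" stands for. Assumes PS 2.0 and write access to the ACL.
$EveryoneSid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$ProtectRights = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'

function Test-ProtectedFromDeletion {
    param([string]$Dn)
    $obj = [ADSI]"LDAP://$Dn"
    # explicit ACEs only (no inherited ones), identities as SIDs so the check is language-independent
    foreach ($ace in $obj.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -eq 'Deny' -and $ace.IdentityReference.Value -eq $EveryoneSid.Value -and
            (([int]$ace.ActiveDirectoryRights -band [int]$ProtectRights) -eq [int]$ProtectRights)) {
            return $true
        }
    }
    return $false
}

function Set-ProtectedFromDeletion {
    param([string]$Dn, [bool]$Protect = $true, [switch]$Inherit)
    $obj = [ADSI]"LDAP://$Dn"
    $scope = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None        # the 2008 checkbox: this object only
    if ($Inherit) { $scope = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All }   # the post's 2003 method
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $EveryoneSid, $ProtectRights, [System.Security.AccessControl.AccessControlType]::Deny, $scope)
    if ($Protect) { $obj.ObjectSecurity.AddAccessRule($rule) }
    else          { $obj.ObjectSecurity.RemoveAccessRule($rule) | Out-Null }
    $obj.CommitChanges()
    Test-ProtectedFromDeletion -Dn $Dn
}

# usage: audit every OU in the domain and protect the ones that are not yet protected (placeholder DN)
$domainDn = 'DC=contoso,DC=com'
$search = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
$search.Filter = '(objectClass=organizationalUnit)'
foreach ($r in $search.FindAll()) {
    $dn = $r.GetDirectoryEntry().distinguishedName
    if (-not (Test-ProtectedFromDeletion -Dn $dn)) { Write-Host "protecting $dn"; Set-ProtectedFromDeletion -Dn $dn | Out-Null }
}
```

Unprotecting before an intended deletion is `Set-ProtectedFromDeletion -Dn $dn -Protect $false`, which is exactly the "unselect the protection first" step the post describes; the deny ACE is what turns a slip of the mouse into a deliberate two-step action.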





Sunday, October 5, 2008

What has changed in Windows 2008 with DCPROMO?

DCPROMO is the process of promoting a server to become a domain controller, and it can be run from the GUI or a CMD window. The question is what has changed in Windows 2008 when we perform DCPromo; here is a little summary. The .DIT database is still a partitioned database, and seeing the .DIT with MMC 3.0 looks nice, but there are no big or major changes to the structure of the database.

Making the DC a GC is now integrated into the wizard as well; in the old days we had to go to Sites and Services, find the DC, open the NTDS Settings properties, and the checkmark was hidden there. This is no longer the case with the new DCPromo. Replication is over the network or from media (IFM), which can reduce network traffic (network connectivity is still needed).

The new ntdsutil ifm subcommand is also recommended because you can use it to remove secrets, such as passwords, from the AD DS database so that you can install a read-only domain controller (RODC). When you remove these secrets, the RODC installation media is more secure if it must be transported to a branch office for an RODC installation.

Finally, the installation path for the .DIT database: the best practice is to keep the .DIT and SYSVOL together and place the logs on separate hard disk spindles, most likely in a RAID 0+1 configuration.

When you install Active Directory Domain Services (AD DS), you specify where the Active Directory database, log files, and the SYSVOL shared folder will be placed on the server. The database stores information about the users, computers, and other objects on the network. The log files record activities that are related to AD DS, such as information about an object being updated. SYSVOL stores Group Policy objects and scripts. By default, SYSVOL is part of the operating system files in the %windir% directory.

Finally, export settings is a very nice feature that can be used to automate future installations.

What is new in ADDS



Friday, October 3, 2008

Task Scheduler in windows 2008

Windows 2008 has introduced many new features that make administration easy. For the very first time in Windows history, getting some of the necessary basic administration tasks done is not complicated anymore. I am sure many of you always wanted to know, or be notified, if changes have been made on your Exchange server or domain controller. The way we have been finding this out so far is that another domain admin breaks certain stuff and we get notice after the damage is done. Consider a big environment where many people have domain admin rights for some unknown reason.

Anyway, the short story is that Windows 2008 is very smart, and I am sure you will enjoy it more as you get to know it.

Domain administrators log on to Active Directory domain controllers, Exchange servers and any other application servers, and they might be making changes. We have no way of knowing when they log in, or whether they are using a service account to log in to do certain things, which is not acceptable under corporate security policy.

The domain administrator with user name zz-JTucker keeps logging onto servers (because he is a domain admin (-: ), and we don't want him to change things on our servers, or we want to know as soon as he logs on to one of them.

We would like to take a smart approach: we want to know when a certain user or group logs on to critical Windows 2008 servers.

We want an automatic e-mail sent to us when this event occurs, and we want to run a certain script at the same time, based on our needs.

Once we establish some basic configuration we can extend this based on our needs.

A user named Mike (or a group) is one of the domain admins and we don't want Mike to log onto our servers, or when Mike logs in we want to get notified.

We also want to monitor some activities or even event logs, such as NTFRS issues, any SYSVOL replication issues, any DNS issues, or any other event logs that might be useful to you.


Log into one of your Windows 2008 servers

  • Click Start, go to Run
  • Type "taskschd.msc"
  • Expand Task Scheduler, expand Microsoft, Windows, and in the right pane click New Folder and name the folder "AD Alert"

Now we have the folder and we will create the scheduled job. Click Create Task and name it "AD-Alert user logged in".

Under "When running the task, use the following user account" you may want to change this to the user account that is going to be used for this purpose. I have created a user account in my domain named "svc-Alert" for all scheduled tasks I will be creating going forward.

Click Triggers and click New; under "Begin the task" pick "At log on", choose "Specific user or group", click Change User, pick the account "zz-JTucker" (John Tucker is a domain administrator) and click OK.

Click Actions, click New, and in the Action menu pick "Send an e-mail". Fill out all required fields, such as the From and To addresses (the To address is a DL I created and I am a member of) and the relay server FQDN. Make sure you can open telnet from this server to the relay server and see a 220 banner.

Click OK. The last thing you want to do is right-click the task, go to Properties and select "Hidden" for this task.

Now whenever the user zz-JTucker logs on, you will get a warning e-mail letting you know. You can also right-click and select Run to test the scheduled job.

In the second part we will look into how to present a disclaimer to the user during the logon process.
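Clicking through the GUI on every critical server is where this gets inconsistent. The script below is an added example (not from the original post) that builds the same task from a script: it writes the Task Scheduler XML the GUI steps above produce (a logon trigger for one account, a Send e-mail action, the Hidden setting) and registers it with schtasks.exe under the service account. It assumes Windows Server 2008, PowerShell 2.0, an SMTP relay that accepts mail from the server (the post's telnet 220 check), and the placeholder account, relay and address names below; the element names are those of the task scheduler XML schema, which is not on the page.

```powershell
# Added example, not from the original post. Registers the "AD-Alert user logged in" task from XML.
# Assumes Server 2008, PS 2.0, schtasks.exe, and an SMTP relay reachable from this server.
param(
    [string]$WatchedUser = 'CONTOSO\zz-JTucker',            # account whose logon fires the alert (placeholder domain)
    [string]$RunAs       = 'CONTOSO\svc-Alert',             # the post's dedicated task account
    [string]$SmtpServer  = 'relay.contoso.com',             # placeholder relay FQDN
    [string]$From        = 'ad-alert@contoso.com',          # placeholder
    [string]$To          = 'server-admins@contoso.com',     # placeholder DL
    [string]$TaskPath    = '\AD Alert\AD-Alert user logged in'
)

function New-LogonAlertTaskXml {
    param([string]$WatchedUser, [string]$RunAs, [string]$SmtpServer, [string]$From, [string]$To)
    $server = $env:COMPUTERNAME
    # same elements the GUI writes when you use Export... on a task built by hand
@"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>$WatchedUser</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>$RunAs</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <SendEmail>
      <Server>$SmtpServer</Server>
      <Subject>AD alert: $WatchedUser logged on to $server</Subject>
      <To>$To</To>
      <From>$From</From>
      <Body>The logon trigger for $WatchedUser fired on $server. Check the Security log on that server for the matching logon event.</Body>
    </SendEmail>
  </Actions>
</Task>
"@
}

function Register-LogonAlertTask {
    param([string]$Xml, [string]$TaskPath, [string]$RunAs)
    $file = Join-Path $env:TEMP 'ad-alert-task.xml'
    Set-Content -Path $file -Value $Xml -Encoding Unicode      # matches the UTF-16 declaration
    # /RP * makes schtasks prompt for the service account password instead of taking it on the command line;
    # /F replaces an existing task of the same name so re-running the script is idempotent
    & schtasks.exe /Create /TN $TaskPath /XML $file /RU $RunAs /RP '*' /F
    Remove-Item $file
    return ($LASTEXITCODE -eq 0)
}

$xml = New-LogonAlertTaskXml -WatchedUser $WatchedUser -RunAs $RunAs -SmtpServer $SmtpServer -From $From -To $To
if (Register-LogonAlertTask -Xml $xml -TaskPath $TaskPath -RunAs $RunAs) {
    & schtasks.exe /Query /TN $TaskPath /V /FO LIST     # shows the trigger, the action and the Hidden flag
}
```

Run it on each server you care about with the same parameters and every box alerts identically; `schtasks /Run /TN "\AD Alert\AD-Alert user logged in"` is the scripted version of the post's right-click, Run test. The e-mail only goes out if the relay accepts mail from the server unauthenticated, which is why the post's telnet check to port 25 comes first.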
