Saturday, April 16, 2011

Cannot remove Mail Box, receiving, Active Directory operation failed on VMdc2.smtp25.internal. This error is not retriable. Additional information: Access is denied.

 

Problem:

Unable to remove a user mailbox, even though you have sufficient rights.

Microsoft Exchange Error
Action 'Remove' could not be performed on object 'Jeff Bakin'.

Jeff Bakin                                                                             
Failed
Error:
Active Directory operation failed on VMdc2.smtp25.internal. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031520B2, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

The user has insufficient access rights.

OK                                                                                         


Solution:

  • Log into your domain controller and follow the steps below.
  • Click Start and type ADUC.msc (Active Directory Users and Computers).
  • On the View menu, enable Advanced Features, open the user's properties, click the Object tab and clear the check box that says “Protect object from accidental deletion”.
  • Try to delete again; you should be fine.


Respectfully,
Oz Casey, Dedeal

MVP Exchange Server
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Tuesday, April 12, 2011

Microsoft.PowerShell_profile.ps1 cannot be loaded….

If you have launched PowerShell and are receiving the following error, here is a quick tip on how to fix it.

Problem: After launching PowerShell, you receive an error like: Microsoft.PowerShell_profile.ps1 cannot be loaded….

Solution: Open PowerShell and run the following commands. First check the current policy:

PS C:\Windows\System32> Get-ExecutionPolicy

Run the command below with elevated privileges (as Administrator):

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Then confirm the policy at each scope:

Get-ExecutionPolicy -List

Running Scripts From Within Windows PowerShell
http://technet.microsoft.com/en-us/library/ee176949.aspx
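Added example (not from the original post): the same fix, but scoped more narrowly than the machine-wide Unrestricted setting the post uses. It assumes PowerShell 2.0 or later and that $PROFILE points at the Microsoft.PowerShell_profile.ps1 named in the error; the Unblock-File step needs PowerShell 3.0 or later.

```powershell
# Added example, not the author's commands. Assumes PowerShell 2.0+ on Windows and
# that $PROFILE is the Microsoft.PowerShell_profile.ps1 from the error message.

# 1. See which scope is actually blocking the profile. The effective policy is the
#    first non-Undefined entry from the top: MachinePolicy and UserPolicy (set by
#    GPO) win over anything you set locally, so a GPO-set Restricted cannot be
#    overridden with Set-ExecutionPolicy at all.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Weak setting from the post (machine-wide, runs anything, needs elevation):
#    Set-ExecutionPolicy -ExecutionPolicy Unrestricted
#
#    Narrower setting that still lets a local, unsigned profile load: local scripts
#    run, scripts that carry the "downloaded from the internet" zone marker must be
#    signed. Scoping it to CurrentUser also avoids the elevated prompt.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# 3. If the profile was copied from another machine it may still carry the internet
#    zone marker and be refused under RemoteSigned. Clear the marker on that one file
#    instead of loosening the policy (PowerShell 3.0+ only).
if (Get-Command Unblock-File -ErrorAction SilentlyContinue) {
    Unblock-File -Path $PROFILE
}

# 4. Signature status of the profile (NotSigned is normal for a hand-written profile).
Get-AuthenticodeSignature -FilePath $PROFILE | Select-Object Status, StatusMessage

# 5. Dot-source the profile to confirm it now loads without the error.
. $PROFILE
```

Check the -List output first: if the block comes from the MachinePolicy or UserPolicy scope, the fix belongs in Group Policy, and the local Set-ExecutionPolicy call will report that it succeeded while changing nothing about the effective policy.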

Respectfully,
Oz Casey, Dedeal

MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Thursday, April 7, 2011

Login Failed for user The user associated with a trusted SQL Server connection ( Microsoft SQL Server Errors : 18452)

 

Issue: SharePoint (SP) servers are receiving the following error: “Login Failed for user The user associated with a trusted SQL Server connection (Microsoft SQL Server Errors: 18452)”

Postmortem:

The SPN record in DNS for the SharePoint service account had issues, and for some reason the SP server could not get the SPN record for authentication, so the errors below were generated.

 


Possible solution: there can be several different reasons why this generic event occurs; the tools used in this example (listed below) are important for capturing any authentication issue that may be causing the problem.

Find out which DC is not honoring the SPN record in question. Run SSPIClient.exe and check the output; see below.


You may have to fire up ADSIedit and check the SPN entry for the SP service account. If you remove the SPN entries, authentication should fall back to NTLM and things should work fine. If so, add the SPN value back and check to make sure the domain controller that SP is complaining about has valid Kerberos and CNAME records under DNS _msdcs. Remember these records are created dynamically: when a DC reboots it registers these records in the DNS database so that the DC can offer these services to its clients. Check the TCP/IP configuration on the DC to confirm which DNS server the DC is configured to talk to. If the DC is configured to point to itself and is running AD-integrated DNS, try pointing it to another DC in a different AD site, then flush DNS and re-register with the following commands:

  • IPconfig /FlushDNS
  • IPConfig /RegisterDNS
  • Also re-start Netlogon service on the domain controller and try to authenticate once more.

Tools used:
SSPIClient.exe: Security Support Provider Interface client. Tracks the authentication process and generates a log.

Kerblist.exe: CLI tool. Resets (purges) the Kerberos cache and lists the cached Kerberos tickets. A reboot of any server effectively executes the purge on that server.

Adsiedit.msc: Standard AD tool. Used to edit the SPN record of the svc-intra.sql account.

Event logs: Standard Windows tool for log analysis.
Network Monitor (NetMon): Captures network packets on the Windows platform (not used here).
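The SPN checks described above, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) and setspn.exe on the machine you run it from; the account name svc-intra.sql comes from the post, while the SPN string and host names are placeholders to replace with your own.

```powershell
# Added example, not the author's script. Assumes the ActiveDirectory module and
# setspn.exe. svc-intra.sql is the post's service account; the SPN is a placeholder.
Import-Module ActiveDirectory

$svcAccount = 'svc-intra.sql'
$spn        = 'MSSQLSvc/sqlhost.yourdomain.local:1433'   # placeholder SPN

# 1. Which SPNs are registered on the service account right now?
Get-ADUser -Identity $svcAccount -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName

# 2. A duplicate SPN (the same value on two accounts) is a classic cause of 18452:
#    the KDC cannot pick a single key for the ticket, so Kerberos fails and the
#    client is left with an anonymous/failed trusted connection. Search the forest.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
if ($holders.Count -gt 1) {
    Write-Warning ("Duplicate SPN {0} on: {1}" -f $spn, ($holders.DistinguishedName -join '; '))
}
# setspn -X (Windows Server 2008+) runs the same duplicate scan for every SPN.
setspn.exe -X

# 3. Check each DC individually: the DC the SP server happens to bind to may not
#    have replicated the SPN yet, which is what "which DC is not honoring the SPN"
#    in the post is about.
foreach ($dc in (Get-ADDomainController -Filter *)) {
    $acct = Get-ADUser -Identity $svcAccount -Server $dc.HostName -Properties servicePrincipalName
    "{0,-40} SPN present: {1}" -f $dc.HostName, ($acct.servicePrincipalName -contains $spn)
}

# 4. On the SharePoint server: purge cached tickets (klist.exe is built into
#    Windows 7 / Server 2008 R2; older systems use the resource-kit tools the post
#    lists), then flush and re-register DNS exactly as the post does, and retry.
klist purge
ipconfig /flushdns
ipconfig /registerdns
```

Run step 3 before touching the SPN in ADSIedit: if one DC reports the SPN missing while the others have it, the problem is replication or DNS pointing at a stale DC, not the SPN value itself, and removing the SPN would only mask that by forcing NTLM.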

Respectfully,
Oz Casey, Dedeal

MVP Exchange Server
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Monday, April 4, 2011

Rename Local Admin account and Reset password on your Domain.

 

Issue: Let's suppose there have been some security concerns in your company and you are asked to rename the local Administrator account and change its password on all your workstations. We will get the work done via GPO.

Solution: Create a GPO and apply it to all workstations in your forest/domain.

On the domain controller, click Start and type gpmc.msc.

Expand Group Policy Objects, create a new GPO and give it a name. In this example we will use “Rename_Local_Admin_reset Password”.

image

Click Edit and navigate to:

  • User Configuration
  • Preferences
  • Control Panel

Choose New Local User and modify the options the way you want them. Here we are updating the existing local Administrator account with our selection.

Now apply the GPO to all computers.

Here is the result from a local PC, before and after the GPO was applied.

From a workstation, if you want to see the results right away, run:

gpupdate /force
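Verifying the result on a workstation, as an added example that is not part of the original post. It assumes PowerShell 2.0 or later on a domain-joined workstation; the new account name 'CorpAdmin' is a placeholder for whatever you typed into the GPP item. The built-in account is located by its well-known RID (500) rather than by name, since the name is exactly what the GPO changed.

```powershell
# Added example, not the author's script. Assumes PowerShell 2.0+ on a workstation
# that has already run "gpupdate /force". 'CorpAdmin' is a placeholder name.

# The built-in administrator always has RID 500 in the machine SID, whatever it is
# called, so this finds it after the rename without knowing the new name.
function Get-BuiltinAdminAccount {
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }
}

# Reports whether the rename took effect and whether the password was set recently
# (PasswordAge is seconds since the last change, read through the WinNT provider).
function Test-LocalAdminReset {
    param(
        [string]$ExpectedName,
        [int]$MaxPasswordAgeSeconds = 3600
    )
    $admin = Get-BuiltinAdminAccount
    $adsi  = [ADSI]"WinNT://$env:COMPUTERNAME/$($admin.Name),user"
    $ageSeconds = [int]$adsi.PasswordAge.Value
    New-Object PSObject -Property @{
        ComputerName       = $env:COMPUTERNAME
        CurrentName        = $admin.Name
        Renamed            = ($admin.Name -eq $ExpectedName)
        Disabled           = $admin.Disabled
        PasswordAgeSeconds = $ageSeconds
        ResetRecently      = ($ageSeconds -le $MaxPasswordAgeSeconds)
    }
}

gpupdate /force | Out-Null
Test-LocalAdminReset -ExpectedName 'CorpAdmin' | Format-List
```

One caveat worth knowing when you use this GPP item for the password: the value is stored in the GPO's XML under SYSVOL, which every domain user can read, and Microsoft later removed the password fields from Group Policy Preferences for that reason (security update MS14-025, 2014). The rename part of this post still works as described; for the password, the supported replacement is a per-machine solution such as LAPS.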

Respectfully,
Oz Casey, Dedeal

MVP Exchange Server
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Friday, April 1, 2011

OFFICE 365 first look to Admin Console

Office 365 is coming up soon, and many of its features look pretty good.

The admin overview in the top left corner lists the important tasks to get your company going. Under Setup, clicking Overview brings you to a really nice page with many useful links. As an administrator I believe you will find the console user friendly and easy to navigate.

The entire idea behind Office 365 is to let admins stop worrying about their servers as far as server maintenance goes, and to give them a useful GUI to get their daily work done managing their environment. At the same time the user experience is expected to be very enjoyable: the same services offered today on premises are moved to cloud-based usage.

I truly believe most businesses, where they have enough bandwidth and stability, will enjoy such services being offered by cloud-based systems.

 

The entire cloud experience comes armed with many resources, including videos and articles, and they are only clicks away for admins after they log into their company management page.


I will post more here on my blog as I get more information about Office 365. If you have any questions, please post them here; I will be glad to get them answered for you.

Respectfully,
Oz Casey, Dedeal

MVP Exchange Server
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Raise the Forest & Domain functional level Win2008

If you need to raise the FFL and DFL and you are worried about breaking things, here are a couple of suggestions and a bit more breakdown for a better understanding of domain and forest functional levels.

Problems that may arise: make sure you do not have any NT 4.0, Windows 2000 or Windows 2003 domain controllers in your environment. If you do, worst case you can move the services on these DCs to Windows 2008 DCs and get them out of Active Directory, peacefully or forcefully.


Remember: raising the domain and forest functional levels is a one-way task. Once it has been done, going back is not supported, short of rebuilding the domain or forest or restoring it from a backup!!!


What to watch out for: in reality, raising the DFL and FFL is a DC-to-DC task and there should be no, or only rare, application dependencies on performing it. As always, if you are seriously concerned and not sure, build a lab environment with the problem application and test your scenario to make sure you are not going to introduce additional problems. Remember: if you need to go back, you have to restore your entire forest/domain from backup, which will be the biggest nightmare ever (-:
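The pre-check described above, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module on a Windows Server 2008 R2 DC (or RSAT) and Enterprise Admin rights. It lists every DC in the forest with its operating system, flags anything older than Windows Server 2008, and only shows (with -WhatIf) the commands that would raise the levels when nothing is flagged; the switch stays in until you remove it yourself.

```powershell
# Added example, not the author's script. Assumes the ActiveDirectory module on a
# Windows Server 2008 R2 DC or RSAT, run as Enterprise Admin. Nothing is changed
# while -WhatIf is present on the two Set-* calls.
Import-Module ActiveDirectory

# Every DC in every domain of the forest with its OS. NT 4.0, 2000 and 2003 DCs
# block the Windows Server 2008 level and must be demoted (or metadata-cleaned)
# first. The pattern matches "Windows Server 2008" and "Windows Server 2008 R2";
# widen it if you later add 2012 or newer DCs.
function Get-LegacyDomainControllers {
    foreach ($dom in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $dom |
            Where-Object { $_.OperatingSystem -notmatch 'Windows Server 2008' } |
            Select-Object HostName, Domain, Site, OperatingSystem
    }
}

# Current forest and domain levels, for the record before you change anything.
function Get-FunctionalLevels {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    New-Object PSObject -Property @{
        Forest     = $forest.Name
        ForestMode = $forest.ForestMode
        Domain     = $domain.DNSRoot
        DomainMode = $domain.DomainMode
    }
}

Get-FunctionalLevels | Format-List

$legacy = @(Get-LegacyDomainControllers)
if ($legacy.Count -gt 0) {
    Write-Warning 'Demote or forcibly remove these DCs before raising the level:'
    $legacy | Format-Table -AutoSize
}
else {
    # Domain first, then forest: the forest level can never exceed the lowest
    # domain level, so raising the forest first fails while any domain lags behind.
    Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2008Domain -WhatIf
    Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2008Forest -WhatIf
}
```

A DC that was switched off without being demoted still shows up in this list, because its NTDS Settings object is still in the directory, and it blocks the raise just like a live one; that is the "forcefully" case in the post, handled with ntdsutil metadata cleanup before you rerun the check.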


Upgrading functional levels in a new Windows Server 2008 forest

When you install the first domain controller in a new Windows Server 2008 forest, functional levels are set by default to the following levels, and they remain at these levels until you raise them manually:

  • Windows 2000 native domain functional level
  • Windows 2000 forest functional level

Functional levels are set at these default levels to give you the option of adding Windows Server 2003–based domain controllers to your new Windows Server 2008 R2 forest. After you create a forest root domain, the domain functional level for each domain that you add to the Windows Server 2008 R2 forest is set to Windows Server 2003. However, if you want all domain controllers in your new Windows Server 2008 R2 environment to run Windows Server 2008 R2, set the forest functional level, and then the domain functional level, to Windows Server 2008 R2 when you install the first domain controller in your forest. Doing this saves time and enables all forest-level and domain-level features in Windows Server 2008 R2.

 

Windows Server 2008

All of the default AD DS features, all of the features from the Windows Server 2003 domain functional level, and the following features are available:

  • Distributed File System (DFS) replication support for the Windows Server 2003 System Volume (SYSVOL)
    DFS replication support provides more robust and detailed replication of SYSVOL contents.
  • Some Access Based Enumeration (ABE) functionality on DFS File servers that run Windows Server 2008.
    AD DS is not required for standalone DFS namespaces to support ABE. But for domain-based namespaces, use the Windows Server 2008 mode namespace, which requires the following:
    • Windows Server 2003 forest functional level
    • Windows Server 2008 domain functional level
    For more information, see Choose a Namespace Type (http://go.microsoft.com/fwlink/?LinkId=180400).
  • Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol
  • Last Interactive Logon Information
    Last Interactive Logon Information displays the following information:
    • The total number of failed logon attempts at a domain-joined Windows Server 2008 server or a Windows Vista workstation
    • The total number of failed logon attempts after a successful logon to a Windows Server 2008 server or a Windows Vista workstation
    • The time of the last failed logon attempt at a Windows Server 2008 or a Windows Vista workstation
    • The time of the last successful logon attempt at a Windows Server 2008 server or a Windows Vista workstation
    For more information, see Active Directory Domain Services: Last Interactive Logon (http://go.microsoft.com/fwlink/?LinkId=180387).
  • Fine-grained password policies
    Fine-grained password policies make it possible for you to specify password and account lockout policies for users and global security groups in a domain. For more information, see Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration (http://go.microsoft.com/fwlink/?LinkID=91477).
  • Personal Virtual Desktops
    To use the added functionality provided by the Personal Virtual Desktop tab in the User Account Properties dialog box in Active Directory Users and Computers, your AD DS schema must be extended for Windows Server 2008 R2 (schema object version = 47). For more information, see Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=183552).

 

Windows Server 2008 R2

All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus the following features:

  • Authentication mechanism assurance, which packages information about the type of logon method (smart card or user name/password) that is used to authenticate domain users inside each user’s Kerberos token. When this feature is enabled in a network environment that has deployed a federated identity management infrastructure, such as Active Directory Federation Services (AD FS), the information in the token can then be extracted whenever a user attempts to access any claims-aware application that has been developed to determine authorization based on a user’s logon method.
  • Automatic SPN management for services running on a particular computer under the context of a Managed Service Account when the name or DNS host name of the machine account changes. For more information about Managed Service Accounts, see Service Accounts Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=180401).

Respectfully,
Oz Casey, Dedeal

MVP Exchange Server
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

The Network operation failed because active directory domain service could not configure the computer account ServerName$ on the remote active directory domain controller RemoteDCName.yourDomain.local “Access Denied”

 

Problem: When you run DCPromo you receive the following error: The Network operation failed because active directory domain service could not configure the computer account ServerName$ on the remote active directory domain controller RemoteDCName.yourDomain.local “Access Denied”


Solution:

Open ADUC.msc on the remote DC the complaint is coming from. In the Find Objects snap-in, click the drop-down menu and change the query to “Computers”.

 


Find the computer object, click on the Object tab and clear the option that says “Protect object from accidental deletion”.

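The same check box from PowerShell, as an added example that is not part of this post or of the mailbox-removal post above (April 16), both of which hit the same setting: on the user object behind a mailbox there, on the computer account ServerName$ here. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT); 'jbakin' and 'ServerName$' are placeholder sAMAccountNames.

```powershell
# Added example, not the author's script. Assumes the ActiveDirectory module.
# 'jbakin' and 'ServerName$' are placeholder account names.
Import-Module ActiveDirectory

# "Protect object from accidental deletion" is nothing more than an explicit Deny
# ACE for Everyone on Delete and Delete Subtree. Explicit Deny beats any Allow, so
# even a Domain Admin gets 00000005 / INSUFF_ACCESS_RIGHTS (problem 4003) until the
# ACE is removed. This shows the flag and the ACE side by side for any object.
function Get-DeletionProtection {
    param([string]$SamAccountName)
    $obj = Get-ADObject -LDAPFilter ("(sAMAccountName={0})" -f $SamAccountName) `
                        -Properties ProtectedFromAccidentalDeletion
    if (-not $obj) { throw "No object with sAMAccountName $SamAccountName" }
    $denyAces = (Get-Acl -Path "AD:\$($obj.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       $_.IdentityReference -eq 'Everyone' -and
                       $_.ActiveDirectoryRights -match 'Delete' }
    New-Object PSObject -Property @{
        DistinguishedName = $obj.DistinguishedName
        ObjectClass       = $obj.ObjectClass
        Protected         = $obj.ProtectedFromAccidentalDeletion
        DenyDeleteAces    = @($denyAces).Count
    }
}

# Clears or re-applies the protection; re-applying is the part the GUI route
# tends to forget once dcpromo has succeeded.
function Set-DeletionProtection {
    param([string]$SamAccountName, [bool]$Enabled)
    $obj = Get-ADObject -LDAPFilter ("(sAMAccountName={0})" -f $SamAccountName)
    Set-ADObject -Identity $obj -ProtectedFromAccidentalDeletion $Enabled
}

# Mailbox post: the user behind the mailbox. After clearing, run Remove-Mailbox
# from the Exchange Management Shell; the object is gone afterwards, so there is
# nothing to re-protect.
Get-DeletionProtection -SamAccountName 'jbakin'
Set-DeletionProtection -SamAccountName 'jbakin' -Enabled $false

# This post: the computer account dcpromo cannot configure (note the trailing $).
# Clear it, rerun dcpromo, then put the protection back on the new DC's account.
Get-DeletionProtection -SamAccountName 'ServerName$'
Set-DeletionProtection -SamAccountName 'ServerName$' -Enabled $false
# ... rerun dcpromo here ...
Set-DeletionProtection -SamAccountName 'ServerName$' -Enabled $true
```

Get-DeletionProtection is also a cheap audit: running it over the accounts you expect to be protected (service accounts, DC computer objects, admin groups) and looking for Protected = False catches the cases where someone cleared the box for a one-off task and never restored it.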

Respectfully,
Oz Casey, Dedeal

MVP Exchange Server
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Exchange 2010: some new cool features

The Exchange team has published an article announcing some cool features coming soon. In a nutshell, the features are……………….


  • OWA Automobile Edition: Exchange team and a major US automaker will soon announce OWA integration into new line of cars to maximize end-user productivity. Car windshields are to be replaced with LCDs (who needs windshields anyway?) Additionally, when it's time for oil change, you will get a reminder popup.
  • Exchange Configuration: Due to long-lasting popularity of public folders, we are making required engineering changes to store Exchange configuration data in public folders, rather than Active Directory. We are now working through seemingly paradox fact that in order to read that configuration, public folder database needs to be mounted; which requires configuration to be read in the first place. From public folders... which are not mounted... because configuration is not accessible, as the folders are not up at the time. Anyway, we are sure we'll figure it out by SP2 RU1

Read more

Respectfully,
Oz Casey, Dedeal

MVP Exchange Server
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)