How to look up a user’s current Active-Directory site

Posted on March 13, 2013

Curious what site you're in?

nltest /dsgetsite

Windows Domain DFS namespace – access is denied using domain FQDN, access allowed using server UNC paths directly

Posted on November 5, 2012

This was easily one of the most frustrating and ridiculous fun times I've had working with DFS.

The issue: At several client locations we provide file server redundancy with (2) DFSR servers: a shared domain namespace with replicated folders, so the shares stay online if a server is offline for planned or unplanned good times. Within group-policy, we map folder redirection to a namespace path:

  • "documents" -> "\\domain.com\users\username\documents"
  • "desktop" -> "\\domain.com\users\username\desktop"
  • ......

By referencing the namespace, clients are redirected when server A or B is offline. This should NOT be used in WAN deployments; on a LAN the links are fast and therefore replication is fast. Initially the DFS issue was identified when drives mapped to the namespace were missing. Within the client event logs, we saw "access denied" errors associated with these drive letters.

What we checked and verified:

  • Problematic client stations could not connect to "\\domain.com\dfsroot"  (access denied)
  • Problematic client stations could not connect to "\\domain\dfsroot" (access denied)
  • Problematic client stations could connect to "\\serverA\dfsroot"
  • Problematic client stations could connect to "\\serverB\dfsroot"
  • Permissions on the shares for the DFS Root folder were correctly set to "everyone" with read/write
  • Each of these systems was removed and rejoined to the domain [no success]
  • The local profiles were completely removed from the local systems (file system and registry) and logged back in [no success]
  • Security suites were removed [no success]
  • Each user was tested on working machines and had no issues obtaining the right drives

The culprit: 

  • When we disabled the 'offline files' component and rebooted -> "\\domain.com\dfsroot" was immediately accessible

We ultimately came to this conclusion:

The offline file cache was corrupt. When offline files are disabled, the system accesses the namespace location directly without issue. This confirms a reference to the namespace is clearly saved within offline file cache. If the cache is corrupt you end up with "Access is Denied". Another quick way to determine if the issue is corrupt cache is to simply try and access the DFS root UNC paths on each server. If you can browse the contents when bypassing the shared namespace path, and this user has no issues on other domain PCs, then it's not permissions.

The Fix:

1) Disable offline files

Control Panel -> Sync Center -> Manage Offline Files -> Disable Offline Files

2) Clear the offline file cache

This sets a temporary registry entry which is read on start-up and runs the cache wipe.
Elevated Command Prompt -> "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Csc\Parameters /v FormatDatabase /t REG_DWORD /d 1 /f"

3) Reboot

You must reboot to successfully wipe the offline file cache

4) Test the namespace path -> "\\domain.com\dfsroot"

If you can now browse the namespace contents, you can optionally re-enable Offline Files.
We understand the Offline Files component is critical to road warriors. You should be safe to re-enable it and reboot.

Control Panel -> Sync Center -> Manage Offline Files -> Enable Offline Files -> Reboot

After you log back in, check that you can still access the namespace path "\\domain.com\dfsroot" after you run a forced sync. If there are still issues, I recommend you follow the steps we initially took "What we checked and verified:" and repeat this fix.
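The triage described above (namespace path versus the direct server paths) and the registry flag from step 2, as an added PowerShell example that is not part of the original post. It assumes Windows PowerShell 3.0 or later; the UNC paths are the placeholders used in this post, and the function names and the $ResetCache switch are made up for the example.

```powershell
# Added example: triage for the "access denied on the namespace" symptom.
# The three UNC paths are the placeholders used in this post; replace them.
$Namespace   = '\\domain.com\dfsroot'
$DirectRoots = @('\\serverA\dfsroot', '\\serverB\dfsroot')
$ResetCache  = $false   # set to $true (elevated prompt) to apply step 2

function Test-UncBrowse {
    param([string]$Path)
    # List the folder instead of calling Test-Path, so an "access denied"
    # is reported as such rather than as a plain $false.
    try {
        Get-ChildItem -LiteralPath $Path -ErrorAction Stop | Out-Null
        'OK'
    } catch {
        '{0}: {1}' -f $_.Exception.GetType().Name, $_.Exception.Message
    }
}

function Set-CscCacheReset {
    # Same effect as the reg add command in step 2: a one-shot flag that is
    # read at start-up and wipes the Offline Files cache.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Csc\Parameters'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name FormatDatabase -PropertyType DWord -Value 1 -Force | Out-Null
}

$results = foreach ($path in @($Namespace) + $DirectRoots) {
    [pscustomobject]@{ Path = $path; Result = Test-UncBrowse $path }
}
$results | Format-Table -AutoSize | Out-String

$namespaceFails = ($results | Where-Object { $_.Path -eq $Namespace }).Result -ne 'OK'
$directFailures = @($results | Where-Object { $_.Path -ne $Namespace -and $_.Result -ne 'OK' })

# Current Offline Files state (WMI class present on Windows Vista and later).
$csc = Get-WmiObject -Class Win32_OfflineFilesCache -ErrorAction SilentlyContinue
if ($csc) { "Offline Files enabled: $($csc.Enabled), active: $($csc.Active)" }

if ($namespaceFails -and $directFailures.Count -eq 0) {
    'Namespace fails but every server root works: consistent with a corrupt Offline Files cache.'
    if ($ResetCache) {
        Set-CscCacheReset
        'FormatDatabase flag set. Reboot to wipe the cache, then retest the namespace path.'
    }
} elseif ($namespaceFails) {
    'Namespace and at least one server root fail: check permissions and connectivity first.'
} else {
    'Namespace path is browsable from this machine.'
}
```

Run it as the affected user on the affected station; the same user working on another domain PC is the other half of the check and has to be confirmed by hand.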

Good luck!

Windows backup failed with following error code ‘2155348129’ – Hyper-V VSS Writer – [5] Waiting For Completion – Unexpected Error

Posted on October 15, 2012

We've run into several instances where this error presents itself on Windows 2008R2 servers running Hyper-V. When you see this error in the event log around the time your backup fails, it will look similar to:

Event ID: 521
The backup operation that started at '2012-10-15T01:44:31.444000000Z' has failed because the Volume Shadow Copy Service operation to create a shadow copy of the volumes being backed up failed with following error code '2155348129'. Please review the event details for a solution, and then rerun the backup operation once the issue is resolved.

There are numerous issues that will cause this error. The most interesting was relating to virtual machine drive-space. In our case, we found a few virtual machines with little or no free drive space were the cause.

First determine if the issue is related to the Hyper-V Writer:

1) Load a command prompt
2) vssadmin list writers

look for the:

Writer name: 'Microsoft Hyper-V VSS Writer'
Writer Id: {66841cd4-6ded-4f4b-8f17-fd23f8ddc3de}
Writer Instance Id: {c73cdd59-f1d2-40be-b1b4-0c11449528a3}
State: [1] Stable
Last error: Unexpected Error

*** Definitely related to the Hyper-V VSS writer ***

3) net stop vmms 
4) net start vmms
5) Check that the "last error:" has cleared itself:

vssadmin list writers

look for the:

Writer name: 'Microsoft Hyper-V VSS Writer'
Writer Id: {66841cd4-6ded-4f4b-8f17-fd23f8ddc3de}
Writer Instance Id: {c73cdd59-f1d2-40be-b1b4-0c11449528a3}
State: [1] Stable
Last error: No Error

6) Ensure you have at least 15% free disk space on all Hyper-V virtual machine drives.
7) Re-run your backup and monitor

If it repeats itself, I suggest looking at alternative solutions found online including resetting folder permissions.
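The writer check in steps 2 and 5 and the free-space check in step 6, as an added PowerShell example that is not part of the original post. The function names are made up for the example, the embedded sample is constructed from the output shown above plus one invented writer, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example: turn "vssadmin list writers" text into objects and flag bad writers.
function ConvertFrom-VssWriterList {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match "^\s*Writer name:\s*'(.+)'") {
            if ($current) { [pscustomobject]$current }      # emit the previous writer
            $current = @{ Name = $Matches[1]; WriterId = ''; State = ''; LastError = '' }
        } elseif ($current -and $line -match '^\s*Writer Id:\s*(\S+)') {
            $current.WriterId = $Matches[1]
        } elseif ($current -and $line -match '^\s*State:\s*(.+?)\s*$') {
            $current.State = $Matches[1]
        } elseif ($current -and $line -match '^\s*Last error:\s*(.+?)\s*$') {
            $current.LastError = $Matches[1]
        }
    }
    if ($current) { [pscustomobject]$current }
}

function Get-FailedVssWriter {
    param([string[]]$Lines)
    # String comparison is case-insensitive, so "No Error" and "No error" both pass.
    ConvertFrom-VssWriterList $Lines |
        Where-Object { $_.LastError -ne 'No error' -or $_.State -notmatch 'Stable' }
}

function Get-LowFreeSpaceVolume {
    param([int]$MinimumFreePercent = 15)
    # Step 6: run this inside each virtual machine; lists fixed disks below the threshold.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=3' |
        Where-Object { $_.Size -gt 0 -and (100 * $_.FreeSpace / $_.Size) -lt $MinimumFreePercent } |
        Select-Object DeviceID, @{ n = 'FreePercent'; e = { [math]::Round(100 * $_.FreeSpace / $_.Size, 1) } }
}

# Constructed sample: the Hyper-V entry from this post plus an invented healthy writer.
$sample = @'
Writer name: 'Microsoft Hyper-V VSS Writer'
   Writer Id: {66841cd4-6ded-4f4b-8f17-fd23f8ddc3de}
   Writer Instance Id: {c73cdd59-f1d2-40be-b1b4-0c11449528a3}
   State: [1] Stable
   Last error: Unexpected Error

Writer name: 'Example Writer'
   Writer Id: {00000000-0000-0000-0000-000000000000}
   Writer Instance Id: {00000000-0000-0000-0000-000000000001}
   State: [1] Stable
   Last error: No error
'@ -split '\r?\n'

$UseLiveData = $false    # $true reads the real writers (needs an elevated prompt)
$lines = if ($UseLiveData) { & vssadmin list writers } else { $sample }

$failed = @(Get-FailedVssWriter $lines)
$failed | Format-Table Name, State, LastError -AutoSize | Out-String
if ($failed | Where-Object { $_.Name -eq 'Microsoft Hyper-V VSS Writer' }) {
    'Hyper-V VSS writer is in an error state: restart vmms (steps 3 and 4), then check again.'
}
```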

Why w3wp.exe CPU utilization is high – Exchange is slow – Active-Sync 2010 and iOS diagnostic tools

Posted on August 28, 2012

Microsoft is aware of and working on a known issue relating to iOS devices causing high CPU utilization on Exchange Servers. The exact cause seems to bounce all over the place, but in general it is related to Active-Sync and how the iPhone communicates with the Exchange Server. The issue is challenging. Their direct recommendation is to ensure all devices are up-to-date. A single remote Active-Sync device can eat up 90+% of your system resources.

The good news is there are now scripts available to help you isolate the specific device(s) causing the issue.

I suggest you read this article thoroughly:
http://blogs.technet.com/b/exchange/archive/2012/01/31/a-script-to-troubleshoot-issues-with-exchange-activesync.aspx

To make life a bit easier, use the following steps.

1) If you find that your CPU utilization is rammed, verify that you see the following process causing the issue:

By default some of these columns are not shown.
To load them, head to the "View -> Select Columns"  

Make sure both items in RED match your own process list.
If they are not identical, you are not dealing with the same issue.

2) Download the PowerShell Script: http://gallery.technet.microsoft.com/scriptcenter/ActiveSyncReport-script-a2417a84

Save the script with your other Exchange scripts located under "c:\program files\microsoft\exchange server\v14\scripts"

3) Download and Install the LogParser: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=24659

4) Load the Exchange Management Shell and change directory to "c:\program files\microsoft\exchange server\v14\scripts"

Now that you're in the scripts folder ([PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>), we can start hunting down the source of your issue. Before we do, you should be aware that the script you are about to run can take 2-5 minutes to complete (depending on the size of your IIS logs). It will count the number of 'hits' a device has sent to your server. Anything over 1000 hits is high, anything over 1500 is very high.

Let's start by checking EVERY log against every device. This should give us a general idea of those who have excessively high hits over a long period of time. The following line will save the report to "C:\EASReports", the minimum hits we are looking for is >= 1000, and the result will be saved as an HTML viewable report.

.\ActiveSyncReport.ps1 -IISLog "C:\inetpub\logs\LogFiles\W3SVC1" -LogparserExec "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -ActiveSyncOutputFolder c:\EASReports -MinimumHits 1000 -HTMLReport

Building Log Parser Query...

Found time-taken in the IIS Log, adding this column.
Gathering Statistical data
Running Log Parser Command against the IIS Log(s): C:\inetpub\logs\LogFiles\W3SVC1\*.log

Statistics:
-----------
Elements processed: 24083868
Elements output: 1342
Execution time: 402.31 seconds (00:06:42.31)

Generating the Minimum Hits Report.
Building Log Parser Query...
Running Log Parser Command against the CSV results to determine Minimum hits of 1000

Statistics:
-----------
Elements processed: 1342
Elements output: 566
Execution time: 0.02 seconds

LogParser Command finished CSV, File location: c:\EASReports\EASyncOutputReport-Multiple_Files_Minimum_Hits_of_1000.csv
Creating HTML Output...
HTML File location: c:\EASReports\EASyncOutputReport-Multiple_Files_Minimum_Hits_of_1000.html

If you open this log for review (c:\EASReports\EASyncOutputReport-Multiple_Files_Minimum_Hits_of_1000.html) you will see something similar to:

Take note of the DeviceID and Hits columns. In this particular example, I see 5 devices that are clearly communicating with the Exchange server excessively. Using the device ID, we can drill down further into that specific device and find out how many hits per hour. Make sure to use the DeviceID from the table above in the line below.

.\ActiveSyncReport.ps1 -IISLog "C:\inetpub\logs\LogFiles\W3SVC1" -LogparserExec "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -ActiveSyncOutputFolder c:\EASReports -deviceID <DEVICEIDHERE> -hourly -htmlreport
Building Log Parser Query...
Found time-taken in the IIS Log, adding this column.
Gathering Statistical data for device: <DEVICEID>
On a per hourly basis.
Running Log Parser Command against the IIS Log(s): C:\inetpub\logs\LogFiles\W3SVC1\*.log

Statistics:
-----------
Elements processed: 24087512
Elements output: 3083
Execution time: 154.74 seconds (00:02:34.74)

LogParser Command finished CSV, File location: c:\EASReports\EASyncOutputReport-Multiple_Files_Hourly_<DEVICEID>.csv
Creating HTML Output...
HTML File location: c:\EASReports\EASyncOutputReport-Multiple_Files_Hourly_<DEVICEID>.html

If you open this log for review (c:\EASReports\EASyncOutputReport-Multiple_Files_Hourly_<DEVICEID>.html) you will see something similar to:

That's a lot of hits! This post was made on August 28th, and we can see on the 26th they were clearing 6000+ hits per day from this device. At this point, you should contact the user and update the iOS device to the latest version. After it's updated, watch it closely. Don't forget to check the other 5 devices on this list with high hits. It could be more than one device causing the issue.

5) The odd exception 

The first report we ran includes hits from all logs. What about recently added devices (say 1 week ago) that haven't had time to register huge numbers? For example, in the first report we saw 100,000+ hits on the first 6 devices. What if we added a new device 1 week ago that was registering 5,000 hits per day? It would only show up as 30,000-40,000 hits.

While checking the highest hits is always a good idea, you should also check the last few days individually. The example below includes a date variable (8-28-2012), modify as necessary.

.\ActiveSyncReport.ps1 -IISLog "C:\inetpub\logs\LogFiles\W3SVC1" -LogparserExec "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -ActiveSyncOutputFolder c:\EASReports -MinimumHits 1000 -date 8-28-2012 -HTMLReport

The resulting report will show you devices on the specified date that have hit over 1000 hits. This will help you isolate a more accurate daily breakdown.
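The per-day count behind "the odd exception", as an added PowerShell example that is not part of the original post or of ActiveSyncReport.ps1. It counts ActiveSync requests per device per day straight from IIS W3C log lines; the function name and the embedded log lines (device IDs, users, addresses) are constructed, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example: ActiveSync hits per DeviceId per day from IIS W3C log lines.
function Get-EasHitsPerDay {
    param([string[]]$Lines, [int]$MinimumHits = 1000)
    $idx = @{}; $counts = @{}
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # IIS writes the column layout in this header; it can differ between files.
            $names = $line.Substring(8).Trim() -split '\s+'
            $idx = @{}
            for ($i = 0; $i -lt $names.Count; $i++) { $idx[$names[$i]] = $i }
            continue
        }
        if ($line.StartsWith('#')) { continue }
        if (-not ($idx.ContainsKey('date') -and $idx.ContainsKey('cs-uri-stem') -and
                  $idx.ContainsKey('cs-uri-query'))) { continue }
        $f = $line -split ' '
        if ($f.Count -lt $idx.Count) { continue }            # truncated or blank line
        if ($f[$idx['cs-uri-stem']] -notlike '/Microsoft-Server-ActiveSync*') { continue }
        if ($f[$idx['cs-uri-query']] -match '(?:^|&)DeviceId=([^&]+)') {
            $key = '{0}|{1}' -f $f[$idx['date']], $Matches[1]
            $counts[$key] = 1 + [int]$counts[$key]
        }
    }
    foreach ($key in $counts.Keys) {
        $hits = $counts[$key]
        if ($hits -lt $MinimumHits) { continue }
        $date, $device = $key -split '\|', 2
        [pscustomobject]@{
            Date     = $date
            DeviceId = $device
            Hits     = $hits
            # Thresholds from this post: over 1000 is high, over 1500 is very high.
            Level    = if ($hits -gt 1500) { 'very high' } elseif ($hits -gt 1000) { 'high' } else { 'below 1000' }
        }
    }
}

# Constructed sample log (not real traffic).
$sample = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2012-08-27 23:59:58 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ApplEXAMPLE0001&DeviceType=iPhone&Cmd=Sync 443 jdoe 203.0.113.10 Apple-iPhone4C1/902.206 200 31
2012-08-28 01:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ApplEXAMPLE0001&DeviceType=iPhone&Cmd=Ping 443 jdoe 203.0.113.10 Apple-iPhone4C1/902.206 200 15
2012-08-28 01:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ApplEXAMPLE0001&DeviceType=iPhone&Cmd=Sync 443 jdoe 203.0.113.10 Apple-iPhone4C1/902.206 200 47
2012-08-28 01:00:03 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=asmith&DeviceId=ApplEXAMPLE0002&DeviceType=iPad&Cmd=Sync 443 asmith 203.0.113.20 Apple-iPad2C1/902.206 200 62
2012-08-28 01:00:04 10.0.0.5 GET /owa/ - 443 asmith 203.0.113.20 Mozilla/5.0 200 16
'@ -split '\r?\n'

# The sample is tiny, so the threshold is lowered to 2 to show a result.
$rows = Get-EasHitsPerDay -Lines $sample -MinimumHits 2
$rows | Sort-Object Date, @{ Expression = 'Hits'; Descending = $true } | Format-Table -AutoSize | Out-String

# Real run over one day's file, for example:
#   Get-EasHitsPerDay -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex120828.log')
```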

 

Happy hunting!

Active Directory Login failure on Blackberry Administration Server (BAS) – The username, password, or domain is not correct. Please correct the entry.

Posted on July 24, 2012

Logging into BAS can fail if DNS records are incorrect or stale.
Before we get into that, I highly recommend you look through your BAS logs to analyse the error.

1) Try to login to the BAS admin service using your LDAP/Active-Directory credentials several times. This will register a few errors in your logs that you can track down.
2) Head to: C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\Logs\(TODAYS DATE)\
3) Open the log file that starts with "SERVERNAME_BBAS-AS-" (Make sure it's the most recently modified version!)
4) Scroll to the bottom and look for lines that start with "(XX/XX XX:XX:XX:XXX):{http-"

(XX/XX XX:XX:XX:XXX):{http-URL.COM%2F10.100.1.36-3443-5} [com.rim.bes.basplugin.activedirectory.LDAPSearch] [INFO] [ADAU-1001] {u=SystemUser, t=30847} performPagedLDAPSearch problem performing LDAP operation: url=ldap://ldapserver.domain.com:3268 base= filter=(&(objectClass=user)(objectCategory=person)(|(sAMAccountName=besadmin)(userPrincipalName=besadmin))) scope=2

If you see a message similar to this, BAS is trying to grab a Kerberos ticket and your DNS is causing errors.

Resolution:

1) Load your Active-Directory DNS management console.
2) Verify that you have reverse DNS set up for the entire domain. You require PTR records (reverse DNS records) for each of your domain controllers. If you don't have them, FIX THIS!
3) Verify that you have no stale records pointed to decommissioned or retired domain controllers. Drill down into each DNS folder and confirm the hostname and IP match your current infrastructure. It's amazing how many stale records we find.
4) Once repairs are made to the DNS settings, right click the server name in the DNS management and "clear cache"

Reboot your BES server just for fun, and try to login.
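Steps 2 and 3 of the resolution as a script, an added PowerShell example that is not part of the original post. It assumes a domain-joined machine, Windows PowerShell 3.0 or later and IPv4; the function name and status labels are made up for the example.

```powershell
# Added example: forward/reverse DNS consistency for every domain controller,
# plus a check for stale A records on the domain name itself.
function Get-ReverseName {
    param([System.Net.IPAddress]$Address)
    # Uses the Windows resolver, so a hosts-file entry can mask a missing PTR record.
    try {
        $name = [System.Net.Dns]::GetHostEntry($Address).HostName
        if ($name -eq $Address.ToString()) { $null } else { $name }
    } catch {
        $null
    }
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcIps  = @{}

$report = foreach ($dc in $domain.DomainControllers) {
    try {
        $ips = @([System.Net.Dns]::GetHostAddresses($dc.Name) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' })
    } catch {
        $ips = @()
    }
    if ($ips.Count -eq 0) {
        [pscustomobject]@{ DC = $dc.Name; IP = $null; PTR = $null; Status = 'No A record' }
    }
    foreach ($ip in $ips) {
        $dcIps[$ip.ToString()] = $dc.Name
        $ptr = Get-ReverseName $ip
        $status = if (-not $ptr) { 'No usable PTR' }
                  elseif ($ptr -eq $dc.Name) { 'OK' }
                  else { 'PTR mismatch' }
        [pscustomobject]@{ DC = $dc.Name; IP = $ip.ToString(); PTR = $ptr; Status = $status }
    }
}
$report | Format-Table -AutoSize | Out-String

# By default every DC registers an A record for the domain name itself. An address
# there that belongs to no current DC is a leftover from a retired server (step 3).
$stale = @([System.Net.Dns]::GetHostAddresses($domain.Name) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' -and -not $dcIps.ContainsKey($_.ToString()) })

if ($stale.Count -gt 0) {
    "Addresses on $($domain.Name) that match no current DC: $($stale -join ', ')"
} else {
    "Every address registered for $($domain.Name) belongs to a current DC."
}
```

Run it from the BES server so the answers come from the same DNS servers that BAS uses.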

HP System Management HomePage – Processor none – No Hardware Listed

Posted on July 15, 2012

If you recently installed the HP System Management Homepage on a new or existing HP server and you're missing the actual content when you login, you could be missing a quick community setting on your SNMP Service.

1) Go to Start -> Run/Search -> services.msc
2) Scroll down the list and find "SNMP Service" -> Right Click -> Properties -> Security Tab
3)  Under "Accepted Community Names" look for a "Public" community name. If it's missing, you need to add it. Click "add". Choose "ReadOnly" and enter community name "public".
4) Click Add and then OK to close the windows.

You should now have this:

5) Right click the "SNMP Service" and choose "Restart". This will require its HP dependencies to restart as well, click OK and let it finish
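The settings from steps 2 to 4 can be read back from the registry, which also shows which hosts the service accepts SNMP packets from (the other half of the same Security tab). This is an added PowerShell example, not part of the original post; the function names are made up and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example: report the SNMP service's accepted communities and hosts.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
# DWORD stored per community name on the Security tab.
$rights = @{ 1 = 'None'; 2 = 'Notify'; 4 = 'ReadOnly'; 8 = 'ReadWrite'; 16 = 'ReadCreate' }

function Get-SnmpCommunity {
    $key = Get-Item -LiteralPath "$base\ValidCommunities" -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $value = [int]$key.GetValue($name)
        [pscustomobject]@{
            Community    = $name
            Rights       = if ($rights.ContainsKey($value)) { $rights[$value] } else { "Unknown ($value)" }
            # Community names are case-sensitive, so compare with -ceq.
            MatchesStep3 = ($name -ceq 'public' -and $value -eq 4)
        }
    }
}

function Get-SnmpPermittedManager {
    $key = Get-Item -LiteralPath "$base\PermittedManagers" -ErrorAction SilentlyContinue
    if ($key) { $key.GetValueNames() | ForEach-Object { $key.GetValue($_) } }
}

$communities = @(Get-SnmpCommunity)
$managers    = @(Get-SnmpPermittedManager)

$communities | Format-Table -AutoSize | Out-String

if ($managers.Count -eq 0) {
    'Accepted hosts: any host (no entries under PermittedManagers)'
} else {
    "Accepted hosts: $($managers -join ', ')"
}

if (-not ($communities | Where-Object { $_.MatchesStep3 })) {
    'No read-only "public" community found; step 3 has not been applied.'
}
$writable = @($communities | Where-Object { $_.Rights -in 'ReadWrite', 'ReadCreate' })
if ($writable.Count -gt 0) {
    "Communities with write access: $($writable.Community -join ', ')"
}
```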

Log back into the System Management Homepage and you should now see everything:

Adding 64bit print drivers to 32bit Windows Servers

Posted on May 18, 2012

There has been a lot of confusion on this topic, so let's clear it up!

If you intend on sharing your printer from a 32-bit server to 64-bit clients, you will need to ensure both 32 and 64-bit drivers are installed at the server. The issue however is that the server will not allow you to install 64-bit drivers.  There is a really quick and simple solution.

1) Download the 32 and 64-bit Universal Printer Drivers from the manufacturer's site. DO NOT try and fiddle around with anything else.

2) Log in as a domain administrator on a 64-bit PC or Server located in the same domain

3) From the command prompt run "printmanagement.msc" 

---- Right Click "Print Servers" -> "Add/Remove Servers"
---- Enter the hostname of your server and click "Add to List"
---- Click "Apply" and "OK"

---- Expand the server you entered and load the "Drivers" child object
---- Right click the centre pane and  choose "Add Driver"
---- Choose "x64" and "x86"
---- Complete the driver installation by pointing the installer to the INF files located in the 32 and 64-bit driver downloads you already completed
---- If you successfully installed the drivers, you should see both 32 and 64-bit listed under the drivers pane

4)  It's now time to install and share the printer!

Browse to "Print Management" -> "Print Servers" -> "Server Name" -> "Printers" -> right click "Add Printer"

Complete the printer installation and select the drivers you installed when it asks.

5) Check the driver options 

Select the printer you installed -> right click "properties" -> "Sharing" -> "Additional Drivers"

You should see both x64 and x86 drivers checked off; you're ready to roll!

If you do not see both checked off:

Select the printer you installed -> right click "properties" -> "advanced tab"
Choose the correct driver from the drop down list under "Driver: " and recheck the additional drivers options to verify.

Sending vCard – “You can’t send a message on behalf of this user unless you have permission to do so … ” – Outlook 2010

Posted on December 12, 2011

If you run into this message while trying to forward a vCard using Outlook 2010 (likely 2007 as well), you are dealing with a hidden x400 "FROM" address inside the contact metadata. When a contact is created, Outlook will cache the "from" address and reference it instead of the actual account being used to send. You will see this when contacts are imported and exported between Exchange services, and apparently POP3 as well.

Sadly, there are only 2 resolutions and neither of them are global.

1) When you see the “FROM” field appear while forwarding a contact, manually click "From" -> "other e-mail address" -> and choose your name from the list.
This will change the “from” address to your correct address, hit send, and life is good.

2) You can manually create new contacts and copy the information from the old to the new.
DO NOT right click and copy a contact, you need to make a new contact and copy each field over individually.
If you copy a contact, it will transfer the x400 metadata.
I strongly feel this is a bug and Microsoft should look at removing the reference to the old address.

 

How to find all users in active directory with the “password expires” setting enabled or disabled

Posted on October 12, 2011

Just a quick tip for those running into the need to query users whose passwords are set to expire, or vice versa.
Open up the Windows PowerShell and use the two following commands:

1) To show your list of users and their settings
dsquery user "ou=someOU,dc=yourdomain,dc=ca" -limit 0 | dsget user -email -pwdneverexpires

2) To update all users to yes or no
dsquery user "ou=someOU,dc=yourdomain,dc=ca" -limit 0 | dsmod user -pwdneverexpires yes

This mailbox database contains one or more mailboxes, mailbox plans, archive mailboxes, or arbitration mailboxes.

Posted on October 7, 2011

I ran into a unique situation where removing an exchange database was testing my sanity and I definitely want to post the solution for anyone else that runs into the same issue.

Here's the scenario: Exchange 2010. You are looking to move all mailboxes out of a particular database. After moving all the mailboxes you request exchange to remove the database through the EMC or shell, when suddenly:

This mailbox database contains one or more mailboxes, mailbox plans, archive mailboxes, or arbitration mailboxes. To get a list of all mailboxes in this database, run the command Get-Mailbox -Database <Database ID>. To get a list of all mailbox plans in this database, run the command Get-MailboxPlan. To get a list of archive mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -Archive. To get a list of all arbitration mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -Arbitration. To disable a non-arbitration mailbox so that you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID>. To disable an archive mailbox so you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID> -Archive. Arbitration mailboxes should be moved to another server; to do this, run the command New-MoveRequest <parameters>. If this is the last server in the organization, run the command Disable-Mailbox <Mailbox ID> -Arbitration -DisableLastArbitrationMailboxAllowed to disable the arbitration mailbox. Mailbox plans should be moved to another server; to do this, run the command Set-MailboxPlan <MailboxPlan ID> -Database <Database ID>.

As you are a brilliant IT wizard, you immediately remember to check if you moved all the archive and arbitration mailboxes.

[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>Get-Mailbox -Database "Staff & Testing Mailboxes" -Archive
[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>Get-Mailbox -Database "Staff & Testing Mailboxes" -Arbitration
[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>Get-Mailbox -Database "Staff & Testing Mailboxes"

No results are returned ... why does exchange think there are mailboxes left inside?
Good question!

When the database removal request begins, a validation process is completed to ensure no user mailbox attributes are linked to the database. In very rare instances, you may find a particular attribute has failed to update or be reset and thus ... it fails. In our particular case, an existing mailbox had the "online-archive" feature removed and during the process, the "msExchArchiveDatabaseLink:" attribute was still referencing this old database. So how did we find it?

Easy!

1) Load the command prompt and run "dsquery * domainroot -attr * -limit 0 > results.txt"

This will dump the attributes for every object in AD to a text file you can search through.

2) Open the text file with notepad and search for a unique string from your database name. In our case, "Testing" worked out great from "Staff & Testing mailboxes"

3) We found the single attribute that was causing the removal process to think there were still active mailboxes in the database.

msExchArchiveDatabaseLink: CN=Staff & Testing Mailboxes,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=XXXXXXX,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=XXXXXXX,DC=XXX

If you look directly above this row, you will find a few values that will help you identify the user account in question that has this attribute set.
In our case, we found these records a few lines above:

sAMAccountName: jon
userPrincipalName: jon@doe.com
mail: jon@doe.com

Now we know which user has a reference to the old database, and which attribute.

4) Load ADSIEDIT.MSC and browse to the user object under the default naming context. Right click the object, properties, scroll down until you find "msexcharchivedatabaselink" and clear it. After you save it should be "<not set>".

If you're not familiar with ADSIEDIT, open it, choose the default naming context and you will be provided with a list of objects similar to your active directory users/computers. When you find the user that had the bad link, right click their object and select properties. Within is a fantastic list of all sorts of attributes ... including the one you need to change (msexcharchivedatabaselink).

BE CAREFUL USING ADSIEDIT ... you can do SERIOUS damage. You've been warned!

After you reset this value, try removing the database again and you should find success. If not, run the dsquery again and look for other objects referencing the old database.
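A targeted alternative to dumping every attribute to a text file, as an added PowerShell example that is not part of the original post: an LDAP search for objects whose homeMDB or msExchArchiveDatabaseLink still equals the database DN. The function names are made up for the example, the search covers the current domain only, and the DN is the redacted one from step 3, so substitute the real value before running it.

```powershell
# Added example: find the objects that still point at a mailbox database.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515: these characters must be escaped inside a filter value. The database
    # DN contains "(FYDIBOHF23SPDLT)", so an unescaped filter would be invalid.
    # The backslash goes first so the escapes added afterwards are not re-escaped.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace '\x00', '\00'
}

function Find-DatabaseReference {
    param(
        [Parameter(Mandatory = $true)][string]$DatabaseDN,
        [string[]]$LinkAttribute = @('homeMDB', 'msExchArchiveDatabaseLink')
    )
    $value   = ConvertTo-LdapFilterValue $DatabaseDN
    $clauses = $LinkAttribute | ForEach-Object { "($_=$value)" }

    # With no SearchRoot set, the searcher starts at the current domain root,
    # the same scope as "dsquery * domainroot".
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(|' + ($clauses -join '') + ')'
    $searcher.PageSize = 1000
    foreach ($p in @('distinguishedName', 'sAMAccountName', 'userPrincipalName', 'mail') + $LinkAttribute) {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties      # property names are stored in lower case
        [pscustomobject]@{
            sAMAccountName    = @($props['samaccountname'])[0]
            userPrincipalName = @($props['userprincipalname'])[0]
            mail              = @($props['mail'])[0]
            LinkedBy          = ($LinkAttribute | Where-Object {
                                    @($props[$_.ToLower()]) -contains $DatabaseDN }) -join ', '
            DistinguishedName = @($props['distinguishedname'])[0]
        }
    }
}

# Redacted DN copied from this post. On a real system take it from the Exchange
# Management Shell: (Get-MailboxDatabase 'Staff & Testing Mailboxes').DistinguishedName
$dn = 'CN=Staff & Testing Mailboxes,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=XXXXXXX,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=XXXXXXX,DC=XXX'

ConvertTo-LdapFilterValue $dn            # shows the escaped form used in the filter
Find-DatabaseReference -DatabaseDN $dn | Format-List
```

The script only reports; clearing the attribute is still the ADSIEDIT step above.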

 

Some other things to mention ... although likely not necessary ... during the process, I also:

- Deleted the System Mailbox record for this database using the DSQUERY Results and ADSIEDIT ... not sure if this was another contributing factor to the success.

- With SP1, mailboxes are moved and the existing copy is left in the old database as a disconnected "SoftDeleted" status. I manually removed these as well, not sure if this was another contributing factor to the success.

If you want to remove all disconnected mailboxes from a database, run the following command

Get-MailboxStatistics -Database "dbname" | Where-Object {$_.DisconnectReason -eq "Disabled"} | ForEach {Remove-StoreMailbox -Database $_.database -identity $_.mailboxguid -MailboxState Disabled }

If you want to remove all soft-deleted mailboxes from a database, run the following command

Get-MailboxStatistics -Database "dbname" | Where-Object {$_.DisconnectReason -eq "Softdeleted"} | ForEach {Remove-StoreMailbox -Database $_.database -identity $_.mailboxguid -MailboxState Softdeleted }

Thanks to: http://www.howexchangeworks.com/2010/09/purge-disconnected-or-soft-deleted.html
For the softdelete info!