How to lookup a user’s current Active-Directory site

Posted on March 13, 2013

Curious what site you're in?

nltest /dsgetsite

Windows Domain DFS namespace – access is denied using domain FQDN, access allowed using server UNC paths directly

Posted on November 5, 2012

This was easily one of the most frustrating and ridiculous fun times I've had working with DFS.

The issue: At several client locations we run file server redundancy by offering (2) DFSR servers. A shared domain namespace with replicated folders to ensure they stay online if a server is offline for planned or unplanned good times. Within group-policy, we map folder redirection to a namespace path:

  • "documents" -> "\\domain.com\users\username\documents"
  • "desktop" -> "\\domain.com\users\username\desktop"
  • ......

By referencing the namespace, it will redirect when server A or B is offline. This should NOT be used in WAN deployments, LAN is fast and therefore replication is fast. Initially the DFS issue was identified when drives mapped to the namespace were missing. Within the client event logs, we saw "access denied" errors associated with these drive-letters.

What we checked and verified:

  • Problematic client stations could not connect to "\\domain.com\dfsroot"  (access denied)
  • Problematic client stations could not connect to "\\domain\dfsroot" (access denied)
  • Problematic client stations could connect to "\\serverA\dfsroot"
  • Problematic client stations could connect to "\\serverB\dfsroot"
  • Permissions on the shares for the DFS Root folder were correctly set to "everyone" with read/write
  • Each of these systems was removed and rejoined to the domain [no success]
  • The local profiles were completely removed from the local systems (file system and registry) and logged back in [no success]
  • Security suites were removed [no success]
  • Each user was tested on working machines and had no issues obtaining the right drives

The culprit: 

  • When we disabled the 'offline files' component and rebooted -> "\\domain.com\dfsroot" was immediately accessible
We ultimately came to this conclusion: 

The offline file cache was corrupt. When offline files are disabled, the system accesses the namespace location directly without issue. This confirms a reference to the namespace is clearly saved within offline file cache. If the cache is corrupt you end up with "Access is Denied". Another quick way to determine if the issue is corrupt cache is to simply try and access the DFS root UNC paths on each server. If you can browse the contents when bypassing the shared namespace path, and this user has no issues on other domain PCs, then it's not permissions.
...........
The Fix:
..........
1) Disable offline files

Control Panel -> Sync Center -> Manage Offline Files -> Disable Offline Files

2) Clear the offline file cache

This sets a temporary registry entry which is read on start-up and runs the cache wipe.
Elevated Command Prompt -> "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Csc\Parameters /v FormatDatabase /t REG_DWORD /d 1 /f "

3) Reboot

You must reboot to successfully wipe the offline file cache

4) Test the namespace path -> "\\domain.com\dfsroot"

If you can now browse the namespace contents, you can optionally re-enable Offline Files.
We understand the Offline Files component is critical to road warriors. You should be safe to re-enable it and reboot.

Control Panel -> Sync Center -> Manage Offline Files -> Enable Offline Files -> Reboot

After you log back in, check that you can still access the namespace path "\\domain.com\dfsroot" after you run a forced sync. If there are still issues, I recommend you follow the steps we initially took "What we checked and verified:" and repeat this fix.

Good luck!

Active Directory Login failure on Blackberry Administration Server (BAS) – The username, password, or domain is not correct. Please correct the entry.

Posted on July 24, 2012

Logging into BAS can fail if DNS records are incorrect or stale.
Before we get into that, I highly recommend you look through your BAS logs to analyse the error.

1) Try to login to the BAS admin service using your LDAP/Active-Directory credentials several times. This will register a few errors in your logs that you can track down.
2) Head to: C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\Logs\(TODAYS DATE)\
3) Open the log file that starts with "SERVERNAME_BBAS-AS-" (Make sure it's the most recently modified version!)
4) Scroll to the bottom and look for lines that start with "(XX/XX XX:XX:XX:XXX):{http-"

(XX/XX XX:XX:XX:XXX):{http-URL.COM%2F10.100.1.36-3443-5} [com.rim.bes.basplugin.activedirectory.LDAPSearch] [INFO] [ADAU-1001] {u=SystemUser, t=30847} performPagedLDAPSearch problem performing LDAP operation: url=ldap://ldapserver.domain.com:3268 base= filter=(&(objectClass=user)(objectCategory=person)(|(sAMAccountName=besadmin)(userPrincipalName=besadmin))) scope=2

If you see a message similar to this, BAS is trying to grab a Kerberos ticket and your DNS is causing errors.

Resolution:

1) Load your Active-Directory DNS management console.
2) Verify that you have reverse DNS setup for the entire domain. You require PTR records (reverse dns records) for each of your domain controllers. If you don't have them, FIX THIS!
3) Verify that you have no stale records pointed to decommissioned or retired domain controllers. Drill down into each DNS folder and confirm the hostname and IP match your current infrastructure. It's amazing how many stale records we find.
4) Once repairs are made to the DNS settings, right click the server name in the DNS management and "clear cache"

Reboot your BES server just for fun, and try to login.

HP System Management HomePage – Processor none – No Hardware Listed

Posted on July 15, 2012

If you recently installed the HP System Management Homepage on a new or existing HP server and you're missing the actual content when you login, you could be missing a quick community setting on your SNMP Service.

1) Goto start -> run/search -> Services.smc
2) Scroll down the list and find "SNMP Service" -> Right Click -> Properties -> Security Tab
3)  Under "Accepted Community Names" look for a "Public" community name. If it's missing, you need to add it. Click "add". Choose "ReadOnly" and enter community name "public".
4) Click Add and then OK to close the windows.

You should now have this:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

5) Right click the "SNMP Service" and choose "Restart". This will require it's HP dependencies to restart as well, click ok and let it finish

Log back into the HSM Homepage and you should now see everything:

Adding 64bit print drivers to 32bit Windows Servers

Posted on May 18, 2012

There has been a lot of confusion on this topic, so let's clear it up!

If you intend on sharing your printer from a 32-bit server to 64-bit clients, you will need to ensure both 32 and 64-bit drivers are installed at the server. The issue however is that the server will not allow you to install 64-bit drivers.  There is a really quick and simple solution.

1) Download the 32 and 64-bit Universal Printer Drivers from the manufacturer's site. DO NOT try and fiddle around with anything else.

2) Log into an as a domain administrator on a 64-bit PC or Server located in the same domain

3) From the command prompt run "printmanagement.msc" 

---- Right Click "Print Servers" -> "Add/Remove Servers"
---- Enter the hostname of your server and click "Add to List"
---- Click "Apply" and "OK"

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

---- Expand the server you entered and load the "Drivers" child object
---- Right click the centre pane and  choose "Add Driver"
---- Choose "x64" and "x86"
---- Complete the driver installation by assisting the installer to the INF files located in your 32 and 64-bit driver downloads you already completed
---- If you successfully installed the drivers, you should see both 32 and 64-bit listed under the drivers pane

4)  It's now time to install and share the printer!

Browse to "Printer Management Console" ->  "Printer Servers" -> "Server Name" -> "Printers"  -> right click "Add Printer"

 Complete the printer installation and select the drivers you installed when it asks.

5) Check the driver options 

Select the printer you installed -> right click "properties" -> "Sharing" -> "Additional Drivers"

You should see both x64 and x86 drivers checked off; you're ready to roll!

If you do not see both checked off:

Select the printer you installed -> right click "properties" -> "advanced tab"
Choose the correct driver from the drop down list under "Driver: " and recheck the additional drivers options to verify.

 

 

How to find all users in active directory with the “password expires” setting enabled or disabled

Posted on October 12, 2011

Just quick tip for those running into the need to query users who's passwords are set to expire, or vice versa.
Open up the Windows PowerShell and use the two following commands:

1) To show your list of users and their settings
dsquery user "ou=someOU,dc=yourdomain,dc=ca" -limit 0 | dsget user -email -pwdneverexpires

2) To update all users to yes or no
dsquery user "ou=someOU,dc=yourdomain,dc=ca" -limit 0 | dsmod user -pwdneverexpires yes

Trend Micro – Worry Free Business Security – Firewall Port Ranges Failing/Not Working

Posted on July 18, 2011

We recently applied an upgrade from Worry Free Business Security 6.0 SP3 to 7.0. After the upgrade we noticed whitelisted Ephemeral and other port ranges in the firewall policies were not allowing traffic in. After numerous hours verifying everything was correctly setup we got in touch with Trend Micro and they sent back a patch to resolve the issue. We haven't seen this online yet, so I figure this may help a few of you.

--------------------------------------------------------------------------------

Good Day.

Please apply the attached Hotfix to the WFBS Server. Unzip password: novirus
Let the agents update afterwards then observe if the issue persists.

We are looking forward to your reply.

Technical Support – Worry-Free Products and Services Trend Micro, Inc. “Securing Your Journey to the Cloud”

--------------------------------------------------------------------------------

Download: http://www.sirk.ca/downloads/WFBS_70_WIN_All_HFB1461.zip

After applying this patch and allowing the update to propagate down to the clients, the port ranges started allowing traffic through.

File locking issues on DFSR (Windows 2003/2008)

Posted on August 22, 2010

Are users complaining that shared documents are being overwritten by other users?
Are user not being prompted that a file is Read-Only when opened by another user?
Are you running a distributed file system with replication?

You’ve enter the world of inherited file locking drama!

The issue is Windows Server 2003 and 2008 presently have no centralized file-locking management. When a user is referred to a server within a DFS with replication, the local server locks the locally requested file. The remaining member services are not sent the same notice to lock the same file and as a result, if another user is referred to a different member server, the most recent save wins. There is presently no concrete method in-place to tackle the issue.

By default a DFS configuration uses the "lowest-cost" or "random" referral methods. If you use these types of referrals you will be subject to the file-locking issues.

The good news is depending on your company’s size and requirements you may have a few workarounds.

1) Ask users to inform one another when documents will be in use (painful!!!)
2) Utilize the built-in conflict resolution folders managed by Windows 2003/2008 DFS
3) Override the lowest-cost and random referral orders with static referral order.

I recommend the 3rd option. It allow for fault-tolerance and let’s face it, your time is valuable! Do you really want to dig through conflict folders? Using this method will force users to share the same DFS server for specific folders. Generally depending on the size of your business this isn’t a huge concern. If the primary DFS server is offline the clients will be redirected to the next server in sequence.

If your goal is to also introduce a load-balancing strategy you will have to manually segregate and deploy your DFS carefully. Target major folders or departments to a reserved DFS server.

For example:

If you have 3 departments (Accounting, Sales and Support). The DFSR structure should encompass all of these departments across all servers. The manual load-balancing would be as follows:

-> \\domain.com\Accounting (1st static referral order "first among all targets" on serverA)
-> \\domain.com\Sales (1st static referral order "first among all targets" on serverB)
-> \\domain.com\Support (1st static referral order "first among all targets" on serverC)

All accounting users will be accessing serverA by default, sales serverB and support serverC. All of these folders are replicated throughout the DFS and as a result, if ServerA went down, the next server you statically assign would take over the responsibility.

To access to Override options in your namespace folders:

DFS Management Console -> Namespaces -> default root namespace -> links (right click) -> properties -> advanced tab