Friday, June 12, 2009

Applying Group Policy Preferences "Regional Settings" in Vista can have unforeseen results

I am working on a Windows Vista migration project, where I am responsible for designing group policies for Windows Vista. After applying regional settings through Group Policy Preferences, the test machines started showing strange behaviour. These issues started showing up after the first reboot since the policy was applied.
These are the symptoms that were noted:
  1. Clients were unable to get an IP address (no IP address could be leased/renewed), although the required services were running. The client did receive an IP during the PXE boot process (from the same DHCP server).
  2. The Event Viewer was unavailable, although the services were running.
  3. Unable to release/renew the IP address (RPC service unavailable). The Remote Procedure Call service was running fine.
  4. Sometimes the test users were unable to log on to the computer.

These issues were not related to the user, because even after logging on with the local administrative account the same issues occurred. I reinstalled the NICs on the client and removed all applied policies from the registry. I rebooted the system, but still could not get an IP. Troubleshooting also showed that the client couldn't communicate with AD during the Windows boot process; only cached domain credentials could log on.

At first I thought there was a problem with the image used for the deployment of the machines. But after redeploying the system I saw there was no issue as long as no policies were applied. This pointed me towards the applied policies. The policies were divided into several smaller policies:

  1. A general computer policy (Common Computer Policies Desktop Laptop).
  2. A desktop policy (Specific Desktop Policies).
  3. A general user policy (General User Policies).
  4. An Internet Explorer policy (General Internet Explorer Policies).
  5. An Office 2007 policy (General Office Policies).

I started applying the GPOs one by one, which showed that the havoc started after applying the general user policy. This made the GPPs my number one suspect. Breaking the policy down and applying the pieces over and over again proved my point: after applying the GPP regional settings the issue starts to occur. Even when only applying the GPPs (no other policy applied) the issues start to appear.

I compared two registry exports (one before and one after), hoping to find what was causing the issue, but failed to find the registry entries responsible for it. My troubleshooting did, however, show that the problem occurs after applying the GPP regional settings.

I did the same testing on Windows Seven RC1 and saw that these issues do NOT occur on Windows Seven.

Wednesday, June 10, 2009

Installing the Telnet Client

Since Windows Server 2008 and Vista, the Telnet client is no longer installed by default. This short article shows how to install the Telnet Client on Windows Server 2008 and Windows Vista/Seven from the command line.

Windows Server 2008/R2
[Code]
ServerManagerCmd -i Telnet-Client
[/Code]

Windows Vista/Seven
[Code]
Start /w pkgmgr /iu:"TelnetClient"
[/Code]

Snapshotting destroys replication.

If you know how Active Directory replication works, you would be reluctant to use any kind of imaging technology on your domain controllers. The Active Directory team wrote a nice article explaining why you should or shouldn't use any imaging technology on your DCs.
http://blogs.technet.com/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx

Tuesday, June 9, 2009

Unforeseen Outcome

Enforcing the Windows Explorer Classic shell disables tabbed browsing in Internet Explorer.

Enabling the policy User Configuration/Administrative Templates/Windows Components/Windows Explorer/Turn On Classic Shell disables tabbed browsing in Internet Explorer.

Thursday, May 7, 2009

Using Exchange 2007 for Resource booking

Found a very interesting article today that deals with resource mailboxes in Exchange 2007.
The article is written by Nathan Winters and gives a good view of how to manage resource mailboxes in Exchange 2007.

http://www.simple-talk.com/exchange/exchange-articles/using-exchange-2007-for-resource-booking/

Saturday, April 25, 2009

Windows 7 and Winamp

A few weeks back I decided to install the Windows 7 Beta on my desktop. I had it running in VMware, but you know how it goes: you install it, play a little and lose interest. By installing it on my desktop I am forced to use it, and get a far better experience with the product.

Well, so far so good, no problem whatsoever. Everything runs smoothly, with the exception of Winamp.
Winamp crashed as soon as I fired it up. Googling the issue told me that some people resolved it by removing the Winamp configuration file from their profile. I tried it, and indeed Winamp would launch after the removal, but you could not see the interface of the program. You just saw the application being active in the quick-launch bar, but that was all. I decided to reinstall it, clear the configuration file, and choose Winamp Classic instead of the Bento skin. To my surprise the issue seems to be resolved.

I still could not completely verify it, but it looks like the Bento skin doesn't work in Windows 7.

So if you want to use Winamp, remove the configuration file, launch the application and do not choose the default Bento skin.
The default location of the Winamp config file is in the user profile:
%Systemdrive%\Users\%Username%\AppData\Roaming\Winamp\Winamp.ini

Wednesday, April 22, 2009

Inter-forest migration: trust requirements

This small article describes the trust prerequisites concerning SID filtering, which in turn allow migrated users to access their resources in the source domain.

Create a forest trust between the two domains.
Enable SID history (<TrustingDomain> is the domain on whose trust object the setting is changed; the empty switch values are yours to fill in):
[Code]
NETDOM TRUST <TrustingDomain> /Domain: /EnableSIDHistory:Yes /UserO: /PasswordO:
[/Code]
Verify the setting by running the same command without any value on the /EnableSIDHistory switch:
[Code]
NETDOM TRUST <TrustingDomain> /Domain: /EnableSIDHistory /UserO: /PasswordO:
[/Code]
Which returned:
[Code]
SID History is enabled on this Trust
[/Code]
When a security principal is copied from one forest to the other, it gets a new SID from the target domain. When SID history is enabled, the old SID is added to the SID history of the principal. This SID history is added to the session key which the principal presents while trying to access a share, thus validating the user in the source forest.

Only enabling SID history is not enough. Windows Server 2003 forests have SID filtering enabled by default. Security principals in Active Directory have an attribute, called SID history, to which domain administrators can add users' old security identifiers (SIDs). This is useful during Active Directory migrations because administrators do not need to modify access control lists (ACLs) on large numbers of resources, and users can use their old SIDs to access resources. However, under some circumstances it is possible for attackers or rogue administrators that have compromised a domain controller in a trusted domain to use the SID history attribute (sIDHistory) to associate SIDs with new user accounts, granting themselves unauthorized rights. To help prevent this type of attack, Windows Server 2003 automatically enables SID filter quarantining on all external trusts that are created by a Windows Server 2003 domain controller. External trusts that are created using domain controllers running Windows 2000 Server with Service Pack 3 (SP3) or earlier must be manually configured to enable SID filter quarantining. This is also the case when creating a forest trust between two forests. So in order to let the SID history pass across the trust we need to disable SID filtering on that trust. SID filtering can be disabled with the following command:
[Code]
NETDOM TRUST <TrustingDomain> /Domain: /Quarantine:No /UserO: /PasswordO:
[/Code]
Again, you can verify the status by running the same command without specifying a value for the /Quarantine switch:
[Code]
NETDOM TRUST <TrustingDomain> /Domain: /Quarantine /UserO: /PasswordO:
[/Code]

Note: disabling SID filtering and enabling SID history creates a large security risk and opens a big attack surface on both forests. Therefore it is advisable to speed up the migration. It is understandable that you leave the old environment running for a longer time once the migration has completed, but be sure to enable the filtering again once all resources have been moved to the target forest.

Disabling SID history:
[Code]
NETDOM TRUST <TrustingDomain> /Domain: /EnableSIDHistory:No /UserO: /PasswordO:
[/Code]
Enabling SID filtering:
[Code]
NETDOM TRUST <TrustingDomain> /Domain: /Quarantine:Yes /UserO: /PasswordO:
[/Code]
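Because the relaxed state is easy to forget once the migration is over, here is an added example (not part of the original post) that lists every trust of the current domain and flags the ones where the partner's sIDHistory is still honoured. It assumes the ActiveDirectory module from RSAT and reads the trustAttributes bit flags on the trustedDomain objects, which are the bits that NETDOM TRUST /EnableSIDHistory and /Quarantine toggle.

```powershell
# Added example, not part of the original post: report the SID filtering state
# of every trust of the current domain. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# trustAttributes bit flags (MS-ADTS, trustAttributes)
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4    # set => SID filtering quarantine on   (/Quarantine:Yes)
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8    # set => this is a forest trust
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # set => SID history allowed on a forest trust (/EnableSIDHistory:Yes)

$trustDirectionNames = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

function Get-TrustSidFilteringReport {
    [CmdletBinding()]
    param()
    # Trust objects live in CN=System of the domain naming context.
    $systemContainer = "CN=System,$((Get-ADDomain).DistinguishedName)"
    Get-ADObject -SearchBase $systemContainer -LDAPFilter '(objectClass=trustedDomain)' `
                 -Properties trustPartner, trustAttributes, trustDirection |
    ForEach-Object {
        $attr        = [int]$_.trustAttributes
        $isForest    = ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
        $quarantined = ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0
        $sidHistory  = ($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -ne 0

        # Forest trust: SID history only flows once /EnableSIDHistory:Yes set TREAT_AS_EXTERNAL.
        # External trust: SID history flows as soon as the quarantine bit is off.
        $sidHistoryFlows = if ($isForest) { $sidHistory } else { -not $quarantined }

        [pscustomobject]@{
            Partner         = $_.trustPartner
            Direction       = $trustDirectionNames[[int]$_.trustDirection]
            TrustType       = if ($isForest) { 'Forest' } else { 'External' }
            Quarantined     = $quarantined
            SidHistoryFlows = $sidHistoryFlows
            Finding         = if ($sidHistoryFlows) {
                                  'REVIEW: partner sIDHistory is honoured; re-enable filtering once the migration is done'
                              } else { 'ok' }
        }
    }
}

# Run on a domain controller, or on a host with RSAT as a user allowed to read CN=System.
Get-TrustSidFilteringReport | Format-Table -AutoSize
```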

Wednesday, April 15, 2009

Configure name, IP and domain membership through the CLI

When installing Windows Server 2008 R2, you do not get the option to configure the computer name, IP address and domain membership during setup (when not using an unattended setup). So these tasks need to be done once the installation finishes.
The following commands allow you to configure these settings from the command line interface.

Rename the computer:
[Code]
Netdom Renamecomputer %Computername% /Newname:Computername
[/Code]
(Requires a reboot)

Configure the Local Area Connection:
[Code]
Netsh interface ip set address name="Local Area Connection" Static 192.168.1.1 255.255.255.0 192.168.1.254
[/Code]
Explanation: Netsh interface ip set address name="Local Area Connection" Static IPaddress Subnetmask Defaultgateway
[Code]
Netsh Interface IP Set DNS "Local Area Connection" Static 192.168.1.10
[/Code]
Explanation: Netsh interface ip set DNS "Local Area Connection" Static DNSserverIPaddress

Configure domain membership:
[Code]
Netdom Join %Computername% /Domain:Domainname /UserD:Administrator /PasswordD:*
[/Code]
By specifying the asterisk (*) as the password, the CLI will prompt you for a password.
[Code]
Shutdown -r -t 0
[/Code]
By using the %Computername% variable you do not need to check the computer name.

Public Beta Exchange 2010 released




Tuesday, April 14, 2009

Copy a Complete OU infrastructure

Sometimes you need to copy a complete OU structure within a single domain. This can be done with the following command:
[Code]
FOR /F "Tokens=1 Delims=," %a IN ('DSQUERY OU "OU=%Name OU%,DC=%Domain%,DC=%Prefix%"') DO DSADD OU %a,OU=%Parent OU%,DC=%Domain%,DC=%Prefix%
[/Code]
Replace %Name OU%, %Parent OU%, %Domain% and %Prefix% with your own values.

Example:
[Code]
FOR /F "Tokens=1 Delims=," %a IN ('DSQUERY OU "OU=Sales,DC=Contoso,DC=Com"') DO DSADD OU %a,OU=Offshore,DC=Contoso,DC=Com
[/Code]
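Because the one-liner keeps only the first RDN of each DSQUERY result, every sub-OU of the source ends up directly under the new parent. The following added example (not part of the original post) copies the subtree while keeping its hierarchy, and supports a dry run with -WhatIf. It assumes the ActiveDirectory module from RSAT; the DNs in the usage lines are constructed. GPO links, ACLs and the objects inside the OUs are not copied.

```powershell
# Added example, not part of the original post: mirror an OU subtree under another
# parent, preserving the hierarchy. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Copy-OUTree {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceOU,      # DN of the OU to copy
        [Parameter(Mandatory)][string]$TargetParent   # DN under which the copy is created
    )
    $src = Get-ADOrganizationalUnit -Identity $SourceOU -Properties Description

    # Escape commas in the RDN value; other DN special characters are left to the reader.
    $rdn   = 'OU=' + ($src.Name -replace ',', '\,')
    $newDn = "$rdn,$TargetParent"

    # Get-ADOrganizationalUnit throws for an unknown DN; treat that as "does not exist yet".
    try   { $existing = Get-ADOrganizationalUnit -Identity $newDn -ErrorAction Stop }
    catch { $existing = $null }

    if ($null -eq $existing) {
        $params = @{ Name = $src.Name; Path = $TargetParent }
        if ($src.Description) { $params.Description = $src.Description }
        # With -WhatIf this only reports; $WhatIfPreference flows into the cmdlet.
        New-ADOrganizationalUnit @params
        Write-Verbose "created $newDn"
    } else {
        Write-Verbose "exists  $newDn"
    }

    # Recurse one level at a time so each child lands under its copied parent.
    Get-ADOrganizationalUnit -Filter * -SearchBase $src.DistinguishedName -SearchScope OneLevel |
        ForEach-Object { Copy-OUTree -SourceOU $_.DistinguishedName -TargetParent $newDn }
}

# Constructed usage: mirror OU=Sales under OU=Offshore, dry run first, then for real.
Copy-OUTree -SourceOU 'OU=Sales,DC=Contoso,DC=Com' -TargetParent 'OU=Offshore,DC=Contoso,DC=Com' -WhatIf
Copy-OUTree -SourceOU 'OU=Sales,DC=Contoso,DC=Com' -TargetParent 'OU=Offshore,DC=Contoso,DC=Com' -Verbose
```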

Friday, April 3, 2009

Changing the credentials for the "ePO" service account.

Ever need to adjust the credentials for your ePolicy Orchestrator?
  • Change Password
  • Change Username
  • Change account
  • Change Domain
  • Change Database Server
  • Change Database Server Port
  • Change Database Name
Browse to HTTPS://Localhost/Core/Config to manage your settings.

Thursday, April 2, 2009

ADMT plain and simple

Setting up ADMT to migrate objects between two forests.

The latest version is ADMT v3.1, which can be used on Windows Server 2008. If you are using Windows Server 2003, you will need to use v3.0. ADMT v3.0 can only be installed on Windows Server 2003.


This article describes how to set up ADMT plain and simple.


Create and test a two-way trust between the two (or more) forests.

Create a migration account in the source forest and in the target forest. To keep it simple, make the two service accounts members of the Domain Admins group. It is not really necessary to make both accounts domain admins, but both accounts need to have permission to create, move and modify objects. If you do not like the idea of creating too many domain admins, you can provide the necessary rights through delegation.


After the migration accounts have been created, add the migration account to the Administrators group of the opposite forest: add Old\Migration to New\Administrators and vice versa.


Install ADMT on a member server or domain controller within the target forest. Create the 128-bit encryption key file to enable password migration between the two (or more) forests. The key file is created by running the following command in the ADMT\PES folder. Click Start -> Run and type CMD. Then type "CD %Systemroot%\Admt\Pes" (or the path to where you installed ADMT).

Then type the following and press Enter:
[Code]
ADMT KEY /OPTION:CREATE /SOURCEDOMAIN:%Olddomain% /KEYFILE:%Systemroot%\ADMT\PES\%Name of the keyfile% /PWD:*
[/Code]

You will be prompted to type a password, and to retype that password.

Note: the /KEYFILE option tells ADMT where to create the key file. This does not have to be the prescribed path. That path does, however, contain MIGPWD.MSI, which is needed later on.


Create a share, and place the contents of ADMT\PES and the key file in that share. Make sure that you can access the share from a domain controller in the source domain.


Log on to the source domain controller and access the share you created, which contains the ADMT key file and migpwd.msi. Open migpwd.msi, which will kick off the ADMT Password Migration DLL installation. This installs the Password Export Server service, which is required to safely migrate your passwords between the two forests.


The installation wizard will ask you where it can find the key file. Once the key file has been located, it will prompt you for the password with which you encrypted the key file. After filling in and confirming that password, the installation kicks off. At the end of the installation it will ask you under which account the Password Export Server service should run. Here you fill in the account of the migration user in the target forest. This account will also be granted the "Log on as a service" right. Once the installation has finished, a reboot of the system is required.


After the reboot you will see that the Password Export Server service has been created in the Services console (Services.msc). The start-up mode of this service is set to Manual, so you will need to start the service before starting the migration procedure.


Still on the source domain controller: go to Run, type regedit, go to HKLM\System\CurrentControlSet\Control\Lsa and create the following DWORD values:

TcpipClientSupport, value "1"

AllowPasswordExport, value "1"


Now all is set and ready to start a test migration.

Starting the test migration.

Log on to the source domain controller and start the Password Export Server service (Net start PESSVC).


Log on to the target ADMT migration machine and open ADMT with the credentials of the migration user in the source domain (RUNAS). Right-click the Active Directory Migration Tool and select which objects you wish to migrate.
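Before starting the test migration it is worth confirming that the source domain controller is actually in the state the steps above describe. The following added example (not part of the original post or of ADMT) checks the two LSA registry values and the Password Export Server service. It assumes the service name PESSVC and the Lsa key used above; the value names TcpipClientSupport and AllowPasswordExport are the ones from the registry step.

```powershell
# Added example, not part of the original post: pre-flight check for the
# Password Export Server on the source domain controller.
function Test-PesPrerequisites {
    [CmdletBinding()]
    param([switch]$StartService)   # also start PESSVC if it is installed but stopped

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $checks = @()

    # Both DWORD values must be 1 (see the registry step above).
    foreach ($valueName in 'TcpipClientSupport', 'AllowPasswordExport') {
        $item   = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.$valueName } else { '(missing)' }
        $checks += [pscustomobject]@{
            Check  = "$lsaKey\$valueName = 1"
            Ok     = ($actual -eq 1)
            Actual = $actual
        }
    }

    # The service is created by migpwd.msi; start-up type is Manual, so it may be stopped.
    $svc = Get-Service -Name PESSVC -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{
        Check  = 'Password Export Server service (PESSVC) installed'
        Ok     = ($null -ne $svc)
        Actual = if ($null -ne $svc) { $svc.Status } else { '(not installed)' }
    }

    if ($null -ne $svc) {
        if ($StartService -and $svc.Status -ne 'Running') {
            Start-Service -Name PESSVC      # equivalent of "Net start PESSVC" above
            $svc.Refresh()
        }
        $checks += [pscustomobject]@{
            Check  = 'PESSVC running'
            Ok     = ($svc.Status -eq 'Running')
            Actual = $svc.Status
        }
    }
    $checks
}

# Report only; add -StartService right before kicking off the migration.
Test-PesPrerequisites | Format-Table -AutoSize
```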

Happy migration!

Wednesday, March 18, 2009

Update Roll-up 7 for Exchange Server 2007 Service Pack 1 has been released.

http://msexchangeteam.com/archive/2009/03/18/450863.aspx

Thursday, February 26, 2009

Interesting Facts

  • Maximum number of objects in Active Directory: a little less than 2.15 billion
  • Maximum number of SIDs in a domain: about 1 billion
  • Maximum number of group memberships for security principals: 1015. This is for security groups: each security group you're a member of results in its SID being added to your access token at logon.

Note: for Windows 2000 Active Directory environments, the recommended maximum number of members in a group is 5,000. This recommendation is based on the number of concurrent atomic changes that can be committed in a single database transaction.

http://technet.microsoft.com/en-us/library/cc756101.aspx

Wednesday, February 25, 2009

XenServer Enterprise Edition for FREE!

http://www.virtualization.info/2009/02/citrix-xenserver-is-now-free-xencenter.html

Wednesday, February 11, 2009

Common Exchange 2007 Errors

· (Windows Server 2008) Creating a new mailbox fails with the following message: "An Exchange 2007 server on which an address list service is active cannot be found".
The "Microsoft Exchange System Attendant" service is not running.
***********************************************************************************
· (Windows Server 2008) The Exchange data store fails to mount after disabling IPv6 on Windows Server 2008.
Re-enable IPv6 on the network interface.
***********************************************************************************
· (Windows Server 2003/2008) When running "Setup /PrepareAD /OrganizationName:%name%" the following error message is received: "Error: A reboot from a previous installation is pending. Please restart the system and rerun setup."

Although the message is pretty straightforward, the same message appears after rebooting the system. Setup checks the registry value HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. The entries in this value are set by previous installations and are awaiting execution. For some reason the rename failed, and therefore the entry is not removed. Manually removing the entries will allow the Exchange setup to proceed.
************************************************************************************
· (Windows Server 2008) Running "Setup /PrepareAD /OrganizationName:%name%" fails with access denied.
Be sure to run the command with administrative privileges.
************************************************************************************
· (Windows Server 2008) The following warning is shown during setup: "Warning: Setup cannot detect an SMTP or Send connector with an address space of '*'. Mail flow to the Internet may not work properly."
Complete the installation and create the proper receive and send connectors to ensure mail flow from and to the internet.
************************************************************************************
· (Windows Server 2008) The following warning is shown on the Client Access Server:
--------------------------------------------------------
Microsoft Exchange Warning
--------------------------------------------------------
The following warning(s) were reported while loading topology information:
Get-OWAVirtualDirectory
Completed
Warning:
The virtual directory "Exchange (Default Web Site)" is not configured correctly. This server has the Mailbox server role installed, so HTTP compression must be disabled. You can use the IIS Manager to disable compression.
Warning:
The virtual directory "Public (Default Web Site)" is not configured correctly. This server has the Mailbox server role installed, so HTTP compression must be disabled. You can use the IIS Manager to disable compression.

Warning:
The virtual directory "Exchweb (Default Web Site)" is not configured correctly. This server has the Mailbox server role installed, so HTTP compression must be disabled. You can use the IIS Manager to disable compression.
--------------------------------------------------------
OK
--------------------------------------------------------

Open IIS Manager, click the Default Web Site, then select the "Exchange" virtual directory beneath it in the left pane. In the middle pane (under IIS), double-click Compression and deselect "Enable static content compression".
*************************************************************************************
- (Windows Server 2003/2008) The Microsoft Exchange System Attendant fails to start.
The following event is noted in the event viewer:
Source: MSExchangeTransport, Event ID: 7005


Microsoft Exchange couldn't read the configuration from the Active Directory directory service because of error: Failed to load config due to exception: Microsoft.Exchange.Common.ExClusTransientException: The Windows Cluster service encountered an error during function OpenCluster:. ---> System.ComponentModel.Win32Exception: The interface is unknown

Check your site configuration and see whether the correct subnet(s) are defined.
*************************************************************************************
- (Windows Server 2003) A new mailbox cannot be accessed through https://%Servername%/Owa although the mailbox resides on an Exchange 2007 mailbox server.

Inner exception: Exception type: Microsoft.Exchange.Data.Directory.InvalidADObjectOperationException. Exception message: Property Languages cannot be set on this object because it requires the object to have version 0.1 (8.0.535.0) or later. Current version of the object is 0.0 (6.5.6500.0).

The mailbox was created using ADUC (DSA.MSC) and not the Microsoft Exchange 2007 tools. Therefore the mailbox is marked as legacy and cannot be accessed through OWA 2007. Open the Exchange Management Shell and type:
[Code]
Set-Mailbox %Alias% -ApplyMandatoryProperties
[/Code]
*************************************************************************************

Thursday, February 5, 2009

McAfee ePolicy Orchestrator on Windows Server 2008 x64

ePO 4.0 is not supported on a 64-bit operating system. Version 4.5 should be supported, and will hopefully be released before the summer.

Exchange store will not mount when IPv6 is disabled.

This morning I discovered that the store of a freshly installed Windows Server 2008 (SBS) was unable to mount after disabling IPv6 on the interface. After re-enabling IPv6, the Exchange store was able to mount again.

Tuesday, January 13, 2009

GPO: Disabling the Windows Firewall in Vista

Microsoft best practices advise keeping the Windows Firewall enabled at all times, yet a lot of companies prefer to disable the firewall inside their corporate networks. I know disabling might be the easy way out, as a properly configured firewall can surely be an added value towards corporate security.

Well, if you do decide to take the easy way out, the following information can be quite handy.

If you had asked me how to disable the Windows Firewall in Windows Vista through policy, I would have answered:
"Enable the policy 'Do not allow the Windows Firewall to be run on your DNS domain'."

Recently I discovered that that policy has no effect on Windows Vista. If you want to disable the Windows Firewall in Windows Vista you need to disable the policy "Windows Firewall: Protect all network connections".

You will find this setting in two different locations inside Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\:
  1. Domain Profile
  2. Standard Profile

Now what is the difference between these two profiles?

The domain profile applies when users were able to authenticate to a domain controller (not logged on with cached credentials), i.e. when they are connected to the LAN and able to communicate with a domain controller.

The standard profile, on the other hand, applies when users are unable to authenticate to a domain controller and were therefore logged on with cached credentials: usually when they are not connected to the LAN and thus unable to communicate with (authenticate to) a domain controller (outside the office, hotel room, etc.).

As corporate LANs are usually protected by enterprise firewalls, it might be acceptable to disable the Windows Firewall inside the corporate network (domain profile). But outside the corporate network it is surely not advisable, so in the standard profile I would not disable the Windows Firewall.
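To see what the policy is actually enforcing on a client, here is an added example (not part of the original post) that reads back the two per-profile settings. It uses the registry values this policy writes (the WindowsFirewall policy key with its DomainProfile and StandardProfile subkeys, value EnableFirewall) and warns where the standard profile ends up without a firewall, which is the case the post advises against.

```powershell
# Added example, not part of the original post: report the per-profile state of the
# "Windows Firewall: Protect all network connections" policy on the local machine.
function Get-FirewallPolicyState {
    [CmdletBinding()]
    param()
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $key   = Join-Path $policyRoot $profile
        $item  = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.EnableFirewall } else { $null }

        # Not configured: no policy value at all, so the local firewall setting applies.
        $state = if ($null -eq $value) { 'Not configured by policy (local setting applies)' }
                 elseif ($value -eq 0) { 'Firewall DISABLED by policy' }
                 else                  { 'Firewall enabled by policy' }

        # The post's advice: off may be acceptable for the domain profile, not for the standard one.
        $warning = if ($profile -eq 'StandardProfile' -and $value -eq 0) {
                       'Standard profile has no firewall: machine is unprotected outside the office'
                   } else { '' }

        [pscustomobject]@{ Profile = $profile; EnableFirewall = $value; State = $state; Warning = $warning }
    }
}

Get-FirewallPolicyState | Format-Table -AutoSize
```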

Wednesday, December 31, 2008

Policy preferences in Vista

Since Windows Server 2008, Microsoft offers Group Policy Preferences, a technology they acquired with the acquisition of DesktopStandard. After installing RSAT (Remote Server Administration Tools) on a Vista machine, you will see the preferences appear when opening the Group Policy Editor (GPEDIT.MSC). In order to make use of these policy preferences, your Vista machines need to have KB943729 (Windows Vista link / Windows XP link) installed. A Windows Server 2008 domain controller is not required: you can still use Windows Server 2003, as it is the client which needs to have the proper CSE (Client Side Extensions) to process the policies.

System requirements (Windows Vista link), supported operating systems: Windows Vista; Windows Vista Service Pack 1

System requirements (Windows XP link), supported operating systems: Windows XP Service Pack 2; Windows XP Service Pack 3