Summary: Windows Tricks
It's all about Windows technology
Difference between Windows Server 2003 and Windows Server 2008
- Windows Server 2008 installation is faster because setup is image-based (the install.wim image is applied to the disk) rather than copying files one by one as Windows Server 2003 setup does. Both versions ship in 32-bit (x86) and 64-bit (x64) editions; only Windows Server 2008 R2 is 64-bit only.
- Windows Deployment Services (WDS) replaces the Remote Installation Services (RIS) of Windows Server 2003.
- Services are installed as roles in Windows Server 2008, and some have been renamed: Active Directory is now Active Directory Domain Services (AD DS).
- The boot sequence has changed: the Boot Configuration Data (BCD) store, bootmgr and winload.exe replace boot.ini and NTLDR.
- Virtualization (Hyper-V, available on the x64 editions) is the main difference between Windows Server 2003 and Windows Server 2008.
- PowerShell is fully supported as an installable feature; you can manage the server with PowerShell scripts and cmdlets.
- New power-saving features have been introduced in Windows Server 2008, including updated support for Advanced Configuration and Power Interface (ACPI) processor power management (PPM): processor performance states (P-states) and processor idle sleep states on multiprocessor systems. These features can be managed through Group Policy.
- Security has been improved with features such as BitLocker drive encryption, the Server Core installation option (smaller attack surface), read-only domain controllers (RODC) and Windows Firewall with Advanced Security enabled by default.
- IIS 7.0 replaces IIS 6.0.

Date Published: Aug 08, 2011 - 5:20 am
Does anyone want a Google Plus invite? I have decided to send invites freely to readers and followers of Windows Tricks. To get a free invite, leave a comment with a correct email address.

Date Published: Jul 27, 2011 - 11:20 am
Deploying printers via Group Policy using the Print Management console. If Print Management is not installed, install it by adding or updating the Print Server role through Manage Your Server.
Deploying printers through GPO
o Open the Print Management console and select the print server that hosts the printer you want to deploy.
o In the results pane, right-click the printer, then click Deploy with Group Policy.
o Click Browse, and then choose the GPO through which you are going to deploy the printer.
o Choose whether to deploy the printer per user or per computer:
o The users that this GPO applies to (per user)
o The computers that this GPO applies to (per machine)
o Click Add, then OK.
Windows Vista, Windows Server 2008 and later clients process deployed printer connections natively. Windows XP and Windows Server 2003 clients do not, so to complete the deployment on those clients you have to run PushPrinterConnections.exe on them; it reads the printer connection settings from the GPO and creates the connections.
Deploy the PushPrinterConnections.exe file
Add PushPrinterConnections.exe as a script in the GPO so that it runs when the user logs on (per user) or the computer starts (per machine):
o Open gpmc.msc, right-click the GPO that contains your printer connection settings and click Edit.
o For per-machine connections, go to Computer Configuration, Windows Settings, Scripts (Startup/Shutdown) and add PushPrinterConnections.exe as a startup script.
o For per-user connections, go to User Configuration, Windows Settings, Scripts (Logon/Logoff) and add PushPrinterConnections.exe as a logon script.
Ask the user to log off and log on again and the printer will be installed automatically through the GPO; for per-machine deployment ask the user to restart the computer so that the updated GPO is applied.
Because clients pull the printer driver from the print server, pair this with the Point and Print Restrictions policy so that clients only accept drivers from the print servers you intend.
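The GUI steps above leave no easy way to audit which printers a GPO actually pushes. The following PowerShell function is an added example (not part of the original post) that lists the deployed printer connections stored in a GPO's Group Policy Container. It assumes (this is not stated on the page) that the deployed-printer objects have the objectClass msPrint-ConnectionPolicy with printerName, serverName and uNCName attributes and live under the GPO's CN=User (per-user) or CN=Machine (per-machine) subcontainer; the GPO name is a placeholder.

```powershell
# Added example, not from the original post.
# Assumption: deployed printer connections are stored in the GPC as
# msPrint-ConnectionPolicy objects under CN=User or CN=Machine of the GPO.
# Requires read access to CN=Policies,CN=System in the domain.
function Get-GpoDeployedPrinter {
    param(
        [Parameter(Mandatory=$true)][string]$GpoName,
        [string]$DomainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
    )
    # Locate the Group Policy Container by its display name
    $policies = [ADSI]"LDAP://CN=Policies,CN=System,$DomainDn"
    $gpcSearch = New-Object System.DirectoryServices.DirectorySearcher($policies)
    $gpcSearch.Filter = "(&(objectClass=groupPolicyContainer)(displayName=$GpoName))"
    $gpc = $gpcSearch.FindOne()
    if (-not $gpc) { throw "GPO '$GpoName' not found under $DomainDn" }
    $gpcDn = $gpc.Properties['distinguishedname'][0]

    # Search the whole GPC subtree for deployed-printer objects, so the
    # exact container name does not matter; scope is derived from the DN.
    $printSearch = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$gpcDn")
    $printSearch.Filter = '(objectClass=msPrint-ConnectionPolicy)'
    $printSearch.SearchScope = 'Subtree'
    foreach ($p in $printSearch.FindAll()) {
        $dn = $p.Properties['distinguishedname'][0]
        $scope = 'Unknown'
        if ($dn -match ',CN=Machine,') { $scope = 'Per-machine' }
        elseif ($dn -match ',CN=User,') { $scope = 'Per-user' }
        New-Object PSObject -Property @{
            Gpo        = $GpoName
            Scope      = $scope
            PrinterUNC = $p.Properties['uncname'][0]
            Server     = $p.Properties['servername'][0]
            Printer    = $p.Properties['printername'][0]
        }
    }
}

# Placeholder GPO name
Get-GpoDeployedPrinter -GpoName 'Printers - Floor 2' | Format-Table Scope, PrinterUNC, Server -AutoSize
```

Run it on a domain controller or a machine with the AD management tools; if the listed print server is not one you administer, the GPO has been edited by someone else and deserves a look before clients install drivers from it.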

Date Published: Jul 21, 2011 - 7:03 am
How to check the tombstone lifetime value in your domain/forest
The tombstone lifetime (TSL) depends on the OS the forest was created with: for Windows 2000 and Windows Server 2003 RTM it is 60 days; Windows Server 2003 SP1 raised the default to 180 days; the Windows Server 2003 R2 media reverted to 60 days; Windows Server 2003 R2 SP2 and Windows Server 2008 use 180 days.
The value is set once, when the forest is created, and an OS upgrade does not change it: if you migrate a Windows 2003 forest that was created with 60 days to Windows 2008, it stays at 60 days. If the attribute is not set at all, the effective value is 60 days.
The TSL also bounds how old a system state backup can be and still be restored, and how long a domain controller can stay disconnected before it must be rebuilt instead of reconnected; a DC brought back after longer than the TSL is the usual source of lingering objects.
You can use the command below to check the current tombstone lifetime value for your forest:
dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,<forestDN>" -scope base -attr tombstonelifetime
Replace <forestDN> with the DN of your forest root domain; for domainname.com the DN would be dc=domainname,dc=com. If the output shows no value, the attribute is unset and the 60-day default applies.
To know more about tombstone lifetime and lingering objects:
Source:
http://technet.microsoft.com/en-us/library/cc784932(WS.10).aspx
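The same check in PowerShell, as an added example that is not part of the original post. It reads the attribute from the configuration partition through ADSI, applies the 60-day default when the attribute is absent, and derives the oldest system state backup you could still restore, which is the number people actually need from this value.

```powershell
# Added example, not from the original post.
# Reads tombstoneLifetime from the forest's configuration partition.
# When the attribute is absent Active Directory behaves as if it were 60.
function Get-TombstoneLifetime {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

    $raw = $dsObject.Properties['tombstoneLifetime'].Value
    $effectiveDays = 60
    if ($raw) { $effectiveDays = [int]$raw }

    New-Object PSObject -Property @{
        ConfigurationNC       = $configNc
        AttributeSet          = [bool]$raw
        TombstoneLifetimeDays = $effectiveDays
        # A system state backup older than this date must not be restored,
        # and a DC disconnected since before this date must be rebuilt.
        OldestUsableBackup    = (Get-Date).AddDays(-$effectiveDays)
    }
}

Get-TombstoneLifetime | Format-List
```

Run it on any domain-joined machine that can reach a domain controller over LDAP; no RSAT is required.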

Date Published: Jul 12, 2011 - 3:27 am
Microsoft has entered cloud computing with different services (Office 365, Windows Azure, Windows Intune and Microsoft Dynamics CRM) to compete with Google Apps and Amazon's cloud. Microsoft's cloud services are designed for targeted markets and customers to fulfil their needs; let's see how each can be used in practice.
Office 365
Through Office 365, Microsoft provides the day-to-day office applications as a cloud service: Microsoft Office (Word, Excel and PowerPoint), email (used through Microsoft Outlook), file storage and collaboration (SharePoint) and instant messaging (Communicator). These are the basic applications day-to-day office work requires.
There is no need to invest in high-end servers and IT infrastructure to provide these basic services to your employees; you can even view and edit Office documents from the browser, with no need to install Office locally on your desktop, and they can be accessed from anywhere through the internet.
I will discuss this more in my upcoming post, please check back.
Windows Azure
Normally an application runs on a server in a data center, is accessible from the internet or intranet, and is built on some kind of platform. For in-house applications that platform usually includes a programming language (.NET), an operating system (Windows Server 2008) and a way of storing data.
Applications running in the cloud need a similar foundation. Windows Azure runs on servers in Microsoft data centers: rather than software you install on your own computers, Windows Azure is a service that customers use to run applications and store data on internet-accessible machines owned by Microsoft.
Using Windows Azure you can build applications for the cloud and also migrate existing applications to it; through Windows Azure Microsoft provides Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), comparable to Amazon Web Services' Elastic Compute Cloud (EC2).
You can create your own virtual machine on Windows Azure, but it will only host applications running on two versions of Windows Server; it does not support Linux or other operating systems, which is why I call it "Windows as a service" rather than Infrastructure as a Service. You also cannot supply your own VM image for Windows Azure to run; instead, the platform provides and maintains its own copy of Windows.
Windows Intune
This is cloud-based PC management software: you can monitor domain-joined and workgroup computers from anywhere, and the computers do not need to connect to the corporate network in order to receive updates and be monitored. Whether they are in the office or on the road, you can view their status, alerts, security policies and more through the web console.
The Windows Intune client needs to be installed on each computer you are going to monitor (a Windows 7 system is required) and the computers need an internet connection; it is best suited to small and medium environments.
Windows Server Hyper-V
Windows Server Hyper-V for the private cloud: using Microsoft's virtualization solution you can implement your own private cloud environment.
Microsoft Dynamics CRM
A cloud-based CRM integrated with Microsoft Office applications, accessible from anywhere through Outlook.
Emerging cloud technology will probably change the way we work in future; I will try to elaborate on each in upcoming articles, please check back.

Date Published: Jul 11, 2011 - 3:25 am
If the computer account of a domain controller is out of sync with its replication partners, you may receive "The target principal name is incorrect" or "Access is denied" errors during replication.
To check the computer account, run one of the commands below from the affected domain controller against a replication partner:
net view \\dcname
or
net use \\dcname\ipc$
If you receive "Access is denied", the computer account is confirmed as the problem. To resolve it, reset the computer account password and the secure channel between this domain controller and the PDC emulator (or the replication partner).
Before running the command, stop the Kerberos Key Distribution Center (KDC) service on the affected domain controller, so that it stops issuing tickets based on the old password while the reset is in progress.
Run the command from the domain controller whose password you are going to reset; server_name is the PDC emulator or the replication partner that will receive the new password:
netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password
Prefer /passwordd:* so that netdom prompts for the password instead of leaving it in the command history and process list. Afterwards restart the KDC service (and set its startup type back to Automatic if you changed it), then repeat the net use test. If the error persists with the account in sync, check time synchronization and the DC's DNS and SPN registrations, which produce the same Kerberos error.
More info: http://support.microsoft.com/kb/288167
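The net use test tells you the secure channel is broken but not why. The following PowerShell function is an added example (not part of the original post or the KB) that checks the actual root cause: it reads the affected DC's computer account pwdLastSet as stored on the DC itself and as stored on its replication partner. If the two differ, the DC is using a password its partner has not received, which is exactly the case netdom resetpwd fixes. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and read access to both DCs; the DC names are placeholders.

```powershell
# Added example, not from the original post.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT).
Import-Module ActiveDirectory

function Test-DcAccountPasswordSync {
    param(
        [Parameter(Mandatory=$true)][string]$AffectedDc,   # DC reporting the error
        [Parameter(Mandatory=$true)][string]$PartnerDc     # its replication partner
    )
    # Ask each DC for ITS copy of the affected DC's computer account.
    $views = foreach ($queryDc in @($AffectedDc, $PartnerDc)) {
        $acct = Get-ADComputer -Identity $AffectedDc -Server $queryDc -Properties pwdLastSet
        New-Object PSObject -Property @{
            QueriedOn  = $queryDc
            PwdLastSet = [DateTime]::FromFileTimeUtc($acct.pwdLastSet)
        }
    }
    $inSync = ($views[0].PwdLastSet -eq $views[1].PwdLastSet)

    $views | Format-Table QueriedOn, PwdLastSet -AutoSize | Out-String | Write-Host
    if ($inSync) {
        Write-Host "pwdLastSet agrees on both DCs; the account password is not the problem (check time skew, DNS, SPNs)."
    } else {
        Write-Host "pwdLastSet differs: reset the account with netdom resetpwd on $AffectedDc against $PartnerDc."
    }
    return $inSync
}

# Placeholder DC names
Test-DcAccountPasswordSync -AffectedDc 'DC01' -PartnerDc 'DC02'
```

Querying each DC with -Server is the point: the Get-ADComputer call without -Server would follow DC locator and could land on either copy, hiding the divergence.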

Date Published: Jul 05, 2011 - 1:23 am
If you receive the error "The source server is currently rejecting replication requests. This operation will not continue" on Windows Server 2003/2008 and Active Directory replication has stopped working, inbound and/or outbound replication has probably been disabled on the domain controller.
Use the repadmin command below to check the replication options of the DC:
repadmin /options DCNAME
If you see output like the following, inbound and outbound replication are disabled:
"Current DC Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL"
If they are disabled, run the commands below to enable them again (the minus sign clears the option; a plus sign would set it):
repadmin /options DCNAME -DISABLE_INBOUND_REPL
repadmin /options DCNAME -DISABLE_OUTBOUND_REPL
If replication is disabled again by itself after a while (about 15 minutes), you have to look at the Directory Service event log before re-enabling it a second time. Event ID 1988 means a lingering object: the source DC sent an update for an object this DC has already tombstoned and garbage-collected, and the event names the source DC and the object by GUID and DN. Event ID 2095 means USN rollback (typically a DC restored from a disk image or virtual machine snapshot); in that case the DC disables inbound and outbound replication on purpose to protect the forest, and the answer is to demote and rebuild it, not to clear the options.
If your environment is configured with strict replication consistency, inbound replication of the directory partition containing the lingering object is blocked on the destination domain controller from that source.
You have to remove the lingering objects to resolve this issue; run the removal in advisory mode first so that you see what would be deleted.
Replication options do not disable themselves without a reason, so if nobody on the team changed them, find out which process or account ran repadmin before you undo it.
Also check Troubleshoot Active Directory Server Replication for other AD replication issues.
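Checking one DC at a time with repadmin /options scales poorly. The following PowerShell function is an added example (not part of the original post) that runs repadmin /options against every domain controller in the domain, parses the option flags, and for any DC with inbound replication disabled pulls the most recent Event ID 1988 and 2095 entries from its Directory Service log. It assumes repadmin.exe is installed, remote event log access, and Windows Server 2008 / PowerShell 2.0 for Get-WinEvent.

```powershell
# Added example, not from the original post.
# Assumes repadmin.exe on the path and rights to read remote event logs.
function Get-DcReplicationOptions {
    $domainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
    $dcOu = [ADSI]"LDAP://OU=Domain Controllers,$domainDn"
    $dcs = @()
    foreach ($child in $dcOu.Children) {
        if ($child.SchemaClassName -eq 'computer') { $dcs += [string]$child.Properties['dNSHostName'].Value }
    }

    foreach ($dc in $dcs) {
        # repadmin prints "Current DC Options: FLAG FLAG ..."
        $out = & repadmin /options $dc 2>&1 | Out-String
        $optionLine = $out -split "`r?`n" | Where-Object { $_ -match 'Current DC Options:' } | Select-Object -First 1
        $flags = @('<unreachable>')
        if ($optionLine) { $flags = ($optionLine -replace '.*Current DC Options:\s*', '') -split '\s+' }

        $inboundOff  = $flags -contains 'DISABLE_INBOUND_REPL'
        $outboundOff = $flags -contains 'DISABLE_OUTBOUND_REPL'

        # Only look at the event log when something is actually disabled.
        $events = @()
        if ($inboundOff -or $outboundOff) {
            $events = @(Get-WinEvent -ComputerName $dc -MaxEvents 10 -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'Directory Service'; Id = 1988, 2095 })
        }
        New-Object PSObject -Property @{
            DC               = $dc
            Flags            = ($flags -join ' ')
            InboundDisabled  = $inboundOff
            OutboundDisabled = $outboundOff
            LingeringObject  = [bool]($events | Where-Object { $_.Id -eq 1988 })
            UsnRollback      = [bool]($events | Where-Object { $_.Id -eq 2095 })
        }
    }
}

Get-DcReplicationOptions | Format-Table DC, InboundDisabled, OutboundDisabled, LingeringObject, UsnRollback -AutoSize
```

A DC that shows UsnRollback must not simply have its options cleared; treat it as a DC to demote and rebuild.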

Date Published: Jul 01, 2011 - 12:14 am
Is the cloud reliable?
Almost every tech magazine has an article on cloud computing and it has become one of the most frequently used words in IT. Yes, the cloud is the emerging technology in the IT world, seeking to change the concept of personal computing and take it to a new level, and it is the talk of the town recently; but is the cloud reliable?
Hosting applications on the public cloud (email, websites, databases and others): everyone is planning to migrate locally hosted applications to the cloud and to implement cloud-based applications, and of course the cloud has many advantages compared to locally hosted ones.
I have concerns over cloud implementations; recently I have seen attacks against Gmail, Amazon's EC2 cloud service was down in April 2011, and I lost all my mail from rediffmail.com, and not only me, it affected many others. These incidents raise questions about cloud reliability.
The decision to migrate services to a cloud should always be based on how well the provider can guarantee that the servers will deliver an adequate percentage of uptime. Of course it is one thing to promise 99.9 percent uptime and quite another to deliver it, so when a cloud provider makes a claim about availability you should have data to validate it, and to judge how inherently redundant and scalable the service is.
You should also have a clearly defined SLA and other agreements to protect your data and the high availability of the service; this is what ensures cloud reliability, and of course these guarantees are only available with a paid cloud service.

Date Published: Jun 29, 2011 - 5:41 am
The list of trusted sites went empty recently: yes, the Trusted Sites list in Internet Explorer says "No sites are in this zone" for everyone. How do you resolve this issue?
We had an issue where someone edited the Default Domain Policy to update the trusted sites list and we lost the entire IE configuration (including the trusted sites list) because he used a different account to edit the Group Policy. It is a known issue with the Internet Explorer Maintenance settings on Windows Server 2003. Why does it clear the IE configuration? Let's explore this.
The Internet Explorer Maintenance policy settings are populated from the Internet Explorer settings in effect on the administrative workstation used to view them.
When you edit a Group Policy to configure the Internet Explorer settings, the editor opens Internet Options as they exist on the system (and for the account) where you are modifying the policy. Say you log on with an admin account that is not linked to any policy, including the Default Domain Policy that holds the IE configuration such as trusted sites: if you open the policy and edit it to update the trusted sites through GPMC, the list appears empty, because the admin account used to edit the GPO has no trusted sites applied to it.
If you click OK, the empty list overwrites the policy setting, and that applies to all users: the trusted sites list becomes empty for every user in the domain.
That is why, for IE configuration only, you have to use an admin account to which the policy you want to edit applies: when you log on, the policy is applied, you can see the existing list of trusted sites and other IE configuration settings, and you can append to them without any issue.
Two precautions: back up the GPO (Back Up in GPMC) before touching IE settings so that the previous list can be restored, and consider the "Site to Zone Assignment List" administrative template setting (Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel, Security Page), which stores the list as registry policy values and reads nothing from the editing workstation.
Thanks to Microsoft, on Windows Server 2008 this behaviour has changed; you can change the Internet Explorer policy settings without affecting the existing policy configuration, because these settings are registry based, unlike Windows Server 2003. More info about the
GPO features
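After an incident like this you want to see what actually reached the workstations rather than what the editor displayed. The following PowerShell function is an added example (not part of the original post) that reads the Site to Zone Assignment List policy as applied on a client, from both the machine and user policy hives, and decodes the zone numbers. The registry paths and zone numbering are the documented ones for that policy setting.

```powershell
# Added example, not from the original post.
# Reads the "Site to Zone Assignment List" policy values applied locally.
function Get-PolicySiteToZone {
    $zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    $paths = @(
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    )
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        # Each value name is the site pattern; the value data is the zone number as a string
        foreach ($site in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($site)
            $name = 'Unknown'
            if ($zoneNames.ContainsKey($zone)) { $name = $zoneNames[$zone] }
            New-Object PSObject -Property @{
                Hive     = $path.Split(':')[0]
                Site     = $site
                Zone     = $zone
                ZoneName = $name
            }
        }
    }
}

$assignments = @(Get-PolicySiteToZone)
if ($assignments.Count -eq 0) {
    Write-Host 'No Site to Zone Assignment List policy is applied on this computer.'
} else {
    $assignments | Sort-Object Zone, Site | Format-Table Hive, Site, ZoneName -AutoSize
}
```

Run it as the affected user after gpupdate; an empty result with the IE Maintenance path in use confirms the list never came from the registry-based setting, and a site unexpectedly in zone 2 is worth a question to whoever edited the GPO.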

Date Published: Jun 22, 2011 - 5:07 am
Free Nslookup Tool for Windows with GUI interface
It is the normal Windows nslookup command-line tool converted into a user-friendly GUI tool; it is used to check DNS records and has several customizable features.
Features of the DNS Lookup Tool
• You can query the different record types (A, MX, NS, SOA, PTR and SRV)
• You can enable debugging mode for better DNS troubleshooting
• You can change the DNS query type (recursive, or iterative (non-recursive))
• You can specify the server to query (by default it is the primary DNS server from the network card configuration)
• Easy to use and user friendly; no installation required, you can run the tool directly.
DNS Lookup Tool
[Screenshots: the tool querying an A record; querying an MX record; query output with debugging mode enabled]
Download Nslookup Tool
For more info on NSLOOKUP and DNS troubleshooting

Date Published: Jun 16, 2011 - 2:05 am
Exchange recipients are used to send and receive Exchange mail: Active Directory objects or resources that send and receive messages are called Exchange recipients (for example User and Group objects in Active Directory). In an Exchange 2010 environment different types of recipient are available and each recipient type has its own set of features.
Most common recipient types
User
Group
Contact
Exchange 2010 recipient types
Dynamic distribution group
Equipment mailbox
Legacy mailbox
Linked mailbox
Mail contact
Mail forest contact
Mail user
Mail-enabled non-universal group
Mail-enabled public folder
Mail-enabled universal distribution group
Mail-enabled universal security group
Microsoft Exchange recipient
Room mailbox
Shared mailbox
User mailbox
Remote mailbox (New recipient type in Exchange 2010)
Linked user (New recipient type in Exchange 2010)

Date Published: Jun 14, 2011 - 5:40 am
It is a frequently asked question: the list of ports used by Active Directory for replication and authentication, so that a firewall can be configured.
Active Directory replication - there is no fixed port for Active Directory replication. The replication remote procedure calls (RPC) use a dynamically assigned port that the client learns from the RPC Endpoint Mapper (RPCSS) on TCP 135. If the firewall cannot allow the whole dynamic range, the replication port can be pinned with the "TCP/IP Port" value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
File Replication Service (FRS) - likewise there is no fixed port for FRS; FRS replication over RPC uses a dynamic port obtained through the RPC Endpoint Mapper (RPCSS) on TCP 135.
Other required ports for Active Directory
TCP 53 - DNS (zone transfers and responses too large for UDP)
UDP 53 - DNS queries
TCP 42 / UDP 42 - WINS (replication / name resolution), only if WINS is in use
TCP 3389 - RDP (remote administration; not required by AD itself)
TCP 135 - RPC Endpoint Mapper
TCP 1024-5000 (Windows 2000/2003) or TCP 49152-65535 (Windows Vista/2008) - dynamic RPC ports for AD logon and replication; 1025 and 1026 are only the first ports usually handed out, so the whole range has to be allowed unless the port is pinned as above
TCP 389 - LDAP
UDP 389 - LDAP (CLDAP, used by the DC locator)
TCP 636 - LDAP over SSL/TLS
TCP 3268 - Global Catalog
TCP 3269 - Global Catalog over SSL/TLS
UDP 137 & 138, TCP 139 - NetBIOS name, datagram and session services (legacy)
TCP 88 & UDP 88 - Kerberos v5
TCP 464 & UDP 464 - Kerberos password change
TCP 445 - SMB over TCP (Microsoft-DS): SYSVOL, NETLOGON, Group Policy
UDP 123 - NTP (W32Time), needed to keep clocks within Kerberos tolerance
Important Windows ports
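A port list is only useful once you can confirm the firewall actually passes them. The following PowerShell functions are an added example (not part of the original post) that test the fixed TCP ports from the list above against a domain controller with raw TCP connects and a timeout, so they work on Windows Server 2003/2008 without Test-NetConnection. UDP services (53, 88, 123, 137/138, 389 CLDAP, 464) cannot be confirmed by a connect test and are left out, as is the dynamic RPC range, which depends on the DC's OS and registry configuration. The DC name is a placeholder.

```powershell
# Added example, not from the original post.
# Plain TCP connect test with a timeout; UDP and dynamic RPC ports are out of scope.
function Test-AdPort {
    param([string]$Dc, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Dc, $Port, $null, $null)
        # WaitOne returns $false on timeout; Connected is false on refusal
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) { return $true }
        return $false
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-AdConnectivity {
    param([Parameter(Mandatory=$true)][string]$Dc)
    $required = @{
        53   = 'DNS (TCP: zone transfer / large responses)'
        88   = 'Kerberos v5'
        135  = 'RPC Endpoint Mapper'
        139  = 'NetBIOS session'
        389  = 'LDAP'
        445  = 'SMB (SYSVOL, NETLOGON)'
        464  = 'Kerberos password change'
        636  = 'LDAP over SSL/TLS'
        3268 = 'Global Catalog'
        3269 = 'Global Catalog over SSL/TLS'
    }
    foreach ($port in ($required.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            DC      = $Dc
            Port    = $port
            Service = $required[$port]
            Open    = (Test-AdPort -Dc $Dc -Port $port)
        }
    }
}

# Placeholder DC name; run from the client side of the firewall
Test-AdConnectivity -Dc 'dc01.domainname.com' | Format-Table Port, Service, Open -AutoSize
```

An open port proves only that a listener answers through the firewall; 636 and 3269 answering does not mean the DC has a valid certificate, which is a separate check.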

Date Published: Jun 08, 2011 - 6:50 am
Group Policy slow link detection process change in Windows Server 2008
You can see my earlier articles on Group Policy slow link detection:
Group Policy Processing over Slow Links in Windows 2003 (Part 1)
Group Policy Processing over Slow Links (Part 2)
On Windows Server 2003 and Windows XP clients, Group Policy slow link detection uses ICMP ping to estimate the bandwidth to the domain controller. Most VPN networks have a problem with this because the clients communicate with the domain controller through a firewall.
This was a big problem with Windows 2003-era clients because of the dependence on ICMP ping: at some VPN sites ICMP is blocked by the firewall, or the MTU is smaller than the 2048-byte ping packet the detection sends, and the pings themselves add network traffic. The result is a wrong slow-link decision, so settings that are skipped over slow links by default (software installation, folder redirection, scripts) are not applied, or are applied over a link that cannot carry them. To overcome these problems Microsoft came up with a solution called Network Location Awareness (NLA).
Network Location Awareness is a service on the client computer (Windows Vista, Windows Server 2008 and later) that provides information about the network, and the Group Policy client uses it to decide how to apply policy settings. Most importantly, it does not use ICMP ping and is much more efficient than the earlier process on Windows 2003. Note that this is a client-side change: a Windows Vista client against a Windows 2003 domain controller gets the new behaviour, while a Windows XP client against a Windows 2008 domain controller still pings.

Date Published: Jun 06, 2011 - 5:27 am
Using the online String to GUID converter tool you can convert a string-formatted GUID to the hexadecimal (octet string) format and vice versa (hexadecimal-formatted GUID to string format).
If you extract an Active Directory object's GUID from a domain controller using ADSIEDIT you get the hexadecimal (octet string) format, and you have to convert it to the normal string format because most Windows commands and scripts require a string-format GUID. The conversion is not just removing spaces and adding dashes: the first three fields of a GUID are stored little-endian, so their bytes appear reversed in the octet string.
No need to download and install anything; it is an online tool and can be used directly on our website, just click here
Online String to GUID converter Tool
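For scripts that cannot use a web page, the following PowerShell functions are an added example (not part of the original post or the tool) that perform the same conversion offline, between the string form, the ADSIEDIT hex octet string, and the escaped-byte form needed in an LDAP search filter. The sample GUID is a constructed value, not from a real directory.

```powershell
# Added example, not from the original post.
# System.Guid's byte[] constructor and ToByteArray() use the same on-disk layout
# as the AD objectGUID octet string, so they handle the little-endian fields.
function ConvertFrom-HexGuid {
    param([Parameter(Mandatory=$true)][string]$Hex)
    # Accept "0x4b 0x1e ...", "4b1e...", "4B 1E ..." and similar
    $clean = ($Hex -replace '0x', '') -replace '[^0-9a-fA-F]', ''
    if ($clean.Length -ne 32) { throw "Expected 16 bytes (32 hex digits), got '$Hex'" }
    $bytes = New-Object byte[] 16
    for ($i = 0; $i -lt 16; $i++) {
        $bytes[$i] = [Convert]::ToByte($clean.Substring($i * 2, 2), 16)
    }
    return (New-Object System.Guid -ArgumentList (,$bytes)).ToString()
}

function ConvertTo-HexGuid {
    param([Parameter(Mandatory=$true)][string]$GuidString)
    $bytes = ([System.Guid]$GuidString).ToByteArray()
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

function ConvertTo-LdapGuidFilter {
    param([Parameter(Mandatory=$true)][string]$GuidString)
    # LDAP filters take binary attribute values as backslash-escaped bytes
    $bytes = ([System.Guid]$GuidString).ToByteArray()
    return '(objectGUID=' + (($bytes | ForEach-Object { '\' + $_.ToString('x2') }) -join '') + ')'
}

# Constructed sample value in ADSIEDIT's octet-string display form
$hex  = '0x4b 0x1e 0x7a 0xd9 0x3c 0x22 0x8f 0x41 0x9a 0x0c 0x11 0x22 0x33 0x44 0x55 0x66'
$guid = ConvertFrom-HexGuid $hex
$guid
ConvertTo-HexGuid $guid
ConvertTo-LdapGuidFilter $guid
```

For the constructed sample, the octet string beginning 4b 1e 7a d9 becomes the string GUID d97a1e4b-223c-418f-9a0c-112233445566: the first four bytes are reversed into the first field, the next two pairs into the second and third fields, and the last eight bytes are kept in order. Round-tripping through ConvertTo-HexGuid returns the original byte order, which is what you need when searching by objectGUID with the filter function.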

Date Published: May 30, 2011 - 4:45 am
Group Policy replication changes
Before I start on the SYSVOL replication changes in Windows Server 2008, I would like to explain how GPOs are replicated in Windows Server 2003 and earlier versions.
Understanding SYSVOL/GPO replication
A GPO consists of two parts, the Group Policy Template (GPT) and the Group Policy Container (GPC). They are stored in two different places and replicated by two different technologies, but both must be up to date on a domain controller for the GPO to work properly.
Group Policy Templates are stored in SYSVOL, a folder structure under the SYSVOL share on every domain controller. When you create a new GPO, a GPT folder is created in SYSVOL for that policy containing its settings (registry.pol files, scripts, security templates and so on); the folder name is the Globally Unique Identifier (GUID) of the GPO. You can view all the GPT folders under the default path:
C:\Windows\SYSVOL\sysvol\<DomainName>\Policies
The GPT is replicated with the rest of SYSVOL by the File Replication Service (FRS). FRS uses state-based replication: as soon as a file under the SYSVOL folder structure changes, replication is triggered and the entire file is replicated.
Group Policy Containers are stored in Active Directory. Most GPO settings live in the GPT; the GPC holds only the reference information for the corresponding GPO, such as the GPT path, the GUID of the GPO, the version number, WMI filter information and the list of client-side extensions that have settings in the GPO. You can view the GPCs in Active Directory Users and Computers (ADUC) with Advanced Features enabled, under:
System\Policies
The GPC is replicated through Active Directory replication.
Because the two halves replicate independently, a DC can hold a current GPC and a stale GPT, or the other way round. Both carry a version number (the versionNumber attribute in the GPC and the Version= line in GPT.ini), which is what tools such as gpotool compare to detect the mismatch. As SYSVOL carries logon scripts and policy files, replication health is a security matter: a DC whose SYSVOL is behind serves different policy to whichever clients happen to use it.
Note: by default the Group Policy Management Editor (GPME) uses the PDC emulator so that all administrators work on the same domain controller; if you want a different domain controller you can change it through the Group Policy Management Console (GPMC).
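The GPC/GPT version comparison that gpotool performs can be done in a few lines. The following PowerShell function is an added example (not part of the original post) that, for every GPO, reads versionNumber from the GPC on a chosen DC and Version= from GPT.ini in that DC's SYSVOL share, and reports any GPO where the two halves disagree on that DC. It assumes read access to CN=Policies,CN=System and to \\<DC>\SYSVOL; the DC name is a placeholder.

```powershell
# Added example, not from the original post.
# Compares the AD (GPC) and SYSVOL (GPT) version numbers of each GPO on one DC.
function Compare-GpoVersions {
    param([Parameter(Mandatory=$true)][string]$Dc)
    $rootDse   = [ADSI]"LDAP://$Dc/RootDSE"
    $domainDn  = [string]$rootDse.defaultNamingContext
    $domainDns = ($domainDn -replace 'DC=', '') -replace ',', '.'
    $policies  = [ADSI]"LDAP://$Dc/CN=Policies,CN=System,$domainDn"

    foreach ($gpc in $policies.Children) {
        if ($gpc.SchemaClassName -ne 'groupPolicyContainer') { continue }
        $guid      = [string]$gpc.Properties['cn'].Value
        $adVersion = [int]$gpc.Properties['versionNumber'].Value

        # GPT.ini lives at the top of the GPO's SYSVOL folder
        $gptIni = "\\$Dc\SYSVOL\$domainDns\Policies\$guid\GPT.INI"
        $sysvolVersion = $null
        if (Test-Path $gptIni) {
            foreach ($line in Get-Content $gptIni) {
                if ($line -match '^Version=(\d+)') { $sysvolVersion = [int]$Matches[1]; break }
            }
        }

        New-Object PSObject -Property @{
            GPO             = [string]$gpc.Properties['displayName'].Value
            GUID            = $guid
            ADVersion       = $adVersion
            SysvolVersion   = $sysvolVersion
            # versionNumber packs the user version in the high 16 bits
            # and the computer version in the low 16 bits
            UserVersion     = [int][math]::Floor($adVersion / 65536)
            ComputerVersion = $adVersion % 65536
            InSync          = ($sysvolVersion -ne $null -and $sysvolVersion -eq $adVersion)
        }
    }
}

# Placeholder DC name; run against each DC in turn to find the one that is behind
Compare-GpoVersions -Dc 'DC01' | Where-Object { -not $_.InSync } | Format-Table GPO, GUID, ADVersion, SysvolVersion -AutoSize
```

A GPO that appears as out of sync on one DC but in sync on the PDC emulator is a SYSVOL replication delay or failure on that DC; one that is out of sync everywhere was edited by something that touched only one half, which is worth investigating.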
File Replication Service (FRS)
I will try to explain it step by step. Let's say you modify Policy A on Server001; here is how the change reaches Server002 (Server002 is a downstream replication partner of Server001):
• Once you modify Policy A on Server001, the corresponding GPT folder in SYSVOL is updated on Server001 (and the GPC in Active Directory on Server001 is updated as well).
• NTFS records the file and folder changes in the USN journal.
• FRS monitors the USN journal for changes under the SYSVOL folder.
• FRS writes the change to the inbound log on Server001. The inbound log holds not only local changes but also the change orders received from all upstream replication partners (inbound partners).
• FRS creates a staging file for the change in the staging folder on Server001, using the backup APIs.
• FRS records the change in the outbound log on Server001 and sends a change notification to all downstream replication partners (outbound partners).
• Server002 receives the change notification from Server001 and stores the change order in its inbound log, then copies the staging file from Server001 into its own staging folder. Server002 then updates its outbound log so that its own outbound partners can pick up the change.
• Using the restore APIs, Server002 reconstructs the file or folder in the preinstall folder, and FRS then renames it into the replica tree.
In the FRS replication process the entire changed file or folder is replicated from the source to the destination server.
What is the NTFS USN journal?
It logs all changes to an NTFS volume, including file creations, deletions and modifications. There is a separate journal on each NTFS volume and it has a size limit (128 MB by default on Windows Server 2003 SP2 and Windows Server 2008); if required you can increase the size up to 2 TB, and Microsoft recommends increasing it by 128 MB for every 100,000 files and folders.
What happens when the NTFS USN change journal fills up?
When the USN journal fills up, NTFS overwrites the oldest entries. In some scenarios the entries are discarded before FRS has processed them; this is called a journal wrap.
USN journal wrap error
An error that occurs when a large number of files change so quickly that the USN journal must remove the oldest changes (before FRS has a chance to detect them) to stay within the configured size limit. To resolve it you have to perform a non-authoritative restore of the replica set, also called a D2 restore after the BurFlags registry value used to trigger it.
Morphed folders
A replication conflict occurs if identically named directories are created on different servers. To resolve the conflict FRS creates a renamed folder, called a morphed folder.
Let's say two identical directories are created on different replication members. FRS detects the conflict during replication; the receiving member keeps the original copy of the folder and renames (morphs) the later inbound copy. The morphed folder name has the suffix "_NTFRS_xxxxxxxx", where "xxxxxxxx" is eight random hexadecimal digits.
Version vector join (vvjoin)
So far we have discussed SYSVOL replication between existing partners; how does it work for a newly added replication partner? A new member has none of the content and must build the folder structure from the beginning. This process is called vvjoin, in which a downstream partner joins with an upstream partner for the first time.
Vvjoin is a CPU-intensive operation that can affect the performance of the server and increases replication traffic.
Distributed File System Replication (DFSR)
Now we come to the point: how SYSVOL replicates using DFS Replication and how this improves replication performance. To use this feature the domain must be at the Windows Server 2008 domain functional level, which means all domain controllers must run Windows Server 2008 or later. A domain upgraded from Windows Server 2003 keeps using FRS for SYSVOL even after the functional level is raised; you have to migrate SYSVOL to DFSR with the dfsrmig tool. Only a domain created fresh at the Windows Server 2008 functional level uses DFSR from the start.
SYSVOL replication using DFS Replication is called DFSR-replicated SYSVOL.
DFSR is a multi-master replication engine: changes that occur on one replication member are replicated to all the other servers in the replication group.
DFSR also monitors the NTFS update sequence number (USN) journal to detect changes on the volume, and it replicates a change only after the file is closed.
Before sending or receiving a file, DFSR stages it in a staging folder.
Where FRS replicates the entire file for any change in the SYSVOL share, DFSR replicates only the changed blocks and not the entire file, much like attribute-level Active Directory replication. It compares the source and destination file using remote differential compression (RDC), which reduces the SYSVOL replication traffic.
Other improvements (differences between DFSR and FRS):
• Journal wraps: DFSR also monitors the NTFS change journal, but it recovers from a journal wrap by itself, so there is no journal wrap error to repair by hand.
• Morphed files and folders are handled automatically.
• FRS stops silently when the volume holding SYSVOL has less than 1 GB of free space.
• Only the changed portions of files and folders are copied, not the entire files and folders.
• Version vector tables are used to track changes and to resolve conflicts.
• Read-only replication is supported on particular members, where users cannot add or change files.
• The SYSVOL folder of an RODC is handled as such a read-only replica: changes replicate to the RODC but never from it.
• DFSR does not require the version vector join (vvjoin) operation.
My previous articles related to SYSVOL:
Understand the SYSVOL folder structure
How to force SYSVOL replication in AD

Date Published: May 26, 2011 - 3:47 am