Archives for September 2013

Using PowerShell and SIDs to change ACLs

Recently I needed to create lots of users and home directories. This gave me a challenge: how can I grant rights on a home folder within seconds of creating a user?

Suppose you create a user, then a folder, and then want to set the rights. If you go to the Properties > Security tab and search for the user, it takes a while before the domain controller has information about the new user.

So how do you create thousands of users without setting long delays to allow for Active Directory replication? You turn to SIDs. The SID is the Security Identifier of the account, and it's the SID that is saved in the ACL.

If you go into the Security tab now you should see the SID, unless you are already talking to the same DC that created the user.

So I got a comment from Francis Favorini that I could simplify the account creation and SID retrieval parts. So I implemented those parts too.
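The approach described above, as an added example that is not the author's original script: the SID is taken from the object returned at creation time and written into the folder ACL directly, so no name lookup is needed. It assumes the ActiveDirectory module is available; `$HomeRoot`, `$OU` and the user names are hypothetical placeholders, and granting Modify rather than Full Control is a choice made for this example.

```powershell
# Added example, not the original post's code. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$HomeRoot = 'D:\Home'                         # hypothetical path on the file server
$OU       = 'OU=Staff,DC=example,DC=local'    # hypothetical target OU
$Users    = 'jdoe', 'asmith'                  # constructed sample accounts
$Password = Read-Host 'Initial password' -AsSecureString

foreach ($name in $Users) {
    # -PassThru returns the new account, SID included, from the DC that created it,
    # so nothing has to be looked up on a DC that has not replicated yet.
    $user = New-ADUser -Name $name -SamAccountName $name -Path $OU `
                -AccountPassword $Password -Enabled $true -PassThru
    $sid  = [System.Security.Principal.SecurityIdentifier]$user.SID

    $dir = Join-Path $HomeRoot $name
    New-Item -ItemType Directory -Path $dir -ErrorAction Stop | Out-Null

    # Build the ACE from the SID object. No account name is translated here,
    # which is the step that fails while replication is still pending.
    # Modify (example choice) lets the user manage files but not change permissions.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

    $acl = Get-Acl -Path $dir
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dir -AclObject $acl

    # Check: read the explicit (non-inherited) ACEs back as SIDs and confirm ours is there.
    $aces = (Get-Acl -Path $dir).GetAccessRules($true, $false,
                [System.Security.Principal.SecurityIdentifier])
    if (-not ($aces | Where-Object { $_.IdentityReference.Value -eq $sid.Value })) {
        Write-Warning "No explicit ACE for $($sid.Value) on $dir"
    }
}
```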

Easy handling before removing DNS

Prior to changing the IP or demoting a DNS server, it is best to repoint all clients pointing to this DNS server to another DNS server. To assist in this I have written the following script. It requires the DNS service to have debug logging enabled. By running the script and pointing it to the debug file, you will get an easy-to-handle array. Unless you specify a filename for the debug log, it will be in the file %SystemRoot%\system32\dns\dns.log.

Download the script from the Microsoft social scripting archive.


Getting an error while removing a DFS namespace server

I have seen a few get the following error while trying to remove obsolete DFS namespace servers. Usually the server has been removed permanently before removing the server from the DFS namespace. More than once have I seen people being a bit too smart for their own good, by removing the namespace server using ADSIedit.

How to get:

  • Permanently remove a namespace server
  • Use ADSIedit to cover up the mistake by removing the namespace server in the DFS configuration
  • Get baffled by it still being in the DFS Management console
  • Try to remove the server the correct way

Result:

What to do:

Re-add the namespace server to the DFS configuration using ADSIedit.

Then remove the obsolete DFS root server the correct way, using the correct command:

Remove an obsolete namespace server on a Windows 2000 Server
Remove an obsolete namespace server on a Windows 2003 Server
Remove an obsolete namespace server on a Windows 2008 and newer Server

Remove an obsolete DFS nameserver Windows 2008 and newer

A simple explanation of how to remove an obsolete DFS namespace server from a Windows 2008/2008 R2 Server. Since Microsoft removed the Support Tools with Windows 2008 and replaced them with RSAT, there is no need to install any tools anymore. Just a command and happiness.

Getting an error about:

See my blog entry about errors removing DFS namespace server

Remove an obsolete DFS nameserver Windows 2003

A simple explanation of how to remove an obsolete DFS namespace server from a Windows 2003 Server:

  • Download & Install Windows Support Tools for Windows 2003

Getting an error about:

See my blog entry about errors removing DFS namespace server

Remove an obsolete DFS nameserver Windows 2000

A simple explanation of how to remove an obsolete DFS namespace server from a Windows 2000 Server:

  • Download & Install Windows Support Tools for Windows 2000

Getting an error about:

See my blog entry about errors removing DFS namespace server

DFS Consolidation root

Why a DFS Consolidation root?

DFS Consolidation roots are a way of getting rid of old servers while keeping the name functionality of the old servers.

Consider the company Acme Computing. They are an old company with lots of old file servers all over the place. New IT management has decided that all shared data should be available on the same file server. So this is kind of easy, let's just copy all the data to the new server, but wait: there are old systems that have hardcoded paths to the old server name, and this would break them. Some people might suggest just inheriting the share names and adding the old names as alternative names of the server. This might work for smaller companies, but all you have done is complicate the file server even more. If we look at DFS, we can use a DFS consolidation root to trick the systems into believing that the old paths are still alive. You can't configure a domain-based DFS namespace as a Consolidation root, only standalone roots.

What happens (simplified)?


Setting up a DFS Consolidation root

This is a simple explanation of how to set up a DFS Consolidation Root.

Microsoft has released a KB article with most of the same suggestions; I do however have some slight changes which I think are better. This is for the non-clustered server.

Fast paced instructions:

  • First of all, install a new Windows server
  • Install DFS namespace without configuring any namespace
  • Set the registry Server Consolidation Retry value to 1
  • Set up the new namespace called #oldserver
  • Add the server name oldserver as an alternative computer name
  • Make sure the DNS contains entries for oldserver (ipconfig /registerdns)
  • Reboot to get a new Kerberos ticket

To make it easy to test on Windows 2012, here is a PowerShell script:

Now just try it from another machine.

\\oldserver\sysvol shows you the domain sysvol. My domain is called file.local, so just change the domain when adding the alternative name and folder targets.

Default DFS configuration changes

The DFS service is used in ALL Active Directory domains, even if you don't really configure one yourself. The DFS service has some fixes that I always try to implement to get a smoother experience for both the end users and the IT support crew. I have documented a couple of DFS registry configuration entries in this blog.

Below are a few default configuration changes I usually do. These are mostly recommendations from Microsoft.

DFS Server registry configuration values

With a DFS server there are several configuration settings which need to be made in the registry. This blog entry is planned to be updated when I discover the use or values.