Mirroring
Had a need to mirror a database the other day… As it's been a while since I have had to do this, it took entirely too long. After playing with it for a couple of days, here are the steps we used to make it work.
Make a full backup of the database.
Windows Update service fails to start
This is an easy one, but I have seen a lot of posts about it, and this last week I needed to fix a broken Windows Update agent myself as SCCM was no longer working due to the service hanging.
Windows update does not start. (Fails to start or never gets past “starting”)
You may see a DCOM error 10010 for CLSID {e60687f7-01a1-40aa-86ac-db1cbf673334}
Remote Help not connecting
Remote Help not connecting DCOM error
When using Microsoft Remote Help to connect to a computer you get the following window almost immediately.
Delegating permissions to run Dfsrdiag
Where I work, we have regional IT support personnel to provide “touch labor”. They also run their own file share server that has DFSR set up back to the corporate headquarters. While troubleshooting an issue with one of the local IT support techs, I was having her run some DFSRDIAG commands but she was getting an error.
Looking up this error, you will find that this is a permissions issue. To set the permissions needed to run the DFS queries follow the directions below.
JAVA 1330 Error and Fix
JAVA 1330 Error invalid Digital signature
You try to install any version of JAVA on VISTA and you receive:
Error 1330. A File that is required cannot be installed because the cabinet file <path to file> has an invalid digital signature. This may indicate that the cabinet file is corrupt.
Repair KMS errors: 0xc004e002 and 0xc004f012
When trying to activate Windows using a KMS server you may see the following error.
- It looks like the Licensing Store might have gotten corrupted. Try the steps below to recreate the Store.
Open an Administrator Command Prompt (CMD.exe)
Stop the Software Licensing Service by running: net stop slsvc
Change directories to c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareLicensing
Rename tokens.dat to something else (I use tokens.bak)
Restart the Software Licensing Service by running: net start slsvc
Re-install system license files by running: cscript c:\windows\system32\slmgr.vbs -rilc
This will take some time to complete, so be patient
Restart your computer twice
You may be required to enter the Product Key and/or Activate
SuperG
Mass PowerShell AD update from CSV file
Make mass changes to AD using PowerShell and a CSV file
You can update almost anything in AD using PowerShell. Here I will show how to update the company field of a user object.
First look at this page for information if your PowerShell script does not work with the following error:
“.ps1 cannot be loaded because the execution of scripts is disabled on this system.”
Password Required for Local Accounts
Set password required and password expires for all local user accounts
So I have a requirement to ensure all local accounts require a password and that the password can expire.
Below is a VB script that I run as a startup script from a Machine GPO. Later we will include this into our imaging process and remove the GPO. (Our imaging is done by SCCM so we will just add this as a task at the end)
I ended up doing this in 2 steps
The first part runs through all the local accounts and runs “net user User.Name /passwordreq:yes”
The second part looks to see if the password does not expire flag is set or not. If it is set to not expire, then it gets changed to allow expiry.
ADWS and TMG Listener
Certificate Errors ADWS and TMG
Ran into a problem when trying to set up a Web Listener on TMG.
Exported the SSL Certificate from the IIS server (with private key)
Imported the SSL Certificate to the TMG server
Created the Web Listener
When choosing the SSL Certificate to use for the Web Listener I would get:
Incorrect key type for the Private Key
This is NOT a Cryptography Next Generation (CNG) certificate because TMG (and ISA) don’t support CNG (V3 Certificates). So that is not the problem.
After digging around and looking at manual certificate requests, I noticed that the KeySpec was not set the same.
It seems that by default KeySpec is set to 2 when doing a manual certificate request on Windows 2008R2.
The trouble is caused by the KeySpec=2 (Signature)
This should be changed to KeySpec=1 (Exchange)
On a similar note, the above “Default” seems to also be a problem when doing custom Certificate request for Domain Controllers that are running the Active Directory Web Services.
In the Event Viewer you see:
Active Directory Web Services could not initialize its endpoints. A networking error could have occurred
Event ID: 1002
Source: ADWS
And you may see:
An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
Event ID: 36874
Source: Schannel
Computer: {This will be the Domain Controller}
So looking at this, ADWS is failing because the server cannot make an SSL connection with itself.
If you set KeySpec=1 for the DC certificate, or install a separate SSL certificate with KeySpec set to 1, ADWS will start to work and the two events above will no longer be generated.
Taken from an old Certificate request text file:
SuperG
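To find certificates affected by the KeySpec problem described in the ADWS and TMG post above, the machine store can be checked directly. This is an added example, not code from the original post; `Get-ServerCertKeySpec` is a hypothetical helper name, and it assumes legacy CryptoAPI (non-CNG) keys in the LocalMachine\My store and an elevated PowerShell session.

```powershell
# Added example: report the KeySpec of every Server Authentication certificate
# in the machine store. Get-ServerCertKeySpec is a hypothetical helper name.
function Get-ServerCertKeySpec {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_

        # Collect the EKU OIDs on this certificate (empty if there is no EKU extension).
        $ekus = @($cert.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        if ($ekus -notcontains $serverAuthOid) { return }   # skip non-SSL certificates

        # KeyNumber is the CryptoAPI KeySpec: Exchange = 1, Signature = 2.
        # Reading it fails for CNG keys or when the key is not accessible.
        $keySpec = $null
        try { $keySpec = $cert.PrivateKey.CspKeyContainerInfo.KeyNumber } catch { }

        $status = switch ("$keySpec") {
            'Exchange'  { 'KeySpec=1 (Exchange)' }
            'Signature' { 'KeySpec=2 (Signature)' }
            default     { 'Key not readable through CryptoAPI' }
        }

        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Status     = $status
        }
    }
}

Get-ServerCertKeySpec | Format-Table Subject, NotAfter, Status, Thumbprint -AutoSize
```

Any certificate reported as KeySpec=2 (Signature) is a candidate for the TMG and ADWS failures described above.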
Deleted AD Objects
When an object is deleted in AD (2008R2 with Recycle Bin installed), that object is marked as being deleted and moved to a special OU.
You can find this object using Active Directory for Windows PowerShell.
Get-ADObject -Filter 'samaccountname -eq "<Account name>"' -IncludeDeletedObjects
Example:
Get-ADObject -Filter 'samaccountname -eq "ThompsonDA"' -IncludeDeletedObjects
Deleted : True
DistinguishedName : CN=Thompson Donald (Test)\0ADEL:64588b0d-a45c-4845-ae92-deb3e5930206,CN=Deleted Objects,DC=<Domain>,DC=com
Name : Thompson Donald (Test) DEL:64588b0d-a45c-4845-ae92-deb3e5930206
ObjectClass : user
ObjectGUID : 64588b0d-a45c-4845-ae92-deb3e5930206
This shows that the object was deleted, but not a lot more. So to get more information on the object we can look at the replication information.
Then by looking at the isDeleted attribute, we can use the date time stamp to see when the object was deleted and the Originating DSA to see what DC the object was deleted on.
repadmin /showmeta "<GUID=GUID OF OBJECT>" <Domain Controller>
Example:
repadmin /showmeta "<GUID=64588b0d-a45c-4845-ae92-deb3e5930206>" DC1
35 entries.
Loc.USN Originating DSA Org.USN Org.Time/Date Ver Attribute
======= =============== ========= ============= === =========
12944950 Default-First-Site-Name\DC1 12944950 2011-05-13 09:01:58 1 isDeleted
By looking at Ver you can tell how many times this attribute has been changed. In this case, once, when the object was deleted.
If you undelete this, it will change to 2.
Now that you have a date and time, you can look up who made the change. Look at the events on the DC that recorded the change, in this case DC1.
By looking in the event logs on the Originating DSA we can see the events about this object.
This is assuming that you have auditing enabled.
To audit changes to AD, you need to set “directory service changes” to enabled (you should do this on all the DCs).
Example:
auditpol /set /subcategory:"directory service changes" /success:enable
Look in the security events for the Event ID you are looking for, around the time when the event happened.
In this case we are looking for event ID 4726 (User Delete) around 2011-05-13 09:01:58.
So filter the security events for these parameters.
Look at the log and you can see what account deleted the object.
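The event log filtering step can be scripted instead of done by hand in Event Viewer. This is an added example, not part of the original post; `Find-UserDeletion` is a hypothetical helper name, and the DC name, timestamp and account in the sample call are the ones from the example above.

```powershell
# Added example: find who deleted a user by searching the Security log on the
# Originating DSA for event 4726 around the isDeleted timestamp from repadmin.
# Find-UserDeletion is a hypothetical helper name.
# Note: 4726 is written when "User Account Management" auditing is enabled.
function Find-UserDeletion {
    param(
        [Parameter(Mandatory = $true)][string]$DomainController,  # Originating DSA
        [Parameter(Mandatory = $true)][datetime]$DeletedAt,       # Org.Time/Date of isDeleted
        [string]$SamAccountName,                                  # optional: one account only
        [int]$WindowMinutes = 5                                   # search window on each side
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4726
        StartTime = $DeletedAt.AddMinutes(-$WindowMinutes)
        EndTime   = $DeletedAt.AddMinutes($WindowMinutes)
    }

    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter |
        ForEach-Object {
            # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            New-Object PSObject -Property @{
                TimeCreated = $_.TimeCreated
                DeletedUser = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                DeletedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                LogonId     = $data['SubjectLogonId']
            }
        } |
        Where-Object { -not $SamAccountName -or $_.DeletedUser -like "*\$SamAccountName" }
}

# Values taken from the repadmin output above.
Find-UserDeletion -DomainController DC1 -DeletedAt '2011-05-13 09:01:58' -SamAccountName ThompsonDA
```

The `LogonId` value can be matched against logon event 4624 on the same DC to see where the deleting account signed in from.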