Showing posts with label Active directory. Show all posts

Tuesday, August 9, 2011

Escape from Expensive Licensing: RemoteApp

Nowadays the per-user license cost of some applications is very high. That cost cannot be avoided altogether, but it can be reduced to an extent by publishing the application through RemoteApp. RemoteApp is not the first technology to offer this; the same has long been possible with Citrix.

For example, a common internal application that is licensed per user can be published once as a RemoteApp and then used by any number of users.

High-end applications tend to close this loophole: their license terms cover virtualized and terminal-session use, and some block publishing through a terminal session altogether, so read the license before relying on this. As long as the license allows it and the application works smoothly in RemoteApp, there is no harm in using it, and it can save your organization serious money.

Thanks

Logan

Directory Partitions in Active Directory:

We will discuss the directory partitions in Active Directory and the purpose each serves in a Windows domain environment. The Active Directory database is logically separated into four kinds of directory partitions (also called naming contexts):
Schema partition
Configuration partition
Domain partition
Application partition
Each partition is a unit of replication, and each partition has its own replication topology. Replication occurs between replicas of the same directory partition. At least two directory partitions are common to all domain controllers in a forest: the schema and configuration partitions. Domain controllers in the same domain additionally share a common domain partition.
Schema Partition
1. Only one schema partition exists per forest.
2. The schema partition is stored on all domain controllers in the forest.
3. It contains the definitions of all object classes and attributes that can be created in the directory, and the rules for creating and manipulating them.
4. Schema information is replicated to all domain controllers in the forest. Schema changes can only be written on the domain controller holding the schema master role.
Configuration Partition
1. There is only one configuration partition per forest.
2. It is stored on all domain controllers in the forest.
3. It contains the forest-wide Active Directory structure: which domains and sites exist, which domain controllers exist in the forest, and which services are available.
4. Configuration information is replicated to all domain controllers in the forest.
Domain Partition
1. Many domain partitions can exist per forest, one for each domain.
2. A domain partition is stored on each domain controller of that domain.
3. It contains the domain's users, groups, computers and organizational units.
4. It is replicated to all domain controllers of that domain. In addition, every object from every domain partition in the forest is stored in the global catalog, with only a subset of its attribute values.
Application Partition
1. Application partitions store application-specific data in Active Directory.
2. Each application determines how it stores, categorizes and uses its data. To avoid unnecessary replication, you designate which domain controllers in the forest host a given application partition. Unlike a domain partition, an application partition cannot store security principal objects such as user accounts, and its data is not stored in the global catalog.
As an example, if you use DNS integrated with Active Directory you have two application partitions for DNS zones, ForestDNSZones and DomainDNSZones:
ForestDNSZones is forest-wide. Every domain controller in the forest that runs the DNS Server service receives a replica of this partition; it stores the zones with forest-wide replication scope (by default the _msdcs zone of the forest root).
DomainDNSZones is unique to each domain. Every domain controller in that domain that runs the DNS Server service receives a replica of this partition; it stores the zones with domain-wide replication scope.
Each domain has its own DomainDNSZones partition, but there is only one ForestDNSZones partition per forest. Because these are application partitions, none of the DNS data is replicated to the global catalog.
The following NTDSUTIL commands manage application partitions. They are entered in the domain management context (named partition management on Windows Server 2008 and later) after connecting to a domain controller through the connections sub-menu. Where the server name is given as null, the command runs against the currently connected server.

Creating and deleting application directory partitions:
create nc dc=application,dc=example,dc=com server.example.com
or
create nc dc=application,dc=example,dc=com null
delete nc dc=application,dc=example,dc=com

Creating and deleting replicas:
add nc replica dc=application,dc=example,dc=com server2.example.com
or
add nc replica dc=application,dc=example,dc=com null
remove nc replica dc=application,dc=example,dc=com server2.example.com
or
remove nc replica dc=application,dc=example,dc=com null

Defining the replication notification delay (the two numbers are the delay in seconds before the first replication partner is notified of a change and between notifications to subsequent partners):
set nc replicate notification delay dc=application,dc=example,dc=com 10 15

Displaying replica information:
list nc replicas dc=application,dc=example,dc=com
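The same information, and the full list of partitions in the forest, can be read from the crossRef objects under CN=Partitions in the configuration partition. The script below is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module (RSAT) and a reachable domain controller, and it classifies each partition the way the list above does so that an application partition replicating to a domain controller you did not designate stands out.

```powershell
# Added example (not from the original post): enumerate the directory partitions of a forest
# and, for each application partition, the domain controllers designated to hold a replica.
# Assumes the ActiveDirectory module (RSAT) and a reachable domain controller.
Import-Module ActiveDirectory

function Get-DirectoryPartition {
    $rootDse = Get-ADRootDSE
    # Every crossRef object under CN=Partitions describes one naming context (partition).
    $crossRefs = Get-ADObject -SearchBase "CN=Partitions,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=crossRef)' `
        -Properties nCName, dnsRoot, systemFlags, 'msDS-NC-Replica-Locations'

    foreach ($cr in $crossRefs) {
        # systemFlags bit 0x1 (FLAG_CR_NTDS_NC) marks a partition held by this forest's DCs;
        # crossRefs without it are external referrals and are skipped.
        if (($cr.systemFlags -band 0x1) -eq 0) { continue }

        # Classify: schema and configuration are recognised by DN, domain crossRefs carry
        # FLAG_CR_NTDS_DOMAIN (0x2), and everything else is an application partition.
        $nc = $cr.nCName
        $kind = if ($nc -eq $rootDse.schemaNamingContext) { 'Schema' }
                elseif ($nc -eq $rootDse.configurationNamingContext) { 'Configuration' }
                elseif (($cr.systemFlags -band 0x2) -ne 0) { 'Domain' }
                else { 'Application' }

        [pscustomobject]@{
            Partition = $nc
            Kind      = $kind
            DnsRoot   = $cr.dnsRoot
            # Application partitions only: NTDS Settings DNs of the DCs that hold a replica.
            # Empty for schema/configuration (every DC) and domain (every DC of that domain).
            Replicas  = @($cr.'msDS-NC-Replica-Locations')
        }
    }
}

Get-DirectoryPartition | Sort-Object Kind, Partition | Format-Table -AutoSize -Wrap
```

The Replicas column is the same list that `list nc replicas` prints; comparing it against the DNS servers you expect to hold ForestDNSZones and DomainDNSZones is a quick way to spot a partition that has been added to a domain controller by hand.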

Thanks
Logan



Sunday, December 27, 2009

Script for Event log backup and clearing:

The script below backs up the Security event log to a file and then clears it.

###########################################################################################
' Backs up the Security event log to C:\eventlog\Security-<date>_<time>.evt and clears it
' only when the backup succeeded. Requires the Backup and Security privileges (run as an
' administrator); the folder C:\eventlog must already exist.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup,Security)}!\\" _
    & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
For Each objLogfile in colLogFiles
    ' yyyy-mm-dd_hh-mm stamp: files sort by date and two runs on one day do not collide
    strStamp = Year(Now) & "-" & Right("0" & Month(Now), 2) & "-" & Right("0" & Day(Now), 2) _
        & "_" & Right("0" & Hour(Now), 2) & "-" & Right("0" & Minute(Now), 2)
    OutputFile = "c:\eventlog\Security-" & strStamp & ".evt"
    errBackupLog = objLogFile.BackupEventLog(OutputFile)
    ' Only 0 is success. 183 (ERROR_ALREADY_EXISTS) means the file was already there and
    ' BackupEventLog wrote nothing, so clearing the log then would lose its events.
    If errBackupLog = 0 Then
        objLogFile.ClearEventLog()
    Else
        Wscript.Echo "The Security event log could not be backed up (error " _
            & errBackupLog & "); the log was not cleared."
    End If
Next
###########################################################################################

In the above, change LogFileName to back up a different log, and change the path to where the .evt file should be stored. The log is cleared only after a successful backup; return code 183 (ERROR_ALREADY_EXISTS) means a file of that name already existed and nothing was written, so it is not treated as success. Note that clearing the Security log is itself audited (event ID 517 on Windows 2000/XP/2003, 1102 on Vista/2008 and later), so the clear is visible to anyone reviewing the logs afterwards.
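The same routine in PowerShell for Windows Vista/2008 and later, as an added example that is not part of the original post. It uses wevtutil, which can back up and clear in a single operation, and verifies the archive before reporting success. It assumes an elevated prompt and the same C:\eventlog archive folder.

```powershell
# Added example (not from the original post): back up and clear an event log with verification.
# Assumes an elevated prompt on Windows Vista/Server 2008 or later (wevtutil.exe, .evtx format).
function Backup-AndClearLog {
    param(
        [string]$LogName    = 'Security',
        [string]$ArchiveDir = 'C:\eventlog'
    )
    if (-not (Test-Path -LiteralPath $ArchiveDir)) {
        New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
    }
    $stamp  = Get-Date -Format 'yyyy-MM-dd_HH-mm-ss'
    $target = Join-Path $ArchiveDir "$LogName-$stamp.evtx"
    if (Test-Path -LiteralPath $target) {
        throw "Archive $target already exists; refusing to overwrite it or clear the log."
    }

    # Newest record id in the live log before we start, used to verify the archive afterwards.
    # Throws on an empty log, which leaves the log untouched (there is nothing to archive).
    $newestBefore = (Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction Stop).RecordId

    # 'wevtutil cl /bu:' writes the backup and clears the log as one operation, so records
    # logged between a separate export and a later clear are not lost, and it fails (leaving
    # the log intact) if the backup file cannot be written.
    & wevtutil.exe cl $LogName "/bu:$target"
    if ($LASTEXITCODE -ne 0) {
        throw "wevtutil cl failed with exit code $LASTEXITCODE; $LogName was not cleared."
    }

    # Verify the archive opens and reaches at least the last record the live log had.
    $newestArchived = (Get-WinEvent -Path $target -MaxEvents 1 -ErrorAction Stop).RecordId
    if ($newestArchived -lt $newestBefore) {
        throw "Archive $target stops at record $newestArchived but the log had reached $newestBefore."
    }
    [pscustomobject]@{ Log = $LogName; Archive = $target; NewestRecordId = $newestArchived }
}

Backup-AndClearLog -LogName 'Security'
```

The clear itself is recorded as event ID 1102 in the freshly cleared Security log, so the archive chain stays auditable: each archive ends where the previous clear was logged.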

Thanks

Logan

971552596187 | logu_microsoft@hotmail.com

Monday, August 17, 2009

Logon Event 528 Log:

This article explains how to find user logon details in the Security event log and how to interpret them. On servers it is always wise to audit logon and logoff events. A search for event ID 528 (successful logon) in the Security log of Windows 2000, XP or Server 2003 returns entries with the fields listed below. On Windows Vista, Server 2008 and later the equivalent event is ID 4624, which uses the same logon type values.

  • user name
  • domain
  • logon id
  • logon type
  • logon process
  • authentication package
  • workstation name


In particular, the logon type is the field that deserves attention. Its values are:

Type 2, Interactive: the user logged on at the computer's console.

Type 3, Network: the user logged on to the computer over the network (for example through a drive mapping). Note: on Windows 2000 and later, event ID 528 does not log this logon type; network logons are logged as event ID 540 with logon type 3.

Type 4, Batch: batch logon (commonly logged when a COM+ server component starts up).

Type 5, Service: service logon (used by user accounts configured as the account for a service).

Type 7, Unlock: the workstation was unlocked.

Type 8, NetworkCleartext: network logon with a clear-text password. By default Windows does not allow clear-text password logons unless you explicitly enable them. (However, all versions of Microsoft IIS use clear-text passwords for Basic authentication, so this type is normal on web servers that use it.)

Type 9, NewCredentials: the user used alternative credentials to connect to a resource on the network, or used the RunAs command (with /netonly) to start a program under a different user account.

Type 10, RemoteInteractive: the user logged on to the computer remotely using Terminal Services or Remote Desktop.

Type 11, CachedInteractive: a domain user logged on with cached credentials. Usually logged when a traveling user logs on to a notebook with his or her domain account while no domain controller (DC) is available. Note that event ID 537, not event ID 528, logs this event.

Using the above, you can identify exactly how each user logged on, from which workstation, and with which authentication package.
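Reading these fields by hand from the event viewer does not scale, so here is an added example, not part of the original post, that collects successful logons and summarises them by logon type. It assumes an elevated prompt; on Vista/2008 and later it reads event 4624 and takes the fields by name from the event XML, while on 2000/XP/2003 it reads event 528 and takes the insertion strings in the order the post lists them.

```powershell
# Added example (not from the original post): pull successful logons from the Security log and
# summarise them by logon type, account and source. Assumes an elevated prompt.
$LogonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-SuccessfulLogon {
    param([int]$MaxEvents = 500)
    $isLegacy = [Environment]::OSVersion.Version.Major -lt 6   # 5.x = Windows 2000/XP/2003

    if ($isLegacy) {
        Get-EventLog -LogName Security -InstanceId 528 -Newest $MaxEvents | ForEach-Object {
            $s = $_.ReplacementStrings
            # Insertion string order for 528: user name, domain, logon id, logon type,
            # logon process, authentication package, workstation name (as listed above).
            [pscustomobject]@{
                Time        = $_.TimeGenerated
                User        = "$($s[1])\$($s[0])"
                LogonType   = [int]$s[3]
                TypeName    = $LogonTypes[[int]$s[3]]
                AuthPackage = $s[5]
                Workstation = $s[6]
                SourceIp    = $null   # event 528 does not record a source address
            }
        }
    } else {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # 4624 carries named EventData fields; read them from the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType   = [int]$d.LogonType
                TypeName    = $LogonTypes[[int]$d.LogonType]
                AuthPackage = $d.AuthenticationPackageName
                Workstation = $d.WorkstationName
                SourceIp    = $d.IpAddress
            }
        }
    }
}

$logons = Get-SuccessfulLogon -MaxEvents 1000

# How often each logon type occurs: a sudden rise in type 10 (RDP) or type 8 (clear-text
# password) on a server that normally sees neither is worth a closer look.
$logons | Group-Object TypeName | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Console, unlock and RDP logons by account and source, excluding computer accounts ($ suffix).
$logons | Where-Object { (2, 7, 10) -contains $_.LogonType -and $_.User -notlike '*$' } |
    Sort-Object Time -Descending |
    Format-Table Time, User, TypeName, AuthPackage, Workstation, SourceIp -AutoSize
```

The second report is the one to keep an eye on: an interactive logon type with an authentication package of NTLM rather than Kerberos, or a workstation name you do not recognise, is exactly the kind of entry this audit is meant to surface.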

Hope the above is useful.

Thanks

Logan

Logu_microsoft@hotmail.com | 971552596187

Monday, August 10, 2009

Expansion server in exchange server 2003

This article explains the function and role of the expansion server in Exchange Server 2003.
1. The expansion server handles messages that are sent to a distribution group, that is to the set of users listed in that group.
2. It is responsible for expanding the group into its individual members and for resolving the recipients' names.
3. Importantly, it determines the most efficient path for routing the expanded messages.
4. To see or set the expansion server for a distribution group: right-click the group > Properties > Exchange Advanced > Expansion server, and pick from the drop-down list.
5. In detail:
a. When a user selects a group from the GAL in Outlook, Outlook obtains the GAL through an NSPI (Name Service Provider Interface) request sent to a global catalog server.
b. Once name resolution succeeds, Outlook shows the recipient name as resolved (underlined).
c. When the user sends, Outlook uses MAPI to submit the message to the user's home Exchange server.
d. The Exchange server sees that the recipient is a group and sends an LDAP query to the global catalog for the member list together with the members' e-mail attributes.
6. By default any server in the Exchange organization can act as the expansion server. This default is recommended because it avoids a single point of failure: if a particular server is assigned as the expansion server for a group and that server is unavailable, messages to that group fail until it comes back.
Hope the above is informative.
Thanks
Logan
Logu_microsoft@hotmail.com
971-552596187

Sunday, February 22, 2009

PFDAVAdmin Tool - Exchange

PFDAVAdmin is one of the more useful tools in an Exchange environment. The name stands for Public Folder Distributed Authoring and Versioning (DAV)-based Administration tool. Its main features are:

1. Propagating public folder permissions. It can propagate Access Control Entry (ACE) additions, removals and modifications down a folder tree without overwriting the existing Access Control Lists (ACLs).
2. Repairing damaged Discretionary Access Control Lists (DACLs). A bad DACL is usually caused by permissions set incorrectly from Explorer or from another tool.
3. Importing or exporting permissions for either mailboxes or public folders. This is handy for carrying a complex set of permissions from one place to another.
4. Setting Calendar folder permissions in bulk.

Thanks
Logan

91-98414-99143

Garbage Collection and Tombstone object in AD

1. Garbage collection is a housekeeping process designed to free space within the Active Directory database.

2. In Windows 2000 and the original release of Windows Server 2003, this process runs on every domain controller in the enterprise independently, with a default interval of 12 hours.

3. You can change this interval by modifying the garbageCollPeriod attribute (a value in minutes) of the CN=Directory Service,CN=Windows NT,CN=Services object in the configuration partition, using ADSIEdit.msc or ldp.exe. Because that object lives in the configuration partition, the setting is forest-wide.

4. The Active Directory garbage-collection process performs two vital functions. First, it cleans up deleted objects. When you delete an object in AD, the system does not remove it immediately, because a replication partner that had not yet heard of the deletion would recreate it. Instead, the system turns the object into a tombstone with a finite lifetime to mark it as deleted. The tombstone replicates to all domain controllers (DCs), and after it expires, garbage collection removes it from the database.

5. Second, the garbage-collection process performs online defragmentation of the AD database.

6. The default tombstone lifetime is 60 days for forests created on Windows 2000 or Windows Server 2003 without SP1, and 180 days for forests created on Windows Server 2003 SP1 or later; upgrading the domain controllers of an existing forest does not change its value. The value is held in the tombstoneLifetime attribute of the same Directory Service object, and when the attribute is not set the 60-day default applies. The tombstone lifetime also bounds how long a domain controller or a system state backup can be out of touch and still be safely reused: a DC that has been offline for longer than the tombstone lifetime, or a backup older than that, must not be reconnected or restored, because deletions it never received have already been garbage-collected everywhere else and the deleted objects would come back as lingering objects.
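Both values, and the dates they imply, can be read from the Directory Service object. The script below is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module and a reachable domain controller, and it also counts the tombstones currently waiting for collection.

```powershell
# Added example (not from the original post): read the forest's tombstone lifetime and garbage
# collection interval, derive the oldest backup that is still safe to restore, and count the
# tombstones awaiting collection. Assumes the ActiveDirectory module and a reachable DC.
Import-Module ActiveDirectory

function Get-TombstoneSettings {
    $rootDse  = Get-ADRootDSE
    $dsObject = Get-ADObject -Identity ("CN=Directory Service,CN=Windows NT,CN=Services," +
        $rootDse.configurationNamingContext) -Properties tombstoneLifetime, garbageCollPeriod

    # An unset tombstoneLifetime means the forest was created before 2003 SP1: 60 days apply.
    $tslDays = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
    # garbageCollPeriod is in minutes; unset means the 720-minute (12-hour) default.
    $gcMinutes = if ($dsObject.garbageCollPeriod) { [int]$dsObject.garbageCollPeriod } else { 720 }

    # Deleted objects of this domain that are still held as tombstones (isDeleted stays TRUE
    # until garbage collection removes them; with the Recycle Bin enabled the same flag also
    # covers recoverable objects).
    $tombstones = @(Get-ADObject -SearchBase $rootDse.defaultNamingContext -IncludeDeletedObjects `
        -LDAPFilter '(isDeleted=TRUE)' -Properties whenChanged)
    $oldest = $tombstones | Sort-Object whenChanged | Select-Object -First 1

    [pscustomobject]@{
        TombstoneLifetimeDays    = $tslDays
        UsingDefaultLifetime     = -not [bool]$dsObject.tombstoneLifetime
        GarbageCollectionHours   = $gcMinutes / 60
        # A system state backup or an offline DC older than this must not be brought back.
        OldestUsableBackup       = (Get-Date).AddDays(-$tslDays)
        PendingTombstones        = $tombstones.Count
        OldestTombstoneChanged   = if ($oldest) { $oldest.whenChanged } else { $null }
    }
}

Get-TombstoneSettings | Format-List
```

If OldestUsableBackup is more recent than your newest verified system state backup, the forest has no restorable backup at all, which is worth knowing before a disaster rather than after.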

Thanks

Logan
91-98414-99143

Tuesday, November 25, 2008

System Mailbox in exchange server 2003:

This article describes the built-in system mailboxes present in every mailbox store. Every private information store (mailbox store) in Exchange Server 2003 has three system mailboxes by default.

The three system mailboxes are:

•SystemMailbox{GUID}
•System Attendant Mailbox
•SMTP Mailbox

SystemMailbox{GUID}:

•Each SystemMailbox has two parts: the mailbox itself, with its content in the corresponding information store, and an associated directory object in the Microsoft Exchange System Objects (MESO) container in AD.
•The GUID in the name is the objectGUID of the mailbox store with which the system mailbox is associated.
•Whenever the store is mounted, it checks that its SystemMailbox{GUID} exists, and if not it looks for the matching object in the MESO container.
•Each mailbox database (MDB) has its own GUID and therefore its own SystemMailbox{GUID}.
•If the SystemMailbox{GUID} is faulty, there is a very good chance that EXOLEDB event sinks will not function.
•It occupies a reasonable amount of space, because it stores the schema definitions for the store.

System Attendant Mailbox:

•Each Exchange 200x server has one (and hopefully only one) System Attendant mailbox.
•It contains the folder SpecialPrivateFolderForFreeBusyStorage, where free/busy information for Microsoft Outlook and CDO (Collaboration Data Objects) applications is held temporarily until MSExchangeFBPublish publishes it.
•It is also used to send and receive the Exchange monitoring messages of link monitoring. You can find this function in Exchange System Manager under Tools > Monitoring and Status.
•It must be available during mailbox moves: if the mailbox store containing the System Attendant mailbox is dismounted during a mailbox move, the move fails.
•Like the SystemMailbox, it is made up of two parts: a directory object and a mailbox object.
•A faulty System Attendant mailbox results in OWA-generated free/busy information not being updated and in mailbox moves failing.

SMTP Mailbox

•The SMTP mailbox is generated when the private information store is created and mounted.
•The SMTP (servername-{guid}) mailbox is used by the Exchange 200x transport as a temporary holding place for messages as they pass through the system. In other words, every private mailbox store contains an SMTP mailbox for messages in transit.
•For example, its MTS-IN and MTS-OUT folders are used by Exchange Development Kit (EDK) connectors to transfer messages between the MTA (Message Transfer Agent) and the information store (store.exe). They are also used by X.400 connectors, Exchange site connectors and fax connectors.
•A faulty SMTP mailbox results in failures delivering messages into the store.

Logging into a system mailbox:

Logging into a system mailbox is not recommended, but when troubleshooting it can be opened with MFCMAPI.

Please revert if you have any questions.

Thanks

Logu

logu_microsoft@hotmail.com
91-9841499143

Microsoft Exchange System Attendant:

This article explains the characteristics of the Microsoft Exchange System Attendant service. The System Attendant is primarily a collection of sub-components that work together to proxy Active Directory requests and to regulate internal Exchange Server functions.

1. It is critical to the Exchange server: many Exchange services depend on it and will not work without it.
2. You cannot mount a database unless the System Attendant service is running.
3. It handles the AD communication needed to enforce retention policies and mailbox quotas.
4. The main executable is MAD.EXE in Program Files\Exchsrvr\Bin; most of the sub-components exist as .DLL files.

The following are the components of the System Attendant services.

DSAccess Component:

1. DSAccess.dll keeps the Exchange server from flooding your domain controllers and global catalog servers with excessive requests.
2. In detail, when an Exchange component such as the store or the SMTP transport engine needs recipient information from AD, the query is routed through DSAccess, which acts as a proxy for these AD requests. Recent results are kept in a cache to avoid repeating the same queries.

DSProxy Component:

1. DSProxy.dll acts as a proxy for AD queries coming from Outlook clients.
2. In detail, clients running Outlook 2000 or later are referred to a global catalog server and send their AD queries (such as a request for the GAL) to it directly. Clients older than Outlook 2000 cannot, so for them DSProxy acts as a true proxy and performs the query against the GC on the client's behalf.
3. DSAccess differs in that it proxies the AD requests coming from other Exchange components, not from clients.

RUS (Recipient Update Service):

1. Abv_dg.dll is the core file for the RUS.
2. It applies recipient policies (e-mail addresses and address list membership) to mail-enabled objects.

Mailbox Manager Component:

The Mailbox Manager's job is to enforce the policies that help control the size of an information store, including mailbox quotas and message retention policies.

Server Monitor Component:

1. It keeps the Exchange server's link state information up to date.
2. Link state information is used to calculate the optimal path to the various destinations within the Exchange organization, taking metrics such as cost, availability and hop count into account.
3. It monitors server resources through WMI (Windows Management Instrumentation).
4. It also manages the message tracking logs, if message tracking is enabled.

Offline Address Book Generator:

1. The OAB generator (OABgen.dll) exists so that mobile users can use the address book even while they are offline.
2. Offline users rely on the OAB instead of the GAL.
3. The generated OAB is stored in a system public folder named Offline Address Book, which contains two sub-folders: OAB Version 2 and OAB Version 3a.

Free/Busy Component:

1. The free/busy component (madfb.dll) is responsible for publishing free/busy information.
2. In detail, scheduling a meeting requires the free/busy data of each attendee's calendar, and users generally do not have access to other users' mailboxes. So, like the OAB, the free/busy data is kept in a system public folder, named SCHEDULE+ FREE BUSY.
3. When a user creates an appointment or meeting, the Exchange store sends the corresponding free/busy information as a message to the System Attendant mailbox. Madfb.dll extracts the free/busy data from the message and publishes it in the SCHEDULE+ FREE BUSY folder.

Metabase Update Service:

1. The Metabase Update Service (ds2mb.dll) is closely tied to IIS.
2. The IIS metabase is the core configuration store of IIS. Since Exchange depends on IIS, it also depends on the metabase.
3. On IIS 6 the metabase is an XML file, Metabase.xml, with its schema in MBSchema.xml; on IIS 5 it is a binary file, Metabase.bin. Both live in %SystemRoot%\system32\inetsrv.
4. Some Exchange configuration that IIS needs, such as the SMTP virtual server settings and the HTTP configuration for OWA, is stored in AD. This is where the Metabase Update Service comes in: it replicates the protocol-related Exchange configuration from AD to the IIS metabase.

Hope the above is informative. Please ping me if you have any questions.

Thanks

Logu

logu_microsft@hotmail.com
91-9841499143

Finding the mailboxes homed in particular mailbox store:

This article explains different ways to find the mailboxes homed in a particular mailbox store, in other words how to query mailboxes by the store they live in.
When you try to delete a mailbox store from a server that is running Exchange 2000 or Exchange 2003, you may receive the following error message:
“One or more users currently use this mailbox store. These users must be moved to a different mailbox store or be mail disabled before deleting this store.
ID no: c1034a7f
Exchange System Manager”.

In that case you need to find the mailboxes homed in that mailbox store. The methods below search on msExchHomeServerName, which identifies the server, so on a server with more than one mailbox store they return the mailboxes of all its stores. To narrow the result to a single store, filter on homeMDB instead, which holds the distinguished name of the store object in the configuration partition: use (homeMDB=<DN of the store>) in place of the msExchHomeServerName clause in the LDAP filters below.

Method 1: Use the LDP tool (Ldp.exe) to browse for mailboxes that are on a mailbox store

You can use the LDP tool to find all the accounts that have mailboxes on a particular mailbox store. This tool is included in the Microsoft Windows 2000 Support Tools package.

To use the LDP tool to find all the accounts that have mailboxes on a particular mailbox store, follow these steps:
1.Start Ldp.exe.
2.Click Connection, and then click Connect.
3.Enter the name of a domain controller, and then click OK. We recommend a domain controller in the root domain of the forest.
4.Click Connection, and then click Bind.
5.Enter the user name, the password, and the domain name of an administrative account, and then click OK.
6.On the View menu, click Search.
7.In the Base DN box, enter the domain to search, for example DC=domainname,DC=local.
8.Click the Filter box, and then type the following text (the attribute holds the server's legacyExchangeDN, so a trailing wildcard match on the server name is used):
msExchHomeServerName=*/cn=Servers/cn=SERVER-NAME-TO-REMOVE
9.Click Subtree, and then click Run.
10.Identify the users who have mailboxes on this store. Then use the Active Directory Users and Computers snap-in to move the mailboxes to a different store or to delete them.


Method 2: Use the LDP tool to search for mailboxes that are on a mailbox store

1.Start Ldp.exe.
2.Click Connection, and then click Connect.
3.Enter the name of a domain controller, and then click OK.
4.Click Connection, and then click Bind.
5.Enter the user name, the password, and the domain name of an administrative account, and then click OK.
6.On the View menu, click Tree.
7.Make sure that the Base DN box is blank, and then click OK. If the Base DN box is not blank, clear its contents, and then click OK.
8.Right-click the container that you want to search, such as the CN=Users container, and then click Search.
9.Click the Filter box, and then type the following (the value is the server's full legacyExchangeDN):
(&(objectCategory=person)(objectClass=user)(msExchHomeServerName=/o=ORGANIZATION NAME/ou=ADMINISTRATIVE GROUP NAME/cn=Configuration/cn=Servers/cn=SERVER-NAME-TO-REMOVE))
10.Click Subtree, and then click Run.
11.When you have identified which users have mailboxes on this store, use Active Directory Users and Computers either to move the mailboxes to a different store or to delete them.

Method 3: Use Active Directory Users and Computers to browse for mailboxes that are on a mailbox store

1.Start Active Directory Users and Computers on a computer that has Exchange System Manager installed on it.
2.In Active Directory Users and Computers, click View, click to select the Advanced Features check box, and then click OK.
3.Click View, and then click Choose Columns.
4.In the Modify Columns box, click Exchange Mailbox Store in the Hidden Columns list, click Add, and then click OK to add the Exchange Mailbox Store to the Displayed Columns list.An Exchange Mailbox Store column appears in Active Directory Users and Computers that shows the mailbox store that a user has a mailbox on.
5.When you have identified which users have mailboxes on this store, you can use Active Directory Users and Computers either to move the mailboxes to a different store or to delete the user's mailbox.

Method 4: Use Active Directory Users and Computers to search for mailboxes that are on a mailbox store

1.Start Active Directory Users and Computers.
2.Right-click the domain that you want, and then click Find.
3.Click the Advanced tab, click Field, point to User, and then click Exchange Home Server.
4.In the Condition list, click Ends with, type the name of your Exchange computer, and then click Find Now.
5.If you are prompted to add the current criteria to your search, click Yes.
6.When you have identified which users have mailboxes on this store, you can use Active Directory Users and Computers either to move the mailboxes to a different store or to delete the user's mailbox.
The mailbox search results appear in the lower pane.

Method 5: Use the LDIFDE tool (Ldifde.exe) to create an export file that contains the mailboxes that are on a mailbox store

1.At a command prompt, type an LDIFDE command similar to the following, then press ENTER. The -l switch limits the export to the attributes you need; without it every attribute of each user is written to the file.
ldifde -d "DC=ROOT,DC=COM" -p subtree -l sAMAccountName,mail,homeMDB -f c:\output.txt -r "(&(objectCategory=person)(objectClass=user)(msExchHomeServerName=/o=ORGANIZATION NAME/ou=ADMINISTRATIVE GROUP NAME/cn=Configuration/cn=Servers/cn=SERVER-NAME-TO-REMOVE))"
2.Quit the command prompt.
3.Start Notepad or another text editor, and open the Output.txt file that you created in step 1 to view the mailboxes that are on the mailbox store.
4.When you have identified which users have mailboxes on this store, use Active Directory Users and Computers either to move the mailboxes to a different store or to delete them.
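The same query, matched on the store rather than the server, can be scripted against AD directly. The script below is an added example, not code from the original post; it uses the .NET DirectorySearcher so it works against an Exchange 2000/2003 organization from any domain-joined machine without the Exchange tools, and the organization, administrative group, server and store names in the usage line are placeholders.

```powershell
# Added example (not from the original post): list the mailboxes homed on one mailbox store by
# filtering on homeMDB (the DN of the store object), which is what the deletion error is about.
# Assumes a domain-joined machine; store and organisation names below are placeholders.

function Get-MailboxStoreDn {
    # Mailbox store objects (class msExchPrivateMDB) live in the configuration partition.
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$configNc"
    $searcher.Filter     = '(objectClass=msExchPrivateMDB)'
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties['distinguishedname'][0] }
}

function Get-MailboxOnStore {
    param(
        [Parameter(Mandatory = $true)][string]$StoreDn,   # DN of the mailbox store object
        [string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )
    # Store DNs contain parentheses ("Mailbox Store (SERVER)"), which are LDAP filter
    # metacharacters, so the DN must be escaped before it is embedded in the filter.
    $escaped = $StoreDn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter      = "(&(objectCategory=person)(objectClass=user)(homeMDB=$escaped))"
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000    # paged results, so a large store returns every mailbox
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('sAMAccountName', 'mail', 'msExchHomeServerName', 'distinguishedName'))

    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Account = [string]$r.Properties['samaccountname'][0]
            Mail    = [string]$r.Properties['mail'][0]
            Server  = [string]$r.Properties['msexchhomeservername'][0]
            Dn      = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

# First list the store DNs to pick the right one, then query for its mailboxes.
Get-MailboxStoreDn
Get-MailboxOnStore -StoreDn ('CN=Mailbox Store (SERVER-NAME-TO-REMOVE),CN=First Storage Group,' +
    'CN=InformationStore,CN=SERVER-NAME-TO-REMOVE,CN=Servers,CN=ADMINISTRATIVE GROUP NAME,' +
    'CN=Administrative Groups,CN=ORGANIZATION NAME,CN=Microsoft Exchange,CN=Services,' +
    'CN=Configuration,DC=ROOT,DC=COM') |
    Format-Table Account, Mail, Server -AutoSize
```

An empty result while Exchange System Manager still refuses the deletion usually means a mailbox-enabled object outside the search base, such as one in another domain of the forest, so widen SearchBase to the global catalog (GC://) in that case.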

Thanks

Logu

logu_microsoft@hotmail.com
91-9841499143

Sunday, July 6, 2008

Best Practices for FSMO role placement:

In an Active Directory environment some of your domain controllers (DCs) must hold certain special roles for the network to function properly. These are the flexible single master operations (FSMO) roles, and the DCs that hold them are the FSMO role holders. If the roles are not placed properly, bad things can happen, so this article focuses on the rules for placing FSMO roles on AD-based networks. For background on what each role does, please refer to my earlier post on FSMO roles.

Symptoms of FSMO Problems:

If one or more of your FSMO role holders has problems, the symptoms below are typical. Use them to narrow down which role holder has gone missing or is not working properly.

Symptoms by role:

  1. PDC Emulator
    1. Users can't log on - the PDC Emulator is the domain's time source; if system clocks drift apart, Kerberos fails.
    2. Can't change passwords - password changes need this role holder.
    3. Account lockout not working - account lockout enforcement needs this role holder.
    4. Can't raise the functional level of the domain - this role holder must be available when raising the domain functional level.
  2. RID Master
    1. Can't create new users or groups - the DC's RID pool has been depleted and cannot be refilled.
  3. Infrastructure Master
    1. Problems with universal group memberships - cross-domain object references need this role holder.
  4. Domain Naming Master
    1. Can't add or remove a domain - changes to the namespace need this role holder.
    2. Can't promote or demote a DC - changes to the namespace need this role holder.
  5. Schema Master
    1. Can't modify the schema - changes to the schema need this role holder.
    2. Can't raise the functional level of the forest - this role holder must be available when raising the forest functional level.

Rules for FSMO Role Placement

Since FSMO roles are crucial for the proper functioning of an AD-based network, it is a good idea to get them right at the planning stage of your deployment. By default, when you install the first DC of your forest root domain, it holds all five FSMO roles. When you install the first DC of any other domain in the forest, that DC holds the three domain-wide roles (PDC Emulator, RID Master and Infrastructure Master). Depending on the size and complexity of your network, you should then place the roles according to the rules below.

Rule 1: The PDC Emulator and RID Master roles should be on the same machine, because the PDC Emulator is a large consumer of RIDs.

Tip: Since the PDC Emulator does by far the most work of any FSMO role, if the machine holding it is heavily utilized then move this role and the RID Master role to a different DC, preferably not a global catalog server (GC), since those are often heavily used as well.

Rule 2: The Infrastructure Master should not be placed on a GC.

Tip: Make sure the Infrastructure Master has a GC in the same site as a direct replication partner.

Exception 1: It is OK to put the Infrastructure Master on a GC if your forest has only one domain.

Exception 2: It is OK to put the Infrastructure Master on a GC if every DC in your forest is a GC.

Rule 3: For simpler management, the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC.

Exception: If you have raised your forest functional level to Windows Server 2003, the Domain Naming Master does not need to be on a GC, but it should at least be a direct replication partner of a GC in the same site.

Rule 4: Proactively check from time to time that all FSMO role holders are available, or write a script to do this automatically.

Tip: If any FSMO role holders at a remote site are unavailable, first check whether your WAN link is down.
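The script Rule 4 asks for, as an added example that is not part of the original post. It lists the five role holders, checks that each answers on LDAP (TCP 389), and flags placements that break Rule 1 or Rule 2 (including its two exceptions). It assumes the ActiveDirectory PowerShell module and a reachable DC in the domain being checked.

```powershell
# Added example (not from the original post): periodic FSMO availability and placement check.
# Assumes the ActiveDirectory module and that the current domain is the one to check.
Import-Module ActiveDirectory

function Test-TcpPort {
    # Plain TCP connect with a timeout, so the check also works where ICMP is blocked.
    param([string]$ComputerName, [int]$Port = 389, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-FsmoPlacement {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $roles = @(
        @{ Role = 'SchemaMaster';         Holder = $forest.SchemaMaster },
        @{ Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster },
        @{ Role = 'PDCEmulator';          Holder = $domain.PDCEmulator },
        @{ Role = 'RIDMaster';            Holder = $domain.RIDMaster },
        @{ Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
    )
    # DCs of this domain; forest-wide role holders in another domain will not appear here.
    $dcs = @(Get-ADDomainController -Filter *)
    $allDcsAreGc       = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $singleDomainForest = @($forest.Domains).Count -eq 1

    foreach ($r in $roles) {
        $holder = $r.Holder
        $dc     = $dcs | Where-Object { $_.HostName -eq $holder }
        $isGc   = if ($dc) { [bool]$dc.IsGlobalCatalog } else { $null }
        $warning = $null
        # Rule 2 and its exceptions: the Infrastructure Master may be a GC only in a
        # single-domain forest or when every DC is a GC.
        if ($r.Role -eq 'InfrastructureMaster' -and $isGc -and
            -not ($singleDomainForest -or $allDcsAreGc)) {
            $warning = 'Infrastructure Master is a GC while not every DC is a GC (Rule 2)'
        }
        # Rule 1: PDC Emulator and RID Master belong on the same DC.
        if ($r.Role -eq 'PDCEmulator' -and $domain.RIDMaster -ne $holder) {
            $warning = 'PDC Emulator and RID Master are on different DCs (Rule 1)'
        }
        [pscustomobject]@{
            Role    = $r.Role
            Holder  = $holder
            LdapUp  = Test-TcpPort -ComputerName $holder
            IsGC    = $isGc
            Warning = $warning
        }
    }
}

Test-FsmoPlacement | Format-Table -AutoSize -Wrap
```

Run it from a scheduled task and alert on any row where LdapUp is False or Warning is set; a role holder that stops answering on 389 is the early sign of the symptoms listed above, and checking the WAN link first (the tip for Rule 4) still applies before seizing any role.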

Hope the above is informative.

Please feel free to contact me for any questions.

Thanks

Logu

Logu_microsoft@hotmail.com

91-98414 99143.

Friday, May 30, 2008

Understanding DSProxy, DSReferral, DSAccess and the Categorizer:

This article explains the important directory-access components in an Exchange environment: DSProxy, DSReferral, DSAccess and the categorizer. AD and Exchange are tightly integrated, and the relationship between them is more complex, and more often misunderstood, than it looks. Exchange uses two services, DSProxy and DSAccess, to reach the global catalog (GC). As a reminder, the global catalog is a database that holds a partial replica of every domain partition in the forest, that is a subset of the attributes (for example the e-mail address) of every object in the forest. DSProxy is an Exchange-specific service, whereas DSAccess is a component that the Exchange services use internally.

Dsproxy:

1. Outlook 2000 and later clients can access the GC directly, but older Outlook clients cannot.
2. To cover that gap, Exchange provides a proxy service, DSProxy, which acts as an intermediary between the client and the GC.
3. DSProxy lets Outlook clients access information in AD through the Name Service Provider Interface (NSPI).

Dsreferral:

1. While DSProxy stands in for clients that cannot reach the GC, DSReferral helps the clients that can: it refers Outlook 2000 and later clients to a GC so they can query it directly.
2. DSReferral matters especially when Exchange is not running on a GC server. In that case it updates the Outlook 2000 client's MAPI profile with an appropriate GC server.

Dsaccess:

1. The GC is shared between Exchange and every other AD consumer, so it is important to reduce the impact of Exchange queries on it. DSAccess is the solution.
2. DSAccess implements a cache that stores recently accessed information for a configurable length of time. This cache drastically reduces the number of direct queries to the GC.

Role of the Categorizer:

The SMTP categorizer is the Exchange component that resolves recipients and submits each message to its proper destination. When a message is submitted, the categorizer asks DSAccess for the list of directory servers and then queries them directly for the information needed to deliver the message. Problems at the categorizer are often caused by DNS or AD lookup issues. When troubleshooting mail flow, use message tracking (in Exchange Server 2003 as well as 2007) to follow the path of a message; if the message stops at the categorizer, it is usually wise to start troubleshooting from the directory access side.

Hope the above information is short and informative.

Thanks

Logu
logu_microsoft@hotmail.com

91-98414 99143

Wednesday, December 12, 2007

Adding Domains to Exchange Hosting

This article explains how to add multiple e-mail domains to an Exchange hosting setup. One Exchange server can host mailboxes for several e-mail domains, not only the Active Directory domain it was installed in.

For example, suppose Exchange is installed in a domain called domain.com and user accounts have addresses like xyz@domain.com. Adding further domains lets the same server hold virtual-domain accounts such as xyz@domain1.com, xyz@domain2.com and so on.

1. Create an OU called domain1.com.

2. Create a group with scope Universal and type Distribution, named domain1-all, and mail-enable it (Exchange Tasks > Establish e-mail address; the alias defaults to the group name).

3. Edit the properties of domain1-all and change its primary SMTP address from domain1-all@domain.com to domain1-all@domain1.com.

4. Create a new recipient policy named domain1.com. Add a new SMTP address @domain1.com, make it the primary address, and leave @domain.com as a secondary address.

5. In the policy's filter rules, use the advanced LDAP query below:
(memberOf=CN=domain1-all,OU=domain1.com,DC=domain,DC=com)

The idea behind the query is that the recipient policy applies to members of the domain1-all group. An LDAP filter cannot select on the OU an object lives in, so group membership is what ties an account to the hosted domain: a user created in the domain1.com OU only gets @domain1.com addresses once added to domain1-all, and whoever can change that group's membership decides which accounts receive addresses in the hosted domain.

6. Create an address list (a per-domain GAL) for this domain: name it domain1.com and, in the filter rules, use the Advanced tab to add the condition "E-mail address ends with @domain1.com". Creating the list does not by itself hide the other tenants: users still see the default GAL and every other address list they have read permission on, so restrict the permissions on the address lists if the hosted domains must not see each other.

7. Open ADSIEdit.msc, go to Domain > DC=domain,DC=com > OU=domain1.com, right-click > Properties, and in the attribute editor add domain1.com to the OU's uPNSuffixes attribute.

8. Create a new user inside the OU and check that the drop-down next to the logon name offers both @domain.com and @domain1.com.
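The directory side of the procedure (steps 1, 2 and 7) can be scripted, and the filter from step 5 can be run by hand to see exactly who the policy will stamp. The script below is added here and is not part of the original post. It uses plain ADSI, so it runs on Windows Server 2003 without the later ActiveDirectory module; mail-enabling the group (steps 2 and 3) and creating the recipient policy are left to Exchange System Manager so the Recipient Update Service stamps the addresses. It assumes the forest root is domain.com and the hosted domain is domain1.com, and must run as an account allowed to create OUs and groups.

```powershell
# Added example, not from the original post. Assumptions: forest root domain.com
# (DC=domain,DC=com), hosted domain domain1.com, run as an OU/group administrator.

$domainDN  = "DC=domain,DC=com"
$hosted    = "domain1.com"
$groupName = "domain1-all"

# Step 1: one OU per hosted domain
$domain = [ADSI]"LDAP://$domainDN"
$ou = $domain.Create("organizationalUnit", "OU=$hosted")
$ou.SetInfo()

# Step 2: universal distribution group (groupType 8 = universal scope, security bit not set)
$grp = $ou.Create("group", "CN=$groupName")
$grp.Put("sAMAccountName", $groupName)
$grp.Put("groupType", 8)
$grp.SetInfo()

# Step 7: offer @domain1.com as a UPN suffix when users are created in this OU.
# uPNSuffixes is multi-valued, so append (ADS_PROPERTY_APPEND = 3) rather than overwrite.
$ou.PutEx(3, "uPNSuffixes", @($hosted))
$ou.SetInfo()

# Step 5 check: the recipient-policy filter selects group members, not OU contents.
# Run this after adding users to domain1-all to see exactly who will get addresses.
function Get-HostedRecipients {
    param([string]$GroupDN = "CN=$groupName,OU=$hosted,$domainDN")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter = "(memberOf=$GroupDN)"
    $searcher.PropertiesToLoad.AddRange([string[]]@("samaccountname", "distinguishedname", "mail")) | Out-Null
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        New-Object PSObject -Property @{
            Account = $p["samaccountname"][0]
            DN      = $p["distinguishedname"][0]
            Mail    = $(if ($p.Contains("mail")) { $p["mail"][0] } else { "<not yet stamped>" })
        }
    }
}

Get-HostedRecipients | Format-Table Account, Mail, DN -AutoSize
```

An account that appears in this output without a @domain1.com address has not been processed by the Recipient Update Service yet; an account that is missing although it sits in the domain1.com OU is simply not a member of domain1-all, which is the usual reason the policy "does not apply".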

So the domain.com mail server now hosts the domain1.com e-mail domain as well.

Thanks
Logu
logu_microsoft@hotmail.com
91-98414-99143

Saturday, October 27, 2007

Moving 2003 Domain Controller to new machine

Hi friends

This article explains the steps to follow when moving a Windows Server 2003 domain controller to a newly built server. In small organisations, moving the DC to new hardware after a few years is common. The following is the step-by-step procedure.

Let us call the servers oldserver and newserver and the domain test.com. oldserver is the existing domain controller, holding all five FSMO roles, the global catalog and Active Directory-integrated DNS.

Initial configuration of newserver:
  1. Install the server OS, the latest service pack and patches.
  2. Join it to the test.com domain.
Configure as Additional DC:

Run dcpromo to promote newserver as an additional domain controller for test.com. Then, in Active Directory Sites and Services, open the NTDS Settings of newserver and tick Global Catalog as well: Exchange and cross-domain logons depend on a GC being available, and oldserver's GC goes away with it.

Configuring DNS Server:

Install the DNS Server service on newserver. Because the test.com zone is Active Directory-integrated, it replicates to newserver with the directory itself; there is no primary/secondary relationship and no zone transfer to configure. Once replication has finished, confirm that newserver answers for test.com (nslookup against it), check that the zone's Name Servers tab lists newserver, and point the clients (and any DHCP scopes) at newserver as their DNS server. Now the name resolution part is complete.

Test Connectivity with DCDIAG:

Use the dcdiag.exe support tool (Support Tools on the Windows Server 2003 CD) to check the health of both DCs, dcdiag /v on each server, and repadmin /showrepl to confirm that replication between them works before touching any role.

Role Transfer:

Now, using ntdsutil, transfer the five roles from oldserver to newserver. Use transfer (not seize) while oldserver is still online: seize is only for a role holder that is gone for good, and a DC whose roles were seized must never be brought back onto the network.

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server newserver
server connections: quit
fsmo maintenance: transfer schema master
fsmo maintenance: transfer domain naming master
fsmo maintenance: transfer PDC
fsmo maintenance: transfer RID master
fsmo maintenance: transfer infrastructure master
fsmo maintenance: quit
ntdsutil: quit

Each transfer command asks for confirmation and prints the role holder before and after.


Check that the role transfer completed with the command below (dumpfsmos is a Resource Kit script that wraps ntdsutil; netdom query fsmo gives the same answer):

dumpfsmos servername (in our example, dumpfsmos newserver)

Once every role, the global catalog and DNS are on newserver, demote oldserver cleanly with dcpromo before switching it off. Simply unplugging it leaves stale DC metadata in the directory that must later be removed with ntdsutil metadata cleanup. Now newserver is the domain controller for test.com.

Thanks

Logu
logu_microsoft@hotmail.com
91-98414-99143

Saturday, October 13, 2007

Group policy update forcing

Hi friends

To force a client machine to pick up the latest group policy from the domain controllers, use the options below.

For 2000 clients:

* SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE

Immediately applies the group policy settings under the Computer Configuration node of the relevant GPOs.

* SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE

Immediately applies the group policy settings under the User Configuration node of the relevant GPOs.

/ENFORCE reapplies the settings even if the GPOs have not changed since the last refresh; without it only changed GPOs are processed.

For XP (and Windows Server 2003) clients:

gpupdate - refreshes group policy on the client. Plain gpupdate only processes GPOs that changed since the last refresh; gpupdate /force reapplies all of them, and /target:computer or /target:user restricts the refresh to one node. Settings that apply only at startup or logon (software installation, folder redirection) need gpupdate /boot or gpupdate /logoff.

gpresult - shows the Resultant Set of Policy actually applied to the computer and user (gpresult /v for the details; on Vista and later, gpresult /r gives the summary).

Thanks

Logu
logu_microsoft@hotmail.com
91-98414-99143

Sunday, September 2, 2007

Important Port Numbers

Hi friends
This article gives you a list of important port numbers. Knowing them is vital for managing domains and services, and for deciding what a firewall between clients, domain controllers and mail servers must allow. Unless noted, the ports are TCP.

FTP 21 (control), 20 (data)

TELNET 23

SMTP 25

DNS 53 (TCP and UDP)

HTTP 80

Kerberos 88 (TCP and UDP)

POP3 110

NNTP 119

RPC endpoint mapper 135 (the RPC services behind it use dynamic high ports)

IMAP4 143

LDAP 389 (TCP and UDP)

HTTPS 443

SMB 445 (file sharing; also needed between Exchange DAG members)

SMTP over SSL 465

LDAP over SSL 636

Routing Group Master (link state) 691

IMAP4 over SSL 993

POP3 over SSL 995

Global Catalog 3268 and 3269 (SSL)

RDP 3389

Exchange DAG replication (log shipping and database seeding) 64327 (configurable)

Telnet, FTP, POP3, IMAP4, HTTP and plain LDAP carry credentials in clear text; prefer the SSL/TLS variants or Kerberos-authenticated, signed LDAP. RPC 135, SMB 445 and RDP 3389 should never be reachable from untrusted networks.
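A quick way to turn the list into a check is to probe the domain controller ports from a client. The script below is added here and is not from the original post; it uses System.Net.Sockets.TcpClient so it runs on Windows PowerShell 2.0, where Test-NetConnection does not exist, and extends the list above with DNS 53 and the Kerberos password-change port 464. The server name dc01.test.com is a placeholder.

```powershell
# Added example, not from the original post. Assumption: dc01.test.com stands for your DC.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout: filtered by a firewall, or the host is down
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)   # throws if the port is closed (connection refused)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-DcPorts {
    param([string]$ComputerName = "dc01.test.com")
    $ports = @(
        @{Port=53;   Name="DNS"},
        @{Port=88;   Name="Kerberos"},
        @{Port=135;  Name="RPC endpoint mapper"},
        @{Port=389;  Name="LDAP"},
        @{Port=445;  Name="SMB"},
        @{Port=464;  Name="Kerberos password change"},
        @{Port=636;  Name="LDAP over SSL"},
        @{Port=3268; Name="Global Catalog"},
        @{Port=3269; Name="Global Catalog over SSL"},
        @{Port=3389; Name="RDP"}
    )
    foreach ($p in $ports) {
        New-Object PSObject -Property @{
            Server = $ComputerName
            Port   = $p.Port
            Name   = $p.Name
            Open   = Test-TcpPort -ComputerName $ComputerName -Port $p.Port
        }
    }
}

Test-DcPorts | Format-Table Port, Name, Open -AutoSize
```

Two things a single-port probe cannot tell you: RPC-based operations (replication, some management tools) also need the dynamic port range above 135 (1025-5000 on Windows Server 2003, 49152-65535 on 2008 and later), and "open" says nothing about who should be able to reach it. RDP 3389 or SMB 445 answering from a network segment that has no business reaching the DC is a finding, not a success.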

Thanks

Logu

Logu_microsoft@hotmail.com

91-9841499143

Friday, August 31, 2007

FSMO Roles

Hi friends

In Active Directory, the FSMO roles play a pivotal part. The idea behind them is interesting and also gives you the whole picture of what happens when a new object is created and how it is replicated everywhere.

In Windows NT, directory writes were single-master: the PDC (Primary Domain Controller) held the only writable copy of the SAM (Security Accounts Manager) database and the BDCs (Backup Domain Controllers) held read-only copies. Active Directory in Windows 2000/2003 makes every domain controller writable; a change made on one DC is replicated to all the others, which is called multi-master replication. So why do we need FSMO roles? Because a few operations cannot tolerate two DCs acting at once: if the schema were modified on two DCs simultaneously, or two DCs issued the same security identifier, the result would be conflicting data in the AD database. For those operations Microsoft kept a single master per operation, hence the Flexible Single Master Operation (FSMO) roles. There are five distinct roles, each with its own function; the first two are forest-level roles and the other three are domain-level roles.

Schema Master:

1. Controls all updates and modifications to the AD schema; only the schema master accepts schema writes.
2. Once a schema update completes, the schema master replicates it to all other DCs.
3. There can be only one schema master in the whole forest.
4. Schema changes cannot be undone, so keep the Schema Admins group empty and add a member only for the duration of a planned schema extension.

Domain Naming Master:
1. Controls the addition or removal of domains (and application partitions) in the forest.
2. Adding or removing a domain is possible only while the domain naming master is reachable.
3. There can be only one domain naming master in the whole forest.

Infrastructure Master:
1. Responsible for updating the security identifier and distinguished name in cross-domain object references (for example a group in this domain that contains a user from another domain) when the referenced object is renamed or moved.
2. At any one time there can be only one infrastructure master in each domain.
3. In a multi-domain forest the infrastructure master should not be a global catalog server. It finds stale references by comparing its own data with a GC; if it is itself a GC it never sees a difference, the cross-domain references are never updated, and an error is logged in the event log. The exception is when all DCs in the domain are global catalogs (or the forest has a single domain), in which case the role has nothing to do and its placement does not matter.

RID Master:
1. Responsible for processing RID (Relative Identifier) pool requests from all DCs in a particular domain.
2. Every security principal's SID (security identifier) is the domain SID, which every object in the domain shares, followed by a RID that is unique within the domain: SID = domain SID + RID.
3. The RID master hands each DC a block of RIDs (a RID pool, 500 by default); the DC takes the next RID from its pool whenever it creates a user, group or computer, so two DCs can never issue the same SID. When a DC's pool runs low it asks the RID master for another block; if the RID master stays unreachable, object creation on that DC eventually fails.
4. There can be only one RID master for that particular domain.
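The relationship between the RID pool, the domain SID and the object SID is easy to see in a few lines. The script below is added here and is not from the original post; it runs offline on any Windows PowerShell, and the domain SID and pool boundaries are made-up values.

```powershell
# Added example, not from the original post: how a DC turns a RID from its allocated pool
# into an object SID, and what pool exhaustion looks like. The domain SID and the pool
# boundaries below are constructed values.

# The RID master hands each DC a contiguous block of RIDs (500 by default). Modelled as a
# hashtable so the function below can advance it in place.
$ridPool = @{ Next = 1600; Last = 2099 }

function Get-NextRid {
    param([hashtable]$Pool)
    if ($Pool.Next -gt $Pool.Last) {
        # A DC asks for a new block when the pool runs low; if the RID master is unreachable
        # for long enough, this is the point where creating users and groups starts to fail.
        throw "RID pool exhausted: the RID master must issue a new block"
    }
    $rid = $Pool.Next
    $Pool.Next++
    return $rid
}

function New-ObjectSid {
    param([string]$DomainSid, [int]$Rid)
    # SID = domain SID + RID. The domain SID is common to every principal in the domain;
    # the RID is the last sub-authority and is what makes each SID unique.
    New-Object System.Security.Principal.SecurityIdentifier("$DomainSid-$Rid")
}

function Get-RidFromSid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    [int](($Sid.Value -split '-')[-1])
}

# Well-known RIDs are fixed when the domain is created and survive any renaming of the
# account, so detection rules should key on the RID rather than on the display name.
$wellKnownRids = @{ 500 = "Administrator"; 501 = "Guest"; 502 = "krbtgt";
                    512 = "Domain Admins"; 518 = "Schema Admins"; 519 = "Enterprise Admins" }

$domainSid = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed, not a real domain

$sid = New-ObjectSid -DomainSid $domainSid -Rid (Get-NextRid $ridPool)
"New object:  $($sid.Value)"
"Domain SID:  $($sid.AccountDomainSid.Value)"
"RID:         $(Get-RidFromSid $sid)"

$renamedAdmin = New-ObjectSid -DomainSid $domainSid -Rid 500
$rid = Get-RidFromSid $renamedAdmin
if ($wellKnownRids.ContainsKey($rid)) {
    "RID $rid is the built-in $($wellKnownRids[$rid]) account, whatever it is called now"
}
```

Calling Get-NextRid 500 more times on this pool raises the exhaustion error, which is the scripted version of the "Windows cannot create the object because the directory service was unable to allocate a relative identifier" failure seen on a DC that has lost contact with the RID master.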

PDC Emulator:
1. Responsible for time synchronisation: the PDC emulator of each domain is the authoritative time source for that domain, and the PDC emulator of the forest root domain is authoritative for the whole enterprise (it is the one that should be synchronised to an external time source).
2. Password changes made on any DC are replicated preferentially (urgent replication) to the PDC emulator.
3. Authentication failures are retried at the PDC emulator before being rejected, so a user whose new password has not replicated yet can still log on, and account lockouts are processed there.
4. Acts as the PDC for Windows NT 4.0 BDCs and earlier clients in a mixed-mode domain, and is the default DC targeted when group policy is edited.
5. There can be only one PDC emulator for that particular domain.

Commands for checking the FSMO roles :

The following commands show which domain controller holds each role.

1. dumpfsmos {servername}

2. dsquery server -hasfsmo {schema|name|infr|pdc|rid}

3. dcdiag /test:knowsofroleholders /v

4. netdom query fsmo

To find the global catalog servers:

dsquery server -isgc

dsquery server -domain damacholding.home -isgc (limits the search to one domain)

repadmin /options * (a server whose options include IS_GC is a global catalog)

nltest /dsgetdc:corp /GC (asks the DC locator for a GC that serves the domain corp)
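All of those tools read the same five attributes, and reading them directly is useful when none of the tools is installed, for instance on a freshly built server. The script below is added here and is not from the original posts; it uses plain ADSI, runs on a Windows Server 2003 domain member, and doubles as the check after the ntdsutil role transfer in "Moving 2003 Domain Controller to new machine" above. It assumes the caller can read the configuration partition, which any authenticated domain user can by default.

```powershell
# Added example, not from the original posts: read the FSMO role owners and the list of
# global catalogs straight from the directory. Assumption: run as an authenticated domain
# user on a domain member.

function ConvertFrom-NtdsSettingsDn {
    # fSMORoleOwner holds the DN of the owner's NTDS Settings object:
    #   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    # so the server name is the second RDN. A value containing "\0ADEL:" means the owner
    # object has been deleted (seized role, failed DC): report it as a finding, not a server.
    param([string]$Dn)
    if ($Dn -match '\\0ADEL:') { return "<deleted owner: $Dn>" }
    return (($Dn -split ',')[1] -replace '^CN=', '')
}

function Get-FsmoRoleOwners {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainNC = $rootDse.Properties["defaultNamingContext"].Value
    $schemaNC = $rootDse.Properties["schemaNamingContext"].Value
    $configNC = $rootDse.Properties["configurationNamingContext"].Value

    # Each role is recorded as the fSMORoleOwner attribute of one well-known object.
    $roleObjects = @(
        @{Role="Schema master";         Scope="forest"; Path="LDAP://$schemaNC"},
        @{Role="Domain naming master";  Scope="forest"; Path="LDAP://CN=Partitions,$configNC"},
        @{Role="PDC emulator";          Scope="domain"; Path="LDAP://$domainNC"},
        @{Role="RID master";            Scope="domain"; Path="LDAP://CN=RID Manager`$,CN=System,$domainNC"},
        @{Role="Infrastructure master"; Scope="domain"; Path="LDAP://CN=Infrastructure,$domainNC"}
    )
    foreach ($r in $roleObjects) {
        $obj   = [ADSI]($r.Path)
        $owner = [string]$obj.Properties["fSMORoleOwner"].Value
        New-Object PSObject -Property @{
            Role   = $r.Role
            Scope  = $r.Scope
            Holder = ConvertFrom-NtdsSettingsDn $owner
        }
    }
}

function Get-GlobalCatalogServers {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = $rootDse.Properties["configurationNamingContext"].Value
    $sites    = [ADSI]"LDAP://CN=Sites,$configNC"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($sites)
    # Every DC has an nTDSDSA object; bit 0x1 of its options attribute (NTDSDSA_OPT_IS_GC)
    # marks a global catalog. 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $searcher.Filter = "(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))"
    $searcher.PropertiesToLoad.Add("distinguishedname") | Out-Null
    foreach ($r in $searcher.FindAll()) {
        ConvertFrom-NtdsSettingsDn ($r.Properties["distinguishedname"][0])
    }
}

Get-FsmoRoleOwners | Format-Table Role, Scope, Holder -AutoSize
"Global catalogs: " + ((Get-GlobalCatalogServers) -join ", ")
```

After a server move, every Holder line should name the new server and the old one should no longer appear among the global catalogs. A holder reported as a deleted owner means a role was seized or the old DC was removed without a clean demotion; seize the role onto a live DC and run ntdsutil metadata cleanup before anything else.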

That covers the functions of the roles. Transferring and seizing roles is the next step for the reader.

Please do post me if you have any questions.

Thanks
Logu
logu_microsoft@hotmail.com | 91-98414-99143

Sunday, August 12, 2007

Managing Firefox with Active directory GPO

Hi Friends,
This article explains how to manage the Firefox browser with group policy objects in an Active Directory environment. Out of the box, AD group policy only knows how to control Internet Explorer's settings. Comparisons between IE and Firefox are common in IT, and many users prefer Firefox, not least for its developer-friendly web developer tooling, so deploying it and controlling its behaviour from the domain matters. This article shows how to do both from the domain's group policy.
Firefox is an open-source browser that originated on Unix/Linux but ships as an executable installer for Windows. First, a word on AD and GPO. Active Directory is a database holding the complete record of resources (all objects and their attributes) in the domain; a GPO (Group Policy Object) is a set of policies applied to users and computers in the domain. See the Microsoft site for a complete description of both.
step1:
Obtain a Firefox MSI package and store it in a network share readable by the computers and users that will install it. Mozilla did not ship an MSI at the time of writing, so the package comes from a third-party repackaging: verify its origin and checksum before deploying it domain-wide.
step2:
In the GPO, under Software Installation, assign or publish the Firefox MSI package.
step3:
Download FirefoxADM, a freeware package containing an .adm administrative template and logon scripts.
step4:
In the GPO, add the downloaded logon script under Scripts (Logon).
step5:
Open the GPO, right-click Administrative Templates under the user or computer settings, and add the downloaded .adm template file.
step6:
A new "Mozilla Firefox default settings" node appears, containing the settings for Firefox.
Step7:
Configure the settings as needed.

Finally, the Firefox administrative templates are integrated into the Active Directory GPO. Likewise any third-party application that provides both an .msi and an .adm can be added to the server-side GPO. Current Firefox versions ship their own ADMX templates and a policies.json mechanism, which replace the FirefoxADM approach described here.

Please do post if you have any questions.

Thanks,
Logu
logu_microsoft@hotmail.com