
Archive for 2008

PowerShell GPMC scripts

 

The other day I had a need to configure scheduled backups of GPOs to file on a Windows Server 2008 Domain Controller.  Aha (I thought), I’ve done this before using the BackupAllGPOs.wsf script that is included along with a whole bunch of other handy scripts when you install the Group Policy Management Console (GPMC).  After a few minutes of fruitless searching on my Windows Server 2008 DC I realised that although the GPMC was installed (as a feature) the scripts were nowhere to be found.  After some Googling I found out that I hadn’t been singled out for victimisation - unlike Windows Server 2003, the scripts just aren’t installed by default in Windows Server 2008 when you enable the GPMC feature.  I discovered that you could download the Vista and Windows Server 2008 versions of the scripts here:

Group Policy Management Console Sample Scripts

It puzzled me that the scripts weren’t included by default.  I suspect the Vista and WS2008 versions of the scripts were developed after the products had shipped.  Anyway, it made me think that Microsoft maybe wanted me to work with PowerShell and not VBScript.  Aha (I thought again), I’ll see if I can find the PowerShell equivalent of the GPMC scripts.  After a fair bit of searching I found two options.

Option 1.

SDM GPMC PowerShell Cmdlets from Darren Mar-Elia

Option 2.

Sample functions provided by Thorbjörn Sjövold in his Technet Magazine article, Simplify Group Policy Administration with Windows PowerShell

The first option requires installing the Cmdlets from an .msi install package, something I didn’t really want to have to do in the environment I was working with.

The second option proved a winner and provided the functions I needed to get my PowerShell script up and running within a few minutes.  Here’s my script to back up all the GPOs in a given domain.

## FileName: BackupGPOs.ps1
## Date: 13.12.2008
## Purpose:  Backs up all GPOs within domain to file

## Variables

$backupDirectory = "c:\backup\GPO"
$domainName = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name

## Functions

# Source: http://technet.microsoft.com/en-us/magazine/cc162355.aspx

###########################################################################
# Function   : BackupAllGpos
# Description: Backs up all GPOs in a Domain
# Parameters : $backupDirectory - The directory where the backups will be stored
#            : $domainName - The dns name, e.g. microsoft.com, of the domain to operate on
#            : $backupComment - An optional comment for the backups, if nothing is passed the current date will be used.
# Returns    : N/A
###########################################################################
function BackupAllGpos(
  [string] $backupDirectory=$(throw '$backupDirectory is required'),
  [string] $domainName=$(throw '$domainName is required'),
  [string] $backupComment=$(get-date))
{
  $gpmAllGposInDomain = GetAllGposInDomain $domainName

  foreach ($gpmGpo in $gpmAllGposInDomain) # Iterate through all the GPOs
  {
    "Back up GPO : " + $gpmGpo.DisplayName
    $gpmResult = $gpmGpo.Backup($backupDirectory, $backupComment) # Backup the GPO
    [void] $gpmResult.OverallStatus() # Throws if the backup reported any errors
    $gpoBackup = $gpmResult.Result # The GPMBackup object for the backup just taken
  }
}

###########################################################################
# Function   : GetAllGposInDomain
# Description: Returns all GPOs in a domain
# Parameters : $domainName - The dns name, e.g. microsoft.com, of the domain to operate on
# Returns    : All Group Policy Objects in the supplied domain
###########################################################################
function GetAllGposInDomain(
  [string] $domainName=$(throw '$domainName is required'))
{
  $gpm = New-Object -ComObject GPMgmt.GPM # Create the GPMC Main object
  $gpmConstants = $gpm.GetConstants() # Load the GPMC constants
  $gpmDomain = $gpm.GetDomain($domainName, "", $gpmConstants.UseAnyDC) # Connect to the domain passed using any DC
  $gpmSearchCriteria = $gpm.CreateSearchCriteria() # Create a search criteria without any restrictions
  $gpmDomain.SearchGPOs($gpmSearchCriteria) # Search and find all GPOs in the domain, this will return the array
}

## Main

BackupAllGpos $backupDirectory $domainName

## End

Note that I’ve set the $domainName variable to match the domain of the computer from which the script is run.  To set the variable to match the domain of the user account under which the script runs change it to (may wrap):

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name

The sample functions provided by Thorbjörn are comprehensive and cover nearly all of the features included in the original GPMC VBScripts.  I encourage you to take a look.
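The script above silently throws away the result of each backup, which is fine interactively but not for a scheduled job nobody watches. The following is an added example, not code from the original post or from Thorbjörn's article: it drives the same GPMgmt.GPM COM interface, puts each run in its own dated folder, checks the per-GPO status messages, writes a small manifest and exits non-zero on failure so the Task Scheduler records it. The folder layout, the manifest file and its columns are my own choices; the COM property names (Status, Result, GPODisplayName, GPOID, ID, Timestamp) follow the GPMC documentation.

```powershell
## Added example (not part of the original post): GPO backup with status
## checking and a manifest, intended to be run from a scheduled task.

$backupRoot = 'C:\backup\GPO'
$domainName = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name

# One sub-folder per run: GPMC keeps a catalogue per backup directory, so this
# keeps each run's catalogue separate and makes pruning old runs a folder delete
$runDir = Join-Path $backupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $runDir -Force | Out-Null

$gpm       = New-Object -ComObject GPMgmt.GPM
$constants = $gpm.GetConstants()
$domain    = $gpm.GetDomain($domainName, '', $constants.UseAnyDC)
$gpos      = $domain.SearchGPOs($gpm.CreateSearchCriteria())   # no criteria = every GPO

$failed   = 0
$manifest = @()
foreach ($gpo in $gpos) {
    $result = $gpo.Backup($runDir, "Scheduled backup $(Get-Date)")

    # IGPMResult.Status is a collection of GPMStatusMessage objects; a Count of
    # zero means the backup completed without warnings or errors
    if ($result.Status.Count -gt 0) {
        $failed++
        foreach ($msg in $result.Status) {
            Write-Warning ('{0}: {1}' -f $gpo.DisplayName, $msg.Message)
        }
    } else {
        $backup = $result.Result   # IGPMBackup describing the backup just created
        $manifest += ('{0},{1},{2},{3}' -f $backup.GPODisplayName, $backup.GPOID, $backup.ID, $backup.Timestamp)
        "Backed up $($gpo.DisplayName) -> backup ID $($backup.ID)"
    }
}

# CSV manifest (my own addition): lets you find the backup ID for a given GPO
# at restore time without opening the GPMC Manage Backups dialogue
$header = 'DisplayName,GPOID,BackupID,Timestamp'
($header + "`r`n" + ($manifest -join "`r`n")) | Set-Content -Path (Join-Path $runDir 'manifest.csv')

if ($failed -gt 0) {
    Write-Error "$failed GPO backup(s) reported errors - see warnings above"
    exit 1
}
```

Because the script exits with a non-zero code when any GPO fails, the Last Run Result column in Task Scheduler shows the failure, which is the one thing a scheduled backup job must never hide.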

PowerShell ate my C: Drive

Or at least it nearly did.

I was working on a script and because of a small typo very nearly lost most of the data on my C: drive.   It’s very easy to get wrong, so treat this as a cautionary tale.   The example below shows the error I made and the potential impact.  I’ve used the command line instead of my script in the example, but the effect is the same.

First of all I set a variable to point to a folder off the root of the C: drive.  Then I cleared the contents of the folder using the variable together with the Remove-Item command.

The screenshot below shows how to do this correctly.

[Screenshot: powershell1.jpg]

Now look what happens when you mistype the name of the variable.  PowerShell does not complain about a variable that has never been assigned; it simply expands to nothing, so the path handed to Remove-Item collapses to the root of the drive and PowerShell assumes you want to remove everything there.

[Screenshot: powershell3.jpg]

In my case only the fact that I didn’t use the -recurse parameter saved me.  If I had used the -recurse parameter I would have lost everything except for items protected by the system.

Nasty.
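The following is an added example, not part of the original post, that reproduces the mistake harmlessly and shows three guards against it: -WhatIf to preview the deletion, Set-StrictMode to turn the silent empty expansion into an error, and a small wrapper that refuses to operate on a drive root. The variable names $folder and $foldr (the typo) and the function name Clear-FolderSafely are my own; the script needs PowerShell 2.0 or later for try/catch and SupportsShouldProcess.

```powershell
## Added example (not part of the original post): the mistyped-variable
## deletion, reproduced safely, and the guards that stop it.

$folder = 'C:\temp\scratch'                       # constructed folder for the demo
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# 1. Why it happens: $foldr has never been assigned, so it expands to nothing and
#    the argument becomes '\*', which is the root of the current drive.
#    -WhatIf prints what would be removed without touching anything.
Remove-Item "$foldr\*" -WhatIf

# 2. Strict mode turns the reference to an unassigned variable into a terminating
#    error (this covers variables inside double-quoted strings too).
#    Put it at the top of every script.
Set-StrictMode -Version 2
try {
    Remove-Item "$foldr\*" -WhatIf
} catch {
    "Strict mode caught it: $($_.Exception.Message)"
}

# 3. A wrapper that validates the target before any Remove-Item runs, and still
#    honours -WhatIf / -Confirm via ShouldProcess.
function Clear-FolderSafely {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string] $Path)

    if ([string]::IsNullOrEmpty($Path)) { throw 'Path is empty; refusing to run Remove-Item' }
    $full = [System.IO.Path]::GetFullPath($Path)

    # GetDirectoryName returns nothing for a drive root such as 'C:\', so this
    # refuses exactly the case that nearly emptied my C: drive
    if (-not [System.IO.Path]::GetDirectoryName($full)) { throw "Refusing to clear drive root '$full'" }
    if (-not (Test-Path -Path $full -PathType Container)) { throw "'$full' is not an existing folder" }

    if ($PSCmdlet.ShouldProcess($full, 'Remove contents')) {
        Get-ChildItem -Path $full -Force | Remove-Item -Recurse -Force
    }
}

Clear-FolderSafely -Path $folder -WhatIf      # preview only
Clear-FolderSafely -Path $foldr  -WhatIf      # blows up in strict mode before anything is touched
```

The order matters: the root check happens before ShouldProcess, so even a caller who passes -Confirm:$false never gets as far as deleting from C:\.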

Exporting Events with Wevtutil Using a Time-Based Query

Windows Server 2008 (and Vista) offer improved options for event log management.  For example, you now have the option to forward events to a central event collector server.  You also now have powerful filtering capabilities.  One of the features I like is the Wevtutil command-line tool that allows you to retrieve, query, archive, export and clear events.   It’s the best option you have if you use Server Core and don’t want to open the firewall to allow remote access using the Event Viewer UI.

Recently, I had to schedule the export of events using Wevtutil using a time-based query.  It took me a little while to get the query syntax right, so I thought I would share it with you here.

Let’s take a scenario in which you want to export all events from the past 24 hours from the security log to a *.evtx file.  (Note. The default format for exported event log files in Vista and Windows Server 2008 is *.evtx.  For a good explanation of the differences between evt and evtx see this blog entry).   You can leverage the Windows Event Viewer (eventvwr) to assist you with obtaining the query required to filter the log to show only events from the past 24 hours.  To do this, click on your event log of choice (in this case Security).  In the right-hand action pane click Filter Current Log.  Within the Filter tab, select the drop-down list next to Logged and choose Last 24 hours.  Now click on the XML tab.   The query is embedded within the XML content, as follows:

*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]

[Screenshot: xml-query.jpg]

The Wevtutil command to use the filter is shown below (may wrap).

wevtutil.exe epl Security C:\SecurityLog24hours.evtx "/q:*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]" /ow:true

Note that you have to replace the “&lt;” escape sequence meaning “less than” from the XML original with the “<” character, otherwise the query does not work and you will receive the error:

Failed to export log Security. The specified query is invalid.

The time-based filter I have used in this example only scratches the surface of the query capabilities you have with Wevtutil.  The fact that you can leverage the capabilities within the Event Viewer UI to assist with building the queries takes a lot of the pain away.  For more information about Wevtutil, including all the available command line options, see this page on Microsoft Technet.
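Below is an added example, not part of the original post, that wraps the same wevtutil epl command in a PowerShell script: it computes the timediff value for an arbitrary window instead of the fixed 24 hours (86400000 is simply 24 x 60 x 60 x 1000 milliseconds), passes the query without any of the quoting trouble described above, and then reads the archive back to confirm what was exported. The log name, output path and the Get-WinEvent verification step are my own choices; Get-WinEvent needs PowerShell 2.0 or later.

```powershell
## Added example (not part of the original post): parameterised time-based
## export with wevtutil, followed by a check of the exported archive.

param(
    [string] $LogName = 'Security',
    [int]    $Hours   = 24,
    [string] $OutFile = "C:\exports\${LogName}-last${Hours}h.evtx"   # constructed path
)

# timediff(@SystemTime) is the age of the event in milliseconds, so the window
# for N hours is N * 60 * 60 * 1000 (86400000 for the 24 hours used in the post)
$windowMs = $Hours * 60 * 60 * 1000
$query    = "*[System[TimeCreated[timediff(@SystemTime) <= $windowMs]]]"

New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null

# PowerShell hands each argument to wevtutil as a single token, so the '<' in
# the query never reaches cmd.exe and needs no escaping; /ow:true overwrites a
# previous export of the same name, as in the post.
& wevtutil.exe epl $LogName $OutFile "/q:$query" /ow:true
if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed with exit code $LASTEXITCODE" }

# Verify the archive: how many events it holds and how far back the oldest goes.
# If the window really was honoured, the oldest event is no older than $Hours.
$events = @(Get-WinEvent -Path $OutFile -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    "No events in the last $Hours hour(s) of the $LogName log"
} else {
    $oldest = ($events | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
    '{0} event(s) exported to {1}; oldest is {2:u}' -f $events.Count, $OutFile, $oldest
}
```

Because the query is built from a number rather than pasted from the Event Viewer XML, the same script serves for hourly, daily or weekly exports by changing -Hours, and the verification line gives the scheduled task something to log beyond wevtutil's own exit code.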

How to Schedule Active Directory Snapshots in Windows Server 2008

If you’ve played around with Windows Server 2008 Active Directory Domain Services, you will probably be familiar with the snapshot feature within NTDSUTIL.  The feature allows you to take a snapshot of the volumes that host the AD components and to then mount the snapshot.  Once mounted, you can use DSAMAIN.EXE to expose a read-only copy of the AD database to your favourite browsing tool (LDP.EXE, ADSIEDIT.MSC, DSA.MSC, ADFIND.EXE, etc.).  The process for doing this is well documented elsewhere, so I don’t intend to reproduce it here.

Microsoft recommends that you schedule regular snapshots, as this provides you with a quick method of checking the contents of the directory at different time slices in the past.  One advantage of this is that you can quickly identify which backup to use when needing to authoritatively restore accidentally deleted AD objects from backup.

What isn’t quite so well documented is the process to schedule regular snapshots.  It took me a little while to configure this properly, so I thought I would share it with you here.

Windows Server 2008 comes with a re-vamped Task Scheduler.  You can configure tasks using both the UI as well as the command line (schtasks.exe).  I prefer to use the command line as it has the advantage of allowing you to set tasks to run under the SYSTEM account.  It is also the only option if you are using Server Core, unless you want to open the firewall to allow remote task scheduling from a computer running the full version.

Here’s the command line I use.  Note that it’s all on one line (it may wrap to fit the page).

SCHTASKS /Create /RU SYSTEM /SC DAILY /TN MYTASKS\DS_SNAPSHOT /TR "%windir%\system32\ntdsutil.exe sn \"ac i ntds\" create q q" /ST 05:00

It is worth pulling the command arguments apart to explain them better:

/Create - pretty obvious.  It instructs schtasks to create a new task.

/RU SYSTEM - the task will run under the SYSTEM account.  Note that you don’t need to specify a password when using SYSTEM.

/SC DAILY - the task will run daily.

/TN MYTASKS\DS_SNAPSHOT - I’ve called the task DS_SNAPSHOT and it will be created within the MYTASKS task folder.  The folder will be created automatically if it does not already exist.

/TR "%windir%\system32\ntdsutil.exe sn \"ac i ntds\" create q q" - This is the task action.  It runs NTDSUTIL with arguments (sn = snapshot, ac i ntds = activate instance ntds, create, then q q to quit both menus).  Note that the double quotation marks within the arguments have to be escaped with the backslash character.

/ST 05:00 - the start time for the task will be 5am.


The command line shown above assumes that you are working on the local machine on which you want to create the task.  If defining the task for a remote computer, use the additional command line options shown below (again, all on one line).

SCHTASKS /Create /s MYSERVER /U administrator /P xxxxx /RU SYSTEM /SC DAILY /TN MYTASKS\DS_SNAPSHOT /TR "%windir%\system32\ntdsutil.exe sn \"ac i ntds\" create q q" /ST 05:00

Once you’ve run the command you can verify the settings in the Task Scheduler UI.

 

If you’re feeling brave you can also have a look at scripting the task creation, as described here.
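As an added example, not part of the original post, here is one way to script the task creation from PowerShell on a full installation: it registers the same schtasks command as above, queries the task back to confirm the account, schedule and action, and lists the snapshots NTDSUTIL has accumulated so far so you can see the job working after a few days. The task folder and name follow the post; the function names are my own. Start-Process is used rather than the & operator because its single-string -ArgumentList is passed to schtasks verbatim, so the backslash-escaped quotes arrive exactly as typed.

```powershell
## Added example (not part of the original post): create, confirm and
## check the daily AD snapshot task from PowerShell.

function New-DsSnapshotTask {
    param(
        [string] $TaskName  = 'MYTASKS\DS_SNAPSHOT',
        [string] $StartTime = '05:00'
    )
    # One single-quoted string passed verbatim, so the \" escapes reach schtasks
    # unchanged instead of being re-quoted by PowerShell's argument parser.
    $schtasksArgs = '/Create /RU SYSTEM /SC DAILY /TN ' + $TaskName +
        ' /TR "%windir%\system32\ntdsutil.exe sn \"ac i ntds\" create q q" /ST ' + $StartTime

    # For a remote DC add /S <server> /U <user> as in the post. Be aware that a
    # /P <password> on the command line is visible to anyone who can list
    # processes or read the shell history on the machine you run this from.
    $p = Start-Process -FilePath 'schtasks.exe' -ArgumentList $schtasksArgs -Wait -NoNewWindow -PassThru
    if ($p.ExitCode -ne 0) { throw "schtasks /Create failed with exit code $($p.ExitCode)" }
}

function Get-DsSnapshotTask {
    param([string] $TaskName = 'MYTASKS\DS_SNAPSHOT')
    # Verbose list output shows "Run As User: SYSTEM", the DAILY schedule and the
    # exact "Task To Run" string, which is where escaping mistakes show up first
    & schtasks.exe /Query /TN $TaskName /V /FO LIST
}

function Get-DsSnapshotList {
    # Non-interactive NTDSUTIL: each argument is one menu command. 'list all'
    # prints every snapshot with its creation time and GUID, so after a few
    # days you should see one entry per 05:00 run.
    & ntdsutil.exe snapshot 'list all' quit quit
}

New-DsSnapshotTask
Get-DsSnapshotTask
Get-DsSnapshotList
```

Run it elevated; creating a task that runs as SYSTEM and reading the snapshot list both require administrative rights on the DC.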

 

Invalid Update Control CTF File AVG 8.0 Error on Vista

Since the 24th October I’d been getting the error “Invalid Update Control CTF File” when trying to update AVG 8.0 on my home PC.  I think I remember having this before and it went away after a few days, so I had been ignoring it until today.

Anyway, I found two control files for AVG in the folder “C:\ProgramData\avg8\update\download”, as shown below

[Screenshot: avg1]

I simply renamed them both and then selected “Update Now” after right-clicking the AVG icon on the application tray. 

[Screenshot: avg2]

The update applied successfully and now all is well.  :-)

Exchange Server 2007 Recommended Maximum Mailbox Store Size

 

The other day I had a customer ask what the recommended maximum database size is for Exchange Server 2007 mailbox stores.  I knew I had seen the information somewhere on-line, so I did some Googling.  Initially, I didn’t have much luck. 

First of all I found the article below, which recommends stores grow no larger than 50GB. On the other hand it also mentions .stm files (no longer used in Exchange 2007), so I wasn’t convinced it is still relevant.

http://technet.microsoft.com/en-us/library/aa995715.aspx

Then I found KB823144, which also recommends a 50GB max, but the article only applies to Exchange 2003.

After that, I found the following Blog entry written by Gerod Serafin.  The article references some Microsoft on-line content that talks about different recommendations, but comes back to the 50GB recommendation.

http://blogs.technet.com/gerod_serafin/archive/2007/06/11/200-gb-limit-on-database-sizes.aspx

Feeling somewhat confused, I put the question to the Exchange MVP brains trust.  I was referred to the on-line Technet article that covers Mailbox Server Storage Design.  This provides the authoritative recommendation for Exchange Server 2007, as quoted below.

We recommend the following maximum database sizes for Exchange 2007:

  • Databases hosted on a Mailbox server without continuous replication: 100 GB
  • Databases hosted on a Mailbox server with continuous replication and gigabit Ethernet: 200 GB

    Note:

    Large databases may also require newer storage technology for increased bandwidth to accommodate repair scenarios.

    Important:

    The true maximum size for your databases should be dictated by the SLA in place at your organization. Determining the largest size database that can be backed up and restored within the period specified in your organization’s SLA is how you determine the maximum size for your databases.

For me, the key element is the comment regarding the SLA in place within your organisation.  When carrying out a high level design the 100GB/200GB recommended maximums shown above are good starting points, but these may need to be adjusted during your proof of concept phase.

Should all my DCs run on Server Core?

 

Last week I initiated a discussion on the ActiveDir.org mailing list about running Windows Server 2008 Domain Controllers on Server Core.  I was curious to see whether there were any good reasons why all DCs (RODCs and RWDCs) should not be run on Server Core as a best practice.   The conclusion reached was that, with the possible exception of smaller organisations, the benefits of Server Core far outweigh any limitations.

Why Server Core is a good thing

  • Because it installs only a subset of the full operating system, Server Core provides a smaller surface area for potential security compromise.
  • Server Core requires fewer patches, thereby reducing both the administrative overhead and the potential risk of instability.
  • Server Core has a lower system resource overhead, delivering a better bang-for-buck for your server hardware investment.
  • Because of its small footprint, Server Core lends itself to virtualisation, again delivering a better return on your hardware investment.

Server Core sounds perfect, so why isn’t everyone using it?

  • There is no UI, which means that administrators unfamiliar with the command line have to get to grips with new ways of doing things.  Having said that, you still have the option to run all of the AD admin tools remotely by running RSAT on a machine running Vista or the full UI version of Windows Server 2008.
  • DC promotion becomes a little more long-winded as it requires you to create an answer file and run DCPROMO in unattended mode.
  • The .NET Framework (and hence PowerShell) is not supported, which means you cannot run code locally that requires the Framework.  There are however a number of workarounds to this, and changes coming in PowerShell 2.0 improve the options for running cmdlets against remote computers.

Despite the minor inconveniences for administrators I would recommend using Server Core for all your Windows Server 2008 Domain Controllers.  For me the benefits are too compelling not to.   I predict that as more Windows Server 2008 forests are deployed, Domain Controllers on Server Core will start to be considered best practice.  I also believe that Server Core will become the primary Windows Server platform within the next 10 years, with the full UI version either vanishing altogether or becoming marginalised for use only in small organisations.

But then I chose Betamax over VHS, so what do I know. :-)

Where to find Scanpst on Vista

 

Yes, I know PST files are BAD, but due to circumstances that would take too long to explain, I still use SMTP and POP3 with Outlook 2007 for my home email.  The other day I had a power outage that caused a corruption to one of my PST files.  I know that you can repair PSTs within SCANPST, so I Googled where to find it.

The Microsoft KB article, How to use the Inbox Repair Tools to recover e-mail messages in Outlook 2002, Outlook 2003 and Outlook 2007 has this to say on the location of SCANPST.EXE:

“The Inbox Repair Tool installs automatically during setup. These programs are typically located in one of the following folders:

disk drive :\Program Files\Common Files\System\Mapi\1033\

disk drive :\Program Files\Common Files\System\MSMAPI\1033

For a 64-bit operating system, the programs are typically installed in one of the following folders:

disk drive:\Program Files(x86)\Common Files\System\Mapi\1033\

disk drive:\Program Files(x86)\Common Files\System\MSMAPI\1033”

The problem was I couldn’t find my SCANPST in any of the locations mentioned.  Eventually, after searching my Vista machine with the option “Include non-indexed, hidden and system files (might be slow)” I found it here:

C:\Program Files\Microsoft Office\Office12

They weren’t kidding about the “might be slow” part.  Anyway, after locating the file, it worked perfectly for my problem.

I’ve provided feedback on the KB article, so hopefully Microsoft will update the location soon.

Exchange Server 2007 32-bit Licensing Foolishness

 

Yesterday I fired up an old Exchange Server 2007 VM lab environment.  The first thing I saw when I started the Exchange Management Console (EMC) was a pop-up message saying, “The following servers in your organization are currently unlicensed”, as shown below.

Licence expiry warning

After clicking OK, I got another pop-up message saying, “The server ‘<server_name>’ is unlicensed and has exceeded its trial period for licensing.”

Licence expiry warning 2

Fair enough, it had been a long time since I had installed the test environment.  After obtaining a valid license key from MSDN I went back to the EMC to update the product key.  The only problem was I couldn’t find the option anywhere!  I found the following information on Technet:

“Open the Exchange Management Console.

  • In the console tree, expand Server Configuration.
  • In the result pane, select the server that you want to license.
  • In the action pane, under the server name, click Enter Product Key. The Enter Product Key wizard appears.
  • On the Enter Product Key page, type the product key for the Exchange server, and then click Enter.”

Even with these instructions I still couldn’t find the option. 

Action Pane

Then it struck me that I was using the 32-bit version of Exchange Server 2007, which clearly can’t be licensed because it is not supported for production use.  Doh!

After some further digging I even found wording in the Help documentation that talks about entering the product key:

“Note: 
This action is available only if you installed the 64-bit version of Exchange 2007”

RTFM anyone? :-)

Because you cannot license a 32-bit version of Exchange Server 2007 your options are to either re-install the trial version or to live with the warning messages.  Interestingly the license warnings are just that - i.e. they do not impede or remove functionality.

I thought I would blog about this to save others from going through the same time-wasting process :-)

LDP.EXE Improvements in Windows Server 2008

 

Next to ADFIND.EXE, LDP is the tool I probably use most often when working with Active Directory.  It’s an LDAP client that was originally developed for use purely within Microsoft. It can be used for browsing, searching and making changes via the LDAP protocol.  Because of its usefulness, Microsoft included LDP in the Support Tools in Windows 2000 and Windows Server 2003.  It has now gone mainstream and is included as part of the Windows Server 2008 installation. 

Here are some of the improvements I have become aware of in the Windows Server 2008 version of LDP.  Note that with the exception of the help documentation, these improvements were first introduced in the versions of LDP that shipped with ADAM in Windows Server 2003 R2 and with the ADAM SP1 download.

Bind as currently logged on user

The long-winded method of getting going with LDP is to Connect and Bind using those options from the Connection menu and fill in all the boxes.  With the Windows 2000 and Windows Server 2003 versions of LDP, if you simply want to connect and bind to a DC in the domain that you are already logged into then you don’t need to bother with all that.  You simply select Bind from the Connection menu, leave all the boxes empty and then select OK, as shown below.

Bind Windows Server 2003

That’s it - you are then bound to an in-site DC using your current credentials.  There is no need to use the Connect option, unless you need to target a specific DC or port number.

Windows Server 2008 makes this “bind as currently logged on user ” option explicit by a modification to the Bind dialogue options, as shown below.

Bind as currently logged on user

The behaviour is otherwise the same as the Bind method in earlier versions of LDP.

SID Lookup

With LDP you can lookup an object in the directory based on its security identifier (also known as the objectSid attribute).  The method for doing this is convoluted and involves specifying the SID value as the search base using a special syntax in the form <SID=<objectSid>>, e.g. <SID=S-1-5-21-2596592837-3109173549-302247358-1116>.  For this to work the search scope needs to be set to Base, as shown below.

SID Lookup Windows Server 2003

Windows Server 2008 makes the whole process of SID lookup much easier.  You can still use the method shown above, but there is now also a separate SID Lookup option within the Utilities menu.  This is much quicker if you simply need to resolve the SID to the friendly name.  The screenshot below shows the new feature.

SID Lookup Windows Server 2008
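The same <SID=…> lookup can be scripted, which is handy when you have a list of SIDs from an ACL or an event log rather than one to paste into LDP. The block below is an added example, not part of the original post: it binds through ADSI to the <SID=…> path (the scripted equivalent of the Base-scope search described above), shows the plain LSA translation of a SID to an account name for comparison, and reads the object's DACL, which is what the new ACL editor lets you change. The SID is the one from the post's screenshot and will need replacing with one from your own domain; the function names are my own.

```powershell
## Added example (not part of the original post): SID lookup the way LDP
## does it, plus the reverse translation and a read-only view of the DACL.

function Resolve-SidToObject {
    param([Parameter(Mandatory = $true)][string] $Sid)
    # ADSI accepts the same <SID=...> syntax LDP uses as a search base; binding
    # to it is equivalent to a Base-scope search on that "DN"
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://<SID=$Sid>")
    try {
        # Reading a property forces the bind; an unknown SID throws here
        $dn = $entry.Properties['distinguishedName'][0]
    } catch {
        throw "No object with SID $Sid in this domain: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{
        Sid               = $Sid
        DistinguishedName = $dn
        SamAccountName    = $entry.Properties['sAMAccountName'][0]
        # objectClass lists the whole chain (top, person, ...); the last is the most specific
        ObjectClass       = ($entry.Properties['objectClass'] | Select-Object -Last 1)
    }
}

function Resolve-SidToAccount {
    param([Parameter(Mandatory = $true)][string] $Sid)
    # LSA translation, no LDAP involved: also resolves well-known SIDs such as
    # S-1-5-32-544 (BUILTIN\Administrators), which have no domain object
    $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $s.Translate([System.Security.Principal.NTAccount]).Value
}

function Get-ObjectDacl {
    param([Parameter(Mandatory = $true)][string] $DistinguishedName)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    # Explicit and inherited ACEs, trustees rendered as DOMAIN\name; read-only,
    # so this is safe to run against any object you can read
    $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
}

$sid = 'S-1-5-21-2596592837-3109173549-302247358-1116'   # SID from the post; replace with one of your own
$obj = Resolve-SidToObject -Sid $sid
$obj | Format-List
'Account name: ' + (Resolve-SidToAccount -Sid $sid)
Get-ObjectDacl -DistinguishedName $obj.DistinguishedName | Format-Table -AutoSize
```

If Resolve-SidToAccount succeeds but Resolve-SidToObject fails, the SID belongs to a principal with no object in the domain you are bound to (a well-known SID, a local account, or a trusted domain), which is the same distinction LDP's SID Lookup utility surfaces.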

ACL Editor

The version of LDP included with Windows Server 2008 delivers the ability to edit object security descriptors (see screenshot below).  Previous versions of LDP allowed you to view but not edit DACLs and SACLs.

acl editor

Help Documentation

In earlier versions of LDP help came in the form of a 13.3MB file by the name of LDP.DOC.  While the information in the file is comprehensive and useful, very few people knew of its existence.  The documentation for the Windows Server 2008 version of LDP is now fully integrated into Windows Help and Support.

 

There may well be other improvements within the utility that I am not aware of.  If you’re not already familiar with LDP I recommend you take the time to get to know it.  It seems that Microsoft is committed to maintaining the tool and extending its capabilities.
