
Get-ADUser

Get-ADUser gets one or more Active Directory users; it is part of the Active Directory module for Windows PowerShell.  It is similar to Get-QADUser in Quest's ActiveRoles Management Shell (however, the ActiveRoles Management Shell can also be installed on older operating systems).

Active Directory Module for Windows PowerShell is part of the Remote Server Administration Tools (RSAT) feature on a Windows Server 2008 R2 server; and it’s part of the RSAT feature on a Windows 7 computer (download).  However, it’s not available to install on any older operating system, including Windows Server 2008.

Basic usage of Get-ADUser

  • Get-ADUser -Filter * (or Get-ADUser -Filter { <expression> })   # -Filter * returns every user in the domain; prefer a narrower filter or -ResultSetSize on large domains
  • Get-ADUser -Filter { <expression> } -SearchBase "DC=xxx,DC=com"
  • Get-ADUser -Filter { <expression> } -Properties * | Get-Member   # lists all the properties; be aware that the property names differ from those of the Get-QADUser cmdlet
  • Get-ADUser -Filter { <expression> } -Properties <propertyname1>,<propertyname2>   # adds the named non-default properties to the objects sent down the pipeline
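The following is an added example, not code from the original post. It puts the filter, search base and property options above to work on three checks that come up in every AD audit: accounts whose password never expires, accounts that have not logged on recently, and accounts marked with adminCount. The OU path and the 90-day cutoff are assumptions; replace them with your own.

```powershell
# Added example (not from the original post). Assumes the Active Directory
# module is installed and the caller can read the domain.
Import-Module ActiveDirectory

$searchBase = 'OU=Users,DC=example,DC=com'   # assumed placeholder
$cutoff     = (Get-Date).AddDays(-90)        # assumed staleness threshold

# 1. Enabled accounts whose password never expires
$neverExpires = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
    -SearchBase $searchBase -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

# 2. Enabled accounts not used for 90 days. LastLogonDate is derived from the
#    replicated lastLogonTimestamp, so it is only accurate to about 14 days, and
#    accounts that have never logged on (no value at all) are NOT matched by -lt.
$stale = Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } `
    -SearchBase $searchBase -Properties LastLogonDate |
    Select-Object SamAccountName, LastLogonDate

# 3. adminCount=1: current or former members of protected groups (AdminSDHolder
#    never clears the flag, so former admins show up here too and deserve a look)
$adminCount = Get-ADUser -Filter { AdminCount -eq 1 } -Properties AdminCount, MemberOf |
    Select-Object SamAccountName, @{ n = 'GroupCount'; e = { $_.MemberOf.Count } }

$neverExpires | Export-Csv -NoTypeInformation -Path .\password-never-expires.csv
$stale        | Export-Csv -NoTypeInformation -Path .\stale-users.csv
$adminCount   | Format-Table -AutoSize
```

Only the properties named in -Properties are fetched from the domain controller, which is why the filters above name them explicitly instead of using -Properties *.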

Exchange Server 2003 Public Folder Mail Enable or Disable Option

In Microsoft Exchange Server 5.5, all public folders were mail-enabled and hidden by default. In Exchange 2000 Server and Exchange Server 2003, folders can be mail-enabled or mail-disabled, depending on whether the Exchange Server organization is in mixed mode or in native mode.

If the Exchange Server 2003 organization is in mixed mode, Mail Disable is not available when you right-click a public folder and choose All Tasks in Exchange System Manager; only Mail Enable is shown (even when the public folder is already mail-enabled).

To access the Mail Disable option, change Exchange Server 2003 to native mode.


PowerShell Credential Input

$cred = Get-Credential

prompts the user to enter a credential, which can then be reused elsewhere in a PowerShell script.


Or $cred = Get-Credential -Credential domain_name\user_name

to pre-fill the user name so that only the password is prompted for.
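An added example, not from the original post, showing the credential object being used with a cmdlet and then saved for an unattended script without ever storing the plaintext password. EXAMPLE\svc-audit and dc1.example.com are placeholders, and the Active Directory module is assumed.

```powershell
# Added example (not from the original post). Names are placeholders.
$cred = Get-Credential -Credential 'EXAMPLE\svc-audit'   # prompts for the password only

# Use it with any cmdlet that accepts -Credential
Import-Module ActiveDirectory
Get-ADUser -Filter { Enabled -eq $true } -Server 'dc1.example.com' -Credential $cred |
    Measure-Object

# For unattended scripts, persist it without writing the plaintext password:
# Export-Clixml protects the SecureString with DPAPI, so only the same user on
# the same machine can read it back.
$file = Join-Path $env:USERPROFILE 'svc-audit.cred.xml'
$cred | Export-Clixml -Path $file

# ...and in the scheduled script, running as that same user
$cred2 = Import-Clixml -Path $file
$cred2.UserName

# What not to do: this returns the plaintext, so keep it out of scripts and logs
# $cred.GetNetworkCredential().Password
```

Because the DPAPI protection is tied to the user and machine, the exported file is useless if copied elsewhere, which is exactly the property you want for a stored service credential.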


Use $WhatIfPreference in PowerShell to Prevent Accidents

  • The default value of the $WhatIfPreference variable is $false.
  • Add "$WhatIfPreference = $true" to a script or to the PowerShell profile.
  • Every cmdlet that supports the -WhatIf switch now behaves as if -WhatIf had been specified: it reports what it would do and does not do it.
  • To override the setting for a particular cmdlet, add -WhatIf:$false to that call.

PowerShell ExecutionPolicy Bypass

Windows PowerShell 2.0 supports a Bypass execution policy.  It can be used from a batch script to override the computer's execution policy for that one powershell.exe process (powershell.exe -ExecutionPolicy Bypass).  Keep in mind that the execution policy is a safeguard against running scripts by accident, not a security boundary: anyone who can start powershell.exe can do the same, so do not rely on it to stop untrusted scripts.  A policy set by Group Policy (MachinePolicy or UserPolicy scope) takes precedence and cannot be overridden this way.


The computer's execution policy is Restricted, so a PowerShell script cannot be executed.


With the Bypass option, the same script runs.
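An added example, not from the original post, showing the batch-file invocation together with the in-session equivalent and how to see which scope is supplying the effective policy. C:\scripts\deploy.ps1 is a placeholder.

```powershell
# Added example (not from the original post). The script path is a placeholder.

# From a batch file: the policy applies to this powershell.exe process only;
# nothing stored on the machine changes.
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\scripts\deploy.ps1"
#   if errorlevel 1 echo deploy.ps1 failed

# The same thing from inside a session, also process-scoped and gone on exit
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# Scopes in precedence order; the first one that is not Undefined wins.
# MachinePolicy and UserPolicy come from Group Policy and beat the Process scope,
# so the command line above has no effect where a GPO sets the policy.
Get-ExecutionPolicy -List

# Effective policy for this process
Get-ExecutionPolicy
```

-NoProfile is worth adding in batch files as well: it keeps a user's profile script from running under whatever account the batch job uses.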

PowerShell: Avoid Blank Lines at End of a Text File

Use the WriteAllText static method of the System.IO.File .NET Framework class.

[System.IO.File]::WriteAllText(string path, string contents)

or [System.IO.File]::WriteAllText(string path, string contents, System.Text.Encoding encoding)

e.g. [System.IO.File]::WriteAllText("c:\fso\ioascii.txt", $count, [System.Text.Encoding]::ASCII)

More info: [System.IO.File] | Get-Member -Static WriteAllText | fl *

[System.Text.Encoding] | Get-Member -Static -MemberType Property
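An added example, not from the original post, that writes the same lines with Out-File and with WriteAllText and checks the last byte of each file, so the difference the post describes is visible rather than assumed. The file path is a placeholder under %TEMP%.

```powershell
# Added example (not from the original post). The path is a placeholder.
function Test-EndsWithNewline ([string]$Path) {
    # True when the file's final byte is LF (0x0A), i.e. it ends with a line terminator
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    ($bytes.Length -gt 0) -and ($bytes[-1] -eq 0x0A)
}

$path  = Join-Path $env:TEMP 'report.txt'
$lines = 'alpha', 'bravo', 'charlie'

# Out-File / Set-Content terminate every line, so the file ends with CRLF.
# (Out-File also defaults to UTF-16LE in Windows PowerShell, hence -Encoding.)
$lines | Out-File -FilePath $path -Encoding ascii
Test-EndsWithNewline $path

# WriteAllText writes exactly the string it is given: join the lines yourself
# and nothing is appended. Without an Encoding argument it writes UTF-8 (no BOM).
[System.IO.File]::WriteAllText($path, ($lines -join "`r`n"), [System.Text.Encoding]::ASCII)
Test-EndsWithNewline $path
```

The first call to Test-EndsWithNewline reports the trailing terminator that Out-File added; the second shows it gone.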

Reference: http://blogs.technet.com/b/heyscriptingguy/archive/2011/09/19/avoid-blank-lines-at-end-of-a-text-file-with-powershell.aspx

Best Practices for DNS Client Setting in Windows Server Domain Controller with DNS Installed

Assume at least two domain controllers with DNS installed in the domain.

  • Configure the DNS server on another domain controller as the Preferred DNS server.
  • Configure 127.0.0.1 (the DC's own DNS service) as the Alternate DNS server.  If a DC points only at itself, it cannot locate replication partners while its own DNS service is still starting or its zone data is stale.
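An added example, not from the original post, that applies the two settings above through WMI (which works on Windows Server 2008 R2, where the DnsClient PowerShell cmdlets do not exist) and then verifies the result. The partner DC's address is a placeholder; run it elevated on the DC being configured.

```powershell
# Added example (not from the original post). 10.0.0.12 is a placeholder.
$partnerDc = '10.0.0.12'

# The DC's primary NIC: IP-enabled and carrying a default gateway
$nic = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
       Where-Object { $_.DefaultIPGateway } | Select-Object -First 1

# Partner DC first, loopback second
$result = $nic.SetDNSServerSearchOrder([string[]]@($partnerDc, '127.0.0.1'))
if ($result.ReturnValue -ne 0) {
    throw "SetDNSServerSearchOrder returned $($result.ReturnValue)"   # 0 = success, 1 = reboot required
}

# Re-register the DC's own A and SRV records against the new resolver, then verify
ipconfig /registerdns | Out-Null
(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "Index = $($nic.Index)").DNSServerSearchOrder
dcdiag /test:dns
```

Run the same script on the partner DC with the addresses swapped so that each DC prefers the other and falls back to itself.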


PowerGUI Script Editor Add-ons

  • Script Editor Essentials: add View White Space, Word Wrap and Virtual White Space menu items to the Edit | Advanced menu …
  • ExpandAlias: expand aliases in the code pane to the full cmdlet name.
  • Script Template: insert a header for new documents.
  • PShellExec: secure/encrypt scripts and execute them right inside the editor

Windows Server 2008 DHCPv6 Stateless and Stateful Mode

Windows Server 2008 supports stateless and stateful DHCPv6 server functionality. DHCPv6 stateless mode clients use DHCPv6 to obtain network configuration parameters other than the IPv6 address, such as DNS server addresses. Clients configure an IPv6 address through a non-DHCPv6 based mechanism such as IPv6 address auto-configuration (based on the IPv6 prefixes included in router advertisements), or static IP address configuration.

In DHCPv6 stateful mode, clients acquire both the IPv6 address as well as other network configuration parameters through DHCPv6.

Reference: http://technet.microsoft.com/en-us/library/cc753493.aspx

Fix “could not locate entry in sysdatabases” Error

Problem: I ran into this error when executing a script against a SQL database.  I could attach or detach the database, and SQL Server Management Studio showed the database was fine.

Fix: it turned out the database had '-' in its name, e.g. database_2008-10-01.  Renaming the database to remove the '-' fixed the problem.

Do not use '-' in SQL database names.  A name containing it is not a regular identifier, so it has to be delimited as [database_2008-10-01] everywhere it appears in T-SQL, and any script or procedure that omits the brackets fails.

Cannot Add User Account in Windows 7 Home Premium

The Local Users and Groups management console (lusrmgr.msc) is not available in Windows 7 Starter and Home Premium.  In these editions user accounts are added through Control Panel / User Accounts.  If you get the error "The specified account is not valid, because account names cannot contain the following character…. Please type a different name",


Here is how to troubleshoot

  1. Verify that the user account name does not contain any of the listed characters.
  2. This error also occurs when an account with that name already exists.  Disabled accounts are hidden from Control Panel / User Accounts, so type "net user" at a command prompt to list every local user account.

Hide User Account in Windows 7 Logon Screen

One way to hide a user account from the Windows 7 logon screen is to disable the account if it is no longer in use.  This is probably the easiest way.

User accounts are usually managed in the Local Users and Groups management console (lusrmgr.msc).  In Windows 7 Professional and Enterprise a user account can be disabled there.  The console is not available in Windows 7 Starter and Home Premium, but the same thing can be done with "net user" on the command line.

  1. Launch Command Prompt as administrator.
  2. Enter "net user" to list all the local user accounts.
  3. Enter "net user <user name> /active:no" to disable the account.
  4. Once the account is disabled, it is hidden from the logon screen and from Control Panel / User Accounts.
  5. To reactivate the account, enter "net user <user name> /active:yes".
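An added example, not from either of the two posts above, that does the same job from PowerShell through the WinNT ADSI provider, which exists on every Windows edition. It lists all local accounts with their disabled flag (which also answers the "account already exists" case from the previous post) and toggles the same flag that "net user /active" sets. 'olduser' is a placeholder; run it as administrator.

```powershell
# Added example (not from the original posts). 'olduser' is a placeholder.
$ADS_UF_ACCOUNTDISABLE = 0x0002   # the "account disabled" bit in UserFlags

function Get-LocalUserAccount {
    # Lists every local user, including the disabled ones Control Panel hides
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    foreach ($child in $computer.Children) {
        if ($child.SchemaClassName -ne 'user') { continue }
        $flags = [int]$child.UserFlags.Value
        New-Object PSObject -Property @{
            Name     = $child.Name
            Disabled = [bool]($flags -band $ADS_UF_ACCOUNTDISABLE)
            Flags    = '0x{0:X4}' -f $flags
        }
    }
}

function Set-LocalUserEnabled {
    # Same effect as "net user <name> /active:yes|no"
    param([string]$Name, [bool]$Enabled)
    $user  = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $flags = [int]$user.UserFlags.Value
    if ($Enabled) { $flags = $flags -band (-bnot $ADS_UF_ACCOUNTDISABLE) }
    else          { $flags = $flags -bor  $ADS_UF_ACCOUNTDISABLE }
    $user.Put('UserFlags', $flags)
    $user.SetInfo()
}

Get-LocalUserAccount | Sort-Object Name | Format-Table Name, Disabled, Flags -AutoSize
Set-LocalUserEnabled -Name 'olduser' -Enabled $false
Get-LocalUserAccount | Where-Object { $_.Name -eq 'olduser' }
```

Disabling rather than deleting keeps the account's SID and profile, so nothing that references it breaks and it can be re-enabled later with -Enabled $true.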

Free Burning, PDF Converter, Backup Software

Tiny Burner – Free CD, DVD or Blu-ray burning software for Windows 7, Vista, XP, 2008/2003/2000 Server (32 and 64-bit)

doPDF – Free PDF converter for Windows 7, Vista, XP, 2008/2003/2000 Server (32 and 64-bit).  No GhostScript or .NET required.

FBackup – Free backup software for Windows 7, Vista, XP, 2008/2003/2000 Server (32 and 64-bit)

Exchange Server 2010 Migration Articles

Some articles about Exchange Server 2010 Migration

SQL Server Authentication and Authorization

Just read a blog post illustrating the SQL account problem when moving or restoring SQL database between servers.  As the blog says:

“SQL Server security is a little complex, but for our purposes it’s enough to consider two core artifacts: logins and users. Logins are instance-level objects (stored in master) and users are database-level objects (stored in the user database). Each of these is responsible for authorization in their respective domains, i.e., used to grant permissions at the instance and at the database respectively. But only logins are used for authentication. So in order to even log on to the server you have to have a login.

Users and logins are associated with each other through a matching identifier called a SID, and in order for a person to connect to and use a database, he must have a user in the target database and matching login on the instance. And here’s where our problem comes from: while users are stored in and move with the database, logins are not and do not. They’re left behind:


The result of this is that someone who could connect to D when it lived on S may no longer be able to do so when it moves to T because their login is missing. This is reparable, of course: you just need to manually add the required logins to the new instance. It’s also not easily automatable, since the target instance may already have a different login with the same name, which would cause a collision.”

It sounds like the contained database feature in the next version of SQL Server, “Denali”, solves this authentication problem.  For now, an orphaned database user can be re-linked to a login of the same name (which rewrites the user's SID to match the login's) with

sp_change_users_login 'update_one', 'user_name', 'login_name'   -- database user first, then the server login
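An added example, not from the original post or the quoted blog, that automates the manual step the quote says is hard to automate: it asks the restored database which users are orphaned, re-links each one only when a SQL login of the same name already exists on the target instance, and reports the rest so the collision case is handled by a person. It assumes Windows authentication with rights on the target; 'T' and 'D' stand in for the instance and database names from the quoted text.

```powershell
# Added example (not from the original post). 'T' and 'D' are placeholders.
$instance = 'T'
$database = 'D'

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$instance;Database=$database;Integrated Security=SSPI"
$conn.Open()
try {
    # 1. Which database users have a SID that matches no login on this instance?
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "EXEC sp_change_users_login 'Report'"
    $orphans = @()
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) { $orphans += [string]$reader['UserName'] }
    $reader.Close()

    foreach ($user in $orphans) {
        # 2. Re-link only when a SQL login of the same name already exists here.
        #    Names travel as parameters, never spliced into the T-SQL text.
        $check = $conn.CreateCommand()
        $check.CommandText = "SELECT COUNT(*) FROM sys.server_principals WHERE name = @name AND type = 'S'"
        [void]$check.Parameters.AddWithValue('@name', $user)
        if ([int]$check.ExecuteScalar() -eq 0) {
            Write-Warning "No SQL login named '$user' on $instance; create it first, then re-run"
            continue
        }

        # 3. Point the database user at the login (rewrites the user's SID)
        $fix = $conn.CreateCommand()
        $fix.CommandText = "EXEC sp_change_users_login 'Update_One', @user, @login"
        [void]$fix.Parameters.AddWithValue('@user',  $user)
        [void]$fix.Parameters.AddWithValue('@login', $user)
        [void]$fix.ExecuteNonQuery()
        Write-Host "Re-linked database user '$user' to login '$user'"
    }
}
finally {
    $conn.Close()
}
```

On SQL Server 2005 SP2 and later, ALTER USER [user_name] WITH LOGIN = [login_name] does the same re-link and is the form Microsoft recommends going forward; sp_change_users_login is kept here because it is what the post uses.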

Active Directory Naming Conventions

This KB article includes the Active Directory naming conventions

  • Allowed characters
  • Disallowed characters
  • Minimum name length
  • Maximum name length
  • Reserved names
  • Best practices

for

  • Computers
    • NetBIOS computer names
    • DNS computer names
  • Domains
    • NetBIOS domain names
    • DNS domain names
  • Sites
  • OUs

SQL Server Database Version List

This web page lists each SQL Server version number (from SQL v.6.5 to 2008 R2) and its patch level.  It is useful to compare your installed version with the latest version available.

This is another web site with the similar information.

Install Remote Server Administration Tools (RSAT) on Windows 7 with Service Pack (SP1)

Remote Server Administration Tools (RSAT) for Windows 7 cannot be installed on computers running Windows 7 with Service Pack 1 (SP1).  The error message is “This update is not applicable to your computer”.  This is because Service Pack 1 includes updated components for RSAT.

The resolution is to install RSAT tools before installing Service Pack 1 for Windows 7.  If SP1 is already installed, uninstall SP1, install RSAT tools, and then reinstall SP1.

According to RSAT download site, RSAT for Windows 7 with SP1 is scheduled for release in Spring 2011.

Windows Update Scanning Error Fix

If the Windows Update database and manifest are corrupted, the Windows Update scan can take a long time or crash.  The following steps may fix this problem.

  1. Run the Windows Update troubleshooter
  2. Run the System Update Readiness Tool
  3. Run the System File Checker (sfc) from Administrator Command Prompt. “sfc /scannow”
  4. Rename and recreate the SoftwareDistribution and Catroot2 folders
    • Stop the Windows Update service and its related services
      • net stop wuauserv
      • net stop bits
      • net stop cryptsvc
    • If the Windows Update service can not be stopped, change its startup type to Disabled, then reboot the computer.
    • Rename %windir%\SoftwareDistribution
    • Rename %windir%\system32\Catroot2
    • Start the Windows Update service and change its startup type to Automatic (Delayed Start).
  5. Re-register the Windows Update DLLs (stop the wuauserv, bits, and cryptsvc services first).  Each DLL needs registering only once; regsvr32 looks in %windir%\system32 by itself.  msjava.dll does not ship with Windows 7, so the error for that one can be ignored.
    • regsvr32 vbscript.dll /s
      regsvr32 mshtml.dll /s
      regsvr32 msjava.dll /s
      regsvr32 jscript.dll /s
      regsvr32 msxml.dll /s
      regsvr32 actxprxy.dll /s
      regsvr32 shdocvw.dll /s
      regsvr32 wuapi.dll /s
      regsvr32 wuaueng1.dll /s
      regsvr32 wuaueng.dll /s
      regsvr32 wucltui.dll /s
      regsvr32 wups2.dll /s
      regsvr32 wups.dll /s
      regsvr32 wuweb.dll /s
      regsvr32 softpub.dll /s
      regsvr32 mssip32.dll /s
      regsvr32 initpki.dll /s
      regsvr32 wintrust.dll /s
      regsvr32 dssenh.dll /s
      regsvr32 rsaenh.dll /s
      regsvr32 gpkcsp.dll /s
      regsvr32 sccbase.dll /s
      regsvr32 slbcsp.dll /s
      regsvr32 cryptdlg.dll /s
      regsvr32 urlmon.dll /s
      regsvr32 oleaut32.dll /s
      regsvr32 msxml2.dll /s
      regsvr32 msxml3.dll /s
      regsvr32 browseui.dll /s
      regsvr32 shell32.dll /s
      regsvr32 atl.dll /s
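An added example, not from the original post, that scripts steps 4 and 5 end to end: it stops the three services and waits for them, renames the two caches with a timestamp so they can be put back, registers the post's DLL list once each (skipping any that are not present on this Windows version and reporting regsvr32 failures), and restarts the services with wuauserv set to Automatic (Delayed Start). Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post). Run elevated.
$services = 'wuauserv', 'bits', 'cryptsvc'
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'

# Step 4: stop the services and wait until they are really stopped
foreach ($svc in $services) {
    Stop-Service -Name $svc -Force
    (Get-Service -Name $svc).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

# Rename the caches rather than deleting them, so they can be restored if needed
foreach ($dir in "$env:windir\SoftwareDistribution", "$env:windir\System32\catroot2") {
    if (Test-Path $dir) {
        Rename-Item -Path $dir -NewName ('{0}.{1}.old' -f (Split-Path $dir -Leaf), $stamp)
    }
}

# Step 5: register each DLL from the post's list once
$dlls = 'vbscript', 'mshtml', 'msjava', 'jscript', 'msxml', 'actxprxy', 'shdocvw', 'wuapi',
        'wuaueng1', 'wuaueng', 'wucltui', 'wups2', 'wups', 'wuweb', 'softpub', 'mssip32',
        'initpki', 'wintrust', 'dssenh', 'rsaenh', 'gpkcsp', 'sccbase', 'slbcsp', 'cryptdlg',
        'urlmon', 'oleaut32', 'msxml2', 'msxml3', 'browseui', 'shell32', 'atl'
foreach ($dll in $dlls) {
    $full = Join-Path "$env:windir\System32" "$dll.dll"
    if (-not (Test-Path $full)) { Write-Warning "$dll.dll not present on this system; skipping"; continue }
    & regsvr32.exe /s $full
    if ($LASTEXITCODE -ne 0) { Write-Warning "regsvr32 $dll.dll exited with code $LASTEXITCODE" }
}

# Start the services again (reverse order); Set-Service cannot express
# "Automatic (Delayed Start)", so sc.exe sets that for wuauserv
sc.exe config wuauserv start= delayed-auto | Out-Null
foreach ($svc in 'cryptsvc', 'bits', 'wuauserv') { Start-Service -Name $svc }
Get-Service -Name $services | Format-Table Name, Status -AutoSize
```

If Stop-Service times out on wuauserv, fall back to the post's advice: set the service to Disabled, reboot, and run the script again.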

Juniper SSL-VPN Network Connect Error 23787

When trying to launch Network Connect from the Juniper SSL-VPN portal, you get the error “cannot start the network connect service, please reinstall network connect, nc.windows.app.23787”.

Uninstalling and reinstalling Juniper Network Connect fixes it temporarily, but the error comes back after the computer restarts.

Solution: verify that the “Juniper Network Connect Service” service is started on the computer and that its Startup Type is Automatic.

Internet Explorer 9 Tracking Protection Feature

The RTM version of Internet Explorer 9 builds in the tracking protection feature.  This feature is disabled by default.  It can be enabled through Tools, Safety, Tracking Protection.

Once the feature is enabled, you can subscribe to third-party Tracking Protection Lists (TPLs) through http://ie.microsoft.com/testdrive/Browser/TrackingProtectionLists/Default.html

SPF (Sender Policy Framework) Deployment

After testing my outgoing email server, I found it was missing an SPF record.  Looking at the Sender Policy Framework site, deployment is fairly simple if you can edit your domain's DNS records.  The site provides a wizard to create the SPF record.  Once the record is created, publish it as a TXT record on your domain name, then rerun the outgoing email test to verify the deployment.  Start with a soft-fail policy (~all) until you are sure every legitimate sending host is listed; a hard fail (-all) on an incomplete record makes receiving servers reject your own mail.
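An added example, not from the original post, that evaluates an SPF record the way a receiving server does for the ip4 and all mechanisms, so you can check what your record actually says about a given sending address before publishing it. Mechanisms that need DNS lookups (a, mx, include, ptr, exists, ip6) are reported and skipped, since this runs offline; the record and addresses are constructed samples.

```powershell
# Added example (not from the original post). Record and IPs are constructed samples.

function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network byte order
    [Array]::Reverse($bytes)                                         # BitConverter is little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr ([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }                                   # bare address means /32
    # Mask with the top $bits bits set; computed arithmetically because -shl is PowerShell 3.0+
    $mask = [uint32]([long]4294967295 - ([long][math]::Pow(2, 32 - [int]$bits) - 1))
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

function Test-SpfRecord ([string]$Record, [string]$ClientIp) {
    # Returns pass / fail / softfail / neutral / permerror for ip4 and all; DNS mechanisms are skipped
    $terms = @($Record.Trim() -split '\s+')
    if ($terms[0] -ne 'v=spf1') { return 'permerror' }
    foreach ($term in ($terms | Select-Object -Skip 1)) {
        $qualifier = '+'
        if ($term -match '^[-+~?]') { $qualifier = $term.Substring(0, 1); $term = $term.Substring(1) }
        $verdict = @{ '+' = 'pass'; '-' = 'fail'; '~' = 'softfail'; '?' = 'neutral' }[$qualifier]

        if ($term -eq 'all') { return $verdict }                      # catch-all, always matches
        if ($term -match '^ip4:(.+)$') {
            if (Test-IPv4InCidr $ClientIp $matches[1]) { return $verdict }
            continue
        }
        if ($term -match '^(a|mx|ptr|exists|include|ip6)([:/].*)?$') {
            Write-Warning "Mechanism '$term' needs DNS; not evaluated offline"
            continue
        }
        if ($term -match '^(redirect|exp)=') { continue }             # modifiers, ignored here
        return 'permerror'                                            # unknown mechanism
    }
    'neutral'                                                         # no mechanism matched, no "all"
}

$record = 'v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 mx ~all'        # constructed sample record
Test-SpfRecord $record '192.0.2.77'        # inside the /24
Test-SpfRecord $record '203.0.113.9'       # listed nowhere, so it falls through to ~all
```

The first address matches the ip4:/24 mechanism and takes its implicit "+" qualifier; the second matches nothing until the trailing ~all, which is the soft-fail outcome the post recommends starting with.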

Test Outgoing Email Server with Some of the “Best Practices”

While researching greylisting for an email delivery problem, I found that the “All About Spam” web site offers an outgoing email server test page.  It is a useful tool for learning how compliant your email server is, and its report also tells you what you can do so that your email is not blocked by the recipient's email server.

All About Spam Email Server Test Page can test your outgoing email server with the following technologies/RFC compliance:

  1. HELO Greeting
  2. Reverse DNS
  3. DNSBL (RBL)
  4. SPF
  5. Domain Keys
  6. SPAMAssassin Content Checks
  7. BATV (Bounce Address Tag Validation)
  8. Greylisting
  9. URIBL

Testing Process

  1. Send an Email to test@allaboutspam.com
  2. That email will bounce with a URL in the bounce message.
  3. Either click on the URL or Copy/paste the URL in a browser.
  4. You will see report on your Email Server.

Greylisting – Use Against E-mail Spam

Definition: In name, as well as operation, greylisting is related to whitelisting and blacklisting. What happens is that each time a given mailbox receives an email from an unknown contact (IP), that mail is rejected with a "try again later" message (this happens at the SMTP layer and is transparent to the end user). This, in the short run, means that all mail gets delayed at least until the sender tries again - but this is where spam loses out! Most spam is not sent out using RFC-compliant MTAs; the spamming software will not try again later.

Source: http://www.greylisting.org/
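An added example, not from the original post or greylisting.org, that models the decision the definition describes: the (client network, sender, recipient) triplet is recorded on first sight and answered with a temporary 451, a retry that arrives after the minimum delay is accepted, and a retry that arrives too soon or far too late is rejected again. The delays, addresses and timestamps are constructed sample values.

```powershell
# Added example (not from the original post). All values below are constructed samples.
$script:GreyList    = @{}                             # triplet -> first seen (a real MTA keeps this in a DB)
$script:RetryDelay  = [TimeSpan]::FromMinutes(5)      # a retry sooner than this is still rejected
$script:RetryWindow = [TimeSpan]::FromHours(4)        # a retry later than this starts over
$script:Whitelist   = @('192.0.2.10')                 # known-good relays are never greylisted

function Get-GreylistVerdict {
    param([string]$ClientIp, [string]$Sender, [string]$Recipient, [datetime]$Now)
    if ($script:Whitelist -contains $ClientIp) { return '250 OK' }

    # Key on the /24 rather than the exact IP: big senders retry from a pool of hosts
    $net = ($ClientIp -split '\.')[0..2] -join '.'
    $key = '{0}|{1}|{2}' -f $net, $Sender.ToLowerInvariant(), $Recipient.ToLowerInvariant()
    $tempReject = '451 4.7.1 Greylisted, please try again later'

    if (-not $script:GreyList.ContainsKey($key)) {   # first contact: remember it, defer the mail
        $script:GreyList[$key] = $Now
        return $tempReject
    }
    $age = $Now - $script:GreyList[$key]
    if ($age -lt $script:RetryDelay)  { return $tempReject }                       # retried too soon
    if ($age -gt $script:RetryWindow) { $script:GreyList[$key] = $Now; return $tempReject }  # stale, start over
    '250 OK'                                                                        # proper retry: accept
}

$t0 = Get-Date '2011-09-19 10:00:00'
Get-GreylistVerdict '198.51.100.7' 'news@example.net' 'me@example.com' $t0                  # first contact
Get-GreylistVerdict '198.51.100.7' 'news@example.net' 'me@example.com' $t0.AddMinutes(1)    # too soon
Get-GreylistVerdict '198.51.100.7' 'news@example.net' 'me@example.com' $t0.AddMinutes(8)    # compliant retry
Get-GreylistVerdict '192.0.2.10'   'boss@example.org' 'me@example.com' $t0                  # whitelisted relay
```

Production implementations also promote a triplet to a temporary whitelist once it has been accepted, so repeat mail from the same sender is not delayed again; that is the part this model leaves out.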

DNS Lookup Tool - DIG

A windows version of dig can be downloaded at http://www.isc.org/downloads.

Example commands:

  • dig abc.com
  • dig abc.com any
  • dig abc.com ns
  • dig abc.com mx
  • dig abc.com any @dns-server

Remove IT Policy from a BlackBerry Smartphone

There are many methods to remove an IT policy from a BlackBerry smartphone.  See this KB for more details.  Here is the easiest method (I think) – using loader.exe.

  1. Connect the smartphone to the computer.
    From the Start menu, click Programs > Accessories > Command Prompt.
    Note: When a computer running Windows Vista™ or Windows 7 is used, the user might need to right-click the Command Prompt application and choose Run as administrator.
  2. Find the Apploader folder by typing cd C:\Program Files\Common Files\Research In Motion\Apploader and then pressing ENTER.
    Note: For computers using a 64-bit version of Windows, navigate to C:\Program Files (x86)\Common Files\Research In Motion\Apploader.
  3. Type loader.exe /resettofactory.
  4. Type the BlackBerry smartphone password if prompted.

Exchange Server Licensing

  • One Exchange server license per Exchange server
  • Exchange Standard v.s Enterprise edition:
    • 5 databases per Standard edition
    • 100 databases per Enterprise edition
    • For a database availability group (DAG) you do not need the Exchange Enterprise edition; however, you must have Windows Server 2008 or Windows Server 2008 R2 Enterprise edition, because a DAG relies on Windows Failover Clustering.
  • One client access license (CAL) per user
  • Standard v.s. Enterprise CAL:
    • Enterprise CALs are add-ons to Standard CALs: to buy Enterprise CALs you must also buy the same number of Standard CALs.
    • Enterprise CAL features:

Comparison of Exchange ActiveSync Clients

http://en.wikipedia.org/wiki/Comparison_of_Exchange_ActiveSync_Clients

Windows 7 or Windows Vista Wake Timer

Windows Vista and later support wake timers that scheduled tasks can use, allowing a system to automatically wake from sleep or hibernate at a certain time.

  • Schedule a task:
    • Launch Task Scheduler, Conditions tab, select Wake the computer to run this task.
  • List all active wake timers
    • Cmd, powercfg –waketimers
  • List all devices that are capable of waking a machine from sleep
    • Cmd, powercfg –devicequery wake_armed

Setup Windows Server 2008 and R2 DHCP Scope

Q. How do I create a DHCP scope in Windows Server 2008 and Server 2008 R2?

A. DHCP is a key service to enable the dynamic allocation of IP addresses to your network. Without DHCP, each machine has to be manually configured with an IP address, gateway, and DNS information. This might work for a small number of servers, but in any sizable environment, the ability for clients to dynamically get IP addresses is vital.

Windows has long had a DHCP service, and it has improved with each new version. In Server 2008 and later, DHCP is a server role that's added through Server Manager. Once you've added the DHCP Server role, you need to configure a scope—a set of IP addresses the DHCP service can allocate from to give to requesting clients. It's important that the DHCP scope you define consists of IP addresses that aren't used on any machine in the network (such as statically defined on a server) nor part of a scope on another DHCP server. Duplicate IP addresses in an environment will cause major problems, and it's always good practice to have an IP allocation scheme and tracking. Some organizations use IP addresses 10-50 of each subnet for servers and printers, 60-240 for DHCP clients, and so on.

Once the DHCP Server role is installed, you need to authorize the DHCP server by navigating to the DHCP Server role in server manager, selecting the server, and selecting Authorize. You can now create a scope.

  1. Navigate to DHCP Server, the server's name, IPv4.
  2. Select New Scope from the actions.
  3. Click Next to the introduction wizard screen.
  4. You'll be prompted for a name for the scope and a description. Make it meaningful, such as the IP addresses in the scope, and click Next.
  5. Enter the starting IP address, the ending IP address, and the subnet mask detail and click Next.

    DHCP in Windows Server 2008

  6. You can now add specific IP address ranges that should be excluded from the scope. Maybe you have some servers that have IP addresses within the range you're allocating to DHCP, which therefore shouldn't be given to clients. You can also set a delay time, which is the amount of time the DHCP server will wait before responding to DHCP requests. Click Next.
  7. Set the length of the IP address lease. The longer the lease time, the less often machines have to renew their address, but clients also keep the address longer. If many transient machines pass through the network, you don't want them holding leases for long, because your scope will run out of addresses. Set a short lease, maybe a day. Click Next.
  8. You can configure DHCP options, such as default gateway, DNS servers, WINS servers, etc. Or select No and set them later, or at a server level (for things like DNS server etc). Default gateway will likely be different for each scope. Click Next.
  9. Click to activate the scope, and you're done.
  10. If you wanted to select items like DNS and WINS at the server level, the settings apply to all scopes on the server. Select Server Options and you can set global options, as shown here.

DHCP in Windows Server 2008

Once you have DHCP configured, you can run

ipconfig /renew


on your clients and they should get an IP address from your DHCP server. You can see the address with the command ipconfig.
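An added example, not from the original article, that builds the same scope the wizard steps above produce, but with netsh so it can be scripted and repeated (Windows Server 2008 and 2008 R2 have no DHCP PowerShell module). It follows the article's allocation scheme: servers and printers static at 10-50, clients leased from 60-240. All names and addresses are placeholders; run it elevated on the DHCP server.

```powershell
# Added example (not from the original article). Names and addresses are placeholders.
$dhcpFqdn = 'dhcp1.example.com'
$dhcpIp   = '10.0.1.11'
$subnet   = '10.0.1.0'
$mask     = '255.255.255.0'

# Authorize the server in Active Directory (needs Enterprise Admins rights)
netsh dhcp add server $dhcpFqdn $dhcpIp

# Scope: clients get 60-240; 10-50 stays outside the range for static servers and printers
netsh dhcp server add scope $subnet $mask 'LAN 10.0.1.0/24' 'Workstations'
netsh dhcp server scope $subnet add iprange 10.0.1.60 10.0.1.240
netsh dhcp server scope $subnet add excluderange 10.0.1.100 10.0.1.105   # static hosts that sit inside the range

# Scope options: the router differs per scope (option 3); one-day lease (option 51, in seconds)
netsh dhcp server scope $subnet set optionvalue 003 IPADDRESS 10.0.1.1
netsh dhcp server scope $subnet set optionvalue 051 DWORD 86400

# Server options apply to every scope: DNS servers (option 6) and DNS suffix (option 15)
netsh dhcp server set optionvalue 006 IPADDRESS 10.0.1.11 10.0.1.12
netsh dhcp server set optionvalue 015 STRING example.com

# Activate and show the result
netsh dhcp server scope $subnet set state 1
netsh dhcp server show scope
netsh dhcp server scope $subnet show optionvalue
```

Keeping the script under version control gives you the IP allocation tracking the article asks for, since the scope, exclusions and options are all in one readable place.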

Configure USB Devices in Windows Virtual PC

Windows Virtual PC has integration features that allow certain types of devices to be shared between the host computer and the virtual machine (VM), including audio devices, the clipboard, printers, drives, and smart cards.

However, the VM may use the generic driver for the USB device, and the device may not work correctly.  To install the driver for the USB device,

  1. Disable Integration Features.
  2. Log on again.  Under the USB menu, attach the USB device and click Continue to remove the device from the host computer.
  3. Install the USB driver, and test it.
  4. Release the USB device from the VM using the USB menu.
  5. Enable the integration features again, and the USB device should work because the right driver is loaded in the VM.

Use WinSCP to Transfer Files in vCSA 6.7

This is a quick update on my previous post “ Use WinSCP to Transfer Files in vCSA 6.5 ”. When I try the same SFTP server setting in vCSA 6.7...