2/28/08

Rapid replication

Installed Server 2003 in two virtual machines ("server1" and "server2") this evening. Made them domain controllers for the same domain. Learned how to force replication via ADSS (Active Directory Sites and Services). Disabled the default domain GP password settings & tried to create a user w/ no password; this failed with "Windows cannot create the object because: Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain." Running gpupdate by itself didn't help, but running gpupdate /force did.

Windows allows you to turn off Global Catalog functionality completely in a domain, but if you try to create a user after that, it reports "Windows cannot verify that the user name is unique because the following error occurred while contacting the global catalog: The directory service is unavailable. Windows will create this user account, but the user can log on only after the user name is verified to be unique. Make sure the global catalog is available." If the user that you create in this offline state duplicates an existing name, AD keeps both accounts (each with its own unique SID) but renames the later one by appending a generated conflict suffix to its name.

A cool tool for viewing an account's SID or last logon/logoff date comes with the Windows Server 2003 Resource Kit Tools. After you download and install the kit (it's free), run regsvr32 "C:\Program Files\Windows Resource Kits\Tools\acctinfo.dll"; this adds an "Additional Account Info" tab to user properties in Active Directory Users and Computers.

Despite the fact that my two domain controllers are running in the default forest/domain modes, intrasite replication happens almost immediately! I thought you'd have to wait 15 minutes or 5 minutes or 15 seconds.
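The replication steps from this entry and the 2/28 entry above ("force replication" in Sites and Services, then see whether the change arrived) can be done from the command line as well. The following is an added example, not code from the original post: it assumes repadmin.exe is available (Support Tools on Server 2003, built in on Server 2008), uses the post's lab names server1/server2, and assumes the CSV column names that repadmin /showrepl /csv emits, as named in the script.

```powershell
# Added example (not from the original post): push replication between the two
# lab DCs and then confirm every inbound replication link is healthy.
# Assumptions: repadmin.exe is on the PATH; server names follow the post;
# the CSV column headers used below are the ones repadmin /showrepl /csv prints.
param(
    [string]$Source = 'server1',
    [string]$Dest   = 'server2',
    # Default to the current domain's naming context (e.g. DC=lab,DC=local).
    [string]$Partition = ([adsi]'LDAP://RootDSE').defaultNamingContext
)

# Scriptable equivalent of "Replicate Now" on the connection object in
# Sites and Services: replicate $Partition from $Source onto $Dest immediately,
# instead of waiting for the intrasite notification delay.
repadmin /replicate $Dest $Source $Partition

# Read back the replication status of every DC as CSV and look for failures.
# (ConvertFrom-Csv needs PowerShell 2.0 or later.)
$links = @(repadmin /showrepl * /csv | ConvertFrom-Csv)
$bad   = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })

$links |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Number of Failures', 'Last Success Time', 'Last Failure Status' |
    Format-Table -AutoSize

if ($bad.Count -gt 0) {
    Write-Warning ("{0} replication link(s) report failures; see 'Last Failure Status' above." -f $bad.Count)
} else {
    "All {0} inbound replication links succeeded." -f $links.Count
}
```

A link with a non-zero failure count and a "Last Success Time" hours old is the thing to chase; a near-immediate success on every link is what you should see in a healthy single-site lab like the one described above.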

In other news, Windows Server 2008 was released yesterday (February 28) and I took 70-297 last Saturday, but failed.

2/18/08

Choppy DVD playback

My sister called a couple evenings ago and said "I think my DVD-ROM is going bad! Videos are so choppy and jerky, they're no fun to watch". This was caused by her secondary IDE channel reverting back to PIO mode, an older method for accessing drives - and too slow for DVDs. To fix, we uninstalled the channel, redetected it, enabled DMA mode, and then rebooted. See this article on DMA reverts to PIO.

Fixing RRAS and FPS

A client called our office this morning and said "My users can't access the Internet or browse shared folders!". The client runs Windows SBS 2003. RRAS w/ NAT distributes Internet access on the WAN interface to all the workstations.

What was wrong? File and Printer Sharing had been disabled on the LAN interface (and enabled on the WAN, which is backwards: on the Internet-facing side it only exposes SMB to the outside world)! This generated lots of errors in the event log, including events 1058 and 1030, because Windows couldn't access the SYSVOL share via its UNC path (in fact, while shares were visible via \\servername, double-clicking on any of them merely brought up a username/password prompt). After correcting this, users could once again access shared resources on the server, but they still couldn't access the Internet.

It turned out that the LAN interface had recently been replaced or renamed...so RRAS wasn't doing NAT on the renamed interface. Right-clicking in RRAS/NAT and choosing "Add interface" quickly resolved the problem.

2/13/08

ActiveX error

To access a security camera system for one of our clients, you have to change Internet Explorer's security zone settings. IE will tell you "Your current security settings prohibit running ActiveX controls on this page". To fix, go to Tools -> Internet Options -> Security tab -> Custom Level -> ActiveX controls and plug-ins -> Download unsigned ActiveX controls -> Prompt (instead of Disable). Make this change in the Trusted sites zone after adding the camera system's address to that zone, not in the Internet zone: an unsigned control runs with the full rights of the logged-on user, so the relaxed setting should apply only to the one site that needs it.
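The same change expressed as registry settings, so it can be applied consistently on every workstation that needs the camera system. This is an added example and not part of the original post; the camera host name is made up, and the script assumes it runs as the user whose IE settings are being changed (the values live under HKCU).

```powershell
# Added example (not from the original post): scope the relaxed ActiveX setting
# to one host via the Trusted sites zone rather than loosening the Internet zone.
# Assumption: $CameraHost is the camera system's host name (made-up value here).
param([string]$CameraHost = 'camera.example.com')

$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone numbers: 2 = Trusted sites, 3 = Internet.
# Action 1004 = "Download unsigned ActiveX controls": 0 = Enable, 1 = Prompt, 3 = Disable.
$unsignedDownload = '1004'

# Weak version (the fix as first described, applied to every Internet site):
#   Set-ItemProperty -Path "$zones\3" -Name $unsignedDownload -Value 1 -Type DWord

# Narrow version: put only the camera host into Trusted sites ...
$hostKey = Join-Path $zoneMap $CameraHost
if (-not (Test-Path $hostKey)) { New-Item -Path $hostKey -Force | Out-Null }
Set-ItemProperty -Path $hostKey -Name 'http' -Value 2 -Type DWord   # 2 = Trusted sites

# ... relax unsigned-control downloads to Prompt for that zone only,
# and make sure the Internet zone stays at Disable.
Set-ItemProperty -Path "$zones\2" -Name $unsignedDownload -Value 1 -Type DWord
Set-ItemProperty -Path "$zones\3" -Name $unsignedDownload -Value 3 -Type DWord

# Print the effective values so the change can be verified afterwards.
foreach ($z in 2, 3) {
    $v = (Get-ItemProperty -Path "$zones\$z").$unsignedDownload
    "Zone $z : Download unsigned ActiveX controls = $v"
}
```

Internet Explorer reads these keys on the next page load; if the machine is under a group policy that manages zone settings, the policy wins and the same values belong in the corresponding policy instead.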

2/12/08

Malware infections

One of your users has a malware infection. Your antivirus program quarantined part of it, but it’s still hanging on, just beyond the reach of your two or three favorite antivirus/antispyware tools. Now what?

1. Connect the infected hard drive to a spare PC running Windows XP or Vista so you can freely access the file system without the infected OS (and anything hiding inside it) running. Only browse the drive from the spare PC; don't launch anything on it.

2. Search the Windows directory for recently created/modified *.exe, *.com, *.dll, *.ocx, *.bat, *.dat, *.drv, *.sys, *.bin, *.scr files. Configure the search results to display the file’s publisher and version number.

Recently created or modified files which do not display a publisher are suspect and should be disabled (by appending a different file extension, e.g. *.bad) rather than deleted, so a mistake can be undone. Files that do have a legitimate publisher but were recently modified have probably been patched or infected, and can be replaced by an older clean copy with the same version number. Treat the publisher field and the timestamps as hints, not proof: both are easy for malware to fake, so check the file's digital signature or compare it against a known-good copy before trusting it.

Lastly, run HijackThis to cleanup any remaining traces of infection.

I've used this method to remove malware missed by NOD32 and Spyware Doctor.
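Steps 1 and 2 above, done with a script instead of a Windows Search window. This is an added example, not code from the original post: it assumes the infected drive is attached to the clean PC as drive X:, and it adds two checks the post does not mention, an Authenticode signature check and a SHA-256 hash so a file can be compared with a clean copy of the same version.

```powershell
# Added example (not from the original post): triage recently changed executables
# on an infected disk that is mounted offline on a clean PC.
# Assumptions: $Root is the infected system's Windows directory on the attached
# drive (X: here); the extension list is the one from the post. Needs PowerShell 2.0+.
param(
    [string]$Root = 'X:\Windows',
    [int]$Days = 14,
    [switch]$Disable    # rename files with neither a signature nor a publisher to *.bad
)

$extensions = '.exe','.com','.dll','.ocx','.bat','.dat','.drv','.sys','.bin','.scr'
$cutoff = (Get-Date).AddDays(-$Days)
$sha = [System.Security.Cryptography.SHA256]::Create()

Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $extensions -contains $_.Extension.ToLower() } |
    Where-Object { $_.LastWriteTime -gt $cutoff -or $_.CreationTime -gt $cutoff } |
    ForEach-Object {
        $file = $_
        # Signature status is a stronger signal than the free-text publisher
        # string, which malware can copy into its own version resource.
        # Caveat: on older PowerShell, files signed only via a Windows catalog
        # show as NotSigned, so "unsigned" alone is not a conviction.
        $status  = (Get-AuthenticodeSignature -FilePath $file.FullName).Status.ToString()
        $company = $file.VersionInfo.CompanyName
        $verdict = switch ($status) {
            'Valid'     { 'signed-ok' }
            'NotSigned' { if ($company) { 'unsigned-claims-publisher' } else { 'unsigned-no-publisher' } }
            default     { "bad-signature:$status" }   # HashMismatch etc.: modified after signing
        }

        # SHA-256 so the file can be compared with a known-good copy of the same version.
        try {
            $fs = [System.IO.File]::OpenRead($file.FullName)
            try { $hash = ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
            finally { $fs.Close() }
        } catch { $hash = 'n/a' }

        # Mirror the post: only files with no publisher at all get disabled automatically.
        if ($Disable -and $verdict -eq 'unsigned-no-publisher') {
            Rename-Item -Path $file.FullName -NewName ($file.Name + '.bad')
        }

        New-Object PSObject -Property @{
            Verdict  = $verdict
            Modified = $file.LastWriteTime
            Company  = $company
            Version  = $file.VersionInfo.FileVersion
            SHA256   = $hash
            Path     = $file.FullName
        }
    } |
    Sort-Object Modified -Descending |
    Format-Table Verdict, Modified, Company, Version, Path -AutoSize
```

Run it once without -Disable and read the list: a "bad-signature" verdict on a Microsoft binary is the strongest sign of a patched file, and any "unsigned-claims-publisher" entry deserves a hash comparison against a clean installation before it is either trusted or renamed.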

2/7/08

Theory, part 1

Active directory sites serve two purposes:
- Control AD replication traffic
- Ensure that users log on to a local DC rather than crossing a WAN link during logon

As a general rule of thumb, you should install a domain controller in a branch office if there are 50+ users, and you should install a global catalog if there are 100+ users.

There are three reasons to have an OU:
- To delegate administration
- To apply group policies
- To hide resources

2/6/08

Flowcharting

Began studying for 70-297 this evening. I need to try out Visio 2007 and Smart Draw 2008 to see if either program is really easy to use. Academic prices are $80 and $120 respectively.

2/4/08

Powershell and VBScript

Microsoft has a new scripting language called PowerShell, which works on Windows XP and everything newer. Someday I would like to take a course on PowerShell or VBScript. Microsoft has some videos about PowerShell.

Fixing a BSOD

A tech in our office recently imaged a hard drive onto a new computer. He did a repair installation of Windows XP on the drive, but after restarting, WinXP setup always crashed with error STOP 0x0000007E. This was resolved with Microsoft's Diagnostics and Recovery Toolset. This oh-so-handy bootable CD lets you disable unwanted device drivers!

Never relay a message

You recall my Exchange 6 post on January 21st? I allowed Exchange to relay messages to the site's own domain, through their web host's SMTP server, because this is a "shared namespace" (not all user accounts are on the Exchange server). The following Monday the web host admin informed us that 40,000 spams had been sent to users at this domain from their own IP address!!! I think the culprit was a compromised workstation on the LAN. To fix the problem, I disabled relaying and used a setting in the SMTP virtual server that says "Forward messages with unresolved recipients to: {insert mail server name or IP}". Problem solved. Note that no SMTP authentication is required in this case.

At the same site, I drastically shortened the amount of time that Exchange spends on retrying message delivery so that users are quickly notified when there's a delivery problem.
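A quick way to confirm that the relay change described above actually closed the door: speak SMTP to the server and see whether it accepts a recipient in a foreign domain from a foreign sender. This is an added example, not from the original post; the server name and the addresses are made-up placeholders, and the script issues RSET after the RCPT reply so no message is ever sent.

```powershell
# Added example (not from the original post): probe an SMTP server for open relay.
# Assumptions: $Server is the SMTP virtual server to test (placeholder name);
# the sender and recipient use reserved .invalid domains so nothing real is involved.
param(
    [string]$Server = 'mail.example.com',
    [int]$Port = 25
)

function Send-SmtpLine {
    param([System.IO.StreamWriter]$Writer, [System.IO.StreamReader]$Reader, [string]$Line)
    if ($Line) { $Writer.WriteLine($Line); $Writer.Flush(); Write-Host (">> " + $Line) }
    # Read a possibly multi-line reply; continuation lines look like "250-...".
    do {
        $reply = $Reader.ReadLine()
        Write-Host ("<< " + $reply)
    } while ($reply -match '^\d{3}-')
    return [int]$reply.Substring(0, 3)
}

$client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine = "`r`n"

try {
    [void](Send-SmtpLine $writer $reader $null)                       # banner
    [void](Send-SmtpLine $writer $reader 'EHLO relaytest.invalid')
    [void](Send-SmtpLine $writer $reader 'MAIL FROM:<probe@sender.invalid>')
    # The decisive step: an external recipient from an external sender.
    $code = Send-SmtpLine $writer $reader 'RCPT TO:<someone@other-domain.invalid>'
    [void](Send-SmtpLine $writer $reader 'RSET')                      # abandon the envelope; never send DATA
    [void](Send-SmtpLine $writer $reader 'QUIT')
}
finally { $client.Close() }

if ($code -eq 250)     { "OPEN RELAY: $Server accepted an external recipient from an external sender." }
elseif ($code -ge 500) { "OK: $Server refused to relay (reply $code)." }
else                   { "Inconclusive: reply $code to RCPT TO; read the transcript above." }
```

Exchange answers the RCPT with a 550 "Unable to relay" when relaying is off; a 250 there means any host that can reach port 25, including a compromised workstation on the LAN, can send through the server. Run the probe from both the LAN and the outside, since relay restrictions are usually granted per source address.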

SQL error 15401

A couple of weeks ago a customer couldn't create an SQL login account because it had a duplicate SID with an existing account (I have no idea how that happened). I followed Microsoft's directions to identify and delete the offending account.

Someday, I would like to take Test Out's SQL course or CBT Nuggets' SQL course.

2/2/08

70-284 - Passed!

Passed 70-284 this afternoon. There were 30 questions, with an emphasis on name resolution and firewall interaction.