Thursday, June 29, 2006

AD Replication Health Check

If you have reported replication problems with a Domain Controller what diagnostic tools are in your toolkit to help diagnose the problem? Stage one would be to identify any simple connectivity problems on the machine, the netsh command is a great way to run a quick test.

Netsh diag show test

As Domain Controller’s communicate using GUID’s rather than machine name’s it is important to ensure that DNS records are in place for the Domain Controllers in the environment and that the DC’s in question is able to resolve them.

Dnslint /s localhost /ad

If connectivity and name resolution is in good shape the next step would be to look at active directory for any errors that may have occurred. The DCDiag utility is a great way to health check a machine.

DCDiag or to get futher detail dcdiag /verbose

Be careful when reading the DCDiag information to look for the date of the error when considering any messages, often problems may have occurred because of a connectivity problem which has since been solved. From DCDiag you may then need to investigate the eventlogs, FRS replication using Sonar, Replication using replmon or repadmin.

Another important utility that is available allows you to check the consistency between two domain controllers. This can quickly provide a high level of confidence that replication problems have been resolved or identify where there are large discrepancies between Domain Controllers. Remember that when comparing machines between sites there will naturally be a discrepancy until the next scheduled cross site replication which may be every 3hrs for example.

Dsastat –s:DC1;DC2

You can use Replmon or repadmin to force replication across site links and the use Dsastat again to confirm that the two Domain Controllers have converged.


Friday, June 23, 2006

ADModify Utility

ADModify is a great utility for Exchange and Active Directory users looking to make bulk changes to user attributes in Active Directory. Well worth investigating.

Click here to download


WMIC to enable Remote Desktop

Using the Windows Management Instrumentation Command line can be useful to enable remote desktop on servers that have already been deployed without the feature enabled.

wmic /node:SERVERNAME rdtoggle WHERE servername="SERVERNAME" CALL SetAllowTSConnections 1

WMIC is worth investigating further, I comes with a large list of pre-configured WMI commands with simple aliases. Open a command Windows on any XP or Windows 2003 server and type WMIC then type /? to explore some of the capabilities.

The /node is the switch that enables you to work remotely e.g:


Will display the hotfix levels between two machines for comparison


Sunday, June 18, 2006

Display SID History Information

A useful tool worth investigating if you are using the SID History function during a migration is acctinfo.dll. This utility is part of the Windows 2003 resource kit and can also be found in the Account lockout tools.

Copy acctinfo.dll into the System32 directory and register using:

Regsvr32 acctinfo.dll

Once registered an “Additional Information” tab is available through Active Directory Users and Computers. This Tab allows you to see extra useful information for example when the user’s password was last set, password expiry date, the users SID and importantly any information stored in the users SID History.


Thursday, June 15, 2006

Reset User Passwords using DSQuery

Reset a complicated collection of users passwords the easy way using DSQuery. First use the Saved Queries function within Active Directory Users and Computers to narrow down the query and ensure you have the users required; for example all of the Bristol Office Staff.

The edit Copy the Query String from the Saved Query you have created and use it the following way from the command line:

dsquery * -filter "(&(objectCategory=user)(physicalDeliveryOfficeName=Bristol*))"

This will then return all of the users as in the saved query

The add the following to the end of the line which will then dsmod all of the users to reset the passwords.

dsmod user -pwd "P@ssword"


Tuesday, June 13, 2006

Debug GPO Application Deployment

Investigate group policy application installation problems by enabling diagnostic logging in the registry to help identify problems:

Key: HKLM\Software\Microsoft\Windows NT\Current Version\Diagnostics

Name: AppMgmtDebugLevel

AppMgmtDebugLevel = Hex 9b

The log file is located in the %systemroot%\debug\Usermode folder called Appmgmt.log

In addition to this consider enabling Windows Installer logging on the local machine using group policy.

Computer Configuration\Admin Templates\Windows Components\Windows Installer

Enable logging

The log file msi.log will be in the temp folder on the system drive


Friday, June 09, 2006

Multiple Local GPO's in Vista

Windows Vista now supports multiple local GPO's. If you are exploring the new Beta 2 checkout creating a local GPO through the normal MMC Group Policy object editor snap-in, however when it displays "Local Machine" use the browse button and the select the users tab. Very interesting feature for standalone machines kiosks, library machines etc.


Reporting Local Security Settings

If you are having problems reporting local security settings on machine's and want a simple utility then Dumpsec is worth investigating. SomarSoft provide this FREE useful utility that allows you to remotely dump security settings on machines. Cool utility, which whilst having security limitations, is a great tool for a Security Administrator.


Public Download of Vista Beta 2

Windows Vista Beta 2 is now available for Public download.


Sunday, June 04, 2006

Vista Beta 2 Video Drivers

If you are having problems loading drivers for the nVidia Quadro FX350 on Vista Beta 2, there is a work around. If you are faced with the message "Could not find a compatible card…" then go manual.

Through device manager update the video driver and use the have disk approach to use the extracted nVidia driver set and they load without any problems providing the full Aero experience.

Also worth a look is the offer of free anti-virus software for Vista Beta 2


Friday, June 02, 2006

Scripting Fun with Speach API (SAPI)

Add a little fun to your scripts using the Speach API.

set objVoice = createobject("SAPI.spVoice")
objVoice.Speak "I'm sorry Dave, I'm affraid I can't do that"

Thanks goes out to Brian for this one.