Be aware that in Exchange 2007, if a domain account is disabled, its mailbox can still receive email. This was not the default behavior in Exchange 2000 or 2003; Exchange 2003 did, however, have a hot-fix which changed its behavior to that of 2007. Please see the link below for more information on this. The point here is to make sure everyone is aware that disabling an AD account will not necessarily stop email from being delivered to its mailbox.
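To turn that warning into a routine check, here is an added example (not from the original post) that lists mailbox-enabled users whose AD account is disabled, using only ADSI so it runs from any domain-joined PowerShell without the Exchange shell; the function name and the assumption that the caller can read the domain partition are mine.

```powershell
# Added example: find mailbox-enabled users whose AD account is disabled, so each one
# can be reviewed and, where mail must stop, the mailbox disabled or restricted in Exchange.
function Get-DisabledMailboxUsers {
    param([string]$SearchBase = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext)

    # userAccountControl bit 0x2 = ACCOUNTDISABLE; 1.2.840.113556.1.4.803 is the LDAP
    # bitwise-AND matching rule. homeMDB=* limits the result to mailbox-enabled users.
    $filter = '(&(objectCategory=person)(objectClass=user)(homeMDB=*)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=2))'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = $filter
    $searcher.PageSize   = 500      # paged results, so large domains do not truncate at 1000
    foreach ($p in 'sAMAccountName','mail','homeMDB','whenChanged') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    # Helper: first value of a result property, or $null when the attribute is absent.
    function Get-Prop($result, [string]$name) {
        $values = $result.Properties[$name]
        if ($values -ne $null -and $values.Count -gt 0) { $values[0] } else { $null }
    }

    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            SamAccountName = [string](Get-Prop $r 'samaccountname')
            Mail           = [string](Get-Prop $r 'mail')
            MailboxStore   = [string](Get-Prop $r 'homemdb')
            LastChanged    = Get-Prop $r 'whenchanged'
        }
    }
}

# Disabled AD account + populated homeMDB = mail is still being delivered to this mailbox.
Get-DisabledMailboxUsers | Sort-Object SamAccountName |
    Format-Table SamAccountName, Mail, MailboxStore, LastChanged -AutoSize
```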
We’re starting a new series on Monday called “Policy Monday” to help share common technology policies. This week we’ll start with Adding Guest Accounts to the Network.
The following is a general guideline for creating guest user accounts on an Active Directory-based Windows network.
- Create a new Guest Organizational Unit
- Create the guest account:
  - If it is a role account (several temps performing the same job), create a "role based" username
  - If it is restricted to a single user for a short period of time, create a "real name" based username
- Set the account expiry to something reasonable
- Set "User must change password at next logon" and assist the user with their first logon to the desktop.
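The guideline above, carried out end to end as an added example (not from the original post) with the ActiveDirectory module, which assumes Server 2008 R2 RSAT or later; the OU name "Guests", the 30-day default expiry and the two sample accounts are constructed values.

```powershell
# Added example: create the Guest OU (once) and a guest account that expires and forces a
# password change at first logon, for either a role-based or a real-name username.
Import-Module ActiveDirectory

function New-GuestAccount {
    param(
        [Parameter(Mandatory=$true)][string]$UserName,      # role name or real-name login
        [Parameter(Mandatory=$true)][string]$DisplayName,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$InitialPassword,
        [int]$ExpiresInDays = 30,                            # "something reasonable"
        [string]$GuestOuName = 'Guests'                      # constructed OU name
    )
    $domain   = Get-ADDomain
    $domainDn = $domain.DistinguishedName
    $ouDn     = "OU=$GuestOuName,$domainDn"

    # 1. Create the Guest OU if it does not exist yet (protected against accidental deletion).
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$GuestOuName)" `
                    -SearchBase $domainDn -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $GuestOuName -Path $domainDn -ProtectedFromAccidentalDeletion $true
    }

    # 2. Create the account in that OU with an expiry date and "change password at next logon".
    $expiry = (Get-Date).Date.AddDays($ExpiresInDays)
    New-ADUser -Name $DisplayName -SamAccountName $UserName `
        -UserPrincipalName "$UserName@$($domain.DNSRoot)" -DisplayName $DisplayName `
        -Path $ouDn -AccountPassword $InitialPassword -AccountExpirationDate $expiry `
        -ChangePasswordAtLogon $true -Enabled $true -PassThru
}

$pw = Read-Host 'Initial password' -AsSecureString
# Role account shared by several temps doing the same job (short expiry):
New-GuestAccount -UserName 'temp-packing' -DisplayName 'Temp - Packing Line' -InitialPassword $pw -ExpiresInDays 14
# Real-name account for one short-term contractor:
New-GuestAccount -UserName 'jdoe' -DisplayName 'Jane Doe (contractor)' -InitialPassword $pw -ExpiresInDays 30
```

Walk the user through the first logon so the forced password change completes; the expiry date then disables the account automatically when the engagement ends.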
While working on a BlackBerry Enterprise Server (BES) install, whose setup recommends setting the user's AD account option "this account supports Kerberos AES xxx encryption", I found that this setting is not supported in a mixed 2003/2008 AD environment. Be sure to select only "Kerberos DES encryption", per the BES setup instructions. AES encryption is not supported by Server 2003 DCs, and marking an account that way may result in errors when authenticating or changing passwords: the computer tries the most secure method the account is marked as supporting, AES 256, and depending on which DC it hits (2003 or 2008) it may or may not work. This made isolating the issue harder, because it would not consistently work or fail.
Some of the symptoms you will observe:
- Sys-tray pop-up that your account may be compromised
- Sys-tray pop-up asking you to lock and unlock your computer, and after you complete it, it prompts you again
- Event ID 14: While processing an AS request for target service, the account did not have a suitable key for generating a Kerberos ticket
- Event ID 40960: The Security System detected an authentication error for the server…the failure code from the authentication protocol was “(0x80080341)”.
- Event ID 6: Automatic certificate enrollment for USER failed (0,80072095) A directory service error has occurred.
Of course this issue is not isolated to BlackBerry installations, but typical out-of-the-box configurations do not have AES selected, so it only arises when you are in a mixed environment and change the setting. In this case, BES was the reason for the change.
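An added example (not from the original post) that finds the accounts carrying the AES account options described above, which Windows stores in the msDS-SupportedEncryptionTypes attribute, and lists the operating system of each DC, so AES-flagged accounts can be spotted while a Server 2003 DC is still in rotation. It assumes the ActiveDirectory module (2008 R2 RSAT or later); the function names are mine.

```powershell
# Added example: audit Kerberos encryption-type flags on accounts and list DC OS versions.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (set by the AES/DES checkboxes in 2008 ADUC)
$DES_CRC = 0x1; $DES_MD5 = 0x2; $RC4 = 0x4; $AES128 = 0x8; $AES256 = 0x10
# userAccountControl bit set by the older "Use DES encryption types for this account" option
$UAC_USE_DES_KEY_ONLY = 0x200000

function Get-AesFlaggedAccounts {
    $aesMask = $AES128 -bor $AES256
    # 1.2.840.113556.1.4.804 is the LDAP bitwise-OR matching rule: any AES bit set.
    # objectClass=user also matches computer accounts, which carry the same attribute.
    $filter = "(&(objectClass=user)(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=$aesMask))"
    Get-ADObject -LDAPFilter $filter -Properties msDS-SupportedEncryptionTypes, sAMAccountName, userAccountControl |
    ForEach-Object {
        $etypes = [int]$_.'msDS-SupportedEncryptionTypes'
        $uac    = [int]$_.userAccountControl
        New-Object PSObject -Property @{
            SamAccountName = $_.sAMAccountName
            Class          = $_.ObjectClass
            AES            = [bool]($etypes -band $aesMask)
            RC4            = [bool]($etypes -band $RC4)
            DES            = [bool]($etypes -band ($DES_CRC -bor $DES_MD5))
            DesKeyOnlyUAC  = [bool]($uac -band $UAC_USE_DES_KEY_ONLY)
        }
    }
}

function Get-DcOperatingSystems {
    Get-ADDomainController -Filter * | Select-Object Name, Site, OperatingSystem
}

# If any DC still reports Server 2003, every row with AES = True is a candidate for the
# intermittent authentication and password-change failures described above.
Get-DcOperatingSystems | Format-Table -AutoSize
Get-AesFlaggedAccounts | Format-Table SamAccountName, Class, AES, RC4, DES, DesKeyOnlyUAC -AutoSize
```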
Today I resolved my fourth SBS Wizard-related problem this year. The symptoms are the same on both SBS 2003 and SBS 2008: when attempting to use the wizards to create a user or computer, the wizard works all the way until the last step and then fails with an error.
The problem in all four cases this year has been that someone treated an SBS server like a Windows Standard Server. The reality is that while it is based on Standard Server, it really is not one. There have been major tweaks and adjustments to make it work the way it does, among them various restrictions on changes to Active Directory. Basically, unless you understand exactly how the SBS wizards use Active Directory, it is best not to do anything through the standard Active Directory Users and Computers console. The wizards require that users, computers and other data are placed in very specific Organizational Units with very specific names. Renaming OUs or moving users into a more "logical" place will prevent the wizards from working properly.
The people who get themselves into the most trouble are often IT consultants who think they know better, but really don't. A newbie administrator will actually read the documentation that comes with SBS and/or pick up a good reference book, all of which say the same thing: use the wizards for absolutely everything, and don't make any changes to Active Directory outside of a wizard. The only exception would be documentation which specifically takes SBS into account. A Microsoft TechNet page will specifically call out that it applies to SBS; if it only mentions Standard Server, beware! Remember that SBS is made for organizations of 75 users or fewer, and in these environments you will rarely need a complex OU scheme.
In all four cases this year, it has been because someone renamed or deleted the default SBS OUs, which are created automatically. A quick rename of the OUs back to their original names will resolve your problems. That's it: no big changes, registry adjustments, etc. Simply put the OUs back where they were automatically created and you should be all set.
Remember, SBS 2003/2008 is not Standard Server, nor is it Exchange Standard. It is (for lack of a better term) a hacked version of Server Standard and Exchange Standard, and both are meant to be managed nearly 100% through the wizards and SBS consoles.
There are various situations where you may want a computer to automatically log off the user after they have been idle for a period of time. The most frequent use for this is shared workstations, such as on a production floor or in another open-access area. In the past, a common method was to enable a "role based" user account, such as shipping or quality control, whose logon was known to all users of that workstation.
There is, however, a tool available from Microsoft which is basically a screen saver hack: when enabled, it logs off the user instead of displaying a screen saver. This effectively permits multiple users to share the same system throughout the day while retaining separate, secret passwords, without hindering the next user when someone forgets to log off. It is still better practice to actually log off, but this is a great fail-safe alternative: WinExit.scr, which you can find at http://support.microsoft.com/kb/314999
- Deleted OU that has already replicated: perform an authoritative restore (not LostAndFound; use this when the option below is not available)
- Deleted OU that has already replicated: perform a non-authoritative restore, then mark the single OU as authoritative (more granular than the above; use it when it is available as an answer)
- Hard drive failure on one DC (multi-DC environment): non-authoritative restore
- Any restore of AD requires DSRM (Directory Services Restore Mode), which boots locally using the local SAM username/password; no GPO is applied
- Safe mode still boots AD, but does not apply GPO on a DC
- Use NTDSUTIL to reset the DSRM password on each DC separately
- Tombstone lifetime should be greater than the backup interval; use ADSIEdit, a script or ldp.exe to modify it (default 60 days)
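The last bullet as a script, added here as an example (not from the original notes): it reads the forest's tombstone lifetime from the Directory Service object in the Configuration partition, compares it with the backup interval, and shows the attribute write that ADSIEdit or ldp.exe would otherwise do. ADSI only; the 7-day backup interval is a constructed value.

```powershell
# Added example: check (and optionally set) the forest tombstone lifetime against the backup interval.
function Get-TombstoneLifetime {
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ds = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value = $ds.tombstoneLifetime
    if ($value -eq $null -or [string]$value -eq '') {
        # Attribute absent: the built-in default applies (60 days per the note above; forests
        # created with Server 2003 SP1 or later default to 180 days when the attribute is unset).
        return New-Object PSObject -Property @{ Days = 60; ExplicitlySet = $false }
    }
    New-Object PSObject -Property @{ Days = [int][string]$value; ExplicitlySet = $true }
}

function Test-BackupWithinTombstoneLifetime {
    param([int]$BackupIntervalDays = 7)     # constructed value; use your real schedule
    $tsl = Get-TombstoneLifetime
    # A backup older than the tombstone lifetime must never be restored (it would resurrect
    # deleted objects), so the interval has to stay comfortably below the lifetime.
    New-Object PSObject -Property @{
        TombstoneLifetimeDays = $tsl.Days
        ExplicitlySet         = $tsl.ExplicitlySet
        BackupIntervalDays    = $BackupIntervalDays
        BackupUsable          = ($BackupIntervalDays -lt $tsl.Days)
    }
}

function Set-TombstoneLifetime {
    param([Parameter(Mandatory=$true)][int]$Days)
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ds = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $ds.Put('tombstoneLifetime', $Days)     # the same attribute ADSIEdit or ldp.exe would edit
    $ds.SetInfo()                           # requires Enterprise Admin rights
}

Test-BackupWithinTombstoneLifetime -BackupIntervalDays 7 | Format-List
```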
After running a Resultant Set of Policy (RSoP) within the Microsoft Group Policy Management Console, you may see some settings listed under "Extra Registry Settings". The primary cause is that the currently loaded set of ADM files for the GPMC does not match the version used to create the Group Policy. Frequently this is because the policy was configured on a different workstation than the one you are using to view the RSoP. Simply download the latest GPO ADM files from Microsoft's website and apply them to the GPMC to have the settings show properly.
On the topic of Group Policy, don’t forget about the handy GPO Policy Reference worksheet found here:
When designing your organizational units within a domain:
- Design first based on administrative needs
- Lay out using a consistent hierarchy:
- Nested/layered/hybrid designs are okay (physical site/business unit; BU/site; etc.)
- Avoid hybrid designs on the same level (PS and BU at the same level is not okay; hierarchical is okay)
- If using sites for OU’s, avoid a design which omits a site (same with Business units)
- Use OU’s with Delegation of authority instead of child domains when possible (q89)
- When multiple administrators are working in AD and one moves objects into an OU that another admin has just deleted (before either DC has replicated), the contents of the deleted OU go to the LostAndFound container.
- If you delete an OU, its contents go as well (except as noted above)
- Replication occurs at the attribute level in 2000 vs. the value level in 2003, reducing replication collisions, which are resolved as latest-write-takes-precedence
Here are the design considerations when evaluating a Preferred Bridgehead Server for multi-site deployments of Active Directory:
- It is best practice to have more than one bridgehead server per site.
- But if you want to “control” or “manage” site-to-site-replication, you must only choose one preferred bridgehead server.
- If replication fails in a 3+ site environment and there are preferred bridgehead servers, change the bridgehead server. Non-fully-IP-routable networks may require replication to go through another (non-problem) site, and the failed PBHS may reside there
- To avoid a single point of failure with a PBHS, you need either multiple PBHS at each site or NONE, but this will reduce your ability to manage replication.
- If there is poor performance on a DC which is also an app server, make another DC the PBHS, typically the RRAS DC if there is one.
- Use PBHS for controlling replication traffic, not GC
- PBHS can be configured for IP and/or SMTP (separately)
- Use IP by default, SMTP for unreliable connections
- SMTP requires an Enterprise Certificate Authority (ECA)
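An added example (not from the original notes) that inventories the preferred bridgehead servers per site, reading the bridgeheadTransportList attribute that marks a server object as a PBHS for IP and/or SMTP, and flags the single-PBHS sites that the bullets above identify as a single point of failure. It assumes the ActiveDirectory module; the function name is mine.

```powershell
# Added example: list preferred bridgehead servers per site and assess single points of failure.
Import-Module ActiveDirectory

function Get-PreferredBridgeheads {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $sites = Get-ADObject -SearchBase "CN=Sites,$configNc" -SearchScope OneLevel -LDAPFilter '(objectClass=site)'
    foreach ($site in $sites) {
        # A server object with bridgeheadTransportList set is a preferred bridgehead; each value
        # is the DN of a transport (CN=IP or CN=SMTP under Inter-Site Transports).
        $pbhs = @(Get-ADObject -SearchBase "CN=Servers,$($site.DistinguishedName)" -SearchScope OneLevel `
                    -LDAPFilter '(&(objectClass=server)(bridgeheadTransportList=*))' `
                    -Properties bridgeheadTransportList -ErrorAction SilentlyContinue)
        $names = @($pbhs | ForEach-Object {
            $transports = @($_.bridgeheadTransportList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })
            "$($_.Name) [$($transports -join '/')]"
        })
        $assessment = switch ($names.Count) {
            0       { 'none configured: KCC picks bridgeheads, no single point of failure' }
            1       { 'SINGLE preferred bridgehead: single point of failure for inter-site replication' }
            default { 'multiple preferred bridgeheads: redundant, but site-to-site replication is less controlled' }
        }
        New-Object PSObject -Property @{
            Site                 = $site.Name
            PreferredBridgeheads = ($names -join ', ')
            Assessment           = $assessment
        }
    }
}

Get-PreferredBridgeheads | Format-Table Site, PreferredBridgeheads, Assessment -AutoSize
```

Compare the output with repadmin /bridgeheads when chasing a failed replication partner; a site whose only PBHS is also an app server is the case the bullets above say to move to another DC.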
When designing Active Directory Site Links:
- On non-fully IP routed networks, disable automatic site links, implement a site link bridge
- A site link is a set of sites which communicate at the same cost, and can be automatically configured to route in a redundant path between sites within a site-link
- In a fully routed network, you do not need site link bridges unless you wanted to specifically control the flow of replication changes.
- A site link controls which sites are connected and at what cost, but does not directly control which servers replicate with one another; that is the role of a Preferred Bridgehead Server
- Best practice is to create site links from corporate to each branch; there is little benefit in a tiered site link corp->branch->branch
- You cannot create site links between networks which are not IP routed
- Site link bridging is used when an IP network is not fully routed, or if replication is not converging properly (used when sites are 2+ hops away)
- Site links are for the same domain only, and are between IP-routable networks unless you use an IP site link bridge to connect two non-routable networks in the same domain
- If two non-routable sites of a domain are separated by a site in a different domain, you will need a DC for that domain in the intervening site, or a routable network
- Use IP replication between sites of a single domain; SMTP is not available for this
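The site-link inventory a designer would want beside the bullets above, added as an example (not from the original notes): it lists each IP site link with its cost, interval and member sites, and reports whether automatic site link bridging is on by decoding the options attribute on the IP transport (bit 0x2 set means "bridge all site links" is disabled). It assumes the ActiveDirectory module; the hub site name "Corp" is a constructed placeholder.

```powershell
# Added example: inventory IP site links and the "bridge all site links" setting.
Import-Module ActiveDirectory

function Get-IpSiteLinkTopology {
    $configNc      = (Get-ADRootDSE).configurationNamingContext
    $ipTransportDn = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"

    # options bit 0x2 on the transport = bridges required, i.e. automatic bridging disabled
    # (the setting the first and third bullets above refer to).
    $transport       = Get-ADObject -Identity $ipTransportDn -Properties options
    $bridgesRequired = (([int]$transport.options) -band 0x2) -ne 0

    $links = Get-ADObject -SearchBase $ipTransportDn -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=siteLink)' -Properties cost, replInterval, siteList
    foreach ($l in $links) {
        # siteList holds the DNs of the member sites; keep just the site names.
        $sites = @($l.siteList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })
        New-Object PSObject -Property @{
            SiteLink        = $l.Name
            Cost            = [int]$l.cost
            IntervalMinutes = [int]$l.replInterval
            Sites           = ($sites -join ', ')
            SiteCount       = $sites.Count
            AutoBridging    = -not $bridgesRequired
        }
    }
}

$topology = Get-IpSiteLinkTopology
$topology | Format-Table SiteLink, Cost, IntervalMinutes, Sites, AutoBridging -AutoSize

# Hub-and-spoke check from the bullets above: each link should include the corporate site
# rather than chaining branch->branch. "Corp" is a constructed placeholder for your hub site.
$topology | Where-Object { $_.Sites -notmatch '\bCorp\b' } |
    ForEach-Object { "Site link '$($_.SiteLink)' does not include the hub site: $($_.Sites)" }
```

When AutoBridging is False on a fully routed network, every multi-hop path must be covered by an explicit site link bridge, or replication between distant sites will not converge.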