Channel: Active Directory – NetOverMe's Blog
Viewing all 37 articles

Perform Backup of System State on Local Drive


Hi,

The video tutorial below shows how to take a system state backup onto a local drive, including a critical volume. By default, Windows Server Backup refuses to store a system state backup on a critical volume such as C:\.

You can change that default on Windows Server 2008 and 2008 R2 by adding the registry entry described in KB 944530 (the AllowSSBToAnyVolume value under HKLM\SYSTEM\CurrentControlSet\Services\wbengine\SystemStateBackup).

Check the video that I posted on YouTube:

http://www.youtube.com/watch?v=1JDy8QvspOk

Articles:

http://support.microsoft.com/kb/944530

You can test the system state backup from the command prompt or from the Windows Server Backup GUI. I prefer the command prompt because it is quicker.

Two caveats before you rely on this. A backup stored on the same volume it protects is lost together with that volume, so copy it somewhere else afterwards. And on a domain controller the system state includes NTDS.dit, the directory database holding every account's password hash, so the backup location must be readable only by administrators.

Steps:

1. Right-click Command Prompt and click Run as administrator.

2. Type the command: wbadmin start systemstatebackup -backuptarget:c:
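The same procedure scripted end to end, as an added example that is not from the original post. It assumes a Windows Server 2008 R2 domain controller, an elevated PowerShell session and the AllowSSBToAnyVolume value from KB 944530; the ACL on the backup folder is my own hardening step, not part of the KB.

```powershell
# Added example, not from the original post. Assumes Windows Server 2008 R2,
# an elevated session, and the registry value documented in KB 944530.

# 1. Allow a system state backup to land on a critical volume (C:).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wbengine\SystemStateBackup'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'AllowSSBToAnyVolume' -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Take the backup without prompts; wbadmin's exit code says whether it worked.
& wbadmin.exe start systemstatebackup -backupTarget:C: -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

# 3. Record the version identifier; the restore side
#    (wbadmin start systemstaterecovery -version:<id>) needs it.
& wbadmin.exe get versions -backupTarget:C:

# 4. On a DC the backup holds NTDS.dit (all password hashes). Make sure only
#    Administrators and SYSTEM can read the folder wbadmin created.
$backupDir = 'C:\WindowsImageBackup'
if (Test-Path $backupDir) {
    & icacls.exe $backupDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
    & icacls.exe $backupDir   # show the resulting ACL
}
```

Copy the WindowsImageBackup folder off the server once the command finishes; a backup that lives only on C: does not survive the loss of C:.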



Unable to Modify Policy of Domain Admin Users in Lync Server 2010


For the last few days and nights I have been working on Lync Server with Edge and Director. Lync Server is a new toy to me, and I managed to get it all working, so I will share what I found.

I ran into an odd thing in the last few hours. I created a new External Access policy and applied it to users in my lab environment. The policy was applied to some users but not to others, and the users it failed on were all members of Domain Admins. Here is the screenshot of the failure:

Active Directory Operation failed on "dc.yourdomain.com". You cannot retry this operation: "Insufficient access rights to perform the operation 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0."

You do not have the appropriate permissions to perform this operation in Active Directory. One possible cause is that the Lync Server Control Panel and Remote Windows PowerShell cannot modify users who belong to protected security groups (for example, the Domain Admins group). To manage users in the Domain Admins group, use the Lync Server Management Shell and log on using a Domain Admins account. There are other possible causes. For details, see Lync Server 2010 Help.

The fix I used was to enable "Include inheritable permissions from this object's parent" on the affected user:

Step 1: Open Active Directory Users and Computers. Click the View menu and select Advanced Features.

Step 2: Click a user who is a member of Domain Admins, for example Administrator. Right-click and click Properties.

Step 3: Go to the Security tab and click the Advanced button.

Step 4: On the Permissions tab, tick "Include inheritable permissions from this object's parent".

Be aware of what this does. Members of Domain Admins and the other protected groups are stamped with adminCount=1, and the SDProp process on the PDC emulator copies the ACL from CN=AdminSDHolder,CN=System onto them every 60 minutes by default, with inheritance blocked. Ticking the box therefore works only until the next SDProp pass, and it deliberately weakens the ACL of a privileged account. The error text gives the supported route: grant the policy from the Lync Server Management Shell while logged on with a Domain Admins account. Better still, do not Lync-enable Domain Admins accounts at all; give those people a separate everyday account.
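To see why the checkbox fix does not last, the following added example (not from the original post) lists the SDProp-protected accounts and whether their ACL currently blocks inheritance, reads the SDProp interval from the PDC emulator, and shows the Lync cmdlet the error message recommends. It assumes the ActiveDirectory module, WinRM access to the PDC emulator, and, for the last line, the Lync Server Management Shell; the policy name ExternalAccessPolicy1 is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT), WinRM to the PDC emulator, and for the last step the Lync
# Server Management Shell. 'ExternalAccessPolicy1' is a placeholder name.
Import-Module ActiveDirectory

# Accounts that SDProp protects carry adminCount=1 and an ACL with inheritance
# blocked. SDProp re-stamps them from CN=AdminSDHolder,CN=System on every
# pass, so the checkbox change in Step 4 is reverted on the next run.
function Get-ProtectedAccountState {
    Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount, memberOf |
        ForEach-Object {
            $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                InheritanceBlocked = $acl.AreAccessRulesProtected   # $true = SDProp has stamped it
                GroupCount         = @($_.memberOf).Count
            }
        }
}
Get-ProtectedAccountState | Format-Table -AutoSize

# How long a manually enabled inheritance survives: the SDProp interval,
# 3600 seconds unless AdminSDProtectFrequency overrides it on the PDC emulator.
$pdc  = (Get-ADDomain).PDCEmulator
$freq = Invoke-Command -ComputerName $pdc -ScriptBlock {
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name 'AdminSDProtectFrequency' -ErrorAction SilentlyContinue).AdminSDProtectFrequency
}
"SDProp runs every $(if ($freq) { $freq } else { 3600 }) seconds on $pdc"

# The supported route from the error text: assign the policy from the Lync
# Server Management Shell while logged on as a Domain Admin, leaving the
# protected ACL alone.
# Grant-CsExternalAccessPolicy -Identity 'NETOVERME\Administrator' -PolicyName 'ExternalAccessPolicy1'
```

Run the first function again an hour after ticking the checkbox: InheritanceBlocked is back to True for the account, which is SDProp doing its job.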


Part 1: Adding Role of Active Directory Domain Services in Windows Server 8 Beta


I would like to walk through adding the Active Directory Domain Services (AD DS) role in Windows Server 8 Beta.

Step 1: Open Server Manager.

Step 2: On the Add Roles and Features Wizard, click Next.

Step 3: On Select installation type, choose Role-based or feature-based installation. Then click Next.

Step 4: On Select destination server, choose "Select a server from the server pool". Click Next.

Step 5: On Select server roles, tick "Active Directory Domain Services".

Step 6: Once you have ticked it, the wizard lists the features the role requires: Remote Server Administration Tools, the AD DS and AD LDS Tools, and the Active Directory module for Windows PowerShell. Click "Add Features", then click Next.

Step 7: On Select features, click Next.

Step 8: On Active Directory Domain Services, click Next.

Step 9: On Confirm installation selections, click Install.

Result:

The Results page shows the installation progress; click Close when it finishes. At this point the AD DS role binaries are installed, but the server is not yet a domain controller. You still have to promote it, either with dcpromo or by clicking "Promote this server to a domain controller" in the notification shown in the figure below.


Part 2: Promote Domain Controller in Windows Server 8 beta


Part 1 covered adding the Active Directory Domain Services role:

http://netoverme.wordpress.com/2012/05/02/part-1-adding-role-of-active-directory-domain-services-in-windows-server-8-beta/

Part 2 promotes the server to a domain controller. After you finish Part 1, run dcpromo or click the "Promote this server to a domain controller" link in the figure below:

The Deployment Configuration wizard then opens.

On the figure below, since there is no other DC or forest in the organization, choose "Add a new forest" and click Next.

On Domain Controller Options we are asked for the domain and forest functional level. I set both to Windows Server 2003, because raising the level later is easy while lowering it is only possible in limited cases. Keep in mind what that choice costs you: a 2003 domain functional level means SYSVOL is replicated with FRS rather than DFS-R, and the AD Recycle Bin needs a 2008 R2 forest functional level, so on a fresh forest with no older DCs there is little reason not to start at 2008 R2.

Leave DNS server ticked; by default the first domain controller in the forest also hosts the global catalog. You must also set the Directory Services Restore Mode (DSRM) password. This is the local administrator password used when the DC is booted into DSRM, which is where you run an authoritative restore with ntdsutil; treat it like any other domain controller administrator credential and record it somewhere safe. Then click Next.

On DNS Options, click Next.

On Additional Options you can change the NetBIOS name. In my case the NetBIOS name is NETOVERME.

On Paths, click Next.

On Review Options, check the configuration once more before finalizing: in particular the NetBIOS name, the SYSVOL path, NETLOGON and the domain name. Once you agree with the configuration, click Next.

On Prerequisites Check, click Install.
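Parts 1 and 2 as a single script, added here as an example and not taken from the original posts. It assumes the released Windows Server 2012 (the "Server 8" beta shown above), an elevated session on the server being promoted, and a new forest named netoverme.local with NetBIOS name NETOVERME; I start the forest at 2008 R2 functional level rather than the 2003 chosen in the post, for the reasons given above.

```powershell
# Added example, not from the original posts. Assumes Windows Server 2012,
# an elevated session on the server being promoted, and a new forest
# netoverme.local / NETOVERME.

# Part 1: the role plus its management tools (the wizard's "Add Features"
# prompt is -IncludeManagementTools here).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Part 2: promotion. On Windows Server 2012 the ADDSDeployment cmdlets replace
# the dcpromo wizard; dcpromo.exe only remains for unattended answer files.
Import-Module ADDSDeployment

# The DSRM password is a local administrator credential for the DC when it is
# booted into Directory Services Restore Mode. Generate it, vault it, and do
# not reuse the domain Administrator password.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (safe mode administrator) password'

$params = @{
    DomainName                    = 'netoverme.local'
    DomainNetbiosName             = 'NETOVERME'
    # A fresh forest at 2008 R2: DFS-R for SYSVOL and the AD Recycle Bin are
    # available, and the level can still be raised later.
    ForestMode                    = 'Win2008R2'
    DomainMode                    = 'Win2008R2'
    InstallDns                    = $true      # first DC also becomes a global catalog
    CreateDnsDelegation           = $false     # no parent zone exists for a new forest
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true
}

# Same checks as the wizard's "Prerequisites Check" page, without changing anything.
Test-ADDSForestInstallation @params | Format-List

# Promote; the server reboots at the end, exactly like clicking Install.
Install-ADDSForest @params -NoRebootOnCompletion:$false
```

After the reboot, dcdiag and repadmin /showrepl confirm that the new DC advertises and that SYSVOL is shared; for a single-DC forest there is nothing to replicate with yet, so the first real test is adding the second DC.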


Part 1: Set Rule on Audit Account Management using SCOM 2007 R2


Hi..

I would like to share how to get an alert on Audit Account Management events via SCOM 2007 R2.

In my implementation I want to monitor a specific event ID, Event ID 4726 (a user account was deleted). The event IDs for Windows Vista / Windows Server 2008 and later are listed here:

http://support.microsoft.com/kb/947226

How to do that? There are two parts; the second is described in the next post.

1. Enable Audit Account Management via Group Policy (GPO).

2. Create a rule that raises an alert on Event ID 4726.

How to enable Audit Account Management via Group Policy?

By default, Audit Account Management is not defined, so I have to enable it. The auditing has to be on the domain controllers, because that is where account deletions are processed and where 4726 is written.

  • Open Group Policy Management on a domain controller.
  • Right-click the Domain Controllers OU and choose "Create a GPO in this domain, and Link it here".
  • Name the GPO Audit Account Management.
  • Right-click the Audit Account Management GPO and choose Edit.
  • Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
  • Open Audit account management, tick "Define these policy settings", and enable Success and Failure.

Note that on Windows Server 2008 and later, if Advanced Audit Policy Configuration is used in any GPO that applies to the DCs, the subcategory settings override this legacy category; the subcategory that produces 4726 is "User Account Management" under Account Management. Check with auditpol on a DC what is actually in effect before you trust the rule.

Later, in Part 2, I will show how to create the rule that alerts on Event ID 4726.

 


Part 2: Set Rule on Audit Account Management using SCOM 2007 R2


In the previous post, http://netoverme.wordpress.com/2012/05/19/part-1-set-rule-on-audit-account-management-using-scom-2007-r2/, I enabled Audit Account Management in Group Policy Management.

Now I want to set up the rule that raises an alert on Event ID 4726, "A user account was deleted".

Step 1: Go to the Authoring pane. Under Management Pack Objects, right-click Rules and choose Create a New Rule.

Step 2: On the Create Rule Wizard, under Event Based, select NT Event Log (Alert), and click Next.

Step 3: On Rule Name and Description, type a rule name. Under Rule Category, select Security Health. Make sure the rule target is Windows Domain Controller, not a single computer: 4726 is logged only on the DC that performed the deletion, so the rule has to run on every DC.

Step 4: On Event Log Name, choose Security.

Step 5: On Build Event Expression, set Event ID equals 4726.

Step 6: On Configure Alerts, accept the defaults and click Create.

Verify that the alert works:

- Delete a test user in Active Directory.

- Check Event Viewer on the DC that handled the deletion and search for Event ID 4726. The event's Subject fields tell you which account did the deletion and the Target fields tell you which account was deleted; both are worth putting in the alert description.

- Go to System Center Operations Manager and look at the Monitoring pane.

Please see the alert below:
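The verification from both parts, scripted: an added example that is not from the original posts. It checks the audit subcategory that is actually in effect on the DC (the point made in Part 1) and decodes recent 4726 events into the fields the alert should carry. It assumes an elevated session on a Windows Server 2008 R2 or later domain controller and uses only auditpol.exe and Get-WinEvent.

```powershell
# Added example, not from the original posts. Run in an elevated session on a
# domain controller running Windows Server 2008 R2 or later; uses only
# built-in tools (auditpol.exe, Get-WinEvent).

# What is actually in effect. On Vista/2008 and later, 4720-4726 and 4738
# come from the "User Account Management" subcategory; if any GPO applying
# to the DC uses Advanced Audit Policy Configuration, the subcategory
# setting wins over the legacy "Audit account management" category.
& auditpol.exe /get /subcategory:"User Account Management"
# Local equivalent of the GPO setting in Part 1 (a GPO will overwrite it):
# auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable

# Pull recent deletions and decode who deleted whom from the event XML; these
# are the fields the SCOM alert description should carry.
function Get-AccountDeletion {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4726; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                DC          = $_.MachineName           # 4726 exists only on the DC that did the delete
                DeletedUser = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                TargetSid   = $d['TargetSid']
                DeletedBy   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                LogonId     = $d['SubjectLogonId']     # join to 4624 to find where they logged on from
            }
        }
}

Get-AccountDeletion | Format-Table -AutoSize
```

Delete a test account and run Get-AccountDeletion on each DC in turn: only one of them returns the event, which is why the SCOM rule must target the Windows Domain Controller class rather than one server.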


Active Directory Recycle Bin in Windows Server 2012 RC


Active Directory Recycle Bin is a feature introduced in Windows Server 2008 R2. In Windows Server 2012 it gets better, with a GUI in the Active Directory Administrative Center.

It lets you restore accidentally deleted users or other objects easily, without the AD DS downtime of a restore. In Windows Server 2003 and Windows Server 2008 AD DS the options were a restore from backup (an authoritative restore with ntdsutil from DSRM) or reanimating tombstones with third-party tools such as ADRestore, which brings back the object but not most of its attributes.

How to use the Active Directory Recycle Bin?

Step 1:

The forest functional level must be Windows Server 2008 R2 or higher. You can raise it in Active Directory Domains and Trusts.

Step 2:

Enable the AD Recycle Bin with Windows PowerShell (Enable-ADOptionalFeature) or from the Active Directory Administrative Center; it is disabled by default. Enabling it is irreversible and needs Enterprise Admins rights.

Step 3:

Delete the target user in Active Directory Users and Computers, as in the example below.

Step 4: Open Active Directory Administrative Center.

Step 5: In the navigation pane, double-click the "Deleted Objects" container. You will see the list of objects that have been deleted.

Step 6: To restore a deleted user, right-click the user as in the example below and choose Restore, or Restore To:

Then select the organizational unit in which to place the user and click OK.

To verify that the user has been restored, check the OU you selected. Deleted objects stay restorable for the deleted object lifetime (180 days by default); after that they become recycled objects and can no longer be brought back this way.
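The same six steps from PowerShell, as an added example that is not from the original post. It checks the forest functional level, enables the feature only if it is not already on, reads the deleted object lifetime, lists what the ADAC "Deleted Objects" container shows, and restores a user into the original or a chosen OU. It assumes the ActiveDirectory module, Enterprise Admins rights, the forest netoverme.info and a deleted user named jsmith (both placeholders).

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module, Enterprise Admins rights, the forest netoverme.info, and a deleted
# user whose sAMAccountName was 'jsmith' (placeholder).
Import-Module ActiveDirectory

# Step 1: the feature needs a 2008 R2 forest (ADForestMode value 4) or higher.
$forest = Get-ADForest
if ([int]$forest.ForestMode -lt 4) {
    throw "Forest functional level is $($forest.ForestMode); Windows Server 2008 R2 or higher is required."
}

# Step 2: enable once. This is one-way; there is no Disable-ADOptionalFeature.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
}

# How long deleted objects remain restorable. If msDS-DeletedObjectLifetime
# is unset, the tombstoneLifetime value (180 days on modern forests) applies.
$dsCfg = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$cfg = Get-ADObject -Identity $dsCfg -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime
"Deleted object lifetime: $(if ($cfg.'msDS-DeletedObjectLifetime') { $cfg.'msDS-DeletedObjectLifetime' } else { $cfg.tombstoneLifetime }) days"

# Steps 4-5: what the "Deleted Objects" container lists.
function Get-DeletedUser {
    Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
        -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged
}

# Step 6: restore into the original OU (default) or into a chosen one.
function Restore-DeletedUser {
    param([Parameter(Mandatory)][string]$SamAccountName, [string]$TargetOU)
    $obj = Get-DeletedUser | Where-Object { $_.sAMAccountName -eq $SamAccountName }
    if (-not $obj) { throw "No deleted user named $SamAccountName" }
    if ($TargetOU) { Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $TargetOU }
    else           { Restore-ADObject -Identity $obj.ObjectGUID }
    Get-ADUser -Identity $SamAccountName | Select-Object SamAccountName, DistinguishedName, Enabled
}

Get-DeletedUser | Format-Table sAMAccountName, lastKnownParent, whenChanged -AutoSize
# Restore-DeletedUser -SamAccountName 'jsmith' -TargetOU 'OU=Staff,DC=netoverme,DC=info'
```

Restore-ADObject fails if lastKnownParent no longer exists (for example the OU was deleted too); restore the parent first, or pass -TargetOU as shown.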


No UPN is listed in Exchange 2010 after promote Child Domain


Here I am covering a problem I hit while working on Exchange and Active Directory together.

In my scenario there is a parent domain, netoverme.info, and the Exchange server is installed in that domain. The organization then adds a child domain, management.netoverme.info, for the Management department. Its domain controller sits in a site office, and they want to use the Exchange server that already exists in the parent domain.

When the administrator tried to create a mailbox for a new user in the child domain management.netoverme.info, the UPN suffix list was empty, as in the figure below:

What is the solution?

Solution:

Every domain that will hold mailbox-enabled users must be prepared by Exchange. Run setup.com /PrepareAllDomains from the Exchange Server 2010 installation media (or /PrepareDomain:management.netoverme.info for just the child), using an account that is a member of Enterprise Admins, and wait for the changes to replicate to the child domain's DCs.

See the figure below for an example. Make sure the preparation completes fully.

After it completes, open the console again and create a mailbox for a user in the child domain.



RID Pool Depletion


I got the warning below when creating a user in Active Directory Users and Computers:

Why did the warning appear?

Because the domain controller ran out of relative identifiers (RIDs). Every security principal's SID ends in a RID, and RIDs are handed out by the RID master in blocks. Each DC is allocated a block of 500 RIDs by default; when it has consumed about half of its current block it asks the RID master for the next one. If the RID master cannot be contacted (offline, firewalled, or its role seized elsewhere), the DC keeps creating accounts until the block is exhausted and then refuses to create any more, which is what the warning means. The fix is to make the RID master reachable again (or seize the role if it is gone for good), not to keep retrying on another DC that still has RIDs.

You will also see the warning in Event Viewer. Take note of Event ID 16645, logged by SAM on the affected DC. The domain-wide pool is finite as well (2^30 RIDs unless unlocked on Windows Server 2012 or later), so repeated failed promotions or bulk account creation can burn through it over time.
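An added example, not from the original post, that reads the RID state directly instead of waiting for the warning: the domain-wide pool on the RID master and each DC's current and reserved blocks. It assumes the ActiveDirectory module, PowerShell 3.0 or later (for the bit-shift operator) and read access to every DC's RID Set object.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module, PowerShell 3.0+, and LDAP access to each DC.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Domain-wide state lives on CN=RID Manager$. rIDAvailablePool is a 64-bit
# value: low 32 bits = next RID to hand out, high 32 bits = ceiling
# (0x3FFFFFFF unless the pool was unlocked on Windows Server 2012+).
$ridMgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
    -Server $domain.RIDMaster -Properties rIDAvailablePool
[int64]$pool = $ridMgr.rIDAvailablePool
$nextRid = $pool -band 0xFFFFFFFF
$maxRid  = $pool -shr 32
[pscustomobject]@{ RIDMaster = $domain.RIDMaster; NextRID = $nextRid; MaxRID = $maxRid; Remaining = $maxRid - $nextRid } | Format-List

# Per-DC state is in the RID Set under each DC's computer object:
#   rIDPreviousAllocationPool = block currently being consumed (start | end<<32)
#   rIDAllocationPool         = block most recently granted by the RID master
#   rIDNextRID                = next RID this DC will assign
# A DC asks for a new block at roughly the halfway point; if that request
# keeps failing it eventually hits the end of the block, logs 16645 and
# refuses to create security principals.
function Get-DcRidPool {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" -Server $dc.HostName `
            -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID -ErrorAction SilentlyContinue
        if (-not $ridSet) { continue }
        [int64]$cur = $ridSet.rIDPreviousAllocationPool
        [int64]$nxt = $ridSet.rIDAllocationPool
        [pscustomobject]@{
            DC                = $dc.HostName
            CurrentStart      = $cur -band 0xFFFFFFFF
            CurrentEnd        = $cur -shr 32
            NextRID           = $ridSet.rIDNextRID
            LeftInBlock       = ($cur -shr 32) - $ridSet.rIDNextRID
            NextBlockReserved = ($nxt -ne $cur)   # $false means the refill has not been granted yet
        }
    }
}
Get-DcRidPool | Format-Table -AutoSize
```

A DC with a small LeftInBlock and NextBlockReserved = False is the one that will start throwing the warning; dcdiag /test:RidManager from that DC shows whether it can reach the RID master at all.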


Error AD Replication: (8456) The source server is currently rejecting replication requests


I want to share an AD replication error that you may run into in your organization. I routinely run the replication summary, repadmin /replsummary, and got the output below:

The error shown is (8456) The source server is currently rejecting replication requests.

The KB article http://support.microsoft.com/kb/2023007 was a great help in troubleshooting it.

These are the steps I followed to troubleshoot and fix it:

1. I checked the possible causes. First the registry, to see whether the "Dsa Not Writable" value is set. Run Regedit and go to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

Look for the value "Dsa Not Writable"; my screenshot is below:

Dsa Not Writable was set to 4. According to the table in http://support.microsoft.com/kb/2023007, that means a USN rollback was detected. When this value is set, the DC disables inbound and outbound replication and pauses Netlogon so that it stops advertising itself; that is why its partners report 8456. Do not simply delete the registry value to get replication going again: the DC would then replicate a divergent copy of the directory to its partners, which is exactly what the flag exists to prevent.

Active Directory was rolled back improperly by one of the following:

- A virtual machine snapshot of the DC was taken and later reverted to.

- The DC was restored from a disk image, for example with Norton Ghost.

2. I also checked the Directory Service log in Event Viewer. Event ID 1308 shows the replication failures; the rollback itself is reported by Event ID 2103 on the rolled-back DC and 2095 on its partners.

3. I had no choice but to decommission the affected domain controller with dcpromo /forceremoval.

4. After the forced removal I used metadata cleanup to remove the old domain controller object. See http://netoverme.wordpress.com/2011/06/03/metadata-cleanup-in-windows-2003/

5. After that, remove the server's records in DNS and in Active Directory Sites and Services.

6. On the affected server (the former domain controller), I then promoted it again so that the domain has multiple domain controllers.

On Windows Server 2012 and later, hypervisors that expose a VM-Generation ID let the DC detect a reverted snapshot and recover safely, but a snapshot is still not a backup; take system state backups instead.

I will update this with any other possible solutions.

Thank you.
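The checks in steps 1 and 2, plus a parse of repadmin's output that finds the 8456 partners without eyeballing /replsummary: an added example, not from the original post. Run it in an elevated session on the DC under suspicion; it assumes only repadmin.exe and the built-in ADSI accelerator, no RSAT module.

```powershell
# Added example, not from the original post. Run on the suspect DC in an
# elevated session; needs only repadmin.exe (present on every DC).

# 1. The marker the post checks by hand. 4 is what KB 2023007 documents for a
#    detected USN rollback. While it is set, replication in both directions is
#    off and Netlogon is paused, so partners see 8456 and clients stop using
#    this DC. Do NOT delete the value to "fix" replication.
$p   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dsa = (Get-ItemProperty -Path $p -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue).'Dsa Not Writable'
switch ($dsa) {
    $null   { 'Dsa Not Writable is not set; this DC is writable' }
    4       { 'USN rollback detected on this DC (Dsa Not Writable = 4)' }
    default { "Dsa Not Writable = $dsa (see the table in KB 2023007)" }
}

# 2. Corroborating events: 2103 (this DC was rolled back), 2095 (a partner
#    noticed), 1308 (KCC reports the failed replication attempts).
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103, 1308 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Message';e={ ($_.Message -split "`n")[0] }}

# 3. Which partners report failures, from repadmin's CSV output; 8456 shows up
#    in 'Last Failure Status' on every partner that tried to pull from this DC.
function Get-ReplicationFailure {
    & repadmin.exe /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Failure Time', 'Last Failure Status'
}
Get-ReplicationFailure | Format-Table -AutoSize

# 4. Invocation ID and highest USN this DC advertises for the domain partition.
#    A restore legitimately changes the invocation ID; a USN that went
#    backwards behind the same invocation ID is the rollback itself.
$domainNC = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
& repadmin.exe /showutdvec . $domainNC
```

If step 1 reports 4, the supported ways out are the ones in the post: forced demotion plus metadata cleanup, or a restore from a good system state backup (Part 2), either of which gives the DC a new invocation ID.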

 

 


Error AD Replication: (8456) The source server is currently rejecting replication requests Part 2


I want to continue with another possible solution to the previous post:

http://netoverme.wordpress.com/2012/11/26/error-ad-replication-8456-the-source-server-is-currently-rejecting-replication-requests/

The other way is to restore the system state from a recent backup. This is a non-authoritative restore: after the reboot the DC gets a new invocation ID, its partners treat it as a fresh replica, and it pulls in everything newer than the backup. The backup must be younger than the tombstone lifetime (60 or 180 days depending on when the forest was created) or the DC cannot be restored this way.

How?

1. Reboot the server and log in in DSRM mode.

[Screenshot: DSRM mode]

2. Use the command prompt to restore the previous backup. First list the available backups with wbadmin get versions to find the version identifier, then run:

wbadmin start systemstaterecovery -version:<your recent backup version>

[Screenshot: restore backup]

Let the restore run until you see the screen below.

[Screenshot: successful restore]

It will ask to restart the server. Press Y to proceed.

3. Then verify that replication is successful (repadmin /replsummary again).

[Screenshot: verified replication]


Failure to Add Child Domain Controller?


[Screenshot: add domain controller error]

I had a problem adding another domain controller to a child domain in my lab. In my scenario the existing child domain controller is online, and one of the parent domain controllers is also online.

The first thing to check is that the DNS client of the server being promoted points at the child domain controller.

I also checked the debug log in C:\Windows\Debug\Dcpromoui.log. The error there matches the one in the screenshot above.

Looking further, the log shows that the SRV record lookup for testbranch.netoverme.local succeeds.

What fixed it for me was making sure the Domain Naming Master was online and reachable. The Domain Naming Master FSMO role is the one that must be contacted to add or remove a domain in the forest. In my case I have two parent domain controllers (dc1.netoverme.local and dc2.netoverme.local) and the child domain is testbranch.netoverme.local; the scenario above is adding a second domain controller to testbranch.netoverme.local.

Once I could ping dc1.netoverme.local, which holds the Domain Naming Master role, and confirmed that no firewall was blocking the required ports (DNS 53, Kerberos 88, RPC endpoint mapper 135 plus the dynamic RPC range, LDAP 389, SMB 445, LDAPS 636 and global catalog 3268), the domain controller was added successfully. Two things to remember: the FSMO role holders must be online and contactable, and the DNS delegation for the child domain must exist in the parent zone so that all of the child's DNS records can be found from the parent domain.
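The reachability check I would run before promoting, as an added example that is not from the original post: it resolves the FSMO holders for the forest and the child domain, tests the ports listed above against each of them, and repeats the SRV lookup and DC locator call from the post. It assumes the ActiveDirectory module, Test-NetConnection (Windows Server 2012 R2 / PowerShell 4 or later), and the domain names from the post.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module and Test-NetConnection (PowerShell 4+); run from the server you
# are about to promote into testbranch.netoverme.local.
Import-Module ActiveDirectory

$forest = Get-ADForest
$child  = Get-ADDomain -Identity 'testbranch.netoverme.local'

# Role holders the promotion may need. The Domain Naming Master is consulted
# when a domain is created or removed; a replica DC also needs a reachable DC
# of its own domain and the domain's PDC and RID master.
$targets = [ordered]@{
    'DomainNamingMaster (forest)' = $forest.DomainNamingMaster
    'SchemaMaster (forest)'       = $forest.SchemaMaster
    'PDCEmulator (child)'         = $child.PDCEmulator
    'RIDMaster (child)'           = $child.RIDMaster
}

# Static ports; the dynamic RPC range (49152-65535 on 2008+) must be open too
# and cannot be tested with a single probe.
$ports = [ordered]@{ DNS = 53; Kerberos = 88; RPC = 135; LDAP = 389; SMB = 445; LDAPS = 636; GC = 3268 }

function Test-DcReachability {
    foreach ($role in $targets.Keys) {
        $server = $targets[$role]
        foreach ($name in $ports.Keys) {
            $r = Test-NetConnection -ComputerName $server -Port $ports[$name] -WarningAction SilentlyContinue
            [pscustomobject]@{ Role = $role; Server = $server; Port = "$name/$($ports[$name])"; Open = $r.TcpTestSucceeded }
        }
    }
}

$results = Test-DcReachability
$results | Where-Object { -not $_.Open } | Format-Table -AutoSize   # anything listed here blocks promotion

# The SRV lookup from the post, and a forced DC locate against the child domain.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($child.DNSRoot)" -Type SRV | Select-Object NameTarget, Port
& nltest.exe /dsgetdc:$($child.DNSRoot) /force
```

An empty table from the Where-Object line means every role holder answers on every static port; if promotion still fails, dcdiag /test:FsmoCheck on an existing DC of the child tells you whether the DCs themselves agree on who holds the roles.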

 


Fine Grained Password Policy in Windows Server 2012


In Windows Server 2012 Standard edition it is really convenient to configure a fine-grained password policy using only the Active Directory Administrative Center (no more ADSI Edit). The domain functional level must be Windows Server 2008 or higher.

1. Run "dsac" or open it from Administrative Tools.

2. In the left pane, switch to the tree view and expand the tree.

3. Go to System under your domain. In my case, I expand "netoverme" and go to the System container.

4. Click the Password Settings Container.

5. Right-click the Password Settings Container, choose New and select Password Settings.

[Screenshot: New Password Settings]

6. In the figure below you are prompted for the settings, such as password complexity, minimum password length, minimum and maximum password age, password history and lockout. You must also give the policy a name and a precedence; when several policies apply to the same user, the one with the lowest precedence number wins.

[Screenshot: Password Settings form]

7. After finishing the password settings, link the policy to the users or groups it should apply to, for example an IT Admin group. Under Directly Applies To, click Add and type the user or group. A password settings object can be applied only to users and global security groups, not to OUs, so put the accounts in a global group first.
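The same policy created from PowerShell, with a check of what a given user actually ends up with: an added example, not from the original post. It assumes the ActiveDirectory module, Domain Admins rights, a 2008 or higher domain functional level, and a global security group named IT Admin (a placeholder, as is the policy name PSO-ITAdmin).

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module, Domain Admins rights, DFL 2008+, and a global security group
# 'IT Admin' (placeholder).
Import-Module ActiveDirectory

$domain = Get-ADDomain
if ([int]$domain.DomainMode -lt 3) {   # 3 = Windows2008Domain
    throw "Domain functional level $($domain.DomainMode): Windows Server 2008 or higher is required for PSOs"
}

# Same fields as the ADAC "Create Password Settings" form. Lower precedence
# wins when a user falls under several PSOs.
$pso = New-ADFineGrainedPasswordPolicy -Name 'PSO-ITAdmin' -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true -PassThru

# "Directly Applies To": PSOs bind only to users and global security groups.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'IT Admin'

# Verify the resultant policy for a member; this accounts for precedence
# when more than one PSO applies, and falls back to the domain default.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    $pso  = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($pso) {
        [pscustomobject]@{ User = $SamAccountName; Policy = $pso.Name; Precedence = $pso.Precedence; MinLength = $pso.MinPasswordLength; MaxAgeDays = $pso.MaxPasswordAge.Days }
    } else {
        $def = Get-ADDefaultDomainPasswordPolicy
        [pscustomobject]@{ User = $SamAccountName; Policy = '(Default Domain Policy)'; Precedence = $null; MinLength = $def.MinPasswordLength; MaxAgeDays = $def.MaxPasswordAge.Days }
    }
}

Get-ADGroupMember -Identity 'IT Admin' | ForEach-Object { Get-EffectivePasswordPolicy -SamAccountName $_.SamAccountName } | Format-Table -AutoSize
```

Stricter settings for administrators are the usual reason for a PSO; note that the policy is enforced at the next password change, it does not expire existing passwords on its own.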

 


Grant Replicate Directory Changes Permission on a domain


An account that needs to read changes from a domain controller, such as a synchronization service, requires the "Replicating Directory Changes" control access right on the domain. It does not have to be a Domain Admin; the right can be delegated to an ordinary account.

Why do we do this?

Say you want SharePoint User Profile Synchronization to keep its profile store in step with Active Directory. The import side of that synchronization reads changes from AD with the DirSync control, and DirSync requires Replicating Directory Changes on every domain that is synchronized. If users are also allowed to update their own information in SharePoint and have it written back to AD, that export direction needs ordinary write permission on the relevant user attributes as well; that part is configured separately, in Active Directory and in SharePoint Central Administration.

Before delegating it, understand what the right gives. Replicating Directory Changes lets the account read every object and every non-secret attribute in the domain, including deleted objects and attributes that are otherwise restricted by per-object ACLs, so the synchronization account is a sensitive credential. It does not return password hashes; that takes the separate right "Replicating Directory Changes All", which is what DCSync-style tools use to pull every hash in the domain. Never grant "All" to a synchronization account, and audit periodically which principals hold it.

How to grant Replicating Directory Changes?

  • On your domain controller, open Active Directory Users and Computers.
  • Right-click the domain, for example netoverme.local, and select Delegate Control.
  • Click Next on the Delegation of Control Wizard.
  • On Users or Groups, click Add.
  • Type the name of the synchronization account, for example sp_admin, and click Next.
  • On Tasks to Delegate, select "Create a custom task to delegate" and click Next.
  • On Active Directory Object Type, select "This folder, existing objects in this folder, and creation of new objects in this folder", and click Next.
  • On Permissions, select Replicating Directory Changes.
  • Click Next and Finish.
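An audit of who holds the replication rights on the domain, and a check that sp_admin ended up with exactly the one it needs: an added example that is not from the original post. It reads the ACL of the domain naming context and matches the extended-right GUIDs of the three replication control access rights. It assumes the ActiveDirectory module and the account name sp_admin from the post; the dsacls line in the comment is the command-line equivalent of the wizard steps.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module and read access to the domain NC's security descriptor.
Import-Module ActiveDirectory

# Control-access rights on the domain naming context, by their schema GUIDs.
$rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'                 # what profile sync needs
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'             # also returns secrets (hashes)
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set' # RODC filtered-attribute set
}

function Get-ReplicationRightHolder {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DomainDN)
    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString().ToLower()
        $isExtended = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $isExtended -and $rights.ContainsKey($guid)) {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Right = $rights[$guid] }
        }
    }
}

$holders = Get-ReplicationRightHolder
$holders | Sort-Object Identity, Right | Format-Table -AutoSize

# The delegation is correct only if sp_admin has Get-Changes and NOT
# Get-Changes-All. The wizard's equivalent from the command line would be:
#   dsacls "DC=netoverme,DC=local" /G "NETOVERME\sp_admin:CA;Replicating Directory Changes"
$mine = @($holders | Where-Object { $_.Identity -like '*\sp_admin' })
if (-not ($mine.Right -contains 'DS-Replication-Get-Changes'))  { Write-Warning 'sp_admin lacks Replicating Directory Changes' }
if ($mine.Right -contains 'DS-Replication-Get-Changes-All')     { Write-Warning 'sp_admin holds Replicating Directory Changes All: remove it' }

# Anything other than Administrators, Domain Controllers and Enterprise
# Domain Controllers holding Get-Changes-All is a finding to explain.
$expected = 'BUILTIN\Administrators', "$((Get-ADDomain).NetBIOSName)\Domain Controllers", 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
$holders | Where-Object { $_.Right -eq 'DS-Replication-Get-Changes-All' -and $expected -notcontains $_.Identity }
```

Schedule the last two lines as a recurring check: a new principal with Get-Changes-All is one of the quieter ways an attacker arranges persistent access to every password hash in the domain.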

Audit Forest and Domain Functional Level


Hi,

Just to share this: it is good practice to enable audit events in Group Policy so you can see who changed what, and when, on your domain controllers.

In my example I enabled every audit policy in the domain controller Group Policy.

[Screenshot: all audit policies enabled in the Domain Controllers GPO]

I must admit that this logs every activity on your domain controllers and will cost you disk space accordingly, so size the Security log and your log collection to match.

I mostly pick out important events, such as a change of the forest functional level. Say you have many people in the Domain Admins group of the root domain; they can go anywhere. While the forest is still at the Windows Server 2003 functional level, a Domain Admin of the root domain can put themselves into Enterprise Admins and raise it to a higher level such as Windows Server 2008. Raising the forest level needs Enterprise Admins; raising a domain level needs Domain Admins of that domain.

When the forest functional level is raised, it is recorded in the event log; you will see it in the Directory Service log.

[Screenshot: forest functional level event]

Usually I use a SCOM alert to monitor Event ID 2040 so that I am told if there is a change.

[Screenshot: forest functional level event, part 1]

On the General tab the event reports that the new forest functional level is 3. This "3" means the forest functional level was raised to Windows Server 2008. The number is the msDS-Behavior-Version attribute (on CN=Partitions in the configuration partition for the forest, on the domain head for a domain), and the values map as follows:

0 = Forest functional level: Windows 2000

1 = Forest functional level: Windows Server 2003 interim

2 = Forest functional level: Windows Server 2003

3 = Forest functional level: Windows Server 2008

4 = Forest functional level: Windows Server 2008 R2

5 = Forest functional level: Windows Server 2012

Another event, Event ID 1968, tells you the previous functional level and the current functional level.

[Screenshot: forest functional level event, part 2]
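An added example, not from the original post, that reads the raw msDS-Behavior-Version numbers the events report, maps them with the table above (extended to 2012 R2 and 2016, which use 6 and 7), lists who is currently able to raise the forest level, and pulls the two event IDs the post monitors from the local Directory Service log. It assumes the ActiveDirectory module and that it is run on a domain controller.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module; run on a DC so the Directory Service log is local.
Import-Module ActiveDirectory

# msDS-Behavior-Version values; the table in the post plus the two later releases.
$levelName = @{
    0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'; 4 = 'Windows Server 2008 R2'; 5 = 'Windows Server 2012'
    6 = 'Windows Server 2012 R2'; 7 = 'Windows Server 2016'
}

function Get-FunctionalLevelRaw {
    $root   = Get-ADRootDSE
    $forest = Get-ADObject -Identity "CN=Partitions,$($root.configurationNamingContext)" -Properties 'msDS-Behavior-Version'
    $domain = Get-ADObject -Identity $root.defaultNamingContext -Properties 'msDS-Behavior-Version'
    $f = [int]$forest.'msDS-Behavior-Version'
    $d = [int]$domain.'msDS-Behavior-Version'
    [pscustomobject]@{
        ForestLevel = $f; ForestName = $levelName[$f]
        DomainLevel = $d; DomainName = $levelName[$d]
    }
}
Get-FunctionalLevelRaw | Format-List

# Who can raise the forest level: Enterprise Admins. Domain Admins of the
# root domain can add themselves to it, so review both groups.
'Enterprise Admins', 'Domain Admins' | ForEach-Object {
    $g = $_
    Get-ADGroupMember -Identity $g -Recursive | Select-Object @{n='Group';e={ $g }}, SamAccountName, objectClass
} | Format-Table -AutoSize

# The events the post tracks (2040 and 1968 in the Directory Service log).
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2040, 1968 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='FirstLine';e={ ($_.Message -split "`n")[0] }}
```

Compare the ForestLevel number with the value in the most recent event: if they differ, a change happened that your alerting did not catch.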

 

Thank you for viewing and reading this article. :-)

 

 

Reference URL:

 

http://social.technet.microsoft.com/wiki/contents/articles/3446.how-to-revert-back-or-downgrade-windows-server-2008-r2-forest-and-domain-functional-level.aspx

 

 

 



External Domain Access SharePoint in Trusted domain to Synchronize Picture


Hi,

I would like to share how to let users from an external domain access SharePoint in a trusted domain, and synchronize their profile pictures.

Here is the scenario design:

[Diagram: AD trust between abc.local and netoverme.info]

In this scenario, by default the users in abc.local cannot access resources in the other forest. To let one forest's users access resources in the other, you create a trust.

In the figure above, abc.local is an external forest, and a trust has to be created between it and the netoverme.info forest.

I assume you know how to build a trust between two forests; if not, refer to this article:

http://technet.microsoft.com/en-us/library/cc740018(v=ws.10).aspx

Choose the trust direction and scope deliberately: a one-way trust in which netoverme.info trusts abc.local is enough for abc.local users to be granted access to SharePoint, and selective authentication limits which servers they can authenticate to.

After the trust has been established, you can share resources such as file servers, contacts, the GAL and so on.

In my example I give users from abc.local access to SharePoint in netoverme.info. To let them browse and manage their profiles, I grant specific abc.local users access to SharePoint.

I also tried to synchronize the pictures of ABC domain users so that they can be uploaded and used at sharepoint.netoverme.info.

First, I create the connections:

[Screenshot: synchronization connections]

There are two AD connections. One is to the external forest, ABC.local, and the other is the AD synchronization connection to the netoverme.info parent forest. The account used for each connection needs Replicating Directory Changes on that forest's domain, as described in the post above on granting that right.

In the Picture user profile property below, I create two AD mappings, exporting the picture property to the thumbnailPhoto attribute.

[Screenshot: Picture user profile property]

Here is the AD property mapping for synchronization:

[Screenshot: property mapping]

You can see two mappings that do the same job for different domains: whenever a user uploads a picture in SharePoint, the job writes it to the thumbnailPhoto attribute in the user's own domain, abc.local or netoverme.info. Because this is an export, the connection account also needs write permission on thumbnailPhoto for those users in each forest.

Result:

[Screenshot: synchronization run in the FIM management agent console]

In the end it works fine. I am happy to have figured this out and to share it. Thanks.


Schema Mismatch


Hi,

Before I begin, Happy New Year 2014 to all.

Okay, I would like to share the screenshot below:

[Screenshot: schema mismatch error]

Have you seen this error lately? You probably panicked and went searching on TechNet.

Here is the article: http://support.microsoft.com/kb/2734946

In my case there was a period during which the domain controllers had not replicated. Some of the DCs were offline when I installed Exchange Server. Exchange setup extends the AD schema, and because the schema partition is forest-wide, that change is made on the Schema Master and then has to replicate to every other DC. Until the DCs that were offline receive the schema partition they run with an older schema, and a DC whose schema is behind rejects replication of objects that use the new attributes, which is the mismatch reported here.

Resolution: force replication of the schema partition manually, or wait for the replication schedule. Then compare the schema version on each DC to confirm they all agree.
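The comparison the resolution calls for, as an added example that is not from the original post: it reads the Windows schema version and the Exchange schema version from every DC in the forest, reports any DC that disagrees with the Schema Master, and forces the schema partition to replicate to it. It assumes the ActiveDirectory module, repadmin.exe, and LDAP reachability to each DC.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module, repadmin.exe, and LDAP access to every DC in the forest.
Import-Module ActiveDirectory

# Two version stamps: objectVersion on the schema container (Windows schema,
# e.g. 47 = 2008 R2, 56 = 2012) and rangeUpper on ms-Exch-Schema-Version-Pt
# (Exchange schema). A DC that was offline while Exchange setup ran on the
# Schema Master shows the old values until the schema NC replicates to it.
function Get-SchemaVersionPerDc {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
    foreach ($dc in $dcs) {
        try {
            $schema = Get-ADObject -Identity $schemaNC -Server $dc.HostName -Properties objectVersion
            $exch   = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNC" -Server $dc.HostName -Properties rangeUpper -ErrorAction SilentlyContinue
            [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; WindowsSchema = $schema.objectVersion; ExchangeSchema = $exch.rangeUpper; Error = $null }
        } catch {
            [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; WindowsSchema = $null; ExchangeSchema = $null; Error = $_.Exception.Message }
        }
    }
}

$versions = Get-SchemaVersionPerDc
$versions | Format-Table -AutoSize

# Any reachable DC that disagrees with the Schema Master is behind; pull the
# schema NC to it now rather than waiting for the replication schedule.
$master   = (Get-ADForest).SchemaMaster
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$ref      = $versions | Where-Object { $_.DC -eq $master }
$behind   = $versions | Where-Object { -not $_.Error -and ($_.WindowsSchema -ne $ref.WindowsSchema -or $_.ExchangeSchema -ne $ref.ExchangeSchema) }
foreach ($v in $behind) {
    "$($v.DC) is behind the Schema Master ($($v.WindowsSchema)/$($v.ExchangeSchema) vs $($ref.WindowsSchema)/$($ref.ExchangeSchema)); replicating schema partition"
    & repadmin.exe /replicate $v.DC $master $schemaNC
}
if (-not $behind) { 'All reachable DCs agree with the Schema Master' }
```

Run it again after the replication completes; a DC that still reports Error has a connectivity problem to solve before the schema can catch up.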


Scenario: Domain User unable to log in?


In this scenario the domain user "aliyani@netoverme.info" tried to log in to the domain from his workstation.

[Screenshot: logon]

He then got the error below:

"During a logon attempt, the user's security context accumulated too many security IDs"

[Screenshot: error]

Yet his account is a member of only three groups in Active Directory: Domain Admins, Domain Users and the HQ security group.

What happened?

After checking his account in Active Directory, I logged in at another workstation and it worked fine. He could not log in only at the problem workstation, with the error above. I then saw that the domain account had been added to a huge number of local groups on this workstation, about 1217 of them.

So, in conclusion: the limit of 1024 SIDs in an access token counts not only the user's domain group memberships (including nested and universal groups) but also the local groups on the workstation or server being logged on to, plus the well-known SIDs that every token carries. It is a hard limit of the security subsystem and is unrelated to the Kerberos MaxTokenSize setting, which only controls ticket size.
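An added example, not from the original post, that counts both halves of the budget before the user hits the limit: the fully expanded domain group SIDs from the account's tokenGroups attribute, and the local groups on the machine that contain the account. It uses only the built-in ADSI accelerators (no RSAT), and the user name aliyani and domain NETOVERME from the post; the local check matches members by name, which is enough for a diagnosis.

```powershell
# Added example, not from the original post. Run on a domain member as a
# user who can read the directory; needs no RSAT module.

# tokenGroups is the server-side, fully expanded list of domain group SIDs
# for the account (nested groups included). These all end up in the token.
function Get-DomainTokenGroupCount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $result   = $searcher.FindOne()
    if (-not $result) { throw "User $SamAccountName not found" }
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache(@('tokenGroups'))          # constructed attribute; must be requested explicitly
    $sids = @(foreach ($b in $entry.Properties['tokenGroups']) {
        (New-Object System.Security.Principal.SecurityIdentifier($b, 0)).Value
    })
    [pscustomobject]@{ User = $SamAccountName; DomainGroupSids = $sids.Count; Sids = $sids }
}

# Local groups on this machine that contain the account. Each one adds a SID
# to the same 1024 budget when the user logs on here, which is how a user with
# three domain groups can still fail on one particular workstation.
function Get-LocalGroupsContaining {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'NETOVERME\aliyani'
    $name     = $Account.Split('\')[-1]
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    foreach ($g in ($computer.Children | Where-Object { $_.SchemaClassName -eq 'group' })) {
        $members = @($g.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        })
        if ($members -contains $name) { [string]$g.Name }
    }
}

$domainSids = Get-DomainTokenGroupCount -SamAccountName 'aliyani'
$localGroups = @(Get-LocalGroupsContaining -Account 'NETOVERME\aliyani')

"Domain group SIDs : $($domainSids.DomainGroupSids)"
"Local groups here : $($localGroups.Count)"
# Well-known SIDs (Everyone, Authenticated Users, logon session, etc.) add a
# further handful; whoami /groups run as the user shows the exact total.
if ($domainSids.DomainGroupSids + $localGroups.Count -gt 1000) {
    Write-Warning 'Token is close to or over the 1024 SID limit on this machine'
}
```

Run it on the problem workstation and on a working one: the domain count is identical, the local count is what differs.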


LDAP in Domain Controller


For a couple of days I have been searching for the reason why a domain controller would not answer the UDP 389 LDAP query sent by PortQry.exe.

The result, for example:

[Screenshot: PortQry UDP 389 query with no response]

I found out that IPv6 (TCP/IPv6) was unticked in the network adapter properties. I ticked the box to enable IPv6 and restarted the server.

The result after enabling IPv6:

[Screenshot: PortQry UDP 389 query answered]

PortQry's UDP 389 test is not a plain port probe: it sends the LDAP ping that clients use to locate domain controllers and parses the answer, so a DC that does not respond to it will not be found by the DC locator either. Also note that Microsoft does not recommend unticking IPv6 in the adapter properties on domain controllers; if IPv6 must be turned off, do it with the DisabledComponents registry value described in KB 929852, and test DC location afterwards.

Read the articles below:

http://support.microsoft.com/kb/832919

https://support.microsoft.com/kb/929852

http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx
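The checks I would run on the DC before and after the change, as an added example that is not from the original post: the IPv6 binding state per adapter, whether IPv6 was disabled the supported way, and a DC locator query that exercises the same LDAP ping path PortQry tests. It assumes Windows Server 2012 or later (Get-NetAdapterBinding) and the domain name netoverme.info from the page.

```powershell
# Added example, not from the original post. Assumes Windows Server 2012+
# on the DC and the domain netoverme.info.

# Is IPv6 bound to each adapter? Unticking the checkbox unbinds it per
# adapter, which is the state the post found.
Get-NetAdapterBinding -ComponentID ms_tcpip6 | Select-Object Name, Enabled | Format-Table -AutoSize

# Was IPv6 disabled the supported way (KB 929852, DisabledComponents)?
$v6 = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' `
        -Name DisabledComponents -ErrorAction SilentlyContinue
"DisabledComponents: $(if ($v6) { '0x{0:X}' -f $v6.DisabledComponents } else { '(not set)' })"

# Addresses the DC will register and answer on.
Get-NetIPAddress -AddressState Preferred | Where-Object { $_.InterfaceAlias -notlike 'Loopback*' } |
    Select-Object InterfaceAlias, AddressFamily, IPAddress | Format-Table -AutoSize

# The client-side view of what PortQry's UDP 389 test exercises: the DC
# locator sends an LDAP ping (CLDAP) to candidate DCs and picks one that
# answers. /force bypasses the cached result so the current state is tested.
& nltest.exe /dsgetdc:netoverme.info /force
& nltest.exe /dsgetdc:netoverme.info /ldaponly
```

If nltest cannot locate a DC while LDAP over TCP still works, the UDP 389 path is the problem, and that matches what PortQry showed.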

 


Event ID 5774 in Windows Server 2008 R2 SP1


Hi,

I would like to share the screenshot below.

[Screenshot: Event ID 5774]

Why does Event ID 5774 still appear on a domain controller running Windows Server 2008 R2 SP1?

Before going into detail, here are the Microsoft articles related to Event ID 5774:

http://support.microsoft.com/kb/977158

http://support.microsoft.com/kb/284963

My scenario is below:

[Diagram: netoverme.info forest with child domain]

The forwarder on my child domain's DNS server was configured to send queries to the parent domain (netoverme.info) DNS servers, both for internal names in the parent domain and for public DNS.

My scenario and Event ID 5774 (on the child domain) are related.

Event ID 5774 is logged on my child domain controller, where the dynamic DNS registration is failing with the error quoted below:

Log Name: System
Source: NETLOGON
Date: 7/26/2014 6:51:45 AM
Event ID: 5774
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: NOM-CH1.child.netoverme.info
Description:
The dynamic registration of the DNS record 'ForestDnsZones.netoverme.info. 600 IN A 10.78.1.112' failed on the following DNS server:

DNS server IP address:
Returned Response Code (RCODE): 5
Returned Status Code: 9017

For computers and users to locate this domain controller, this record must be registered in DNS.

Two things in that error are worth decoding. The record being registered, ForestDnsZones.netoverme.info, lives in the parent zone netoverme.info rather than in the child zone, because the child DC hosts a replica of the ForestDnsZones application partition and advertises that with an A record under the forest root name; the update therefore goes to whichever server the child's resolver finds to be authoritative for netoverme.info. RCODE 5 is REFUSED, and status 9017 is DNS_ERROR_RCODE_BADKEY: a server answered and rejected the secure (GSS-TSIG) dynamic update, which is what happens when the update reaches a server that is not a domain controller of this forest, such as an ISP resolver, or a zone that does not accept it. Do not make the event go away by switching the zone to nonsecure updates.

Checklist for the workaround:

1. Check that no ISP DNS server is configured on the NICs of the child domain controllers or the parent domain controllers.

2. Check any unused NICs for ISP DNS or other DNS servers.

3. Check that the AD-integrated zone is configured to allow (secure) dynamic updates, for example:

[Screenshot: zone dynamic update setting]

4. Check the DNS delegation for the child domain. The delegation is created in the parent zone when the child domain controller is promoted.

I verified the whole checklist, but Event 5774 was still there.

Solution:

In the end I found what was causing the problem: the child domain could not contact the parent domain controllers, due to one of the following:

- the domain controllers were down;

- the DNS service was stopped;

- network connectivity was bad, such as a dropped WAN link or heavy congestion.

That fits the REFUSED status rather than a timeout: when the forwarder to the parent fails, the child's DNS server falls back to root hints unless it is set to forward only, and if netoverme.info also exists on the public Internet the update lands on a public server, which refuses it.
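The diagnosis as a script, added here as an example that is not from the original post. Run on the child DC (NOM-CH1.child.netoverme.info) in an elevated session, it finds which server the update is being sent to, checks that server's zone settings and reachability, re-registers the DC's records and watches for a new 5774. It assumes the DnsClient, DnsServer and NetTCPIP modules (Windows Server 2012 R2 or later with the DNS RSAT tools) and the names from the event above.

```powershell
# Added example, not from the original post. Run on the child DC in an
# elevated session; assumes Windows Server 2012 R2+ with the DNS Server
# RSAT module installed.

$zone   = 'netoverme.info'                 # the record lives in the parent zone
$record = "ForestDnsZones.$zone"

# 1. Where the update goes: the SOA primary that this DC's resolver finds for
#    the parent zone. If this is not a DC of the forest (an ISP or public
#    server), the secure update will be refused with RCODE 5 / 9017.
$soa = Resolve-DnsName -Name $zone -Type SOA -ErrorAction Stop
"SOA primary for $zone as seen from here: $($soa.PrimaryServer)"
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize   # checklist items 1 and 2

# 2. Is that primary reachable and does its zone take (secure) updates?
#    Checklist item 3, asked of the server that actually refused.
Test-NetConnection -ComputerName $soa.PrimaryServer -Port 53 | Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
Get-DnsServerZone -ComputerName $soa.PrimaryServer -Name $zone -ErrorAction SilentlyContinue |
    Select-Object ZoneName, DynamicUpdate, IsDsIntegrated, ReplicationScope

# 3. Checklist item 4: the delegation for the child zone in the parent zone.
Resolve-DnsName -Name "child.$zone" -Type NS -Server $soa.PrimaryServer -ErrorAction SilentlyContinue |
    Select-Object Name, NameHost

# 4. Re-register and see whether 5774 comes back within a minute.
& nltest.exe /dsregdns
Start-Sleep -Seconds 60
$new = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5774; StartTime = (Get-Date).AddMinutes(-2) } -ErrorAction SilentlyContinue
if ($new) { $new | Select-Object TimeCreated, @{n='FirstLine';e={ ($_.Message -split "`n")[0] }} }
else      { "No new 5774 after re-registration; $record is registered" }
Resolve-DnsName -Name $record -Type A -Server $soa.PrimaryServer -ErrorAction SilentlyContinue | Select-Object Name, IPAddress
```

If step 1 names a server outside the forest, fix the resolver path (forwarders, NIC DNS entries) rather than the zone; the update is supposed to be refused there.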

 

 

 

