Monthly Archives: February 2011

The Blog Wrap-Up for February 2011

  • Manage your Windows 2008 R2 DNS Server from XP
  • You’ve upgraded your servers to 2008 R2 but your admins’ workstations are still on XP? You can’t manage your DNS server then until you make some changes.

  • The case of jammed permissions
  • You change permissions on an AD object but they keep coming back. Look at the article.

  • Service Pack 1 for Windows 7 & Windows Server 2008 R2 released + MBAM
  • News, just news. BTW, SP1 is available to download and install.

  • %SystemRoot%System32 Secrets: AzMan
  • The series continues. This time we manage authorization with the AzMan console.

  • Do you miss your search results? Kill’em.
  • Your users keep complaining they can’t find anything in their email? Probably you have a corrupted index.

  • Scripting Games 2011
  • The date is announced, get yourself prepared.

  • MCP Club: Follow UP
  • I was trying to get my audience bored again. Hopefully without success

    MCP Club: Follow UP

    The day before yesterday I was speaking at MCP Club: Moscow. The topic was named “IPD Guides: I Plan Darn Good”. Guess what? It seems it was fun! =) Well, at least I found it entertaining and I hope everyone else had a good time =)


    What did we do there? First I delivered a small presentation about IPD and why it is important to plan. For example, I said that it allows you to reduce resource conflicts like the one shown on my slide.



    After this we had a workshop.


    The audience created a company (a strange one, I’d say, but it worked for us), then planned the Exchange roll-out with my little help, and then we did it again with IPD. At the end it was obvious that without IPD we had lost availability along the way, but nothing else. So, the audience was quite proficient ;)

    Thanks, guys. That was the kind of session which is clearly impossible without your involvement, so you were a great crowd! =)

    Scripting Games 2011

    Yeah, this year they will be held again! I doubt I will find time to join them (though I’ll do my best), but I definitely recommend that everyone else does =)

    The Games start on April 4 and finish on the 15th. The details are not fully revealed yet, but there are already some learning resources in place, and also a banner to place on your web site/blog/forum. Here is the badge: 2011 Scripting Games

    Grab this badge here!

    P.S. BTW, I’ve already downloaded and installed Service Pack 1 for Windows 7/Windows 2008 R2 wherever it is not a hazard for business systems. Those who are not TechNet/MSDN subscribers will get it tomorrow ;)

    P.P.S. Tomorrow I’m speaking at the Moscow UG – MCP Club. The topic is all about the Infrastructure Planning and Design (IPD) Guides. I hope to get my audience interested in it ;)

    Do you miss your search results? Kill’em.

    I’ve had one more case recently: an employee reported that his Outlook wouldn’t return any item from the last three weeks or so. Rebuilding indices didn’t help, and moreover he was not using Outlook cached mode. Well, my own search seemed to be OK, but I needed to reproduce the problem somehow, so I went nuts and removed cached mode too. Bingo! My search results were restricted to the period from the same three-weeks-ago point back to the beginning of time: no results from yesterday or last week. Considering the fact that both mailboxes, the employee’s and mine, were in the same storage group, I decided that it was the server index which was responsible for that tragedy (do you know where each of your mails is at the moment, by the way?).

    How can we check if something is wrong with the index on a server? The answer was easy to find: Test-ExchangeSearch (documented for Exchange 2010 and for 2007). Running the command for my account returned the following:

    ResultFound : False
    SearchTime  : -1

    Obviously something went wrong with the index. How can we restore it? Again, easy: the KB was found in no time. So I just went to my server and ran the script ResetSearchIndex.ps1 from the Exchange Scripts folder for the problematic DB. Of course, deleting the index and recreating it gives the server a hard time in terms of processor usage and IO, so I did it out of working hours.

    And in case you, like me, need to know whether the index is still being rebuilt or has already been rebuilt, look at a performance counter for the DB which you are reindexing: MSExchange Search Indices\Full Crawl Mode Status. You can track it for a particular DB instance or for _Total. If it is 1, a full crawl is being performed; if it is 0, the crawl has stopped. After it stops, check again whether you have solved your problems with search:

    [PS] C:\Windows\system32>Test-ExchangeSearch domain\username

    ResultFound SearchTime
    ----------- ----------
           True          5

    I definitely did =)
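    The whole procedure from the post, as an added example rather than the post’s own script: test the index for a mailbox, reset it when the probe fails, wait for the full crawl counter to drop back to 0, then re-test. It assumes the Exchange Management Shell on the mailbox server (which defines $exscripts), a database named “DB01” and a mailbox “domain\username” (both placeholders), and that the counter instance name equals the database name; if it does not, list the instances with (Get-Counter -ListSet 'MSExchange Search Indices').PathsWithInstances.

```powershell
# Added example, not the original post's code. Run from the Exchange
# Management Shell on the mailbox server, out of working hours: the reset
# triggers a full crawl that is CPU and IO heavy.
param(
    [string]$Database = "DB01",             # placeholder database name
    [string]$Mailbox  = "domain\username"   # placeholder mailbox
)

function Test-MailboxIndex {
    # ResultFound is $false (and the time -1) when the probe message that
    # Test-ExchangeSearch injects is never returned by the content index.
    $result = Test-ExchangeSearch -Identity $Mailbox
    return [bool]$result.ResultFound
}

if (Test-MailboxIndex) {
    Write-Output "Index serving $Mailbox looks healthy, nothing to do."
    return
}

# Delete and recreate the content index of the database. Invocation as
# documented for the script that ships with Exchange 2007/2010; check the
# script's own help if your version differs.
& "$exscripts\ResetSearchIndex.ps1" -force $Database

# Full Crawl Mode Status is 1 while the database is being crawled and 0 once
# the crawl has finished (use "_Total" as the instance for all databases).
$counter = "\MSExchange Search Indices($Database)\Full Crawl Mode Status"
do {
    Start-Sleep -Seconds 60
    $status = (Get-Counter -Counter $counter).CounterSamples[0].CookedValue
    Write-Output ("{0:s} full crawl status for {1}: {2}" -f (Get-Date), $Database, $status)
} while ($status -eq 1)

if (Test-MailboxIndex) {
    Write-Output "Search works again for $Mailbox."
} else {
    Write-Output "Still broken: check the Microsoft Exchange Search Indexer service and the application log."
}
```

    The loop polls the counter once a minute rather than assuming a duration; how long the crawl takes depends on the database size, and re-testing before it finishes gives the same False/-1 result as before the reset.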

    %SystemRoot%System32 Secrets: AzMan

    To be honest, for quite a long time I had been thinking of it as some unneeded tool, before I had a close look at the console and its abilities. I was wrong. It is a really powerful instrument to manage or delegate permissions for an application. It is so powerful that I’m only teasing you in this article, before writing one or more big articles about it. Imagine you need a person to have full control over some Hyper-V virtual machine, including the right to delete it, but the one thing he or she must not do is create snapshots (because those are a pain in the neck, you know). Can you create such a set of permissions? Easy! Do you want to create quite the opposite policy? You are welcome. Do you want to check a user against some complex rules, not only group membership? Write your own scripts for that (AzMan calls them business rules). What is even more pleasant: it is very role-oriented. Thinking in terms of roles is simple and nice with the tool.


    OK, you’ll tell me: what’s the trap? Unfortunately, there is more than one. First of them: your application should be written with AzMan in mind. That is true for many MS applications, like, say, Hyper-V or DPM. But if you use VMM, then it is almost impossible for you to use AzMan with Hyper-V. And VMM has fewer abilities in the field. And I don’t like the way it has them =) DPM’s AzMan is not yet broken by any “management” software, but, my gosh! It is soooo poor in its capabilities =(

    Still, if you don’t use VMM, or use some other app which is compatible with AzMan, then I sincerely recommend you take a look at it.

    Service Pack 1 for Windows 7 & Windows Server 2008 R2 released + MBAM

    Brandon LeBlanc made my day again! =) The Service Pack is now RTM. It will be available to TechNet and MSDN subscribers on February 16th and to the general public on February 22nd.

    Besides fixes, the SP brings RemoteFX and Dynamic Memory for Hyper-V.

    One more piece of good news: the Microsoft Desktop Optimization Pack got a brand-new addition, and it is MBAM! =) Or Microsoft BitLocker Administration and Monitoring. Deploy, monitor, help users recover: they say it is all much easier now. I’m going to try it ;)

    The case of jammed permissions

    Once I got a request ticket from one of our administrators, to whom some permissions over their part of AD are delegated. The person told me that he didn’t have permissions for some accounts. Well, no problem: I investigated the issue, found that inheritance on that record was broken and fixed it: one checkbox and the “OK” button, big deal! The next day I received another request… for the same person. Inheritance was broken again! OK, I’m not a newbie, I even know something about adminCount, AdminSDHolder and SDProp. So I went and checked whether the account was a member of any of the protected groups: no, it wasn’t, though it had been before. So I tried several more tricks, like moving the account to another OU and back. No luck. And at that point I received another request, from another administrator with the same problem but a different account. And this other account had been a domain admin before too.

    Well, at this point I was almost sure that it was SDProp overwriting the permissions. A quick check of the adminCount attribute showed that I was right: it was set to 1. After I had set it to 0 and restored inheritance on the object, everything became normal. A bit of investigation showed that when an account leaves a protected group, the adminCount attribute doesn’t switch back to 0, and a bit more investigation showed me that this is by design: SDProp stamps the value and the AdminSDHolder ACL on members of protected groups, but never undoes either when they leave. In more detail read here and here. Next time I won’t be so lazy and will trust my inner admin ;)
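    The manual fix above (set adminCount back to 0, re-enable inheritance) done for every such orphaned account at once, as an added example that is not the post’s own code. It assumes the ActiveDirectory module (Windows Server 2008 R2, or RSAT on Windows 7) with its AD: drive, and the default list of AdminSDHolder-protected groups; the built-in Administrator and krbtgt accounts are protected individually and are skipped. Run it with -WhatIf first, since it rewrites ACLs on user objects.

```powershell
# Added example, not the original post's code: find accounts still carrying
# adminCount=1 that are no longer in any protected group, then reset the
# attribute and restore ACL inheritance so delegated permissions stick.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

Import-Module ActiveDirectory

# Groups whose members SDProp stamps with adminCount=1 and the AdminSDHolder
# ACL (default list on a 2008 R2 domain; membership is evaluated recursively).
$protectedGroups = 'Administrators', 'Account Operators', 'Backup Operators',
    'Print Operators', 'Server Operators', 'Replicator', 'Domain Admins',
    'Enterprise Admins', 'Schema Admins', 'Domain Controllers',
    'Read-only Domain Controllers'

# SIDs of everyone who legitimately still has adminCount=1.
$protectedSids = @{}
foreach ($name in $protectedGroups) {
    try {
        Get-ADGroupMember -Identity $name -Recursive -ErrorAction Stop |
            ForEach-Object { $protectedSids[$_.SID.Value] = $true }
    } catch {
        # e.g. Enterprise/Schema Admins only exist in the forest root domain
        Write-Verbose "Group '$name' not found or not readable: $_"
    }
}

# Accounts flagged by SDProp in the past but no longer protected.
$orphans = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object {
        -not $protectedSids.ContainsKey($_.SID.Value) -and
        ('Administrator', 'krbtgt') -notcontains $_.SamAccountName
    }

foreach ($user in $orphans) {
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset adminCount and restore inheritance')) {
        # 1. Without this, SDProp re-applies AdminSDHolder's ACL on its next run
        #    (every 60 minutes by default), which is what "jammed" the ticket above.
        Set-ADUser -Identity $user -Replace @{ adminCount = 0 }

        # 2. Re-enable inheritance. $true keeps the explicit ACEs SDProp stamped;
        #    remove them by hand afterwards if the OU's inherited ACL is enough.
        $path = "AD:\$($user.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
        Write-Output "Fixed $($user.SamAccountName)"
    }
}
```

    Order matters: restoring inheritance without touching adminCount is exactly what happened in the ticket, and SDProp undoes it within the hour. Review the orphan list before fixing anything; an account that was a domain admin and still has the AdminSDHolder ACL is also worth a look in the change log.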

    Manage your Windows 2008 R2 DNS Server from XP

    Being an MS MVP involves answering questions. I don’t receive many of them, but it happens sometimes. The latest one was quite interesting. After reading my article about delegating administration of DNS, one of my readers discovered that he could not implement my solution in his environment. You see, he has Windows XP workstations for administrators but Windows Server 2008 R2 DNS servers. This configuration leads to either “access denied” or other errors while trying to connect from the XP DNS console to a W2K8R2 DNS server.

    I had never encountered such a problem; it seems I passed it and other similar ones by thanks to my habit of using new MS Windows versions from the early beta stage. So, at first I thought that it could be some misconfiguration in my reader’s network, but a simple experiment showed me that I had been wrong: my freshly installed XP box wouldn’t connect to any R2 DNS server in my network, while connecting to any 2003 one was not a problem at all. To cut a long story short, I finally found a KB article which describes the problem. Here it is: Windows Server 2008 R2 DNS Servers can only be managed by computers running Windows Server 2008 or later.

    The cause of the problem is that 2008 R2 requires a more secure RPC authentication level on the DNS server’s management interface by default, one the XP DNS console does not offer. The solutions proposed by the article are simple enough: you can either

    1) manage your DNS server locally (from the console or through Terminal Services)

    2) or reduce the security level by running dnscmd /config /RpcAuthLevel 0 on each server which you want to manage from a Windows XP workstation.

    The first method is self-explanatory: you don’t get what you want, but you don’t pay for it with your security either. The second method is less straightforward in terms of consequences. Obviously enough, it makes your DNS servers less secure: their management RPC interface now accepts connections at the lower authentication level, from anyone who can reach it. What can you do to reduce the impact? That’s easy:

    • use this on one server only: let AD or other means replicate the changes
    • isolate this server as much as you can. Let only your administrators’ workstations (and other necessary hosts, if any) reach it via RPC

    And the last option, which I like best: upgrade your workstations to Windows 7. Get the most out of your environment =)
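    The second option together with the two impact-reducing bullets, as an added example rather than the post’s own commands: lower RpcAuthLevel on a single DNS server, record the resulting value, and scope that server’s inbound DNS RPC firewall rules to the administrators’ workstations. It assumes an elevated PowerShell on the DNS server, the built-in dnscmd.exe and netsh.exe, placeholder workstation addresses, the English rule names the DNS Server role registers in Windows Firewall on 2008 R2 (“DNS (RPC)” and “DNS (RPC-EPMAP)”; list yours with netsh advfirewall firewall show rule name=all if they differ), and that dnscmd stores the setting under the DNS service’s Parameters registry key.

```powershell
# Added example, not the original post's commands. Run elevated on the ONE
# DNS server you will manage from XP; leave RpcAuthLevel alone everywhere else.
param(
    [string[]]$AdminWorkstations = @('10.0.0.10', '10.0.0.11')   # placeholders
)

# 1. Lower the RPC authentication level the DNS server demands so the XP
#    console can connect. This is the step that weakens the server.
& dnscmd.exe /config /RpcAuthLevel 0

# 2. Confirm what dnscmd wrote (registry location assumed: server-level DNS
#    settings live under the service's Parameters key).
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$level  = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).RpcAuthLevel
Write-Output "RpcAuthLevel on $env:COMPUTERNAME is now: $level"

# 3. Limit who can reach the weakened interface. The role's RPC rules are bound
#    to dns.exe, so client queries on port 53 keep their own rules, and other
#    RPC services on the box (AD replication on a DC, for instance) keep their
#    own EPMAP/RPC rules unchanged.
$scope = $AdminWorkstations -join ','
foreach ($rule in 'DNS (RPC)', 'DNS (RPC-EPMAP)') {
    & netsh.exe advfirewall firewall set rule name="$rule" new remoteip="$scope"
}

# 4. Print the scoped rule so the change can go into the change log.
& netsh.exe advfirewall firewall show rule name="DNS (RPC)"
```

    Two caveats a practitioner would check: Windows Firewall must actually be on for the domain profile on that server (scoping a rule on a disabled firewall restricts nothing), and if the DNS role’s rule names on your build differ from the English 2008 R2 names the set rule call fails loudly rather than silently, so read netsh’s output.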