Monthly Archives: February 2011

The Blog Wrap-Up for February 2011

  • Manage your Windows 2008 R2 DNS Server from XP
  • You’ve upgraded your servers to 2008 R2 but your admins’ workstations are still on XP? You can’t manage your DNS server then until you make some changes.

  • The case of jammed permissions
  • You change permissions on an AD object but the permissions revert. Look at the article.

  • Service Pack 1 for Windows 7 & Windows Server 2008 R2 released + MBAM
  • News, just news. BTW, SP1 is available to download and install.

  • %SystemRoot%\System32 Secrets: AzMan
  • The series continues. This time we manage authorization with the AzMan console.

  • Do you miss your search results? Kill’em.
  • Your users keep complaining they can’t find anything in their email? Probably you have a corrupted index.

  • Scripting Games 2011
  • The date is announced, get yourself prepared.

  • MCP Club: Follow UP
  • I was trying to get my audience bored again. Hopefully without success.


    MCP Club: Follow UP

    The day before yesterday I was speaking at MCP Club: Moscow. The topic was named “IPD Guides: I Plan Darn Good”. Guess what? Seems like it was fun! =) Well, at least I found it entertaining and I hope everyone else had a good time =)


    What did we do back there? First I delivered a small presentation about IPD and why it is important to plan. For example, I said that it allows you to reduce resource conflicts like that:



    After this we had a workshop:


    The audience created a company (a strange one, I’d say, but it worked for us), then planned the Exchange roll-out with a little help from me, and then we did it with IPD. At the end it was obvious that we lost availability on our way without IPD, but nothing else. So, the audience was way proficient ;)

    Thanks, guys. That was a session of a kind which is clearly impossible without your involvement, so you were a great crowd! =)

    Scripting Games 2011

    Yeah, this year they will be held again! I doubt I will find time to join them (though I’ll do my best), but I definitely recommend everyone else to do it =)

    The Games start on April 4 and finish on the 15th. The details are not fully revealed yet, but there are already some learning resources in place. There is also a 2011 Scripting Games badge to place on your web site/blog/forum.

    P.S. BTW, I’ve already downloaded and installed Service Pack 1 for Windows 7/Windows 2008 R2 whenever it is not a hazard for business systems. Those who are not TechNet/MSDN subscribers will get it tomorrow ;)

    P.P.S. Tomorrow I’m speaking at the Moscow UG – MCP Club. The topic is all about Infrastructure Design Planning Guides. I hope to get my audience interested in it ;)

    Do you miss your search results? Kill’em.

    I’ve had one more case recently: an employee reported that his Outlook wouldn’t find any item from the last three weeks or so. Rebuilding indices didn’t help, and moreover he was not using cached Outlook mode. Well, while my search seemed to be OK, I needed to reproduce the problem somehow, so I went nuts and removed cached mode too. Bingo! My search results were restricted to the period from the same three weeks ago back to the beginning of time. No results from yesterday or last week. Considering the fact that both mailboxes, the employee’s and mine, were in the same storage group, I decided that it was the server index that was responsible for that tragedy (do you know where each of your mails is at the moment, by the way?).

    How can we check if something is wrong with the index on a server? The answer was easy to find: Test-ExchangeSearch for Exchange 2010 or for 2007. Running the command for my account returned the following:

    ResultFound : False
    SearchTime  : -1

    Obviously something went wrong with the index. How can we restore it? Again, easy: here is the KB, which was found in no time. So I just went to my server and ran the script ResetSearchIndex.ps1 from the Exchange folder for the problematic DB. Of course, deleting an index and recreating it gives a server a hard time in terms of processor usage and IO, so I did it in non-working hours. And just in case you, like me, need to know whether the index is being rebuilt or has already been rebuilt, you will need to look at a counter for the DB which you are reindexing. The counter is MSExchange Search Indices – Full Mode Crawl Status. You can track it for a particular DB or for _Total. If it is 1, then a Full Crawl is being performed. If it is 0, then crawls have stopped. And after they have stopped, you can check again whether you have solved your problems with search:

    [PS] C:\Windows\system32>Test-ExchangeSearch domainname\username

    ResultFound SearchTime
    ----------- ----------
           True          5

    I definitely did =)

    %SystemRoot%\System32 Secrets: AzMan

    To be honest, I had been thinking of it as some unneeded tool for quite a long time before I had a close look at the console and its abilities. I was wrong. It is a really powerful instrument to manage or delegate permissions for an application. It is so powerful that I’m only teasing you in this article, before creating one or more big articles about it. Imagine you need a person to have full control over some Hyper-V virtual machine, including the right to delete it, but the only thing he or she is not to do is create snapshots (because those are a pain in the neck, you know). Can you create such a set of permissions? Easy! Do you want to create quite the opposite policy? You are welcome. Do you want to check a user against some complex rules, not only groups? Create your scripts for this matter. What is even more pleasant: it is very role-oriented. Thinking in terms of roles is simple and nice with the tool.


    OK, you will ask me, what’s the catch? Unfortunately, there is more than one of them. The first of them: your application should be written with AzMan in mind. That is true, though, for many MS applications, like, say, Hyper-V or DPM. But if you use VMM, then it is almost impossible for you to use AzMan with Hyper-V. And VMM has fewer abilities in the field. And I don’t like the way it has them =) DPM’s AzMan is not yet broken by any “management” software, but, my gosh! It is soooo poor in its capabilities =(

    Still, if you don’t use VMM, or use some other app which is compatible with AzMan, then I sincerely recommend you take a look at it.

    Service Pack 1 for Windows 7 & Windows Server 2008 R2 released + MBAM

    Brandon LeBlanc made my day again! =) The Service Pack is now RTM. It will be available for TechNet and MSDN subscribers on February 16th and for the general public on February 22nd.

    Among the fixes, the SP contains RemoteFX and Dynamic Memory.

    One more piece of good news: Microsoft Desktop Optimization Pack got a brand-new addition. And it is MBAM! =) Or Microsoft BitLocker Administration and Monitoring. Deploy, monitor, help users to recover it – they say it is all much easier now. I’m going to try it ;)

    The case of jammed permissions

    Once I got a request ticket from one of our administrators to whom some permissions in their parts of AD are delegated. The person told me that he didn’t have permissions for some accounts. Well, no problem: I investigated the issue, found that the inheritance on that record was broken and I fixed it – one checkbox and the “OK” button – big deal! The next day I received another request… for the same person. The inheritance was broken again! OK, I’m not a newbie, I even know something about adminCount, adminSDHolder and SDProp. So I went and checked if the account was a member of any of the protected groups: no, it wasn’t, though it had been before. So I tried several more tricks, like moving the account to another OU and back. No luck. And at that point I received another request, from another administrator, with the same problem but another account. And this other person had been a domain admin before too.

    Well, at this point I was almost sure that it was because SDProp overwrites the permissions. A quick check of the adminCount attribute showed that I was right: it was set to 1. After I had set it to 0 and restored inheritance on the object, everything became normal. And a bit of investigation showed that when an account leaves a protected group, the adminCount attribute doesn’t switch to 0. After that, a bit more investigation showed me that it is by design. Read more details here and here. Next time, I won’t be so lazy and will trust my inner admin ;)
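
    The check from this case, generalized to the whole domain, as an added example that is not part of the original post: it lists users that still carry adminCount=1 but are no longer in a protected group, and shows whether inheritance is still disabled on them. The group list is a partial, illustrative set and `$Remediate` is a hypothetical switch variable; the cmdlets come from the ActiveDirectory module (RSAT).

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumption: an illustrative subset of the protected groups; extend it for your
# domain (Account Operators, Server Operators, Backup Operators, Print Operators ...).
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# DNs of every account that is protected right now, nested membership included.
$protectedDns = @{}
foreach ($name in $protectedGroups) {
    try {
        Get-ADGroupMember -Identity $name -Recursive -ErrorAction Stop |
            ForEach-Object { $protectedDns[$_.DistinguishedName] = $true }
    } catch {
        Write-Warning "Could not enumerate '$name': $($_.Exception.Message)"
    }
}

# Users still stamped adminCount=1 although they left every protected group.
# krbtgt is excluded because it stays protected without any group membership.
$orphans = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { -not $protectedDns.ContainsKey($_.DistinguishedName) -and $_.SamAccountName -ne 'krbtgt' }

# Report the leftover flag together with the inheritance state of each object's ACL.
$report = @(foreach ($user in $orphans) {
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    [pscustomobject]@{
        SamAccountName      = $user.SamAccountName
        AdminCount          = $user.adminCount
        InheritanceDisabled = $acl.AreAccessRulesProtected
        DistinguishedName   = $user.DistinguishedName
    }
})
$report | Sort-Object SamAccountName | Format-Table -AutoSize

# The fix used in the post: adminCount back to 0 and inheritance restored.
# Explicit ACEs already on the object stay in place and should be reviewed separately.
$Remediate = $false   # hypothetical switch; set to $true only after reviewing the report
if ($Remediate) {
    foreach ($row in $report) {
        Set-ADUser -Identity $row.DistinguishedName -Replace @{ adminCount = 0 }
        $acl = Get-Acl -Path ("AD:\" + $row.DistinguishedName)
        $acl.SetAccessRuleProtection($false, $true)   # $false = inheritance enabled again
        Set-Acl -Path ("AD:\" + $row.DistinguishedName) -AclObject $acl
    }
}
```

    An account that is still a member of a protected group through some nesting you did not list will be reset by SDProp on its next run, so a row that reappears in the report points to a missing entry in `$protectedGroups`.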